AMC2 ORO.GEN.205 Contracted activities
CAA ORS9 Decision No. 1
(a) The initial audit and/or the continuous monitoring of contracted organisations may be performed by a third-party provider on behalf of the operator when it is demonstrated that:
(1) a documented arrangement has been established with the third-party provider;
(2) the audit standards applied by the third-party provider address the scope of this Regulation in sufficient detail;
(3) the third-party provider uses an evaluation system, designed to assess the operational, management and control systems of the contracted organisation;
(4) the independence of the third-party provider, its evaluation system as well as the impartiality of the auditors is ensured;
(5) the auditors are appropriately qualified and have sufficient knowledge, experience and training, including on-the-job training, to perform their allocated tasks;
(6) audits are performed on-site;
(7) access to the relevant data and facilities is granted to the level of detail necessary to verify compliance with the applicable requirements;
(8) access to the full audit report is granted;
(9) procedures have been established for monitoring continuous compliance of the contracted organisation with the applicable requirements; and
(10) procedures have been established to notify the contracted organisation of any non- compliance with the applicable requirements, the corrective actions to be taken, the follow-up of these corrective actions, and closure of findings.
(b) The use of a third-party provider for the initial audit or the monitoring of continuous compliance of the contracted organisation does not exempt the operator from its responsibility under the applicable requirements.
(c) The operator should maintain a list of the contracted organisations monitored by the third-party provider. This list and the full audit report prepared by the third-party provider should be made available to the CAA upon request.