Methodology of the Auditing Measures to Civil Airport Security and Protection

Airports similarly to other companies are certiﬁed in compliance with the International Standardization Organization (ISO) standards of products and services (series of ISO 9000 Standards regarding quality management), to coordinate the technical side of standardizatioon and normalization at an international scale. In order for the airports to meet the norms and the certiﬁcation requirements as by the ISO they are liable to undergo strict audits of quality, as a rule, conducted by an independent auditing organization. Focus of the audits is primarily on airport operation economics and security. The article is an analysis into the methodology of the airport security audit processes and activities. Within the framework of planning, the sequence of steps is described in line with the principles and procedures of the Security Management System (SMS) and starndards established by the International Standardization Organization (ISO). The methodology of conducting airport security audit is developed in compliance with the national programme and international legislation standards (Annex 17) applicable to protection of civil aviation against acts of unlawful interference.


Introduction
Airport security aaudit is one of the crucial areas of security management in air transportation [1,2].Its main goal is to systematically evaluate how the airport (and airport companies, airlines and other stakeholders in air transportation) fulfil security programmess and their targets set.It represents a feedback by means of which a real-time evaluation of the security level of the entire air transportation process is performed.Ensuring security in air transportations is to be understood not only as a duty but also as a service to the public.Security audits represent pro-active elements of security management, a way of preventive identification of deficiencies and potential threats to the Security Management System (SMS).
Controls and analyses of compliance with security level standards are not only concerned with financial operations, technical and technological processes, IT sytems but also are fully applicable to the areas that ensure security of airports, passengers and air cargo against acts of unlawful interference.Appart from the service-related processes, airport activities of high importance also involve detection controls, checks of aircraft on airport movement areas, systems of entrances and accesses to restircted areas of the airport as well as further measures aimed at preventing inadmissible persons or objects boarding the plane and potentially committing an act of unlawful interference [3,4].
Until recently, in the times of complex political and societal changes, such requirements are more than actual.Quality of performing passenger, baggage or air cargo detection control (screeening) is a decisivie factor of air safety [5].Airport controls and screenings are aimed at protecting lives of aircrew, passengers and preventing material losses.The legislative part of air transport safety and security is vested into an airport security programme of the airport, the SMS, based on international standards of safety and security, internal rules and regulations.They all are mandatory documents of international organizations and national institutions, also dealing with the issue of audits.
It is indispensable for all the operational procedures involving security screening to be subjected to systematic, regular and continuous controls.Their role is not only in assessing the actual level of safety in the given area, but also defining measures to achieve overall improvement of the level of safety.The control mechanism ensuring quality and meeting requirements also involves a security audit applied to the individual procedures and the activities of departments responsible for the security of airports and the air transport processess [5,6].The audit itself must be in compliance with the airport security programme, specifying its methodology, ways and organization of control actions.

Airport security audit
In a country being member of the ICAO, there is a local professional authority supervising air transportation.In the majority of ICAO member-states, it is the competence of the local Civil Aviation Authorirites.In Slovakia, is this the Transport Authority competent of overseeing and controlling air transportation safety and security.Protection against acts of unlawful interference is ensured by way of measures and processes in compliance with the requirements of the airport securtiy programmes developed in accordance with the National Civil Aviation Programme of Security and the international legislative standards (Annex 17).Supervision of meeting the requirements of the National programme of security is enusred in via of the ICAO Universal Safety Oversight Audit Programme (USOAP), which is aimed at: • Defining the compliance with the requirements of implementing ICAO standards in the field of protecting aviation agianst acts unflawful interference, (unlawful actions), • Monitoring adherence to the recommended practices and procedures applicable to ICAO security standards when exercising contorl for security and screening, • Deifning efficiency of realizing and implementing safety and security measures by carrying through the required legislation, regulations and controls, • Providing counselling to ICAO member states in the field of developing and fulfilling national and airport security programmes, • Raising the overall level of safety in the individual areas of organization and realization of the air transport processes.
Safety audits to airports represent a way of evaluating the fulfilment and adherence to the safety standards applicable to air transportation with the aim to ensure the integrity of the national system of air traffic.The audits are performed by regulatory authorities, external auditing bodies, e.g. the State regulatory Body (Transport Authority of the SR).Airport security audits are rated among the elementary methods designed for monitoring the aviation security system at work.The principal goal of audits is to confirm that the individual operational components are functioning as an integrated system [7,8,9].Therefore, the regulative security audits should have their sufficient depth and width.
Optimal solution both for an audit and the airport security system is to focus on its parts as subsystems, for example: In the field of detection and screening of passengers, air cargo and protection of airport facilities, the key areas involved are as follows: • Oversight and compliance -adherence to and fulfilment of international, national and local standards of safety and regulative requirements, • SMS implementation -whether the SMS is conducted in compliance with the applicable international and national standards for security, • Risk management -if the organizational measures ensuring regular control, identification and evaluation of potential safety risks are implemented and adequate measrues are taken to eliminate them, • Areas of competence -if the positions are held by people beiog fully knowledgable and capable of meeting the SMS requirements, and whether they are sufficiently trained and educatied in the profession.(the adequate qualification need not automatically mean proficiency and managerial qualities), • Areas of responsiblities -whether the competencies are distributed properly and the measure of responsibility has been set to all the employees in terms of fulfilling the standards set forth by security programmes, • Structural aspect -whether the structure of fulfilling the security standards is reflecting the required level of training and professional skills of the employees, • Performance and technical level -if the performance and the technical outfit of check-points meets the required level for performing the checks and the services provided, • Area of support -if there are efficienty conditions for supporting security, monitoring of msafety and security and measures for coping with security issues and emergency situations, • Human factor -whether the personal and working conditions are adequate within the man -machine -environment system.
An important part of every security audit is the area of selfcontrol or self-audit.Critical self-evaluation is a tool of higher management [7,8,9] to measure the level of adherence to security procedures and process-based management.It can be realized in the form of a self-evaluation questionnaire, cheklist, interview or in other form.The aim of the self-evaluation is to identify the level of security policies and its culture at the various operational units.It can involve various applications, and is of great advantage to extend analyzis on all findings, both on the seemingly " false" answers and simulation-based decisions as well [10].
Under ideal conditions, airport security audits are to be performed regularly, as part of the airport security policies cycle, which involves planning, introduction, operation, monitoring, analysis, thereby maintaining and improving the overall level of security (see Fig. 1 and Fig. 2).This is the only way to ensure auditing of all airport activities and areas of operation within the framework of a comprehensive organizational plan for the evaluation of the overall status in providing air transportation safety and security.Security audits should produce regular and detailed overviews of compliance with the security measures, instructions and procedures at all departments or sections defined by safety competencies.To this purpose, it is inevitable to develop an organizational plan of audits for the individual departments/sections of the airport operation [11,12,7].

Planning and preparation of the audit
The prepared audit should be reported with a sufficiently long notice.Within the framework of this preparation, it is advisable to consult the individual steps and contents of the audit with the airport safety management [13,14].The auditing team has the right to ask the airport management to present internal materials and documentation relevant to the area of audit with a sufficiently long period prior to the beginning of the audit.
The initial steps of planning for the audit involve verification of the feasibility of the suggested schedule and familiarization with the nature of the information that might become necessary before getting started.It will also be suitable to specify the criteria within which the audit will be realized as well develop a detailed plan of audit along with the check-lists to be used during the audit.The contents of the audit plan should involve: • Presentation of the plan and the audit background; • Defining the aim of the audit, its purpose, extent and specification of the criteria, within which the audit is to be performed; • Address-bound specification a identification of areas to be verified, • Methodology of performing the audit; • Determining the schedule of the planned control activities; • Specifying the competencies and designating the team of auditors; • Form of developing checklists and the final report on the audit conducted.
The checklists consist of a complex series of questions grouped under joint headlines, covering the verification of all the fields and topics to be checked for.For the purpose of the airport security audit, the chekcklists should be focused on the following areas: • Meeting the requirements of the National Civil Aviation Programme of Security; • Development and level of organizational and safety guidelines and standards (operational documentation, manual of safety management, airport security programmes, emmergency plannes, organizational and methodological instructions and the like; • Structure of competencies within the framework of achievieng the goals of airport safety; • Level of the safety culture (reactive or pro-active); • Identification of potential threats and the process of risk management; • Forms of supervising safety (monitoring, inspections, audits etc.); and • Arrangements that ensure adherence to safety standards of subjects and subcontractors dislocated and operating in highly sensitive areas in terms of airport safety and protection.

Performing and extent of audit
Security audit should go beyond the limits of a standard inspection.Within the framework of the audit, the team of auditors should assess the adequateness of safety procedures and measures and whether there are other factors, which could unforeseeably impact air transportation safety as a whole.The extent of the security audit can involve control of all the activ-ities within a department/section, workplace up to inspecting a conrete activity, or even a person.The criteria of the prepared audit have to be specified in advance [8,9,11].During the audit, it is suitable to make use of checklists to ascertain for the coverage of the inspection in terms of all the planned processes, activities, tasks and functions.The extent and subtlety of the checklists will depend on the size, importance, copmlexity and the nature of the process-based activities to be audited.Success of the audit will depend on the mutual cooperation of all the components involved.Figure 3 is a clear illustration of the sequence of steps and activities when conducting the airport security audit.
Princles underlying the realization of the airport safety audit: • Inspecting the facts related to the fulfilment of airport safety programe in an objective way, • Making all the necessary documentation on the audited subject avalilable for the auditors, • Avoiding indications of blaming or threatening by disciplinanry punishments within the framework of the audit, as they will prove counterproductive, • Providing airport security managements and feed-back regarding the audit findings, • Attributing great importance not only to the negative but also the positive feed-backs on facts revealed during the audit, • Avoiding negative critique when conducting the audit, all that despite of unambiguous identification and anylisis of the defficiencies, • Presenting the final report and recommendations from the audit to the airport security management and the individual departments/sections, employees following a pre-defined period of time, • On completion of the audit, developing a plan of solving and eliminating the deficiencies identified.
It is recommended to implement a monitoring mechanism to verify the efficiency of the performed audit and for the purpose of accepting the correlational and remedial actions.A follow-up or secondary audit cannot be planned in advance.It depends on the results of the pirmary audit, whether some undesired trends, deficiencies or shourld if any doubts regarding the implementation of the airport safety policies have been raised or not.

Auditing team and testing
Depending on the extent of the inspected area, safety audits can be realized by a single person but most prequently by a team of auditors.In case of an internal audit, it should be performed by experienced and trained individuals from the airport company.However, with objectivity and the potential conflict of interest in mind, it is more advisable to have audits conducted by external auditors, however being adequately qualified eith professional experiences in the field to be audited.Sound knowledge of the applicable regulations as well as the entire SMS can also be defined as precondition of quality in performing audit within the framework of the inspected process or activity.Being familiarized with the procedures and techniques of auditing should be a matter of course.Individuals selected for the purpose of audit should be also creditable to those subjected to the audit.Realization of the audit should involve managerial, technical and physical aspects, too (Fig. 4).Members of the auditing team themselves should be independent of the subject of audit, as much as possible.With respect to the extent and the contents of the audit, members of the audit team should be persons neither be responsible nor involved in the activites inspected.Only then can the asssessment be neutral and independent in term of airport operation and organization.In case of an internal audit, the auditing team should not be made up exclusively from the airport management, potentially representing a " threat"to the employees being objects of the audit [8,7,15].It is therefore accepted that an external specialist is participating in the internal audit.In case of external audit, on the part of the professional oversight, the composition of the auditing team can be determined with due regard to the verified area, extent and goals of the audit.Verification (testing) of the airport safety system is a complex and time-consuming process, which is affected by several internal and external factors, see Fig. 5.
Within the framework of a more extensive audit, it is necessary to appoint the head of the team, who will be held responsible for the audit in terms of its realization, programme and fulfilment of tasks.The individual members of the auditing team are then assigned tasks by their professional focus and qualificational merits.Essentially, realization of the audits is a certain form of inspection.Fundamental to a well-performed audit are information and monitoring.During safety audits, there are tendencies to often limit monitoring only to areas, which fail to comply with the applicable legislation.However, it is important to realize that such inspections do not bring relevant results and their contribution is rather limited, mostly dut tothe following reasons: • Airport can exclusively rely on the organ of the audit in what they it meets or fail to meet the standards.• The areas and standards inspected will be fulfilled only during the inspection of the auditor.• The report from the audit will them be superficial and may point out only those areas, which have been identified unaccapteble in the time of inspection, • As a result, the audit fails to fulfil its pro-active function.
Every audit should start with an opening meeting, breafing, during which the head of the audit will explain the safety maangement the goal and the extent of the audit.Then he will go into practical details and specific issues of the audit as well as the questions raised in connection with the functioning of the auditing committee.
Way of performing audit must include auditing legislative and operational documentation, interviewing the employees and monitoring /observing the controlled activities.
In case of auditing legislative and operational documentation, the team of auditors should have available the the individual documentation so as to be capable of systematically reviewing the areas to be verified in line with the approved plan of audit, its scope and contents.The findings obtained from monitoring should be recorded on standardized monitoring archs.If during the audit, a concrete area of interest is identified, it should be subjected to more detailed inspection.
In case of interviewing the employees, asking questions is the main form of obtaining information for the auditors.This method also provides supplementary information, which do not form integral part of the written documentation.Interviewing the employees also represents a certain kind of inquiry, search for options of solutions to problems and assessing the extent of employees' engagement in the fulfilment of the SMS goals.The purpose of the interview is to obtain information and not to be bogged down in discussions.
After successful completion of all the auditing process, the auditing team should collectively reassess all the fields monitored, comparing them with the valid legislation and procedures.The aim of monitoring is to confirm or reject the rightfullness/correctness of the activities and the measures taken, identify the deficiencies, discordances and assess the potential threats to security.

Conclusion
After completion of the audit, the airport management has right of asking for the final report of evaluation, or the interim reports of evaluation during the audit.The official report from the audit should become an objective presentation of the results of the security audit.The best way appears to be the one if the auditing team, on completion of the audit, organizes a final meeting not only with the security management, informing them on the findings, recommendation to remedial actions but also with the positive aspects of the area.Any of the obtained deficiencies or discordances must be clearly defined in the evaluation report and eliminated within the preagreed deadline.Management of the section or department is responsible for developing a plan of remedial actions describing the shortcomings to be eliminated.This plan is to be submitted/handed over to the auditors' committee for the remedy to be effected.The manager of the inspected area is responsible for timely implementation and realization of the appropriate remedial actions.
In case of deficiencies, discordances or safety gaps, the auditing team can order a secondary audit to be performed.Its goal is to unambiguously indicate the status of the implementation of agreed remedial actions and their fulfilment or non-fulfilment.
Information safety -protection of classified data, personal data, computer networks and IT systems • Technical solution -detection and screening of passengers, baggage, air cargo and catering • Mechanical protection -fences, mechanical barriers, lighting • Physical protection -entrance and exit of the employees to and from the airport areas • Adequate mode of protection -security programmes, standards and guidelines • Safety of movements at airport areas • Ecological and fire-fighting safety • Safety of technical and technological processes • Man-Machine-Environment safety • Labour safety and health portection, etc.

Figure 1 .
Figure 1.The PDCA diagram of improving security and protection in air transportation.

Figure 2 .
Figure 2. Development of the process of writing an audit program.

Figure 3 .
Figure 3. Process-based procedures of the airport security audit.

Figure 4 .
Figure 4. Organizational and operational aspects of the airport security audit.

Figure 5 .
Figure 5. Testing of an airport security system.