IOSA...
if the assumption of "goodness" is determined by the outcomes of the IOSA report... beware. IOSA looks primarily at documentation rather than implementation, and little meaningful correlation of actual system behaviour vs reports is conducted. What do I mean by this? The IOSA audit may find that the SMS is fine, however the incident reports do not reflect the policy of reporting vs QAR data capture... therefore there is a variation between the policy and reality/practices. IOSA AO are additionally paid by the parties that they are auditing of or for, and therefore have a dog in the fight, which is problematic. This may be well managed as a Chinese firewall, or not. The proof is look which airlines have gained glowing IOSA audits, and after you have stopped rolling around on the floor laughing, consider the implications.