Just for clarification, the company is on the IOSA registry and as such must comply with the IOSA Safety Recommended Practices and Standards (ISARPs).
Here is one ISARP in the Organization action of the ISM. The ISARP is repeated in each of the disciplines, FLT, MNT, CO, GRH, SEC, CAB.
Maybe I did not state it correctly but QA is a requirement of SMS as far as IOSA is concerned. It is NOT regulatory. I cannot say there is not a reference in FAA documentations but that does not mean it is not there. I also want to note that the ISARP does not mention how to conduct the program.

ORG 3.4.1 The Operator shall have a quality assurance program that provides for the auditing and evaluation of the management system, and of operations and maintenance functions, to ensure the organization is:
i) Complying with applicable regulations and standards of the Operator;
ii) Satisfying stated operational needs;
iii) Identifying areas requiring improvement;
iv) Identifying hazards to operations. [SMS] (GM) ►
Guidance
Refer to the IRM for the definition of Quality Assurance.
A quality assurance program serves to monitor, evaluate and continually improve operational safety performance, which are elements of the Safety Assurance component of the SMS framework.
Information gained from quality assurance audits can be used in the management of operational risk. Additionally, the quality assurance program could be structured to serve as a safety performance monitoring and measuring activity in an SMS. In some organizations the quality assurance program may have a different name (e.g. internal evaluation program