ICSF encryption is active and per IBM doc, to secure the refresh instorage option, they need to secure class CSFSERV resource CSFREFR. They are not seeing any SAF calls made for this when they run the ACF2 SECTRACE.
The ICSF CHECKAUTH parameter controls whether or not RACROUTE security calls are made for callers that are supervisor state or are running in a system key (key 0 - 7). Typically, programs running in supervisor state or in a system key would be considered authorized and would not need any extra authentication. ICSF parameter setting of CHECKAUTH(YES) will turn on the needed SAF calls.
The CSFPRMxx member of SYS1.PARMLIB contains the ICSF startup parameters including the CHECKAUTH parameter. Note that with CHECKAUTH(NO), accesses to the ICSF services are not logged in SMF records for callers that are in supervisor state or in a system key.