January, 2015

Back to Publications Page

US Customs Audit Program—
Major Changes Coming

Mark K. Neville, Jr.

[This discussion marks the 100th appearance of this column, in a nearly unbroken line dating to the summer of 2006. It is an honor to share these reflections with you.]

The United States was one of the first countries to shift compliance away from the border and to move to a post-entry program of audits. The theory was that a compliant company was one that would be paying all of the duty owed, so there was a pay off in increased revenue as well as the direct benefit of a more compliant community. Dating to the Customs Modernization and Simplification Act (the Mod Act) of 1993, the emphasis was newly placed on the importer showing that it met its twin burdens of “informed compliance” and “reasonable care.”1 For its part, US Customs promised that it would be more transparent and that there would be less of an adversarial relation with the import community. In fact, a partnership was proposed.

Customs proved true to their word. Prior to the changes, the audit experience was completely different. First, many importers were never audited, as there was no systematized process whereby companies were selected for audit. Apart from the relatively scattered, hit-or-miss character of the audit selection, the process of the audits proved quite secretive. Customs auditors played their cards very close to the vest, so there was little in the way of publicly available information about the manner in which the audit would be conducted, time limits were long forgotten as audits dragged on interminably, and there was even a difficulty in obtaining a copy of the audit report. All of that changed with the CAT program. The Compliance Assessment Team (CAT) audit program was an ambitious attempt to audit the top 3000 importers. Unveiled in 1995, the CAT was a good faith effort by Customs to make good on its promise to be more open and partnering. In fact, the audit program was made available to the public, through the online publication of the “CAT Kit,” and there was no excuse for surprise by the importer at the direction of a CAT audit. Instead, the Customs playbook was laid open and even a little effort by the importer or its advisors would pay big dividends. The importer had access to the questionnaire that would be sent to the importer. The importer’s responses to the questions posed there would be used as a guide by Customs in focusing on one or more areas.

All of the procedures were laid out and the importer was entitled to a post-audit closing interview and a copy of the audit report. Despite Customs’ good intentions, and despite its very obvious improvements over the earlier case, the CAT stalled. This was largely due to the transaction sampling. If Customs were going to sample for general compliance as well as compliance for targeted programs, such as created by an importer’s taking advantage of the Generalized System of Preference (GSP) or the NAFTA, then the auditors would wind up sampling hundreds of transactions. There was no way that the target of completed audits of the top 3000 importers could ever be reached, and indeed it was not reached. Customs scrapped the CAT in October 2001 for the Focused Assessment (FA) Program.

The hallmark of the FA was its emphasis on the internal controls plus its “work smarter” emphasis on directing close attention only to areas where a deficiency was revealed. This was accomplished through a two-phase plan, both of which were to be preceded by the familiar questionnaire. The responses to the questionnaire would lead to a Pre-Assessment Survey (PAS) focused on the internal controls and some limited sampling. CBP employs a simple analysis of risk determination. Risk falls into one of two categories, acceptable risk and unacceptable risk. Unacceptable risk means not only significant internal control deficiencies and/or material noncompliance, but also repetitive immaterial noncompliances. If unacceptable risk is the finding, more compliance testing is on the way. CBP will close the PAS and proceed to the second phase, the Assessment Compliance Testing (ACT). A central feature of the FA audit process has been that the importer would be allowed to rectify mistakes or to improve defects in its controls within a reasonable time frame through a Compliance Improvement Plan (CIP), and Customs might then verify that the CIP steps were actually implemented with a Follow-Up Audit.

Changes to FA Program

All of the foregoing is good background information for the FA changes announced by CBP2 in October 2014. The changes are motivated by a need to keep pace with environmental changes since the last major update and are also aimed at incorporating the latest developments in accounting and auditing methodologies. As part of the “roll out” process, CBP provided useful information on the FA candidate selection process. CBP takes into account various factors, including company size, complexity of the company’s business model, the nature and volume of import activity with regards to sensitive areas and priority trade issues (which CBP terms “audit areas”) such as antidumping, Intellectual Property Rights (IPR), textiles and apparel and imports under the NAFTA and other Free Trade Agreements (FTAs).

Medium Companies Beware

Large companies have long been aware that they can expect an FA. In general, small businesses are outside the scope of FAs. CBP has signaled that their FAs will start to include more of the mid-cap companies. These are companies at real risk, because they may not have allocated the resources needed to meet their compliance obligations.

FA Largely Unchanged

Importantly, the heart of the FA remains unchanged. It is still a comprehensive audit of an importer, focused on an assessment of the importer’s internal control over its import activities to determine if the importer poses an acceptable risk for complying with CBP laws and regulations. One change is to align risk assessment with the “audit risk” model (with “audit risk” defined as inherent risk x control risk x detection risk). The familiar three phases remain: Pre-Assessment Survey (PAS), Assessment Compliance Testing (ACT) and follow-up audit of the CIP. The timing is also unchanged, with CBP noting that their goal is to conduct an FA within nine months. Presumably, too, the audit cycle remains tied to the fiscal year for CBP, October 1 through the following September 30. The FAs are scheduled on a FY basis.

Changes to PAS

The changes for this first phase are limited to the PAS, and later-phase changes are expected in the future. The changes comprise
  • an increased emphasis on the consideration of significance/materiality in making audit decisions,
  • expanded guidance on tailoring the audit approach to suit the specific circumstances of the importer,
  • replaced sample size matrices with more general sample size ranges, and
  • changes in report language.

In truth, CBP considers the PAS to be almost a stand-alone audit. The goal of the PAS remains unchanged, i.e., to determine whether an importer’s import activities represent an acceptable risk to CBP through an assessment of that importer’s internal controls such subject areas as what I have begun calling the “Big Three” (tariff classification, valuation and origin) and such other potentially problematical areas (the Priority Trade Issues) as FTAs, “American Goods Returned” (Headings 9801 and 9802, Harmonized Tariff Schedule of the US) and trade remedies (antidumping and countervailing duties).

The PAS is comprised of a seven-step process
  1. Obtaining an understanding of the importer and its business, including a Preliminary Assessment of Risk (PAR), opening conference, questionnaire (renamed the Pre-Assessment Survey Questionnaire) responses, walkthrough and interviews and document review.
  2. Assess Audit Risk
  3. Conduct detailed testing
  4. Evaluate testing results
  5. Make risk determinations (acceptable or unacceptable) for each audit area
  6. Draft the audit report and obtain responses
  7. Conduct exit conference and issue the report

The PAR refers to the internal, pre-notification to the importer review of the importer’s import activities, factoring in such considerations, inter alia, as volume of activity and such revenue implications as tariff numbers, entry type, special indicators; examining past three years to reveal any changes, trends or anomalies; impact of importer activities on the Priority Trade issues (see above); history of noncompliance; potential risks posed by tariff numbers, MIDs, country of origin.

Effect of Internal Advice or Ruling Request

One change that is especially welcome for importers and their advisors is that if there is an open question, the risk may be classed as acceptable. Disputes with the audit team on matters of legal interpretation occur far too often, with the auditors attempting to discharge a role that is outside their mandate. The remedy is usually for the importer to have the matter of interpretation sent to the attorneys at the Office of Regulations and Rulings within Headquarters on an Internal Advice request or for the issuance of a ruling. This is long over-due.

Importer Preparations

To be sure, the importer does not need to wait for a letter from CBP notifying an impending FA. Just as CBP will be conducting its PAR on its own turf, and at a time of its own choosing, so too does the importer always have the opportunity to prepare for an FA. Whether the importer is working on its own initiative or is being prompted to act by a notice from CBP, an importer will have an opportunity to conduct its own internal review, with a focus on uncovering gaps in its controls.

Note that the importer’s controls should be reduced to a writing. CBP has moved away from its long held position that the lack of written procedures is automatically an indication of unacceptable risk. Still, written procedures are a better practice, as they more readily connote an institutional capability. Thus, it is imprudent to not have a written procedure even if the importer is managing its risks properly but only because a particular manager is on top of the issues. CBP might rightly ask, what happens if that person leaves the importer’s employ or is re-assigned? Without a written process, the importer has no institutional capability.

But be careful to recognize that CBP is looking for the actual, on-the-ground state of play, the “operating effectiveness” of the controls. It does no good for an importer to have a written policy, such as represented by an off-the-shelf, “one size fits all” pre-packaged set of procedures purchased on the open market if the process does not fit the importer’s actual business flow or, even if it was tailored to the importer’s actual case, if it is not being implemented or followed.

Gaps in controls could be found in communication between departments, whether and how corrections are reported to CBP and, at the heart of customs valuation, whether there are sufficient processes whereby specific purchase orders, invoices, and payment records may be tied to a specific customs entry. One example of a frequently encountered problem is with quantities. If the import documents all show a specified quantity, say, 100 units, but the quantity actually received into the warehouse is 97 or 103, there may not be a process by which the discrepancy is notified to the customs broker. As a result of such a failing, debit or credit notes may have been generated in response to the discrepancy, which would have been reported ultimately to the accounting department, but there is no ability to correct the record with CBP.  

One change CBP made was on its PAS testing methodologies. . In general, CBP felt more flexibility was needed. CBP takes judgmental sampling from the company’s books and records for compliance and controls that occur at the transaction level and look at proof of payment, as well as at such transactional documents as freight invoice/bill of lading, accounting books and records, commercial invoices and purchase orders. The prior sample size matrices (1-20) are eliminated and replaced with more general guidelines. For example, a population of equal to or greater than 250 transactions will lead to a pull of 25-40 samples. A population of smaller than 250 may lead to a pull of 10%. For those smaller populations, as where the controls are conducted on a periodic basis, perhaps 2-10 occurrences will be adequate. CBP notes that stop-and-go statistical sampling may be used.

Importer Self Assessment (ISA)

After the FA is completed, what’s next for the importer?

CBP notes that an importer who has been found to have an acceptable level of risk may apply for the ISA, which would get it out of the audit pool for future FAs. This is certainly a very valid opportunity and should be given a very close review. After all, why would an importer who has successfully completed an FA want to go through the process again?

To be eligible, the applicant must apply within12 months of the FA completion and be either be a US or Canadian resident importer, and a participant in C-TPAT. The company will need to complete an ISA Memorandum of Understanding and develop a risk-based self-testing assessment plan.


1. For the latter standard, see 19 USC § 1484 (a).

2. The US Customs Service was re-named Customs and Border Protection in 2003 and housed with the Department of Homeland Security.

Back to Publications Page