U.S. Customs and Border Protection (CBP) has updated its Focused Assessment (FA) and audit guidelines for the first time since 2003. FAs assess an importer’s internal controls and identify possible issues to ensure compliance with Customs law and regulations. Most of the changes to the FA program are shifts that allow auditors more flexibility in determining the scope of an audit and parameters for analysis. CBP believes this will provide more substantive and effective analysis. The update is effective immediately, as of October 1, 2014, so importers should be mindful of the changes to FAs in order to be better prepared for a future audit.
The changes to the Focused Assessment program focus on the Pre-Assessment Survey (PAS) stage, the first phase of a FA. CBP will update the rest of the FA process in the near future. The FA process has three general phases: the PAS, ACT (Assessment Compliance Testing) and Follow-Up. The ACT and Follow-Up stages take place if it is determined there is unacceptable risk during the PAS. During a PAS, CBP reviews the company’s import program to assess controls and possible risks. Auditors then test them to determine whether there is an acceptable level of risk. If the risk is determined to be acceptable, the importer is colloquially termed to have “passed” the audit. CBP would then forgo the ACT and Follow-Up phases of the Focused Assessment.
The FA update affects all aspects of the PAS. Many changes highlight CBP’s desire to receive more information about the company’s business practices and import activities earlier in the process to allow auditors to better tailor the audit to each company’s profile and therefore produce a risk assessment that more accurately reflects risk for that importer. For example, CBP has changed the name of the initial questionnaire from “Internal Control Questionnaire” (ICQ) to “Pre-Assessment Survey Questionnaire” (PASQ). The PASQ has additional questions that CBP believes helps auditors in the preliminary stages of the FA. The updated PASQ can be found here.
Many changes have been made to the Preliminary Assessment Review (PAR) stage of the PAS. The PAS still focuses on risk assessment, but the changes also permit auditors to learn more about the audited importer while refraining from making substantive risk assessments until later in the PAS process. Auditors have the discretion to request as much, or as little, information as they determine necessary to accurately assess the risk of noncompliance. One main change to the PAS addresses the size of the judgmental sample. Rather than using set matrices to determine sample sizes, auditors now follow general guidelines. For example, if the population of the sample is more than 250, an auditor can select from 25-40 sample lines. Auditors may also use “stop-and-go” statistical sampling. Instead of performing a routine judgmental sample, identifying issues for further exploration and then performing a full statistical sample to quantify issues and loss of revenue, auditors have the choice of simply creating a statistical sample. Auditors can bypass this two-part process of sampling and merely take a portion of the statistical sample to be used for judgmental sampling purposes. If the portion reveals errors that require further review, the full statistical sample can be utilized. It is CBP’s belief that using this “stop-and-go” method benefits the importer by not having to pull additional import data and entry records as would be required under a two-part sampling process. Overall, it is believed this new method would benefit both CBP and importers by expediting the overall FA and making it less burdensome on the importer.
Depending on the level of risk and complexity of issues seen by the auditor during the judgmental sample and onsite interviews, the auditor can increase the scope of the FA as determined necessary. Also, auditors are no longer bound to automatically analyzing certain core issues in a FA, including value and classification. If an auditor deems that classification is not an issue for an importer based on available data and company profile, for example, an auditor can decide not to delve into this issue in the FA.
At the end of the PAR phase, auditors have traditionally labeled an importer’s level of risk (e.g., high, medium, or low) before moving on to later parts of the PAS. This labeling has been removed to allow for a more fluid risk analysis by the auditor, and to allow the auditor to render these qualitative assessments later in the overall FA process. Auditors will also allow new risks to be studied that weren’t initially stated during the PAR and may later eliminate audit areas that were initially included in the PAR.
The changes to FAs after the PAR also emphasize CBP’s shift to a more customized auditing technique according to the importer’s activities. For example, the FA update eliminated the formal Entrance Conference at the beginning of the FA and will instead simply provide reference materials and explain the FA process to the importer.
Auditors will also place increased consideration on the size of the company as part of their assessment. Larger importers inherently have more risk, and therefore likely need a more formal system. Conversely, small and medium-size companies present less risk and have fewer resources so they will likely be fine with a simpler and less formal system.
CBP has also eliminated the Worksheet for Evaluating Internal Control (WEIC). The worksheets were previously used by auditors to ensure uniformity in the audit approach for evaluating internal control. Instead, auditors now use an unlabeled set of general questions that allow for a more open and comprehensive response by importers, and an assessment tailored to their specific company profile.
Of course, the ultimate determination at the conclusion of a PAS is whether a company’s controls present an acceptable amount of risk. Continuing its focus on customization in every audit, CBP is increasingly emphasizing that a lack of formally documented internal controls and written policies is not a per se indication of unacceptable risk. A company may still have sufficient procedures in place where auditors can still obtain an understanding through the PASQ, interviews, walkthroughs, and inspections of documentation. Similarly, auditors are now less likely to find unacceptable risk under certain situations, such as where noncompliance or internal control deficiencies are deemed not significant enough to be reported as a finding, or implementation of internal control cannot be verified by auditors, but material noncompliance is not detected.
The FA update is a conceptual shift in CBP’S focus and auditing technique as opposed to the addition of more stringent or technical rules. Nonetheless, companies should be aware of the changes and how they will be affected. The audit will not be conducted according to a standardized list of requirements and actions which are completed by checking boxes on a checklist. CBP is making FAs more substantive and customized which forces companies to stay vigilant and maintain compliance with Customs laws and regulations.