Major Overhaul to Focused Assessment Program Could Mean More Testing, Longer Audits
A major facelift to the Focused Assessment program U.S. Customs and Border Protection uses to evaluate compliance could mean a major headache for importers. The first significant changes in more than a decade took effect Oct. 1 and could result in more testing, heavier paperwork burdens on importers, longer audit cycle times, and inconsistency among FAs by region or industry for small and medium-sized importers.
Sandler, Travis & Rosenberg will be conducting a webinar Oct. 8 to discuss these changes, as well as a number of issues concerning the revised FA process that remain uncertain. A former senior official from CBP’s Office of Regulatory Audit will highlight areas of potential concern and provide information that can help importers to not only lower their chances of being selected for an audit but also prepare to undergo an FA or other audit should it occur. Click here for more information and to register to participate.
FAs have been the primary audit tool for CBP’s Regulatory Audit for more than 15 years, replacing transaction-based compliance assessments with a less intrusive system that emphasizes assessments of risk based on evaluations of internal controls. The FA process generally encourages importers to take a more active role in identifying and remedying noncompliance and internal control deficiencies and helps CBP decide whether to initiate collection or other enforcement actions.
However, the program has not been updated since 2003 and CBP is therefore revising it to reflect significant changes in the U.S. and world economies, CBP’s own risk parameters and processes, business practices, company profiles, government auditing standards, and standards for internal control evaluations that have taken place during that time. Areas in which importers will see some noticeable differences include an increased emphasis on the consideration of significance or materiality in making audit decisions, greater flexibility for CBP auditors in tailoring FAs according to the specific circumstances of each importer, bigger sample sizes and changes in the language of audit reports. Larger importers may see a greater emphasis on assessing and testing internal controls, while those that are smaller may see more emphasis on assessing and testing compliance.
It’s important to note at the outset that the fundamental nature of the FA program is not changing. It is still risk-based and still has three phases: pre-assessment survey, assessment compliance testing and follow-up. FAs still evaluate the risk of noncompliance posed by the importer’s activity through assessments of internal controls and will still result in a determination of acceptable or unacceptable risk. The process for compliance improvement plans and follow-up audits is consistent with previous practice, and CBP will still be able to conduct an ACT or permit the importer to perform self-testing under CBP supervision.
Nevertheless, there are some notable changes that importers should be aware of, as discussed below.
FA PAS Process Changes
Pre-Assessment Survey. The objective of a PAS is to assess the importer’s internal controls over compliance with applicable CBP laws and regulations and determine whether import activities present an acceptable risk of noncompliance. A PAS typically covers the most recently completed fiscal year and multiple review areas (value, classification, free trade agreements, etc.) are usually involved, depending on the nature of the import activity and the auditor’s consideration of risk and significance.
Under the revised process, the importer will be engaged to provide certain information (e.g., written policies and procedures, working trial balances, chart of accounts, etc.) earlier in the process so that CBP can more accurately define elements of risk and better tailor the PAS questionnaire, which has replaced the internal control questionnaire. Auditors will no longer conduct an onsite formal advance conference and instead will explain the FA process to the importer and provide reference materials informally.
Preliminary Assessment of Risk. Historically, at the start of a PAS, CBP would document a preliminary assessment of risk based on initial work performed to obtain an understanding of the nature of the importer’s import activity and its prior audit and compliance history. The PAR considered both qualitative and quantitative elements of the risk of noncompliance, eliminating from the scope of the audit areas determined not significant enough to warrant further attention.
CBP will no longer assess the level of risk at the start of the PAS and instead will wait until more of the audit effort is complete. There will be an increased emphasis on significance and materiality in determining areas to include or exclude from the audit, ensuring sufficient audit work is performed to obtain an accurate conclusion. However, areas included in the beginning of the audit may be later eliminated based on the additional information. While CBP will no longer require the value and classification review areas to be included in the scope of an FA, it also states that elimination is unlikely.
Preparing for the FA PAS. Once an importer is notified of an FA PAS, an entrance conference is scheduled and a confirmation letter is sent that may include a request for the importer’s written import-related policies and procedures, a description/flowchart of the importer’s customs activities, and a copy of the importer’s general ledger, working trial balance and other accounting information such as audited financial statements and any applicable transfer pricing studies. Once this information is received and reviewed, the auditors intend to (a) tailor and issue the PASQ soliciting information about the importer’s internal controls and environment and (b) identify “walkthrough entries” and the documentation for those entries that should be ready for the entrance conference. At the conference, walkthroughs and interviews are conducted to determine the importer’s processes for purchasing and receiving foreign merchandise, recording in inventory, paying foreign vendors and declaring goods to customs. Auditors use this information to identify what could go wrong, where it could go wrong and the likelihood that it might go wrong.
Under CBP’s revised procedure, the number of walkthrough transactions (traditionally three to five entry lines) is likely to increase, as CBP plans to select several entry line items for walkthroughs for each audit area based on the perceived risks identified. The PASQ is being expanded to obtain additional information regarding business practices and import activities that can help better identify potential risks. The entrance conference may also include a discussion of any statistical sampling plans to be employed if known at that time.
Testing Methodologies. CBP is replacing its sample size matrices with more general guidelines that will likely yield increased sample sizes for testing of both internal controls and compliance. This change will enable Regulatory Audit to not only (a) better assess the risk of material noncompliance and determine the most appropriate reaction but also (b) reach a conclusion of acceptable risk where it might have concluded otherwise for potentially immaterial or non-systemic issues or a lack of documented internal control. When testing reveals problems, the risk will be reassessed and the audit approach will be modified accordingly.
Assessment of Risk. The FA PAS concludes with an overall assessment of the risk of material noncompliance. In making this assessment, auditors will now evaluate inherent, control and detective risks to adjust the amount and type of procedures they conduct to reduce (to an acceptable level) the risk of arriving at an incorrect or inappropriate conclusion. In addition, the focus of the audit may be varied based on the auditor’s expectation of the operating effectiveness of the importer’s internal controls.
CBP is also updating its approach to reflect that a lack of formally documented internal control and written policies and procedures will no longer be an automatic indication of unacceptable risk. An importer may not have written policies and procedures, CBP notes, but may have a lot of good practices and procedures in place that auditors can still obtain an understanding of through the PASQ, interviews, walkthroughs and inspections of documentation. While a lack of written policies and procedures will increase the extent of compliance testing, that testing can demonstrate that the practices and procedures are indeed effective.
In addition, CBP states, the size, complexity and risk profile of the importer will affect the extent and formality of internal control that is necessary to ensure compliance. Larger importers have greater resources but more risk and are therefore likely to need a more formal system, while small and medium-sized importers have fewer resources and potentially pose a lower risk and are therefore likely to need a simpler or less formal system. As a result, in the FA PAS, the auditor may rely more heavily on control testing of larger importers while relying more heavily on transactional compliance testing of small and mid-size importers to address identified risks.
Finally, the worksheets previously used by the auditor to ensure uniformity in the audit approach for evaluating internal control are being eliminated and “reimagined” into general questions auditors may consider in assessing internal control rather than a checklist.
PAS Risk Conclusions. The FA PAS results in a determination of either acceptable risk or unacceptable risk. For unacceptable risks the auditor either allows the importer to develop a compliance improvement plan and conduct self-testing or proceeds to assessment compliance testing if the importer declines to develop a CIP or is not a good candidate or CBP determines a need for more immediate compliance testing.
Under the new changes, reportable internal control deficiencies and unacceptable risk conclusions are linked to material noncompliance. Auditors may now report acceptable risk when (a) noncompliance or internal control deficiencies are deemed not significant enough to be reported as a finding, (b) the implementation of internal control cannot be verified but no material noncompliance is detected, and (c) there are unresolved matters that do not involve an internal control deficiency (e.g., a difference in opinion awaiting the results of an internal advice or ruling). These revisions are aimed at ensuring that resources are being used to address significant risks of material noncompliance. Nevertheless, CBP cautions, auditors will consider all the circumstances in totality in drawing their risk conclusions and there may be other factors that impact those conclusions.
PAS Finalization and Reporting. The conclusion of the FA PAS process includes drafting the final report, providing the draft finding sheets to the importer and obtaining a formal written response, holding the exit conference and issuing the final report. Changes being made to this segment of the proceeding include (1) limiting the conclusion to the scope period of the audit, (2) including language expressing the inherent limitations of internal control and cautioning against the projection of the results to future periods, and (3) including language describing the limited nature of procedures performed for IPR, FTZs and NAFTA (when applicable). CBP notes that these conditions “have really always existed” and that it is now explicitly stating them.
Transition to ISA. Importers with an acceptable risk conclusion in all audit areas will have the opportunity to transition into the Importer Self-Assessment program. If the importer is a C-TPAT member, it can apply for ISA and will be reviewed in an expedited fashion. In addition, the importer will not need to undergo the application review meeting that is routinely scheduled for ISA applicants. Once accepted, the importer will still have to meet all ISA requirements to maintain membership (annual written notification letters, perform periodic self-testing, etc.).
Preparing for FA Changes
There are a number of steps importers can take to adjust to these changes. One is to develop documented policies and procedures for all components of internal control at the corporate, divisional, departmental and individual levels and to be able to demonstrate (e.g., through documentation or knowledgeable staff) that policies, procedures and internal control activities actually occur and are followed. In addition, any and all risks identified, both realized and potential, should be addressed. Finally, monitoring, assessment and testing of internal controls should be conducted by qualified parties outside the import department and the results and corrective actions taken should be documented.