U.S. Customs and Border Protection (CBP) states that a CTPAT member, regardless of its Tier level (1, 2 or 3) must conduct a routine internal security audit on all security measures used to secure its international supply chain.
The audit will ensure that these measures are carried out consistently and effectively. Furthermore, an external security audit should be conducted in order to verify the accuracy and implementation of the security measures listed in the internal audit. In addition, to the SCSS (Supply Chain Security Specialist) requesting to see a copy of the internal/external audit at the time of the validation and subsequent revalidations, it is an excellent tool for preparing for present as well as future validations as well.
Prior to preparing the internal security audit, Norman Jaspan Associates, Inc. (NJA) will work with the CTPAT member in reviewing the supply chain flow chart which is incorporated within the internal audit. The supply chain flow chart enables member to identify their exposure to risk. You begin with the shipper and end with the importer and/or consignee regardless of whether the CTPAT member is responsible for contracting the supply chain provider.
NJA will work with the CTPAT member in preparing the internal security audit and then upon completion, will conduct an external security audit. If any deficiencies are identified, NJA will help you create and implement the written procedure.
CTPAT Background Checks
Supply Chain Security Specialists (SCSS’s) have been asking the following Human Resources related questions during the CTPAT validation phase:
- Do you have an employment application and a written release & consent form completed by the applicant?
- Have you hired anyone since you started the CTPAT process?
- Have you conducted a through background check, which includes the verification of previous employment, and the verification of education (if applicable) to validate the candidate’s time line?
- Have you conducted a criminal history check?
- Have you verified the social-security number of each newly-hired employee?
The SCSS will not only ask to see the supporting documentation for the aforementioned issues, but may ask to see the raw data received from the courthouse.
According to U. S. Customs and Border Protection (CBP), all CTPAT employers must verify each new employment candidate’s background. In addition, employers must conduct criminal checks for new employees as well as present employees (a few each year) and verify the candidate’s social-security number. All new and present employees must complete the I-9 form and provide required documentation (Immigration Verification Employment eligibility provisions required by law). During the validation phase CBP is verifying that the CTPAT member is conducting thorough background checks and has the corresponding paperwork on file.
Norman Jaspan Associates, Inc. (“NJA”) provides an employment verification service. A SCSS recently told one of our clients, “By having employment verifications done professionally, it shows that you’re taking the (CTPAT) program seriously.” NJA will investigate and verify the following required information:
- Employment Verification including duties and responsibilities
- Education including advanced and specialty degrees
- Salary – if available: base plus extras; such as commission, bonus, allowances, etc.
- Social Security Number
- Criminal background check for the county(s) where the applicant presently and previously resided.
Since many employers offer an applicant a salary package based on their education, degrees and prior salary, verification of these items can prevent you from overpaying your candidates.
We will also train your staff on the appropriate questions to ask when conducting an interview, as well as how to evaluate the information listed on the resume and application. In order to conduct a background check, we will need a copy of the applicant’s following documents:
- General Release and Consent Form – Completed by new and present employees.
Please compare dates between the application and the resume. If the dates are not the same, ask why. At minimum, make sure that all dates are listed as month and year, not just the year.
Please contact NJA so that we can assist you with this important and necessary process in order to:
a) Review your hiring process and
b) Consolidate the hiring process when you have multiple locations.
5-Step risk Assessment Process (5SRAP): Supply Chain Security Risk Assessment
A supply chain security risk assessment (“SCSRA”) examines the security threat environment and operational vulnerabilities associated with a CTPAT member’s international supply chain. U.S. Customs Border and Protection (“CBP”) created the 5SRAP in order to help the CTPAT member in evaluating risk.
Even though SCSRA is not a new requirement to the CTPAT program, it enables CTPAT members to recognize that evaluating supply chain security risk is not only a domestic issue for examining their own facilities and processes in the US, but it is also an international issue.
The SCSRA is a CTPAT requirement for membership and maintenance of the program as well as for the validation and revalidation phase.
For the CTPAT member that does not have a security staff, a CTPAT budget or an employee dedicated to compliance issues, the 5SRAP is quite overwhelming and extremely time consuming. Many clients have asked “Is this program really worth it and where am I going to find the manpower to manage this new aspect of the CTPAT program within the framework of their new guidelines?”
Is it worth it? Yes. The CTPAT program has become the industry norm for companies that are eligible to join. Companies that are not eligible to join have trouble competing for business against companies that are members. As a result, non eligible CTPAT companies are finding alternate methods of demonstrating to their present or potential customers that they are meeting the minimum security requirements.
How can you find the manpower? If companies have downsized and are cautious about adding new staff and spending a lot of money on a program just to maintain it, Norman Jaspan Associates, Inc. (“NJA”) works with the CTPAT member as follows:
NJA has transformed Customs’ 5SRAP into a user friendly version that is easy to implement. NJA does not want the CTPAT member to view the 5SRAP as a separate program but rather as a catalyst to heighten the awareness of all parties involved in the member’s supply chain.
The 5SRAP consists of the following:
1) Map Cargo Flow & Identify Supply Chain Business Partners.
NJA starts the 5SRAP by creating a supply chain flow chart which helps the CTPAT member identify their exposure to risk. We begin with the foreign shipper and end with the importer or consignee regardless of whether the CTPAT member is responsible for contracting the supply chain provider. The flow chart is a picture of how the cargo moves from the point of origin to destination. It includes:
- List of countries that cargo is exported from.
- Modes of transportation-air, sea, rail, truck.
- Transit points-consolidators, deconsolidators, ports, CFS
NJA uses this information as the basis for creating a unique procedure and analysis for company flow of goods which clearly explains to both the CTPAT member’s employees and their Customs Security Specialist (SCSS) their operation flow.
2) Conduct a Threat Assessment
- Review the list of countries that you do business with based on dollar amount, volume and frequency. Verify CTPAT membership if applicable, or certification in an equivalent security program administered by a foreign customs authority.
- Use the following security threats at the point of origin to identify the risk in the supply chain:
- Terrorism- Political, Bio, Agro & Cyber
- Contraband Smuggling
- Organized Crime
- Theft, pilferage, hijacking and piracy
- Conditions within a country which may foster any of the above threats.
NJA will assist you in calculating the different levels of threat by providing you with reliable sources that rate the risk level which is constantly being updated. Risk is calculated as follows:
The C-TPAT member should monitor the above levels of threat on a yearly basis or more frequently if it deems necessary. If a particular risk status changes to “High Risk”, they should carefully review the particular supply chain and alert the respective members on what actions should be taken to minimize risk.
3) Conduct a Vulnerability Assessment
In order to conduct a vulnerability assessment, you should send a security survey to your business partners who are NOT eligible to join the CTPAT program, and do NOT participate in the CTPAT or a “mutual recognition” program. Other sources of information that can be used in conjunction with the security survey are site visits by company representatives overseas personnel/agents or third party supply chain security assessments.
NJA has customized a CTPAT security survey that incorporates all of the questions which will enable the CTPAT member to conduct a vulnerability assessment. NJA’s security survey also incorporates an audit function which is a method for an independent party, as defined in NJA’s security survey, to verify the integrity of the answers that were give by the business partner. This function is particularly important for the CTPAT member when preparing for the validation or revalidation phase.
4) Prepare an Action Plan.
Establish a corrective action plan to address all vulnerabilities found in the business partner’s security program. When creating an action plan, you must make recommendations that will change the status of your business partners from high or medium risk to low risk. Some of the categories that should be covered in the action plan include the following:
- Vulnerability identified
- Corrective action required
- Responsible company Point of Contact (POC)
- Responsible partner POC
- Progress Review date
- Corrective action deadline
- Evidence action taken
- Verified by and date
- Outcome of recommendation
5) Document How Risk Assessments are conducted
The purpose of creating a risk assessment procedure is to ensure that a responsible party as well as a “back up” employee will create and monitor the five step risk assessment on a regular basis. Some of the criteria that should be included in the procedure are as follows:
- Document Preparation
Please contact NJA to set up the 5 Step Risk Assessment program in a cost efficient manner which will minimize both your financial outlay and staffing requirements but will still enable you to identify and reduce risk throughout your whole supply chain.