Internal Controls and the ISA Program
U.S. Customs Bureau Offers Benefits for Demonstrated Compliance

By Frank Chioccola and Carolyn Muhlstein

E-mail Story Print Story

The primary mission of the United States Bureau of Customs and Border Protection (Customs) has significantly shifted over the past three years to security, and away from commercial import processing. Customs is trying to focus its limited resources by creating new programs that grant significant benefits to companies that can demonstrate strong internal controls.

One such initiative, the Importer Self-Assessment Program (ISA), permits importers to self-assess their customs compliance to avoid Customs audits and reduce the danger of costly delays for government inspections. Importers can achieve competitive advantages by strengthening their internal controls and availing themselves of ISA’s many benefits.

Importer Self-Assessment Program

ISA is a voluntary partnership between Customs and an importer to foster high levels of trade compliance. It allows the importer to demonstrate that it will self-monitor its controls over Customs compliance, based on the control framework established in SAS 78, and maintain a sustainable audit trail from accounting records to import entries. The premise is that importers with strong internal controls and oversight mechanisms will achieve the greatest compliance with Customs regulations and require the least Customs intervention. The government will reward these importers with special benefits while focusing inspections efforts on companies that lack controls.

Rewards of Self-Governance

“ISA gives importers an opportunity to leverage their investment in compliance to gain meaningful benefits,” according to Deborah J. Spero, assistant commissioner at the Office of Strategic Trade at Customs. An ISA-certified importer can receive government benefits that begin in as little as 90 days. Exhibit 1 depicts ISA’s major benefits, which include exemption from Customs audits. Furthermore, an ISA participant will enjoy greater business certainty, which often leads to enhanced investor confidence and faster and more efficient management of the supply chain. Shareholders concerned about a company’s internal controls may be reassured by an importer’s participation in a government-sanctioned internal control system. This is good news for company executives grappling with the spotlight placed on internal controls by section 404 of the Sarbanes-Oxley Act of 2002 (SOA). And for companies with a significant cost of goods in imports, the benefits are even greater.

Companies may already possess extensive documentation of their accounting procedures and related internal controls, such as accounting policies-and-procedures manuals. Through ISA, an importer may assemble a similar documentation trail and evaluate the effectiveness of internal controls over the import function.

Importers choosing not to participate may experience more Customs inspections, port-clearance delays, reprioritization of imports, and low-priority processing during port closures. “Nissan received its ISA certification at the end of 2002,” says Leslie Cazas, a senior manager of customs and international trade with Nissan North America, Inc. “We have already seen the benefits in many areas, ranging from greater efficiency in administration matters at the port level to rapid access to Customs Headquarters program managers for very timely problem resolution.”

ISA may also play a crucial role in an importer’s attainment of low-risk status and favorable Customs treatment. In the past, Customs generally categorized an importer as a low, medium, or high risk, with two grades in between. Risk categories were important in determining the level of scrutiny a company received. Those that had not been audited were usually considered medium risk and received moderate governmental scrutiny. But now, Customs has largely eliminated the middle ground, with companies categorized as low or high risk. ISA participation will be a key element to ensuring low-risk status.

How Does ISA Work?

A new era of partnership between the importing community and Customs began with the advent of the Customs Modernization and Informed Compliance Act of 1993. Under the law, Customs and the importer share the responsibility for compliance with trade laws and regulations. The government recognizes ISA-certified importers with special benefits, and Customs concentrates on companies that it believes lack controls.

To join ISA, an importer must develop a program around two major components. The first is a system of internal controls under SAS 78, which encompasses a framework of corporate objectives and control components (Exhibit 2 and Exhibit 3). (Although not mentioned by ISA, SAS 94 may be useful to companies when addressing controls over IT.) The second ISA component is a sustainable audit trail from accounting records to customs entry records, enabling an importer to match payments and expenses to merchandise entries.

Establish, document, and implement internal controls. The internal controls must incorporate five interrelated components.

Control environment. Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels. An effective internal control environment—

• sets the tone of the organization, influencing the control consciousness of its people;
• is the foundation for all other components of internal control;
• describes “organizational culture”;
• includes a commitment to hire, train, and retain qualified staff; and
• encompasses both technical competence and ethical commitment.

Risk assessment. A risk is anything that endangers the achievement of an objective. Companies should always ask: What can go wrong? What assets do we need to protect? Companies should consider developing a risk matrix that can—

• identify, analyze, and manage the potential risks that could hinder or prevent an organization from achieving its objectives;
• evaluate increased risks resulting from rapid change, such as turnover in personnel, rapid growth, or the establishment of new services; and
• identify other potential high-risk activities, such as duty liability, dependence on third-party service providers, and prior problems.

Control activities. A company establishes policies and procedures so that identified risks do not prevent the organization from reaching its objectives. Policies and procedures should enable a company to—

• clearly define activities, thus minimizing risk and enhancing effectiveness;
• establish both preventive (for example, requiring supervisor approval) and detective (such as reconciling reports) controls; and
• avoid excessive controls, which are as harmful as excessive risk and result in increased bureaucracy and reduced productivity.

Information and communication. To be useful, information must be reliable and must be communicated to—

• internal and external resources, such as employees, vendors, and service providers; and
• individuals and groups, both within and between various levels and activities of the organization.

Monitoring. A company must monitor the effectiveness of internal controls periodically to ensure that controls remain adequate and function properly. Management should also revisit previously identified problems to ensure they are corrected, by—

• scheduling regular monitoring;
• selecting samples, viewing documentation, and visiting external sites, if appropriate;
• supplementing samples with special tests of sensitive and problem areas; and
• creating reconciliation and exception reports to provide this information.

Perform periodic testing of the system based on risk. Periodic testing is a normal part of the monitoring process. Periodic process reviews can assess the performance quality of the internal controls. A periodic review of each business unit is desirable to confirm that corporate policies are implemented and to mandate corrective action when necessary. Testing should also be adjusted in response to changing risk.

Maintain testing results. A company must agree to maintain the testing results for three years and to make information available to Customs upon request. In exchange, Customs agrees not to continually review the company’s testing program.

“Importers who have completed a CAT or FA [two kinds of compliance audits] may be the best initial candidates, as they would have gained firsthand experience performing a self-audit, working with Customs’ regulatory audit division, and developing and implementing compliance improvement programs,” said Nissan’s Leslie Cazas. “I believe it provided a strong foundation for [Nissan’s] ISA participation.”

An importer can apply for the program by first completing an ISA questionnaire and memorandum of understanding (MOU). The questionnaire is a brief series of inquiries designed to ensure that the importer has implemented or plans to implement key internal controls important for customs compliance. The MOU is an agreement between Customs and the importer that establishes their respective roles and responsibilities. In addition, Customs may schedule an informal meeting with the company to become more familiar with it. To complete the application, the importer must develop and submit an ISA workplan under the ISA program’s auditing standards requirement. The workplan must stress monitoring and periodic testing of the company’s system of controls based on risk, similar to a financial audit.

Customs will review the ISA application to assess the company’s internal framework and readiness to assume responsibility for self-assessment. The application review will likely include a visit by Customs, during which the company will formally present its ISA program. Customs’ on-site review team typically includes several representatives, including the assistant field director.

Customs will deny the application if it receives insufficient information to evaluate an ISA applicant’s internal controls or if it believes the company is not prepared to self-assess. Customs may also choose to help the importer strengthen its controls and implement a satisfactory testing program. Once satisfied, Customs confirms the partnership by signing the MOU, at which point the program benefits begin.

Getting Started

Preparing for and enrolling in ISA is not especially complex and provides an opportunity for importers to assess their internal controls. The benefits of ISA participation greatly improve an importer’s ability to ensure the smooth flow of goods.

The first step in ISA membership is to submit an application to enroll in the Customs-Trade Partnership Against Terrorism (C-TPAT), a joint government-industry initiative to strengthen supply-chain and border security by ensuring the integrity of security practices and communicating security guidelines to an importer’s supply-chain partners. The process involves analyzing existing corporate security measures, completing a security questionnaire, and preparing for a possible on-site visit from Customs. As with ISA, C-TPAT stresses self-monitoring, not Customs oversight.

A strong and broad commitment from upper-level management will help create a culture of commitment to C-TPAT/ISA and Customs compliance in general. In most cases, the corporate customs department or other area responsible for imports may be most qualified to manage the ISA application process and present a clear business case for program participation.

Establishing upper-management support for ISA participation will foster interdepartmental communication and cooperation between various corporate groups that affect the import process, such as legal, accounting, finance, shipping/receiving, transportation/logistics, procurement, and security. This communication process begins when the importer is completing the ISA questionnaire and MOU.

Personnel directly involved in a company’s import function are often not well positioned to tackle ISA independently. Because core competencies in establishing, documenting, implementing, and testing internal controls are helpful in the Customs compliance environment, outside auditors and accountants can play a vital role in helping a company transform a standard trade compliance program into an ISA.

Other Companies’ Perspectives

ISA is relatively new, and only a few companies have been granted membership. Recognizing the import community’s many questions, Ernst & Young LLP held a symposium to benchmark ISA best practices. A total of 16 representatives from 11 companies attended. The participants were at various stages of applying to ISA, and each had identified some best practices associated with the program.

Planning. After analyzing the benefits of ISA participation, nine of the 11 companies viewed removal from the audit pool as the top factor influencing ISA participation. All participants agreed that upper-level management buy-in is necessary for ISA success, and that the challenges of implementing the program could be mitigated through the use of a strong workplan. Although companies debated whether all corporate units or subsidiaries should be included in the ISA application, participants overwhelmingly agreed that it was important to include all business units in the process.

Application. All symposium participants said their companies considered various ways to approach the task during the early stages of the ISA application process. Participants established cross-functional teams to complete the questionnaire, including accounting, finance, and purchasing personnel. All participants involved internal or external customs experts in the process. External assistance helped companies adhere to the workplan and establish a timeline for successful implementation.

Participants found that responding to the ISA questionnaire was difficult. The most challenging question was: “Are your Customs internal processes consistent with SAS 78?” Companies also initially had difficulty tracing financial records to import entries.

Approval and implementation. All companies agreed on the importance of properly assembling and presenting ISA program information to Customs. Companies also agreed on the need to develop a risk matrix, organized by customs activity or business unit, that could be modified when business factors changed.

Reporting Considerations

Another consideration, especially for publicly traded companies, is whether to advise the public of ISA participation. There may be distinct advantages to doing so, especially if a company derives most of its cost of sales from imported merchandise.

The government is publicizing the benefits of ISA participation and touting companies that have joined. Customers of ISA participants and their supply-chain partners will reap collateral benefits from the importer’s ISA participation. Doing business with ISA importers provides customers with greater business certainty.

The recent surge in high-profile business failures, allegations of corporate fraud, and restatements of earnings has shifted attention to internal controls. ISA participation should help restore the confidence of investors, regulators, and the general public, all of whom are uneasy about corporate failures and inadequate internal controls. The public’s perception of an ISA participant should be enhanced by the knowledge that it manages supply-chain risks though a government-endorsed program requiring strong internal controls.

SOA section 404 requires public companies to assess the effectiveness of its internal controls, and requires auditors to attest to and report on management’s assessment. For larger importers, customs-related financial accounts might be significant and subject to SOA review. Many companies are also looking beyond SOA requirements and carefully reviewing the design, operation, and effectiveness of their internal controls in operational and compliance areas. ISA participation provides certification of import internal controls. Any business that has decided to review internal controls over imports for certification should strongly consider ISA participation in concert with that effort, and may be able to incorporate ISA into the annual certification process. Customs has instituted substantial benefits for companies that incorporate internal controls into import compliance.

The challenges of implementing and maintaining ISA compliance are outweighed by the competitive advantages received by participating importers.