CTPAT Trade Compliance Handbook 2.0 - 508

Customs Trade Partnership
Against Terrorism
Trade Compliance Handbook

CTPAT Trade Compliance Handbook | October 2022
I am pleased to present the Customs Trade Partnership Against Terrorism

(CTPAT) Trade Compliance Handbook, a resource for understanding
CTPAT’s modernized Trade Compliance program.
CTPAT has embarked on a journey over the previous four years to

reinvigorate U.S. Customs and Border Protection’s (CBP) Trade
Compliance efforts. In close collaboration with private industry and best
practices put forth by international trade groups, such as the World
Customs Organization (WCO), CTPAT has established a program that is
equipped to be the global standard for Trade Compliance.
The new CTPAT Trade Compliance program is an evolution of the former Importer Self-
Assessment (ISA) program. The goal of the program is to increase importer compliance and the
flow of legitimate cargo into the United States. In exchange for compliance with regulatory
trade requirements imposed by CBP and other government entities, the CTPAT Trade
Compliance program offers meaningful benefits to the trade as part of partnership. These
benefits are a combination of legacy CTPAT and ISA benefits, as well as benefits developed in
collaboration with partners of the CTPAT Trusted Trader Pilot (established under Federal
Register Notice 34334) and the Commercial Customs Operations Advisory Committee’s
(COAC) Secure Trade Lanes Subcommittee (Trusted Trader Working Group). These groups
worked collaboratively with CBP to understand the major challenges importers face today, and
to develop benefits that address those challenges and make program partnership worthwhile.
This handbook provides an overview of the major changes and improved industry benefits that
have led to the modernization of CTPAT’s Trade Compliance program and detailed instructions
for applying and maintaining partnership. I hope you will find this resource to be helpful as you
begin the process to join the CTPAT Trade Compliance program or begin the process of
fulfilling your annual partnership requirements.
The collaborative nature of this program presents us the unique opportunity to continually
maintain and advance a world class Authorized Economic Operator (AEO) program that
increases the security of the trade environment globally. Thank you for doing your part to
protect our Nation and support CBP’s mission.
Sincerely,
Manuel A. Garza Jr.

Director, CTPAT
Cargo and Conveyance Security
Office of Field Operations
2
CTPAT TRADE COMPLIANCE

TABLE OF CONTENTS
1. INTRODUCTION AND PROGRAM MODERNIZATION

1.1 PURPOSE
1.2 BACKGROUND AND PROGRAM HISTORY
1.3 PROGRAM OVERVIEW AND UPDATES
1.4 SUMMARY OF THE TRADE COMPLIANCE PROCESS
1.5 BENEFITS
2. PROGRAM DESCRIPTION AND REQUIREMENTS

2.1 APPLICANT
2.2 REQUIREMENTS AND ELIGIBILITY
2.3 EXPECTATIONS
3. APPLICATION, PROCESSING, AND ACCEPTANCE
3.1 TRADE COMPLIANCE PORTAL
3.2 APPLICATION
3.3 TRADE COMPLIANCE QUESTIONNAIRE
3.4 MEMORANDUM OF UNDERSTANDING
3.5 APPLICATION REVIEW
3.6 APPLICATION REVIEW MEETING (ARM)
3.7 TRADE COMPLIANCE DECISION
3.8 FOCUSED ASSESSMENT TO TRADE COMPLIANCE
3.9 INTERNAL GUIDANCE CONTROLS?
4. PROGRAM CONTINUATION REQUIREMENTS
4.1 CONTINUING RESPONSIBILITIES
4.2 MERGERS, ACQUISITIONS, AND COMPANY BUYOUTS
4.3 ANNUAL NOTIFICATION LETTER (ANL) AND PROGRAM UPDATES
4.4 ADDING ADDITIONAL IMPORTER OF RECORD NUMBERS
4.5 TRADE COMPLIANCE CONTINUATION REVIEW MEETING (CRM)
5. REVOCATION PROCEDURES
5.1 PROGRAM WITHDRAWAL
3
5.2 PARTNER SUSPENSION

5.3 PROCEDURES FOR SUSPENSION
5.4 PARTNER REVOCATION
5.5 PROCEDURES FOR REVOCATION
5.6 PARTNER RE-APPROVAL
6. APPENDIX
APPENDIX A: TRADE COMPLIANCE ELIGIBILITY QUESTIONS
APPENDIX B: TRADE COMPLIANCE APPLICATION QUESTIONS
APPENDIX C: TRADE COMPLIANCE MEMORANDUM OF UNDERSTANDING
APPENDIX D: GUIDANCE FOR DEVELOPING INTERNAL CONTROLS
APPENDIX E: INTERNAL CONTROL MANAGEMENT AND EVALUATION TOOL
APPENDIX F: RISK ASSESSMENT AND SELF-TESTING DEVELOPMENT
APPENDIX G: ANNUAL NOTIFICATION LETTER
APPENDIX H: ANL STEP BY STEP SUBMISSION
APPENDIX I: PORTAL APPLICATION PROCESS
APPENDIX J: CTPAT TRADE COMPLIANCE GRANT/DELETE ACCESS
4
HANDBOOK RECORD OF CHANGES
Version 2 Updates
October 2022
The handbook has been modified to reflect changes to forced labor requirements and to
correct several grammatical errors. Substantial updates include:
Pg 1: Updated Date to October 2022, Version 2
Pg 5: Created Handbook Record of Changes
Pg 10: Updated Disclosure benefit language
Pg 12 – Pg 16: Updated Sections 2 and 3 to include all program requirements, including

Forced Labor
5
Customs Trade Partnership Against Terrorism (CTPAT) Trade Compliance Program
1. INTRODUCTION & PROGRAM MODERNIZATON
1.1 PURPOSE
The Customs Trade Partnership Against Terrorism (CTPAT) Trade Compliance program is
built on the knowledge, trust, and willingness to maintain an ongoing relationship between
Customs and Border Protection (CBP) and importers that is mutually beneficial. The goal of
the Trade Compliance program is to partner with importers who can demonstrate their
readiness to assume the responsibility of managing and monitoring their compliance through
self-assessment. Importers accepted into the CTPAT Trade Compliance program receive
tangible benefits and their participation allows CBP to redirect resources and focus on higher-
risk and unknown importers.
1.2 BACKGROUND AND PROGRAM HISTORY
The passage of the Customs Modernization Act (Customs Mod Act) in 1993 ushered in an era
of new partnership concepts between the importing community and the United States Customs
Service (now U.S. Customs and Border Protection C). Under the Customs Mod Act, CBP and
the importer share the responsibility for compliance with trade laws and regulations. The
importer is responsible for using reasonable care when declaring the value, classification, and
rate of duty applicable to entered merchandise, and CBP, through the Office of Trade, Office
of Field Operations, and other relevant stakeholders, is responsible for informing the importer
of its rights and responsibilities under the law.
In 2002, the Importer Self-Assessment (ISA) program was initiated as a voluntary approach to
trade compliance. The program was based on the premise that importers with strong internal
controls designed to ensure a high level of compliance will require fewer enforcement reviews
and less oversight. The ISA program sought to offer meaningful benefits that could be tailored
to industry needs and required that importers demonstrate readiness to assume responsibilities
for managing and monitoring their own compliance through self-assessment. The program
required that importers maintain a system of internal controls that demonstrate a sound
business operation that supports the accuracy of their import transactions.
The CTPAT Trade Compliance program is an evolution of the former ISA program with
similar goals, requirements, and improved benefits. In 2016, CTPAT launched the Trusted
Trader Strategy, which sought to integrate CTPAT Security and ISA into a consolidated
program focused on supply chain security and trade compliance. The strategy was largely
executed through the establishment of the Trusted Trader Pilot program, which provided a
forum for testing and developing new and revised program benefits and operations. Through
integration and progress made in the Trusted Trader Strategy, the program laid the foundation
for CTPAT Trade Compliance. With the full implementation of the Trade Compliance
6
Program, the United States Authorized Economic Operator (AEO) program now includes both
security and trade compliance.
1.3 PROGRAM OVERVIEW AND UPDATES
In addition to the above changes, CTPAT updated the program’s Minimum Security Criteria
(MSC) and integrated CTPAT Security and CTPAT Trade Compliance to create a unified AEO
program which launched in FY20. The program reflects the following outcomes as a result of
this integration:
• Global AEO Program: The program meets the highest standards of a global AEO
program because of the integration of CTPAT Security and Trade Compliance.
• New Security Requirements and Benefits: The integrated program modernized supply
chain security requirements and new benefits for CTPAT Trade Compliance.
• Impact Measurement: The program establishes clear, transparent, and measurable impact
for partners of both CTPAT Security and CTPAT Trade Compliance.
1.4 SUMMARY OF THE TRADE COMPLIANCE PROCESS
The following steps briefly summarize the CTPAT Trade Compliance application submission
requirements and review processes, all of which take place within the CTPAT Trade
Compliance Portal.
Trade Compliance Application Submission Requirements:
• An importer must be a Tier II or Tier III partner of the CTPAT Security program and in
good standing.
• An importer must meet the eligibility criteria laid out in the Eligibility Questions.
7
• An importer must complete a Memorandum of Understanding (MOU) and Program

Questionnaire.
Application Review Process:
• The Trade Compliance application can be accessed through the importer’s existing
CTPAT Portal account by selecting Trade Compliance under Partnership Programs. See
Figure 1A below.
• Following the application submission, CTPAT will review the application package
within the CTPAT Trade Compliance Portal.
• CTPAT will schedule a formal meeting with the applicant, referred to as the Application
Review Meeting (ARM), which includes a risk assessment and review of the applicant’s
internal controls to determine the applicant’s readiness to assume the responsibilities for
self-assessment.
• CTPAT will establish the partnership by signing the MOU when the importer has
demonstrated readiness to assume the responsibilities for self-assessment.
• Once a partner of CTPAT Trade Compliance, the importer will receive the benefits of
both CTPAT Security and CTPAT Trade Compliance if the importer fulfills the
continuing responsibilities of the program.
Figure 1. CTPAT Trade Compliance Portal
Note: Only a company administrator can launch the CTPAT Trade Compliance Portal to create a
CTPAT Trade Compliance application.
8
Figure 1A. CTPAT Trade Compliance Application Process
1.5 BENEFITS
CTPAT Trade Compliance

The CTPAT Trade Compliance program provides opportunities for importers who demonstrate a
commitment to compliance to receive related benefits that are meaningful, measurable, and
reportable. The program offers benefits to importers who demonstrate a commitment to ensuring
compliant import transactions. Below is an overview of the benefit categories one can expect to
receive:
• National Account Manager (NAM): Access to an assigned NAM, who acts as an

advisor and liaison among CBP Headquarters and the CTPAT Trade Compliance partner.
• CTPAT Trade Compliance Portal: Access to the CTPAT Trade Compliance section of
the CTPAT Portal and use of the CTPAT Portal to review and update information related
to CTPAT Trade Compliance.
• Enhanced Importer Trade Activity (ITRAC) Data Access and Automation: U.S.
Importer partners will have access to their ITRAC data directly from the CTPAT Trade
Compliance Portal.
• Expedited Rulings: Rulings and Internal Requests that are being adjudicated by the
National Commodities Division will have priority and be placed at the front of the queue
for processing within 20 days.
9
• Multiple Business Units: Opportunity to apply for coverage of multiple Importer of

Record (IOR) numbers.
• Disclosure Benefit: If CBP becomes aware of errors indicating a possible violation of 19

U.S.C. 1592 or 1593a, CBP will communicate with the partner regarding such errors and
allow 30 days from the date of the communication for the partner to perform a self-
assessment and submit a written disclosure of the relevant facts to CBP. This benefit
does not apply if the matter is already a subject of an ongoing CBP investigation or if
fraud is involved.
• Removal from Focused Assessments (FA): Partners will be exempt from FA performed
by Office of Trade Regulatory Audit and Agency Advisory Services (RAAAS).
However, importers may be subject to a single-issue audit to address a specific concern.
An importer must complete an Annual Notification Letter (ANL), which allows the
partner to inform CBP of any business modifications that may have an impact on their
customs operations and to reaffirm its commitment to the requirements listed in the
CTPAT Trade Compliance MOU and other program documentation. This letter is
submitted electronically through the CTPAT Trade Compliance Portal.
CTPAT Security
Importers who are partners in CTPAT Trade Compliance also receive CTPAT Security benefits.
Examples of the CTPAT Security benefits include:
• Security Validation: As part of the validation or revalidation process, CTPAT partners

receive a comprehensive evaluation by a government Supply Chain Security Specialist
(SCSS) expert who assesses the partner’s security posture. The SCSS is an advisor that
will assist the CTPAT partner improve and maintain its security posture.
• Front of the Line Benefits: When feasible, CTPAT shipments are moved ahead of non-
CTPAT shipments for exams. Front of the Line inspection privileges apply to screening
by non-intrusive inspection (NII) equipment, examinations conducted dockside or at a
centralized examination station, and all other inspections conducted for security, trade
and/or agriculture purposes.
• Reduced Examination Rates: Reduced examination rates leading to decreased

importation times and reduced costs.
• Advanced Qualified Unlading Approval (AQUA Lane): Expedited unloading of sea

vessels through the AQUA Lane, creating an average cost savings of $3,250 per hour per
vessel for low-risk sea carriers. This benefit is applied at the ship level, not at the
container level.
10
• Free and Secure Trade (FAST) Lanes: Shorter wait times at the border and access to
the FAST Lanes.
• Status Verification Interface (SVI) Access: SVI Access that includes the verification of
companies yearly.
• SAFETY Act: The SAFETY Act of 2002 created liability limitations for claims resulting
from an act of terrorism where Qualified Anti-Terrorism Technologies have been
deployed. The Act applies to a broad range of technologies, including products, services,
and software, or combinations thereof. Further information regarding the SAFETY Act
of 2002 can be found at https://www.dhs.gov/science-and-technology/safety-act
• Seminars and Sponsored Events: Access to CTPAT-sponsored events such as CBP

training seminars and the CTPAT Conferences.
• Best Practices: Access to CTPAT best practices through guides, catalogs, and training
materials. CTPAT defines best practices as those that combine senior management
support, evidence of implementation, innovative business processes and technology,
documented processes, and a system of checks, balances, and accountability, also known
as the “Best Practices Framework.”
• Business Resumption: Priority entrance of goods following a natural disaster, terrorist

attack, or port closure.
• Penalty Mitigation: CBP’s Fines Penalties & Forfeitures (FP&F) will ensure that the
company's partnership status is taken into consideration and that any penalties will be
offset by the measure/level of the corrective actions taken to prevent future occurrences.
Correspondence from partners to FP&F should indicate their trusted trader status and
other pertinent information. Trusted traders requesting a penalty offset will ensure that
the cover letter to FP&F copies their NAM/SCSS.
• Mutual Recognition Arrangements (MRAs): Expedited screening with worldwide

security partners from foreign Customs administrations that have signed MRAs with the
United States.
• Marketability of CTPAT Partnership: Much like certification with other U.S.

government agencies or the International Standards Organization (ISO), CTPAT
partnership can raise a partner’s reputation and ability to secure business.
A current list of all CTPAT Security Benefits can be found here:

https://www.cbp.gov/border-security/ports-entry/cargo-security/ctpat
11
2 PROGRAM DESCRIPTION AND REQUIREMENTS
2.1 APPLICANTS AND ELIGIBILITY
In order to apply for the CTPAT Trade Compliance Program, Importers must:
• Be a U.S. Importer who maintains an Importer of Record Numbers (IOR numbers)

located and physically managed in the United States, or
• Be an approved non-resident Canadian importer (Canada) who is located and physically
managed in the United States.
• Have an active import history of two years or longer for all IOR numbers joining the
program
• Maintain a Tier II (validated) or Tier III (exceeding) partnership in the CTPAT Security
program, in good standing.
• Maintain evidence of no financial debt to CBP (for which the party has exhausted all
administrative and judicial remedies for relief, a final judgment, or administrative
disposition has been rendered, and the final bill or debt remains unpaid at the time of
initial application or annual renewal).
All eligibility questions are listed in Appendix A.
2.2 REQUIREMENTS
To be approved and maintain partnership for the CTPAT Trade Compliance program, Importers
must meet all general program requirements. The general program requirements include:
• Compliance with all applicable CBP laws and regulations.

• Compliance with all program requirements (see below for complete list), including the
Forced Labor requirements, as added 08/01/2022.
• Completed responses to all questionnaire questions and required attachments for
application and updates, as applicable, each year thereafter.
• Providing a company officer’s signature on the CTPAT Trade Compliance MOU at the
conclusion of the application and each year thereafter.
Specific Program Requirements and Required Attachments are included in Section 3.2 of this
document and further examples provided in Appendix D, E, and F.
2.3 EXPECTATIONS
• Members will complete all program requirements in a timely fashion.

• Members will provide trade-related updates to their NAM as needed to enable their
ability to manage the account.
12
• Members will submit an ANL to CBP and notify CBP of major organizational changes
(or as necessary). Members will act as positive ambassadors of the CTPAT trade
compliance program within the trade community.
3 APPLICATION, PROCESSING, AND ACCEPTANCE
3.1 TRADE COMPLIANCE PORTAL
The CTPAT Portal streamlines applications to CBP’s trade partnership programs and meets
Department of Homeland Security (DHS) mandated security requirements. The CTPAT Trade
Compliance section of the CTPAT Portal serves as a central electronic location for CTPAT
Security importers to learn more about the CTPAT Trade Compliance program and apply when
eligible. Launched in 2019, the CTPAT Trade Compliance Portal complements the existing
CTPAT Security Portal and provides an electronic and streamlined process for eligible
importers to apply and manage their status in the CTPAT Trade Compliance program. All
importers must complete the application process in the CTPAT Trade Compliance Portal to
become a partner of the Trade Compliance program.
If an importer meets the prerequisite requirements, they will be given the opportunity to begin
the application process. The first step in the application process is series of eligibility
questions (Figure 3). Once the eligibility questions are answered in full, if eligible, importers
will be directed to the CTPAT Trade Compliance application screen (Figure 3A). If an
importer is not yet eligible to apply, it will receive a CTPAT Trade Compliance ineligibility
notice (Figure 3B).
Figure 3. CTPAT Trade Compliance Eligibility Questions
13
Figure 3A. CTPAT Trade Figure 3B. CTPAT Trade

Compliance Application Welcome Compliance Ineligibility Notice
Screen
All eligibility questions are available for review in Appendix A of this document.
3.2 APPLICATION
The Trade Compliance Application Process consists of four main components, and each is
depended on the prior in order to move forward with the application process:
1. Eligibility Questions
2. IOR Selection
3. The CTPAT Trade Compliance Questionnaire
4. The CTPAT Trade Compliance MOU
Eligibility Questions
The applicant must be able to answer yes to all eligibility questions prior to proceeding to
the questionnaire portion of the application.
IOR Selection
All IOR numbers associated with the Importers’ CTPAT Security profile will be displayed
for selection. The Importer must carefully select which IOR numbers are included in their
Trade Compliance application and ensure the appropriate documents required cover each
IOR number.
The CTPAT Trade Compliance Questionnaire

The CTPAT Trade Compliance Questionnaire includes all of the questions and attachments
that are required to apply for the program. Responses should include applicable references
and/or inclusions for each of the IOR’s that are being submitted as part of the application.
For example, if two IOR numbers are selected and each IOR number represents a division
14
with different self-testing plans, each self-testing plan must be provided with the
application.
Specific Program Requirements and Required Attachments include:
• Provide a description of the overall organization and operations that includes all members
of the compliance department or division and to whom they report.
o Required Attachment: Company Organizational Chart at the application and
corrections annually, as applicable.
• Provide a Company Logo
o Required Attachment: Company Logo
• Maintain a compliance department that oversees CBP compliance with federal regulatory
laws, regulations, and policy/guidelines.
• Implement a compliance training for internal/external parties.
o Required Attachment: Evidence of Training Program
• Track duties, fees, and import activity to ensure bond sufficiency.
• Implement a comprehensive system of internal controls including the prevention of
Forced Labor in the supply chain. Further guidance regarding a system of internal
controls may be found in Appendix D and E.
o Required Attachment: Written documentation outlining these controls (desktop
procedures)
• Maintain an audit trail from financial records to CBP declarations
• Design and execute an annual self-testing plan in response to identified risks and
implement corrective action in response to errors and internal control weaknesses.
Further guidance regarding a self-testing plan may be found in Appendix F.
o Required Attachment: Self Testing Plan
• Retain self-testing records for three (3) years.
• Partners must conduct an annual risk assessment/self-testing to identify risks compliance
with CBP laws and regulations and provide an overview of all processes during the
Annual Review Meeting
o Required Attachment: Self Testing Results
Specific Program Requirements for the inclusion of Forced Labor prevention:
• Conduct Risk Based of supply chain partners that outlines the supply chains in their
entirety and to include regions, suppliers, etc. that the importer feels poses the most risk
for forced labor, to ensure the supply chain is free from the use of Forced Labor.
(Importers are required to determine within their organization what imports are
considered high risk to their business model but should take into consideration
information that CBP provides publicly, on CBP.gov.) While no attachments are
required for the application, CBP may request unredacted proof of supply chain mapping,
regarding a particular supply chain, if at any time CBP determines the information is
needed.
15
• Partners must create a Code of Conduct statement that represents their position against
the use of Forced Labor within any part of their supply chain. Partners must have policies
and procedures in place that operationalize the Code of Conduct, as well as evidence of
those policies’ implementation. The Code of Conduct statement must be included in the
company's social compliance program that focuses on forced labor, as outlined in the
CTPAT Security Minimum Security Criteria.
o Required Attachment: The Code of Conduct statement must be uploaded to the
CTPAT online portal and published publicly by the partner.
• Partners must provide CBP with evidence of implementation of their social compliance
program (as required by CTPAT Security MSC). As part of the social compliance
program, partners must be able to identify the parts of its supply chain most at risk and
provide CBP with this information, if requested.
o Required documentation: Evidence of implementation of the social compliance
program. Examples of evidence include (but are not limited to) unredacted audits
of high-risk supply chains related to Forced Labor, internal training programs for
employees on identifying signs of Forced Labor, and mechanisms taken to show
the supply chain is completely free of the use of Forced Labor.
• Partners must provide training about the social compliance program requirements to their
suppliers that identifies the specific risks and helps identify and prevent forced labor in
the supply chain. The training should exemplify the company's position against Forced
Labor as stated in their Code of Conduct. Training requirements are determined by the
partner but must ensure that the suppliers business model and code of conduct represent
they will not partner with business that use Forced Labor. Proof of training must be
available to CBP upon request.
• Partners must maintain a remediation plan for their organization, in the event forced labor
is identified in their supply chains and provide this information to CBP, upon request.
This plan must include the process for disclosing the identification to CBP and outline the
necessary steps for the organization’s employees and suppliers to correct the issue.
• Partners must share best practices with the CTPAT Trade Compliance program, as
appropriate, to help mitigate the risk of forced labor.
16
Figure 4. Trade Compliance Application Progress Indicators
Once all sections are complete, the application package must be submitted electronically via the
portal. An authorized officer of the legal entity responsible for the CTPAT Trade Compliance
application must sign the MOU and the original copy must be submitted to CBP via the CTPAT
Trade Compliance Portal.
3.3 TRADE COMPLIANCE QUESTIONNAIRE
The questionnaire and accompanying documentation are required to determine if the importer
has documented and implemented internal controls over its CBP-related processes. The
questions are available for review in advance in Appendix B of this document. Unsupported
responses will cause unnecessary delay of the CTPAT Trade Compliance application package.
3.4 MEMORANDUM OF UNDERSTANDING (MOU)
The MOU outlines importer and CBP responsibilities and identifies the company entities covered
by the MOU. Importers with multiple divisions may submit one MOU for each eligible entity
but must include the complete name and IOR number with all applicable suffixes. Once a
company is approved to participate in the CTPAT Trade Compliance program and elects to add a
business unit or importer of record number that was not previously covered under the original
MOU, the company must submit a revised MOU to reflect all current and additional business
units and associated IOR number(s) including the applicable suffix. MOU update requests must
17
be submitted in writing to [email protected] and the company’s assigned

NAM.
An MOU can be amended if the amendment is agreed upon between the Importer and CBP. If
the amendment to an MOU includes adding or removing importer of record numbers, the
changes to the importer of record numbers must be completed by the Importer in the CTPAT
Trade Compliance portal prior to the activation/removal of benefits by CBP. To add or remove
benefits, the Importer must open the “IOR Selection” and place/remove a check mark next to the
IOR number impacted by the amendment. Because the MOU is signed annually, the update to
the MOU will be included in the following ANL process.
To submit an application and electronically sign the MOU, the highest-level compliance officer,
as listed in the Trade Compliance Portal, must submit the final application (note: this individual
will be prompted to enter their sign in password prior to the submission being accepted by CBP).
Once an application is submitted, the account will be officially under review and the applicant
will not be able to modify the information submitted. If questions from CTPAT arise during the
review process, an alert will appear in the “Action Items” section, and the applicant will receive
an email informing them of the awaiting message in the Action Items section (Figure 5).
Partners can also access business units and IOR numbers associated with the MOU by looking
up the Application Summary through the Document Library once the Application has been
submitted, or by clicking on Summary while completing the initial application (Figure 5).
An example of a completed MOU is available for review in Appendix C of this document.
18
Figure 5. Action Items and Document Library
4.5 APPLICATION REVIEW
The CTPAT Trade Compliance Team will assess the applicant’s internal controls to determine
readiness to assume the responsibilities of the Trade Compliance program and achieve
compliance with CBP regulations and laws. Internal controls must be documented, logical,
comprehensive, and likely to prevent or detect noncompliance in the identified risk areas. The
design of internal controls cannot be assessed through the evaluation of individual controls in
isolation. Rather, controls are assessed as a group by:
• Obtaining an understanding of the processes and flow of information through the entry
process.
• Determining what can go wrong within the entry process.
• Determining whether the controls are sufficient to address the instances of what can go
wrong within the entry process.
• Evaluating questionnaire responses and supporting policies and procedures.
The CTPAT Trade Compliance team then assesses the applicant’s readiness based on the
operating effectiveness of the internal controls derived from an evaluation of their design. If any
questions arise during the application review process, NAMs and applicants may communicate
through the Trade Compliance Portal (Figure 6).
Figure 6. CTPAT Trade Compliance Portal Chat Feature
4.6 APPLICATION REVIEW MEETING (ARM)
Part of the application process includes a two day in person ARM Meeting with the CTPAT
Trade Compliance team. Prior to scheduling the ARM, the CTPAT Trade Compliance team will
conduct a risk assessment of the applicant’s import activities related to the IOR(s) on the MOU.
This risk assessment is based on:
19
Company History of Trade Compliance Company Risk Exposure

• Compliance measurement data • Imports from specific suspect
manufacturers or suppliers
• Previous penalty actions • Imports subject to quota, visa,
antidumping, or other CBP Priority
Trade Issues
• Previous enforcement actions • Large volumes of imports under special
duty provisions or trade programs
• Regulatory audits • Large volumes of imports under complex
tariff classifications
• Other information
Following the risk assessment, the CTPAT Trade Compliance team will contact the applicant to
schedule the ARM, provide the objective and expectations, and explain the evaluation process.
The team will provide the applicant with the risk areas along with up to five entry numbers to
walkthrough. Generally, the team selects a recent entry for each risk area and provides the entry
numbers to the applicant in advance.
4.7 TRADE COMPLIANCE DECISION
Based on the information provided in the application and the information gathered prior to and
during the ARM, the CTPAT Trade Compliance team will determine whether a company should
be accepted into CTPAT Trade Compliance. The decision will be provided in one of three
forms:
ACCEPTED: Acceptance entails a complete review of the internal CTPAT Trade

Compliance report, and the team leader will provide a synopsis of the evaluation, while
addressing questions or concerns. Applicants are formally notified of the Trade
Compliance team’s decision through the CTPAT Trade Compliance Portal. If accepted, CBP
will send the applicant an executed MOU, and a formal letter (including official ANL date and
NAM contact information) advising of acceptance into the program.
ADDITIONAL INFORMATION NEEDED: If the CTPAT Trade Compliance team identifies

internal control inconsistencies or unresolved issues during the initial evaluation that
require more than 60 days to correct, the team will request a follow-up review. The CTPAT
Trade Compliance follow-up evaluation will re-assess the applicant’s readiness once the
applicant has undertaken corrective action. Generally, the applicant is given up to 120 days to
develop and implement corrective actions and/or provide additional documentation before the
follow-up evaluation is initiated. The team will remain in contact with the applicant during this
time to provide guidance as necessary. If there are still unresolved issues after corrective action,
20
the team will continue to work with the applicant to ensure that all identified inconsistencies and
issues have been addressed prior to initiating a follow-up evaluation (see Figure 7-8).
APPLICATION DECLINED: The CTPAT Trade Compliance team will provide a notice
indicating the reasons why the application was declined and will allow the applicant 90-
120 days to correct errors and resubmit the application with corrected actions and
corresponding proof.
Figure 7. Additional Information Needed
21
Figure 8. Communication for Additional Information Needed.
For any questions regarding the status of an applicant’s application, please reach out to the
Trade Compliance team by emailing [email protected].
3.8 FOCUSED ASSESSMENT TO TRADE COMPLIANCE
Tier II or Tier III Importers that have undergone a CBP Focused Assessment and have been
deemed by RAAAS to represent an acceptable risk to CBP within the last 12 months may be
eligible to transition into the Trade Compliance program without the Application Review
Meeting.
The Focused Assessment audit further examines a company’s internal systems for compliance
with customs laws and regulations and is more comprehensive the Trade Compliance Review
process. Qualified importers will not need to undergo the ARM and will need to submit a Trade
Compliance MOU and the organization’s self-testing plan. The importer may apply through the
Trade Compliance Portal and will declare their eligibility based on the Focused Assessment as
part of the Trade Compliance Questionnaire. More information regarding this process can be
found in the Customs Bulletin and Decisions, Vol. 46, No. 44, dated October 24, 2012.
3.9 INTERNAL GUIDANCE CONTROL
To assist importers in developing and evaluating their system of internal controls of CBP
operations, importers should review “Guidance for Developing Internal Controls” (Appendix D),
which is an explanation of components of an internal control program ideal for small importers,
and the “Internal Control Management and Evaluation Tool” (Appendix E), a comprehensive
guide appropriate for large importers with complex organization structures. These documents
are tools to help determine how well a company’s internal control system is designed and
functioning, and helps determine what, where, and how improvements may be implemented.
CTPAT Trade Compliance participants must maintain an internal control system that
demonstrates the accuracy of CBP transactions with two specific processes:
1. Internal controls designed to ensure compliance in import transactions, and
2. An audit trail from accounting records and payments to entry records or an alternate
system that ensures accurate values are reported to CBP.
The applicant must establish, document, and implement internal controls, conduct self-testing
(Appendix F) of transactions based on risk, maintain results of testing for three years, and make
appropriate adjustments to internal controls
22
Internal controls developed and implemented by one company may vary considerably between
companies due to:
• Variations in company mission, goals, and objectives
• Differences in environment and the manner in which they operate
• Variations in degree of organizational complexity
• Differences in company histories and culture
• Differences in the risks companies face and are trying to mitigate
23
4 PROGRAM CONTINUATION REQUIREMENTS
4.1 CONTINUING RESPONSIBILITIES
CTPAT Trade Compliance participants are responsible for continuing compliance with program
requirements. Responsibilities are as follows:
• Maintain partnership in CTPAT Security

• Continue to comply with all applicable CBP laws and regulations
• Maintain an internal control system
• Make appropriate disclosures to CBP (such as post summary corrections and
misclassification errors)
• Submit an ANL to CBP to reaffirm the participant’s continuation in meeting the
program’s requirements through the CTPAT Trade Compliance Portal
• Notify CBP of major organizational changes as soon as possible through the CTPAT
Trade Compliance Portal by submitting a new organizational chart, if the company is not
in the CBP approval process. If the company is in the CBP approval process, the
company should email [email protected] for assistance.
4.2 MERGERS, ACQUISITIONS, AND COMPANY BUYOUTS
CTPAT Trade Compliance participants in a merger, acquisitions, company buyouts, or any other
corporate restructuring that includes adding/subtracting importer of record numbers to their
CTPAT portfolio must be reported to the CTPAT Security SCSS, the CTPAT Trade Compliance
National Account Manager, and [email protected] via an official letter on
company letterhead. These individuals will work together to determine how to advise the
company moving forward. Because these scenarios are often complicated, each case will be
handled on a case-by-case basis.
4.3 ANNUAL NOTIFICATION LETTER (ANL) AND PROGRAM UPDATES
The participants must provide written notification annually or following any significant change
to their trade compliance program or operations to show that they are continuing to meet the
requirements of the CTPAT Trade Compliance program. ANLs are due every year upon the
anniversary date of which the company was approved in the CTPAT Trade Compliance program.
The ANL should be submitted to CBP within 30 days of the applicant’s acceptance anniversary.
Importers will use the Trade Compliance Portal to submit their ANL information. This date is
reflected in the CTPAT Trade Compliance portal under the application overview section.
24
The information submitted in the ANL is captured in six categories and must be submitted
through the Trade Compliance Portal:
1. Company Information: Organizational and/or Personnel Changes

2. Import Activity Changes
3. Internal Control Adjustments and Changes
4. Risk Assessment Results
5. Periodic Testing Results
6. Prior Disclosures, Post Summary Corrections, and Post Entry Amendments
Figure 9. ANL Status Screen
For a complete guide to the ANL process including guidance on questions and required
responses, see Appendix G and Appendix H in this document.
Extensions for the ANL due date must be submitted in advance of the due date to
[email protected] with a copy to the importer’s assigned NAM. The
request must include the amount of time needed to complete the extension and a valid reason
why the extension is needed. Extension requests are not guaranteed and are considered on a
case-by-case basis.
25
4.4 ADDING ADDITIONAL IMPORTER OF RECORD NUMBERS
This section does not apply to situations where mergers, acquisitions, or company purchases
occur. Please reference Section 4.2 of this document for further information regarding these
scenarios.
Companies requesting to add additional IOR numbers to their CTPAT Trade Compliance
account must send an official letter on company letterhead to their CTPAT Trade Compliance
National Account Manager and the [email protected] mailbox. The letter
must include the additional Importer of Record numbers along with a complete justification of
the addition.
All CTPAT Security processing must be completed, approved, and added to the Importers
CTPAT portal account prior to proceeding with CTPAT Trade Compliance. Once approved by
CTPAT Trade Compliance, the Importer must include the new Importer of Record number on
the “IOR selection” in the portal, as this will ensure all Importer or Record numbers will be
referenced on the signed MOU. The company must also include updates to the company
handbook, internal control manuals, and self-testing plans to reflect added Importer or Record
number(s) during the next Annual Notification submission period.
National Account Managers and/or the CTPAT Trade Compliance Branch are available to assist
companies with the addition of new Importer of Record numbers. It is highly suggested that
companies utilize this assistance to avoid inadvertently removing benefits for any Importer of
Record numbers in the company’s profile.
4.5 TRADE COMPLIANCE CONTINUATION REVIEW MEETING (CRM)
After an importer has been in the CTPAT Trade Compliance program for five (5) years, a
Continuation Review Meeting (CRM) may be considered. However, risk indicators or non-
compliance with program requirements may warrant a CRM prior to the 5-year period. The
purpose of the CRM is to assess whether the participant is continuing to fulfill the CTPAT Trade
Compliance program requirements. If CBP identifies weaknesses or noncompliance, the
participant will be notified as early as possible and can correct any issues.
CBP will remove participants from the program for any issues that pose a significant risk to
compliance with CBP laws and regulations and/or failure to demonstrate they have fulfilled
program requirements. The Trade Compliance team will decide whether the company may
continue to participate.
26
5. PROGRAM WITHDRAWAL & REVOCATION PROCEDURES
5.1 Program Withdrawal
An importer (or an IOR number within a company profile) reserves the right to withdraw from
the program at any time. If a company determines it no longer wishes to participate in the
CTPAT Trade Compliance program, it must notify its NAM via email using a memo on official
company letterhead. The company’s assigned NAM will initiate the formal withdrawal process.
Once withdrawn from the CTPAT Trade Compliance program, the assigned NAM will be
removed from the company profile and will no longer be available to support the company. The
Trade Compliance Branch will provide the company a formal notification through a letter
submitted to them in their CTPAT Trade Compliance account.
5.2 Partner Suspension
CTPAT Trade Compliance partnership is dependent on satisfactory partnership of the CTPAT

Security program. If an Importer (or any IOR number within the company profile is suspended
from CTPAT Security, the partner will be automatically suspended from CTPAT Trade
Compliance. When this occurs, the company will be notified through the CTPAT Trade
Compliance Portal. From there, CTPAT is committed to working with the importer to take the
proper steps required to reinstate partnership, if applicable.
CTPAT Security partnership is not dependent on Trade Compliance partnership and therefore a
company (or any IOR number associated with the company) can be suspended from the Trade
Compliance program but remain in the CTPAT Security Program.
CBP may suspend participants from the CTPAT Trade Compliance Program for reasons
including, but not limited to:
• Suspension from the CTPAT Security Program

• Failure to comply with all applicable CBP laws and regulations
• Failure to maintain the internal control system, execute an annual self-testing plan,
and perform annual risk assessments
• Failure to share appropriate disclosures with CBP
• Failure to reaffirm that the partner is meeting program’s requirements by failing to
submit an ANL through the CTPAT Trade Compliance Portal within 30 days of the
anniversary of the program acceptance date
• Failure to notify CBP of major organizational changes through the CTPAT Trade
Compliance Portal as soon as possible, but not later than the submission of the ANL
27
5.3 Procedures for Suspension
Typically, each suspension is preceded by extensive outreach efforts to provide the company
with the opportunity to demonstrate compliance with program requirements. In addition, after
suspending the company’s benefits, additional outreach efforts are conducted to help the partner
address gaps, vulnerabilities, or weaknesses that lead to the proposal of suspension. If CTPAT
determines there is a basis for proposing the suspension of a participant, a notice of proposed
suspension will be sent through the CTPAT Trade Compliance Portal to apprise the participant
of the facts that warrant their suspension. The participant may respond to the proposed
suspension through the portal. The participant’s response should be submitted within 60 days of
the date of the notice. The response should address the facts outlined in the notice and how
compliance will or has been achieved. CBP will issue a final written decision on the proposed
suspension after the 60-day response period has closed. CTPAT will continue to work with the
company to take the proper steps required to reinstate partnership, if applicable.
During the suspension period, the importer is expected to continue to comply with the program
requirements, including the submission of the ANL if the anniversary date falls within the
suspension period.
5.4 Partner Revocation
CTPAT may revoke participants from the CTPAT Trade Compliance Program for reasons
including but not limited to:
• Participation in the program was obtained through fraud or misstatement of fact

• Participant is convicted of any felony or has committed acts that would constitute a
misdemeanor or felony involving theft, smuggling, or any theft-connected crime
• Participant refuses to cooperate with CBP in response to an inquiry, audit, or
investigation
• Participant fails to fulfill the terms of the MOU
• CRM concludes the participant is not meeting the requirements of the program
If CTPAT determines a removal from the program is warranted, Trade Compliance partners will
be removed from the program in the following ways:
1. Lack of Compliance with MOU: If the Trade Compliance branch determines that the
account (or any IOR number associated to the company) is not fulfilling the terms of
the MOU, the account will be subject to removal from CTPAT Trade Compliance. If
the account wishes to reapply in the future, the NAM will work with the account on an
action plan to put the account in a position to assume the responsibilities of CTPAT
Trade Compliance.
28
2. Program Suspension: If a company (or any IOR number associated with a company)
is suspended from CTPAT Security, the partner will be automatically suspended from
CTPAT Trade Compliance. When this occurs, the company will be notified through
the CTPAT Trade Compliance Portal. From there, CTPAT will work with the
company to take the proper steps required to reinstate partnership, if applicable.
3. Non-Approval and Lack of Desire for Participation: If the account is not approved to
participate in Trade Compliance or determines it no longer wants to continue to
participate, the Trade Compliance Branch will send the partner a letter indicating that
the company is removed from the program and will no longer be assigned a NAM.
4. Immediate Removal: In cases where public health or safety interests are concerned, a
removal from the program may be effective immediately as a final action.
5.5 Procedures for Revocation
If CBP determines there is a basis for the removal of a participant, a notice of proposed removal
will be sent through the CTPAT Portal to apprise the participant of the facts that warrant their
removal. The participant may respond to the proposed removal through the portal. The
participant’s response should be submitted within 60 days of the date of the notice. The response
should address the facts outlined in the notice and how compliance will or has been achieved.
CBP will issue a final written decision on the proposed removal after the 60-day response period
has closed. Once a participant has been removed from the program, the company will be eligible
to reapply at the discretion of CTPAT Leadership. In cases where public health or safety
interests are concerned, a removal from the program may be effective immediately as a final
action.
5.6 Partner Re-Approval
CTPAT Trade Compliance partners who withdraw from the program or are removed from the
program are eligible to reapply. If a participant has been removed from the program, the
company will be eligible to reapply at the discretion of CTPAT Leadership.
QUESTIONS
For any additional questions about the CTPAT Trade Compliance program, please visit
the CTPAT Website, or reach out to the NAM if assigned one, or by emailing
[email protected].
29
6. CTPAT TRADE COMPLIANCE HANDBOOK APPENDIXES
Appendix A: Trade Compliance Eligibility Questions
# Eligibility Questions / Requirements Yes No

Do you have a general authority to do business without requiring the approval of
1.
another person outside the United States or Canada?
Are you an active United States importer or Non-Resident Canadian importer
2. who meets the requirements set forth in 19 CFR Part 141, including in particular,
sections 141.17 and 141.18?
Do you maintain separate books and records for your United States / Canada
3. operations, prepare separate financial statements, maintain accounts for the
imported goods, and are you responsible for payment of import duties and taxes?
4. Do you possess a valid continuous importation bond filed with CBP?
Are you willing to complete a Memorandum of Understanding (MOU) and
5.
Trade Compliance Questionnaire?
Do you maintain an internal control system that is designed to provide assurance
6.
of compliance with CBP laws and regulations?
Do you perform annual risk assessments to identify risks to compliance with
7.
CBP laws and regulations?
Do you maintain and make appropriate adjustments to the system of internal
8.
controls?
Have you designed an annual self-testing plan in response to identified risks? Do
9. you implement corrective action in response to errors and internal control
weaknesses disclosed by self-testing?
Do you maintain an audit trail of financial records to CBP declarations, or an

10.
alternate system that ensures accurate values are reported to CBP?
Do you make appropriate disclosures through a prior disclosure, reconciliation,

11.
post summary corrections, or a supplemental letter to CBP?
Are you willing to submit an Annual Notification Letter (ANL) certifying that
12. you continue to meet CTPAT Trade Compliance requirements as listed in the
Handbook?
13. Do you agree to notify CBP of all major organizational changes?
30
Appendix B: Trade Compliance Application Questions
I. Company Information
1. Company Information (Required Document)

• Date Prepared:
• Company Name:
• Business Address:
• Phone Number:
• Company Website:
• Company Type: Public or Private
• Business Fiscal Year:
• Name, Title, Phone Number, and e-mail address of company contact:
• Please describe the overall organization/operating structure and provide
organizational chart of the company.
2. IOR(s) Numbers:
• Note, if the IOR number (s) in the Trade Compliance application is also used for
Drawback and/or FTZ activities, those activities will be included in the Trade
Compliance application review process unless you choose otherwise.
• If the Drawback or FTZ activity use a different IOR number, please specify those
IOR numbers if you’d like them included in this Trade Compliance application.
• Provide the names and addresses of any related foreign and/or domestic
companies, such as the company’s parent, sister, subsidiaries, or joint ventures,
etc.
3. Do all of your company’s business units/subsidiaries operate under a centrally controlled

customs compliance policy/system? (Y/N)
• If no, describe how the compliance system operates in other
divisions/subsidiaries. (Open Text)
4. Does your company maintain an in-house compliance department dedicated to

maintaining and updating your company’s operations in adherence to government
regulations, laws, executive orders and procedures that will affect your CBP operations?
(Y/N)
• If so, please provide details on management and operational activities performed
by this department. (Required Document—Organizational Chart/ Free Text)
5. If not in house (per #4 above), do you have a contract with a CBP brokerage house or
consulting service to provide this advisory assistance? (Y/N)
• Would you like this company/firm to participate with you in the Trade
Compliance application/review process? If yes, which company/firm? (Y/N –
Free Text)
31
6. Does the company have compliance training (external, internal, or both) that provides
pertinent training for its internal compliance office and other departments that are
involved with CBP related activities? (Y/N)
• If so, evidence of the training program, such as a training log that describes
course taken and attendees, must be included in the application. (Y/N –
Required Document)
7. Is your company applying to Trade Compliance due to successfully completing a

Focused Assessment (FA)? If so, please provide your invitation letter from the Trade
Compliance Branch. (Y – Required Document)
II. Import Activity
8. Does the company monitor/track its annual duties, fees, and taxes paid to CBP to ensure
bond sufficiency?
• If yes, briefly describe how this is done and include how payments of duties and
fees are made? (i.e. PMS, ACH, Debit, Credit or by Broker)? (Y/N – If Y,
Supporting Text Required)
9. Has the company’s surety been required to pay a claim on its behalf in the past 5 years?
• If yes, please provide claim details. (Y/N – If Y, Supporting Text Required)
10. Does the company own, or hold a license to use, trademarks, or copyrights for goods it
imports into the United States? (Y/N)
• If yes, please identify the imported merchandise that falls under the license
agreement or pertains to the company owned intellectual property rights (IPR).
(If Y, Supporting Text Required)
11. Does the company import products that are subject to an exclusion order from the
International Trade Commission (ITC)? (Y/N)
• If yes, please list them. (If Y, Supporting Text Required)
III.System of Internal Controls
12. Does your company have a written, comprehensive system of internal controls for its
import processes that is consistent with the five interrelated components of internal
control as defined by Committee of Sponsoring Organizations of the Treadway
Commissions (COSO) published report entitled “Internal Control-Integrated
Framework”: (Y/N – Check)
• Control environment
• Risk assessment
• Control activities
• Information and communication
32
• Monitoring
13. Does the company’s written internal control procedures focus on ensuring trade
compliance for the following areas? (Y/N Check all of the applicable options below.
Documents Required)
• Value
o All elements of costs are included.
o All additions to the price paid or payable such as assists are also
included etc.
• Drawback
• Foreign Trade Zone
• Classification
• Country of Origin
• Free Trade Agreements
• AD/CVD
• Forced Labor
• Other
IV. Risk Assessment Results
14. Is your company prepared to provide risk assessment testing results to include areas of
potential risks? (Y/N)
• If so, please summarize the risk management and assessment process. (Free Text)
V. Periodic Testing Results
15. Do the company’s internal control procedures include a process for conducting periodic
self-testing to include reporting results and implementing corrective actions? (Y/N)
• If so, please provide details. (Free Text)
16. Do you make adjustments to your internal control system when tests or other information
shows a need for improvement with your compliance procedures? (Y/N)
• If so, please provide details. (Free Text)
17. Does your internal control process include a record keeping system that maintains
evidence of testing and testing results for at least three years and enables you to submit
documents in a timely manner to CBP upon request, to include tests and test results?
(Y/N)
• If so, please provide details. (If Y, Supporting Text Required)
VI. Prior Disclosures
33
18. What processes do you have in place to initiate appropriate disclosures to CBP when
issues are discovered through your self-testing?
• Provide Response. (Free Text)
VII. Government Agency Affiliation
19. Do you participate in any other partnership programs with any other government
agencies? (Check one or more of the applicable options below) (Y/N Check One)
• FDA
• CPSC
• Not Applicable
• Other
34
Appendix C: Trade Compliance Memorandum of Understanding (MOU)
U.S. Customs and Border Protection

Trade Compliance Program
Memorandum of Understanding
This Memorandum of Understanding (MOU) is the document that describes very broad concepts
of mutual understanding, goals and plans shared by the parties. As such, (company name)
requests to participate in the Trade Compliance program (program) (formerly the Importer Self-
Assessment Program). This agreement is made between (company name) hereinafter referred to
as the account and U.S. Customs and Border Protection, hereinafter referred to as CBP. We
acknowledge that the primary objective of the Program is to maintain a high level of trade
compliance with customs laws through a cooperative CBP/ account partnership.
The account and CBP recognize the need to jointly address trade issues in order to maintain an
efficient and compliant import process. This MOU is designed to strengthen the account’s
ability to maintain a high level of compliance with CBP requirements through effective internal
controls of CBP activities and a cooperative interchange of ideas and information with CBP.
The program represents an opportunity to establish a joint informed compliance effort, in a

process built on knowledge, trust, and the desire to maintain an ongoing CBP/ account
relationship. The program provides CBP with the means to recognize and support the account’s
efforts to achieve compliance and offers the account the opportunity to demonstrate compliance
and receive related benefits.
This MOU does not exempt the account from statutory penalties or sanctions in the event of non-
compliance. However, the extent to which the account has shown compliance with the terms of
this MOU will reflect favorably and may be a mitigating factor toward any CBP decision or
recommendation on final case disposition.
The following are the account and CBP’s responsibilities under this MOU. More specific
information detailing the roles and responsibilities of the account and CBP are provided in the
CTPAT Trade Compliance Program Handbook.
ACCOUNT ROLES AND RESPONSIBILITIES
• Be a CTPAT partner;
• Complete the Trade Compliance Memorandum of Understanding and Questionnaire;
• Comply with all applicable CBP laws and regulations;
• Develop, update, and maintain an internal control system that is designed to provide
reasonable assurance of compliance with CBP laws and regulations;
35
• Conduct analysis and perform annual risk assessments to identify any risks related to
compliance with CBP laws, regulations and related transactions;
• Design and execute a periodic self-testing plan in response to identified risks;
• Implement corrective actions in response to errors and internal control weaknesses disclosed
by self-testing:
 Maintain results of testing for three years and make test information available to CBP
upon request;
 Make the necessary adjustments to internal controls in a timely manner;
 Maintain an audit trail of financial records related to CBP declarations or an alternate
system that ensures values reported to CBP are accurate;
• Make accurate and complete disclosures;
• Notify CBP of major organizational changes as soon as possible;
• Immediately inform CBP of incidents related to Priority Trade Issues (PTIs) which represent
high-risk areas that can cause significant revenue loss, harm the U.S. economy, or threaten
the health and safety of the American people;
• Timely submit an Annual Notification Letter (ANL) to CBP in accordance with the
requirements listed in the Trade Compliance program Handbook.
CBP ROLES AND RESPONSIBILITIES
• The account will be assigned a National Account Manager (NAM).

• CBP will provide guidance related to compliance, risk assessments, internal controls, etc.
providing the account with greater business certainty; The account will be removed from the
RAAAS audit pool established for focused assessments.
• The account will be removed from RA’s audit pool for Drawback and Foreign Trade Zones if
they requested to have these programs included in the Trade Compliance program.
• The audit exemptions will apply to each specific area when it is determined that adequate
internal controls are in place, to ensure compliance with CBP laws and regulations.
However, accounts may be subject to on-site examinations for single-issue reviews.
• The account will be able to obtain their Importer Trade Activity (ITRAC) data via the
CTPAT Portal on a quarterly basis.
• If CBP becomes aware of errors indicating a possible violation of 19 U.S.C. 1592 or 1593a,
CBP will communicate with the partner regarding such errors and allow 30 days from the
date of the communication for the partner to perform a self-assessment and submit a written
disclosure of the relevant facts to CBP. This benefit does not apply if the matter is already a
subject of an ongoing CBP investigation or if fraud is involved.
• The account participation in the Trade Compliance program may be considered as a
mitigating factor in the disposition of assessed civil penalties or liquidated damages cases.
This MOU governs the account activities under the following IOR numbers. The account
has the opportunity to apply for coverage of multiple business units.
36
Company Name Trade Compliance Office Physical Importer of Record

Address Number (s)
REPORTING AND DOCUMENTATION
The account must submit its first ANL to the Trade Compliance Branch (via the Trade
Compliance Portal) 12 months after its Trade Compliance program acceptance date, which is the
date that the Director, Customs Trade Partnership Against Terrorism (CTPAT), Office of Field
Operations, signs the MOU. The company representative that signed the MOU submitted to
CBP, or an equivalent, should sign and submit the ANL.
MODIFICATIONS
This agreement may be modified upon mutual consent of the parties involved. An original
revised MOU must be prepared and attached to the ANL if additional importer of record
number(s) and/or merged/acquired entities with own unique importer of record number will be
added to the program approved account.
OTHER PROVISIONS
Nothing in this Agreement is intended to conflict with current laws, regulations, or the directives
of CBP and ____ (company name) ____. If any term of this agreement is inconsistent with such
authority, then that term shall be invalid, but the remaining terms and conditions of this
agreement shall continue in full force and effect.
POINT OF CONTACT

Office of Field Operations/Cargo and Conveyance Security
Trade Compliance Branch
1300 Pennsylvania Ave., N.W.
Washington, DC 20229-1015
The account may use third parties to fulfill roles and responsibilities of this agreement. This
agreement shall enter into force upon each party’s signature and shall remain in effect until
notification of termination or failure to perform as agreed.
37
Customs and Border Protection enters into this Memorandum of Understanding pursuant to The
Customs Modernization Act (19 U.S. C. Section 3431) and the Department of Homeland
Security Management Directive 0450.1 dated January 24, 2003.
IN WITNESS WHEREOF, the undersigned, being duly authorized, have signed this agreement.
FOR U.S CUSTOMS AND BORDER FOR THE ACCOUNT

PROTECTION
______________________ ______________________
Signature Signature
______________________ ______________________
Print Name Print Name
______________________ ______________________
Director, CTPAT Title
______________________ ______________________
Date Date
38
Appendix D: Guidance for Developing Internal Controls
GUIDANCE FOR DEVELOPING INTERNAL CONTROLS
The following guidance is provided to assist a company in developing internal controls.

Please note that the list is not all-inclusive and that CTPAT Trade Compliance partners should
design their program to fit the circumstances, conditions, and risks relevant to the situation of
the company. A more extensive guide and management tool is available in Appendix G.
An effective system of internal control should contain the following components:
Control Environment: The company establishes and maintains an environment that

supports CBP compliance, including fostering a system that supports compliance,
maintaining competent personnel, and maintaining an organizational structure that
supports compliance.
Management conveys the message that integrity and ethical values must not be
compromised. Management and employees have a positive and supportive attitude
toward CBP internal controls and conscientious management of CBP- related operations.
Management has a philosophy and operating style that is appropriate to the development
and maintenance of effective internal controls for CBP, as evidenced by the following:
• A commitment to the competence of personnel responsible for CBP-related activities.

The company educates and trains employees about CBP programs that are affected by
the employees’ jobs. The employees should be educated on the importance of CBP
activities related to or affected by their job and the possible impact of errors. The
employees should be trained to successfully perform the job.
• The company’s organizational structure and the way in which it assigns authority and
responsibility for CBP operations contribute to effective internal controls.
• The company’s management cooperates with auditors, does not attempt to hide
known problems from them, and values their comments and recommendations.
Risk Assessment: The Company identifies risks to the goal of CBP compliance, analyzes
them for possible effects, and designs control activities to manage those risks. The company
has established clear and consistent company- wide objectives and supporting activity-level
objectives related to CBP activities. The following evidence risk assessment activities:
• Management has made a thorough identification of risks pertaining to CBP activities,

from both internal and external sources, which may affect the ability of the company
to meet those objectives.
• An analysis of those risks has been performed, and the company has
appropriate approach for risk management.
• Mechanisms are in place to identify changes that may affect the company’s
ability to achieve its missions, goals, and objectives related to CBP activities.
39
Control Activities: The company documents and implements policies and procedures and
other control activities to ensure complete and accurate reporting to CBP as well as
compliance with other CBP requirements. Procedures should include the correct reporting
of information for value, classification, special trade programs, special duty provisions, and
other CBP issues such as quota, antidumping duties, and countervailing duties.
Appropriate policies, procedures, techniques, and control mechanisms must be developed and
in place to ensure adherence to established CBP requirements. The following evidence
control activities:
• Proper control activities have been developed and documented for each of the company’s
CBP activities.
• The control activities identified as necessary are actually being applied properly.
• All documentation of transactions and records are properly managed,
maintained, and reviewed, as necessary.
• Control procedures are reviewed and revised, as necessary.
Information and Communication: The company establishes and maintains processes to

ensure that relevant, reliable information pertaining to CBP is recorded and communicated
through the organization to those who need it and that information provided to CBP is
complete and accurate.
Information systems are in place to identify and record pertinent operational and financial
information relevant to CBP activities. Management ensures that effective internal
communications take place. The company employs various forms of communications
appropriate to its needs and manages, develops, and revises its information systems in a
continual effort to improve communications. The following evidence effective information
and communication for CBP:
• Appropriate information is identified, recorded, and communicated to management

responsible for CBP activities and others within the company who need it, in a form
that enables them to carry out their duties and responsibilities efficiently and
effectively.
• Effective external communications occur with groups that can affect the achievement of
the company’s missions, goals, and objectives related to CBP activities.
• Individual roles and responsibilities for CBP activities are communicated through
policy and procedure manuals.
Monitoring: The Company monitors its CBP activities to assess the quality of performance
over time and ensure that issues and deficiencies are promptly resolved and that procedures
are corrected to prevent recurrence. Monitoring will include some testing of CBP
compliance on a periodic basis. Results of testing will be maintained for three years and will
40
be provided to CBP on request. Company internal control monitoring assesses the quality of
performance related to CBP activities over time. The following evidence monitoring:
• Procedures to monitor internal controls occur on an ongoing basis as a part of the
process of carrying out regular activities.
• Separate evaluations of internal controls are periodically performed, and
deficiencies found are investigated.
• Procedures are in place to ensure that the findings of all audits and other reviews are
promptly evaluated, decisions are made about the appropriate response, and actions
are taken to correct or otherwise resolve the issues promptly.
If you would like to know more about risk assessment and internal controls related to CBP
activities, extensive additional guidance and information is contained in the Focused
Assessment Technical Guides available on the CBP website.
41
Appendix E: Internal Control Management and Evaluation Tool
INTERNAL CONTROL MANAGEMENT AND EVALUATION TOOL
Introduction
This document is an Internal Control Management and Evaluation Tool. Although use of this
tool is not required, it is intended to help management and evaluators determine how well a
company’s internal control is designed and functioning and to help determine what, where, and
how improvements, when needed, may be implemented. This is a good tool for auditors to use
when developing questions and conducting interviews with company personnel, particularly in
large, complex companies.
The tool is presented in five sections corresponding to the five components of internal control: (1)
control environment, (2) risk assessment, (3) control activities, (4) information and
communications, and (5) monitoring.
Space is provided beside each issue for the user to note comments or describe the circumstances
affecting the issue. Comments and descriptions usually will not be of the“yes/no” type but will
generally include information on how the company does or does not address the issue. This tool
is intended to help users reach a conclusion about the company’s internal control as it pertains to
the particular component.
This tool could be useful in assessing internal control in compliance with laws and regulations.
It could also be useful in assessing internal control as it relates to various CBP activities within a
company.
This tool is not authoritative but is intended as a supplemental guide that managers and
evaluators may use in assessing the effectiveness of internal control and identifying important
aspects of control in need of improvement. Users should keep in mind that this tool is a starting
point and that it can and should be modified to fit the circumstances, conditions, and risks
relevant to the situation of the company. Not all of the issues need to be considered for every
company or activity.
1. Control Environment
According to the first internal control component, which relates to control environment,
management and employees should establish and maintain an environment throughout the
organization that sets a positive and supportive attitude toward internal control and conscientious
management. Several key factors affect the accomplishment of this goal. Management and
evaluators should consider each of these control environment factors when determining whether
a positive control environment has been achieved.
42
The factors that should be focused on are listed below. Management and evaluators should
concentrate on the substance of controls rather than their form because controls may be
established but not acted upon.
Internal Control Point Comments / Descriptions

A Integrity and Ethical Values
1 Management has promoted a climate that emphasizes
integrity and ethical behavior by its Import Department
employees. The company sets a code of conduct that
emphasizes proper behavior and sets penalties for unethical
conduct.
2 Dealings with CBP are conducted on a high ethical plane.
Reports to CBP are proper and accurate (not intentionally
misleading).
Management cooperates with auditors and other evaluators,
does not attempt to hide known problems from them, and
values their comments and recommendations.
3 The company has a well-defined and understood process for
dealing with CBP requests and concerns in a timely and
appropriate manner.
B Commitment to Competence
1 Management has performed analyses of the knowledge,
skills, and abilities needed to perform CBP-related jobs in an
appropriate manner.
2 The company provides training and counseling in order to
help employees maintain and improve their competence for
jobs relating to CBP.
There is an appropriate training program to meet the needs
of employees.
The company emphasizes the need for continuing training
and has a control mechanism to help ensure that all
employees actually received appropriate training.
C Management’s Philosophy and Operating Style
1 The company has a written policy on CBP compliance.
2 Management employs a philosophy that emphasizes the
correct reporting of information to CBP.
3 Management places a high degree of importance on
retaining competent personnel in key functions over its CBP
transactions.
43
4 The company’s Import Department has authority to interact

with other offices as needed, and strong synchronization and
coordination exist between the Import Department and other
departments with responsibilities or information related to
CBP activities.
5 Management places a high degree of importance on the work
of CBP officers, external audits, and other evaluations and
studies with CBP information and is responsive to
information from such officers
6 There is appropriate interaction between management of the
company, Import Department and senior management.
D Organizational Structure
The company’s Import Department is appropriately located
1
within the organization.
Key areas of authority and responsibility relative to CBP
2 activities are defined and communicated throughout the
organization. Consider the following:
Executives in charge of major activities or functions are
fully aware of their duties and responsibilities.
Executives and key managers understand their internal
control responsibilities and ensure that their staff also
understands their own responsibilities.
E Assignment of Authority and Responsibility
The company appropriately assigns authority and delegates
1 responsibility for CBP activities to the proper personnel to
deal with organizational goals and objectives.
Authority and responsibility are clearly assigned throughout
the organization and clearly communicated to employees.
Responsibility for decision-making is clearly linked to the
assignment of authority and responsibility.
Each employee knows how his or her actions related to CBP
2 activities relate to others’ actions and is aware of his or her
related duties concerning CBP internal control.
Delegation of authority is appropriate in relation to the
3
assignment of responsibility for CBP activities.
Employees at the appropriate level are empowered to correct
problems or implement improvements.
There is an appropriate balance between the delegation of
authority at lower levels to “get the job done” and the
involvement of senior-level personnel.
44
F Human Resource Policies and Practices
Employees’ responsibilities for CBP activities are properly

supervised.
G Oversight Groups
Within the company, mechanisms are in place to monitor
and review operations and programs. The company has a
committee or senior management council that reviews
internal audit work of CBP activities.
H Internal Control Point
The internal audit function reviews the company’s CBP
activities and systems and provides information, analyses,
appraisals, recommendations, and counsel to management.
Risk Assessment
The second internal control component addresses risk assessment. A precondition to risk
assessment is the establishment of clear, consistent company goals and objectives at both the
entity level and the activity level. Once the objectives have been established, the company needs
to identify the risks that could impede the efficient and effective achievement of those objectives.
Internal control should provide for an assessment of the risks the company faces from both
internal and external sources. Once risks have been identified, they should be analyzed for their
possible effect.
Management then must formulate an approach for risk management and decide upon the internal
control activities required to mitigate those risks and achieve the internal control objectives of
efficient and effective operations, reliable CBP reporting, and compliance with laws and
regulations. A manager or evaluator will focus on management’s processes for setting
objectives, risk identification, risk analysis, and management of risk during times of change.
Listed below are factors a user might consider.
45
Internal Control Point Comments /

Descriptions
A Establishment of Activity- Level Objectives
1 Company CBP compliance requirements are linked with
company objectives.
B Risk Identification
1 Management identifies CBP related risk.
Qualitative and quantitative methods are used to identify risk
and determine relative risk rankings on a scheduled and
periodic basis.
How risk is to be identified, ranked, analyzed, and mitigated is
communicated to appropriate staff.
Risk identification and discussion occur in senior-level
management meetings.
Risk identification takes place as part of short- and long-term
forecasting and strategic planning.
Risk identification occurs as a result of consideration of
findings from audits, evaluations, and other assessments.
2 Mechanisms exist to identify risks to CBP activities arising
from external factors. Consider the risks:
Arising from changing needs or expectations by Congress,
CBP officials, or the public.
Posed by new legislation, regulations, rulings, and court
decisions.
Resulting from business, political, or economic changes.
Associated with major suppliers, brokers, contractors, and
agents.
Resulting from interactions with other companies and outside
parties.
3 Mechanisms exist to identify risks to CBP activities arising
from internal factors. Consider the risks:
Resulting from downsizing operations and personnel.
Associated with major changes of operating processes, foreign
sourcing, or importing operations.
Resulting from new lines, products, or other business
activities.
Associated with restructuring and reorganizations.
Posed by disruption of information systems.
Posed by highly decentralized CBP operations.
46
Posed by personnel turnover or personnel who are not

qualified and trained.
Resulting from heavy reliance on agents or other parties to
perform critical company operations.
Resulting from rapid growth or expansion of import
operations.
4 Management assesses other factors, such as a history of
compliance problems.
C Risk Analysis
1 After CBP risks have been identified, management should
undertake an analysis of their possible effect. Consider the
following:
Management has established a formal or informal process to
analyze risks.
Criteria have been established for determining low, medium,
and high risks.
Appropriate levels of management and employees are involved
in the risk analysis.
Risks identified and analyzed are relevant to the corresponding
activity objective.
Risk analysis includes estimating the risk’s significance and
sensitivity.
Risk analysis includes estimating the likelihood and frequency
of occurrence of each risk (susceptibility) and determining
whether it falls into the low, medium, or high-risk category.
A determination is made on how best to manage or mitigate
the risk and what specific actions should be taken.
2 Management has developed an approach for risk management
related to CBP compliance and control based on how much
risk can be prudently accepted. Consider the following:
The approach will vary from company to company based on
the company’s CBP activities.
The approach is designed to keep risks within levels judged to
be appropriate, and management takes responsibility for
setting the tolerable risk levels.
Specific control activities are decided upon to manage or
mitigate specific risks, and their implementation is monitored.
D Managing Risks During Change
47
1 The company has mechanisms in place to anticipate, identify,

and react to risks presented by changes in government,
economic, industry, regulatory, operating, or other conditions
that can affect CBP compliance.
2 The company gives special attention to risks presented by
changes that can have a more dramatic and pervasive effect on
CBP compliance. The company is attentive to risks related to
Changes in CBP information systems.
Rapid growth and expansion or rapid downsizing.
Imports under CBP programs and activities that are new to the
company.
Imports from a new geographical area.
3. Control Activities
The third internal control component addresses control activities. Internal control activities are
the policies, procedures, techniques, and mechanisms that help ensure that management’s
directives to mitigate risks identified during the risk assessment process are carried out. Control
activities are an integral part of the company’s planning, implementing, and reviewing
processes.
Control activities occur at all levels and functions of the company. They include a wide range of
diverse activities, such as approvals, authorizations, verifications, reconciliations, performance
reviews, security activities, and the production of records and documentation. A manager or
evaluator should focus on control activities in the context of the company’s management
directives to address risks associated with established objectives for each significant activity.
Therefore, a manager or evaluator will consider whether control activities relate to the risk
assessment process and whether they are appropriate to ensure that management’s directives are
carried out. In assessing the adequacy of internal control activities, a reviewer should consider
whether the proper control activities have been established, whether they are sufficient in number
and the degree to which they are operating effectively. This analysis and evaluation should also
include controls over computerized information systems. A manager or evaluator should
consider not only whether established control activities are relevant to the risk assessment
process, but also whether they are being applied properly.
Given the wide variety of control activities that companies may employ, it would be impossible
for this tool to address them all. However, there are some general, overall points to be
considered by managers and evaluators, as well as several major categories or types of control
activity factors that are applicable at various levels throughout most if not all companies. In
addition, some control activity factors are specifically designed for information systems. These
factors and related issues are listed below to illustrate the range and variety of typical control
activities.
48

Descriptions
A General Application
1 Appropriate policies, procedures, techniques, and mechanisms
exist with respect to CBP activities.
All relevant objectives and associated risks have been
identified in relation to the risk assessment and analysis
function of internal control.
Management has identified the actions and control activities
needed to address the risks and directed their implementation.
2 Control activities identified as necessary are in place and being
applied. Consider the following:
Control activities described in policy and procedures manuals
are actually applied and applied properly.
Supervisors and employees understand the purpose of internal
control activities.
Supervisory personnel review the functioning of control
activities.
Timely action is taken on exceptions, implementation
problems, or information that requires follow-up.
B Common Categories of Control Activities
1 Management tracks CBP compliance in relation to goals.
Managers at all activity levels review performance reports,
analyze trends, and measure results against targets.
Appropriate control activities are employed, such as
reconciliations of summary information to supporting detail.
2 The company effectively manages its workforce to achieve
CBP compliance.
Procedures are in place to ensure that personnel with
appropriate competencies are recruited and retained.
Employees are given orientation, training, and tools to perform
their duties and responsibilities, improve their performance,
and meet the demands of changing organizational needs.
Qualified and continuous supervision is provided to ensure that
internal control objectives are being met.
3 The company employs a variety of controls of CBP activities
to ensure accuracy and completeness of information
processing.
49
4 The company has established and monitors performance

measures and indicators for CBP activities.
Actual performance data are continually compared and
analyzed against expected or planned goals.
Unexpected results or unusual trends are investigated to
identify circumstances where achievement of goals for CBP
compliance is threatened. Corrective action is taken.
5 CBP transactions and other significant events are properly
classified and promptly recorded so that they maintain their
relevance, value, and usefulness to management in controlling
operations and making decisions
6 Only authorized individuals can make adjustments to CBP
information.
7 Internal control and all transactions and other significant
events related to CBP activities are clearly documented.
Written documentation exists for the company’s internal
control structure and all significant transactions and events.
Documentation is readily available for examination.
Documentation for internal control includes identification of
the company’s activity-level functions and related objectives
and control activities and appears in management directives,
administrative policies, accounting manuals, and other such
manuals.
Documentation of transactions and other significant events is
complete and accurate and facilitates tracing the transaction or
event and related information from before it occurs, through its
processing, to after it is completed.
Documentation, whether in paper or electronic form, is useful
to managers in controlling their operations and to auditors and
others involved in analyzing operations.
All documentation and records are properly managed,
maintained, and updated periodically.
8 This analysis and evaluation should also include controls over
automated information systems.
4. Information and Communication
According to the fourth internal control component, for a company to effectively operate, it must
have relevant, reliable information relating to external as well as internalevents. That information
should be recorded and communicated to management and others within the company who need
50
it in a form and within a time frame that enables them to carry out their internal control and
operational responsibilities. Managers and evaluators should consider the appropriateness of
information and communication systems to the organization’s needs and the degree to which
they accomplish the objectives of internal control.
Listed below are factors to consider. The list is a starting point. It is not all-inclusive, nor will
every item apply to every company or activity within the company. Even though some of the
functions and points may be subjective in nature and require the use of judgment and reasonable
care, they are important in collecting appropriate data and information and in establishing and
maintaining good communication.

Descriptions
A Information
1 Information related to CBP activities from internal and
external sources is obtained and provided to management as a
part of the company’ reporting on operational performance
relative to established objectives.
2 Pertinent information related to CBP activities is identified,
captured, and distributed to the right people in sufficient detail,
in the right form, and at the appropriate time to enable them to
carry out their duties and responsibilities efficiently and
effectively.
3 Management ensures that effective internal communications
occur related to CBP activities.
Employees understand the aspects of internal control, how
their roles fits into it, and how their work relates to the work of
others.
Employees are informed that when the unexpected occurs,
they must pay attention not only to the event but also to the
underlying cause, so that potential internal control weaknesses
can be identified and corrected before they can do further
harm.
Mechanisms exist to allow the easy flow of information down,
across, and up the organization and between functional
activities.
Informal or separate lines of communications exist to serve as
a “fail-safe” control for normal communications avenues.
Mechanisms are in place for employees to recommend
improvements in operations.
51
4 Management ensures that effective external communications

occur with groups that can have a serious impact on CBP
compliance.
Open and effective communications have been established
with customers, suppliers, consultants, brokers, and others
who can provide significant input relative to CBP compliance.
Communication with external parties such as CBP and other
federal agencies is encouraged, since it can be a source of
information on how well internal control is functioning.
Management makes certain that advice and rulings from CBP
are implemented to correct any problems or weaknesses they
identify; and recommendations from CBP are fully considered
and implemented to correct any problems or weaknesses they
identify, as required.
B Forms and Means of Communication
1 The company employs various forms and means of
communicating important information with employees and
others (policies and procedures manuals, memorandums to
staff, regular meetings with staff, etc.).
5. Monitoring
Monitoring is the final internal control component. Internal control monitoring should assess the
quality of performance over time and ensure that the findings of audits and other reviews are
promptly addressed. In considering the extent to which the continued effectiveness of internal
control is monitored, both ongoing monitoring activities and separate evaluations of the internal
control system, or portions thereof, should be considered.
Ongoing monitoring occurs during normal operations and includes regular management and
supervisory activities, comparisons, reconciliations, and other actions that people take in
performing their duties. Separate evaluations are a way to take a freshlook at internal controls by
focusing directly on their effectiveness at a specific time. These evaluations may take the form of
self-assessments as well as review of control design and direct testing and may include the use of
this Management and Evaluation Tool or some similar device.
In addition, monitoring includes policies and procedures for ensuring that any audit and review
findings and recommendations are brought to the attention of management and are resolved in a
timely manner. Managers and evaluators should consider the appropriateness of the company’s
internal control monitoring and the degree to which it helps them accomplish their objectives.
52

Descriptions
A Ongoing Monitoring
1 Management has a strategy to ensure that ongoing monitoring
of CBP activities is effective and will trigger separate
evaluations where problems are identified, or systems are
critical and testing is periodically desirable.
Management’s strategy provides for routine feedback and
monitoring of performance and control objectives.
The monitoring strategy includes identification of critical
operational CBP-related systems that need special review and
evaluation.
The strategy includes a plan for periodic evaluation of control
activities for critical CBP activities.
2 In the process of carrying out their regular activities, company
personnel obtain information about whether internal control is
functioning properly
3 Communications from external parties corroborate internally
generated data or indicate problems with internal control.
Communications from CBP officers about compliance or other
matters that reflect on the functioning of internal control are
used for follow-ups on any problems indicated.
4 Meetings with employees are used to provide management
with feedback on whether internal controls are effective.
matters that reflect on the functioning of internal control are
used for follow-ups on any problems indicated.
B Separate Evaluations
1 Scope and frequency of separate evaluations of internal control
are appropriate for the company.
Risk assessment results and the effectiveness of ongoing
monitoring determine the scope and frequency of separate
evaluations.
Separate evaluations may be prompted by events such as
major strategies, expansions, downsizing, etc
Appropriate portions or sections of internal controls are
evaluated regularly
Personnel with required skills, who may include the
company’s internal auditor or an external auditor, conduct
separate evaluations.
2 The methodology for evaluating the company’s internal control
is logical and appropriate. Consider the following:
53
The methodology used may include self-assessments using

checklists, questionnaires, or other such tools, and it may
include the use of this Management and Evaluation Tool or
some similar device.
The separate evaluations may include a review of the control
design and direct testing of the internal control activities
The evaluation team develops a plan for the evaluation process
to ensure a coordinated effort
If company employees conduct the evaluation process, an
executive with the requisite authority, capability, and
experience manages the process.
The evaluation team gains a sufficient understanding of the
company’s objectives related to CBP compliance
The evaluation team gains an understanding of how the
company’s internal control system is supposed to work and
how it actually works.
The evaluation team analyzes the results of the evaluation
against established criteria. The evaluation process is properly
documented.
3 Deficiencies found during separate evaluations are promptly
resolved
Deficiencies are promptly communicated to the individual
responsible for the function and also to at least one level of
management above that individual. .
Serious deficiencies and internal control problems are
promptly reported to top management
C Issue Resolution
1 The company has a mechanism to ensure the prompt
resolution of findings from internal or external audits or
reviews. Consider the following:
Managers promptly review and evaluate findings resulting
from audits and assessments, including those showing
deficiencies and those identifying opportunities for
improvements.
Management determines the proper actions to take in response
to findings and recommendations
Corrective action is taken or improvements made within
established time frames to resolve the matters brought to
management’s attention.
In cases where there is disagreement with the findings or
recommendations, management demonstrates that those
54
findings or recommendations either is invalid or do not

warrant action
Management considers consultation with auditors when it is
believed to be helpful in the audit resolution process
2 Management is responsive to the findings and
recommendations of audits and other reviews aimed at
strengthening internal control
The company takes appropriate follow-up actions with regard
to findings and recommendations of audits and other reviews.
Problems are corrected promptly
Management investigates the underlying causes giving rise to
the findings or recommendations
Actions are decided upon to correct the situation or take
advantage of the opportunity for improvements.
Management and auditors follow up on audit and review
findings, recommendations, and the actions decided upon to
ensure that those actions are taken.
Top management is kept informed through periodic reports on
the status of audit and review resolutions so that it can ensure
the quality and timeliness of individual resolution decisions.
55
Appendix F: Risk Assessment and Self-Testing Development

SELF-TESTING PLAN
INTRODUCTION
This document is a risk assessment and self-testing development tool created for CTPAT Trade
Compliance program applicants. The intent of this document is to provide guidance as well as a
starting point for the design, development, and documentation of a self-testing plan. The self-
testing plan is a required document that must be submitted as part of the CTPAT Trade
Compliance application package, and ongoing self-testing is a requirement for continued
participation in the CTPAT Trade Compliance program.
Under the CTPAT Trade Compliance program, CBP will allow flexibility and will not dictate
specific testing requirements because self-testing is part of the monitoring activities of a
company’s system of internal control. It is important that a company has the flexibility to design
a program that fits its specific needs. Therefore, each company must perform its own risk
assessment, develop its own control procedures, and design its own self-testing program to
monitor and mitigate risk and ensure that import transactions are accurate and compliant with
CBP laws and regulations. The goal is to identify and eliminate vulnerabilities in a company’s
import compliance program.
CBP’s expectation is that the self-testing plan will be detailed regarding how risk is assessed;
how often the risk assessment is updated to identify new risk and how new risks will be
managed; how often self-testing will occur; who will perform the risk assessment and testing;
how the results will be documented; and how corrective actions will be implemented, when
needed. To help CTPAT Trade Compliance program applicants better understand risk
assessment and self-testing, CBP compiled a list of risk assessment factors and self-testing
questions that companies may consider. Additionally, example scenarios have been included to
help demonstrate the risk assessment factors and self-testing questions.
RISK ASSESSMENT FACTORS TO CONSIDER
Risk is the degree of exposure that would result in loss to the trade, industry, or the public.
Potential risk exists in ordinary day-to-day transactions as well as those extraordinary
transactions that happen infrequently or unintentionally. To identify risk, a risk assessment,
which is the integrated process for identifying and managing risk in trade compliance, should be
performed on a continuing basis or at least on an annual basis. Below are some example risk
factors to consider:
• Use of new, multiple, or sub-contracted brokers.

56
• Use of special trade programs such as free trade agreements, special duty provisions such
as Harmonized Tariff Schedule of the United States (HTSUS) Chapters 98 and 99,
Antidumping/Countervailing Duties, etc.
• Complexity of HTSUS classifications to types of merchandise imported.
• Use of a Basis of Appraisement other than Transaction Value.
• Use of “first sale” for valuation.
• Use of Landed Duty Paid terms of sale.
• Payments in addition to the price paid or payable (i.e., packing, selling commissions,
assists, royalties, and license fees, and proceeds from subsequentresale).
• Quality and quantity of pre- or post-entry reviews.
• Organizational changes that may affect the commitment to compliance, new management
structure, reduction in staff, etc.
• Changes to core business, addition of new product lines, and/or use of new manufacturers;
and,
• Impact of communication between CBP and the company (i.e., internal advice/ruling
decisions/information requests/notices of change liquidation).
RISK ASSESSMENT EXAMPLE SCENARIOS
Ex amp le Scen ario 1: XYZ Company utilizes an automated system for its post- entry
valuation review, which is a three-way match of the purchase order value, invoice value, and
entry summary value. Any differences between the three values causes a discrepancy report to
be generated that is sent to the Customs Compliance Department for research and/or corrective
action. This is the process in place for the vast majority of XYZ Company’s entries. The
remaining entries, which are manually entered by the company’s broker, are not subject to the
automated post-entry valuation.
The fact that a number of XYZ Company’s transactions are not subject to the company’s control
activities (listed above) mean that these transactions should be considered during the risk
assessment. Additionally, XYZ Company should consider whether the values being compared
by the automated system have been verified for accuracy, e.g., are there any additions to the price
paid or payable not being declared,
Example Scenario 2: Company X, which is a long-time CTPAT Trade Compliance program

participant, acquires ACME Corporation, a non-CTPAT Trade Compliance program company.
While ACME Corporation maintained its own CBP compliance manual along with desktop
policies and procedures prior to its acquisition, Company X’s policy is to gradually integrate any
acquired company’s CBP operations into its CBP compliance manual and associated policies and
procedures. Company X should evaluate ACME Corporation’s policies and procedures to
identify risk areas and review a sample of their past import transactions. The review will help
Company X to determine what the risk factors are and where improvements are needed. Until
57
ACME Corporation’s CBP operations are fully integrated into Company X’s procedures, current
transactions of ACME Corporation would be a risk factor and included in the self-testing plan.
SELF-TESTING QUESTIONS TO CONSIDER
Once risk has been identified, the company should utilize risk management-based process, which
is a method of managing by identifying and controlling those events that have the potential to
cause significant problems. The key to risk management is to gather and analyze all relevant
data efficiently and effectively and use these data to make decisions about allocating resources.
For CBP Trade Compliance program participants, risk management will help determine the
extent of transactional testing for each area of risk. Below are some questions to consider when
documenting the self-testing procedure.
• Who will be responsible for the risk assessment, and how often will a risk assessment be
performed, reviewed, and documented?
• What will be the methodology used to select transactions for review?
• Who will conduct the transactional testing (e.g., this should be someone independent of
the transaction)? How many entries or line items (express as anumber or percentage) will
be reviewed?
• Is there an audit trail from financial records to CBP declarations (i.e., a test for unreported
value)?
• How will the sampled items and results of the review be documented, tracked, and
maintained?
• How will errors be addressed (e.g., post-entry amendment, prior disclosure, etc.)?
• Are corrective action procedures in place to address errors?
• Who will the results of the review be provided to within the company, and who is
responsible for ensuring corrective actions are taken to address deficiencies?
• How often are the internal control policies and procedures reviewed, and how will the
review be documented?
• How are changes to the internal control manual tracked and/or tested, and how are users
notified of these changes?
When documenting the self-testing plan, do not use “periodic” as a testing interval. Provide a
specific time period, or minimum level, for review (e.g., daily, monthly, quarterly, annually, at a
minimum quarterly, etc.). Ensure that the designated person performing the self-testing is
independent of the transactions being reviewed.
SELF- TESTING EXAMPLE SCENARIOS
Example Scenario: Fast Courier’s contract with ACME Corporation requires Fast Courier to
provide monthly downloads of all transactions that ACME Corporation is billed for, including
both transactions where ACME Corporation and Fast Courier were the importer of record. In
order to test transactions processed by Fast Courier, ACME Corporation will utilize the data
58
provided to review information including, but not limited to, usage of the correct importer of
record number, correct classification of merchandise using the HTSUS number provided by
ACME Corporation on the commercial invoice, declaration of the proper “relationship” with the
vendor/manufacturer, etc. ACME Corporation’s self-testing is based upon a “X” percent of
judgmentally selected samples per risk area identified during its risk assessment. In addition to
the “X” percent judgmental samples for Fast Courier, ACME Corporation decided that it will
also look at all entries where Fast Courier classified merchandise under Chapter 9801 to ascertain
whether the classification was used correctly. ACME Corporation will note on its self-testing
spreadsheet, which is how the company tracks all items selected for review, that for entries
involving Chapter 9801 only the classification would be reviewed and not the other data
elements.
Per ACME Corporation’s self-testing plan, once testing is complete a report is provided to
management outlining the results of the review and corrective actions to be taken, which will be
monitored by ACME Corporation’s compliance department. With regard to the testing of Fast
Courier, ACME Corporation has regularly scheduled meetings with the courier at which time the
self-testing results will be discussed along with any needed standard operating procedure
enhancements.
COMBINED RISK ASSESSMENT AND SELF-TESTING SCENARIO
Example Scenario: Brand X Corp claims Generalized System of Preferences (GSP), which
provides duty-free tariff treatment to certain products imported from designated developing
countries, on a certain percentage of its entries. Brand X Corp has a documented set of GSP
post-entry review procedures and the task is assigned to one individual, the entry analyst.
During its risk assessment, Brand X Corp reviewed the roles and responsibilities of individuals
within the Customs Compliance Department. In the case of the entry analyst, a review of this
individual’s responsibilities identifies that he/she is solely responsible for reviewing entries
where GSP is claimed. As such, Brand X Corp determined that GSP claims should be
considered a risk factor.
The selected GSP entries are documented on the company’s self-testing spreadsheet. The GSP
entries must now be reviewed to ensure that the transaction qualifies for GSP and supporting
documentation are maintained; however, the entry analyst cannot review the entries because
he/she reviewed them as part of the post-entry review process. In this scenario, Brand X Corp’s
self-testing plan will require the customs compliance manager to review the GSP entries, because
the customs compliance manager’s day-to-day responsibilities do not include entry reviews. The
customscompliance manager will document the results of the review on the self-testing
spreadsheet.
If the customs compliance manager identified an error when reviewing the GSP entries, Brand X
Corp’s documented self-testing plan discusses how the transactional sample is expanded, who to
report the findings to within Brand X Corp, and how the errors will be relayed to CBP, i.e.,
59
disclosure, PEA, etc. Brand X Corp’s documented self-testing plan also includes a corrective
action process to avoid similar errors in the future.
60
Appendix G: Annual Notification Letter
ANNUAL NOTIFICATION LETTER (ANL) REPORTING REQUIREMENTS
The purpose of this document is to provide instructions for preparing the Importer to submit the
ANL. All approved Trade Compliance companies must follow these instructions.
The purpose of the ANL is to ensure that the participant continues to meet the requirements of
the Trade Compliance program and inform U.S. Customs and Border Protection (CBP) of any
business modifications that may have a potential impact on the company’s operations. Examples
of such modifications are significant changes to the company organization, personnel,
commodities, brokers, or trade programs. Additionally, CBP requests that the ANL include
summaries of the participant’s Trade Compliance risk assessment and self-testing, as well as
corrective actions taken when deficiencies are identified.
The ANL must be generated through the CTPAT Trade Compliance portal through a series of
questions required responses. At the conclusion of the questions, the Importer will be able to
generate and sign the memorandum of understanding with CBP.
The ANL submission process starts with the ANL cover letter, which allows the Importer to
provide four paragraphs to CBP summarizing the ANL submission. Below are examples of
what each paragraph may contain, this list in not all inclusive and provides only an example.
The Importer should include information that shows the most accurate portrayal of their
company for the year.
Paragraph 1 Example: In accordance with the requirements of participation to the CTPAT Trade
Compliance program, (Company Name) is hereby submitting its annual notification letter.
(Company Name) was formally approved for participation in the CTPAT Trade Compliance
program on (date). (Note: For legacy ISA participants, the ISA program date should be used.)
Paragraph 2 Example: During the past year, (Company Name) has complied with the CBP laws
and regulations, CTPAT Security, and CTPAT Trade Compliance program requirements. We
have, and continue to maintain, a system of business records that demonstrate the accuracy of
CBP transactions as required. Paragraph 3 Example: (Company Name) has performed a review
of its CBP internal control policies and procedures and made appropriate adjustments and/or
changes to its internal control systems when necessary. (Company Name) has also performed
periodic transactional testing based on its risk assessment and corrective action has been taken,
where necessary, to ensure that internal control is implemented. Test results will be maintained
for three years at (location) and are available for review upon request. Paragraph 4 Example: In
compliance with the CTPAT Trade Compliance program requirements, (Company Name) has
summarized in the following question responses the changes to its organization, personnel, and
import activity along with the results of the internal control adjustments/changes and
61
transactional testing. (Company Name) will continue to meet the requirements of the program.
If you have any questions, our contact for the program is (Name, Title). You can contact
him/her at (telephone number, e-mail address).
After the four paragraphs of the ANL cover letter are complete, the Importer must answer the six
(6) ANL questions along with uploading any attachments they deem relevant to answering the
questions. The questions include:
• Please provide details on organizational changes, including but not limited to: official
company name, physical address, leadership team, trade compliance personnel,
addition(s) or deletion(s) of Importer of Record (IOR) number(s), etc. due to
mergers/acquisition/divestiture or other reasons.
• Please provide details on changes in commodities imported, CBP trade programs utilized,
brokers, etc.
• Please provide details, adjustments, and/or changes (addition(s) or deletion(s)) to the
documented internal control policies and procedures.
• Please summarize the areas identified as potential risks because of the company’s risk
assessment along with the tests performed to review the potential areas of risk.
• Please explain the methodology used for transactional/internal control testing.
Summarize the test results and list them on a separate spreadsheet or a written
summarization of the number oof transactions tested, number of errors (identified by
type), cause of error(s), and whether corrective action was taken.
• Please provide details on prior disclosures by including submission dates, summary
issue(s), monies tendered, and CBP acceptance date. If this element is not applicable for
the reporting period, state “Not Applicable”.
Attached is an example ANL demonstrating how the required information could be incorporated,
this letter will be automatically generated with the responses to the above, with the answers to
the above paragraphs and question responses. If there are any questions regarding the ANL
requirements, please contact the assigned NAM or email your questions to the CPTAT Trade
Compliance program at [email protected].
62
(Participant’s Address 1)
(Participant’s Address 2)
(DATE)
(Name of Chief)
Chief, Partnership Programs Branch
Office of International Trade
1400 L Street, N.W. Washington, D.C. 20229-1143
Dear Mr./Ms. :
In accordance with the requirements outlined within the CTPAT Trade Compliance Handbook,
(Company Name) is hereby submitting its annual notification letter. (Company Name) was
formally approved for participation in the ISA program on (date).
During the past year, (Company Name) has complied with U.S. Customs and Border Protection
(CBP) laws and regulations, Customs Trade Partnership Against Terrorism and ISA program
requirements. We have, and continue to maintain, a system of businessrecords that demonstrates
the accuracy of CBP transactions as described in the CTPAT Trade Compliance Handbook.
(Company Name) has performed a review of its CBP internal control policies and procedures
and made appropriate adjustments and/or changes to its internal control systems when necessary.
(Company Name) has also performed periodic transactional testing based on its risk assessment
and corrective action has been taken, where necessary, to ensure that internal control is
implemented. Test results will be maintained for three years at (location) and are available for
review upon request.
Organizational and/ or Personnel Changes
(Note: If a company elects to add/delete business unit(s) or organization changes due to mergers
and/or divestitures, an amended Memorandum of Understanding is required.
Additionally, if a company has an official name change and/or importer of record numberchange
due to a merger or divestiture, a new Memorandum of Understanding is required.)
Import Activity Changes
(Note: Report any changes in commodities imported, CBP trade programs utilized, brokers, etc.)
Internal Control Adjustments and Changes
(Note: Summarize adjustments and/or changes (additions or deletions) to the documented

internal control policies and procedures.)
63
Risk Assessment Results
(Note: Summarize the areas identified as potential risks as a result of the company’s risk
assessment along with tests performed to review the potential areas of risk.)
Periodic Testing Results
(Note: Explain the methodology used for transactional/internal control testing. Summarize the
test results and list them on a separate spreadsheet or a written summarization of the number of
transactions tested, number of errors (identified by type), cause of error(s), and whether
corrective action was taken.)
Post Entry Amendments and/or Disclosures
(Note: Include submission dates, summary of issue(s), monies tendered, and CBP acceptance
date. If this element is not applicable for the reporting period, state “Not Applicable”)
(Company Name) will continue to meet the requirements of the ISA program and the previously
executed Memorandum of Understanding. If you have any questions, our company contact for
the ISA program is (Name, Title). You can contact him/her at (Telephone Number, e-mail
address).
Sincerely,
(Signature-should be the same officer who signed the CTPAT Trade Compliance MOU or
company officer equivalent)
In compliance with CTPAT Trade Compliance reporting requirements, (Company Name) has
summarized (below or attached) changes to its organization, personnel, and import activity along
with the results of internal control adjustments/changes and transactional testing as follows:
(Note: The six key elements listed below are the minimum reporting areas but are not all
inclusive. The key elements can be included in the body of the letter or as an attachment.)
64
Appendix H: ANL Step by Step Submission
ANNUAL NOTIFICATION LETTER STEP BY STEP WALK THROUGH
CUSTO MS TRADE PARTNERSHIP AGAINST TERRO RISM
Trade Compliance Quick Portal Guide-

Annual Notification Letter (ANL) Process
Presenter’s Name June 17, 2003
65
General Layout and Key Functions
2
1
Timeline: Displays key Importer submissions and CBP acknowledgements

Document Library: Storage for Importer and CBP files
Action Bar: Buttons for Importer actions
Review & Submit: Finalizing the Importer’s Annual Notification Letter and reviewing the
Memorandum of Understanding
Note: The company’s officer will have authorization to the Review & Submit Button
66
Starting the Annual Notification Letter
1
2
1. Starting the ANL: Click on the Annual Notification Letter button, a pop-up window will
appear.
• Note: Once the importer submits the ANL, no changes to the portal account can be
completed until CBP approves the ANL. This process may take up to 45 days (longer if
extenuating circumstances apply).
2. Information Only: The label “anniversary date” is confusing. The date in this field in most
cases reflects your month/day anniversary but should be used to be aware of your ANL due date.
Example: 01/01/2025 means your next ANL is due January 1, 2025.
67
Annual Notification Paragraph Requirements
1. ANL Cover Letter: The importer must complete in full all four cover letter paragraphs
(represents the first four parts of the ANL).
2. Numbers: Each number represents a cover letter paragraph, hovering over the numbers
will display “complete” (blue) and “incomplete” (white).
3. Paragraph Requirements: Notification of company submission (see notes below for an

example paragraph).
4. Save Button: At the completion of adding the four required paragraphs, the user must
save to continue.
Paragraph 1 Example:
In accordance with the requirements of participation to the CTPAT Trade Compliance program,
(Company Name) is hereby submitting its annual notification letter. (Company Name) was
formally approved for participation in the CTPAT Trade Compliance program on (date). (Note:
For legacy ISA participants, the ISA program date should be used.)
68
During the past year, (Company Name) has complied with the U.S. Customs and Border
Protection (CBP) laws and regulations, CTPAT Security, and CTPAT Trade Compliance
program requirements. We have, and continue to maintain, a system of business records that
demonstrate the accuracy of CBP transactions as required.
(Company Name) has performed a review of it’s CBP internal control policies and procedures
and made appropriate adjustments and/or changes to its internal control systems when necessary.
(Company Name) has also performed periodic transactional testing based on its risk assessment
and corrective action has been taken, where necessary, to ensure that internal control is
implemented. Test results will be maintained for three years at (location) and are available for
review upon request.
In compliance with the CTPAT Trade Compliance program requirements, (Company Name) has
summarized in the following question responses the changes to it’s organization, personnel, and
import activity along with the results of the internal control adjustments/changes and
transactional testing. (Company Name) will continue to meet the requirements of the program.
If you have any questions, our contact for the program is (Name, Title). You can contact
him/her at (telephone number, e-mail address).
69
Annual Notification Question #1
3
2
1. ANL Question #1: The importer must answer company information, organizational
changes, and/or personnel changes (represents part 5 of the ANL submission).
2. Question box: The importer must provide the executive summary narrative here
3. Attachments: The importer must provide attachments that support the executive
summary here
70
2 3
1. ANL Question #2: The Importer must answer information on import activity changes
(represents part 6 of the ANL).
2. Question box: The importer must provide the response narrative here
3. Attachments: The importer must provide attachments that support the narrative here
71
2 3
1. ANL Question #3: The importer must answer information on internal control adjustments
and changes (represents part 7 of the ANL).
72
2
3
1. ANL Question #4: The importer must answer information on risk assessment results
73
2 3
1. ANL Question #5: The importer must answer information on periodic testing results
74
2
3
1. ANL Question #6: The importer must answer information on prior disclosures and post
summary corrections (represents part 10 of the ANL).
75
Review and Submit
1
1. Review & Submit: The company officer (or highest ranking official) must select the
Review & Submit button to finalize the ANL submission, this will auto generate the
MOU between the Importer and CBP for the Importer to sign (see next page).
2. Information Only: Once signed, a copy of the MOU will be available in PDF format, in
the document library. This may be saved for company records.
76
Save Annual Notification Letter
1 2
1. Once the company officer hits “review & submit” (previous page), a copy of the
Importers ANL will appear to review.
2. Review: The company logo appears in ANL Letter as uploaded in the company
documents
3. Review: Address block will automatically populate
4. Review: ANL Letter will be auto generated with paragraphs and answers to ANL
Questions
5. Reviews: E-signed name of company officer or highest-ranking official will appear
6. Save Button: Importer must save application button to generate the Memorandum of
Understanding
77
Submit the Final Annual Notification Letter to CBP
1. Review: Memorandum of Understanding (MOU) is auto generated
2. Review: Company Name, Physical Address and Importer of Record Number (IOR) will
populate.
3. Review: Electronic signature of company officer or highest-ranking official will

populate
4. Submit: To finalize the ANL Letter submission, the company officer (or highest ranking
official) must enter his/her login password and hit the submit button.
Note: Passwords have to be typed in, it cannot be copied and pasted from another location.
Copying and pasting the password will result in an error message.
Note: To start a new ANL for the following year, an officer will need to click the “start ANL”
button for the process to start again. The company officer is the only person who will be able to
start the ANL, all other provisioned users for the account will be able to work the ANL after the
Company Officer has started it.
78
Appendix I: Portal Application Process

PORTAL APPLICATION STEP BY STEP WALK THROUGH
CUSTOMS TRADE
PARTNERSHIP
AGAINST TERRORISM
(CTPAT)
Portal Application Process
79
General Layout and Key Functions
1. Importer Trade Organization
2. Users: The individual who starts the Application Process must be identified as the
Company Administrator. This information can be verified in the user tab.
3. Partnership Programs: Trade Compliance must be selected to advance to the application

screen
80
CTPAT Trade Compliance Portal Application

Eligibility
1. The first step to the application is to confirm eligibility for the Importer Trade
Organization by completing the eligibility questions.
2. Click the “Get Started” button to launch the question pop up.
3. Answer all the questions listed in the pop up.
Note: The importer must be able to answer yes to all the questions to proceed with the
application process. If any of the answers are currently no, this is an area that needs to be
improved upon within the organization to move forward. Questions can be directed to
[email protected].
81

Home Page
1. Action: The first step to the application is to upload the company logo in .jpg or .gif
format.
2. Action: There are four steps in the application process including the IOR Selection, the
Points of Contact, the Required Attachments, and the Questionnaire. (Each page
following this one will walk the importer through each step.)
3. Information Only: Once all four parts of the application are completed, the Review &
Submit button will activate. This button is only available to those parties identified as
Company Officer will be able to sign the MOU and submit the application package to
CBP.
82
Home Page IOR Selection
1. By Selecting the “IOR Selection” Button, the user will be prompted to select which IOR
will included in the program application and to be a part of the memorandum of
understanding. The IOR numbers listed are not necessarily all the IOR’s that exist for a
company. The list is generated from the IOR’s CTPAT Security profile and will display
all IOR numbers that have been granted Tier II or Tier III benefits for selection. The
user can select as many or as few IOR numbers as the company wants to participate in
the program. NOTE: Only the IOR numbers selected will be granted benefits of the
CTPAT Trade Compliance program at the time of application approval.
83

Points of Contact
The user must add points of contact for the Trade Compliance program. These can be both the
same and different as the points of contact in the CTPAT Security portal.
Points of contact can be added in the CTPAT Security account and provisioned for Trade
Compliance through the Security account.
84

Required Attachments
1. Each company is responsible for uploading the Company’s Internal Control Manual and
all Desktop Procedures, the Company’s Organizational Chart, the Evidence of a Training
Plan, and a Self-Testing Plan to their document library. This information will be
reviewed as part of the Application Review Meeting with CBP to ensure it is sufficient
for program requirements.
85

Questionnaire: Company Information
Note: The questionnaire consists of eight different categories with each category having a series
of questions within for a total of nineteen questions. If attachments were added in the required
attachments, they do not need to be added a second time here. Additional attachments, as
needed, can be uploaded with the questions.
Category #1 pertains to the company’s company information and includes seven questions,
numbered 1-7. The questions include:
• Please describe the overall organization/operating structure and provide an organizational
chart of the company.
• Provide the names and addresses of any related foreign and/or domestic companies, such
as the company’s parent, sister, subsidiaries, or joint ventures, etc.
• Do all of your company’s business units/subsidiaries operate under a centrally controlled
customs compliance policy/system?
• Does your company maintain an in-house customs department dedicated to maintaining
and updating government regulations, laws, executive orders and procedures that will
affect your CBP operations?
• If not an in house (per #4 above), do you have a contract with a CBP brokerage house or
consulting service to provide advisory assistance?
86
• Does the company have compliance training (external, internal, or both) that provides
pertinent training for its internal compliance office and other departments that are
involved with CBP related activities?
• Is your company applying to Trade Compliance for successfully completing a Focused
Assessment (FA)? If so, please provide your invitation letter from the Trade Compliance
Branch.
87

Questionnaire: Import Activity
Category #2 pertains to the company’s import activity and includes four questions numbered 8-
11. The questions include:
• Does the company monitor/track its annual duties, fees, and taxes paid to CBP to ensure
bond sufficiency?
• Has the company’s surety been required to pay a claim on its behalf in the past 5 years?
• Does the company own, or hold a license to, trademarks or copyrights for goods it
imports into the U.S?
• Does the company import products that are subject to an exclusion order from the
International Trade Commission (ITC)?
88
Questionnaire: System of Internal Controls

Category #3 pertains to the company’s system of internal controls and includes two questions,
number 12-13. The questions include:
• Does your company have a written, comprehensive system of internal controls for its
import processes that is consistent with the five interrelated components of internal
control, as defined by the Committee of Sponsoring Organizations of the Treadway
Commissions (COSO) published report entitled “Internal Control-Integrated
Framework”?
• Does the company’s written internal control procedures focus on ensuring trade
compliance for the following areas?
o Value
o Classification
o Country of Origin
o Free Trade Agreements
o AD/CVD
o Forced Labor
o Other
89

Questionnaire: Risk Assessment Results
Category #4 pertains to the company’s risk assessment results and includes one question, number
14. The question is:
• Is your company prepared to provide risk assessment results to include potential areas of
risk?
90

Questionnaire: Period Testing Results
Category #5 pertains to the company’s internal control procedures and period testing results and
includes three questions numbered 15-17. The questions include:
• Do the company’s internal control procedures include a process for conducting period
self-testing to include reporting results and corrective actions?
• Do you make adjustments to your internal control system when the tests or other
information shows a need for improvement with your compliance procedures?
• Does your internal control process include a record keeping system that maintains
evidence of testing and testing results for at least three years and enables you to submit
documents in a timely manner to CBP upon request, to include tests and test results?
91

Questionnaire: Prior Disclosures
Category #6 pertains to the company’s prior disclosure activity and consists of one question,
number 18. The question is:
• What processes do you have in place to initiate appropriate disclosures to CBP when
issues are discovered via your self-testing?
92

Questionnaire: Government Agency Affiliation
Category #6 pertains to government agency affiliation and includes one question, number 19.
The question is:
• Do you participate in any other partnership programs with any other government
agencies?
93

Final Steps: Review
After completion of the questionnaire, the company is ready to review the summary. Under the
Trade Compliance Account Review, all four boxes should be highlighted in green. The Officer
of the company, as identified in the points of contact, must review and submit the questionnaire
for the company but selecting the review and submit button.
Once the officer initiates the review process, an application summary will populate on the screen
for review. The officer should confirm that all the information in the summary is correct before
proceeding.
94

Final Steps: Submit the Memorandum of Understanding
Once the company officer is ready to submit, they need to review several final documents:
a. The MOU (will auto generate)
b. The company name, physical address, and importer of record number
c. The electronic signature (will auto generate)
Submit the information to CBP. This must be the company officer and that user will be
prompted to enter the log in password to submit the information. Do not copy and paste the
password from another location, it must be typed into the password field in order to submit the
document to CBP.
95
Appendix J: CTPAT Trade Compliance Grant/Delete Access

CTPAT TRADE COMPLIANCE GRANT/DELETE ACCESS
CUSTOMS TRADE
PARTNERSHIP AGAINST
TERRORISM (CTPAT)
Grant/Delete Access
96
CTPAT Trade Compliance Access
Company Profile
1 1. Select “CTPAT Accounts” on the left Partnership Program box.
2. Use the drop down on the left to select “Company Profile”
97

Company Contacts
1. Select Contacts
2. Select the user you would like to delete or give permissions to, check or uncheck the
button to the left of their name
3. Click Save
98

Add User
5
1
1. Select the Trade Organization to add the user to

2. Select the User tab
3. Select the “Add” button to add the user to the security profile
4. Fill in the appropriate fields in the pop-up box
5. Select the “Save” button to continue
99

Delete User
4
1
1. Select the Trade Organization you wish to delete the user from
2. Select the user you would like to delete
3. Select the “delete” button and confirm the deletion in the pop up
4. Select the “save” button
100

Trade Compliance User Roles
Select “Trade Compliance” to go to the users Trade Compliance Account
1. Select “Points of Contact”

2. In the Points of Contact pop up box, you can assign the officer role, give permission to
view/edit the annual notification letter, and delete a user
3. Use the View/Edit features to add the roles
4. A Company Administrator will be able to delete a user from Trade Compliance
5. Select save to save to complete
101
US. Customs and Border Protection

Office of Field Operations
Customs Trade Partnership Against Terrorism Program
1300 Pennsylvania Ave, NW
Washington, DC 20229
Visit the CTPAT Web site at

www.cbp.gov/ctpat
CBP Publication #1042-1022

October 2022
102

CTPAT Trade Compliance Handbook 2.0 - 508

Uploaded by

Copyright:

Available Formats

CTPAT Trade Compliance Handbook 2.0 - 508

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CTPAT Trade Compliance Handbook 2.0 - 508

Uploaded by

Copyright:

Available Formats

Customs Trade Partnership

Trade Compliance Handbook

I am pleased to present the Customs Trade Partnership Against Terrorism

CTPAT has embarked on a journey over the previous four years to

Manuel A. Garza Jr.

CTPAT TRADE COMPLIANCE

1. INTRODUCTION AND PROGRAM MODERNIZATION

2. PROGRAM DESCRIPTION AND REQUIREMENTS

5.2 PARTNER SUSPENSION

HANDBOOK RECORD OF CHANGES

Pg 1: Updated Date to October 2022, Version 2

Pg 5: Created Handbook Record of Changes

Pg 10: Updated Disclosure benefit language

Pg 12 – Pg 16: Updated Sections 2 and 3 to include all program requirements, including

Customs Trade Partnership Against Terrorism (CTPAT) Trade Compliance Program

1. INTRODUCTION & PROGRAM MODERNIZATON

1.2 BACKGROUND AND PROGRAM HISTORY

1.3 PROGRAM OVERVIEW AND UPDATES

1.4 SUMMARY OF THE TRADE COMPLIANCE PROCESS

Trade Compliance Application Submission Requirements:

• An importer must complete a Memorandum of Understanding (MOU) and Program

Application Review Process:

Figure 1. CTPAT Trade Compliance Portal

Figure 1A. CTPAT Trade Compliance Application Process

CTPAT Trade Compliance

• National Account Manager (NAM): Access to an assigned NAM, who acts as an

• Multiple Business Units: Opportunity to apply for coverage of multiple Importer of

• Disclosure Benefit: If CBP becomes aware of errors indicating a possible violation of 19

• Security Validation: As part of the validation or revalidation process, CTPAT partners

• Reduced Examination Rates: Reduced examination rates leading to decreased

• Advanced Qualified Unlading Approval (AQUA Lane): Expedited unloading of sea

• Seminars and Sponsored Events: Access to CTPAT-sponsored events such as CBP

• Business Resumption: Priority entrance of goods following a natural disaster, terrorist

• Mutual Recognition Arrangements (MRAs): Expedited screening with worldwide

• Marketability of CTPAT Partnership: Much like certification with other U.S.

A current list of all CTPAT Security Benefits can be found here:

2 PROGRAM DESCRIPTION AND REQUIREMENTS

2.1 APPLICANTS AND ELIGIBILITY

• Be a U.S. Importer who maintains an Importer of Record Numbers (IOR numbers)

All eligibility questions are listed in Appendix A.

• Compliance with all applicable CBP laws and regulations.

• Members will complete all program requirements in a timely fashion.

3 APPLICATION, PROCESSING, AND ACCEPTANCE

3.1 TRADE COMPLIANCE PORTAL

Figure 3. CTPAT Trade Compliance Eligibility Questions

Figure 3A. CTPAT Trade Figure 3B. CTPAT Trade

The CTPAT Trade Compliance Questionnaire

Specific Program Requirements and Required Attachments include:

Specific Program Requirements for the inclusion of Forced Labor prevention:

Figure 4. Trade Compliance Application Progress Indicators

3.3 TRADE COMPLIANCE QUESTIONNAIRE

3.4 MEMORANDUM OF UNDERSTANDING (MOU)

be submitted in writing to [email protected] and the company’s assigned

An example of a completed MOU is available for review in Appendix C of this document.

Figure 5. Action Items and Document Library

4.5 APPLICATION REVIEW

Figure 6. CTPAT Trade Compliance Portal Chat Feature

4.6 APPLICATION REVIEW MEETING (ARM)