Controls and the ISA Program
U.S. Customs Bureau Offers Benefits for
Frank Chioccola and Carolyn Muhlstein
2005 - Strong internal controls can limit a company’s
risk exposure and provide many competitive benefits. The need
for strong internal controls is not limited to financial areas.
Significant benefits are available to U.S. importers that
implement compliance controls in the customs area.
primary mission of the United States Bureau of Customs and
Border Protection (Customs) has significantly shifted over
the past three years to security, and away from commercial
import processing. Customs is trying to focus its limited
resources by creating new programs that grant significant
benefits to companies that can demonstrate strong internal
such initiative, the Importer Self-Assessment Program (ISA),
permits importers to self-assess their customs compliance
to avoid Customs audits and reduce the danger of costly
delays for government inspections. Importers can achieve
competitive advantages by strengthening their internal controls
and availing themselves of ISA’s many benefits.
is a voluntary partnership between Customs and an importer
to foster high levels of trade compliance. It allows the
importer to demonstrate that it will self-monitor its controls
over Customs compliance, based on the control framework
established in SAS 78, and maintain a sustainable audit
trail from accounting records to import entries. The premise
is that importers with strong internal controls and oversight
mechanisms will achieve the greatest compliance with Customs
regulations and require the least Customs intervention.
The government will reward these importers with special
benefits while focusing inspections efforts on companies
that lack controls.
gives importers an opportunity to leverage their investment
in compliance to gain meaningful benefits,” according
to Deborah J. Spero, assistant commissioner at the Office
of Strategic Trade at Customs. An ISA-certified importer
can receive government benefits that begin in as little
as 90 days. Exhibit
1 depicts ISA’s major benefits, which include
exemption from Customs audits. Furthermore, an ISA participant
will enjoy greater business certainty, which often leads
to enhanced investor confidence and faster and more efficient
management of the supply chain. Shareholders concerned about
a company’s internal controls may be reassured by
an importer’s participation in a government-sanctioned
internal control system. This is good news for company executives
grappling with the spotlight placed on internal controls
by section 404 of the Sarbanes-Oxley Act of 2002 (SOA).
And for companies with a significant cost of goods in imports,
the benefits are even greater.
may already possess extensive documentation of their accounting
procedures and related internal controls, such as accounting
policies-and-procedures manuals. Through ISA, an importer
may assemble a similar documentation trail and evaluate
the effectiveness of internal controls over the import function.
choosing not to participate may experience more Customs
inspections, port-clearance delays, reprioritization of
imports, and low-priority processing during port closures.
“Nissan received its ISA certification at the end
of 2002,” says Leslie Cazas, a senior manager of customs
and international trade with Nissan North America, Inc.
“We have already seen the benefits in many areas,
ranging from greater efficiency in administration matters
at the port level to rapid access to Customs Headquarters
program managers for very timely problem resolution.”
may also play a crucial role in an importer’s attainment
of low-risk status and favorable Customs treatment. In the
past, Customs generally categorized an importer as a low,
medium, or high risk, with two grades in between. Risk categories
were important in determining the level of scrutiny a company
received. Those that had not been audited were usually considered
medium risk and received moderate governmental scrutiny.
But now, Customs has largely eliminated the middle ground,
with companies categorized as low or high risk. ISA participation
will be a key element to ensuring low-risk status.
Does ISA Work?
era of partnership between the importing community and Customs
began with the advent of the Customs Modernization and Informed
Compliance Act of 1993. Under the law, Customs and the importer
share the responsibility for compliance with trade laws
and regulations. The government recognizes ISA-certified
importers with special benefits, and Customs concentrates
on companies that it believes lack controls.
join ISA, an importer must develop a program around two
major components. The first is a system of internal controls
under SAS 78, which encompasses a framework of corporate
objectives and control components (Exhibit
2 and Exhibit
3). (Although not mentioned by ISA, SAS 94 may be useful
to companies when addressing controls over IT.) The second
ISA component is a sustainable audit trail from accounting
records to customs entry records, enabling an importer to
match payments and expenses to merchandise entries.
document, and implement internal controls.
The internal controls must incorporate five interrelated
environment. Internal controls are likely to function
well if management believes that those controls are important
and communicates that view to employees at all levels. An
effective internal control environment—
sets the tone of the organization, influencing the control
consciousness of its people;
is the foundation for all other components of internal
describes “organizational culture”;
includes a commitment to hire, train, and retain qualified
encompasses both technical competence and ethical commitment.
assessment. A risk is anything that endangers the achievement
of an objective. Companies should always ask: What can go
wrong? What assets do we need to protect? Companies should
consider developing a risk matrix that can—
identify, analyze, and manage the potential risks that
could hinder or prevent an organization from achieving
evaluate increased risks resulting from rapid change,
such as turnover in personnel, rapid growth, or the establishment
of new services; and
identify other potential high-risk activities, such as
duty liability, dependence on third-party service providers,
and prior problems.
activities. A company establishes policies and procedures
so that identified risks do not prevent the organization
from reaching its objectives. Policies and procedures should
enable a company to—
clearly define activities, thus minimizing risk and enhancing
establish both preventive (for example, requiring supervisor
approval) and detective (such as reconciling reports)
avoid excessive controls, which are as harmful as excessive
risk and result in increased bureaucracy and reduced productivity.
and communication. To be useful, information must be
reliable and must be communicated to—
internal and external resources, such as employees, vendors,
and service providers; and
individuals and groups, both within and between various
levels and activities of the organization.
A company must monitor the effectiveness of internal
controls periodically to ensure that controls remain adequate
and function properly. Management should also revisit previously
identified problems to ensure they are corrected, by—
scheduling regular monitoring;
selecting samples, viewing documentation, and visiting
external sites, if appropriate;
supplementing samples with special tests of sensitive
and problem areas; and
creating reconciliation and exception reports to provide
periodic testing of the system based on risk. Periodic
testing is a normal part of the monitoring process. Periodic
process reviews can assess the performance quality of the
internal controls. A periodic review of each business unit
is desirable to confirm that corporate policies are implemented
and to mandate corrective action when necessary. Testing
should also be adjusted in response to changing risk.
testing results. A company must agree to maintain
the testing results for three years and to make information
available to Customs upon request. In exchange, Customs
agrees not to continually review the company’s testing
who have completed a CAT or FA [two kinds of compliance
audits] may be the best initial candidates, as they would
have gained firsthand experience performing a self-audit,
working with Customs’ regulatory audit division, and
developing and implementing compliance improvement programs,”
said Nissan’s Leslie Cazas. “I believe it provided
a strong foundation for [Nissan’s] ISA participation.”
importer can apply for the program by first completing an
ISA questionnaire and memorandum of understanding (MOU).
The questionnaire is a brief series of inquiries designed
to ensure that the importer has implemented or plans to
implement key internal controls important for customs compliance.
The MOU is an agreement between Customs and the importer
that establishes their respective roles and responsibilities.
In addition, Customs may schedule an informal meeting with
the company to become more familiar with it. To complete
the application, the importer must develop and submit an
ISA workplan under the ISA program’s auditing standards
requirement. The workplan must stress monitoring and periodic
testing of the company’s system of controls based
on risk, similar to a financial audit.
will review the ISA application to assess the company’s
internal framework and readiness to assume responsibility
for self-assessment. The application review will likely
include a visit by Customs, during which the company will
formally present its ISA program. Customs’ on-site
review team typically includes several representatives,
including the assistant field director.
will deny the application if it receives insufficient information
to evaluate an ISA applicant’s internal controls or
if it believes the company is not prepared to self-assess.
Customs may also choose to help the importer strengthen
its controls and implement a satisfactory testing program.
Once satisfied, Customs confirms the partnership by signing
the MOU, at which point the program benefits begin.
for and enrolling in ISA is not especially complex and provides
an opportunity for importers to assess their internal controls.
The benefits of ISA participation greatly improve an importer’s
ability to ensure the smooth flow of goods.
first step in ISA membership is to submit an application
to enroll in the Customs-Trade Partnership Against Terrorism
(C-TPAT), a joint government-industry initiative to strengthen
supply-chain and border security by ensuring the integrity
of security practices and communicating security guidelines
to an importer’s supply-chain partners. The process
involves analyzing existing corporate security measures,
completing a security questionnaire, and preparing for a
possible on-site visit from Customs. As with ISA, C-TPAT
stresses self-monitoring, not Customs oversight.
and broad commitment from upper-level management will help
create a culture of commitment to C-TPAT/ISA and Customs
compliance in general. In most cases, the corporate customs
department or other area responsible for imports may be
most qualified to manage the ISA application process and
present a clear business case for program participation.
upper-management support for ISA participation will foster
interdepartmental communication and cooperation between
various corporate groups that affect the import process,
such as legal, accounting, finance, shipping/receiving,
transportation/logistics, procurement, and security. This
communication process begins when the importer is completing
the ISA questionnaire and MOU.
directly involved in a company’s import function are
often not well positioned to tackle ISA independently. Because
core competencies in establishing, documenting, implementing,
and testing internal controls are helpful in the Customs
compliance environment, outside auditors and accountants
can play a vital role in helping a company transform a standard
trade compliance program into an ISA.
is relatively new, and only a few companies have been granted
membership. Recognizing the import community’s many
questions, Ernst & Young LLP held a symposium to benchmark
ISA best practices. A total of 16 representatives from 11
companies attended. The
participants were at various stages of applying to ISA,
and each had identified some best practices associated with
After analyzing the benefits of ISA participation,
nine of the 11 companies viewed removal from the audit pool
as the top factor influencing ISA participation. All participants
agreed that upper-level management buy-in is necessary for
ISA success, and that the challenges of implementing the
program could be mitigated through the use of a strong workplan.
Although companies debated whether all corporate units or
subsidiaries should be included in the ISA application,
participants overwhelmingly agreed that it was important
to include all business units in the process.
All symposium participants said their companies
considered various ways to approach the task during the
early stages of the ISA application process. Participants
established cross-functional teams to complete the questionnaire,
including accounting, finance, and purchasing personnel.
All participants involved internal or external customs experts
in the process. External assistance helped companies adhere
to the workplan and establish a timeline for successful
found that responding to the ISA questionnaire was difficult.
The most challenging question was: “Are your Customs
internal processes consistent with SAS 78?” Companies
also initially had difficulty tracing financial records
to import entries.
and implementation. All companies agreed on
the importance of properly assembling and presenting ISA
program information to Customs. Companies also agreed on
the need to develop a risk matrix, organized by customs
activity or business unit, that could be modified when business
consideration, especially for publicly traded companies,
is whether to advise the public of ISA participation. There
may be distinct advantages to doing so, especially if a
company derives most of its cost of sales from imported
government is publicizing the benefits of ISA participation
and touting companies that have joined. Customers of ISA
participants and their supply-chain partners will reap collateral
benefits from the importer’s ISA participation. Doing
business with ISA importers provides customers with greater
recent surge in high-profile business failures, allegations
of corporate fraud, and restatements of earnings has shifted
attention to internal controls. ISA participation should
help restore the confidence of investors, regulators, and
the general public, all of whom are uneasy about corporate
failures and inadequate internal controls. The public’s
perception of an ISA participant should be enhanced by the
knowledge that it manages supply-chain risks though a government-endorsed
program requiring strong internal controls.
section 404 requires public companies to assess the effectiveness
of its internal controls, and requires auditors to attest
to and report on management’s assessment. For larger
importers, customs-related financial accounts might be significant
and subject to SOA review. Many companies are also looking
beyond SOA requirements and carefully reviewing the design,
operation, and effectiveness of their internal controls
in operational and compliance areas. ISA participation provides
certification of import internal controls. Any business
that has decided to review internal controls over imports
for certification should strongly consider ISA participation
in concert with that effort, and may be able to incorporate
ISA into the annual certification process. Customs has instituted
substantial benefits for companies that incorporate internal
controls into import compliance.
challenges of implementing and maintaining ISA compliance
are outweighed by the competitive advantages received by
Chioccola, CPA, is a senior manager, global customs
and trade, PepsiCo International.
Carolyn Muhlstein is a senior consultant
of customs and international trade at Ernst & Young, San