Annex 2
Threats, risks and possible solutions
This document contains a list of the most significant risks associated with the AEO authorization and monitoring process, as well as a list of possible solutions to keep these risks under control. The possible solutions proposed for a given indicator may be applicable to more than one identified risk area. The suggested list is neither exhaustive nor definitive, and in practice, possible solutions will vary from case to case depending on factors such as the size of the operator, the type of goods, the type of automated systems, and the operator's degree of modernization.
The self-assessment questionnaire (CAE) is completed by economic operators at the start of the application process. It is intended to give an overview of their business activity and procedures and of how these bear on authorization as an AEO. The "Threats, Risks, and Possible Solutions" document is intended for both customs authorities and economic operators: it supports auditing and review, and hence compliance with the AEO criteria, by comparing the information provided in the CAE with the identified risk areas and with the possible solutions for addressing the identified risks.
1. Compliance history (Section 2 of the CAE)
Criterion: An appropriate record of compliance with customs requirements [Articles 39(a) of the UCC and 24 of the UCC IA]
Indicator | Risk description | Possible solutions | References |
Compliance with customs requirements | Offences regarding customs requirements: past violations increase the likelihood that future rules and regulations will be ignored or violated. | Active compliance policy on the part of the operator, meaning that it has established internal compliance standards and applies them. Application of internal compliance measures; use of audit resources to verify and ensure that procedures are applied correctly. | CAE - 2.1 |
2. The applicant's accounting and logistics system (Section 3 of the CAE)
Criterion: an adequate system for managing commercial and, where applicable, transport records, allowing for appropriate customs control [Articles 39(b) of the UCC and 25 of the UCC IA]
2.1 Accounting system (subsection 3.2 of the CAE)
Indicator | Risk description | Possible solutions | References |
IT environment; integrated accounting system | Risk that the accounting system does not comply with the generally accepted accounting principles applied in the Member State. Incomplete and/or incorrect recording of transactions in the accounting system. Lack of correspondence between the inventory records and the accounting records. Lack of segregation of duties between different functions. Lack of physical or electronic access to customs records and, where applicable, transport records. Impaired auditability. Inability to carry out a timely audit because of the way the applicant's accounting is structured. Possibility of concealing illegal operations behind the complexity of the management system. Unavailability of historical data. | The segregation of duties between different functions should be considered in close relation to the size of the applicant's company. For example, in a micro-enterprise active in road transport with a very small volume of daily operations, the packaging, handling, loading and unloading of goods can be entrusted to the truck driver, but the receipt of goods, their entry into the administrative system, and the payment and receipt of invoices should be entrusted to other persons. Development of an interface between the customs clearance software and the accounting software to avoid transcription errors. | CAE - 3.2; ISO 9001:2015, section 6 |
2.2. Audit trail (subsection 3.1 of the CAE)
Indicator | Risk description | Possible solutions | References |
Audit trail | The absence of an adequate audit trail makes efficient and effective audit-based customs control difficult. Lack of control over system security and access. | Consultation with the customs authorities before new customs accounting systems are introduced, to ensure their compatibility with customs requirements. Verification and assurance of the existence of the audit trail in the pre-audit phase. | CAE - 3.1; ISO 9001:2015, section 6 |
2.3. Logistics system that distinguishes between Union and non-Union goods (subsection 3.2.2 of the CAE)
Indicator | Risk description | Possible solutions | References |
Mixing of Union goods with non-Union goods | Absence of a logistics system that distinguishes between Union and non-Union goods. Substitution of non-Union goods. | Internal control procedures. Data entry integrity checks to verify that entries are correct. | CAE - 3.2.2 |
2.4. Internal control system (subsection 3.3 of the CAE)
Indicator | Risk description | Possible solutions | References |
Internal control procedures | Inadequate control of operational processes in the applicant's company. The absence or ineffectiveness of internal controls makes fraud and the development of unauthorized or illegal activities possible. Incomplete and/or incorrect recording of transactions in the accounting system. Incorrect or incomplete information in customs declarations and other documents submitted to customs. | Appointment of a person responsible for quality and in charge of the company's internal procedures and controls. Establishment of procedures for recording and correcting errors, including in transactions in progress. | CAE - 3.3; ISO 9001:2015, sections 5, 6, 7 and 8 |
2.5. Flow of goods (subsection 3.4 of the CAE)
Indicator | Risk description | Possible solutions | References |
General provisions | The lack of control over stock movements increases the risk of dangerous or terrorism-related goods being introduced, or of goods being removed without proper record-keeping. | Information to relevant personnel and lodging of the declaration as planned. Records of stock movements. Periodic stock reconciliations. Mechanisms for investigating inventory discrepancies. Ability to distinguish in the computer system whether goods have been cleared or are still subject to duties and taxes. | CAE - 3.4; ISO 9001:2015, section 6 |
Incoming flow of goods | Mismatch between goods ordered, goods received and accounting entries. | Records of incoming goods. Comparison of purchase orders with goods received. Procedures for the return or rejection of goods, for accounting for and reporting shortages or excesses in shipments, and for identifying and correcting incorrect entries in the inventory records. Formalization of import procedures. Periodic stock-taking. Specific consistency checks between the entry and exit of goods. Protection of storage areas (special external protection, special access routines) to prevent the substitution of goods. | |
Storage | Lack of control over stock movements. | Clear designation of storage areas. Procedures for periodic stock-taking. Protection of storage areas against the substitution of goods. | CAE - 3.4; ISO 9001:2015, section 6 |
Production | Lack of control over stocks used in the manufacturing process. | Monitoring and management control of the yield rate. Controls over variations, waste, by-products and losses. Protection of storage areas against the substitution of goods. | CAE - 3.4; ISO 9001:2015, section 6 |
Outgoing flow of goods: delivery from the warehouse, dispatch and transfer of the goods | Lack of correspondence between inventory records and accounting entries. | Designation of persons to authorize and supervise the sale and release process. Formalization of export procedures. Pre-release checks comparing the release order with the goods to be loaded. Mechanisms for handling irregularities, delivery shortages and variations in the goods. Standardized procedures for handling the return, inspection and recording of goods. Verification that the declaration has been lodged in the case of customs procedures with economic impact. | CAE - 3.4; ISO 9001:2015, sections 6 and 7 |
2.6. Customs procedures (subsection 3.5 of the CAE)
Indicator | Risk description | Possible solutions | References |
General provisions | Improper use of procedures. Absence of procedures for reporting identified irregularities to the customs authorities in accordance with the relevant customs requirements. | Adoption of formal procedures for the management and monitoring of each customs activity, and formalization of the key customs elements (classification of goods, origin, value, etc.). These procedures are intended to ensure the continuity of the customs department when the assigned personnel are absent. Application of procedures for reporting irregularities to the customs authorities. | CAE - 3.5; ISO 9001:2015, section 6 |
Representation by third parties | Lack of control. | Procedures for checking the work of third parties (e.g. customs declarations) and for identifying irregularities and violations by representatives; relying entirely on outsourced services is not enough. Verification of the representative's competence. If responsibility for completing customs declarations is outsourced: specific contractual provisions for controlling customs data; a specific procedure for transmitting the data the declarant needs to determine the tariff classification (technical specifications of the goods, samples, etc.). Where an approved exporter outsources the export of goods, this work may be assigned to a customs broker who has obtained authorization to act as an authorized representative, provided the broker can prove the originating status of the goods. Adoption of formal internal control procedures to verify the accuracy of the customs data used. | |
Import and/or export licenses linked to trade measures or to trade in agricultural products | Improper use of goods. | Standardized license registration procedures. Periodic internal checks of current licenses and their registration. | |
2.7 Non-tax requirements (subsection 3.5.4 of the CAE)
Indicator | Risk description | Possible solutions | References |
Non-tax aspects | Improper use of goods subject to prohibitions, restrictions or trade policy measures. | Procedures for the management of goods subject to non-tax requirements. Establishment of appropriate routines and procedures: distinction between goods subject to non-tax requirements and other goods; verification that operations are carried out in accordance with the legislation in force (other than tax legislation); management of goods subject to restrictions, prohibitions or embargoes, including dual-use goods; processing of licenses according to their individual requirements; training to raise awareness among staff handling goods subject to non-tax requirements. | CAE - 3.5.4 |
2.8. Procedures relating to backup, normal and emergency recovery, and archiving (subsection 3.6 of the CAE)
Indicator | Risk description | Possible solutions | References |
Requirements relating to the keeping and archiving of records | Inability to carry out a timely audit because of loss of information or deficiencies in the records. Lack of backup procedures. | Presentation of an ISO 27001 certificate demonstrating high standards of IT security. Backup and recovery testing procedures. | ISO 9001:2015, section 6; ISO 27001:2013; ISO standards relating to IT security |
2.9 Information security: Protection of computer systems (subsection 3.7 of the CAE)
Indicator | Risk description | Possible solutions | References |
General provisions | Unauthorized access to or intrusion into the economic operator's computer systems or programs. | Adoption of an IT security policy, procedures and standards, and their provision to staff. Firewall. | CAE - 3.7; ISO 27001:2013 |
General provisions | Deliberate destruction or loss of important information. | Contingency plan for data loss. Backup procedures in case of system disruption or failure. Procedures for revoking access rights. Procedures to prevent the use of personal devices such as USB flash drives, CDs, DVDs or other personal electronic peripherals. Restriction of Internet use to sites appropriate to the business activity. | ISO 28001:2007, section A.3; ISO 27001:2013 |
2.10 Information security: Documentation security (subsection 3.8 of the CAE)
Indicator | Risk description | Possible solutions | References |
General provisions | Misuse of the economic operator's information system that puts the supply chain at risk. Deliberate destruction or loss of important information. | Presentation of an ISO 27001 certificate demonstrating high standards of IT security. Procedures for authorized access to documents. Secure archiving and storage of documents. Procedures for handling incidents and taking corrective action. Document registration and backup, including scanning. Contingency plan for managing losses. Use of encryption software where necessary. Awareness among sales staff of security measures when travelling (never consult "sensitive" documents on public transport). Establishment of access levels to strategic information according to the different categories of personnel. Secure disposal of decommissioned computers. Agreements with business partners on the protection and use of documentation. | CAE - 3.8; ISO 28001:2007, section A.4; ISO 27001:2013 |
Safety and security requirements imposed on third parties | Misuse of the economic operator's information system that puts the supply chain at risk. Deliberate destruction or loss of important information. | Inclusion of data protection requirements in contracts. Procedures for monitoring and auditing compliance with the contract requirements. | |
3. Financial solvency (Section 4 of the CAE)
Criterion: Proven financial solvency [Articles 39(c) of the UCC and 26 of the UCC IA]
3.1. Proven solvency
Indicator | Risk description | Possible solutions | References |
Insolvency or inability to meet financial commitments | Financial vulnerability that may lead to non-compliant behaviour in the future. | Examination of the applicant's financial statements and financial transactions to assess its ability to meet its legal debts. In most cases the applicant's bank will be able to provide information on the applicant's creditworthiness. Internal monitoring procedures to anticipate financial threats. | |
4. Safety and security requirements (Section 6 of the CAE)
Criterion: Appropriate safety and security standards [Articles 39(e) of the UCC and 28 of the UCC IA]
4.1 Safety and security assessment carried out by the economic operator (self-assessment) (subsection 6.1 of the CAE)
Indicator | Risk description | Possible solutions | References |
Self-assessment | Inadequate awareness of safety and security issues across all relevant departments of the company. | Self-assessment of risks and threats, with periodic review, updating and documentation. Precise identification of the safety and security risks arising from the company's activities. Assessment of the safety and security risks (probability in % or risk level: low/medium/high). Assurance that all relevant risks are addressed by preventive and corrective measures. | CAE - 6.1.2; ISO 28001:2007, section A.4; ISPS Code; Appendix 6-B "Validation Checklist for Known Consignors", air transport security criteria for Regulated Agent / Known Consignor |
Security management and internal organization | Inadequate coordination of safety and security within the applicant's company. | Designation of a responsible person with sufficient authority to coordinate and implement appropriate security measures across all relevant departments of the company. Adoption of formal procedures for managing and monitoring each logistics activity from a safety and security perspective. Implementation of procedures to ensure the safety and security of goods during holidays and other situations in which the assigned personnel are absent. | CAE - 6.1.4; ISO 28001:2007, section A.3; ISO 9001:2015, section 5; ISPS Code |
Internal control procedures | Inadequate control of safety and security issues within the applicant's company. | Implementation of internal control procedures on safety and security matters. Procedures for recording and investigating security incidents, including review of the risk and threat assessments and corrective action where appropriate. | CAE - 6.1.7; ISO 28001:2007, sections A.3, A.4; ISPS Code |
Internal control procedures | Inadequate control of safety and security issues within the applicant's company. | Recording of incidents in a register containing, for example, the date, the anomaly observed, the name of the person who detected it, the response measures and the signature of the competent person. Making the safety and security incident register available to company employees. | ISO 28001:2007, sections A.3, A.4; ISPS Code |
Safety and security requirements specific to goods | Tampering with goods. | Implementation of a goods tracking system. Special requirements for the packaging and storage of dangerous goods. | ISPS Code |
4.2. Access to facilities (subsection 6.3 of the CAE)
Indicator | Risk description | Possible solutions | References |
Procedures for the entry or access of persons, vehicles and goods | Unauthorized entry or access of vehicles, persons or goods to the facilities or to the vicinity of the loading and shipping area. | Limit on the number of vehicles with access to the facilities; staff parking should therefore preferably be located outside the security perimeter, and where possible trucks should wait before and after loading in an area outside the security zone. Only registered trucks, on request, are granted access to the loading area during these operations. The use of ID cards is advisable; they should include a photograph, and if they do not, they must at least state the name of the operator or of the facilities for which they are valid (risk of abuse if lost). Use of these cards must be supervised by a person competent in the matter. Visitors carry temporary identification cards and are escorted at all times. Entry data, including the names of visitors, drivers and auxiliary staff and their arrival and departure times, must be recorded and retained in a suitable form (e.g. a logbook or an IT system). A card must not be accepted for two consecutive entries without an intervening exit (anti-passback), so that it cannot be passed to a companion. Access control by codes: routines for periodic code changes. ID cards and codes are valid only during each employee's working hours. Standardized procedures for the return of all access authorizations. The company must accompany and supervise visitors to prevent any unauthorized activity. Visitors must wear their identification cards visibly. Staff should challenge strangers. Corporate clothing so that outsiders can be distinguished. For temporary work (e.g. maintenance tasks), a list of the authorized workers of the subcontracted company. | CAE - 6.3; ISO 28001:2007, section A.3; ISPS Code |
Standard operating procedures in case of intrusion | Inadequate response to the detection of an intrusion. | Implementation of procedures applicable to cases of intrusion and unauthorized access. Conducting (physical) penetration tests, recording the results and taking corrective action where necessary. Use of incident reports or other appropriate forms to record incidents and the actions taken. Adoption of corrective measures following incidents of unauthorized access. | ISO 28001:2007, section A.3; ISPS Code |
4.3. Physical security (subsection 6.2 of the CAE)
Indicator | Risk description | Possible solutions | References |
External perimeter of the facilities | Inadequate protection of the premises against intrusion. | Where appropriate, a perimeter security fence subject to periodic inspection for integrity and damage, with planned maintenance and repair. Where appropriate, controlled areas reserved for authorized personnel only, subject to appropriate approval and control mechanisms. Patrols by security personnel at irregular, unpredictable times. | CAE - 6.2; ISO 28001:2007, section A.3; ISPS Code |
Entrances and access points | Existence of unguarded entrances and access points. | Appropriate measures to secure all entrances and access points in use, such as CCTV or access control systems (lighting, floodlights, etc.). CCTV is only useful if the recordings are actually reviewed and allow an immediate response. Where appropriate, procedures to ensure the protection of access points. | ISO 28001:2007, section A.3; ISPS Code |
Locking devices | Inadequate locking devices on interior and exterior doors, windows, entrances and gates. | Instructions and procedures on the use of keys, available to the relevant personnel. Periodic inventories of keys and locking devices. | CAE - 6.2.4; ISO 28001:2007, section A.3 |
Lighting | Inadequate lighting of doors, windows, gates and barriers, both interior and exterior. | Adequate indoor and outdoor lighting. Where appropriate, backup generators and alternative sources of electrical power to ensure uninterrupted lighting in the event of a local power outage. Equipment maintenance and repair plans. | CAE - 6.2.4 |
Key access procedures | Lack of adequate key access procedures. Unauthorized access to keys. | Implementation of a key access control procedure: keys are handed over only after registration and must be returned immediately after use, and their return is also recorded. | ISO 28001:2007, section A.3.3 |
Internal physical security measures | Inadequate control of access to the interior areas of the facilities. | Application of a procedure to distinguish the different categories of employees within the facilities (e.g. jackets, ID cards). Controlled, individual access according to each employee's position. | ISO 28001:2007, sections A.3, A.4; ISPS Code |
Parking for private vehicles | Lack of adequate procedures for parking private vehicles. Inadequate protection of the premises against intrusion. | Limit on the number of vehicles with access to the facilities. Designated parking areas for visitors and staff, located away from the goods handling and storage areas. Identification of the risks and threats associated with unauthorized access by private vehicles to protected areas. Rules and procedures for private vehicle access to the applicant's facilities. If the visitor and employee parking areas are not separated, visitor vehicles must be marked with identification. | |
Maintenance of exterior boundaries and buildings | Inadequate protection of the premises against intrusion as a result of improper maintenance. | Periodic maintenance of the exterior boundaries of the facilities and buildings, and repair whenever an anomaly is detected. | ISO 28001:2007, section A.3 |