2016 AEO Guidelines

Annex 2

Threats, risks and possible solutions

This document contains a list of the most significant risks associated with the AEO authorization and monitoring process, as well as a list of possible solutions to keep these risks under control. The possible solutions proposed for a given indicator may be applicable to more than one identified risk area. The suggested list is neither exhaustive nor definitive, and in practice, possible solutions will vary from case to case depending on factors such as the size of the operator, the type of goods, the type of automated systems, and the operator's degree of modernization.

The self-assessment questionnaire (CAE) is completed by economic operators at the beginning of the application process. It is intended to give an overview of their business activity and procedures, and of their relevance for authorization as an AEO. This "Threats, Risks and Possible Solutions" document is intended for both customs authorities and economic operators: it facilitates auditing and review, and so helps ensure compliance with the AEO criteria, by comparing the information provided in the CAE with the identified risk areas and with the possible solutions for addressing those risks.

1. Compliance history (Section 2 of the CAE)
Criterion: an appropriate record of compliance with customs requirements [Articles 39(a) of the UCC and 24 of the UCC DA]

Indicator Risk description Possible solutions References
Compliance
with customs requirements

Infringements relating to:

  • the completion of customs declarations, including errors of classification, valuation or origin;
  • the use of customs procedures;
  • tax regulations;
  • the application of prohibitions and restrictions and of trade policy measures;
  • the introduction of goods into the customs territory of the Union, etc.

Past infringements increase the likelihood that rules and regulations will be ignored or breached in future.
Insufficient awareness within the company of infringements of customs requirements.

An active compliance policy on the part of the operator, meaning that it has established and applies internal compliance standards.
Written operational instructions are preferable, covering responsibility for checking the accuracy, completeness and timeliness of transactions and for reporting irregularities and errors, including suspected criminal activity, to the customs authorities.
Procedures for investigating and reporting detected errors and for reviewing and improving processes.
Clear identification of the competent or responsible person in the company, with arrangements for cover during holidays and other absences.

Application of internal compliance measures; use of audit resources to verify and ensure that procedures are applied correctly.
Internal instructions and training programs to ensure that staff are aware of customs requirements.

CAE-2.1

2. The applicant's accounting and logistics system (Section 3 of the CAE)
Criterion: an adequate system for managing commercial and, where applicable, transport records, allowing for appropriate customs control [Articles 39(b) of the UCC and 25 of the UCC DA]

2.1 Accounting system (subsection 3.2 of the CAE)

Indicator Risk description Possible solutions References

Computer environment / Integrated accounting system

Risk that the accounting system does not comply with the generally accepted accounting principles applied in the Member State.
Incomplete and/or incorrect recording of transactions in the accounting system.
Lack of correspondence between the inventory record and the accounting record.
Lack of separation of tasks corresponding to different functions.
Lack of physical or electronic access to customs records and, where applicable, transport records.
Deterioration of auditability.
Inability to undertake a timely audit due to the way the applicant's accounting is structured.
Possibility of covering up illegal operations, given the complexity of the management system.
Unavailability of historical data.

The separation of duties between different functions should be considered in close relation to the size of the applicant's company. For example, in a microenterprise active in road transport with a very small volume of daily operations, the packaging, handling, loading and unloading of goods can be entrusted to the truck driver, whereas the receipt of goods, their entry into the administration system, and the payment and receipt of invoices should be assigned to someone other than the driver.
Adoption of an alert system to identify suspicious transactions.

Development of an interface between the customs clearance software and the accounting software to avoid keying errors.
Adoption of enterprise resource planning (ERP).
Development of training initiatives and preparation of instructions for using the software.
Possibility of cross-checking information.

CAE - 3.2
ISO 9001:2015, section 6

2.2. Audit trail (subsection 3.1 of the CAE)

Indicator Risk description Possible solutions References
Audit trail The absence of an adequate audit trail makes it difficult to carry out efficient and effective audit-based customs control.
Lack of control over security and access to the system.
Consultation with customs authorities prior to the introduction of new customs accounting systems to ensure their compatibility with customs requirements.
Verification and assurance of the existence of the audit trail in the pre-audit phase.
CAE - 3.1
ISO 9001:2015, section 6

2.3. Logistics system that distinguishes between Union and non-Union goods

Indicator Risk description Possible solutions References
Amalgamation of Union goods with non-Union goods Absence of a logistics system that distinguishes between Union and non-Union goods.
Substitution of non-Union goods.
Internal control procedures.
Data entry integrity checks to verify that data entries are correct.
CAE 3.2.2

2.4. Internal control system (subsection 3.3 of the CAE)

Indicator Risk description Possible solutions References
Internal control procedures Inadequate control of operational processes in the applicant's company.
The absence of internal controls or their ineffectiveness makes fraud and the development of unauthorized or illegal activities possible.
Incomplete and/or incorrect recording of transactions in the accounting system.
Incorrect or incomplete information in customs declarations and other documents submitted to customs.

Appointment of a person responsible for quality and in charge of the company's internal procedures and controls.
Full awareness, by each department head, of the internal controls of their respective department.
Record of the dates of internal controls and audits and correction of deficiencies detected through corrective measures.
Notification to customs authorities of any cases of fraud or unauthorized or illegal activity that are detected.
Provision of relevant internal control procedures to competent personnel.
Creation of a folder or file in which each type of merchandise is linked to its respective customs information (tariff code, customs duty rates, origin, and customs regime).
Designation of the person or persons responsible for maintaining and updating the applicable customs regulations (inventory of regulations), e.g., updating master data in the enterprise resource planning (ERP), accounting or other software.
Staff information and training regarding inaccuracies and how they can be prevented.

Establishing procedures to record and correct errors and ongoing transactions.

CAE 3.3
ISO 9001:2015, sections 5, 6, 7 and 8

2.5. Flow of goods (subsection 3.4 of the CAE)

Indicator Risk description Possible solutions References
General provisions The lack of control over stock movements increases the risk of dangerous or terrorist-related goods being introduced, or of goods being withdrawn without proper record-keeping. Information to relevant personnel, and lodging of the declaration as planned.
Records of stock movements.
Periodic stock reconciliations.
Mechanisms for investigating inventory discrepancies.
Ability to distinguish in the computer system whether goods have been cleared or are still subject to duties and taxes.
CAE - 3.4
ISO 9001:2015, section 6
Incoming flow of goods Mismatch between goods ordered, goods received, and accounting entries. Records of incoming goods.
Comparison of purchase orders with received goods.
Procedures for the return or rejection of merchandise, for accounting for and reporting shortages or excesses in shipments, and for identifying and correcting incorrect entries in the inventory record.
Formalization of import procedures.
Periodic inventory execution.
Carrying out specific consistency checks between the entry and exit of goods.
Protection of storage areas (special external protection, special access routines) to prevent the substitution of goods.
Storage Lack of control over stock movements. Clear determination of storage areas.
Procedures for the periodic performance of inventories.
Protection of storage areas to combat merchandise substitution.
CAE - 3.4
ISO 9001:2015, section 6
Production Lack of control over stocks used in the manufacturing process. Monitoring and management control of the yield rate.
Controls over variations, waste, by-products and losses.
Protection of storage areas to combat merchandise substitution.
CAE - 3.4
ISO 9001:2015, section 6
Outgoing goods flow
Delivery from the warehouse and dispatch and transfer of the goods
Lack of correspondence between inventory records and accounting entries. Designation of persons to authorize and supervise the sale and release process.
Formalization of export procedures.
Pre-release controls to compare the release order with the goods to be loaded.
Mechanisms for managing irregularities, delivery shortages, and variations in merchandise.
Standardized procedures for managing the return, inspection, and registration of goods.
Verification that the declaration has been completed in the case of customs procedures with economic impact.
CAE - 3.4
ISO 9001:2015, sections 6 and 7

2.6. Customs procedures (subsection 3.5 of the CAE)

Indicator Risk description Possible solutions References
General provisions

Inadmissible use of procedures.
Incomplete and incorrect customs declarations and equally incomplete and incorrect information about other customs activities.
Use of incorrect or outdated permanent data (article numbers, customs codes).

  • Incorrect classification of goods.
  • Incorrect tariff code.
  • Incorrect customs value.

Absence of procedures for reporting identified irregularities to customs authorities in accordance with relevant customs requirements.
Binding Tariff Information (BTI) is now binding on the BTI holder as well as on customs, and the customs declaration must refer to it (Article 33 of the UCC).

Adoption of formal procedures for managing and monitoring each customs activity and for formalizing certain matters (classification of goods, origin, value, etc.). These procedures are intended to ensure continuity of the customs function when assigned personnel are absent.
Use of Binding Tariff Information (BTI), which fixes the tariff classification and hence the import duties, taxes and other applicable measures (health, technical, trade policy, etc.).
Use of Binding Origin Information (BOI), under which the customs administration rules on:

  • the origin of the product to be imported or exported, especially when different stages of production have taken place in different countries;
  • whether or not preferential treatment can be obtained under an international convention or agreement.

Establishment of formal procedures for determining and declaring customs value (valuation method, calculation, boxes to be completed in the declaration, and documentation to be provided).

Application of procedures for reporting irregularities to customs authorities.

CAE - 3.5
ISO 9001:2015, section 6
Representation through third parties Lack of control over the representative's work. Procedures for checking the work of third parties (e.g., in customs declarations) and for identifying irregularities and infringements by representatives; it is not enough to rely entirely on outsourced services.
Verification of the representative's competence.
If the responsibility for completing customs declarations is outsourced:
specific contractual provisions for controlling customs data;
specific procedure for transmitting the data needed by the declarant to determine the tariff (i.e. technical specifications of the goods, samples, etc.).
In the case of outsourcing the export of goods by an approved exporter, this outsourced work may be assigned to a customs broker who has obtained authorization to act as an authorized representative, provided the broker can prove the originating status of the goods.
Adoption of formal internal control procedures to verify the accuracy of the customs data used.
Import and/or export licences linked to trade policy measures or to trade in agricultural products Improper use of goods.

Standardized license registration procedures.

Periodic internal controls of current licenses and their registration.
Segregation of duties between registration and internal controls.
Rules on reporting irregularities.
Procedures to ensure that the use of goods is in accordance with the license.

2.7 Non-tax requirements (subsection 3.5.4 of the CAE)

Indicator Risk description Possible solutions References
Non-tax aspects Inadmissible use of goods subject to prohibitions, restrictions or trade policy measures. Procedures for the management of goods subject to non-tax requirements.
Establishment of appropriate routines and procedures:
Distinction between goods subject to non-tax requirements and other goods.
Verification that operations are carried out in accordance with current legislation (other than tax legislation).
Management of goods subject to restrictions, prohibitions or embargoes, including dual-use goods.
Processing of licenses according to individual requirements.
Training to raise awareness among staff handling goods subject to non-tax requirements.
CAE - 3.5.4

2.8. Procedures relating to backup, normal and emergency recovery, and archiving (subsection 3.6 of the CAE)

Indicator Risk description Possible solutions References
Requirements relating to the maintenance and filing of documents.

Inability to undertake a timely audit due to loss of information or deficiencies in records.

Lack of backup procedures.
Absence of satisfactory procedures for archiving the applicant's records and information.
Deliberate destruction or loss of important information.

Presentation of an ISO 27001 certificate demonstrating high standards in the field of IT security.
Procedures for backing up, recovering, and protecting data against damage or loss.
Emergency plans in case of disturbance or failure of systems.

Backup and recovery testing procedures.
Storage of customs archives and commercial documents in secure facilities.
Establishment of a classification system.
Compliance with legal filing deadlines.
Backups must be made daily, either incremental or full. A full backup should be made at least once a week, and at least the last three consecutive backups must be available at all times. Preferably, backups are made remotely, over an electronically secure (encrypted) channel, to a storage facility located at least 300 metres away. A copy of the backup encryption key must also be kept, stored apart from the backup storage facility, so that an encrypted backup remains restorable if the key at the primary site is lost.

ISO 9001:2015, section 6
ISO 27001:2013
ISO standards relating to IT security
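The backup rules above can be turned into a routine check. The following is an added example written for this annex, not code from the AEO Guidelines or from any particular operator's system: it takes a list of backup records and reports every departure from the stated policy (a backup every day, a full backup at least weekly, the last three backups retained and proven restorable, off-site storage at least 300 metres away, and the encryption key held apart from the backup media). The record fields, the 'restore_tested' flag standing in for a real test restore, the 'distance_m' field and the sample schedule are all assumptions constructed for the example.

```python
"""Backup-policy check.

Added example: models the backup rules of this annex (a backup every
day, a full backup at least weekly, the last three backups retained and
restorable, off-site storage at least 300 m away, encryption key held
apart from the backup media).  Backup records are dicts with the fields
used below; 'restore_tested' and 'distance_m' are hypothetical fields
that stand in for a real restore test and a measured distance.
"""
from datetime import date, timedelta

REQUIRED_DAILY_DAYS = 7        # window in which every day needs a backup
FULL_BACKUP_MAX_AGE_DAYS = 7   # a full backup at least once a week
MIN_RETAINED = 3               # the last three backups must be available
MIN_OFFSITE_DISTANCE_M = 300   # remote storage facility distance


def check_backup_policy(backups, today, key_copy_location):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    dates_present = {b["date"] for b in backups}

    # 1. Daily coverage: every day in the window ending today has a backup.
    for i in range(REQUIRED_DAILY_DAYS):
        d = today - timedelta(days=i)
        if d not in dates_present:
            findings.append("no backup on %s" % d.isoformat())

    # 2. The newest full backup is less than a week old.
    fulls = [b["date"] for b in backups if b["kind"] == "full"]
    if not fulls or (today - max(fulls)).days >= FULL_BACKUP_MAX_AGE_DAYS:
        findings.append("no full backup within the last week")

    # 3. The last three backups exist and have passed a restore test.
    recent = sorted(backups, key=lambda b: b["date"])[-MIN_RETAINED:]
    if len(recent) < MIN_RETAINED:
        findings.append("fewer than %d backups retained" % MIN_RETAINED)
    for b in recent:
        if not b.get("restore_tested"):
            findings.append("backup %s has no restore test" % b["date"].isoformat())

    # 4. Off-site storage: the facility must be at least 300 m away.
    for b in recent:
        if b["distance_m"] < MIN_OFFSITE_DISTANCE_M:
            findings.append("backup %s is stored on site" % b["date"].isoformat())

    # 5. The key copy must not sit with the backup media it protects.
    if key_copy_location in {b["location"] for b in recent}:
        findings.append("encryption key copy stored with the backups")

    return findings


def sample_schedule(today, compliant=True):
    """Constructed sample data: seven nightly backups ending today."""
    backups = []
    for i in range(REQUIRED_DAILY_DAYS):
        if not compliant and i == 3:
            continue                     # one missed night
        backups.append({
            "date": today - timedelta(days=i),
            # the compliant schedule has its weekly full on the oldest day
            "kind": "full" if compliant and i == REQUIRED_DAILY_DAYS - 1 else "incremental",
            "location": "vault-B",
            "distance_m": 500,
            "restore_tested": i < MIN_RETAINED,
        })
    return backups


if __name__ == "__main__":
    today = date(2024, 3, 10)
    print(check_backup_policy(sample_schedule(today), today, "office-safe"))
    print(check_backup_policy(sample_schedule(today, compliant=False), today, "vault-B"))
```

Run from the backup scheduler after each job: an empty finding list is evidence that can be shown to an auditor, a non-empty one should raise a ticket. The check confirms that the policy was followed, not that the media are readable, which is why the restore test is a separate flag recorded by an actual test restore.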

2.9 Information security: Protection of computer systems (subsection 3.7 of the CAE)

Indicator Risk description Possible solutions References
General provisions Unauthorized access or intrusion into the economic operator's computer systems or programs.

Adoption and provision to staff of an IT security policy, procedures, and standards.
Presentation of an ISO 27001 certificate demonstrating high standards in the field of IT security.
Establishment of an information security policy.
Appointment of an information security officer.
Information security assessment and identification of risk-related issues in the IT field.
Procedures for granting access rights to authorized persons; access rights must be withdrawn immediately when duties are transferred or employment ends.
Access to data limited to what is necessary for the role.
Use of encryption software where appropriate.

Firewall.
Virus protection.
Password protection of all personal computers and, where possible, of important applications.
Workstations must be locked with a password whenever an employee leaves them.
Passwords must be at least eight characters long and combine at least two of the following: uppercase letters, lowercase letters, digits and other characters; the longer the password, the stronger it is. Usernames and passwords must never be shared.
Testing for unauthorized access.
Limiting access to server rooms to authorized persons.
Periodic penetration tests, with the results recorded.
Execution of procedures for handling incidents.

CAE - 3.7
ISO 27001:2013
General provisions Deliberate destruction or loss of important information. Contingency plan in case of data loss.
Backup procedures in case of system disruption or failure.
Procedures for the deletion of the right of access.
Procedures to prevent the use of personal devices, such as USB flash drives, CDs, DVDs, or other personal electronic peripherals.
Restricting Internet use to sites appropriate for business activity.
ISO 28001:2007, section A.3
ISO 27001:2013
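The withdrawal of access rights on transfer or termination, and the procedure for deleting access rights in the row above, are usually verified by reconciling the HR roster against the accounts that actually exist. The following is an added example, not code from the AEO Guidelines or from any operator's system: it reports leavers whose accounts are still enabled, transferred staff who kept roles belonging to their previous department, and accounts with no owner in HR. The roster and account records are constructed sample data, and the field names and the role-to-department map are assumptions made for the example.

```python
"""Access-rights reconciliation.

Added example: compares the HR roster with the accounts that exist in
an application or directory and reports rights that should have been
withdrawn: leavers whose accounts are still enabled, transferred staff
who kept roles of their old department, and accounts with no owner in
HR.  Field names and the role map are assumptions for this example.
"""

# Hypothetical least-privilege map: the roles each department may hold.
DEPARTMENT_ROLES = {
    "customs":   {"declaration-submit", "tariff-lookup"},
    "warehouse": {"stock-movement", "tariff-lookup"},
    "finance":   {"invoice-post", "bank-transfer"},
}


def reconcile_access(roster, accounts, review_date):
    """Return (account, reason) findings; an empty list means no stale rights.

    Dates are ISO 8601 strings, so they compare correctly as text.
    """
    people = {p["employee_id"]: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                                  # already withdrawn
        owner = people.get(acct["employee_id"])
        if owner is None:
            findings.append((acct["name"], "no owner in HR roster"))
            continue
        if owner["status"] == "left" and (owner["end_date"] is None
                                          or owner["end_date"] <= review_date):
            findings.append((acct["name"],
                             "owner left on %s but account still enabled" % owner["end_date"]))
            continue
        # A transfer shows up as roles the new department is not entitled to.
        allowed = DEPARTMENT_ROLES.get(owner["department"], set())
        extra = sorted(set(acct["roles"]) - allowed)
        if extra:
            findings.append((acct["name"],
                             "roles not entitled for %s: %s" % (owner["department"], ", ".join(extra))))
    return findings


def sample_data():
    """Constructed sample roster and account list (not real data)."""
    roster = [
        {"employee_id": "E100", "status": "active", "department": "customs",   "end_date": None},
        {"employee_id": "E101", "status": "left",   "department": "finance",   "end_date": "2024-03-01"},
        {"employee_id": "E102", "status": "active", "department": "warehouse", "end_date": None},
    ]
    accounts = [
        {"name": "jdoe",     "employee_id": "E100", "enabled": True,  "roles": ["declaration-submit", "tariff-lookup"]},
        {"name": "asmith",   "employee_id": "E101", "enabled": True,  "roles": ["invoice-post"]},
        # E102 moved from customs to the warehouse but kept a customs role
        {"name": "bkim",     "employee_id": "E102", "enabled": True,  "roles": ["stock-movement", "declaration-submit"]},
        {"name": "svc_old",  "employee_id": "E999", "enabled": True,  "roles": ["bank-transfer"]},
        {"name": "old_acct", "employee_id": "E101", "enabled": False, "roles": ["invoice-post"]},
    ]
    return roster, accounts


if __name__ == "__main__":
    roster, accounts = sample_data()
    for name, reason in reconcile_access(roster, accounts, "2024-03-10"):
        print("%-10s %s" % (name, reason))
```

The review date matters: a leaver whose end date is still in the future is not yet a finding, so the same reconciliation run daily turns the "immediately" in the policy into something measurable (the number of days an account survives its owner's end date).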

2.10 Information security: Documentation security (subsection 3.8 of the CAE)

Indicator Risk description Possible solutions References
General provisions Misuse of the economic operator's information system that puts the supply chain at risk.
Deliberate destruction or loss of important information.
Presentation of an ISO 27001 certificate demonstrating high standards in the field of IT security.
Procedures for authorized access to documents.
Secure archiving and storage of documents.
Procedures for addressing incidents and taking corrective actions.
Document registration and backup, including scanning.
Contingency plan to manage losses.
Possibility of using encryption programs if necessary.
Sales agents should be aware of travel safety measures (never consult "sensitive" documents on public transport).
Establishment of levels of access to strategic information according to different categories of personnel.
Secure disposal of discarded computers, including sanitization of their storage media.
Agreements with business partners regarding the protection and use of documentation.
CAE - 3.8
ISO 28001:2007, section A.4
ISO 27001:2013
Safety and security requirements imposed on third parties Misuse of the economic operator's information system that puts the supply chain at risk.
Deliberate destruction or loss of important information.
Inclusion of data protection requirements in contracts.
Procedures for controlling and auditing contract requirements.

3. Financial solvency (Section 4 of the CAE)
Criterion: proven financial solvency [Articles 39(c) of the UCC and 26 of the UCC DA]

3.1. Proven solvency

Indicator Risk description Possible solutions References
Insolvency or inability to meet financial commitments  Financial vulnerability that may lead to non-compliance behavior in the future. Examination of the applicant's financial statements and financial transactions to assess their ability to meet legal debts. In most cases, the applicant's bank will be able to provide information on the applicant's creditworthiness.
Internal monitoring procedures to prevent financial threats.

4. Safety and security requirements (Section 6 of the CAE)
Criterion: appropriate safety and security standards [Articles 39(e) of the UCC and 28 of the UCC DA]


4.1 Safety assessment carried out by the economic operator (self-assessment)

Indicator Risk description Possible solutions References
Self-assessment Inadequate awareness of safety and security issues across all relevant departments of the company. Self-assessment of risks and threats, with periodic review, updating and documentation.
Precise identification of the safety and security risks arising from the company's activities.
Assessment of safety and security risks (probability as a percentage, or a risk level: low/medium/high).
Assurance that all relevant risks are addressed by preventive and corrective measures.
CAE - 6.1.2
ISO/PAS 28001:2007, section A.4
ISPS Code
Appendix 6-B "Validation Checklist for Known Shippers",
Air cargo security criteria for Regulated Agent / Known Shipper
Security management and internal organization Inadequate coordination of safety and security within the applicant's company Designation of a responsible person with sufficient authority to coordinate and implement appropriate security measures across all relevant departments of the company.
Adoption of formal procedures for managing and monitoring each logistics activity from a safety and security perspective.
Execution of procedures to ensure the security and protection of merchandise during vacations and other situations in which assigned personnel are absent.
CAE - 6.1.4
ISO 28001:2007, section A.3
ISO 9001:2015, section 5
ISPS Code
Internal control procedures Inadequate control of safety and security issues within the applicant's company Implementation of internal control procedures for safety and security matters.
Procedures for recording and investigating security incidents, including reviewing risk and threat assessments and taking corrective action, where appropriate.
CAE - 6.1.7
ISO 28001:2007, sections A.3, A.4
ISPS Code
Internal control procedures Inadequate control of safety and security issues within the applicant's company Possibility of recording the incident in a file containing, for example, the date, the observed anomaly, the name of the person who detected it, the response measures, the signature of the competent person, etc.
Making the security and safety incident log available to company employees.
ISO 28001:2007, sections A.3, A.4
ISPS Code
Safety and security requirements specifically for goods Alteration of goods Implementation of a merchandise tracking system.
Special requirements for packaging and storage of dangerous goods.
ISPS Code

4.2. Access to facilities (subsection 6.3 of the CAE)

Indicator Risk description Possible solutions References
Procedures for the entry or access of persons, vehicles and goods Unauthorized entry or access of vehicles, persons or goods to the facilities or to the vicinity of the loading and shipping area. Maximum limit on the number of vehicles with access to the facilities.
For this reason, staff parking should preferably be located outside the security perimeter.
Where possible, trucks should wait before and after loading in an area outside the security zone. Only registered trucks are granted access to the loading area, on request, during these operations.
The use of ID cards is advisable. They should include a photograph; if not, the cards must at least indicate the name of the operator or the facilities for which they are valid (risk of abuse in case of loss).
The use of these cards must be supervised by a person competent in this matter. Visitors carry temporary identification cards and are escorted at all times.
Entry data, including the names of visitors, drivers and auxiliary staff and their arrival and departure times, must be recorded and kept in a suitable form (e.g., a logbook or an IT system).
A card must not be accepted twice in succession (anti-passback), so that it cannot be handed back to a companion.
Access control using codes: routines for periodic code changes.
ID cards and codes are valid only during each employee's working hours.
Standardized procedures for returning all access authorizations.
The company must accompany and supervise visitors to prevent any unauthorized activity.
Visitors must wear their identification cards visibly.
Challenge unfamiliar persons.
Corporate clothing so that outsiders are recognizable.
In the case of temporary work (e.g., maintenance tasks), a list of the authorized workers of the subcontracted company.
CAE - 6.3
ISO 28001:2007, section A.3
ISPS Code
Standard operating procedures in case of intrusion Inadequate response to the detection of an intrusion. Implementation of procedures applicable to cases of intrusion and unauthorized access.
Conducting physical penetration tests, recording the results and taking corrective action where necessary.
Use of incident reports or other appropriate forms to record incidents and actions taken.
Adoption of corrective measures following incidents related to unauthorized access.
ISO 28001:2007, section A.3
ISPS Code

4.3. Physical security (subsection 6.2 of the CAE)

Indicator Risk description Possible solutions References
External limits of the facilities Inadequate protection of premises against intrusion. Where appropriate, establish a perimeter security fence subject to periodic inspections to check its integrity and possible damage, and plan for its maintenance and repair.
Where appropriate, establishment of controlled areas suitable for authorized personnel only, subject to appropriate approval and control mechanisms.
Patrols by security personnel at irregular, unpredictable intervals.
CAE - 6.2
ISO 28001:2007, section A.3
ISPS Code
Entrances and accesses Existence of unguarded entrances and access points. Implement appropriate measures to secure all entrances and access points in use, such as CCTV, access control systems, lighting or floodlights.
CCTV is only useful if the recordings are actually reviewed and allow an immediate reaction.
Where appropriate, implementation of procedures to ensure the protection of access points.
ISO 28001:2007, section A.3
ISPS Code
Closing devices Inadequate locking devices on interior and exterior doors, windows, entrances and gates.

Formulation of instructions and procedures on the use of keys available to relevant personnel.
Only authorized personnel may access the keys to the locking devices used in buildings, facilities, rooms, security areas, archives, safes, vehicles, machinery, and air cargo.

Preparation of periodic inventories of keys and locking devices.
Logging of unauthorized access attempts and periodic checking of this information.
Doors and windows should be locked when no one is working in the room or office.

CAE - 6.2.4
ISO 28001:2007, section A.3
Lighting Inadequate lighting of doors, windows, gates and barriers, both interior and exterior. Adequate lighting indoors and outdoors.
Where appropriate, use backup generators and alternative sources of electrical power to ensure constant lighting in the event of a local power outage.
Existence of equipment maintenance and repair plans.
CAE - 6.2.4
Key access procedures Lack of adequate key access procedures.
Unauthorized access to keys.
Execution of a key access control procedure.
Keys must be handed over only after registration and must be returned immediately after use. The return of the keys must also be recorded.
ISO 28001:2007, section A.3.3
Internal physical security measures Inadequate control of access to interior areas of the facilities. Application of a procedure to distinguish the different categories of employees in the facilities (e.g., jackets, ID cards).
Controlled and personalized access according to each employee's position.
ISO 28001:2007, sections A.3, A.4
ISPS Code
Parking for private vehicles Lack of adequate procedures for parking private vehicles.
Inadequate protection of premises against intrusion.
Maximum limitation on the number of vehicles with access to the facilities.
Establishment of designated vehicle parking areas for visitors and staff, located away from the merchandise handling and storage areas.
Identification of risks and threats associated with unauthorized access by private vehicles to protected areas.
Definition of rules and procedures for private vehicle access to the applicant's facilities.
If the visitor and employee parking areas are not separated, visitor vehicles must be marked with identification.
Maintenance of exterior boundaries and buildings Inadequate protection of premises against intrusion as a result of improper maintenance. Periodic maintenance of the outer boundaries of facilities and buildings, and repair whenever an anomaly is detected. ISO 28001:2007, section A.3