83282 Post Clearance Audit: Reference and Implementation Guide February 2013 Post Clearance Audit: Reference and Implementation Guide Contents 1 About this Reference and Implementation Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v 2 PCA in the Context of Pre-arrival Clearance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .vii 3 Key aspects of Post Clearance Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Quality Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Audit Planning: general considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Audit Planning: obtaining knowledge of the trader’s business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Audit planning: materiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Internal Controls and Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Audit Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Using the Work of another Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Considering the Work of an Internal Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Using Experts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Audit Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4 PCA Objectives and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 Audit Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Audit Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5 PCA Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 5.1 Audit Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 5.1.1 Developing the Draft Audit Plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 5.1.2 Gaining an Initial Insight into the Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 5.1.3 The Entrance Interview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 5.1.4 Determining Materiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 5.1.5 Understanding and Documenting the Business Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 5.1.6 Finalizing the Audit Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 5.2 Identifying and Analyzing Internal Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 5.2.1 Understanding internal controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 5.2.2 Understanding the relationship between controls and risk in the business systems . . . . . . . . . . . . 23 5.2.3 Understanding the Risks in the Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 5.3 Internal Control Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 5.3.1 How do the internal controls operate? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 5.3.2 Designing the Control Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 5.3.3 Sample Size for Control Testing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.3.4 Testing, documenting and analyzing the results of control tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 5.4 Substantive Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 5.4.1 Designing the Substantive Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 5.4.2 Substantive Testing Sample Size and Sampling Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 5.4.3 Conducting and documenting the substantive tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 5.4.4 Evaluation of substantive test results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 5.5 Dealing with Audit Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.5.1 Analysis of Outstanding Audit Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.5.2 Response by the trader to audit issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 5.5.3 Initiating any immediate follow-up actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 5.6 Audit Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 5.6.1 Preparing the Audit Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 5.6.2 The Exit Interview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 iv | Border Management Modernization 6 Audit Working Papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 7 Quality assurance, filing and using audit results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51 Ensuring quality and integrity of the PCA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Safe care of audit working papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Use of PCA working papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Developing a National PCA Plan from PCA Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 8 Enablers and Impediments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55 9 Getting started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 ANNEXES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 This Guide has been prepared by Professor David Widdowson and Adj. Professor Rob Preece, University of Canberra, on behalf of the International Trade Department of the World Bank. It forms part of a series of good practice guides prepared to assist reformers and policy makers in applying the principles outlined in the World Bank’s publication: Border Management Modernization, Mclinden, G., Fanta, E., Widdowson, D., and Doyle, T. (eds) World Bank, Washington DC, 2011. See http://www.worldbank.org/trade for more information. 1 About this Reference and Implementation Guide This Reference and Implementation Guide builds high compliance environment, while still facilitating on the content of the World Bank’s publication cross-border transactions, without any loss of border Border Management Modernization (2011), which control, when compared to traditional compliance provides policymakers, reformers, Customs and strategies. The contents of this Guide have been de- other government officials with a comprehensive veloped to supplement the information contained perspective on improving trade facilitation through in the World Bank publication by providing border better border management. management officials and development professionals with a thorough introduction to the key issues asso- This Guide focuses on the use of Post Clearance Audit ciated with implementing a PCA regime. It presents (PCA) which represents one of the most effective a practical, step by step approach to PCA that will in- trade facilitation strategies available to border agen- form and equip readers to understand the key steps cies as it enables the immediate release of imported and preconditions necessary to progressively estab- cargo through the subsequent use of audit-based lish an effective PCA capability. regulatory controls. When implemented as part of an overall regulatory compliance framework, a PCA re- Specifically, the Guide builds on the contents of gime is capable of delivering improved rates of com- Chapter 6 (Core border management disciplines: pliance. This is because its underlying methodology risk-based compliance management) and Chapter is based on contemporary research and analysis of 11 (Reform instruments, tools, and best practice ap- the factors that contribute to the achievement of a proaches) of the World Bank publication. 2 PCA in the Context of Pre-arrival Clearance The trend by border agencies to adopt pre-arrival Since the basis of pre-arrival clearance is early provi- clearance and PCA reflects the many changes which sion of information, it is necessary to combine it with are occurring in international trade today. Whilst the a capacity to undertake more detailed analysis of the need to maintain high levels of compliance by traders information and supporting documentation after the has not changed, the volume of cargo moving in and goods have arrived in the country. This is where the out of a country, as well as the speed with which it concept of PCA comes into play. Audits undertaken is expected to move through the border, has changed by PCA specialists can take a variety of forms, from significantly in recent times. random audits to verify compliance with regulatory requirements, to regularly scheduled audits with a As such, border compliance managers face the focus on particular companies or industry sectors. challenge of an environment where there is rapid What they all have in common is a legislative base growth in the number of transactions being gen- that provides trained auditors with the power to enter erated and communicated to agencies by traders, premises and to inspect documents, either physically and greater pressure on the agencies to clear cargo or electronically. more efficiently (i.e. reduced timeframes and costs for traders). Thus compliance efforts have been shift- PCA represents a move away from traditional ap- ing towards advance reporting, screening out high proaches which focus on the physical inspection risk cargo for immediate intervention, and undertak- of cargo and the relatively ineffective documenta- ing PCA. ry checks that restrict auditors to reviewing a very small percentage of a trader’s overall transactions. Pre-arrival clearance is a process that allows traders PCA rather is a focus on the business systems of to submit data at an early stage in the transport of the trader that generate and communicate transac- the goods for advance processing of that informa- tions to the regulatory agencies, recognizing that tion by the regulatory agencies and thereby provide good business systems with adequate controls will for immediate release of the goods once they arrive lead to high levels of regulatory compliance. In this at the border or port or prior to the arrival of the context, risks to compliance can be mitigated if the goods if deemed appropriate by the controlling agen- audit process is used to identify enhancements to the cies. The pre-arrival clearance process is particularly trader’s business systems and controls, thus work- important for certain types of goods that are highly ing with the trader to improve future compliance perishable or that in some other way require prompt (a concept that is often referred to as ‘compliance handling upon arrival. improvement’). However, pre-arrival clearance is not just about fa- The World Customs Organization (WCO), in recogni- cilitation. It is also particularly useful for early identi- tion of this need to adapt to the growing world econ- fication of goods that may pose a health, revenue or omy, has spelt out in the Revised Kyoto Convention security risk to the country. The effectiveness of the the need for Customs agencies to move towards post screening process is of course dependent on receipt clearance controls to facilitate trade, which includes of advance information, supported by the necessary transitioning towards ‘control based audit’, which technology to enable agencies to analyze information represents the auditing of traders’ internal systems from a variety of sources and to link it to risk ‘flags’ and controls as they relate to Customs requirements. or alerts. The following Standards contained in the Revised viii | Border Management Modernization Kyoto Convention are of particular relevance (see BOX 1 Revised Kyoto Convention General also Annex 1): Annex Chapter 3 Clearance and other formalities—Special procedures for • Standard 6.6: Customs control systems shall authorized persons include audit-based controls; and • Standard 6.10: The Customs shall evaluate 3.32. Transitional Standard traders’ commercial systems where those sys- For authorized persons who meet criteria specified by the tems have an impact on Customs operations to Customs, including having an appropriate record of compliance ensure compliance with Customs requirements. with Customs requirements and a satisfactory system for managing their commercial records, (italics added) the Customs PCA activities are designed to provide a clear indica- shall provide for: tion of a company’s level of compliance with regu- W release of the goods on the provision of the minimum latory requirements, and to highlight or confirm information necessary to identify the goods and permit the areas of potential risk where additional compliance subsequent completion of the final Goods declaration; or enforcement activity may need to be undertaken. However, PCA results not only allow agencies to iden- W clearance of the goods at the declarant’s premises or another tify potentially unlawful conduct, but also to identify place authorized by the Customs; and, in addition, to the highly compliant traders that may be regarded as extent possible, other special procedures such as: low-risk. Such entities can then be granted mean-  allowing a single Goods declaration for all imports or ingful benefits such as ‘fast-track’ permissions and exports in a given period where goods are imported or simplified procedures that contribute to facilitation exported frequently by the same person; outcomes while reducing costs to government. This  use of the authorized persons’ commercial records to self- concept forms the basis of the Authorized Economic assess their duty and tax liability and, where appropriate, Operator (AEO) programs that are being introduced to ensure compliance with other Customs requirements; by border administrations worldwide.  allowing the lodgment of the Goods declaration by The AEO initiative, sometimes implemented as a means of an entry in the records of the authorized ‘gold card’ or ‘trusted trader’ program, is emerging person to be supported subsequently by a supplementary as a central element of regulatory compliance man- Goods declaration. agement programs internationally. The concept of AEO is embodied in the Revised Kyoto Convention (see Box 1 and also Annex 2), and in the WCO’s SAFE Framework of Standards. Essentially, an AEO risk, a PCA is designed to determine and improve lev- is a member of the international trading community els of compliance, whereas the purpose of an inves- who is deemed to comply with relevant regulatory tigation is to determine whether a suspected breach requirements and standards. AEO’s can generally of the law has occurred. Both processes require the expect to have their performance monitored, rather collection of ‘evidence’ but PCA collects evidence than having their activities scrutinized transaction to determine or confirm an opinion of compliance, by transaction; their cargo is likely to be subjected to whereas an investigation collects evidence in sup- minimal intervention; and they may be eligible to use port of a possible prosecution. PCA should be per- simplified clearance processes. It is therefore vital formed in a non-adversarial manner, with both the that regulatory authorities ensure that assessments agency and the trader working to achieve compliance of traders’ compliance levels are accurate. PCA is an with legislative requirements in the most cost effec- essential tool in that regard. tive manner. As such, PCA and investigation require significantly different skill sets, legislation and proce- It is important at this point to draw the distinction dures which are not necessarily interchangeable. between a PCA and an investigation, recognizing that both activities involve comprehensive examinations While PCA does not signal the end of compliance- of trader systems and documentation. Whilst both related interests in a trader, it does provide greater in- PCA and investigations are responses to an identified sight into existing levels of compliance, and identifies PCA in the Context of Pre-arrival Clearance | ix areas in which compliance may be improved in the Even in situations where an audit is deemed to be ap- future. Those companies with sound systems and propriate, it may be determined that more traditional controls will of course require less direct intervention audit procedures may be preferable to a PCA in the and scrutiny over individual transactions, but will re- following types of cases: main subject to monitoring and regular audit cycles to ensure these high levels of confidence do not slip. • Cost effectiveness—where the compliance plan Such monitoring may be undertaken through the has selected a small trader it may not be cost ef- use of IT systems, where available. Even the most fective to document business systems, identify highly compliant traders can alter that status quick- and analyse controls, and then perform relevant ly, and further intervention may be necessary in control and substantive testing procedures if the following circumstances during periods of ‘hands the company has only imported a few consign- off’ monitoring: ments. In such cases it may be more efficient to ensure that all transactions are identified and a • Analysis of company declarations, returns, sufficient number tested statements or duty payments indicates an anom- • Unreliable internal controls– where the owners aly or unexpected variance of a company being audited, or persons with a • The company notifies the regulatory authority direct financial relationship to that company, that a material change has occurred to its busi- are those who would benefit from the controls ness systems or internal control structure operating incorrectly, then importantly no reli- ance can be placed on those systems and con- There has been a change to inherent risk within the trols. As PCA focuses on the key controls of a industry, such as changes to legislation, reporting pro- business system, this approach is inappropriate cedures, duty and tax rates, increased competition, or • Focussed audit—where, the agency is respond- detection of common errors within the industry. ing to a single risk issue, it may be more efficient to undertake a review of one particular area Finally, it is important to note that PCA may not be of the operations of a trader and/or a specific appropriate in all circumstances. For example, in time-frame situations where goods are deemed to pose a high • No consent—where audit powers in legislation risk, it is often necessary to refocus on immediate are limited to goods and documents relating to controls such as physical intervention and verifica- those goods, then PCA will require a trader’s tion of goods whilst still subject to border controls consent to review the relevant business sys- at a wharf, airport, border crossing, depot or ware- tems. In such situations PCA will be performed house. For example, where the high-risk transaction in a ‘partnership’ environment where the trader is thought to involve prohibited or restricted goods, is looking to improve future compliance. or where other illegal activity may be suspected, it would be inappropriate to release the goods on the basis that a PCA will subsequently be undertaken. 3 Key aspects of Post Clearance Audit A major difference between the conduct of PCA • audit conclusions, reporting and communicat- and more traditional approaches to auditing is the ing with the trader and agency management. skill set and knowledge required of the auditor. Customs audit has typically been based on a sound Looking at each of these areas in more detail, it be- knowledge of customs law and technical skills in tar- comes evident that there is considerable benefit in iff, valuation and origin. PCA however requires an considering the content of the international stan- understanding of how a business operates and how dards when developing PCA programs, as they serve this relates to its transactions with the broader spec- to enhance the PCA process significantly. trum of regulatory agencies. There is also an expectation from the trading Quality Control community that the skill level of auditors is of an appropriately high standard, given that the PCA pro- Quality control is applied at two levels—by the agen- cess is designed to review their business systems and cy over its own operations, and by the agency over internal controls, assess the effectiveness of their the conduct of each PCA. At the agency level, the compliance measures and make recommendations following matters should be considered prior to the on enhancements or changes in order to improve fu- commencement of PCA: ture compliance. • Independence must exist within the PCA team. Thus PCA can have a significant impact on a trader’s In particular, there should be no financial, emo- business and should be conducted with a high degree tional or family relationships between PCA team of professionalism similar to the level of professional- members and the trader subject to PCA; ism expected of private sector audit service providers • Staff must be sufficiently qualified to conduct Private sector auditors are bound by International PCA activities, particularly those in key roles, Standards on Auditing (ISA—which will form the ba- and sis of local auditing standards issued by the national • Each PCA process must be adequately super- professional auditing body). PCA should therefore be vised. guided by those ISA’s that are relevant to PCA con- Note: Further information can be found in ducted by border management agencies. The full set ISA 220. of ISA’s can be found in Annex 3, the most relevant being those relating to: At the individual audit level, the following should be established by the audit manager and enforced • responsibilities of auditors and audit managers; throughout the audit process: • audit planning and collecting information about the trader and the trading environment; • Allocation of proper resources against the • identification of internal controls and risk as- agreed audit plan; sessment of the trader; • Review of delegated work for performance and • audit testing and collection of sufficient audit consistency with the PCA process; evidence to form an accurate opinion about a • Resolution of any audit issues as they arise; and traders level of compliance; • Monitoring audit outcomes. • using the work of other auditors in assessing risks; and 12 | Border Management Modernization Documentation the audit plan. Materiality can be defined as being ‘information which if omitted, misstated, or not dis- All matters contributing to the auditor’s overall opin- closed has the potential to adversely affect decisions’. ion of compliance, or any evidence to support this opinion, should be captured and filed in audit work- Materiality will affect the audit plan in terms of the ing papers for review by peers and by the audit man- nature of the testing to occur. For planning purposes, ager. PCA papers should incorporate the following: materiality can be measured either quantitatively (e.g. dollars or percentages) or qualitatively (e.g. in- • A record of audit planning; adequate or weak policies, or lack of integrity). How • The testing that has been undertaken, includ- it is measured will be determined by the nature of ing what is tested, how it is tested and sampling the company’s business and the expectations of the procedures; administration in relation to compliance. • The results from testing; • Any audit conclusions; and Audit staff will rely on the audit manager’s direction • Evidence that audit managers have reviewed the as to what is ‘material’ should they find errors during audit data. field testing, in particular, how to respond to these er- Note: Further information can be found in rors and whether they need to expand their testing ac- ISA 230. tivities. Further information can be found in ISA 320. Audit Planning: general considerations Internal Controls and Risk Assessment The success of PCA hinges on an effective Audit Plan, which should be compiled under the direction of The audit plan also requires the auditor to gain the audit manager, and signed off before field work an understanding of the internal control environ- commences. ment of the company and to have begun forming an opinion about their level of confidence in the trader. The audit plan, the output of audit planning, should In this context, the ‘control environment’ can be de- bring together the audit scope and objectives, mat- fined as the management’s attitude and actions to- ters for consideration, and a program of the proce- wards controls. dures to implement the plan. Audit planning involves several key stages, each covered by individual audit audit managers will need to review the opinion (with standards. These are discussed in detail in Section 5. evidence) of the audit team and sign-off on their views, as the initial risk assessment will determine early approaches to the extent of testing. Further in- Audit Planning: obtaining knowledge formation can be found in the ISA 400 series. of the trader’s business Audit standards require the auditor to gain business Audit Evidence knowledge sufficient to be able to identify and under- stand the events, transactions, and practices which The standards require PCA evidence to be ‘sufficient’ may have a significant effect on the audit, or audit and ‘appropriate’ to support the audit opinion. Audit report. Auditors should be able to form an initial evidence can be described as the information by judgment as to the level of risk posed by the trader. which the auditors came to their conclusions in order Further information can be found in ISA 310. to provide their audit opinions. It will comprise copies of documents, records, and Audit Planning: materiality other information from the trader; information from within the administration such as duty payments, re- As well as forming an initial judgment about the level funds, or production statements; and other internal of risk, a judgment about materiality is required for or external documentation analyzed by the auditor. Key aspects of Post Clearance Audit | 13 Audit evidence is also generated during the PCA it- While internal audit has the same objectives as exter- self, for example, audit working papers relating to ob- nal audit, i.e. seeking a level of assurance over com- servations, interviews, and tests performed. Further pany operations, internal and external audit have information can be found in the ISA 500 series. different purposes within the organization. Internal audit is more an ongoing management tool, and there At all stages of PCA, audit managers should be re- is certainly a reduced level of independence given viewing audit evidence to ensure that it has been that internal auditors are generally the company’s properly obtained, is relevant and supports the audi- own employees. There is also a greater possibility of tor’s opinions. management ‘influencing’ the results of internal au- dit before those results reach the Board. Using the Work of another Auditor If a PCA auditor is to rely on internal audit work, that work should still be tested to some degree during the PCA can take into account the work of another audi- course of the audit. However, the extent of testing tor such as the company’s own internal auditor, or an will be based upon the auditor’s confidence in the external auditor at year-end sign off of financial state- internal audit arrangements, and this can be gauged ments. However, the audit manager must ensure that by asking the following types of questions: the following has been considered: • Were internal audits conducted by trained Was the auditor independent? (see ISA210, ISA220) personnel? • Were the audits properly supervised? Was the auditor competent? (see ISA 220) • If there were audit conclusions, were these con- clusion based on audit evidence? Can the PCA team review the audit evidence? • Are internal audit conclusions consistent with work performed? Do the views of the auditor differ from the initial • Were issues identified by internal audit views of the PCA team? followed up? These same types of questions could be asked if the Considering the Work of an PCA auditor decides to use the work of an external Internal Auditor auditor such as the audit company conducting the “year-end” financial statement audit. Further infor- Internal audit can be defined as: mation can be found in ISA 610. “An appraisal activity within an entity as a ser- vice to the entity. It is independent within the Using Experts entity and its functions include … examining evaluating and monitoring the adequacy and ef- An expert could mean a person or business with a fectiveness of the internal control structure”. special skill, knowledge or experience outside of au- diting and accounting. Experts are used when the Internal audit and some specific audit engagements audit could miss some material error without the as- form part of the internal control structure of an en- sistance of professional knowledge. For example, a tity and if appropriate and relevant, these audit pro- PCA may require the expert services of a chemist for grams may decrease the company’s level of control classifying chemicals, or an intellectual property (IP) risk. However, given the greater perceived level of rights valuer to determine the customs value of cer- independence, audit managers should ensure that tain IP. When selecting an expert, the audit manager external audit results take precedence over internal needs to ensure that the proposed expert is: audit or the work of any other ad-hoc auditors, where these services overlap. • Properly certified by a relevant institution or association; 14 | Border Management Modernization • Currently certified, i.e. the relevant certification Audit Reporting has not expired; • Qualified in accordance with professional refer- The standards relating to audit reporting are large- ences; and ly based on financial statement audits. However, of • Independent (i.e. has no business, financial or note to the PCA manager is that the audit report other relationship with the company). Indepen- needs to be: dence is a particular issue in small industry spe- cialisations where experts are in limited supply, • Relevant to those who will use the report; as the company itself may have used or intends • Reliable, being based on audit evidence; to use the same expert at some point. • Capable of identifying and discussing material issues; In the majority of cases an expert will not be a trained • Issued in a timely fashion; auditor, so there is a further need to ensure that: • Capable of being understood by the reader; and • Consistent to allow comparisons. • The audit objectives, scope and expectations are clear to the expert; The actual content, style and format of the audit re- • Confidentiality is maintained; port will be determined by the needs of the agencies’ • The expert is obtaining supporting evidence compliance area and it is the responsibility of the which the audit can also use; and audit manager to ensure that such requirements are • The expert’s work is also being reviewed—by a met. Finally, no audit report (draft or final) should peer if possible, but at least by the auditor and be sent to the trader subject to PCA without sign-off audit manager. from the audit manager. Further information can be found in the ISA 700 series. Finally, experts have a reputation of sometimes being ‘inconclusive’ and such output needs to be managed so that their work usefully contributes to the audit. Further information can be found in ISA 620. 4 PCA Objectives and Scope The audit scope and objectives essentially reflect the • ‘To assess compliance with duty liabilities and reason or reasons why the trader has been selected other regulatory commitments’; or for PCA, which will generally be linked in some way • ‘To determine that all duties and taxes payable, to the perceived level of risk posed by the trader. For have been paid in full and on time, in compli- example, a trader may be selected for PCA for one of ance with the legislation’ the following reasons: Not all PCA audit objectives will be that broad. For • The trader is a significant tax/duty payer who example, if a desk-based analysis of data such as duty has not been visited for some time; payments, declarations, operating statements or re- • The trader’s last audit left several outstanding turns reveals unexplained deviations from the trad- issues to be followed up and remedial activity to er’s normal or expected operations, a more focused be undertaken; set of audit objectives would result, such as ‘To de- • Monitoring the trader’s performance, e.g. duty termine whether: payment, permits, losses, conditional conces- sions, refunds, indicates that established pat- • all goods delivered under duty suspension terns and trends of the trader, or between the schemes are entitled to receive such conces- trader and the trader’s industry, are altered to sional treatment’ the point that revenue or other requirements are • all goods delivered from the licensed warehouse at risk; had the appropriate clearances • There have been changes to legislation or ad- • all receipts of imported petroleum product can ministration within the industry in which the be properly accounted for in the trader’s records trader operates; • all payments of VAT refund or duty drawback • The industry as a whole, in which the trader op- relate to valid export consignments. erates, has come to notice as a significant com- pliance risk; or It is important to identify and document audit objec- • A trend of non-compliance has been identified tives at the very start of the PCA planning process, within an industry, and the extent of that non- as this helps the auditor to stay focused on relevant compliance across the industry needs to be un- issues such as the type of information to gather, the derstood. systems to be identified and the relevant controls to be tested. Audit Objectives Audit Scope The PCA will need to address the areas of risk that have been identified, and these areas of risk will Audit scope relates to the particular aspects of the establish audit objectives. For example, in the case trader’s operations and the period of time the PCA of a large trader that is included on an ‘audit cycle’ activity will cover. For example, the time period may with other significant payers simply due to the size of be financial year, calendar year, half year, quarter, or the potential risk, the audit objectives may be quite month. In establishing the timeframe, regard should broad, such as: be had to any legislative restraint, particularly in re- lation to record keeping requirements. A common feature of customs law, for example, is the need to 16 | Border Management Modernization retain records for 5 to 7 years, thus restricting any sample sizes, again important in determining issues PCA scope to the relevant statutory period. such as audit testing. Like audit objectives, audit scope may often be deter- When combined with the objectives, the audit scope mined by the initial reasons for PCA selection. The should provide all parties with a clear indication of same monitoring and analysis of industry data can what the audit will entail. For example, in the case of often highlight those points in time at which an im- a trader who imports raw materials for further manu- porter, exporter or manufacturer began to show signs facturing, a PCA may be designed to form an opinion that ‘things weren’t right’. The start of an unusual or as to whether the trader’s losses in the previous cal- unexpected pattern, or a period of time in which data endar year were within relevant legislative provisions were not following normal trends, should be clearly and/or administrative guidelines. identified within the audit scope. In this regard, the audit scope and objectives should It is important to identify and document the audit be clearly identified in both the initial correspon- scope at the commencement of PCA planning. Audit dence in which the company is advised of the scope will also assist in estimating audit populations intention to conduct the audit, and during the (or total transactions to come under the audit) and Entrance Interview. 5 PCA Methodology This section provides a framework and step by step approach to the conduct of PCA using a series of practical examples. The methodology is comprised of the following stages: 1. Audit planning 2. Identifying and analyzing the trader’s internal controls within their relevant business systems 3. Designing and undertaking tests of internal controls and assessing trader risk 4. Confirming a trader’s risk assessment by designing and undertaking substantive testing 5. Dealing with issues arising during the audit and developing recommendations to improve compliance 6. Preparing and communicating the audit report. Stages of a PCA (1) (2) (3) (4) (5) (6) Audit Identifying Control Substantive Dealing with Audit Planning and Testing Testing Audit Issues Reporting Analysing Internal Controls Note: In situations where PCA is not suitable, traditional transaction based auditing is utilized in which case Stages 2 and 3 of this methodology are omitted. 5.1 Audit Planning 5.1.1 Developing the Draft Audit Plan Audit planning is essential to running an effective The initial step for the PCA auditor is to properly set PCA. A proper investment in planning helps to en- the audit scope and objectives (refer to Section 4), sure the success of what can be a complex set of pro- which will reflect the reasons why the trader has cedures and tests. Audit planning is divided into a been selected for PCA, the expectations of the agen- number of key steps as follows: cies’ management, and the legislation which governs the trader’s operations. For example, scope and ob- • Developing a draft audit plan jectives may be determined to be: • Gaining an initial insight into the trader’s busi- ness • conducting a comprehensive review of the trad- • Formally commencing the PCA with an En- er’s business systems in relation to the impor- trance Interview tation, exportation, storage, or manufacture of • Setting materiality in case errors are detected goods and their duty payment for the last finan- • Documenting (and understanding) the traders cial year; business system • conducting a review of recent amendments/ • Finalizing the audit plan. upgrades made to a trader’s business systems and/or internal controls as they relate to the reporting of imported goods; 18 | Border Management Modernization • conducting a focussed review of the trader’s use information about the entity to enable all events, of duty suspension arrangements in the previ- transactions, and practices concerning compliance ous quarter; or with importation, exportation, manufacture or duty • conducting a follow-up to ensure recommended payment processes, etc, as they relate to the au- remedial action in a recently completed PCA has dit scope and objectives, to be properly identified been implemented to agreed standards. and understood. The scope and objectives of the audit then serve to While a detailed knowledge will be gained during the co-ordinate the “core” aspects of the PCA, including: course of the audit, considerable information may be already be available from alternative sources that will • a program of audit procedures to be carried out provide the auditor with some initial insights into the to form an opinion about the trader’s level of business prior to the audit’s commencement. Sources compliance; for such data can be either from outside the admin- • sites to be visited, persons to be interviewed, istration or, where such data exists, from within the and processes to be observed; agency itself. • start dates, testing dates, and reporting timelines; • audit team resources required, including exper- The type of data available from within the agency tise in areas such as IT, classification and valu- will depend upon the information the agency cap- ation; and tures and records from industry by way of lodg- • any other matters relevant to the conduct of ment of returns, declarations, statements or reports. the PCA. Generally, it would be expected that agencies would require from traders the following types of informa- The audit planning process must also address the fol- tion on either a transaction-by-transaction, or peri- lowing important areas, which will be identified and odic reporting basis: documented in the final plan: • import declarations for imported goods, ware- • advising the trader of the intention to conduct housed goods, and for duty payment a PCA of their operations and placing a copy of • export declarations the correspondence on the audit plan file; • manufacturers’ declarations or returns • any action needed to seek and establish a co-op- • requests for refund, rebates, remissions, or erative relationship with both the trader’s man- drawbacks of duty and taxes agement and those operational staff who will be • manufacturers’ production statements important to the conduct of the actual audit; • operational statements relating to packaging, • where the trader is willing, seek from them in storing, and delivering imported goods, includ- advance of the PCA, any procedure statements, ing receipts, deliveries, losses, gains and other user manuals, policies, etc that they believe are movements relevant to their compliance obligations—not- • other statements or periodic returns which are ing each document received on the audit plan required by legislation or as part of import con- file; and ditions, such as duty suspension arrangements. • identifying any other potential sources of infor- mation relevant to the PCA, in particular, how The agency may also generate its own informa- to gain sufficient knowledge of the trader’s busi- tion about individual traders that may be useful to ness (see below) and industry. the PCA auditor. For example, it may have histori- cal records concerning companies and industries, gathered from earlier PCA work, including previous 5.1.2 Gaining an Initial Insight into audit working papers and audit reports. The auditor the Business should also look for the following types of internal information where relevant: The auditor needs to gain a sound knowledge of the trader’s business, and should gather sufficient PCA Methodology | 19 • import, export or bonded warehouse licensing • outline the audit scope and objectives and dis- files that may contain application and current cuss reasons for PCA selection; status details • request further information, or access to fur- • license, permit or permission details ther information not available or forwarded by • import, export or excise statistical data for ar- the trader during the early information gather- eas such as duty, values, refunds, exemptions, ing process, such as sales data, production data, and volumes. customer data, product data, systems documen- tation, job descriptions, procedure manuals and Where permitted under local legislation, it may also internal policy documents; be possible to request relevant information from • invite the trader to volunteer any issues or con- other Government agencies that hold data about the cerns about its own compliance. This may in- trader. The sort of information useful to the PCA au- clude findings of internal or external auditing ditor may include: commissioned by the company as part of its own internal control structure, or issues in deal- • movement of import and export cargo from port ing with border authorities such as disagree- authorities ment with classification or values; • company registration and ownership details • agree on administrative issues including: from business registration authorities  details of audit team contacts • other relevant business activity details from in-  details of relevant contact staff dustry, trade, economics, or finance agencies  use of outside experts and expertise if • other taxation information from inland revenue applicable or taxation authorities  use of computer assisted audit tools if • licence or permit details from permit issuing applicable authorities.  what sites should be visited and when  timing of commencement, conduct and The auditor should also consider the following useful finalization of tests external sources:  estimated time of PCA completion and reporting opinions to the trader. • articles in newspaper, trade journals and other • If applicable, discuss and document any con- industry press cerns regarding relevant business systems un- • discussions with customers and suppliers covered after reviewing any procedure manuals, • Stock Exchange announcements (for public licensing files, or other materials previously for- companies). warded by the trader. 5.1.3 The Entrance Interview 5.1.4 Determining Materiality Prior to conducting the entrance interview, it is nec- Materiality may be defined as the potential of audit essary to formally advise the trader of the agency’s findings to influence the auditor’s opinion about intention to conduct a PCA, and should arrange a the trader’s level of compliance. When PCA auditors mutually convenient time to conduct the interview. identify errors, omissions or other forms of inaccu- The entrance interview represents the formal start of racy (as they inevitably will, in even the most highly the PCA process with the trader. compliant of companies), they need to ask them- selves whether a particular error, omission or inac- It should be conducted with relevant senior manag- curacy is likely to have an impact on their opinion of ers, those company staff with whom the auditors will the trader’s compliance. deal directly during the course of the audit, and pos- sibly the trader’s professional advisors. During the Materiality can be measured in two ways. Firstly, interview, the PCA team will look to: it can be measured quantitatively. For example, an auditor may determine that, provided the valuation 20 | Border Management Modernization of goods for duty purposes is within 1% or within • systems for reporting transactions to border au- $50.00 on a line of any import consignment, the error thorities will not impact upon the auditor’s opinion. • records of receipts of foreign goods or raw mate- rials and, where appropriate, from local sources Alternatively, materiality may be measured qualita- • production records—including raw materials tively, or in a more descriptive fashion. For example, into production, production into inventory, and it may be determined that a spelling error in a ‘goods efficiency reports (losses/gains) description’ field will not impact the auditor’s opin- • packaged stock and deliveries ion provided the error does not affect the classifica- • sales and invoicing (domestic and export), in- tion of the goods. cluding customer files • returns and credits. When applying materiality decisions during audit testing, the PCA auditor must bear in mind that, The type of documentation the auditor requires in- while a small percentage deviation on a low-value cludes: procedure manuals, policy statements, op- line may be considered immaterial and not affect the erating instructions, computer system descriptions, audit outcome, the same deviation occurring on a and control manuals. The auditor may already have high-value line may well be considered material, and access to some of these documents, as they may have may consequently have an impact on the audit opin- been forwarded by the trader upon notification of the ion. In such cases, the auditor would need to analyze upcoming PCA activity. The appropriate people with- the error and assess how likely or how possible it is in the company to approach in relation to such docu- that the same error could occur on a high value line. mentation include management, technical staff (e.g. This issue is further discussed below in the testing information technology division), business manag- and sampling sections of the methodology. ers (e.g. production, warehouse operations, etc), or financial managers (duty and tax payments) as nec- Once determined by the auditor and audit manager, essary. The key action at this point is to confirm that materiality levels should be documented in the audit all relevant documentation has been received and plan to inform the audit team of the procedures to reviewed by the audit team. be followed when finding errors during the course of their PCA fieldwork at the trader’s premises. During this stage the auditors should also obtain an understanding of the company’s organizational structure and identify those groups which have a role 5.1.5 Understanding and Documenting which is directly or indirectly relevant to the audit the Business Systems objectives (for example, those responsible for per- forming relevant monitoring activities). Due to the nature of PCA with its approach of review- Other possible sources of information which may be ing a trader’s systems, the auditor must acquire suffi- available and useful to the PCA to confirm that all cient information about relevant business systems so business documentation has been received and that that any internal controls within that system can be business systems are effective, are: both identified and assessed. The first requirement is therefore to gain the necessary knowledge of the • relevant internal audit reports and discussions business systems which are of relevance to the audit with the company’s internal audit staff scope and objectives. These business systems will • relevant risk assessments performed during the generally relate to areas such as: annual external financial audit • external audit management letters and reports • product files—including details of product clas- and discussions with the external auditors. sification, value, origin, and other relevant de- tails for the range of goods the trader imports, Once all business systems documentation has been exports or manufactures received by the PCA team, the documentation needs to be reviewed in relation to its accuracy and level PCA Methodology | 21 of detail. As previously noted, the business systems Systems verification can be achieved by conducting documentation should be sufficiently detailed to en- walk-through tests or examining system documents able the identification and analysis of all existing in- filed in the permanent files which were identified in ternal controls that are relevant to the audit. the documentation. It may also be possible that the trader’s business Walk-through tests are used to confirm the complete- system documentation still remains on the audit ness and accuracy of the auditors’ understanding of files of previous PCA activity, in which case the PCA how a significant transaction is processed, or how team need only verify that no material changes have product storage and movement is controlled, and been made to those systems. Where applicable, any will complement the discussions with management material changes that have occurred to business sys- noted above. The exact technique employed will de- tems should be incorporated into existing systems pend on the nature of the system, type of evidence documentation. Further, where those changes are available and the audit objectives. considered significant, the auditor should then verify that they have properly understood and documented In executing a walk-through, the auditor should trace the changes. a transaction through the processes as documented in the flowcharts and/or narratives of each business If business systems documentation is unavailable (or system. Having walked through each significant pro- business system documentation is insufficient to an- cess, the auditor will be in a position to assess wheth- alyze internal controls) then the PCA team will need er the systems description is correct. Where audit ac- to document the business systems themselves. The tivity is being undertaken at several sites, then this form of systems documentation may include a sim- walk-through check must be undertaken at each site ple narrative of the relevant system, through to high- and local variations/extensions noted. ly complex process flow-charts (or a combination of both). The narrative approach is useful where the This is an essential component in the system docu- business system under review is small or simple in mentation stage, as it is possible that one area of the nature, and flowcharting is more appropriate where trader’s operations may have adopted its own ‘local the system is large and complex in nature. It is likely procedures’ which either enhance or detract from the that, where such systems are large and complex, the documented procedures. Once the auditor is satisfied system (or systems) will be broken down into sub- that a complete set of all relevant business systems systems for the purposes of flowcharting. Computer documentation is available, and the documentation software is also available to assist the auditor in pro- is sufficient for the next stage of the audit where in- ducing large and complex flowcharts, and is useful ternal controls are identified and analyzed, the audit for easy amendment or updating as the company plan may be finalized. makes changes to its business systems. Again it is critical to note that the basic requirement 5.1.6 Finalizing the Audit Plan for business system documentation, whether drafted by the trader, or by the PCA team, is that internal The audit plan should now be ready for completion. controls can be identified and analyzed for their rele- The auditor is aware of the scope and objectives, vance and effectiveness. In some cases, the business and importantly the audit approach, which allows system documentation may indicate a high level of for confirmation of what will be tested, where and usage and reliance on IT systems, in which case it when. An entrance interview will have been con- will be necessary to ensure that IT expertise exists in ducted during which this information will have been the PCA team or is available from an external source discussed with the trader, and the auditor will have a during the course of the PCA. set of business documentation covering the relevant operations of the trader which they will have verified Once the PCA team has a full set of business docu- (alternatively the audit team may have documented mentation covering all relevant areas of the trader’s the relevant business systems themselves). operations, the business systems must be verified. 22 | Border Management Modernization It is important to remember that it is better to invest • Sites to be visited, persons to be interviewed and time in developing a good audit plan than to create processes to be observed the potential for duplication, lack of co-ordination, • Proposed timing of visits, tests and audit com- and other issues which detract from an efficient PCA. pletion • Audit team leaders and members, and where The audit plan when finalized will bring together the applicable, use of outside professional expertise following areas of the audit procedures: such as IT specialists, chemists, valuers, etc., and their respective roles in the audit • Audit scope • Any other matters that are relevant to the audit • Audit objectives such as outstanding audit related issues, indus- • Program of procedures (analytical procedures, try complaints to check, or queries generated testing, etc.) during company research, etc. • Levels of materiality in the event that errors are detected 5.2 Identifying and Analyzing Internal Controls (1) (2) (3) (4) (5) (6) Audit Identifying Control Substantive Dealing with Audit Planning and Testing Testing Audit Issues Reporting Analysing Internal Controls From the knowledge of the business systems gained misstatements, non-compliance, and internal fraud during the audit planning stage it is time to identify from occurring. There are two types of internal con- and analyze the appropriateness and effectiveness of trols within a business system: the trader’s internal controls which are relevant in ensuring compliance. This stage of “Identifying and • Preventive Controls—being internal controls de- Analyzing Internal Controls” involves 3 key steps signed to prevent errors and other non-compli- as follows: ance before they can occur; and • Detective Controls—being internal controls de- 1. Understanding what internal controls are, and signed to identify errors and other types of non- the different types; compliance once they have occurred, so that the 2. Understanding the relationship between con- company can take timely remedial action. trols and risk in the business systems; At this stage in the PCA process the auditor is re- Understanding the various audit risks, i.e. inherent quired to identify the internal controls in the vari- risk, control risk and overall confidence in the level ous business systems that are relevant to compliance of compliance of the trader. and that the auditor will review as part of the PCA. Common examples of “preventative” internal con- trols could include: 5.2.1 Understanding internal controls • Any review, verification, re- calculation or re-as- Internal controls are company policies and proce- sessment of data before it proceeds to the next dures that are designed to prevent errors, omissions, stage of a process; PCA Methodology | 23 • Counter-signing of documents; Where compliance is seen as a priority by the trader, • Use of two persons to undertake particular tasks; the auditor will likely see comprehensive business • Passwords on a computer; process documents such as user manuals, procedure • Maintaining the accuracy of flow meters statements, rules and measures that focus on ensur- and scales; ing compliance, with very clear instructions to staff • Locks on a gate; or to follow, all of which should be considered positive- • Swipe key systems that block access to unau- ly by the auditor in shaping opinions on risk in the thorized persons. following steps of the methodology. Common examples of “detective” type internal con- trols include: 5.2.2 Understanding the relationship between controls and risk in the • Stock-takes; business systems • Weekly or monthly reconciliations; • Internal audits; • Periodic quality assurance (QA) processes; and The next step is to document the risks and relevant • Exception reports. internal controls for the trader’s business systems. This process provides order, direction and organiza- A trader’s attitude to establishing and using internal tion to the PCA itself. controls is an important assessment to make in this early stage of the PCA as it will help shape the audi- A useful way of documenting risks and controls is by tor’s opinions as the audit is carried out. The trader’s using a ‘controls/risk matrix’ (see example at Annex attitude is sometimes referred to as the ‘control envi- 7.) This approach enables the auditor to identify any ronment’. The control environment is effectively the potential errors in each business system that are like- management’s position and commitment to the op- ly to impact on compliance, and to link them to the eration of relevant internal controls and the level of trader’s internal controls (which should be designed importance management has put into ensuring that to mitigate those risks). The controls/risk matrix ap- such controls are properly utilized. Even with good proach allows the auditor to quickly review whether internal controls in place, these become worthless if potential errors that have been identified have at management is happy to cut corners or bend rules least one internal control operating to prevent or de- when things are busy, profits are down or perhaps tect them. when someone is away from work and an important task is overlooked. The auditor should examine the The matrix is further supported by use of control de- business documentation obtained during the audit scription/testing worksheets (see example at Annex planning stage and look for the following indications: 6), one of which is completed for each internal con- trol in each business system being audited, and • Has the trader identified regulatory compliance provides the auditor with the opportunity to fully as a priority and is this priority reflected in staff describe each control, and to eventually design and training, staff procedure statements, and other record appropriate tests. Use of these forms, when operational documentation? properly completed and cross referenced between • Does the trader arrange internal or external each control and each business system, creates a log- audit review of compliance with regulatory ical and sound set of audit working papers. requirements, and do those reviews look at whether relevant internal controls are being ap- The process of identifying risks and relevant internal plied properly? controls in each business system can be illustrated • Has the trader engaged professional advisors to using the following examples. help establish compliant systems and controls, or assist with ensuring compliance in relation to Using the above case study as an example, the auditor particular transactions? will develop a control description/testing worksheet 24 | Border Management Modernization Identifying Risks and Controls: “Container receipt and unpack” A large importer has established a set of procedures for the arrival and the unpacking of shipping containers to ensure that their orders are properly filled by the supplier, and that there has been no pillaging of the cargo between the container leaving the supplier and arriving at the warehouse. The PCA has identified this system as being of relevance in the context of evaluating the level of compliance of the trader, as this control is also effectively ensuring that the goods received are the same as those which have been declared to Customs for duty payment. Consequently the relevant internal controls need to be identified and an initial assessment made as to their appropriateness. The system has been documented as follows: 1. Container of imported goods arrives and is met by the warehouse supervisor and a senior storeworker. Documents for the consignment and the import declaration are checked against the container number, and if correct, the seals are broken and the doors of the container are opened. 2. Warehouse storeworkers unpack the container in the presence of the warehouse supervisor and senior storeworker, and the goods are verified against both the packing slip and import declaration as the unpacking occurs. 3. On completion, a “Container Unpack Report” is completed in triplicate with details of the consignment and any variance between what was in the container and the description on the packing slip and import declaration. 4. The warehouse supervisor and senior storeworker both sign the Container Unpack Report and send one copy of the document to Accounts Payable and another to Inventory Control, while one is retained in the warehouse supervisor’s office. The system is important as it serves to ensure the accuracy of the import declaration by ensuring that the goods in the container are the same, and in the same quantities as declared on the import declaration. The internal controls in operation can be considered to be effective in ensuring compliance provided they are operating correctly and the verification is being performed properly. (see Annex 6) and a control/risk matrix (See Annex the auditor would list all potential errors in an import 7) as follows. declaration lodged by the trader such as tariff clas- sification, description of goods, number of packages, number of units, value, origin (and any other risk). Control/Risk Matrix Then the auditor would list the internal controls such as the two-person count and reconciliation with the This working paper should be completed for each packing slip and import declaration. The auditor can system or sub-system which is to be reviewed by the then use this document to indicate which controls PCA. In the above example, the control/risk matrix help to mitigate the risks (or potential errors). would be titled “Container Receipt and Unpack”, and Control Risk Matrix Auditee Audit Manager SYSTEM: Container Receipt and Unpack POTENTIAL ERRORS REF CONTROLS IDENTIFIED COMMENTS ON 1 2 3 4 5 6 7 8 9 10 11 12 13 Test CONTROLS Ref CRU 1 Container Unpack Report Relevant to quantities X X X X Preliminary Adequacy of Controls : High level of confidence Control Assessment after Testing: Risk Remaining Substantive Test Reference POTENTIAL ERRORS IDENTIFIED 1 Incorrect Classification Declared 2 Incorrect Quantities Declared 3 Incorrect Value Declared 4 Incorrect Origin Declared 5 Incorrect Marks and Numbers 6 Undeclared Goods 7 Import declarations in error not adjusted 8 9 Prepared by Reviewed by Index 10 11 E 1A 12 / / / / 13 PCA Methodology | 25 26 | Border Management Modernization Control Description/Testing Worksheet The control description/testing worksheet is then completed by entering the name of the internal A control description/testing worksheet should be control, and including a full description of how the created for each control listed in the control/risk internal control operates. There should also be an in- matrix. The relevant internal control documented in dication of the auditor’s initial views of the control the control description/testing form should be cross- (see below). referenced to the control/risk matrix. Control Description/Testing Worksheet Auditee Audit Manager Control Description: Container Unpack Report System: Container Receipt 1. Container of imported goods arrives and is met by warehouse supervisor and a senior and Unpack storeworker. Documents for the consignment and the import declaration are checked against the container number, and if the correct consignment, the seals are broken and the doors of the container are opened. 2. Warehouse storeworkers unpack the container in the presence of the warehouse supervisor and senior storeworker and goods are verified against both the packing slip and import declaration as the unpacking occurs. 3. On completion, a “Container Unpack Report” docu ment is completed in triplicate with details of the consignment and any variance between what was in the container and what was in the packing slip and import declaration. 4. The warehouse supervisor and senior storeworker both sign the Container Unpack Re port and sends one copy of the document to Accounts Payable, another to Inventory Control and one is retained in the warehouse supervisor’s office. Notes: Preliminary assessment: High level of confidence based on low inherent risk and low control risk. : Description of control test Sampling: size: selection method: period: population size: Summary of Test Findings: Control Assessment after test: Prepared by Reviewed by Index E 1A / / / / PCA Methodology | 27 The following is another example of a business examined and along with the relationship be- system for which the compliance risk could be tween the two in the context of completing a con- quite high. The risks and controls should be trols/risk matrix. Inventory control An alcohol trader with a license to store imported alcoholic beverages under bond until it is delivered into home consumption performs a weekly stock-take to ensure that receipts and deliveries of stock have been accurately recorded. The PCA has identified this system as being of relevance when evaluating the level of compliance and as such the risks (or potential errors) in the system and the relevant internal controls to mitigate these risks need to be identified and documented in matrix form. The potential errors that would be recorded in the controls/risk matrix are as follows: W Receipts of imported goods not correctly recorded in the bonded inventory records. W Receipts of under-bond transfers from other licensees not correctly recorded in bonded inventory records. W Transfers from production not correctly recorded in bonded inventory records. W Approved remissions from breakages, out-of-date stock, etc not correctly recorded in bonded inventory records. W Approved returns from customers not properly recorded in bonded inventory records. W Wrong goods or wrong quantities of goods selected from inventory for delivery. W Deliveries not correctly recorded in bonded inventory records. The primary internal control here is the weekly stock-take conducted by the bond manager and assistant, which is likely to mitigate all seven potential errors/risks as a ‘detection control’. The importer may well have other internal controls such as a “gate pass” and physical inspection of truck contents against paperwork at the exit gate—a control which could mitigate risks 6 and 7. Again, these additional internal controls in this system are listed in the control/risk matrix, with an indication of which potential errors they are mitigating. These controls are then copied to an individual control description/testing worksheet and will later be tested by the auditor. 5.2.3 Understanding the risks in the audit tests is linked directly to the level of confidence the auditor has prior to commencing control testing. As noted above, evaluating the operation and effec- tiveness of the trader’s internal controls is the basis The following matrix is useful in determining this of the PCA approach. Where such controls are found initial level of pre-testing confidence. One axis iden- to be sound and are being applied appropriately, tifies ‘inherent risk’ and the other ‘control risk’, then it is likely that the auditor will form an opin- with the body of the matrix showing an initial level ion that the trader is compliant, and where they are of confidence, which is expressed as high, medium not, then the auditor will look to recommend en- or low. For example a high inherent risk with a hancements to certain controls in order to improve medium level of control risk provides the auditor future compliance. with a “low” level of confidence which will trans- late during control testing to higher levels of test- However, an important part of determining whether ing. Alternatively, where a low level of inherent risk the internal controls are appropriate and are being and medium level of control risk is perceived by the properly applied by the trader is to test them—and auditor, then the starting point is a high level of con- this will occur in the next stage of the PCA. When fidence which will mean lower levels of testing will control testing occurs, the level or extent of those be needed. 28 | Border Management Modernization CONTROL RISK HIGH RISK MEDIUM RISK LOW RISK HIGH RISK LOW CONFIDENCE LOW CONFIDENCE MEDIUM CONFIDENCE INHERENT MEDIUM RISK LOW CONFIDENCE MEDIUM CONFIDENCE HIGH CONFIDENCE RISK LOW RISK MEDIUM CONFIDENCE HIGH CONFIDENCE HIGH CONFIDENCE Determining Inherent Risk High Risk Any of the following are evident: poor or uncertain staff knowledge, Inherent risk is also known as the business risk, and experience and/or integrity; highly is best described as the risk of errors and other non- competitive industry where staff compliance by the trader if no internal controls were feel under pressure to perform; re- in place. Inherent risk can also be assessed from in- liance on highly complicated or formation which is generally gathered during the au- highly manual processes, or highly dit planning stage, and includes: taxed and regulated industry in which there are many competitors • What is the level of integrity of the management who are regularly found to be non- and staff at the company? Have any persons compliant. been found guilty of border agency or taxation Medium Risk Any of the following are evident: offences, or indeed any other financial matters? there is some staff knowledge and • What is the level of knowledge and experience experience which can be accessed of management and staff at the company—both by all employees; competitive in- in terms of working in the industry, and in work- dustry; some reliance on highly ing with border related legislation? complicated or highly manual pro- • What is the nature of the business systems and cesses; medium level taxed and reg- controls—are they complex; are they manual ulated industry in which there are with a heavy reliance on human input; are they several large competitors. unclear? Low Risk Most or all of the following are evi- • What is the nature of the industry in which the dent: good staff knowledge, experi- trader operates—is it highly competitive; does ence and integrity; moderately com- it have high duty rates; is it highly regulated; petitive industry where staff feel would non-compliance generally deliver sub- little pressure to cut corners; no reli- stantial competitive advantages? ance on complex manual processes; • Is there a history of poor industry-wide compli- industry has low rates of tax and ance, with a significant number of common er- regulation; and the industry has a rors occurring across the sector? good compliance record. When considering these matters, the auditor must The auditor’s assessment as to the level of inherent make an assessment as to whether inherent risk risk, with evidence, should then be documented in is high, medium or low. As a guide, and based on the audit working papers, including reference in the the above questions, the following conclusions may control description/testing worksheet. be reached: PCA Methodology | 29 Determining Control Risk should be adopted. As a general guide to determining the level of control risk, the auditor could consider Control risk is simply the risk that errors and other the following: instances of non-compliance will not be prevented or detected by the internal controls or their detec- High Risk Internal controls are present, but tion will be too late to prevent a breach of legislation. there are questions in relation to The auditor again must make an assessment as to the their effectiveness and their appli- level of control risk by determining whether the con- cation by staff, and user documen- trols are working effectively. This will involve taking tation about performance of the a number of factors into consideration such as: controls is difficult to comprehend. There have been significant chang- • use of the auditor’s own skills, knowledge and es to business systems and controls experience. The auditor is likely to have seen since any previous audit. many companies’ internal control structures, Medium Risk Internal controls are present and and can ‘benchmark’ against these. The auditor seem quite relevant to the process. will also be familiar with the relevant legisla- Staff are generally applying the con- tion with which the company must comply, and trols well, and each control is sup- whether the controls are appropriate; ported by clear and precise user doc- • the auditor’s specific knowledge of the trader umentation. There have been some and the relevant systems and controls, as a re- changes to business systems and sult of reviewing the business system documen- controls since any previous audit. tation during the audit planning stage; Low Risk Internal controls are present and • the auditor may have visited or audited the trad- appear to be relevant and effective er previously; in their operation. Staff are well • the results if previously audited and any other trained and are applying the con- information in the agency’s possession relating trols. User documentation to sup- to errors or instances of non-compliance; port the controls is clear and pre- • material changes to the business systems and cise. There have been no changes to controls since the last audit; business systems and controls since • review and query of relevant user manuals, pol- any previous audit. icy and procedure statements and job descrip- tions; and The auditor’s assessed level of control risk should • observation of processes, systems and controls. then be documented in the audit working papers, in- cluding reference in the control description/testing The auditor again needs to make an assessment worksheet. Once the auditor has formed an opinion as to whether control risk is high, medium or low. about inherent risk and control risk, the matrix above Remembering that if control risk is assessed un- can be used to gain an overall initial ‘confidence lev- acceptably high or if internal controls are found el’. Once the initial confidence level has been deter- to be entirely unreliable, then systems based audit- mined and recorded in the audit working papers, this ing approach of PCA should be abandoned and a stage is effectively complete and the PCA can move to more traditional transaction-based audit approach the next stage of control testing. 30 | Border Management Modernization 5.3 Internal Control Testing (1) (2) (3) (4) (5) (6) Audit Identifying Control Substantive Dealing with Audit Planning and Testing Testing Audit Issues Reporting Analysing Internal Controls Having identified internal controls in the business • What transactions are relevant? systems and made initial judgments about these and • Where, when, and how often is the process about the confidence as to compliance, the PCA now applied tests the effectiveness of those internal controls. This • Is it designed to be a preventative or detective testing is conducted by following these 4 steps: control? • Who performs the control? 1. Understanding how the relevant internal con- • What is the nature of the errors and non- trols operate; compliance that could occur in the identified 2. Designing the control tests; transactions? 3. Selecting the sample size for the control tests; • What was the initial opinion regarding the ef- 4. Testing documenting and analyzing the control fectiveness of the control? test results. This information may already be available from 5.3.1 How do the internal controls operate? the documentation obtained during the audit planning stage, but as auditors are now in the trad- The PCA is now at the point where the trader’s busi- er’s premises, these types of questions can also be ness systems have been documented, the risks to answered by observation of processes, talking compliance have been identified, and the relevant to staff, or reading through procedure statements internal controls to mitigate those risks have been on site. identified and documented. It is now time to test the internal controls to confirm or modify the auditor’s It is possible that many of the relevant internal con- initial judgments concerning the trader’s controls trols in the business systems will be computerized and level of compliance. controls, in which case the controls will be automat- ed, or be dependent upon computer-generated infor- Having selected a particular business system, the au- mation. Examples of such controls are: ditor should refer to the relevant controls/risk matrix and all associated control description/testing work- • computer processes that perform significant cal- sheet for that system, remembering there will be culations for example: import duty liabilities for one description/testing worksheet for each internal transaction details; control. The control description/testing worksheets • automated controls such as edit checks to en- will have a description of how each control operates sure accuracy when data is input; from the work completed at 5.2.2 above, and the au- • system produced “exception reports” that are ditor must now locate and document the following subsequently to be followed up by staff, e.g. re- information which will be important for the design of ceipts from one tank do not match with deliver- each control test in the next stage of the PCA: ies from source tank; PCA Methodology | 31 • computer produced management information, 5.3.2 Designing the control tests e.g. export sales for duty free purposes; • controls to prevent or detect access to standing Based on the information gathered about each inter- data files by unauthorised staff, such as tariff nal control, the auditor now develops and conducts classification or duty rate updates. the control tests. The nature of each test will depend on what the control is actually supposed to do. The The PCA may require specialist assistance in devel- auditor will examine each control and determine oping appropriate control testing from an IT expert what the control entails, ensuring that the control at this point, and this would have been highlighted is being performed by the appropriate person or by during audit planning. Such specialists are skilled in the appropriate computer program and at the appro- determining whether the company’s computer con- priate time. The primary purpose is simply to gauge trols are operating, and are operating in accordance whether the internal controls being applied by the with the system documentation that was provided by trader in the way that they should be, in other words the company during the information gathering pro- the control is operating in the same manner as set cess. In such cases it will also be necessary to liaise out in the business systems documentation. with the trader’s own information systems auditors and computing staff in order to determine the most Examples of control test design could include the efficient testing approach. following: 1. “Container Unpack Report” (see example from the illustration in 5.2.2 above) In order to ensure this control is working, the auditor could take a sample of customs import declarations and ask to see the relevant container unpack report. The PCA auditor would then look for the 2 signatures—warehouse manager and senior storeworker. Where discrepancies are found in a container unpack, the auditor could also follow up with the warehouse manager to ensure these were properly reported and acted upon. This control could also be further tested by the auditor observing the unpack process to be certain the tasks are performed properly before signatures are applied. 2. “Weekly Stock-take” (see example from the illustration in 5.2.2 above) In order to ensure this control is working, the auditor could take a sample of weekly stock-take sheets and ask to see the relevant summary. The auditor would then look for the 2 signatures and/or 2 stamps—one from the bond manager and the other from the assistant. Where discrepancies are found in a stock-take, the auditor could also check to ensure that appropriate investigations were conducted to find and correct the discrepancy. Again, the control could also be further tested by the auditor observing the weekly stock- take process to be certain the tasks are performed properly before signatures are applied. 32 | Border Management Modernization Internal Control Control Test Design Password security in any IT system relevant to a customs transaction Attempt to sign into a customs IT system Only allowing access to certain functions in an IT systems to certain levels Ask non-agency staff to attempt to sign into an agency function of authorised employee and protecting this with password features ‘Counter-sign’ or ‘approval’ screen needs to be completed by a senior Select a sample of lodged declarations, returns, statements, etc staff member, before transmitting a declaration, return, statement, etc and confirm a senior staff member counter-signs or approves to the agency. before transmission. ID cards have ‘swipe’ function at building access points. ID card readers Ask a staff member to walk through several building access points, at each access point ensure ID card is valid before allowing access and observe ID swiping at each access point, and then ask building security record the movement of the staff member through the access point manager for a print-out of the staff members’ movements from the relevant building access program and ensure it matches the walk through route. Certain areas of the trader are restricted, for example the bonded Ask a staff member from a non-related area to try and access the bonded warehouse, where only permitted staff have swipe card access. warehouse with their ID card. The examples above are ‘manual process’ type con- period of the audit. Using the example again from trols being performed by staff members. In some cas- 5.2.2 above, if the PCA covers the period 1 January es the controls which are relevant to a PCA may be to 31 December of the previous year, and in that that part of an IT system, or be an automated process con- year 1,000 shipping containers are imported and ducted by an IT system. These controls still require 1,000 unpack reports are produced by the trader, testing as part of the PCA and assessments made by then the audit population is 1,000 and those unpack the auditor based on the testing. The following table reports that are to be selected and reviewed from the outlines some common examples of IT based con- 1,000 will represent the audit sample. trols that an auditor may need test. Based on a level of confidence (high, medium, or low) decided at 5.2.3 above by the auditor, the 5.3.3 Sample size for control testing following table provides a guide as to how many transactions will need to be tested to confirm the As previously noted, the extent of testing the trader’s auditor’s opinion. From this table, it is possible to controls will depend on the level of confidence that select just 30 transactions as an audit sample from the auditor reached at 5.2.3 above. The transactions a population of several thousand provided the that will be tested are known as the audit sample and auditor during audit planning and analysis of the form part of the audit population which is the total business systems and control has an initial high level number of transactions that fall within the scope of confidence. High Confidence Light testing The auditor is confident that the control procedure is working and is only looking (30 items) to confirm this. Medium Confidence Medium testing The auditor is reasonably confident that the control procedure is working but is (65 items) not sure. Low Confidence High testing The auditor is not confident that the control procedure is working and is looking (100 items) to get some feel for the extent of non-compliance. In this case the auditor may choose not to proceed with testing of the control at all and assess the control as being unreliable. PCA Methodology | 33 If the initial testing of transactions finds an error then • what was found—e.g. all correct or provide an the auditor may choose to extend the testing to the outline of an irregularity medium or high level and see if any further errors or • a copy of the relevant documentation should be issues arise in this larger sample size. The auditor is retained for any irregularities or errors that are expected to discuss the errors and the proposed ac- noted., e.g. a copy of the report in error, a copy tion with the audit manager who will have regard to of the unsigned or unchecked document, etc. the materiality levels set during the audit planning stage as extended sampling will increase the time Returning to the sample control description/test- needed to conduct the audit. In extreme cases, the ing worksheet discussed in section 5.2.2, the audi- auditor could decide not to place any reliance on the tor can now complete the document by outlining the control and both the risk rating and levels of substan- tests they performed, the sample size and method tive testing in the next stage will increase. of selection, as well as the results. Significantly, the auditor should also make a judgment as to whether After determining the sample size for control testing, the initial level of confidence in the controls has re- the auditor must then decide which samples from mained the same, or whether the level of confidence the total transactions are to be selected for testing. has improved or dropped. Where the auditor is not sure how to select a sample of transactions, there are four main sampling options available. These are outlined in full in Stage 4 of the methodology below, “Conducting the Substantive Tests”, however, in short, the sample selection op- tions include: use of a random system; a systematic approach such as an every 10th transaction or item; a block sample such as all of a particular month’s transactions or items; and/or a haphazard approach which may involve some of each of the previous three approaches. 5.3.4 Testing, documenting and analyzing the results of control tests The auditor now undertakes the tests, selecting the audit sample and conducting the review that com- prises the test. For example: looking for 2 signatures on a form; looking at who has signed onto an IT sys- tem, looking at who has access to controlled areas, looking at approval stamps etc, with details of results entered on the control description/testing work- sheets as the tests are being conducted. The auditor should record the following on each worksheet as it may be required later as audit evidence: • what reports (month/number, etc), what pro- cesses, what actions were reviewed • how many were tested and how was this sample selected • who from the trader’s organization was present 34 | Border Management Modernization Control Description / Testing Worksheet Auditee Audit Manager Control Description: Container Unpack Report System: Container Receipt and 1. Container of imported goods arrives and is met by warehouse supervisor and a Unpack senior storeworker. Documents for the consignment and the import declaration are checked against the container number, and if the correct consignment, the seals are broken and the doors of the container are opened. 2. Warehouse storeworkers unpack the container in the presence of the warehouse supervisor and senior storeworker and goods are verified against both the packing slip and import declaration as the unpacking occurs. 3. On completion, a “Container Unpack Report” document is completed in triplicate with details of the consignment and any variance between what was in the container and what was in the packing slip and import declaration. 4. The warehouse supervisor and senior storeworker both sign the Container Unpack Report and sends one copy of the document to Accounts Payable, another to Inventory Control and one is retained in the warehouse supervisor’s office. Notes: Preliminary assessment: High level of confidence based on low inherent risk and low control risk. Description of control test: 1. Check Container Unpack Report for competed of all boxes and report has been signed by both Warehouse Supervisor and Storeworker. 2. Observe on container arrival to ensure process conducted as per operating procedures. Sampling: „ size: 30 (high level of confidence) rd „ selection method: Systematic (every 33 Container Unpack Report starting at 11/0001) „ period: 1/1/11– 31/12/11 „ population size: 1,000 (Container Unpack Report No 11/00001 – 11/01000) Summary of Test Findings: 30 sample Container Unpack Reports numbered 11/00001, 11/00034, 11/00077........11/00991, reviewed for completeness and both supervisor and storeworker signatures. On Report 11/00041 the storeworker had not dated his signature, but this was considered immaterial and no extension to the sample was needed. The supervisor was shown the oversight and reminded to ensure both signatures are dated. A container arrived during the audit on 2 May 2012, Report 12/000432 applies. The receipt and unpack process was observed and found to follow staff operating procedures. Control Assessment after test: The high level of confidence in the system is retained Prepared by Reviewed by Index E 1A / / / / PCA Methodology | 35 Once the testing has been conducted and working be outlined in more detail in a separate audit issues papers for each control test completed, the auditor worksheet (see Annex 9) and each of these audit is- should form an opinion as to the effectiveness of the sues recorded in an audit issues log (see Annex 10). internal controls, in particular those key controls Errors or irregularities should be raised with the that relate directly to ensuring compliance in the trader at this time, and indeed some may be quickly business systems. The confidence level, in terms of resolved. The auditor keeps track of the resolution of the controls, is again assessed and expressed as ei- these issues through the audit issues log. However, ther high, medium or low, using the same guide that material errors that are disputed by the trader will was used prior to testing. This opinion should be need to be dealt with at a later stage of the PCA. documented in the appropriate control description/ testing worksheet and also in the relevant control/ Once an opinion as to the level of confidence in the risk matrix for the business system in the box titled internal controls has been documented, the auditor ‘Control Assessment After Testing’. can move to the next stage of the process. If any material issues are found during testing, or compromises to controls detected, these should also 5.4 Substantive Testing (1) (2) (3) (4) (5) (6) Audit Identifying Control Substantive Dealing with Audit Planning and Testing Testing Audit Issues Reporting Analysing Internal Controls The PCA now tests the effectiveness of relevant in- 5.4.1 Designing the substantive tests ternal controls by testing the passage of actual data from the business systems through the internal con- Substantive testing includes any verification, inquiry, trols. There are four main steps to substantive testing observation, inspection, confirmation, recalculation which include: or analytical review that tests the accuracy of data that affects the trader’s compliance with agency re- 1. Designing the substantive tests; quirements. This form of testing may be familiar to 2. Selecting the sample size and sampling ap- auditors who have been involved in transaction-based proach for the tests; checking activities such as documentary checks and 3. Conducting and documenting the tests; cargo inspections. Substantive testing often relates 4. Evaluating the results. to comparing information reported on declarations, statements or returns with the relevant commercial Even with the highest level of confidence in the trad- documentation. However one major difference be- er’s controls, a level of substantive testing is required tween traditional audit methods and PCA relates to to confirm this. The transactions that pass through audit sampling which is discussed below. these controls, if correct, provide the auditor with this confirmation. The actual substantive test will relate directly to the business system or business systems being reviewed. For example, if the auditor was reviewing the tariff 36 | Border Management Modernization Examples of Substantive Testing 1. Import Declaration lines. Sample of import declaration lines selected from total import declaration lines and compared with commercial documentation to verify:  tariff classification  duty rate usage  tariff concession usage  valuation  origin 2. Receipts at a petroleum installation. A sample of warehousing declarations selected from total warehousing declarations for petroleum product destined to the installation checked to ensure that each has been correctly:  received into the recording systems at the installation  adjusted to reflect any temperature variations  measured by ensuring that tanks were dipped properly pre and post receipt  received in a timely fashion  followed up in relation to any variances 3. Export declaration lines. A sample of export declarations selected from total export declarations and examined against commercial documentation to verify:  classification;  valuation;  destination  departure dates  permit requirements met  other compliance requirements. master file system of a trader which holds informa- population sufficient to form an opinion about the tion relating to tariff classification, origin and duty trader’s level of compliance. rates for each product imported, then substantive testing would be verifying the classification, origin The extent of testing to be performed, i.e. the number and duty rates for a sample of import declarations. of transactions to be checked for each test, will de- pend on both the auditor’s initial level of confidence when first analysing the control environment, and 5.4.2 Substantive testing sample size and the level of confidence directly after control testing, sampling approach as to whether the trader has the systems and controls that will ensure compliance with the relevant legisla- tive requirements. In some situations substantive testing may involve 100% verification of all transactions, e.g. in the case Based on this approach, the following table provides of small traders, or traders considered to represent an appropriate guide to sample size selection in the a high risk of non-compliance due to poor internal regulatory compliance context:1 controls. However, for large traders this will not be feasible, in which case the auditor should select and 1. Designed statistically to establish a 95% confidence lev- test a number of transactions from the entire audit el that no more than 1.5% of transactions have errors. PCA Methodology | 37 Initial Confidence Level Post Control Test Confidence Substantive Testing Sample Size Not using PCA Not using PCA 200 Low or Medium Low 200 Low Medium 200 Low High 100 Medium Medium 150 Medium High 50 High Low 100 High Medium 50 High High 30 After identifying the total transactions in the audit This sampling technique ensures there is no bias population (e.g. the trader may have 10,000 import or favoritism shown by the auditor, and ensures declaration lines for the audit period), and the size of all transactions have an equal chance of selection in the audit sample based on the table above, the audi- the sample. tor will need to determine how to select the samples from the audit population. Systematic Sampling The method of selection should ensure that the sam- Systematic sampling involves selecting every ‘X’ ple chosen is representative of the total population number of items in a population, where X is the being examined. This means that, to the maximum determined sampling interval. Systematic sampling extent practicable, all items in the population should requires the auditor to: have an equal chance of being selected. Common techniques to achieve this, explained below, include: • determine the population size and sample size • establish a sampling interval by dividing the • random number sampling; sampling size into the population size • systematic sampling; • randomly selecting a start point in the first sam- • block sampling; and pling interval • haphazard sampling. • selecting the sampling items located at the start • Random Number Sampling point and at subsequent sampling intervals from the start point. Random number sampling is based on the use of a random number generator or random number tables. For example, if the sample size is 50, and the audit The first and last transaction number are input to the population is 1,000, then the auditor will select every random number generator program or table, which 20th transaction for testing. then identifies the transactions or items to be tested, e.g. invoice numbers, declaration numbers, packing Block Sampling slip numbers etc Block sampling involves the selection of a number This method relies on the auditor’s ability to estab- of grouped sampling items, for example checking all lish the start and end numbers for the population to transactions for selected dates, or from selected sites. be sampled, and is only effective when the transac- Some auditors may use this approach if wanting to tions or items in the population, i.e. the ‘sampling stratify an audit population, perhaps only wanting to unit’, are either sequentially numbered, or stored in test transactions over a certain value, or from a certain sequential number order. foreign supplier, or from another set of risk criteria. 38 | Border Management Modernization However, care needs to be taken to ensure that suffi- of a single internal control). The substantive testing cient blocks are selected to be able to reach a reason- worksheets should also be cross-referenced to the able audit conclusion for the total period being au- relevant control/risk matrix in relation to the particu- dited. Selecting one or two small blocks over a large lar business system which will be tested, and the rel- period with bias towards a certain target sample will evant control description/testing worksheets which not achieve this, and other issues could be missed. relate to the controls in that business system, thus Examples of block sampling include: maintaining the organization of the audit working papers. • a number of days/weeks in the audit period • all lines over a certain value As a minimum, documentation of the substantive • all duty free deliveries test should include: • all exports • any combination of the above points. • objective of the test • description of the testing procedures Adjustments could be made to the block during the • level and extent of testing test process to avoid major over- or under-sampling. • basis for sample selection and sample sizes (and stratification definitions if relevant) • the total sampling population. Haphazard Sampling The sample of transactions is now selected from Haphazard sampling is defined as sampling trans- the total population using one of the sampling tech- actions or items which have been selected without niques listed above, and the substantive tests as de- any conscious bias. The items should be selected in signed are performed by the auditor. a manner that can be expected to be representative of the population. However, it does not require any If the sample size has been determined using the form of systematic selection. above table and no errors are detected, the auditor is able to reach a conclusion with a high level of confi- Haphazard sampling is probably best explained by dence that there is a very small chance that an error saying it is a combination of one or more of the three in the total population has not been detected. approaches listed above. However, care must be taken to avoid distorting the sample by selecting, for However, if errors, omissions or other forms of inac- example, only unusual or physically small items or curacy are found, these should be documented in the omitting items such as the first or last items. Further, substantive testing worksheet, and an audit issues this technique must not be used as a way of avoiding worksheet raised for each type of error. As with con- difficult items. trol testing, most errors or irregularities should be raised with the trader at this time, which may result While it is acceptable to use any one or any com- in a speedy resolution of the issues. bination of the above techniques, it is important to ensure that the sample is representative of the In the following substantive testing worksheet the au- total population. ditor has conducted a substantive test in the trader’s tariff master file business system which manages the tariff classification, description, value, origin, and 5.4.3 Conducting and documenting the duty rate for all of its imported products, by testing substantive tests a sample of import declaration lines against relevant commercial import documentation. The auditor should now complete a substantive test- In this example the auditor has found a number of ing worksheet (See Annex 8) for each test process (it errors. Initially all errors must be regarded to be is possible that two or three different substantive tests of equal significance, since relatively small errors may have been conducted to review the effectiveness (e.g. small duty loss) may in some cases represent PCA Methodology | 39 Substantive Testing Worksheet Page 1/7 Auditee Audit Manager System: Tariff Master File Transaction: Tariff classification and duty rates Test Description: Import declaration lines reviewed against commercial documentation for accuracy in terms of: Tariff Classification; Value per Unit; Origin; and Use of Tariff Concession. Sample Size: 100 (high initial level of confidence, low level of confidence after control tests) Selection Method: Systematic (every 30th import declaration line) Period: 1/1/11-31/12/11 Population Size: 3,000 lines from 500 import declarations Transaction Details Test Results 11000078A Line 3 Nil error 11000765F Line 6 Nil error 11000612K Line 1 Nil error 11000612K Line 16 Nil error 11000754A Line 2 Nil error 11000865M Line 4 Nil error 11000921N Line 7 Spelling error “goods description” 11000954G Line 3 Incorrect duty rate applied 11001002Y Line 2 Nil error 11001002Y Line 16 Nil error 11001234H Line 4 Nil error 11001245K Line 5 Nil error 11001356P Line 3 Nil error 11001378K Line 8 Nil error 11001456J Line 2 Nil error 11001789H Line 4 Nil error Prepared by Reviewed by Index / / / / G 2B1 40 | Border Management Modernization a risk if the same error was to occur in relation to a Where the auditor believes that there are no mate- larger transaction. For example, where a tariff classi- rial errors and has completed the substantive testing fication is incorrect on a low value line on an import worksheets to this effect, then provided the audit declaration, the duty loss may be immaterial in terms manager signs off, it should be possible to form of the audit plan. However, if that same error occur- an opinion that the trader is likely to be compliant. red on a high value line the duty loss would in fact However, where errors have been detected during be material. substantive testing, the auditor must make certain judgments about the nature of these errors, often Consequently small errors found during testing are in consultation with the audit manager. In this pro- documented and a judgment on whether to increase cess, the following types of questions need to be the sample size needs to be made after reaching the addressed: end of the sample. In this regard, the auditor needs to consider whether the small error was an isolated in- • Are the errors material as set out in the audit cidence (e.g. a staff member was away from work on plan, e.g. leading to material under and over leave, or there was an IT glitch). If so, there should be statements of duty, or are they immaterial and no other like errors found. If the auditor has started likely to have no impact on compliance? with a high level of confidence and the sample size • Are the errors consistent, i.e. is there a pattern was fairly small, then there may be a need for further of the same error occurring continuously? This testing in order to confirm that the small error was a is likely to indicate a breakdown in one of the one-off. systems or controls (for which the audit can rec- ommend remedial action) and that a systemic By increasing the actual sample size the auditor will error has occurred. be able to see if more of the same errors are occur- • Are the errors of a more serious nature in terms ring, and possibly one of these errors may appear on of frequency and size, indicating perhaps a a high value line and change the auditor’s confidence large-scale failure of management and of the levels. The increase in sample size could be targeted, trader’s controls (for which the company will for example through the use of ‘block sampling’ to be required to take immediate corrective action cover a particular period of time or perhaps all high and may be the subject of sanctions)? Such value/high duty goods. errors could be an indication of carelessness, recklessness, or non-regard for compliance, and A decision to increase sample sizes depends on the can actually facilitate internal or external fraud circumstances of the error or errors and whether if not immediately rectified. the explanations by the trader are acceptable. Such decisions should be discussed with and approved by Consider, for example, the word ‘spoons’ being in- the audit manager as this may increase the workload correctly spelt ‘spools’ in the Goods Description field on the PCA considerably, particularly in the case of on an import declaration. Would the trader be consi- large traders. dered a high-risk of non-compliance? Such an error may or may not lead to a loss of revenue depending on the particular country of import. However, even if 5.4.4 Evaluation of substantive test results it did not lead to revenue non-compliance, it indica- tes a lack of quality assurance (QA) around the input Having completed substantive testing in each of the of data into the trader’s tariff master file or similar business systems subject to PCA, the auditor needs system. If the QA process of inputting data to a tariff to consider what errors were found, how many were master file is not picking up spelling errors, is it also found, were they material, and more importantly missing incorrect input of other data? These are all what do they mean? Each error is now recorded in issues that the auditor must consider. its own audit issues worksheet in the same manner as when errors were detected during control testing. The auditor’s views about the nature of errors— one-off, immaterial, material, systemic, etc.—must be capable of being supported, and it is therefore PCA Methodology | 41 necessary for the auditor to keep copies of the rele- At the end of the substantive testing stage, the au- vant documents that were checked which relate to ditor must be satisfied that sufficient evidence has the error. This will form part of the audit evidence been collected to form and confirm their opinions on and be kept with the substantive testing worksheets compliance. In this regard, consider how the auditor in the audit working papers. has worked through the two different errors found during the substantive testing above on the relevant Where it is determined that errors are not of an iso- audit issues worksheets, noting their contact with lated nature, a decision must be made as to whether the trader for an explanation, the possible expansion the sample size will need to be made larger (perhaps of the sample size and the formulation of recommen- even to 100% of the audit population in some situ- dations to remove these errors in the future: ations) not simply to confirm an opinion on com- pliance, but to identify the impact of the error, such as calculation of the amount of revenue loss for reco- very from the trader. 42 | Border Management Modernization Audit Issues Worksheet Auditee Audit Manager Issue Description: Substantive testing in Master Tariff File system. Logged 2/5/12 One line in sample had goods description as Issued 2/5/12 “plastic spools” and not “plastic spoons” as per Response 3/5/12 tariff classification. Follow-up n/a Indicates possible lack of QA in terms of inputting Closed 4/5/12 product information to Tariff Master File. Company Response: QA conducted on product data input to Master File, but not on immaterial fields like ‘goods description’. Operating procedures will be amended to include goods description in QA process. Follow-up: N/a Closed: Finance manager has shown the PCA team an updated QA procedure which includes a review of goods description field. Prepared by Reviewed by Index / / / / G 2B1A PCA Methodology | 43 Audit Issues Worksheet Auditee Audit Manager Issue Description: Substantive testing in Master Tariff File system. Logged 2/5/12 One line in sample had the incorrect duty rate for Issued 2/5/12 the tariff classification. Response 3/5/12 Indicates recent duty rate increase not input to Follow-up 4/5/12 Tariff Master File. Closed 5/5/12 Company Response: Updated the duty rate increase in Tariff Master File after the official start date of the new rate. Follow-up: Sample size expanded to 200. No further errors detected. Closed: Staff member responsible for updating Tariff Master File was on sick leave and information on the new duty rate was not input until the staff member returned. The error is considered material and will form part of the Audit Report and new procedures recommended for timely input of all duty rate changes. Prepared by Reviewed by Index / / / / G 2B1B 44 | Border Management Modernization Suspected Fraud Auditors should remember, however, that they may become prosecution witnesses, and their audit work- If it is the opinion of the PCA auditor that the non- ing papers would be used as evidence in any pros- compliance detected may be due to fraudulent activ- ecution case. Therefore, all audit papers should be ity on the part of the trade or individuals within the properly completed, filed, and stored securely. company, then this should be reported to the audit manager immediately. Internal fraud will be treated differently, and will in- volve working with the company to address the rel- Suspected fraud against the border administration evant internal controls to ensure future protection of should be handed over to the relevant investigation revenue and future compliance, as well as recovery authority either within or external to the agency. of any lost revenues. The matter will then become an Fraud is a crime, and its investigation and prosecution issue for the individual, the trader and local police. involves skills very different to those of the auditor. 5.5 Dealing with Audit Issues (1) (2) (3) (4) (5) (6) Audit Identifying Control Substantive Dealing with Audit Planning and Testing Testing Audit Issues Reporting Analysing Internal Controls Many issues that arise during the audit can and testing, or from audit procedures generally, will have should be discussed informally at the time they are been identified and documented on an audit issues found. Less significant errors and issues, non-mate- worksheet (Annex 9). rial issues and simple misunderstandings can often be dealt with at the time they are discovered and do The audit issues should be discussed with the trader not necessarily need to carry through to the current openly in the context of working collaboratively to stage of the audit. improve compliance. All such issues should be listed on an audit issues log (Annex 10) which will be used This stage of PCA seeks to resolve any issues identi- as the basis for raising the various issues with the fied during testing which could not be properly dealt trader and recording their response. with or agreed to at the time of testing, or issues that were discussed and were material and therefore need The purpose of this stage of the audit is to ensure that to form part of the Audit Report and its recommenda- traders are not surprised or ‘ambushed’ at the end tions. This stage includes three main steps: of the audit with a range of issues involving possible non-compliance that may result in recommended re- • Analysis of outstanding audit issues; mediation of systems and controls, or even sanction- • Response by the trader to audit issues; and ing. Consequently PCA auditors should be looking to • Initiating any immediate follow-up actions. work closely with the trader to resolve the various issues, and this may require a number of meetings, reviews of the audit evidence, and discussions. 5.5.1 Analysis of outstanding audit issues Sharing all audit issues with the trader at this point At this point in the audit control and substantive test- in the PCA also ensures that the auditor has properly ing should be completed, and issues arising from that understood the business systems under review, the PCA Methodology | 45 operation of the relevant internal controls and the • disagreement, claiming that the errors or issues transactions under review. have been incorrectly identified (and in fact do not represent errors or issues) in which case the auditor and audit manager should review any 5.5.2 Response by the trader to audit issues supporting evidence from the trader and deter- mine if the trader is correct. Before providing a response to some of the issues raised, the trader may wish to undertake its own in- These trader’s responses should be documented on ternal checks to determine precisely how the errors the appropriate audit issues worksheet, and they will or issues arose. The auditor should therefore allow a form part of the final audit report (and importantly short period of time (usually no more than a week) its recommendations). Where the trader continues to for the trader to respond to any formal audit issues. disagree with a finding after discussions with the au- Responses can be expected to take the form of one of ditor, the auditor’s opinion will stand and be includ- the following: ed in the final audit report, but the trader’s position will also be documented and included in the report. • acceptance of the issue and immediate resolu- tion (that is resolution prior to audit comple- tion), details of which can be incorporated in 5.5.3 Initiating any immediate the final audit report; follow-up actions • acceptance and an undertaking to implement any remedial action that will be recommended in the final audit report. The trader will imple- Where specific errors and audit issues are not re- ment the recommendation following comple- solved during the PCA, there may be a need for im- tion of the PCA and the auditor will also need to mediate regulatory action such as recovery of duty consider whether the agency should return after short-paid, recovery of over-paid refunds, or suspen- a period to ensure the recommendations have sion of a licence or permit. Any such actions that are been properly implemented; recommended by the auditor should be documented • acceptance but disagreement that issue is mate- in the PCA working papers for subsequent referral rial, arguing that the error or issue should not to the appropriate areas of the administration for ac- have any impact on the opinion as to compli- tion. Such recommendations will also appear in the ance in which case the auditor and audit manag- final audit report. er should review any supporting evidence from the trader and determine if the trader is correct; 5.6 Audit Reporting (1) (2) (3) (4) (5) (6) Audit Identifying Control Substantive Dealing with Audit Planning and Testing Testing Audit Issues Reporting Analysing Internal Controls The findings of the PCA and importantly its recom- 1. Preparing the audit report; and mendations on improving compliance are now for- 2. The exit interview. merly communicated with the trader at management level. This stage includes: 46 | Border Management Modernization 5.6.1 Preparing the audit report • comments from the trader on the PCA findings and recommendations, including agreements, The audit report represents the formal communica- disagreements and where applicable, comment tion from the audit team to the trader. It contains the on how and when recommendations will be findings of the audit, including the auditor’s opinion implemented; as to the level of compliance based on the results of • an opinion as to the overall level of compliance the audit procedures, and it makes certain recom- of the trader in terms of the audit objectives and mendations as to how the trader can improve com- scope; and pliance in the future. • any qualifications or caveats to this opinion such as the need to await further information The audit report should be seen by both the agency from the trader, or perhaps certain aspects of and the trader as an opportunity for adding value to systems that were unable to be tested. the trader’s business. Discussion and recommenda- tions about compliance should address the most ef- The draft audit report is then handed to the trader for ficient means of complying and where possible, en- review and submission of a formal written response able the company to reduce its cost of compliance. in relation to opinions, issues and recommendations. The auditor should again work with the trader to re- Significantly, the audit report will be one of the key solve any disputes in the findings so that the final starting points in any subsequent PCA activity, and report, when issued, is acceptable to all parties. Of should be used by the company’s own internal or ex- course, where an issue cannot be resolved, the audi- ternal auditors to inform their own reviews. tor’s findings prevail and will appear in the final ver- sion of the report. In the context of working collaboratively to improve compliance, the audit report is issued in draft form The trader’s responses will be added to the draft re- in the first instance. The trader is then given the op- port, together with any further amendments by the portunity to comment, in particular, in relation to the auditor arising from consultations about the draft re- audit opinion, audit issues and recommendations. port. The report is now issued as a final audit report, The trader should not be confronted at this late stage ready for distribution to the trader and to relevant ar- of the audit with any issues that are being raised for eas of the agency, including PCA management, risk the first time. assessors and profiling and targeting areas. • The following details must appear in the draft report: 5.6.2 The exit interview • Title of the audit report (clearly showing ‘draft’); • Name of the trader subject to PCA; Following completion of the final audit report, the • Audit scope and objectives; auditors will arrange for an exit interview with the • Name of the audit manager who is approving audit manager and the management and other rep- the PCA; and resentatives of the trader—usually the same people • Date of the report. involved with the entrance interview. The content of the report should include: The main purpose of the exit interview is to: • the main PCA findings and recommendations in • present the audit report to management; summary form, such as a summary of the type • reach formal agreement with management as to and nature of errors found and the main busi- the main PCA findings; ness systems to which these errors relate; • obtain management commitment to implement • audit issues for resolution by the trader, and the or act on recommendations, together with rel- need or otherwise for the agency to follow these evant timeframes; and up; • continue a co-operative relationship between agency and the trader. PCA Methodology | 47 Minutes or notes should be taken at the exit interview, These notes should then be filed with the audit work- particularly details of commitments to recommenda- ing papers. These notes will help to inform future tions and relevant timetables for implementation. PCA planning activities (see section 8). 6 Audit Working Papers Annexes 4 to 10 contain a set of working papers rel- description/testing form, linked back to the business evant to any audit that utilizes the generic PCA meth- system in which it operates. The control description/ odology discussed in this Guide. testing form here should be read with section 5.2.2 of the Methodology. Working Paper Index Page (Annex 4) Control/Risk Matrix (Annex 7) This index should remain on top of the audit working paper file. A reference letter (i.e. A, B, C, etc) should The control/risk matrix is central to PCA with its fo- be used for each section of the working papers. cus on the business systems of the trader. A sepa- rate matrix should be used for each business system More detailed indexing may be added as each stage subject to PCA. The control/risk matrix example here of the PCA is completed. should be read with section 5.2.2 of the Methodology. General Working Paper (Annex 5) Substantive Testing Worksheet (Annex 8) The general working paper is virtually blank note pa- This worksheet is intended to be used for recording per, which can be used for general note taking or in the details of transactions to be tested, as well as the situations where none of the specific worksheets are nature of tests, and the results of the testing. suitable (e.g. where an auditor is taking notes while reading from a company document or interviewing Sufficient details should be recorded to enable a re- a staff member). Annex 5 also contains an example viewer to see what item was actually tested, and the of how the general working paper can be completed results against each item in the test. The worksheet with notes that could be taken at an entrance inter- should be read with section 5.4.4 of the Methodology. view (see section 5.1 of the Methodology). Audit Issues Worksheet (Annex 9) Control Description/Testing Worksheet (Annex 6) The Issues worksheet should be used when signifi- cant issues arise during an audit. In some situations these can be resolved readily with the trader and ad- This worksheet is commonly used to describe in dressed at the time of discovery. This detail is noted more detail the internal controls which have been on the worksheet. Other significant issues not readily identified in a business system, as well as details addressed at the time, will form part of the overall of both the relevant tests to be conducted on those assessment of the trader and feed into recommen- controls and the results of those tests. Each business dations to improve compliance. The examples here system could have more than one internal control should be read with the example in Annex 8 above, and each internal control should have its own control and with 5.4.4 of the Methodology. 50 | Border Management Modernization Audit Issues Log (Annex 10) audit issues log will also record the trader’s respons- es to the issue, and dates. From here the auditor can The issues log is used to manage those audit issues look at whether those issues will impact on the final documented on audit issues worksheets (Annex 9) assessment of compliance, what recommendations including the communication of these issues with to make and what needs to form part of the final au- the trader. The audit issue log allocates a reference dit report. The audit issues log is central to dealing number to each issue then includes a summary and with audit issues (section 5.5 of the Methodology.) notes the date of communication. Importantly, the 7 Quality assurance, filing and using audit results Ensuring quality and integrity of • delivering the finalized audit report to the trader the PCA at the completion of the PCA process. The PCA methodology outlined in this Guide regu- Critical to the integrity of the PCA is the prepara- larly refers to the role of an audit manager. This is tion and accurate completion of working papers at a key position, requiring someone with considerable each stage of the audit. These must be completed in experience in reviewing business systems in the con- a logical order, matching the processes that are being text of risk to compliance and the skills and ability to reviewed, with a clear reference to the relevant busi- ensure that the members of the PCA team are making ness system. To facilitate this, the various working judgments and recommendations based on appropri- papers should be cross-referenced with other work- ate testing and sound audit evidence. Responsibilities ing papers relating to the business system under of the audit manager include: review. Each document should also identify which member of the PCA team has prepared and reviewed • ensuring the audit is conducted to the stan- the worksheet. dards set by the administration, including those which apply to the qualification of audit team Working papers, once completed, should be filed members, the planning, testing, and the opin- together with other working papers from the same ions and recommendations to be expressed in business systems and then filed against an index the audit report; which enables future users to readily identify any • reviewing and approving the work of auditors part of the audit. A sample of a working paper index at each stage of the PCA before progressing to which follows the above methodology can be found the next; at Annex 4. • ensuring that the audit working papers contain- ing the audit evidence are properly completed, reviewed, signed and filed, and eventually Safe care of audit working papers stored securely for future use; • taking responsibility for delivering the audit Once the PCA has been completed, and working pa- on time and within budget using appropriate pers appropriately filed, audit evidence and reports resources, including external specialists when should generally be accorded an ‘audit-in-confi- required; dence’ status, and be kept under lock and key, with • dealing with any issues arising with the trader restricted access. Where one or more documents of during PCA, particularly those which are sensi- a higher security classification such as commercially tive, or where there may be disagreement be- sensitive materials or details of IT system access, etc, tween the auditor and the trader in areas such are included in the working papers or audit report, as materiality of errors, opinions on compliance then the audit file and associated working papers will and recommendations; require a higher security classification, and may re- • establishing formal contact with the trader, in- quire a more secure storage and retrieval system. cluding chairing the entrance interview and exit interview; and It should be noted that such PCA working papers are likely to be used again as the starting point should 52 | Border Management Modernization the trader be selected for PCA subsequently, includ- try groupings (and sub-groupings if desirable). ing follow-up activities on certain recommenda- For example, the automobile industry grouping tions requiring action from the trader. As previously could be broken down further into sub-groups noted, PCA working papers may also be required by of importers of finished vehicles; manufactur- investigators should the trader come under suspi- ers using imported components; importers of cion at a future point and may become evidence in components; free zone manufacturers; vehicle possible investigation and prosecution proceedings. distributors, etc. Consequently audit working papers need to be read- • Stratification of companies by size, or volume of ily accessible to future users, who must have confi- trade e.g. large businesses, medium businesses dence that all materials are present, i.e. that none are and small businesses missing or stored elsewhere. • Identification of risk areas. For example, im- porter risks may include valuation, tariff clas- It should also be noted that, in the case of civil or sification, origin, suspension regimes, import criminal prosecutions, the ability to demonstrate that permits and licenses; while manufacturer risks PCA working papers have been properly and safely may include classification, valuation, quanti- filed adds to their weight as reliable evidence. ties, undeclared production, permits, licenses, losses, etc. • Nature and value of detected errors, with a ca- Use of PCA working papers pacity to give a narrative on the errors detected and to quantify the extent of those errors in suf- At the end of the PCA process it is important to feed ficient detail to allow for later analysis. the results of the audit into the agency’s broader compliance management process. This assists plan- In essence, PCA results need to be captured in a for- ning by updating a trader’s risk assessment and iden- mat consistent with the risk management needs of tifying trader or sector specific compliance issues the administration so that trends and other patterns that the PCA has identified. Compliance analysts will in errors may become apparent or begin to emerge, be examining errors and other issues that have been allowing for better targeting in future compliance- identified across a range of audits, and it is there- planning processes. Whilst an audit report will high- fore essential to provide a high degree consistency light an area of risk, the actual working papers can in the way in which audit results are communicated. provide an excellent insight in to how traders make Adoption of the following general principles when the errors and how they can be detected, and this creating audit reports and databases will enhance point emphasizes the importance of keeping good their usefulness: working papers which are properly linked to the rel- evant business systems in the audit file, and are eas- • Industry segregation of information should be ily accessed from the agency’s database. provided, to enable monitoring of issues within and across industry sectors. This will require Following is a possible template for collating PCA re- assigning all companies to a particular indus- sults from the audit working papers and reports: Quality assurance, filing and using audit results | 53 Table 7.1: Database of Results PCA Plan 2012/13 Trader Date Reason for Industry Sector/ Material Follow up Audit Name complete PCA selection sub sector Error types PCA needed Filing ref# XYZ Co 03/07/12 Random selection Agriculture / Nil No 319b/12 of small trader Chemicals ABC Ltd 14/07/12 Large importer not Auto / Parts supply - tariff master file No, resolved 432a/12 audited for 5 years contained some out dated duty rates No, resolved - new products not checked for accuracy before loaded into tariff master file DEF Pty Ltd 30/7/12 Large usage of duty Computer hardware - Use of single Yes, recommend 542c/12 free end use by-law use “education trader engage institution” licensed broker to certificate for compile and lodge multiple imports declarations GHI Partners 2/8/12 Duty drawback claims Fuel / blending & - Multiple Customer Yes, trader agreed to 558/112 value for exported distribution Sales Invoices implement ‘approval’ fuels doubled from incorrectly coded as process prior to previous year “duty paid exports issuing Customer to foreign vessels” Sales Invoices, when status of fuel new process was under-bond requires review. Note that, in addition to material errors, the database should be reviewed for emerging issues, trends to- should also contain details of required follow-up ac- wards or away from compliance, and commonly oc- tion such as the need for a follow-up audit resulting curring errors, all of which will inform the next na- from adverse findings in a PCA which require the tional PCA planning and development process. trader to take immediate remedial action to business systems and controls. For example, a change in eligibility criteria for use of a particular duty concession may have generated Finally, the database should contain adequate ref- a large number of under-statements of duty liability erencing to enable location of PCA working papers from traders who have been using the concessional and files. arrangements for several years. The administration’s risk response, which is incorporated into its current national PCA plan, may have been to target large us- Developing a National PCA Plan from ers of the duty concession, and also to increase educa- PCA Results tion and awareness of the criteria changes. However, if having reached the end of its current national PCA As noted above, PCA results should be fed into the plan, material errors are still being discovered, then agency’s broader compliance management process, the agency should identify this as a high risk in its and the best way to achieve this is in the formulation next national PCA plan and perhaps consider addi- or modification of the agency’s national PCA plan. tional risk responses. In particular, the major findings from PCA activity 54 | Border Management Modernization Alternatively, towards the end of a national PCA plan, • Types of trader making material errors. For ex- risks identified at the outset of the plan may not be ample mid-sized importers, large exporters, or as apparent, and indeed higher levels of compliance traders not visited for 5 years, etc; and are observed during PCA activity. Using the duty • An industry sector or industry sub-sector that is concession example, such findings are likely to in- making an increased number of errors, or mak- dicate that the trading community has appropriately ing common material errors. responded to the change in criteria as a result of the national PCA strategy. Therefore, the risk may now In summary, the following details of the completed be reduced to an acceptable level and will not be spe- PCA should be capable of being taken directly from cifically targeted in the next iteration of the national the PCA results database and fed into the next itera- PCA plan. Rather, that particular issue will form part tion of the national PCA plan: of the general risk analysis when reviewing a trader’s business systems in the context of PCA. • High risk in current PCA plan confirmed— yes or no; Emerging risks, which can be fed directly into the • Success of responses to identified high risks; planning process of the next PCA plan, may include • Emerging areas of risk; the type and nature of material errors, and from • Ongoing areas of risk; and which types of traders and in which types of indus- • Required follow up activities. tries they are occurring. For example: This information then adds to the new information on • Types of material errors being detected. For ex- risk emanating from other areas of the administration ample non-compliant origin certificates, certain such as intelligence, cargo examinations; industry cost elements being excluded from valuation, complaints, hot-lines; and legislative or administra- unauthorized access to IT systems that generate tive changes, in the preparation of the next PCA plan. agency transactions, or unauthorized personnel accessing the bond-store; 8 Enablers and Impediments In this section we examine a number of regulatory, or- acceptable. Indeed, a balanced mix of qualifications, ganizational and administrative issues that may have skills and knowledge within PCA units is seen to be an impact on an administration’s ability to implement highly desirable. Consequently, existing staff with a PCA regime, including the skill and qualification re- the ability and willingness to improve their skills quirements of staff involved in PCA activities. and qualifications should be given the opportunity to do so. Equally, a program of entry level recruitment of graduates may be pursued to ensure a balanced Qualification and Skill Requirements mix of skills, qualifications and knowledge within PCA teams. Those involved in PCA activities must be appropri- ately skilled and experienced to do so, and for those The main features of an education program should administrations that have not yet introduced PCA, it include: is unlikely that existing audit staff will possess the skills required of a PCA auditor, particularly where • a procedural curriculum to provide base current audit work is focused on transaction based level skills and relevant agency and industry checking. PCA auditors require higher level skills due knowledge to the broader range of functions and increased com- • modules relating to higher level audit skills such plexity of the audit activity, where the emphasis is as sampling, research and accounting which can on assessing the overall integrity of traders’ systems. be obtained through in-house or external courses • elements such as team development, client ser- Indeed, PCA auditors should not only possess high vice, management development, applying the level audit skills, but must also have relevant bor- law and negotiation skills, and der agency knowledge coupled with a knowledge of • a capacity for accreditation towards tertiary traders’ operations, which includes an understand- courses by educational institutions. ing of Government policy and environmental, com- mercial and international issues relevant to a given Each level of the program should include specific industry sector. agency and industry elements, as well as elements addressing such skills as research, analysis, evalua- There is therefore a need to consider whether it is tion, planning, sampling, report writing, audit, ac- preferable to provide agency and industry knowledge counting, negotiation skills, client service, etc. to a person with relevant audit qualifications through an appropriate training program, or to supplement an The general trend in all fields of education is towards employee’s acquired knowledge with formal training ensuring that courses can be accredited towards ter- in auditing. Put simply, it is a question of whether the tiary qualifications. This provides staff with a greater agency should hire qualified auditors and educate incentive to participate in educational programs, and them in agency/industry matters, or seek to educate accreditation received through the various agency existing staff in auditing matters. programs may encourage staff to continue tertiary studies. Accreditation will also give individuals and It is generally considered that, given the range of the administration more credibility when dealing available education programs, either situation is with the trading community. 56 | Border Management Modernization Composition of PCA Teams Outside expertise may also be drawn from outside the agency, in which case the audit manager is re- PCA teams are by their nature multi-functional, and quired to establish the credentials of any experts who the structure of teams should therefore reflect the will be attached to the PCA team. This can generally various levels of knowledge and experience required be verified through professional peak bodies that ac- to carry out PCA activities. Not all team members will credit and certify experts in the field. Examples of need to possess the same level of skill, experience expertise that is unlikely to be sourced from within or qualifications. It is therefore important to stratify the agency include specialists in areas such as jew- the levels of competencies, skills and qualifications elry valuation, antique certification, chemical classi- to realistically reflect the composition and classifica- fication, and experts in particular IT systems that are tion levels of multi-functional teams and the range of central to a trader’s operation. skill and knowledge requirements within that team. The process of stratification should also reflect the The composition of PCA teams will vary depending appropriate balance between agency and industry on the size and complexity of the trader to be audit- knowledge, audit techniques and other skills/quali- ed, and some team members may be working across fications required. more than one audit, especially if they have a high level of expertise in particular areas such as IT sys- The key team member is of course the audit man- tems, origin or valuation. In such cases the relevant ager, who is responsible for assembling an effective audit managers need to coordinate their Audit Plans PCA team from the available resources, looking each to ensure an efficient use of such specialists. time to build a balance of audit experience, industry knowledge, technical skills and the opportunity to Audit managers themselves may also be required to develop junior or new staff in the PCA area. manage more than one PCA concurrently. There is however a need for each PCA team to have a single The audit manager must also identify potential gaps audit manager with overall responsibility for the con- in relation to specialist knowledge, skills and/or duct of the audit. competencies that may be required during the course of a particular PCA, taking into consideration the Finally, while the number of auditors in a PCA team nature of the trader’s activities and the types of the will vary according to the nature of the particular au- risks that are likely to be faced. If the necessary skills dit, it is important to ensure that at least two auditors cannot be sourced from within the audit group, are present during field testing or meetings with the it may be necessary to fill these gaps using exper- trader to both corroborate issues and peer review de- tise drawn from other areas or in some cases from cisions when appropriate. outside the agency. Other reasons for using exter- nal expertise include the need for a high degree of confidence in audit opinions relating to a politically Legislative Requirements sensitive trader or a trader who runs a particularly complex operation. Legislative provisions relating to audit activities vary from country to country. However, most if not all bor- The audit standards referred to in section 3 above not der administration laws include a basic requirement only permit the use of outside expertise, but require it for traders to keep documents relating to imports or where it is necessary to ensure the deployment of an exports for a statutory period of time, and generally appropriately qualified PCA team. Externally sourced such provisions allow these documents to be kept expertise may be required in situations where legisla- in electronic form. Similarly, most border adminis- tive complexities are involved, e.g. an expert in tariff tration laws provide for officers (in some cases lim- classification may be seconded to the PCA team from ited to authorized officers) to enter a trader’s prem- another area to assist during the substantive testing ises without a warrant for the purposes of inspecting stage where particularly complex classifications re- those records, be they in paper or electronic form. quire confirmation. It is imperative that PCA teams fully understand the Enablers and Impediments | 57 extent of those provisions and act at all times within produce or process the commercial documentation the limits of the relevant legislation. and compile the trader’s import or export declara- tions. This requires the auditor to review a broader These basic laws are generally adequate for the tra- range of commercial documentation such as proce- ditional transaction-based audit approach where the dure statements, user manuals for IT systems, policy auditor will take a number of the trader’s import or and training documents, agreements with brokers export declarations and review these against com- and freight forwarders, and other internal documen- mercial documents such as invoices, bills of lading, tation which may have implications for compliance. purchase orders, packing slips, bank transfers, etc. Consequently, if an administration is seeking to in- PCA goes further than this and is focused on the troduce a PCA regime, it will be necessary to amend various business systems and internal controls that the law to provide the necessary legislative support. 9 Getting started In this section we examine specific techniques that exercise is to identify those aspects of PCA that are al- will help to facilitate the implementation of PCA. In ready being applied by the administration and those particular, we consider ways of assessing an adminis- which need to be addressed. This is referred to as a tration’s current audit approach, its existing capabili- situation analysis. ties and reform priorities. The next step is to determine what the future PCA At the outset, it will be necessary to draw a compari- regime should look like and to identify the steps that son between the way in which the administration are necessary to achieve the desired end-state. This is currently operates and the principles and procedures referred to as a gap analysis. that are discussed in this Guide. The purpose of the Figure 9.1 Situation and gap analysis Existing Audit Regime t 0SHBOJ[BUJPO Situation Analysis: t 2VBMJöDBUJPOT4LJMMT Principles and Practices t 1PMJDJFT1SPDFEVSFT )PXEPXFDPNQBSF in this Guidebook t -FHJTMBUJPO 8IBUFMFNFOUTPGUIJT(VJEFCPPL EPXFXJTIUPBEPQU Gap Analysis: )PXEPXFDIBOHF Proposed Audit Regime t 0SHBOJ[BUJPO t 2VBMJöDBUJPOT4LJMMT t 1PMJDJFT1SPDFEVSFT t -FHJTMBUJPO 60 | Border Management Modernization Situation Analysis • Would the current organizational arrangements be capable of supporting a PCA regime in terms The administration’s current approach to audit may of organizational policies, lines of reporting, well be limited to transaction-based checks, in which structural arrangements, classification levels, case some elements of PCA may already be present, etc? but not all. For example, the existing legislative pro- • Do existing employees possess the necessary visions may enable auditors to examine documents skills, qualifications and competencies to un- and cargo relating to import, export and warehous- dertake PCA? ing declarations, but may not permit broader based • Does the organizational culture support the reviews of a trader’s systems and procedures. concept of PCA? • To what extent do the existing audit policies and Similarly, some audit staff may be skilled in under- procedures accommodate a PCA approach? taking audits where the focus is on substantive test- • To what extent do the existing legislative pow- ing of import declarations, in which the details of a ers support the introduction of PCA? trader’s declarations are checked against invoices, purchase orders, packing lists and other commercial It is then a matter of identifying the gaps and deter- documents in order to verify their accuracy. mining what needs to be done in order to effectively change from the administration’s current audit ap- In such situations it will become readily appar- proach to the PCA approach outlined in this Guide. ent that the existing audit environment in which This then sets the starting point for what will be a the administration operates is quite different to the significant change management project involving the requirements of PCA in terms of organizational development and implementation of new policies, structure, staff qualifications and skills, operational practices and procedures; and the development and policies and procedures, and the underlying leg- implementation of a transition plan. islative base. There is also likely to be a different cultural approach to the audit function, i.e. an ad- versarial approach rather than the collaborative com- References pliance improvement approach that is required in the PCA environment. International Auditing and Assurance Standards Board (IAASB) 2010, Handbook of International Quality The first stage in a move towards implementing PCA Control, Auditing, Review, Other Assurance, and is to identify those aspects of the administration Related Services Pronouncements, IAASB, New York. which differ from the principles and practices out- lined in this guide, as well as those areas where the McLinden, Gerard; Fanta, Enrique; Widdowson, existing organizational situation aligns with those David and Doyle, Tom. 2010. Border Management principles and practices. Modernization, The World Bank, Washington, DC. World Customs Organization (WCO) 1999, Gap Analysis International Convention on the Simplification and Harmonization of of Customs Procedures (as amend- The next step is to identify how the administration ed) ‘Revised Kyoto Convention’, WCO, Brussels. envisages the end state of the proposed PCA regime. Assuming that it is decided to implement PCA in the World Customs Organization (WCO) 2005, WCO way that is based on the principles and practices out- SAFE Framework of Standards to Secure and lined in this Guide, the following issues will need to Facilitate Global Trade, WCO, Brussels. be addressed: ANNEXES Annex 1: Revised Kyoto Convention Guidelines—Chapter 6 Customs Control Annex 2: Revised Kyoto Convention Guidelines—Chapter 3 Clearance and other Customs Formalities Annex 3: International Auditing and Assurance Board—International Standards on Auditing Annex 4: Working Paper Index Page Annex 5: General Working Paper Annex 6: Control Description/Testing Worksheet Annex 7: Control/Risk Matrix Annex 8: Substantive Testing Worksheet Annex 9: Audit Issues Worksheet Annex 10 Audit Issues Log ANNEXES | 63 Annex 1 Revised Kyoto Convention Guidelines Chapter 6: Customs Control 7. Control methods facilitation measures in the form of simplified proce- dures (e.g. periodic entry system). 7.2. Audit-based controls 7.2.1.2. Development of audit programmes (Standard 6.6) Customs administrations should identify post-clear- ance audit categories, e.g. importer/exporter, value, To manage the worldwide increase in trade and to foreign trade zone, broker, and carrier manifest, and provide traders with greater facilitation, Customs in- produce manuals to provide step-by-step guidance creasingly rely on audit based controls, using traders’ for carrying out audits. commercial systems. These controls may vary from a simple post-clearance audit to trader self-assessment. Audit-based controls do not preclude physical exami- 7.2.1.3. Selection of persons/companies for audit nation of the goods. The selection of persons/companies for audit should be based on risk profiles (see Section 6.2.2). Audits To ensure the reliability of the traders’ commercial should generally be conducted for compliance veri- systems for these purposes, they must follow the gen- fication purposes in the areas of valuation 2 , origin, erally accepted accounting principles (GAAP) within tariff classification, duty relief/drawback/remission the country. These principles determine which eco- programmes, etc., but other areas should be targeted nomic resources and obligations should be recorded as necessary. Depending on the profile of the auditee as assets and liabilities, which changes in assets and and its business (e.g. type of business, goods, rev- liabilities should be recorded, how the assets and li- enue involved, etc.) the audit may be conducted on a abilities and changes in them should be measured, continuous, cyclical or occasional basis. what information should be disclosed and how it should be disclosed, and which financial statements should be prepared. 7.2.1.4. Annual audit planning Audit planning should take place every year, taking into account the availability of the auditor or audit 7.2.1. Post clearance audit team, in relation to work in progress and the start of new audits. Each audit area could be assigned stan- 7.2.1.1. Introduction dard hours of completion and each available auditor Post-clearance audit focuses on persons involved in or audit team hour could be calculated in order to de- the international movement of goods. It is an effec- termine how many audits can be performed by each tive tool for Customs control because it provides a auditor or audit team in a given year. Alternatively, clear and comprehensive picture of the transactions each stage of the audit activity could be broken down relevant to Customs as reflected in the books and into time blocks in order to measure productivity records of international traders. At the same time it against time spent. Both methods allow Customs to enables Customs administrations to offer the trader allocate resources effectively. 64 | Border Management Modernization 7.2.1.5. Audit process out in a professional manner. Representation by a se- Post-clearance audit places great emphasis on pro- nior member of the company is invaluable to ensure fessionalism in the conduct of a review and the ex- a high level of co-operation. It is at this conference amination of the auditees’ books and records. From that the auditee should designate a representative to pre-audit planning to completion, it is essential to whom all requests for the production of documents maintain communication and co-ordination with the (books, records, etc.) should be directed. auditee and with other interested parties in Customs. A report should be produced to ensure that all find- Audit questionnaire: Companies may be asked to ings and other relevant issues are fully shared and fill out a questionnaire to obtain information about discussed. Follow-up visits may be needed. their structure, related-party transactions, commodi- ties, methods of payment, valuation, manufacturing costs, sourcing and supply. In related-party transac- Audit phases tions, the foreign parent company may also be asked Pre-audit survey: The first step in the audit process to complete a questionnaire focusing on information is to assess and evaluate the strength and weak- regarding the relationship between the auditee and nesses within the commercial system of the auditee. its parent company. Completion of such a question- Depending upon the size and location of the com- naire by the foreign parent company would be purely pany to be audited, Customs may choose to perform voluntary. an on-site survey or request corporate data of the au- ditee via a background questionnaire. Internal corporate review: Customs administra- tions should encourage the auditee, where practical, Such a survey may include gathering data regarding: to carry out a preliminary self-evaluation, review and corporate organization and structure, commodity in- analysis of its operations in relation to the audit. formation, methods of payment, value of commodi- ties, costs associated with commodities, detailed Audit co-ordination: The auditee should be kept product-cost information/submissions for analysis, fully informed of any potential findings or other related-party transactions, and record-keeping sys- relevant Customs matters throughout the audit. tems. This information may be commercially sensi- However, if a significant misrepresentation or poten- tive and should therefore, as with other information tial Customs offence is discovered during the course of passed to Customs, be treated as confidential. the audit, the audit team should communicate and co- ordinate with the appropriate enforcement unit who Initial importer contact: Before carrying out a routine will decide whether to start a formal investigation. compliance audit, Customs administrations should The Customs administration may make information contact the auditee to request detailed information available to other revenue/tax agencies, in accor- on the types of records and documentation needed. dance with national laws on confidentiality. These may include: commercial invoices, shipping records, purchase orders, delivery notes, accounts, Exit conference: A formal meeting should be held records, contracts, royalty and marketing agree- with the auditee to present the findings, and to pro- ments, inventory records, journals, ledgers, business vide an opportunity for the auditee to give any ex- correspondence, records of payments. planations needed, to assist preparation of the final report. Initial Audit conference: The initial meeting should be attended by the auditor or audit team, representa- Final report: Customs administrations should pre- tives of other Customs areas as needed, and repre- pare a final report and let the auditee have a copy, sentatives of the auditee (e.g. consultants, accoun- provided that national law provides for this. A copy tants, controllers, lawyers). The auditor or audit team should also be sent to the appropriate Customs office will discuss the scope and objectives of the audit. for resolution of any issue which has arisen. The auditee has a vested interest in acquiring and maintaining Customs facilitation, and therefore has Follow-up Visit: To conclude the audit process, a responsibility to ensure that the audit is carried Customs may carry out a follow-up desk audit to ANNEXES | 65 ensure that any findings and recommendations for and ultimate goal against which to measure the effec- changes are carried out by the trader. tiveness of the audit. The planning stage will determine amongst other 7.2.2. Traders’ systems audit things: (Transitional Standard 3.32 and Standard 6.10) the objectives; the scope; the risk areas; 7.2.2.1. Introduction the conduct of the audit including preliminary Customs must carry out traders’ systems audit and exit meetings with the auditee; for control purposes, as a quid pro quo for greater the duration of the audit; facilitation, which can include a trader’s use of the necessary resources needed to undertake his computer systems for preparation and submis- the audit; sion of single or periodic declarations, and for the availability of key personnel for interview self-assessment. purposes; and the extent to which changes to the system or The audit of traders’ systems aims to provide assur- the organization operating it have affected pre- ance that a particular activity or process is being vious audit knowledge. carried out properly. Systems audit, as the name im- plies, means looking at the entire processing cycle When Customs is considering allowing self-assess- rather than just the transactions themselves. It does ment, the planning stage will include the establish- not rely on a fully visible audit trail and substantive ment of criteria against which a trader’s systems testing of all or a significant number of transactions, should be judged. These will include his financial as in a manual system. Instead, systems audit uses soundness and his capacity to: the inherent properties of computer processing to provide user confidence. • distinguish between import, export and domes- tic consignments, allowing appropriate alloca- If it can be established that the process itself is reli- tion of duty and taxes, able and accurate and the controls which govern it • allocate and identify consignments to specific are sound and complied with, then safe assumptions Customs regimes, can be made regarding the quality of the output and • identify consignments requiring a licence or facilitation measures can be granted. permit, • calculate tax and duty liability on consignments, The traditional method of checking the accuracy of • regularly update commodity code and duty rate the “books” on a transaction basis is not only inap- files, propriate in a computer environment, but also prob- • cross match commercial part numbers against ably impossible. Even advanced methods using file commodity codes, interrogation methodology are of little use unless • use valuation calculation methods appropriate the auditor or audit team understands how the com- to the traders business transactions, puter and its associated manual procedures combine • issue management reports providing assurance to produce the required information. This is where a of completeness of accounting, systems audit is most effective. • identify outstanding, unreported consignments, • perform quality cross-matching of commercial The principal steps in a systems audit are as follows: transport and accounting information with • statistical and accounting information declared to Customs, 7.2.2.2. Planning • exercise quality control and management check- This initial phase, which is critical to the success and ing procedures to ensure the system is function- credibility of an audit, will define the direction, scope ing correctly, 66 | Border Management Modernization retain historical data for long enough to comply with even re-enactment of the processing cycle. Using ad- national legal requirements and use satisfactory back- vanced techniques, i.e. file interrogation software, it up procedures in the event of a system breakdown. is possible to test for unusual combinations of data which could lead to incorrect processing as well as for straightforward situations. 7.2.2.3. Enquiry or fact gathering By interviewing personnel at all levels in the manage- ment chain, both the application users and the data 7.2.2.7. Report processors, the auditor or audit team can discover The outcome of the audit will usually be a report how the system actually works. The auditor or au- to senior management which will make recommen- dit team will also refer to any material such as user dations as to how identified weaknesses can be guides, system specifications, which is available. The eliminated or controls tailored to be more effective. controls, or lack of them, both internal and opera- Controls can even be discarded if they are seen to be tional can then be identified. Often the way the sys- irrelevant in a particular situation. tem works is at variance with how it was designed and implemented and how individuals, especially se- nior managers, perceive it to be working. The auditor 7.2.2.8. Conclusion or audit team can also deduce much from the state of Once a system has been recorded and evaluated system documentation, or the lack of it. For example, and any amendments to improve control have been it may be out of date or incomplete. implemented, it can be expected to perform reli- ably until the next significant change is undertaken. However periodic audits need to be carried out to 7.2.2.4. Recording the system confirm that nothing has changed and that the con- The auditor or audit team will record the findings ei- trols which have been built in to the system continue ther by means of a narrative text or pictorially, by the to be administered and adhered to. The use of audit use of flow diagrams, or both. The diagrams can be packs (a set of pre-programmed audit tests) can be at different levels of detail, from a broad overview to used to automate this process. actual stages in computer processing. They can cover the document flows before and after computer pro- cessing. At this stage the auditee will normally con- 7.2.2.9. Development audit firm the auditor’s or audit team’s understanding of Traders’ systems audit can also be of great benefit the system, before moving on to the next phase. in the development stage of a new application. In the past the need to implement a new application as soon as possible has meant that suitability for audit 7.2.2.5. Evaluation has been overlooked or only partially addressed. The By reviewing and evaluating the evidence gathered, consequence of poor suitability means at best inad- the auditor or audit team will begin to discover ac- equate or at worst non-existent controls. Part of the tual or perceived weaknesses in the internal controls. planning cycle of any new application should ensure They can then plan tests to measure the effectiveness the inclusion of controls and audit trails. This will en- of the controls and the credibility of the output. able the auditor or audit team to confirm the process- ing of data from inception to final recording. It will also enable the auditor or audit team to trace transac- 7.2.2.6. Testing tions in the reverse direction. If audit considerations Testing is carried out to some extent at various stages are taken into account at the outset of a new system, of the audit, for instance at the fact-gathering stage, the subsequent audit and control of that system will by observation and as a result of evaluation. It can be much more effective and trustworthy. be by inspection of records, output reports, etc. or Annex 2 Revised Kyoto Convention Guidelines Chapter 3: Clearance and Other Formalities 7. Special procedures for authorized persons with Customs law and thus pose a low risk for con- trol purposes. These traders can then be approved for special or “fast track” procedures that require 7.1. Special procedures little intervention by Customs for the release and clearance of their goods. Such traders are referred Transitional Standard 3.32 to as “authorized persons” for the purposes of this For authorized persons who meet criteria specified Convention. This provision is especially appropriate by the Customs, including having an appropriate re- for traders who regularly import or export goods. cord of compliance with Customs requirements and a satisfactory system for managing their commercial The special procedures enumerated in Transitional records, the Customs shall provide for: Standard 3.32 that are granted to authorized persons will allow: • release of the goods on the provision of the minimum information necessary to identify the • the provision of minimal information at the time goods and permit the subsequent completion of of release of the goods; and—clearance at the de- the final Goods declaration; clarant’s premises or other inland locations. In • clearance of the goods at the declarant’s premis- addition Customs may also allow: es or another place authorized by the Customs; • lodgement of a Goods declaration covering mul- and, in addition, to the extent possible, other tiple transactions over a certain period; special procedures such as: • the self-assessment and accounting of duties • allowing a single Goods declaration for all and taxes by the authorized person; and lodge- imports or exports in a given period where ment of the Goods declaration by an entry in the goods are imported or exported frequently by commercial records of the authorized person. the same person; • use of the authorized persons’ commercial re- Special procedures are beneficial for both Customs cords to self-assess their duty and tax liability and the trade. They facilitate the movement of goods, and, where appropriate, to ensure compliance encourage compliance with Customs rules and en- with other Customs requirements; able more effective use of Customs resources. They • allowing the lodgement of the Goods declara- also promote the modern concept of a partnership tion by means of an entry in the records of the between Customs, traders and third parties within authorized person to be supported subsequent- international trade. ly by a supplementary Goods declaration. It is therefore a requirement that at least two special procedures be introduced by all Customs administra- 7.1.1. Introduction tions and that other special procedures are consid- Through implementation and use of a risk manage- ered for possible implementation. Customs should ment programme, Customs can determine which consult regularly with the various parties involved goods and which traders are generally in compliance to ensure that once special procedures have been 68 | Border Management Modernization introduced, the optimum benefits are realized for all an authorization to any trader who wants to use it. the trade partners, including Customs. This can be considered as granting a greater facility in accordance with Article 2 of the Convention. Although Contracting Parties to this Convention must implement a programme for special procedures in accordance with Transitional Standard 3.32, the 7.2. Types of special procedures procedures are applied at the trader’s request. They are clearly not mandatory upon all traders, particu- 7.2.1. Release on minimum information larly as they are designed only for those who meet This procedure allows for the release of the qualifications to be authorized. goods for the Customs procedure requested using a minimum amount of information. 7.1.2. Authorization The procedure usually requires an initial declaration Customs will determine criteria or conditions that a to enable the release of the goods, followed later and trader must meet in order to be considered eligible within a specified period of time by a supplementary for a special procedure. Any trader can apply for ap- declaration containing all the normally required in- proval to use the special procedures. Once Customs formation or by the provision of any supplementary agrees that a trader meets the criteria they have iden- information. The amount of duties and taxes due will tified as necessary to ensure the trader’s compliance be based on the completed information. However, with Customs law, they will authorize the trader for the goods will be assigned to the requested Customs one or more of the special procedures. procedure based on the initial declaration. The criteria and conditions for this authorization The information required on the initial declaration should be developed by Customs through the con- should be limited to that necessary to determine the sultative process with the trading community. Where admissibility of the goods. This will normally include possible, the criteria should be based on measurable the description, quantity and value of the goods. requirements, such as the ability to supply the neces- sary information to Customs within given time scales. In some administrations, the information in the ini- As illustrated in this Transitional Standard, the ba- tial declaration can also simply comprise the declar- sic criteria are that the applicant can demonstrate a ant’s authorization number and a commercially rec- good record of compliance with all Customs require- ognized description of the goods or the commercial ments and the maintenance of an adequate system reference to the goods in the authorized person’s re- for commercial records. Compliance with Customs cords. With this reference to the authorized person’s requirements includes all the elements associated records it is possible for Customs to have access to with accurate and correct declarations, adequate se- all the information necessary. Some administrations curity provided to meet obligations, timely duty and also allow a commercial or official document to be tax payments, proper methods for tariff classification the initial declaration. and country of origin claims, and no history of sig- nificant recurring errors or violations. Standard 4.5 of the General Annex requires national legislation to fix the point in time for determining the In addition to the practical requirements, the as- rates of duties and taxes. In many administrations sessment of any application by a trader for a special the date of registration of the initial declaration es- procedure will be based on risk management tech- tablishes this time of lodgement of the Goods decla- niques as explained in the Guidelines to Chapter 6 of ration. It is not always necessary for Customs to be this Annex. able to assess the exact amount of liability for import or export duties and taxes at the time of release of Once granted, the authorization will indicate the ob- the goods. This can be done at a later stage using the ligations of the authorized person concerning the more comprehensive supplementary declaration. In use of a special procedure. Some Customs adminis- most administrations that use this special procedure, trations allow the use of a special procedure without the supplementary declaration is required at the end Annexes | 69 of a month, or even longer, after the release of the 7.3. Additional special procedures goods. The supplementary declaration may be a sin- gle Goods declaration covering a single transaction The following procedures are optional and provide or it may be a single Goods declaration covering a only an example of additional special procedures number of transactions within the given period. that could be introduced. They are not mutually exclusive, but provide a framework within which Customs and the relevant parties can work to find 7.2.2. Clearance of goods at the declarant’s premises agreeable facilitation methods that meet Customs re- This procedure allows the clearance of goods for the quirements. The decision to introduce these special Customs procedure requested at designated loca- procedures depends on each Contracting Party, al- tions away from the Customs office or at approved though all Customs administrations are encouraged traders’ premises. It provides advantages for the to make these special procedures available. trade, not only for the treatment of urgent consign- ments such as perishables, but also for increasing the convenience of clearance, the security of the goods 7.3.1. Periodic goods declaration themselves and a degree of certainty for delivery at One of the more widely applied special procedures the expected time. For Customs, the procedure en- is permitting the lodgment of a single Goods declara- ables them to become more familiar with the goods tion for imports and/or exports that have taken place and systems that they are dealing with and may cre- over a given period of time. ate more favourable conditions in which to carry out their work. This procedure has great benefits for both the trade and the Customs administrations. For the trade, the Normally the goods arrive at the declarants’ prem- periodic declaration procedure allows for improved ise under Customs transit procedure or under an ap- speed in their overall operations by more rapid re- proved simplified system for the movement of goods. lease of goods and less repetitive documentation de- The requirement to use this procedure may simply mands. This in turn should lead to reduced clearance be a notification to Customs of the impending arrival and transport costs. For Customs this procedure en- of imported goods at the approved premises or the ables a more rational use of the available resources despatch of goods for export. This is followed, within and allows controls to be applied more flexibly as a period of time specified in the authorization, by the well as any overall reduction in the number of docu- lodgement of the Goods declaration. ments and transactions to be processed. This in turn results in more effective post-audit checks and en- When the arrival or the despatch of the goods is on a hanced risk management. regular basis, Customs may even accept a list of im- pending arrivals or despatches of goods for a certain To implement this procedure, administrations period, or they may waive the requirement for the must have either legislative or regulatory provi- notification and only require the subsequent lodge- sions in place that allow the Goods declarations ment of the Goods declaration. for importation and/or exportation to be lodged periodically. This is an additional requirement The procedure may also be divided into two stages: since most administrations traditionally require a an initial declaration that may be accepted as the no- Goods declaration to be lodged for every import or tification, followed by a supplementary declaration. export consignment. Together these constitute the Goods declaration. This Goods declaration would have the same legal The procedure may not be applied in situations status as a normal Goods declaration. where it may place undue risks on the revenue or on the administration of the procedure. Thus cer- Some administrations, particularly in Europe, grant tain categories of goods may be excluded because the procedure described above combined with the of their nature (difficult to apply post-audit checks), procedure of lodgement by entry in the records as because they are placed under Customs procedures described in 7.3.3 as a Local clearance procedure. that will not be facilitated by periodic lodgment of 70 | Border Management Modernization the declaration (processing procedures) or because regulation or legislation. This is normally one month. they are a high risk to the revenue. The authorized trader would be required to submit the declaration in a standard format giving the de- Traders must obtain prior authorization by Customs tails of the goods released during that period. As to use the periodic declaration procedure. Customs mentioned, this periodic Goods declaration is linked can issue these authorizations at a central level with the provision of certain minimal information at or at the regional or local level. The authorization the time the goods are imported or exported or an may be granted on a case-by-case basis for specific entry made in the records. The date on which that goods, operations or persons. The authorization initial notification was given to Customsorthe date on may also be a general one for certain approved trad- whichthe entrywasmadeisusuallytakento be thedate ers but subject to conditions that Customs might for the assessment of duties and taxes. Electronic prescribe, by such as specific requirements for the submission of the periodic declarations is a common premises where the goods are kept, the maintenance feature of this special procedure. of adequate commercial records, a good record of compliance with Customs requirements, and so on. Under this procedure, the provisional and periodic General authorization may also be granted for trad- declarations, which together constitute the Goods ers who conclude an agreement with Customs for the declaration, may have the same legal status and are implementation of this simplified procedure and are regarded as normal Customs declarations, and thus usually based on the same conditions. Customs can the provisional declaration may determine the date also combine the two types of authorizations for a for the assessment of duties and taxes. This may also single trader, i.e. a case-by-case approval for certain apply where changes occur in the rates of duty and types of goods and a general approval for other goods. taxes or in the regulations during the period covered by the periodic Goods declaration, unless otherwise Goods are released under the periodic declaration specified in national legislation under Standard 4.5. procedure upon arrival if no physical examination When Customs perform audit-based controls for the is necessary. Customs requires only the provisional periodic Goods declaration, they ensure to their sat- declaration at this initial stage. The trader may lodge isfaction that all goods imported under the procedure a simplified provisional declaration either in the form during the relevant period are declared and that the of a list of the goods or with a commercial docu- information contained in the declarations is accurate. ment, both of which are conditional that the trader maintains records of the goods in a format that is ac- ceptable to Customs. In many administrations this 7.3.2. Self-assessment of duties and taxes using provisional declaration is closely linked with that commercial records described in Standard 3.13 of this Chapter. These are This procedure is a system whereby the trader him- normally very simplified and contain only the basic self is authorized to determine the duties and taxes information relating to the goods. For highly reliable due. It is based on the principle that, in international traders, Customs may allow the trader to simply en- trade, systems are required for commercial purposes ter the details of the goods in their records. in order to control the movement, supply and stor- age of goods and to carry out effective fiscal controls. Customs retains the right to examine the goods cov- Once Customs performs an audit of the trader’s rel- ered by this procedure based on the initial infor- evant system and commercial records and is satisfied mation provided. Since this procedure is reliant on that they meet the criteria necessary for authoriza- audit-based controls, Customs will base the require- tion to use special procedures, Customs has a rea- ment for any examinations on their risk management sonable assurance that it can rely on the system for programme. For additional details on audit-based Customs control. In effect Customs control becomes control systems, see the Guidelines to Chapter 6 on an integral part of the authorized person’s commer- Customs Controls. cial activities. To clear the goods, the periodic Goods declarations This self-assessment procedure is accompanied are lodged at the end of a period specified in the by Customs performing audit-based controls as Annexes | 71 provided for in Standard 6.6 of the General Annex The method used to establish the point in time for and described in the Guidelines to that Chapter. duty and tax application will be specified in na- tional legislation in accordance with Standard 4.5 Goods imported under the self-assessment proce- and should be specified by Customs in the trader’s dure should be released at importation immediately authorization. For goods assigned to a Customs pro- upon their arrival in the Customs territory. Likewise, cedure which places them under the suspension of goods exported under the procedure should be au- duties and taxes, Customs can authorize that these thorized to move directly to the place of exportation. goods are not included in the periodic declaration Minimum checks or indeed no checks at all should until such time as they are either moved out of the be carried out at a Customs office or at the trader’s regime and become liable for duties and taxes or are premises in either situation under normal circum- re-exported. Any goods held by the authorized per- stances, other than random checks conducted as part son which are under suspension of duties and taxes of the risk management programme. Detailed checks should be identifiable in the commercial system. are always appropriate in exceptional circumstances, for instance, where it is suspected that the procedure Where Customs is satisfied that the trader’s commer- is being abused or where information is received that cial system is operating correctly, the declarations a consignment may be misrepresented or used as a submitted for the period should be considered to be medium to import or export illicit goods. correct unless there is evidence to the contrary. Once the physical movement of the goods has taken The regularity of any checks on the authorized per- place for import or export, a declaration should be son’s system should be based on risk management furnished by the authorized person or their represen- techniques and the nature and complexity of the tative. This normally indicates the amount of duties business. Whenever controls are carried out, they and taxes that will be due. Other information may be should be targeted at the functioning of the system. required in the declaration, such as value and origin, However, this does not preclude checking individual but it should be kept to a minimum. Some adminis- consignments to verify that amounts of duties and trations require a supplementary declaration which taxes due have been correctly attributed. may not be required for a month or more after the release of the goods. As described for the procedure In administrations which allow the special procedure of release on minimum information, the supplemen- of self-assessment, Customs retain the authority to tary declaration may be a single Goods declaration determine the amount of duties and taxes. covering a single transaction or it may be a single Goods declaration covering a number of transactions within the given period. 7.3.3. Lodgement by entry in the records Where release or clearance is allowed away from When the time of lodgement of the Goods declara- the border and at approved premises, allowing the tion is used to establish the rates of duties and tax- Goods declaration to be lodged simply by an entry in es applicable, it can be established by a number of the authorized person’s commercial records can be methods. It is acceptable to use either the date of the a substantial facilitation measure for the declarant. provision of minimum information, the date of the entry of the individual consignment into the trader’s Customs can authorize this special procedure where accounts or the date of registering or acceptance of they are satisfied that the applicant’s records will en- the periodic declaration. able them to carry out effective checks, particularly retrospective audits. Normally the entry in the re- Where the last method is used, it will constitute cords consists of specific information concerning the a single tax point for the period covered by the goods such as the shipper, consignee, quantity, value declaration. This single tax and duty point may and country of origin, the date of release of those therefore cover several imports and exports over the goods and any other information which may be re- given period. quired by Customs for the application of the Customs 72 | Border Management Modernization procedure concerned. The information to be entered The date of the entry into the records is regarded as the in the records of the authorized person will be speci- formal time for the lodgement of the Goods declaration. fied in the authorization for this special procedure. Customs administrations which grant any of these special procedures often combine more than one in The entry in the records can be regarded as the initial the authorization since they have already determined declaration, which has to be followed by a supplemen- with a satisfactory level of assurance that the trader tary declaration. A simple notification to Customs of will maintain high standards of compliance with the impending arrival of the goods at the approved Customs requirements. Many authorized persons are premises or despatch of the goods from these prem- granted lodgement by entry in their records along with ises can be required in order to allow Customs to per- submission of periodic supplementary Goods declara- form random checks when deemed necessary. tions or with the self-assessment of duties and taxes. Annex 3 International Auditing and Assurance Board—International Standards on Audit The International Auditing and Assurance Standards Objective Board (IAASB) is an independent standard-set- ting body that serves the public interest by setting Each ISA now contains a clear statement of the ob- high-quality international standards for auditing, jective of the auditor in the audit area addressed by quality control, review, other assurance, and re- that ISA. lated services, and by facilitating the convergence of international and national standards. In doing so, the IAASB enhances the quality and uniformity Definitions of practice throughout the world and strengthens public confidence in the global auditing and assur- For greater understanding of the ISAs, applicable ance profession. terms have been defined in each ISA. Structure of the ISAs Requirements The ISAs now have a new structure, in which Each objective is supported by clearly stated require- information is presented in separate sections: ments. Requirements are always expressed by the Introduction, Objective, Definitions, Requirements, phrase „the auditor shall.” and Application and Other Explanatory Material. Application and Other Explanatory Material Introduction The application and other explanatory material ex- Introductory material may include information re- plains more precisely what a requirement means garding the purpose, scope, and subject matter of the or is intended to cover, or includes examples of ISA, in addition to the responsibilities of the auditors procedures that may be appropriate under given and others in the context in which the ISA is set. circumstances 74 | Border Management Modernization Individual ISAs are available below via the linked version of the 2010 handbook. • ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing • ISA 210, Agreeing the Terms of Audit Engagements • ISA 220, Quality Control for an Audit of Financial Statements • ISA 230, Audit Documentation • ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements • ISA 250, Consideration of Laws and Regulations in an Audit of Financial Statements • ISA 260, Communication with Those Charged with Governance • ISA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Manage- ment • ISA 300, Planning an Audit of Financial Statements • ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment • ISA 320, Materiality in Planning and Performing an Audit • ISA 330, The Auditor’s Responses to Assessed Risks • ISA 402, Audit Considerations Relating to an Entity Using a Service Organization • ISA 450, Evaluation of Misstatements Identified during the Audit • ISA 500, Audit Evidence • ISA 501, Audit Evidence-Specific Considerations for Selected Items • ISA 505, External Confirmations • ISA 510, Initial Audit Engagements-Opening Balances • ISA 520, Analytical Procedures • ISA 530, Audit Sampling • ISA 540, Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures • ISA 550, Related Parties • ISA 560, Subsequent Events • ISA 570, Going Concern • ISA 580, Written Representations • ISA 600, Special Considerations-Audits of Group Financial Statements (Including the Work of Component Auditors) • ISA 610, Using the Work of Internal Auditors • ISA 620, Using the Work of an Auditor’s Expert • ISA 700, Forming an Opinion and Reporting on Financial Statements • ISA 705, Modifications to the Opinion in the Independent Auditor’s Report • ISA 706, Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report • ISA 710, Comparative Information-Corresponding Figures and Comparative Financial Statements • ISA 720, The Auditor’s Responsibilities Relating to Other Information in Documents Containing Audited Financial Statements • ISA 800, Special Considerations-Audits of Financial Statements Prepared in Accordance with Special Pur- pose Frameworks • ISA 805, Special Considerations-Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement • ISA 810, Engagements to Report on Summary Financial Statements • International Standard on Quality Control (ISQC) 1, Quality Controls for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements Annexes | 75 Working Paper Index Annex 4 Trader Audit Manager Section Ref Planning A Information Gathering B Analytical Checks and Initial Assessment C Systems Documentation D Internal Controls – Descriptions, Risk Matrices and Testing E Compliance Testing and Control Assessment F Substantive Testing G Prepared by Reviewed by Index / / / / 76 | Border Management Modernization General Working Paper Annex 5 Auditee Audit Manager Prepared by Reviewed by Index / / / / General Working Paper - Example Trader Audit Manager Entrance Interview notes Action Monday 23 April 2012 at trader head office Introductions: Agency: PCA Manager and PCA team members Trader: Managing Director, Finance Director, Head of Assistant Import Manager appointed as main Internal Audit, Import Manager, Assistant Import Manager contact point and Warehouse Supervisor Confirmation of audit scope and objectives Agreement from trader Confirmation of start / finish dates, sites to be visited Agreement from trader Asked if any major changes to business systems, systems Upgrade to purchasing system, Assistant documentation, or operating procedures since previous audit Import Manager to forward this asap. Asked if any compliance or related issues during 2011 Nil Confirmed will deliver final Audit Plan document to trader Copy of final Audit Plan to be sent to trader. with 7 days Prepared by Reviewed by Index / / / / A 20 Annexes | 77 Control Description/Testing Worksheet Annex 6 Auditee Audit Manager Control Description: System / subsystem: Notes: Preliminary assessment: Description of control test: Sampling: „ size „ selection method „ period „ population size Summary of Test Findings: Control Assessment after test: [Effective/Not Effective/Undecided] Prepared Reviewed Index by by / / / / 78 | Control Risk Matrix Annex 7 Auditee Audit Manager SYSTEM: POTENTIAL ERRORS REF CONTROLS IDENTIFIED COMMENTS ON 1 2 3 4 5 6 7 8 9 10 11 12 13 Test CONTROLS Ref Border Management Modernization Preliminary Adequacy of Controls : Control Assessment after Testing: Risk Remaining Substantive Test Reference POTENTIAL ERRORS IDENTIFIED 1 2 3 4 5 6 7 8 9 Prepared by Reviewed by Index 10 11 12 / / / / 13 Annexes | 79 Substantive Testing Worksheet Appendix 8 Auditee Audit Manager Sub-system___________________Transaction__________________ Description___________________ Transaction Details Test Results Prepared by Reviewed by Index / / / / 80 | Border Management Modernization Audit Issues Worksheet Annex 9 Auditee Audit Manager Issue Description: Priority: Logged Issued Response Follow-up Closed Company Response: Follow-up: Closed: Prepared by Reviewed by Index / / / / Annexes | 81 Annex 10 Auditee Audit Manager Issue Ref Business Issue summary Date to Trader Response & No. System Trader Date PO 1 Purchase Purchase Orders can be 1/5/12 Agreed, will implement Order Raising amended without approval immediately a soft-ware after goods have been upgrade to require an imported ‘approval’ process with Finance Manager level access. Soft-ware provider contacted. 8/5/12. PO 2 Purchase Purchase Order copy to be 1/5/12 Agreed. Operation Order Raising sent to Customs Broker to procedures amended to assist confirming ask import staff to declaration details obtain copies of Purchase Orders for “Documents to Broker” procedure. 2/5/12 Prepared by Reviewed by Index / / / / F2 A3 THE WORLD BANK 1818 H Street, NW Washington, DC 20433