Skip to main content
2016 OAS Guidelines

2.II.2 Condition of satisfactory system for managing commercial and transport records

Article 25(1)(a) of the SA CAU requires the applicant to maintain an accounting system " consistent with the commonly accepted accounting principles applied in the Member State in which the accounts are kept ", which allows " customs control by audits " and to maintain a history of data providing " an audit trail from the moment the data are entered into the files "

In accounting, an audit trail is the process or practice of referring to the source of each accounting entry to facilitate verification of its accuracy. A complete audit trail will allow the applicant's operating activities to be tracked throughout their entire lifecycle, meaning, in this case, the incoming shipments, goods, and products, their processing, and their departure from the factory. For security reasons, many companies and organizations require that their computer systems include an audit trail. It is important to combine the controls carried out in the company's system with those carried out for reasons of protection and security. Regarding safety and security, it is important that, where applicable, the information recorded in this system reflects the physical movement of shipments, goods, and products, and having such information should be part of the verification process. It is also important that, where applicable, the information included in the company's system reflects the flow of shipments, goods, and products, as well as the measures taken to ensure their protection and security at the various stages of the international supply chain in which the AEO participates. Operational tests should reflect these issues when carried out and should also ensure that the company follows planned routines at all times. The audit trail maintains a history of data that allows the user to track specific data from its entry into the system to its exit from the system.

Article 25(1)(b) of the CAU AE requires that the records kept by the applicant for customs purposes be " integrated into its accounting system " or allow " cross-checks of information with the accounting system ".

Some economic operators use Enterprise Resource Planning (ERP) software to structure their core business processes. Records intended for customs purposes may be integrated or linked electronically into this PRE.

It is not necessary, especially for SMEs, to use a single integrated system, but rather to allow cross-checks between customs records and the accounting system. This can be achieved through an automatic link, an interface, or even cross-references in both systems or documentation.

Article 25(1)(c) of the CAU AE requires the applicant to allow the customs authority " physical access to its accounting systems and, where applicable, to its commercial and transport records ".

See letter d) below.

Article 25(1)(d) of the CAU AE requires the applicant to allow the customs authority " electronic access to its accounting systems and, where applicable, to its commercial and transport records " where such systems or records are kept electronically.

Access to company records is defined as the ability to obtain necessary information, regardless of where it is physically stored. The necessary information includes company records, as well as other relevant data, necessary to conduct the audit. Information can be accessed in several ways:

  • On paper: A printed copy of the requested information is provided. Paper support is the appropriate solution when the amount of information required is limited. This situation may arise, for example, when auditing the annual accounts.

  • Using portable data storage devices: A copy of the requested information is provided on CD-ROM or similar media. This solution is the most recommended when dealing with a larger volume of information and requiring data processing.

  • Via online access: through the company's computer system when the site is visited, using electronic channels for data exchange, including the Internet.

Regardless of the form in which the information is provided, customs authorities must be able to examine and analyze the data (i.e., be able to work with the data). It is also important that the data provided is always up to date.

With regard to this specific condition, the nature of SMEs must be taken into account. For example, while all applicants for an AEO must demonstrate that they have an effective record-keeping system that facilitates audit-based customs controls, the manner in which this is achieved may vary. For a large applicant company, an integrated electronic registration system may be necessary to facilitate auditing by customs authorities, while for an SME, a simplified paper-based registration system may be sufficient if it allows customs to carry out the necessary checks.

Article 25(1)(e) of the CAU EA requires the applicant to have a logistics system that identifies " the goods as Union or non-Union goods " and indicates, where applicable, " their location ".

The way in which non-Union goods or goods subject to customs control can be distinguished from Union goods should be assessed. Pursuant to Article 25, paragraph 2 of the AE CAU, AEOS are not subject to this condition. The reason is that the provisions on protection and security do not differentiate between the two. These requirements apply to all goods entering or leaving the customs territory of the Union, regardless of their condition.

For SMEs, compliance with this condition can be considered satisfactory if it is possible to distinguish between EU and non-EU goods through simple electronic filing or paper records, provided these are managed and protected securely.

Article 25(1)(f) of the CAU AE requires that the applicant have "an administrative organisation" that corresponds " to the type and size of the company " and that is " suitable for the management of the flow of goods ", and that applies internal controls that allow " to prevent, detect and correct errors and prevent and detect illegal or irregular transactions ".

It should be noted that there is no “standard” for administrative organization. The most important thing an applicant must demonstrate is that the administrative organization they are applying is adequate, given their business model, for managing the flow of goods, and that an appropriate system for internal control exists. Therefore, the use of "quantitative thresholds," such as minimum staff numbers, or others, is not appropriate.

Notwithstanding the foregoing, it is expected that written procedures and work instructions with clear descriptions of processes, responsibilities, and substitution in case of absence will be established and properly implemented. In the case of small and micro-enterprises, these expectations can also be met through other appropriate measures that must be demonstrated to the AAE.

Internal control procedures not only impact the day-to-day operations of the department responsible for operations covered by customs legislation, but also all services involved in managing activities related to the international supply chain in which the applicant participates. There are various examples of internal controls, from a simple "two-person rule" to complex electronic plausibility checks.

Any administrative irregularity, including customs violations, may be an indicator of the ineffectiveness of the internal control system. From this perspective, any customs violation must always be analyzed in relation to this condition, in order to adopt measures to improve the internal control system and, thus, prevent the violation from recurring.

Article 25(1)(g) of the CAU AE requires that the applicant has established, where appropriate, " satisfactory procedures for the management of licences and authorisations granted under trade policy measures or related to trade in agricultural products ".

Based on the information provided in the CAE and any other information available to the customs authorities, it is important to determine in advance whether the applicant operates with goods subject to commercial licenses (e.g., e.g., in the textile sector). If this is the case, appropriate routines and procedures should be in place for managing licenses related to the import and/or export of goods. If necessary, the practical application of these routines and procedures must be verified in the field.

In the case of trade in specific goods subject to licenses issued by other competent authorities, it is advisable for customs authorities to consult with those authorities and obtain reference information about the applicant from them.

Article 25, paragraph 1, letter h) of the AE CAU requires the applicant to have " adequate procedures for archiving company documentation and information and for protection against data loss ".

Procedures for archiving and retrieving the applicant's records and information must be evaluated, including determining the type of media and software format on which the data is stored, and whether and at what stage the data is compressed. If a third party is used, the terms of this service must be unambiguous, particularly with regard to the frequency and location of backups and archived information. An important aspect of this condition is related to the possible destruction or loss of relevant information. In this regard, it is important to check whether a security plan exists that includes a description of the measures to be taken in the event of an incident and whether such a plan is updated periodically. Backup routines should also be checked in case computer systems stop working.

Article 25(1)(i) of the CAU AE requires the applicant to ensure that " the relevant employees have been instructed to inform the customs authorities if compliance difficulties are discovered " and " lays down procedures for informing those authorities of such difficulties ".

In the event of compliance difficulties in the customs area, the applicant must implement customs notification procedures and must have a designated contact person responsible for such notification to the customs authorities. Formal instructions should be issued to employees involved in the supply chain to avoid potential difficulties in complying with customs requirements. All difficulties detected will be communicated to the designated responsible person or persons or their substitutes.

To this end, the contact details of the designated person should be clearly visible to the staff in charge of the goods as well as to the staff in charge of the relevant information (e.g. eg. on a board or next to the telephone).

To determine what information the economic operator must provide, a list of examples is included in Annex 4 of these Guidelines.

Article 25(1)(j) of the CAU AE requires that the applicant has established " appropriate security measures to protect its computer system from any unauthorized intrusion and to secure its documentation ".

Procedures must be in place to protect the computer system from unauthorized intrusion and to secure available data. This section may include how the applicant controls access to computer systems through the use of passwords, protects against unauthorized intrusion, for example, through the use of firewalls and virus protection, and archives and ensures the secure storage of documentation. These security measures should not only cover the hardware located on the applicant's company premises, but also mobile devices that allow access to the applicant's data (e.g., e.g., encrypted laptop hard drives, smartphone passwords).

Personal computers should lock automatically after a short period of inactivity. Furthermore, computer antivirus software should be updated regularly and a firewall should be installed. Computer configuration should be managed centrally.

The servers will be located in locked rooms with controlled access and limited to relevant personnel.

Article 25(1)(k) of the CAU EA requires that the applicant has established, where appropriate, " satisfactory procedures for the management of import and export licences linked to prohibitions and restrictions, including measures to distinguish goods subject to prohibitions or restrictions from other goods and measures to ensure compliance with such prohibitions and restrictions ".

The management of import and export licenses related to prohibitions and restrictions was previously included in the safety and security criterion and was therefore limited to the AEOS status to prevent the misuse and illegal delivery of safety and security-sensitive goods.
This must be considered in close connection with Article 25, paragraph 1, letter g) of the AE CAU.

The procedures considered may:

  • distinguish goods subject to non-tax requirements from other goods;

  • control whether operations are carried out in accordance with current legislation (other than tax legislation);

  • be related to the handling of goods subject to embargo;

  • be related to the processing of licenses;

  • be related to other goods subject to restrictions;

  • or be intended to identify potential dual-use goods and procedures related to their handling.

Regarding this condition, it is crucial that staff be aware of the importance of non-tax requirements, the correct classification of goods, and the updating of key data. Companies working with the aforementioned goods are required to undergo regular training or study their own developing legislation.

Furthermore, should any doubts arise at an early stage, it is essential for the economic operator to contact the competent national authorities regarding non-tax requirements. This particularly affects newly created companies and economic operators that are expanding their portfolio.

When assessing this condition, customs should consult with other competent authorities involved in order to obtain as much information as possible about the economic operators' processes.