How to Conduct a Winning CTPAT Annual Assessment

As a member of CTPAT, each year you are required to pass an Annual Renewal conducted by your assigned Supply Chain Security Specialist (SCSS). Whether the audit is conducted remotely or on-site, companies need to conduct a CTPAT Annual Assessment internally ahead of the inspection. 

With the CBP’s newly implemented minimum security criteria, companies often find themselves lacking clarity on what is expected of them when completing this assessment, and the uncertainty can be nerve-wracking. Here, we outline every step you need to take to execute a complete internal assessment and ultimately ensure your organization passes its CTPAT Renewal with flying colors each year.

Schedule a CTPAT Management Review

This needs to be done annually at minimum, however, every six months would be considered “best practice” and every three months would be considered “above and beyond.”  

To do this, start by setting up a meeting with your CTPAT Team (Designated Security Officer, Operations Manager, Warehouse Manager, HR Team, IT team, applicable Executive Staff, etc.), and work together to answer questions such as:

• Are we meeting current CTPAT Minimum Security Criteria (MSC) objectives?
• Do we have the appropriate processes in place?
• Are there any upcoming changes to the CTPAT program that we need to plan for?
• Are internal and external audits and risk assessments improving process performance?
• Are preventative and corrective actions up to date?
• Have we implemented proper IT safeguards and HR checks for hiring and terminating employees?

Also, be sure to review your current security questionnaire and CTPAT training material with the team.  Consider whether new questions need to be added to comply with 2020 MSC regulations and evaluate whether the training currently provided to employees is adequate.

Finally, make sure you document these management meetings by keeping a log of attendance, what was discussed, and who owns any follow-up actions that result from the discussion.

Review the CTPAT Status of Your Business Partners

If your vendors/business partners are CTPAT certified, simply add them to your CTPAT SVI partner portal, and if they are not certified, be sure to send them a CTPAT questionnaire so they can make you aware of processes they have in place to keep your supply chain safe.  A good security questionnaire will allow you to spot gaps in their procedures so you can work with them to resolve any issues.  Along with your security questionnaire, you should also send them your organization’s Standard Operating Procedures (SOPs) and CTPAT Training to ensure they are aware of your expectations.

Prepare and Complete an “Action Plan” Form 

Standardize a company-wide method to address any discrepancies found during your management review as well as any issues with business partner compliance that you may uncover upon return of their security questionnaires.

This action plan should include:

• The owner of the project and the subject.
• The issue, resolution, and a planned completed date.
• Notes on the solution discussed to resolve the issue.

Coming into your CTPAT audit with at least one action plan already executed demonstrates to your SCSS that you understand the internal process of escalating and resolving any issues found during your Annual Assessment.

Review the Training Status of Employees

Before the meeting with your Supply Chain Security Specialist (SCSS), be sure to complete an up-to-date CTPAT Security Awareness Training Log.  This can be in the form of an exported file from your e-training system or simply a spreadsheet detailing the dates and scores of each employee trained on the procedures.

Complete a Threat Assessment

First, create a document noting each country/region that plays a part in your supply chain. This can include suppliers, carriers, and – in some cases – even customers. From there, determine the risk level of each country to the U.S. supply chain and finally rank them individually on a scale of 1-3 (1 = risk, 3 = highest).

Complete a CTPAT Cargo Map Exercise

Select an example shipment and demonstrate using either words or graphics how that shipment enters and moves through your entire supply chain, all the way to its final destination. As you complete your Cargo make, be sure to identify any gaps in security, then document and update any new policies and processes to rectify those gaps. 

Check Logs

Make sure your Visitor Logs, Cargo Pick Up Logs, and Seals Logs are being used by your team and updated properly by your internal CTPAT SOPs.

Verify Alarm and Camera Checks

Confirm an Alarm and Camera checklist is regularly being used by your team as outlined in the standard operating procedures your company submitted to the CBP in your CTPAT Security Profile.

Update Your Security Profile in the official CTPAT Portal:

On the CBP website, make sure the following items are up-to-date in your official Security Profile.

• Changes to a business address.
• Active employees listed as users in the system.
• New/updated policies and procedures that differ from those submitted with your original profile.

Though this list is certainly not exhaustive, it is a relatively comprehensive sampling of the items that should be included in your Annual Assessment to demonstrate to your SCSS that your organization is doing its due diligence to maintain CTPAT compliance and protect the supply chain as effectively as possible.

As always, if you have questions or concerns about any piece of the Annual Assessment outlined above – or you want to learn how Veroot’s SaaS platform can automate these processes to alleviate 85%-90% of the annual workload?