Common security lens
Retailers collaborate on standard process for security audits of overseas factories.
Several major U.S. retailers have banded together and harmonized how they conduct security audits of foreign suppliers to make it easier for all parties to meet the guidelines of the Customs-Trade Partnership Against Terrorism.
Trade compliance officers involved in the process spoke with American Shipper to describe how they came up with a common security checklist for contract manufacturers in hopes of attracting other retailers to join the initiative and to demonstrate the industry’s ability to collaborate for the collective good on an issue important to the government.
Retailers such as Target were among the founding participants of C-TPAT in the wake of the Sept. 11, 2001 terror attacks. Aware of heightened concerns about the potential for a weapon of mass destruction to be smuggled in a container moved through international commerce and fearful that authorities would respond by conducting time-consuming inspections of many shipments, several companies approached U.S. Customs and volunteered to have their supply chain operations scrutinized to show that they weren’t vulnerable to infiltration and their cargo could be trusted as secure. In exchange for undergoing a “cargo background check,” they requested their cargo be quickly cleared without having to undergo a security exam.
The idea represented a major step in pushing the United States towards a risk-based approach for cargo security. Customs eventually developed a weighted system for scoring shipments using advance shipping information and other data. C-TPAT membership doesn’t guarantee a shipper’s cargo will skip examination, but — when the system works properly — it substantially lowers the shipment’s risk score and chances of being selected for review.
C-TPAT has grown from seven original members to 10,643 companies, of which 4,340 are importers, according to the latest figures from Customs and Border Protection. But the program’s growth has plateaued for several years and the number of participants is a fraction of the total universe of importers. CBP officials have stated they want 40,000 companies in C-TPAT by the end of the decade. But many trade professionals question whether the stated benefits of C-TPAT, which now include front-of-the-line treatment in the event an exam is required, are worth the effort and cost required to put together a security plan, have it approved by CBP, prepare for and host security checks at headquarters and an overseas location, implement the plan and enforce supplier compliance. The burden is especially felt by smaller importers.
For years, retailers have developed requirements for vetting foreign vendors themselves or through third-party auditors. They provide basic training to internal personnel and suppliers on how to meet security requirements, perform audits against those standards and demand immediate corrective action for those that fall short. Some retailers have even terminated contracts with factories that did not follow their prescribed security program.
Contract manufacturers, as a result, are bombarded with audits from many retail customers, which requires managers to spend time answering questionnaires, preparing for on-site audits, accompanying audit teams during plant visits and paying for third-party auditors when retailers outsource verification. And audits aren’t limited to security. Companies, to varying degrees, also vet suppliers for their internal controls on product quality, social responsibility such as treatment of workers or use of child labor, and environmental practices.
To combat “audit fatigue,” compliance professionals at about 10 of the nation’s top retailers in 2011 began brainstorming around the idea of using the same checklist when auditing the same factories, Alan Johnson, a global supply chain security manager at Home Depot, said.
The average factory gets audited multiple times a year, which leads to confusion about whose standards to follow, inefficiency, cost increases, and a focus on passing the audit rather than on fixing any underlying problems, he said.
“It’s a significant cost for all our overseas partners. Our factories have to pay for each of those security audits,” Kelly Schultz, manager of global trade security partnerships at Target, said. “At the end of the day, we’re all duplicating efforts. Why conduct security audits at the same factory three different times for three different retailers?”
The retailers formed a working group to standardize the process for security audits in global supply chains and drive continuous improvement at the factory level through follow-up education. The checklist incorporates the eight major areas CBP requires for C-TPAT certification, including container/trailer security, physical access controls, personnel security such as background checks, training, and secure information technology systems.
By agreeing on minimum security requirements, the retailers intend to meet both industry and customs standards without being too prescriptive about security measures, such as the height of fencing, so that factories can easily comply without having to satisfy multiple masters, Walter Fong, director of trade compliance for Levi Strauss & Co., said.
Factories benefit from the standard approach to security by having more clarity and consistency about requirements, and undergoing fewer audits, which enables them to focus on production and security, Johnson said. Retailers stand to gain, he said, by being able to lower costs; focus time and resources on corrective action, education and training; and exchanging best practices with other retailers and brands.
The checklist is easily integrated into in-house or third-party databases, can be readily shared because the format is the same and is independent of company-specific methods for grading security performance.
Some retailers are loading the checklist into online surveys where suppliers log in and enter responses to self-audit themselves, while others use it for internal auditing purposes or share it with third party auditors to include in their process.
“Companies are going to utilize it differently based on their risk model,” Schultz said.
Companies that ask factories to respond to a questionnaire will determine whether to make a follow-up visit in person based on the responses, which typically require picture attachments showing access controls, camera locations, guards or other safeguards described in the document.
Fong said retailers must be careful about how they share the completed audits among themselves because of potential antitrust liabilities. But factories, which own the audits, are free to share the results of an audit conducted for one customer with other retailers. Subsequent importers can decide whether to accept the audit, accept it with some supplemental questions or request their own audit.
In the past, factories were reluctant to produce audits for other clients because they had the requesting retailer’s name stamped on it, which might reveal some unique standards pursued by the client. Factories also don’t want to disclose who they do business with, Fong said.
The new checklist doesn’t have any proprietary information attached to it, which levels the playing field and makes it easier to share the responses, he added.
“The speed of onboarding a factory is much faster than if we have to independently require a specific audit,” which can take three months to set up, Johnson said.
The retailers were in frequent contact with CBP throughout the project to get the agency’s feedback on questions to include in the checklist, another compliance specialist whose company didn’t want to be identified, said.
Third-party auditing companies were also invited to provide additional perspective. Although standardization likely will reduce their business because fewer security audits will need to be conducted, Fong said the firms realized that retailers were already heading in that direction and wanted to help shape the process. And, Schultz added, companies involved in development would have a head start incorporating the standards and could use that as a key selling point to potential customers.
SGS, a Swiss inspection, verification, testing and certification company with U.S. headquarters in Rutherford, N.J., is one of the outside firms that contributed towards the new security checklist. Losing some security audits isn’t a big problem because the money freed up from C-TPAT audits can be used by factories for product testing, production line inspections, post-production inspections in stores, product comparisons, environmental and social compliance audits or other quality reviews to meet retailers’ requirements, Jo Dee Devries, a deputy manager at SGS, said.
The standardized audit “helps us as an auditing firm because we know exactly what the questions are” and don’t have to work up a template for each retailer engagement, she said. C-TPAT minimum security standards are often treated as guidelines, with companies varying in their actual policies, so having the standards makes clear what is a suggested versus mandatory practice, she added.
Audits can take one to three days, depending on the size of the factory, Devries said.
Other audit firms involved in the project included Intertek and UL Responsible Sourcing, according to the participating companies.
The working group recently ran a pilot for several months and adjusted some of the questions on the checklist.
The next phase of the project is to get the word out to other retailers, Johnson said. The working group wants to create its own Website and a LinkedIn group, and promote the tool at the next C-TPAT conference held by Customs. Unresolved yet is who will pay for and organize creation of an online platform.
Developing the standardized checklist was a grassroots effort by the compliance professionals, but their respective corporate management was aware of their work or generally supportive of initiatives to enhance industry collaboration, they said.