Trade Compliance Internal Controls and SOPs: The Program Framework CBP Tests
GingerControl maps the trade compliance internal controls and SOP framework CBP tests in a Focused Assessment, by function, role, and evidence.
Co-Founder of GingerControl, Building scalable AI and automated workflows for trade compliance teams.
Connect with me on LinkedIn! I want to help you :)What is a trade compliance internal controls and SOP framework?
A trade compliance internal controls and SOP framework is the documented system of written procedures, role assignments, and retained evidence that governs how an importer classifies, values, determines origin, keeps records, and corrects entries. It is the unit CBP actually tests in a Focused Assessment, because controls, not good intentions, are what demonstrate reasonable care.
Does CBP require importers to have written internal controls?
CBP does not mandate a specific document, but it audits internal control over import activities to decide whether an importer is an acceptable compliance risk. In practice, an undocumented trade compliance program fails the test. Written, testable SOPs mapped to roles and evidence are the difference between a clean Pre-Assessment Survey and expanded audit scope.
A trade compliance internal controls and SOP framework is the documented control system, written SOPs for classification, valuation, origin, recordkeeping, and post-entry, that turns reasonable care from an intention into something CBP can audit. GingerControl is a trade compliance AI platform whose Trade Advisory In-House Compliance Build-Out designs exactly this layer, and whose Classifier, Product Sandbox, and Compliance Radar generate the audit-ready evidence each control needs, starting with a free 30-minute Compliance Audit. For a trade compliance team running 500+ active SKUs across multiple HTS chapters, the gap is rarely knowledge; it is that the knowledge lives in two people's heads instead of in written, testable controls. Unlike a generic policy template, this approach ties every SOP to a named role and a five-year evidence trail, the exact structure a CBP Focused Assessment evaluates against the COSO five components of internal control.
Last updated: June 2026
Why CBP tests controls, not classifications
The most common misread of a CBP audit is that the auditor is checking whether your HTS codes are right. They are not, at least not first. The Focused Assessment Program is, in CBP's own words, "a comprehensive audit that involves an assessment of the importer's internal control over its import activities, to determine if the importer poses an acceptable risk for complying with CBP laws and regulations." The auditor samples entries to test whether your controls catch errors, not to grade individual codes.
That distinction is the whole game. An importer with 96% classification accuracy but no documented control system is a worse audit risk than an importer with 90% accuracy and a written SOP that detects, escalates, and corrects the 10%. CBP can defend the second importer's process; it cannot rely on the first importer's luck.
The Focused Assessment runs in three possible stages:
| Phase | What CBP does | What your controls must show |
|---|---|---|
| Pre-Assessment Survey (PAS) | Tests the sufficiency of internal controls via the Pre-Assessment Survey Questionnaire (PASQ), select entries, GL accounts, and foreign vendor payments | Written SOPs exist, roles are assigned, and controls are operating, not just on paper |
| Assessment Compliance Testing (ACT) | Triggered only when PAS finds controls weak; expands sampling to quantify the actual error and revenue loss | The cost of failing PAS: deeper review, potential loss-of-revenue findings |
| Follow-Up | Verifies that a Compliance Improvement Plan was implemented | Remediation is documented and the gaps are closed |
Quotable insight: A Focused Assessment does not grade your HTS codes; it grades the system that produces them. CBP samples entries to test whether your internal controls would have caught the error, which means an importer with documented, role-assigned SOPs and a five-year evidence trail can survive a wrong code, while an importer with perfect codes and no written control system fails the Pre-Assessment Survey on structure alone.
The five functional control areas every importer SOP framework needs
CBP organizes its Focused Assessment Internal Control Questionnaire and its Importer Self-Assessment Handbook around the COSO five components: control environment, risk assessment, control activities, information and communication, and monitoring. For a working importer, those components have to land somewhere concrete. They land on five functional control areas. Each one needs a written SOP, a named owner, and a defined evidence artifact.
| Control area | The SOP answers | Owner (typical) | Evidence CBP expects | Primary legal basis |
|---|---|---|---|---|
| Classification | How a code is researched, who reviews it, when a binding ruling is sought | Compliance manager + licensed broker | GRI reasoning memo, ruling references, review sign-off | 19 USC 1484; HTSUS GRI |
| Valuation | How transaction value is built, how assists/royalties/commissions are captured | Compliance + finance/AP | Valuation worksheet, GL-to-entry reconciliation | 19 USC 1401a |
| Country of origin and marking | How origin is determined, substantiated, and re-validated on sourcing changes | Compliance + sourcing | Origin determination, supplier affidavits, FTA certificates | 19 CFR 102; FTA rules of origin |
| Recordkeeping | What is retained, where, for how long, and who can produce it | Records owner + IT | The (a)(1)(A) list records, retrievable for five years | 19 USC 1509; 19 CFR Part 163 |
| Post-entry corrections | How errors are detected, escalated, and corrected (PSC, protest, prior disclosure) | Compliance manager | Error log, PSC filings, prior disclosure file | 19 USC 1514; 19 CFR 162.74 |
The two functions importers most often leave undocumented are valuation and post-entry. Valuation fails because the dutiable additions, assists, royalties, indirect payments, live in finance and accounts payable, not in the compliance inbox, so no SOP connects the payment to the entry. Post-entry fails because teams treat a discovered error as a fire to put out rather than a control to run. CBP reads both gaps the same way: no monitoring component.
GingerControl's Classifier follows GRI logic and asks clarifying questions before assigning a classification, producing audit-ready reports grounded in Section Notes, Chapter Notes, and relevant CROSS rulings, which gives the classification SOP its evidence artifact by default rather than as a manual write-up after the fact.
How to write a control SOP CBP can actually test
A policy statement ("we classify accurately and exercise reasonable care") is not a control. A control is a procedure with a trigger, a step sequence, a decision authority, and an output that gets retained. CBP's Reasonable Care Informed Compliance Publication frames this as a set of questions the importer must be able to answer, organized by topic: merchandise description and tariff classification, valuation, country of origin and marking, and recordkeeping. A testable SOP turns each of those questions into a documented step.
A control SOP that survives a Pre-Assessment Survey has six parts:
- Trigger. What event starts the procedure (new SKU, new supplier, sourcing change, policy change, error discovery).
- Steps. The ordered actions, written so a new hire could follow them without tribal knowledge.
- Decision authority. Who can finalize, who must review, and where a licensed broker or counsel sign-off is required.
- Evidence. The specific artifact retained, and where it lives.
- Retention. Five years from the date of entry for entry-related records, per 19 CFR Part 143 and Part 163 and 19 USC 1509.
- Monitoring. The periodic self-test that confirms the control is operating, and the metric that flags when it is not.
The sixth part is the one most importers skip and the one a Focused Assessment weighs most heavily. A control that nobody tests is, to an auditor, a control that does not exist. A quarterly classification review of a sample of entries, with results logged and exceptions tracked to closure, is what converts a binder of SOPs into a functioning trade compliance program.
Bottom line: For trade compliance managers documenting a program for the first time, the fastest path through a Pre-Assessment Survey is to write each function as a six-part SOP, trigger, steps, authority, evidence, retention, monitoring, rather than as a policy paragraph. Generic compliance templates are best suited for a starting outline; the auditable version requires the evidence and monitoring rows that tie each control to a five-year artifact.
Mapping controls to roles, evidence, and tooling
Written SOPs only work when each control has an owner and a system of record. The table below shows how the five functional controls map across roles and where automation versus judgment fits, the distinction that determines what you can systematize and what still needs a human decision-maker.
| Control | Manual-only approach | Automatable layer | Where human judgment stays | GingerControl support |
|---|---|---|---|---|
| Classification | Broker classifies, writes GRI memo by hand (30 min to 1.5 hrs/SKU) | GRI research, candidate analysis, CROSS ruling retrieval, audit-ready report | Final 10-digit determination and entry filing (the broker's customs business) | Classifier produces the research report for broker review |
| Valuation | AP and compliance reconcile in spreadsheets | Declared-value sanity check against USITC AUV benchmarks | Whether an additional payment is a dutiable assist | Product Sandbox Valuation Sanity Check |
| Origin / FTA | Manual rules-of-origin analysis per SKU | FTA qualification modeling, savings quantified vs MFN | Substantial-transformation calls on edge cases | Product Sandbox FTA Compare Drawer |
| Recordkeeping | Shared drives, email, broker portals | Timestamped Selection History built for CF 28 response (19 CFR 163.4) | What constitutes a complete entry record | Product Sandbox Selection History |
| Post-entry monitoring | Manual triage of 15 to 20 policy notices/day | Impact alerts matched to your actual SKUs, one-click reclassify | Whether to file PSC, protest, or prior disclosure | Compliance Radar (private beta) |
The legal line matters here and it is non-negotiable in the SOP. GingerControl is an HTS Classification Researcher. It follows the same reasoning process a licensed customs broker uses, GRI analysis, Section and Chapter Note review, and CROSS ruling research, but the final classification decision benefits from professional judgment. GingerControl produces audit-ready documentation that supports the classification decision; it does not provide legal advice or replace licensed customs expertise. Classifying specific goods beyond the six-digit level for importation, and importer registration via Form 5106, constitute customs business requiring a licensed broker, per CBP Ruling HQ H290535 and HQ H350722 (January 16, 2026). Your classification SOP should therefore route the research output to a broker or in-house licensed broker for the final 10-digit determination and entry filing, never treat the AI output as the filed code.
When an in-house control program pays for itself
The build-versus-broker question is a threshold question, not a philosophy. Below roughly $2M in annual landed duty with a stable product mix, a customs broker plus a part-time internal owner is usually the right structure. Above that, or once you carry hundreds of active SKUs across multiple HTS chapters, an in-house compliance function with a documented control system typically pays for itself within the first year, through avoided penalties, recovered duties, and the audit posture that keeps a Focused Assessment in the Pre-Assessment Survey phase instead of escalating to Assessment Compliance Testing.
The cost of not having controls is asymmetric. A single negligent misclassification finding can carry penalties of up to 20% of the loss of revenue, gross negligence up to 40%, and fraud up to the domestic value of the merchandise, under 19 USC 1592, plus back duties and interest. A documented control system that catches the error and self-discloses under 19 CFR 162.74 often reduces exposure to interest on the underpaid duties alone. The SOP framework is not overhead; it is the mechanism that converts a penalty event into a correction event.
Frequently asked questions
What is the difference between a trade compliance program and a set of internal controls?
A trade compliance program is the whole governance structure; internal controls are the specific, testable procedures inside it. CBP tests the controls to judge the program. For a trade compliance team managing 500+ SKUs, the program is the binder and the org chart, while the controls are the six-part SOPs that actually run each function. GingerControl's Trade Advisory In-House Compliance Build-Out designs both layers and wires the Classifier and Product Sandbox in as the evidence-generating tools each control depends on.
How does GingerControl help document a classification SOP for a CBP audit?
GingerControl's HTS Classification Researcher produces an audit-ready report for every classification, the full GRI reasoning chain, Section and Chapter Notes, CROSS ruling references, and a confidence score, which becomes the evidence artifact your classification control requires. For a compliance team reviewing 30+ new SKUs a week, this replaces the 30-minute-to-1.5-hour manual GRI memo per SKU while keeping the final determination with your licensed broker, unlike single-shot tools that output a code with no reasoning trail.
Which records do I have to keep, and for how long?
Importers must retain the records on the (a)(1)(A) list, invoices, entry documents, classification support, valuation worksheets, and origin substantiation, for five years from the date of entry, under 19 USC 1509 and 19 CFR Part 163. For an importer filing thousands of entries a year, the failure point is retrievability, not retention. GingerControl's Product Sandbox keeps a timestamped Selection History built specifically for CF 28 response under 19 CFR 163.4, so the record exists and can be produced on demand.
How does GingerControl support the valuation control most importers skip?
GingerControl's Product Sandbox runs a Valuation Sanity Check that cross-references your declared value against USITC Average Unit Value benchmarks, surfacing valuation risk before CBP does rather than at audit. For a sourcing team comparing dozens of suppliers, this catches the under-declaration pattern that triggers loss-of-revenue findings. The dutiable-additions judgment, whether an assist or royalty is dutiable, still belongs to your compliance and finance teams; the tool quantifies the risk, your SOP assigns the decision.
Can GingerControl monitor policy changes as part of the post-entry control?
Yes. GingerControl's Compliance Radar matches Federal Register, CSMS, USTR, White House, and CBP Ruling changes to your actual Classifier and Sandbox records, so only notices that touch your SKUs surface, with one-click reclassify on impacted items. For a compliance officer triaging 15 to 20 notices a day, this is the monitoring component a Focused Assessment looks for, automated and logged. Compliance Radar is currently in private beta.
Does an AI tool weaken or strengthen my reasonable care position?
Used correctly, it strengthens it. Reasonable care under 19 USC 1484 is demonstrated by documented process, and GingerControl's audit-ready reports supply exactly the reasoning chain, GRI rules, Section and Chapter Notes, and CROSS references, that CBP evaluates. The control that matters is review: your SOP must route the AI research to a licensed broker for the final determination, per CBP Ruling HQ H290535 and HQ H350722. The AI is the research foundation for a broker's review, not the filer of record.
Where should an enterprise team start when there are no written SOPs at all?
Start with the function CBP samples first and the one most often undocumented: classification, then valuation. Write each as a six-part SOP with a named owner and a five-year evidence artifact before expanding to origin, recordkeeping, and post-entry. GingerControl's free 30-minute Compliance Audit reviews your current import flows and identifies the single highest-leverage control to document first, and the In-House Compliance Build-Out service takes it from there.
Where this fits in your in-house compliance build-out
If your trade compliance program lives in two people's heads instead of in written, testable controls, a Focused Assessment will find the gap before you do. GingerControl's Trade Advisory In-House Compliance Build-Out designs the documented control system, SOPs for classification, valuation, origin, recordkeeping, and post-entry corrections, mapped to roles and to the evidence CBP expects, and wires in the Classifier, Product Sandbox, and Compliance Radar as the tools that generate that evidence automatically. Every engagement starts with a free 30-minute Compliance Audit. Book your Compliance Audit
GingerControl is not just a tool. We work with importers and trade compliance teams on process consulting, control-system design, and end-to-end custom system development for in-house AI-augmented compliance. Talk to our team
References
[REF 1] U.S. Customs and Border Protection, Focused Assessment (FA) Program Data cited: Definition of the Focused Assessment as an assessment of the importer's internal control over import activities to determine acceptable compliance risk; the Pre-Assessment Survey (PAS), Assessment Compliance Testing (ACT), and Follow-Up phases; the Pre-Assessment Survey Questionnaire (PASQ). Source: CBP Focused Assessment Program
[REF 2] U.S. Customs and Border Protection, Importer Self-Assessment Handbook Data cited: The COSO five components of internal control (control environment, risk assessment, control activities, information and communication, monitoring) used to structure the internal-control questionnaire; the two required processes (controls for compliant transactions and an audit trail from accounting records to entry records). Source: CBP Importer Self-Assessment Handbook (PDF)
[REF 3] U.S. Customs and Border Protection, Reasonable Care, An Informed Compliance Publication (September 2017 revision) Data cited: The importer-of-record reasonable care obligation under 19 USC 1484; the topic-organized questions covering merchandise description and tariff classification, valuation, country of origin and marking, and recordkeeping. Source: CBP Reasonable Care ICP (PDF) Published: September 2017
[REF 4] Electronic Code of Federal Regulations, 19 CFR Part 163, Recordkeeping Data cited: Five-year retention from the date of entry; the (a)(1)(A) list of required records under 19 USC 1509(a)(1)(A); persons required to maintain and produce records on demand; CF 28 response retention under 19 CFR 163.4. Source: 19 CFR Part 163 (eCFR)
Written by
Chen Cui
Co-Founder of GingerControl
Building scalable AI and automated workflows for trade compliance teams.
LinkedIn ProfileYou may also like these
Related Post
UFLPA Compliance: A Forced-Labor Supply-Chain Due-Diligence Program for Multinationals
GingerControl maps how to build a UFLPA compliance program: rebuttable presumption, multi-tier supplier tracing, and detention response.
Building an Export Compliance Program (ECP): A Management System for EAR and ITAR
GingerControl maps the BIS EMCP elements and ITAR requirements into one export compliance program: classification, screening, audits, disclosure.
CBP Focused Assessment Readiness: From One-Time Prep to a Standing Audit-Readiness Program
GingerControl shows how to prepare for a CBP audit with a standing trade compliance audit readiness program, not one-time Focused Assessment prep.