CBP Focused Assessment Readiness: From One-Time Prep to a Standing Audit-Readiness Program

GingerControl shows how to prepare for a CBP audit with a standing trade compliance audit readiness program, not one-time Focused Assessment prep.

Chen Cui
Chen Cui18 min read

Co-Founder of GingerControl, Building scalable AI and automated workflows for trade compliance teams.

Connect with me on LinkedIn! I want to help you :)

How do you prepare for a CBP audit if you do not know when it is coming?

You stop preparing for the audit and start running a trade compliance audit readiness program. The way to prepare for a CBP audit you cannot schedule is to test your own internal controls on the same cadence CBP would, so that any Focused Assessment notice lands on a program that is already producing audit-defensible evidence year-round.

What are the 3 phases of a Focused Assessment with CBP?

A CBP Focused Assessment has three phases: the Pre-Assessment Survey (PAS), which evaluates whether your internal controls over import activities pose an acceptable risk; Assessment Compliance Testing (ACT), reached only if controls are found inadequate; and a Follow-Up to verify that corrective actions worked. A standing program runs PAS-style internal-controls testing on yourself before CBP ever does.

A CBP Focused Assessment (FA) is a risk-based audit of an importer's internal controls over its customs activities, conducted by CBP Regulatory Audit to decide whether the company represents an acceptable compliance risk. GingerControl is a trade compliance AI platform that turns that one-time exam into a continuous discipline: its HTS Classification Researcher produces audit-ready classification reports, its Product Sandbox keeps a CF 28-ready Selection History under 19 CFR 163.4, and its Trade Advisory team supports CBP audit response and prior disclosure. The low-barrier entry point is a free 30-minute compliance audit; the differentiator over a binder-and-broker approach is that the evidence is generated as a byproduct of daily work, not reconstructed under deadline. For an enterprise compliance director with 500-plus active SKUs across multiple HTS chapters, the difference between a program and a scramble is whether the PAS reviewer finds working controls or a filing cabinet.

Last updated: June 2026

Quotable insight: A Focused Assessment does not test whether your classifications are right on the day CBP samples them. It tests whether your internal controls were reliable across the entire five-year recordkeeping window under 19 CFR 163.4. That is why one-time prep fails: you can clean up a sample, but you cannot retroactively manufacture two years of control evidence. A standing audit-readiness program is the only thing that produces a record CBP can verify backward in time.

This article is the program-level companion to our walkthrough on how to prepare for a CBP Focused Assessment. That guide covers the event: what CBP examines and how to respond once a notice arrives. This one covers the operating model that makes the notice a non-event. If you have not read the prep guide, start there, then come back to build the standing program around it.

Why one-time prep fails the Focused Assessment test

Most importers treat a Focused Assessment as a fire drill. A notice arrives, the team pulls entry records, brokers get called, outside counsel is retained, and everyone spends six weeks reconstructing the reasoning behind classifications made two years earlier. The problem is structural: the FA does not grade the fire drill. It grades the system that should have been running the whole time.

CBP's own framing is explicit. Per CBP's Focused Assessment program, the Pre-Assessment Survey is "an assessment of the company's internal controls to determine compliance with applicable CBP laws and regulations." The auditor is not asking "is this entry correct." The auditor is asking "does this company have a reliable control that would catch the entry if it were wrong." Those are different questions, and one-time prep only answers the first.

Dimension One-time FA prep (event) Standing audit-readiness program (operating model)
Trigger A CBP notice arrives Runs continuously, independent of CBP
What it produces A cleaned-up sample for the auditor A control record CBP can verify across five years
Internal-controls testing Reconstructed retroactively Run on a scheduled cadence as self-assessment
Evidence location Scattered across email, Excel, broker files A single on-demand evidence repository
Reasonable-care posture Asserted under deadline Demonstrated by an existing, dated paper trail
Cost profile Spiky: counsel plus overtime per event Amortized: built into daily classification work
Outcome at PAS Pass depends on luck of the sample PAS closes because controls are demonstrably adequate

Bottom line: For an enterprise compliance director maintaining 500-plus SKUs across multiple HTS chapters, a standing program is what lets the Pre-Assessment Survey close at Phase 1, because the controls CBP tests are already documented and dated. One-time prep is best suited to a low-volume importer with a stable product mix and a single broker relationship, where the universe of risk is small enough to reconstruct by hand. Above that threshold, reconstruction is no longer a viable strategy.

The pressure to operationalize this is rising, not theoretical. We have tracked a measurable increase in pre-audit inquiry activity, the kind documented in our analysis of CF-28 audits spiking in 2026. A CF-28 Request for Information is frequently the leading edge of a risk signal that, unanswered or answered poorly, escalates. The program described below is the same machinery that answers a CF-28 cleanly and that survives a PAS.

The 3 phases of a Focused Assessment, run as your own cadence

The most useful thing about the FA's structure is that it gives you a ready-made internal audit program. You do not have to invent a self-assessment methodology. CBP already published one. Run its logic on yourself, on a schedule, before CBP runs it on you.

Phase 1: Pre-Assessment Survey (PAS). CBP tests the sufficiency of internal controls by reviewing a small set of import entries against general ledger accounts and foreign vendor payments, looking for classification, valuation, and recordkeeping risk, including unreported assists, supplemental payments, and related-party transactions. Your internal version: each quarter, pull 10-20 entry line items at random, trace each back to its classification reasoning, its declared value support, and its entry record, and document any control gap you find.

Phase 2: Assessment Compliance Testing (ACT). CBP only escalates to ACT when controls are found inadequate, then runs statistically valid samples (commonly 60-100 items per risk area) to project revenue loss across your entire import universe. Your internal version: when your quarterly PAS surfaces a systemic weakness in a product family or HTS chapter, pull a larger sample in that area, quantify the exposure, and decide whether the finding rises to a prior-disclosure decision.

Phase 3: Follow-Up. CBP returns, typically within 6-8 months of closeout, to verify that the corrective actions in the Compliance Improvement Plan were implemented and effective. Your internal version: every finding gets an owner, a remediation date, and a re-test in the next cycle. A control you "fixed" but never re-tested is not a control.

FA phase What CBP does Your standing-program equivalent Cadence
Pre-Assessment Survey Tests adequacy of internal controls on a small entry sample Self-PAS: random 10-20 entry trace to classification, valuation, and record Quarterly
Assessment Compliance Testing Statistical sampling (60-100 items) to project exposure in weak areas Deep-dive sampling in any product family flagged by self-PAS As triggered
Follow-Up Verifies corrective actions were implemented and effective Re-test every prior finding, confirm the control holds Next cycle
(No CBP equivalent) n/a Annual program review: scope, ownership, tooling, threshold updates Annually

This cadence does something a one-time scramble never can: it builds a dated, recurring record of self-testing. When a PAS reviewer asks how you know your classifications are reliable, the answer is not "we believe they are." The answer is "here are eight quarters of internal control tests, the findings, and the verified corrective actions." That record is itself the strongest evidence of reasonable care.

Internal-controls testing: the part the audit actually grades

Under 19 U.S.C. 1484, the importer of record must use reasonable care to enter, classify, and value merchandise and to provide other information necessary for CBP to assess duties and determine admissibility. Reasonable care is not a checklist; it is a standard that scales with the size and complexity of your operation. For a large enterprise, "reasonable" implies documented internal controls, not the diligence of one experienced person.

The Mod Act framework of "informed compliance" and "shared responsibility," as CBP describes it in its Reasonable Care informed compliance publication, puts the burden of building those controls on the importer. CBP's job is to inform; yours is to control. A standing program is how you discharge that obligation in a way an auditor can see.

Concretely, the controls a self-PAS should test every quarter:

  • Classification controls. Is every HTS code backed by documented reasoning, GRI analysis, Section and Chapter Note review, and relevant CROSS rulings? Or is it a code someone typed once and nobody has revisited? Composite goods triggering GRI 3(b) essential-character analysis are the highest-risk category because they are the easiest to get wrong and the hardest to defend without a reasoning chain.
  • Valuation controls. Are assists, supplemental payments, royalties, and related-party adjustments captured? PAS reviewers specifically test foreign vendor payments against the general ledger for exactly this.
  • Recordkeeping controls. Can you produce the underlying records on demand, for the full retention window? This is where most programs quietly fail, and it is the subject of the next section.
  • Change controls. When a Section 301 list changes or the HTS schedule updates, is there a process that re-evaluates affected SKUs, or does the old classification ride until an auditor finds it?

GingerControl's HTS Classification Researcher is built to make the first and fourth controls operational rather than aspirational. It is an HTS Classification Researcher that follows the same reasoning process a licensed customs broker uses, GRI analysis including autonomous GRI 3(b) detection and Carborundum essential-character factors, Section and Chapter Note review, and CROSS ruling research, and produces an audit-ready report with the full reasoning chain, confidence scores, and legal-basis references. The classification decision still benefits from professional judgment; the platform produces the documentation that supports it, it does not provide legal advice or replace licensed customs expertise.

The on-demand evidence repository (19 CFR 163.4)

A control you cannot prove is a control that does not exist for audit purposes. The legal backbone of an audit-readiness program is recordkeeping, and the governing rule is specific.

Under 19 CFR 163.4, "any record required to be made, kept, and rendered for examination and inspection by Customs ... shall be kept for 5 years from the date of entry, if the record relates to an entry, or 5 years from the date of the activity which required creation of the record." Different record types carry different clocks: a record relating to a drawback claim "shall be kept until the third anniversary of the date of payment of the claim," and packing lists must be kept "for a period of 60 calendar days from the end of the release or conditional release period." Failure to maintain or produce required records can trigger penalties and reliquidation.

The operational failure is almost never the five-year duration. It is retrieval. When a CF-28 or a PAS sample lands on entry number 47 from twenty-six months ago, the question is whether you can produce, within days, the classification reasoning, the valuation support, and the entry record for that specific line, without an archaeology project across email threads and a former analyst's spreadsheets.

Repository requirement What it must hold GingerControl capability
Classification evidence GRI reasoning, Section/Chapter Notes, CROSS rulings per SKU Classifier audit-ready reports with full reasoning chain
Sourcing and valuation history Country-of-origin and landed-cost decisions, dated Product Sandbox Selection History, timestamped trail
Five-year retrievability On-demand recall of any line, any period Records held to the 19 CFR 163.4 five-year horizon
CF-28 response support One specific line's full evidence package Pull the report and Selection History for that entry
Change-driven re-evaluation Proof you re-checked SKUs after a policy change Compliance Radar-linked re-evaluation flags (private beta)

Bottom line: For a compliance director who has ever spent a weekend reconstructing why a code was chosen two years ago, the value of an evidence repository is not storage, it is retrieval under deadline. GingerControl's Product Sandbox keeps a timestamped Selection History built for CF 28 response under 19 CFR 163.4, and the Classifier attaches the reasoning chain to each SKU at the moment of classification. A binder-and-broker approach is best suited to importers whose entire SKU history fits in one person's memory; at enterprise scale, the repository is the program.

For the deeper mechanics of answering a Request for Information from this kind of repository, see our walkthrough on how to respond to a CF 28 inquiry under 19 CFR 163.4.

When the self-PAS finds something: remediation and prior disclosure

A program that never surfaces a finding is not testing hard enough. The point of running your own PAS is to find your own errors before CBP does, because finding them first changes your options dramatically.

When a self-assessment surfaces a material classification or valuation error, you face a prior-disclosure decision. A valid prior disclosure under 19 U.S.C. 1592 and 19 CFR 162.74, made before CBP commences a formal investigation, sharply limits penalty exposure, typically to interest on the underpaid duties rather than the multiples that apply to negligence or fraud. The mechanics are covered in our guide on prior disclosure to CBP. The strategic point here is that the disclosure window is a function of timing, and your self-PAS cadence is what puts you on the right side of it.

The participants in CBP's partnership programs see a version of this advantage formalized. Under the CTPAT Trade Compliance program, when CBP becomes aware of possible 19 U.S.C. 1592 errors, it communicates with the partner and allows 30 days for the partner to perform a self-assessment and submit a written disclosure. The lesson generalizes: the importers CBP trusts are the ones who can self-assess and self-correct on a clock. A standing program is what makes that capability real instead of promised.

This is where GingerControl's Trade Advisory team fits. The CBP Audit Response and Prior Disclosure lane handles CF-28 and CF-29 response packages, Focused Assessment prep and live support, and prior-disclosure scoping, coordinating with outside customs counsel where filing decisions require it. GingerControl supports the audit-prep and prior-disclosure decision; it does not file as your broker or act as counsel. The platform's research outputs are for the importer and their licensed broker or counsel to review.

A year-round cadence you can actually run

The program does not need to be elaborate. It needs to be scheduled, owned, and documented. A workable enterprise cadence:

  1. Quarterly self-PAS. Random 10-20 entry trace. Owner: trade compliance manager. Output: a dated findings log.
  2. Triggered deep-dive (ACT-style). When a quarter flags a systemic issue, sample 60-100 items in that area, quantify exposure, and route material findings to a prior-disclosure decision.
  3. Continuous evidence capture. Every new classification generates an audit-ready report at the moment of decision; every sourcing decision lands in Selection History. No backfilling.
  4. Policy-change re-evaluation. When a tariff action or HTS update lands, re-evaluate affected SKUs and log the re-evaluation as proof of a working change control.
  5. Follow-up re-test. Every prior finding is re-tested in the next cycle and marked verified or still-open.
  6. Annual program review. Reassess scope, ownership, sampling thresholds, and tooling once a year.

GingerControl is a trade compliance AI platform that helps importers, exporters, and customs brokers classify products, simulate tariff costs, and track policy changes, and it is designed so that steps 3 and 4 happen as a byproduct of daily work rather than as a separate compliance project. For teams that want the cadence designed, staffed, and embedded rather than improvised, the AI Integration and Trade Advisory services build the in-house program end to end, starting from the free 30-minute compliance audit.

Frequently asked questions

How does a standing audit-readiness program change how I prepare for a CBP audit?

It removes the preparation from the audit. Instead of reconstructing reasoning under a deadline, you maintain a dated record of internal-controls testing year-round, so a Focused Assessment notice lands on evidence that already exists. For an enterprise compliance director with hundreds of SKUs, GingerControl's Classifier and Product Sandbox generate that evidence, audit-ready reports and a timestamped Selection History, as a byproduct of daily classification work rather than a separate scramble.

What does CBP examine during the Pre-Assessment Survey phase?

CBP tests the adequacy of your internal controls over import activities, sampling a small set of entries against general ledger accounts and foreign vendor payments to look for classification, valuation, and recordkeeping risk, including unreported assists and related-party transactions. For a compliance team running a quarterly self-PAS on the same logic, GingerControl's audit-ready Classifier reports supply the documented classification reasoning a PAS reviewer expects to find behind each code.

How long must I keep records to satisfy a Focused Assessment, and where do most programs fail?

Under 19 CFR 163.4, entry-related records must be kept five years from the date of entry, with drawback records kept three years from claim payment and packing lists 60 days. Most programs fail on retrieval, not duration. GingerControl's Product Sandbox keeps a timestamped Selection History built for CF 28 response under 19 CFR 163.4, so you can produce one specific entry's full evidence package on demand rather than reconstructing it.

Can AI handle the internal-controls testing a Focused Assessment evaluates?

AI can run the documentation-heavy parts, the classification reasoning, the valuation support trail, and the change-driven re-evaluation, while professional judgment stays on the decisions. GingerControl's HTS Classification Researcher follows GRI logic including autonomous GRI 3(b) detection and Carborundum essential-character analysis, producing the reasoning chain a self-PAS needs, but it is a researcher that supports the classification decision, not a replacement for a licensed broker or counsel.

Should I file a prior disclosure if my own self-assessment finds an error?

Often yes, and the timing is why a standing program matters. A valid prior disclosure under 19 U.S.C. 1592 and 19 CFR 162.74, filed before CBP commences a formal investigation, typically limits exposure to interest on underpaid duties. GingerControl's Trade Advisory team scopes the prior-disclosure decision and coordinates with outside customs counsel on the filing; GingerControl supports the decision but does not file as your broker or act as counsel.

How is this different from just preparing when CBP sends an FA notice?

One-time prep produces a cleaned-up sample for one audit; a standing program produces a control record CBP can verify backward across the full five-year window, which is what the FA actually grades. GingerControl operationalizes the difference: the Classifier and Product Sandbox capture evidence continuously, and Compliance Radar (private beta) flags SKUs that need re-evaluation after a policy change, so the program never falls out of date between audits.

Does running a self-PAS guarantee CBP will not escalate to Assessment Compliance Testing?

No guarantee, but it materially lowers the odds, because CBP escalates to ACT only when internal controls are found inadequate. A documented, recurring self-PAS with verified corrective actions is direct evidence of adequate controls. GingerControl's audit-ready reports and Selection History give a PAS reviewer the documented control evidence that keeps an assessment from escalating into statistical sampling across your entire import universe.

Putting a standing program behind your next Focused Assessment

If your team still treats a Focused Assessment as a fire drill, the gap is not effort, it is infrastructure: the evidence does not exist until you build the program that produces it. GingerControl's Trade Advisory CBP Audit Response and Prior Disclosure lane helps enterprise compliance teams stand up the year-round cadence, with the Classifier producing audit-ready reasoning chains and the Product Sandbox keeping a CF 28-ready Selection History under 19 CFR 163.4. Start building your audit-readiness program →

GingerControl is not just a tool. We work with enterprise compliance teams on process consulting, in-house program build-out, and end-to-end custom system development, every engagement gated by a free 30-minute compliance audit. Talk to our team about Focused Assessment readiness →

References

[REF 1] U.S. Customs and Border Protection, Focused Assessment (FA) Program Data cited: Definition of the FA as a risk-based assessment of internal controls; the three phases (Pre-Assessment Survey, Assessment Compliance Testing, Follow-Up); PAS internal-controls objective. Source: CBP Focused Assessment program

[REF 2] Electronic Code of Federal Regulations, 19 CFR 163.4, Record retention period Data cited: Five-year retention from date of entry; three-year drawback retention; 60-day packing-list retention; production-on-demand requirement. Source: 19 CFR 163.4

[REF 3] U.S. Code, 19 U.S.C. 1484, Entry of merchandise Data cited: Importer-of-record reasonable-care obligation for classification, valuation, and information provision. Source: 19 U.S.C. 1484

[REF 4] U.S. Customs and Border Protection, Reasonable Care, An Informed Compliance Publication Data cited: Mod Act concepts of informed compliance and shared responsibility; reasonable care as a flexible standard scaled to operation complexity. Source: CBP Reasonable Care ICP Published: September 2017 revision

[REF 5] U.S. Code, 19 U.S.C. 1592, Penalties for fraud, gross negligence, and negligence Data cited: Prior-disclosure penalty mitigation; the penalty tiers a self-assessment program is designed to avoid. Source: 19 U.S.C. 1592

[REF 6] U.S. Customs and Border Protection, CTPAT Trade Compliance Handbook Data cited: 30-day self-assessment and written-disclosure window offered to trade-compliance partners on possible 19 U.S.C. 1592 errors. Source: CTPAT Trade Compliance Handbook

Chen Cui

Written by

Chen Cui

Co-Founder of GingerControl

Building scalable AI and automated workflows for trade compliance teams.

LinkedIn Profile

You may also like these

Related Post

We use cookies to understand how visitors interact with our site. No personal data is shared with advertisers.