On-Site: What’s a C-TPAT Security Audit?

security-auditI’ve recently returned from a visit to our offices in China where I was able to attend a C-TPAT audit with our Supplier Development Manager, Jean Champlain.

A C-TPAT audit isn’t quite as common as a general QMS or ISO 9001 evaluation, but the information generated has significant value when you understand the scope.

“C‐TPAT (Customs-Trade Partnership Against Terrorism) seeks to safeguard the world’s vibrant trade industry from terrorists, maintaining the economic health of the U.S. and its neighbors. The partnership develops and adopts measures that add security but do not have a chilling effect on trade, a difficult balancing act.”

When we go on-site for a security audit, here’s the agenda:

  • Opening Meeting
  • Initial Factory Tour
  • General Information
    • Size of the factory, number of employees, hours of operations, shift details, etc.
  • Business Partner Requirements
    • Status as C-TPAT member, contracted carriers, etc.
  • Container / Trailer Requirements
    • Procedures to verify physical integrity, storage, seals, etc.
  • Personnel Security
    • Pre-employment verification, criminal background checks, identification, etc.
  • Procedural Security
    • Procedures, accuracy, delivery, etc.
  • Physical Security
    • Schedule, protective barriers, building construction, inspections, logs, alarms, etc.
  • Information Technology Security
    • Automated systems, passwords, policies, training, etc.
  • Security Training & Threat Awareness
    • Programs, frequency, confidentiality, etc.
  • Closing Meeting (Review)

The factory is notified in advanced and requested to have all written procedures and examples of supporting documentation readily available for each question. We ask that individual questions be assigned to various departments/individuals within the company.  All elements are evaluated based on what is done for the client’s parts/products regardless of what is done for other customers.  The score for each question is assessed according to the following:

  • Have the processes requiring control been identified and established?
  • How is the quality system documented, and are the processes appropriately described in the procedures?
  • Have the procedures been implemented and maintained as documented?
  • Are the procedures effective in providing the required results?

Scoring includes:

Complies with requirements: Has objective evidence to support the question, and has a written procedure (when required).

Improvement needed: Has objective evidence but procedure needs improvement, or maybe no written procedure or lacking objective evidence to support the question.

Non-conformance: No objective evidence to support the question (regardless of procedure) or lacking some objective evidence and no written procedure.

The score is based on the percent of questions that conform to requirements, percent that needs improvement and percent that have a major non-conformance.

The factory I visited with Champlain was quite organized, and our auditor carefully went through everything and completed a detailed checklist that relates to each item.  Several representatives from the factory presented evidence and answered questions throughout the day.  During the closing meeting, we reviewed the findings and discussed a few points for corrective action.

Improvement plans include:

  • Detailed description of action plan
  • Name of person responsible for improvement activity
  • Date when the improvement will be completed

In the end, C-TPAT reviews all aspects of the manufacturer’s security management system and provides invaluable feedback that is used in sourcing decisions. Ask us for an example report, or let us know if you have questions or want to schedule an audit!


  1. Mahmud says:

    I am a student. I’m preparing a project report on C-Tpat for my university .

    i’ve 2 question.

    1.How many score in C-TPat and what is the passing score?
    2. if the documentation and the original process are not matched(through CCTV checking) what score will deduct?

    please, your immediate support will help me to improve my Report.

    have a nice day.

    1. jennifer says:

      There is no standard score rate. Every industry or organization or country that require the implementation and assessment of C-TPAT will define its standard score.

      Here is the score rate applied by many of them in average, and related follow up decision:

      Low Risk Priority (86 – 100), Meet Expectations.
      Medium Risk Priority (76 – 85), Further Improvement Needed.
      High Risk Priority(0 – 75), Urgent Action Required.

      For the question 2, Can you provide more detail?

      –Jean Champlain, Supplier Development Manager

      1. Mahmud says:

        Thanks Jean,

        I got my 1st Q ans & its so helpful.

        In My 2nd Q I meant to say that, If any company do not following any C-tpat process, but before the audit they prepare all fake documentation.
        as a example they dont have any separated Parking & loading unloading area, but they show the document that they have. then what will be the procedure.
        another example is, a company do not follow the packing C-tpat procedure, but they show the fake docs.
        In this situation does a company Meet the C-TPAT expectations.

        Thank you again

        1. jennifer says:

          Our Supplier Development Manager provided the following comments:

          In general, preparing fake documentations for audits is not an easy job also for the factory, especially when they have to cover a lack of year or more.

          1) The time does allow them to do that,
          2) There is always something that shows something wrong. For example, same color pen was used to record data in record over months and months. Sometimes by the same handwriting characters.

          When an experienced audit discovers this, he should normally try to get sample records as much as possible, and as randomly as possible to prove the existence of a NCF.

          The document cannot shows sometime that does not physically exist. It’s just an expression of a commitment from the top management to have some facilities or systems in place to achieve a certain goal. Having a commitment been documented is already a step ahead to have it in place.

          In the case of that what it commitment is not in place, or does not provide evidences if it existing, many reasons could be in cause: maybe it’s in process, maybe operator not following the requirement. In such case, we score as HALF COMPLY (I).

          Regarding the example of “….they don’t have any separated parking & loading unloading area, but they show the document that they have it.” It makes no sense to say they have the area in place, while it does not exist. We should score as NC.

  2. Mahmud says:

    Hello Jennifer,

    thank you so much. your information really help me to prepare my report.

    recently i’ve join in a knitwear factory & most horrible think is happen with me that i have to face C-TPAT audit next month. However your BLOG and google is helping me and am taking preparation. my main challenge is to prepare the factory for audit. because its area is too small to following the C-TPAT critaria .

    anyway, thank you again. and pray for me.

    Have a nice day.

    1. jennifer says:

      Good luck with your audit! Please let us know if you have any other questions we can assist with.

      1. Mahmud says:

        Hello jennifer,

        How are you. we are maintaining 92 register book for C-TPAT. I want to share the name of those register book with you if you want please send me your email id.

        Have a nice day.

  3. Raul Hidalgo says:

    C- tap Security criteria is good working.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>