Guidance

C118-3 — section 3

Updated 22 January 2024

Application for Authorised Economic Operator status

For all forms you will need your Economic Operator Registration and Identification (EORI) number that starts with GB.

To complete this form you will also need the following information.

3.1 Audit trail, internal control system, flow of goods, stocktaking checks, recent customs routes audit reports

If your logistical accounting systems provide a full audit trail of your customs activities, tax-relevant movement of goods and accounting entries, give details.

The accounting system should include:

  • general ledger
  • sales ledger
  • purchase ledger
  • assets
  • financial statements – balance sheet, income statement, statement of cash flows and statement of stockholders’ equity
  • management accounts

The logistical system should include:

  • sales order processing
  • purchase order processing
  • manufacture
  • inventory – storage, warehousing
  • shipping or transport
  • supplier or customer lists

Your audit trail should include:

  • sales
  • purchases and purchase orders
  • inventory control
  • storage (and movements between storage locations)
  • manufacture
  • sales and sales orders
  • customs declarations and documentation
  • shipping
  • transportation
  • accounting, for example, invoicing, credit and debit notes, remittances or payments

Details about the computer system you use for your business in general and for customs matters in particular. Include if those 2 systems are integrated. You must give details about your actual computer hardware set up, if you:

  • rely only on a free-standing PC
  • use a PC network
  • have a ‘server’ based computer system
  • have a mainframe based computer system
  • use other systems or have a different set up

You must give details about your software, such as the programs which allow the computer to run and execute the software applications that support your business. For example, Windows or UNIX.

You must give details and the name of the supplier of the systems you use such as:

  • Enterprise Resource Planning (ERP) solution
  • accounting and logistical software
  • business software for small and medium sized enterprises
  • software developed by or for your business

Details about the separation of functions between development, testing and operation in your logistical accounting system.

Details about the separation of functions between users in your logistical accounting system.

Details on access controls in your logistical accounting system.

Details of traceability between business and declaration systems in your logistical accounting system.

Give details if your logistical systems are capable of distinguishing between UK and non-UK goods (or EU and non-EU goods if your authorisation covers Northern Ireland).

During the authorisation process, you’ll need to demonstrate:

  • the extent of computerisation
  • the hardware platform available and the operating system running on it
  • the segregation of functions between development, testing and operations
  • the segregation of functions among users
  • how access to the various parts of the system is controlled
  • if there have been any adaptations to the standard package
  • the list of ledger accounts
  • if the system makes use of verification interim accounts
  • how liabilities to customs, excise duty or VAT are recorded in the ledger
  • if you operate in batches
  • if your stock and financial records are linked
  • how you manage your records where these are maintained by a third party software provider

Details about the location where your computer activities are undertaken. If the activities, for example setting up standing data or keying data, are split between more than one location, tell us which activities are carried out at each location.

If your computer applications have been outsourced, give details such as who you outsourced applications to and how you manage access controls to these.

If you have in-house guidelines for your internal control system, provide a brief description of them and how and when they are updated. Examples of in-house guidelines include job instructions, employee training, instructions for checking faults and a proofreading process. This applies to departments such as: accounts, buying, sales, customs, production, material, merchandise management and logistics.

Give the following details about your internal control system audits if:

  • your internal control processes have been subject to any internal or external audit
  • it included an audit of your customs routines and a copy of your most recent customs routines audit report

When customs auditors visit your business, you’ll need to provide the reports as well as evidence of action taken to correct any deficiencies identified.

Brief description of the procedures for checking your computer files, for example standing data or master files, including how the procedures cover:

  • incorrect or incomplete recording of transactions in the accounting system
  • the use of incorrect or out-of-date permanent data such as number of articles and tariff codes
  • the inadequate control of the company processes in your business

Brief description of the registration procedure for the flow of goods starting from their arrival, including who keeps records and where they keep them.

Your registration procedures for before and during the arrival of goods should include:

  • purchase ordering procedures
  • confirmation of order
  • shipping or transport of goods
  • supporting documentation requirements
  • transport of goods from the frontier to your or your customers’ premises
  • receipt of goods at your or your customers’ premises
  • payment or settlement
  • how, when and by whom goods are entered into the stock record

During the storage of goods:

  • a clear assignment of a location for storage of the goods
  • safe storage of dangerous or hazardous goods
  • whether stock is recorded by value or quantity
  • existence and frequency of stocktaking
  • if a third party’s premises is used to store your goods, arrangements including reconciliation between your stock record and the third party’s stock record
  • if a temporary location is used to store the goods

During the manufacturing process of goods:

  • raising the works order
  • requisitioning of stock items and delivery from storage
  • manufacturing process, staff responsibilities, and records maintained
  • recipe codes
  • recording the manufactured product and unused stock in the stock records
  • use of standard manufacturing methods in the production

During the shipping process of goods:

  • receiving the customer order and raising a works or purchase order
  • informing the warehouse of the sale order or release of the goods
  • instructions to third party if goods stored elsewhere
  • picking
  • packing procedures
  • how, when and by whom the stock records are updated

Brief description of the procedures in place for checking stock levels. These should include the frequency of those checks and how you handle discrepancies, for example, stocktaking and inventory.

Your checking and quality control procedures should include the following items.

During the arrival of goods:

  • reconciling purchase orders and goods received
  • arrangements for returning or rejecting goods
  • arrangements for accounting and reporting short and over shipments
  • arrangements for identifying and amending wrong entries in the stock record
  • identifying non-UK goods in the system

During the storage of goods:

  • recording and controlling the stock
  • identifying UK and non-UK goods (not appropriate for Authorised Economic Operator Security and Safety (AEOS) status)
  • movement and recording of goods between locations in the same premises or different sets of premises
  • arrangements for dealing with breakages, deterioration or destruction of goods, losses and stock variations

During the manufacturing process:

  • monitoring and management controls of the manufacturing process, for example, rates of yield
  • how you deal with irregularities, variations, waste, by-products and losses in the manufacturing process
  • quality inspection of manufactured goods and recording of results
  • safe disposal of hazardous goods

During the shipping process of goods:

  • despatch or collection notes
  • transport of goods to your customers or to the frontier for re-export
  • raising sales invoices
  • instructions to agent for re-exports and raising, availability or control of supporting documents
  • acknowledgement of receipt or evidence of shipment of goods
  • returned goods – inspection, counting and recording in stock
  • payment and credit notes
  • dealing with irregularities, short shipments and variations

3.2 Customs routines, computer system backup and protection, security documentation, and compliance

Brief description of the documented procedures for verifying accuracy of customs declarations including if, and how, you verify them. This includes declarations submitted on your behalf, for example, by a customs agent or a freight forwarder.

As importers, exporters or warehousekeepers, your procedures should include:

  • how you make sure of the completeness, accuracy and timeliness of customs declarations you make yourself, including performing management checks
  • presentation or availability of supporting documentation
  • up-to-date details (names and addresses) of customs agents or third parties used
  • how customs agents are appointed, for example, the credibility and suitability checks you perform before you appoint them
  • the circumstances when agents are used
  • contracts detailing responsibilities, including the type of representation by customs agents, for example, direct, indirect
  • the way you provide clear and unambiguous instructions to your agent
  • how you provide supporting documents, for example, licences and certificates, to your customs agent, including presentation and retention or return
  • what the customs agent should do if the instructions are unclear
  • checking or verifying the accuracy and timeliness of your customs agent’s work by you
  • how you notify your customs agent of any errors or amendments regarding cleared entries
  • dealing with irregularities
  • voluntary disclosures of errors to customs

As third party representatives, your procedures should include:

  • contracts detailing responsibilities, including the type of representation to be used by you, for example, direct, indirect
  • how you make sure of the completeness, accuracy and timeliness of customs declarations you make, including performing management checks
  • prompt presentation or availability of supporting documentation
  • how your staff are aware of customers’ and contract requirements
  • what you do if the customers’ instructions are unclear or the details provided are wrong
  • what you do if you discover any errors or amendments regarding cleared entries
  • voluntary disclosures of errors to customs

Tell us if your company has documented instructions or guidelines on how to notify the competent authorities of irregularities. Examples of irregularities include suspicion of theft, burglary or smuggling.

During the visit by customs auditors, you must provide evidence that shows you regularly review the instructions. You should also prove that you keep records of any changes and tell your staff about them.

You should tell us if you’ve notified the competent authorities over the last year of any detected or presumed irregularities.

If you trade in goods that are under economic trade licences, give a brief description of how you deal with the licences for the import and export of these goods. You’ll need to provide evidence of how you handle licences and authorisations when we visit you.

If you deal with goods that need import and export licences connected to prohibitions and restrictions such as embargos or dangerous goods, tell us how you manage this. Procedures should be in place for handling these import and export licences. The procedures should include how you distinguish goods subject to prohibitions or restrictions from other goods. They should also include how you ensure compliance with those prohibitions and restrictions.

If you deal with goods under other import and export licences, provide details about the type of goods and any procedures in place for handling those other licences.

If you deal with goods that are classed as dual-use items, give details.

If you have implemented an Internal Compliance Programme (ICP), give details about how it is updated.

Details about your procedures for backup should include:

  • how long data is saved in the production system and how long this data is archived
  • if the business has a contingency plan for IT system disruption or failure

Your procedures should include details about:

  • the type of media and software format you use to store data
  • if you compress the data and at what stage
  • if you use a third party – the arrangements, frequency and location of any backup and archived information

Brief description of the actions you have taken to protect your computer system from unauthorised intrusion should include:

  • any intrusion testing that has been carried out
  • if you have had any IT security incidents in the last year

You should also include protection such as firewall, antivirus programmes and password protection.

Protective actions should cover:

  • an updated safety plan describing the measures in place to protect your computer system from unauthorised access, deliberate destruction of information or loss of information
  • details of whether you operate more than one system at more than one site and how they are controlled
  • who is responsible for the protection and running of your computer system – this should be more than one person so that they can monitor each other’s actions
  • details of firewalls, anti-virus and other malware protection
  • a business continuity or disaster recovery plan in case of incidents
  • backup routines including restoring all relevant programmes and data if there is a breakdown of the system
  • logs that record all actions of each user
  • whether the vulnerability management of the system is done periodically and who does it

Brief description about the computer system access rights, including:

  • how access rights for the computer systems are issued – access to sensitive information should be limited to staff who are authorised to change or add to it
  • who is responsible for the running and protection of the computer system
  • guidelines or internal instructions for IT security for your personnel
  • how you monitor that IT security measures are followed in your business

Your access rights procedures should include:

  • how you issue authorisation for access and the level of access given
  • who issues passwords, the format for setting them and the frequency of changes
  • maintenance, updating and removal of user details

Details of where your main server is located and how it is secured.

Brief description of the actions in place to protect information and documents from unauthorised access, abuse, intentional destruction or loss. Examples of protection include: restricted access rights, creation of electronic backup and a clear desk policy.

Your actions should include:

  • recording and backup of documents including scanning and microfiche, and limiting access
  • an updated safety plan describing the measures in place to protect documents from unauthorised access as well as their deliberate destruction or loss
  • the filing and safe, secure storage of documents including responsibilities for their handling
  • dealing with incidents which compromise document security

If there have been any cases of unauthorised access to documents in the last year, give details of the actions taken to prevent it happening again. Your actions should include:

  • testing your system against unauthorised access and recording the results
  • business continuity or disaster recovery plan
  • documented remedial action taken as a result of any actual incidents

Details about documentation security for employees including:

  • the categories of employees who have access to detailed data about the flow of materials and goods
  • the categories of employees who are authorised to change the data
  • if the changes to the data are comprehensively documented

Brief description about what security and safety requirements you need from your trade partners and other contact persons in order to avoid abuse of information, such as unauthorised transfer of shipping details, including:

  • if security declarations or agreements are in place with your trade partners
  • how you make sure information or goods are safe and secure with trade partners