I spent eleven years at CBP, the last six as a Senior Officer running classification audits on importers in the South Atlantic CEE. In that time I opened a file on every kind of compliance program: world-class, scrappy, sloppy, and a couple that were openly fraudulent.
The pattern that separated clean audits from painful ones was almost never the quality of the imports. It was the quality of the paperwork. Here's what auditors actually look for, in the order they look for it.
Step 1: the master classification list
The first thing I asked for was always the same: "Send me your current master HTS list, with classifications, effective dates, and the broker signature for each."
What I was looking for in 30 seconds:
- Is there a date on every row? If the classifications are undated, the importer is telling me the codes are valid forever. They aren't. HTS changes twice a year. An undated list is a list that hasn't been maintained.
- Is there a name on every row? Classification is an opinion. CBP wants to know whose opinion. If the names are all the same person, or all blank, that's a flag.
- Are there both current and historical versions? An importer with no classification history has either started recently or has been overwriting changes. Both are concerning. A clean program shows me the audit trail.
A list that fails any of these three tests guarantees a deeper audit. A list that passes all three buys me a strong prior that the rest of the program is well run.
Step 2: a sampled rationale check
I pick five to ten codes from the master list, weighted toward high-volume or high-duty-rate codes, and ask: "Walk me through the rationale on this one."
A confident answer sounds like this: "SKU 4421-A is classified at 6109.10.0027. We considered 6110.20.2040 because the garment has a partial knit construction, but the product is a t-shirt under General Rule of Interpretation 1. Our broker wrote a memo in March 2023 and we have CBP ruling NY N321-845 as supporting precedent."
A red-flag answer sounds like this: "I'd have to check with our broker." Or: "That's what our software classified it as."
The point is not that you need to be a customs lawyer. The point is that your program has to know why every classification is what it is, and that "why" has to be defensible without me leaving the conference room.
CBP doesn't expect you to be right on every classification. CBP expects you to have a defensible process. If a classification turns out to be wrong but your process was reasonable, the worst outcome is usually a recap adjustment. If your process is sloppy, even a correct classification becomes evidence of luck rather than diligence.
Step 3: the entry summary trace
I pull five recent entry summaries (7501s) at random and trace each one backward. I'm looking for one thing: does the HTS on the entry match the HTS in the master list, as of the date of entry?
If yes: I trust the master list.
If no: I now have a project. Either the entry was wrong, or the master list was wrong, or both have drifted. Either way, I'm going to widen the sample.
The worst version of this finding is when the discrepancy is consistent in one direction (the entries always favor the importer). At that point I'm not auditing; I'm building a case. Don't let your program land here.
Step 4: the CF-28 response history
If you've gotten Requests for Information (CF-28s) in the last 24 months, I want to see them. Specifically:
- Did you respond within the deadline?
- Were the responses complete?
- Did the response stand up, or did CBP follow with a CF-29 (Notice of Action)?
- If a classification was adjusted, did you propagate the new classification to all matching SKUs, or only the entry CBP asked about?
The last one is where I see the most damage. Importers respond to a CF-28 on one entry, adjust that entry, and never propagate. Two years later, the same wrong classification is on 800 more entries. Now we're talking about prior disclosures.
Step 5: the "tell me about your process" conversation
At this point I'm 80% done forming my opinion. The last 20% is a conversation. Who classifies new products before they're imported? What's the SLA? Who has authority to override a broker recommendation? When was the last classification training? Show me the documentation.
The importers I closed quickly were the ones whose answers were boring and specific. "Our broker classifies new SKUs within 5 business days of receiving the product spec. Our compliance manager has override authority but uses it twice a year on average. We do annual training every January with our broker plus an outside trade attorney. Here's the deck from this year's session."
The importers I opened a deeper file on were the ones whose answers were generic. "Our software does it." "Our broker handles everything." "It's been a while since we trained, but our team is experienced."
How to be the boring file
If you read this list and felt your stomach drop, the fix isn't software. It's process. Software helps you maintain the artifacts (dated, signed, versioned master lists; trace from entry summary back to classification rationale; CF-28 response logs). The hard part is the discipline to use those artifacts the same way every time.
That's what Mamora is built to do. Every classification is dated and signed. Every entry traces back. Every CF-28 response is logged and propagated. You don't have to remember to be defensible. The system makes "defensible" the easy path.
If you want a no-cost compliance program audit (we'll review your master list, sample five entries, and tell you what we'd find as auditors), drop us a line. We do this for prospects and customers alike. No pitch.