|
4. Risk Assessment and Audits
(a) Buyers and Suppliers Responsibilities for Risk Assessments and Audits
I. At acceptance of a contract between the Buyer and the Supplier, the Supplier agrees to Buyer's right to conduct risk assessments or audits of all transit, storage and warehousing locations that will be used for Buyer's assets. Buyer can nominate an agent to perform audits on behalf of the Buyer. Normally the Buyer or its agent shall notify the Supplier at least five working days in advance of any audit, detailing its nature.
II. Supplier shall ensure the TAPA certified audit body is engaged to ensure FSR audits and certification process is completed. Costs for TAPA certification shall be the responsibility of the Supplier.
III. The requirement for TAPA certification is also extended to Supplier's sub-contractor's facilities and in-transit locations, where used to transit Buyer's assets.
IV. The Buyer reserves the right to conduct unscheduled audits. The Buyer shall give a minimum of 24 hours notice to the Supplier
V. TAPA certified auditors shall inform the Supplier of assessment/audit results within ten working days from the completion of the audit. A summary of the probable findings/results should be given informally to the Supplier on the day of the audit/assessment at the closing conference.
VI. Supplier shall have deemed to pass the audit and certified if a TAPA FSR audit score of 60% or more is achieved and all mandatory items are scored at least 1. Supplier shall still be responsible for completing audit action items in the agreed time scale, even when certification is achieved. Clearance of the non-mandatory SCAR is at the option of the Supplier but must be disclosed to Buyer.
VII. When the TAPA certified auditor submits a SCAR (Supplier Corrective Action Requirement) to the Supplier associated with the audit findings, the Supplier shall respond to the auditor within ten working days, documenting the action to be taken, the date the action will be completed. SCAR completion dates may be negotiated between the auditor and the Supplier. However, unless the TAPA certification body approves a waiver from process, corrective action implementation shall not exceed sixty days from notification to the Supplier
VIII. The Supplier is required to complete self-audits of their facilities and their subcontractor's facilities as detailed in section IV paragraph(d).
(b) Monitoring Supplier Corrective Action Requirements
The Supplier shall submit to the TAPA auditor progress updates on all outstanding SCAR's at monthly intervals. Any SCAR's not completed on or before the due date are to be escalated by the Supplier's Security Representative to the Supplier's Management and reasons for non-compliance are to documented and communicated to the TAPA auditor. Supplier failure to address SCAR's may result in the TAPA certification being withdrawn or suspended. The Supplier has the right to appeal to TAPA directly if certification is withdrawn. TAPA will agree to a process for adjudication between the Supplier and the TAPA auditor and has the right to impose a resolution on both parties.
(c) Storage/Warehousing Building Classification Assessment
The Building Classification Assessment is designed to categorize the facility into one of three categories, "A" being the highest security requirement and "C" the lowest. For facilities not previously classified, the Supplier must complete a classification assessment before the effective date of the contract and give results to the Buyer. Separate TAPA audit forms for A, B, & C facilities exist. The Supplier, in cooperation with the TAPA auditor, shall complete the final classification assessment within 30 days of acceptance of contract. The TAPA Certification body shall periodically complete their own classification assessments and ultimately make the decision on the final classification to be assigned to each of Supplier facilities handling or storing of Buyer's assets. The Supplier or Buyer can request the facility to be re-assessed if either party considers the assessment category to have changed.
I. The Building Classification Assessment methodology is set forth below.
・Pre-Contract & where TAPA Certification has not been previously granted.
・Using TAPA audit forms Supplier classifies facilities that will be used in the transpiration of Buyers assets by being rated at least 1 in each of the mandatory audit areas and obtain a score 60% or greater on the audit score.
・Final classification is attained (within 30 days) when the Supplier facility complies with or has agreements in place with the TAPA auditor that will meet all the requirements of a category and is assessed by an independent TAPA auditor.
(d) Supplier/Buyer Facility Security Audit Schedule
For the duration of the contract the Supplier will conduct security audits of their or their subcontractor's facility in line with the audit schedule published below. The format of the audit is to be agreed with the Buyer. It is suggested the Supplier use the same audit format as the Buyer will use in Section 3. Results of Supplier self-audits shall be forwarded to the certifying body within 2 weeks of the self-assessment. A self-assessment is to be conducted annually within the anniversary month of the independent audit.
Supplier will allow Buyer to conduct audits when pre-arranged. Supplier will, as a minimum, audit the Supplier's facilities in line with the audit requirements published below. The Buyer or the TAPA Certified Auditor reserves the right to increase or decrease the frequency of the audits by giving prior notification to the Supplier. The format of the TAPA audits will be to use the standard audit format contained in Section 3.
| CLASSIFICATION |
SUPPLIERS/SUBCONTRACTORS SECURITY AUDIT REQUIREMENTS |
| "A" |
・Independent auditor: Certification audit conducted 1st year, validation audit conducted the following year (Note: Certification audits are conducted every other year)
・Supplier Self Assessment: Annually and submitted to TAPA CA body within two weeks of original certification anniversary.
|
| "B" |
・Independent auditor: Certification audit conducted 1st year, validation audit conducted the following year (Note: Certification audits are conducted every other year)
・Supplier Self Assessment: Annually and submitted to TAPA CA body within two weeks of original certification anniversary.
|
| "C" |
・No audits by Buyer or independent auditor
・Supplier audits, when requested by Buyer
|
|
5. Security/Loss Investigations
(a) Supplier Investigation Responsibilities
I. The Supplier, its agents and sub-contractors shall actively cooperate with law enforcement authorities, and the Buyer or their appointed agents in the conduct of an investigation into product, material or equipment that is lost, stolen, damaged or tampered with while under the responsibility of the Supplier or when the Supplier can provide assistance to any such investigation. All information, including regular updates, gathered by the Supplier, its sub-contractors or agents during the investigation shall be shared with the Buyer.
II. A reporting procedure shall be included in the Suppliers own security procedures, see Section 2
III. The Buyer shall have the right to oversee or participate in such investigations
6. Waivers
(a) Waivers
In exceptional circumstances, the TAPA CA may be confronted with a waiver request for a specific security requirement in part or whole on behalf of the supplier. TAPA has a sub team that reviews and approves/denies all waiver request. It is the TAPA CA's responsibility to decide whether the request is valid and that substantial mitigating reason(s) exist that led to the waiver application. Request for waivers are more likely to be approved by TAPA if alternative security controls are introduced to mitigate the security exposure.
Waivers are valid for up to a maximum of 1 year. The original requirement must be completed on the expiration date of the waiver or requested and approved again.
Waiver Process
I. Supplier considers a specific requirement in the FSR is not required from a security standpoint.
II. Supplier completes and submits Request For Waiver form to TAPA CA (See Section 3). One form should be completed for each FSR waiver request
III. TAPA CA reviews waiver request(s) and determines if request is valid. Each TAPA region currently administers waiver requests independently and the regional Board of Directors should be contacted for appropriate waiver process.
IV. If approved: -
・Waiver specifics are documented and signed by the TAPA Certified Auditor
・TAPA Certified Auditor assigns date for how long waiver will be approved, sends copy to Supplier
・Supplier will meet all requirements of waiver in agreed time scales. Failure to do so will result in waiver approval being removed.
・TAPA Certified Auditor informs Buyer of waiver.
V. If not approved:
・Supplier required to implement full requirement of FSR
7. Supplier Facility and Truck Security
(a) Procedures
Section 2 lists the detailed requirements for the Supplier's security procedures.
(b) Supplier Facility Security Requirements (Summary)
The Supplier's facility security is to be based on good physical barriers, the efficient operation of intruder alarm and CCTV surveillance and strict adherence to agreed operational procedures. The facility should not be located in an area that has a high incidence of crime or is adjacent to derelict land or a run-down area. Requirements for the Supplier's facility physical security are detailed in Section 2.
For purposes of audit, Preventive Measures are specific tactics to achieve acceptable levels of security for a given Area of Concern as identified in the TAPA audit form. These specific tactics have been identified through the knowledge and experience of industry security and logistics professionals, and represent best known methods and proven operational processes. However, in evaluating specific Preventive Measures of an individual Supplier, where such Supplier employs alternative methods that result in meeting or exceeding security requirements of the FSR, such methods shall be accepted, and rationale for acceptance noted in the audit"Comments" section. Additionally, specific tactics in the audit form that are in direct violation of Supplier documented policies and procedures shall be considered for removal from audit scoring on a case-by-case basis.
(c) Handling Operations
The various points at which the Buyer's assets will be transferred from one operation to another (i.e. truck to warehouse, warehouse to truck, truck to airline handler, airline handler to aircraft are all viewed as areas of risk. The Supplier shall ensure all procedures for these operations are detailed and communicated to the Buyer. The Supplier shall notify the Buyer of any known deviation from these procedures.
(d) High Value Shipments by truck (Summary)
Shipments of Buyer's assets by truck between the Suppliers facilities and delivery to the final destination shall are subject to minimum-security requirements. The table in Section 2 also specifies the truck security requirements. The level of Security required is dependant on independent agreement between Buyer and Supplier.
|
