




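CAP for GSV Audit 2013

Audit type and date: TRU GSV Audit 2013
Audit firm: ITS
Auditor: Bond Liu (刘南邦)
CAP for audit report: Annual audit

48% Section: Personnel Security

SubSection: Documented Personnel Security Policies / Procedures

International Supply Chain Security Requirements & Criteria:
- A process must be in place to screen prospective employees and to periodically check current employees.

Exceptions Noted / Explanation:

Exception: Security guidelines for hiring are not evaluated periodically to ensure their effectiveness. The guideline was not evaluated every six months.
Explanation:
1. For every new hire, key information such as home address and work history is evaluated and recorded in the personnel file.
2. Each month a designated person reviews the ID card information of current employees; any ID found to be expired must be renewed immediately.
3. All company personnel use their ID card information for social insurance enrollment and for salary payment by bank card. Because the government social insurance system and the banking system are both linked to the public security bureau's personal identity information system, we would be notified if any employee had a criminal record. See PIC006-009.
Auditor comment: This finding is that the factory's hiring procedure is not evaluated every six months. The factory's hiring procedure dates from 2009.

SubSection: Personnel Screening

International Supply Chain Security Requirements & Criteria:
- A process must be in place to screen prospective employees and to periodically check current employees.
- Application information, such as employment history and references, must be verified prior to employment.
- Consistent with national regulations, background checks and investigations should be conducted for prospective employees.
- Periodic checks and reinvestigations for existing employees should be performed based on cause and/or the sensitivity of the employee's position.

Exceptions Noted / Explanation:

Exception: Background checks are not conducted on all applicants. No valid background check was conducted.
Explanation:
1. For every new hire, key information such as home address and work history is evaluated and recorded in the personnel file.
2. Each month a designated person reviews the ID card information of current employees; any ID found to be expired must be renewed immediately.
3. All company personnel use their ID card information for social insurance enrollment and for salary payment by bank card. Because the government social insurance system and the banking system are both linked to the public security bureau's personal identity information system, we would be notified if any employee had a criminal record. See PIC006-009.
Auditor comment: On the day of the audit, the factory did not provide employee background check records issued by the local police station or public security authority.

Exception: Employment history checks are not conducted.
Explanation:
1. For every new hire, key information such as home address and work history is evaluated and recorded in the personnel file.
2. Everyone must provide a copy of a valid ID card, which is kept in the personnel file. See PIC006, PIC007.
Auditor comment: On the day of the audit, the factory did not provide employee background check records issued by the local police station or public security authority.

Exception: Periodic and follow-up background checks are not conducted on employees based on circumstances and/or sensitivity/scope of employee responsibility. No follow-up background check was conducted.
Explanation:
1. Each month a designated person reviews the ID card information of current employees; any ID found to be expired must be renewed immediately.
2. All company personnel use their ID card information for social insurance enrollment and for salary payment by bank card. Because the government social insurance system and the banking system are both linked to the public security bureau's personal identity information system, we would be notified if any employee had a criminal record. See PIC006-009.
Auditor comment: On the day of the audit, the factory did not provide background check records, issued by the local police station or public security authority, for employees in sensitive positions.

SubSection: Identification System

International Supply Chain Security Requirements & Criteria:
- An employee identification system must be in place for positive identification and access control purposes.
- Employees should only be given access to those secure areas needed for the performance of their duties.
- Management or security personnel must adequately control the issuance and removal of employee, visitor, and vendor ID badges.

Exceptions Noted / Explanation:

Exception: The facility identification is not required for entry of personnel. Part of the employees did not wear ID badges when entering the facility.
Explanation: Company quality management requires that employees not let items such as ID badges, keys and mobile phones get mixed into products. Therefore, after entering the plant, unless there are special circumstances, employees put their ID cards and similar items in their own lockers to avoid accidentally mixing them into products, so some employees were not wearing ID cards in the work area.
Auditor comment: This point is that some employees enter and leave the factory without wearing ID badges. GSV requires employees to wear ID badges. During the factory walkthrough, a large proportion of employees were found not wearing badges; this issue has been discussed with the accompanying factory representative.

Exception: The ID does not include an indicator, i.e. a unique physical identifier such as a facial photograph or fingerprint.
Explanation: Every employee's ID carries a photograph, and daily attendance is recorded by fingerprint. See PIC 010-011.
Auditor comment: This point is that some employees enter and leave the factory without wearing ID badges. GSV requires employees to wear ID badges. During the factory walkthrough, a large proportion of employees were found not wearing badges; this issue has been discussed with the accompanying factory representative.

Exception: The security staff is not informed of missing IDs. No information was given to the security.
Explanation: Because we knew on the audit day that the auditor would want to see them, the records of personnel who had lost ID cards were taken from the guard room to the meeting room. They were therefore not seen in the guard room, but this was explained to the auditor and the records were shown to him. See PIC012.
Auditor comment: During the visit to the guard room, it was confirmed with the guard that the records of employee badge replacement and reissue were not kept in the guard room.

Exception: IDs are not required to access restricted areas. No specific access for the restricted areas.
Explanation: For special areas such as the packing department and the finished goods warehouse, there is a list of authorized personnel and a visitor register, and a designated person is responsible for the records. See PIC013-016.
Auditor comment: During the factory walkthrough, employees in sensitive positions were not effectively distinguished from others, including by color or armband. The accompanying factory representative is well aware of this issue. Neither the finished goods warehouse nor the container loading area had a list of authorized personnel.

Exception: Guards do not check employees' ID to monitor access to the restricted areas. No guard checked the employee ID.
Explanation: Because the company's guards are hired from xx security company and are not familiar with the company's internal management, access by company personnel to restricted areas is controlled by the supervisor of each restricted area. For special areas such as the packing department and the finished goods warehouse, there is a list of authorized personnel and a visitor register, and a designated person is responsible for the records. See PIC013-016.
Auditor comment: During the factory walkthrough, employees in sensitive positions were not effectively distinguished from others, including by color or armband. The accompanying factory representative is well aware of this issue. Neither the finished goods warehouse nor the container loading area had a list of authorized personnel.

SubSection: Education / Training / Awareness

International Supply Chain Security Requirements & Criteria:
- Written procedures must stipulate how seals are controlled and affixed to loaded containers, including recognizing and reporting compromised seals and/or containers to local Customs authorities.
- IT security policies, procedures and standards must be in place and provided to employees in the form of training.
- A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists at each point in the supply chain.
- Employees must be made aware of the procedures the company has in place to address a situation and how to report it.
- Additional training should be provided to employees in the shipping and receiving areas, as well as those receiving and opening mail.
- Specific training should be offered to assist employees in maintaining cargo integrity, recognizing internal conspiracies, and protecting access controls.

Exceptions Noted / Explanation:

Exception: New employee orientation does not include confirming that all onsite personnel are wearing ID at all times while in the facility premise. Part of the employees did not wear ID badges via on site observation.
Explanation: Company quality management requires that employees not let items such as ID badges, keys and mobile phones get mixed into products. Therefore, after entering the plant, unless there are special circumstances, employees put their ID cards and similar items in their own lockers to avoid accidentally mixing them into products.
Auditor comment: This point is that some employees enter and leave the factory without wearing ID badges. GSV requires employees to wear ID badges. During the factory walkthrough, a large proportion of employees were found not wearing badges; this issue has been discussed with the accompanying factory representative.

Exception: New employee orientation does not include recognizing internal conspiracies.
Explanation: New employee training is conducted according to company document "SM33/S-A1", the employee security awareness training material, so the training records only summarize the training items and do not detail the training content. See PIC017-019.
Auditor comment: The factory's anti-terrorism training records merely contain wording such as "anti-terrorism training", without the topics and content of the training. Under the standard, such training records are not acceptable.

Exception: New employee orientation does not include detecting unlawful activity. No such content was included.
Explanation: New employee training is conducted according to company document "SM33/S-A1", the employee security awareness training material, so the training records only summarize the training items and do not detail the training content. See PIC017-019.
Auditor comment: The factory's anti-terrorism training records merely contain wording such as "anti-terrorism training", without the topics and content of the training. Under the standard, such training records are not acceptable.

Exception: New employee orientation does not include maintaining cargo integrity. No such content was included.
Explanation: New employee training is conducted according to company document "SM33/S-A1", the employee security awareness training material, so the training records only summarize the training items and do not detail the training content. See PIC017-019.
Auditor comment: The factory's anti-terrorism training records merely contain wording such as "anti-terrorism training", without the topics and content of the training. Under the standard, such training records are not acceptable.

Exception: New employee orientation does not include computer security. No such content was included.
Explanation: New employee training is conducted according to company document "SM33/S-A1", the employee security awareness training material, so the training records only summarize the training items and do not detail the training content. See PIC017-019.
Auditor comment: The factory's anti-terrorism training records merely contain wording such as "anti-terrorism training", without the topics and content of the training. Under the standard, such training records are not acceptable.

Exception: New employee orientation does not include reporting compromised security infrastructure (broken locks, windows, computer viruses, etc.). No such content was included.
Explanation: New employee training is conducted according to company document "SM33/S-A1", the employee security awareness training material, so the training records only summarize the training items and do not detail the training content. See PIC017-019.
Auditor comment: The factory's anti-terrorism training records merely contain wording such as "anti-terrorism training", without the topics and content of the training. Under the standard, such training records are not acceptable.

Exception: New employee orientation does not include recognizing and detecting dangerous substances and devices. No such content was included.
Explanation: New employee training is conducted according to company document "SM33/S-A1", the employee security awareness training material, so the training records only summarize the training items and do not detail the training content. See PIC017-019.
Auditor comment: The factory's anti-terrorism training records merely contain wording such as "anti-terrorism training", without the topics and content of the training. Under the standard, such training records are not acceptable.

Exception: The facility does not have a security awareness program covering awareness of current terrorist threat(s), smuggling trends, and seizures in place to ensure employees understand the threat posed by terrorists at each point of the supply chain. No awareness training was provided to employees. The facility does not have a process in place requiring all personnel to participate in the security awareness program.
Explanation: The company draws up an annual security training plan each year and trains employees according to the plan. See PIC020.
Auditor comment: On the day of the audit, when the auditor asked whether the factory had conducted annual anti-terrorism training for employees, the factory representative answered that it had not.

Exception: Periodic updated training covering security awareness is not required. No periodic training was provided to employees.
Explanation: The company draws up an annual security training plan each year and trains employees according to the plan. See PIC020.
Auditor comment: On the day of the audit, when the auditor asked whether the factory had conducted annual anti-terrorism training for employees, the factory representative answered that it had not.

82% Section: Storage & Distribution

SubSection: Storage

International Supply Chain Security Requirements & Criteria:

Exceptions Noted:

Exception: The facility does not have fencing or other barrier materials to enclose cargo handling and storage areas to prevent unauthorized access. No fence was used in the finished goods warehouse and loading area.
Explanation: The company's finished goods warehouse is inside the packing area (the packing area is separated from other areas by a fence and doors), so no additional fence was installed for the finished goods warehouse. The loading area is inside the factory, and entry and exit through the main gate are controlled by guards, so no additional fence was installed, but the area is marked off with lines and warning signs are posted. See PIC035-036.
Auditor comment: The factory's finished goods warehouse is semi-open, has no door, and is not inside the packing area; there is also an elevator in the warehouse, and employees can enter and leave.

SubSection: Loading for Shipment

International Supply Chain Security Requirements & Criteria:
- Container integrity must be maintained to protect against the introduction of unauthorized material/person(s).
- Procedures must be in place to identify, challenge, and address unauthorized/unidentified persons.

Exceptions Noted / Explanation:

Exception: There are no security controls in place to prevent the introduction of foreign materials at point of loading. There was no security control in the shipping area.
Explanation: Since 2009 the company has implemented SM41/S-A1, the container and trailer security procedure, and SM42/S-A1, the container and trailer integrity inspection procedure. Container trucks undergo a 7-point inspection and control, and detailed information is recorded and photographs are filed. See PIC037-043.
Auditor comment: While visiting the factory's sensitive areas, including the finished goods warehouse, packing area and container loading area, the auditor found that when he entered and left these areas the factory did not remind him not to bring personal belongings into them.

Exception: Goods for shipment are tracked by the use of electronic and hardcopy procedures.
Explanation: After the goods arrive at customs, customs officers check whether the goods match the packing list. Therefore, no electronic device tracks the truck before the goods are transported to customs. However, the customs system can be used to track whether the truck has passed customs normally.
Auditor comment: This is not a finding; it was generated automatically by the system. No corrective action is needed.

Exception: The facility does not have fencing or other barrier materials to enclose cargo handling and storage areas to prevent unauthorized access. No fence was used in the finished goods warehouse and loading area.
Explanation: The company's finished goods warehouse is inside the packing area (the packing area is separated from other areas by a fence and doors), so no additional fence was installed for the finished goods warehouse. The loading area is inside the factory, and entry and exit are controlled by guards, so no additional fence was installed, but the area is marked off with lines and warning signs are posted. See PIC035-036.
Auditor comment: The factory's finished goods warehouse is semi-open, has no door, and is not inside the packing area; there is also an elevator in the warehouse, and employees can enter and leave.

Exception: The loading and departure of containers/trailers is not captured on CCTV and the recording is kept for 45 days. Fewer than 30 days of records were maintained.
Explanation: The company's CCTV recording is designed to retain 45 days. Because of a query from the ICTI audit, in order to preserve the December 2012 CCTV recordings on drive D, overwriting was not enabled for drive D and was enabled only for drive E. As a result, the February recordings directly overwrote the January recordings, while the December recordings were kept. Therefore, only the recordings for December 2012 and for 8 to 28 February 2013 were retained.
Auditor comment: GSV requires that at least the most recent 30 days of recordings be kept; the factory kept only 20 days.

Exception: Cargo is not identified, weighed and labeled to detect and report cargo shortages and overages during container/trailer loading. The goods were weighed by sample.
Explanation: The company weighs every shipment. The method is to sample several cartons, take the average weight and multiply it by the number of cartons to obtain the total weight, which is reported to customs. When the container truck arrives at customs, customs weighs it. If the container weight does not match the figure the company reported, customs will investigate for smuggling. See PIC044.
Auditor comment: The factory weighs only samples and does not weigh all goods.

Section: Physical Security

SubSection: Plant Security

International Supply Chain Security Requirements & Criteria:
- Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling/storage areas.
- All external and internal windows, gates and fences must be secured with locking devices.

Exceptions Noted:

Exception: The facility does not have an automatic intrusion detection or alarm system. No intrusion detection was installed.
Explanation: CCTV is installed along the factory's perimeter wall and is monitored by guards 24 hours a day, so no automatic alarm system was installed. An automatic alarm system is installed only in the finance office. See PIC060-061.
Auditor comment: No automatic alarm is installed on the factory perimeter; installing an alarm only in the finance office is not acceptable under the standard.

Exception: Locking devices are not used to control access to restricted areas. The finished goods warehouse was not locked.
Explanation: The finished goods warehouse is inside the company's packing area, so no separate door and lock were added.
Auditor comment: During the on-site walkthrough, the windows of the finished goods warehouse were found to be unlocked and could be opened from outside; this issue has been discussed with the accompanying factory representative.

Exception: Facility management does not review and approve the up-to-date list of employees with special access to controlled or sensitive areas. No approved name list was available in the loading area and finished goods warehouse.
Explanation:
1. All loading is done by packing department staff and the company has no dedicated loading workers, so the list of loading personnel is the same as the list of packing department personnel.
2. A list of authorized personnel is posted at the entrance of the packing department. See PIC021.
Auditor comment: Neither the finished goods warehouse nor the container loading area has a list of authorized personnel. It cannot be determined how personnel access to these areas is controlled.

SubSection: Perimeter Security

International Supply Chain Security Requirements & Criteria:
- Perimeter fencing should enclose areas around cargo handling and storage facilities.
- Cargo handling and storage facilities in international locations must have physical barriers and deterrents that guard against unauthorized access.

Exceptions Noted:

Exception: Physical barrier surrounding the perimeter of the property is insufficient/missing. Part of the perimeter was less than 2 meters high.
Explanation: The company has used a 2-meter perimeter wall since the factory was established; even at the lowest point it is just 2 meters above its foundation. In some sections the wall is less than 2 meters above ground level, but there is a drainage ditch below, so it is in fact still 2 meters above the foundation. See PIC057, PIC058.
Auditor comment: During the on-site walkthrough, one wall of the factory was found to be only 1.5 to 1.6 meters high. The factory representative explained that the wall belongs to the neighboring factory and that the factory cannot alter someone else's wall at will.

Exception: The facility has adjoining/overhanging structures or foliage which would potentially facilitate illicit entry over the fenced areas into the facility. Some goods were near the fence.
Explanation: There is a green belt along the foot of the factory wall, but no goods are in fact stored beside the wall. See PIC062.
Auditor comment: During the on-site walkthrough, a small concrete structure was found beside the factory wall, close against it, which could be used to get over the wall. The factory explained that the structure was formerly used to store diesel drums. See picture.

SubSection: Access Controls

International Supply Chain Security Requirements & Criteria:
- Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas.

Exceptions Noted / Explanation:

Exception: The placement of the cameras does not provide an adequate view of activities in relevant areas. Not enough view in the finished goods warehouse and the loading area.
Explanation: The finished goods warehouse and the shipping area are not large; the loading area is only big enough to park one container truck. Therefore only one camera is installed in each. See PIC022-023.
Auditor comment: The container loading area has only one camera, and its angle has been changed: it originally pointed at the loading area, but the factory has pointed it at the adjacent parking area.

Exception: Recordings (e.g., tapes or electronic files) are not kept for a minimum of 30 days or according to client specific requirement, whichever is longer. Fewer than 30 days of records were maintained.
Explanation: The company's CCTV recording is designed to retain 45 days. Because of a query from the ICTI audit, in order to preserve the December 2012 CCTV recordings on drive D, overwriting was not enabled for drive D and was enabled only for drive E. As a result, the February recordings directly overwrote the January recordings, while the December recordings were kept. Therefore, only the recordings for December 2012 and for 8 to 28 February 2013 were retained.
Auditor comment: GSV requires that at least the most recent 30 days of recordings be kept; the factory kept only 20 days.

SubSection: Visitor Controls

International Supply Chain Security Requirements & Criteria:
- Container integrity must be maintained to protect against the introduction of unauthorized material/person(s).
- Access controls must include the positive identification of all employees, visitors, and vendors at all entry points.
- Visitors must present photo ID for documentation purposes upon arrival.
- All visitors should be escorted and visibly display temporary ID.
- For deliveries, proper vendor ID and/or photo ID must be presented for documentation purposes upon arrival by all vendors.
- Visitors must present photo identification for documentation purposes upon arrival.

Exceptions Noted:

Exception: There is no positive identification process for recording all vendors and repair personnel and facility does not have a written procedure to challenge, identify, and remove unauthorized/unidentified persons. No photo identification was required for vendors.
Explanation: The CTPAT procedure document SM38/S-A1 sets out detailed requirements for identifying and controlling visitors such as vendors. See PIC024-025.
Auditor comment: A review of the factory's visitor and vehicle entry/exit records found that some visitors and vendors entered the factory without identity verification and without a valid ID number being recorded. During the on-site walkthrough, some vendors, such as those making deliveries, were also seen entering the factory directly without registering.

Exception: A visitors log which records entries and exits is not maintained. Some visitors were not issued the temporary ID badges.
Explanation: That visitor was about to park and register just as the auditor arrived at the gate to take photographs. The guard mistakenly thought that, because the auditor wanted to take photographs, the vehicle should not stop at the gate, and immediately let the vendor in. The vendor then dropped off the goods and drove out; the whole thing took less than 2 minutes.
Auditor comment: A review of the factory's visitor and vehicle entry/exit records found that some visitors and vendors entered the factory without identity verification and without a valid ID number being recorded. During the on-site walkthrough, some vendors, such as those making deliveries, were also seen entering the factory directly without registering.

Exception: Visitors and/or contractors are not required to wear temporary ID badges. Some visitors were not issued the temporary ID badges.
Explanation: Because some vendors are people the guards know well, the guards did not strictly follow the procedure document's requirement to issue temporary ID badges to visitors.
Auditor comment: no comment for this NC

Exception: Visitor ID badges are not controlled through numbering/coding to identify any missing badges. Some ID badge numbers were not recorded.
Explanation: The company's visitor badges carry the company's own logo for identification. Some visitors wear badges that differ from ours, so the guards have recorded the "badge number" on the visitor registration form. See PIC026.
Auditor comment: A review of the factory's visitor and vehicle entry/exit records found that visitor badge numbers were not recorded for some visitors.

Exception: Visitor ID badges are not controlled through a log of ID badges issued and returned.
Explanation: The guard did not fill in the visitor badge ID in a timely manner.
Auditor comment: The relevant information should be recorded.

Exception: There is no authorized employee supervising the contractors while at the facility. The contractors were not supervised via on site observation.
Explanation: Because some vendors are people the guards know well, and the factory is also very small, the guards did not strictly follow the procedure document in arranging for company staff to escort visitors.
Auditor comment: A factory representative should escort visitors while they are on the premises.

Exception: Photo identification is not required of all visitors. No photo identification was required for part of visitors.
Explanation: Because some vendors are people the guards know well, the guards did not strictly follow the procedure document's requirement that visitors present identification.
Auditor comment: Visitors should be required to present photo identification.

SubSection: Entering / Exiting Deliveries

International Supply Chain Security Requirements & Criteria:
- Visitors must present photo ID for documentation purposes upon arrival.
- For deliveries, proper vendor ID and/or photo ID must be presented for documentation purposes upon arrival by all vendors.
- Drivers delivering/receiving cargo must be positively identified before cargo is received/released.
- Measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain.

Exceptions Noted:

Exception: Conveyance drivers are not required to show positive identification. No photo identification was required for the conveyance drivers.

Exception: For conveyance entries/exits, records are not maintained for manifest check.
Explanation: For every vehicle entering the company, a guard checks whether it is carrying its own goods. If so, the quantity is recorded and verified on exit; if not, on exit the carrier must provide a "release slip" or "outbound delivery note" so that the quantity of goods can be checked. See PIC027.
Auditor comment: Under GSV requirements, this log must be kept in the guard room and verified by the guards.

Exception: For conveyance entries/exits, logs are not maintained with container number.
Explanation: Container trucks are tracked and recorded by the company's shipping staff, so the guards' log of external vehicle entries and exits only requires the license plate number when a container truck enters the company. The container number and seal number are recorded by the shipping staff on the finished goods container security tracking record. See PIC066.
Auditor comment: Under GSV requirements, this log must be kept in the guard room and verified by the guards.

Exception: For conveyance entries/exits, logs are not maintained with seal number.
Explanation: Container trucks are tracked and recorded by the company's shipping staff, so the guards' log of external vehicle entries and exits only requires the license plate number when a container truck enters the company. The container number and seal number are recorded by the shipping staff on the finished goods container security tracking record. See PIC066.
Auditor comment: Under GSV requirements, this log must be kept in the guard room and verified by the guards.

SubSection: Production, Assembly, Packing Security

International Supply Chain Security Requirements & Criteria:
- Measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain.

Exceptions Noted:

Exception: There are no security measures in place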