SCAN security standard checklist


Document information

WHAT IS THE SCAN STANDARD? SCAN is the name of the set of standards for the "Supplier Assessment Network". SCAN is an abbreviation of the English phrase "Supplier Compliance Audit Network", which translates as "Network for auditing supplier compliance".

General (100%)

Question: Does the business license match the current location name and address as listed on the audit sheet?
  Actual: Yes / No
  Comments: No comments were provided

Must: Is there a primary point of contact (POC) identified regarding security matters?
  Actual: Yes / No
  Comments: No comments were provided

Question: Did the facility provide previous SCAN audit CAPAs to the auditor in preparation of this audit?
  Actual: No / Yes / NA
  Comments: This is the initial SCAN audit

Must: Has the audited location recently (within the last 60 days) participated in the free SCAN Security and Threat Awareness Training provided in advance of this audit?
  Actual: Yes / No
  Attachment: SCAN training certificate of the audittee.jpg
  Comments:

Risk Assessment (100%)

Must: Does the facility have a risk assessment that identifies vulnerabilities in the business plan?
  Actual: Yes / No
  Attachment: Risk assessment.jpg
  Comments: No comments were provided

Must: Is the facility risk assessment shared with business partners and contractors?
  CAPA Sent: 3/14/20, Due Date: 3/28/20
  CAPA: Insufficiency comments provided. Pls upload evidence for review to confirm the risk assessment has been shared with business partners and contractors, or describe in the comments area when and how the facility implemented this requirement.
  Actual: Yes / No
  Attachment: 7.Share risk assessment with business partners.pdf
  Comments: The company conducts an internal risk assessment at least once a year. Days after the risk assessment results are available, the departments are responsible for sharing the Company's risk assessment report with business partners and contractors by email or in writing, requiring the business partner's confirmation. Conduct training. Share "Risk Assessment" with business partners. Date completion 15/03/20

  CAPA Sent: 2/21/20, Due Date: 4/22/20
  CAPA: It is a good business practice to share your risk assessment with both your business partners, suppliers, and vendors to allow for coordination of corrective actions and business continuity planning. Please provide a summary in the comments section of how this gap has been resolved by the due date provided. If additional time is required, please describe your plan and provide a timeline for completion and implementation.
  Actual: Yes / No
  Comments: Modifying the business partner selection and management evaluation process, adding the content "The security department is responsible for sharing the Company's risk assessment report for business partners" by email or paper documents, requiring confirmation from business partners. Conduct training. The security department conducts:
  - Identify threats, identify hazards, assess risks, and give control methods for all operations of the department
  - Activities include regular and irregular activities (including activities of contractors and visitors)
  - Heads and deputy heads of departments are responsible for organizing the implementation of: identify threats, identify hazards, assess risks according to the frequency of this process
  - The director, the head of department or designee is responsible for identifying threats and identifying hazards of activities at the department
  - Where a department has high-threat, high-risk activities, the head of department is responsible for monitoring the control measures for that hazard
  - The security department is responsible for aggregating high-risk threats across the company for monitoring and control
  Relevant departments share "Risk Assessment" with business partners. The security department reviewed and re-evaluated the above implementation.

  Actual: Yes / No
  Comments: There was no evidence to prove that the risk assessment which was performed on 25th November 2021 was shared with business partners and contractors

Material: Does the facility risk assessment include vulnerabilities specific to contracted service providers such as contractors, seasonal employees etc.?
  Actual: Yes / No
  Comments: No comments were provided

Must: Is the facility risk assessment updated periodically?
  Actual: No updates noted or last update greater than 24 months ago / Last update within the past 12 months / Last update between 12 months and 18 months / Last update between 18 months and 24 months
  Comments: No comments were provided

10. Must: Define the facility's cargo mapping process (Select all that apply)
  Actual: A written cargo process map is available / No written cargo process map is available / The cargo process map includes transit times from origin to final container yard / The cargo process map includes locations where freight may be at rest / NA
  Comments: No comments were provided

11. Material: Define the facility's crisis plan (Select all that apply)
  CAPA Sent: 3/14/20, Due Date: 3/28/20
  CAPA: Insufficiency comments provided. Pls update your selection to match the previous answer selected by the auditor and provide a timeline to update the crisis plan to include alternative locations if the facility is rendered unusable.
  Actual: No documented crisis plan available / Crisis plan includes reporting crisis-related issues to business partners as necessary / Crisis plan includes alternative locations if facility is rendered unusable / Documented crisis plan available
  Attachment: 11.Plan for an alternative site in the event of a plant crisis.pdf
  Comments: Our company has factories in different locations. So in case the Factory is unusable, we can choose one of the following Factories:

  CAPA Sent: 2/21/20, Due Date: 4/22/20
  CAPA: Develop and share your facility crisis plan with all of your business partners. Include in your crisis plan alternative locations to establish operations in the event the facility is unusable for any significant period of time. Please provide a summary in the comments section of how this gap has been resolved by the due date provided. If additional time is required, please describe your plan and provide a timeline for completion and implementation.
  Actual: No documented crisis plan available / Crisis plan includes reporting crisis-related issues to business partners as necessary / Crisis plan includes alternative locations if facility is rendered unusable / Documented crisis plan available
  Comments: A business continuity plan (BCP) is a plan that describes how the Company will continue operating during an unexpected crisis or disturbance in the system. Business continuity planning (BCP) includes contingency plans for business processes, descriptions of quick response to emergencies, and detailed strategies on how business can be maintained during downtime for short and long term operations, ensuring that risks to assets, human resources and business partners are minimized, as well as every aspect of the Company that may be affected. The Company's Security Department needs to consider revising the Business Continuity Plan to add alternative locations if the facility is unusable during a crisis, specifically as follows: The planning department considers factors to identify and assess risks in business compared to the conditions of order production at another factory under the Company's system or associated with another manufacturing company, and chooses that factory/company as a backup replacement location if the facility is unusable during a crisis. After that, the security department conducts the first assessment of the standby factory/company to ensure proper and complete compliance with laws, compliance with social responsibility, Customs-Trade Partnership Against Terrorism (C-TPAT), security standards of the Company and other standards of the customer. After the assessment, the Board of Directors decides to choose the factory/company to become the backup replacement location; the Planning department makes a list to add to the Business Continuity Plan and continues to monitor and assess the compliance level of the partner based on current law and the customer's standard. The Security department is responsible for conducting periodic assessment and sharing the Company's risk assessment report with the factories/companies of the backup replacement.

  Actual: No documented crisis plan available / Crisis plan includes reporting crisis-related issues to business partners as necessary / Crisis plan includes alternative locations if facility is rendered unusable / Documented crisis plan available
  Attachment: Crisis plan.jpg
  Comments: The facility established the documented crisis plan on 28th September 2020 and reviewed this plan annually on 25 Nov 2021, but alternative locations were not mentioned

Business Partner Requirements (100%)

12. Question: Does the facility contract services such as security, transportation or manufacturing labor?
  Actual: Yes / No
  Comments: The facility used transportation service and security service providers with the below information: Transportation service provider

13. Must: Does the facility review and provide copies of security criteria to business partners, particularly those that support international supply chain activities?
  Actual: Yes - Security criteria reviewed and provided in local language / Yes - Security criteria is reviewed but not provided to business partners / No - Security criteria is not reviewed at all / Yes - Security criteria reviewed and provided in English only
  Attachment: Requirement for business partner.jpg
  Comments: No comments were provided

14. Must: Does the facility have written procedures used in the selection of business partners including: material suppliers, manufacturers, and logistics service providers? (Select all that apply)
  CAPA Sent: 3/14/20, Due Date: 3/28/20
  CAPA: Based on your comments, pls provide a completion date for review. Then update your selection to all the applicable options to get the full score.
  Actual: Documented screening process is available / Screening process is done on an annual basis / Screening process includes looking for evidence of money laundering and terrorism funding / No screening process takes place / Screening process includes monitoring for financial stability
  Attachment: 14 Business partner selection process.pdf
  Comments: Modify the process of evaluating, selecting and managing business partners:
  - Valid business license
  - Information about the license holder
  - Operation time of the company
  - Combat money laundering and terrorist financing
  - Financial stability
  The search and verification is based on:
  - Review the records
  - Find information about businesses online
  Supplement the basic information and other information that should be considered as above in the Supplier Selection Survey / Periodic Supplier Evaluation. Conduct training. Add profile to evaluate all list of business partners. Date completion 11/03/20

[question number and opening text cut off in preview] ... regulations to meet security requirements. Management randomly reviews documentation about CCTV footage periodically to ensure security procedures are being followed.
  Attachment: CCTV inspection report
  Actual: Yes / No
  Comments: There was no evidence to prove that Management review was performed to follow up CCTV footage

104. Critical: How many days are CCTV recordings kept?
  Actual: 90 or more days / Less than 30 days / Recordings not retained / 45 - 89 days / 30 - 44 days
  Comments: No comments were provided
  Actual: 90 or more days / Less than 30 days / Recordings not retained / 45 - 89 days / 30 - 44 days
  Comments: No comments were provided
  Actual: 90 or more days / Less than 30 days / Recordings not retained / 45 - 89 days / 30 - 44 days
  Comments: Data from the CCTV system was stored within 92 consecutive days since 16 November 2021

105. Must: Do employees display their ID badge at all times while at the facility?
  Actual: Yes / No / IDs carried but not displayed
  Comments: No comments were provided

106. Critical: Is a written procedure in place to require visitors to present photo identification upon arrival and have security or other authorized employee record their information in a log? (Select all that apply)
  Actual: Written procedure is available / Photo ID is required / Visitor Log is utilized / No written process is in place / Photo IDs are not checked
  Attachment: Computerized visitor logbook.jpg
  Comments: No comments were provided

107. Must: Is a written procedure in place to inspect a visitor's bag before entering and leaving the manufacturing, production or shipping area of the facility?
  Actual: Yes / No
  Comments: No comments were provided

108. Critical: Is a visitor issued a numbered visitor badge which is displayed or carried while at the facility?
  CAPA Sent: 3/14/20, Due Date: 3/28/20
  CAPA: Pls upload the visitor logbook which includes the "Number code" issued to visitors for review to support your selection.
  Actual: Yes / No
  Attachment: 108 Management of customers entering and exiting the factory.pdf
  Comments: The company establishes a guest management policy. This policy is issued to ensure absolute security in the factory and to comply with the customer's management regulations on the implementation of procedures to manage guests entering and leaving the factory.
  - Guests coming for business contact, including visitors, customers, suppliers or contractors, when entering the factory, must present identification documents and register their information and visitor card number on the software (dingtalk)
  - The security department is responsible for checking guest information and entry time, issuing guest cards (visitor card numbers are numbered 01 - 99, based on registered information), asking guests to wear cards during their stay at the company, and leading the guest to the person to contact. Guests must be escorted by a responsible person during their stay at the company. It is absolutely not allowed to let guests move freely within the company
  - When the guest leaves, the security guard is responsible for recovering the guest card and recording the guest's leaving time. For example, if the guest card is lost during the time in the factory or the guest leaves but forgets to return the card, the security guard must record the incident on duty and report it to the superior
  Instructions for use of the gate registration software for customers. Conduct training. Report on inspection of guest registration records. Date completion 18/02/20

  CAPA Sent: 2/21/20, Due Date: 4/22/20
  CAPA: Establish a practice where visitors are supplied a "visitor" badge that distinguishes them from others. Visitors should be required to display badges while on the premises. Provide an example in the comments section of how visitors are identified while in your facility.
  Actual: Yes / No
  Comments: The company establishes a guest management policy. This policy is issued to ensure absolute security in the factory and to comply with the customer's management regulations on the implementation of procedures to manage guests entering and leaving the factory.
  - Guests coming for business contact, including visitors, customers, suppliers or contractors, when entering the factory, must present identification documents and register their information and visitor card number on the software (dingtalk)
  - The security department is responsible for checking guest information and entry time, issuing guest cards (visitor card numbers are numbered 001 - 999, based on registered information), asking guests to wear cards during their stay at the company, and leading the guest to the person to contact. Guests must be escorted by a responsible person during their stay at the company. It is absolutely not allowed to let guests move freely within the company
  - When the guest leaves, the security guard is responsible for recovering the guest card and recording the guest's leaving time. For example, if the guest card is lost during the time in the factory or the guest leaves but forgets to return the card, the security guard must record the incident on duty and report it to the superior
  Instructions for use of the gate registration software for customers. Conduct training. Report on inspection of guest registration records.

  Actual: Yes / No
  Comments: It was noted that the facility provided ID badges with a number code for visitors. However, on random checking, it was noted that the number code was not recorded in the visitor logbook in June and July 2021. Management explained that visitors' information was input online via computer, but only the number code was separately recorded in the logbook by security staff, and they missed it

109. Critical: Is a visitor escorted at all times while at the facility?
  Actual: Yes / No
  Comments: No comments were provided

110. Material: Is a written procedure in place to inspect a suspicious package and mail for dangerous materials and/or contraband prior to distribution? A written procedure is in place to periodically inspect arriving packages for contraband.
  Actual: Yes / No / NA
  Comments: No comments were provided

111. Material: Are hazardous materials or high value goods stored at the facility? If so, are hazmat goods or high value goods segregated from other items?
  Actual: Yes / No / NA
  Comments: No comments were provided

Personnel Security (83%)

112. Must: Does the facility have a written procedure in place to validate information provided on an employment application, such as an address, previous employment history, education, personal or professional references, and a certification? (Select all that apply)
  Actual: Nothing in place / Policy is written / Education check / Reference check / Previous employment check / NA
  Comments: No comments were provided

113. Must: Are permanent and temporary job applicant(s) required to submit a written application for employment and provide proof of their identity? (Select all that apply)
  Actual: Written application required / Government issued ID required / No / NA
  Comments: No comments were provided

114. Must: If allowed by local law, is a written procedure in place to perform a background check on an applicant and employee who works in a sensitive area of the facility, such as personnel, shipping, computer systems, or contract employees? (Select all that apply)
  CAPA Sent: 2/21/20, Due Date: 4/22/20
  CAPA: If permitted, establish a process to background check employees at the time of hire, and this background check should be done periodically on active employees in critical positions. Please provide a summary in the comments section of how this gap has been resolved by the due date provided. If additional time is required, please describe your plan and provide a timeline for completion and implementation.
  Actual: Written policy is available / Criminal background checks completed / Credit check completed / Nothing in place / NA
  Comments: To ensure that the factory's Security policy operates highly effectively, the Board of Directors promulgates regulations on verifying employee background, as follows: Modifying the process of checking employee background, adding the following content:
  - Reviewing employee's credit information
  Conduct training. HR department checks background for applicants and employees working in sensitive areas.

  Actual: Written policy is available / Criminal background checks completed / Credit check completed / Nothing in place / NA
  Comments: The facility had a written procedure in place to perform a background check on an applicant and employee who works in a sensitive area of the facility, such as personnel, shipping, computer systems, or contract employees. They kept criminal background check reports of all sampled employees who worked in sensitive areas. However, they did not conduct credit checks for their employees

Security Training & Threat Awareness (100%)

115. Must: Is a security threat awareness training provided to all new employees and an annual refresher course for current employees?
  Actual: Training logs are kept to ensure required personnel attend the training / Management personnel randomly reviews documentation / There is no Threat Awareness training in place / Training program in place / Training provided annually for all employees / Training provided for new employees
  Comments: No comments were provided

116. Must: Does security threat awareness training cover security-related issues?
  Actual: Yes / No
  Comments: No comments were provided

117. Material: Is there an evaluation of understanding included at the end of a training session? (Select all that apply)
  Actual: No evaluations are conducted / Retraining is required if a successful score is not achieved / Evaluations are conducted / NA
  Comments: No comments were provided

118. Must: Does the facility provide training to employees who conduct security and agricultural inspections? (Select all that apply)
  Actual: Training material lists specific requirements / Training logs list employees working in this area / Training provided annually for existing employees with this job function / Training provided for new employees with this job function / No training logs for this specific criteria / No training material for this specific criteria
  Comments: No comments were provided

119. Must: Does training include security criteria for restricted areas of the facility such as final packing, shipping and receiving?
  Actual: Training material lists specific requirements / Training logs list employees working in this area / Training provided annually for existing employees with this job function / Training provided for new employees with this job function / No training logs for this specific criteria / No training material for this specific criteria
  Comments: No comments were provided

120. Must: Does Threat Awareness training inform employees of procedures to report suspicious activity or a security incident?
  Actual: Yes / No
  Comments: No comments were provided

121. Must: Does Threat Awareness training provide additional instruction to shipping and receiving employees regarding access controls, container and trailer inspection, and security seal control procedures? (Select all that apply)
  Actual: Training includes shipping & receiving controls / Training includes how to conduct container/trailer inspections / Training includes container/trailer sealing practices / Training includes how to control seals / No specific additional training is in place for shipping & receiving personnel
  Comments: No comments were provided

122. Must: Does the training program include Threat Awareness, Contraband, Human Smuggling and Terrorism?
  Actual: Yes / No
  Comments: No comments were provided

123. Material: Does the facility have a program to recognize an employee when reporting a security incident or recommending improvements?
  Actual: Yes / No
  Comments: No comments were provided

124. Must: Does training include identifying pest contamination?
  Actual: Yes / No
  Comments: No comments were provided

125. Must: Is there a documented training platform outlining the risks of Cybersecurity?
  Actual: Yes / No / NA
  Comments: No comments were provided

Misc (NA)

126. Describe the front of the factory building including any signage. Please attach a picture.
  Comments: The facility had 02 entrances per gate for employees/visitors and shipment vehicles. The gate was monitored by the security station
  Attachment: Facility name.jpg

127. Describe the guard station and facility access gates. Please attach a picture.
  Comments: There was a security guard monitoring at each entrance gate
  Attachment: Security guard station.jpg

128. Describe the buildings and structures for this location. Please attach a picture.
  Comments: The facility consisted of main buildings as follows:
  - 1st building (3-storey building) for office area
  - 2nd building (1-storey building): for the full manufacturing process: Input Material - Forming - Polishing - Cutting - Inspection - Packing - Finished goods warehouse
  - 3rd building (1-storey building) for canteen area
  Supporting areas: security room, employee and guest parking lot, waste storage area, toilet rooms, firefighting water pump, electric station, etc.
  Remark: There were 02 sister companies which are located under km from the audited facility. The companies are not covered in the audit scope; it was confirmed that the manufacturing process and employees were also isolated
  Attachment: Building Structure.jpg

129. Describe the shipping and receiving areas. Please attach a picture.
  Comments: The loading and unloading area was separated from the other areas. A fence and CCTV system were installed for the designated loading/unloading area. The security guard and designated personnel are stationed there when loading/unloading activity is taking place
  Attachment: Loading and unloading area.jpg

130. Describe how the perimeter of the facility is protected from unauthorized access. Please attach pictures.
  Comments: The facility was protected from unauthorized access by security guard patrol, CCTV system and perimeter fence
  Attachment: Perimeter fence.jpg

131. Describe the final packaging area. Please attach a picture.
  Comments: The final packing area was a separate area enclosed by fence. The facility installed a CCTV system to monitor the final packing area. The final packing area was also monitored by a supervisor
  Attachment: Final Packing area.jpg

132. Describe any container storage and vehicle parking areas and please attach a picture.
  Comments: i) The container storage area was monitored by security guard. ii) The employees' parking area was monitored by security guard and CCTVs
  Attachment: Employee parking lot.jpg

133. Did the Factory Representative and the Auditor sign the Opening Meeting Letter? Please attach the signed copy.
  Actual: Yes / No
  Attachment: Opening Meeting.pdf
  Comments: The facility cooperated during the audit process; the Opening Meeting letter was signed by the facility representative

Posted on: 14/06/2022, 16:56
