DJBC validation is where AEO becomes real. You've drafted your manual, built your procedures, and logged your training hours — now DJBC's auditors show up, walk your facility, review your evidence, and interview your team. This visit typically lasts 2–4 weeks of active engagement and determines whether you'll be certified or sent back for rework.
This checklist surfaces the 12 questions DJBC auditors always ask, the common findings they discover, and how to pressure-test your readiness before validation begins.
The Validation Process
DJBC's validation typically follows this flow:
- Pre-validation notification (1–2 weeks notice) — DJBC confirms the visit date and sends a preliminary document request list
- Opening meeting — DJBC team introduces themselves, explains the scope, and schedules interviews
- Document review — Auditors examine your AEO manual, procedures, training records, audit reports, and compliance evidence (often parallel to facility tour)
- Facility tour — Walk-through of warehouses, offices, secure areas, and cargo-handling zones with security observations
- Staff interviews — Formal Q&A with your AEO Manager, operations leads, and key staff (usually 30–60 min per person)
- Findings discussion — DJBC debrefs with your AEO Manager, highlighting any gaps or non-conformities
- Post-validation report — DJBC delivers a written report with findings and timelines for corrective action (if needed)
Typical timeline: 2–6 weeks from findings to DJBC's decision (approve, approve with conditions, or request rework).
The 12 Validation Questions
Use these to stress-test your readiness. If your team can't answer confidently with evidence to back it up, that's a gap to fix now.
1. "Walk me through your trade data management system. Show me how you would retrieve all shipments imported by customer X in the past 18 months."
What they're checking: Can you access your own data? Do you maintain independent records beyond what your customs broker provides? Is your system organized and auditable?
Evidence needed:
- Live demo (ideal) or printout showing customer shipments, dates, HS codes, declared values, payment records
- Screenshots of your ERP or database interface
- Evidence that you reconcile broker filings against your records
- Data retention and backup procedures documented
Common finding: "Company has no independent data system; all inquiries must go through broker." This is a red flag. You need your own master record.
2. "Show me your internal audit from the past 12 months. What non-conformities did you find, and how did you fix them?"
What they're checking: Are you regularly monitoring your own compliance? Do you take findings seriously and act on them?
Evidence needed:
- Internal audit report signed and dated
- Audit checklist or scope document
- List of findings with severity levels
- Corrective action plans with evidence of closure (e.g., "Training gap found March 15 → Training re-delivered April 10 → Attendance roster attached")
- Management review meeting notes referencing audit findings
Common finding: "No internal audit conducted in the past year" or "Audit findings with no corrective actions." DJBC expects at least one comprehensive audit annually, plus ongoing spot checks.
3. "Has your AEO Manager completed training on PMK 137/2023 and the 7 requirements? Show me the training record."
What they're checking: Does your AEO Manager actually know the regulations they're responsible for managing?
Evidence needed:
- Training attendance record (date, facilitator, duration)
- Training materials or certificate showing PMK 137/2023 content covered
- For external training, provider credentials and course outline
- If internal, evidence of who delivered it and their qualifications
Common finding: "AEO Manager has no formal training record" or "Manager attended a one-hour seminar two years ago, then nothing."
4. "Have you conducted a customs classification audit in the past 12–24 months? Show me the results."
What they're checking: Are your HS codes and tariff classifications accurate? Do you catch errors before DJBC does?
Evidence needed:
- Classification audit report covering a sample of past shipments (e.g., 20–50 declarations)
- Audit methodology (who performed it, which shipments sampled, how classifications were verified)
- Findings: any misclassifications found? How were they corrected?
- Proof of corrective action (refilings, amended duty payments, training for staff)
Common finding: "Company has never conducted a classification audit" or "Audit sample too small to be credible."
5. "Can your AEO Manager produce your compliance procedures on demand? Walk me through how you handle a restricted-commodity import."
What they're checking: Are procedures documented and truly understood, not just theoretical?
Evidence needed:
- Procedure document for handling restricted commodities (e.g., steel, textiles, hazmat)
- Real example: a recent import of a restricted item, from order to customs clearance, with all documents
- Proof that staff followed the procedure (email approvals, customs documentation, payment records)
- Training records showing staff were trained on the procedure
Common finding: "Procedures exist, but staff don't follow them consistently" or "Procedure is generic and doesn't reflect actual practice."
6. "Show me your audited financial statements for the past 2 years. Are there any audit qualifications or concerns?"
What they're checking: Financial stability. Can you sustain AEO operations and meet customs obligations?
Evidence needed:
- Two years of audited statements (balance sheet, P&L, cash flow, auditor's opinion)
- Auditor's report with no going-concern qualifications
- Bank statements showing regular customs-duty payments
- No history of unpaid duties or tax arrears
Common finding: "Latest statements are 8 months old" or "Auditor noted a going-concern risk."
7. "What security incidents have occurred in the past 12 months? Show me incident reports and how you responded."
What they're checking: Do you detect and report security breaches, or do they go unnoticed?
Evidence needed:
- Incident-reporting log (ideally none, but if there were any: cargo damage, unauthorized access, security breaches)
- For each incident: date, description, investigation, root cause, corrective action
- Updated security procedures based on lessons learned
- If zero incidents reported, DJBC may be skeptical ("Do you actually monitor?")
Common finding: "No incident reports on file" or "Security breach discovered in audit that was never formally reported."
8. "Walk me through your staff onboarding. What compliance training do new hires receive?"
What they're checking: Does every person who touches customs understand their role and obligations?
Evidence needed:
- New-hire onboarding checklist or SOP
- AEO and compliance training content (slides, manual section, video)
- Signed acknowledgments from recent new hires
- Onboarding completion records for the past 2 years
Common finding: "No formal onboarding; new hires just watch someone else work."
9. "How do you stay updated on customs regulation changes? Show me examples from the past year."
What they're checking: Are you proactive about regulatory awareness, or do you only respond after violations?
Evidence needed:
- Evidence of subscribing to DJBC updates, industry newsletters, or trade associations
- Training records showing you taught staff about new rules (e.g., new tariff rules, updated lartas, MRA changes)
- Policy changes in your manual based on new regulations
- Communication to staff about regulatory changes
Common finding: "No evidence of monitoring regulatory updates."
10. "Can your AEO Manager produce your risk register? Walk me through top 3 risks and your controls."
What they're checking: Have you identified where things can go wrong, and are you managing those risks?
Evidence needed:
- Risk register document (risk description, probability, impact, control, owner, review date)
- Top risks typically include: tariff misclassification, restricted-commodity violations, financial payment delays, staff turnover, cybersecurity
- For each risk, evidence of the control in place (procedure, training record, audit check)
- Evidence of regular risk review (at least quarterly)
Common finding: "No risk register exists" or "Risk register is generic and not specific to our business."
11. "Are your 2 years of audited financials current and from a registered public accountant? Show me the accountant's credentials."
What they're checking: Are your statements legitimate and recent?
Evidence needed:
- Audited financial statements with auditor's opinion letter
- Auditor's firm name and registration number with Badan Pengawas Profesi Akuntan Publik (BPPAP)
- Statements dated within the past 6 months (if you're applying mid-year, provide interim statements + prior-year audited statements)
Common finding: "Statements are >12 months old" or "Accountant is not BPPAP-registered."
12. "If we found a compliance gap tomorrow, how would you address it? Walk me through your corrective-action process."
What they're checking: Do you have a system for addressing problems, or would you panic?
Evidence needed:
- Written corrective-action procedure
- Examples of past corrective actions (from internal audits) showing: problem identified → root cause → action plan → timeline → verification of closure
- Owner assignments and follow-up meeting notes
- Evidence that corrective actions are checked and verified
Common finding: "No formal CA process; management just tells staff to 'be more careful.'"
Common Findings and How to Avoid Them
| Finding | Why It Happens | How to Fix It |
|---|---|---|
| Trade data system is outsourced entirely to broker | Many companies assume the broker's system is enough | Maintain your own master data record, even if broker files declarations |
| No internal audit conducted | Seen as optional or administrative | Schedule annual audit 6 months before DJBC validation; conduct it formally |
| Training records are incomplete or generic | Training is ad-hoc, not systematic | Create annual training calendar; require attendance rosters and post-training checks |
| Procedures don't match actual practice | Procedures copied from templates and never updated | Audit your actual workflow, then document it; have procedures reviewed by operational staff |
| AEO Manager has no formal qualification or training | Seen as just a title, not a real role | Send AEO Manager to formal PMK 137/2023 training; keep certificate on file |
| Corrective actions from past audits are incomplete | Findings are logged but not acted upon | Assign owners, set deadlines, track closure evidence, review monthly |
| Security gaps (unlocked warehouses, no CCTV, poor access control) | "We trust our staff" mentality | Implement basic controls: locks, visitor log, basic CCTV, segregation of cargo types |
| No evidence of staff understanding AEO obligations | Training is one-way (lecture, no verification) | Add post-training quizzes, practical walkthroughs, and scenario discussions |
Pre-Validation Pressure Test
60 days before DJBC notification, run your own mock validation:
- Have an external consultant or internal audit team review your manual and evidence against these 12 questions
- Interview your AEO Manager and 2–3 ops staff using the questions above
- Identify gaps and build corrective actions into your calendar
- Conduct a full facility walk-through and security check
- Ensure all training, audit, and compliance records are current and organized
The Final Push
DJBC validation feels high-stakes, but it's fundamentally a readiness check. If you can answer these 12 questions confidently with evidence to back it up, you'll likely sail through.
Ready for Validation?
Learn more about our AEO certification service →
RKM Consulting has accompanied 60+ clients through DJBC validation. We run pre-validation mock audits, help close gaps, and provide on-site support during the actual validation visit. Let's make sure you're ready.