The point of an export control audit is to ensure your organization is taking proper care in managing all the compliance issues related to export activities.
Audits are essential for export control programs as they help identify gaps in compliance and assess the effectiveness of the company’s export control measures. An audit should not be seen as a separate activity, but rather as a standard business practice and an integral part of a comprehensive export control program.
It’s an important process; depending on your company’s size and business, compliance concerns can spread far and wide, involving many people who have never heard of the EAR or ITAR, and who don’t realize their work has anything to do with exporting.
For example, a programmer at a computer services company who has good reason to share snippets of code with a counterpart at a foreign subsidiary may inadvertently be exporting controlled information. A sales rep whose quote to an overseas company includes specifications for certain types of machinery may be doing the same.
Even sending CAD/CAM files to a U.S.-based contract manufacturer has resulted in export violations when it was discovered that production was being done by an affiliate in China.
A well-designed export control audit can uncover such everyday issues—leading to process improvements that significantly reduce organizational risk.
A simple starting point for any discussion of such an audit is to understand that it’s not like an IRS audit, which is initiated by the government. However, in some circumstances, the Directorate of Defense Trade Controls (DDTC) might instruct companies to conduct audits.
Whether you export under the ITAR or the EAR, the government doesn’t have any program that involves randomly selecting companies for an export control audit. The relevant regulatory body may ask questions or investigate a company’s activities, but these instances will generally relate to specific transactions or issues.
The Bureau of Industry & Security (BIS), the Directorate of Defense Trade Controls (DDTC) and the Office of Foreign Assets Control (OFAC) all strongly recommend audits and even provide guidelines for doing them (see “Resources” below), but there is no rule that mandates them.
So the decision to conduct any sort of export control audit is an internal one. It’s an important investment in risk management to identify small problems, avoid big ones and demonstrate due diligence in case trouble does arise.
Auditing compliance vs. system design
An audit isn’t the same as an investigation; it’s not something you do in response to a specific concern or violation. It’s preventive medicine.
The simplest type of audit considers adherence to existing processes and procedures.
But as organizations evolve, even well-designed processes can grow outdated.
Acquisitions – domestic and international – can introduce new products and customers that require different handling under export regulations. Outsourcing manufacturing for a component that was previously built in-house can require a whole series of new checks and controls.
Even changes in U.S. foreign policy can necessitate rethinking existing practices particularly for companies that export under the ITAR or dual-use items (goods that serve both military and civil purposes), or those classified in the EAR 600 series (military items).
So periodically, if not every year, a deeper audit may be necessary to evaluate whether existing controls are still providing the same level of assurance.
Assigning an auditor
Audits can be conducted internally or with the help of outside consultants.
When conducted internally, the export controls manager can assemble a team comprising compliance personnel and other relevant parties.
Many companies have their own internal experts who conduct finance and quality audits, and because they have auditing experience, they often get the call for export control audits as well.
This is fine if you’re auditing for compliance with established processes—and if the assigned auditor has the authority to compel cooperation from everyone involved.
But if it’s time to review the processes themselves, general experience as an auditor isn’t enough; you’ll need a specialist who is well-trained and up to date on the export regimes and compliance best practices.
This will often be an outside consultant, who brings the added value of fresh thinking and unbiased analysis. It’s commonplace to do a regular internal audit and periodically go to outside experts to provide benchmarking and in-depth review.
Setting the scope
The scope of an audit has a lot to do with the company’s structure—and, of course, its history of auditing export programs.
Audits can cross the entire organization, but for larger companies with complex structure and multiple locations, it may be more feasible to develop a rotation that covers all the bases over time. For example, domestic operations one year and foreign operations the next. Or auditing functional areas (such as R&D, manufacturing and finance) on a rotating basis, with three or four areas getting attention each year.
Basic methodology
The type of information that’s needed when conducting an audit can also vary widely. One of the most important steps is to review the recordkeeping process. Export control regulations mandate that companies retain documents pertaining to export transactions for five years.
A typical audit might include document requests to:
- Review written procedures and documentation of policies;
- Review paperwork related to specific transactions, such as licenses and how an item’s classification was determined;
- Analyze data, such as who the company works with in various locations, how often and whether the risk involved with any of these relationships has changed;
- Assess the screening process for Specially Designated Nationals and Blocked Persons.
- Review random sets of documents, such as bills of lading or license applications, for consistency and thoroughness.
Audits involving less tangible exports, such as technology or data, may require a different approach than those involving manufactured goods.
Audits may also involve interviews with people in various functions related directly or indirectly to exports, and site visits to remote or high-risk locations—such as a sales office in the Middle East or a manufacturing facility in China.
Audit reports
No audit is complete until it’s been encapsulated in a written report. The length and format of these reports can vary widely. I like shorter audits because they’re easier to understand and, in my experience, more likely to be used.
The written report should provide information about methodology, findings and recommendations. It’s usually provided as a draft, with opportunity for appropriate stakeholders to review and make comments before it becomes final.
If an audit does turn up problematic results, you don’t want to wait to act on them until the final report has been fully vetted. So in an extensive audit, interim reports may be helpful. Also, while the final report is being drafted, an overview for executives of the recommendations may be an expedient way to bring attention to important findings.
Recommendations should include specific corrective actions, the department or individual(s) responsible for taking the action and realistic deadlines. Companies should conduct an audit on these corrective actions within a year – or earlier, depending on the severity of the issue.
If a decision is made not to follow through on any recommendations, that should be documented as well, along with the reasons why.
Resources
- BIS provides a manual with in-depth insights on designing an effective export compliance program and audit routine under the EAR.
- For exporting under the ITAR, the DDTC provides International Traffic in Arms Regulations (ITAR) Compliance Program Guidelines.
- OFAC, which administers and enforces U.S. sanctions programs, also offers a document with recommendations in its Framework for OFAC Compliance Commitments.
- The Export Compliance Institute offers a number of relevant trainings, including the on-demand webinar, Bringing Export Compliance into the New Century: A Roadmap for a Modern Export Compliance Program.
Do you have questions about your organization’s export controls? Visit gy3.soadonefnet.com to learn about our company, our faculty, our staff and our esteemed Export Compliance Professional (ECoP®) certification program. To find upcoming e-seminars, live seminars in the U.S., Europe and elsewhere, and live webinars and browse our catalog of 80-plus on-demand webinars, visit our ECTI Academy. You can also call the Export Compliance Training Institute at 540-433-3977 for more information.
Scott Gearity is President of ECTI, Inc.