The purpose of an export control audit is to ensure that your organization is properly managing all compliance issues related to export activities.
Auditing is critical to an export control program as it helps identify gaps in compliance and assess the effectiveness of a company’s export control measures. Auditing should not be viewed as a separate activity but rather as a standard business practice and an integral part of a comprehensive export control program.
This is an important process; depending on the size and business of your company, compliance issues can be widespread, involving many people who have never heard of the EAR or ITAR, and who are unaware that their work involves exports.
For example, a programmer at a computer services company might have good reasons to share code snippets with programmers at a foreign subsidiary, but this could inadvertently be exporting controlled information. A sales representative might be doing the same thing if he provides a quote to an overseas company that includes specifications for certain types of machines.
Even sending CAD/CAM files to a U.S.-based contract manufacturer can result in an export violation when production is discovered to be conducted by a Chinese subsidiary.
A well-designed export control audit can uncover these types of everyday issues, leading to improved processes and significantly reduced organizational risk.
When discussing this type of audit, an easy starting point is to understand that it is different from an IRS audit, which is government-sponsored. However, in certain circumstances, the Directorate of Defense Trade Controls (DDTC) may direct a company to undergo an audit.
Whether you export under ITAR or EAR, the government does not have any program that involves randomly selecting companies for export control audits. Regulators may ask questions or investigate a company’s activities, but these instances are usually related to a specific transaction or issue.
The Bureau of Industry and Security (BIS), the Directorate of Defense Trade Controls (DDTC), and the Office of Foreign Assets Control (OFAC) all strongly recommend audits and even provide audit guidance (see Resources below), but no rules mandate audits.
Therefore, the decision to conduct any export control audit is an internal one. It is an important investment in risk management, helping to detect minor problems, avoid major ones, and demonstrate due care when problems arise.
Audit compliance and system design
An audit is different from an investigation; it is not an action taken in response to a specific problem or violation. It is a preventive measure.
The simplest type of audit considers compliance with existing processes and procedures.
But as an organization grows, even the most carefully designed processes can become outdated.
Acquisitions (domestic and international) may result in new products and new customers that require different treatment under export regulations. Outsourcing the manufacture of parts that were previously made in-house may require a new set of inspections and controls.
Even if U.S. foreign policy changes, existing practices may need to be reconsidered, particularly for companies that export under the International Traffic in Arms Regulations or dual-use items (items that can have both military and civilian uses), or those classified as part of the EAR 600 series (military items).
Therefore, more in-depth audits may be required on a regular, if not annual basis, to assess whether existing controls still provide the same level of assurance.
Assigning auditors
Audits can be conducted internally or with the help of external consultants.
When doing this internally, the export control manager can assemble a team consisting of compliance personnel and other interested parties.
Many companies have their own in-house experts who perform financial and quality audits, and because they have audit experience, they often get calls for export control audits as well.
If you are auditing compliance with established processes, then there is nothing wrong with doing this, and the designated auditor has the authority to enforce cooperation from all involved.
But if you need to review the process itself, the auditor’s general experience is not enough; you need a trained expert who is familiar with export regulations and compliance best practices.
This is usually an external consultant who brings the added value of fresh thinking and impartial analysis. It is common practice to conduct regular internal audits and periodically bring in external experts to provide benchmarks and in-depth reviews.
Setting range
The scope of the audit has a lot to do with the structure of the company and, of course, the company’s history of auditing export projects.
Audits can cover the entire organization, but for larger companies with complex structures and dispersed locations, it may be more feasible to develop a rotating audit system that covers all bases. For example, auditing domestic operations one year and foreign operations the next. Or auditing functional areas (such as R&D, manufacturing, and finance) in rotation, focusing on three or four areas each year.
Basic Methods
The type of information required when conducting an audit also varies greatly. One of the most important steps is to review the record keeping process. Export control regulations require companies to retain documents related to export transactions for five years.
A typical audit may include the following document requests:
- review written procedures and policy documents;
- Review documents related to a particular transaction, such as licenses and how to determine the classification of an item;
- Analyze data such as who the company works with in different locations, how often, and whether the risks involved in those relationships have changed;
- Assess the screening process for Specially Designated Nationals and Blocked Persons.
- Review random document sets (such as bills of lading or license applications) for consistency and completeness.
Audits involving non-tangible exports such as technology or data may require a different approach than audits involving manufactured products.
Audits may also involve interviews with personnel from various functions directly or indirectly related to exports, as well as on-site visits to remote or high-risk locations (such as a sales office in the Middle East or a manufacturing plant in China).
Audit Report
An audit is not complete until it is presented in the form of a written report. These reports can vary widely in length and format. I prefer shorter audits because they are easier to understand and, in my experience, are more likely to be used.
The written report should provide information on the methodology, findings, and recommendations. The report is usually provided in draft form, and appropriate stakeholders have the opportunity to review and comment before it is finalized.
If the audit does uncover questionable findings, you don’t want to wait until the final report has been thoroughly reviewed before taking action. Therefore, in an extensive audit, interim reports may be helpful. In addition, outlining recommendations to executives while the final report is being drafted may be an expedient way to draw attention to important findings.
Recommendations should include specific corrective actions, the department or individual responsible for taking action, and a realistic deadline. The company should audit these corrective actions within one year—or sooner, depending on the severity of the problem.
If a decision is made not to implement any recommendation, this should also be recorded, with reasons given.
resource
Do you have questions about export controls for your organization? Visit www.learnexportcompliance.com to learn about our company, our faculty, and our highly regarded Export Compliance Professional (ECoP®) certification program. To find upcoming e-seminars, live seminars and live webinars in the U.S., Europe, and elsewhere, and to browse our catalog of more than 80 on-demand webinars, visit our ECTI Academy. You can also call the Export Compliance Training Institute (540-433-3977) for more information.
Scott Gearity is President of ECTI, Inc.
Leave a Reply Cancel reply
You must be logged in to post a comment.