The point of an export control audit is to ensure your organization is taking proper care in managing all the compliance issues related to export activities.

Audits are essential for export control programs as they help identify gaps in compliance and assess the effectiveness of the company’s export control measures. 审计不应被视为一项单独的活动, but rather as a standard business practice and an integral part of a comprehensive export control program.

It’s an important process; depending on your company’s size and business, 合规性问题可以广泛传播, 涉及许多从未听说过EAR或ITAR的人, 他们没有意识到他们的工作与出口有关.

For example, a programmer at a computer services company who has good reason to share snippets of code with a counterpart at a foreign subsidiary may inadvertently be exporting controlled information. A sales rep whose quote to an overseas company includes specifications for certain types of machinery may be doing the same.

即使将CAD/CAM文件发送到美国.S.-based contract manufacturer has resulted in export violations when it was discovered that production was being done by an affiliate in China.

A well-designed export control audit can uncover such everyday issues—leading to process improvements that significantly reduce organizational risk.

A simple starting point for any discussion of such an audit is to understand that it’s not like an IRS audit, 哪个是由政府发起的. However, 在某些情况下, the Directorate of 国防贸易管制 (DDTC) might instruct companies to conduct audits.

你是根据ITAR还是EAR出口, the government doesn’t have any program that involves randomly selecting companies for an export control audit. The relevant regulatory body may ask questions or investigate a company’s activities, 但这些实例通常与特定的交易或问题有关.

工商局 & 安全(BIS), the Directorate of 国防贸易管制 (DDTC) and the Office of Foreign Assets Control (OFAC) all strongly recommend audits and even provide guidelines for doing them (see “Resources” below), 但并没有规定要求他们这样做.

So the decision to conduct any sort of export control audit is an internal one. 识别小问题是风险管理中的一项重要投资, 避免大问题,并在出现问题时表现出尽职调查.

审计遵从性vs. system design

An audit isn’t the same as an investigation; it’s not something you do in response to a specific concern or violation. 这是预防医学.

The simplest type of audit considers adherence to existing processes and procedures.



Acquisitions – domestic and international – can introduce new products and customers that require different handling under export regulations. Outsourcing manufacturing for a component that was previously built in-house can require a whole series of new checks and controls.

即使是U的变化.S. foreign policy can necessitate rethinking existing practices particularly for companies that export under the ITAR or dual-use items (goods that serve both military and civil purposes), 或ear600系列(军用物品).

所以定期, 如果不是每年都这样, a deeper audit may be necessary to evaluate whether existing controls are still providing the same level of assurance.



在内部进行时, the export controls manager can assemble a team comprising compliance personnel and other relevant parties.

Many companies have their own internal experts who conduct finance and quality audits, 因为他们有审计经验, 他们也经常接到要求进行出口管制审计的电话.

This is fine if you’re auditing for compliance with established processes—and if the assigned auditor has the authority to compel cooperation from everyone involved.

但如果是时候回顾一下流程本身, general experience as an auditor isn’t enough; you’ll need a specialist who is well-trained and up to date on the export regimes and compliance best practices.

这通常会是一个外部顾问, 谁带来了新思维和公正分析的附加价值. It’s commonplace to do a regular internal audit and periodically go to outside experts to provide benchmarking and in-depth review.


审计的范围与公司的结构有很大关系, of course, 审计出口项目的历史.

审核可以跨越整个组织, 但对于结构复杂、多地点的大公司来说, it may be more feasible to develop a rotation that covers all the bases over time. 例如,国内业务一年,国外业务一年. 或者审计功能区域(如R&D, (制造业和金融业)轮流任职, 每年有三到四个领域受到关注.


The type of information that’s needed when conducting an audit can also vary widely. 最重要的步骤之一是审查记录保存过程. Export control regulations mandate that companies retain documents pertaining to export transactions for five years.


  • 审核书面程序和政策文件;
  • 审查与特定交易相关的文书工作, 例如许可证和如何确定一个项目的分类;
  • Analyze data, 比如公司在不同地点与谁合作, how often and whether the risk involved with any of these relationships has changed;
  • Assess the screening process for Specially Designated Nationals and Blocked Persons.
  • 随机查看一组文件, 例如提单或许可证申请, 为了一致性和彻底性.

涉及较少有形出口的审计, 比如技术或数据, 可能需要不同于涉及制成品的方法.

Audits may also involve interviews with people in various functions related directly or indirectly to exports, and site visits to remote or high-risk locations—such as a sales office in the Middle East or a manufacturing facility in China.

Audit reports

没有审计是完整的,直到它被封装在一个书面报告. 这些报告的长度和格式可以有很大的不同. 我喜欢简短的审计,因为它们更容易理解, 根据我的经验, 更有可能被使用.

The written report should provide information about methodology, findings and recommendations. 它通常以草稿的形式提供, with opportunity for appropriate stakeholders to review and make comments before it becomes final.

如果审计确实发现有问题的结果, you don’t want to wait to act on them until the final report has been fully vetted. 因此,在大规模审计中,中期报告可能会有所帮助. Also, 最终报告正在起草中, an overview for executives of the recommendations may be an expedient way to bring attention to important findings.

建议应包括具体的纠正措施, the department or individual(s) responsible for taking the action and realistic deadlines. Companies should conduct an audit on these corrective actions within a year – or earlier, 这取决于问题的严重程度.

如果决定不遵循任何建议, 这也应该被记录下来, 以及原因.



Scott Gearity 是ECTI公司的总裁.
