First, your enterprise must designate an auditor(s) that is responsible for conducting the audit of your enterprise’s ICP. Depending on the structure, size and other circumstances of your enterprise, audits can be performed internally by your enterprise’s employees, or externally by a qualified consultant or audit specialist.

If conducted internally, your enterprise should seek to ensure that auditors maintain objectivity and avoid any potential conflicts of interest by using auditors that do not have sales, export promotion, or marketing responsibilities. Internal staff serving in an audit capacity should have the independence and flexibility to identify STC compliance deficiencies and be properly authorized to make recommendations about how best to rectify them. Note: In the event a conflict of interest cannot be avoided, the STC audit should be conducted as objectively as possible using written review procedures.

Some enterprises choose to pool their resources and create STC audit teams that are comprised of internal auditors, legal counsel, and experienced compliance personnel. Using a team approach ensures the full breadth of your enterprise’s expertise is leveraged in order to critically evaluate the quality and effectiveness of your ICP.

The experience level of auditors and the structure of the STC audit team can have a significant impact on the effectiveness of the audit. If your enterprise chooses to conduct ICP audits internally, one of the following employees should be entrusted with this responsibility:

• Senior employee from the hierarchy of responsibilities for internal audits;
• Quality control manager;
• Finance manager or accountant; or
• Individual from middle or senior management that does not interact directly with empowered compliance personnel.

Some enterprises (often larger firms) choose to conduct external audits. External audits can provide an unbiased, objective, third-party evaluation of your enterprise’s ICP and compliance practices. External audits are usually conducted by legal practitioners, management consultants, or certified public accountants (Price Waterhouse Coopers or Deloitte are two prominent examples).

Regardless of the approach, the auditor(s) should be qualified to conduct such reviews and held responsible for scheduling and developing suitable procedures to carry-out the audit. It may be appropriate for your enterprise to make someone else responsible for reviewing the audit reports and following through with the corrective actions necessary to remedy any deficiencies that are discovered by the auditors.

Note: Audit personnel require regular training that is tailored to your enterprise’s operations and specific, STC compliance issues. Training for auditors might address topics such as:

• STC auditing principles, practices, and procedures;
• Overview of your country’s STC laws, regulations, and requirements;
• Overview of the entire order process from customer inquiry to product delivery;
• Enterprise policy and procedures for implementing license approvals and conditions; and
• Overview of potential STC compliance vulnerabilities and areas of high risk.

The next task is the creation of auditing modules. STC compliance audits generally involve a transaction-level and process-level review of STC compliance efforts with a special emphasis placed on high risk areas. A review procedure or self-assessment checklist can be developed to document the review of each component of the Internal Compliance Program. Enterprises sometimes utilize a simple checklist format of compliance factors to conduct audit assessments.

Note: An audit module template and numerous audit self-assessment checklists are available in the “ICP Implementation Aids” section of the ICP Guide.

The best way for an enterprise to assess the effectiveness of its compliance efforts is to formally assess all elements of its compliance program, including the audit process itself. An effective audit program compares day-to-day STC compliance practices with written procedures to determine whether the ICP is being implemented properly and effectively. Audits determine if the right questions are being asked throughout the process to ensure your enterprise’s activities and transactions are fully-compliant with STC requirements.

Audit Techniques

Part of this task involves determining the auditing techniques used by the reviewer. The auditor can use any of the following techniques in conducting an ICP audit:

• Interview STC compliance-related personnel and management;
• Distribute a checklist or interview questions to relevant personnel;
• Review current policies and procedures including all written ICP guidelines;
• Review transaction and administrative documents;
• Compare operational STC compliance practices with written procedures (i.e. How closely does the enterprise adhere to established, written ICP policies and procedures?).

Audit Criteria

The auditor should also stipulate the audit criteria in writing beforehand. At a minimum, a comprehensive STC audit should assess the following aspects of your enterprise’s ICP:

• The license authorization process and the implementation of STC licenses including adherence to license conditions;
• Degree of management commitment to STC compliance;
• The quantity and quality of STC compliance personnel and whether there are clear lines of accountability and organizational communication in the enterprise;
• Conduct of due diligence checks and transaction screening practices and the safeguards in place at various stages of the transaction – from order inquiry to shipment;
• A sampling of transactions involving controlled items to verify compliance with licensing requirements;
• The Internal Compliance Program Manual;
• The quality and thoroughness of the enterprise 's internal review/audit procedures;
• The enterprise's training and educational programs and extent of awareness-raising efforts;
• Recordkeeping practices and the extent to which the enterprise maintains thorough documentation of controlled transactions and activities;
• Notification mechanisms in place which enable reporting of acts of non-compliance within the enterprise;
• Procedures for corrective action and follow-up in the wake of an STC violation or audit;
• Procedures in place to update the ICP when there are changes to applicable STC legislation;
• Technology controls and procedures related to intangible transfers of technology (ITT) (if applicable);
• Access controls and physical security measures in place and procedures implemented to prevent foreign national employees or visitors access to controlled goods and/or technologies (if applicable);
• Existence of procedural checklists for travel abroad, including for hand-carried items like laptop computers or USBs that contain controlled technical data (if applicable).

Note: Auditing modules should be tailored to the specific activities and circumstance of your enterprise and the STC requirements present in the jurisdiction in which your enterprise operates. For example, if your enterprise determines it is not necessary to adopt screening procedures for foreign nationals that visit your facilities, then it is not necessary to include a review of this in the auditing module. However, your enterprise may decide during the course of an audit or over time to re-examine the decision not to include such screening measures as part of the ICP. If specific screenings are deemed unnecessary by your enterprise, it is recommended this decision be documented in the audit report with an accompanying rationale for omission.

Record and Document Review

A large part of the auditing module involves reviewing the records maintained by your enterprise. There are three types of records that the auditor/reviewer should evaluate: ICP documentation, transaction records, and administrative records. The module should determine that all applicable records are maintained and should evaluate the documents to determine compliance with all applicable laws and regulations.

The examination of your enterprise’s ICP documentation should assure the following:

• A current STC policy statement.
• The ICP procedures are formalized in a written ICP Manual.
• All STC compliance-related communications and correspondences are accessible.
• Attendance at STC-related training programs is well documented.
• The operation of the ICP in practice corresponds with the written procedures set out in the ICP Manual.

In addition, the auditor should determine, by a representative sampling,* whether the following records are in order:

• Documentation that transaction screenings were performed (with completion, results, date, and person responsible for conducting the screening).
• License authorizations and accompanying documentation related to controlled transactions.
• Records demonstrating that appropriate license approvals were obtained for controlled transactions and all conditions of the license are being abided by.
• Documentation that verifies that all license requirements associated with a product are furnished to the appropriate parties within the enterprise (e.g. shipping department).

* Note: In order to ensure that a representative number of transactions are audited, at least one shipment per customer or destination should be audited. Some firms also conduct a random sampling review of transactions.

Your enterprise should endeavor to conduct an ICP audit, at both pre-determined intervals and on a random, unannounced basis. Once you have developed an auditing module, your enterprise should establish a timetable for conducting scheduled audits at all of your enterprise's locations (as applicable). It is recommended that your enterprise complete an audit of the ICP on at least an annual basis.

Throughout the year, spot checks and informal reviews may be performed to verify accuracy of work and the effectiveness of STC compliance policies and procedures. These spot checks and reviews should be well-documented and the results distributed to empowered compliance personnel and senior management.

Your enterprise’s ICP should include appropriate procedures and practices for audit reporting. The auditor(s) should write a report detailing the processes and procedures examined and providing actionable recommendations for how the enterprise might improve the ICP in the future.

The audit report might include the following sections:

1. Executive Summary [Purpose, methodology, key findings]
2. Findings and Recommendations [Identify compliance risks and vulnerabilities, gaps and inconsistencies, and recommend corrective actions for identified issues. Organize findings in priority order]
3. Appendices/Annexes [Interview list (individuals, departments, and business units), list of records reviewed, any process and organizational charts]

Audit reports should be provided to the appropriate senior management and empowered compliance officials. If applicable, the audit findings may also be shared with the departments and/or business units that were reviewed.

If the audit reveals STC compliance risks or breaches, procedures should be in place for these issues to be documented and brought to the attention of senior management and empowered compliance officials. Procedures should define the requirements for implementing audit recommendations and following-up on corrective actions taken.

Corrective actions should be implemented in a timely fashion (within a defined time period) and the auditor should expect written confirmation when corrective actions have been fully-implemented.