Internal Compliance Program - Series (26) - Audit

Today, in the hands-on practical advice series on Internal Compliance Programs for Export Control:

Part 26: Audit

A sound audit process is an important element of your export control compliance program. Audits determine if the right questions are being asked throughout the process to ensure exports are consistent with national security and foreign policy interests and, thus, consistent with the best interest of the company.

The audit program should be specific to each company and could consist of the following:

Internal checks.

Compliance monitoring shall integrate control mechanisms as part of daily operations, and regular / random audits as well.

During daily operations, products will be released based on the 4-eyes principle. Random inspections will take place any time this is necessary in order to ensure that operational procedures within all of the company's export-related divisions and locations reflect the Internal Compliance Program and Government export regulations.

Control Self-Assessment.

This is defined as a process by which a department examines and improves existing internal controls and/or implements new internal controls to mitigate risks associated with a process or function. The CSA process entails documentation of the process, identification of all risks related to that process, and identification and evaluation of all internal controls that should be in place to mitigate the risks to an acceptable level.

The concept considers two levels. Through the first level (team level), the Export Compliance team works together with team leaders and specific employees to carry out an analysis for the strengths, challenges and risks that may affect the company’s ability to achieve its objectives within the control framework and to take the appropriate procedures in this regard.

Through the second level (organization level), the results reached by the team in the first level are analysed to identify the strengths, weaknesses and risks and to link them in order to identify the main reasons for each one of them in the existing control system.

Control Self-Assessment relies on internal control assessment through the use of specific assessment techniques, in which the major role is carried out by the operational management rather than internal audit. This technique depends on team work rather than individual work, and it provides a reasonable rather than absolute assurance that the objectives will be achieved.

Most teams use either workshops technique or questionnaire technique. In the workshops technique, a team is formed to carry out Control Self-Assessment procedures. Workshops identify objectives, and define the existing controls to achieve these objectives. After that, the residual risks (remaining after assuming the application of controls) are identified. It is assumed that controls and risks are already present in the system. The team’s task is identifying and assessing these controls.

The questionnaire technique is based on performing Control Self-Assessment through designing a questionnaire including a number of yes-no questions. The results of the questionnaire are then analysed to reach the required evaluation of internal control. The questionnaire used within the Self-Assessment tool will be customized to the company’s products and operations, taking into account national law requirements.

This CSA should be conducted on a more frequent basis than the corporate-level audit, at least once a year.

Internal audits

A company should schedule audits to be conducted at least on a bi-annual basis. These audits should focus on our overall export compliance process and the export transactions of specific business units. The frequency of subsequent audits may be adapted in consideration of the results of the previous audits, the development of the risk level according to the product portfolio and company operations, and the corrective measures implemented as a follow-up to previous audits.

The direction of the internal audit is determined by the Internal Audit department management. It typically includes testing of transactions to determine whether internal controls are operating as expected.

Since the system audit examines the processes and supervision that take place within the company’s internal export control procedure, all aspects of internal export control shall be included. These include the relevant work orders and organisational guidelines, training courses, record-keeping methodology and documentation.

For each audit period, the Internal Audit Team, in cooperation with the Export Control Compliance Team, sets the audit questions to be examined. For testing, to ensure that a representative number of shipments is audited, Internal Audit will use random sampling methodology that creates an opportunity for every shipment, customer and/or destination to be selected for testing.

The internal audit will be conducted by the internal audit team, composed of auditors selected for their qualifications and expertise in the export control compliance field. If Internal Audit feels the need for additional expertise, they will contract with an external provider to obtain that expertise.