In our last newsletter, we reviewed the first four elements of the U.S. Department of State’s Directorate of Defense Trade Controls December 2022 Compliance Program Guidelines. These Guidelines are intended to provide an overview of an effective ITAR Compliance Program (ICP) and an introduction to defense trade controls.
The Guidelines are divided into eight sections:
- Management Commitment
- DDTC Registration, Jurisdiction & Classification, Authorizations, & Other ITAR Activities
- Recordkeeping
- Detecting, Reporting, & Disclosing Violations
- ITAR Training
- Risk Assessment
- Audits & Compliance Monitoring
- ITAR Compliance Manual
This article will focus on the last four sections: ITAR Training, Risk Assessment, Audits & Compliance Monitoring, and the ITAR Compliance Manual.
This guidance is not an official part of the International Traffic in Arms Regulations. Instead, serves as a way for the Directorate of Defense Trade Controls (DDTC) to express their expectations for export compliance. DDTC also understands that different companies have unique levels of ITAR activity and may need different approaches.
ITAR Training
An ITAR training program must be “tailored, dynamic, up-to-date, and adequately resourced.” A tailored ITAR training program is designed to reflect the organization’s type of ITAR work, its relationship with any parent companies, subsidiaries, or affiliates, the nature of its customers and other business partners, the geographic region in which it operates, and the duties and responsibilities of the personnel being trained. A dynamic and up-to-date training program is reviewed regularly to reflect any changes to the organization as well as changes in the ITAR or other DDTC guidance. Significant updates should also be shared with personnel in between training sessions. ITAR violations and even avoided violations may provide valuable training opportunities. An adequately resourced training program is needed to make sure that all employees get the appropriate level and frequency of training.
The guidelines suggest a four-tiered training program based on employee responsibilities:
- First Tier: General ITAR Training for All Personnel
- Second Tier: Senior Management
- Third Tier: Positions with Export Functions
- Fourth Tier: Export Compliance Team
Details of what should be provided in each tier are included in the guidance. Training may be conducted by internal experts or external service providers. Internal trainers must be able to maintain subject matter expertise in the ITAR, DDTC guidance, and industry best practices. In order to maintain this expertise, internal trainers will need a higher level of external training. ECS offers many options for training which can be customized to organizations and categories of employees, from general awareness to train-the-trainer.
Risk Assessment
As DDTC states, “Risk assessments in the defense trade controls context are evaluations of the potential compliance risks that are specific to each organization and that, if left unaddressed, may lead to ITAR violations.” The risk assessment process reviews many areas of business activity in order to find potential compliance risks. As important as the risk assessment itself, the risks identified need to be prioritized and mitigated once identified. Notable risk areas include:
- Jurisdiction & classification
- Authorization management
- Foreign person employees or visitors
- Vetting of parties and verification of end users
- License exemptions
- International travel
- Facility visits
- Inventory management
A risk assessment may be conducted by a company’s internal audit function or an external service provider. ECS provides both risk assessment and audit services.
Audits & Compliance Monitoring
A compliance audit is more in-depth than a risk assessment and may include interviews with personnel in multiple roles, document review, evaluation of IT systems, and site visits. A sample audit checklist is provided in the guidance. As with risk assessments, an audit may be conducted by a company’s internal audit function or an external service provider. Different types of audits include functional-level and program-level, depending on the focus of the audit. Audits should be periodic, depending on the company’s level of risk, but may be needed in merger and acquisition transactions as part of the due diligence process. Findings may lead to voluntary disclosures as well as compliance improvements.
Ongoing compliance monitoring essentially means that any organization should be ready to adjust its compliance program based on to the ITAR or DDTC guidance as well as industry best practices and lessons learned from others’ violations. Changes to the organization’s business and risk factors are also important considerations.
ITAR Compliance Manual
The ITAR compliance manual should provide a written, authoritative source of the organization’s ITAR compliance policies and procedures, as well as employee compliance responsibilities. It should address all of the main points of the compliance guidelines, starting with management commitment, be readily available to all employees, and identify key ITAR compliance points of contact. It may also provide copies of the organization’s compliance templates, forms, and checklists. A well-written manual can be a valuable reference and should continue to be updated based on changes to the ITAR, DDTC guidance, best practices, and company experience (to include risk assessments, audits, violations, and disclosures).
Additional detail on these elements, each being crucial to the success of your export compliance program, is available in the Guidelines themselves. As always, if you need help with meeting, understanding, or tailoring any export compliance obligations, ECS is here to help!