Best Practices for Export Compliance Auditing & Oversight Chad Geary Celena Kingman Zachary Parker Raytheon Company 11/7/13 Copyright © 2012 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company. Introductions Chad Geary – Global Trade Operations Manager Transactional Export/Import compliance Celena Kingman – Manager II, ExIm Operational Excellence Responsible for IDS EXIM Operational Compliance through training, creating and implementing work instructions, procedures and practices. Oversee the completion of regular internal assessments and the close out of incidents/disclosures and corrective actions. Investigates any findings and creates corrective actions to address. Zachary Parker – Senior Compliance Advisor – Raytheon Office of General Counsel/Global Trade Compliance Responsible for Enterprise-wide Export/Import oversight through management of audits/assessments, metrics and disclosures to governmental agencies 4/13/2015 2 Agenda – Fundamentals of a Strong Compliance Program – Auditing from a Global Trade Operations Perspective – Auditing from a Business Unit/Product Line Perspective – Auditing from a Corporate Perspective – Incident Reporting & Corrective Actions – Questions and Discussion 4/13/2015 3 Fundamentals for Compliance In order to have a strong compliance program, you need: – Corporate Leadership Commitment – Strong Recordkeeping Program – Implementation of Compliance-Related and Cross-Functional Policies, Standard Operating Procedures and Work Instructions – Clearly Defined Roles & Responsibilities – Understanding of Regulatory Jurisdictions – Consistency in Decisions 4/13/2015 4 Global Trade Operations Perspective A Multi-Tiered approach to transactional audits – Established process and desk-level work instructions – Data integrity on export/import documents Engage with internal stakeholders and external vendors – Partnership with freight forwarders/brokers-they represent you before USG 4/13/2015 5 Global Trade Operations Perspective Follow-up and timeliness are key – Timely identification of errors – Cadence for reviews – Rules for corrective actions Established escalation process/reporting – Clear path for reporting errors and escalations (Incident Reporting/Disclosures) Ability to adjust to changes – Flexible audit protocol – regulations constantly changing 4/13/2015 6 GTO – Case Study Originated with incident related to transactional compliance with handling of AES filing for ITAR controlled shipment – Mishandling of export license and AES filing – Gap in quality of work done by filing agent- manual process filled with errors – Developed 21-point checklist that filing agent would use to validate AES filing data and transactional compliance Audit checklist includes: – AES data integrity Did agent file accurately based on SLI provided on SLI – Documentation accuracy Are proper markings included on documents-DCS, license information, parties, values – Temporary export/import licenses Endorsements done timely and accurately – Recordkeeping Complete/correct/timely export documentation 4/13/2015 7 Business/Product Line Perspective Continuous Audits Through Checklists – Based upon ITAR/EAR Requirements Pre license submittal Post license approval Semi-annual assessments – Completeness and Requirement Ensure all documents are on record – Modify Checklists based upon instances of non-compliance 4/13/2015 8 Business/Product Line Perspective Semi-Annual Audit Review – Identify the timeframe for which the Audit will cover – Identify Activity within the timeframe – Randomly select the records to be audited For consistency need to have a set format for choosing records to be audited This includes determining the data pool to be used – have written instructions that define the time frame and the records that will be audited use a standard Statistical Sampling tool such as Zero-Based Acceptance Sampling Plan to determine the number of records from each source to be reviewed. – Need method for recording the records assessed and any findings i.e. database or spreadsheets – Within the Internal Self Assessment tool, identify records that are not sufficient/potential issue and develop action plan (report or fix). 4/13/2015 9 BU/PL – Case Study Self-audits drive compliance - One of the questions is whether all provisos have been completed - Standard Proviso for classified agreements, IDS is suppose to send copies of agreement approvals and the executed agreement to the local DSS office. - Additionally any simple amendments and reclamas - Discovered that a simple amendment had not been sent to the DSS office - As this was a proviso requirement, it was a violation and had to be reported in a Disclosure - Prior to sending the disclosure, we did a further review of all agreements authorizing classified data export to determine if we had any other issues - Discovered that we had several simple amendments and reclamas that had not been forwarded to DSS - Edited work instruction to specifically call out the need to forward such documents to DSS. 4/13/2015 10 Corporate Perspective Why does Corporate also assess? – External and independent assessments are an essential element in the process of accountability for correct export and import compliance behavior – Strong internal compliance is a method of good corporate stewardship – Assessments are underpinned by three fundamental principles The assessment team is independent from the business being audited The scope of the assessment is extended to cover not only the review of export and import transactions, but also all areas that may affect the legality of an export or import transaction The assessment team may report aspects of their work to the General Counsel, the Board of Directors and other key stakeholders 4/13/2015 11 Corporate Perspective Assessment Program Development – Study Incident Report and Voluntary Disclosures submitted for the previous year throughout the enterprise and perform a detailed analysis on the Root Cause of the incidents – Review changes in the regulatory environment – Discuss anecdotal situations – Hold discussions with business contacts – Identify issues that are high-risk but have previously not been monitored by OGC/GTC or business leads Examples of areas for audit may be: • • • • • • Shipping/Receiving Processes Authorized Parties License Quantities Hardware Controls General Exemption Usage Agreement/License Provisos and Limitations • Inter-Organizational Transfers • Contract Scope, Statement of Work and Contract Modifications • Temporary Export/Import of Hardware • Part 130 Reporting • Program Export/Import Compliance Procedures (PEICP) Compliance/Distribution • Public Release Process • Technical Data Controls/Document Markings • Recordkeeping/Maintenance • Tradeshows • USML/CCL Classifications • General Knowledge and Training 4/13/2015 12 Corporate Perspective What is involved in Corporate Audits? – The GTC Audit Procedures involve multiple research methods. Specifically, the assessment will involve: Review of business and site procedures Knowledge of international trade compliance Implementation of a compliance program within various functional areas of program or location 4/13/2015 13 Corporate Perspective Who is involved? – Due to the company-wide implications of international trade compliance, the Audit Procedures involve open and candid conversations with multiple individuals throughout the various functional areas of the company. – The team may contact individuals from the functional areas listed below to learn more about their role within international trade compliance, as applicable to the specific location and business procedures. Export/Import Operations (Licensing & Global Trade Operations) Program and Engineering Personnel Supply Chain Management-Logistics Business Development Physical/Program Security Finance Contracts Configuration Management/Data Management Communications, including Business Tradeshow Coordinator Information Technology Security Mailroom 4/13/2015 14 Incident Reporting & Corrective Actions Audit Findings are Key to Compliance – Prioritize findings based upon business risk for immediate action Immediately Report Issues of Regulatory Non-Compliance – – – – – Gather the immediate facts Notify relevant responsible compliance personnel Collect supporting documentation Conduct thorough investigation to identify scope and root cause Disclose to regulatory agencies 4/13/2015 15 Incident Reporting & Corrective Actions Corrective Actions Drive Compliance – – – – – – – Address the root cause of the finding, not just correcting the problem Outline a timeframe for achievement Identify the deliverables required for closure Implement fully across affected parties Track for completion Test for compliance Monitor for closure 4/13/2015 16 Questions and Discussion 4/13/2015 17