This guide provides auditors with the knowledge and understanding of regulatory, statutory, and ITAR/EAR requirements when auditing organizations. Learn about the different regulations, their definitions, examples, and the importance of compliance.
Regulatory, Statutory and ITAR/EAR Requirements: What an Auditor Needs to Know
Auditor Workshop, Atlanta, GA, July 22-23, 2010
Dr. Ingrid D. Knox, Adjunct Professor, Embry Riddle Aeronautical University, and Aerospace Engineer with FAA
Objective
• How to determine what will be applicable when auditing/audit planning for an organization
• What are Statutory Regulations
• Export Control/EAR/ITAR introduction
• FAA Regulations
• Rules of Thumb for auditors
Regulations
Definition of Statutory Regulations: Relating to a statute, which is a formal written enactment of a legislative authority that governs a state, city, or country. Typically, statutes command or prohibit something, or declare policy. The word is often used to distinguish law made by legislative bodies from case law and the regulations issued by government agencies. Before a statute becomes law in some countries, it must be agreed upon by the highest executive in the government, and finally published as part of a code. In many countries, statutes are organized in topical arrangements (or “codified”) within publications called codes, such as the United States Code.
Regulations
Statutory Regulations Example: The Sarbanes-Oxley Act, commonly called SOX, sets forth records management and retention policies for all public companies. SOX was enacted in 2002 in response to corporate scandals involving large, public corporations and their accounting firms. The vast majority of organizations use email to communicate internally and as a vehicle for the exchange of documents and correspondence between businesses and their outside consultants, accounting and auditing firms. Since these communications often contain information about business transactions and decisions, these email communications must be retained for an organization to comply with the provisions of SOX. Other sections of SOX provide requirements as well.
Regulations
Statutory Regulations Example: The Federal Water Pollution Control Act, popularly known as the Clean Water Act (CWA), is a comprehensive statute aimed at restoring and maintaining the chemical, physical, and biological integrity of the Waters of the United States. It provides:
• Water quality standards
• A system of minimum national effluent standards for each industry
• A permit program for the discharge of pollutants into navigable waters, with enforcement mechanisms
• A revolving construction loan program (Clean Water State Revolving Fund (CWSRF), formerly a grant program) for publicly-owned treatment works (POTWs) and funding to states and tribes for their water quality programs
• Provisions to address waterway- and/or region-specific water quality
Regulations
Other Examples of Statutory Regulations and Agencies:
• Department of Labor – Occupational Safety and Health Administration (OSHA)
• Department of Transportation – Hazardous Waste
• Resource Conservation and Recovery Act
• National Fire Protection Act
Regulations
Exports are controlled by the United States with the following primary regulations:
• The Office of Foreign Assets Control (OFAC)
• Export Administration Regulations (EAR)
• International Traffic in Arms Regulations (ITAR)
Regulations
Why are regulations (ITAR, EAR, OFAC) needed in the U.S.? Because companies and countries have a right to:
• Protect Information
• Protect Product
• Best Interest
How is this done? Export control regulations and proprietary information.
Regulations
What are the major focuses of the regulations and what do these regulations accomplish?
• Control over listed products, technical data, and technology
• Protection of U.S. technical knowledge
• Stopping and preventing products, technical data, and technology from going into the wrong hands: countries/individuals deemed to be harmful to the U.S.
Export
Definition of Exports includes:
• Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the U.S. or abroad; or
• Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the U.S. or abroad.
• The transfer of anything to a Foreign Person by any means, anywhere, anytime, or the knowledge that what you are transferring to a U.S. Person will be further transferred to a Foreign Person.
Export (Cont’d)
Or transferring in the United States any defense articles to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the U.S. or abroad; or performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the U.S. or abroad.
Technical Data
Technical data is an exportable commodity. Within ITAR regulations, technical data is included as an export. Examples include:
• Testing
• Maintenance or modification of defense articles
• Blueprints
• Drawings
• Process specifications
• Photographs
• Plans, instructions, and documentation
• Design
• Development
• Production
• Manufacture
• Assembly
• Operation
• Repair
Data
Data can be transmitted in numerous ways:
• Website, Internet downloads
• Memos, face-to-face, staff meetings
• Verbally to non-U.S. employees, teleconferences, phone conversations
• Copies to Foreign Persons
• Emails, letters, documents, or snail mail, FAX
• Presentations, industry meetings, conferences
• Visitors, potential customers
• Data on computers, networks, and hard drives
ITAR Definitions
Defense Article – any item on the USML, including technical data.
ITAR Terms
Technical Data – information which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles; classified information related to defense articles; information covered by an invention secrecy order; software directly related to defense articles.
ITAR Definitions – U.S. Persons
U.S. Person – a natural person who is a lawful permanent resident as defined in 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the U.S. It also includes any governmental (federal, state, or local) entity.
ITAR Terms
Foreign Person – the opposite of a U.S. Person.
Export – sending or taking a defense article out of the U.S. in any manner, except by mere travel outside of the U.S. by a person whose personal knowledge includes technical data; or transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the USML, whether in the U.S. or abroad; or disclosing (including oral or visual disclosure)
Proscribed Countries – 22 CFR 126.1
If a country appears on this list, it is generally U.S. policy to deny licenses, or other approvals, associated with exports and imports of defense articles and defense services destined for or originating in that country. ITAR license exemptions are trumped if a foreign person from any of these countries is involved; i.e., a license must be applied for.
ITAR Proscribed Countries List (22 CFR 126.1)
Afghanistan, Angola, Armenia, Azerbaijan, Belarus, Burma, China (PRC), Nigeria, North Korea, Pakistan, Rwanda, Somalia, Zaire, Cyprus, Haiti, India, Iran, Iraq, Liberia, Libya, Sudan, Syria, Tajikistan, Vietnam, Yemen, Federal Republic of Yugoslavia, Serbia, Montenegro
EAR
Export Administration Regulations (EAR) – administered by the Department of Commerce (Bureau of Export Administration).
The Commerce Control List (CCL) – complete listing of items controlled by the EAR.
EAR Terms
Export – an actual shipment or transmission of items subject to the EAR out of the United States; or release of technology or software subject to the EAR to a foreign national in the U.S.
EAR
Controlled Technology – specific information required for the development, production, or use of a product which is itself controlled. The information takes the form of technical data or technical assistance.
EAR
Technical Data – may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as a disk, tape, or read-only memories.
Technical Assistance – may involve transfer of technical data.
EAR Terms
Re-export – shipment from one foreign country to another foreign country.
Publicly Available Information – information that is generally accessible to the interested public in any form and is, therefore, not subject to the EAR.
EAR Terms
Publicly Available Technology and Software – technology and software that are already published or will be published; arise during, or result from, fundamental research; are educational; or are included in certain patent applications (see 15 CFR 734).
EAR License Exceptions
• TMP (used for certain temporary exports up to one year)
• GOV (U.S. government official use and use by government agencies of cooperating countries in their national territory)
• BAG (your right to take your personal belongings out of the country on a trip)
CAUTION – Use exceptions with care and read all conditions/provisions.
ITAR
Military application is a key concept: defense services and articles are regulated by ITAR.
What is a defense article? An item that is/was specifically designed, modified, or developed for a military application and is listed on the United States Munitions List (USML). If the above statement is the case, then the item is controlled by the International Traffic in Arms Regulations (ITAR).
EAR
If it was not specifically developed, designed, or modified for a military application and/or is not listed on the United States Munitions List (USML), then it is a commercial (or dual-use) item and it is controlled by the Export Administration Regulations (EAR).
ITAR – Agency
Directorate of Defense Trade Controls (DDTC), U.S. Department of State.
International Traffic in Arms Regulations: Code of Federal Regulations Parts 120-130.
EAR: Export Administration Regulations.
Full text of the Federal Law available at http://pmdtc.org/reference.htm
Auditor
How do ITAR and EAR impact auditors? Job audits and the auditor’s ability to review blueprints, specifications, or other documentation may be impacted by these laws. Auditors must be aware of the requirements of these laws should they audit any ITAR/EAR hardware.
Auditors
Rule of Thumb 1: Certification bodies develop a plan as to how they are going to ensure that restricted items in their possession are only available to persons that have a need to know, such as:
• U.S. Persons;
• Licensed organizations or individuals; and
• People, companies, and countries that have legal access.
The plan should be shared with auditors if it has an effect on auditing.
Auditors
Rule of Thumb 2: Companies should be aware of the export control status of their categories/items and the status of the individuals and companies with whom they are sharing the data. This information can be shared with the auditors.
Auditors
Rule of Thumb 3: The certification body first determines whether it is going to collect and keep any restricted data that comes to the body from the auditor or company as part of the audit. The certification body should inform the auditor how to process the data if a set plan is in place.
Auditors
Rule of Thumb 4: Why should the auditor care?
(1) Certification body action could threaten U.S. national security.
(2) A violation could stop the certification body from working with restricted data.
(3) Penalties or fines can hurt the business, and the business brand name could be damaged in the public eye. Penalties are public record.
(4) Auditors, companies, and customers might lose confidence in the certification body.
(5) Incarceration, penalties, fines, and debarment can hurt business.
Auditors
Rule of Thumb 5: Prior to and at the beginning of the audit, the lead auditor may speak to the Supplier to ensure that the Supplier identifies specifications, processes, and drawings (referred to as “auditable material”) which are restricted under ITAR and EAR. The Supplier shall contact the owner of any information for clarification when unsure about whether information is export controlled under ITAR or EAR.
Auditors
Rule of Thumb 6: The auditor’s role is not to remind the Supplier of its ITAR and EAR obligations. The company should already be aware of its obligations; it is not the auditor’s role to make the company aware. The auditor shall not be held liable for any unauthorized transfer of restricted data, unless the auditor knew or should have known of the restricted nature of the data.
Auditors
Rule of Thumb 7: The auditor receives direction from the certification body on how to deal with ITAR and EAR. Some bodies will restrict the auditor’s access, and how the information is recorded is of course restricted as well. Additional information can be discussed during the opening meeting in-brief if needed.
Auditors
Rule of Thumb 8: Auditors check with the certification body on restrictions on posting ITAR/EAR material. Typically, material should not be removed from the supplier facility by the auditor. Contact the certification body or staff for direction if objective evidence is necessary to support the audit.
Auditors
Rule of Thumb 9: Some certification bodies may be vigilant to comply with this U.S. law and avoid review of any ITAR/EAR material. As an auditor you should check with your certification body on the requirements.
Auditors
Rule of Thumb 10: Auditors should be aware of restricted technical data and how it is to be handled while auditing. Typically, technical data is password protected against access by foreign persons, and hardcopy data and copies are secured to prevent access by Foreign Persons. The company should identify any restricted technical data. A means of knowing the U.S. person status of all employees, consultants, or anyone who can obtain access to restricted technical data in the system should be readily available.
Auditors
Rule of Thumb 11: Certification bodies should have a system to purge restricted technical data once it is discovered in the system. Restricted data must be identified/described clearly. Some certification bodies communicate to the customer that no restricted data can be collected as part of the audit. Certification bodies sometimes train auditors not to document restricted technical data as part of the audit.
Auditors
Rule of Thumb 12: Two basic techniques:
• The certification body will prohibit restricted data from entering the system.
• The certification body will control access within the system.
Auditors
Rule of Thumb 13: What should you as an auditor tell customers? OFFER NO ADVICE. Auditors should follow the rules, policies, and procedures in place at the company they are auditing (camera, safety, union, labor, emergency, etc.).
Auditors
Rule of Thumb 14: The auditor may need to carry proof of citizenship if the parent certification body cannot vouch for the auditor or did not provide proof of citizenship, as a safeguard against an audit being stopped.
Auditors
Rule of Thumb 15: Auditors can address the subject of export control in the opening meeting in-brief:
• Their status (as a U.S. Person or as a Foreign Person) and what that means to the audit.
• The expectation that the customer will control access to restricted data accordingly.
• Certification body procedures if there is a problem.
• Certification body policy on data retention or purging, if applicable.
Auditors
Foreign Persons employed by the certification body may be restricted from access to technical data. This approach is used whenever the certification body accepts responsibility for and retains restricted technical data in its system during audit reporting or record keeping.
Auditable Material
If auditable material is under ITAR and EAR, the supplier may either:
• Limit the audit to auditable material not restricted under ITAR and EAR;
• Work with certification body staff to provide and discuss appropriate auditable material, so that the staff can provide appropriate direction to restricted auditors; or
• Request an unrestricted auditor.
Material
ITAR/EAR Material – How to Recognize It? Identification could be on:
• Purchase Order
• Specification – typically the first sheet, and may be embedded in the text
• Face of drawing
• May be identified as ITAR/EAR Control or Export Control
Material
Point of Clarification: Suppliers located outside of the U.S. may be licensed under the legislation and may be processing ITAR/EAR material.