Best Practices for Export Compliance Auditing & Oversight

Chad Geary Celena Kingman Zachary Parker

Raytheon Company 11/7/13 Copyright © 2012 Raytheon Company. All rights reserved.

Customer Success Is Our Mission

is a registered trademark of Raytheon Company.

Introductions

Chad Geary – Global Trade Operations Manager  Transactional Export/Import compliance Celena Kingman – Manager II, ExIm Operational Excellence  Responsible for IDS EXIM Operational Compliance through training, creating and implementing work instructions, procedures and practices. Oversee the completion of regular internal assessments and the close out of incidents/disclosures and corrective actions. Investigates any findings and creates corrective actions to address.

Zachary Parker – Senior Compliance Advisor – Raytheon Office of General Counsel/Global Trade Compliance  Responsible for Enterprise-wide Export/Import oversight through management of audits/assessments, metrics and disclosures to governmental agencies 5/2/2020 2

Agenda

– Fundamentals of a Strong Compliance Program – Auditing from a Global Trade Operations Perspective – Auditing from a Business Unit/Product Line Perspective – Auditing from a Corporate Perspective – Incident Reporting & Corrective Actions – Questions and Discussion 5/2/2020 3

Fundamentals for Compliance

In order to have a strong compliance program, you need: – Corporate Leadership Commitment – Strong Recordkeeping Program – Implementation of Compliance-Related and Cross-Functional Policies, Standard Operating Procedures and Work Instructions – Clearly Defined Roles & Responsibilities – Understanding of Regulatory Jurisdictions – Consistency in Decisions 5/2/2020 4

Global Trade Operations Perspective

 A Multi-Tiered approach to transactional audits – Established process and desk-level work instructions – Data integrity on export/import documents  Engage with internal stakeholders and external vendors – Partnership with freight forwarders/brokers-they represent you before USG 5/2/2020 5

Global Trade Operations Perspective

 Follow-up and timeliness are key – Timely identification of errors – Cadence for reviews – Rules for corrective actions  Established escalation process/reporting – Clear path for reporting errors and escalations (Incident Reporting/Disclosures)  Ability to adjust to changes – Flexible audit protocol – regulations constantly changing 5/2/2020 6

GTO – Case Study

 Originated with incident related to transactional compliance with handling of AES filing for ITAR controlled shipment – Mishandling of export license and AES filing – Gap in quality of work done by filing agent- manual process filled with errors – Developed 21-point checklist that filing agent would use to validate AES filing data and transactional compliance  Audit checklist includes: – AES data integrity     Did agent file accurately based on SLI provided on SLI – Documentation accuracy Are proper markings included on documents-DCS, license information, parties, values – Temporary export/import licenses Endorsements done timely and accurately – Recordkeeping Complete/correct/timely export documentation 5/2/2020 7

Business/Product Line Perspective

 Continuous Audits Through Checklists – Based upon ITAR/EAR Requirements  Pre license submittal  Post license approval  Semi-annual assessments – Completeness and Requirement  Ensure all documents are on record – Modify Checklists based upon instances of non-compliance 5/2/2020 8

Business/Product Line Perspective

 Semi-Annual Audit Review – Identify the timeframe for which the Audit will cover – Identify Activity within the timeframe – Randomly select the records to be audited   For consistency need to have a set format for choosing records to be audited This includes determining the data pool to be used – have written instructions that define the time frame and the records that will be audited  use a standard Statistical Sampling tool such as Zero-Based Acceptance Sampling Plan to determine the number of records from each source to be reviewed.

– Need method for recording the records assessed and any findings i.e. database or spreadsheets – Within the

Internal Self Assessment

tool, identify records that are not sufficient/potential issue and develop action plan (report or fix).

5/2/2020 9

BU/PL – Case Study

 Self-audits drive compliance - One of the questions is whether all provisos have been completed - Standard Proviso for classified agreements, IDS is suppose to send copies of agreement approvals and the executed agreement to the local DSS office.

- Additionally any simple amendments and reclamas - Discovered that a simple amendment had not been sent to the DSS office - As this was a proviso requirement, it was a violation and had to be reported in a Disclosure - Prior to sending the disclosure, we did a further review of all agreements authorizing classified data export to determine if we had any other issues - Discovered that we had several simple amendments and reclamas that had not been forwarded to DSS - Edited work instruction to specifically call out the need to forward such documents to DSS.

5/2/2020 10

Corporate Perspective

Why does Corporate also assess?

– External and independent assessments are an essential element in the process of accountability for correct export and import compliance behavior – Strong internal compliance is a method of good corporate stewardship – Assessments are underpinned by three fundamental principles   The assessment team is independent from the business being audited The scope of the assessment is extended to cover not only the review of export and import transactions, but also all areas that may affect the legality of an export or import transaction  The assessment team may report aspects of their work to the General Counsel, the Board of Directors and other key stakeholders 5/2/2020 11

Corporate Perspective

Assessment Program Development

– Study Incident Report and Voluntary Disclosures submitted for the previous year throughout the enterprise and perform a detailed analysis on the Root Cause of the incidents – Review changes in the regulatory environment – Discuss anecdotal situations – Hold discussions with business contacts – Identify issues that are high-risk but have previously not been monitored by OGC/GTC or business leads Examples of areas for audit may be: • Shipping/Receiving Processes • Authorized Parties • License Quantities • Hardware Controls • General Exemption Usage • Agreement/License Provisos and Limitations • Inter-Organizational Transfers • Contract Scope, Statement of Work and Contract Modifications • Temporary Export/Import of Hardware • Part 130 Reporting • Program Export/Import Compliance Procedures (PEICP) Compliance/Distribution • Public Release Process • Technical Data Controls/Document Markings • Recordkeeping/Maintenance • Tradeshows • USML/CCL Classifications • General Knowledge and Training 5/2/2020 12

Corporate Perspective

What is involved in Corporate Audits?

– The GTC Audit Procedures involve multiple research methods. Specifically, the assessment will involve:    Review of business and site procedures Knowledge of international trade compliance Implementation of a compliance program within various functional areas of program or location 5/2/2020 13

Corporate Perspective Who is involved?

– Due to the company-wide implications of international trade compliance, the Audit Procedures involve open and candid conversations with multiple individuals throughout the various functional areas of the company.

– The team may contact individuals from the functional areas listed below to learn more about their role within international trade compliance, as applicable to the specific location and business procedures.

           Export/Import Operations (Licensing & Global Trade Operations) Program and Engineering Personnel Supply Chain Management-Logistics Business Development Physical/Program Security Finance Contracts Configuration Management/Data Management Communications, including Business Tradeshow Coordinator Information Technology Security Mailroom 5/2/2020 14

Incident Reporting & Corrective Actions

Audit Findings are Key to Compliance – Prioritize findings based upon business risk for immediate action  Immediately Report Issues of Regulatory Non-Compliance – Gather the immediate facts – Notify relevant responsible compliance personnel – Collect supporting documentation – Conduct thorough investigation to identify scope and root cause – Disclose to regulatory agencies 5/2/2020 15

Incident Reporting & Corrective Actions

Corrective Actions Drive Compliance – Address the root cause of the finding, not just correcting the problem – Outline a timeframe for achievement – Identify the deliverables required for closure – Implement fully across affected parties – Track for completion – Test for compliance – Monitor for closure 5/2/2020 16

Questions and Discussion

5/2/2020 17