Exports and other party audits

Transcription

1 Registration Management Committee Exports and other party audits A presentation at the 2012 AAQG RMC Auditor Workshop July 19-20, 2012 By Don Buehler, President

2 DISCLAIMER The information contained herein is intended to be a general service to our clients and cannot be a substitute for a careful and thorough reading of the governmental laws, regulations and rulings. No responsibility is assumed for the accuracy or timeliness of any information provided herein applicable to any particular case or circumstance. These materials are intended to provide convenient, concise, and helpful information about U.S. export control regulations. They do not, and are not intended to, constitute legal or other advice or an official reading of the referenced regulations. This cannot be used as a substitute for a thorough reading of the actual statutes, regulations, and other documents that apply to the complex area of export control. These include, but are not limited to, the Export Administration Regulations, the International Traffic In Arms Regulations and other laws and regulations dealing with export control. These governmental source documents are controlling in the event of any inconsistency with the materials or information provided herein.

3 DISCLAIMER All the ideas and suggestions contained in this presentation are the result of Export Solutions experience in dealing with audits and the export regulations. Auditors must follow the policies and procedures of the CB they represent when dealing with these issues.

4 Topics Covered Basic export concepts & issues The Regulations: Basics of ITAR and EAR Application to 3 rd party audits

5 Goals of the Presentation These topics will provide you with the following: A background of U.S. export control law How products, technical information and data can be exported The basics of the regulations How 3 rd party audits are affected TO MAKE YOU THINK

6 Why does the U.S. have these regulations? Countries and companies have a right to protect information and products from other countries or companies as they deem in their best interest. This is done through export control regulations and proprietary information. Top three reasons for U.S. export control: 1. National Security 2. Foreign Policy 3. Non Proliferation

7 What do the regulations accomplish? 1. Prevent products, technical data, and technology from getting in the hands of countries/individuals deemed harmful to the United States. 2. Allows U.S. to exercise control over listed products, technical data, and technology. 3. Protects U.S. technical base of knowledge.

8 Why is this important for CBs and their auditors? ITAR and EAR are the law. All U.S. CBs, employees and contractors are subject to the laws. Even companies and auditors who are not U.S. citizens are subject to the laws.

9 Registration Management Committee Khalid Mahmood and David Tatum

10 Penalties 1. Civil and criminal 2. Fines 3. Debarment from exporting activities 4. Imprisonment Penalties can be applied to both companies and individuals.

11 Maximum Penalties EAR Civil penalties may be the greater of $250,000 or five times the value of the transactions. Criminal violations may be up to $1,000,000 and/or 20 years imprisonment. ITAR Civil penalties up to $500,000 per violation Criminal fines up to $1,000,000 per violation and/or 10 years imprisonment

12 Exports Defined What is an export? What is technical data?

13 What is an export? Any item which goes from the United States to a foreign destination (company or person) is an export. All these items are exports and, therefore, may be subject to controls and restrictions. Items include hardware (parts, materials, sub assemblies), information (drawings, specifications, test data, calculations) software (used to design or manufacture the items) and technologies (e.g., composites). Person to person exports can occur within the U.S.

14 What is technical data? Data which is used in the manufacture, design, etc of restricted components. Manufacturing instructions Technical plans (weld schedules, NDT techniques) Inspection operations Dimensions, operating characteristics Process controls CMM instructions or results Manufacturing software Unique tooling or tool designs

15 Registration Management Committee Export: data from a US person to a Foreign Person

16 Registration Management Committee Export: data from a Foreign Person to another Foreign Person

17 Registration Management Committee AN EXPORT US auditor to an English acquaintance Verbal Export

18 Registration Management Committee Another Example During an AS9100 audit, a U.S. manufacturer shows technical data on an ITAR controlled part to a CB Canadian auditor Visual Export

19 Registration Management Committee Another Example American auditor writes up findings with ITAR restricted technical data & s them to the German customer he audited. Physical Export

20 Registration Management Committee The Regulations

21 Registration Management Committee How does the government exercise control? International Traffic in Arms Regulations (ITAR) Export Administration Regulations (EAR)

22 Registration Management Committee What is covered in the ITAR? The ITAR regulates defense articles and defense services. An item is a defense article: is listed on the United States Munitions List (USML). If that is the case, then it is controlled by the International Traffic in Arms Regulations (ITAR) and regulated by The Directorate of Defense Trade Controls (DDTC).

23 The United States Munitions List (USML) Part 121 of the ITAR Category I Firearms, Close Assault Weapons and Combat Shotguns Category II Guns and Armament Category III Ammunition/Ordnance Category IV Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines Category V Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents) Category VI Vessels of War and Special Naval Equipment Category VII Tanks and Military Vehicles Category VIII Aircraft and Associated Equipment Category IX Military Training Equipment and Training Category X Protective Personal Equipment and Shelters

24 The United States Munitions List (USML) Part 121 of the ITAR Category XI Military Electronics Category XII Fire Control, Range Finder, Optical and Guidance and Control Equipment Category XIII Auxiliary Military Equipment Category XIV Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment Category XV Spacecraft Systems and Associated Equipment Category XVI Nuclear Weapons, Design and Testing and Related Items Category XVII Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated Category XVII Directed Energy Weapons Category XIX Reserved Category XX Submersible Vessels, Oceanographic and Associated Equipment Category XXI Miscellaneous Articles

25 Registration Management Committee What is covered in the EAR? If the product has dual-use or commercial application it is controlled under the Export Administration Regulations (EAR) and enforced by the U.S. Bureau of Industry and Security. Items which are listed with an ECCN in the CCL ECCN (Export Control Classification Number ) the method by which the EAR identifies items and technology which are controlled by the regulations CCL (Commerce Control List ) the list of ECCNs which are controlled by the EAR divided up into 11 categories

26 Registration Management Committee What is covered in the EAR? The EAR covers the following types of products and technical data: Nuclear materials & facilities Materials, microorganisms Materials Processing Electronics design Computers Telecommunications/ info security Sensors & lasers Navigation & avionics Marine Propulsion systems (Planes & engines)

27 Registration Management Committee How do the regulations control exports? Two basic methods: 1. By requiring exporters to get approvals for exports in the form of licenses 2. By restricting exporters from dealing with specific countries, companies and individuals (denied parties lists). (OFAC) OFAC (Office of Foreign Assets Control) the Treasury Department which administers sanctions and embargoes against countries and debarment actions against individuals

28 So what does this have to do with auditors? Do you know your company s policies concerning Export Control? Have you received formal training in how to handle export Restricted information and data? Do you know if the information you receive in an audit is Restricted? Do you know what you can and cannot do with this data? Do you ever give customers information on how they can comply with requirements?

29 Registration Management Committee Auditors: a key to conformance Auditors need a clear understanding of what is expected of them and how they are to proceed. Auditors need to understand the fundamentals of export control and the company s policies

30 Registration Management Committee Auditors: a key to conformance Auditors need to understand the impact of giving any kind of advice and how that could be a defense service or technical advice/transfer of technology. Auditors need to understand how to review and accept or reject corrective actions on findings.

31 Registration Management Committee Auditors: a key to conformance Auditors need to know how to write up findings without revealing technical data in the write up.

32 Registration Management Committee The Basic restriction

33 Question: What should be included in your opening meeting with the customer?

34 Question: What should be included in your opening meeting with the customer? 1. Inform them of your nationality 2. Remind them to not show you restricted technical data that is not authorized to someone of your nationality 3. Remind them to not post restricted technical data where others can see it 4. Remind them that it is their responsibility to protect restricted data

35 Registration Management Committee Question: What kind of advice can you give the customer in how they can comply with the specs? None - your advice may be an export a transfer of technical data or a defense service.

36 Question: How can a systems audit result in an illegal export of technical data? 1. Foreign person auditor (UK) is reviewing a system that contains technical data. What systems elements could contain technical data? Manufacturing or quality planning; first article inspection; non conforming materials

37 Question: How can a systems audit result in an illegal export of technical data? 1. Foreign person auditor (UK) is reviewing a system that contains technical data. 2. The technical data is restricted by one of the Export regulations. 3. The technical data is not authorized to the UK (company or person) without a license.

38 Question: What should you do if you know an export law is being violated? EXAMPLE: during a review of shipping records you see parts marked ITAR being shipped to China and Cuba?

39 Question: What should you do if you know a export law is being violated? Bring the problem to the attention of the Customer you are auditing. Report the problem to the CB.

40 Question: How should you write up a technical finding on a restricted part?

41 EXAMPLE: Manufacturing planning finding (on a restricted part): Technical manufacturing plan operation 260 on 3-9 spool (1234P07) was incorrect. The heat treat operation sheet called for a Rockwell hardness result of HRC 55 60; the specification ASTM b called for HRC This write up reveals technical data.

42 Registration Management Committee New way to write finding on a restricted part: Manufacturing planning (on a restricted part): Technical manufacturing plan operation 260 on 3-9 spool was incorrect. The heat treat operation sheets called for a hardness check which was 10 Rockwell C units below the specification requirement. This write up does not reveal technical data.

43 Registration Management Committee Example: advise A foreign supplier is coating ITAR-controlled parts where the statistical analysis shows a 2.1 sigma process. The specification requires a 100% test for each coating set-up if the process is less than 2.6 sigma. However, the supplier was only performing test inspection for the initial set up of each lot of parts (which consisted of eight set-ups). The auditor writes a finding against the supplier. Before answering the finding, the supplier asks PRI s auditor how to achieve 2.6 sigma.

44 Example If auditor answers this question, is he performing a defense service? Yes. He would be providing assistance to a Foreign Person in the manufacture of a defense article. CB policy (should) prohibit the auditor from giving advice on how parts should be processed. Such activity could violate U.S. export regulations. 44

45 Question: What is the best way for an auditor (or anyone) to reject a corrective action? UNACCEPTABLE Or UNSATISFACTORY Or (Cause or C/A) REJECTED 45

46 Acceptance and Rejection of corrective actions If reviewers give any suggestions as to what might be an acceptable corrective action, you could be providing technical assistance A simple yes or no (or accept/reject) is the best policy

47 Be Prepared Some suppliers have export compliance systems in place. CBs should check to see if your auditor needs proof of citizenship. In some cases the parent company can vouch for the auditor (should be in writing.) Auditors should always follow the rules and policies in place in the company they are auditing (safety, labor, camera, etc.).

48 Registration Management Committee QUESTIONS?