ITAR Export Control Compliance Audit Checklist: 15 Items DDTC Examiners Look For

What DDTC Examiners Are Actually Looking For

When the Directorate of Defense Trade Controls conducts a compliance review, examiners are not looking for a binder on a shelf. They are looking for evidence that your ITAR export control compliance program is operational, documented, and embedded in daily business activity. The penalties for falling short are severe: fines up to $1 million per violation, criminal prosecution, and debarment from future defense contracts.

This checklist reflects what examiners consistently examine during voluntary disclosures, administrative agreements, and proactive audits. If you are a compliance manager or executive at a defense contractor, aerospace firm, or manufacturer handling USML-controlled items or technical data, use this list to identify gaps before a DDTC examiner does.

For a broader understanding of the regulatory landscape, our post on ITAR compliance fundamentals provides essential background before diving into the checklist.

The 15-Item ITAR Audit Checklist

1. DDTC Registration Is Current and Accurate

Examiners verify that your organization is registered with DDTC under 22 CFR Part 122 and that your registration accurately reflects your current business activities, commodity categories, and corporate structure. Mergers, acquisitions, and changes in ownership must be disclosed promptly. An outdated registration is one of the first red flags an examiner will notice.

2. A Designated Empowered Official Is in Place

Your Empowered Official must be a U.S. person, employed by the registrant, with authority to sign export licenses and agreements, and legal accountability for compliance decisions. Examiners will confirm this individual is active, trained, and genuinely empowered rather than a figurehead designation.

3. Written ITAR Compliance Policies and Procedures Exist

A comprehensive, written compliance program is non-negotiable. Examiners expect policies covering jurisdiction and classification determinations, license requirements, technical data controls, visitor and foreign national access, and recordkeeping. Generic templates that have not been tailored to your specific operations will not satisfy an examiner. Our ITAR and export controls compliance services help organizations build programs that hold up under scrutiny.

4. USML Commodity Jurisdiction and Classification Records Are Documented

Examiners want to see that your organization has formally determined which products, components, and technical data fall under the United States Munitions List. Jurisdiction and classification analyses should be documented, dated, and retained. Undocumented assumptions about whether an item is ITAR-controlled are a significant enforcement risk.

5. Export Licenses and Authorizations Are Properly Managed

Every export transaction must be covered by an appropriate license, license exemption, or agreement. Examiners review license files for completeness, verify that shipments did not exceed authorized quantities or destinations, and confirm that exemptions were properly invoked. A license management log should be maintained and regularly reconciled. For a detailed breakdown of available authorizations, see our post on ITAR licenses explained.

6. Technical Data Controls Are Enforced

Controlling technical data is often where companies have the most exposure. Examiners look for evidence that ITAR-controlled technical data is identified, marked, stored in controlled environments, and not accessible to foreign nationals without proper authorization. This includes data in email, shared drives, cloud platforms, and engineering systems. Our post on proper labeling of ITAR documents and records covers the marking requirements in detail.

7. Foreign National Access Controls Are Implemented

Access by foreign nationals to ITAR-controlled facilities, systems, or technical data without a license or applicable exemption constitutes an unauthorized export. Examiners scrutinize how your organization screens employees and visitors, what access restrictions are enforced, and whether deemed export risks have been formally assessed. Visitor control is a frequent finding. Properly badging visitors with ITAR visitor badges and maintaining a compliant visitor log are basic controls examiners expect to see in place.

8. Employee Training Is Documented and Role-Specific

Examiners do not accept a one-size-fits-all annual training acknowledgment as sufficient. They expect training to be tailored by role, recurring, and documented. Engineers handling technical data, program managers, shipping personnel, HR staff involved in foreign national hiring, and executives all need differentiated training content. Training records must be retained and available for review.

9. Subcontractor and Vendor Compliance Obligations Are Flowed Down

Prime contractors are responsible for ensuring that ITAR obligations flow down to subcontractors and suppliers who handle controlled items or technical data. Examiners review teaming agreements, purchase orders, and subcontracts for appropriate ITAR flow-down clauses and verify whether subcontractor compliance has been monitored.

10. Recordkeeping Meets the Five-Year Retention Requirement

ITAR requires that records related to exports, including licenses, shipping documents, technical data transfers, and correspondence, be retained for five years. Examiners will request production of records and expect them to be organized and retrievable. Gaps in recordkeeping, even for transactions that were otherwise compliant, raise credibility concerns during a review.

11. A Voluntary Disclosure Process Is Documented

Examiners look favorably on organizations that have a documented process for identifying, escalating, and voluntarily disclosing potential violations to DDTC. The existence of a voluntary disclosure program demonstrates that your compliance culture is proactive rather than reactive. Organizations without any internal escalation process are viewed as higher risk. Our post on ITAR violations guidance for compliance managers addresses this process in depth.

12. Jurisdiction Over Software and Technology Is Assessed

Software, source code, and technology can be ITAR-controlled items. Examiners pay close attention to how organizations classify software that performs military functions or is specifically designed for USML-listed systems. This is especially relevant for defense software developers, system integrators, and aerospace technology companies. Misclassifying controlled software as EAR-jurisdiction is a recurring enforcement finding.

13. Physical Security Controls Support Technical Data Protection

Facility access controls, locked storage areas, secure print environments, and restricted workspace configurations all serve as evidence that ITAR-controlled information is being physically protected. Examiners look for posted signage, access logs, and badging systems that visibly enforce ITAR restrictions. Facilities handling controlled items should have ITAR-compliant facility signage prominently displayed at entry points.

14. An Internal Audit and Monitoring Program Is Active

A written compliance program that is never tested provides little assurance. Examiners look for evidence of periodic internal audits, transaction monitoring, and corrective action tracking. Organizations with a structured compliance program development framework in place are better positioned to demonstrate continuous monitoring rather than point-in-time checkboxes.

15. Senior Leadership Is Demonstrably Committed to Compliance

Examiners assess whether compliance is a corporate value or a paper exercise. Evidence of leadership commitment includes adequate budget allocation for compliance activities, executive participation in training, compliance program reporting to the board or senior leadership, and a compliance officer with genuine authority. Organizations where the compliance function is understaffed or lacks authority rarely perform well under examination.

How to Use This Checklist Before a DDTC Review

This checklist is most effective when used as the basis for an internal mock audit conducted well before any anticipated DDTC review. Walk through each item with your Empowered Official, legal counsel, and compliance team. Document your findings. Where gaps exist, develop a remediation plan with owners and deadlines.

Organizations in the aerospace and defense sector and those operating in defense manufacturing environments often find that multiple checklist items reveal interconnected weaknesses. Addressing them in isolation is less effective than building a comprehensive, integrated compliance program.

If your organization handles both ITAR-controlled items and Controlled Unclassified Information, the overlap between export control obligations and CUI protection requirements adds complexity. Our team regularly helps organizations navigate both frameworks simultaneously.

Do Not Wait for an Examiner to Find Your Gaps

DDTC enforcement actions have increased in frequency and in financial impact. The organizations that fare best under examination are those that treat ITAR export control compliance as a continuous operational discipline, not a reactive measure triggered by a contract requirement or an investigation. If you are not confident your program would hold up under the 15 items reviewed here, the time to act is now.

Cleared Systems works directly with defense contractors, manufacturers, and federal contractors to build, assess, and mature ITAR compliance programs that satisfy DDTC scrutiny. To discuss where your program stands and what it will take to close the gaps, request a quote or explore our ITAR and export controls compliance services to learn how we can help your organization get and stay compliant.
