The Most Common ITAR Recordkeeping Failures Found During DDTC Audits

Why ITAR Recordkeeping Is a Top DDTC Audit Priority

When the Directorate of Defense Trade Controls conducts a compliance audit, recordkeeping is rarely treated as a secondary concern. In practice, it is often the first place examiners look—and the place where they find the most problems. Incomplete records, inconsistent retention practices, and missing transaction documentation are not administrative oversights. Under the International Traffic in Arms Regulations, they are violations that can result in civil penalties, consent agreements, and debarment from future defense contracts.

The challenge for most defense contractors is that ITAR recordkeeping requirements are more demanding than many compliance teams realize. They span physical records, digital files, technical data transfers, license authorizations, and visitor logs. Gaps in any of these categories can surface during a DDTC examination and create serious exposure. Understanding where auditors consistently find failures is the most effective way to close those gaps before an examiner arrives.

The Five-Year Retention Rule Is Misunderstood More Than You Think

22 C.F.R. § 122.5 requires registrants to maintain records related to the manufacture, export, and temporary import of defense articles for a minimum of five years. That rule sounds straightforward. In practice, it is one of the most frequently misapplied requirements we see when conducting ITAR assessments.

Common misapplications include:

  • Starting the five-year clock from the date a document was created rather than from the date the transaction was completed or the license expired
  • Applying the five-year rule to some records categories but not others, resulting in inconsistent retention across departments
  • Deleting electronic records during IT system migrations without verifying retention obligations first
  • Maintaining physical records for five years but purging associated email communications, meeting notes, or approvals that would provide context during an audit

If your records retention schedule was written before your company expanded into new ITAR-controlled product lines or before a merger or acquisition, it almost certainly has gaps. A formal records retention policy, aligned explicitly to ITAR requirements and reviewed annually, is a non-negotiable element of a defensible compliance program. You can find practical guidance on building that foundation in our post on ITAR recordkeeping requirements explained.

Export Transaction Records Are Incomplete or Disconnected from License Authorization

Every export of a defense article or technical data must be traceable to its authorization—whether that authorization is a DSP-5 license, a DSP-61 or DSP-73 temporary import or export license, an exemption, or another approved mechanism. DDTC auditors will attempt to walk a specific transaction from the initial request through shipment or transfer, verify the authorization that covered it, and confirm that records accurately reflect what occurred.

The failures we see most frequently in this area include:

  • Export records that reference a license number but do not retain a copy of the license itself
  • Transactions processed under exemptions with no documentation of the exemption determination or the identity of the individual who made it
  • Shipping records, commercial invoices, and Electronic Export Information filings maintained in separate systems with no cross-reference linking them to the underlying authorization
  • Oral authorizations or approvals communicated by phone or verbal agreement with no written confirmation in the transaction file

Auditors are specifically trained to look for these disconnects. A license on file means nothing if you cannot demonstrate that the specific transaction was covered by it. Our ITAR and export controls compliance services are designed to help companies build the transaction documentation infrastructure that survives this level of scrutiny.

Technical Data Transfer Records Are the Most Overlooked Category

Physical exports of hardware often receive the most compliance attention. Technical data transfers—particularly electronic ones—are where we find the most significant recordkeeping gaps. Under ITAR, transferring technical data to a foreign person, whether abroad or within the United States, constitutes an export. Every such transfer must be authorized and documented.

In practice, this means companies must maintain records of:

  • Emails containing ITAR-controlled technical data sent to any recipient, including the nationality of each recipient
  • File sharing, collaboration platform activity, or cloud storage access logs when foreign nationals have access to ITAR environments
  • Presentations, proposals, or technical briefings shared with foreign national employees, partners, or customers
  • Technology transfers to foreign subsidiaries or joint venture partners

Many companies have policies addressing these transfers in theory but have no systematic process for capturing and retaining evidence that the policies were followed. Proper labeling of technical data before transfer is a related requirement that also generates audit findings regularly. Our resource on ITAR compliance and proper labeling of documents and records provides a solid starting point for companies working to close this gap.

Visitor and Access Control Records Consistently Generate Findings

DDTC auditors reviewing facility compliance will request visitor logs, foreign national access records, and documentation of any Technology Control Plans or visitor authorizations. This is an area where companies often have informal practices that do not translate into the documented, auditable records that examiners require.

The most common failures in this category include:

  • Visitor logs that capture name and date but omit nationality, purpose of visit, areas accessed, and escort information
  • No documented process for verifying the citizenship or immigration status of visitors before granting access to ITAR-controlled areas
  • Visitor badges that are not color-coded or otherwise differentiated to indicate access level or authorization status, making it impossible to verify post-hoc that access was properly controlled
  • Foreign national visits that occurred under a claimed exemption with no written determination retained in the file

A properly maintained visitor log is one of the simplest and most effective records controls a facility can implement. Using ITAR-compliant visitor log books purpose-built for defense contractor facilities removes ambiguity about what information must be captured. Pairing visitor logs with a structured badging system—using color-coded ITAR visitor badges that visually communicate access authorization—gives auditors a clear, traceable record of facility access control.

Training Records Are Missing, Incomplete, or Undated

ITAR requires that registrants have a compliance program, and DDTC examiners expect training to be a documented component of that program. The failure mode here is not usually that companies fail to train employees—it is that they fail to document the training in a way that satisfies an auditor.

Auditors will ask for records that demonstrate:

  • Which employees received ITAR training and when
  • What content was covered, including whether the training addressed specific regulatory requirements relevant to each employee's role
  • Whether employees acknowledged their obligations in writing
  • Whether training is repeated at defined intervals or when employees change roles

A training spreadsheet with no supporting materials, no signed acknowledgments, and no record of content is unlikely to satisfy an examiner. For companies that want a structured, documented approach to ITAR training and overall program management, our ITAR Compliance Documentation Toolkit provides the templates and frameworks needed to build an auditable training record from day one.

Commodity Jurisdiction and Classification Records Are Rarely Retained Properly

When a company makes a determination that an item or technical data is or is not subject to ITAR, that determination must be documented. If the company submitted a Commodity Jurisdiction request to the State Department, the request and the response must be retained. If an internal classification determination was made—relying on legal counsel, a compliance officer, or an outside consultant—the analysis supporting that determination should be documented and stored in a retrievable format.

In many audits, companies can demonstrate that they reached a classification conclusion but cannot produce the analysis behind it. That creates significant risk. If a product is later found to have been misclassified, a documented, good-faith classification analysis is a meaningful mitigating factor. The absence of documentation eliminates that mitigation entirely.

How to Prioritize Your Recordkeeping Remediation

If your organization has not recently conducted a records audit specifically focused on ITAR requirements, the priority sequence should be:

  1. Verify that all active licenses and recent transactions have complete, linked documentation files
  2. Review your records retention policy against the five-year requirement and current product lines
  3. Audit technical data transfer logs for completeness and traceability to authorization
  4. Standardize your visitor and foreign national access records with documented procedures
  5. Confirm that training records include content documentation, dated acknowledgments, and role-specific coverage
  6. Create or update classification files for all items in your ITAR-controlled product portfolio

Recordkeeping failures are rarely the result of bad intent. They are almost always the result of processes that were never designed to meet the documentation standard an audit demands. The ITAR recordkeeping requirements checklist for compliance and contracts teams is a practical tool for conducting that internal review systematically.

For companies that want to benchmark their overall program posture, our existing resource on how your ITAR compliance program measures up provides a useful self-assessment framework alongside the recordkeeping review.

Take Action Before the Auditor Arrives

DDTC audits are not announced with months of lead time. Recordkeeping deficiencies found during an examination cannot be remediated retroactively. The time to build an auditable records infrastructure is now—before the examiner requests your transaction files, visitor logs, and training records. Cleared Systems works with defense contractors, manufacturers, and regulated exporters to identify recordkeeping gaps, implement compliant documentation processes, and build ITAR compliance programs that hold up under DDTC scrutiny. To discuss your organization's current recordkeeping posture and where your exposure may lie, request a consultation with our team or explore our full range of ITAR and export controls compliance services to find the right engagement model for your organization.
