Internal Controls for Export Compliance – Let’s Borrow from Customs & COSO

By: Bruce H. Leeds, Senior Counsel

A number of years ago I attended a 2-day workshop conducted by U.S. Customs.  The agency was discontinuing the Compliance Assessment Team approach to conducting audits, and was going to a new method based on what they termed the COSO model. The workshop described the model they were adopting and how it would be used for compliance.  By the end of the workshop I had discovered the world of COSO-based internal controls.

COSO is the Committee of Sponsoring Organizations of the Treadway Committee, established back in the 1980s to promote business ethics, accurate financial reporting, and internal controls.  In regard to the latter, COSO created a standard for establishing and maintaining internal controls.

U.S. Customs adopted the COSO internal control standard for conducting audits (or Focused Assessments as the agency terms them) and later extended it to the Importer Self Assessment (ISA) program.  Although there have been some modifications, the COSO standards are still in place for Focused Assessments and ISA.

The COSO internal control model has been used for other purposes as well.  The purpose of this article is to suggest that it provides an excellent standard to establish internal controls for export compliance.

The COSO internal control standard consists of 5 major elements:

  1. Control environment – Establishing the basic policies, governance and training for compliance
  2. Risk assessment – Knowing what the major risks are for non-compliance
  3. Control activities – Establishing procedures to mitigate or eliminate identified risks
  4. Information and communication – Providing compliance information to internal and external parties; obtaining information needed for compliance from internal and external parties
  5. Monitoring – Conducting reviews and audits to ensure that controls are in place and effective

Let’s take a hypothetical situation and see how these controls may work in an export compliance situation:

Acme Aerospace (Acme) manufactures parts and subsystems for military aircraft.  Acme exports many of the parts and subsystems, and obtains others from non-U.S. suppliers.  The export controls on many of Acme’s products have been affected by Export Control Reform.  How should Acme position itself for compliance?  Let’s try the COSO model.

Control Environment

  • Acme publishes an export compliance policy, signed by the CEO, stating that it is the policy of the company to comply with export control laws and regulations.
  • Acme identifies an export control function, and provides employees working within that function with tools and training to competently perform their jobs. This includes Export Control Reform training.
  • Acme provides export compliance training to other affected company functions, such as Contracts and Business Development, and general compliance training to the entire workforce.

Risk Assessment

  • Based on experience and training, Acme identifies major risk areas for non-compliance. These include misclassification of products, failure to obtain licenses, failure to properly administer licenses and exemptions, and failure to maintain required records.

Control Activities

  • Acme develops written procedures to address the identified risk areas to minimize or eliminate the risks. The procedures are made available to all who need them, and are regularly reviewed and revised as required. Acme develops new procedures to address new products, technologies, and changes in the regulations. To ensure the export compliance procedures remain current and relevant, Acme asks its internal audit function to regularly review them.

Information & Communication

  • Acme’s export compliance function provides information to affected company functions on export controls that apply to their activities and technologies. The export compliance staff also provides training to company personnel and functions, in particular after changes to the regulations that may affect Acme’s activities. Acme export compliance personnel also provide export license and exemption information to Acme’s Shipping function and to freight forwarders.
  • Acme’s export compliance personnel are able to learn of new products and technologies, and are briefed on new non-U.S. business development activities. They also learn of new hires, contractors, and visitors to Acme facilities. The Acme export compliance function ensures that required records, such as contracts, purchase orders and export documentation, are available and retained for the period required by the regulations.

Monitoring

  • Acme’s export control function regularly reviews licenses and agreements to ensure that balances are maintained, reports are submitted, and there have been no changes to the parties or products.
  • Acme’s export compliance function also samples export documentation, including invoices and export declarations, to ensure that licenses and exemptions have been accurately declared, that all required records are in place, and any corrections or follow-up actions have been completed.

Would these internal controls guarantee that Acme was totally compliant?  “Guarantee” is probably too strong a word, but these internal controls would go a long way to achieving compliance.

One of the best things about the COSO model is that it provides a framework to identify compliance requirements, and categorize them appropriately.  Another good thing is that many auditors, both internal and external, will recognize the COSO model and applaud its use.

Building or revising an export compliance program?  Consider the COSO model.