BIS Audit Checklist: What They Request

Lenzo Compliance Team

Export Audit

Export Compliance

Export Records

Export Documentation

BIS Voluntary Disclosure

BIS investigations led to criminal convictions of over 65 individuals and businesses in fiscal year 2024 (BIS 2024 Year in Review, bis.doc.gov). When an Office of Export Enforcement agent sends a formal document request letter, usually on what feels like the worst possible Tuesday, the clock starts immediately. You either have the records organized and retrievable, or you're pulling people off their actual jobs to dig through five years of shipping files while the compliance manager quietly panics about the folder structure nobody fixed back in 2021.

We've helped companies prepare for exactly this scenario. Here's what BIS actually requests, where most exporters fall short, plus what you can do before the letter arrives.

Key Takeaways

BIS requires five years of export record retention under 15 CFR 762.6, measured from the date of export, last known reexport, or final transaction termination (whichever comes latest)
Maximum administrative penalty per violation reached $374,474 as of January 2025 (BIS.gov), with criminal penalties up to $1 million per violation and 20 years imprisonment under ECRA
BIS updated its Administrative Enforcement Guidelines in September 2024, removing penalty caps for non-egregious cases and tying fines directly to transaction value
Document requests typically cover ECCN classifications, end-use statements, license determinations, screening records, plus all correspondence related to flagged transactions
Failing to self-disclose a significant violation now counts as an aggravating factor during penalty calculations

What BIS Actually Asks For

The document request letter from BIS Office of Export Enforcement lands with a specific transaction list or a broad date range. Sometimes both. The letter cites 15 CFR 762.7, which grants BIS authority to inspect and copy any records required under Part 762. That authority extends to records held anywhere, including overseas subsidiaries.

What trips up most mid-market exporters: the request rarely targets just shipping documents. BIS wants to reconstruct your entire decision-making chain for each transaction. The classification worksheet showing how you arrived at your ECCN. The screening logs proving you checked the Consolidated Screening List before shipment. End-use and end-user documentation. Every email thread where someone internally questioned whether the destination raised red flags.

Under 15 CFR 762.2, the specific record categories include export control documents (licenses, license exceptions, Shipper's Export Declarations), memoranda, notes, correspondence, financial records, restrictive trade practice documentation. Then there's the catch-all: "other records pertaining to transactions subject to the EAR." That last category has no practical boundary. We've seen BIS request internal Slack messages and calendar invites related to a flagged transaction. If it touched the deal, they want it.

The Five-Year Rule and Its Hidden Extension

15 CFR 762.6 mandates five years of record retention. But the five-year clock has three possible start dates, with BIS counting from whichever comes latest: the original export date, any known reexport or in-country transfer, or final termination of the transaction. For companies selling capital equipment with ongoing service contracts, that five-year window can stretch to eight or ten years in practice. We worked with a medical device exporter whose 2017 shipment records were still within the retention window in 2024 because the service agreement hadn't terminated.

Once BIS sends any request, formal or informal, you cannot destroy the requested records even after the five-year period expires. That casual phone call from an enforcement agent asking about a 2019 shipment to Malaysia? It froze your ability to shred those files indefinitely.

BIS provides written authorization to destroy records when they're done. Until then, everything stays.

A 200-person electronics manufacturer shipping power controllers to Southeast Asia might have 50-70 active transactions in any given month. Multiply by five years. The records volume for a single audit can exceed 15,000 documents. Most companies at this size still rely on shared drives where each department invented its own naming convention. Pulling the right records within BIS's requested timeframe becomes a full-time job for two to three weeks.

The Classification Documentation Gap

ECCN classification records are where BIS audits go sideways for SMB exporters more often than anywhere else. BIS doesn't just want the final classification. They want the analytical basis: which technical parameters you evaluated, which CCL category you referenced, why you determined an item was EAR99 versus a controlled ECCN.

Most companies under 300 employees handle classification informally. An engineer looks at the spec sheet, compares it against the Commerce Control List, fires off an email saying "this one's EAR99." No formal worksheet. No record of which specific technical thresholds were evaluated. Zero documentation of the self-classification methodology.

When BIS asks how you determined that your 5-axis CNC component falls below the control parameters in ECCN 2B001, "our engineer checked" doesn't cut it. We hear that answer from at least half the companies we talk to during audit prep. It's the single fastest way to turn a routine records request into a compliance investigation.

The September 2024 BIS penalty guideline revisions made this gap more expensive. BIS eliminated penalty caps on non-egregious cases, meaning even unintentional classification errors now carry fines proportional to transaction value. A $50,000 shipment misclassified as EAR99 when it should have required a license? The penalty can dwarf the original sale.

Screening Records: Proving What You Checked and When

BIS expects documented proof that you screened every party to each transaction against the relevant restricted party lists (Entity List, Denied Persons List, Unverified List, Military End-User List) before the shipment left your dock. The Consolidated Screening List from the Department of Commerce aggregates these alongside OFAC and DDTC restrictions.

The operational headache for companies processing 100+ monthly shipments: generating the screening record at shipment time, then retaining it in a retrievable format for five years. A "no hits found" screenshot from a screening tool dated March 2022 means nothing if you can't pull it up three years later when BIS comes asking. We've seen companies lose exactly this kind of evidence after a platform migration.

Screening frequency matters too. Running names once during customer onboarding doesn't hold up when the Entity List received over 340 additions in 2024 alone (BIS.gov). An entity cleared in January may appear on the list by April. Ship to them in June without rescreening, BIS treats the gap as a compliance program failure. Not an honest oversight.

We tracked a mid-size industrial machinery exporter's screening process for six months. Seventy-one percent of their screening hours went to investigating false positive hits, not running the actual checks. The screening itself took minutes per transaction. The investigation and documentation of each hit resolution consumed the real time. And that resolution documentation (why a hit was cleared, who approved it, what additional diligence was performed) forms a critical part of what BIS requests during an audit. Most companies don't retain it at all.

End-Use and End-User Statements

BIS expects written end-use statements for controlled items, plus increasingly for EAR99 items shipped to destinations or end-users that trigger red flag indicators under Supplement No. 3 to Part 732. The statement should identify the specific application, the physical location where the item will be used, confirmation that the item won't be diverted to prohibited end-uses or unauthorized third parties.

The gap most exporters miss: re-verification. An end-use statement collected during initial customer qualification in 2020 doesn't cover a 2025 shipment if the customer's business activities changed. BIS sent red flag letters to 20 U.S. manufacturers in 2024, identifying specific customers whose products were recovered in weapons found in Ukraine. That kind of downstream tracking tells you BIS watches the chain far more closely than most mid-market exporters assume.

End-use documentation also connects to the "know your customer" obligation. If a customer in a third country orders quantities that exceed any reasonable commercial need, requests unusual shipping routes, or declines to state what they're doing with the product, those red flags require documented responses. Not just that you noticed them. That you investigated, reached a conclusion, recorded why you proceeded or refused the transaction.

The Voluntary Self-Disclosure Calculation

BIS published a final rule in September 2024 formalizing a dual-track system for voluntary self-disclosures. Minor or technical violations? Abbreviated narrative. Significant violations require a full investigation report within 180 days of initial notification.

The penalty math shifted. Deliberately choosing not to disclose a significant violation now triggers aggravating treatment during assessment. Before September 2024, silence was neutral. Now silence costs money. A non-egregious case with a VSD carries a base penalty of half the transaction value. Without a VSD, the base doubles to full transaction value. On a $2 million transaction, that gap between $1 million and $2 million hits fast. That's before aggravating or mitigating factors move the number further.

Companies that discover violations during internal audits face a sharper cost-benefit calculation than they did two years ago. Multiple BIS enforcement actions in late 2024 and early 2025 signal clearly that they expect compliance programs to catch issues proactively and disclose them promptly.

What Most Audit Checklists Get Wrong

Standard BIS audit preparation advice tells you to organize your records and train your employees. Fine, but insufficient. The actual failure pattern we see among mid-market exporters looks different.

The records exist but can't be connected to each other. Screening logs sit in the compliance database. Classification worksheets live in an engineering shared folder. End-use statements got filed with customer qualification documents in the sales team's CRM. Shipping documents are with logistics. When BIS asks you to produce the complete compliance file for a single shipment to a specific consignee on a specific date, no one person can assemble it without cross-referencing four or five systems. Nobody practiced doing it before the letter arrived.

That reconstruction work — linking product classification, party screening, end-use verification, license determination, and shipping documentation into one auditable package per transaction — represents the real preparation gap. Not whether you kept records. Whether you can produce them as a coherent set when it matters.

Lenzo consolidates screening results, classification data, transaction documentation into a single compliance record per shipment, which turns the per-transaction audit trail into the actual insurance policy. For companies running 100+ monthly shipments, that audit-ready record beats the compliance manual collecting dust in the quality management folder every time.

This article covers BIS audit requirements under the EAR only. OFAC, DDTC/ITAR, CBP audit procedures operate under separate authorities with different retention rules and penalty structures. Companies exporting items potentially subject to multiple regimes need to evaluate each authority's requirements independently.

FAQ

How long do I have to respond to a BIS document request?

BIS typically provides 30 days, though the actual deadline appears in the request letter itself. Requesting an extension before the deadline passes happens regularly. BIS generally grants reasonable extensions when the request covers a large volume of records or spans multiple years. What they won't grant: forgiveness for records that should have existed but don't.

Can I store export compliance records electronically?

Yes. 15 CFR 762.5 permits electronic reproductions provided they are complete, accurate, legible, durable. The electronic copy must remain accessible and producible during the entire five-year retention period. Companies that migrated compliance systems between 2020 and 2024 should verify that legacy records survived the transition. BIS won't accept "we switched platforms" as an explanation for missing data.

What happens if I can't locate records BIS requested?

Inability to produce required records constitutes an independent violation of Part 762 recordkeeping requirements, separate from whatever underlying transaction BIS was investigating. The penalty for failure to maintain or produce records falls under the same statutory framework: up to $374,474 per violation as of January 2025. Missing records also eliminate your ability to demonstrate compliance for the underlying transaction, which compounds your exposure significantly.

Does BIS only audit large companies?

No. BIS enforcement does not filter by company size. The 2024 enforcement actions included penalties against companies of widely varying scale, from major technology firms to specialty manufacturers with fewer than 50 employees. BIS uses customs data to identify distributors and customers in supply chains, sending red flag letters to companies whose products turned up in unauthorized end-uses regardless of the exporter's revenue or headcount.