Last updated: January 6, 2026

BIS Audit Documentation: Screening Record Requirements

Lenzo Compliance Team

The Bureau of Industry and Security requires exporters to retain screening records for five years under 15 CFR Part 762. Five years. Not three, not "as long as practical," not whatever your IT department decided when they set up the archive policy in 2019.

But retention alone won't save you when auditors show up. What matters is whether your records tell a coherent story—what you screened, when, against which lists, and what you did with the results. With penalties at $374,474 per violation (BIS.gov, January 2025) and Commerce Secretary Lutnick promising a "dramatic increase" in enforcement at the March 2025 Update Conference, screening documentation has become your primary audit defense. Not your compliance manual. Your actual records.

Key Takeaways

  • EAR records must be retained five years from export or last known reexport; OFAC now requires ten years (15 CFR 762.6, 31 CFR 501.601)
  • BIS administrative penalties hit $374,474 per violation or twice the transaction value, whichever is greater (BIS.gov, January 2025)
  • The September 29, 2025 Affiliates Rule extends screening obligations to entities 50% owned by listed parties—named-party screening alone no longer cuts it (Federal Register, September 2025)
  • Voluntary Self-Disclosure caps maximum penalties at 50% (BIS Administrative Enforcement Guidelines, 2024)
  • Cadence Design Systems paid $140M+ in combined DOJ/BIS penalties in July 2025, with mandatory third-party audits through 2028 (DOJ Press Release, July 28, 2025)

What Records Must You Actually Retain for BIS Audits?

Part 762 specifies twelve categories of records subject to mandatory retention (15 CFR 762.2). Licenses, license exceptions, AES filings, bills of lading, commercial invoices, packing lists. Screening results fall under "other records pertaining to transactions." Same preservation rules apply.

Here's where we see companies get it wrong. They treat screening as a checkbox. Run a name through Visual Compliance or Descartes, get a green light, ship the order. Done, right?

No. That's a screenshot collection, not documentation.

BIS wants records showing what you screened, when, against which lists, and what you did with the results. Timestamps. List versions. Disposition notes explaining why a potential hit got cleared or kicked upstairs. When a field agent asks you to walk through your February shipment to that Dubai trading company, a screenshot of a green checkmark won't cut it.

We talked to a compliance manager at a Midwest industrial controls manufacturer last year—her audit went sideways because they couldn't pull screening logs older than 18 months. Their screening vendor's retention was 12 months. The EAR requires 60. Nobody had checked whether the vendor contract aligned with regulatory requirements. The auditors weren't interested in whose fault that was.

How Has the Affiliates Rule Changed Screening Documentation?

The September 29, 2025 Interim Final Rule fundamentally rewrote what "complete screening" means. Before, screening against the Consolidated Screening List covered your Entity List obligations. Not anymore.

Any entity 50% or more owned by a listed party now triggers the same restrictions as the parent (Federal Register, September 2025). BIS warned that the CSL "will no longer comprise an exhaustive listing of foreign entities subject to Entity List license requirements" (BIS FAQ, October 2025). The list you've been screening against for years? No longer complete.

Your records now need to demonstrate ownership diligence. Screenshots of a negative CSL hit mean nothing if the customer's parent company sits on the Entity List. Good luck determining that for a trading company with three layers of Hong Kong holding companies.

Where do you source ownership data? What counts as "reasonable diligence" when beneficial ownership isn't publicly available? BIS hasn't issued binding guidance. The Entity List contains over 3,100 entries as of late 2025 (Sidley Austin analysis). Every one could have majority-owned subsidiaries you've never heard of.

The practical answer: document everything, including your uncertainty. Save corporate registry pulls, third-party screening reports, customer certifications. If you can't determine ownership with reasonable confidence, document that too. "We couldn't verify ownership so we escalated to legal and decided not to ship" is defensible. "We didn't think to check" lands you in a charging letter.

What Happens When Documentation Fails During an Audit?

BIS auditors don't show up randomly. End-use checks, license condition verification, tips from competitors, Customs referrals—these trigger most examinations. When they request records, 15 CFR 762.7 gives you "a reasonable time to produce them." What's reasonable? Depends. Delays raise suspicion. Missing records raise it more.

The June 2024 enforcement policy eliminated "no admit, no deny" settlements. If you settle now, you admit the violation occurred. That admission goes public—posted on BIS enforcement actions, picked up by trade press, forwarded to your customers' compliance teams. Documentation gaps that might have resolved quietly now carry reputational stakes alongside financial ones.

The Cadence case showed what maximum enforcement looks like. $140 million combined penalties. Mandatory third-party audits through 2028. Employees in their China subsidiary thought using "Central South CAD Center" in English and "National University of Defense Technology" in Chinese characters would somehow fool everyone. It did not.

What doesn't work: retroactive documentation assembly after you receive an audit notice. We've watched companies try it. Auditors spot fabricated records. They compare timestamps against known list update dates. They check file metadata. One company we know tried to "reconstruct" screening logs after notification—their IT team created backdated files. Made everything worse. What started as a recordkeeping deficiency became evidence of obstruction.

Which Documentation Practices Actually Reduce Audit Risk?

The BIS Audit Module self-assessment tool (BIS.gov) gives you a framework. But operational consistency matters more. Intermittent screening, inconsistent record formats, varying retention practices across business units—these create vulnerabilities that documented policies can't paper over.

Screening frequency trips up more teams than you'd expect. One-time pre-transaction screening satisfies minimum requirements—technically. But OFAC published 2,847 designation changes in 2024 (Treasury.gov). Your customer cleared screening in January. Got designated in March. You shipped in April without rescreening. That's a violation regardless of your earlier documentation.

Match disposition is where documentation falls apart most often. A hit on "Mohammad Ali" or "China International Trading" generates investigation. But then what? Your records should show: potential match details, investigation steps, sources consulted, analyst reasoning, final decision with approver signature. "Cleared—not a match" without explanation fails the audit test every time. We've seen disposition notes that just said "NM." The auditor asked what investigation was performed. The analyst couldn't remember. Three years old. You can imagine how that went.

Platforms like Lenzo, Descartes, and SAP GTS generate timestamped audit trails automatically. But automated systems need documented configuration. Which lists are active? What matching thresholds apply? One electronics distributor couldn't explain why their tool was set to 70% match threshold when their policy specified 85%. The lower threshold generated more false positives, which their overwhelmed team cleared without documentation just to keep orders moving. Created exactly the exposure they thought automation would prevent.
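An added example, not Lenzo's or any vendor's code: a Python check over constructed screening records that flags the three gaps this section describes (a hit cleared without a disposition trail, a shipment made after a list change without rescreening, and a tool threshold that differs from written policy). The record layout, field names, shipment ids and dates are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data; field names are hypothetical, not any vendor's schema.
POLICY_THRESHOLD = 85  # match threshold (percent) the written policy specifies
REQUIRED = ("party", "screened_on", "lists", "list_version", "result")
HIT_REQUIRED = ("match_details", "investigation", "sources", "reasoning", "approver")

RECORDS = [
    {"shipment": "S-001", "party": "Acme Trading FZE", "result": "clear",
     "screened_on": date(2025, 1, 10), "shipped_on": date(2025, 4, 2),
     "lists": ["CSL"], "list_version": "2025-01-09", "threshold": 85},
    {"shipment": "S-002", "party": "China International Trading", "result": "hit",
     "screened_on": date(2025, 3, 30), "shipped_on": date(2025, 4, 1),
     "lists": ["CSL"], "list_version": "2025-03-28", "threshold": 70,
     "disposition": "NM"},
]
# Constructed dates on which a screened list changed.
LIST_UPDATES = [date(2025, 1, 9), date(2025, 3, 14), date(2025, 3, 28)]

def audit_record(rec, list_updates, policy_threshold=POLICY_THRESHOLD):
    """Return the documentation gaps found in one screening record."""
    gaps = [f"missing:{f}" for f in REQUIRED if not rec.get(f)]
    if rec.get("result") == "hit":
        # A cleared hit needs the full disposition trail, not just "NM".
        gaps += [f"missing:{f}" for f in HIT_REQUIRED if not rec.get(f)]
    screened, shipped = rec.get("screened_on"), rec.get("shipped_on")
    # A list update after screening and on or before shipment makes the clearance stale.
    if screened and shipped and any(screened < u <= shipped for u in list_updates):
        gaps.append("stale:list changed between screening and shipment")
    if rec.get("threshold") != policy_threshold:
        gaps.append(f"config:threshold {rec.get('threshold')} != policy {policy_threshold}")
    return gaps

def audit_all(records, list_updates):
    """Map each shipment id to its list of gaps (empty list means complete)."""
    return {r["shipment"]: audit_record(r, list_updates) for r in records}

if __name__ == "__main__":
    for shipment, gaps in audit_all(RECORDS, LIST_UPDATES).items():
        print(shipment, gaps or "complete")
```

Run against real exports, a check like this belongs on a schedule well before any audit notice, so gaps are found while the analyst still remembers the investigation.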

FAQ

How long must I keep screening records under EAR requirements?

Five years from export date, known reexport, or transaction termination per 15 CFR 762.6. OFAC now requires ten years under 31 CFR 501.601—so transactions touching both need the longer period. Storage is cheap. Penalties aren't.

What specific screening documentation does BIS expect during audits?

Parties screened, date and time, lists checked, list version, match results, disposition of hits, approver identification. The Export Compliance Guidelines recommend logs allowing "efficient search and retrieval" matched to transaction documents. If you can't connect a screening result to a specific shipment, you have a gap.

Does the Affiliates Rule require documenting ownership analysis?

Yes. The September 2025 rule extends Entity List restrictions to 50%+ owned affiliates. Document your methodology, sources, findings, and escalation decisions when ownership can't be verified. "We looked, couldn't find information, and declined the transaction" works. "We assumed they were fine" does not.

Can automated screening tools satisfy BIS documentation requirements?

If properly configured. You need timestamped results, list version identification, match details, and documented configuration settings. Keep tool audit logs showing changes. When an auditor asks why your threshold dropped from 85% to 70% last March, you want an answer that doesn't involve shrugging.

Documentation requirements will tighten as BIS shifts toward diversion prevention and ownership transparency. The July 2025 Cadence settlement signals the direction. The question isn't whether your sector will see more audits. It's whether your current records would survive one.
