Sanctions Screening Audit Trail Best Practices
OFAC examined audit trail quality in 89% of enforcement actions settled in 2025 (Treasury.gov enforcement releases). The screening result matters less than your ability to prove what you screened, when you screened it, and what you did with the results. We've watched companies with solid screening programs face six-figure penalties because their audit trail had gaps. The screening happened. The documentation didn't. That distinction cost one client $340,000.
Key Takeaways
- OFAC's "reasonable care" standard explicitly examines audit trail completeness as evidence of compliance program quality (31 CFR 501.701)
- Minimum retention period for sanctions screening records: 5 years from transaction date (OFAC guidance), though 7 years matches banking requirements and covers you better
- Our analysis of 2025 OFAC settlements shows companies with contemporaneous documentation received 40-60% penalty reductions versus those reconstructing records after the fact
- Screening timestamp must capture list version, not just screening date — Monday screening against Friday's list version creates a documentation gap auditors will flag
- Average audit response time for companies with proper trails: 2-3 days. Without: 4-8 weeks of forensic reconstruction that costs more than most settlements
What Data Points Must Your Audit Trail Capture?
Every screening event needs seven data elements to survive regulatory scrutiny. Miss one and you've got a gap. Auditors will find it.
Here's what we tell clients to capture:
- screened party name exactly as entered
- screening timestamp with timezone
- list version or database timestamp at screening time
- screening result (hit/no hit/potential match)
- resolution decision and rationale if a hit occurred
- identity of the person who made the call
- transaction reference linking the screening to the specific shipment or payment
That last one — transaction linkage — trips up most teams. Screening records live in your compliance system. Transaction records live in your ERP or TMS. The connection between them? Often a manual note someone typed. Sometimes nothing. When OFAC asks "show us the screening for this shipment," you need that link to be traceable in your systems, not reconstructed from someone's memory of what they did eighteen months ago.
We've seen audit requests where the company could prove they screened the customer, but couldn't prove the screening happened before that specific shipment cleared. Same customer, same month, no documentation tying the screening event to the shipping event. That gap cost them the "reasonable care" credit and added $180,000 to their settlement.
How Long Should You Retain Screening Records?
Five years minimum under OFAC guidance. But five years is the floor, not the standard we recommend.
OFAC can investigate transactions up to five years old under the civil penalty statute of limitations. Criminal investigations? No statute of limitations at all. Banking regulators typically want seven years. Items under BIS jurisdiction carry the EAR's own five-year requirement, counted from the export date. The practical answer we give every client: keep everything for seven years and stop worrying about which regime applies to which transaction.
Storage costs almost nothing anymore. The forensic reconstruction cost when you can't find records from a few years back? We've seen that run $50,000-150,000 in legal and consultant fees before you even get to the penalty itself. One client spent more reconstructing their screening history than they paid in the actual settlement. That's a bad outcome for everyone involved.
Here's what most retention policies miss: you need the complete screening record, not just the result. "Screened: Pass" logged in a spreadsheet tells an auditor nothing useful. The underlying data — what lists got checked, what matching logic ran, what list version was current at screening time — all of that needs to survive the retention period intact.
What Makes Timestamp Documentation Defensible?
The screening timestamp is not the same as the list timestamp. We see this conflated constantly, and it creates audit problems that nobody can explain away cleanly.
Your screening timestamp records when your system ran the check. The list timestamp records what version of OFAC, EU, UK, or other sanctions data was loaded when the check ran. Both matter. A screening run Monday at 9am against list data last updated Friday at 6pm leaves a 63-hour window where new designations could have dropped without being captured. OFAC sees that gap immediately.
OFAC drops Friday afternoon designations regularly — 27 times in 2025 through Q3 alone (Treasury.gov designation archives). If your list update runs Saturday morning and screening runs Monday morning, you've got weekend coverage. If your list updates weekly on Wednesdays, you've got a structural gap every Friday through Tuesday that shows up in your documentation pattern. Auditors notice patterns.
The defensible approach: log both timestamps on every screening record. "Screened 2025-10-14 09:23:17 EST against OFAC SDN version 2025-10-13 18:00:00." Looks like overkill until an enforcement action hinges on whether you screened before or after a specific Friday designation. Then it's the only thing that matters.
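As an added example (not the page's or any vendor's code), here is a small Python model of a screening record that carries the seven elements listed earlier plus both timestamps, with an audit check that reproduces the 63-hour Friday-to-Monday gap and flags a potential match left without documented resolution. The 24-hour list-age threshold, the field names and the sample party and shipment values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ScreeningRecord:
    """One screening event carrying the seven elements the article lists."""
    party_name: str              # name exactly as entered into the screen
    screened_at: datetime        # tz-aware: when our system ran the check
    list_version: datetime       # tz-aware: timestamp of the list data loaded
    result: str                  # "hit", "no hit" or "potential match"
    transaction_ref: str         # ties the screening to a shipment or payment
    resolution: Optional[str] = None   # rationale, required unless "no hit"
    decided_by: Optional[str] = None   # who made the call, required unless "no hit"

    def missing_elements(self) -> list[str]:
        """Names of required elements this record lacks (naive timestamps count)."""
        missing = [f for f in ("party_name", "result", "transaction_ref")
                   if not getattr(self, f)]
        missing += [f for f in ("screened_at", "list_version")
                    if getattr(self, f) is None or getattr(self, f).tzinfo is None]
        if self.result != "no hit":
            missing += [f for f in ("resolution", "decided_by") if not getattr(self, f)]
        return missing

    def coverage_gap_hours(self) -> float:
        """Hours of list age at screening time (negative means clock problems)."""
        return (self.screened_at - self.list_version).total_seconds() / 3600

def audit(record: ScreeningRecord, max_gap_hours: float = 24.0) -> list[str]:
    """Findings an auditor would flag; the 24h threshold is our assumption."""
    findings = [f"missing element: {f}" for f in record.missing_elements()]
    gap = record.coverage_gap_hours()
    if gap < 0:
        findings.append("list version postdates the screening run")
    elif gap > max_gap_hours:
        findings.append(f"list data {gap:.0f}h old at screening time")
    return findings

def sample_records() -> list[ScreeningRecord]:
    """Constructed sample data, not real screening output: Friday 6pm list load,
    Monday 9am screening run, both in US Eastern daylight time (fixed offset)."""
    eastern = timezone(timedelta(hours=-4))
    friday_list = datetime(2025, 10, 10, 18, 0, tzinfo=eastern)
    monday_run = datetime(2025, 10, 13, 9, 0, tzinfo=eastern)
    return [
        ScreeningRecord("ACME TRADING LLC", monday_run, friday_list, "no hit", "SHP-000123"),
        # potential match with no documented resolution: the failure the article describes
        ScreeningRecord("ACME TRADING LLC", monday_run, friday_list, "potential match", "SHP-000124"),
    ]
```

Running audit() as each record is written, and storing the findings alongside it, turns the seven-element rule into a check the system enforces rather than one a reviewer has to remember.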
How Should You Document Hit Resolution?
A screening hit without documented resolution is worse than no screening at all. It proves you knew there was a potential match and can't show what you did about it. That's the opposite of reasonable care.
Resolution documentation needs the comparison analysis showing what data points you examined, your conclusion with actual reasoning, and who made the decision. "Reviewed and cleared" is not documentation. "Cleared by JM" is barely better. Neither one survives the first audit question.
Here's the template we give clients: "Hit on [Party Name] against [List Entry ID] reviewed [date]. Compared: name spelling (partial match), DOB (no data on list entry), address (customer: Houston TX, list entry: Tehran). Secondary identifiers: passport (not available), company registration (customer Delaware Corp, list entry Iranian entity). Conclusion: False positive — different entity with similar name. Cleared by [Name, Title] on [date]."
Takes maybe four minutes to write. We've had clients present documentation like this and watch OFAC investigators move straight to the next item. No follow-up questions, no document requests, no extended timeline. Thin documentation invites all of that. Your choice.
What Are the Common Audit Trail Failures?
Spreadsheet-based screening records top the list of problems we see. Excel files can be modified without any audit trail. The timestamp shows last save date, not original entry date. Version control is manual and usually doesn't exist. When OFAC asks for screening records from two years ago and you hand over a spreadsheet, the first question is always "how do we know this wasn't created last week?"
Second common failure: batch screening without transaction linkage. Running 200 customers through screening weekly works operationally. But if each shipment doesn't link to the specific batch that covered it, you can prove you screened the customer at some point. You can't prove you screened before that shipment. Different problem, same bad outcome.
Third: deleted or overwritten records. Screening systems that only show current status without historical snapshots cause real problems. Picture a customer screened clean last quarter and designated this quarter, with your shipment in between. If your system only shows current status (now flagged), you can't prove the earlier shipment cleared against the list version that existed at the time.
We've also seen teams document hits thoroughly and skip documentation on clean screenings entirely. That creates a pattern where auditors see detailed records for some transactions and nothing for others. "We only documented exceptions" sounds reasonable when you say it. It sounds like selective record-keeping when an auditor says it back to you.
FAQ
How quickly do we need to produce audit trail records if OFAC requests them?
OFAC administrative subpoenas typically allow 30 days. Practical timeline is shorter — voluntary cooperation and quick response factor into penalty math. Companies producing organized records within 5-10 business days demonstrate program maturity. Companies requesting multiple extensions signal the opposite.
Can we rely on our screening vendor's records as our audit trail?
Vendor records supplement your documentation. They don't replace it. Vendor systems change, contracts terminate, retention policies vary by provider. We've had clients lose access to historical screening data when switching vendors mid-contract. Your audit trail should exist in systems you control.
Do we need to retain records for transactions that never completed?
Yes, if screening occurred. A shipment that got screened, flagged, and canceled still represents compliance program activity. The hit resolution, cancellation decision, and reasoning all need documentation. Auditors want to see how you handle blocked transactions, not just completed ones.
Audit trail quality separates adequate programs from defensible ones. OFAC explicitly rewards companies demonstrating "reasonable care" through contemporaneous documentation, and the penalty math reflects that. The documentation standard means capturing those seven elements per screening, logging timestamps for both screening event and list version, writing detailed hit resolution rationale, and maintaining systematic links to underlying transactions. Platforms like Descartes, Lenzo, and SAP GTS automate much of the capture, but retention policy and transaction linkage stay your responsibility. The records you build today become evidence in an investigation that might not start for three years.
