LenzoBlogWhat BIS Actually Requests During an Audit
Last updated:
December 31, 2025

What BIS Actually Requests During an Audit

Lenzo Compliance Team
Export Audit
Export Records
Export Documentation
Export Compliance
Export Management

The Bureau of Industry and Security can assess $374,474 per violation as of January 2025 (BIS.gov). That figure means nothing until an OEE Special Agent asks for your export documentation and you realize three years of ECCN determinations are scattered across email threads, personal drives, and a former employee's laptop that IT wiped six months ago.

Key Takeaways

  • BIS audits fall into two categories: informal requests under 15 CFR 762.7 or formal administrative subpoenas—both demand the same five-year document retention under the EAR
  • The 12 mandatory record categories under 15 CFR 762.2 include export control documents, screening logs, classification justifications, and all correspondence related to covered transactions
  • OEE frequently issues subpoenas as first contact—receiving one does not indicate you are already suspected of violations
  • Missing or incomplete records represent the most common audit failure, not the underlying transaction errors themselves
  • OFAC finalized its 10-year retention requirement in March 2025, creating compliance gaps for companies using the EAR's five-year standard across all programs

The Two Types of BIS Audit Contact

BIS's Office of Export Enforcement uses two primary mechanisms to request records: informal production requests and administrative subpoenas. The informal approach comes under 15 CFR 762.7, where OEE asks you to voluntarily produce books, records, and transaction documentation. Most compliance officers assume subpoenas only follow a refusal to cooperate.

That assumption is wrong.

OEE routinely issues administrative subpoenas as the initial contact mechanism. A 150-person electronics distributor in Texas received one with no prior correspondence—the agent later confirmed this was standard procedure for their sector review. The subpoena demanded five years of Entity List screening logs, ECCN classification records, and all correspondence with distributors in Malaysia and Singapore.

The practical difference between informal requests and subpoenas is enforcement: non-compliance with a subpoena allows the Department of Commerce to petition a federal district court. Ignoring either, however, damages your standing with OEE and eliminates cooperation credit if violations surface later. Under the 2024 Administrative Enforcement Guidelines, cooperation credit can reduce penalties by 25-50%—but only if you cooperate fully from first contact.

The 12 Mandatory Record Categories

Under 15 CFR 762.2, BIS requires retention of 12 specific document categories. The regulation lists them plainly, but the operational reality is messier. Many export compliance programs capture transaction data while missing the supporting documentation that auditors actually request.

The required records include export control documents as defined in Part 772 of the EAR. This covers commodity classification letters, technology control plans, and technical data agreements. It also includes all memoranda, notes, correspondence, contracts, invitations to bid, books of account, and financial records pertaining to covered transactions.

Three categories get overlooked consistently:

First, restrictive trade practice and boycott documents under Part 760. If your company has ever received a request to certify origin or blacklist status, that correspondence must be retained—even if you declined the request.

Second, all notifications from BIS: license denials, commodity classification results, encryption review outcomes, and returned-without-action notices. These get lost when the person who submitted the request leaves the company.

Third, "other records pertaining to the types of transactions described in § 762.1(a)." This catch-all includes emails between sales and engineering about a customer's technical capabilities, internal notes questioning whether an end-user might have military applications, and any red flag documentation. If your screening system flagged a hit and someone cleared it manually, that decision record falls here.

Where Most Audit Failures Actually Happen

The common assumption is that BIS audits catch transaction violations—unlicensed exports, misclassified items, or Entity List shipments. Reality differs. The majority of audit deficiencies stem from recordkeeping failures, not underlying compliance failures.

The January 2025 enforcement settlement with Haas Automation illustrates this pattern. BIS imposed $1.5 million in administrative penalties plus ongoing audit requirements; OFAC added another $1,044,781 (BIS Press Release, January 17, 2025). The company had exported CNC machine parts to Entity-Listed parties in Russia and China between 2019 and 2024. But the enforcement order specifically noted deficiencies in the company's compliance documentation—internal controls existed on paper but failed to generate records demonstrating consistent application.

The mistake most export compliance programs make is building screening workflows without building documentation workflows. Your compliance team runs names against the Consolidated Screening List and gets results. Good. But if no one captures those results in a retrievable format tied to specific transaction numbers, the audit file contains nothing but assertions. One machinery manufacturer discovered this after receiving an OEE request: their denied party screening ran automatically on every order, but the system purged match results after 90 days to save storage. Three years of compliance activity, zero retrievable documentation.

The Five-Year Retention Problem

Part 762.6 of the EAR requires record retention for five years from the date of export, reexport, or transfer. Straightforward, except when it isn't.

Different agencies start their retention clocks at different points. The Foreign Trade Regulations under 15 CFR 30.10 require five years from the date of export for EEI records. ITAR regulations under the State Department require five years from license expiration—not from the export date. These two standards alone can create a three-year gap on multi-year licenses.

And OFAC—which governs sanctions compliance for the same transactions your EAR records cover—finalized its 10-year retention requirement effective March 2025, following an interim rule published in September 2024 (Federal Register, March 21, 2025). The OFAC change aligned with the doubling of its statutory limitations period under the 21st Century Peace through Strength Act signed in April 2024.

This creates an operational gap. If your export compliance program follows the BIS five-year standard uniformly, you're potentially destroying OFAC-relevant records while the statute of limitations remains open. A 2020 transaction involving Russia remains enforceable through 2030 under OFAC's expanded timeline. Your BIS-compliant five-year retention policy would have deleted those records in 2025.

The practical recommendation: retain all export-related documentation for 10 years regardless of the specific regulatory authority. Storage costs have collapsed to the point where the marginal expense of additional retention is meaningless compared to the enforcement exposure of missing records.

What Happens When Documents Are Missing

BIS does not treat missing records as a neutral gap. Under 15 CFR 764.2(i), failure to keep required records is itself a violation of the EAR. This means an audit can generate enforcement exposure independent of any underlying transaction problem.

The operational consequence is stark. Suppose OEE requests classification records for a specific shipment to a UAE distributor in 2022. Your ECCN determination was correct, your screening was clean, and the license exception properly applied. But the engineer who made the classification left the company in 2023. His email archive was deleted per IT policy after 180 days of inactivity. The only surviving record is a one-line note in your ERP system: "EAR99 - confirmed."

That transaction, fully compliant when executed, now presents an audit deficiency. The penalty exposure exists not because you violated export controls but because you cannot demonstrate you did not violate them.

This inversion catches many companies off guard. They expect audits to examine their decisions, not their documentation of those decisions. The July 2025 Cadence Design Systems settlement included detailed findings about the company's failure to maintain records demonstrating compliance procedures were followed, separate from the underlying export violations (DOJ Press Release, July 28, 2025). Total penalties exceeded $140 million.

Building Audit-Ready Records

The difference between a passing audit and an enforcement action often comes down to how records are organized before OEE contacts you. Waiting until a subpoena arrives to compile transaction documentation is already too late—and OEE knows this.

Effective export compliance programs maintain what practitioners call "audit packages" for each controlled transaction. An audit package contains every document BIS might request for that specific export: the ECCN determination with technical justification, all screening results and their resolution, end-use statement or certificate, license or license exception documentation, shipping and customs records, and any internal correspondence discussing the transaction.

The format matters less than the retrievability. BIS accepts electronic records if they can be produced in readable form without charge to the inspecting official. Some companies maintain document management systems with automated tagging; others use organized folder structures on network drives. The failure mode is scattered records across multiple systems—ERP, email, SharePoint, local drives—with no index connecting a shipment number to its compliance documentation.

One concrete test: when an OEE Special Agent calls, you should be able to produce any transaction's complete audit package within 24 hours. Not 48, not "by end of week." Twenty-four hours. If your current record system cannot meet that standard, the audit has already surfaced a compliance gap before the agent asks the first question.

Platforms like Lenzo consolidate screening records, classification data, and transaction documentation specifically to eliminate the retrieval scramble that turns routine audits into enforcement exposure.

FAQ

Can BIS request records for transactions that occurred before the current five-year retention period?

Yes. If you voluntarily retained records beyond five years and BIS makes a formal or informal request for those older records, you cannot destroy them without written authorization from BIS under 15 CFR 762.6. The five-year rule establishes the minimum retention period, not a safe harbor for destruction once the period expires.

What happens if an employee deleted relevant emails before an audit?

Routine deletion under a pre-existing retention policy is generally defensible if applied consistently and not triggered by awareness of an investigation. Deletion after becoming aware of an inquiry—even an informal one—constitutes obstruction and dramatically increases enforcement exposure. This is why many companies implement litigation hold procedures that suspend normal deletion when any government contact occurs.

Does BIS coordinate with other agencies during audits?

Frequently. The January 2025 Haas Automation settlement involved both BIS and OFAC imposing penalties for overlapping conduct. CBP, Census Bureau, and DDTC may also receive referrals or share information under the Disruptive Technology Strike Force framework. A BIS audit can surface records that trigger enforcement by other agencies operating under different standards and penalty structures.

How long does a typical BIS audit take from first contact to resolution?

There is no typical timeline. Some compliance reviews conclude within 60 days with a no-action letter. Others extend for years if violations are suspected or if the company cannot produce requested documentation promptly. The audit response itself—gathering documents, organizing records, responding to follow-up requests—typically consumes 40-200 hours of compliance staff time depending on transaction volume and record accessibility.

Companies with organized audit packages resolve inquiries faster than those reconstructing documentation from scattered sources. The Cadence investigation spanned conduct from 2015 to 2021 and was not resolved until July 2025—a timeline partly attributable to difficulties obtaining records from the company's China operations.

Sources

More to explore

View all
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

Trade Compliance FAQ: 25 Questions Every SMB Exporter Gets Wrong

OFAC's maximum civil penalty hit $377,700 per violation in January 2025. BIS bumped its ECRA penalty cap to $374,474 the same month. The questions compliance teams ask haven't changed much over the years. They've just gotten a lot more expensive to answer wrong.
Last updated:
November 27, 2025
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

Trade Compliance Glossary: Terms Every Exporter Needs

Your customs broker just emailed about an ECCN classification conflict with the freight forwarder's HTS determination. Legal wants to know if the end-user triggers EAR99 or needs a BIS license review. And someone in accounting keeps confusing OFAC with OFCCP. Again.
Last updated:
November 28, 2025
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

Best Trade Compliance Software for SMB Exporters (2026)

OFAC civil penalties blew past $254M by mid-2025. BIS piled on with over 170 Entity List additions across 6 separate rulings between January and October. And the part that keeps compliance teams awake: none of those penalties landed because someone forgot to screen a counterparty.
Last updated:
February 12, 2026
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

License Exception Eligibility: Quick Reference

BIS published 2,847 updates to the Export Administration Regulations in 2025. Seventeen directly affected license exception eligibility for at least one ECCN category. For compliance teams processing 50–200 shipments monthly, tracking which exceptions apply to which items has turned into a puzzle that resets every few weeks.
Last updated:
February 11, 2026
Lenzo — Trade Compliance Platform
TOOLS
Tariff CalculatorCompliance ServiceCanada TariffsHS CodeUS Tariffs on ChinaOFAC SearchMexico TariffsHSN Code List
Legal
Acceptable Use PolicyAI Data Usage PolicyBilling & Refund PolicyCookies PolicyData Processing AddendumPrivacy PolicyTerms of Service
Lenzo - Trade Compliance © 2026 All rights reserved
Secure read-only integrations
AES-256 encrypted data
OAuth 2.0 access