Regulatory statutory and itar ear requirements what an auditor needs to know
1 / 77

- PowerPoint PPT Presentation

  • Updated On :

Regulatory, Statutory and ITAR/EAR Requirements What an Auditor Needs to Know. Atlanta, GA July 22-23 , 2010 Dr. Ingrid D. Knox Adjunct Professor Embry Riddle Aeronautical University and Aerospace Engineer with FAA. Auditor Workshop Atlanta, GA July 22-23, 2010. Objective.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about '' - Thomas

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Regulatory statutory and itar ear requirements what an auditor needs to know l.jpg

Regulatory, Statutory and ITAR/EAR RequirementsWhat an Auditor Needs to Know

Atlanta, GA

July 22-23, 2010

Dr. Ingrid D. Knox

Adjunct Professor Embry Riddle Aeronautical University and Aerospace Engineer with FAA

Auditor Workshop

Atlanta, GA

July 22-23, 2010

Objective l.jpg

How to determine what will be applicable when auditing/audit planning for an organization

What are Statutory Regulations

Export Control/EAR/ITAR introduction

FAA Regulations

Rules of Thumb for auditors

Regulations l.jpg

Definition of Statutory Regulations:

Relating to a statute, which is a formal written enactment of a legislative authority that governs a state, city, or country. Typically, statutes command or prohibit something, or declare policy. The word is often used to distinguish law made by legislative bodies from case law and the regulations issued by government agencies.

Before a statute becomes law in some countries, it must be agreed upon by the highest executive in the government, and finally published as part of a code. In many countries, statutes are organized in topical arrangements (or “codified”) within publications called codes, such as the United States Code.

Regulations4 l.jpg

Statutory Regulations Example:

The Sarbanes Oxley Act, commonly called SOX, sets forth records management and retention policies for all public companies. SOX was enacted in 2002 in response to corporate scandals involving large, public corporations and their accounting firms.

The vast majority of organizations use email to communicate internally and as a vehicle for the exchange of documents and correspondence between businesses and their outside consultants, accounting and auditing firms. Since these communications often contain information about business transactions and decisions, these email communications must be retained for an organization to comply with the provisions of SOX. There are other sections of SOX that provide requirements as well.

Regulations5 l.jpg

Statutory Regulations Example:

The Federal Water Pollution Control Act, popularly known as the Clean Water Act (CWA), is a comprehensive statute aimed at restoring and maintaining the chemical, physical, and biological integrity of the Waters of the United States

Water quality standards A system of minimum national effluent standards for each industry A permit program for the discharge of pollutants into navigable waters, provides enforcement mechanisms A revolving construction loan program (Clean Water State Revolving Fund (CWSRF) , formerly a grant program) for publicly-owned treatment works (POTWs) and funding to states and tribes for their water quality programs Provisions to address waterway and/or regions specific water quality

Regulations6 l.jpg

Other Examples of Statutory Regulations and Agencies:

Department of Labor - Occupational Safety and Health Administration (OSHA)

Department of Transportation – Hazardous Waste

Resource Conservation and Recovery Act

National Fire Protection Act

Regulations7 l.jpg

Exports are controlled by the United States with the following primary regulations:

The Office of Foreign Assets Control (OFAC)

Export Administration Regulations (EAR)

International Traffic In Arms Regulations (ITAR)

Regulations8 l.jpg

Why are regulations (ITAR, EAR, OFAC) needed in the U.S? Because companies and countries have a right to:

Protect Information

Protect Product

Best Interest

How is this done? Export control regulations and proprietary information.

Regulations9 l.jpg

What are the major focuses of the regulations and what do these regulations accomplish?

Control over listed products, technical data, and technology - U.S.

Technical Knowledge – protects – U.S.

Stops and prevents products, technical data and technology from going in the wrong hands of countries/individuals deemed to be harmful to the U.S.

Export l.jpg

Definition of Exports include:

Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person whether in the U.S. or abroad or

Performing a defense service on behalf of, or the benefit of, a foreign person, whether in the U.S., or aboard.

The transfer of anything to a Foreign Person by any means anywhere, anytime, or the knowledge that what you are transferring to a U.S. Person, will be further transferred to a Foreign Person.

Export11 l.jpg

Export (Cont’d)

Or transferring in the United States any defense articles to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or disclosing (including oral or visual disclosure) or transferring technical data to a foreign person whether in the U.S. or aboard; or performing a defense service on behalf of, or for the benefit of foreign person, whether in the U.S. or abroad

Technical data l.jpg
Technical Data

Technical data is an Exportable Commodity

Within ITAR regulations technical data is included as an export. Examples include:

  • Testing

  • Maintenance or Modification of defense articles

  • Blue prints

  • Drawings

  • Process Specification

  • Photographs

  • Plan, instructions, and documentation

  • Design

  • Development

  • Production

  • Manufacture

  • Assembly

  • Operation

  • Repair

Slide13 l.jpg

Data can be transmitted in numerous ways


Internet downloads,



staff meetings,

Verbally to Non-U.S. Employees,


Copies to Foreign Persons, emails

letters, documents,

or snail mails,


industry meetings,


visitors, potential customers,

data on computers,

networks, and hard drives

FAX, phone conversations,

Slide14 l.jpg

ITAR Definitions

Defense Article – any item on the USML, including technical data.

Slide15 l.jpg

ITAR Terms

Technical Data – Information which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles; classified information related to defense article; information covered by an invention secrecy order; software directly related to defense articles.

Itar definitions l.jpg
ITAR Definitions

ITAR - U.S. Persons

U.S. Person – a natural person who is a lawful permanent resident as defined in 8 U.S.C. 1101 (a) (20) or who is a protected individual as defined by 8 U.S.C 1324b(a) (3).

It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the U.S. It also includes any governmental (federal, state or local), entity.

Slide17 l.jpg

ITAR Terms

Foreign Person – Opposite of U.S. Person

Export –sending or taking a defense article out of the U.S. in any manner, except by mere travel outside of the U.S. by a person whose personal knowledge includes technical data; or transferring registration, control of ownership to a foreign person of any aircraft, vessel, or satellite covered by the USML, whether in the U.S. or abroad; or disclosing (including oral or visual disclosure)

Proscribed l.jpg

Proscribed Countries -22 CFR 126.1

If a country appears on this list, it is (generally U.S policy to deny licenses, or other approvals, associated with exports and imports of defense articles and defense services, destined for or originating in that country.

ITAR License Exemptions are trumped if a foreign person from any of these counties is involved; i.e., a license must be applied for.

Slide19 l.jpg

ITAR Proscribe Countries List (22 CFR 126.1

Afghanistan, Angola

Armenia, Azerbaijan

Belarus, Burma

China (PRC), Nigeria

North Korea, Pakistan

Rwanda, Somalia, Zaire

Cyprus, Haiti

India, Iran

Iraq, Liberia

Libya, Sudan

Syria, Tajikistan

Vietnam, Yeman

Federal Republic of Yugoslavia, Serbia, Montenego

Slide20 l.jpg

Export Administration Regulations (EAR)

Administration by the Department of Commerce (Bureau of Export Administration)

The Commerce Control List (CCL)

Complete listing of items controlled by the EAR

Slide21 l.jpg

EAR Terms

Export – an actual shipment or transmission of items subject to the EAR out of the United States; or release of technology or software subject to the EAR to a foreign national in the U.S.

Slide22 l.jpg

Controlled Technology – specific information required for the development, production, or use of a product which is itself controlled. The information takes the form of technical data or technical assistance.

Slide23 l.jpg

Technical Data: may take forms such as blue prints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such a disk, tape, or read-only memories.

Technical Assistance – may involve transfer of technical data.

Slide24 l.jpg


Re export – shipment from one foreign country to another foreign country

Publicly Available information –information that is generally accessible to the interested public in any form and; therefore, not subject to the EAR.

Slide25 l.jpg


Publicly Available Technology and Software – that technology and software that are already published or will be published; arise during, or result from fundamental research; are educational; or are included in certain patent applications (see 15 CFR 734).

Slide26 l.jpg

EAR License Exceptions

TMP (use for certain temporary exports up to one year)

GOV (U.S. government official use and use by government agencies of cooperating countries in their national territory)

BAG (your right to take your personal belonging out of the country on a trip).

CAUTION – Use exceptions with care and read all conditions/provisions.

Slide27 l.jpg

Military application is a key concept:

Defense services and articles are regulated by ITAR

What is a defense article:

An item is/was specifically design, modified, or developed for a military application and is listed on the United States Munitions List (USML).

If the above statement is the case, then item is controlled by the International Traffic in Arms Regulations (ITAR).

Slide28 l.jpg

If it was not specifically developed, designed, or modified for a military application and/or is not listed on the United States Munitions List (USML),

then it is a commercial (or dual use) item and it is controlled by the Export Administration Regulations (EAR).

Slide29 l.jpg

ITAR – Agency

Directorate of Defense Trade Controls (DDTC), U.S. Department of State.

International Traffic in Arms Regulations

Code of Federal Regulations Parts 120-130


Export Administration Regulations

Full text of the Federal Law available at (

Auditor l.jpg

How does ITAR and EAR impact auditors?

Job Audits and the auditor’s ability to review blueprints, specifications, or other documentation may be impacted by this law.

The auditors must be aware of the requirements of these laws should the auditor audit any ITAR/EAR hardware.

Auditors l.jpg

Rule of Thumb 1:

Certification bodies developed a plan as to how they are going to ensure that restricted items in their possession are only available person that have a need to know such as:

U.S. Persons;

Licensed Organization or Individuals; and

People, companies, and countries that have a legal access.

Plan should be shared with auditors if it has an effect on auditing.

Auditors32 l.jpg

Rule of Thumb 2:

Companies should be aware of their export control status of both their categories/items and the status of the individuals and companies in terms of whom they are sharing the data.

This information can be shared with the auditors.

Auditors33 l.jpg

Rule of Thumb 3:

Certification body first determines whether they are going to collect and keep any restricted data – that comes to body by the auditor or company as part of the audit.

Auditor should be informed of how to process the data by the certification body if a set plan is in place.

Auditors34 l.jpg

Rule of Thumb 4: Why should be auditor care?

(1) Certification body action could threaten U.S. National Security.

(2) Violation could stop the certification body from working with restricted data.

(3) Penalties or fines can hurt the business and business brand name could be damaged in public eye sight. Penalties are public record.

(4) Auditors, companies, and customers might lose confidence in the certification body.

(5) Incarceration, penalties, fines, and debarment can hurt business.

Auditors35 l.jpg

Rule of Thumb 5:

Prior to and at the beginning the audit, the lead auditor may speak to the Supplier to ensure that the Supplier shall identify specifications, processes, and drawings (referred to as “auditable material” which are restricted under the ITAR and EAR).

The Supplier shall contact the owner of any information for clarification when unsure about whether information is export controlled under ITAR or EAR.

Auditors36 l.jpg

Rule of Thumb 6:

The auditor role is not to remind the Supplier of ITAR and EAR obligation. The company should be aware of obligations it is not the auditor role to make the company aware.

The Auditor shall not be held liable for any unauthorized transfer of restricted data, unless such auditor knew or should have known of the restricted nature of the data.

Auditors37 l.jpg

Rule of Thumb 7:

The Auditor receives direction from certification body on how to deal with ITAR and EAR. Some bodies will restrict access to the auditor and of course how the information is recorded is restricted.

Additional information can be discussed during the opening meeting in-brief if needed.

Auditors38 l.jpg

Rule of Thumb 8:

Auditors check with the certification body on restriction on posting ITAR/EAR. Typically material should not removed from the supplier facility by the auditor.

Contact the certification body or staff for direction if objective evidence is necessary to support the audit.

Slide39 l.jpg

Rule of Thumb 9:

Some Certification bodies may be vigilant to comply with this U.S. law and avoid review of any ITAR/EAR material.

As an auditor you should check with your certification body on the requirements.


Auditors40 l.jpg

Rule of Thumb 10:

Auditors should be aware of restricted technical data and how it is to be handled while auditing.

Typically technical data is password protected from foreign persons such as hardcopy data, copies, are secured to prevent access by Foreign Persons.

Company should identify any restricted technical data.

Means of knowing the US person status of all employees, consultants, or anyone who can obtain access to restricted technical data in the system should be readily viable.

Auditors41 l.jpg

Rule of Thumb 11:

Certification bodies should have a system to purge restricted technical data once discovered in the system.

Restricted data much be identify/described clearly.

Some certification bodies communicate to the customer that no restricted data can be collected as part of the audit.

Certification bodies sometimes train auditors not to document restricted technical data as part of the audit.

Auditors42 l.jpg

Rule of Thumb 12:

Two basic techniques:

The Certification body will prohibit restricted data from entering into the system.

The Certification body will control access within the system.

Auditors43 l.jpg

Rule of Thumb 13:

What should you as an auditor tell customers?


Auditors should follow the rules, policies, and procedures at the company in place they are auditing such as (camera, safety, union, labor, emergency, etc.).

Auditors44 l.jpg

Rule of Thumb 14:

Auditor may need proof of citizenship if the parent certification body can’t vouch or didn’t provide proof of citizenship just in case to safe guard stopping an audit.

Auditors45 l.jpg

Rule of Thumb 15:

Auditors can address the subject of export control in opening meeting in-brief.

Their status (as a US Person or as a Foreign Person) and what that means to the audit.

Expectation that customer will control access to restricted data accordingly.

Certification body procedures if there is a problem.

Certification body policy on data retention or purging if applicable.

Auditors46 l.jpg

Foreign Persons employed by the certification body may be restricted from access of technical data.

This approach is used whenever the certification body accepts responsibility and retains restricted technical data in their system during audit reporting or record keeping.

Auditable material l.jpg
Auditable Material

If auditable material is under the ITAR and EAR, the supplier may either:

Limit the audit to auditable material not restricted under ITAR and EAR.

Work with certification body staff to provide and discuss appropriate auditable material, so that the staff can provide appropriate direction to restricted auditors or; and

request an unrestricted auditor.

Material l.jpg

ITAR/EAR Material - How to Recognize?

Identification could be on

Purchase Order

Specification – Typically first sheet and may be embedded in the text

Face of drawing

May be identified as ITAR/EAR Control or Export Control

Material50 l.jpg

Point of Clarification

Suppliers located outside of the U.S. may be licensed under the legislation and may be processing ITAR/EAR material.

Penalties l.jpg

Penalties: Companies or individuals



Criminal and civil



Civil penalties

Up to $500,00 per violation

Criminal fines

Up to $1,000,00 and/or

10 years imprisonment


Civil penalties

Greater of $250,000 or five times the value of the transactions.

Criminal fines or violations

Up to $1,000,00 and/or

20 years imprisonment

Auditors52 l.jpg

What do you expect to see for a company with ITAR and EAR restriction?

Company may check your status – much see proof of employment

Acceptable documentation:

U.S. Passport

U.S. Certificate of birth

U.S. Naturalization papers

Resident Alien Papers Permanent (Green Card)

Secure Documentation by company with certification body before arrival – Condition of contract

Auditors53 l.jpg

Company will determine if the auditor has access to any restricted data.

Auditor should be alerted in advance to prove U.S. citizenship or personhood.

Written verification from the certification body might be acceptable.

Restricted data should be properly marked.

Restricted data should be secured.

Auditors54 l.jpg

Company will find out the status of anyone who will have access to the data.

Company should inform the auditor of the policy.

The company may have a sign-in sheet which identifies whether the auditor is a U.S. citizen.

The company may require an escort.

Camera policy prohibiting cameras or cameras telephone except under approved conditions may be mandated not to be carried into the company.

Evaluation of the reason for the visit by security and security presentation may be presented to the auditor.

Auditors55 l.jpg

Auditors’ Keys to Performance

Key 1

The Auditors needs to know how to write up process findings without revealing technical data restricted by ITAR/EAR data in the write-up.

Slide56 l.jpg

Key 2

Auditors need to understand not to give any kind of advice on defense service or technical advice.

Key 3

Auditors need to understand how to review accept or reject corrective actions on findings.

Slide57 l.jpg

Key 4

Auditors need to understand what is expected of them by the certification body.

Key 5

Auditors need to understand the fundamentals of export control and the company’s policies and certification body requirements.

Auditors58 l.jpg

Regulations - How to Audit?

Short Snap Shot of Other Government Regulations

Regulations59 l.jpg

Auditors should be aware that there are regulations that the auditee are held to such as:

FAA FAR 21 The holder of a Parts manufacturer Approval shall notify the FAA in writing within 10 days Subpart K from the date the manufacturing facility at which the parts are manufactured is relocated or expanded to include additional facilities at other locations.

Questions auditors could ask: What delegation do you have such as PMA? When were the last time you were audited by government such as FAA or DOD what were the findings, do you still have the delegation of such TSO or PMA or you suspended, do you have any letter of enforcement issued and have you corrected the all the findings? Did the government audit effect the certification body audit? I noticed you relocated your facility have you given FAA notice if so I would like to see the notice?                    

Regulations60 l.jpg

FAA FAR 145.107 Satellite repair stations: 1) may not hold a rating not held by the certificated repair station with managerial control; 2) must meet the requirements for each rating it holds; 3) must submit a repair station manual acceptable to the FAA; 4) must submit a quality control manual acceptable to the FAA.; Inspection must be designated for each satellite repair station any determination of airworthiness or return to service is made.   

Auditors’ question “Show me how you have met FAR 145.107?” Go down the list and auditee should be able to provide proof on the regulatory requirements.           |

Regulations61 l.jpg

Regulations Examples:

145.163: Training requirements: Employee training program (initial and recurrent) approved by the FAA.                                                                         

145.211: A certificated repair station must notify its certificate holding district office of revisions to its quality manual.

145.214: The FAA approves the maintenance function to be contracted to the outside source...

145.221: Reports of failures, malfunctions, or defects: A certificated repair station must  report to the FAA within 98 hours after it discovers any serious malfunction or defect of an article....                                                                                  |

Auditor question: show me how you meet the regulatory requirement? Auditee should be able to show how the regulatory requirements were met.

Exercise l.jpg

XYZ Company Planning on a Restricted Part)

Read the Write-Up (2 minutes)

Rewrite the Example individually without the restricted information (3 minutes)

Compare Write-up as a Group and rewrite (one write together) (12 minutes, 1 recorder, 1 group leader)

Record your write up on sheet of paper and post (as a Group; 3 minutes)

Rate each others writings and pick the best write-up (5 minutes) Rate 1-5 Highest rating 5 each group.

Winner Selected

Restricted write up l.jpg
Restricted Write-Up

XYZ Manufacture

XYZ technical engineering manufacturing plan operation 450 on 9-15 spool (IZ876P5J) was incorrect. The engineering planning sheet called that heat treat operation sheet called for Department of Navy hardness result of HRC 50-55; the specification MIL345 018-08z called for HRC 60-70.

Does this write up reveal technical data if so rewrite the write-up.

Slide65 l.jpg
ITAR your information only

Important ITAR Definition: Public Domain

Public Domain – Information which is published and which is generally accessible or available to the public:

through sales at news stands and bookstores;

through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;

through second class mailing privileges granted by the U.S. government;

Slide66 l.jpg
ITAR your information only

ITAR Definitions (Cont’d).

Public Domain

at Libraries open to the public or from which the public can obtain documents;

through patents available at any patent office;

through unlimited distribution at a conference meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;

Slide67 l.jpg
ITAR your information only

ITAR Definitions (Cont’d)

through public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency.

Through fundamental research in science and engineering at accredited institutions of higher learning in the U.S. where the resulting information is ordinarily published and shared broadly in the scientific community.

Slide68 l.jpg
ITAR your information only

ITAR Definitions (Cont’d)

Technical data does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain.

It also does not include basic marketing information on function or purpose or general system descriptions of defense articles.

Slide69 l.jpg
ITAR your information only


Public Domain (Cont’d)

University research will not be considered fundamental research if:

the University or its researchers accept other restrictions on publication of scientific and technical information resulting from the project or activity, or

the research is funded by the U.S. government and specific access and dissemination control protecting information resulting form the research are applicable.

Regulations70 l.jpg
Regulations your information only

U.S. Export control reasons:

Non Proliferation

National Security

Foreign Policy

Short Supply


Crime Control

High Performance Computer

Regional Stability

UN Sanctions

Export control stakeholders l.jpg
Export Control Stakeholders your information only



Bureau of Export Affairs


Defense Threat Reduction

Joint Chiefs of Staff (JCS)





Arms Control & Disarmament Agency



Office of Foreign Assets Control

White House

Office of Science & Technology Policy

National Security Council

U.S. Trade Representative


Federal Bureau of Investigation

Defense service l.jpg
DEFENSE SERVICE your information only

What is a defense service:

Defense service is furnishing assistance to Foreign Persons which includes training in the:

Development, design, engineering, manufacture,

Production, assembly, test, repair,

Maintenance, modification, operation,

Demilitarization, destruction, processing, or

Use of defense articles.

Defense services l.jpg
Defense Services your information only

ITAR Section 120.9

ITAR Section 120.9 states in part that defense services are performing a defense service on behalf of, or for the benefit of, a Foreign Person in the U.S. or abroad.

Slide74 l.jpg
ITAR your information only

Part 121 of the ITAR: The United States Munitions List

22 CFR 120-130

21 categories of “Defense Articles/Services

If an item is listed, it is subject to the ITAR

Category I


Category II

Artillery Projectors

Category III


Slide75 l.jpg
USML your information only

Category XII

Fire Control, Range Finder, Optical and Guidance and Control Equipment

Category XIII

Auxiliary Military Equipment

Category XIV

Toxicological Agents and Equipment and Radiological Equipment

Category XV

Spacecraft Systems and Associated Equipment

Category XVI

Nuclear Weapons Design and Related Equipment

Category XVII

Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated

Category XVII and XIX


Category XX

Submersible Vessels, Oceanographic and Associated Equipment

Category XXI

Miscellaneous Articles

Slide76 l.jpg
USML your information only

Category IV

Launch Vehicles, etc.

Category V

Explosives, Propellants, Incendiary Agents, and their constituents

Category VI

Vessels of War and Special Naval Equipment

Category VII

Tanks and military Vehicles

Category VIII

Aircraft and Associated Equipment

Category IX

Military Training Equipment

Category X

Protective Personnel Equipment

Category XI

Military Electronics

Slide77 l.jpg

Disclaimer your information only

This brief contained information here in that is intended to be a general service to auditors and cannot be substitute for a thorough and careful review and evaluation of readings of the governmental laws, regulations and rulings.

No responsibility is assumed by the presenter for the accuracy or timeliness of any of the material or information provided herein applicable to any particular case or circumstance.

These materials do not representative the Federal Aviation Administration (FAA) views or any government agency. These materials are intended to provide concise, convenient, and helpful concepts and information about regulations. The presenter does not representative FAA or is speaking on behave of FAA or paid for this public service.

The material does not, and are not intended to, constitute legal or other advice or an official reading of the reference regulations by the government.

This brief cannot be used as a substitute for the government rules, process, or procedures or thorough reading of the actual statues, regulations, and other documents that apply to the complex area of ITAR and regulatory requirements. These include, but are not limed to International Traffic in Arms Regulations (ITAR) and other laws and regulations. Government source are controlling in the event of any inconsistency with the material or information provided herein. Information does not represent the view of ERA University or FAA. Some parts of this overview was originally presented at the NASA Export Control Program website at and has been modified for purposes of relations to this brief. All items on the U.S. Munitions List are covered by this law. The presenter is not providing this information as an expert for any government agency but is only providing information she researched on the subject material. Most of the information provided was provided from a public domain. This material is intended only as an overview tools and does not provide all substantive information that may be needed to make a responsible decision. Auditors should contact their certification body for assistance.