
ITAR Mock Audit: What It Covers & Why You Need One


Jared Clark

April 04, 2026

If you've ever received a letter from the Directorate of Defense Trade Controls (DDTC) requesting a compliance review, you already know the feeling — a cold, immediate recognition that your export control program is about to be scrutinized by the same agency that can impose civil penalties of up to $1,308,725 per violation and criminal penalties of up to $1,000,000 per violation and 20 years in prison. That is not a moment you want to face without preparation.

An ITAR mock audit is the single most effective proactive measure a defense contractor, manufacturer, or technology exporter can take to ensure their compliance program is actually working — not just documented on paper. After working with more than 200 clients and maintaining a 100% first-time audit pass rate over 8+ years at Certify Consulting, I've seen what separates companies that sail through DDTC scrutiny from those that don't. Almost without exception, it comes down to whether they ever tested themselves first.

This guide walks you through exactly what an ITAR mock audit covers, how it's structured, what common gaps it surfaces, and why scheduling one now — before DDTC schedules one for you — is one of the highest-ROI compliance investments you can make.


What Is an ITAR Mock Audit?

An ITAR mock audit is a structured, systematic simulation of a DDTC compliance review conducted by an independent third-party expert (or a qualified internal team) against the requirements of the International Traffic in Arms Regulations (ITAR), 22 C.F.R. Parts 120–130, the Arms Export Control Act (AECA), and any applicable license conditions or Consent Agreements.

The goal is straightforward: identify gaps, weaknesses, and violations before a government regulator does — and fix them while the stakes are low.

A mock audit is not a casual internal checklist review. It mirrors the depth, methodology, and evidentiary standards of an actual DDTC compliance audit or State Department Blue Lantern end-use check. That means document requests, employee interviews, records inspection, process walkthroughs, and a formal written findings report.

An ITAR mock audit replicates the scope and methodology of a DDTC compliance review, covering recordkeeping, technology controls, personnel screening, license management, and training — and delivers a written gap analysis before regulators have the opportunity to do so first.


Who Should Conduct an ITAR Mock Audit?

Any organization that touches ITAR-controlled defense articles, defense services, or technical data should conduct regular mock audits. This includes:

  • Prime contractors and subcontractors on U.S. Department of Defense programs
  • Commercial manufacturers of items on the U.S. Munitions List (USML)
  • Universities and research institutions with ITAR-controlled research or foreign nationals on staff
  • Technology companies licensing or transferring ITAR-controlled technical data internationally
  • Distributors and brokers of defense articles under 22 C.F.R. Part 129

The DDTC's Compliance Program Guidelines explicitly state that periodic self-assessments are a hallmark of an effective compliance program. Companies that proactively audit themselves and document corrective actions are treated far more favorably in enforcement proceedings than those caught flat-footed.

According to DDTC enforcement data, the vast majority of civil penalty cases involve companies that lacked formal compliance programs or failed to detect internal violations through self-auditing.


What Does an ITAR Mock Audit Cover?

A comprehensive ITAR mock audit is organized into several functional domains. Each maps directly to areas a DDTC auditor will examine.

1. Empowered Official (EO) Designation and Authority

The ITAR requires every registered entity to designate an Empowered Official (EO) under 22 C.F.R. § 120.67 — a U.S. person with authority to sign export license applications, ensure compliance, and halt unauthorized exports.

The mock audit examines:

  • Whether the EO designation is formally documented and current
  • Whether the EO has adequate authority, training, and access to information
  • Whether backup EOs are designated to prevent single points of failure
  • Whether the EO is actually functioning in that role vs. holding it in name only

This is one of the most frequently cited gaps I find during client mock audits. Organizations often designate an EO for DDTC registration purposes and then never update the designation when personnel change.

2. DDTC Registration Compliance (22 C.F.R. Part 122)

Every U.S. manufacturer, exporter, or broker of defense articles must be registered with DDTC. The mock audit verifies:

  • Active, current registration with no lapses
  • Accurate business activity descriptions on the registration
  • Proper notification of changes (ownership, address, key personnel) within required timeframes
  • Correct registration tier and fee category

DDTC registration under 22 C.F.R. Part 122 must be renewed annually, and any changes to ownership structure, key management personnel, or business activities must be reported to the agency — failures to do so constitute independent violations of the ITAR, separate from any underlying export transaction.

3. U.S. Munitions List (USML) Commodity Jurisdiction and Classification

One of the most technically complex areas of ITAR compliance is knowing what you control. The mock audit reviews:

  • Commodity Jurisdiction (CJ) determinations for products and technical data
  • USML classification decisions and supporting documentation
  • Alignment between internal classifications and actual product/data characteristics
  • Export Control Classification Number (ECCN) determinations for EAR-controlled items (to ensure ITAR items aren't accidentally exported under the wrong regulatory framework)

Misclassification is one of the leading causes of ITAR violations. The 2020 Export Control Reform (ECR) initiative moved many items from the USML to the Commerce Control List (CCL), and companies that haven't revisited their classifications since that transition are at significant risk.

4. Export License and Authorization Management

The mock audit conducts a deep review of how the organization manages export licenses, agreements, and license exemptions:

  • DSP-5, DSP-73, DSP-85 licenses and their conditions
  • Technical Assistance Agreements (TAAs) and Manufacturing License Agreements (MLAs) under 22 C.F.R. Part 124
  • Use of ITAR license exemptions (e.g., 22 C.F.R. § 125.4, § 126.4) and whether exemption criteria are properly evaluated and documented
  • License expiration tracking and renewal workflows
  • Screening of end-users, end-uses, and destinations against license conditions

License condition violations are a hidden landmine. Many companies obtain licenses correctly but then fail to comply with the specific conditions attached — sub-transfer restrictions, reporting requirements, and authorized end-use limitations.

5. Technology Control Plans (TCPs) and Facility Security

If your organization employs foreign nationals or engages foreign persons in any capacity, a Technology Control Plan (TCP) is essential infrastructure. The mock audit reviews:

  • Whether a TCP exists and is formally approved by the EO
  • Whether physical and logical access controls align with TCP requirements
  • Whether foreign national employees are screened for license requirements (including the "deemed export" rule under 22 C.F.R. § 120.50)
  • Network segmentation, cloud access controls, and IT security measures protecting ITAR technical data

The deemed export rule is one of the most misunderstood provisions in the ITAR. Releasing controlled technical data to a foreign national in the United States constitutes an "export" to their home country — and many organizations are entirely unaware of this requirement.

6. Recordkeeping Compliance (22 C.F.R. § 122.5)

The ITAR requires that export transaction records be retained for five years from the date of export or the expiration of a license, whichever is later. The mock audit examines:

  • Whether all required records are being captured and retained
  • Whether records are organized and retrievable within reasonable timeframes
  • Electronic recordkeeping system integrity and access controls
  • Destruction policies and whether any records have been improperly destroyed

Recordkeeping failures are among the most commonly cited violations in DDTC consent agreements — and they're entirely preventable.

7. Training Program Effectiveness

A compliance program that exists only in a policy manual is not a compliance program. The mock audit evaluates:

  • Whether all ITAR-relevant personnel have received initial and annual refresher training
  • Whether training content is current, role-specific, and substantively adequate
  • Training documentation, attendance records, and competency assessments
  • Whether training covers jurisdiction-specific topics (e.g., deemed exports for facilities with foreign nationals)

8. Screening Processes (Denied Parties, Debarred Persons, Sanctioned Entities)

Every export transaction must be screened against applicable restricted party lists, including:

  • DDTC Debarred Parties List (22 C.F.R. § 127.7)
  • OFAC Specially Designated Nationals (SDN) List
  • BIS Entity List, Denied Persons List, Unverified List
  • State Department nonproliferation controls

The mock audit reviews the screening workflow, the tools used, the frequency of screening, and whether "hits" are properly escalated and resolved.

9. Voluntary Disclosure Program Readiness (22 C.F.R. § 127.12)

If violations are discovered, how an organization responds matters enormously. The mock audit assesses:

  • Whether the organization has a documented incident response process for potential ITAR violations
  • Whether personnel know how and when to escalate potential violations internally
  • Whether leadership understands the Voluntary Disclosure process and the significant mitigation credit it provides

DDTC's Voluntary Disclosure Program under 22 C.F.R. § 127.12 provides significant penalty mitigation for companies that self-report violations promptly and in good faith — but only if the organization has the internal awareness infrastructure to detect violations in the first place.


ITAR Mock Audit Coverage: At a Glance

| Audit Domain | Key Documents Reviewed | Common Gaps Found |
|---|---|---|
| EO Designation | Designation letter, org chart, training records | Outdated designees, no backup EO |
| DDTC Registration | Registration certificate, renewal history | Lapsed registration, unreported ownership changes |
| USML Classification | CJ determinations, classification memos | Pre-ECR classifications never revisited |
| License Management | Licenses, TAAs, MLAs, exemption logs | License condition violations, expired licenses in use |
| Technology Control Plan | TCP document, access logs, IT policy | No TCP, TCP not followed in practice |
| Recordkeeping | Transaction files, shipping records | Incomplete records, records younger than 5 years destroyed early |
| Training | Training logs, curriculum materials | No documentation, outdated content |
| Restricted Party Screening | Screening logs, tool configurations | Manual-only screening, no documented hit resolution |
| Incident Response | VD procedures, escalation protocols | No formal process, personnel unaware of VD option |

How a Mock Audit Is Conducted: The Process

A professionally executed ITAR mock audit follows a structured methodology:

Phase 1: Pre-Audit Planning (1–2 Weeks)

  • Define scope (full program vs. targeted functional areas)
  • Issue a document request list mirroring what DDTC would request
  • Schedule employee interviews across relevant functions (compliance, legal, operations, IT, HR)
  • Conduct facility walkthrough planning

Phase 2: Fieldwork (2–5 Days On-Site or Virtual)

  • Document review against ITAR requirements
  • Personnel interviews to test awareness and actual practice vs. policy
  • Transactional testing — selecting a sample of export transactions and tracing them end-to-end
  • Physical inspection of controlled article storage and access controls

Phase 3: Analysis and Findings Development (1–2 Weeks)

  • Classify findings by severity: Critical (potential violation), Major (significant control weakness), Minor (process improvement opportunity)
  • Map each finding to the specific ITAR regulatory citation
  • Develop root cause analysis for systemic gaps

Phase 4: Written Report and Remediation Roadmap

  • Formal written findings report with regulatory citations
  • Prioritized corrective action plan with ownership and timelines
  • Executive briefing for leadership

What Happens When DDTC Actually Shows Up

DDTC's Office of Defense Trade Controls Compliance (DTCC) conducts compliance reviews through several mechanisms:

  1. Blue Lantern End-Use Monitoring — post-shipment verification checks
  2. Directed Audits — triggered by specific concerns, tips, or anomalies in license applications
  3. Consent Agreement Compliance Reviews — mandatory for companies under existing consent agreements
  4. Proactive Compliance Reviews — DDTC's initiative to review registrants' programs proactively

When DDTC arrives, they will request documents, interview personnel, and examine transaction records. If they find violations, the process can result in warning letters, civil penalty orders, debarment, or referral to DOJ for criminal prosecution.

The average DDTC civil penalty settlement in recent consent agreements has exceeded $10 million for mid-sized defense contractors — and that figure doesn't include the legal fees, remediation costs, reputational damage, and business disruption that accompany an enforcement action.

Companies that have conducted recent mock audits and implemented corrective actions are in a fundamentally different position: they can demonstrate a culture of compliance, show documented self-correction, and approach the review with confidence rather than crisis management.


How Often Should You Conduct an ITAR Mock Audit?

| Company Profile | Recommended Frequency |
|---|---|
| Small registrant, limited ITAR activity | Every 2 years |
| Active exporter, multiple licenses/TAAs | Annually |
| Company under existing consent agreement | As required (typically annually) |
| Post-merger/acquisition integration | Within 90 days of deal close |
| Following significant personnel changes (EO, legal, compliance) | Within 60 days |
| After any known or suspected violation | Immediately, pre-VD submission |

Why a Third-Party Mock Audit Outperforms Internal Self-Assessment

Internal self-assessments have value, but they have structural limitations that a third-party mock audit overcomes:

  • Independence: Internal teams are too close to the processes they're assessing. A third-party auditor brings fresh eyes and no organizational loyalty to "protect the program."
  • Regulatory depth: ITAR is exceptionally complex. Few internal compliance teams have the breadth of experience to accurately assess all nine domains simultaneously.
  • Evidentiary credibility: If violations are found and a Voluntary Disclosure is submitted, DDTC gives more weight to disclosures supported by independent third-party findings.
  • Objectivity in interviews: Personnel speak more candidly to external auditors about actual practices — which is where the real compliance picture emerges.

At Certify Consulting, our mock audit engagements have helped clients identify critical gaps — including unreported deemed export violations, lapsed registrations being used to support active license applications, and Technology Control Plans that existed on paper but had never been implemented — before any of those issues reached a regulator.

If you're unsure whether your ITAR compliance program would hold up under scrutiny, explore our ITAR compliance consulting services or contact us for a program assessment.


The Cost of Waiting

Let me be direct: the question is never whether DDTC will scrutinize your program. For active registrants, it's a matter of when. The only variable you control is whether you've prepared.

A mock audit investment — typically a fraction of the cost of a single enforcement response — delivers:

  • A clear, documented picture of your compliance posture
  • Specific, actionable corrective actions before a regulator requires them
  • Evidence of a good-faith compliance culture (which is the single biggest factor in DDTC enforcement discretion)
  • Leadership confidence that the program is functioning as designed
  • A foundation for the voluntary disclosure mitigation credit if a past violation is discovered

The ITAR does not reward good intentions. It rewards documented, verifiable compliance. A mock audit is how you prove — to yourself, your leadership, and DDTC — that your program is real.


Last updated: 2026-04-04

Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is the Principal Consultant at Certify Consulting. He has served 200+ clients across the defense, aerospace, and technology sectors with a 100% first-time audit pass rate. Learn more at certify.consulting.


Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.