28 CFR §202.1002
Verified against eCFR.gov as of June 20, 2026
- (a) Audit required. U.S. persons that, on or after October 6, 2025, engage in any restricted transactions under § 202.401 shall conduct an audit that complies with the requirements of this section.
- (b) Who may conduct the audit. The auditor:
  - (1) Must be qualified and competent to examine, verify, and attest to the U.S. person's compliance with and the effectiveness of the security requirements, as defined in § 202.248, and all other applicable requirements, as defined in § 202.401, implemented for restricted transactions;
  - (2) Must be independent; and
  - (3) Cannot be a covered person or a country of concern.
- (c) When required. The audit must be performed once for each calendar year in which the U.S. person engages in any restricted transactions.
- (d) Timeframe. The audit must cover the preceding 12 months.
- (e) Scope. The audit must:
  - (1) Examine the U.S. person's restricted transactions;
  - (2) Examine the U.S. person's data compliance program required under § 202.1001 and its implementation;
  - (3) Examine relevant records required under § 202.1101;
  - (4) Examine the U.S. person's security requirements, as defined by § 202.248; and
  - (5) Use a reliable methodology to conduct the audit.
- (f) Report.
  - (1) The auditor must prepare and submit a written report to the U.S. person within 60 days of the completion of the audit.
  - (2) The audit report must:
    - (i) Describe the nature of any restricted transactions engaged in by the U.S. person;
    - (ii) Describe the methodology undertaken, including the relevant policies and other documents reviewed, relevant personnel interviewed, and any relevant facilities, equipment, networks, or systems examined;
    - (iii) Describe the effectiveness of the U.S. person's data compliance program and its implementation;
    - (iv) Describe any vulnerabilities or deficiencies in the implementation of the security requirements that have affected or could affect the risk of access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person;
    - (v) Describe any instances in which the security requirements failed or were otherwise not effective in mitigating the risk of access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person; and
    - (vi) Recommend any improvements or changes to policies, practices, or other aspects of the U.S. person's business to ensure compliance with the security requirements.
  - (3) U.S. persons engaged in restricted transactions must retain the audit report for a period of at least 10 years, consistent with the recordkeeping requirements in § 202.1101.