Audit Lookback
Skill name: exchek-audit-lookback | Folder: exchek-skill-audit-lookback
Runs a retrospective audit on historical shipments or transactions (CSV or CRM export). Re-screens parties against current CSL, re-checks ECCNs and license determinations against today's rules, and produces a self-audit report with findings (High/Medium/Low severity), overall risk rating, and remediation suggestions. Consumes historical data — does not classify or screen itself. Free; optional donation.
- "Self-audit my historical shipments"
- "Lookback on last year's exports"
- "Re-screen parties from this CSV"
- "Self-audit report for these transactions"
- "Flag where controls or licensing might be wrong now"
| Column | Required | Notes |
|---|---|---|
| Transaction / shipment ID | Yes | Unique identifier |
| Transaction date | Yes | Date of shipment or transaction |
| Party name (consignee, end user) | Yes | At least one party per row |
| ECCN | Yes | Or EAR99 |
| Destination country | Yes | Ultimate destination |
| End use / end user | No | Improves ECCN re-check |
| License or exception used | No | For license re-check |
| Screening result at time | No | Original screening result if available |
| Value | No | For AES and license analysis |
| Product description | No | For ECCN re-check context |
If the user's export uses different column headers, the skill asks for mapping (e.g., "Which column is the consignee?").
Step 0 — CUI / classified / § 126.18 gate
Three-question gate: CUI? classified? ITAR § 126.18 foreign-national release? Any "yes" routes to on-prem guidance. See CUI and Classified Information.
Step 0b — Privacy-settings attestation
User attests AI platform tier (Claude Enterprise / ChatGPT Enterprise / Workspace training-off / consumer training-disabled). Recorded in report.
Step 1 — Report folder, format, and mode
In file-access environments, asks where to save the self-audit report, preferred format, and the audit mode:
- Full audit — re-screen all parties, re-check all ECCNs and licenses against today's rules.
- Delta-since-date mode — pass a prior audit date; the skill only re-checks rules that have changed since then (Entity List additions, OFAC actions, AC/S IFRs, USML revisions, GL issuances). Faster for rolling quarterly/annual lookbacks.
Step 2 — Collect historical data
User provides CSV or CRM export. The skill parses and validates columns; summarizes: number of transactions, date range, unique parties.
Step 3 — Re-screening path
Extracts unique parties and asks the user to re-screen them using CSL Search or their screening tool. Merges current screening results with historical records and builds findings:
- "Party now on list" → High severity
- "New hit — needs adjudication" → High severity
- "No change" → document re-screened date
- "Re-screen recommended" (no current result provided)
Step 4 — Re-check ECCN and license
For each transaction with ECCN + destination, adds findings:
- Re-classify per current CCL recommended (controlled ECCNs)
- Re-run license determination recommended (ECCN + destination)
- Assigns severity (High / Medium / Low) per the lookback best-practices reference
Step 5 — Human-in-the-loop confirmation
User confirms scope, findings, and preliminary overall risk rating before the final report is produced.
Step 6 — Build self-audit report
Fills the Self-Audit Report template and produces both a .docx and a machine-readable .json sibling (schema v1.0.0) with the same findings and metadata for CRM/SIEM/GRC ingestion.
Sections:
- Document header
- Scope (date range, record count, party count)
- Findings table (each finding: type, description, severity, transaction IDs, remediation)
- Overall risk rating (High / Medium / Low)
- Remediation summary (prioritized action items)
- AI tool disclosure
File name: ExChek-SelfAudit-YYYY-MM-DD-ShortName.docx
| Finding type | Example | Severity |
|---|---|---|
| Screening — party now listed | Consignee now on SDN | High |
| Screening — new hit needs adjudication | Possible match on EL | High |
| ECCN — re-classify recommended | Controlled ECCN, rules changed | Medium |
| License — re-determination recommended | Destination now embargoed | High |
| License — exception may no longer apply | LVS limit changed | Medium |
| Missing data | No ECCN recorded | Low–Medium |
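
Steps 2 and 3 and the findings table above, sketched in Python as an added example (not ExChek's own code): it validates the required columns, applies a header mapping, de-duplicates parties, and merges user-supplied re-screening results into findings. The canonical header names, the finding codes, the result keywords (`listed`, `new_hit`, `clear`) and the sample rows are assumptions made for illustration; the `.json` schema v1.0.0 is not shown on this page and is not reproduced here.

```python
import csv
import io

# Hypothetical canonical headers for the page's five required columns.
REQUIRED = ["transaction_id", "transaction_date", "party_name", "eccn", "destination_country"]

# Hypothetical finding codes for the Step 3 outcomes; None = no severity given on the page.
STEP3 = {
    "listed": ("party_now_on_list", "High"),
    "new_hit": ("new_hit_needs_adjudication", "High"),
    "clear": ("no_change", None),
}

def load_rows(text, mapping):
    """Parse the export, apply the user's header mapping, validate required columns."""
    reader = csv.DictReader(io.StringIO(text))
    headers = [mapping.get(h, h) for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED if c not in headers]
    if missing:
        raise ValueError(f"missing required columns: {missing}")
    return [{mapping.get(k, k): (v or "").strip() for k, v in row.items() if k} for row in reader]

def party_key(name):
    # Case- and whitespace-insensitive key so each party is re-screened once.
    return " ".join(name.casefold().split())

def build_findings(rows, current_results):
    """Merge user-supplied current screening results with the historical rows."""
    tx_by_party = {}
    for r in rows:
        tx_by_party.setdefault(party_key(r["party_name"]), []).append(r["transaction_id"])
    findings = []
    for party, tx_ids in sorted(tx_by_party.items()):
        code, sev = STEP3.get(current_results.get(party), ("rescreen_recommended", None))
        findings.append({"type": code, "party": party, "severity": sev, "transaction_ids": tx_ids})
    no_eccn = [r["transaction_id"] for r in rows if not r["eccn"]]
    if no_eccn:  # "Missing data" row of the findings table
        findings.append({"type": "missing_data", "party": None,
                         "severity": "Low–Medium", "transaction_ids": no_eccn})
    return findings

# Constructed sample export (fictional parties) with a CRM-style "Consignee" header.
SAMPLE = """transaction_id,transaction_date,Consignee,eccn,destination_country
T-001,2023-02-10,Acme Widgets GmbH,3A001,DE
T-002,2023-05-01,ACME  Widgets GmbH,EAR99,DE
T-003,2023-07-19,Example Trading LLC,,AE
T-004,2023-09-30,Northwind Parts Ltd,5A002,SG
"""
CURRENT = {"acme widgets gmbh": "listed", "example trading llc": "clear"}  # constructed results
FINDINGS = build_findings(load_rows(SAMPLE, {"Consignee": "party_name"}), CURRENT)
```

A party with no entry in the supplied results falls through to the "Re-screen recommended" outcome rather than being treated as clear, so a missing result is never recorded as "No change".
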
- 15 CFR Part 762 — Recordkeeping (required retention of shipment records)
- 15 CFR Part 774 — Commerce Control List (current rules)
- 15 CFR Part 738 — Commerce Country Chart (current rules)
- 15 CFR Part 740 — License Exceptions (current rules)
| Step | Skill |
|---|---|
| Re-screen extracted parties | CSL Search |
| Re-check license for a specific ECCN + destination | License Determination |
| Re-classify a specific item | ECCN Classification |
- Self-audit ≠ government audit. This is an internal self-review tool. Results and remediation are recommendations; the user and their Export Compliance Officer make final decisions.
- Re-screening must be user-driven. The skill asks you to re-screen extracted parties using CSL Search or another tool and provide the results — it does not automatically screen.
- BIS voluntary self-disclosure. If the lookback uncovers potential violations, the user should consult legal counsel and consider BIS voluntary self-disclosure (15 CFR Part 764, Supplement No. 1).
- Retention. Self-audit reports should be retained per your program and 15 CFR § 762.6 as applicable.