The Importance of Being Audit-Ready: Proving Your OFAC Compliance

How much do you remember about the past five years of your life?

You may be able to recollect the highlights and the low-lights, but imagine if you had to recall every decision you ever made during that time – every purchase, every social outing, every time you chose fries instead of salad. Not so simple, is it? But in the world of OFAC compliance, it’s exactly what you’re asked to do in the event of an audit. According to the Office of Foreign Assets Control (OFAC): All records required to be kept must be retained for five years. When it’s your turn, will you be able to account for every compliance decision you’ve made over that period of time?

If the question of being audit-ready frightens you, you’re in good company. Many businesses are reliant on over-stuffed filing cabinets, bulging storage boxes and variations of “I think I remember that transaction…” Retaining records over several years sounds straightforward in theory, but in practice, good record-keeping takes forethought and planning. Your data is useless unless it’s accurate and defensible when the authorities arrive in your lobby. Ask yourself a few questions:

  • “If asked for a list of all our dealings with China since 2009, how fast could I compile it?”
  • “Could I explain, in satisfactory detail, how we train our compliance staff?”
  • “Do we have all our licenses, entity ownership research, and screening records? What about our other records?”
  • “What are our official instructions for blocking and unblocking property? Is everyone in our office dealing with documentation exactly the same way?”

If your answers to these questions are giving you chills, it’s time to revisit your record-keeping system. The ability to prove due diligence is essential to any company’s compliance plan. Without it, the detailed attention you’ve put into compliance activities – everything from screening to ownership research and license determination – is all for naught. Being audit-ready shouldn’t mean a mad scramble the night before the auditors arrive; your company should always be audit-ready. And the effort required to achieve that state should be minimal.

The OFAC, FFIEC Bank Secrecy Act/Anti-Money Laundering, and FinCEN websites provide lots of information and handy self-assessment tools with which everyone on your compliance team should be familiar. You may be surprised to learn you’re responsible for more than just screening records. Among other things, an audit will also look at your overall Compliance Program including your compliance training procedures, as well as evidence of “management commitment”. You must not only be able to show a history of compliant transactions, but also clearly demonstrate that you have official, company-wide compliance procedures and policies.

Automated systems are tremendously helpful when it comes to audit recording. When your screening and classification activities are automatically recorded and you’re able to thoroughly document the relevant details, there’s no need to rummage through a stack of bankers’ boxes to figure out the who, what, when, where, why and how of your company’s transactions. And when your system provides a centralized workflow that delivers cohesive compliance throughout divisions and sub-divisions, you can be sure that none of your critical data is lost – even when key personnel leave the organization.

If you’re not confident that your company could pass a government audit tomorrow, take a step back and look at your current procedures. Adopting best practices now is far less painful than doing damage control later. And when the authorities do arrive, you’ll be able to roll out the welcome mat.