- (a) Audit required. U.S. persons that, on or after October 6, 2025, engage in any restricted transactions under § 202.401 shall conduct an audit that complies with the requirements of this section.
(b) Who may conduct the audit. The auditor:
- (1) Must be qualified and competent to examine, verify, and attest to the U.S. person's compliance with and the effectiveness of the security requirements, as defined in § 202.248, and all other applicable requirements, as defined in § 202.401, implemented for restricted transactions;
- (2) Must be independent; and
- (3) Cannot be a covered person or a country of concern.
- (c) When required. The audit must be performed once for each calendar year in which the U.S. person engages in any restricted transactions.
- (d) Timeframe. The audit must cover the preceding 12 months.
(e) Scope. The audit must:
- (1) Examine the U.S. person's restricted transactions;
- (2) Examine the U.S. person's data compliance program required under § 202.1001 and its implementation;
- (3) Examine relevant records required under § 202.1101;
- (4) Examine the U.S. person's security requirements, as defined by § 202.248; and
- (5) Use a reliable methodology to conduct the audit.
(f) Report.
- (1) The auditor must prepare and submit a written report to the U.S. person within 60 days of the completion of the audit.
(2) The audit report must:
- (i) Describe the nature of any restricted transactions engaged in by the U.S. person;
- (ii) Describe the methodology undertaken, including the relevant policies and other documents reviewed, relevant personnel interviewed, and any relevant facilities, equipment, networks, or systems examined;
- (iii) Describe the effectiveness of the U.S. person's data compliance program and its implementation;
- (iv) Describe any vulnerabilities or deficiencies in the implementation of the security requirements that have affected or could affect the risk of access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person;
- (v) Describe any instances in which the security requirements failed or were otherwise not effective in mitigating the risk of access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person; and
- (vi) Recommend any improvements or changes to policies, practices, or other aspects of the U.S. person's business to ensure compliance with the security requirements.
- (3) U.S. persons engaged in restricted transactions must retain the audit report for a period of at least 10 years, consistent with the recordkeeping requirements in § 202.1101.