
Code · CFR · Title 28 — Judicial Administration · Part 202 · § 202.1002

§ 202.1002. Audits for restricted transactions.


(a) Audit required. U.S. persons that, on or after October 6, 2025, engage in any restricted transactions under § 202.401 shall conduct an audit that complies with the requirements of this section.

(b) Who may conduct the audit. The auditor:
    (1) Must be qualified and competent to examine, verify, and attest to the U.S. person's compliance with and the effectiveness of the security requirements, as defined in § 202.248, and all other applicable requirements, as defined in § 202.401, implemented for restricted transactions;
    (2) Must be independent; and
    (3) Cannot be a covered person or a country of concern.

(c) When required. The audit must be performed once for each calendar year in which the U.S. person engages in any restricted transactions.

(d) Timeframe. The audit must cover the preceding 12 months.

(e) Scope. The audit must:
    (1) Examine the U.S. person's restricted transactions;
    (2) Examine the U.S. person's data compliance program required under § 202.1001 and its implementation;
    (3) Examine relevant records required under § 202.1101;
    (4) Examine the U.S. person's security requirements, as defined by § 202.248; and
    (5) Use a reliable methodology to conduct the audit.

(f) Report.
    (1) The auditor must prepare and submit a written report to the U.S. person within 60 days of the completion of the audit.
    (2) The audit report must:
        (i) Describe the nature of any restricted transactions engaged in by the U.S. person;
        (ii) Describe the methodology undertaken, including the relevant policies and other documents reviewed, relevant personnel interviewed, and any relevant facilities, equipment, networks, or systems examined;
        (iii) Describe the effectiveness of the U.S. person's data compliance program and its implementation;
        (iv) Describe any vulnerabilities or deficiencies in the implementation of the security requirements that have affected or could affect the risk of access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person;
        (v) Describe any instances in which the security requirements failed or were otherwise not effective in mitigating the risk of access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person; and
        (vi) Recommend any improvements or changes to policies, practices, or other aspects of the U.S. person's business to ensure compliance with the security requirements.
    (3) U.S. persons engaged in restricted transactions must retain the audit report for a period of at least 10 years, consistent with the recordkeeping requirements in § 202.1101.