
KAS Audit on Sanctions — How to Prepare

KAS can impose fines of up to PLN 20 million for EU sanctions breaches. Find out which documents to prepare before an inspection and what to do when auditors arrive.

Sanqto Team · 20 min read

The Head of the National Revenue Administration (KAS — Krajowa Administracja Skarbowa) can impose an administrative fine of up to PLN 20,000,000 on your company for breaching obligations arising from EU sanctions — by way of administrative decision, without any court proceedings.[1] This is not a risk reserved for banks or companies trading with Russia on a large scale. A travel agency, an estate agency, a leasing company, or an insurance broker is subject to exactly the same rules. The question is not “will an inspection ever reach my industry?” but “will you be ready when it does?”

Legal status as of: 2026-05-20.


TL;DR — 5 things you need to know

  • The Head of KAS is the authority empowered to impose fines for failing to freeze funds or for making funds available to a listed entity — the fine is up to PLN 20 million.[1] The GIIF (General Inspector of Financial Information — Generalny Inspektor Informacji Finansowej) supervises obliged entities under the AML Act, while the KNF (Polish Financial Supervision Authority — Komisja Nadzoru Finansowego) supervises entities it regulates.[2]
  • Key documents you must have: a written sanctions policy, a counterparty verification register, evidence of sanctions-list checks, a company risk assessment, and a written authorisation for the person responsible for compliance.
  • Due diligence is your primary line of defence — documented screening before a transaction, even if imperfect, is a mitigating argument. The complete absence of any procedure works in the opposite direction.
  • Most common deficiencies: no written sanctions policy; verification carried out only at the start of a relationship (without repeating it when lists are updated); no evidence of verification (verbal confirmation is not enough); failure to screen intermediaries and suppliers.
  • If auditors arrive at your premises — do not obstruct access, designate a single point of contact, and do not make statements without consulting a lawyer.

Who supervises sanctions compliance in Poland

Companies outside the financial sector often assume that sanctions are a matter for financial regulators. That is a mistake with concrete consequences.

The obligation to comply with Council Regulation (EU) No 269/2014 [3] and Council Regulation (EU) No 833/2014 [4] applies to every entity operating in the European Union — EU regulations are directly applicable without the need for transposition.[5] The Polish Act of 13 April 2022 on Special Solutions for Countering Support for Aggression against Ukraine and for Protecting National Security (Journal of Laws 2022, item 835; hereinafter: the 2022 Act) assigns supervisory competences to three different authorities depending on the nature of the entity and the type of breach.[6]

The Head of the National Revenue Administration (KAS) imposes financial penalties for failure to freeze financial funds or economic resources and for making them available to listed entities. A fine of up to PLN 20 million is imposed by administrative decision under Article 6(2) of the 2022 Act.[1] KAS also conducts customs and fiscal controls in respect of trade embargoes — if you import or export goods subject to restrictions, this is the authority that will inspect your company.[6]

The General Inspector of Financial Information (GIIF) supervises obliged entities within the meaning of the Act of 1 March 2018 on Countering Money Laundering and Terrorist Financing (Journal of Laws 2018, item 723; hereinafter: the AML Act).[2] If you run an estate agency, act as an insurance broker, or operate an accounting firm — you are an obliged entity and the GIIF has the right to audit you for the application of sanctions measures in respect of your clients.[7]

The Polish Financial Supervision Authority (KNF) exercises sanctions supervision over entities it regulates — insurers, banks, and investment firms.[2] For a typical SME outside the financial sector, the KNF is not the competent authority — but if your business requires a KNF licence, a sanctions inspection may come through that channel.

It is worth noting that the Polish sanctions list is maintained by the Minister of Internal Affairs and Administration (MSWiA — Minister Spraw Wewnętrznych i Administracji) and published in the Public Information Bulletin (BIP).[8] The MSWiA does not, however, conduct compliance inspections — it issues decisions on list entries. The authority responsible for financial enforcement is the Head of KAS.

A full picture of who is responsible for what is set out in the article “What penalties apply for breaching sanctions in Poland and the EU?”.


What an inspection examines — risk areas

A sanctions inspection is not a financial audit. It is not about whether you correctly deducted VAT. The authority checks whether your company took reasonable steps to avoid entering into a transaction with an entity subject to EU sanctions or listed on the Polish MSWiA list.

Key areas that every sanctions inspection focuses on:

Counterparty and client verification. Did you check your counterparties and clients against sanctions lists before entering into a contract or executing a transaction? The authority will want to see evidence of that verification — not a verbal assurance that “we always check.” A lack of verification records is a signal that either no procedure exists, or it is not being followed.

Application of the ownership and control rule. EU sanctions cover not only entities directly listed, but also those in which a listed person or entity holds at least 50% of the shares or exercises control over them.[9] Checking only the “company name” without reviewing the ownership structure is one of the most serious deficiencies.

Currency of verification. Does your verification cover only the moment a relationship begins, or do you repeat it when lists are updated? Sanctions lists are updated regularly — an entity that was clear a year ago may be listed today. The absence of a mechanism to monitor list changes is a genuine risk.

Process documentation. Does the company have a written sanctions policy? Is there a designated responsible person with a formal written authorisation? Do employees know what to do when a verification result is MATCH or POSSIBLE?

Scope of entities subject to verification. Do you verify only end clients, or also suppliers, intermediaries, sub-contractors, and commercial partners? Full verification should cover everyone through whom funds could flow to a sanctioned entity.

If you are unsure whether your company has an obligation to carry out sanctions screening at all, start with the article “Does my company have to conduct sanctions screening?”.


Which documents you need to have ready

Documentation is the cornerstone of any defence in sanctions proceedings. This is not bureaucracy for its own sake — it is proof that your company acted in good faith and took reasonable steps to avoid a breach.

Below is the minimum set of documents every company subject to a sanctions obligation should hold:

1. Written sanctions policy. A document specifying: who you verify (clients, B2B counterparties, suppliers, intermediaries); when you verify (at every new relationship, at every list update, periodically for existing counterparties); how you verify (manually or via a system, against which lists); what you do when the result is MATCH or POSSIBLE (escalation procedure); and who is responsible for sanctions compliance. The policy should bear an adoption date and the signature of the company’s management.

2. Counterparty verification register. For each verification: date, counterparty identification details (name, tax identification number, country of incorporation), the sanctions list checked, the result (MATCH / POSSIBLE / CLEAR), the identity of the person who carried out the check, and the action taken. This is your audit trail — without it, you cannot prove that screening ever took place.

3. Evidence of sanctions-list checks. Printouts from the European Commission’s Financial Sanctions Files portal, from the MSWiA portal, or screenshots from a screening tool bearing the date and time of verification. Simply saying “we checked” without evidence is worthless to the authority.

4. Sanctions risk assessment. A document evaluating the risk profile of your business — which sectors you serve, which countries you trade with, and which categories of clients carry the greatest risk of a connection to a sanctioned entity. A risk assessment allows you to calibrate the intensity of screening to your company’s actual risk level and provides the rationale for the procedure you have adopted.

5. Written authorisation for the person responsible for compliance. A single document that names the individual responsible for sanctions compliance in the company and sets out precisely what their duties are. The absence of a designated person is interpreted by authorities as the absence of a compliance structure — even if verification is in fact being carried out.

6. Documentation of POSSIBLE and MATCH cases. If a verification returned an ambiguous result (POSSIBLE — possible match) — you must be able to show how you investigated that case and what decision you took. If the result was MATCH — what protective measures you took (transaction block, notification to the GIIF, contact with a lawyer). These cases are of particular importance to the authority.

7. Training records. Documentation showing that employees who interact with counterparties are aware of the sanctions obligation and know the internal procedure. A list of training participants, date, and scope — proof that the procedure does not exist on paper alone.

A detailed guide to the sanctions lists you must check — EU, UN, OFAC, and MSWiA — is set out in the article “What is a sanctions list and why does it affect your company?”.


Due diligence as a line of defence

“Due diligence” is a legal concept that, in the context of EU sanctions, means something specific: the company took rational and proportionate steps — commensurate with the scale of risk — to detect any connection between a counterparty and a sanctions list. The requirement is not a guarantee of outcome, but proof of process.

Why does this matter? Council Regulation (EU) No 269/2014 [3] and Council Regulation (EU) No 833/2014 [4] are directly applicable — they do not require you to know about them in order to be bound by them. However, in administrative or criminal proceedings, the circumstances in which a breach occurred affect the level of penalty. A company that built a procedure, documented its screening, and acted in good faith has a significantly stronger procedural position than a company with no documentation whatsoever.

Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures [10] identifies mitigating and aggravating circumstances for the purposes of imposing penalties. Voluntary disclosure of information to law enforcement, acting in good faith, and the absence of prior violations are all elements that may influence the final penalty.[10]

In practice, due diligence in sanctions screening means at a minimum:

  • Verification against current sanctions lists (not from a year ago, not a cursory check).
  • Review of the counterparty’s ownership structure — not just the entity’s name — because of the 50% rule, which extends sanctions to companies controlled by listed persons.[9]
  • Documenting the outcome of verification with the date and the list against which the check was made.
  • Repeating verification for existing counterparties whenever a list is updated.
  • Having a procedure for ambiguous results or matches — so that decisions are not made on an ad hoc basis by each individual member of staff.

A complete absence of any documented screening is treated by the authority as a sign of gross negligence — not a neutral or mitigating circumstance. A company with no procedure has very limited room for manoeuvre in any eventual proceedings.


Most common deficiencies identified during inspections

Based on the logic of sanctions compliance and the catalogue of obligations arising from EU regulations and the 2022 Act, several typical deficiencies can be identified that most commonly lead to proceedings being initiated or their outcome being aggravated.

No written sanctions policy. A verbal procedure, even if genuinely followed, does not exist in the eyes of the authority. If you cannot produce a document bearing an adoption date and signature, the authority treats compliance as non-existent.

Verification carried out only once — at the start of the relationship. Sanctions lists change. A counterparty that was clear when the contract was signed may appear on the list a year later — and from that point onwards, every subsequent transaction with them may constitute a breach. A procedure limited to a one-off onboarding check is insufficient.

No evidence of verification. Employees claim they “checked” — but there is no record of it: no printout, no screenshot, no register entry. For the authority, verification without documentation is verification that never happened.

Omission of the ownership structure. The company checks whether counterparty X appears on the list — but does not check whether X is controlled by an entity or person on the list. The 50% rule means that sanctions cover the entire capital structure, not only directly listed entities.[9] This deficiency appears particularly often in relation to counterparties from jurisdictions where ownership structures are less transparent.

No designated responsible person. Sanctions compliance is “everyone’s” responsibility — which in practice means no one’s. The absence of a formally designated responsible person with a written authorisation is a signal that the procedure is a fiction.

Verification limited to end clients, with suppliers and intermediaries overlooked. Funds can reach a sanctioned entity through a chain of intermediaries — and the company that initiated the transaction bears responsibility for that. Verification should cover all participants in a transaction towards whom the company has financial exposure.

No procedure for POSSIBLE and MATCH results. What does a member of staff do when a verification result is ambiguous? If the answer is “they decide themselves” or “we ask someone after the fact,” the procedure is not working. The authority will examine how the company handled difficult cases — and the absence of documentation for those decisions is an aggravating factor.


Inspection-readiness checklist

The checklist below sets out the minimum requirements for a company that wants to be prepared for a sanctions inspection. Every item you cannot tick is a gap that needs to be closed.

Documents

  1. Written sanctions policy — current (no more than 24 months old), signed by management, describing the scope of entities to be verified, frequency, lists used, and the escalation procedure.
  2. Counterparty verification register — containing date, counterparty details, sanctions list, result, and verifying person for each check, maintained from the date the procedure was implemented.
  3. Verification evidence — printouts, screenshots, or system logs confirming every verification entered in the register.
  4. Sanctions risk assessment — tailored to the company’s business profile, with identification of high-risk counterparties.
  5. Written authorisation for the person responsible for sanctions compliance.
  6. Documentation of POSSIBLE and MATCH cases — what was investigated, who decided, what was resolved.
  7. Employee training records covering sanctions compliance.

Processes

  1. New-counterparty verification procedure — confirmed to be triggered before the first transaction, not after.
  2. Mechanism for monitoring sanctions-list updates — does the company know when a list changes, and does it then re-verify active counterparties?
  3. Procedure for POSSIBLE results — who decides, on what basis, with what documentation.
  4. Procedure for MATCH results — transaction block, escalation, contact with a lawyer, possible notification to the GIIF (for AML-obliged entities).
  5. Verification scope covers the ownership structure, not just the entity name.

People and competences

  1. A designated and formally authorised person responsible for sanctions compliance.
  2. Employees who interact with counterparties are aware of the screening obligation and know the internal procedure.
  3. The company has access to a lawyer specialising in sanctions compliance — for situations where a verification result requires legal assessment.

What to do during an inspection

An inspection by the authorities in relation to sanctions is a stressful situation — particularly when the company was not prepared. A few principles will help you navigate it without making avoidable mistakes.

Do not obstruct access and do not hinder the process. The authorities have the power to request documents and explanations within their remit. Refusing to cooperate or obstructing proceedings is an aggravating circumstance in any subsequent process — it does not help.

Designate a single point of contact. Not every member of staff should speak with the auditors. Designate one person — ideally the person responsible for compliance or a member of management — and direct all questions to them. This reduces the risk of contradictory or inaccurate statements.

Do not make hasty statements. An authority’s question may sound like a routine enquiry, but the answer can carry procedural weight. If you are unsure about the answer to a specific question — say that you need to verify it and will return with a written response. Do not speculate; do not guess.

Contact a lawyer immediately. If the inspection concerns a potential breach of sanctions law — do not wait. A lawyer specialising in sanctions compliance should be informed of the inspection on the day it begins. Legal assistance at the proceedings stage is many times less costly than a defence after a decision has been issued.

Provide the documentation you have. Do not fabricate or modify documents. If a register does not exist — do not create it retrospectively. The authority will check and identify this. Present what actually exists — and confirm that you will address any gaps going forward.

Ensure every step is confirmed in writing. Every request for documents, every response, every statement — should be documented in writing. Maintain your own chronological record of events from the day the inspection begins.

If the inspection arises from an error in verification — voluntary disclosure to the authorities and prompt remedial action may be treated as a mitigating circumstance under Directive (EU) 2024/1226.[10]


FAQ — frequently asked questions

Does a KAS audit concern only companies that trade with Russia?

No. The Head of KAS is the competent authority for any company that has failed to fulfil the obligation to freeze funds or has made funds available to a listed entity — regardless of industry or the counterparty’s country.[1] The EU sanctions list covers entities from many jurisdictions, not only Russian ones. Any company operating in the EU is a potential subject of an inspection.

Is a small company (5 employees) subject to the same rules?

Yes. Council Regulation (EU) No 269/2014 [3] and Council Regulation (EU) No 833/2014 [4] contain no size or turnover threshold. They apply to every entity operating in the European Union. The scale of a penalty may depend on the circumstances of the breach — but the compliance obligation is identical for a sole trader and a corporation.

What should I do if it turns out that my counterparty is on the list?

Immediately suspend all transactions with that entity. Contact a lawyer specialising in sanctions law. If you are an obliged entity under the AML Act [2] — you may have an obligation to notify the GIIF.[7] Document all actions taken from the moment of discovery — this is a key element of any defence. Further details are set out in the article “What penalties apply for breaching sanctions?”.

How often do I need to update verification of my counterparties?

The absolute minimum is verification before every new commercial relationship. Good practice is re-verification of active counterparties at every significant update to the sanctions lists, since entries appear irregularly and without notice. The MSWiA list is updated as new ministerial decisions are issued.[8] The EU list is updated by the European Commission (DG FISMA) as circumstances require.[11]

Is a verbal sanctions procedure sufficient to defend before the authority?

No. The supervisory authority will scrutinise documentation — a written policy, a verification register, and evidence of list checks. A verbal assurance that a procedure exists has no evidential value in administrative proceedings. Sanctions compliance must be documented to exist in any legal sense.

What should I do if the verification result is POSSIBLE — a possible match, but inconclusive?

You cannot ignore a POSSIBLE result. You are required to carry out enhanced verification — comparing the counterparty’s identification details with the data on the list, reviewing the ownership structure, and consulting a lawyer if any doubt remains. Only on the basis of that investigation may you decide whether to proceed with or halt the transaction. You must document the entire procedure and its outcome. How to verify counterparties for sanctions compliance, step by step is covered in a separate article.


How Sanqto can help

Preparing for a sanctions inspection does not require an external legal department or months of implementation. Sanqto offers sanctions screening software installed on the client’s own network (on-premise model) — counterparty data never leaves your company’s infrastructure. The system checks counterparties against sanctions lists and returns a result in three states: MATCH, POSSIBLE, or CLEAR. Every verification is automatically documented with the date, result, and list identifier — which means the verification register maintains itself, and you have a ready audit trail in the event of an inspection. The implementation document package includes a ready-made sanctions policy, a position-specific instruction, a risk assessment template, and a hit register — documents tailored to Polish and EU requirements.


  • Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
  • Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833
  • Council Regulation (EU) No 765/2006 of 18 May 2006 concerning restrictive measures in respect of Belarus — CELEX 32006R0765
  • Act of 13 April 2022 on Special Solutions for Countering Support for Aggression against Ukraine and for Protecting National Security (Journal of Laws 2022, item 835) — ISAP
  • Act of 1 March 2018 on Countering Money Laundering and Terrorist Financing (Journal of Laws 2018, item 723) — ISAP
  • Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures — CELEX 32024L1226
  • Polish sanctions list maintained by MSWiA — gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami
  • EU Consolidated Sanctions List maintained by the European Commission (DG FISMA) — finance.ec.europa.eu


Information, not legal advice. This article is for informational and educational purposes only. It does not constitute legal advice. Legal status as of: 2026-05-20. The specific obligations applicable to your company depend on your business profile and require individual assessment — if in doubt, consult a lawyer or compliance adviser.



  1. Act of 13 April 2022 (Journal of Laws 2022, item 835), Article 6(2): “The financial penalty referred to in paragraph 1 is imposed by way of decision by the Head of the National Revenue Administration and amounts to up to PLN 20,000,000.” — ISAP, api.sejm.gov.pl

  2. Act of 13 April 2022 (Journal of Laws 2022, item 835), Article 143c — supervisory competences of the GIIF and KNF in respect of AML-obliged entities and KNF-supervised entities: “Inspections of compliance with restrictive measures […] are also carried out by: 1) the General Inspector of Financial Information — in respect of obliged entities […]; 2) the Polish Financial Supervision Authority — in respect of entities supervised by it.” — ISAP

  3. Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269, eur-lex.europa.eu

  4. Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833, eur-lex.europa.eu

  5. EU regulations are directly applicable in every Member State without the need for transposition into national law — EUR-Lex: “A regulation is binding in its entirety and directly applicable in all Member States.” — eur-lex.europa.eu

  6. Act of 13 April 2022 on Special Solutions for Countering Support for Aggression against Ukraine and for Protecting National Security (Journal of Laws 2022, item 835) — ISAP, api.sejm.gov.pl

  7. Act of 1 March 2018 on Countering Money Laundering and Terrorist Financing (Journal of Laws 2018, item 723) — competences of the GIIF (Article 12(1)): “The tasks of the General Inspector include taking action to counter money laundering and terrorist financing.” — ISAP

  8. Polish sanctions list maintained by the Minister of Internal Affairs and Administration (MSWiA), published at — gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami

  9. EU sanctions cover entities in which a listed person or entity holds at least 50% of the proprietary rights or exercises control over them (ownership and control rule) — DG FISMA FAQ: “An entity is considered as ‘owned’ by a sanctioned person if the latter owns more than 50% of its proprietary rights.” — finance.ec.europa.eu

  10. Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures — CELEX 32024L1226, eur-lex.europa.eu

  11. EU Consolidated Sanctions List maintained and updated by the European Commission (DG FISMA) — finance.ec.europa.eu/eu-and-world/sanctions-restrictive-measures_en