Now that I'm home for the weekend (or most of it) I had a chance to dig out my notes.
ITAR -- International Traffic In Arms Regulations
There is a reasonable article on the topic on Wikipedia
https://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations
The regulations restrict sending things out of the United States that in theory at least could come back to us in a hostile manner. The types of things involved are referred to as RTI or Restricted Technical Items.
RTI includes hardware, information, software, technical know how, and technologies.
RTI generally does not include quality management system information.
RTI generally would include things like drawings, tooling fixtures, gauges, and the items needed to make a restricted item.
Export is defined as RTI which has been given by any means to a Foreign Person. Anyone who is not a US person is a foreign person. That would be anyone who is not a US citizen or permanent resident alien (green card holder).
Person definition includes entities or companies.
Definition of export of technical data includes physically giving information to a person (hard copy or digital), Telling someone how a part is manufactured, and showing technical data to someone. It also includes transporting that information to a foreign country, even if you don't share it with a non US person. (This should give pause to anyone traveling internationally that may have any RTI on their laptop, even if it was unknown that it was RTI).
Auditors need to be careful around RTI. They should identify themselves as a US person. If not a US person, they should avoid RTI. They need to control any RTI they may have, no matter how insignificant they may think it is. They need to be careful not to write findings in such a manner that they disclose an RTI.
I hope this is useful.