Compliance Fundamentals
A practitioner guide to building evidence-driven compliance programs that satisfy regulators, auditors, and customers across finance, privacy, operational resilience, and reporting regimes.
Anchored on COSO and ISO control principles, mapped to Sarbanes-Oxley, DORA, GDPR, HIPAA, and national e-invoicing mandates across the EU, LatAm, and APAC.
Program architecture
Design compliance as a continuous service with ownership, policies, and controls connected to risk appetite and business change.
Controls
- Run a risk and control matrix mapped to COSO components and material processes (order-to-cash, hire-to-retire, record-to-report).
- Define policy ownership with annual reviews, tracked approvals, and exception logs tied to risk acceptance.
- Maintain control narratives that link procedures to evidence locations and system-of-record fields.
- Implement change impact assessments for ERP or cloud changes so access, segregation of duties (SoD), and logging stay intact.
Metrics
- Control effectiveness: pass rate and severity of operating effectiveness tests; remediation cycle time.
- Policy freshness: percentage of policies reviewed within the last 12 months and number of open exceptions.
- SoD coverage: high-risk conflicts mitigated or prevented in IAM and ERP roles.
- Change traceability: proportion of major releases with completed control impact assessments and updated narratives.
Regulatory hooks
Sarbanes-Oxley (SOX) Sections 302/404 expect management assessments and auditor testing. DORA Article 6 requires ICT risk frameworks and governance. GDPR Articles 24–25 mandate demonstrable accountability and privacy by design.
Control lifecycle and evidence flow visuals
Use these visuals to brief leadership and auditors on how controls are scoped, operated, evidenced, and reported across COSO, ISO 27001, SOX, DORA, and GDPR obligations.
Financial and operational controls
Integrate control activities across finance, operations, and technology so evidence is reusable for multiple regulators.
Controls
- Access and change controls over financial systems with privileged access reviews, ticketed changes, and log retention aligned to SOX and SOC 1.
- E-invoicing readiness with real-time clearance support (Italy SDI, France PPF, Mexico CFDI) and validated tax codes for VAT/GST regimes.
- Operational resilience runbooks and impact tolerances aligned to DORA and UK Operational Resilience rules, with mapping to critical services and third parties.
- Privacy and security safeguards including DPIAs, data minimization, encryption, and breach notification playbooks consistent with GDPR and HIPAA.
Metrics
- Access recertification completion and overdue rate for key applications and infrastructure.
- Invoice compliance rate: percentage of invoices accepted by clearance platforms on first submission; exception rework time.
- Impact tolerance adherence: incidents exceeding tolerances, duration, and root-cause distribution.
- DPIA coverage: proportion of high-risk processing activities with completed assessments and residual risk ratings.
Regulatory hooks
E-invoicing aligns with EU VAT in the Digital Age proposals, Brazil Nota Fiscal, Mexico CFDI 4.0, and India GST e-invoicing. Resilience controls respond to DORA (EU 2022/2554) and UK FCA/PRA policy statements PS21/3 and SS1/21.
Third-party and sanctions oversight
Vendor risk, sanctions, and anti-bribery programs need structured onboarding, monitoring, and evidence.
Controls
- Due diligence tiers driven by service criticality, data access, and geography; collect beneficial ownership and conflict-of-interest attestations.
- Sanctions and export screening against OFAC, EU, UN, and national lists plus export control determinations (EAR, ITAR, UK dual-use).
- Contract guardrails covering audit rights, subprocessor approvals, incident notice SLAs, and data localization commitments.
- Continuous monitoring for adverse media, performance SLAs, penetration testing reports, and SOC 2/ISO certifications with expiry tracking.
Metrics
- Screening timeliness: time to clear vendor sanctions/export checks; number of blocks or escalations.
- Assurance currency: percentage of critical vendors with current SOC/ISO attestations and penetration test summaries.
- Contract compliance: SLA adherence, data residency violations, and unapproved subprocessor findings.
- Issue remediation: average days to close vendor-related findings and recurrence rate by category.
Regulatory hooks
OFAC and EU sanctions programs require screening and blocking controls. US FCPA and UK Bribery Act expect third-party anti-corruption due diligence. DORA and EBA outsourcing guidelines require layered oversight and audit access for critical ICT providers.
Evidence, reporting, and culture
Sustainable compliance depends on traceable evidence, timely disclosures, and a culture that reinforces accountability.
Controls
- Centralize evidence repositories with retention aligned to statutory requirements; tag artifacts by control ID and period.
- Implement issue management workflows with ownership, due dates, and linkage to control failures or audit findings.
- Publish training cadences for code of conduct, privacy, sanctions, and anti-bribery topics; capture completion and comprehension checks.
- Coordinate regulatory reporting calendars (10-K/10-Q filings, SOC reports, DPIA logs, DORA incident notifications) with dry runs and sign-offs.
Metrics
- Evidence completeness: percentage of controls with period evidence attached and validated.
- Finding closure: mean time to remediate internal audit, external audit, and regulator findings; overdue count.
- Training effectiveness: completion rates, quiz scores, and phishing/simulation outcomes for targeted populations.
- Disclosure punctuality: on-time submission rate for statutory filings and supervisory notifications.
Regulatory hooks
Evidence and training underlie SEC reporting, Department of Justice evaluation of corporate compliance programs, GDPR accountability (Article 5(2)), and DORA incident reporting timelines.