Compliance pillar tips
Audit-ready compliance management without shortcuts
These checklists fuse our research with COSO 2013, ISO 37301, PCAOB auditing standards, EU CSRD delegated acts, DORA policy instruments, and FinCEN guidance.
Run them as recurring sprints so finance, risk, privacy, and sustainability teams stay synchronised with regulator expectations.
Program governance
- Charter authority. Align compliance committee mandates with ISO 37301 clauses 5 and 6, documenting reporting lines to the board audit or risk committee.
- Integrated risk assessment. Combine COSO enterprise risk assessment outputs with control scoping for SOX Section 404, UK Corporate Governance Code 2024 internal control statements, and CSRD double materiality workshops.
- Policy lifecycle. Maintain a policy inventory with approval dates, owners, review cycle, and cross-references to the regulatory citations each policy satisfies; route every change through a documented change-control procedure (the document control requirements of ISO 9001 clause 7.5 are a workable model) so superseded versions remain retrievable for auditors.
Control execution
- Testing cadence. Schedule design and operating effectiveness testing in line with PCAOB AS 2201 and UK FRC thematic reviews; evidence stratified sampling results and remediation follow-up.
- Automation validation. Evaluate automated controls, robotic process automation, and scripts with change-management tickets, code reviews, and re-performance logs mapped to ISACA COBIT control objectives.
- Segregation of duties. Run quarterly SoD analytics across ERP, treasury, and procurement systems, resolving each application's accounts to a single identity first so that conflicts split across systems are not missed; where a conflict cannot be removed, record the mitigating control with its owner, expiry date, and evidence that it operated, and re-test it each cycle rather than carrying it forward unexamined.
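As an added illustration of the SoD analytics step (example code written for this page, not part of any vendor tool or the original checklist), the script below merges constructed entitlement exports from three systems into one permission set per identity, evaluates a small conflicting-permission ruleset, and separates open conflicts from those covered by an unexpired mitigating control. The account-to-identity mapping, rule IDs, permission names and expiry dates are all assumptions made up for the example; unmapped accounts are surfaced as a coverage gap rather than silently dropped.

```python
"""Cross-system segregation-of-duties (SoD) review over constructed sample data.

Everything below (systems, accounts, permissions, rule IDs, mitigations) is
invented for illustration and is not drawn from any real environment.
"""
from collections import defaultdict
from datetime import date

# Constructed entitlement exports: (system, account, permission).
# The same person appears under three different account names.
ENTITLEMENT_EXPORTS = [
    ("erp", "jdoe", "vendor.create"),
    ("erp", "jdoe", "invoice.enter"),
    ("procurement", "JDOE", "po.approve"),
    ("treasury", "j.doe", "payment.release"),
    ("erp", "asmith", "invoice.enter"),
    ("erp", "asmith", "invoice.approve"),
    ("treasury", "bwong", "wire.initiate"),
    ("treasury", "bwong", "wire.release"),
    ("erp", "clee", "vendor.create"),
    ("procurement", "svc_batch", "po.approve"),   # no owner in the identity system
]

# Constructed mapping from the identity system: (system, account) -> identity.
ACCOUNT_TO_IDENTITY = {
    ("erp", "jdoe"): "jdoe", ("procurement", "JDOE"): "jdoe", ("treasury", "j.doe"): "jdoe",
    ("erp", "asmith"): "asmith", ("treasury", "bwong"): "bwong", ("erp", "clee"): "clee",
}

# SoD ruleset (assumed): permissions in one rule must not be held together.
SOD_RULES = {
    "SOD-01": frozenset({"vendor.create", "payment.release"}),
    "SOD-02": frozenset({"invoice.enter", "invoice.approve"}),
    "SOD-03": frozenset({"wire.initiate", "wire.release"}),
    "SOD-04": frozenset({"vendor.create", "po.approve"}),
}

# Mitigating controls accepted by control owners, each with an expiry (constructed).
MITIGATIONS = {
    ("jdoe", "SOD-04"): {"control": "monthly PO-to-vendor review by AP manager",
                         "expires": date(2025, 12, 31)},
    ("bwong", "SOD-03"): {"control": "dual approval on wire release",
                          "expires": date(2024, 6, 30)},
}


def resolve_identities(exports, account_map):
    """Merge per-application accounts into one permission set per identity.

    Accounts absent from the identity mapping are returned separately: an
    unmapped account is a review gap, not a clean result.
    """
    perms_by_identity = defaultdict(set)
    unmapped = []
    for system, account, perm in exports:
        identity = account_map.get((system, account))
        if identity is None:
            unmapped.append((system, account))
            continue
        perms_by_identity[identity].add(perm)
    return dict(perms_by_identity), unmapped


def find_conflicts(perms_by_identity, rules):
    """Return {(identity, rule_id): sorted permissions} for every rule fully held."""
    conflicts = {}
    for identity, perms in perms_by_identity.items():
        for rule_id, rule_perms in rules.items():
            if rule_perms <= perms:          # all permissions of the rule are present
                conflicts[(identity, rule_id)] = sorted(rule_perms)
    return conflicts


def classify(conflicts, mitigations, as_of):
    """Split conflicts into mitigated (control on file, unexpired) and open."""
    mitigated, open_conflicts = {}, {}
    for key, perms in conflicts.items():
        m = mitigations.get(key)
        if m is not None and m["expires"] >= as_of:
            mitigated[key] = {"permissions": perms, "control": m["control"]}
        else:
            reason = "no mitigating control" if m is None else "mitigating control expired"
            open_conflicts[key] = {"permissions": perms, "reason": reason}
    return mitigated, open_conflicts


def run_sod_review(exports=ENTITLEMENT_EXPORTS, account_map=ACCOUNT_TO_IDENTITY,
                   rules=SOD_RULES, mitigations=MITIGATIONS, as_of=date(2025, 3, 31)):
    """One review cycle: resolve identities, detect conflicts, apply mitigations."""
    perms, unmapped = resolve_identities(exports, account_map)
    conflicts = find_conflicts(perms, rules)
    mitigated, open_conflicts = classify(conflicts, mitigations, as_of)
    return {"mitigated": mitigated, "open": open_conflicts, "unmapped_accounts": unmapped}


if __name__ == "__main__":
    result = run_sod_review()
    for key, detail in sorted(result["open"].items()):
        print("OPEN     ", key, detail["permissions"], "-", detail["reason"])
    for key, detail in sorted(result["mitigated"].items()):
        print("MITIGATED", key, detail["permissions"], "-", detail["control"])
    for account in result["unmapped_accounts"]:
        print("UNMAPPED ", account)
```

Running the review as-is reports three open conflicts (two with no mitigation, one whose mitigation lapsed in 2024), one mitigated conflict, and one service account with no identity owner. If the same exports are evaluated per account instead of per identity, the two conflicts that jdoe holds across ERP, procurement and treasury disappear, which is the cross-system blind spot the checklist item is warning about.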
Documentation and evidence
- Workpaper standards. Follow the IIA Global Internal Audit Standards (2024) and AICPA AU-C section 230 (Audit Documentation) so that workpapers are indexed, carry evidence of review, and are retained for the required periods.
- Disclosure support. Store management representation letters, disclosure committee minutes, and ESRS tagging evidence alongside narrative controls for SEC, ESMA, and FCA filings.
- Beneficial ownership files. Keep FinCEN BOI submission receipts, entity structure charts, and change logs ready for 30-day update deadlines and enforcement inquiries.
Third-party oversight
- Critical supplier register. Classify vendors using DORA RTS criteria, EBA outsourcing guidelines, the 2023 US interagency third-party risk guidance (OCC Bulletin 2023-17, which replaced OCC Bulletin 2013-29), and OSFI B-10; tie contract clauses to reporting, audit-access, and exit obligations.
- Due diligence evidence. Collect SOC 1/SOC 2 reports, ISO/IEC 27001 certificates, financial statements, and sustainability attestations; record review notes and remediation commitments.
- Continuous monitoring. Feed public sanctions lists, adverse media, and regulator enforcement bulletins into vendor risk dashboards with documented escalation paths.
Regulatory reporting
- Submission tracker. Maintain a master calendar covering CSRD filings, SEC Form 10-K/Q, HMRC Making Tax Digital returns, EU ETS/CBAM reports, and FinCEN SAR/BOI submissions.
- Quality assurance. Reconcile reported metrics to general ledger, data warehouse, and ESG systems of record; document reviewer sign-off and management certifications.
- Retention and audit trail. Archive filings, regulator correspondence, and proof-of-delivery acknowledgements for jurisdiction-specific retention periods (e.g., EU CBAM 5 years; IRS generally 3 to 7 years depending on the item), and confirm the retention rule applied to each record in the archive index.
Continuous monitoring and improvement
- Issue management. Track deficiencies from internal audit, external audit, and regulator findings through closure with root-cause analysis and target dates.
- Training coverage. Deliver role-based compliance training aligned to DOJ Evaluation of Corporate Compliance Programs guidance, retaining completion evidence and comprehension checks.
- Metrics and reporting. Publish dashboards covering control failure rates, on-time regulatory submission rate, hotline case trends, and remediation velocity for executive oversight, with each metric traced to its system of record.