Compliance Gap Analysis Questionnaire

    Answer the questions for your department. We will use the answers to develop a custom gap analysis report for your organization benchmarked against best practices.
  • Date
  • Human Resources Department Questions

  • Do you have a written Equal Employment Opportunity (EEO) policy? Resource: EEOC Guidelines

  • Are all job descriptions updated to reflect essential job functions and required qualifications? Resource: Fair Labor Standards Act (FLSA)

  • Are your recruitment advertisements and job postings free from discriminatory language? Resource: Title VII of the Civil Rights Act

  • Do you use a structured interview process to ensure fairness? Resource: Uniform Guidelines on Employee Selection Procedures (UGESP)

  • Are all employees properly classified as exempt or non-exempt under the FLSA? Resource: FLSA Exemption Guidelines

  • Are independent contractors appropriately classified to avoid misclassification risks? Resource: IRS Independent Contractor Rules

  • Are your hiring practices fair, transparent, and compliant with anti-discrimination laws? Including whether: 1) work authorization (e.g., Form I-9) is verified for all employees, 2) DEI goals are integrated into recruitment strategies, and 3) hiring decisions are documented to demonstrate compliance.

  • Do all new hires complete Form I-9, and are their documents verified within three business days of hire? Resource: U.S. Citizenship and Immigration Services (USCIS) Form I-9

  • Are all employees provided with harassment and discrimination prevention training? Resource: EEOC Harassment Guidelines

  • Do you provide training on workplace safety, including OSHA requirements? Resource: Occupational Safety and Health Administration (OSHA)

  • Do you have an up-to-date employee handbook that includes workplace policies, anti-discrimination policies, whistleblower protection policies, and complaint procedures? Resource: EEOC Best Practices for Workplace Policies

  • Do you conduct compliance training for all employees and managers (e.g., anti-harassment, workplace safety), including training in conflict resolution and performance management for managers, and role-specific compliance training?

  • Are training records maintained and checked for completion?

  • Documentation and Records Management: 1) Are employee contracts and compliance acknowledgments securely stored? 2) Are benefits enrollments and claims accurately documented? 3) Are payroll and tax documentation compliant and up to date? 4) Does record retention meet legal requirements (e.g., payroll records kept for 7 years)?

  • Are all HR policies reviewed and updated annually to reflect changes in laws and regulations? Resource: Society for Human Resource Management (SHRM)

  • Do you maintain accurate and secure personnel records in compliance with record retention laws? Resource: Fair Credit Reporting Act (FCRA)

  • Compensation and Benefits: 1) Do your wage practices comply with minimum wage and overtime laws? 2) Are legally mandated benefits (e.g., FMLA leave, health insurance) provided? 3) Are pay structures transparent, and are pay equity gaps addressed? 4) Are benefits programs audited regularly for compliance?

  • Do you have a documented process for determining employee wages and ensuring compliance with minimum wage laws? Resource: FLSA Minimum Wage Laws

  • Do you conduct annual reviews of employees?

  • Are employee benefits, including health insurance, provided in compliance with the Affordable Care Act (ACA)? Resource: Affordable Care Act Employer Provisions

  • Are overtime and break policies compliant with federal and state laws? Resource: Wage and Hour Division (WHD) - Breaks

  • Workplace Health & Safety: 1) Do you conduct regular workplace safety inspections and maintain OSHA-required documentation? 2) Do workplace safety programs meet OSHA standards? 3) Are regular risk assessments and audits conducted? 4) Are employees trained in emergency procedures? 5) Are workplace injuries documented and reported promptly? Resource: OSHA Recordkeeping Requirements

  • Are accommodations provided to employees with disabilities in compliance with the ADA? Resource: Americans with Disabilities Act (ADA)

  • Do you have a workplace violence prevention program? Resource: OSHA Workplace Violence Guidelines

  • Are employee data and records stored securely in compliance with data protection laws? Resource: General Data Protection Regulation (GDPR) (if applicable to your organization)

  • Do you have a policy and training on preventing and responding to data breaches? Resource: Federal Trade Commission (FTC) Data Security

  • Reporting and Auditing: 1) Are internal HR compliance audits conducted regularly? 2) Are key compliance metrics (e.g., diversity hiring rates) monitored? 3) Do audit findings inform action plans for continuous improvement? 4) Are legal teams engaged for external audits or inquiries?

  • Employee Relations and Conflict Resolution: 1) Do clear processes exist for handling grievances and complaints? 2) Are workplace incidents documented and resolved in a timely manner? 3) Are mediation or conflict resolution programs available? 4) Is employee feedback collected and reviewed regularly?

  • Technology and Software: 1) Does your HR management software comply with GDPR, CCPA, and HIPAA (where applicable to your organization)? 2) Is automated compliance tracking in place for training and policy acknowledgments? 3) Is employee data secured with encryption and access controls?

  • Federal Government-Specific Compliance (if applicable): 1) Are the FAR and other government contracting regulations followed? 2) Are background checks and security clearances conducted for employees on federal projects? 3) Are government-mandated reporting and verification systems used (e.g., E-Verify)?

  • Operations Department Questions

  • Do you maintain updated documentation of all operational policies and procedures? Resource: ISO 9001 - Quality Management Standards

  • Are you in compliance with all state and federal licensing requirements for operations? Resource: Small Business Administration (SBA) Licensing Guide

  • Do you conduct regular compliance audits for operational activities? Resource: Federal Compliance Guidance

  • Are all vendors and suppliers vetted for compliance with applicable regulations (e.g., labor, environmental, safety)? Resource: Federal Acquisition Regulations (FAR)

  • Do you have contracts with all suppliers that include compliance clauses (e.g., anti-bribery, ethical sourcing)? Resource: Foreign Corrupt Practices Act (FCPA)

  • Are supply chain activities monitored to ensure adherence to import/export laws? Resource: U.S. Customs and Border Protection (CBP) Regulations

  • Are all safety policies and procedures documented and communicated to employees? Resource: Occupational Safety and Health Administration (OSHA)

  • Do you conduct regular workplace safety inspections to identify and address potential hazards? Resource: OSHA Workplace Safety Requirements

  • Are all operations employees provided with appropriate personal protective equipment (PPE)? Resource: OSHA PPE Standards

  • Are your operations in compliance with environmental laws, including waste disposal and emissions standards? Resource: Environmental Protection Agency (EPA) Regulations

  • Do you conduct regular environmental impact assessments? Resource: National Environmental Policy Act (NEPA)

  • Do you have a system for reporting and addressing environmental violations? Resource: EPA Enforcement and Compliance

  • Are operational records retained in compliance with federal and state record retention laws? Resource: Federal Records Act

  • Are confidential operational records securely stored and accessible only to authorized personnel? Resource: Sarbanes-Oxley Act (SOX)

  • Do you have a data breach response plan for operational systems? Resource: FTC Data Breach Response Guide

  • Have you conducted a recent risk assessment for your operational processes? Resource: COSO Framework for Risk Management

  • Do you have a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)? Resource: Federal Emergency Management Agency (FEMA)

  • Are there regular training and drills for disaster preparedness among operations staff? Resource: Ready.gov Continuity Planning

  • Do you have an anti-corruption policy in place for operational activities? Resource: Foreign Corrupt Practices Act (FCPA)

  • Are employees trained on identifying and reporting unethical practices? Resource: Global Anti-Bribery and Corruption Regulations

  • Is there a whistleblower system for reporting compliance concerns anonymously? Resource: Whistleblower Protection Act

  • Are all procurement processes conducted in compliance with competitive bidding laws? Resource: Federal Acquisition Regulations (FAR)

  • Are contracts reviewed by legal counsel to ensure compliance with applicable laws? Resource: Contract Law Guidelines

  • Do you maintain a record of procurement activities for audit purposes? Resource: Uniform Guidance Procurement Standards

  • Legal Department Questions

  • Does the legal department have a documented mission statement outlining its role and responsibilities? Reference: U.S. Sentencing Guidelines §8B2.1(b)(1) (effective compliance program policies).

  • Is the General Counsel or equivalent a member of the executive team, or does the General Counsel have direct access to the Board of Directors? Reference: Sarbanes-Oxley Act (SOX), Section 301.

  • Does the legal department participate in risk assessments related to compliance and regulatory obligations? Reference: DOJ Guidance on Evaluation of Corporate Compliance Programs (2020).

  • Does the legal department maintain an up-to-date inventory of laws and regulations applicable to the company’s operations? Reference: ISO 37301:2021, Clause 4.3.

  • Are legal updates and regulatory changes regularly communicated to relevant departments? Reference: Federal Sentencing Guidelines §8B2.1(b)(4)(A) (periodic communication of standards and procedures).

  • Does the legal department ensure compliance with anti-corruption and anti-bribery laws (e.g., FCPA)? Reference: Foreign Corrupt Practices Act (FCPA), 15 U.S.C. §§ 78dd-1 et seq.

  • Are company policies reviewed by the legal department to ensure compliance with applicable laws and regulations?Reference: U.S. Sentencing Guidelines §8B2.1(b)(1).

  • Is there a documented process for reviewing and approving contracts to mitigate legal risks? Reference: Uniform Commercial Code (UCC) Article 2.

  • Are data protection policies aligned with applicable regulations (e.g., GDPR, CCPA)? Reference: GDPR Article 24; CCPA, Cal. Civ. Code § 1798.100 et seq.

  • Does the legal department provide training to employees on key legal risks (e.g., anti-bribery, antitrust, data privacy)?Reference: U.S. Sentencing Guidelines §8B2.1(b)(4).

  • Are senior executives and the Board trained on their legal responsibilities (e.g., fiduciary duties, compliance oversight)?Reference: Delaware General Corporation Law (DGCL) §141(a).

  • Are employees trained on how to identify and report potential legal violations? Reference: SOX Section 806 (whistleblower protections).

  • Does the legal department conduct regular audits to ensure compliance with legal and regulatory requirements? Reference: DOJ Guidance on Evaluation of Corporate Compliance Programs (2020).

  • Is there a process to evaluate and mitigate legal risks in mergers, acquisitions, and joint ventures? Reference: Hart-Scott-Rodino Act, 15 U.S.C. §18a.

  • Does the legal department monitor litigation trends and assess their impact on the company’s operations? Reference: Federal Rules of Civil Procedure (FRCP), Rule 26 (duty to disclose).

  • Does the legal department prepare regular reports on legal risks and compliance for the Board of Directors? Reference: SOX Section 301.

  • Are investigations into potential legal violations documented and handled consistently? Reference: DOJ Guidance on Corporate Compliance Programs (2020).

  • Are disciplinary actions for legal violations tracked and reported to ensure consistency? Reference: Federal Sentencing Guidelines §8B2.1(b)(6).

  • Does the legal department evaluate third-party compliance with applicable laws and regulations (e.g., due diligence on vendors)?

  • Are contracts with third parties reviewed to include compliance-related clauses? Reference: Uniform Commercial Code (UCC) Article 2.

  • Is there a process for monitoring third-party compliance after contracts are signed? Reference: ISO 37301:2021, Clause 8.4.

  • Does the legal department oversee compliance with data protection regulations (e.g., GDPR, CCPA)? Reference: GDPR Article 5; CCPA, Cal. Civ. Code § 1798.100 et seq.

  • Are legal considerations factored into the company’s incident response plan for data breaches? Reference: GDPR Articles 33-34.

  • Does the legal department ensure appropriate contracts (e.g., data processing agreements) are in place with third-party processors? Reference: GDPR Article 28.

  • Does the legal department benchmark its compliance practices against industry standards? Reference: ISO 37301:2021, Clause 10.

  • Are lessons learned from legal violations or compliance failures integrated into policies and procedures? Reference: DOJ Guidance on Evaluation of Corporate Compliance Programs (2020).

  • Does the legal department regularly review and update its processes for effectiveness? Reference: ISO 37301:2021, Clause 10.3.

  • Security/IT Department Questions

  • Does the department have a defined governance structure for cloud and IT operations? Reference: ISO/IEC 27001:2013, Clause 5.1 (Leadership and commitment).

  • Are roles and responsibilities for managing cloud, security, and IT operations clearly documented? Reference: NIST Cybersecurity Framework (CSF), Identify Function.

  • Are security policies regularly reviewed and approved by leadership? Reference: ISO/IEC 27001:2013, Clause 5.2 (Information Security Policy).

  • Is there a documented process for selecting and evaluating cloud service providers (e.g., SLA reviews)? Reference: ISO/IEC 27017:2015 (Cloud-specific controls).

  • Are cloud environments configured to comply with applicable data protection regulations (e.g., GDPR, CCPA)? Reference: GDPR Article 25 (Data protection by design and default).

  • Is multi-factor authentication (MFA) enforced for accessing cloud systems? Reference: NIST SP 800-63B (Digital Identity Guidelines).

  • Are encryption protocols used for data in transit and at rest in the cloud? Reference: ISO/IEC 27018:2019, Clause 10 (Cryptography).

  • Does the organization use an endpoint detection and response (EDR) solution to monitor and respond to endpoint threats? Reference: NIST SP 800-137 (Information Security Continuous Monitoring).

  • Are endpoint security configurations regularly updated to address new vulnerabilities? Reference: CIS Controls v8, Control 4 (Secure Configuration of Enterprise Assets and Software).

  • Is there a centralized log management system for tracking endpoint activity? Reference: NIST SP 800-92 (Guide to Computer Security Log Management).

  • Does the organization maintain an up-to-date inventory of all IT assets (hardware, software, and systems)? Reference: NIST CSF, Identify Function (Asset Management).

  • Are IT systems regularly patched and updated to mitigate vulnerabilities? Reference: CIS Controls v8, Control 7 (Continuous Vulnerability Management).

  • Is a secure baseline configuration applied to all IT systems? Reference: ISO/IEC 27001:2022, Annex A.8.9 (Configuration Management).

  • Are network security measures, such as firewalls and intrusion detection systems, implemented and monitored? Reference: NIST CSF, Protect Function (Protective Technology).

  • Does the organization have a documented data classification and handling policy? Reference: GDPR Article 5 (Data minimization and integrity).

  • Is sensitive data encrypted during transmission and storage? Reference: ISO/IEC 27018:2019, Clause 10 (Cryptography).

  • Are data backups performed regularly, and are backup systems tested? Reference: ISO/IEC 27001:2013, Annex A.12.3.1 (Information Backup).

  • Is access to sensitive data restricted to authorized personnel only? Reference: CIS Controls v8, Control 6 (Access Control Management).

  • Does the department have a documented incident response plan for security breaches? Reference: NIST SP 800-61 (Computer Security Incident Handling Guide).

  • Are security incidents logged, reviewed, and analyzed regularly? Reference: NIST SP 800-92 (Log Management Guide).

  • Are incident response exercises (e.g., tabletop exercises) conducted to test readiness? Reference: ISO/IEC 27035:2016 (Information Security Incident Management).

  • Is there a defined process to notify regulatory bodies and stakeholders in the event of a breach? Reference: GDPR Articles 33-34 (Breach Notification).

  • Are third-party cloud and IT vendors assessed for compliance with security and privacy regulations? Reference: NIST SP 800-161 Rev. 1 (Cybersecurity Supply Chain Risk Management Practices).

  • Do contracts with vendors include specific clauses on security responsibilities? Reference: ISO/IEC 27036 (Information Security for Supplier Relationships).

  • Is third-party access to the company’s IT systems regularly reviewed? Reference: NIST CSF, Protect Function (Access Control).

  • Does the organization have a documented disaster recovery plan for IT systems? Reference: ISO 22301:2019 (Business Continuity Management Systems).

  • Are disaster recovery plans tested at least annually? Reference: NIST SP 800-34 Rev. 1 (Contingency Planning Guide for Federal Information Systems).

  • Are critical IT functions prioritized in the organization’s continuity planning? Reference: ISO 22301:2019, Clause 8.2.2 (Business Impact Analysis).

  • Does the department regularly benchmark its practices against industry standards (e.g., CIS, NIST)? Reference: ISO/IEC 27001:2013, Clause 10.1 (Improvement).

  • Are lessons learned from security incidents integrated into policies and procedures? Reference: NIST CSF, Respond Function (Improvements).

  • Are emerging technologies and threats monitored to ensure proactive security measures? Reference: ISO/IEC 27001:2013, Clause 6.1.2 (Risk Assessment).

  • SRE Department Questions

  • Does the SRE department have documented policies for system reliability, incident response, and monitoring? Relevant Standards: ISO/IEC 27001, SOC 2, NIST SP 800-53.

  • How often are these policies reviewed and updated to align with regulatory or industry standards? Relevant Regulations: GDPR Article 32, HIPAA 45 CFR 164.316(b)(2)(iii) (periodic review of documentation).

  • Are compliance and reliability requirements integrated into the SRE team’s goals and performance metrics? Relevant Standards: ISO 22301.

  • Are all SRE team members trained on compliance policies relevant to their role? Relevant Regulations: GDPR Article 39, HIPAA 45 CFR 164.308(a)(5).

  • Are systems continuously monitored for uptime, performance, and compliance with SLAs? Relevant Standards: ISO/IEC 27001 A.12.4.1, PCI DSS Requirement 10.

  • Are logs and metrics retained and archived in compliance with organizational or regulatory retention policies? Relevant Regulations: SOX Section 802, GDPR Article 30.

  • Are monitoring tools configured to detect and alert on compliance-related events or anomalies (e.g., unauthorized access, data breaches)? Relevant Standards: NIST SP 800-53 SI-4 (System Monitoring), PCI DSS Requirement 11.5.

  • Are monitoring and alerting tools periodically reviewed and tested for effectiveness? Relevant Standards: ISO/IEC 27001 A.14.2.8.

  • Does the SRE team have a documented incident response plan (IRP)? Relevant Regulations: NIST SP 800-61, GDPR Article 33.

  • How frequently is the incident response plan tested through drills or simulations? Relevant Standards: ISO 22301.

  • Does the IRP include steps to ensure compliance reporting (e.g., breach notifications)? Relevant Regulations: GDPR Article 33, HIPAA 45 CFR 164.408.

  • Are post-incident reviews conducted to ensure compliance issues are identified and addressed? Relevant Standards: ISO/IEC 27035.

  • Are configurations managed through version control and auditable systems? Relevant Standards: ISO/IEC 27001 A.12.1.2 (Change management).

  • Is there a defined process for approving changes to configurations that impact compliance? Relevant Regulations: SOX Section 404.

  • Are configuration baselines automatically enforced and monitored for drift? Relevant Standards: NIST SP 800-53 CM-6 (Configuration Settings).

  • Are compliance checks integrated into CI/CD pipelines? Relevant Standards: OWASP SAMM.

  • Is access to SRE systems and tools limited based on least privilege principles? Relevant Regulations: PCI DSS Requirement 7, HIPAA 45 CFR 164.312(a)(1).

  • Are access controls audited regularly to ensure compliance with internal and external standards? Relevant Standards: ISO/IEC 27001 A.9.2.5 (Review of user access rights).

  • Does the SRE team use secure methods for storing and accessing secrets (e.g., API keys, passwords)? Relevant Standards: NIST SP 800-53 SC-12.

  • Are compliance-related security controls (e.g., firewalls, encryption) implemented and validated? Relevant Regulations: GDPR Article 32(1)(a), PCI DSS Requirement 4.

  • Are SRE team members trained on relevant regulatory requirements (e.g., GDPR, HIPAA, PCI DSS)? Relevant Regulations: GDPR Article 39(1)(b), HIPAA 45 CFR 164.308(a)(5).

  • How often does the team participate in compliance and security awareness training? Relevant Standards: ISO/IEC 27001 A.7.2.2.

  • Are lessons learned from compliance audits shared with the SRE team? Relevant Standards: ISO 19011.

  • Does the SRE department have a process for integrating compliance feedback into workflows and tools? Relevant Standards: ITIL Continual Service Improvement.

  • Are new compliance standards and regulatory updates proactively reviewed and incorporated? Relevant Regulations: GDPR Article 24.

  • Are compliance metrics reported and reviewed as part of regular team meetings or retrospectives? Relevant Standards: CMMI.
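For the monitoring question in this section (detecting and alerting on compliance-related events such as unauthorized access), the following is an added example, not part of the questionnaire or any tool it names. It shows the kind of detection logic an auditor would expect behind a "yes" answer: it parses OpenSSH-style auth log lines, raises an alert when one source address exceeds a failure threshold inside a time window, and flags successful logins from outside an assumed allow-list. The log lines, the allow-list prefix, the threshold and the window are constructed for illustration.

```python
"""
Added example (not from the questionnaire): a minimal "unauthorized access"
detector over sshd auth log lines. Sample log, ALLOWED_PREFIXES,
FAIL_THRESHOLD and WINDOW are constructed assumptions, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in syslog format (the year is omitted, as in a real auth.log).
SAMPLE_LOG = """\
Mar  3 10:01:05 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:07 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  3 10:01:09 bastion sshd[2102]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 10:01:10 bastion sshd[2103]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar  3 10:01:12 bastion sshd[2104]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar  3 10:02:30 bastion sshd[2110]: Accepted publickey for deploy from 10.20.0.5 port 40110 ssh2: ED25519 SHA256:abc
Mar  3 10:05:41 bastion sshd[2115]: Accepted password for root from 198.51.100.77 port 60001 ssh2
Mar  3 11:30:00 bastion sshd[2120]: Failed password for alice from 10.20.0.8 port 40200 ssh2
"""

# Assumed policy: interactive logins are only expected from the office/VPN range.
ALLOWED_PREFIXES = ("10.20.0.",)
FAIL_THRESHOLD = 5             # this many failures from one source ...
WINDOW = timedelta(minutes=2)  # ... within this window raise a brute-force alert

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd authentication line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog lines carry no year; the caller supplies it so timestamps can be compared.
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def detect(log_text):
    """Return a list of (alert_type, source_ip, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of failures inside WINDOW
    burst_reported = set()        # report one brute-force alert per source
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["result"] == "Failed":
            # Sliding window: keep only failures within WINDOW of this event.
            recent = [t for t in failures[ip] if rec["ts"] - t <= WINDOW]
            recent.append(rec["ts"])
            failures[ip] = recent
            if len(recent) >= FAIL_THRESHOLD and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append(("brute_force", ip, f"{len(recent)} failures within {WINDOW}"))
        else:
            # A successful login from outside the allow-list is the event the
            # questionnaire calls "unauthorized access"; a root login from inside
            # the allow-list is still worth an alert for review.
            if not ip.startswith(ALLOWED_PREFIXES):
                alerts.append(("login_outside_allowlist", ip,
                               f"{rec['method']} login as {rec['user']}"))
            elif rec["user"] == "root":
                alerts.append(("root_login", ip, f"{rec['method']} login as root"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the detector produces two alerts: a brute-force burst from 203.0.113.9 (five failures in under two minutes) and a password login as root from 198.51.100.77, which is outside the assumed allow-list. The publickey login from 10.20.0.5 and the single failure from 10.20.0.8 produce nothing. In a real deployment the same logic would live in the SIEM or log pipeline, and the evidence an auditor asks for is the rule definition, the alert routing, and a record that the rule was tested (the periodic review question a few items above).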

  • Workplaces Department Questions

  • Product Department Questions

  • Privacy Department Questions

  • Internal Audit Department Questions

  • GRC Federal Department Questions

  • Ops Engineering Department Questions

  • Finance Department Questions

  • AI Department Questions

  • Communications Department Questions

  • Procurement Department Questions

  • Research & Development Department Questions

  • Customer Service Department Questions

  • Marketing & Sales Department Questions

  • Quality Assurance Department Questions

  • Board of Directors/Executive Office Department Questions

  • DEI Department Questions

  • Data Analytics Department Questions

  • Mergers & Acquisitions/Corporate Strategy Department Questions
