Compliance Gap Analysis Questionnaire
Answer the questions for your department. We will use the answers to develop a custom gap analysis report for your organization benchmarked against best practices.
Company Name
Date (Month / Day / Year)
Human Resources Department Questions
Name of department representative filling out this section of the form:
Do you have a written Equal Employment Opportunity (EEO) policy? Resource: EEOC Guidelines
Yes
In Progress
No
Other
Are all job descriptions updated to reflect essential job functions and required qualifications? Resource: Fair Labor Standards Act (FLSA)
Yes
In Progress
No
Other
Are your recruitment advertisements and job postings free from discriminatory language? Resource: Title VII of the Civil Rights Act
Yes
In Progress
No
Other
Do you use a structured interview process to ensure fairness? Resource: Uniform Guidelines on Employee Selection Procedures (UGESP)
Yes
In Progress
No
Other
Are all employees properly classified as exempt or non-exempt under the FLSA? Resource: FLSA Exemption Guidelines
Yes
In Progress
No
Other
Are independent contractors appropriately classified to avoid misclassification risks? Resource: IRS Independent Contractor Rules
Yes
In Progress
No
Other
Are your hiring practices fair, transparent, and compliant with anti-discrimination laws, including: 1) work authorization (e.g., Form I-9) is verified for all employees; 2) DEI goals are integrated into recruitment strategies; 3) hiring decisions are documented to demonstrate compliance?
Yes
In Progress
No
Other
Do all new hires complete Form I-9, and are their documents verified within three business days of hire? Resource: U.S. Citizenship and Immigration Services (USCIS) Form I-9
Yes
In Progress
No
Other
Are all employees provided with harassment and discrimination prevention training? Resource: EEOC Harassment Guidelines
Yes
In Progress
No
Other
Do you provide training on workplace safety, including OSHA requirements? Resource: Occupational Safety and Health Administration (OSHA)
Yes
In Progress
No
Other
Do you have an up-to-date employee handbook that includes workplace policies, anti-discrimination policies, whistleblower protection policies, and complaint procedures? Resource: EEOC Best Practices for Workplace Policies
Yes
In Progress
No
Other
Do you conduct compliance training for all employees and managers (e.g., anti-harassment, workplace safety), including training in conflict resolution and performance management for managers, and role-specific compliance training?
Yes
In Progress
No
Other
Are training records maintained and checked for completion?
Yes
In Progress
No
Other
Documentation and Records Management: 1) Are employee contracts and compliance acknowledgments securely stored? 2) Are benefits enrollments and claims accurately documented? 3) Are payroll and tax documentation compliant and up to date? [Record retention should meet legal requirements (e.g., payroll records kept for 7 years).]
Yes
In Progress
No
Other
Are all HR policies reviewed and updated annually to reflect changes in laws and regulations? Resource: Society for Human Resource Management (SHRM)
Yes
In Progress
No
Other
Do you maintain accurate and secure personnel records in compliance with record retention laws? Resource: Fair Credit Reporting Act (FCRA)
Yes
In Progress
No
Other
Compensation and Benefits: 1) Do your wage practices comply with minimum wage and overtime laws? 2) Are legally mandated benefits (e.g., FMLA, health insurance) provided? 3) Are pay structures transparent, and are pay equity gaps addressed? 4) Are benefits programs audited regularly for compliance?
Yes
In Progress
No
Other
Do you have a documented process for determining employee wages and ensuring compliance with minimum wage laws? Resource: FLSA Minimum Wage Laws
Yes
In Progress
No
Other
Do you conduct annual reviews of employees?
Yes
In Progress
No
Other
Are employee benefits, including health insurance, provided in compliance with the Affordable Care Act (ACA)? Resource: Affordable Care Act Employer Provisions
Yes
In Progress
No
Other
Are overtime and break policies compliant with federal and state laws? Resource: Wage and Hour Division (WHD) - Breaks
Yes
In Progress
No
Other
Workplace Health & Safety: 1) Do you conduct regular workplace safety inspections and maintain OSHA-required documentation? 2) Do workplace safety programs meet OSHA standards? 3) Are regular risk assessments and audits conducted? 4) Are employees trained in emergency procedures? 5) Are workplace injuries documented and reported promptly? Resource: OSHA Recordkeeping Requirements
Yes
In Progress
No
Other
Are accommodations provided to employees with disabilities in compliance with the ADA? Resource: Americans with Disabilities Act (ADA)
Yes
In Progress
No
Other
Do you have a workplace violence prevention program? Resource: OSHA Workplace Violence Guidelines
Yes
In Progress
No
Other
Are employee data and records stored securely in compliance with data protection laws? Resource: General Data Protection Regulation (GDPR) (if applicable to your organization)
Yes
In Progress
No
Other
Do you have a policy and training on preventing and responding to data breaches? Resource: Federal Trade Commission (FTC) Data Security
Yes
In Progress
No
Other
Reporting and Auditing: 1) Are internal HR compliance audits conducted regularly? 2) Are key compliance metrics (e.g., diversity hiring rates) monitored? 3) Do audit findings inform action plans for continuous improvement? 4) Are legal teams engaged for external audits or inquiries?
Yes
In Progress
No
Other
Employee Relations and Conflict Resolution: 1) Do clear processes exist for handling grievances and complaints? 2) Are workplace incidents documented and resolved in a timely manner? 3) Are mediation or conflict resolution programs available? 4) Is employee feedback collected and reviewed regularly?
Yes
In Progress
No
Other
Technology and Software: 1) Does HR management software comply with GDPR, CCPA, and HIPAA? 2) Is automated compliance tracking in place for training and policy acknowledgments? 3) Is employee data secured with encryption and access controls?
Yes
In Progress
No
Other
Federal Government-Specific Compliance (if applicable): 1) Are FAR and other government contracting regulations followed? 2) Are background checks and security clearances conducted for federal project employees? 3) Are government-mandated reporting and payment systems used (e.g., E-Verify)?
Yes
In Progress
No
Other
Operations Department Questions
Name of department representative filling out this form:
Do you maintain updated documentation of all operational policies and procedures? Resource: ISO 9001 - Quality Management Standards
Yes
In Progress
No
Other
Are you in compliance with all state and federal licensing requirements for operations? Resource: Small Business Administration (SBA) Licensing Guide
Yes
In Progress
No
Other
Do you conduct regular compliance audits for operational activities? Resource: Federal Compliance Guidance
Yes
In Progress
No
Other
Are all vendors and suppliers vetted for compliance with applicable regulations (e.g., labor, environmental, safety)? Resource: Federal Acquisition Regulations (FAR)
Yes
In Progress
No
Other
Do you have contracts with all suppliers that include compliance clauses (e.g., anti-bribery, ethical sourcing)? Resource: Foreign Corrupt Practices Act (FCPA)
Yes
In Progress
No
Other
Are supply chain activities monitored to ensure adherence to import/export laws? Resource: U.S. Customs and Border Protection (CBP) Regulations
Yes
In Progress
No
Other
Are all safety policies and procedures documented and communicated to employees? Resource: Occupational Safety and Health Administration (OSHA)
Yes
In Progress
No
Other
Do you conduct regular workplace safety inspections to identify and address potential hazards? Resource: OSHA Workplace Safety Requirements
Yes
In Progress
No
Other
Are all operations employees provided with appropriate personal protective equipment (PPE)? Resource: OSHA PPE Standards
Yes
In Progress
No
Other
Are your operations in compliance with environmental laws, including waste disposal and emissions standards? Resource: Environmental Protection Agency (EPA) Regulations
Yes
In Progress
No
Other
Do you conduct regular environmental impact assessments? Resource: National Environmental Policy Act (NEPA)
Yes
In Progress
No
Other
Do you have a system for reporting and addressing environmental violations? Resource: EPA Enforcement and Compliance
Yes
In Progress
No
Other
Are operational records retained in compliance with federal and state record retention laws? Resource: Federal Records Act
Yes
In Progress
No
Other
Are confidential operational records securely stored and accessible only to authorized personnel? Resource: Sarbanes-Oxley Act (SOX)
Yes
In Progress
No
Other
Do you have a data breach response plan for operational systems? Resource: FTC Data Breach Response Guide
Yes
In Progress
No
Other
Have you conducted a recent risk assessment for your operational processes? Resource: COSO Framework for Risk Management
Yes
In Progress
No
Other
Do you have a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)? Resource: Federal Emergency Management Agency (FEMA)
Yes
In Progress
No
Other
Are there regular training and drills for disaster preparedness among operations staff? Resource: Ready.gov Continuity Planning
Yes
In Progress
No
Other
Do you have an anti-corruption policy in place for operational activities? Resource: Foreign Corrupt Practices Act (FCPA)
Yes
In Progress
No
Other
Are employees trained on identifying and reporting unethical practices? Resource: Global Anti-Bribery and Corruption Regulations
Yes
In Progress
No
Other
Is there a whistleblower system for reporting compliance concerns anonymously? Resource: Whistleblower Protection Act
Yes
In Progress
No
Other
Are all procurement processes conducted in compliance with competitive bidding laws? Resource: Federal Acquisition Regulations (FAR)
Yes
In Progress
No
Other
Are contracts reviewed by legal counsel to ensure compliance with applicable laws? Resource: Contract Law Guidelines
Yes
In Progress
No
Other
Do you maintain a record of procurement activities for audit purposes? Resource: Uniform Guidance Procurement Standards
Yes
In Progress
No
Other
Legal Department Questions
Does the legal department have a documented mission statement outlining its role and responsibilities? Reference: U.S. Sentencing Guidelines §8B2.1(b)(1) (effective compliance program policies).
Yes
In Progress
No
Other
Is the General Counsel (or equivalent) a member of the executive team, or does the General Counsel have direct access to the Board of Directors? Reference: Sarbanes-Oxley Act (SOX), Section 301.
Yes
In Progress
No
Other
Does the legal department participate in risk assessments related to compliance and regulatory obligations? Reference: DOJ Guidance on Evaluation of Corporate Compliance Programs (2020).
Yes
In Progress
No
Other
Does the legal department maintain an up-to-date inventory of laws and regulations applicable to the company’s operations? Reference: ISO 37301:2021, Clause 4.3.
Yes
In Progress
No
Other
Are legal updates and regulatory changes regularly communicated to relevant departments? Reference: Federal Sentencing Guidelines §8B2.1(b)(5)(C).
Yes
In Progress
No
Other
Does the legal department ensure compliance with anti-corruption and anti-bribery laws (e.g., FCPA)? Reference: Foreign Corrupt Practices Act (FCPA), 15 U.S.C. §§ 78dd-1.
Yes
In Progress
No
Other
Are company policies reviewed by the legal department to ensure compliance with applicable laws and regulations? Reference: U.S. Sentencing Guidelines §8B2.1(b)(1).
Yes
In Progress
No
Other
Is there a documented process for reviewing and approving contracts to mitigate legal risks? Reference: Uniform Commercial Code (UCC) Article 2.
Yes
In Progress
No
Other
Are data protection policies aligned with applicable regulations (e.g., GDPR, CCPA)? Reference: GDPR Article 24, CCPA §1798.
Yes
In Progress
No
Other
Does the legal department provide training to employees on key legal risks (e.g., anti-bribery, antitrust, data privacy)? Reference: U.S. Sentencing Guidelines §8B2.1(b)(4).
Yes
In Progress
No
Other
Are senior executives and the Board trained on their legal responsibilities (e.g., fiduciary duties, compliance oversight)? Reference: Delaware General Corporation Law (DGCL) §141(a).
Yes
In Progress
No
Other
Are employees trained on how to identify and report potential legal violations? Reference: SOX Section 806 (whistleblower protections).
Yes
In Progress
No
Other
Does the legal department conduct regular audits to ensure compliance with legal and regulatory requirements? Reference: DOJ Guidance on Evaluation of Corporate Compliance Programs (2020).
Yes
In Progress
No
Other
Is there a process to evaluate and mitigate legal risks in mergers, acquisitions, and joint ventures? Reference: Hart-Scott-Rodino Act, 15 U.S.C. §18a.
Yes
In Progress
No
Other
Does the legal department monitor litigation trends and assess their impact on the company’s operations? Reference: Federal Rules of Civil Procedure (FRCP), Rule 26 (duty to disclose).
Yes
In Progress
No
Other
Does the legal department prepare regular reports on legal risks and compliance for the Board of Directors? Reference: SOX Section 301.
Yes
In Progress
No
Other
Are investigations into potential legal violations documented and handled consistently? Reference: DOJ Guidance on Corporate Compliance Programs (2020).
Yes
In Progress
No
Other
Are disciplinary actions for legal violations tracked and reported to ensure consistency? Reference: Federal Sentencing Guidelines §8B2.1(b)(6).
Yes
In Progress
No
Other
Does the legal department evaluate third-party compliance with applicable laws and regulations (e.g., due diligence on vendors)?
Yes
In Progress
No
Other
Are contracts with third parties reviewed to include compliance-related clauses? Reference: Uniform Commercial Code (UCC) Article 2.
Yes
In Progress
No
Other
Is there a process for monitoring third-party compliance after contracts are signed? Reference: ISO 37301:2021, Clause 8.4.
Yes
In Progress
No
Other
Does the legal department oversee compliance with data protection regulations (e.g., GDPR, CCPA)? Reference: GDPR Article 5, CCPA §1798.
Yes
In Progress
No
Other
Are legal considerations factored into the company’s incident response plan for data breaches? Reference: GDPR Articles 33-34.
Yes
In Progress
No
Other
Does the legal department ensure appropriate contracts (e.g., data processing agreements) are in place with third-party processors? Reference: GDPR Article 28.
Yes
In Progress
No
Other
Does the legal department benchmark its compliance practices against industry standards? Reference: ISO 37301:2021, Clause 10.
Yes
In Progress
No
Other
Are lessons learned from legal violations or compliance failures integrated into policies and procedures? Reference: DOJ Guidance on Evaluation of Corporate Compliance Programs (2020).
Yes
In Progress
No
Other
Does the legal department regularly review and update its processes for effectiveness? Reference: ISO 37301:2021, Clause 10.3.
Yes
In Progress
No
Other
Security/IT Department Questions
Does the department have a defined governance structure for cloud and IT operations? Reference: ISO/IEC 27001:2013, Clause 5 (Leadership and commitment).
Yes
In Progress
No
Other
Are roles and responsibilities for managing cloud, security, and IT operations clearly documented? Reference: NIST Cybersecurity Framework (CSF), Identify Function.
Yes
In Progress
No
Other
Are security policies regularly reviewed and approved by leadership? Reference: ISO/IEC 27001:2013, Clause 5.2 (Information Security Policy).
Yes
In Progress
No
Other
Is there a documented process for selecting and evaluating cloud service providers (e.g., SLA reviews)? Reference: ISO/IEC 27017:2015 (Cloud-specific controls).
Yes
In Progress
No
Other
Are cloud environments configured to comply with applicable data protection regulations (e.g., GDPR, CCPA)? Reference: GDPR Article 25 (Data protection by design and default).
Yes
In Progress
No
Other
Is multi-factor authentication (MFA) enforced for accessing cloud systems? Reference: NIST SP 800-63B (Digital Identity Guidelines).
Yes
In Progress
No
Other
Are encryption protocols used for data in transit and at rest in the cloud? Reference: ISO/IEC 27018:2019, Clause 10 (Cloud encryption standards).
Yes
In Progress
No
Other
Does the organization utilize an EDR (endpoint detection and response) solution to monitor and respond to endpoint threats? Reference: NIST SP 800-137 (Information Security Continuous Monitoring).
Yes
In Progress
No
Other
Are endpoint security configurations regularly updated to address new vulnerabilities? Reference: CIS Controls v8, Control 5 (Secure Configuration for Hardware and Software).
Yes
In Progress
No
Other
Is there a centralized log management system for tracking endpoint activity? Reference: NIST SP 800-92 (Guide to Computer Security Log Management).
Yes
In Progress
No
Other
Does the organization maintain an up-to-date inventory of all IT assets (hardware, software, and systems)? Reference: NIST CSF, Identify Function (Asset Management).
Yes
In Progress
No
Other
Are IT systems regularly patched and updated to mitigate vulnerabilities? Reference: CIS Controls v8, Control 7 (Continuous Vulnerability Management).
Yes
In Progress
No
Other
Is a secure baseline configuration applied to all IT systems? Reference: ISO/IEC 27001:2013, Annex A.12.1.1 (Change Management).
Yes
In Progress
No
Other
Are network security measures, such as firewalls and intrusion detection systems, implemented and monitored? Reference: NIST CSF, Protect Function (Access Control and Security).
Yes
In Progress
No
Other
Does the organization have a documented data classification and handling policy? Reference: GDPR Article 5 (Data minimization and integrity).
Yes
In Progress
No
Other
Is sensitive data encrypted during transmission and storage? Reference: ISO/IEC 27018:2019, Clause 10 (Encryption).
Yes
In Progress
No
Other
Are data backups performed regularly, and are backup systems tested? Reference: ISO/IEC 27001:2013, Annex A.12.3.1 (Information Backup).
Yes
In Progress
No
Other
Is access to sensitive data restricted to authorized personnel only? Reference: CIS Controls v8, Control 4 (Controlled Use of Administrative Privileges).
Yes
In Progress
No
Other
Does the department have a documented incident response plan for security breaches? Reference: NIST SP 800-61 (Computer Security Incident Handling Guide).
Yes
In Progress
No
Other
Are security incidents logged, reviewed, and analyzed regularly? Reference: NIST SP 800-92 (Log Management Guide).
Yes
In Progress
No
Other
Are incident response exercises (e.g., tabletop exercises) conducted to test readiness? Reference: ISO/IEC 27035:2016 (Information Security Incident Management).
Yes
In Progress
No
Other
Is there a defined process to notify regulatory bodies and stakeholders in the event of a breach? Reference: GDPR Articles 33-34 (Breach Notification).
Yes
In Progress
No
Other
Are third-party cloud and IT vendors assessed for compliance with security and privacy regulations? Reference: FCPA Resource Guide, Chapter 5 (Third-Party Due Diligence).
Yes
In Progress
No
Other
Do contracts with vendors include specific clauses on security responsibilities? Reference: ISO/IEC 27036:2013 (Supplier Relationships).
Yes
In Progress
No
Other
Is third-party access to the company’s IT systems regularly reviewed? Reference: NIST CSF, Protect Function (Access Control).
Yes
In Progress
No
Other
Does the organization have a documented disaster recovery plan for IT systems? Reference: ISO/IEC 22301:2019 (Business Continuity Management Systems).
Yes
In Progress
No
Other
Are disaster recovery plans tested at least annually? Reference: NIST SP 800-34 (Contingency Planning Guide for IT).
Yes
In Progress
No
Other
Are critical IT functions prioritized in the organization’s continuity planning? Reference: ISO/IEC 22301:2019, Clause 8.4.
Yes
In Progress
No
Other
Does the department regularly benchmark its practices against industry standards (e.g., CIS, NIST)? Reference: ISO/IEC 27001:2013, Clause 10.1 (Improvement).
Yes
In Progress
No
Other
Are lessons learned from security incidents integrated into policies and procedures? Reference: NIST CSF, Respond Function (Improvements).
Yes
In Progress
No
Other
Are emerging technologies and threats monitored to ensure proactive security measures? Reference: ISO/IEC 27001:2013, Clause 6.1.2 (Risk Assessment).
Yes
In Progress
No
Other
SRE Department Questions
Does the SRE department have documented policies for system reliability, incident response, and monitoring? Relevant Regulations: ISO/IEC 27001, SOC 2, NIST SP 800-53.
Yes
In Progress
No
Other
How often are these policies reviewed and updated to align with regulatory or industry standards? Relevant Regulations: GDPR Article 32, HIPAA 45 CFR 164.308(a)(1)(ii)(B).
Quarterly
Annually
Other
Are compliance and reliability requirements integrated into the SRE team’s goals and performance metrics? Relevant Standards: ISO 22301.
Yes
In Progress
No
Other
Are all SRE team members trained on compliance policies relevant to their role? Relevant Regulations: GDPR Article 39, HIPAA 45 CFR 164.308(a)(5).
Yes
In Progress
No
Other
Are systems continuously monitored for uptime, performance, and compliance with SLAs? Relevant Standards: ISO/IEC 27001 A.12.4.1, PCI DSS Requirement 10.
Yes
In Progress
No
Other
Are logs and metrics retained and archived in compliance with organizational or regulatory retention policies? Relevant Regulations: SOX Section 802, GDPR Article 30.
Yes
In Progress
No
Other
Are monitoring tools configured to detect and alert on compliance-related events or anomalies (e.g., unauthorized access, data breaches)? Relevant Regulations: NIST SP 800-53 SI-4, PCI DSS Requirement 11.5.
Yes
In Progress
No
Other
Are monitoring and alerting tools periodically reviewed and tested for effectiveness? Relevant Standards: ISO/IEC 27001 A.14.2.8.
Yes
In Progress
No
Other
Does the SRE team have a documented incident response plan (IRP)? Relevant Regulations: NIST SP 800-61, GDPR Article 33.
Yes
In Progress
No
Other
How frequently is the incident response plan tested through drills or simulations? Relevant Standards: ISO 22301.
Monthly
Quarterly
Annually
Other
Does the IRP include steps to ensure compliance reporting (e.g., breach notifications)? Relevant Regulations: GDPR Article 33, HIPAA 45 CFR 164.408.
Yes
In Progress
No
Other
Are post-incident reviews conducted to ensure compliance issues are identified and addressed? Relevant Standards: ISO/IEC 27035.
Always
Sometimes
Rarely
Never
Are configurations managed through version control and auditable systems? Relevant Standards: ISO/IEC 27001 A.12.5.1.
Yes
In Progress
No
Other
Is there a defined process for approving changes to configurations that impact compliance? Relevant Regulations: SOX Section 404.
Yes
In Progress
No
Other
Are configurations automatically enforced and monitored? Relevant Standards: NIST SP 800-53 CM-6.
Yes
In Progress
No
Other
Are compliance checks integrated into CI/CD pipelines? Relevant Standards: OWASP SAMM.
Yes
In Progress
No
Other
Is access to SRE systems and tools limited based on least privilege principles? Relevant Regulations: PCI DSS Requirement 7, HIPAA 45 CFR 164.312(a)(1).
Yes
In Progress
No
Other
Are access controls audited regularly to ensure compliance with internal and external standards? Relevant Regulations: ISO/IEC 27001 A.9.2.3.
Yes
In Progress
No
Other
Does the SRE team use secure methods for storing and accessing secrets (e.g., API keys, passwords)? Relevant Standards: NIST SP 800-53 SC-12.
Yes
In Progress
No
Other
Are compliance-related security controls (e.g., firewalls, encryption) implemented and validated? Relevant Regulations: GDPR Article 32(1)(a), PCI DSS Requirement 4.
Yes
In Progress
No
Other
Are SRE team members trained on relevant regulatory requirements (e.g., GDPR, HIPAA, PCI DSS)? Relevant Regulations: GDPR Article 39(1)(b), HIPAA 45 CFR 164.308(a)(5).
Yes
In Progress
No
Other
How often does the team participate in compliance and security awareness training? Relevant Standards: ISO/IEC 27001 A.7.2.2.
Quarterly
Annually
Other
Are lessons learned from compliance audits shared with the SRE team? Relevant Standards: ISO 19011.
Yes
In Progress
No
Other
Does the SRE department have a process for integrating compliance feedback into workflows and tools? Relevant Standards: ITIL Continual Service Improvement.
Yes
In Progress
No
Other
Are new compliance standards and regulatory updates proactively reviewed and incorporated? Relevant Regulations: GDPR Article 24.
Yes
In Progress
No
Other
Are compliance metrics reported and reviewed as part of regular team meetings or retrospectives? Relevant Standards: CMMI.
Yes
In Progress
No
Other
Workplaces Department Questions
1. Are workplace safety policies documented and compliant with OSHA regulations? Relevant Regulations: OSHA 29 CFR 1910.
2. Are emergency procedures clearly communicated to all employees? Relevant Regulations: OSHA 29 CFR 1910.38.
3. Are workplace policies reviewed annually for compliance with labor laws? Relevant Regulations: Fair Labor Standards Act (FLSA).
4. Are employees trained on workplace safety procedures? Relevant Regulations: OSHA 29 CFR 1910.1200.
5. Are DEI training sessions conducted annually? Relevant Regulations: EEOC Title VII.
6. Are workplace incidents reported and addressed in compliance with OSHA guidelines? Relevant Regulations: OSHA 29 CFR 1904.
Product Department Questions
1. Are accessibility standards incorporated into product designs? Relevant Regulations: ADA Title III, WCAG 2.1.
2. Are product updates reviewed for compliance with industry and regulatory standards? Relevant Regulations: ISO 9001, GDPR Article 25.
3. Are products tested for compliance with safety regulations before release? Relevant Regulations: CPSC Regulations, ISO/IEC 17025.
4. Are data privacy concerns addressed during product development? Relevant Regulations: GDPR Article 5, CCPA §1798.100.
Privacy Department Questions
1. Are privacy policies documented and accessible to all employees? Relevant Regulations: GDPR Article 24, CCPA §1798.100.
2. Are privacy impact assessments conducted for new projects? Relevant Regulations: GDPR Article 35, HIPAA 45 CFR 164.308.
3. Are sensitive personal data encrypted at rest and in transit? Relevant Regulations: GDPR Article 32, HIPAA 45 CFR 164.312.
4. Are data subject access requests (DSARs) handled within the required timeframe? Relevant Regulations: GDPR Article 12, CCPA §1798.130.
Internal Audit Department Questions
1. Are compliance audits conducted annually for all key processes? Relevant Regulations: ISO 19011, SOX Section 404.
2. Are audit findings tracked and addressed promptly? Relevant Regulations: COSO Framework.
3. Are internal auditors trained on relevant regulatory requirements? Relevant Regulations: IIA Standards.
GRC Federal Department Questions
1. Are federal compliance requirements (e.g., FISMA) reviewed annually? Relevant Regulations: FISMA, NIST SP 800-53.
2. Is a risk management framework (RMF) implemented for federal projects? Relevant Regulations: NIST SP 800-37.
3. Are federal security incidents reported within the required timeframe? Relevant Regulations: FISMA, NIST SP 800-61.
Ops Engineering Department Questions
1. Are systems monitored continuously for vulnerabilities and incidents? Relevant Regulations: PCI DSS Requirement 11, ISO/IEC 27001.
2. Are system configurations documented and compliant with industry standards? Relevant Regulations: ISO 20000.
3. Are operational incidents logged and reviewed for compliance implications? Relevant Regulations: NIST SP 800-61.
Finance Department Questions
1. Are financial records maintained in compliance with SOX requirements? Relevant Regulations: SOX Section 404, ISO/IEC 27001.
2. Are financial controls reviewed periodically? Relevant Regulations: COSO Framework.
3. Are finance employees trained on anti-fraud measures? Relevant Regulations: Sarbanes-Oxley Act (SOX).
AI Department Questions
1. Are AI models audited for ethical compliance and bias? Relevant Regulations: EU AI Act, IEEE Ethically Aligned Design.
2. Are AI systems compliant with data privacy laws? Relevant Regulations: GDPR Article 22, CCPA §1798.140.
3. Are employees trained on ethical AI development? Relevant Regulations: AI Ethics Guidelines.
Communications Department Questions
1. Are public communications reviewed for compliance with legal standards? Relevant Regulations: FTC Act, GDPR Article 12.
2. Are communication records archived per regulatory requirements? Relevant Regulations: SEC Rule 17a-4.
Procurement Department Questions
1. Are supplier contracts reviewed for compliance with company policies? Relevant Regulations: UCC Article 2, FAR Part 52.
2. Is vendor risk assessed before contract execution? Relevant Regulations: ISO 27036, GDPR Article 28.
Research & Development Department Questions
1. Are research projects reviewed by an IRB or ethics committee? Relevant Regulations: Belmont Report, 45 CFR 46.
2. Is research data stored securely? Relevant Regulations: GDPR Article 5, HIPAA 45 CFR 164.312.
Customer Service Department Questions
1. Are customer service agents trained on data protection regulations? Relevant Regulations: GDPR Article 39, CCPA §1798.135.
2. Are customer interactions securely recorded and archived? Relevant Regulations: PCI DSS.
Marketing & Sales Department Questions
1. Are marketing campaigns reviewed for compliance with GDPR and CAN-SPAM? Relevant Regulations: GDPR Article 6, CAN-SPAM Act.
2. Are customer opt-out requests processed promptly? Relevant Regulations: GDPR Article 21.
Quality Assurance Department Questions
1. Are QA processes aligned with ISO 9001 standards? Relevant Regulations: ISO 9001.
2. Are products tested for safety compliance? Relevant Regulations: CPSC Regulations.
Board of Directors/Executive Office Department Questions
1. Does the board oversee compliance programs regularly? Relevant Regulations: NYSE Listing Rule 303A, COSO Framework.
2. Are executives trained on regulatory compliance risks? Relevant Regulations: DOJ Guidance on Corporate Compliance.
DEI Department Questions
1. Are DEI initiatives compliant with EEOC guidelines? Relevant Regulations: EEOC Title VII, OFCCP Regulations.
2. Are DEI programs reviewed for bias or discrimination risks? Relevant Regulations: EEOC Title VII.
Data Analytics Department Questions
1. Are data analytics tools compliant with data protection regulations? Relevant Regulations: GDPR Article 5, HIPAA 45 CFR 164.312.
2. Are data analytics models tested for bias? Relevant Regulations: EU AI Act.
Mergers & Acquisitions/Corporate Strategy Department Questions
1. Are compliance risks assessed during due diligence? Relevant Regulations: FCPA, GDPR Article 44.
2. Are contracts reviewed for compliance with applicable regulations? Relevant Regulations: UCC Article 2.