
Compliance Tracking — Obligations and Evidence

The FCA supervisory visit is six weeks away. The lead compliance officer has spent the last three weeks assembling evidence — pulling documents from three different shared drives, emailing colleagues who own controls they have never formally documented, and discovering, on week two, that the PEP screening provider contract lapsed four months ago. The organisation believed it was compliant with AML obligations because it was compliant at the last audit. Nobody had verified what had changed since then.

This is compliance drift. It does not arrive announced. A regulation changes and the control addressing the old version is never updated. A team member leaves, taking with them the knowledge of how a control works. A software system is upgraded, removing a check that was embedded in the old workflow. The organisation continues operating, continues signing compliance attestations, continues believing it is covered — until something forces a real assessment.

The problem is not that organisations ignore compliance. It is that nobody has a complete, current, verified view: every obligation, who owns it, whether the control is effective, what evidence exists to demonstrate it, and when it was last assessed. This lesson teaches you to build that view — systematically, with structured AI assistance, so that the answer is never "we think we comply" but "here is the evidence, dated last month, verified by the named owner."

Plugin Setup Reminder

This exercise requires the Operations plugin (official) and the Operations Intelligence plugin (custom). If you have not installed them, follow the instructions in the Chapter 38 prerequisites before continuing.

Compliance Drift and Why It Happens

Every organisation carries three layers of compliance obligations:

Layer              | Examples                                                                  | Typical Owner
Regulatory         | UK GDPR, FCA (COBS/SM&CR), AML (MLR 2017), Companies Act, ISO 27001      | CCO, DPO, MLRO, CISO
Contractual        | Client SLA obligations, data handling clauses, insurance conditions       | Operations, Legal
Standards/Internal | ISO certification requirements, board governance commitments, internal policies | CISO, Board Secretary, COO

Organisations typically have good awareness of their regulatory layer — there are named owners, compliance teams, and periodic reviews. The contractual and standards layers drift more silently. The client SLA that requires 4-hour P1 incident notification was signed two years ago; the incident response procedure does not mention it. The ISO 27001 surveillance audit requires evidence of annual risk assessment; the risk assessment was completed but filed in a location nobody can now locate.

Compliance drift accelerates at three predictable triggers:

  1. Personnel change — the person who owned a control leaves without documenting it
  2. Regulatory change — a regulation updates and the control addressing the old version is not updated
  3. System change — a technical upgrade removes a control that was embedded in the old system's workflow

The compliance map does not prevent these changes. It makes them visible quickly, so the organisation can respond before a regulator does.

The Five-Status Classification

Every obligation in the compliance map carries one of five statuses. The five-status standard is a forcing function: it prevents organisations from marking everything CURRENT by requiring specific criteria for each status.

Status        | Colour | Criteria                                                                                                      | Action Required
CURRENT       | 🟢     | Control effective and tested; evidence current (<12 months); no known gaps                                    | Schedule next review date
REVIEW NEEDED | 🟡     | Evidence >12 months old; control not tested since last regulatory change; review date passed                  | Review and reassess within 30 days
PARTIAL       | 🟡     | Control exists but does not fully address obligation; evidence has identifiable gaps                          | Close gaps; do not assert full compliance
GAP           | 🔴     | No effective control; evidence absent or cannot be located; known control failure                             | Remediate before next regulatory touchpoint
URGENT        | 🔴     | Active breach likely or confirmed; regulatory deadline within 30 days and gap exists; regulator has signalled review | Stop. Escalate. Act immediately.

The evidence standard for CURRENT status: "We comply with UK GDPR" is an assertion. "Privacy notice updated [date], ROPA at [location], last reviewed [date] by [DPO]" is evidence. CURRENT status requires cited, locatable evidence — not a declaration of belief. An obligation where the evidence cannot be located must be rated PARTIAL at best, regardless of the organisation's confidence.

Never Mark CURRENT Without Evidence

The most common compliance map failure is optimistic CURRENT status on obligations where the evidence is assumed to exist but has not been verified. A PARTIAL that is honestly labelled gives you a remediation priority. A CURRENT that is incorrectly labelled gives you false confidence and a regulator surprise.

Building the Compliance Obligation Map

The compliance-tracking auto-skill activates from keywords like "compliance", "obligations", "regulatory", "control", and "GDPR" in natural-language prompts. You do not type a slash command — you describe what you need and the skill activates automatically.

Worked example. You are the Operations Manager at a 200-person UK professional services firm. The firm is regulated by the FCA for investment management activities and is subject to UK GDPR, Companies Act, AML regulations (MLR 2017), and holds ISO 27001 certification. Client contracts include SLA and data handling obligations. You type:

Map our compliance obligations for a UK professional services firm.
We are subject to:
- FCA regulation (COBS, SYSC, SM&CR)
- UK GDPR (Data Protection Act 2018)
- AML regulations (MLR 2017) — note: our PEP screening provider
contract lapsed 4 months ago; currently screening manually
- Companies Act 2006 (statutory filings)
- ISO 27001 (surveillance audit due in 3 months)
- Client SLAs: 99.5% uptime, <4hr P1 incident notification

Known areas of concern: AML PEP screening, data subject rights
response times (2 responses missed 30-day deadline last quarter),
and SM&CR annual certification cycle due next month.

What to expect: A structured obligation map organised by framework, with each obligation carrying a status, an owner, a control description, evidence reference, and — where status is not CURRENT — a specific action with owner and deadline.

A well-formed compliance map output looks like this:

COMPLIANCE OBLIGATION MAP
Organisation: [Firm] | Jurisdiction: UK | Date: [Date]
════════════════════════════════════════════════════════════

── REGULATORY OBLIGATIONS ──────────────────────────────────

FRAMEWORK: FCA — Investment Management (COBS, SYSC, SM&CR)

OBL-REG-001: Conduct of Business (COBS) — treating customers fairly
Owner: Chief Compliance Officer
Control: Client suitability process; complaint management; T&C documentation
Evidence: Complaint log; suitability assessments; training records; T&C versions
Status: 🟢 CURRENT — last reviewed [date]
Next review: [date]

OBL-REG-002: Senior Manager Regime (SM&CR) — annual certification
Owner: CEO / Board
Control: Approved persons register; responsibilities map; annual certification
Evidence: FCA register entries; certification records dated [date]
Status: 🟡 REVIEW NEEDED — certification cycle due within 30 days
Action: Initiate annual certification by [date]; assign to HR + CCO

FRAMEWORK: UK GDPR (Data Protection Act 2018)

OBL-DPR-001: Lawful basis for processing personal data
Owner: Data Protection Officer
Control: Privacy notices; ROPA; legitimate interests assessments
Evidence: Privacy policy v[N] updated [date]; ROPA at [location]; LIA docs
Status: 🟢 CURRENT

OBL-DPR-002: Data Subject Rights (access, erasure, portability)
Owner: DPO + Operations
Control: DSR procedure; response tracking; 30-day deadline management
Evidence: DSR log — 2 responses missed 30-day deadline in Q[N]
Status: 🟡 PARTIAL — procedure exists but deadline management has gaps
Action: Add calendar alerts for approaching DSR deadlines; review procedure
Owner: DPO | Deadline: [date]

FRAMEWORK: Anti-Money Laundering (MLR 2017)

OBL-AML-001: Customer Due Diligence (CDD) — PEP/Sanctions Screening
Owner: MLRO
Control: Onboarding KYC process; PEP/sanctions screening
Evidence: KYC records current; PEP screening provider contract LAPSED [date]
Manual screening in place but not validated against provider standards
Status: 🔴 URGENT — PEP screening contract expired 4 months ago;
manual process has NOT been validated; HIGH regulatory breach risk
Action: IMMEDIATE — renew PEP screening provider or implement validated
alternative. Escalate to CCO and COO today.
Owner: MLRO | Deadline: within 5 business days

── CONTRACTUAL OBLIGATIONS ─────────────────────────────────

OBL-CTR-001: Service availability — 99.5% uptime
Owner: Head of Technology
Control: Infrastructure monitoring; incident response; monthly reporting
Evidence: Monthly uptime reports — 99.8% average last quarter
Status: 🟢 CURRENT

OBL-CTR-002: Incident notification — <4hr P1 notification
Owner: Operations
Control: Incident response procedure; client notification list
Evidence: Incident log — 1 breach last quarter: 6hr notification
Status: 🟡 PARTIAL — procedure exists; one breach last quarter
Action: Add automated alert trigger at 2hr mark; review procedure
Owner: Operations Manager | Deadline: [date]

── STANDARDS OBLIGATIONS ───────────────────────────────────

OBL-ISO-001: ISO 27001 annual surveillance audit (BSI)
Owner: CISO
Status: 🟡 REVIEW NEEDED — surveillance audit due in 3 months;
evidence pack assembly not yet started
Action: Begin evidence pack assembly; assign Lesson 8 audit prep

── COMPLIANCE DASHBOARD ────────────────────────────────────
Total obligations tracked: 24
🟢 CURRENT: 15 (63%)
🟡 REVIEW NEEDED / PARTIAL: 7 (29%)
🔴 GAP / URGENT: 2 (8%)

PRIORITY ACTIONS:
1. 🔴 URGENT: AML PEP screening — renew provider | MLRO | 5 business days
2. 🟡 HIGH: SM&CR certification — initiate process | CEO + CCO | [date]
3. 🟡 HIGH: ISO 27001 — begin evidence pack assembly | CISO | [date]
4. 🟡 MEDIUM: DSR procedure — add deadline alerts | DPO | [date]
5. 🟡 MEDIUM: Incident notification — automate 2hr trigger | Ops Mgr | [date]
════════════════════════════════════════════════════════════

Why the AML Gap Is Rated URGENT, Not GAP

The PEP screening provider contract lapsed four months ago. Manual screening is in place — a control exists. But the manual process has not been validated against the standards the provider was meeting. Under MLR 2017, this is not a partial compliance state — it is a potential breach of the CDD obligation. With an FCA supervisory visit approaching, this escalates from GAP to URGENT: active breach risk exists, and the regulator has indicated they will review AML controls.

Evaluating the Compliance Map Output

The compliance map is only useful if it is honest. Your job when reviewing the output is to ensure the AI has not optimistically over-assigned CURRENT status.

What to evaluate:

  • CURRENT status evidence — For every obligation marked CURRENT, has the output cited specific, locatable evidence (document name, location, date)? Any CURRENT without a specific evidence citation should be downgraded to REVIEW NEEDED.
  • Status logic — Does the AI correctly distinguish PARTIAL (control exists, evidence gaps) from GAP (no effective control)? Check the AML and DSR entries specifically.
  • Missing frameworks — Has the output included all the frameworks you specified? Compliance maps commonly omit contractual and standards obligations, focusing only on regulatory ones.
  • Action specificity — For every non-CURRENT obligation, does the action identify a named owner, a specific action, and a deadline? "Review compliance" is not an action. "DPO to add calendar alerts for DSR deadlines by [date]" is an action.
  • Priority logic — Is the AML gap rated as the highest priority? An URGENT obligation that is buried below REVIEW NEEDED items in the priority list suggests the AI did not apply the regulatory consequence weighting correctly.

Building the Evidence Inventory

For every CURRENT obligation in your map, verify that the cited evidence is actually locatable. An evidence inventory confirms three things: what evidence exists, where it is stored, and how old it is.

Map the evidence inventory for our CURRENT compliance obligations.
For each obligation with CURRENT status, confirm:
1. Document name and version
2. Storage location (shared drive, system, physical)
3. Date last updated
4. Date last reviewed by the named owner

Flag any evidence that is older than 12 months, stored in a location
that may not be accessible on audit day, or where the named reviewer
has left the organisation.

What to verify in the evidence inventory output:

Evidence Element | Red Flag
Document age     | Any evidence >12 months old — requires REVIEW NEEDED reassessment
Storage location | "Someone's local drive" or "the old server" — not accessible under audit
Reviewer status  | Named reviewer has left the organisation — evidence may be unverified
Version currency | Document version predates the last significant regulatory change in the area

Remediation Planning for Gaps

For GAP and PARTIAL obligations, the compliance map is the starting point — not the deliverable. The deliverable is a prioritised remediation plan that closes the gaps before the next regulatory touchpoint.

Build a remediation plan for the GAP and PARTIAL obligations in our
compliance map. Prioritise by:
1. Regulatory consequence — FCA and AML gaps before administrative obligations
2. Breach risk — obligations where non-compliance is already active
3. Time sensitivity — obligations with approaching deadlines
4. Effort to close — quick wins that reduce headline risk fast

For each item, provide: action, owner, target date, estimated effort,
and what CURRENT evidence will look like when complete.

Prioritisation framework:

Priority | Criterion                                                  | Example from worked case
P1       | Active breach risk + regulatory enforcement consequence    | AML PEP screening — URGENT
P2       | Regulatory deadline approaching + significant gap          | SM&CR certification — 30 days
P3       | Audit approaching + evidence pack incomplete               | ISO 27001 — 3 months to audit
P4       | Partial controls + evidence gaps + no immediate deadline   | DSR procedure, incident alerts

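
The five-status criteria, the evidence-inventory red flags and the prioritisation rules above are mechanical enough to encode, which is the quickest way to check an AI-generated map for optimistic CURRENT ratings and a dashboard that does not reconcile. The Python below is an added example written for this lesson; it is not code from the lesson, the Operations plugin or the Cowork skill. The field names, the 12-month and 30-day thresholds, the reference date and the sample obligations are all constructed (the OBL-* ids follow the style of the worked map but are illustrative), and one design choice is taken from the prose rather than the table: a control whose evidence cannot be located is rated PARTIAL at best, while GAP is reserved for no effective control or a known control failure.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example, not the lesson's or the plugin's code; names and sample data are constructed.
EVIDENCE_MAX_AGE = timedelta(days=365)  # CURRENT needs evidence <12 months old
DEADLINE_WINDOW = timedelta(days=30)    # "regulatory deadline within 30 days"
STATUSES = ("URGENT", "GAP", "PARTIAL", "REVIEW NEEDED", "CURRENT")


@dataclass
class Obligation:
    ref: str                                # constructed id in the map's OBL-XXX-NNN style
    owner: str
    control_exists: bool                    # some control is in place at all
    control_effective: bool                 # fully addresses the obligation and has been tested
    known_control_failure: bool = False
    evidence_located: bool = False          # cited at a locatable document/path, not assumed
    evidence_date: Optional[date] = None    # last update of that evidence
    reviewer_present: bool = True           # named reviewer still in the organisation
    tested_since_reg_change: bool = True
    review_due: Optional[date] = None
    regulatory_deadline: Optional[date] = None
    active_breach_risk: bool = False        # breach likely or confirmed
    regulator_signalled_review: bool = False


def evidence_red_flags(o, today):
    """Evidence-inventory checks: locatability, age, reviewer status."""
    flags = []
    if not o.evidence_located:
        flags.append("evidence cannot be located")
    if o.evidence_date is None or today - o.evidence_date >= EVIDENCE_MAX_AGE:
        flags.append("evidence undated or older than 12 months")
    if not o.reviewer_present:
        flags.append("named reviewer has left the organisation")
    return flags


def derive_status(o, today):
    """Five-status criteria applied from most to least severe, so CURRENT is
    reached only when every criterion is met with located, dated evidence."""
    gap = (not o.control_exists) or o.known_control_failure
    deadline_soon = (o.regulatory_deadline is not None
                     and o.regulatory_deadline - today <= DEADLINE_WINDOW)
    if o.active_breach_risk or (gap and (deadline_soon or o.regulator_signalled_review)):
        return "URGENT"
    if gap:
        return "GAP"
    # Control exists but is incomplete, or its evidence cannot be located:
    # "PARTIAL at best", whatever the owner's confidence.
    if not o.control_effective or not o.evidence_located:
        return "PARTIAL"
    review_passed = o.review_due is not None and o.review_due < today
    if evidence_red_flags(o, today) or not o.tested_since_reg_change or review_passed:
        return "REVIEW NEEDED"
    return "CURRENT"


def dashboard(obligations, today):
    """Per-obligation statuses plus counts that must reconcile to the map total."""
    statuses = {o.ref: derive_status(o, today) for o in obligations}
    counts = {s: sum(1 for v in statuses.values() if v == s) for s in STATUSES}
    if sum(counts.values()) != len(obligations):
        raise ValueError("dashboard totals do not match obligation count")
    return statuses, counts


def priority_actions(obligations, today):
    """Non-CURRENT obligations: regulatory breach risk first (URGENT, then GAP),
    then time sensitivity (nearest regulatory deadline or review date)."""
    rank = {"URGENT": 0, "GAP": 1, "REVIEW NEEDED": 2, "PARTIAL": 2}
    rows = []
    for o in obligations:
        status = derive_status(o, today)
        if status != "CURRENT":
            due = o.regulatory_deadline or o.review_due or date.max
            rows.append((rank[status], due, o.ref, status, o.owner))
    return [(ref, status, owner) for _, _, ref, status, owner in sorted(rows)]


TODAY = date(2026, 3, 1)  # constructed reference date
SAMPLE = [  # constructed obligations mirroring the worked case
    Obligation("OBL-REG-001", "CCO", True, True, evidence_located=True,
               evidence_date=date(2025, 11, 10), review_due=date(2026, 11, 10)),
    Obligation("OBL-REG-002", "CEO", True, True, evidence_located=True, evidence_date=date(2025, 6, 1),
               review_due=date(2026, 2, 20), regulatory_deadline=date(2026, 3, 25)),  # SM&CR cycle due
    Obligation("OBL-DPR-001", "DPO", True, True, evidence_date=date(2026, 1, 5)),  # evidence not located
    Obligation("OBL-DPR-002", "DPO", True, False, evidence_located=True, evidence_date=date(2026, 1, 15)),
    Obligation("OBL-AML-001", "MLRO", True, False, evidence_located=True, evidence_date=date(2026, 2, 1),
               active_breach_risk=True, regulator_signalled_review=True),  # lapsed PEP screening
    Obligation("OBL-ISO-001", "CISO", True, True, evidence_located=True,
               evidence_date=date(2024, 12, 1), regulatory_deadline=date(2026, 6, 1)),  # evidence >12 months
    Obligation("OBL-CTR-003", "Operations", False, False),  # quarterly SLA reporting: no control at all
]

if __name__ == "__main__":
    statuses, counts = dashboard(SAMPLE, TODAY)
    print(statuses, counts, sep="\n")
    print(priority_actions(SAMPLE, TODAY))
```

Run against the sample, the lapsed PEP screening comes out URGENT, the missing SLA-reporting control GAP, the unlocated privacy evidence PARTIAL (not CURRENT, however confident the owner), and the stale ISO evidence REVIEW NEEDED; the priority list puts the AML item first and the two no-deadline PARTIAL items last, which is the ordering the evaluation checklist asks you to confirm in the AI's output.
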
Keep This File

The compliance obligation map you build here feeds directly into two later lessons. Lesson 8 (Audit Preparation) uses this map as the foundation for your evidence inventory and audit preparation plan — the audit preparation prompt begins: "Use the compliance map from Lesson 7 as your starting point." Lesson 12 (Persistent Agents) deploys a compliance-monitor agent that tracks these obligations continuously, alerting you when review dates are due and evidence is aging. Keep this Cowork session open.

Exercise: Map Compliance Obligations (Exercise 4 — Part 1)

Type: Compliance management
Time: 45 minutes
Plugin skill: Official compliance-tracking auto-skill (activated by natural prompts — no slash command)
Goal: A complete compliance obligation map for a UK professional services firm, with five-status classification, an evidence inventory for CURRENT obligations, and a prioritised remediation plan for gaps

Step 1 — Define Your Compliance Landscape

You are the Operations Manager at a 200-person UK professional services firm. The firm is subject to:

  • FCA regulation — if the firm provides investment advice or manages investments; if not, use Companies Act 2006 as the primary regulatory framework
  • UK GDPR (DPA 2018) — data protection obligations for client and employee data
  • AML regulations (MLR 2017) — if financial services; or substitute sector-relevant AML equivalent
  • ISO 27001 — the firm holds certification; surveillance audit is due in 3 months
  • Client SLAs — 99.5% uptime, <4hr P1 incident notification, quarterly reporting

Before prompting, assess your known gaps honestly. For this exercise, assume:

  • PEP screening provider contract lapsed 4 months ago (manual process in place, unvalidated)
  • Two DSR responses missed the 30-day deadline last quarter
  • SM&CR annual certification cycle is due within 30 days

Step 2 — Run the Compliance Mapping Prompt

Map our compliance obligations for a UK professional services firm.
We are regulated by the FCA and subject to:
- UK GDPR (Data Protection Act 2018)
- AML regulations (MLR 2017)
- Companies Act 2006
- ISO 27001 (surveillance audit due in 3 months)
- Client SLAs: 99.5% uptime, <4hr P1 incident notification

Known gaps and concerns:
- AML: PEP screening provider contract lapsed 4 months ago;
manual process in place but not validated
- GDPR: 2 DSR responses missed 30-day deadline last quarter
- FCA: SM&CR annual certification due within 30 days

For each obligation, provide: owner, control description, evidence
reference, status (CURRENT/REVIEW NEEDED/PARTIAL/GAP/URGENT), and
next review date. For non-CURRENT obligations, include a specific
action with named owner and deadline.
Include a compliance dashboard with total counts and priority actions.

Step 3 — Evaluate the Output

What to evaluate:

  • Has the output identified any obligations you did not specify? (A well-calibrated compliance map for an FCA-regulated firm should include COBS, SYSC, SM&CR, and any Consumer Duty obligations — not just the ones you listed.)
  • Is every CURRENT obligation accompanied by specific, locatable evidence — not just an assertion of compliance?
  • Is the AML PEP screening gap correctly classified as URGENT (not merely GAP or PARTIAL)? If the AI has classified it as PARTIAL, push back: "The PEP screening gap has been open for 4 months with no validated alternative. Reassess as URGENT given the FCA visit timeline."
  • Does the compliance dashboard total match the obligation count in the map?
  • Are the priority actions in the correct order — regulatory breach risk first, administrative gaps last?

Step 4 — Build the Evidence Inventory

For the CURRENT obligations in your map, run a second prompt:

For each CURRENT obligation in the compliance map above, list:
1. The specific document or record that constitutes the evidence
2. Where it is stored (system name, folder path, or physical location)
3. When it was last updated
4. Whether the named reviewer is still in the organisation

Flag any evidence that is older than 12 months, stored in a
non-accessible location, or where the reviewer has left.

Review the output: does it reveal any CURRENT obligations where the evidence is older than expected, stored in a location that may not be accessible, or associated with a reviewer who has since left?

Step 5 — Prioritise the Remediation Plan

Run a third prompt:

Build a prioritised remediation plan for all non-CURRENT obligations
in the compliance map. Rank by: (1) regulatory breach risk,
(2) time sensitivity, (3) effort. For each action, provide a named
owner, specific action, target completion date, and what completed
evidence will look like.

Deliverable: A completed compliance obligation map with five-status classification, an evidence inventory confirming CURRENT obligation evidence is locatable and current, and a prioritised remediation plan for all non-CURRENT obligations. Save this Cowork session — you will use this map in Lesson 8 (Audit Preparation).

Try With AI

Reproduce: Apply what you just learned to a simple case.

Map our compliance obligations for a small UK technology startup.
We are subject to:
- UK GDPR — we handle customer personal data
- Companies Act 2006 — statutory filings and director duties
- ISO 27001 — we are pursuing certification (not yet certified)

We have 3 staff members who each "own" multiple compliance areas.
Known gaps: our ROPA (Record of Processing Activities) has not been
updated in 18 months. Our privacy notice was last reviewed before
our new product feature launched.

Map our obligations with owner, control, evidence, and status.
Include a compliance dashboard and prioritised actions.

What you are learning: Applying the obligation map to a simpler scenario builds the pattern before tackling a complex regulated environment. Notice how even a three-person startup with basic obligations will typically surface 10-15 items — and how the ROPA and privacy notice gaps immediately show as PARTIAL or REVIEW NEEDED.

Adapt: Modify the scenario to match your organisation.

Map our compliance obligations for my organisation. We are a
[size]-person [type of business] in [jurisdiction].

We are subject to: [list your actual regulatory frameworks].

Known gaps and concerns (be honest): [describe any areas where
you suspect controls may have drifted or evidence may be incomplete].

Map all obligations with owner, control, evidence, and status.
Flag any obligation where the status should be URGENT or GAP.
Include a compliance dashboard and prioritised remediation actions.

What you are learning: The act of writing out your known gaps honestly — before the AI responds — is itself a compliance discipline. It forces you to acknowledge what you know is not current, rather than allowing the map to reflect only what you want to believe.

Apply: Extend to a new situation the lesson didn't cover directly.

Our compliance obligation map shows 6 non-CURRENT obligations across
three frameworks (UK GDPR, AML, and client SLAs). Our CCO has asked
me to prepare a board-level compliance status report for next month's
meeting, showing: current compliance posture, top three risks, and
a remediation roadmap with target completion dates.

Draft the board-level compliance status report. It should be:
- One page (executive summary level, not detailed obligation list)
- Show RAG status by framework (not by individual obligation)
- Identify the top 3 risks with regulatory consequence descriptions
- Include a 90-day remediation roadmap showing when each gap closes
- Use language appropriate for a board that is not composed of
compliance specialists

What you are learning: Translating a detailed obligation map into board-level communication is a distinct skill from building the map itself. The board does not need to see every obligation — they need to understand the overall posture, the top risks, and whether the organisation is moving in the right direction. This prompt tests whether you can make that translation.
