Audience: compliance leaders, General Counsel, COOs, Security/IT, and HR leads in US/EU/UK SMB and mid-market organisations.
A compliance checklist is a concise, auditable list of controls your team executes to meet laws, regulations, and policies. Each control names the required evidence of compliance, the owner, and the review cadence. Strong checklists are versioned, risk-mapped, and support board oversight, inspections, and continuous improvement.
Most mature deployments follow this pipeline:
AI Review: scan policies, minutes, and logs; flag vague or non-compliant language (e.g., no owner/cadence).
AI Suggestions: propose policy/control text; draft evidence requests; assemble board-ready summaries.
Safeguards: keep human approval; store redlines; log decisions for audit.
Keep board time on duties, cadence, and proof. Tie agenda items to risk. Track exceptions and decisions in minutes.
Board responsibilities and disclosure/oversight are core governance principles (OECD Corporate Governance Principles: https://www.oecd.org/corporate/principles-corporate-governance/).
Use the “three lines” model to clarify oversight vs. management roles (IIA Three Lines Model: https://www.theiia.org/en/content/guidance/standards/the-iia-s-three-lines-model/).
Charity boards: record legal duties in packs and minutes (UK Charity Commission: https://www.gov.uk/government/collections/charity-commission-guidance).
Name the function, mandate independence, define reporting lines to the board/audit committee.
US DOJ Evaluation of Corporate Compliance Programs: https://www.justice.gov/criminal/criminal-fraud/document/file/937501/download
IIA Three Lines Model: https://www.theiia.org/en/content/guidance/standards/the-iia-s-three-lines-model/
Maintain a single, versioned manual that maps laws to controls and evidence. Keep it searchable.
ISO 37301: https://www.iso.org/standard/75080.html
GAO Green Book: https://www.gao.gov/products/gao-14-704g
Cover hiring, training, conduct, accommodation, leave, and separation. Link policies to evidence of compliance.
HIPAA BAA guidance (HHS): https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
ICO GDPR/RoPA accountability guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
Inventory data, maintain a RoPA, run DPIAs for high-risk processing, enforce access controls, and test incident response.
NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
Close the books, validate filings, and certify key controls (billing, collections, segregation of duties). Do a year-end sweep.
GAO Green Book: https://www.gao.gov/products/gao-14-704g
Enable the sector modules below only if they are in scope for your organisation.
HIPAA overview (HHS): https://www.hhs.gov/hipaa/for-professionals/security/index.html
PCI Security Standards Council: https://www.pcisecuritystandards.org/
UK Charity Commission: https://www.gov.uk/government/collections/charity-commission-guidance
Register models. Record purpose, data, risks, testing, and human oversight. Run DPIAs where needed. Track vendor AI. Keep an internal model registry linked to policies.
NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
EU AI Act (informational): https://artificialintelligenceact.eu/
Policy vs. control?
A policy states intent and rules. A control is a repeatable task that proves the policy is followed, with evidence, owner, and cadence.
How often should we review controls?
Quarterly for high-risk; at least annually for others. Align cadence to risk and document it.
Do SMBs really need board oversight?
Yes. Governance principles apply to all sizes; boards should oversee risk and compliance and record decisions.
Is there a standard format for evidence?
Use durable formats (PDF/CSV/exports) with timestamps and approver names; maintain records as documented information.
How do we handle AI systems?
Maintain a model registry, apply risk frameworks, run DPIAs where needed, and document human oversight.
Where do industry specifics fit?
Enable sector modules (HIPAA, PCI DSS, Charity) only if in scope; attach regulator-defined evidence.
Create one checklist file; add Control, Evidence, Owner, Frequency.
Add five governance controls and assign owners.
Add HR training and access-review controls.
Register any live AI models; add DPIA status.
Run an AI review on policies/minutes; accept AI suggestions to fill gaps.
Schedule quarterly reviews; link evidence locations.
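The checklist file from the steps above can be linted automatically: the block below is an added example (not code from the original page) that applies the AI Review check for missing owner/cadence and the FAQ cadence rule (quarterly for high-risk, at least annually for others). It assumes the checklist is a CSV with the four columns named in step 1 plus an optional Risk column, and a fixed cadence vocabulary; both are assumptions.

```python
import csv
import io

# Review cadence in days. The vocabulary is an assumption, not from the page.
CADENCE_DAYS = {"monthly": 31, "quarterly": 92, "semiannual": 183, "annual": 366}
# The four columns from the quick-start step; Risk is an optional, assumed extra.
REQUIRED = ("Control", "Evidence", "Owner", "Frequency")


def lint_checklist(csv_text: str) -> list:
    """Return one finding per defect: missing columns or fields, an unknown
    cadence word, or a cadence too slow for the control's risk rating."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        return [f"file: missing column(s) {', '.join(missing_cols)}"]
    for n, row in enumerate(reader, start=2):  # line 2 is the first data row
        name = (row.get("Control") or f"row {n}").strip()
        # Every control must name its evidence, owner and review cadence.
        for col in REQUIRED:
            if not (row.get(col) or "").strip():
                findings.append(f"{name}: no {col.lower()} recorded")
        freq = (row.get("Frequency") or "").strip().lower()
        if freq and freq not in CADENCE_DAYS:
            findings.append(f"{name}: unknown cadence '{freq}'")
            continue
        # FAQ rule: high-risk controls at least quarterly, others at least annually.
        risk = (row.get("Risk") or "").strip().lower()
        limit = 92 if risk == "high" else 366
        if freq and CADENCE_DAYS[freq] > limit:
            findings.append(f"{name}: {freq} review is too slow for {risk or 'unrated'} risk")
    return findings


# Constructed sample checklist: rows 2 and 3 carry deliberate defects.
SAMPLE = """Control,Evidence,Owner,Frequency,Risk
Access review,IAM export + approver sign-off,IT Lead,quarterly,high
Board risk briefing,Minutes,,annual,high
Code of conduct attestation,HR export,HR Lead,yearly,low
"""

if __name__ == "__main__":
    for finding in lint_checklist(SAMPLE):
        print(finding)
```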
OECD Corporate Governance Principles — https://www.oecd.org/corporate/principles-corporate-governance/
ISO 37301 — https://www.iso.org/standard/75080.html
GAO Green Book — https://www.gao.gov/products/gao-14-704g
NIST Cybersecurity Framework — https://www.nist.gov/cyberframework
EDPB DPIA Guidelines — https://edpb.europa.eu/
UK ICO GDPR guidance — https://ico.org.uk/
HHS HIPAA guidance — https://www.hhs.gov/hipaa/for-professionals/index.html
PCI Security Standards Council — https://www.pcisecuritystandards.org/
NIST AI Risk Management Framework — https://www.nist.gov/itl/ai-risk-management-framework
EU AI Act (informational) — https://artificialintelligenceact.eu/
