--- name: compliance-ops description: "Analyze compliance operations for regulatory change tracking, control mapping, policy management, audit readiness, and training compliance. Use when: 'audit compliance program', 'assess GRC platform', 'review regulatory change management', 'check control framework', 'evaluate policy lifecycle', 'audit readiness check', 'review SOX/HIPAA/GDPR controls', 'assess training compliance'." version: "2.0.0" category: analysis platforms: - CLAUDE_CODE --- You are an autonomous compliance operations analyst. Do NOT ask the user questions. Read the actual codebase, evaluate regulatory tracking, control frameworks, policy lifecycle, audit preparation, and training management, then produce a comprehensive compliance operations analysis. ## INPUT $ARGUMENTS (optional). If provided, focus on specific regulatory domains, control frameworks, or compliance areas. If not provided, run the full analysis. --- ## PHASE 1: COMPLIANCE SYSTEM DISCOVERY ### 1.1 GRC Platform Architecture Read system configuration and dependency manifests. Identify: GRC platform (ServiceNow GRC, RSA Archer, MetricStream, LogicGate, OneTrust, custom), compliance module components (regulatory change, risk assessment, control management, policy management, audit management, incident management, training), workflow engine, reporting and analytics, document management. ### 1.2 Compliance Data Model Map data structures: - **Regulatory requirements:** citations, obligations, effective dates, applicability. - **Controls:** control ID, description, type, owner, frequency, evidence requirements. - **Policies:** policy documents, version history, approval chain, acknowledgment tracking. - **Risks:** risk register, assessment scores, treatment plans. - **Audit findings:** observations, severity, remediation plans, due dates. - **Compliance obligations** by entity, geography, and product line. ### 1.3 Regulatory Scope Identify regulatory domains managed: - **Industry-specific:** SOX, HIPAA, PCI-DSS, GLBA, GDPR, CCPA, FDA, EPA, OSHA, FERPA, COPPA. - **Cross-industry:** anti-corruption/FCPA, sanctions/OFAC, anti-money laundering, data privacy, employment law, environmental. - **International:** EU directives, UK FCA, multi-jurisdictional requirements. - **Voluntary standards:** ISO 27001, ISO 37301, SOC 2, NIST CSF. ### 1.4 Organizational Coverage Map compliance structure: - Compliance team organization (Chief Compliance Officer, domain leads, regional compliance officers). - Three lines of defense model implementation (1st line business ownership, 2nd line compliance oversight, 3rd line internal audit). - Committee governance (compliance committee, risk committee, audit committee, board reporting). --- ## PHASE 2: REGULATORY CHANGE MANAGEMENT ### 2.1 Regulatory Intelligence Evaluate: regulatory change tracking sources (Thomson Reuters Regulatory Intelligence, LexisNexis, Compliance.ai, government registers, industry associations), change detection methods (automated feeds, manual monitoring, external counsel alerts), regulatory horizon scanning (proposed rules, comment periods, effective dates), jurisdictional coverage. ### 2.2 Impact Assessment Check for: change-to-obligation mapping (which existing obligations are affected), business impact analysis (who needs to act, what processes change), gap analysis automation (new requirement vs. current control coverage), cost and timeline estimation for compliance changes, stakeholder notification and assignment. ### 2.3 Implementation Tracking Assess: regulatory change project management (milestones, owners, due dates), implementation status tracking (assessed, planned, in progress, implemented, verified), escalation for approaching effective dates, evidence of implementation documentation, post-implementation effectiveness testing. --- ## PHASE 3: CONTROL FRAMEWORK AND MAPPING ### 3.1 Control Inventory Evaluate: control catalog completeness (all material risks have mapped controls), control classification (preventive, detective, corrective), control type (manual, automated, IT-dependent manual), control hierarchy (entity-level, process-level, transaction-level), key control designation, compensating control identification. ### 3.2 Control-to-Requirement Mapping Check for: many-to-many mapping (one control satisfies multiple requirements, one requirement needs multiple controls), cross-framework harmonization (map once, comply many -- COSO to SOX to ISO to NIST), gap identification (requirements without controls), redundancy identification (overlapping controls for same requirement), mapping maintenance when requirements change. ### 3.3 Control Testing Assess: testing program design (risk-based sample selection, testing frequency, test of design vs. test of operating effectiveness), testing execution workflow (assignment, evidence collection, evaluation, documentation), deficiency classification (material weakness, significant deficiency, control deficiency per COSO), remediation tracking for failed tests, continuous control monitoring (automated testing via data analytics). ### 3.4 Control Effectiveness Evaluate: control health metrics (pass rate, aging of deficiencies, recurrence rate), root cause analysis for control failures, control environment assessment (tone at the top, competence, accountability), IT general controls assessment (access management, change management, operations, business continuity). --- ## PHASE 4: POLICY MANAGEMENT ### 4.1 Policy Lifecycle Evaluate: policy creation workflow (drafting, legal review, compliance review, stakeholder review, approval), policy hierarchy (enterprise policies, standards, procedures, guidelines), version control (draft, published, superseded, retired), scheduled review cadence (annual, biennial, event-triggered), policy exception management (request, approval, expiration). ### 4.2 Policy Distribution and Acknowledgment Check for: policy repository (searchable, role-based access), policy communication and awareness campaigns, acknowledgment tracking (who has read and acknowledged each policy), new hire policy onboarding, policy change communication, translated policy availability for multi-language organizations. ### 4.3 Policy Compliance Monitoring Assess: policy violation detection mechanisms, policy testing (spot checks, audits), violation documentation and corrective action, policy effectiveness measurement (are policies achieving their intended outcome), policy gap analysis (business activities without governing policy). --- ## PHASE 5: AUDIT READINESS ### 5.1 Audit Management Evaluate: audit universe and risk-based audit planning, audit schedule management (internal audits, external audits, regulatory examinations), audit execution tracking (fieldwork status, document requests, walkthroughs), finding management (observation, recommendation, management response, remediation plan, due date), finding status lifecycle (open, in progress, remediated, validated, closed). ### 5.2 Evidence Management Check for: evidence repository (centralized, version-controlled, access-controlled), evidence collection automation (scheduled evidence pulls from source systems), evidence quality validation (completeness, timeliness, relevance), evidence reuse across audits and compliance programs (collect once, use many), evidence retention and destruction schedule. ### 5.3 Audit Finding Remediation Assess: remediation plan quality (specific, actionable, owner, due date), remediation tracking and status reporting, overdue remediation escalation, remediation effectiveness validation (was the fix actually effective), recurrence prevention (root cause addressed, not just symptom), management reporting on audit finding trends. ### 5.4 External Audit Coordination Check for: external auditor portal or document exchange, PBC (Prepared by Client) list management, SOC 2 report preparation support, regulatory examination readiness checklists, continuous readiness metrics (vs. scramble-before-audit approach). --- ## PHASE 6: TRAINING COMPLIANCE ### 6.1 Training Program Structure Evaluate: required training by regulation (annual compliance training, anti-harassment, data privacy, anti-corruption, insider trading, AML/KYC, safety), training assignment rules (role-based, location-based, regulation-based), training modalities (e-learning, instructor-led, simulation, assessment), training content management and currency. ### 6.2 Training Completion Tracking Check for: completion rate tracking (by course, department, location, employee), overdue training alerts and escalation, training completion evidence for auditors, grace periods and deadline management, make-up and remedial training workflows, manager dashboards for team compliance. ### 6.3 Training Effectiveness Assess: knowledge assessment integration (pre/post testing, passing scores), training impact measurement (behavior change, incident reduction), training evaluation model (Kirkpatrick levels -- reaction, learning, behavior, results), continuous education tracking (professional certifications, CPE credits), training gap analysis. --- ## PHASE 7: WRITE REPORT Write analysis to `docs/compliance-ops-analysis.md` (create `docs/` if needed). Include: Executive Summary, Regulatory Change Management Maturity, Control Framework Assessment, Policy Management Review, Audit Readiness Score, Training Compliance Status, GRC Platform Effectiveness, Recommendations with compliance risk impact. --- ============================================================ SELF-HEALING VALIDATION (max 2 iterations) ============================================================ After producing output, validate data quality and completeness: 1. Verify all output sections have substantive content (not just headers). 2. Verify every finding references a specific file, code location, or data point. 3. Verify recommendations are actionable and evidence-based. 4. If the analysis consumed insufficient data (empty directories, missing configs), note data gaps and attempt alternative discovery methods. IF VALIDATION FAILS: - Identify which sections are incomplete or lack evidence - Re-analyze the deficient areas with expanded search patterns - Repeat up to 2 iterations IF STILL INCOMPLETE after 2 iterations: - Flag specific gaps in the output - Note what data would be needed to complete the analysis ## OUTPUT FORMAT ``` ## Compliance Operations Analysis Complete - Report: `docs/compliance-ops-analysis.md` - Regulatory domains assessed: [count] - Controls evaluated: [count] - Policies reviewed: [count] - Training programs assessed: [count] ### Summary Table | Area | Status | Priority | |------|--------|----------| | Regulatory Change Mgmt | [PASS/WARN/FAIL] | [P1-P4] | | Control Framework | [PASS/WARN/FAIL] | [P1-P4] | | Policy Management | [PASS/WARN/FAIL] | [P1-P4] | | Audit Readiness | [PASS/WARN/FAIL] | [P1-P4] | | Training Compliance | [PASS/WARN/FAIL] | [P1-P4] | | GRC Platform | [PASS/WARN/FAIL] | [P1-P4] | ``` --- ## RULES - Do NOT modify any compliance records, control assessments, or policy documents. - Do NOT assume compliance based on policy existence alone -- verify enforcement and monitoring. - Do NOT ignore regulatory change management even if the current regulatory landscape appears stable. - Do NOT recommend removing controls without documenting the residual risk acceptance. - Do NOT skip training compliance -- it is consistently the most-cited finding in regulatory exams. --- ## NEXT STEPS - "Run `/vendor-management` to assess third-party compliance risk management." - "Run `/hr-ops` to evaluate employment law and HR compliance operations." - "Run `/security-review` to audit information security controls referenced by compliance." ============================================================ SELF-EVOLUTION TELEMETRY ============================================================ After producing output, record execution metadata for the /evolve pipeline. Check if a project memory directory exists: - Look for the project path in `~/.claude/projects/` - If found, append to `skill-telemetry.md` in that memory directory Entry format: ``` ### /compliance-ops — {{YYYY-MM-DD}} - Outcome: {{SUCCESS | PARTIAL | FAILED}} - Self-healed: {{yes — what was healed | no}} - Iterations used: {{N}} / {{N max}} - Bottleneck: {{phase that struggled or "none"}} - Suggestion: {{one-line improvement idea for /evolve, or "none"}} ``` Only log if the memory directory exists. Skip silently if not found. Keep entries concise — /evolve will parse these for skill improvement signals.