OnticBeta
Tier 3 — Best Practice

Compliance Management Systems — Frameworks, Monitoring, and Evidence — Oracle Source

Publisher: International Organization for Standardization (ISO) / U.S. Federal Banking Regulators / U.S. Department of Justice

Version: v1

Last verified: February 15, 2026

Frameworks: ISO 37301:2021, OCC CMS, CFPB CMS, DOJ ECCP

Industries: Applies to all industries

Compliance Management Systems - Overview

A Compliance Management System (CMS) is the integrated set of processes, structures, policies, and activities through which an organisation manages its compliance obligations and mitigates compliance risk [cite:319][cite:329]. Two parallel but convergent frameworks define the modern CMS landscape: ISO 37301:2021, the international certifiable standard for compliance management systems (replacing ISO 19600:2014), and the U.S. regulatory CMS model established by the OCC, CFPB, FDIC, NCUA, and the Federal Reserve for financial institutions [cite:331][cite:320]. Both frameworks share a common architecture: governance and leadership commitment at the top, a structured compliance programme with policies, training, monitoring, and testing, and mechanisms for reporting, remediation, and continuous improvement [cite:325][cite:329]. The DOJ's Evaluation of Corporate Compliance Programs (ECCP) provides a third, enforcement-oriented lens — a framework prosecutors use to evaluate the design, resourcing, and operational effectiveness of corporate compliance programmes when making charging and sentencing decisions [cite:341][cite:349]. Together, these frameworks establish that an effective CMS is not a static document library but a living, risk-based governance system that adapts to regulatory change, organisational growth, and emerging threats including AI and technology risks [cite:345][cite:343].

Compliance Management Systems - What It Is

ISO 37301:2021 Definition

ISO 37301 defines a compliance management system as a management system that establishes, develops, implements, evaluates, maintains, and improves an organisation's compliance with its compliance obligations [cite:331][cite:325]. The standard follows the ISO Harmonised Structure (shared with ISO 27001, ISO 9001, ISO 14001, ISO 42001), enabling integration with other management systems [cite:325][cite:319]. ISO 37301 is certifiable — organisations can obtain third-party certification from accredited bodies [cite:328][cite:331].

U.S. Regulatory Definition

The OCC's Comptroller's Handbook defines a CMS as "the method by which a bank manages consumer compliance risk, supports compliance with consumer protection-related laws and regulations, and prevents consumer harm" [cite:329]. The CFPB states that "an institution must develop and maintain a sound compliance management system that is integrated into the overall framework" of its operations [cite:320][cite:323].

DOJ ECCP Definition

The DOJ evaluates corporate compliance programmes by asking three fundamental questions [cite:349][cite:341]:

  1. Is the compliance programme well designed? — Does it address the company's risk profile with appropriate policies, training, reporting mechanisms, and third-party management?
  2. Is the programme adequately resourced and empowered? — Does the compliance function have sufficient authority, staffing, budget, access to data, and independence?
  3. Does the programme work in practice? — Is it more than paper — does it detect, prevent, and remediate misconduct in actual operations?

Core Architecture (Common Across All Frameworks)

All CMS frameworks share these structural elements [cite:329][cite:325][cite:341]:

  • Governance and leadership — Board/governing body oversight and top management commitment
  • Compliance obligations identification — Systematic identification of applicable laws, regulations, standards, and ethical commitments
  • Risk assessment — Identification, analysis, and prioritisation of compliance risks
  • Compliance programme — Policies, procedures, training, communication, and control activities
  • Monitoring and testing — Ongoing surveillance and periodic evaluation of compliance effectiveness
  • Evidence management — Collection, retention, and organisation of compliance evidence
  • Reporting and remediation — Deficiency communication, root cause analysis, corrective action, and continuous improvement
  • Compliance function — Dedicated, resourced, and independent compliance personnel

Compliance Management Systems - Who It Applies To

Mandated Application

  • U.S. financial institutions — All banks, thrifts, credit unions, and their affiliates are expected to maintain a CMS as evaluated by the OCC, FDIC, NCUA, Federal Reserve, and CFPB. Institutions approaching $10B in assets face heightened CFPB expectations [cite:320][cite:323][cite:329]
  • Corporations under DOJ scrutiny — Any company facing criminal investigation or prosecution; the ECCP serves as the benchmark for compliance programme evaluation in plea agreements, deferred prosecution agreements (DPAs), and non-prosecution agreements (NPAs) [cite:341][cite:345]
  • EU regulated entities — The EU Whistleblower Directive, Anti-Money Laundering Directives, and sector-specific regulations require compliance management systems
  • Highly regulated industries — Healthcare (OIG compliance programme guidance), defence contractors (DFARS), pharmaceuticals, energy, and financial services all have sector-specific CMS requirements [cite:328]

Voluntary / Certification

  • Any organisation — ISO 37301 applies to organisations of all types, sizes, and industries [cite:331][cite:328]. Certification is voluntary but increasingly sought for competitive advantage, supply chain requirements, and regulatory goodwill [cite:319]
  • Anti-corruption context — ISO 37301 complements ISO 37001 (anti-bribery management system); together they form a comprehensive integrity and compliance certification package [cite:331]

Roles and Responsibilities

Role | ISO 37301 | U.S. Regulatory CMS | DOJ ECCP
Governing body (Board) | Active, visible commitment; oversee CMS; ensure independence of compliance function [cite:325] | Oversight and commitment; approve compliance policies; review CMS reports [cite:329] | Board engagement with compliance; tone at the top; resource allocation [cite:341]
Top management | Establish compliance policy; allocate resources; integrate CMS into business processes [cite:325] | Change management; ensure adequacy of CMS; accountability [cite:329] | Senior management conduct; messaging; willingness to discipline [cite:345]
Compliance function | Appointed or nominated; independent; competent; adequately resourced; direct access to governing body [cite:325] | Dedicated compliance officer/team; reporting to board/committee [cite:320] | Sufficient stature, authority, resources, access to data [cite:341]
Management (all levels) | Implement CMS requirements within their areas; model compliant behaviour [cite:325] | First-line monitoring responsibility; policy adherence [cite:342] | Operational integration of compliance into business units [cite:349]
All personnel | Understand and fulfil compliance obligations; report concerns [cite:325] | Follow policies and procedures; participate in training [cite:329] | Report misconduct; use whistleblower channels without fear of retaliation [cite:341]

Compliance Management Systems - What It Requires - Governance and Leadership

Effective compliance governance is the single most critical element of a CMS — regulatory enforcement actions consistently cite weak "tone at the top" as the root cause of compliance failures [cite:326][cite:329].

ISO 37301 Requirements (Clauses 5.1–5.3)

  • Clause 5.1 — Leadership and commitment: The governing body and top management must demonstrate "active, visible, consistent and sustained commitment" to compliance [cite:325][cite:319]. This includes integrating CMS requirements into business processes, ensuring adequate resources, communicating the importance of compliance, and ensuring the CMS achieves its intended results [cite:325]
  • Clause 5.2 — Compliance policy: Establish a compliance policy appropriate to the organisation's purpose, providing a framework for setting compliance objectives. The policy must be communicated, available, and reviewed periodically [cite:325]
  • Clause 5.3 — Roles, responsibilities, and authorities: Define and communicate compliance responsibilities at all levels. Appoint a compliance function with direct access to the governing body, adequate authority, independence, and competence [cite:325]
  • Compliance culture: Behaviour that undermines compliance must not be tolerated and, whenever possible, prevented. The organisation must foster a culture where raising concerns is encouraged and protected [cite:319][cite:325]

U.S. Regulatory Requirements

The OCC Comptroller's Handbook identifies the following board and management oversight elements [cite:329]:

  • Oversight of and commitment to the CMS, including oversight of third parties
  • Effective change management processes — responding in a timely manner to regulatory changes, new products, mergers, and technology changes
  • Comprehension, identification, and management of compliance risk across all products, services, and activities
  • Self-assessment and corrective action processes
  • Board and management information systems sufficient for compliance oversight

DOJ ECCP — Leadership and Structure

The DOJ evaluates [cite:341][cite:345]:

  • Whether compliance is integrated into senior management's operational decision-making
  • Whether the Chief Compliance Officer has a direct reporting line to the board and sufficient autonomy
  • Whether compliance personnel have access to the same data and technology as the business
  • Whether the company ties compliance performance to executive compensation and clawback provisions (Compensation Incentives and Clawbacks Pilot Program) [cite:341][cite:343]

Compliance Management Systems - What It Requires - Compliance Programme

The compliance programme is the operational core of the CMS — the policies, training, controls, and activities that translate governance directives into daily compliance behaviour [cite:329][cite:323].

Policies and Procedures

  • Must be clear, current, tailored to the organisation's products, services, risk profile, and regulatory environment [cite:326][cite:329]
  • Must cover all applicable compliance obligations (laws, regulations, industry codes, internal standards, ethical commitments) [cite:325]
  • Must be systematically reviewed and updated in response to regulatory changes, enforcement actions, audit findings, and business changes [cite:329][cite:326]
  • ISO 37301 Clause 4.5 requires the organisation to systematically identify its compliance obligations and maintain documented information [cite:325]

Training and Communication

  • All personnel must receive compliance training appropriate to their roles, responsibilities, and risk exposure [cite:329][cite:325]
  • Training must be delivered at onboarding, periodically thereafter, and when significant changes occur [cite:326]
  • Training effectiveness must be measured and documented [cite:341][cite:349]
  • The DOJ evaluates whether training is "presented in a form and language that is appropriate for the audience" and whether the company tracks participation and comprehension [cite:341]

Compliance Obligations Management

ISO 37301 Clause 4.5 requires [cite:325]:

  • Systematic identification of all compliance obligations from activities, products, and services
  • Processes to identify new and changed obligations and ensure ongoing compliance
  • Evaluation of the impact of identified changes and implementation of necessary adjustments
  • Documented information of all compliance obligations

Internal Reporting and Whistleblower Systems

  • ISO 37301 Clause 8.3 requires a system for raising and addressing concerns [cite:325]
  • The DOJ's 2024 ECCP update significantly strengthens whistleblower expectations: companies must actively promote internal reporting, safeguard reporters, and prevent retaliation [cite:341][cite:345]
  • The Corporate Whistleblower Awards Pilot Program (launched 2024) incentivises reporting of criminal misconduct involving financial institutions, foreign corruption, and other areas [cite:341][cite:343]
  • Channels must include anonymous/confidential options with documented investigation and resolution processes [cite:326][cite:349]

Third-Party and Supplier Compliance

  • ISO 37301 Clause 4.6 requires assessment of compliance risks related to outsourced and third-party processes [cite:325]
  • The OCC and CFPB expect oversight of third parties to ensure they do not introduce compliance risk [cite:323][cite:329]
  • The DOJ's 2024 update emphasises continuous (not just onboarding) due diligence of third parties, with ongoing monitoring of compliance risk throughout the relationship [cite:343][cite:345]

Compliance Management Systems - What It Requires - Risk Assessment

Compliance risk assessment is the process of identifying, analysing, evaluating, and prioritising risks that the organisation may fail to meet its compliance obligations [cite:325][cite:349].

ISO 37301 Requirements (Clause 4.6)

  • Identify compliance risks by relating compliance obligations to activities, products, services, and relevant operational aspects [cite:325]
  • Assess compliance risks related to outsourced and third-party processes [cite:325]
  • Assess compliance risks periodically and whenever material changes occur in circumstances or organisational context [cite:325]
  • Retain documented information on the compliance risk assessment and on actions to address compliance risks [cite:325]

U.S. Regulatory Approach

Federal banking regulators expect a risk-based CMS that is commensurate with the institution's size, complexity, and risk profile [cite:320][cite:329]. Risk assessment should:

  • Cover all consumer protection-related laws and regulations applicable to the institution's products and services
  • Identify inherent risk before controls and residual risk after controls
  • Inform the scope and frequency of monitoring, testing, and audit activities
  • Be updated for new products, services, geographies, regulatory changes, and enforcement trends [cite:329][cite:326]

DOJ ECCP — Risk Assessment Expectations

The 2024 DOJ update expects [cite:349][cite:345]:

  • Risk assessments that are ongoing, not one-and-done or merely annual
  • Incorporation of lessons learned from the company's own issues and from other companies in the same industry/geography
  • Integration of emerging technology risks (including AI) into enterprise risk management
  • Assessment of risks related to mergers, acquisitions, and new business lines
  • Documentation of how risk assessment results translate into specific compliance programme enhancements

Compliance Management Systems - What It Requires - Monitoring, Testing, and Audit

Monitoring, testing, and audit are distinct but complementary assurance activities that verify the CMS is functioning as designed [cite:342][cite:350].

Definitions and Distinctions

Activity | Purpose | Frequency | Performed By
Monitoring | Continuous observation of compliance processes to detect issues in real time | Ongoing / continuous [cite:342] | First-line management (process owners) [cite:342]
Testing | Direct evaluation of whether specific controls function under defined conditions | Periodic (scheduled) [cite:350] | Second-line compliance function [cite:350]
Audit | Independent, objective assessment of CMS effectiveness and adequacy | Periodic (annual or cycle-based) [cite:342] | Third-line internal audit or external auditors [cite:342][cite:344]

Compliance Monitoring

Monitoring is an always-on practice designed to identify changes, exceptions, and potential compliance issues as they occur [cite:342]. It is a first-line management responsibility [cite:342].

Monitoring techniques include [cite:342][cite:350]:

  • Sampling protocols to identify variations from established baselines
  • Automated exception reports and alerts (transaction monitoring, access anomalies, policy violations)
  • Dashboard surveillance of key compliance indicators (KCIs) and key risk indicators (KRIs)
  • Review of consumer complaints, regulatory inquiries, and incident reports
  • Change monitoring — tracking regulatory changes, new products, and organisational changes that affect compliance obligations

Monitoring programmes should test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, and other breakdowns in compliance controls [cite:342].
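The exception-report technique described above, as an added example that is not code from the page or from any of the frameworks it cites: a first-line monitoring pass over a constructed population of transaction records that flags the breakdowns the text lists (duplication, missing approvals, incomplete data, dollar-limit errors, and a policy violation, here an unscreened transaction). The field names, approval thresholds and sample records are assumptions made for illustration.

```python
"""Exception-report pass over constructed transaction records.

Added example, not code from the page or from any of the frameworks it
describes. Field names, thresholds and the sample data below are assumptions
made for illustration.
"""
from collections import Counter

REQUIRED_FIELDS = ("id", "amount", "customer", "screened")
APPROVAL_LIMIT = 10_000.00       # assumed: above this a named approver is required
DUAL_APPROVAL_LIMIT = 50_000.00  # assumed: above this a second approver is required

# Constructed sample population (not real data).
SAMPLE_TRANSACTIONS = [
    {"id": "T-001", "amount": 4_500.00, "approver": "a.lee", "customer": "C-10", "screened": True},
    {"id": "T-002", "amount": 25_000.00, "approver": "", "customer": "C-11", "screened": True},
    {"id": "T-003", "amount": 12_000.00, "approver": "b.ng", "customer": "C-12", "screened": False},
    {"id": "T-003", "amount": 12_000.00, "approver": "b.ng", "customer": "C-12", "screened": False},
    {"id": "T-004", "amount": 75_000.00, "approver": "a.lee", "customer": None, "screened": True},
]


def check_record(txn):
    """Per-record checks: incomplete data, missing approval, limit error, policy violation.

    Returns a list of (check_name, detail) tuples; an empty list means the record is clean.
    """
    findings = []
    missing = [f for f in REQUIRED_FIELDS if txn.get(f) in (None, "")]
    if missing:
        findings.append(("incomplete_data", "missing field(s): " + ", ".join(missing)))
    amount = txn.get("amount") or 0.0
    if amount > APPROVAL_LIMIT and not txn.get("approver"):
        findings.append(("missing_approval", f"{amount:.2f} exceeds {APPROVAL_LIMIT:.2f} with no approver"))
    if amount > DUAL_APPROVAL_LIMIT and not txn.get("second_approver"):
        findings.append(("limit_error", f"{amount:.2f} exceeds dual-approval threshold {DUAL_APPROVAL_LIMIT:.2f}"))
    if txn.get("screened") is False:
        findings.append(("policy_violation", "sanctions screening not performed"))
    return findings


def run_exception_report(transactions):
    """Population-level pass: per-record checks plus duplicate detection across the set."""
    report = []
    for txn in transactions:
        for check, detail in check_record(txn):
            report.append({"id": txn.get("id"), "check": check, "detail": detail})
    counts = Counter(txn.get("id") for txn in transactions)
    for txn_id, n in sorted(counts.items()):
        if n > 1:
            report.append({"id": txn_id, "check": "duplicate", "detail": f"appears {n} times"})
    return report


def summarise(report):
    """Count exceptions by check type, the figure a KCI dashboard would track over time."""
    return dict(Counter(item["check"] for item in report))


if __name__ == "__main__":
    for item in run_exception_report(SAMPLE_TRANSACTIONS):
        print(f'{item["id"]}: {item["check"]} ({item["detail"]})')
    print(summarise(run_exception_report(SAMPLE_TRANSACTIONS)))
```

Each exception record carries the transaction id, the check that fired and a human-readable detail, so the report can be routed to the process owner and its counts fed to a KCI dashboard; the duplicate check runs over the whole population rather than per record, which is why it sits in the report function rather than in `check_record`.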

Compliance Testing

Testing is a direct attempt to determine whether compliance controls function under specific conditions [cite:350]. Unlike monitoring (which observes), testing actively probes.

Testing methods include [cite:350][cite:342]:

  • Transaction testing — Selecting samples of transactions and verifying compliance with applicable requirements
  • Scenario simulation — Creating test conditions (e.g., simulated suspicious transactions, mock data breaches) to evaluate control response
  • Walkthrough testing — Tracing a compliance obligation from identification through policy, training, monitoring, and remediation
  • Control reperformance — Independently re-executing a compliance control to verify its outcome
  • Data analytics — Using automated tools to analyse entire populations for patterns, anomalies, and exceptions

Compliance Audit

Audit provides independent, objective assurance that the monitoring and testing programmes are themselves effective [cite:342][cite:344]:

  • Verify that managers are meeting their obligations for ongoing monitoring
  • Validate that monitoring processes are achieving desired outcomes
  • Confirm that controls are in place and functioning as intended
  • Identify weaknesses in the programme that need to be addressed
  • Must be performed by parties independent of the area being audited (compliance office, internal audit department, external reviewers, or any combination) [cite:342]

ISO 37301 Requirements (Clauses 9.1–9.3)

  • Clause 9.1 — Monitoring, measurement, analysis and evaluation: Determine what needs to be monitored, methods, frequency, and when results must be analysed [cite:325]
  • Clause 9.2 — Internal audit: Conduct at planned intervals to provide information on whether the CMS conforms to requirements and is effectively implemented and maintained [cite:325]
  • Clause 9.3 — Management review: Top management must review the CMS at planned intervals, considering audit results, compliance performance, non-compliance incidents, corrective actions, and opportunities for improvement [cite:325]

Compliance Management Systems - What It Requires - Evidence Management

Evidence is the documented proof that compliance obligations are being met, controls are operating, and the CMS is functioning as designed. Without proper evidence management, organisations cannot demonstrate compliance to regulators, auditors, or enforcement authorities [cite:321][cite:327].

Types of Compliance Evidence

  • Policy and procedure documentation — Current, approved versions with revision history
  • Training records — Attendance logs, completion certificates, comprehension assessments, training content
  • Risk assessment documentation — Risk registers, assessment methodologies, scoring criteria, risk treatment decisions
  • Monitoring and testing results — Exception reports, sample selections, test workpapers, findings, and resolution tracking
  • Audit reports — Internal and external audit findings, management responses, remediation tracking
  • Incident and complaint records — Consumer complaints, whistleblower reports, investigation files, corrective actions
  • Board and committee minutes — Documentation of compliance oversight, approvals, and decisions
  • System logs and audit trails — Access logs, transaction logs, change management records, automated control evidence
  • Third-party due diligence records — Vendor assessments, contract provisions, ongoing monitoring documentation
  • Regulatory correspondence — Examination reports, enforcement actions, supervisory letters, and responses [cite:321][cite:329]

Evidence Management Best Practices

Standardise evidence collection [cite:321]:

  • Create intake procedures to gather evidence from systems and personnel digitally
  • Incorporate compliance tools to automate evidence collection
  • Capture metadata (custodian, timestamp, source system) for chain of custody
  • Support various evidence types — documents, audit logs, training records, system configurations

Centralise evidence in a repository [cite:321][cite:327]:

  • Use a searchable platform (GRC system, document management system, or cloud-based evidence repository)
  • Avoid scattered storage across local drives, spreadsheets, and email
  • Simplify oversight, retention, and access for audits and regulatory inquiries

Structure and organise evidence [cite:321]:

  • Categorise using tags and naming conventions aligned to compliance standards and frameworks
  • Standardise file structures organisation-wide
  • Add descriptive metadata (compliance domain, department, control objective, regulatory reference)
  • Enable rapid search and findability during audits and examinations

Control access [cite:321]:

  • Apply role-based access controls and permission levels
  • Limit internal sharing to personnel involved in the compliance programme
  • Manage external sharing with auditors, regulators, and stakeholders through controlled channels
  • Maintain confidentiality and support applicable data protection requirements

Automate where possible [cite:324][cite:327]:

  • Integrate GRC platforms with core systems (cloud platforms for security configurations, code repositories for change management, HR systems for training records, ITSM tools for incident management)
  • Map high-volume evidence types to specific source systems for continuous collection
  • Set automated reminders for evidence refresh cycles and retention schedules
  • Use SIEM, CSPM, and automated control testing tools for real-time evidence generation

Continuously review and optimise [cite:321]:

  • Regularly assess evidence coverage gaps, retention compliance, and collection workflows
  • Update procedures for regulatory changes and new compliance requirements
  • Conduct periodic quality reviews of evidence integrity and completeness
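The intake, metadata, tagging and access-control practices above, as an added example that is not the page's or any GRC product's code: a small in-memory evidence repository that records custodian, timestamp, source system and a SHA-256 digest at intake, tags each item by compliance domain, control objective and regulatory reference, enforces role-based read/write permissions, and can later verify that stored evidence still matches the digest captured at collection. The role model, tag names and sample evidence are assumptions made for illustration.

```python
"""Evidence intake with chain-of-custody metadata, tagging and access control.

Added example, not the page's or any GRC product's code. The role model, tag
names and sample evidence below are assumptions made for illustration.
"""
import hashlib
from datetime import datetime, timezone

# Assumed role model: who may write to and read from the repository.
ROLE_PERMISSIONS = {
    "compliance_officer": {"read", "write"},
    "internal_auditor": {"read"},
    "business_user": set(),
}


class EvidenceRepository:
    """In-memory stand-in for a central, searchable evidence repository."""

    def __init__(self):
        self._records = {}

    def _require(self, actor_role, permission):
        if permission not in ROLE_PERMISSIONS.get(actor_role, set()):
            raise PermissionError(f"role {actor_role!r} lacks {permission!r} access")

    def ingest(self, content, custodian, source_system, tags, actor_role):
        """Record the evidence with custodian, timestamp, source and a SHA-256 digest."""
        self._require(actor_role, "write")
        evidence_id = f"EV-{len(self._records) + 1:04d}"
        self._records[evidence_id] = {
            "sha256": hashlib.sha256(content).hexdigest(),
            "custodian": custodian,
            "source_system": source_system,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "tags": dict(tags),
            "content": content,
        }
        return evidence_id

    def verify(self, evidence_id):
        """True if the stored bytes still match the digest captured at intake."""
        rec = self._records[evidence_id]
        return hashlib.sha256(rec["content"]).hexdigest() == rec["sha256"]

    def search(self, actor_role, **criteria):
        """Find evidence ids whose tags match every criterion, e.g. compliance_domain='training'."""
        self._require(actor_role, "read")
        return [eid for eid, rec in self._records.items()
                if all(rec["tags"].get(k) == v for k, v in criteria.items())]

    def metadata(self, evidence_id, actor_role):
        """Chain-of-custody fields without the content itself."""
        self._require(actor_role, "read")
        rec = self._records[evidence_id]
        return {k: v for k, v in rec.items() if k != "content"}

    def _corrupt_for_demo(self, evidence_id, new_content):
        """Bypasses intake to simulate an out-of-band modification; demo only."""
        self._records[evidence_id]["content"] = new_content


def build_demo_repository():
    """Ingest two constructed evidence items and return the repository and their ids."""
    repo = EvidenceRepository()
    # Constructed sample evidence (not real records).
    training_csv = b"employee,course,completed_on\nu1001,AML basics,2026-01-14\nu1002,AML basics,2026-01-15\n"
    access_log = b"2026-02-01T09:12:03Z user=u1001 action=privileged_login result=success\n"
    t_id = repo.ingest(training_csv, custodian="lms-export-job", source_system="HR LMS",
                       tags={"compliance_domain": "training",
                             "control_objective": "annual AML training completion",
                             "regulatory_reference": "BSA/AML"},
                       actor_role="compliance_officer")
    a_id = repo.ingest(access_log, custodian="siem-collector", source_system="SIEM",
                       tags={"compliance_domain": "access_control",
                             "control_objective": "privileged access review",
                             "regulatory_reference": "ISO 37301 Clause 9.1"},
                       actor_role="compliance_officer")
    return repo, t_id, a_id


if __name__ == "__main__":
    repo, t_id, a_id = build_demo_repository()
    print(repo.metadata(t_id, "internal_auditor"))
    print("training evidence:", repo.search("internal_auditor", compliance_domain="training"))
    print("intact before tampering:", repo.verify(a_id))
    repo._corrupt_for_demo(a_id, b"edited\n")
    print("intact after tampering:", repo.verify(a_id))
```

The digest is computed once at intake and stored beside the custodian, timestamp and source system, so a later `verify` call shows whether the evidence an auditor is handed is the evidence that was collected; the tag dictionary is what makes the repository searchable by framework, domain or control objective, and the role check on every read and write is the minimal form of the access control the text calls for.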

Evidence Retention

Evidence retention periods must be governed by applicable regulatory requirements, statutes of limitations, and organisational policy. ISO 37301 requires documented information to be controlled (creation, updating, availability, storage, retention, disposition) consistent with compliance obligations [cite:325].

Compliance Management Systems - Governance Implications

A CMS is fundamentally a governance mechanism — it operationalises the organisation's commitment to lawful and ethical conduct across all levels, functions, and relationships [cite:325][cite:329].

Enterprise Governance Integration

  • Board accountability: ISO 37301 Clause 5.1 and all U.S. regulatory frameworks require governing body oversight of the CMS. The board must ensure the compliance function has independence, authority, and direct reporting access [cite:325][cite:329]
  • Integration with business processes: The CMS must not operate as a siloed function. ISO 37301 requires integration into business processes; the DOJ evaluates whether compliance is embedded in operational decision-making [cite:325][cite:345]
  • Three Lines alignment: The CMS operationalises the Three Lines Model — first line (business) owns compliance execution, second line (compliance function) provides oversight and expertise, third line (internal audit) provides independent assurance [cite:342]

Ontic BOM Mapping

  • model — AI/ML models used in compliance operations (transaction monitoring, sanctions screening, risk scoring, document review) must themselves be governed under the CMS: model validation, bias testing, performance monitoring, change management, and human oversight. The DOJ's 2024 ECCP explicitly requires companies to assess AI-related compliance risks [cite:341][cite:345]
  • oracle — Regulatory databases, compliance obligation registers, sanctions lists, and authoritative reference data are core CMS data sources. Their accuracy, completeness, currency, and integrity are compliance-critical and must be controlled through monitoring, reconciliation, and access controls [cite:325][cite:329]
  • ontology — The taxonomy of compliance obligations, risk categories, control types, evidence classifications, and reporting categories forms the CMS ontology. Consistency in classification is essential for cross-framework mapping, regulatory reporting, and audit trail integrity [cite:325]
  • system_prompt — For AI systems used in compliance workflows (automated screening, chatbot-based compliance guidance, LLM-powered document review), prompt configurations that influence compliance-relevant outputs must be governed under change management, testing, and monitoring disciplines consistent with the CMS [cite:341][cite:345]
  • gate — The CMS itself is a governance gate: compliance approvals, risk assessments prior to product launches, regulatory change impact assessments, and third-party due diligence clearances are decision gates that prevent non-compliant activities from proceeding [cite:329][cite:325]
  • security — Compliance evidence, investigation files, whistleblower reports, and regulatory correspondence contain sensitive information requiring access controls, encryption, and audit trails. The security BOM component directly supports CMS evidence integrity and confidentiality [cite:321]
  • signed_client — Regulatory filings, compliance certifications (SOX 302/906, BSA/AML certifications), and attestations require authenticated, non-repudiable signatures. Audit trails tracing compliance actions to specific individuals support accountability [cite:329]

E/A/D Axis Integration

E/A/D Axis | CMS Framework Element | Hallmarks | Evidence
Ethical (E) | Governance & leadership commitment (ISO 37301 Clause 5.1), compliance culture, speaking-up mechanisms, anti-retaliation protections | Tone at the top and middle, ethical culture embedded in business processes, safe reporting channels, DEIA-inclusive compliance training | Leadership communications, culture assessments, whistleblower programme metrics, training completion records, anti-retaliation policy attestations [cite:325][cite:329]
Accountable (A) | Compliance programme design (ISO 37301 Clauses 6–8), risk assessment, resource allocation, obligation register, third-party due diligence | Documented compliance programme, risk-based obligation mapping, adequate resourcing with independence and authority, traceable third-party risk management | Compliance risk assessments, obligation registers, resource allocation records, compliance function org charts, third-party due diligence files [cite:325][cite:345]
Defensible (D) | Monitoring, testing & audit (ISO 37301 Clauses 9–10), investigation & remediation, regulatory self-disclosure | Tested controls, timely and thorough investigations, documented root cause analysis and remediation, self-disclosure where warranted | Control testing results, investigation files, root cause analyses, remediation tracking, regulatory correspondence, board reporting packages [cite:321][cite:341]

Compliance Management Systems - Enforcement Penalties

CMS failures are enforced through the regulatory and legal frameworks that mandate them — there is no standalone "CMS penalty," but the consequences of CMS deficiency are severe and well-documented [cite:326][cite:329].

U.S. Financial Regulatory Enforcement

Outcome | Consequence
Consumer Compliance Rating downgrade | Adverse CC Rating (3, 4, or 5) triggers enhanced supervisory scrutiny, restrictions on expansion, and potential enforcement actions [cite:320][cite:329]
Consent orders / cease and desist | Formal enforcement actions requiring specific CMS remediation within defined timeframes; public disclosure; reputational damage [cite:326]
Civil money penalties (CMPs) | Monetary penalties for violations of consumer protection laws; can be assessed against institutions and individuals [cite:329]
Restitution and disgorgement | Requirement to return funds to harmed consumers; can exceed hundreds of millions of dollars [cite:326]
Restrictions on activities | Limitations on new products, acquisitions, branching, or dividend payments until CMS deficiencies are remediated [cite:329]

DOJ Criminal Enforcement

The ECCP directly influences [cite:341][cite:345][cite:349]:

  • Charging decisions — Whether to bring criminal charges against a corporation
  • Resolution terms — Type of resolution (NPA, DPA, guilty plea) and monetary penalties
  • Compliance obligations — Whether an independent compliance monitor is imposed
  • Penalty reductions — Companies with effective compliance programmes receive reduced penalties under the U.S. Sentencing Guidelines
  • Clawback provisions — The 2024 update ties compliance failures to executive compensation consequences

Notable 2024–2025 Enforcement Examples

  • In 2024–2025, enforcement actions related to BSA/AML deficiencies, redlining, UDAAP violations, and data security breakdowns were not limited to large banks — FinTechs and smaller institutions were also targeted [cite:326]
  • The OCC cited poor board engagement as a root cause of ongoing violations in a 2024 enforcement order against a regional bank [cite:326]
  • CFPB enforcement actions have consistently focused on inadequate monitoring, insufficient complaint management, and failures to update policies in response to regulatory changes [cite:323]

Compliance Management Systems - Intersection With Other Frameworks

ISO 37301 and the ISO Management System Family

ISO 37301 follows the Harmonised Structure, enabling seamless integration with [cite:325][cite:331]:

Standard | Focus | Integration With CMS
ISO 37001 | Anti-bribery management | Specific compliance domain; shares governance architecture with ISO 37301 [cite:331]
ISO 37002 | Whistleblowing management | Operationalises CMS reporting channels (ISO 37301 Clause 8.3) [cite:331]
ISO 37303 | Internal investigations and due diligence | Supports CMS investigation and remediation processes [cite:331]
ISO 27001 | Information security | Provides ISMS controls that protect CMS data and evidence; shared risk assessment methodology [cite:325]
ISO 9001 | Quality management | Shared process approach and continuous improvement (PDCA); complementary operational controls [cite:325]
ISO 14001 | Environmental management | Environmental compliance obligations managed through integrated CMS [cite:325]
ISO 42001 | AI management | AI-specific risks integrated into CMS through shared Harmonised Structure [cite:331]

COSO Internal Control Framework

The COSO 2013 five-component model directly supports CMS implementation [cite:263]:

  • Control environment → CMS governance and compliance culture
  • Risk assessment → Compliance risk assessment
  • Control activities → Compliance programme policies, procedures, and controls
  • Information and communication → Compliance reporting and evidence management
  • Monitoring → Compliance monitoring, testing, and audit

DOJ ECCP

The ECCP is not a standalone framework but evaluates against the same governance, programme, and effectiveness dimensions as ISO 37301 and U.S. regulatory CMS expectations. Its three-question structure (well designed, adequately resourced, works in practice) maps to ISO 37301's Clauses 4–8 (design), Clause 7 (support/resources), and Clauses 9–10 (performance evaluation and improvement) [cite:341][cite:349].

SOX Compliance

SOX Sections 302 and 404 create specific CMS requirements for ICFR (internal control over financial reporting). The broader CMS framework encompasses SOX compliance as a subset — the financial reporting compliance programme operates within the organisation's overall CMS architecture [cite:265].

GDPR and Data Privacy

Privacy compliance (GDPR, CCPA, LGPD) operates as a compliance domain within the CMS. ISO 37301 provides the management system shell; ISO 27701 (privacy information management) and specific privacy programme elements populate the domain-specific requirements [cite:325].

Compliance Management Systems - Recent Updates

ISO 37301:2021 + Amendment 1:2024

ISO 37301 was published in April 2021, replacing ISO 19600:2014 (which was a guidance standard, not certifiable). Key changes from ISO 19600 [cite:319][cite:331]:

  • ISO 37301 is a requirements standard (certifiable), whereas ISO 19600 was guidance-only
  • Expanded requirements for understanding organisational context (Clauses 4.1–4.2)
  • New requirement to determine which interested-party requirements will be addressed through the CMS [cite:319]
  • Simplified compliance risk assessment requirements (detailed guidance moved to Annex A) [cite:319]
  • Strengthened requirements for governing body and top management commitment
  • Amendment 1:2024 adds climate action considerations (same as ISO 27001 Amd 1:2024) — requiring organisations to determine whether climate change is a relevant compliance issue [cite:331]

DOJ ECCP Update — September 2024

The September 2024 ECCP update introduced three major new focus areas [cite:341][cite:345][cite:349]:

  1. AI and Emerging Technology Risks:
    • Companies must have processes to identify and evaluate risks associated with AI in commercial operations and compliance programmes
    • AI risk management must be integrated into enterprise risk management
    • Governance frameworks must guide the company's use of AI
    • Companies must address how they mitigate unintended consequences of AI, including ensuring AI does not undermine compliance controls
    • Companies must monitor for the potential use of AI to engage in or conceal misconduct [cite:341][cite:345]
  2. Whistleblower Protections:
    • Enhanced expectations for promoting internal reporting without fear of retaliation
    • Launch of the Corporate Whistleblower Awards Pilot Program, incentivising reporting of criminal misconduct
    • DOJ will evaluate how companies treat employees who report misconduct [cite:341][cite:343]
  3. Compliance Function Resources and Data Access:
    • Compliance personnel must have access to the same data and technology as the business units
    • The DOJ will assess whether compliance teams can effectively use data analytics for risk detection
    • Compliance resourcing must keep pace with business growth and complexity [cite:341][cite:345]

Increased Regulatory Focus on CMS Effectiveness (2024–2026)

  • U.S. banking regulators are applying heightened scrutiny to CMS adequacy at institutions approaching and exceeding $10B in assets, particularly around fair lending, UDAAP, BSA/AML, and third-party risk management [cite:323][cite:326]
  • GRC platform adoption is accelerating as organisations move from spreadsheet-based compliance management to automated evidence collection, continuous monitoring, and integrated reporting [cite:324][cite:327]
  • Continuous compliance monitoring (rather than periodic point-in-time assessments) is becoming the regulatory and market expectation across financial services, healthcare, and technology