Key Definitions

| Term | Definition |
|---|---|
| Compliance Review | A systematic, documented evaluation of an organization's compliance status against applicable regulatory requirements and internal standards |
| Internal Reviewer | A person within the organization trained to conduct compliance reviews using structured methodology |
| Reviewer Competence | The combination of knowledge, skills, and personal attributes needed to conduct effective compliance reviews |
| Review Programme | The planned schedule and scope of all compliance reviews for a defined period |
| Review Criteria | The set of requirements (regulatory, standard, policy) against which compliance is evaluated |
| Review Evidence | Records, factual statements, and verifiable information relevant to compliance status |
| Review Finding | A determination of conformity or nonconformity with review criteria, based on evidence |
| Corrective Action | An action taken to eliminate the cause of a detected nonconformity |
| AI Literacy | The skills, knowledge, and understanding that allow deployers and affected persons to make informed decisions regarding AI systems (EU AI Act Art.4) |
| Competence Framework | A structured description of the knowledge, skills, and attributes required for a specific role |
| Assessment Calibration | The process of ensuring consistent scoring and evaluation across different reviewers and review events |
| Review Methodology | The systematic approach to planning, conducting, and reporting compliance reviews |

Chapter 1: Introduction to Compliance Review Training

Building internal compliance review capability is one of the most impactful investments an organization can make in its compliance programme. Internal reviewers understand the organization's operations, culture, and constraints in ways that external assessors cannot — and they can conduct reviews more frequently, at lower cost, and with greater operational relevance. This chapter establishes the foundations of the compliance review training programme, explaining why internal capability matters and how the training programme is structured.

1.1 Why Internal Review Capability Matters

| Benefit | Explanation |
|---|---|
| Frequency | Internal reviewers can conduct reviews more often than external engagement allows |
| Cost Efficiency | Reduces dependence on expensive external assessors |
| Contextual Understanding | Internal reviewers understand organizational operations and can provide more relevant findings |
| Speed of Response | Internal reviewers can quickly verify corrective action effectiveness |
| Culture Building | Trained reviewers become compliance advocates throughout the organization |
| Knowledge Retention | Compliance expertise stays within the organization |
| Continuous Monitoring | Enables ongoing compliance surveillance between formal assessments |
| Preparation | Internal reviews prepare the organization for external assessments |

1.2 Regulatory Drivers for Internal Review Capability

| Regulation | Requirement | Relevance |
|---|---|---|
| EU AI Act Art.4 | AI literacy for deployers and their staff | Mandates competence in AI systems being deployed |
| EU AI Act Art.9 | Risk management system implementation and monitoring | Internal review of risk management effectiveness |
| EU AI Act Art.17 | Quality management system for high-risk AI | Internal quality review capability required |
| ISO 42001 Clause 7.2 | Competence of persons doing work affecting AI management | Competence requirements for AI-related roles |
| ISO 37301 Clause 7.2 | Competence for compliance-affecting roles | General compliance competence requirements |
| ISO 19011 Clause 7 | Competence of auditors | Defines auditor competence framework |
| NIST AI RMF Govern 4 | Organizational teams are committed to a culture of managing AI risk | Internal AI risk review competence |
| Regulation 852/2004 Art.5 | HACCP implementation and maintenance | Internal review of food safety systems |

1.3 Training Programme Structure

The compliance review training programme consists of five progressive levels:

| Level | Title | Target Audience | Duration | Outcome |
|---|---|---|---|---|
| 1 | Compliance Awareness | All staff | 4 hours | Understanding of compliance obligations and personal responsibilities |
| 2 | Compliance Fundamentals | Compliance-adjacent roles | 16 hours | Working knowledge of compliance frameworks and documentation |
| 3 | Review Practitioner | Designated internal reviewers | 40 hours | Capability to conduct compliance reviews under supervision |
| 4 | Lead Reviewer | Experienced reviewers | 24 hours | Capability to lead and manage compliance review programmes |
| 5 | Domain Specialist | Reviewers in specialized areas | 16-40 hours per domain | Deep expertise in domain-specific compliance review |