What does it mean "to comply"?
Compliance is ensuring that the requirements of laws, regulations, industry codes, and organizational doctrines are met. This also applies to contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.
In other words, it simply means following the rules that are set by people other than ourselves.
![what-does-it-mean-to-comply-1.png [image]](http://www.unifiedcompliance.com/converted/images/what-does-it-mean-to-comply-1.png)
Compliance is following rules set by people other than ourselves
Because of human nature, if we were left to ourselves to comply with all of the rules and regulations foisted upon us, do you really think that we would? Of course not. At least not all of the time. No one reading this (nor we, as writers) can say that we have always complied with all laws and regulations. Who among us hasn't driven over the speed limit, cheated in solitaire, or broken/bent the rules? Not one of us.
And because we are apt to break the rules, we need to have measurable organizational compliance programs put in place to ensure that we do follow the rules. Compliance programs aim to prevent, and where necessary, identify and respond to, breaches of laws, regulations, codes, or organizational requirements occurring in the organization. They should promote a culture of compliance within the organization. The organizational compliance program is instilled through the use of compliance controls.
Compliance control is a process, effected by management and other personnel, designed to provide reasonable assurance that transactions are executed in accordance with 1) laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements or required supplementary stewardship information and 2) any other laws, regulations, and government-wide policies identified in audit guidance. We call all of these types of documents "Authority Documents".
However, because there is such a plethora of these Authority Documents, compliance can often become a confusing mess.
![what-does-it-mean-to-comply-2.png [image]](http://www.unifiedcompliance.com/converted/images/what-does-it-mean-to-comply-2.png)
Compliance can often be confusing when there are too many Authority Documents to follow
The task at hand for all organizations faced with complying with more than one Authority Document is to create a process by which these Authority Documents are researched, identified, and consumed. This is an eight-step process.
The process of complying
In short, here's the process of complying that organizations must follow.
| Step | Description | Results |
| --- | --- | --- |
| 1 | Authority Document Research in which the organization finds new and updated Authority Documents. | A list of websites or documents that the organization can turn to that lists the new, changed, or deleted Authority Documents of interest. |
| 2 | Library Categorization of the Authority Documents. | A winnowed down list of all Authority Documents that pertain to the organization. |
| 3 | Analysis of References within each of the Authority Documents. | A set of rules which the organization can use when examining the Authority Documents for control content versus other unnecessary content. |
| 4 | Citation and Harmonized Control Mapping wherein the organization assigns each of the references within an Authority Document to a matching Control or Metric ID. Or, if there is no matching Control, the organization must then create a new control/metric and map the references and citation to the new control/metric. | A harmonized set of controls that the organization has to follow. A harmonized set of metrics that the organization has to use for measurement and reporting. Detailed information sheets connecting the organization's controls and metrics to their original citations for auditing and support purposes. |
| 5 | Role Mapping wherein the organization maps organizational roles to their controls. | Role definition standards that link the roles to their controls/metrics. |
| 6 | Asset and Configurable Item Mapping wherein the organization maps the configuration-based controls to their assets (and configurable items that are a part of the asset). | A list of all configurable items tied to a list of all of their assets. A list of all vendors and contact info for those assets and configurable items. A configuration and change management plan and set of standards. |
| 7 | Compliance Process and Document Mapping wherein the organization maps their controls to their appropriate compliance processes and their associated policies, standards, and procedures. | Policies, standards, procedures, checklists, and plans that are mapped to the appropriate controls, assets, and roles. |
| 8 | Audit Question Mapping wherein the organization examines each control and its associated roles, assets, and compliance processes and assembles a coherent set of audit questions from that amalgamation. | Audit guidance in its various forms and formats. |

The result of this process is that the organization has a methodology to continually research, digest, and interpret the various Authority Documents and their controls, and then turn those controls into usable compliance objectives.
![what-does-it-mean-to-comply-11.png [image]](http://www.unifiedcompliance.com/converted/images/what-does-it-mean-to-comply-11.png)
The result of the compliance process is a clear and unambiguous direction
