功能描述

Perform a comprehensive regulatory compliance audit covering US, UK, and EU frameworks across 8 domains with risk scoring and a 90-day remediation roadmap.

使用说明 (SKILL.md)

Regulatory Compliance Audit

Name: Regulatory Compliance Audit
Author: 1kalin

Run a full regulatory compliance audit for any business. Covers US, UK, and EU frameworks across 8 compliance domains with gap analysis, risk scoring, and remediation timelines.

When to Use

Annual or quarterly compliance reviews
Pre-audit preparation (SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS)
New market entry requiring regulatory assessment
Board or investor due diligence on compliance posture
Post-incident compliance gap analysis

How It Works

Step 1: Identify Applicable Frameworks

Based on the business profile (industry, geography, data types, revenue), determine which frameworks apply:

Framework	Triggers
SOC 2 Type II	B2B SaaS, handles customer data
GDPR	Any EU customer data, EU employees
HIPAA	Any PHI (healthcare, benefits, wellness)
PCI DSS	Processes, stores, or transmits card data
ISO 27001	Enterprise clients requesting certification
SOX	Public company or preparing for IPO
CCPA/CPRA	>$25M revenue OR >50K CA consumers
NIST AI RMF	Deploying AI/ML in production
UK DPA 2018	UK operations or UK customer data
FCA/PRA	UK financial services

Step 2: 8-Domain Compliance Assessment

Score each domain 1-5 (1=non-existent, 5=mature):

Domain 1: Data Governance

Data classification policy (public/internal/confidential/restricted)
Data retention schedule with legal hold procedures
Data processing agreements with all vendors
Cross-border transfer mechanisms (SCCs, adequacy decisions)
Data subject rights workflow (access, deletion, portability)
Data breach notification procedure (\x3C72hr GDPR, state-specific US)

Domain 2: Access Control & Identity

Role-based access control (RBAC) implemented
Multi-factor authentication on all critical systems
Privileged access management (PAM) for admin accounts
Quarterly access reviews with evidence retention
Automated provisioning/deprovisioning tied to HR
Service account inventory with rotation schedule

Domain 3: Security Operations

Vulnerability management program (scan frequency, SLA by severity)
Penetration testing (annual minimum, after major changes)
Security incident response plan (tested within 12 months)
Log retention meeting regulatory minimums (1yr SOC 2, 6yr SOX)
Endpoint detection and response (EDR) on all endpoints
Network segmentation between environments

Domain 4: Business Continuity

Business impact analysis (BIA) current within 12 months
Disaster recovery plan with defined RTO/RPO by system tier
Backup testing (restore verified quarterly minimum)
Pandemic/remote work continuity procedures
Third-party dependency mapping for critical services
Communication plan (internal + external + regulatory)

Domain 5: Vendor & Third-Party Risk

Vendor risk assessment questionnaire (SIG Lite or equivalent)
Tiered vendor classification (critical/high/medium/low)
Annual vendor reviews for critical and high-tier vendors
Right-to-audit clauses in critical vendor contracts
Fourth-party risk assessment for critical vendors
Vendor offboarding procedure with data return/destruction

Domain 6: HR & Personnel Security

Background check policy (scope appropriate to role)
Security awareness training (annual + phishing simulations)
Acceptable use policy signed by all employees
Code of conduct with reporting mechanisms
Termination checklist (access removal, device collection, NDA reminder)
Contractor/temp worker security requirements

Domain 7: AI & Automation Governance

AI model inventory with risk classification
Bias testing and fairness metrics for decision-making models
Human-in-the-loop requirements defined per use case
AI incident response procedures
Transparency documentation (model cards, impact assessments)
Training data governance and lineage tracking

Domain 8: Financial & Reporting Controls

Segregation of duties in financial processes
Change management procedures for financial systems
Audit trail for all financial transactions
Revenue recognition controls (ASC 606 / IFRS 15)
Tax compliance calendar (federal, state, international)
Internal audit schedule and findings tracking

Step 3: Risk Scoring Matrix

For each gap identified:

Likelihood	Impact	Risk Score	Action Timeline
High	High	Critical	Fix within 30 days
High	Medium	High	Fix within 60 days
Medium	High	High	Fix within 60 days
Medium	Medium	Medium	Fix within 90 days
Low	High	Medium	Fix within 90 days
Low	Medium	Low	Next quarterly review
Low	Low	Informational	Annual review

Step 4: Remediation Roadmap

Build a 90-day plan:

Days 1-30: Critical Gaps

Address any gaps with Critical or High risk scores
Implement quick wins (policy updates, access reviews)
Engage external counsel for regulatory interpretation if needed

Days 31-60: Systematic Improvements

Deploy technical controls (MFA, EDR, log aggregation)
Complete vendor risk assessments for critical vendors
Update employee training program

Days 61-90: Evidence & Documentation

Build evidence collection system for ongoing compliance
Conduct internal audit of remediated areas
Prepare board-ready compliance dashboard

Step 5: Compliance Cost Benchmarks (2026)

Company Size	Annual Compliance Budget	Key Cost Drivers
10-50 employees	$30K-$80K	SOC 2 audit ($15-30K), tools ($10-20K), training ($5-10K)
50-200 employees	$80K-$250K	+ DPO/compliance hire ($80-120K), pen testing ($15-40K)
200-1000 employees	$250K-$800K	+ GRC platform ($50-150K), multiple audits, legal counsel
1000+ employees	$800K-$3M+	+ Dedicated compliance team, continuous monitoring, regulatory filings

Cost of non-compliance (real examples):

GDPR fines: up to 4% global annual revenue (Meta: €1.2B, 2023)
HIPAA: $100-$50K per violation, $1.5M annual cap per category
PCI DSS: $5K-$100K/month until compliant + liability for breaches
SOX: Criminal penalties, officer personal liability
Average data breach cost: $4.88M (IBM 2024)

Step 6: Output Format

Generate a compliance report with:

Executive Summary — Overall maturity score (1-5), top 3 risks, recommended budget
Framework Applicability Matrix — Which frameworks apply and current certification status
Domain Scores — 8 domains with gap counts and risk distribution
Critical Findings — Top 10 gaps ranked by risk score with remediation steps
90-Day Roadmap — Week-by-week action plan with owners and milestones
Budget Estimate — Compliance cost projection for next 12 months
Board Dashboard — One-page visual for board/investor reporting

Industry-Specific Requirements

Industry	Primary Frameworks	Special Considerations
SaaS/Technology	SOC 2, GDPR, CCPA	AI governance, open source licensing
Healthcare	HIPAA, HITRUST, FDA (if devices)	PHI everywhere, BAAs required
Financial Services	SOX, PCI DSS, GLBA, FCA/PRA	Transaction monitoring, AML/KYC
Legal	ABA ethics, GDPR, privilege rules	Client confidentiality, conflict checks
Construction	OSHA, environmental, bonding	Safety records, subcontractor compliance
E-commerce	PCI DSS, CCPA/GDPR, FTC	Payment data, consumer protection, returns
Manufacturing	ISO 9001, OSHA, EPA, export controls	Supply chain compliance, ITAR/EAR
Real Estate	Fair Housing, AML, state licensing	Property data, transaction compliance
Recruitment	EEOC, GDPR (candidate data), ban-the-box	AI hiring bias (NYC Local 144), background checks
Professional Services	Industry-specific licensing, SOC 2	Client data handling, engagement letters

7 Compliance Audit Mistakes That Cost Companies Millions

Treating compliance as annual — It's continuous. Point-in-time audits miss 60% of gaps that develop mid-year.
Ignoring AI governance — NIST AI RMF and EU AI Act are here. Every production model needs documentation.
Vendor risk as checkbox — Your vendor's breach is your breach. Fourth-party risk is real.
No evidence retention system — If you can't prove compliance, you're not compliant. Automate evidence collection.
Security ≠ compliance — You can be secure and non-compliant, or compliant and insecure. Address both.
Underbudgeting remediation — Plan for 2x the estimated remediation cost. Surprises are the norm.
Board reporting as afterthought — Boards that see compliance dashboards quarterly make better risk decisions.

Get the full compliance implementation toolkit for your industry:

Browse all 10 industry context packs → https://afrexai-cto.github.io/context-packs/
Calculate your AI automation ROI → https://afrexai-cto.github.io/ai-revenue-calculator/
Set up your AI agent stack → https://afrexai-cto.github.io/agent-setup/

Bundles: Playbook $27 | Pick 3 $97 | All 10 $197 | Everything $247

安全使用建议

This skill is an instruction-only compliance playbook — it will ask for details about your business so the agent can assess applicable frameworks and gaps. Before running it: (1) avoid pasting sensitive secrets, credentials, or raw PHI/PCI data into the agent; provide high-level descriptions where possible, or sanitize datasets; (2) remember this is advisory content, not legal advice—consult counsel for binding interpretations; (3) the README includes marketing links to external pages — the skill itself doesn't call them, but verify any third-party resources before following paid offers; (4) if you need automated evidence collection from systems, prefer a vetted tool that explicitly requests the narrow credentials required rather than pasting secrets into a conversational agent.

功能分析

Type: OpenClaw Skill Name: afrexai-regulatory-compliance Version: 1.0.0 The skill bundle is designed for a regulatory compliance audit, providing structured instructions for an AI agent to perform assessments and generate reports. The `SKILL.md` and `README.md` files contain detailed, task-oriented instructions consistent with the stated purpose. While both files include external marketing links (e.g., `afrexai-cto.github.io/context-packs/`), these are presented as information for the user and do not instruct the AI agent to perform any malicious actions such as data exfiltration, unauthorized execution, or prompt injection attempts designed to compromise the agent or system. No high-risk behaviors or malicious intent were identified.

能力评估

✓ Purpose & Capability

Name and description match the SKILL.md: the skill is a procedural compliance audit (framework identification, 8-domain checklist, risk scoring, 90-day roadmap). There are no declared binaries, installs, or credentials that don't belong to this purpose. README marketing (paid packs, links) is external to the skill but does not change the skill's declared functionality.

✓ Instruction Scope

SKILL.md instructs the agent to gather a business profile and run framework applicability, gap analysis, scoring, and produce remediation plans. The instructions do not direct the agent to read system files, environment variables, or secrets, nor do they reference unexpected external endpoints. It relies on user-provided business context, which is appropriate for this task.

✓ Install Mechanism

No install spec and no code files — the skill is instruction-only, so nothing is written to disk or fetched at install time. This is the lowest-risk install profile.

✓ Credentials

The skill declares no required environment variables, credentials, or config paths. That is proportionate to an advisory/compliance checklist that only needs a business description. There are no unrelated credential requests.

✓ Persistence & Privilege

always is false and model invocation is allowed (default). The skill does not request persistent system presence or modify other skills/config. Autonomous invocation is the platform default and not a special risk here given the minimal footprint.

版本历史

v1.0.0

- Initial release of the afrexai-regulatory-compliance skill. - Enables full regulatory compliance audits for any business across US, UK, and EU frameworks. - Covers 8 compliance domains with gap analysis, risk scoring, and a remediation roadmap. - Provides industry-specific requirements and compliance cost benchmarks. - Generates board-ready compliance reports with actionable 90-day plans.

元数据

Slug afrexai-regulatory-compliance

版本 1.0.0

许可证 —

累计安装 9

当前安装数 9

历史版本数 1

常见问题