GBS Insider ClubField Guide Free
Regulatory and Internal Controls June 2026

Pillar 9 · Cluster 2

Regulatory compliance and internal controls

Segregation of duties, GDPR, SOX, AML, and document retention are the compliance guardrails that every GBS professional operating in finance, HR, or procurement must understand and follow.

$4.2B+GDPR fines issued globally since 2018
SOX 404The compliance framework that shapes GBS finance controls
SoDSegregation of Duties — the most audited control in GBS
GBS regulatory controls — three lines of defense, SOX compliance, COSO framework, control testing

Three lines of defense, SOX compliance, and the COSO framework

Three Lines Defense model Ops / Risk / Audit SOX & GDPR Compliance pillars Financial + data Your Role Daily controls Every professional counts
Regulatory Control Framework

Topic 01 · Access Controls

Segregation of Duties and toxic combinations

TL;DR

Toxic access combinations — create plus approve, vendor plus payment — are findable before auditors find them. Review access, not intentions. The model is in THE FIX.

Nobody plans the toxic combination.
It accumulates.

2 min read · full theory in the expandable
The Problem
P
Peter
Team lead · Year 2 · Budapest

Access review season. Peter checks his team’s roles line by line.

One analyst, through two role changes and one coverage emergency, can now create vendors and approve payments to them.
Nobody decided that. It grew.

"Every toxic combination has an innocent history."

He feels uneasy — and glad he looked before an auditor did.

The Trap

You trust that access matches roles. Access accumulates; roles change; nobody subtracts.

The Fix

SoD review hunts combinations, not individuals.

THE PAIRSKnown toxic combos. Create + approve, vendor master + payment run, order + goods receipt.
THE DRIFTHow they form. Role changes, coverage, "temporary" access that never expired.
THE REVIEWQuarterly subtraction. Finding it yourself is a control working; an auditor finding it is a finding.

The combination is split the same week — documented as self-identified. In audit language, that is the best sentence there is.

SoD and toxic combinations in depthTHEORY · 4 MIN

No single person should be able to create a vendor, enter an invoice, approve the payment, and execute the bank transfer. SoD prevents fraud by splitting critical actions across different individuals.

Common SoD conflicts in GBS finance
  • Vendor master creation + invoice entry — the same person could create a fictitious vendor and process payments to them
  • Purchase order creation + goods receipt — the same person could order goods and confirm receipt without physical verification
  • Journal entry posting + journal entry approval — the same person could create and authorize fraudulent entries
  • Payment execution + bank reconciliation — the same person could divert payments and hide the discrepancy
  • User access administration + transaction processing — the same person could grant themselves excessive access and use it
The small team challenge

SoD is straightforward in large GBS centers with hundreds of employees. It becomes genuinely difficult in small teams where there are not enough people to split every function. The answer is compensating controls that mitigate the risk when full segregation is not possible:

  • Additional review steps
  • Management approvals
  • Exception reporting
  • Audit trail monitoring
THREE LINES OF DEFENSE 1ST LINEBusiness operationsOwn the risk & controlsTHIS IS YOU 2ND LINERisk & complianceOversee & adviseSUPPORT FUNCTION 3RD LINEInternal auditIndependent assuranceINDEPENDENT CHECK YOU ARE THE FIRST LINE · CONTROLS START WITH YOU

Three lines of defense — operations, risk & compliance, internal audit

Monday Move

Review your own access for one toxic pair. Found one? Report it — self-found counts in your favor.

Topic 02 · Regulatory Frameworks

GDPR and SOX — the two compliance pillars

TL;DR

GDPR protects personal data; SOX protects financial reporting integrity. Different laws, different logic — your controls serve both. The model is in THE FIX.

Two rulebooks on your desk.
They are not the same book.

2 min read · full theory in the expandable
The Problem
K
Klaudia
Senior associate · Year 3 · Krakow

An auditor asks Klaudia which of her controls are SOX-relevant. She points at the GDPR training certificate.

Wrong book. One protects people’s data; the other protects investors’ numbers.
Her four-eyes check serves SOX. Her data-retention discipline serves GDPR. She had never sorted which was which.

"I follow both. I just could not name which rule I was serving."

She feels clearer after one sorting exercise.

The Trap

You lump all compliance into one blur — and cannot explain your own controls when asked.

The Fix

Two regimes, two different protections.

GDPRProtects people. Personal data: minimization, consent basis, retention limits, breach duties.
SOXProtects the numbers. Financial reporting: access controls, approvals, evidence, change management.
YOUR MAPSort your controls once. Each daily control serves one regime, sometimes both — know which.

Her control list gains two columns: GDPR, SOX. The next audit question gets a ten-second answer.

GDPR and SOX in depthTHEORY · 5 MIN

GDPR governs how you handle personal data. SOX governs the accuracy and integrity of financial reporting. Both carry severe consequences for violations.

IT GENERAL CONTROLS (ITGC) Controls over the systems themselves Access management (who can log in) Change management (code deploys) Backup and recovery procedures Job scheduling and batch processing BUSINESS PROCESS CONTROLS Controls over the transactions Three-way match (PO, receipt, invoice) Segregation of duties (SoD) Account reconciliation sign-off Journal entry approval workflow Both layers must pass for SOX 404 compliance. One failure = material weakness risk.
SOX 404 — Two Control Layers
GDPR

Scope and focus

  • Protects personal data of EU residents
  • Applies to any organization processing EU personal data
  • Enforcement: fines up to 4% of annual global revenue
  • Key requirements: consent, data minimization, right to erasure, breach notification within 72 hours
SOX

Scope and focus

  • Ensures accuracy of financial reporting for US-listed companies
  • Applies to the company and all entities that contribute to consolidated financial statements
  • Enforcement: criminal penalties including imprisonment for executives
  • Key requirements: internal controls over financial reporting (ICFR), management assessment, external auditor attestation
COSO FRAMEWORK CONTROLENVIRON.Tone at the top RISKASSESSMENTIdentify & evaluate CONTROLACTIVITIESPolicies & procedures INFO &COMMSRight info, right time MONITORINGACTIVITIESOngoing & separate THE GLOBAL STANDARD FOR INTERNAL CONTROLS

COSO framework — foundation of SOX compliance in GBS

Monday Move

Take your three main controls. Label each: GDPR, SOX, or both.

Some transactions face a third rulebook. The one with sanctions lists.

Topic 03 · Financial Crime

AML and sanctions screening basics

TL;DR

AML and sanctions screening block transactions with prohibited parties. In GBS, the alert queue is where the law meets your day. The model is in THE FIX.

A name matches a list.
Your next click is regulated.

2 min read · full theory in the expandable
The Problem
A
Amara
O2C analyst · Year 1 · Lagos

A new customer setup hits a screening alert on Amara’s queue. Partial name match, sanctions list.

The sales team pushes: "It is obviously a false positive, just clear it."
Amara works the protocol instead: secondary identifiers, documentation, escalation to compliance. Cleared properly — in hours, not seconds.

"False positive is a conclusion, not a starting assumption."

She feels firm under pressure that had a deadline attached.

The Trap

You treat screening alerts as friction to clear fast — and inherit personal exposure with every shortcut.

The Fix

Alert handling is protocol over pressure.

VERIFYSecondary identifiers. Dates, addresses, registration numbers — match or clear on evidence.
DOCUMENTEvery disposition recorded. The trail is the protection — yours and the company’s.
ESCALATEDoubt goes to compliance. Speed pressure is never a valid clearing criterion.

The match proves false — on evidence, on record. The pressure evaporates; the paper trail stays.

AML and sanctions screening in depthTHEORY · 4 MIN

Anti-Money Laundering and sanctions compliance are not just for banks. GBS centers processing payments, onboarding vendors, or managing customer data have screening obligations.

AML/sanctions essentials for GBS
  • Know Your Customer (KYC) / Know Your Vendor (KYV) — verify the identity and legitimacy of business partners before entering into financial relationships
  • Sanctions screening — check all counterparties against government sanctions lists (OFAC, EU, UN) before processing payments
  • Suspicious Activity Reporting (SAR) — obligation to report transactions that appear unusual, structured, or inconsistent with known business patterns
  • Transaction monitoring — automated rules that flag payments above thresholds, to high-risk jurisdictions, or with unusual patterns
  • Record retention — maintain transaction records and screening results for the period required by applicable regulations (typically 5-7 years)
KYC / KYV Verify partner identity Sanctions Screen OFAC · EU · UN lists Transaction Monitor Flag unusual patterns SAR if Suspicious Report immediately Retain Records 5–7 years minimum AML COMPLIANCE FLOW
Every payment follows screen → flag → retain.
Monday Move

Know your escalation path for a screening doubt. Name and channel, before you need them.

What you keep matters as much as what you block. Retention has rules too.

? REALITY TEST click to expand
  • Do you know which regulations apply to your process area — SOX, GDPR, AML, or others? Can you explain the key requirements?
  • Does your team operate as the first line of defense? Do you own your controls, or do you rely on compliance to tell you what to do?
  • When was your last audit interaction? Were you comfortable with the process, or did it feel stressful and unfamiliar?

Topic 04 · Records Management

Document retention and archiving policies

TL;DR

Records have legal lifespans — keeping too short breaks the law, keeping too long breaks GDPR. The schedule decides, not habit. The model is in THE FIX.

Keep everything forever?
That is also a violation.

2 min read · full theory in the expandable
The Problem
R
Ravi
AP analyst · Month 8 · Pune

Ravi hoards everything — every file, every email, "just in case." A colleague deletes freely to keep folders clean.

The records team explains: both habits are violations. Invoices carry statutory minimums; personal data carries GDPR maximums.
The lifespan is set by a schedule, not by personality.

"There is a date for keeping and a date for deleting. Neither is mine to choose."

He feels relieved — the rule replaces the guesswork.

The Trap

You retain by instinct — hoarder or cleaner — when both instincts violate a schedule that already exists.

The Fix

Retention runs on three dates.

MINIMUMStatutory keep-until. Financial records: often 7–10 years by law.
MAXIMUMGDPR delete-by. Personal data past its purpose must go.
THE SCHEDULEYour org’s retention policy. Per document type — look it up instead of guessing.

Ravi checks the schedule once and labels his folders by class. Keeping and deleting both become compliance instead of personality.

Records retention in depthTHEORY · 3 MIN

Keeping documents too long creates liability. Deleting them too early creates compliance violations. Retention policies define the rules for every document type.

Retention period guidance by category
  • Financial records (invoices, journals, ledgers) — typically 7-10 years depending on jurisdiction and tax requirements
  • Employee records — varies by type: payroll records 7 years, personnel files 3-7 years after termination, medical records per local regulation
  • Contracts — duration of contract plus 6-10 years for potential dispute resolution
  • Tax records — minimum 7 years in most jurisdictions; longer in some countries
  • Correspondence and emails — follow organizational policy; default to 3-5 years unless litigation hold or regulatory requirement applies
GDPR vs retention

Two rules pull in opposite directions — and you need both.

  • GDPR requires data minimization and storage limitation: do not keep personal data longer than necessary.
  • Tax and financial regulations require long retention periods for records that contain personal data.
  • These requirements conflict. The resolution is purpose-based retention: keep only the data elements required for the regulatory purpose, for the minimum period required, with appropriate access controls.
YOUR ROLE IN CONTROLS EXECUTEFollow SOPs preciselyNo shortcuts on controls DOCUMENTEvidence your workIf it's not documented, it didn't happen ESCALATEFlag exceptions immediatelyNever hide a control failure CONTROLS PROTECT YOU AS MUCH AS THE COMPANY

Your role — approvals, reconciliations, documentation, compliance

Monday Move

Find your retention schedule and look up one document type you handle. Note both dates.

The classic rules covered. Cluster 3: the risks still being written.

PRACTITIONER'S LENS

The teams that breeze through audits have one thing the others don't: a dedicated function — even part-time resources — that owns audit readiness year-round, not just during audit season.

  • Their job: maintain documentation, prepare samples, and guide both auditors and the audited team through sampling and interviews.
  • During the year they support management testing for SOX 404.
  • During the audit they clarify and dispute potential findings before they get formally written up — that's where the real damage prevention happens.
  • Good partnership with auditors matters more than most people realize: smooth collaboration means faster progress, fewer surprises, and cleaner outcomes for everyone.
? CAREER CHECK click to expand
  • Compliance knowledge is a direct path to Internal Audit, Risk Management, and Controls leadership. Are you building this expertise deliberately?
  • Could you explain the three lines of defense model to a new team member? Understanding where you fit in the control framework is foundational.
  • Have you considered becoming a Controls Champion or audit liaison for your team? That role builds skills and visibility simultaneously.
GBS Insider Club learning paths offer structured career frameworks, practical templates, and guided exercises tailored to your GBS role — from entry-level to leadership.

Reference

Glossary

Full glossary at the GBS Insider Club Field Guide.

SoDSegregation of Duties — the principle that no single individual should control all aspects of a critical transaction. Prevents fraud and errors through split responsibilities.
SOXSarbanes-Oxley Act — US federal law (2002) requiring public companies to maintain effective internal controls over financial reporting. Section 404 is the most operationally relevant for GBS.
AMLAnti-Money Laundering — regulations and procedures designed to prevent the processing of illicit funds through the financial system.
KYCKnow Your Customer — the process of verifying the identity, background, and legitimacy of customers and business partners before entering into financial relationships.
OFACOffice of Foreign Assets Control — US Treasury department that administers and enforces economic sanctions. Maintains the SDN (Specially Designated Nationals) list.
Compensating controlAn alternative control implemented when the primary control (e.g., full SoD) cannot be achieved. Must provide equivalent risk mitigation.
Litigation holdA directive to preserve all relevant documents and data when litigation is reasonably anticipated. Overrides normal retention and deletion schedules.
Sources and further reading
  1. Sarbanes-Oxley Act — Section 404 requirements
  2. European Data Protection Board — GDPR enforcement and guidance
  3. FATF — Recommendations on Anti-Money Laundering, 2023
  4. IRS — Record retention requirements for businesses
  5. ISACA — COBIT framework for IT governance and controls
Theory done. Now make it count.

Knowing the frameworks is the entry ticket. Applying them — visibly, at your actual job — is what gets you promoted.

The GBS Insider Club Career Playbooks turn this theory into a guided 90-day program for your role: self-assessment, practical exercises, templates, and Julian's unfiltered practitioner playbook.

Explore the Career Playbooks → Back to Compliance and Risk
Leave a comment
← Previous Risk Management Next → Emerging Risk