Pillar 9 · Cluster 2
Regulatory compliance and internal controls
Segregation of duties, GDPR, SOX, AML, and document retention are the compliance guardrails that every GBS professional operating in finance, HR, or procurement must understand and follow.
Three lines of defense, SOX compliance, and the COSO framework
Sound familiar?
Topic 01 · Access Controls
Segregation of Duties and toxic combinations
Toxic access combinations — create plus approve, vendor plus payment — are findable before auditors find them. Review access, not intentions. The model is in THE FIX.
Nobody plans the toxic combination.
It accumulates.
PAccess review season. Peter checks his team’s roles line by line.
One analyst, through two role changes and one coverage emergency, can now create vendors and approve payments to them.
Nobody decided that. It grew.
"Every toxic combination has an innocent history."
He feels uneasy — and glad he looked before an auditor did.
You trust that access matches roles. Access accumulates; roles change; nobody subtracts.
SoD review hunts combinations, not individuals.
The combination is split the same week — documented as self-identified. In audit language, that is the best sentence there is.
SoD and toxic combinations in depth
No single person should be able to create a vendor, enter an invoice, approve the payment, and execute the bank transfer. SoD prevents fraud by splitting critical actions across different individuals.
- Vendor master creation + invoice entry — the same person could create a fictitious vendor and process payments to them
- Purchase order creation + goods receipt — the same person could order goods and confirm receipt without physical verification
- Journal entry posting + journal entry approval — the same person could create and authorize fraudulent entries
- Payment execution + bank reconciliation — the same person could divert payments and hide the discrepancy
- User access administration + transaction processing — the same person could grant themselves excessive access and use it
SoD is straightforward in large GBS centers with hundreds of employees. It becomes genuinely difficult in small teams where there are not enough people to split every function. The answer is compensating controls that mitigate the risk when full segregation is not possible:
- Additional review steps
- Management approvals
- Exception reporting
- Audit trail monitoring
Three lines of defense — operations, risk & compliance, internal audit
Review your own access for one toxic pair. Found one? Report it — self-found counts in your favor.
Access is one rulebook. Two bigger ones govern the data and the numbers.
Topic 02 · Regulatory Frameworks
GDPR and SOX — the two compliance pillars
GDPR protects personal data; SOX protects financial reporting integrity. Different laws, different logic — your controls serve both. The model is in THE FIX.
Two rulebooks on your desk.
They are not the same book.
KAn auditor asks Klaudia which of her controls are SOX-relevant. She points at the GDPR training certificate.
Wrong book. One protects people’s data; the other protects investors’ numbers.
Her four-eyes check serves SOX. Her data-retention discipline serves GDPR. She had never sorted which was which.
"I follow both. I just could not name which rule I was serving."
She feels clearer after one sorting exercise.
You lump all compliance into one blur — and cannot explain your own controls when asked.
Two regimes, two different protections.
Her control list gains two columns: GDPR, SOX. The next audit question gets a ten-second answer.
GDPR and SOX in depth
GDPR governs how you handle personal data. SOX governs the accuracy and integrity of financial reporting. Both carry severe consequences for violations.
Scope and focus
- Protects personal data of EU residents
- Applies to any organization processing EU personal data
- Enforcement: fines up to 4% of annual global revenue
- Key requirements: consent, data minimization, right to erasure, breach notification within 72 hours
Scope and focus
- Ensures accuracy of financial reporting for US-listed companies
- Applies to the company and all entities that contribute to consolidated financial statements
- Enforcement: criminal penalties including imprisonment for executives
- Key requirements: internal controls over financial reporting (ICFR), management assessment, external auditor attestation
COSO framework — foundation of SOX compliance in GBS
Take your three main controls. Label each: GDPR, SOX, or both.
Some transactions face a third rulebook. The one with sanctions lists.
Topic 03 · Financial Crime
AML and sanctions screening basics
AML and sanctions screening block transactions with prohibited parties. In GBS, the alert queue is where the law meets your day. The model is in THE FIX.
A name matches a list.
Your next click is regulated.
AA new customer setup hits a screening alert on Amara’s queue. Partial name match, sanctions list.
The sales team pushes: "It is obviously a false positive, just clear it."
Amara works the protocol instead: secondary identifiers, documentation, escalation to compliance. Cleared properly — in hours, not seconds.
"False positive is a conclusion, not a starting assumption."
She feels firm under pressure that had a deadline attached.
You treat screening alerts as friction to clear fast — and inherit personal exposure with every shortcut.
Alert handling is protocol over pressure.
The match proves false — on evidence, on record. The pressure evaporates; the paper trail stays.
AML and sanctions screening in depth
Anti-Money Laundering and sanctions compliance are not just for banks. GBS centers processing payments, onboarding vendors, or managing customer data have screening obligations.
- Know Your Customer (KYC) / Know Your Vendor (KYV) — verify the identity and legitimacy of business partners before entering into financial relationships
- Sanctions screening — check all counterparties against government sanctions lists (OFAC, EU, UN) before processing payments
- Suspicious Activity Reporting (SAR) — obligation to report transactions that appear unusual, structured, or inconsistent with known business patterns
- Transaction monitoring — automated rules that flag payments above thresholds, to high-risk jurisdictions, or with unusual patterns
- Record retention — maintain transaction records and screening results for the period required by applicable regulations (typically 5-7 years)
Know your escalation path for a screening doubt. Name and channel, before you need them.
What you keep matters as much as what you block. Retention has rules too.
Topic 04 · Records Management
Document retention and archiving policies
Records have legal lifespans — keeping too short breaks the law, keeping too long breaks GDPR. The schedule decides, not habit. The model is in THE FIX.
Keep everything forever?
That is also a violation.
RRavi hoards everything — every file, every email, "just in case." A colleague deletes freely to keep folders clean.
The records team explains: both habits are violations. Invoices carry statutory minimums; personal data carries GDPR maximums.
The lifespan is set by a schedule, not by personality.
"There is a date for keeping and a date for deleting. Neither is mine to choose."
He feels relieved — the rule replaces the guesswork.
You retain by instinct — hoarder or cleaner — when both instincts violate a schedule that already exists.
Retention runs on three dates.
Ravi checks the schedule once and labels his folders by class. Keeping and deleting both become compliance instead of personality.
Records retention in depth
Keeping documents too long creates liability. Deleting them too early creates compliance violations. Retention policies define the rules for every document type.
- Financial records (invoices, journals, ledgers) — typically 7-10 years depending on jurisdiction and tax requirements
- Employee records — varies by type: payroll records 7 years, personnel files 3-7 years after termination, medical records per local regulation
- Contracts — duration of contract plus 6-10 years for potential dispute resolution
- Tax records — minimum 7 years in most jurisdictions; longer in some countries
- Correspondence and emails — follow organizational policy; default to 3-5 years unless litigation hold or regulatory requirement applies
Two rules pull in opposite directions — and you need both.
- GDPR requires data minimization and storage limitation: do not keep personal data longer than necessary.
- Tax and financial regulations require long retention periods for records that contain personal data.
- These requirements conflict. The resolution is purpose-based retention: keep only the data elements required for the regulatory purpose, for the minimum period required, with appropriate access controls.
Your role — approvals, reconciliations, documentation, compliance
Find your retention schedule and look up one document type you handle. Note both dates.
The classic rules covered. Cluster 3: the risks still being written.
The teams that breeze through audits have one thing the others don't: a dedicated function — even part-time resources — that owns audit readiness year-round, not just during audit season.
- → Their job: maintain documentation, prepare samples, and guide both auditors and the audited team through sampling and interviews.
- → During the year they support management testing for SOX 404.
- → During the audit they clarify and dispute potential findings before they get formally written up — that's where the real damage prevention happens.
- → Good partnership with auditors matters more than most people realize: smooth collaboration means faster progress, fewer surprises, and cleaner outcomes for everyone.
Reference
Glossary
Full glossary at the GBS Insider Club Field Guide.
- Sarbanes-Oxley Act — Section 404 requirements
- European Data Protection Board — GDPR enforcement and guidance
- FATF — Recommendations on Anti-Money Laundering, 2023
- IRS — Record retention requirements for businesses
- ISACA — COBIT framework for IT governance and controls
Knowing the frameworks is the entry ticket. Applying them — visibly, at your actual job — is what gets you promoted.
The GBS Insider Club Career Playbooks turn this theory into a guided 90-day program for your role: self-assessment, practical exercises, templates, and Julian's unfiltered practitioner playbook.
Explore the Career Playbooks → Back to Compliance and Risk