DEV Community

ClawGear

35 ChatGPT Prompts for Compliance Officers: Policies, Audits, and Risk Assessments That Actually Get Done

Compliance work is documentation-heavy by design. Every policy revision, audit finding, regulatory update, and training reminder has to be written down clearly, reviewed, and communicated to people who would rather not be reading compliance documents in the first place.

ChatGPT doesn't replace your legal and regulatory judgment. It doesn't know your specific jurisdiction's latest guidance, and it won't catch the nuance that makes a policy actually compliant versus merely formatted like one. It will also cite article numbers, deadlines, and framework clauses with the same confidence whether they are right or wrong, so check every citation it produces against the primary source before it goes into a document. But it eliminates the blank-page problem on every routine document — the first drafts, the explanations, the checklists, the emails nobody wants to write.

These 35 prompts are fill-in-the-bracket templates. Drop in your specifics, review the output, and get working documents in minutes instead of hours.

1. Policy Drafting and Review

The policy library is always behind. New regulations drop, acquisitions happen, auditors find gaps, and someone has to write a coherent policy before the review cycle. These prompts accelerate the draft stage.

Prompt 1 — New policy first draft:

You are an experienced corporate compliance officer. Draft a [POLICY TYPE — e.g., data retention policy, conflicts of interest policy, vendor due diligence policy] for a [INDUSTRY] company with approximately [NUMBER] employees. The policy must address: [LIST 3–4 KEY REQUIREMENTS — e.g., regulatory requirement, specific risk scenario]. Include: purpose statement, scope, definitions, policy requirements, responsibilities, exceptions process, and review frequency. Plain but professional language. No legal jargon unless required.

Prompt 2 — Policy gap analysis:

I'm reviewing our existing [POLICY NAME] against [REGULATORY FRAMEWORK — e.g., GDPR, SOX, HIPAA, ISO 27001]. Our current policy covers: [LIST WHAT'S IN IT]. The framework requires: [LIST KEY REQUIREMENTS]. Identify the gaps, rank them by risk severity (high/medium/low), and recommend specific additions or revisions for each gap.

Prompt 3 — Policy plain-language summary:

Rewrite the following compliance policy section in plain language for a non-legal employee audience. Remove jargon, use active voice, and keep sentences under 20 words. The audience is [ROLE — e.g., sales staff, warehouse workers, new hires]. Preserve all substantive requirements but make them easy to understand.

Original policy text:
[PASTE POLICY SECTION]

Prompt 4 — Policy revision change summary:

I've revised our [POLICY NAME]. Write a change summary document for our policy management system and a brief announcement for employees. Changes made:
[LIST CHANGES — what was added, removed, or modified]

The change summary should include: effective date, reason for revision, summary of changes, and who approved it. The employee announcement should be under 100 words and direct.

Prompt 5 — Policy exception request template:

Create a policy exception request form template for our [POLICY NAME]. Include: requestor information, specific policy section being excepted, business justification, duration of exception, compensating controls in place, risk assessment, approval tiers (based on risk level), and an expiration/review date. Add a note that exceptions must be reapproved annually.

2. Risk Assessment and Audit Prep

Regulators and auditors want to see documented, structured thinking about risk. These prompts help you build assessments and prepare for scrutiny.

Prompt 6 — Risk assessment framework for a process:

Create a compliance risk assessment for our [PROCESS NAME — e.g., vendor onboarding, data access management, third-party marketing]. For each risk identified:
1. Describe the risk scenario
2. Rate inherent likelihood (1–5) and inherent impact (1–5)
3. List existing controls
4. Rate residual likelihood and impact after controls
5. Recommend additional controls or monitoring if residual risk is high

Industry: [INDUSTRY]. Applicable regulations: [LIST REGULATIONS].

Prompt 7 — Audit preparation checklist:

Create an audit preparation checklist for a [TYPE OF AUDIT — e.g., internal SOX audit, HIPAA compliance review, external ISO 27001 surveillance audit] for a [INDUSTRY] company. Include: documents to gather, stakeholders to brief, common findings in this audit type, pre-audit self-assessment steps, and logistics checklist (room booking, access credentials, interview schedule template).

Prompt 8 — Audit finding response memo:

Write a response memo to the following audit finding:

Finding: [PASTE FINDING TEXT OR SUMMARIZE]
Severity: [HIGH/MEDIUM/LOW]
Auditor: [INTERNAL/EXTERNAL/REGULATOR]

The memo should include: acknowledgment of the finding, root cause analysis, corrective action plan with owner and due date for each action, and a statement of management's commitment to resolution.

Prompt 9 — Control effectiveness summary:

Write a control effectiveness summary for our [CONTROL NAME] for the period [DATE RANGE]. Include: control objective, how the control operates, testing performed, number of samples, exceptions found, root cause of exceptions, and an overall effectiveness rating (effective/partially effective/ineffective) with justification.

Prompt 10 — Annual compliance risk register update email:

Write an email to department heads requesting their input for our annual compliance risk register update. Include: what a risk register is (one sentence), why their input matters, the 3 questions I need them to answer for each process they own, the deadline, and how to submit. Tone: collaborative, not threatening. Under 200 words.

3. Regulatory Monitoring and Updates

Staying current with regulatory changes is a full-time job within the job. These prompts help you synthesize updates into actionable communications.

Prompt 11 — Regulatory change impact summary:

Summarize the compliance impact of the following regulatory update for our [INDUSTRY] business:

[PASTE REGULATORY UPDATE TEXT OR DESCRIBE THE CHANGE]

Structure your response as:
1. What changed (plain language)
2. Effective date and transition requirements
3. Which of our processes or policies are affected
4. Specific actions we need to take, by when
5. Risk of non-action

Prompt 12 — Regulatory update briefing for executives:

Write a 1-page regulatory update briefing for our executive team on [REGULATORY CHANGE OR NEW RULE]. They are not compliance specialists. Include: what changed, why it matters to our business (in dollar/operational terms), what we're doing about it, what decisions they need to make (if any), and timeline. No footnotes, no jargon.

Prompt 13 — Regulatory inventory for a new market:

We are expanding into [STATE/COUNTRY/SECTOR]. Create a compliance regulatory inventory checklist for a [INDUSTRY] company entering this market. List: applicable regulations by category (data privacy, employment, industry-specific licensing, environmental, financial reporting), key deadlines or registration requirements, and first-priority actions to get compliant before operations begin.

Prompt 14 — Compliance calendar for Q[X]:

Create a compliance calendar for Q[QUARTER] [YEAR] for a [INDUSTRY] company. Include: regulatory filing deadlines, required training windows, policy review due dates, audit schedule items, and board/committee reporting dates. Format as a table with: date, activity, owner, and status column.

Prompt 15 — Third-party regulatory change notification:

Write a notification to our vendors/partners about a regulatory change that affects how they must work with us. The change: [DESCRIBE CHANGE]. What vendors must do differently: [LIST REQUIREMENTS]. Deadline for compliance: [DATE]. Consequence of non-compliance: [DESCRIBE]. Tone: clear and factual, not threatening but serious.

4. Training and Employee Communication

Compliance training is only effective if employees understand and remember it. These prompts help you create materials people will actually read.

Prompt 16 — Annual compliance training outline:

Create a 60-minute annual compliance training outline for [EMPLOYEE GROUP — e.g., all employees, sales team, finance team] at a [INDUSTRY] company. Topics required: [LIST TOPICS — e.g., code of conduct, anti-bribery, data privacy, conflicts of interest]. For each module: learning objective, key message (one sentence), format (video/quiz/scenario), and time allocation.

Prompt 17 — Compliance scenario for training:

Write 3 realistic workplace scenarios for [COMPLIANCE TOPIC — e.g., conflicts of interest, gifts and entertainment, data handling] tailored to a [INDUSTRY] company. Each scenario should: describe a realistic situation, present 3 answer choices (one clearly correct, one a common mistake, one borderline), and include an explanation of the correct answer and why the others are wrong.

Prompt 18 — All-staff compliance reminder email:

Write a company-wide email reminding employees about [COMPLIANCE REQUIREMENT — e.g., annual code of conduct certification, data handling policy, gift reporting]. Include: why it matters (one sentence, no fear-mongering), exactly what they need to do, deadline, how long it takes, and who to contact with questions. Tone: professional and direct. Under 150 words.

Prompt 19 — New hire compliance orientation script:

Write a 10-minute compliance orientation script for new hires at a [INDUSTRY] company. Cover: our compliance culture and expectations, the top 3 compliance risks in our industry, who to contact with concerns, the whistleblower policy summary, and how to access our policies. Written for verbal delivery, not reading. Friendly, direct, no jargon.

Prompt 20 — FAQ document for a new policy:

Create an employee FAQ for our new [POLICY NAME] that takes effect [DATE]. Include 10 questions employees are likely to ask, with clear answers. Questions should cover: what changed, who it applies to, what they need to do differently, common edge cases [LIST 2–3 SCENARIOS], and what happens if they violate it. Plain language, under 15 words per answer where possible.

5. Incident Response and Investigation

When something goes wrong, documentation speed and quality matter. These prompts support the written work of incident management. One check before you use them: the prompt box is an external system, so names, personal data, and privileged investigation material belong in it only if your organization has approved the tool for that data. Otherwise describe the incident in redacted, generic terms, get the draft back, and fill in the specifics inside your own systems.

Prompt 21 — Incident intake report template:

Create a compliance incident intake report template. Fields to include: incident reference number, date/time reported, reported by, type of incident [with dropdown categories], description of incident (what happened, where, who was involved), immediate actions taken, potential regulatory implications, escalation required (yes/no), and reviewer sign-off. Include a section for preliminary risk rating.

Prompt 22 — Root cause analysis write-up:

Write a root cause analysis document for the following compliance incident:

Incident summary: [DESCRIBE INCIDENT]
Business area: [DEPARTMENT/PROCESS]
Date occurred: [DATE]
Date discovered: [DATE]

Structure the analysis using the 5-Why method. Identify: the immediate cause, contributing factors, systemic cause, and recommended corrective/preventive actions with owners and due dates.

Prompt 23 — Regulatory breach notification draft:

Draft a regulatory breach notification to [REGULATOR NAME] regarding [INCIDENT TYPE]. Details:
- What happened: [SUMMARY]
- When: [DATE/DATE RANGE]
- Who was affected: [DESCRIPTION]
- Data or activity involved: [DESCRIPTION]
- Actions taken to date: [LIST]

Tone: factual, cooperative, and professional. Note any required content elements and the notification deadline under [APPLICABLE REGULATION — e.g., GDPR Article 33, HIPAA Breach Notification Rule], and say which of the details above are still missing for that regulator. Flag anything I need to verify with legal counsel before sending.

Prompt 24 — Investigation interview question guide:

Create an interview question guide for investigating a [TYPE OF INCIDENT — e.g., potential code of conduct violation, data misuse allegation, expense fraud]. Questions should be: open-ended, non-leading, appropriate for a fact-finding (not accusatory) tone. Include: opening statement script, 10 investigation questions, follow-up probes for each question, and a closing statement that explains next steps.

Prompt 25 — Lessons learned memo post-incident:

Write a lessons learned memo following the resolution of [INCIDENT TYPE] at our company. The incident was resolved on [DATE]. Key facts: [BRIEF SUMMARY]. Include: what worked in our response, what didn't work, three specific process improvements we're implementing, who owns each improvement, and timeline. Audience: compliance committee. Under 400 words.

6. Vendor and Third-Party Compliance

Third-party risk is one of the most common sources of compliance failures. These prompts handle the documentation layer.

Prompt 26 — Vendor due diligence questionnaire:

Create a vendor due diligence questionnaire for [RISK TIER — high/medium/low risk vendors] at a [INDUSTRY] company. Include sections on: corporate information, financial stability, information security practices, compliance certifications ([LIST RELEVANT CERTS — e.g., SOC 2, ISO 27001, PCI DSS]), regulatory compliance, sub-processor/subcontracting practices, incident history, and insurance coverage.

Prompt 27 — Third-party audit right notification:

Write a formal letter notifying a vendor that we intend to exercise our contractual audit rights. Include: reference to the relevant contract clause, scope of the audit, proposed dates [DATE RANGE], documents we'll need in advance, who will conduct the audit, and our expectation of cooperation. Professional and firm tone.

Prompt 28 — Vendor compliance breach letter:

Write a letter to a vendor who has failed to meet their compliance obligations under our agreement. Specific breach: [DESCRIBE BREACH]. Required remediation: [LIST ACTIONS]. Deadline for cure: [DATE]. Consequence of non-cure: [CONTRACT SUSPENSION/TERMINATION/OTHER]. Include a formal cure notice clause reference if applicable. Serious but professional tone.

Prompt 29 — Annual vendor compliance certification email:

Write an email requesting annual compliance certification from our strategic vendors. They need to re-certify that they meet our standards for [LIST AREAS — e.g., data privacy, anti-bribery, labor practices]. Include: a link to our vendor code of conduct [PLACEHOLDER], the certification form link, the deadline, and what happens if they don't respond. Under 200 words.

Prompt 30 — Third-party risk summary for committee:

Write a third-party risk summary for presentation to our compliance committee. As of [DATE], our vendor population includes:
- Total vendors: [NUMBER]
- High-risk tier: [NUMBER] vendors
- Overdue due diligence items: [NUMBER]
- Vendors with open findings: [NUMBER]

Summarize: top 3 risks, actions in progress, escalation items requiring committee decision, and the remediation timeline.

7. Reporting and Documentation

Board reports, committee updates, and metrics dashboards — the audience changes but the need for clarity doesn't. These prompts build the output layer of compliance work.

Prompt 31 — Quarterly compliance report for the board:

Write a quarterly compliance report for the board of directors for [QUARTER/YEAR]. Audience: non-compliance board members. Include: compliance program health summary, key regulatory developments, significant incidents (with resolution status), audit results, training completion rates, metrics vs. targets, and top risks for the next quarter. Under 600 words. Use headers and bullets.

Prompt 32 — Compliance metrics dashboard narrative:

Write the narrative section for our compliance metrics dashboard for [PERIOD]. Metrics:
- Policy exceptions requested: [NUMBER] (vs. target [NUMBER])
- Training completion rate: [%]
- Incidents reported: [NUMBER]
- Mean time to resolve incidents: [DAYS]
- Vendor due diligence completion: [%]

For each metric: state the result, compare to target, explain the main driver of any variance, and note the next action.

Prompt 33 — Compliance program annual report:

Write an annual compliance program report for [YEAR] for a [INDUSTRY] company. Sections to include: executive summary, program highlights and achievements, key regulatory changes addressed, training and communication results, audit and monitoring results, incident summary, areas for improvement, and priorities for [NEXT YEAR]. Length: 800–1,000 words. Audience: board and senior leadership.

Prompt 34 — Ethics hotline report summary:

Write a quarterly ethics hotline summary report for [QUARTER/YEAR]. Data:
- Total reports received: [NUMBER]
- By category: [LIST CATEGORIES AND COUNTS]
- Substantiated: [NUMBER], Unsubstantiated: [NUMBER], Pending: [NUMBER]
- Average investigation time: [DAYS]

Include: key trends, any systemic issues identified, actions taken, and a note on reporter experience (anonymity protected, no retaliation confirmed).

Prompt 35 — Compliance communication plan:

Create a 12-month compliance communication plan for [YEAR] for a [INDUSTRY] company. For each month, include: the primary compliance message or topic, target audience, communication channel, responsible owner, and success metric. Cover at minimum: code of conduct, data privacy, anti-bribery, conflicts of interest, and whistleblower channel. Balance training deadlines with natural business calendar (avoid December and major crunch periods).

Get 35 More Prompts — Organized by Regulation and Risk Type

These 35 prompts cover core compliance workflows. The full pack adds 35 more targeted prompts for specific frameworks: GDPR, HIPAA, SOX, anti-bribery, and financial services compliance.

Get the full 70-prompt Compliance Officer ChatGPT Pack →

Use LAUNCH30 for 30% off — limited uses remaining.

Every prompt is editable. Works with ChatGPT-4, Claude, and Gemini.
