Compliance officers carry a weight that most people in the organization never fully appreciate. You're responsible for ensuring your company doesn't break laws, violate regulations, or expose itself to regulatory action—across multiple frameworks, jurisdictions, and business units simultaneously.
The job is relentlessly document-heavy. Policy documents, risk assessments, training materials, audit responses, regulatory filings, incident reports, board presentations—the writing never stops.
ChatGPT won't interpret regulations for you or provide legal advice. But it can dramatically accelerate the documentation work that consumes your time: drafting policies, structuring risk matrices, writing training content, and preparing regulatory communications that need to be clear, precise, and thorough.
These 35 prompts cover the full compliance workflow. Copy, adapt to your regulatory environment, and get more done.
Policy Development and Management
Prompt 1 — Draft a compliance policy
Draft a [policy name] policy for a [industry] company of approximately [size]. Regulatory drivers: [list applicable regulations — GDPR, SOX, HIPAA, etc.]. Policy must cover: purpose, scope, definitions, policy statements, roles and responsibilities, procedures, exceptions process, and review cycle. Tone: formal but accessible. Flag any sections that need legal review before adoption.
Prompt 2 — Update an existing policy
I need to update our [policy name] policy due to: [regulatory change / incident / audit finding / business change]. Here is the current policy: [paste policy]. Here is what changed: [describe the change]. Revise the affected sections, flag any cascading changes needed in other sections, and add a revision history entry. Preserve the original structure and voice.
Prompt 3 — Write a policy summary for employees
Summarize the following compliance policy for a general employee audience: [paste or describe policy]. The employees are [role description] who don't have compliance backgrounds. Create: a 1-page plain-English summary of what the policy requires, what employees must do (and not do), consequences of non-compliance, and how to ask questions. Remove jargon.
Prompt 4 — Create a policy gap analysis
I need to identify gaps between our current policies and [regulation/framework — e.g., ISO 27001, GDPR Article 32, SOC 2 Type II]. Our current policies: [list policy titles]. The regulation requires: [paste or describe requirements]. For each requirement: flag whether we have a policy covering it (yes/partial/no), identify the specific gap, and suggest the remediation needed.
Prompt 5 — Write a policy exception request template
Create a policy exception request template for our [policy name] policy. Include fields for: requestor information, policy section and requirement, reason the exception is needed, proposed alternative control, risk assessment of granting the exception, duration requested, approvals required, and conditions for renewal. Add guidance notes for how to complete each field.
Risk Assessment and Management
Prompt 6 — Write a compliance risk assessment
Write a compliance risk assessment for [business area or process]. Applicable regulations: [list]. For each risk: identify the regulatory requirement, describe the risk event, assess likelihood (1-5) and impact (1-5), calculate inherent risk score, describe current controls, assess residual risk, and recommend additional controls. Format as a risk register table.
Prompt 7 — Write a risk narrative
Write a risk narrative for the following compliance risk: [describe risk]. Cover: what the risk is, the regulatory basis (cite specific regulation/section), what could trigger it, business impact if it materializes (financial, reputational, operational), existing mitigating controls, residual exposure, and recommended action. Format for risk committee presentation — concise and decision-ready.
Prompt 8 — Create a compliance controls matrix
Create a compliance controls matrix mapping [regulation] requirements to our internal controls. Regulation sections to map: [list]. For each requirement: the regulatory citation, the control objective, our control name and description, control type (preventive/detective/corrective), control frequency, control owner, and evidence of operation. Use a table format for audit readiness.
Prompt 9 — Write a third-party risk assessment
Write a third-party compliance risk assessment for [vendor/partner name]. Services provided: [description]. Data accessed: [what data and how sensitive]. Regulatory relevance: [which of our regulatory obligations are implicated]. Assessment areas: data security, privacy practices, business continuity, financial stability, regulatory standing, and sub-processor controls. Recommend: approve / approve with conditions / reject.
Training and Awareness
Prompt 10 — Write compliance training content
Write compliance training content on [topic — e.g., data privacy, anti-bribery, insider trading]. Audience: [employee level and function]. Learning objectives: employees will understand [list]. Training format: [e-learning script / in-person guide / policy quiz]. Cover: the rule in plain English, real-world examples of violations, what employees must do, red flags to recognize, and how to report concerns. Avoid legal jargon.
Prompt 11 — Create compliance training scenarios
Create 5 realistic scenario-based training questions on [compliance topic]. Audience: [employee role]. Each scenario: describe a realistic workplace situation, ask what the employee should do, provide 4 answer options (1 correct, 3 plausible-but-wrong), and write the feedback explanation for each option. Make the wrong answers genuinely tempting — easy questions don't change behavior.
Prompt 12 — Write a compliance awareness email
Write a compliance awareness email to [audience — all staff / specific department] on [topic]. Triggered by: [upcoming deadline / regulatory change / recent industry enforcement action / internal reminder]. Cover: why this matters right now, the key rule in plain English, 2-3 examples of what compliance looks like in practice, and one specific action employees should take. Under 300 words. Tone: informative, not preachy.
Prompt 13 — Write FAQs for a new policy
Write an FAQ document for our new [policy name] that launches on [date]. Anticipated employee questions: [list questions you've heard or expect]. For each question: write it as an employee would ask it (not how you'd phrase it internally), give a direct answer in 2-4 sentences, and flag if the answer involves a judgment call that employees should escalate. Organize by topic.
Audit and Regulatory Response
Prompt 14 — Prepare an audit response
We received an audit finding: [paste finding]. The auditor's concern: [describe]. Our position: [do we agree/disagree and why]. Help me write a formal response that: acknowledges the finding professionally, presents our position with supporting facts, describes the corrective action we're committing to (if any), includes a timeline, and identifies who is responsible. Tone: cooperative but factual.
Prompt 15 — Write a corrective action plan
Write a corrective action plan (CAP) for the following compliance finding: [describe finding]. Include: root cause analysis (why did this gap occur), immediate remediation steps, systemic corrective actions to prevent recurrence, validation steps to confirm effectiveness, responsible owners, and target completion dates. Format for regulator or auditor submission.
Prompt 16 — Draft a regulatory response letter
Draft a response letter to [regulator name] regarding: [describe inquiry, request, or enforcement action]. Our position: [describe]. Key facts to include: [list]. Tone must be: cooperative, transparent, and professional — not defensive. Include: acknowledgment of the inquiry, factual response to each question/request, timeline for any requested information, and our point of contact. Have legal review before sending.
Prompt 17 — Prepare for a regulatory examination
We have a regulatory examination by [regulator] scheduled for [date]. Focus areas: [list]. Help me create: a pre-exam preparation checklist, a list of documents we should have ready, 10 likely examiner questions with suggested response frameworks, and an internal briefing template to align department heads on what to expect and how to communicate with examiners.
Prompt 18 — Write an audit trail documentation summary
Write an audit trail summary documenting our compliance with [requirement] for the period [date range]. Evidence collected: [list documents, logs, approvals]. For each control: describe what was done, when, by whom, with what evidence. Format as a defensible compliance narrative that connects each piece of evidence to the specific regulatory requirement it satisfies.
Incident Management and Reporting
Prompt 19 — Write a compliance incident report
Write a compliance incident report for the following event: [describe incident]. Cover: incident description and timeline, regulatory implications (which rules may have been violated), immediate containment steps taken, root cause analysis, affected parties, notification obligations (internal and external), corrective actions, and lessons learned. Flag which sections require legal review before finalization.
Prompt 20 — Draft a breach notification
Draft a data breach notification for [affected parties — customers / regulators / both]. Incident: [brief, non-technical description]. Data involved: [type of data]. Timing: [when it occurred, when discovered]. What we've done: [containment and remediation steps]. What affected parties should do: [recommended actions]. Regulatory basis for notification: [GDPR Art. 34 / HIPAA / state law]. Legal must review before sending.
Prompt 21 — Write a whistleblower report summary
Summarize the following whistleblower report for legal and compliance review: [paste report or describe allegations]. Organize as: allegation summary, parties named, regulatory implications, evidence mentioned, urgency assessment, and recommended investigation next steps. Maintain confidentiality — use role descriptions rather than names in the summary document.
Board and Leadership Reporting
Prompt 22 — Write a quarterly compliance report
Write a quarterly compliance report for the board/audit committee. Period: [quarter]. Cover: regulatory developments affecting us this quarter, open regulatory matters and status, audit findings and remediation progress, policy updates approved, training completion rates, compliance incidents (type and count, no details), and key risks for board awareness. Tone: executive-level, factual, forward-looking.
Prompt 23 — Write a regulatory change impact assessment
Write a regulatory change impact assessment for: [describe new or amended regulation]. Effective date: [date]. Affected business areas: [list]. For each area: describe what changes, what our current state is, what gap exists, the effort to remediate (High/Medium/Low), the risk of non-compliance, and the recommended action. Format for leadership review and resource allocation decisions.
Prompt 24 — Write a compliance dashboard narrative
Write a narrative to accompany our compliance dashboard metrics for [period]. Key metrics: [paste metric names and values]. For each metric: explain what it measures, what the current value indicates, whether we're on track or at risk, and what action (if any) leadership should be aware of. Translate numbers into business language — the audience doesn't think in compliance metrics.
Program Management
Prompt 25 — Write a compliance program charter
Write a compliance program charter for [company name]. Include: program purpose and objectives, regulatory scope, governance structure and oversight, roles and responsibilities, program components (policy management, training, monitoring, reporting, investigations), resource requirements, and success metrics. This document establishes the authority and structure of the compliance function.
Prompt 26 — Create a compliance calendar
Create an annual compliance calendar for [company type] subject to [list regulations]. Include: regulatory filing deadlines, required training completion deadlines, policy review cycles, scheduled audits and assessments, board/committee reporting dates, and key regulatory reporting dates. Format as a month-by-month view with responsible owner and lead time needed for each item.
Prompt 27 — Write monitoring and testing procedures
Write compliance monitoring and testing procedures for [control or process]. Testing objective: [what we're validating]. Testing frequency: [how often]. Sample size approach: [methodology]. Steps: [what the tester does]. Evidence to collect: [what documents/data]. Acceptable vs. exception findings: [thresholds]. Escalation path for exceptions: [describe]. Documentation requirements: [what must be recorded].
Prompt 28 — Draft a conflicts of interest disclosure form
Draft a conflicts of interest disclosure form for [company type]. Cover: types of conflicts employees must disclose (outside employment, financial interests, personal relationships with vendors/customers, board memberships, gifts above threshold), how to disclose, what happens after disclosure, and the annual certification requirement. Include a sample disclosure scenario for each conflict type.
Professional Effectiveness
Prompt 29 — Communicate a compliance requirement to business partners
I need to explain [compliance requirement] to [business team — e.g., sales, marketing, product]. They've been resistant because [describe concern]. Write a communication that: frames the requirement in terms of business risk they care about, explains what they need to do specifically, acknowledges the operational impact, and proposes a workable path forward. No jargon. Under 300 words.
Prompt 30 — Write a compliance advisory memo
Write a compliance advisory memo on [topic] for [business unit]. Triggered by: [regulatory change / business initiative / recent enforcement trend]. Bottom line up front: [the key point in 2 sentences]. Background: [context]. What this means for your business unit: [specific implications]. Required actions: [list with owners and deadlines]. Questions: [your contact]. Keep it to 1 page.
Prompt 31 — Prepare a compliance presentation
Create an outline and talking points for a [X]-minute compliance presentation to [audience]. Topic: [subject]. Key messages to land: [list 3]. Structure: opening hook, current state, what's changing/at risk, what we need from this audience, and next steps. For each slide: suggest the main visual/data point, 3 talking points, and one audience question to anticipate. Avoid wall-of-text slides.
Prompt 32 — Write a compliance self-assessment
Write a compliance self-assessment for [business unit / process] against [regulation/standard]. For each requirement: describe our current practice, identify evidence of compliance, note any gaps or weaknesses, assess our compliance level (Compliant / Partially Compliant / Non-Compliant), and recommend improvement actions. Format for internal audit use — honest assessment, not aspirational.
Prompt 33 — Respond to a business request that raises compliance concerns
A business colleague has requested: [describe request — e.g., "skip the KYC check for this VIP client" or "use personal email for this communication"]. I need to decline or modify the request for compliance reasons. Write a professional response that: states my concern clearly, explains the regulatory basis without over-explaining, proposes a compliant alternative, and keeps the business relationship intact.
Prompt 34 — Document a compliance decision
Document the following compliance decision for the record: [describe decision made]. Include: date, decision-maker, issue presented, options considered, rationale for decision chosen, regulatory basis, any conditions or caveats, follow-up actions required, and approval signatures needed. This document should be defensible if the decision is later questioned by a regulator or auditor.
Prompt 35 — Write a year-end compliance summary
Write a year-end compliance program summary for [year]. Cover: regulatory changes we navigated, audit and examination outcomes, incidents managed and closed, training completion rates, policies updated, program improvements implemented, and key risks heading into [next year]. Format for the annual report to the board's audit committee. Lead with outcomes, not activities.
A Note on These Prompts
Compliance work is high-stakes. ChatGPT is a drafting tool, not a legal advisor. Every policy, regulatory response, and incident report should go through appropriate legal review before finalization. Use these prompts to eliminate blank-page time and first-draft friction—not to replace professional judgment or legal counsel.
Never paste confidential regulatory correspondence, employee PII, or legally privileged material into any AI tool without explicit organizational approval.
The Complete Compliance Officer AI Toolkit
These 35 prompts cover core compliance deliverables. If you want the full system — advanced prompts for multi-jurisdictional compliance mapping, regulatory change management workflows, board communication templates, and a complete audit readiness toolkit — the Compliance Officer AI Toolkit has everything organized and ready.
Save this page. Share it with your compliance team. Use one prompt on your next policy draft — you'll see the difference immediately.