Establishing and Maintaining an Authority Document Library


Compliance is ensuring that the requirements of laws, regulations, industry codes, and organizational doctrines are met. This also applies to contractual arrangements to which the organizational process is subject, i.e., externally imposed criteria. In other words, “being compliant” simply means following the rules that are set by people other than us or by the norms of the organization.

Because of human nature, if we were left to ourselves to comply with all the rules and regulations foisted upon us, do you really think that we would? Of course not. At least not all the time. No one reading this (ourselves as writers included) can say that they have always complied with all laws and regulations. Who among us hasn’t driven over the speed limit, cheated in solitaire, or broken/bent the rules? Not one of us.

And because we are apt to break the rules, we need to have measurable organizational compliance programs put in place to ensure that we do follow the rules. Compliance programs aim to prevent, and where necessary identify and respond to, breaches of laws, regulations, codes, or organizational requirements occurring in the organization. They should promote a culture of compliance within the organization. The organizational compliance program is instilled using compliance controls found within various regulations, standards, audit guides, etc., commonly called Authority Documents.

Therefore, it behooves each organization to maintain a library of these Authority Documents. As of late, we’ve found other terms for the same thing, such as regulatory inventory, regulatory compliance library, and Authoritative Source Library (ASL). Of these, Authority Document List and regulatory inventory are the most commonly used [1]. Maintaining the library is more than maintaining a list. It’s about internalizing what the Authority Documents have to say.

Therefore, when we say that an organization is complying, we are saying that they are following all the rules and guidelines set before them by creating and implementing a compliance program that outlines and documents specific controls in the form of policies, standards, and procedures – and most importantly auditing or attesting that they are following those policies, standards, and procedures. To accomplish this, every organization must internalize these guidelines.

It takes four steps, at minimum, for an organization to internalize the regulatory guidelines it complies with. The organization must:

  1. catalog the regulatory guidelines so that they can communicate which ones they are following;

  2. analyze those documents’ contents to determine the applicable mandates;

  3. assign the various mandates’ auditable entities to people, processes, records, and asset classes within the organization; and

  4. harmonize the applicable controls to the compliance program being run by the organization to avoid duplication of efforts.

Four steps to internalizing guidelines


There isn’t much doubt in the industry about these four core activities. While job descriptions for those who would maintain regulatory inventories or authoritative source libraries aren’t very specific about which of the four activities are involved in the process for those jobs [2], most articles as of late automatically assume that maintaining the library fully considers all four activities of internalization.

We say they assume all four activities because in their articles they point out the ability of such a library to map the mandates found in the library to activities and processes that are managed in the GRC system [3], such as this quote from members of Wolters Kluwer in an article about enhancing the insurance industry’s compliance:

“Compliance requirement citation connectivity can be the central point used to gain greater understanding of an insurer’s compliance program.” [4]

Other authors, such as Kara Kauter of Ernst & Young, are saying the same thing: that mapping requirements to the organization, which can only be done after the source documents are fully internalized, is a key value proposition [5].

Service organizations, such as the Thomson Reuters’ Pangea3 service [6], KPMG’s regulatory change management consulting [7], LexisNexis’ Regulatory Compliance offerings [8], and Unified Compliance’s Mapping software [9], offer all four activities, with the UCFMapper software breaking the activities into discrete units.

  1. According to ↩︎

  2. “Job Opening: Technology and Information Security Risk Officer Description at Wells Fargo”; “Job ID”; “Job Opening: Compliance and Operational Risk Manager - Data Risk.” ↩︎

  3. This mapping process is the fourth step in internalization, the harmonizing step. ↩︎

  4. “Enhancing Insurance Industry Compliance with an Authorative Source Library.” ↩︎

  5. “How Regulatory Inventories Can Deliver More Value.” ↩︎

  6. Thomson Reuters, “Pangea3 Regulatory Mapping Data Sheet.” ↩︎

  7. “Regulatory Change Management Enhancement and Transformation.” ↩︎

  8. “Regulatory Compliance Solutions | LexisNexis.” ↩︎

  9. “UCF Mapper.” ↩︎


“Enhancing Insurance Industry Compliance with an Authorative Source Library.” Accessed August 1, 2022.

“How Regulatory Inventories Can Deliver More Value.” Accessed August 7, 2022.

Bank of America Careers. “Job ID:22024675 - Regulatory Compliance Inventory Specialist - Multiple Locations.” Accessed August 7, 2022.

“Job Opening: Compliance and Operational Risk Manager - Data Risk.” Accessed August 7, 2022.

“Job Opening: Technology and Information Security Risk Officer Description at Wells Fargo.” Accessed August 7, 2022.

“Regulatory Change Management Enhancement and Transformation,” 2020, 6.

“Regulatory Compliance Solutions | LexisNexis.” Accessed August 7, 2022.

Thomson Reuters. “Pangea3 Regulatory Mapping Data Sheet,” n.d.

UCF Mapper. “UCF Mapper.” Accessed August 7, 2022.