{
  "schemaVersion": "1.0",
  "item": {
    "slug": "afrexai-regulatory-compliance",
    "name": "Regulatory Compliance Audit",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/1kalin/afrexai-regulatory-compliance",
    "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-regulatory-compliance",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/afrexai-regulatory-compliance",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-regulatory-compliance",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/afrexai-regulatory-compliance"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/afrexai-regulatory-compliance",
    "agentPageUrl": "https://openagent3.xyz/skills/afrexai-regulatory-compliance/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-regulatory-compliance/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-regulatory-compliance/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Regulatory Compliance Audit",
        "body": "Run a full regulatory compliance audit for any business. Covers US, UK, and EU frameworks across 8 compliance domains with gap analysis, risk scoring, and remediation timelines."
      },
      {
        "title": "When to Use",
        "body": "Annual or quarterly compliance reviews\nPre-audit preparation (SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS)\nNew market entry requiring regulatory assessment\nBoard or investor due diligence on compliance posture\nPost-incident compliance gap analysis"
      },
      {
        "title": "Step 1: Identify Applicable Frameworks",
        "body": "Based on the business profile (industry, geography, data types, revenue), determine which frameworks apply:\n\nFramework\tTriggers\nSOC 2 Type II\tB2B SaaS, handles customer data\nGDPR\tAny EU customer data, EU employees\nHIPAA\tAny PHI (healthcare, benefits, wellness)\nPCI DSS\tProcesses, stores, or transmits card data\nISO 27001\tEnterprise clients requesting certification\nSOX\tPublic company or preparing for IPO\nCCPA/CPRA\t>$25M revenue OR >50K CA consumers\nNIST AI RMF\tDeploying AI/ML in production\nUK DPA 2018\tUK operations or UK customer data\nFCA/PRA\tUK financial services"
      },
      {
        "title": "Step 2: 8-Domain Compliance Assessment",
        "body": "Score each domain 1-5 (1=non-existent, 5=mature):\n\nDomain 1: Data Governance\n\nData classification policy (public/internal/confidential/restricted)\n Data retention schedule with legal hold procedures\n Data processing agreements with all vendors\n Cross-border transfer mechanisms (SCCs, adequacy decisions)\n Data subject rights workflow (access, deletion, portability)\n Data breach notification procedure (<72hr GDPR, state-specific US)\n\nDomain 2: Access Control & Identity\n\nRole-based access control (RBAC) implemented\n Multi-factor authentication on all critical systems\n Privileged access management (PAM) for admin accounts\n Quarterly access reviews with evidence retention\n Automated provisioning/deprovisioning tied to HR\n Service account inventory with rotation schedule\n\nDomain 3: Security Operations\n\nVulnerability management program (scan frequency, SLA by severity)\n Penetration testing (annual minimum, after major changes)\n Security incident response plan (tested within 12 months)\n Log retention meeting regulatory minimums (1yr SOC 2, 6yr SOX)\n Endpoint detection and response (EDR) on all endpoints\n Network segmentation between environments\n\nDomain 4: Business Continuity\n\nBusiness impact analysis (BIA) current within 12 months\n Disaster recovery plan with defined RTO/RPO by system tier\n Backup testing (restore verified quarterly minimum)\n Pandemic/remote work continuity procedures\n Third-party dependency mapping for critical services\n Communication plan (internal + external + regulatory)\n\nDomain 5: Vendor & Third-Party Risk\n\nVendor risk assessment questionnaire (SIG Lite or equivalent)\n Tiered vendor classification (critical/high/medium/low)\n Annual vendor reviews for critical and high-tier vendors\n Right-to-audit clauses in critical vendor contracts\n Fourth-party risk assessment for critical vendors\n Vendor offboarding procedure with data return/destruction\n\nDomain 6: HR & Personnel 
Security\n\nBackground check policy (scope appropriate to role)\n Security awareness training (annual + phishing simulations)\n Acceptable use policy signed by all employees\n Code of conduct with reporting mechanisms\n Termination checklist (access removal, device collection, NDA reminder)\n Contractor/temp worker security requirements\n\nDomain 7: AI & Automation Governance\n\nAI model inventory with risk classification\n Bias testing and fairness metrics for decision-making models\n Human-in-the-loop requirements defined per use case\n AI incident response procedures\n Transparency documentation (model cards, impact assessments)\n Training data governance and lineage tracking\n\nDomain 8: Financial & Reporting Controls\n\nSegregation of duties in financial processes\n Change management procedures for financial systems\n Audit trail for all financial transactions\n Revenue recognition controls (ASC 606 / IFRS 15)\n Tax compliance calendar (federal, state, international)\n Internal audit schedule and findings tracking"
      },
      {
        "title": "Step 3: Risk Scoring Matrix",
        "body": "For each gap identified:\n\nLikelihood\tImpact\tRisk Score\tAction Timeline\nHigh\tHigh\tCritical\tFix within 30 days\nHigh\tMedium\tHigh\tFix within 60 days\nMedium\tHigh\tHigh\tFix within 60 days\nMedium\tMedium\tMedium\tFix within 90 days\nLow\tHigh\tMedium\tFix within 90 days\nLow\tMedium\tLow\tNext quarterly review\nLow\tLow\tInformational\tAnnual review"
      },
      {
        "title": "Step 4: Remediation Roadmap",
        "body": "Build a 90-day plan:\n\nDays 1-30: Critical Gaps\n\nAddress any gaps with Critical or High risk scores\nImplement quick wins (policy updates, access reviews)\nEngage external counsel for regulatory interpretation if needed\n\nDays 31-60: Systematic Improvements\n\nDeploy technical controls (MFA, EDR, log aggregation)\nComplete vendor risk assessments for critical vendors\nUpdate employee training program\n\nDays 61-90: Evidence & Documentation\n\nBuild evidence collection system for ongoing compliance\nConduct internal audit of remediated areas\nPrepare board-ready compliance dashboard"
      },
      {
        "title": "Step 5: Compliance Cost Benchmarks (2026)",
        "body": "Company Size\tAnnual Compliance Budget\tKey Cost Drivers\n10-50 employees\t$30K-$80K\tSOC 2 audit ($15-30K), tools ($10-20K), training ($5-10K)\n50-200 employees\t$80K-$250K\t+ DPO/compliance hire ($80-120K), pen testing ($15-40K)\n200-1000 employees\t$250K-$800K\t+ GRC platform ($50-150K), multiple audits, legal counsel\n1000+ employees\t$800K-$3M+\t+ Dedicated compliance team, continuous monitoring, regulatory filings\n\nCost of non-compliance (real examples):\n\nGDPR fines: up to 4% global annual revenue (Meta: €1.2B, 2023)\nHIPAA: $100-$50K per violation, $1.5M annual cap per category\nPCI DSS: $5K-$100K/month until compliant + liability for breaches\nSOX: Criminal penalties, officer personal liability\nAverage data breach cost: $4.88M (IBM 2024)"
      },
      {
        "title": "Step 6: Output Format",
        "body": "Generate a compliance report with:\n\nExecutive Summary — Overall maturity score (1-5), top 3 risks, recommended budget\nFramework Applicability Matrix — Which frameworks apply and current certification status\nDomain Scores — 8 domains with gap counts and risk distribution\nCritical Findings — Top 10 gaps ranked by risk score with remediation steps\n90-Day Roadmap — Week-by-week action plan with owners and milestones\nBudget Estimate — Compliance cost projection for next 12 months\nBoard Dashboard — One-page visual for board/investor reporting"
      },
      {
        "title": "Industry-Specific Requirements",
        "body": "Industry\tPrimary Frameworks\tSpecial Considerations\nSaaS/Technology\tSOC 2, GDPR, CCPA\tAI governance, open source licensing\nHealthcare\tHIPAA, HITRUST, FDA (if devices)\tPHI everywhere, BAAs required\nFinancial Services\tSOX, PCI DSS, GLBA, FCA/PRA\tTransaction monitoring, AML/KYC\nLegal\tABA ethics, GDPR, privilege rules\tClient confidentiality, conflict checks\nConstruction\tOSHA, environmental, bonding\tSafety records, subcontractor compliance\nE-commerce\tPCI DSS, CCPA/GDPR, FTC\tPayment data, consumer protection, returns\nManufacturing\tISO 9001, OSHA, EPA, export controls\tSupply chain compliance, ITAR/EAR\nReal Estate\tFair Housing, AML, state licensing\tProperty data, transaction compliance\nRecruitment\tEEOC, GDPR (candidate data), ban-the-box\tAI hiring bias (NYC Local 144), background checks\nProfessional Services\tIndustry-specific licensing, SOC 2\tClient data handling, engagement letters"
      },
      {
        "title": "7 Compliance Audit Mistakes That Cost Companies Millions",
        "body": "Treating compliance as annual — It's continuous. Point-in-time audits miss 60% of gaps that develop mid-year.\nIgnoring AI governance — NIST AI RMF and EU AI Act are here. Every production model needs documentation.\nVendor risk as checkbox — Your vendor's breach is your breach. Fourth-party risk is real.\nNo evidence retention system — If you can't prove compliance, you're not compliant. Automate evidence collection.\nSecurity ≠ compliance — You can be secure and non-compliant, or compliant and insecure. Address both.\nUnderbudgeting remediation — Plan for 2x the estimated remediation cost. Surprises are the norm.\nBoard reporting as afterthought — Boards that see compliance dashboards quarterly make better risk decisions.\n\nGet the full compliance implementation toolkit for your industry:\n\nBrowse all 10 industry context packs → https://afrexai-cto.github.io/context-packs/\nCalculate your AI automation ROI → https://afrexai-cto.github.io/ai-revenue-calculator/\nSet up your AI agent stack → https://afrexai-cto.github.io/agent-setup/\n\nBundles: Playbook $27 | Pick 3 $97 | All 10 $197 | Everything $247"
      }
    ],
    "body": "Regulatory Compliance Audit\n\nRun a full regulatory compliance audit for any business. Covers US, UK, and EU frameworks across 8 compliance domains with gap analysis, risk scoring, and remediation timelines.\n\nWhen to Use\nAnnual or quarterly compliance reviews\nPre-audit preparation (SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS)\nNew market entry requiring regulatory assessment\nBoard or investor due diligence on compliance posture\nPost-incident compliance gap analysis\nHow It Works\nStep 1: Identify Applicable Frameworks\n\nBased on the business profile (industry, geography, data types, revenue), determine which frameworks apply:\n\nFramework\tTriggers\nSOC 2 Type II\tB2B SaaS, handles customer data\nGDPR\tAny EU customer data, EU employees\nHIPAA\tAny PHI (healthcare, benefits, wellness)\nPCI DSS\tProcesses, stores, or transmits card data\nISO 27001\tEnterprise clients requesting certification\nSOX\tPublic company or preparing for IPO\nCCPA/CPRA\t>$25M revenue OR >50K CA consumers\nNIST AI RMF\tDeploying AI/ML in production\nUK DPA 2018\tUK operations or UK customer data\nFCA/PRA\tUK financial services\nStep 2: 8-Domain Compliance Assessment\n\nScore each domain 1-5 (1=non-existent, 5=mature):\n\nDomain 1: Data Governance\n\n Data classification policy (public/internal/confidential/restricted)\n Data retention schedule with legal hold procedures\n Data processing agreements with all vendors\n Cross-border transfer mechanisms (SCCs, adequacy decisions)\n Data subject rights workflow (access, deletion, portability)\n Data breach notification procedure (<72hr GDPR, state-specific US)\n\nDomain 2: Access Control & Identity\n\n Role-based access control (RBAC) implemented\n Multi-factor authentication on all critical systems\n Privileged access management (PAM) for admin accounts\n Quarterly access reviews with evidence retention\n Automated provisioning/deprovisioning tied to HR\n Service account inventory with rotation schedule\n\nDomain 3: Security 
Operations\n\n Vulnerability management program (scan frequency, SLA by severity)\n Penetration testing (annual minimum, after major changes)\n Security incident response plan (tested within 12 months)\n Log retention meeting regulatory minimums (1yr SOC 2, 6yr SOX)\n Endpoint detection and response (EDR) on all endpoints\n Network segmentation between environments\n\nDomain 4: Business Continuity\n\n Business impact analysis (BIA) current within 12 months\n Disaster recovery plan with defined RTO/RPO by system tier\n Backup testing (restore verified quarterly minimum)\n Pandemic/remote work continuity procedures\n Third-party dependency mapping for critical services\n Communication plan (internal + external + regulatory)\n\nDomain 5: Vendor & Third-Party Risk\n\n Vendor risk assessment questionnaire (SIG Lite or equivalent)\n Tiered vendor classification (critical/high/medium/low)\n Annual vendor reviews for critical and high-tier vendors\n Right-to-audit clauses in critical vendor contracts\n Fourth-party risk assessment for critical vendors\n Vendor offboarding procedure with data return/destruction\n\nDomain 6: HR & Personnel Security\n\n Background check policy (scope appropriate to role)\n Security awareness training (annual + phishing simulations)\n Acceptable use policy signed by all employees\n Code of conduct with reporting mechanisms\n Termination checklist (access removal, device collection, NDA reminder)\n Contractor/temp worker security requirements\n\nDomain 7: AI & Automation Governance\n\n AI model inventory with risk classification\n Bias testing and fairness metrics for decision-making models\n Human-in-the-loop requirements defined per use case\n AI incident response procedures\n Transparency documentation (model cards, impact assessments)\n Training data governance and lineage tracking\n\nDomain 8: Financial & Reporting Controls\n\n Segregation of duties in financial processes\n Change management procedures for financial systems\n Audit trail 
for all financial transactions\n Revenue recognition controls (ASC 606 / IFRS 15)\n Tax compliance calendar (federal, state, international)\n Internal audit schedule and findings tracking\nStep 3: Risk Scoring Matrix\n\nFor each gap identified:\n\nLikelihood\tImpact\tRisk Score\tAction Timeline\nHigh\tHigh\tCritical\tFix within 30 days\nHigh\tMedium\tHigh\tFix within 60 days\nMedium\tHigh\tHigh\tFix within 60 days\nMedium\tMedium\tMedium\tFix within 90 days\nLow\tHigh\tMedium\tFix within 90 days\nLow\tMedium\tLow\tNext quarterly review\nLow\tLow\tInformational\tAnnual review\nStep 4: Remediation Roadmap\n\nBuild a 90-day plan:\n\nDays 1-30: Critical Gaps\n\nAddress any gaps with Critical or High risk scores\nImplement quick wins (policy updates, access reviews)\nEngage external counsel for regulatory interpretation if needed\n\nDays 31-60: Systematic Improvements\n\nDeploy technical controls (MFA, EDR, log aggregation)\nComplete vendor risk assessments for critical vendors\nUpdate employee training program\n\nDays 61-90: Evidence & Documentation\n\nBuild evidence collection system for ongoing compliance\nConduct internal audit of remediated areas\nPrepare board-ready compliance dashboard\nStep 5: Compliance Cost Benchmarks (2026)\nCompany Size\tAnnual Compliance Budget\tKey Cost Drivers\n10-50 employees\t$30K-$80K\tSOC 2 audit ($15-30K), tools ($10-20K), training ($5-10K)\n50-200 employees\t$80K-$250K\t+ DPO/compliance hire ($80-120K), pen testing ($15-40K)\n200-1000 employees\t$250K-$800K\t+ GRC platform ($50-150K), multiple audits, legal counsel\n1000+ employees\t$800K-$3M+\t+ Dedicated compliance team, continuous monitoring, regulatory filings\n\nCost of non-compliance (real examples):\n\nGDPR fines: up to 4% global annual revenue (Meta: €1.2B, 2023)\nHIPAA: $100-$50K per violation, $1.5M annual cap per category\nPCI DSS: $5K-$100K/month until compliant + liability for breaches\nSOX: Criminal penalties, officer personal liability\nAverage data breach cost: 
$4.88M (IBM 2024)\nStep 6: Output Format\n\nGenerate a compliance report with:\n\nExecutive Summary — Overall maturity score (1-5), top 3 risks, recommended budget\nFramework Applicability Matrix — Which frameworks apply and current certification status\nDomain Scores — 8 domains with gap counts and risk distribution\nCritical Findings — Top 10 gaps ranked by risk score with remediation steps\n90-Day Roadmap — Week-by-week action plan with owners and milestones\nBudget Estimate — Compliance cost projection for next 12 months\nBoard Dashboard — One-page visual for board/investor reporting\nIndustry-Specific Requirements\nIndustry\tPrimary Frameworks\tSpecial Considerations\nSaaS/Technology\tSOC 2, GDPR, CCPA\tAI governance, open source licensing\nHealthcare\tHIPAA, HITRUST, FDA (if devices)\tPHI everywhere, BAAs required\nFinancial Services\tSOX, PCI DSS, GLBA, FCA/PRA\tTransaction monitoring, AML/KYC\nLegal\tABA ethics, GDPR, privilege rules\tClient confidentiality, conflict checks\nConstruction\tOSHA, environmental, bonding\tSafety records, subcontractor compliance\nE-commerce\tPCI DSS, CCPA/GDPR, FTC\tPayment data, consumer protection, returns\nManufacturing\tISO 9001, OSHA, EPA, export controls\tSupply chain compliance, ITAR/EAR\nReal Estate\tFair Housing, AML, state licensing\tProperty data, transaction compliance\nRecruitment\tEEOC, GDPR (candidate data), ban-the-box\tAI hiring bias (NYC Local 144), background checks\nProfessional Services\tIndustry-specific licensing, SOC 2\tClient data handling, engagement letters\n7 Compliance Audit Mistakes That Cost Companies Millions\nTreating compliance as annual — It's continuous. Point-in-time audits miss 60% of gaps that develop mid-year.\nIgnoring AI governance — NIST AI RMF and EU AI Act are here. Every production model needs documentation.\nVendor risk as checkbox — Your vendor's breach is your breach. Fourth-party risk is real.\nNo evidence retention system — If you can't prove compliance, you're not compliant. 
Automate evidence collection.\nSecurity ≠ compliance — You can be secure and non-compliant, or compliant and insecure. Address both.\nUnderbudgeting remediation — Plan for 2x the estimated remediation cost. Surprises are the norm.\nBoard reporting as afterthought — Boards that see compliance dashboards quarterly make better risk decisions.\n\nGet the full compliance implementation toolkit for your industry:\n\nBrowse all 10 industry context packs → https://afrexai-cto.github.io/context-packs/\nCalculate your AI automation ROI → https://afrexai-cto.github.io/ai-revenue-calculator/\nSet up your AI agent stack → https://afrexai-cto.github.io/agent-setup/\n\nBundles: Playbook $27 | Pick 3 $97 | All 10 $197 | Everything $247"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/1kalin/afrexai-regulatory-compliance",
    "publisherUrl": "https://clawhub.ai/1kalin/afrexai-regulatory-compliance",
    "owner": "1kalin",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/afrexai-regulatory-compliance",
    "downloadUrl": "https://openagent3.xyz/downloads/afrexai-regulatory-compliance",
    "agentUrl": "https://openagent3.xyz/skills/afrexai-regulatory-compliance/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-regulatory-compliance/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-regulatory-compliance/agent.md"
  }
}