Prompt Chain: Compliance Gap Assessment → Complete Remediation Package
What This Builds
A 4-step prompt chain that takes your compliance gap findings and produces a complete remediation package: gap summary report + root cause analysis + remediation action plan + board/executive summary. Each step builds on the previous output — the result is four internally consistent documents that reference the same gaps, the same risk ratings, and the same remediation timeline throughout, eliminating the version drift that happens when you write these documents separately across multiple weeks.
Prerequisites
- Claude Pro account ($20/month — claude.ai)
- Ideally, a Claude Project configured with your compliance program context (see Level 4 guide: "Claude Project: Build a Persistent Compliance Assistant")
- Your completed gap assessment findings from a recent audit, examination, or self-assessment
The Concept
After a compliance exam or audit, you need at least four documents: the gap summary for the compliance file, a root cause analysis for the remediation team, an action plan with owners and deadlines for senior management, and a summary for the board or audit committee. Writing these separately over 3–4 weeks creates drift: the gap summary says "17 findings," the action plan has 19 items, and the board summary mentions "significant deficiencies" while the gap summary only rated 2 issues as significant. A prompt chain produces all four in one session with one consistent set of findings.
Build It Step by Step
Part 1: Collect Your Gap Assessment Inputs
Before starting the chain, organize your findings into a structured input:
Assessment scope: [e.g., BSA/AML program review, HIPAA security review, SOX controls assessment]
Assessment period: [dates covered]
Regulatory framework: [e.g., 12 CFR 21.11, HIPAA Security Rule 45 CFR 164, SOX Section 302/404]
Findings summary:
- Finding 1: [brief description, severity — Critical/High/Medium/Low]
- Finding 2: [same]
- [continue for all findings]
Repeat findings (from prior assessments): [list any]
Business units affected: [which departments]
Root cause themes identified: [e.g., training gaps, resource constraints, system limitations, policy gaps]
Proposed remediation timeline: [overall deadline, e.g., 90 days / 6 months]
Part 2: Run Step 1 — Gap Summary Report
Paste your assessment inputs into Claude (ideally in your Compliance Assistant Project) with this prompt:
This is Step 1 of a 4-step compliance remediation chain. Based on these gap assessment findings, draft a formal compliance gap summary report.
[Paste your assessment inputs here]
The gap summary report should:
- State the assessment scope, period, and framework
- List each finding with: finding number, description, regulatory citation, severity rating, and affected business unit
- Identify repeat findings separately
- Provide an overall risk rating for the assessment (e.g., Needs Improvement / Satisfactory / Unsatisfactory)
- Conclude with the total finding count by severity level (Critical: X, High: X, Medium: X, Low: X)
Use formal regulatory examination language. This document goes in the compliance file.
What you get: A formal gap summary in examination-appropriate language that will anchor all subsequent documents.
Part 3: Run Step 2 — Root Cause Analysis
Feed the Step 1 report back into Claude with additional context:
This is Step 2 of the remediation chain. Using the gap summary above as context, draft the root cause analysis for these findings.
For each finding or finding theme:
- Identify the underlying root cause (policy gap / training deficiency / resource constraint / system limitation / control design failure / supervisory gap)
- Distinguish between immediate causes and systemic causes
- Note where multiple findings share a common root cause — these may be addressed by a single remediation action
Root cause context I observed:
[Add any direct observations about why these gaps occurred — e.g., "The BSA officer position was vacant for 6 months," "The training module had not been updated since 2022," "The system cannot generate the required report automatically"]
What you get: A root cause analysis that connects each gap from Step 1 to its underlying cause — critical for designing effective remediation actions in Step 3.
Part 4: Run Step 3 — Remediation Action Plan
Continue the chain with the operational plan:
This is Step 3 of the remediation chain. Based on the gap summary (Step 1) and root cause analysis (Step 2), draft the remediation action plan.
For each finding (or finding group with shared root cause):
- State the finding reference number(s)
- Describe the specific remediation action
- Assign responsibility to: [list the business unit owners — e.g., BSA Officer, IT Security, HR, Operations]
- Set target completion dates: [provide your proposed timeline — e.g., "high severity findings: 30 days; medium: 60 days; low: 90 days"]
- Identify the validation method: how will you confirm the action was completed? (e.g., policy review, retesting, training completion report, system audit)
Format as a numbered action plan table with columns: Finding #, Action, Owner, Due Date, Validation Method, Status (blank).
What you get: An action plan table that references the exact finding numbers from Step 1 — consistent numbering and descriptions across both documents.
Part 5: Run Step 4 — Board / Audit Committee Summary
The final step produces the executive-level communication:
This is Step 4 — the board/audit committee summary. Based on the gap summary, root cause analysis, and action plan above, draft a concise executive summary suitable for presentation to the Board of Directors or Audit Committee.
Tone: direct, non-alarmist, demonstrates that management has identified the issues and is actively remediating. Board-level audience — no regulatory jargon without plain-English explanation.
The summary should include:
- Assessment scope and period (1–2 sentences)
- Total findings by severity (reference Step 1 counts)
- Top 2–3 significant findings and their risk implications (plain English)
- Root cause themes (reference Step 2 — at the theme level, not individual finding level)
- Remediation timeline and management commitment (reference Step 3)
- Request for board acknowledgment or oversight action (if applicable)
- Compliance program overall health assessment
Target length: 1–2 pages maximum.
What you get: A board summary that uses the same finding counts, severity ratings, and timeline as the three prior documents — board members and regulators will see one consistent set of facts.
Real Example: BSA/AML Annual Program Review
Starting inputs:
- Scope: BSA/AML annual compliance program review
- Regulatory framework: Bank Secrecy Act, FinCEN regulations, 12 CFR 21
- Findings: 3 High (SAR filing timeliness, training completion gaps, enhanced due diligence documentation), 4 Medium, 6 Low
- Repeat findings: SAR timeliness was noted in prior year review
- Root causes: staff turnover in BSA team; training platform not integrated with HRIS; EDD procedures not updated for new product lines
- Timeline: 90-day remediation period
Chain output after 4 steps (50 minutes total):
Gap summary: 13 findings formally documented with regulatory citations, severity ratings, and affected business units. Overall program rating: Needs Improvement. Repeat finding noted with increased severity assessment.
Root cause analysis: 3 root cause themes: (a) staffing instability in BSA function driving timeliness failures; (b) training platform fragmentation causing completion tracking gaps; (c) product expansion outpacing procedure update cycle. Systemic vs. immediate causes distinguished for each.
Action plan: 13-item action plan table with owners (BSA Officer, HRIS, Product Compliance), due dates (30/60/90 days), and validation methods (SAR filing audit, completion reports, procedure sign-off). Repeat finding flagged with accelerated 30-day deadline.
Board summary: 2-page narrative with finding counts, top 3 risk implications in plain English, 3 root cause themes, 90-day remediation commitment, request for board acknowledgment of repeat finding.
Consistency check: All four documents cite "13 total findings," "3 High severity," "90-day remediation period," and identify "SAR filing timeliness as a repeat finding." No drift between the file document and the board communication.
Time: 50 minutes of Claude interaction + 30 minutes of review = 80 minutes. Manual equivalent: 2 full days across multiple documents.
What to Do When It Breaks
- Step 3 action plan has different finding numbers than Step 1 → Paste the Step 1 finding list explicitly at the start of Step 3. Claude retains context in one conversation but loses it in a new one.
- Board summary mentions findings not in the gap report → Claude may have extrapolated. Add to Step 4 prompt: "Reference only findings documented in Step 1 — do not add findings not in the gap summary."
- Root cause analysis is too granular for board consumption → Step 4 prompt already says "theme level" for the board summary. If it still gets granular, add: "The board summary must not reference individual finding numbers — summarize themes only."
- Action plan missing required fields → Add your firm's required columns to Step 3 prompt: "Include these columns: [list your organization's standard action plan fields]."
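A mechanical drift check for the first two failure modes above and for the consistency check in the example, added here as illustration (not part of the original guide): it parses constructed stand-in Step 1, Step 3 and Step 4 outputs and flags finding numbers or counts that disagree before the package goes to review. The line and table formats it expects are assumptions about how your chain's outputs look; adjust the regexes to your templates.

```python
import re
from collections import Counter

# Constructed stand-ins for Step 1, Step 3 and Step 4 outputs (not text from the guide).
GAP_SUMMARY = """Assessment scope: BSA/AML annual program review
Finding 1: SAR filing timeliness. Severity: High. Unit: BSA
Finding 2: Training completion gaps. Severity: High. Unit: HR
Finding 3: EDD documentation. Severity: Medium. Unit: Operations
Finding 4: Stale risk assessment. Severity: Low. Unit: BSA
Total findings: 4 (Critical: 0, High: 2, Medium: 1, Low: 1)"""

ACTION_PLAN = """| Finding # | Action | Owner | Due Date | Validation Method | Status |
| 1 | Backfill BSA analyst role | BSA Officer | 30 days | SAR filing audit | |
| 2 | Integrate training platform with HRIS | HR | 60 days | Completion report | |
| 3 | Update EDD procedures for new products | Operations | 60 days | Procedure sign-off | |
| 5 | Revise screening procedure | Operations | 90 days | Retest | |"""  # drift: 5 extrapolated, 4 dropped

BOARD_SUMMARY = """Management identified 5 total findings, including 2 High severity items,
and committed to a 90-day remediation period."""

FINDING_RE = re.compile(r"^Finding (\d+):.*?Severity: (Critical|High|Medium|Low)", re.M)

def parse_gap_findings(text):
    """Map finding number -> severity from the Step 1 gap summary."""
    return {int(n): sev for n, sev in FINDING_RE.findall(text)}

def parse_plan_refs(text):
    """Finding numbers referenced in the Step 3 action plan table rows."""
    return {int(m.group(1)) for m in re.finditer(r"^\|\s*(\d+)\s*\|", text, re.M)}

def parse_board_counts(text):
    """(total, high) counts stated in the Step 4 board summary; None if a count is absent."""
    total = re.search(r"(\d+) total findings", text)
    high = re.search(r"(\d+) High severity", text)
    return (int(total.group(1)) if total else None, int(high.group(1)) if high else None)

def check_drift(gap, plan, board):
    """Return the drift issues the breakage list describes; an empty list means the set is consistent."""
    findings, refs = parse_gap_findings(gap), parse_plan_refs(plan)
    nums = set(findings)
    issues = [f"action plan cites finding {n} absent from gap summary" for n in sorted(refs - nums)]
    issues += [f"finding {n} has no action plan item" for n in sorted(nums - refs)]
    total, high = parse_board_counts(board)
    counts = Counter(findings.values())
    if total != len(findings):
        issues.append(f"board summary states {total} findings, gap summary has {len(findings)}")
    if high != counts["High"]:
        issues.append(f"board summary states {high} High, gap summary has {counts['High']}")
    return issues
```

Run it on the real outputs pasted into the three constants; any non-empty result is a drift to fix with the prompt additions listed above before the documents are filed.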
Variations
- Simpler version: Run Steps 1 and 3 only — gap report + action plan. Skip root cause and board summary for low-stakes internal assessments.
- Extended version: Add a Step 0 — "Based on these assessment inputs, identify the top 5 regulatory risks that should be prioritized in the remediation plan." Pre-prioritize before the gap report for complex multi-framework assessments.
What to Do Next
- This week: Run the full chain on one recent gap assessment. Compare the document set's consistency to your normal process.
- This month: Use the chain for all exam preparation and self-assessment remediation packages.
- Advanced: Combine with your Compliance Claude Project — the Project's regulatory framework context makes Step 1 gap summary language more precise from the start.
Advanced guide for compliance manager professionals. All regulatory findings and remediation commitments require legal and senior management review before external submission.