By Kevin M. Hyams
This article draws on more than 35 years of practical experience designing and leading governance, risk and compliance assessment work across multiple industries and regulatory subject areas.
Why I wrote this
Compliance assessment scoping can place real pressure on the people responsible for deciding what should and should not be assessed.
My aim in writing this article is to make that decision clearer, more structured and easier to explain.
Good scoping should help teams focus on the requirements that apply, avoid unnecessary assessment work, and make better use of limited compliance resources.
It should also help them explain why the assessment was scoped as it was.
That matters because scoping is not just an administrative step. It is the foundation for the whole assessment.
If the scope is weak, everything that follows becomes harder to support.
Opening Summary
Every effective compliance assessment starts with one simple question:
Are we meeting the requirements that apply to us?
The words “that apply to us” matter.
They are the difference between a focused, risk-based assessment and an expensive exercise that tries to assess everything, whether relevant or not.
Good scoping helps a business:
- Focus on the requirements that genuinely apply.
- Avoid wasted effort on requirements that do not.
- Apply judgement in a structured and defensible way.
- Align the organisation’s principle-based policy with the detailed assessment record.
- Create a clearer link between policy, scope, risk, controls, evidence and reporting.
- Give senior management, boards, auditors and regulators more confidence in the assessment outcome.
This is the first blog in a six-part series on the practical phases of a compliance assessment. In this article, we start where every good assessment should start: Scope.
Compliance Assessment Scoping: How to Assess Only What Applies — and No More
Compliance assessments can become unnecessarily expensive when they are poorly scoped.
That does not usually happen because people are careless. It happens because the assessment starts in the wrong place.
Too often, teams begin by asking:
“What does the regulation or framework say?”
That is important, but it is not enough.
The better starting point is:
“Which of these requirements apply to us, and how much assessment work is needed to answer that question credibly?”
That is the purpose of scoping.
Scoping is not about doing less work for the sake of it.
It is about doing the right work, at the right level of depth, with a clear reason for what is included, what is excluded, and where the assessment should focus.
It should also help the organisation consider risk before it moves too quickly into control responses, testing or evidence requests.
That matters because the scope should not be driven only by what is easiest to assess, what was assessed last year, or what appears first in the source material.
It should be guided by what applies and by the level of inherent risk associated with the requirement, activity, process or obligation being considered.
Done well, scoping makes the assessment:
-
More efficient.
-
More cost-effective.
-
More proportionate.
-
Easier to explain.
-
Easier to repeat in future periods.
-
More credible to oversight stakeholders.
Done poorly, it can lead to one of two equally unhelpful outcomes:
- Assessing too much, which wastes time and budget.
- Assessing too little, which creates false comfort.
The practical objective is to avoid both.
The Core Question Behind Every Compliance Assessment
Every compliance assessment is trying to answer one central question:
Are we meeting the requirements that apply to us?
That question has two parts.
The first part is:
Are we meeting the requirements?
That is the assessment question.
The second part is:
Which requirements apply to us?
That is the scoping question.
The second question must come first.
There is also a related governance question:
Has the organisation’s policy committed it to the same position as the assessment being tested?
If the policy says one thing, the assessment tests another, and actual practice reflects something else, the organisation may create unnecessary compliance risk.
A well-designed scoping process should avoid that disconnect.
If the scoping is weak, the rest of the assessment is built on uncertain ground.
The maturity assessment may be too broad. The gap analysis may identify issues that are not relevant. The risk and control matrix assessment may include unnecessary work. The evidence request may become larger than needed. The final report may be harder to defend.
That is why scoping should not be treated as a quick administrative step. It is a core assessment activity.
Where Scoping Fits in the Compliance Assessment Process
A practical compliance assessment can be thought of in six integrated phases:
-
Scope — assess what applies, focus where risk justifies it, and no more
-
Maturity Assessment — understand current readiness and the assurance path
-
Gap Analysis — identify what needs attention and what risk remains
-
Risk and Control Matrix Assessment — test the controls management relies on and update the assessment position
-
Documentary Evidence — support the assessment position and produce evidence on demand
-
Inspection-Ready Deliverables — make the assessment usable, reportable and credible
Scoping comes first because it shapes everything that follows.
It helps the assessor identify which requirements apply, which do not, and where the assessment should focus.
A critical part of that judgement is inherent-risk assessment.
Before the assessor moves too quickly into detailed testing, the assessment should help them consider the risk before relying on controls or mitigation.
That gives the team a more disciplined way to decide:
-
Where deeper assessment work is justified
-
Where a lighter review may be proportionate
-
Where non-applicable or lower-risk items can be documented without consuming unnecessary time
-
Why the assessment was scoped as it was
Each phase then builds on that foundation.
The policy defines the commitment. The risk-based scoping defines the focus. The assessment shows what has been done. The testing confirms what can be relied on. The evidence supports the conclusion. The outputs make it usable.
That is the practical value of a joined-up assessment process.
Step 1: Confirm That the Regulation, Framework or Subject Matter Applies
Before scoping individual requirements, the first question is whether the regulation, standard, framework or policy area applies to the business at all.
This may sound obvious, but it is an important discipline.
A regulation or framework may apply because of:
- The type of business
- The jurisdictions in which it operates
- The customers it serves
- The products or services it provides
- The data it handles
- Its size or structure
- Contractual requirements
- Internal governance commitments
Once it is clear that the subject matter applies, the team needs a suitable subject-matter assessment template anchored to the relevant source requirements.
Only then can it make a properly informed decision about which requirements apply and how deeply they should be assessed.
Step 2: Align the Principle-Based Policy With the Assessment
A scoping process should not only identify which requirements apply.
It should also ensure that the organisation’s policy position is aligned with what the assessment will actually test, evidence and report.
This matters because policies are often one of the first documents requested by auditors, regulators and inspectors.
A policy helps them understand the mandate the organisation has given itself:
- What it says it will do
- How it expects people to behave
- How it approaches compliance with the relevant subject matter
- How it assigns roles, responsibilities and review expectations
- The policy explains the organisation’s principles and commitment
- The assessment records what applies, what has been assessed and what evidence supports the conclusion
- Detailed requirements can be updated in the assessment without constantly rewriting the policy
- The organisation reduces the risk of writing detailed policy commitments that do not reflect actual practice
- Auditors, regulators and inspectors can see both the governance position and the supporting assessment trail
That creates an important risk.
If a policy includes detailed requirements that the organisation does not meet, cannot meet, or has not assessed properly, the policy itself can become a source of weakness.
The organisation may appear to have committed itself to standards or procedures that are not reflected in practice.
A more practical approach is to keep the policy principle-based and use the assessment as the detailed document of record.
In this model, the policy sets out the organisation’s overall commitment, scope, guiding principles, roles, responsibilities, standards of conduct and review expectations.
The detailed requirements, control responses, evidence, ratings, gaps and mitigation actions sit in the assessment.
That separation is powerful.
It means the policy remains stable, clear and understandable, while the assessment can be updated as requirements, risks, controls, evidence and business circumstances change.
In the NORVA Solutions model, each smart compliance assessment template is supported by an editable, principle-based policy document.
The policy gives the organisation a practical starting point for setting out its compliance commitment, while the assessment records the detailed work performed against the applicable requirements.
The result is a cleaner and safer structure:
This is an important part of scoping because it connects the organisation’s stated compliance mandate to the practical assessment work.
The policy says, in effect:
“This is how we approach the subject.”
The assessment then shows:
“This is what applies to us, this is what we assessed, and this is the evidence supporting our position.”
That is a more practical and defensible structure than trying to make the policy carry every detailed requirement itself.
Step 3: Start With the Complete Requirement Set
A good scoping process should not begin with a blank page.
It should begin with the full set of relevant requirements.
That means the assessment tool or template should include the regulation, framework or control set in a structured form.
Ideally, the source material should be mapped into the assessment record, with each requirement clearly organised, tagged and linked back to the relevant source.
This matters for one simple reason:
You cannot confidently scope requirements out unless you can first see the complete population of requirements that may apply.
Completeness creates confidence.
It helps the assessor know that the starting point is not partial, informal or dependent on memory.
It also helps oversight stakeholders understand that exclusions were made through judgement, not omission.
Step 4: Structure the Assessment So It Follows the Source Logic
Compliance requirements are easier to assess when they are organised in a way that follows the source material and makes practical sense to the assessor.
A useful structure may include:
- Subject headings
- Sub-headings
- Control questions or declarative assessment statements
- Source references
- Applicability and scoping fields
- Risk and assessment fields
- Evidence and reporting fields
This structure gives the assessment a logical flow.
It also helps the assessor make more consistent scoping decisions.
Scoping is not only a checklist exercise.
It requires context.
A requirement may look relevant in isolation, but become less significant when viewed in the wider risk profile of the business.
Equally, a requirement that appears small on the page may carry much greater risk in practice.
That is why structure and judgement need to work together.
Step 5: Use Inherent Risk to Decide the Level of Assessment Depth
Once the full requirement set is visible, the next step is to apply risk-based judgement.
The goal is not to avoid assessment.
The goal is to match the level of assessment work to the level of relevance and risk.
This is where inherent-risk assessment is especially useful.
Before considering how strong the controls may be, the assessor should consider the risk associated with the requirement, process, activity or obligation itself.
A high-risk applicable requirement may need deeper assessment, stronger evidence and closer management review.
A moderate-risk requirement may need a lighter but still structured assessment.
A very low-risk area may need limited review or may be scoped out, provided the reason is documented.
A requirement that does not apply should be marked as not applicable, not simply ignored.
This is one of the ways scoping becomes more disciplined.
It helps the team focus effort where exposure is greatest, reduce wasted work and create a stronger assessment record from the outset.
Step 6: Mark Requirements as Out of Scope — Do Not Delete Them
One of the most important scoping principles is also one of the simplest:
Requirements that do not apply should be marked as out of scope, not removed.
Deleting them may look tidy, but it weakens the assessment trail.
If a requirement is removed, it becomes harder to show:
- That it was considered
- Why it was excluded
- Who made the decision
- Whether the decision remains valid
- Whether it needs to be brought back into scope later
A business changes over time.
It may enter new markets, offer new products, acquire new entities, change its technology environment or become subject to new oversight expectations.
A requirement that does not apply today may apply later.
That is why a good assessment process should preserve the full requirement set and clearly show which items are currently out of scope.
Step 7: Identify the Key Controls or Key Assessment Points
Not every applicable requirement needs the same level of assessment.
Some requirements may need every listed control question or declarative statement to be assessed.
Others may be satisfied by a smaller number of key controls or key assessment points.
The scoping process should make these decisions visible.
If an item is marked as key, the assessment should show why.
If an item is marked as not applicable, the assessment should show why.
If an item is assessed with reduced focus, the assessment should show why.
A good assessment tool should not simply list requirements.
It should help the assessor document scoping decisions in a way that can be reviewed, repeated and defended.
Step 8: Adapt the Assessment to the Business
A standard requirement set is a strong starting point, but it may not be enough.
Every business has its own operating model, risk profile and practical realities.
That means the assessment may need to be adapted.
The assessment team may need to:
- Add a business-specific requirement
- Modify wording
- Add a control question
- Mark an item as not applicable
- Adjust the level of evidence required
- Increase assessment depth where risk justifies it
This is not a weakness in the process.
It is part of making the assessment practical.
However, those changes should be controlled and visible.
If items are added, changed or removed from active assessment, the reason should be clear.
Step 9: Review Auditor, Regulator and Oversight Input
Scoping should not rely only on the assessment team’s internal view.
Before the scope is finalised, the team should review relevant input where available, including:
- Internal audit findings
- External audit observations
- Regulator or supervisory feedback
- Prior assessments
- Previous findings
- Management action plans
- Board or committee reporting
- Client or contractual obligations
This input can reveal areas that need more attention than the initial scoping exercise suggests.
The purpose is not to make the assessment bigger by default.
The purpose is to make it better informed.
Why Good Scoping Reduces Cost
The most immediate benefit of good scoping is efficiency.
A well-scoped assessment helps avoid:
- Assessing requirements that do not apply
- Requesting evidence that is not needed
- Involving teams that do not need to be involved
- Creating findings against irrelevant requirements
- Expanding the assessment beyond its useful purpose
- Rebuilding reports manually at the end
- Repeated meetings
- Unclear evidence requests
- Rework
- Inconsistent ratings
- Reports that take longer to explain than they should
This is especially important for compliance teams that are already stretched.
Many businesses do not have unlimited assessment capacity.
They need to spend time where it matters most.
Good scoping also reduces the hidden cost of poor assessment design:
A principle-based policy also helps reduce avoidable maintenance cost, because detailed requirement changes can be reflected in the assessment rather than requiring the policy to be rewritten each time the organisation’s circumstances or control environment changes.
Why Good Scoping Improves Credibility
Cost matters.
But credibility matters just as much.
A compliance assessment is only useful if people can trust the answer.
Senior management, boards, auditors and regulators do not only want to know the final rating.
They want to know whether the process behind the rating was sound.
A well-scoped assessment can explain:
- What was included
- What was excluded
- Why the scope was appropriate
- How inherent risk was considered
- How judgement was applied
- What evidence supports the conclusion
- Whether the scope should change in future periods
It can also show that the organisation’s principle-based policy and detailed assessment record are aligned.
That makes the final answer more credible.
The Assessment Tool Should Make Scoping Easier
The scoping process should not depend on informal notes, disconnected spreadsheets or memory.
If scoping is a core part of the assessment, the assessment tool should support it by design.
A practical assessment tool should help the user:
- Start from the complete requirement set
- See how each requirement links to the source material
- Apply scoping decisions consistently
- Consider inherent risk before relying on controls or mitigation
- Mark items as in scope, out of scope, not applicable or key
- Document the reason for those decisions
- Keep out-of-scope items visible for future reassessment
- Add or modify items where business-specific risks require it
- Link the assessment to a principle-based policy that states the organisation’s compliance commitment
- Preserve a clear trail from policy to scope, assessment, evidence and reporting
- Produce usable outputs from the assessment record itself
This is where tool design matters.
The tool should not make the assessor work around the scoping process.
It should guide the assessor through it.
That is one of the design principles behind the NORVA Solutions Compliance Assessment Toolkit.
The aim is to make structured assessment work easier to start, easier to complete, easier to evidence and easier to deliver.
The point is not that software replaces judgement.
It does not.
The point is that the right tool helps experienced people apply judgement consistently and document it clearly.
That is what we believe NORVA can help subscribers do.
A Practical Scoping Checklist
Before moving from scoping into maturity assessment or gap analysis, the assessment team should be able to answer these questions:
- Have we confirmed that the regulation, framework or subject matter applies?
- Have we confirmed that the related policy is principle-based rather than overloaded with detailed requirements?
- Does the policy point to the assessment as the detailed record of applicable requirements, controls, evidence and outcomes?
- Have we avoided writing policy commitments that are not reflected in actual practice or supported by assessment evidence?
- Have we started with the full requirement set?
- Are the requirements structured in a logical way?
- Are source references visible and accessible?
- Have we identified which subject areas apply?
- Have we assessed inherent risk at the appropriate level?
- Have we used inherent risk to decide where deeper assessment is justified?
- Have we marked non-applicable items without deleting them?
- Have we identified key controls or key assessment points?
- Have we documented the reason for scoping decisions?
- Have we considered business-specific risks?
- Have we reviewed relevant audit, regulator and oversight input?
- Can we explain the scope to senior management, auditors or regulators?
- Can the scope be updated easily in future periods?
- Does the scope provide a reliable foundation for maturity assessment, gap analysis, control testing, evidence collection and final reporting?
If the answer to those questions is yes, the assessment is starting from a much stronger position.
Conclusion: Scope First, Assess Second
Scoping is not a side issue.
It is the foundation of an efficient and credible compliance assessment.
A business that scopes well can focus its effort where it matters most.
It can reduce wasted work.
It can make better use of limited compliance resources.
It can explain why the assessment is proportionate.
And it can give decision-makers more confidence in the answer.
A business that aligns a principle-based policy with a detailed assessment record is also in a stronger position when auditors, regulators or inspectors ask what mandate the organisation has given itself and how that mandate is being met in practice.
The best compliance assessments do not try to assess everything.
They assess what applies, at the right level of depth, for a clearly documented reason.
That is how compliance teams move from activity to a more supportable assessment position.
And it is how they answer the question that sits at the heart of every assessment:
Are we meeting the requirements that apply to us — and can we support the answer?
Make Compliance Assessment Scoping Easier
The NORVA Solutions Compliance Assessment Toolkit is designed to help compliance teams scope, assess, evidence and report their compliance position using structured, Excel-native smart templates.
Each smart template is supported by an editable, principle-based policy document, so the organisation can maintain a clear policy commitment while using the assessment as the detailed record of applicable requirements, controls, evidence, ratings and outcomes.
The built-in inherent-risk assessment functionality helps teams focus effort where exposure is greatest, justify scoping decisions more clearly, reduce wasted work and create a stronger assessment record from the outset.
This helps teams avoid unnecessary policy complexity, reduce wasted assessment effort and produce practical outputs without the cost and overhead of heavier enterprise systems.
Explore the NORVA Solutions Compliance Assessment Toolkit and see how structured scoping can make your next assessment easier, faster and more cost-effective.