Advisory Rumble51 (3)

Compliance & Regulatory Policy

Effective Date: 30 January 2025

Review Intervals: 6 months or as required
Approved by: Luke McFarland

  1. Purpose

This policy ensures that McFarland Consulting & Advisory (MCA) complies with all applicable global laws, regulations, and industry standards, including but not limited to:

  • International Traffic in Arms Regulations (ITAR)
  • Federal Information Security Modernization Act (FISMA)
  • Sarbanes-Oxley Act (SOX)
  • EU Artificial Intelligence Act (EU AI Act)
  • Other relevant regional and sector-specific regulations.

The policy establishes governance structures, audit trails, reporting obligations, and compliance training to mitigate legal, financial, and reputational risks.

  2. Scope

This policy applies to:

  • All MCA employees, contractors, and third-party vendors.
  • All business operations, data systems, and processes under MCA’s control.
  • Any product, service, or engagement involving regulated activities (e.g., defense, finance, AI).

  3. Compliance Governance

3.1 Ownership & Accountability

  • MCA Compliance Officer (CO) is responsible for overseeing adherence to this policy.
  • Legal & Regulatory Team ensures continuous monitoring of evolving laws.
  • Department Heads enforce compliance within their teams.

3.2 Regulatory Mapping

  • Maintain an up-to-date register of applicable laws and obligations.
  • Conduct annual risk assessments to identify compliance gaps.

  4. Key Compliance Requirements

4.1 ITAR Compliance

  • Restrict access to ITAR-controlled technical data to U.S. persons and other personnel authorized under an applicable license or exemption; disclosure to a foreign person, including one located in the U.S., is a deemed export and requires prior authorization.
  • Implement secure document handling (marking, storage, and transfer controls) and export control procedures for all defense-related technical data.

4.2 FISMA Compliance

  • Apply NIST security controls (FIPS 199/200 categorization and the NIST SP 800-53 control baselines) to federal data systems.
  • Conduct annual security assessments and vulnerability testing, with continuous monitoring between assessments.

4.3 SOX Compliance

  • Ensure accurate financial reporting with internal controls.
  • Maintain audit-ready documentation for financial transactions.

4.4 EU AI Act Compliance

  • Classify AI systems per the Act's risk categories (unacceptable, high, limited, minimal) and document the classification rationale.
  • Implement transparency, logging, and human oversight for high-risk AI applications.

  5. Audit Trails & Reporting

5.1 Documentation & Recordkeeping

  • Maintain logs of compliance activities, access controls, and policy updates.
  • Retain records per statutory requirements (e.g., SOX: 7 years for audit and review records; GDPR: personal data no longer than necessary for its stated purpose, per the storage limitation principle).

5.2 Internal & External Audits

  • Conduct quarterly internal audits to verify compliance.
  • Engage third-party auditors annually for independent validation.

5.3 Incident Reporting

  • Report breaches (e.g., data leaks, export violations) to the CO within 24 hours of discovery; the CO determines whether external notification deadlines apply (e.g., 72 hours to the supervisory authority under GDPR).
  • Escalate regulatory non-compliance to senior management immediately.

  6. Compliance Training

  • Mandatory annual training for employees on relevant regulations.
  • Role-specific training (e.g., ITAR for defense teams, SOX for finance).
  • Certification of completion tracked in HR records.

  7. Enforcement & Non-Compliance

  • Violations may result in disciplinary action, up to termination.
  • Regulatory fines or penalties incurred due to negligence may lead to personal accountability.

  8. Policy Review & Updates

  • Reviewed every 6 months (per the review interval stated above) or sooner upon major regulatory changes.
  • Amendments require approval by MCA’s Executive Leadership.

Approved By: Luke McFarland
Signature: _________________________
Date: 25 January 2025

Contact: compliance@mcfarland-consulting.com