Automated Compliance Reporting
Build a compliance reporting system that collects regulatory data, generates required reports, tracks deadlines, and maintains audit trails.
Compliance reporting fundamentals
Every business faces regulatory requirements — data protection (GDPR, CCPA), financial reporting (tax filings, annual accounts), employment law (payroll reporting, workplace safety), and industry-specific regulations (healthcare, finance, food safety). Missing a compliance deadline results in fines, legal exposure, and reputational damage. The challenge is that compliance requirements are scattered across multiple regulations, involve data from multiple systems, have different reporting frequencies, and the regulations themselves change. A compliance reporting system centralises these requirements and automates the data collection, report generation, and deadline tracking.
Ask Claude Code: Create a Next.js project with TypeScript, Tailwind, and Prisma for a compliance reporting platform. Define the database schema.
Regulation (id, name, jurisdiction as UK or EU or US or other, category as data_protection or financial or employment or industry, description, effectiveDate, lastUpdated).
Requirement (id, regulationId, title, description, reportingFrequency as monthly or quarterly or annually or on_demand, deadline description like 30 days after quarter end, dataFields as JSON array describing what data is needed, templateId optional linking to a report template).
ComplianceReport (id, requirementId, periodStart, periodEnd, dueDate, status as upcoming or in_progress or submitted or overdue, generatedAt optional, submittedAt optional, submittedBy optional, data as JSON containing the collected report data, notes).
AuditLog (id, entityType, entityId, action, performedBy, performedAt, details as JSON, ipAddress).
Seed with 10 common compliance requirements spanning GDPR data processing records, quarterly VAT returns, annual accounts filing, payroll reporting, and workplace safety assessments.
Ask Claude Code: Generate realistic compliance requirements with proper deadlines, data field definitions, and descriptions.
Deadline tracking and calendar
Missing a compliance deadline is the most common and most preventable compliance failure. Ask Claude Code: Create a deadline calculation engine at src/lib/deadlines.ts. Each requirement has a deadline pattern — quarterly reports are due 30 days after the quarter ends, annual filings are due by a specific date, and monthly reports are due by the 15th of the following month. The engine takes a requirement and calculates the next deadline. It should also calculate upcoming deadlines for the next 12 months so teams can plan ahead.
Build the compliance calendar. Ask Claude Code: Create a calendar view at src/app/compliance/calendar/page.tsx. Show a monthly calendar with compliance deadlines marked. Colour-code by status: green for submitted, blue for upcoming (more than 14 days away), yellow for approaching (7 to 14 days away), orange for imminent (less than 7 days), and red for overdue. Click a deadline to see the requirement details, the data needed, and the current status of data collection.
Add notifications. Ask Claude Code: Create a notification system that sends alerts at configurable intervals before each deadline. Default: 30 days, 14 days, 7 days, 3 days, and 1 day before the deadline. Each notification includes: the requirement name, the deadline date, the current preparation status (not started, data collection in progress, report generated awaiting review, submitted), and a direct link to the report preparation page. Send notifications via email. Escalate overdue items: if a deadline passes without submission, send daily notifications to the responsible person and their manager.
Add a compliance dashboard overview. Ask Claude Code: Create a dashboard showing: total requirements tracked, upcoming deadlines in the next 30 days (sorted by urgency), overdue items (prominently displayed in red), compliance rate (percentage of deadlines met on time over the last 12 months as a trend chart), and a risk assessment summary (requirements with the highest fines for non-compliance should be flagged as high priority).
Common error: deadline calculations must account for weekends, bank holidays, and jurisdiction-specific non-business days. A deadline that falls on a Saturday should move to the following Monday (or the previous Friday, depending on the regulation). Build a business day calculator that accounts for UK bank holidays.
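The business day adjustment described above, as an added example (not code from the original guide): it rolls a deadline that lands on a weekend or bank holiday forward or backward, using date-only UTC arithmetic so server time zones cannot shift the day. The function names are assumptions, and the holiday set is a constructed sample covering England and Wales in 2025 only; a real system would load the current list per jurisdiction.

```typescript
// Constructed sample: England and Wales bank holidays, 2025 only.
const BANK_HOLIDAYS_2025: ReadonlySet<string> = new Set([
  "2025-01-01", "2025-04-18", "2025-04-21", "2025-05-05",
  "2025-05-26", "2025-08-25", "2025-12-25", "2025-12-26",
]);

// "following" moves to the next business day, "preceding" to the previous one.
type Roll = "following" | "preceding";
const DAY_MS = 86400000;

const iso = (d: Date): string => d.toISOString().slice(0, 10);

function isBusinessDay(d: Date, holidays: ReadonlySet<string>): boolean {
  const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
  return dow !== 0 && dow !== 6 && !holidays.has(iso(d));
}

// Takes and returns YYYY-MM-DD strings; keeps stepping until a business day is found,
// so a weekend followed by a bank holiday is handled in one pass.
function adjustDeadline(date: string, rule: Roll, holidays: ReadonlySet<string>): string {
  const step = rule === "following" ? DAY_MS : -DAY_MS;
  let d = new Date(date + "T00:00:00Z");
  while (!isBusinessDay(d, holidays)) d = new Date(d.getTime() + step);
  return iso(d);
}

// Quarterly pattern from the guide: 30 days after the quarter ends (quarter is 1 to 4).
function quarterlyDeadline(year: number, quarter: number, rule: Roll, holidays: ReadonlySet<string>): string {
  const quarterEnd = Date.UTC(year, quarter * 3, 0); // day 0 = last day of the quarter
  return adjustDeadline(iso(new Date(quarterEnd + 30 * DAY_MS)), rule, holidays);
}

// Monthly pattern from the guide: the 15th of the month after the reporting month (1 to 12).
function monthlyDeadline(year: number, month: number, rule: Roll, holidays: ReadonlySet<string>): string {
  // JavaScript months are 0-based, so index `month` is already the following month.
  return adjustDeadline(iso(new Date(Date.UTC(year, month, 15))), rule, holidays);
}
```

Saturday 19 April 2025 shows why the loop matters: rolling forward skips Sunday and Easter Monday, and rolling backward skips Good Friday.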
Data collection and validation
Compliance reports require data from multiple sources — your database, accounting system, HR system, and manual inputs. Collecting this data consistently is the most time-consuming part of compliance. Ask Claude Code: Create a data collection framework at src/lib/data-collection.ts. Each requirement defines the data fields it needs. For example, a GDPR data processing record needs: categories of personal data processed, legal basis for processing, data retention periods, third parties data is shared with, and technical security measures. Create a DataCollector interface with methods: getFields (returns the list of required fields with their types and validation rules), collect (attempts to auto-populate fields from connected data sources), and validate (checks that all required fields are present and correctly formatted).
Build auto-collection from your database. Ask Claude Code: Create collectors for common data. A user count collector queries the users table and returns the count of active users, new users this period, and deleted users (relevant for GDPR reporting). A financial collector queries the transactions table and returns revenue, expenses, and tax amounts by category (relevant for VAT and financial reporting). An employee collector queries the employees table and returns headcount, new hires, departures, and salary totals (relevant for payroll reporting).
Build a manual data entry interface. Ask Claude Code: For fields that cannot be auto-collected, create a form-based entry interface. When preparing a compliance report, show a checklist of required fields. Auto-collected fields show their values with a Verify button. Manual fields show input controls appropriate to the field type: text inputs for descriptions, date pickers for dates, number inputs for quantities, dropdown selects for predefined categories, and file uploads for supporting documents.
Add data validation. Ask Claude Code: Validate collected data against the requirement's rules. Check that all required fields are present, numeric values are within reasonable ranges (revenue should be positive, percentages between 0 and 100), dates are within the reporting period, cross-field validation (end date must be after start date, total must equal the sum of line items), and format validation (UK company numbers are 8 digits, VAT numbers follow a specific format). Show validation errors clearly with specific instructions for fixing each one.
Common error: auto-collected data can be stale. If the user count was collected on Monday but the report is submitted on Friday, 5 days of changes are missing. Add a freshness indicator showing when each field was last collected and a Refresh button to re-collect from the source.
Report generation and templates
Compliance reports have specific formats — some are free-form documents, others are structured forms with exact field positions, and some must be submitted through government portals as specific file types. Ask Claude Code: Create a report template system at src/lib/templates.ts. A report template defines: the output format (PDF, CSV, XML, or online form data), the layout (sections, fields, tables, and static text), calculated fields (derived from the collected data — for example, total tax liability equals the sum of all taxable amounts multiplied by the tax rate), and conditional sections (sections that appear only when certain conditions are met — for example, the international transfers section appears only if data is shared outside the UK).
Build PDF report generation. Ask Claude Code: Create a PDF generator at src/lib/pdf-generator.ts using a library like puppeteer or react-pdf. Create a template for a GDPR Data Processing Record with: a header section (company name, reporting period, preparation date, prepared by), a data processing activities table (each row has the activity description, data categories, legal basis, retention period, and third-party sharing), a technical measures section (security measures in place, access controls, encryption status), and a signature block (prepared by, reviewed by, approved by, with dates). Generate a PDF from collected data and display a preview before finalising.
Build CSV and XML export for structured submissions. Ask Claude Code: Create exporters for government filing formats. A VAT return exporter generates a CSV with the exact columns required by HMRC's Making Tax Digital API. An annual accounts exporter generates iXBRL (inline XBRL) formatted data for Companies House filing. Each exporter validates the output against the submission schema before saving.
Add a report review workflow. Ask Claude Code: Before submission, reports go through a review process. The preparer generates the report and marks it as Ready for Review. A reviewer (different person — separation of duties is a compliance requirement itself) reviews the data, can approve or reject with comments. If rejected, the preparer makes corrections and resubmits for review. If approved, the report status changes to Approved and can be submitted. Log every step in the audit trail.
Common error: compliance report formats change when regulations are updated. Build templates as configurable data, not hardcoded layouts. When a regulation changes (a new field is added, a section is renamed), update the template data without changing code.
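One way to enforce the review workflow above on the server, as an added example (not code from the original guide). The status and action names, the `applyAction` function, the rule that a rejection must carry a comment, and the rule that only the preparer may mark a report ready are assumptions made for illustration.

```typescript
type Status = "draft" | "ready_for_review" | "rejected" | "approved" | "submitted";
type Action = "mark_ready" | "approve" | "reject" | "submit";

interface Report { id: string; status: Status; preparedBy: string; reviewedBy?: string; }
interface Result { ok: boolean; report: Report; reason?: string; }

// Each action lists the statuses it may start from and the status it produces.
const TRANSITIONS: Record<Action, { from: readonly Status[]; to: Status }> = {
  mark_ready: { from: ["draft", "rejected"], to: "ready_for_review" },
  approve: { from: ["ready_for_review"], to: "approved" },
  reject: { from: ["ready_for_review"], to: "rejected" },
  submit: { from: ["approved"], to: "submitted" },
};

// Pure function: returns the updated report, or the unchanged report plus a reason.
// Callers should write both outcomes to the audit trail, including denied attempts.
function applyAction(report: Report, action: Action, actor: string, comment = ""): Result {
  const rule = TRANSITIONS[action];
  const deny = (reason: string): Result => ({ ok: false, report, reason });

  if (!rule.from.includes(report.status)) {
    return deny(`cannot ${action} a report in status ${report.status}`);
  }
  const reviewing = action === "approve" || action === "reject";
  // Separation of duties: compare identities here, not in the UI.
  if (reviewing && actor === report.preparedBy) {
    return deny("separation of duties: the preparer cannot review their own report");
  }
  if (action === "mark_ready" && actor !== report.preparedBy) {
    return deny("only the preparer can mark the report ready for review");
  }
  if (action === "reject" && comment.trim() === "") {
    return deny("a rejection needs a comment for the preparer");
  }
  // A resubmission clears the previous reviewer; submit keeps the approver on record.
  const reviewedBy = reviewing ? actor : action === "submit" ? report.reviewedBy : undefined;
  return { ok: true, report: { ...report, status: rule.to, reviewedBy } };
}
```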
Audit trails and evidence management
Regulators do not just want the report — they want evidence that your process is reliable. An audit trail records every action taken in the compliance process, creating an unalterable evidence chain. Ask Claude Code: Enhance the audit logging system at src/lib/audit.ts. Log every significant action: data collected (who collected it, when, what values, from which source), data modified (who changed it, when, old value, new value, reason for change), report generated (who generated it, when, which template version, the complete data snapshot), report reviewed (who reviewed, when, the decision, any comments), report submitted (who submitted, when, to which authority, submission reference number), and deadline acknowledged (who acknowledged approaching deadline, when).
Make the audit log append-only — entries can never be edited or deleted. Ask Claude Code: Implement audit log integrity using a hash chain. Each audit entry includes a hash of the previous entry. If any entry is modified, the hash chain breaks, making tampering detectable. Store the hash chain root in a separate system (or log it to an external service) as additional tamper evidence.
Build an audit trail viewer. Ask Claude Code: Create a page at src/app/compliance/audit/page.tsx. Show the complete audit trail as a filterable timeline. Filter by: entity (specific report, requirement, or data field), action type (collections, modifications, approvals), person (who performed the action), and date range. For each entry, show the timestamp, person, action description, and a details expansion showing the complete data snapshot.
Add evidence attachment support. Ask Claude Code: Allow users to attach supporting evidence to compliance reports and audit entries. Evidence types: documents (PDF, images), screenshots, email correspondence, and external system exports. Each attachment is stored with a SHA-256 hash for integrity verification. When a regulator requests evidence, generate an evidence pack: a ZIP file containing the report, all audit trail entries for that report, and all attached evidence documents with a manifest listing each file and its hash.
Common error: audit logs grow large quickly. Do not delete old entries (they are evidence), but implement archival: move entries older than 2 years to cold storage (a separate table or file) that is still searchable but does not slow down the primary audit log queries.
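The hash chain described above, as an added example (not code from the original guide): each entry's hash covers its own fields plus the previous entry's hash, and verification can also compare the latest hash against a copy held in the separate system. The `seq`, `prevHash` and `hash` fields and all function names are assumptions; the other fields follow the AuditLog model defined earlier.

```typescript
import { createHash } from "node:crypto";

interface AuditEntry {
  seq: number; entityType: string; entityId: string; action: string;
  performedBy: string; performedAt: string; details: Record<string, unknown>;
  prevHash: string; hash: string;
}
type NewEntry = Omit<AuditEntry, "seq" | "prevHash" | "hash">;

const GENESIS = "0".repeat(64); // prevHash of the very first entry

// Deterministic JSON with sorted keys, so equal data always yields equal bytes to hash.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map((x) => canonical(x)).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    const members = Object.keys(o).sort().map((k) => JSON.stringify(k) + ":" + canonical(o[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(v) ?? "null";
}

function entryHash(body: Omit<AuditEntry, "hash">): string {
  return createHash("sha256").update(canonical(body)).digest("hex");
}

// Append-only: returns a new array and never touches earlier entries.
function appendEntry(log: readonly AuditEntry[], e: NewEntry): AuditEntry[] {
  const prevHash = log.length > 0 ? log[log.length - 1].hash : GENESIS;
  const body = { ...e, seq: log.length, prevHash };
  return [...log, { ...body, hash: entryHash(body) }];
}

// Returns -1 when the chain is intact, otherwise the index of the first failing entry.
// anchoredHead is the latest hash as recorded in the separate system; a mismatch
// (truncation, or a full rewrite with recomputed hashes) is reported as log.length.
function verifyChain(log: readonly AuditEntry[], anchoredHead?: string): number {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const { hash, ...body } = log[i];
    if (body.seq !== i || body.prevHash !== prev || entryHash(body) !== hash) return i;
    prev = hash;
  }
  return anchoredHead !== undefined && prev !== anchoredHead ? log.length : -1;
}
```

Without the anchored hash, someone with write access to the whole table can alter an entry and recompute every later hash; the chain alone then verifies cleanly, which is why the guide stores the latest hash elsewhere.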
Regulatory change tracking and deployment
Regulations change. Tax rates are updated, reporting requirements are added, filing deadlines shift. Your compliance system must track these changes and alert you to their impact. Ask Claude Code: Create a regulatory change tracker at src/lib/reg-tracker.ts. Define a RegulatoryChange type: regulationId, changeType (new_requirement, modified_requirement, removed_requirement, deadline_change, format_change), description, effectiveDate, impactAssessment (which of your existing reports are affected), actionRequired (what you need to change in your system).
Build a change management workflow. Ask Claude Code: When a regulatory change is logged, create an impact assessment. For each affected requirement: describe what changes are needed (new data field, modified calculation, different deadline), estimate the effort to update templates and data collection, set a target implementation date (before the change becomes effective), and assign the update to a team member. Track progress and alert if implementation is not complete before the effective date.
Add a regulation monitoring dashboard. Ask Claude Code: Create a page showing: pending regulatory changes (changes logged but not yet implemented), upcoming effective dates (changes that take effect in the next 90 days), change history (all past changes and when they were implemented), and a compliance gap analysis (requirements where your current system does not yet meet the new regulation).
Build a regulations library. Ask Claude Code: Create a reference library at src/app/compliance/regulations/page.tsx. List all tracked regulations with: name and jurisdiction, current requirements, upcoming changes, last updated date, official source link, and plain-language summary of what the regulation requires. This becomes a reference for the team — instead of reading the full legal text, they check the library for a clear summary.
Deploy the compliance platform. Ask Claude Code: Configure production deployment on Vercel with a PostgreSQL database. Set up the deadline notification cron job (daily at 7 AM, check for upcoming and overdue deadlines). Set up the data freshness check (daily, verify auto-collected data is recent). Configure email notifications via Resend. Set up backup for the audit log (daily export to a separate storage location for disaster recovery). Test the complete workflow: create a requirement, set a deadline, collect data, generate a report, review and approve it, mark as submitted, and verify the entire process is captured in the audit trail.
This compliance system replaces manual spreadsheet tracking, reduces missed deadlines, and provides the audit evidence that regulators require.