Our experience with regulatory compliance is one of the cornerstones of the company. From the introduction of SOX in 2002 to the recent overhaul of Data Protection Regulations, our teams have helped organisations navigate these ever-changing areas with confidence, leveraging technology and automation for increased efficiencies along the way.

Winterhawk offers a wide range of compliance and regulatory consulting services, across multiple industry sectors. Whatever enterprise systems your organisation may be running (Microsoft, Workday, Infor, Oracle, SAP etc.), our consultants have a wealth of experience and bespoke content to help you address every challenge with the latest regulations.



A UK equivalent of the U.S. Sarbanes-Oxley Act (or SOX) is expected to be finalised in late 2022, and is likely to come into force a year or two after that. Read our latest article to find out more, including what you can do now in preparation for UK SOX – based on U.S. experiences, it’s going to take a couple of years for companies to prepare.

Case study: Winterhawk Delivers Bespoke SAP GRC Process Control Platform to facilitate SOX Compliance.

Financial Controls

The Sarbanes–Oxley Act of 2002, enacted July 30, 2002, and also known as Sarbanes–Oxley or SOX, is a United States law. It contains eleven sections and was created following a number of corporate and accounting scandals, including WorldCom and Enron. The act covers the responsibilities of a public corporation’s board of directors and adds criminal penalties for certain misconduct.

Whether you need support for the Sarbanes-Oxley Act (SOX) of 2002 or a country variant, we have a wealth of experience in implementing, streamlining and automating SOX controls to alleviate effort and spend.

Examples include:

  • I-SOX
  • C-SOX
  • German Corporate Governance Code 2002
  • Code Tabaksblat
  • Loi sur la Sécurité Financière
  • Corporate Law Economic Reform Program Act 2004
  • Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari
  • J-SOX
  • TC-SOX 11

Winterhawk’s Data Privacy Consultants have created a framework for Sarbanes-Oxley covering both Section 302 (corporate responsibility for financial reports) and Section 404 (management assessment of internal controls), with over 100 controls.

Data Privacy

The Datalagen (Data Act), passed in Sweden in 1973, was the world’s first country-specific data privacy / protection law. 45 years later, the General Data Protection Regulation (GDPR) came into force across Europe. Prior to 25 May 2018 (the date the act became law), digital and technological advancements had outgrown the data protection legislation in place; furthermore, the requirements varied from one country to another. The need to synchronise data privacy laws and bring them into the 21st century was clear, and plans to do so under the General Data Protection Regulation (GDPR) began. The reform is the most significant change to data privacy in Europe in over 20 years. It replaces the Data Protection Directive and is designed to harmonise data privacy regulations across Europe, to protect and empower all EU citizens’ data privacy and to reshape the approach to data privacy in organisations across the region.

Outside of Europe many countries have their own data protection and, increasingly, cyber protection laws. Here are some examples:

  • Argentina: Personal Data Protection Act (DPA) of 2000
  • Australia: Privacy Act 1988 – updated in 2018 (APP entities)
  • Brazil: Brazilian Internet Act of 2014
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000
  • Chile: Protection of Personal Data of 1998
  • Colombia: Decree 1377 of 2020
  • Dubai: DIFC Data Protection Law of 2020
  • Hong Kong: Personal Data Privacy Ordinance (PDPO) of 1996
  • India: Information Technology Act of 2000
  • Israel: Privacy Protection Act (PPA) of 1981
  • Indonesia: Electronic Information and Transaction Law No. 11 of 2008
  • Japan: Act on the Protection of Personal Information (APPI) Act No. 57 of 2003
  • Malaysia: The Personal Data Protection Act (PDPA) of 2010
  • Mexico: Protection of Personal Data in the Possession of Private Parties (LFPDPPP) of 2011
  • New Zealand: The New Zealand Privacy Act 2020 – December 2020
  • Philippines: Republic Act No. 10173, known as the Data Privacy Act of 2012
  • Korea: Personal Information Protection Act (PIPA) of 2011
  • Russia: The Russian Federal Law On Personal Data (OPD) of 2007
  • Singapore: Personal Data Protection Act (PDPA) of 2012
  • South Africa: Protection of Personal Information Act 4 (POPIA) of 2013
  • Thailand: Personal Data Protection Act B.E. 2562 (Thai PDPA) of 2019
  • Ukraine: The Law of Ukraine “On Personal Data Protection” No. 2297 VI of 2011
  • Vietnam: Law on Cyber Information Security Law No. 86/2015/QH13 (LCIS) of 2016; Law on Cyber Security Law No.24/2018/QH14 (LCS) of 2019

Winterhawk offers a range of services to assist with your compliance.

  • Data Privacy and Protection Education & Training
  • GDPR Audit Assessment
  • GDPR and Data Privacy Compliance Service
  • GDPR Compliance & Digital Transformation Solutions

Winterhawk’s Data Privacy Consultants have also compiled a best practice GDPR governance framework, based on 13 overarching governance processes, with the activities that organisations are required to perform to demonstrate effective GDPR compliance, comprising over 140 controls.

The California Consumer Privacy Act (CCPA) bill was passed on June 28, 2018, and became effective on January 1, 2020.

The CCPA enhances privacy rights for residents of California and applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California and satisfies at least one of the following thresholds:

  • Has annual gross revenues in excess of $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
  • Earns more than half of its annual revenue from selling consumers’ personal information.

Very similar to the European GDPR, the CCPA aims to protect personal information in a number of categories. People are entitled to know what personal data is being collected about them, whether their personal data is sold or disclosed and to whom (and to be able to say “no” to such a sale), to have access to their personal data upon request, and to be able to request deletion and correction.

Winterhawk offers a range of services to assist with your compliance.

  • Data Privacy and Protection Education & Training
  • CCPA Audit Assessment
  • CCPA and Data Privacy Compliance Service
  • CCPA Compliance & Digital Transformation Solutions

Our best practice framework for the Foreign Corrupt Practices Act (FCPA) contains over 100 controls across 11 categories, covering: Conduct a Baseline Risk Assessment, Assign Managerial and Governance Responsibility, Corporate Policies, Communication and Training, Certifications of Compliance, Intermediary and M&A Due Diligence Checklists, Contract Provisions for Third Parties, Reporting Mechanisms for Anti-Corruption Violations, Periodic Compliance Reviews, and Internal Investigation Procedures.

Cyber Security Risks

Cyber Security is about protecting the devices we use, and the services we access, from attacks designed to extract data or hold data for ransom. It’s also about preventing unauthorised access to, and visibility of, the vast amounts of personal information we store. As data volumes have grown, and with computing technology now firmly embedded in our working and personal lives, the challenge of protecting ourselves and our organisations grows exponentially year on year. Winterhawk has developed a best practice library of 450+ cyber security risks, split across 27 different risk categories.

Illegal Payments

Anti-Bribery – covering compliance with global and regional laws, regulations and professional standards (suspected wrongdoing, clients or third parties, facilitation payments, entertainment, donations, sponsorships, insider trading and accounting controls). Over 50 controls.

Anti-Money Laundering (AML) – Identity verifications, watchlist screening / sanctions checks, Policies, Controls, Procedures, Awareness & Training, Record Keeping, Risk Assessment, Client due diligence (CDD), Supervision, Monitoring. 46 controls across 8 risk sections.

Other areas of experience:

  • Financial Close & Consolidation
  • Hazardous Waste
  • Health & Safety (Safety, Occupational Health)
  • HIPAA (healthcare)
  • HR
  • Human Rights (Compliance, Ethical Business, Equal Opportunities, Resettlement & Land Compensation, Encroachment, Damage)
  • ISO 31000, ISO 27001, ISO 27002, ISO 9001, ISO 22301
  • ITAR
  • Local Buying & Vendor management (Equipment, Security, Assessments)
  • NIST Cybersecurity Framework, COBIT
  • Order to Cash
  • Procure to Pay
  • Tax Management (Relationships with Authorities, Compliance, Audits)
  • Third Party Outsourcing (SSAE16)
  • Travel & Expense

Get in touch

Drop us a line to discuss how Winterhawk can support your compliance and regulatory needs.