Compliance Audits & Training (2025): The Complete Playbook for Companies in Bangladesh — with Dubai & London Context
By TRW Law Firm — Regulatory, Investigations & Workforce Compliance (Dhaka • Dubai • London)
Why this guide
Compliance is no longer a binder on a shelf; it’s an operating system that protects licenses, clears bank approvals, satisfies buyers/donors, keeps insurers comfortable, accelerates M&A and, bluntly, stops bad headlines. In Bangladesh—where your business likely touches multiple regulators (NBR, Bangladesh Bank, BSEC, BTRC, DIFE, environment, local authorities)—a smart audit-and-training program is the single best way to detect risk early and embed the right behaviors.
If you’re a foreign company entering or scaling in Bangladesh, you also need cross-border alignment with your head-office standards and with rules your teams in Dubai (UAE mainland and free zones) and London (UK) already follow. This guide gives you a field-tested, step-by-step method to build and run a program that works in all three locations without fragmenting your controls.

Use this as your operating blueprint. Statutory rates, thresholds, and formats evolve; confirm numbers at implementation. No external links are included, by request.
Part A — What “compliance audits & training” really mean (done right)
- Compliance audits: recurring, risk-based checks of whether your policies, controls, and records meet law, license conditions, standards you’ve promised to customers/bankers/buyers, and your own code of conduct. They are independent of line management, documented to a forensic standard, and culminate in remediation that actually gets done.
- Compliance training: task-focused, role-based learning that changes behavior: short modules, local language, examples from your processes, manager toolkits, and measurement of behavior change. It is not a one-off slideshow.
Design principle: Treat both as part of one loop: Risk map → Controls → Audits → Findings → Remediation → Training → Metrics → Board. Rinse and repeat. When this loop runs monthly/quarterly, you steadily convert “unknown unknowns” into tracked, owned risks.
Part B — The regulatory landscape you must build for
Bangladesh: multisector, document-heavy
- NBR (Tax & VAT): registrations, withholding, VAT credits, transfer pricing, e-filings, e-BIN, e-TIN, and documentation of supply chains.
- Bangladesh Bank (BB): foreign exchange approvals and reports, outward remittances (royalties/dividends/management fees), AML/CFT, payments/PSP/MFS rules, ICT & cloud standards for banks and digital banks.
- BSEC (listed companies): governance, insider trading, related-party approvals, financial reporting, and investor communications.
- RJSC (company secretarial): filings, annual returns, resolutions, share allotments, capital changes, charges.
- DIFE/Labour: standing orders/service rules, registers, wages/OT/payslips, POSH (anti-harassment) committee, safety & welfare.
- BTRC/Telecom: service/user licenses, type approval, import NOCs, spectrum, lawful interception, data retention, spam/A2P hygiene.
- Environment: ECA/ECR, site clearances, effluent and emissions monitoring, waste manifests.
- Local authorities: trade licenses, fire licenses, factory licenses, signage, and site usage.
- Data & cyber: evolving data-protection regime; cyber incident and log-retention expectations; banking/telecom sector specifics.
Dubai / UAE: license-first, sector overlays
- Mainland economic departments and free zones (DIFC/ADGM/JAFZA etc.) set license scopes, governance, and in free zones often whistleblowing/data standards.
- Sector regulators (especially DFSA/FSRA in financial centers, telecom, health, and education) impose control and training requirements.
- AML/CFT for designated non-financial businesses & professions (DNFBPs), and financial institutions.
- Labor and immigration compliance, corporate governance for larger entities and government-related entities.
London / UK: control culture, individual accountability
- Company law and FRC / Department for Business and Trade (formerly BEIS) governance expectations for boards and audit committees; robust whistleblower protection.
- FCA/PRA (if regulated): systems & controls (SYSC), conduct rules training, SMCR accountability maps.
- Health & Safety Executive standards, ICO data-protection enforcement, competition law scrutiny.
- Strong expectations for documented risk assessments, board oversight, and management attestations.
Takeaway: Build one global standard that meets UK-level expectations (documentation, independence, anti-retaliation), then bolt on Bangladesh specifics (registers, approvals, sector filings) and UAE nuances (licensing, free-zone regimes). This avoids three different programs and keeps your auditors, buyers, and banks calm.
Part C — The 10-component compliance framework (copy this)
- Risk taxonomy: legal, financial, operational, cyber, safety, third-party, ESG.
- Risk register with owners, inherent/residual risk, controls, KRIs.
- Control library mapped to laws, licenses, and contracts.
- Audit universe listing locations, processes, and systems.
- Annual audit plan risk-weighted; include surprise checks.
- Issue lifecycle with severity ratings, owners, and due dates.
- Training curriculum by role/function with languages.
- Case & incident management (hotline/discipline/data incidents).
- Board dashboard (KPIs, trends, red flags).
- Policy & SOP library with version control and attestations.
Part D — Building the audit program, step by step
Step 1: Map your obligations (Bangladesh core)
- Corporate/RJSC: annual returns, director changes, share allotments, charge creation/satisfaction, minutes books.
- Tax/VAT/NBR: registrations, returns, source tax deduction and deposit, VAT e-filings, TP documentation, customs records for HS codes and bonded warehouses.
- FX/BB: BIDA (formerly BOI) registration and Bangladesh Bank approvals for foreign investment; reporting for inbound equity; dividend repatriation files; royalty/service fee approvals; export proceeds realization; BAFEDA rates alignment; AML/CFT program.
- Securities/BSEC (if applicable): board composition, audit committee, RPT approvals, insider lists, periodic disclosures.
- Labour/DIFE: appointment letters, standing orders, wages/OT, registers (attendance, leave, fines, accidents, maternity), safety committee minutes, POSH committee functioning.
- Telecom/BTRC: service or user licenses, type approvals, import NOCs, numbering/short codes, spectrum logs, LI and data retention setup, spam/A2P controls.
- Environment: ECC, ETP/STP operations, stack/effluent testing, hazardous waste manifests.
- Trade: LC files, import/export documentation, BoE and shipping papers, Incoterms, inspection certificates.
- Data/Cyber: security baselines, incident handling, log retention, vendor security.
Dubai & London add-ons: license scope in the UAE (free zone vs. mainland), governance and AML expectations; UK board/audit-committee documentation, training attestations, and data-privacy controls.
Step 2: Build your audit universe
List all auditable entities: head office, factories, warehouses, branches, depots, call centers, data centers/cloud tenants, shared services, C&F agents (documentation), large suppliers (if contractually auditable), distributors (for competition/brand compliance), and high-risk third-party processors (payroll, IT).
Step 3: Risk-rate and prioritize
Score by regulatory impact, financial exposure, frequency of errors, history, and change (new system/vendor/regulator). In Bangladesh, anything touching NBR, BB, BSEC, BTRC, DIFE, or environment should land in the top tiers.
Step 4: Audit plan and cadence
- Quarterly: tax/VAT, FX/BB outward remittances, payroll/wages/OT, procurement & AP, bonded-warehouse/inventory, telecom spam/A2P and LI tests, cyber incident register review.
- Biannual: corporate secretarial, environment, safety & POSH, data-privacy baseline, third-party due diligence.
- Annual: full governance review (board, audit committee), training effectiveness, competition/antitrust health check, ESG claims.
Step 5: Fieldwork (Bangladesh-fit)
- Data room: registers and filings in Bangla/English, payment challans, bank SWIFT/BEFTN proofs, customs packs, numbering/spectrum letters, safety logs, and board/audit committee minutes.
- Sampling: risk-based; for wages, draw samples across grades and shifts; for VAT, sample input credits and mismatched invoices; for FX, sample each category (dividend, royalty, service fee, freight).
- Walkthroughs: payroll run, OT approvals, invoice intake, GRN/three-way match, LC opening and amendment, data-incident playbook, spam/A2P throttling, LI test calls (for operators).
- Interviews: HR/payroll clerks, tax lead, FX desk, procurement, warehouse, QA, safety officer, hotline owner, IT/security.
Step 6: Grading and reporting
- Severity (Critical/Major/Moderate/Low) and themes (policy gap, control design, execution, documentation).
- Issue facts with evidence, risk, root cause, owner, due date, and fix.
- Close-out: require evidence of fix, not just an email promise.
- Board pack: top ten risks, overdue issues, repeat findings, improvement trend.
Part E — The training program that actually changes behavior
1) Architecture
- Foundational (all staff): code of conduct, anti-bribery/anti-retaliation, data hygiene, speak-up, safety basics.
- Role-based:
- Finance/Tax: VAT, WHT, TP basics, documentation, invoice red flags.
- Treasury/Legal: FX approvals, dividend files, royalty/supporting docs, AML gatekeeping.
- HR/Factory: wages/OT math, registers, POSH committee, domestic inquiries.
- Procurement & Logistics: conflicts, vendor due diligence, bonded-warehouse controls, Incoterms.
- Sales/Distribution: competition/antitrust (RPM, MFN, trade associations), advertising claims, channel policies.
- IT/Security: incident classification, logging, LI and data retention where applicable, vendor access.
- Telecom operations: license conditions, numbering hygiene, spam/A2P filters, lawful-interception testing.
- Board & C-suite: fiduciary and oversight duties, audit committee playbook, dawn-raid and crisis roles.
- Locales & language: Bangla-first for Bangladesh; Arabic/English in Dubai; English in London, with accessibility for non-native speakers.
2) Modality & frequency
- Micro-learning: 10–15 minute modules; one topic per week for frontline staff, monthly for corporate teams.
- Workshops: quarterly deep-dives for finance/tax, FX/BB, procurement, and safety/POSH committees.
- Simulations: dawn-raid tabletop, FX file “build & defend,” bonded-warehouse spot check, LI test call drill, data-incident tabletop.
- Manager toolkits: five-minute huddles with talking points and job aids.
- Attestations: annual for code and key policies; event-based for role changes.
- Refresher cadence: annual baseline modules + rolling micro-nudges.
3) Measurement & effectiveness
- Pre/post tests; target 80%+ mastery.
- Behavioral KPIs: drop in repeat audit findings; reduction in invoice exceptions; on-time FX filings; hotline usage and zero-retaliation rate; safe behavior observations.
- Manager scorecards: training completion, audit issue closure, incident response quality.
- Board dashboard: training coverage, pass rates, behavior change metrics.
Part F — Bangladesh “hot spots” your audits and training must cover
- Wages & OT math: correct base, legal multipliers, payslip transparency; alignment with sector minimums; registers accurate and contemporaneous.
- Standing orders/service rules: certified where required; disciplinary due-process (show-cause → inquiry → reasoned order).
- POSH: functioning complaint committee with woman chair and external member; case logs; protection from retaliation; periodic training.
- FX/BB: dividend repatriation files; royalty/management fee approvals; export proceeds realization; service import documentation; AML/CFT risk assessments.
- VAT/TAX: e-filings, input credit support, withholding deposits on time, TP files, customs classification and valuation consistency.
- Telecom/BTRC: correct license class; type approvals; import NOCs; numbering/short codes; spam/A2P controls; LI testing and data retention; spectrum logs.
- Environment & safety: ECC, ETP/STP performance; waste manifests; fire drills; PPE; safety committee action logs.
- Competition: RPM and MFN creep in distribution; trade association hygiene; hub-and-spoke risks via shared distributors.
- Third-party risk: C&F agents, customs brokers, distributors, and cash-collection agencies; due diligence, contracts with audit rights, and payment transparency.
- Data & cyber: incident playbook; log retention; vendor security; proportionate handling of personal data in case files.
Part G — Foreign companies: 25 cautions when operating in Bangladesh
- “Facilitation” payments are bribes—train and enforce zero tolerance with real scenarios.
- Document everything—boards in the UK/UAE expect forensic-grade files; Bangladesh regulators often ask for originals/certified copies.
- Bangla-first policies, posters, and training for frontline teams.
- Chain-of-custody for documents and devices; courts and regulators value it.
- Domestic inquiries mandatory for dismissals—skipping them loses cases.
- Supplier & contractor inclusion—extend hotline and training to their staff.
- Distributors—competition training (no RPM/MFN without legal review); licensed channels only.
- Bonded-warehouse—frequent spot checks; reconcile yield, scrap, and night dispatches; GPS and weighbridge controls.
- C&F agents—UBO checks, site visits, control clauses, audit rights, payment terms via bank only.
- FX remittances—require documentation; plan timelines; keep central bank engagement professional and complete.
- VAT credits—don’t book without matching documentation and supplier compliance.
- Payroll—biometrics with liveness; headcount roll calls; bank/MFS reconciliation; payslips match registers.
- POSH—do it properly; buyers check this first.
- Data—collect minimally; keep investigations on-shore when feasible; use secure transfers if cross-border.
- Telecom tech—no unapproved devices; type approval first; import NOCs for shipments.
- Numbers/codes—short codes and sender IDs must be allocated; throttle spam; keep complaint logs.
- Whistleblowing—confidential internal channels; anti-retaliation that actually works.
- Board oversight—quarterly dashboards with trends, not anecdotes.
- Dawn-raid readiness—front-desk scripts; counsel on speed dial; log everything taken/copied.
- M&A—clean teams for competitively sensitive info; pre-close conduct rules.
- Leases & licenses—sites must match trade and factory licenses; mismatches invite inspection.
- Training proof—attendance, tests, and manager confirmations; buyers and regulators request them.
- CSR/Donations—screen beneficiaries; avoid political or front entities; require reports.
- Gifts/Hospitality—strict thresholds; prior approvals; transparent registers.
- Speak-up culture—publish anonymized case studies and fixes; this makes the system real.
Part H — Cross-border alignment: Dhaka ↔ Dubai ↔ London
- One policy set, three addenda: global code, anti-bribery, competition, privacy, investigations; then Bangladesh, UAE, and UK annexes for local specifics (hotline requirements, disciplinary due-process, free-zone rules, UK whistleblower protection under PIDA).
- Shared controls: same AP/GL red-flag analytics, procurement approvals, third-party due diligence, and incident playbooks across offices.
- Training translations: Bangla and Arabic plus English; same scenarios localized (e.g., bonded-warehouse in BD; free-zone customs in UAE; SMCR conduct in UK).
- Board reporting: one dashboard with geography filters; consistent severity ratings and issue taxonomy.
Part I — 30/60/90-day build plan (greenfield or turnaround)
Days 1–30 — Stabilize
- Appoint Compliance Lead and Audit Manager; publish a CEO note.
- Map obligations and create your risk register with owners.
- Stand up a compliance calendar (Bangladesh filings, Dubai license anniversaries, UK board events).
- Select a case/audit tool (even a disciplined spreadsheet can work at the start) and set issue lifecycle rules.
- Run two quick audits: (1) wages/OT/payslips & POSH, (2) FX outward remittances and supporting files.
- Launch foundational training (code, speak-up, anti-bribery, safety basics).
Days 31–60 — Institutionalize
- Approve annual audit plan and perform two process audits (VAT/AP; bonded-warehouse/inventory).
- Build role-based training tracks and manager toolkits; implement attestations.
- Create hotline (web, WhatsApp, phone) and anti-retaliation standard; integrate with HR and investigations.
- Start a third-party due-diligence sweep: top 50 vendors/agents by spend/risk; re-paper contracts (audit rights, ABC/AML clauses).
- Test data-incident and dawn-raid simulations.
Days 61–90 — Assure
- Close findings with evidence of fix; run a repeat test on one area to prove improvement.
- Conduct board briefing with dashboard; agree on quarterly targets.
- Publish an anonymized case study of a finding and its fix; celebrate behavior change.
- Lock the 12-month roadmap (below).
Part J — Twelve-month maturity roadmap
- Coverage: audit 100% of high-risk processes and 60–70% of medium risk; rotate the rest.
- Findings: reduce repeat findings by 50%; close 90% of “Major+” issues within target time.
- Training: >95% completion for foundational modules; role-based modules >85% within 90 days.
- Behavior change: measurable drops in invoice exceptions, FX file returns, LI/Spam infractions, and POSH procedural gaps.
- Speak-up: rising hotline usage with zero retaliation; monthly checks prove it.
- Third-party: all high-risk partners vetted and contracted with audit rights; at least one audit performed on each of the top ten.
- Data & cyber: incident tabletop twice; patch cadence meets policy; logs retained and sampled quarterly.
- Cross-border sync: Dhaka, Dubai, and London share one dashboard and taxonomy; local annexes updated twice a year.
Part K — Functional audit checklists (ready to use)
1) Tax & VAT (NBR)
- Registrations valid; e-TIN and e-BIN mapped to all sites.
- VAT credits supported by compliant invoices; supplier compliance verified.
- WHT deducted and deposited on time with certificates issued.
- TP documentation current; intercompany agreements consistent.
- Customs files complete; HS codes consistent; bonded-warehouse reconciliations.
2) FX & Bangladesh Bank
- Dividend files: audited accounts, board resolutions, tax clearance, banker confirmations, and remittance approvals.
- Royalties/management fees: agreements, benchmarking, approvals, Form usage, remittance proofs.
- Export proceeds: realization within time; discrepancy handling; bank statements reconciled.
- AML/CFT: risk assessment, KYC files, STRs if applicable; training records.
3) Labour & POSH
- Appointment letters and ID; standing orders certified where needed.
- Wages/OT math compliance; payslips accurate; registers up to date.
- Safety committee, drills, PPE logs; accident register and closures.
- POSH committee functioning; case handling timelines; anti-retaliation proofs.
4) Telecom/BTRC (where applicable)
- Correct license category; valid type approvals and import NOCs.
- Numbering/short codes allocation and utilization; spam/A2P throttling; complaint logs.
- LI interfaces tested; data retention per license; spectrum logs.
- Partner agreements (aggregators, resellers) reviewed and compliant.
5) Procurement & AP
- Vendor due diligence; UBO and conflict disclosures.
- Three-way match; duplicate and round-sum flags monitored.
- Segregation of duties; approval hierarchies enforced in ERP.
- Gifts/hospitality registers; marketing services tied to deliverables.
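The “AP/GL red-flag analytics” referred to in Part H and the duplicate, round-sum and three-way-match checks listed above are the kind of routine an audit team scripts and re-runs each quarter. The following is an added illustration, not TRW’s tooling or any client’s ledger: it runs those three checks over a constructed invoice extract (vendor, supplier invoice number, amount, PO, quantity) against constructed purchase-order and goods-receipt tables. The thresholds (round-sum unit of 1,000 above a 10,000 floor, 1% price tolerance) are assumed values a firm would set in policy.

```python
"""AP red-flag analytics over a constructed invoice ledger (added example).

Checks: duplicate invoices (exact and near-duplicate after normalising the
supplier's invoice number), round-sum amounts, and three-way match failures
(invoice vs purchase order vs goods-receipt note).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    inv_id: str          # internal AP reference
    vendor: str
    vendor_inv_no: str   # number as printed on the supplier's invoice
    date: str            # ISO date
    amount: Decimal
    po: str
    qty: int


# Constructed sample data (assumed; not taken from any real ledger).
PURCHASE_ORDERS = {"PO-1001": (Decimal("12450.00"), 50), "PO-1002": (Decimal("90000.00"), 30)}
GOODS_RECEIPTS = {"PO-1001": 50, "PO-1002": 20}   # quantity actually received per PO
INVOICES = [
    Invoice("AP-1", "V001", "INV-0042", "2025-03-01", Decimal("12450.00"), "PO-1001", 50),
    Invoice("AP-2", "V001", "inv 42",   "2025-03-03", Decimal("12450.00"), "PO-1001", 50),  # same invoice, re-keyed
    Invoice("AP-3", "V002", "7781",     "2025-03-05", Decimal("90000.00"), "PO-1002", 30),  # round sum, GRN short
    Invoice("AP-4", "V003", "A-19",     "2025-03-07", Decimal("3120.50"),  "PO-9999", 10),  # no PO on file
]


def normalize_invoice_no(raw: str) -> str:
    """Collapse formatting differences so 'INV-0042' and 'inv 42' compare equal."""
    s = re.sub(r"[^A-Za-z0-9]", "", raw).upper()
    m = re.match(r"^([A-Z]*)0*(\d+)$", s)
    return m.group(1) + m.group(2) if m else s


def find_duplicates(invoices):
    """Return sorted pairs of AP references that look like one supplier invoice booked twice."""
    by_key = defaultdict(list)
    for inv in invoices:
        by_key[("no", inv.vendor, normalize_invoice_no(inv.vendor_inv_no))].append(inv.inv_id)
        by_key[("amt", inv.vendor, inv.amount)].append(inv.inv_id)
    pairs = set()
    for ids in by_key.values():
        for i in range(len(ids)):
            for j in range(i + 1, len(ids)):
                pairs.add(tuple(sorted((ids[i], ids[j]))))
    return sorted(pairs)


def is_round_sum(amount: Decimal, unit: int = 1000, floor: int = 10000) -> bool:
    """Flag large amounts that are exact multiples of `unit` (assumed policy thresholds)."""
    return amount >= floor and amount % unit == 0


def three_way_match(inv: Invoice, pos=PURCHASE_ORDERS, grns=GOODS_RECEIPTS,
                    tolerance=Decimal("0.01")):
    """Return mismatch reasons; an empty list means invoice, PO and GRN agree."""
    if inv.po not in pos:
        return ["no purchase order"]
    po_amount, po_qty = pos[inv.po]
    reasons = []
    if abs(inv.amount - po_amount) > po_amount * tolerance:
        reasons.append("amount differs from PO")
    if inv.qty > po_qty:
        reasons.append("quantity exceeds PO")
    if inv.qty > grns.get(inv.po, 0):
        reasons.append("quantity exceeds goods received")
    return reasons


def run_checks(invoices=INVOICES):
    """Map each AP reference to the red flags raised against it."""
    flags = defaultdict(list)
    for a, b in find_duplicates(invoices):
        flags[a].append(f"possible duplicate of {b}")
        flags[b].append(f"possible duplicate of {a}")
    for inv in invoices:
        if is_round_sum(inv.amount):
            flags[inv.inv_id].append("round-sum amount")
        flags[inv.inv_id].extend(three_way_match(inv))
    return dict(flags)


if __name__ == "__main__":
    for ref, reasons in run_checks().items():
        print(ref, "->", "; ".join(reasons))
```

Each flag is a sampling lead for the auditor, not a finding in itself: a round-sum invoice may be a legitimate fixed fee, and a near-duplicate may be a credit-and-rebill. The value of scripting the checks is that the same rules run over every quarter’s extract, so trends in exception counts (the “invoice exceptions” KPI in Part E) are comparable period to period.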
6) Data & Cyber
- Incident classification; a playbook with explicit notification clocks (for example 24- and 72-hour regulator or contract deadlines where they apply); past incident logs complete.
- Access controls (MFA, least privilege); vendor access and offboarding.
- Log retention; DLP and CASB baselines; periodic access reviews.
- Investigations data handling proportionate; cross-border transfers minimized.
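The access-control items above (MFA, least privilege, vendor access and offboarding, periodic access reviews) are usually evidenced by a scripted review of an identity export rather than by hand. The following is an added example, not TRW’s or any client’s script, run over a constructed account export with a fixed review date so the results are reproducible. The role-to-group baseline, the 90-day dormancy window and the list of privileged groups are assumptions a firm would define in its own access policy.

```python
"""Periodic access review over a constructed account export (added example).

Flags the conditions an auditor samples for: leavers still enabled, vendor
accounts past contract end, privileged accounts without MFA, dormant accounts,
and group membership beyond the role's entitlement baseline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

DORMANT_DAYS = 90                                   # assumed policy value
PRIVILEGED_GROUPS = {"erp_admin", "domain_admin"}   # assumed privileged groups
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {        # assumed least-privilege baseline per role
    "ap_clerk": frozenset({"erp_ap", "vpn"}),
    "payroll_vendor": frozenset({"payroll_db"}),
    "it_admin": frozenset({"erp_admin", "domain_admin", "vpn"}),
}


@dataclass(frozen=True)
class Account:
    user: str
    kind: str                      # "employee" or "vendor"
    role: str
    enabled: bool
    mfa: bool
    last_login: Optional[date]
    hr_status: str                 # "active" or "left" (employees); "n/a" for vendors
    contract_end: Optional[date]   # vendors only
    groups: FrozenSet[str]


TODAY = date(2025, 6, 30)  # fixed review date so the output is reproducible

# Constructed sample export (assumed; no real identities).
ACCOUNTS = [
    Account("a.rahman", "employee", "ap_clerk", True, True, date(2025, 6, 25), "active", None,
            frozenset({"erp_ap"})),
    Account("s.khan", "employee", "ap_clerk", True, True, date(2025, 2, 1), "left", None,
            frozenset({"erp_ap", "vpn"})),                       # left but never offboarded
    Account("payroll-svc", "vendor", "payroll_vendor", True, False, date(2025, 6, 20), "n/a",
            date(2025, 5, 31), frozenset({"payroll_db", "erp_admin"})),  # contract over, over-privileged
    Account("j.doe", "employee", "it_admin", False, True, None, "left", None,
            frozenset({"erp_admin", "vpn"})),                    # disabled: correctly offboarded
]


def review_account(acc: Account, today: date = TODAY) -> List[str]:
    """Return the review exceptions for one account; disabled accounts raise none."""
    if not acc.enabled:
        return []
    reasons = []
    if acc.kind == "employee" and acc.hr_status == "left":
        reasons.append("leaver still enabled")
    if acc.kind == "vendor" and acc.contract_end is not None and acc.contract_end < today:
        reasons.append("vendor contract ended")
    if acc.last_login is None or (today - acc.last_login).days > DORMANT_DAYS:
        reasons.append("dormant")
    if not acc.mfa and acc.groups & PRIVILEGED_GROUPS:
        reasons.append("privileged without MFA")
    excess = acc.groups - ROLE_BASELINE.get(acc.role, frozenset())
    if excess:
        reasons.append("excess entitlement: " + ", ".join(sorted(excess)))
    return reasons


def review(accounts=ACCOUNTS, today: date = TODAY) -> Dict[str, List[str]]:
    """Map each account with at least one exception to its list of exceptions."""
    return {a.user: r for a in accounts if (r := review_account(a, today))}


if __name__ == "__main__":
    for user, reasons in review().items():
        print(user, "->", "; ".join(reasons))
```

The exception list is the workpaper: each line is something the process owner must either remediate (disable, remove the group, enrol MFA) or explain with evidence, and re-running the same script next quarter shows whether the fix held. Joining the HR leaver list and the vendor contract register to the identity export is what turns “offboarding” from a policy statement into a testable control.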
Part L — Training outlines (plug-and-play)
Foundational (All staff, 40–50 minutes total, micro-modules)
- Speak-Up & Anti-Retaliation (10 minutes)
- Anti-Bribery & Gifts (10 minutes)
- Data Hygiene & Phishing (10 minutes)
- Safety Basics (10 minutes)
- Competition Basics for Sales/Marketing (optional 10 minutes)
Role-based (Quarterly)
- Finance/Tax: VAT credits and WHT traps; invoice red flags; TP essentials (30 minutes)
- FX/Governance: dividend/royalty file “build & defend”; AML gatekeeper role (30 minutes)
- HR/Factory: registers, payslips, POSH case flow, domestic inquiries (45 minutes)
- Procurement/Logistics: conflicts, bonded-warehouse controls, C\&F risks (30 minutes)
- Sales/Distribution: RPM/MFN, trade associations, online channel rules (30 minutes)
- IT/Security: incident classification, logs, vendor access, investigations data (45 minutes)
- Telecom Ops: license conditions, LI/data retention, spam/A2P (30 minutes)
- Board/C-suite: oversight, dashboards, crisis/dawn-raid roles (30 minutes)
Part M — How to prove effectiveness (and satisfy any regulator or buyer)
- Audit evidence: complete workpapers, samples, screenshots, reconciliations, walk-through notes.
- Before/after charts: issue counts, severity mix, closure times, repeat rates.
- Training lift: pre/post assessment deltas; behavior KPIs moving the right way.
- Culture: whistleblowing awareness scores, hotline usage trends, zero retaliation confirmations.
- Management attestations: quarterly sub-certifications by process owners.
- Independent assurance: annual external review of the program’s design and effectiveness.
Part N — FAQs (fast, practical answers)
Do we need a separate “compliance audit team” if we already have internal audit?
Not necessarily. Many firms run compliance audits within Internal Audit but with a dedicated compliance specialist and a legal/compliance sign-off. What matters is risk-based planning, independence, and issue closure discipline.
How often should we train?
Foundational annually (with micro-nudges during the year); role-based quarterly for high-risk teams; new joiners within 30 days. Managers need targeted refreshers aligned with audit findings.
Should training be the same across Dhaka, Dubai, and London?
Core content should match; local addenda should address Bangladesh registers and due-process, UAE licensing/free-zone nuances, and UK conduct/data expectations.
What’s the biggest cause of repeat findings?
Ownership and incentives. Fix it by naming a single owner, setting a deadline, tying part of managers’ KPIs to issue closure, and re-testing within one quarter.
Can we rely on vendor certifications instead of auditing them?
Start with certifications, but sample audit high-risk vendors annually. Paper alone won’t catch reality in logistics, bonded-warehouse, or call-center environments.
What if a finding suggests criminal conduct?
Escalate to Legal immediately; preserve evidence; consider whistleblower protection; assess regulator notifications; and plan a defensible investigation with due-process.
Part O — The TRW method (how we make this painless)
- Blueprint & build: risk registers, calendars, policy stacks, control libraries mapped to Bangladesh, UAE, and UK requirements.
- Audit factory: workpaper templates, sampling plans, issue lifecycles, dashboards; shadow audits to embed skills in your team.
- Training studio: Bangla/English/Arabic micro-learning, workshops, simulations, manager toolkits, and certification tracking.
- Rapid remediation: FX files rebuilt, VAT packs reconstructed, POSH committees operationalized, telecom license hygiene restored, dawn-raid drills run.
- Board packs: clear metrics and “storyline” every quarter; we present alongside management if desired.
- Cross-border alignment: one program across Dhaka, Dubai, and London—localized where it matters, harmonized where it counts.
Contact TRW Law Firm
Phones: +8801708000660 · +8801847220062 · +8801708080817
Offices: Dhaka — House 410, Road 29, Mohakhali DOHS • Dubai — Rolex Building, L-12 Sheikh Zayed Road • London — (by appointment)
Final word
A great compliance program in Bangladesh isn’t mysterious: know your obligations, build controls people can actually use, audit them with rigor, fix what you find, and train the exact teams who run the risks—then show the board the movement in numbers. If you operate across Dhaka, Dubai, and London, aim high and harmonize: UK-grade governance, UAE licensing discipline, and Bangladesh document reality, all in one loop. Do this well and inspections are routine, bank and buyer audits are uneventful, exports and remittances flow, and your people know exactly how to do the right thing—every month, not just once a year.
