Compliance Survey Template

Use this compliance survey template to score policy awareness, training effectiveness, speak-up confidence, reporting channel clarity, and perceived risk hotspots. Pick a 5-minute pulse or a 12-minute annual baseline, then use the built-in scorecard and action-plan table to assign owners, due dates, and follow-up pulses.

Questions: 10. Completion time: 5 min. Rating: 4.3. Uses: 11.8k+.

  1. How familiar are you with the company's compliance policies and procedures?
    • Extremely familiar
    • Very familiar
    • Somewhat familiar
    • Not very familiar
    • Not familiar at all
  2. Compliance policies and procedures are clearly communicated to me.
    Scale: 1 (Strongly disagree) to 5 (Strongly agree)
  3. Have you completed the required compliance training within the past 12 months?
    • Yes
    • No
  4. Which is your primary source of compliance guidance?
    • Employee handbook
    • Intranet portal
    • Training modules
    • Supervisor or manager
    • Other
  5. I feel comfortable reporting compliance concerns or violations.
    Scale: 1 (Strongly disagree) to 5 (Strongly agree)
  6. Have you ever reported a compliance concern or violation?
    • Yes
    • No
    • Prefer not to say
  7. I am confident that reported compliance concerns are addressed promptly and effectively.
    Scale: 1 (Strongly disagree) to 5 (Strongly agree)
  8. What suggestions do you have to improve our compliance program?
  9. What department are you in?
  10. What is your role level?
    • Staff/Associate
    • Supervisor/Team Lead
    • Manager
    • Director
    • Executive
    • Other

Compliance survey questions (core + optional regulation/topic add-ons)

Outcome: You will leave this section with a ready question set for a 5-minute pulse or a 12-minute annual survey, mapped to a simple scorecard you can trend over time.

Pick one: Enterprise (one instrument for everyone) vs Department (tailor examples, keep meaning) vs Topic module (add ABC/privacy/harassment, etc.).

  • Do this now: Lock 6-8 core items you will never change (for trending).
  • Do this now: Add 4-8 optional items based on your scope and current risk focus.
  • Do this now: Decide where you allow open-ended questions (usually 1-2 prompts max for anonymity and analysis speed).

How to assemble the 5-minute pulse vs 12-minute annual

5-minute pulse (quarterly or post-training)

Use 6-10 total questions: 6-8 core items + 0-2 optional module items + 1 open-text prompt. Goal: trend your scorecard and detect new hotspots fast.

12-minute annual baseline

Use 18-28 total questions: 10-14 core items + 6-12 module items + 1-2 open-text prompts. Goal: diagnose causes and set next-year program priorities.

Wording rule that protects data quality

Write items as neutral, single-idea statements (not accusations), and anchor sensitive items to a time window (for example, "In the last 12 months..."). If you need a refresher on survey basics, follow the checklist in AAPOR's Best Practices for Survey Research.

Core scorecard domains

People: culture, training, speak-up comfort. Process: reporting channels, controls, investigations handling. Risk: pressure points, third parties, hotspots. Outcomes: confidence that issues are handled fairly and without retaliation.

Core question bank (use these for every run)

"I know where to find our Code of Conduct and key policies when I need them."

Why it matters: Low scores usually mean your policy library is hard to find, not that people are unwilling to comply.

When to use: Include in every run as your Awareness anchor.

Response format: Likert. Segment by: function, region, manager vs IC

"I understand the compliance risks that matter most for my role."

Why it matters: Role clarity beats generic messaging; this item tells you if training and manager coaching connect to day-to-day work.

When to use: Always; trend it after major policy or process changes.

Response format: Likert. Segment by: role family, tenure band, site type

"In the last 12 months, I completed the compliance training required for my role."

Why it matters: You need a self-reported cross-check for LMS data gaps (especially for contractors, acquired entities, and frontline access issues).

When to use: Annual baseline; optional on pulses if you just launched training.

Response format: Yes/No. Segment by: location type, employee type, access method

"The compliance training I received was relevant to situations I actually face at work."

Why it matters: Relevance predicts behavior change better than completion; low scores point to content that feels generic or outdated.

When to use: Include in every run if training is a primary control.

Response format: Likert. Segment by: training audience, role level

"I feel safe raising a compliance or ethics concern without fear of retaliation."

Why it matters: This is your speak-up culture headline metric; it often explains under-reporting even when channels exist.

When to use: Always; treat it as a top-level outcome to protect.

Response format: Likert. Segment by: manager vs IC, tenure band, region

"I know how to report a compliance or ethics concern (for example, manager, Compliance, hotline)."

Why it matters: Confusion about reporting paths delays escalation and increases risk.

When to use: Always; pair with an item about confidence in fair handling.

Response format: Likert. Segment by: location, shift, job type (frontline/corporate)

"If I report a concern, I believe it will be handled fairly and consistently."

Why it matters: Perceived fairness drives future reporting; low scores often indicate slow response times or inconsistent communication of outcomes.

When to use: Always; trend after case-management process changes.

Response format: Likert. Segment by: function, region, manager vs IC

"Leaders in my area act in line with our values, even when under pressure to deliver results."

Why it matters: Pressure is where standards slip; this item helps you locate tone and incentive problems.

When to use: Always; use as a People-to-Risk bridge item.

Response format: Likert. Segment by: business unit, role level

Optional: 2 fast open-text prompts (keep neutral)

  • Optional: "What is one thing we could do to make it easier to do the right thing in your role?" (feeds People/Process)
  • Optional: "What compliance risk worries you most in your area today?" (feeds Risk)

Topic add-on modules (turn on only what you need)

Pick 1-3 modules for your annual survey. For pulses, pick 0-1 module so you can keep the survey short and trend core items. Keep the response format consistent (see Likert scale question design), and avoid yes/no items unless you truly need a count.

"I understand the rules on gifts, meals, and entertainment with customers, suppliers, or public officials."

Why it matters: Gifts and hospitality are common gray areas; confusion shows up before incidents do.

When to use: Turn on for sales, procurement, government-facing roles, or high-risk countries. Feeds: Awareness/Training (People) and Risk.

Response format: Likert. Segment by: role family, region, third-party contact frequency

"In the last 12 months, I disclosed a potential conflict of interest when it applied to me (or I know how to do so)."

Why it matters: People often fail to disclose because they are unsure what counts; this item reveals disclosure friction.

When to use: Turn on when you have annual COI attestations or frequent vendor/partner decisions. Feeds: Process (controls) and Awareness.

Response format: Multiple choice. Segment by: manager vs IC, procurement exposure, tenure

"I know how to get help if I experience or witness harassment or discrimination."

Why it matters: This is about access and clarity, not blame; it complements speak-up confidence with a specific, sensitive topic.

When to use: Turn on if your compliance survey covers workplace conduct, or if recent events suggest under-reporting. For background on why reporting climate matters, see the EEOC's Select Task Force report on workplace harassment. Feeds: Speak-up and Reporting.

Response format: Likert. Segment by: location type, shift, manager vs IC

"I know what to do if I suspect a phishing attempt or a possible data/privacy incident."

Why it matters: In many programs, reporting speed is the control; this item exposes confusion that increases impact.

When to use: Turn on when data handling and access are key risks, or after a security campaign. Feeds: Awareness/Process.

Response format: Likert. Segment by: access level, remote vs onsite, role type

"I feel comfortable asking questions about competition/antitrust rules before I act."

Why it matters: The safe path is to ask early; discomfort signals risk in sales, partnerships, and trade group participation.

When to use: Turn on for commercial teams or when you operate in tightly regulated markets. Feeds: Speak-up and Risk.

Response format: Likert. Segment by: function, seniority, region

"I know how long I must keep key records for my role, and where to store them."

Why it matters: Records failures create legal exposure even when behavior is otherwise compliant.

When to use: Turn on for functions with regulated retention (finance, quality, legal, operations). Feeds: Awareness/Process.

Response format: Likert. Segment by: function, system used, location type

"I know what due diligence or approvals are required before we engage a third party (agent, reseller, supplier)."

Why it matters: Third parties are a common risk pathway; this item surfaces process confusion that creates exceptions.

When to use: Turn on when you rely on vendors/resellers or operate in high-risk markets. Feeds: Process and Risk.

Response format: Likert. Segment by: procurement exposure, region, role family

Who should take the compliance survey (and how to sample safely)

Outcome: You will have a respondent list (or a safe sampling plan) plus a short segmentation plan that protects anonymity.

Pick one: Census (invite everyone) vs Sample (invite a designed subset) based on your size and the level of change you need to track.

  • Do this now: Decide your primary reporting cuts (for example: function + region + manager vs IC).
  • Do this now: Write your minimum subgroup size rule (example: "Report only groups with n >= 10").
  • Do this now: Document your sampling approach so you can repeat it next quarter/year.

Primary respondent groups

  • All employees: Use for your annual baseline and for culture/speak-up items that need broad coverage.
  • Managers (add-on cut): Include managers in the same instrument, then segment results. Add 1-2 manager-only items only if you can report them safely.
  • Compliance champions / local ethics reps (optional module): Run a short add-on pulse after the main survey to capture process-level feedback without mixing audiences.

When to include contractors or third parties

Optional: Third-party module. Include contractors, agents, or key vendors when they follow your policies, complete your training, or represent your brand to customers/government. Keep the core items the same, and add 3-5 third-party process questions (due diligence clarity, reporting channels, retaliation fear).

Sampling guidance you can run this week

Enterprise rollouts

Invite everyone if you can. If your org is very large, sample by region/function so each major group has enough responses for safe reporting, then keep the same design for trending.

Department rollouts

Invite the full department, but keep shared core items unchanged. Swap only examples and labels (for example, "shift" vs "team") so item meaning stays stable.

Wording tweaks without changing meaning

  • Frontline vs corporate: Replace "intranet" with "breakroom board / manager / QR code" but keep the same underlying question (ability to find policies, how to report).
  • Remote/hybrid: Add an example like "Teams/Slack" in the reporting channels item, but do not add extra concepts (keep one idea per item).
  • Global audiences: Translate with a back-translation check, and keep the response scale labels identical across languages.

Minimize re-identification risk (especially with comments)

Do not ask for exact team, site, job title, or a manager name in demographics. Set a minimum subgroup size (example: n >= 10 or n >= 15), and only publish segmented results that meet it. If you include comments, warn employees not to include names or case details, and review comments before sharing verbatims.

Anonymous vs confidential compliance surveys (tradeoffs that affect honesty)

Outcome: You will choose an administration mode (anonymous or confidential) and write down the safeguards that make employees believe you.

Pick one: Pick anonymous if you want more candid program-health signals. Pick confidential if you need follow-up and routing (and you can protect trust).

  • Do this now: Write one sentence for your invite: "This survey is for program improvement, not discipline."
  • Do this now: Set your subgroup reporting threshold (example: publish results only for groups with n >= 10).
  • Do this now: Decide how you will handle open-ended questions so people do not self-identify.

Decision factors: anonymous survey vs confidential survey

Best for
  • Anonymous survey: Culture and program-health diagnostics (awareness, training relevance, speak-up confidence).
  • Confidential survey: When you must follow up on specific issues, route requests for help, or validate remediation at an individual level.

Expected candor
  • Anonymous survey: Typically higher for sensitive topics because perceived personal risk is lower.
  • Confidential survey: Often lower unless you have strong trust, clear limits, and a credible non-retaliation message.

Follow-up ability
  • Anonymous survey: Limited (you can only follow up at group level).
  • Confidential survey: High (you can clarify answers, connect people to resources, and close the loop directly).

Perceived risk to employees
  • Anonymous survey: Lower if you avoid small demographic cuts and limit identifying details in comments.
  • Confidential survey: Higher unless you minimize identifiers and clearly separate survey data from investigations workflows.

Recommended safeguards
  • Anonymous survey: Third-party hosting (optional), minimum subgroup size, short demographics, careful verbatim handling.
  • Confidential survey: Limit who can access raw data, separate access from line managers, publish aggregate-only results, document retention rules.

Open-text prompts
  • Anonymous survey: Use 0-2 prompts; include a warning: "Do not include names or case details."
  • Confidential survey: Use prompts only if you can protect access and handle disclosures responsibly; avoid collecting unnecessary personal details.

Good fit with security expectations
  • Anonymous survey: Strong fit when you cannot guarantee follow-up privacy across regions and teams; align your handling to your security and privacy practices.
  • Confidential survey: Strong fit when you can demonstrate data controls (access limits, retention, audit trails) and explain them in plain language.

Why privacy conditions matter: Disclosure can change when respondents believe their identity can be inferred. A randomized trial on sensitive survey topics found that privacy conditions can affect disclosure patterns; use that as a practical warning to keep identity risk low if you want honest answers (see Impact of different privacy conditions on disclosure of sensitive information).

Boundary (set this in writing): Use the survey for program improvement, not case intake or discipline. If someone reports misconduct, route them to your established reporting channels and investigations process. This template provides operational guidance, not legal advice.

Launch checklist: communications, timing, and reminders that increase participation

Outcome: You will have a launch plan (invite list, message copy, reminder schedule, and manager do/don't instructions) you can execute in the next 1-7 days.

Pick one: Pulse (5 minutes; trend + early warning) vs Annual (12 minutes; diagnosis + planning). Then match your reminder schedule to the length.

  • Do this now: Put your survey on the calendar for a normal work week (avoid performance reviews and big reorganizations unless that is what you are measuring).
  • Do this now: Choose anonymous vs confidential and state it in the first two lines of the invite.
  • Do this now: Decide who owns the close-the-loop message (Compliance + HR is a common pairing).
  1. Build the audience list
    Pull a current roster, then remove tiny groups you cannot report safely. If you run global, verify language needs and local reporting norms before you hit send.
  2. Send a pre-note (24-72 hours before)
    Use a short heads-up from a credible leader (Compliance/Legal + HR). State purpose, length, and how you protect anonymity/confidentiality.
  3. Send the invitation with plain-language trust cues
    Include: (1) time estimate, (2) anonymity/confidentiality statement, (3) non-retaliation reminder, (4) what you will publish (themes + actions). Align any data handling claims with your security and privacy practices.
  4. Schedule reminders (do not spam)
    Common approach: 2 reminders for a pulse, 2-3 for an annual survey. Send at different times to reach shift workers. Response rates in web surveys depend on contact design and reminders, so treat your reminder plan as a real lever, not an afterthought (see Factors affecting response rates of the web survey).
  5. Give managers a do/don't script
    Do: encourage participation, allow time, reinforce non-retaliation. Don't: collect names, ask for screenshots, stand over someone while they answer, or push for "right answers".
  6. Close the field and publish a timeline
    Tell people when the survey closes and when they will see results (example: "We will share themes and actions within 3 weeks"). Then stick to it.

Copy/paste invitation script (edit the brackets)

  • Subject: [5-minute] Compliance survey -- your feedback, protected
  • Body line 1: This survey takes about [5/12] minutes and is [anonymous/confidential].
  • Body line 2: Use it to tell us what makes compliance easy or hard in your role. Please do not include names or case details in comments.
  • Body line 3: We will share high-level themes and 3-5 actions with owners and due dates by [date]. Retaliation for raising concerns is not allowed.

Results guide: scorecard + SWOT summary + action plan template

Outcome: You will produce a one-page scorecard (0-100), set red/amber/green (RAG) thresholds, and fill an action-plan table with owners, due dates, and a follow-up pulse date.

Pick one: Trend-first (keep items identical; watch movement) vs Diagnosis-first (add modules; explain root causes). Most teams do trend-first on core items and diagnosis-first on rotating modules.

  • Do this now: Write your 5 domains: Awareness, Training, Speak-up, Reporting, Leadership.
  • Do this now: Decide your minimum subgroup size for reporting (example: n >= 10) and apply it to every cut.
  • Do this now: Lock your response scale and scoring approach (see Likert scale question design).
  • Score Likert items on 0-100: Map responses to points (example for 5-point: Strongly disagree=0, Disagree=25, Neutral=50, Agree=75, Strongly agree=100). Average items within each domain to get domain scores.
  • Roll up to People / Process / Risk / Outcomes: People = Training + Speak-up + Leadership; Process = Reporting + key control/process items; Risk = hotspots/pressure items; Outcomes = fairness/consistency confidence. Put these four numbers on a single slide for leadership.
  • Set RAG thresholds you can explain: Use internal starter thresholds until you have your baseline (then adjust if needed): Red < 60, Amber 60-74, Green >= 75. Change the cutoffs only between cycles, not midstream, so your trend is stable.
  • Segment with purpose (and protect anonymity): Use only cuts you can act on (region, function, tenure band, manager vs IC, training completion). Suppress any cut below your minimum subgroup size, and avoid sharing raw comments outside a small review group.
  • Write a SWOT summary in 15 minutes: Strengths (2-3 high greens), Weaknesses (2-3 reds), Opportunities (1-2 fixes that raise multiple domains), Threats (1-2 emerging risks or pressure points). Use this as your quarterly agenda.
  • Run a quarterly improvement cadence: Publish actions, deliver fixes, then re-pulse the same core items. This aligns with continual improvement expectations in compliance management systems guidance like ISO 37301:2021 compliance management systems.
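
The scoring steps above, worked through as an added example (not code from this template or its vendor): it applies the page's 0-100 Likert mapping, averages items per domain, assigns the starter RAG thresholds, and suppresses any segment below the n >= 10 rule. The record layout, item ids, item-to-domain mapping and function names are assumptions, and the responses are constructed sample data.

```python
from collections import defaultdict
from statistics import mean

# Page's example mapping for a 5-point scale (1 = Strongly disagree ... 5 = Strongly agree).
LIKERT_POINTS = {1: 0, 2: 25, 3: 50, 4: 75, 5: 100}
MIN_SUBGROUP_N = 10  # page's example rule: report only groups with n >= 10

# Assumed item-to-domain mapping; the item ids are hypothetical.
ITEM_DOMAIN = {
    "find_policies": "Awareness",
    "training_relevant": "Training",
    "safe_to_raise": "Speak-up",
    "know_how_to_report": "Reporting",
    "leaders_act_on_values": "Leadership",
}

def rag(score):
    """Page's starter thresholds: Red < 60, Amber 60-74, Green >= 75."""
    if score < 60:
        return "Red"
    return "Amber" if score < 75 else "Green"

def domain_scores(responses):
    """Average 0-100 item points within each domain; skipped items are ignored."""
    by_domain = defaultdict(list)
    for r in responses:
        for item, answer in r["answers"].items():
            if item in ITEM_DOMAIN and answer in LIKERT_POINTS:
                by_domain[ITEM_DOMAIN[item]].append(LIKERT_POINTS[answer])
    return {d: round(mean(pts), 1) for d, pts in by_domain.items()}

def scorecard(responses, cut):
    """Score each segment of `cut`; segments below MIN_SUBGROUP_N are suppressed."""
    groups = defaultdict(list)
    for r in responses:
        groups[r.get(cut, "Prefer not to say")].append(r)
    report = {}
    for segment, rows in groups.items():
        if len(rows) < MIN_SUBGROUP_N:
            # Publish neither scores nor the exact count for a small cell.
            report[segment] = {"n": None, "suppressed": True}
            continue
        scores = domain_scores(rows)
        report[segment] = {"n": len(rows), "suppressed": False,
                           "domains": {d: (s, rag(s)) for d, s in scores.items()}}
    return report

def sample_responses():
    """Constructed sample data, not real survey results."""
    def make(region, n, speak_up):
        return [{"region": region,
                 "answers": {"safe_to_raise": speak_up[i % len(speak_up)],
                             "find_policies": 4,
                             "training_relevant": 4 if i % 2 else 3}}
                for i in range(n)]
    return make("A", 12, [4, 5]) + make("B", 10, [2, 3, 4, 3, 2]) + make("C", 4, [1])

if __name__ == "__main__":
    for segment, row in sorted(scorecard(sample_responses(), "region").items()):
        print(segment, row)
```

If the overall score and respondent count are published next to the segment cuts, a single suppressed segment can be recovered by subtraction, so fold small groups into a combined category or suppress a second segment as well.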

Action-plan table (copy into your tracker)

Columns: Finding (score + segment), Root cause hypothesis, Owner, Fix, Due date, Success metric, Follow-up pulse date

Example row 1
  • Finding (score + segment): Speak-up score 58 (Red) in Region B
  • Root cause hypothesis: Fear of retaliation + low confidence in fair handling
  • Owner: Compliance + HRBP
  • Fix: Manager talk-track + case-handling SLA + publish outcomes themes
  • Due date: [Date]
  • Success metric: Internal starter targets (adjust after baseline): Speak-up score +10; hotline awareness +15
  • Follow-up pulse date: [Date]

Example row 2
  • Finding (score + segment): Training relevance 62 (Amber) in Sales
  • Root cause hypothesis: Scenarios not aligned to sales motions
  • Owner: L&D + Sales Ops
  • Fix: Replace 3 scenarios; add micro-learning for gifts/COI
  • Due date: [Date]
  • Success metric: Internal starter targets (adjust after baseline): Relevance score >= 75; completion rate maintained
  • Follow-up pulse date: [Date]

Interpretation rule that prevents bad decisions

Do not treat one low item as proof of wrongdoing. Treat it as a process signal, assign an owner to investigate causes (policy access, training relevance, manager behavior), and confirm with follow-up questions or a targeted pulse.

Frequently Asked Questions

How often should we run a compliance survey (pulse vs annual)?

Run a 12-minute annual baseline for full coverage, then run a 5-minute pulse quarterly (or right after major training/policy changes) to track trend. Keep your core scorecard items identical year over year, and rotate optional modules so you can diagnose new risks without breaking trend lines.

Should a compliance survey be anonymous or confidential?

Pick anonymous when your main goal is candid program-health feedback, especially on speak-up and retaliation concerns. Pick confidential when you need follow-up or routing, then protect trust by minimizing identifiers, limiting access to raw data, and applying minimum subgroup size rules in reporting.

What demographics should we include without increasing re-identification risk?

Collect only what you will use: function, broad region/location, manager vs individual contributor, and tenure band are usually enough. Add a "Prefer not to say" option, avoid exact team/site/job title, and only report segmented cuts that meet your minimum subgroup size.

Can we use compliance survey responses for discipline or performance decisions?

No -- treat the survey as a program improvement tool, not evidence for discipline. If someone discloses misconduct, direct them to established reporting channels and investigations processes rather than trying to resolve it through survey data.

How do we avoid leading or loaded compliance questions?

Use neutral, behavior-based wording (for example, "I know how to report a concern") and keep one idea per question. Avoid double-barreled items ("training is clear and useful") and assumptions of wrongdoing; add one improvement-focused open-text prompt instead of accusation-style questions.

How do we close the loop after the survey to maintain trust?

Publish high-level findings first (what you heard), then publish 3-5 actions with an owner and due date (what you will do). Schedule a follow-up pulse on the same core items and be explicit about what you can and cannot change so employees see progress without overpromising.
