Monday, November 17, 2025
Compliance control monitoring. A case study


Imagine walking through EuroServices Group’s headquarters on the first week of each quarter. Corridors are lined with piles of lever-arch files, local teams are on frantic video calls, and the group compliance officer keeps refreshing her inbox waiting for yet another oversized spreadsheet. Everyone knows the drill: it is control-monitoring season.
1. Case study context: a company drowning in its own controls
EuroServices Group has 8 000 employees, operates in six EU countries, and is exposed to Sapin II, the UK Bribery Act, the FCPA (through US clients), antitrust rules, AML, GDPR, and strict health-and-safety obligations.
Over the past five years the group has checked all the “best practice” boxes:
- Formal risk maps for corruption, fraud, competition and money-laundering
- Written policies and codes of conduct in five languages
- A yearly internal-control plan led by regional compliance officers
- Dozens of preventive, detective and corrective controls
On paper it looks impeccable, yet every audit leaves management with the same question: Do the controls really work day after day? The answer should come from quarterly monitoring, but that is where the machinery grinds to a halt.
What monitoring actually looks like
Every quarter group compliance circulates a tab in Excel listing forty key controls:
- Gifts and hospitality approvals over €150
- Third-party due diligence for high-risk suppliers
- Competition-law training completion for sales staff
- Conflicts-of-interest declarations for key managers
- Transaction screening for AML-sensitive activities
Local teams must hunt for evidence—screenshots from the ERP, email approvals, LMS exports—paste or attach everything into the template, explain deviations, and send the file back by email. Group compliance then uploads the material to a shared drive, consolidates numbers manually and prepares slides for the board.
Across six countries and four quarters the process produces thousands of emails and hundreds of files. Skilled compliance professionals spend evenings copy-pasting instead of analysing risk. By the time the quarter-end pack reaches the board, the underlying data is already stale.

2. Why control monitoring becomes burdensome and costly
2.1 More controls than capacity
A solid risk assessment often yields a long list of controls: approvals, reconciliations, exception reports, remedial training. Few organisations take the next step—capacity modelling—to ask whether enough people and systems exist to test those controls regularly. The result is an oversized universe with insufficient resources, leading either to superficial box-ticking or to heroic overtime that burns out regional teams.
2.2 Fragmented data and systems
Each control lives in its own silo:
- Expenses system for gifts and hospitality
- Procurement portal for third-party screening
- LMS for training completion
- Separate AML or sanctions screening software
- Email chains for one-off approvals
Because there is no integration, monitoring means exporting raw data, reformatting, sampling manually, and saving evidence in ad-hoc folders. It is pure operational drag: high-skill staff performing low-skill repetitive tasks.
2.3 Human bottlenecks and expertise
Evaluating exceptions is not clerical work. Someone must judge whether an unapproved invoice is a genuine oversight or a red flag, whether late training is systemic, whether a pattern hides collusive behaviour. The pool of people able to make those calls is small—central compliance and internal audit—so everything queues for their review, driving cost up and speed down.
2.4 Lack of standardisation
Templates, wording and sampling vary by country. When group compliance tries to consolidate results, they discover they are comparing apples to oranges. Extra time is wasted reconciling formats instead of discussing risk.
3. Replaying the story with AI and GenAI in the loop
Picture the same company two years later, after rolling out an AI-powered control-monitoring engine. The objective is not to replace people but to industrialise the boring part—data collection, sampling, first-level analysis—so experts can focus on judgment and remediation.
3.1 Connecting directly to source systems
The project starts with mapping data sources and granting read-only API access:
- ERP and finance modules for payments and vendor master data
- HRIS for roles, training logs, and segregation of duties
- Expense management for gifts, travel and hospitality
- Procurement or due-diligence portals for third-party screening
- Case-management systems for whistleblowing and incident follow-up
Controls are codified once using plain-language rules, for example:
- “Sample 30 high-risk invoices per quarter and verify dual approval”
- “Flag any payment to an intermediary above €15 000 in a country scoring below 45 on Transparency International’s CPI”
- “List sales employees whose competition-law training is older than 24 months”
AI agents query the systems on schedule, pull relevant records and attach them as structured evidence. Human reviewers no longer spend evenings searching for PDFs.
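The three plain-language rules above, codified as data-driven checks over constructed sample extracts (an added example, not Naltilia's or the page's own code; the record layouts, field names and sample values are assumptions). Each rule returns an evidence record that carries its own documented source and threshold, and the invoice sample is seeded so an auditor can replay it:

```python
import random

# Constructed sample extracts standing in for read-only API pulls (not real data).
PAYMENTS = [  # ERP: payee type, amount in EUR, CPI score of the payee's country
    {"id": "P1", "payee_type": "intermediary", "amount": 22000, "cpi": 38},
    {"id": "P2", "payee_type": "intermediary", "amount": 9000, "cpi": 38},
    {"id": "P3", "payee_type": "intermediary", "amount": 30000, "cpi": 70},
    {"id": "P4", "payee_type": "supplier", "amount": 50000, "cpi": 38},
]
TRAINING = [  # HRIS/LMS: months since last competition-law training
    {"emp": "E1", "dept": "sales", "months_since": 30},
    {"emp": "E2", "dept": "sales", "months_since": 12},
    {"emp": "E3", "dept": "legal", "months_since": 40},
]
INVOICES = [  # ERP: every 7th high-risk invoice has only one approver
    {"id": f"I{i}", "risk": "high", "approvers": ["ana", "ben"] if i % 7 else ["ana"]}
    for i in range(60)
]

def sample_dual_approval(invoices, sample_size=30, seed=1):
    """Rule 1: sample high-risk invoices and verify two distinct approvers.
    The seeded RNG makes the sample reproducible, so an auditor can replay it."""
    pool = [i for i in invoices if i["risk"] == "high"]
    sample = random.Random(seed).sample(pool, min(sample_size, len(pool)))
    return {"sampled": [i["id"] for i in sample],
            "exceptions": [i["id"] for i in sample if len(set(i["approvers"])) < 2]}

def flag_intermediary_payments(payments, threshold=15000, cpi_floor=45):
    """Rule 2: intermediary payments above threshold in countries scoring below cpi_floor."""
    return [p["id"] for p in payments
            if p["payee_type"] == "intermediary"
            and p["amount"] > threshold and p["cpi"] < cpi_floor]

def stale_training(training, max_months=24):
    """Rule 3: sales staff whose competition-law training is older than max_months."""
    return [t["emp"] for t in training
            if t["dept"] == "sales" and t["months_since"] > max_months]

def run_controls():
    """Run every rule and return evidence records carrying the rule's own
    documented source, threshold and result (so the logic stays auditable)."""
    return [
        {"rule": "dual-approval", "source": "ERP invoices", "threshold": "30 sampled / 2 approvers",
         "result": sample_dual_approval(INVOICES)},
        {"rule": "intermediary-payment", "source": "ERP payments + CPI", "threshold": ">15000 EUR, CPI<45",
         "result": flag_intermediary_payments(PAYMENTS)},
        {"rule": "training-age", "source": "HRIS/LMS", "threshold": ">24 months",
         "result": stale_training(TRAINING)},
    ]
```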
3.2 Using GenAI to pre-analyse exceptions
Large language models digest unstructured inputs and suggest concise narratives:
- Summaries: “Out of 120 invoices sampled, five lacked documented approval, three related to missing supporting documents, two reflected late sign-off.”
- First-draft narratives for the quarterly report, ready for human sign-off.
- Automatic classification of findings according to predefined materiality thresholds.
The expert still validates, but admin time collapses from days to hours.
3.3 Moving from quarterly panic to continuous monitoring
Once data flows run automatically the marginal cost of more frequent testing approaches zero. Some controls run weekly, or even daily, creating near-real-time dashboards that surface patterns—a sudden spike in gifts for one subsidiary, persistent late approvals, an uptick in whistleblower cases linked to a single manager. Compliance can launch targeted deep-dives instead of broad, shallow sampling.
3.4 Standardised dashboards for management and regulators
All indicators feed a live compliance dashboard showing:
| Metric | Last 30 days | Trend vs. prior period |
|---|---|---|
| Controls tested | 92 % | +6 % |
| Exceptions flagged | 3.1 % | -0.4 pp |
| Critical findings open | 7 | -2 |
| Average remediation age | 41 days | -11 days |
GenAI creates a board-ready one-pager each quarter, and when an auditor requests documentation (“Show the past 12 months of competition-law monitoring in Spain”), the extract is produced in seconds instead of weeks.

3.5 Freeing people for human-only tasks
With manual grunt work off their plate, compliance professionals can:
- Challenge whether controls are truly risk-driven
- Investigate root causes of recurring gaps
- Engage with business leaders on culture, incentives and tone at the top
- Design smarter mitigation actions that reduce underlying risk instead of multiplying paperwork
4. Design principles (and pitfalls) for AI-driven monitoring
- Start with the risk map, not the technology. Focus on the 20 most critical controls before scaling further.
- Keep humans in the loop. AI flags and drafts, but closure decisions and disciplinary steps stay with qualified staff.
- Document every rule. Sampling method, data source, threshold and logic must be auditable. Regulators cannot approve a black box.
- Protect data and privacy. Apply role-based access, encryption in transit and at rest, and standard GDPR safeguards.
- Measure outcomes, not input volume. The objective is fewer material breaches, not more dashboards.
Companies that follow these principles transform monitoring from a quarterly scramble into an always-on radar that detects emerging risk early and supports smarter resource allocation.
5. Where Naltilia fits in
Naltilia’s platform was designed precisely for this challenge. By combining secure data connectors, AI-powered control testing and GenAI narrative generation, the solution automates up to 80 per cent of manual monitoring work. Compliance officers receive daily exception alerts, interactive dashboards, and ready-to-share evidence packs—all within a single workspace that is auditable and GDPR-compliant.
More importantly, Naltilia lets teams right-size their control universe. Real usage statistics reveal which controls operate flawlessly and which ones drain resources without reducing risk, enabling data-driven simplification.
Want to see how EuroServices Group could have avoided the quarterly drama? Keep reading our series on technology-enabled risk management, starting with our guide on how to build a compliance risk map in 6 steps.
Frequently asked questions
Is AI-based monitoring accepted by regulators? Most European regulators, including the French AFA and the UK Serious Fraud Office, do not prescribe specific tools. They expect effective, risk-based monitoring and auditable evidence. A documented AI process with human oversight meets those expectations.
Does continuous monitoring replace internal audit? No. It provides a first line of defence that allows audit to focus on design effectiveness, root-cause analysis and cultural factors instead of routine sampling.
How long does it take to integrate core systems? Typical midsize groups connect finance, HR and expense systems in four to six weeks using standard APIs. More specialised tools (e.g., legacy LMS) may require custom adapters but do not usually exceed three months.
Can small compliance teams benefit as much as large groups? Absolutely. Automation brings the biggest ROI where headcount is limited. Even a two-person compliance function gains real-time visibility that manual processes could never deliver.
Ready to stop working for spreadsheets and start focusing on real risk? Request a personalised demo of Naltilia’s AI-powered monitoring engine and discover how your team can regain weeks of productive time every quarter.