
The AFA doesn't want your policy. It wants your evidence.
The email lands on a Tuesday at 5:43 PM.
"Please provide evidence of your internal control plan and its execution."
You have a code of conduct. A risk map. A polished slide deck. What you don't have is proof that controls actually ran, at the right level, by the right people, with findings escalated and fixed.
That is the unglamorous core of Loi Sapin II: controls are only real if they leave a trail.
This post is about building that trail.
The AFA's three levels are a filing system, not a framework
The AFA's recommendations describe three autonomous levels of control and evaluation. Most compliance teams treat them as organizational theory. The AFA treats them as a document request.
- Level 1 (preventive): Operational checks run before a decision or transaction goes through. Owner: operations, finance, procurement, sales.
- Level 2 (detective): Testing that Level 1 happened and the program works. Owner: compliance or a second-line function.
- Level 3 (audit): Independent, periodic assessment reporting to top management.
| Control level | Purpose | Typical owner | Cadence | Evidence |
|---|---|---|---|---|
| Level 1 (preventive) | Stop bad decisions before they happen | Operations, finance, procurement, sales | Continuous | Approvals, checklists, system logs, signed forms, timestamps |
| Level 2 (detective testing) | Verify Level 1 execution, spot weaknesses | Compliance, risk, quality | Monthly to quarterly | Control plan, sampling rationale, test sheets, exceptions log, corrective actions, management reporting |
| Level 3 (audit) | Independently assess design and effectiveness | Internal audit or independent function | Annual to multiannual | Audit plan, working papers, audit report, ratings, follow-up tracking |
The most common failure: teams implement Level 1 activities (approvals, checklists, due diligence steps) but never design the evidence outputs. Level 2 becomes a yearly scramble. Level 3 becomes an opinion, not an audit.
"We do it" is not an answer. The AFA is asking: show me the file.
What evidence each level actually requires
The AFA is explicit: your Level 2 plan should define, for each control, the scope, method, sampling rationale, frequency, expected formalization, reporting, corrective measures, and retention. Here's what that means in practice.
Level 1: Operational breadcrumbs
Level 1 evidence is repetitive by design. Examples that hold up under AFA scrutiny:
- Gifts and hospitality: Approval request, approver identity, threshold rule applied, supporting documents, register entry.
- Third-party onboarding: Completed questionnaire, screening record, decision note, contract clause inclusion.
- High-risk payments: Four-eyes validation record, segregation of duties trace, invoice detail check, proof of service.
What fails: email approvals scattered across inboxes. Not because email is prohibited, but because retrieval and completeness collapse under audit pressure: you cannot prove that every approval exists, or find the ones that do, when the request arrives.
Level 2: Proof you tested, not that you planned
A Level 2 control without documentation is worse than no control because it creates a false narrative. Your minimum evidence set:
- A written Level 2 control plan (what you test, why, how often)
- A sampling file (selection logic, representativeness of risk)
- Test workpapers (what you checked, what you found, what counts as a failure)
- An exceptions and remediation log (owner, deadline, completion proof)
- A summary escalated to management, because escalation is part of effectiveness
Level 3: Audit-grade documentation
If you call something an audit, the AFA expects audit discipline:
- Audit charter or mandate (independence, reporting line)
- Audit program (scope, tests, interviews, data sources)
- Working papers
- Audit report with findings and recommendations
- Documented follow-up and closure
A slide deck is not an audit report.
The evidence map by Sapin II component
| Sapin II component | Level 1 evidence | Level 2 evidence | Level 3 evidence |
|---|---|---|---|
| Risk mapping | N/A (AFA notes no Level 1 here) | Scope review, methodology, action plan progress, incident integration | Independent review of governance, resources, program consistency |
| Code of conduct | Approvals and logs for governed situations (gifts, conflicts) | Sampling tests, diffusion/access checks, post-update reviews | Audit of effectiveness, accessibility, integration into training |
| Training | Attendance records, knowledge check results | Coherence check between risk map, target populations, content | Audit of governance, quality, linkage to code and speak-up |
| Third-party evaluation | Complete onboarding file, formalized decision | Sample review, periodic refresh verification, vigilance checks | Audit of full lifecycle and alignment with risk mapping |
| Internal alert system | Channel functionality proof, triage steps, confidentiality controls | Case sample review, timing quality, response quality | Systemic analysis feeding back into risk map |
| Accounting controls | Four-eyes validations, access rights, automated checks | Sample testing, synthesis, corrective actions | Audit of design, resourcing, alignment to risk mapping |
The goal isn't to copy this table into a policy. The goal is to build evidence outputs you can retrieve in minutes, not reconstruct in a panic.
What an AFA-ready evidence pack looks like
A compliance officer at a 900-person industrial group runs a quarterly Level 2 cycle across three topics: third parties, gifts and hospitality, and commission accounting entries.
Every quarter, she produces five documents:
- Quarterly control memo (scope, sample size, method)
- Sample list (with selection logic)
- Test results sheet (pass, fail, comments)
- Issues log (owner, deadline, status)
- Summary note to management
When internal audit arrives, it doesn't redo her work. It audits whether her testing is well-designed, run consistently, and followed up. That is how the three levels reinforce each other.
Evidence that can't be retrieved isn't evidence. The AFA expects conservation and archiving with versioning and dates, within data protection limits.
Stop treating internal control as a concept. Treat it as a production line of evidence: Level 1 generates operational proof. Level 2 generates testing proof. Level 3 generates independent assurance.
If you can't produce those artifacts on demand, you don't have three levels. You have good intentions.
FAQ
Do we really need three levels for Loi Sapin II? The AFA says "ideally up to three levels" (proportionality applies). But you still need a credible second-line testing mechanism and an independent review at some cadence.
What's the minimum Level 2 evidence? A written control plan, traceable sample selection, documented test results, an issues log with owners and deadlines, and proof of escalation to management.
Can compliance test controls it designed? Be careful. The AFA flags self-review risk, especially for risk mapping. Where unavoidable, document compensating measures: peer review, independent sign-off, or audit involvement.
Are screenshots acceptable evidence? Sometimes, but screenshots without timestamps, context, or case linkage are fragile. Prefer system exports and workflow logs that show who did what, when, and under which rule.
How does Naltilia support control evidence? Naltilia structures risk-based controls, automates evidence collection, and tracks remediation against your risk assessment, so "show me" becomes a two-click export, not a two-week fire drill.
If you're still chasing evidence across shared drives and inboxes, take a look at Naltilia or contact our experts. We help compliance teams turn internal control from a concept into a documented, audit-ready practice.

