What is the ISAL framework? 


Clear training and guidance for staff on compliance needs and clarity of expectations, to empower colleagues to self-serve and build compliance into their activities in a tailored and proportionate way, where it makes the most sense.


Targeted support available to those who need it, where it adds the most value - freeing colleagues to support more valuable activity, more quickly.


Internal Audit, working with the compliance leads, will spot check that compliance issues are being dealt with appropriately, providing clear conclusions and precise actions for follow up.


Deans, Head of Professional Services, and managers are responsible for securing the proper conduct of their staff in relation to compliance and taking appropriate action where processes are not followed. Leaders will support a local culture of compliance, aligned with the institutional approach.

Find out more about the ISAL Framework in the video below:


Training and self-help resources are fundamental to the Inform pillar of the ISAL framework for many compliance areas.

The University’s Mandatory Training Policy sets out what training must be undertaken by staff. Learning and development is an important part of the induction of new staff and updating the skills and knowledge of existing staff. You can learn more about what training is mandatory for your role on the Mandatory training page.

Please note that not all compliance areas have mandatory training.

What are first, second and third line controls?

Internal auditors talk about three types of control:

First Line Controls: compliance leads have primary responsibility to own and manage the risks associated with their areas. This tends to lead to checking all such activities and ultimately policing by a single person or team. This is inefficient and disempowers colleagues.

Second Line Controls: tools, policies and techniques are supplied to support colleagues to manage risk and compliance in their activities. Targeted support is available, where self-service is not possible or appropriate.

Third Line Controls: post hoc assurance is provided by internal audits and learning is shared to improve processes and understanding.

Our current way of operating is to rely too heavily on first line controls, which slows processes down, creates bottlenecks, and makes it difficult to respond to opportunities in a timely fashion.

In implementing the ISAL framework, we will rebalance our controls with a greater focus on second and third line controls. We will help colleagues to take responsibility for compliance in their activities, by setting clear expectations and providing intuitive tools to help them to secure compliance.

What’s the difference between policies and guidance?

The Project Board has endorsed a new way of thinking about how we write and present our policies, procedures, guidance and toolkits. The following guide explains the reasons why we think most policies should be as brief and focussed as possible and why greater effort should be placed on writing clear guidance and developing supporting tools:

Guide on writing policies, procedures, guidance and toolkits (to follow)

How can I get involved?

Whether you have responsibility for leading a particular compliance regime for the University or you are responsible for securing compliance within the scope of your role, you will have something valuable to contribute to the work of Project Compliance.

If you would like to discuss the work of Project Compliance at all, please contact John Houghton (Project Manager):