CONFIDENTIAL -- AZ1.AI Inc. -- Internal Use Only
CFS-008: Regulatory Compliance Matrix
1. Executive Summary
The CODITECT Financial Suite must operate across 30+ tax and regulatory jurisdictions from launch. This document maps every compliance requirement by country, including accounting standards, e-invoicing mandates, tax reporting obligations, data privacy laws, and audit trail requirements.
Core architecture principle: The compliance engine is modular -- each jurisdiction is a plugin that can be added, updated, or deprecated independently. This enables rapid geographic expansion without re-architecting the platform.
2. Accounting Standards Matrix
2.1 Standards Coverage
| Standard | Jurisdictions | Priority | Status |
|---|
| IFRS | 140+ countries (EU, Brazil, UK, Australia, India, Nigeria) | Phase 1 | Core |
| US GAAP (ASC) | United States | Phase 1 | Core |
| BR GAAP (CPC) | Brazil (converged with IFRS) | Phase 1 | Core |
| UK GAAP (FRS 102) | United Kingdom | Phase 2 | Planned |
| Indian GAAP (Ind AS) | India (converged with IFRS) | Phase 4 | Planned |
| OHADA | West/Central Africa (17 countries) | Phase 4 | Planned |
2.2 Multi-GAAP Reporting Requirements
| Capability | Implementation |
|---|
| Parallel books | Entity-level GAAP assignment, journal entries posted to all applicable books |
| GAAP differences | Adjustment journal entries between standards (e.g., lease accounting IFRS 16 vs ASC 842) |
| Disclosure requirements | Standard-specific disclosure checklists per reporting period |
| Transition support | Opening balance migration tools for standard transitions |
| Audit trail | Complete audit trail per GAAP book, cross-referenced |
3. E-Invoicing Mandate Matrix
3.1 Global E-Invoicing Requirements
| Country | Mandate | Format | Model | Timeline | Priority |
|---|
| Brazil | NF-e, NFS-e, CT-e | XML (ABNT) | Clearance (real-time government validation) | Active | Phase 1 |
| Mexico | CFDI 4.0 | XML | Clearance (PAC intermediary) | Active | Phase 2 |
| India | GST e-Invoice | JSON (via IRP) | Clearance (Invoice Registration Portal) | Active (expanding) | Phase 4 |
| Italy | FatturaPA / SDI | XML (FatturaPA) | Clearance (Sistema di Interscambio) | Active | Phase 3 |
| France | Factur-X | CII/UBL hybrid | Clearance (PPF/PDP) | 2026 large, 2027 all | Phase 3 |
| Germany | XRechnung | UBL/CII | Post-audit (B2G), clearance planned (B2B) | 2027 large, 2028 all | Phase 3 |
| Spain | Verifactu / SII | XML | Real-time reporting | 2026 | Phase 3 |
| Poland | KSeF | XML | Clearance (National e-Invoice System) | 2026 | Phase 3 |
| Belgium | Peppol BIS | UBL | Network (Peppol) | 2026 B2B | Phase 3 |
| Portugal | SAF-T PT | XML | Post-audit | Active | Phase 2 |
| UK | MTD / Peppol | Various | Post-audit + Network | Expanding | Phase 2 |
| Saudi Arabia | FATOORAH / ZATCA | XML (UBL 2.1) | Clearance | Active (phased) | Phase 4 |
| Nigeria | FIRS e-Invoice | TBD | Planned | In development | Phase 4 |
| Australia | Peppol | UBL | Network (B2G), voluntary B2B | Active (expanding) | Phase 4 |
| Colombia | DIAN e-Invoice | XML (UBL 2.1) | Clearance | Active | Phase 4 |
3.2 E-Invoicing Architecture
| Component | Technology | Purpose |
|---|
| Format Engine | Template-based XML/JSON generation per jurisdiction | Produce compliant document formats |
| Validation Engine | Schema validation + business rule checks pre-submission | Ensure compliance before submission |
| Signing Module | Digital certificate management (X.509, A1/A3 for Brazil) | Legally sign documents |
| Submission Gateway | Per-jurisdiction API connectors | Submit to government/clearance systems |
| Response Handler | Status tracking, rejection handling, resubmission logic | Manage lifecycle |
| Archive | Immutable storage per legal retention requirements | Meet retention mandates |
4. Tax Reporting Matrix
4.1 Tax Report Requirements by Jurisdiction
| Country | Key Tax Reports | Frequency | Digital Filing |
|---|
| Brazil | SPED Fiscal (EFD-ICMS/IPI), SPED Contribuicoes (EFD-PIS/COFINS), ECF, ECD, DCTF, DIRF, REINF | Monthly + Annual | Mandatory (SPED system) |
| United States | 1099/W-2 (information), 941 (payroll), state sales tax, 1120/1065 (income) | Quarterly + Annual | E-file (IRS MeF) |
| Mexico | DIOT (VAT), ISR (income), IEPS (excise), CFDI (real-time) | Monthly | SAT portal |
| United Kingdom | VAT Return (MTD), CT600 (corporation tax), P11D (benefits), RTI (payroll) | Quarterly + Annual | HMRC MTD API |
| Portugal | SAF-T, IES, IRC, IVA | Monthly + Annual | Portal das Financas |
| France | CA3 (VAT), DAS2, liasse fiscale, FEC | Monthly + Annual | impots.gouv.fr |
| Germany | UStVA (VAT), E-Bilanz, Zusammenfassende Meldung | Monthly + Annual | ELSTER |
| India | GSTR-1/3B (GST), TDS returns, ITR (income) | Monthly + Annual | GST portal + e-filing |
| Nigeria | VAT returns, CIT, WHT returns | Monthly + Annual | FIRS portal |
| Australia | BAS (GST), PAYG, STP (payroll), TFN | Quarterly + Annual | ATO portal |
4.2 Brazil SPED Compliance (Phase 1 Deep Dive)
| SPED Obligation | Content | Frequency | Deadline | Format |
|---|
| EFD-ICMS/IPI | State tax transactions, inventory | Monthly | 20th of following month | TXT (SPED layout) |
| EFD-Contribuicoes | PIS/COFINS federal contributions | Monthly | 10th business day of 2nd following month | TXT (SPED layout) |
| ECD | Digital accounting bookkeeping (GL, balance sheet) | Annual | Last business day of June | TXT (SPED layout) |
| ECF | Corporate income tax (IRPJ/CSLL) | Annual | Last business day of July | TXT (SPED layout) |
| REINF | Withholding tax events | Semi-monthly | 15th of following month | XML (eSocial) |
| DCTF | Federal tax declarations and credits | Monthly | 15th of 2nd following month | PGD application |
CBS/IBS Tax Reform Impact (2026-2033):
| Phase | Timeline | Change | CODITECT Response |
|---|
| Transition start | 2026 | CBS (federal) at 0.9%, IBS (state/municipal) testing | Dual calculation engine: old taxes + new CBS/IBS |
| Gradual phase-in | 2027-2028 | CBS rate increases, IBS activated | Parallel reporting: old and new systems simultaneously |
| Crossover | 2029-2032 | Old taxes gradually reduced, new taxes increased | Automated transition tracking per entity |
| Full implementation | 2033 | PIS/COFINS/IPI/ICMS/ISS fully replaced by CBS/IBS | Legacy tax modules deprecated, CBS/IBS fully operational |
5. Data Privacy & Protection Matrix
5.1 Privacy Regulations by Jurisdiction
| Regulation | Jurisdiction | Key Requirements | Data Residency | Penalty |
|---|
| LGPD | Brazil | Consent, data subject rights, DPO, breach notification (72hr) | Brazil preferred (not mandatory) | Up to 2% of revenue (R$50M cap) |
| GDPR | EU/EEA | Consent, data subject rights, DPO, breach notification (72hr), DPIA | EU/EEA (adequacy or SCCs for transfers) | Up to 4% of global revenue or EUR 20M |
| CCPA/CPRA | California, US | Opt-out of sale, right to delete, privacy notice, data minimization | No residency requirement | $7,500 per intentional violation |
| POPIA | South Africa | Consent, data subject rights, Information Regulator registration | South Africa (for certain categories) | Up to R$10M or imprisonment |
| PDPA | India | Consent, data subject rights, data fiduciary obligations | India (for critical data) | Up to INR 250 crore |
| PDPA | Singapore | Consent, data protection, breach notification (3 days) | No strict residency | Up to SGD 1M or 10% of turnover |
| Privacy Act | Australia | APPs, data breach notification (30 days), overseas disclosure | No strict residency | Up to AUD 50M |
| UK GDPR | United Kingdom | Same as EU GDPR post-Brexit, UK ICO oversight | UK adequacy with EU | Up to 4% of global revenue or GBP 17.5M |
5.2 Data Privacy Architecture
| Control | Implementation |
|---|
| Data classification | All fields tagged: PII, financial, regulatory, public |
| Consent management | Per-purpose consent tracking with withdrawal capability |
| Data subject rights | Self-service portal for access, correction, deletion, portability |
| Data minimization | Collection limited to stated purposes; automated retention enforcement |
| Encryption | AES-256 at rest, TLS 1.3 in transit, field-level for PII |
| Data residency | Region-specific storage with geo-fencing (GKE multi-region) |
| Breach notification | Automated detection, 72-hour notification workflow, template per jurisdiction |
| DPO integration | DPO dashboard with compliance status, incident log, DPIA tracker |
| Cross-border transfers | Standard Contractual Clauses (SCCs), adequacy assessments, transfer impact assessments |
| Anonymization | Automated PII stripping for analytics, AI training, and cross-tenant aggregation |
6. Audit Trail & Record Retention
6.1 Retention Requirements by Jurisdiction
| Country | Financial Records | Tax Records | E-Invoices | Audit Logs | Format |
|---|
| Brazil | 5 years (civil), 10 years (tax) | 5 years from year-end | 5 years (NF-e) | 5 years | Original digital + PDF |
| United States | 7 years (IRS), varies by state | 7 years (federal) | 7 years | 7 years | Original + readable format |
| Mexico | 5 years | 5 years from filing | 5 years (CFDI) | 5 years | XML original |
| United Kingdom | 6 years (Companies Act) | 6 years (HMRC) | 6 years | 6 years | Original digital |
| France | 10 years (Code de Commerce) | 6 years (general) | 10 years | 10 years | FEC-compliant |
| Germany | 10 years (HGB) | 10 years (AO) | 10 years (GoBD) | 10 years | GoBD-compliant (unalterable) |
| India | 8 years (Companies Act) | 6 years (Income Tax) | As per GST rules | 8 years | Original digital |
| Australia | 7 years (Corporations Act) | 5 years (ATO) | 5 years | 7 years | Original digital |
6.2 Audit Trail Architecture
| Requirement | Implementation |
|---|
| Immutability | Append-only audit log, cryptographic hash chain (blockchain-inspired) |
| Completeness | Every create, read, update, delete operation logged with user, timestamp, before/after values |
| Searchability | Full-text search + structured query on audit log (Elasticsearch) |
| Export | One-click export per entity, per period, per jurisdiction (PDF, CSV, JSON) |
| Tamper detection | Hash verification on export; any gap or modification is flagged |
| Access control | Audit log access restricted to authorized roles; read-only for all |
| Clock synchronization | NTP-synchronized timestamps, UTC storage, local timezone display |
7. Chart of Accounts Regulatory Requirements
7.1 Mandatory Chart of Accounts by Country
| Country | Standard CoA | Mandatory | Mapping Required |
|---|
| Brazil | SPED referential CoA (RFB) | Yes (for SPED reporting) | Map custom CoA to SPED codes |
| France | Plan Comptable General (PCG) | Yes (legally required) | Must follow PCG structure |
| Germany | SKR03 / SKR04 (DATEV) | No (standard practice) | E-Bilanz taxonomy mapping |
| Spain | Plan General de Contabilidad (PGC) | Yes (legally required) | Must follow PGC structure |
| Portugal | SNC (Sistema de Normalizacao Contabilistica) | Yes | SAF-T taxonomy mapping |
| Mexico | Codigo agrupador SAT | Yes (for CFDI) | Map to SAT catalog |
| United States | None (flexible) | No | Industry standards (SIC) |
| United Kingdom | None (flexible) | No | XBRL taxonomy for CT600 |
| India | Schedule III (Companies Act) | Yes (for statutory reporting) | Ind AS disclosure mapping |
7.2 CODITECT CoA Architecture
| Feature | Implementation |
|---|
| Flexible structure | User-defined CoA with unlimited levels |
| Regulatory mapping | Each account maps to 1+ regulatory taxonomy codes |
| Multi-mapping | Single account can map to SPED + IFRS + local GAAP simultaneously |
| Validation | Real-time validation that all required regulatory accounts have mappings |
| Templates | Pre-built CoA templates per jurisdiction (Brazil CPC, US GAAP, French PCG, etc.) |
| Migration | Import existing CoA from CSV/Excel with AI-assisted mapping suggestions |
8. Digital Signature & Certificate Requirements
8.1 Digital Certificate Matrix
| Country | Certificate Type | Authority | Use Case | Required For |
|---|
| Brazil | ICP-Brasil (A1 software / A3 hardware) | ITI-authorized CAs | NF-e signing, SPED submission, e-CAC access | All e-invoicing and SPED |
| Mexico | FIEL / e.firma | SAT | CFDI signing, SAT portal access | All CFDI operations |
| Italy | Qualified Electronic Signature | AgID-accredited | FatturaPA signing, SDI submission | E-invoicing |
| France | Qualified Electronic Seal | eIDAS-compliant CA | Factur-X signing | B2B e-invoicing (2026+) |
| India | Class 2/3 Digital Signature | CCA-licensed CAs | GST filing, ITR filing, MCA filings | Tax and corporate filing |
| EU (general) | eIDAS Qualified Signature | EU trust service providers | Cross-border document signing | Legal validity |
8.2 Certificate Management Architecture
| Feature | Implementation |
|---|
| Storage | HSM-backed key storage (Google Cloud KMS) for A1 certificates |
| Rotation | Automated expiry alerts (90, 60, 30, 7 days), renewal workflow |
| Multi-entity | Per-entity certificate assignment, separate key pairs |
| Delegation | Authorized proxy signing (accountant signs on behalf of client entity) |
| Audit | All signing operations logged with certificate serial, timestamp, document hash |
| Backup | Encrypted certificate backup per entity, recovery procedure documented |
9. Anti-Money Laundering (AML) & KYC Considerations
9.1 AML Requirements for Financial Software
| Requirement | Implementation | Jurisdictions |
|---|
| Transaction monitoring | Configurable thresholds, pattern detection, alert generation | Brazil (COAF), US (FinCEN), EU (AMLD) |
| Suspicious activity flags | AI-based anomaly detection on transaction patterns | All jurisdictions |
| KYC data collection | Client onboarding captures required identification data | All jurisdictions |
| Beneficial ownership | Entity structure recording, UBO identification | EU, US (CTA), Brazil |
| Reporting | Suspicious Transaction Report (STR) generation assistance | All jurisdictions |
| Record keeping | 5-10 year retention of transaction and KYC records | All jurisdictions |
Note: CODITECT is a software platform, not a financial institution. AML obligations primarily fall on the accounting firm and their clients. CODITECT provides tools that assist partners in meeting their AML obligations but does not replace the firm's own compliance program.
10. Compliance Engine Architecture
10.1 Modular Design
┌──────────────────────────────────────────────────┐
│ Compliance Engine │
├──────────────────────────────────────────────────┤
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Brazil │ │ US │ │ UK │ ... │
│ │ Plugin │ │ Plugin │ │ Plugin │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │
│ ┌────┴──────────────┴──────────────┴──────────┐ │
│ │ Common Compliance Layer │ │
│ │ ┌─────────┐ ┌──────────┐ ┌──────────────┐ │ │
│ │ │Validator│ │ Formatter│ │ Submitter │ │ │
│ │ └─────────┘ └──────────┘ └──────────────┘ │ │
│ └──────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────┐ │
│ │ Regulatory Update Service │ │
│ │ • Rate changes • Format updates │ │
│ │ • New mandates • Deadline changes │ │
│ └──────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────┘
10.2 Plugin Interface
Each jurisdiction plugin implements:
| Method | Purpose |
|---|
validate_transaction() | Validate transaction against jurisdiction rules |
calculate_tax() | Calculate applicable taxes for a transaction |
format_report() | Generate jurisdiction-specific report format |
submit_report() | Submit to government system via API |
check_status() | Check submission status and handle responses |
get_deadlines() | Return filing deadlines for the current period |
get_rate_tables() | Return current tax rates and thresholds |
10.3 Regulatory Update Workflow
| Step | Process | SLA |
|---|
| 1 | Regulatory change detected (monitoring + partner alerts) | Continuous |
| 2 | Impact assessment (which tenants, which reports affected) | 48 hours |
| 3 | Plugin update development and testing | 2 weeks (standard), 48 hours (emergency) |
| 4 | Staged rollout (canary -> 10% -> 50% -> 100%) | 1 week (standard) |
| 5 | Partner notification with changelog and migration guide | Before rollout |
| 6 | Post-deployment verification and monitoring | 72 hours |
11. Compliance Monitoring & Alerts
11.1 Automated Compliance Alerts
| Alert Type | Trigger | Action |
|---|
| Filing deadline approaching | 14, 7, 3, 1 days before deadline | Email + in-app notification to partner |
| Missing required data | Report generation attempted with incomplete data | Block generation, show missing fields |
| Certificate expiring | 90, 60, 30, 7 days before expiry | Email + in-app alert + partner portal banner |
| Regulatory rate change | New rates published | Notification + automatic rate table update |
| Submission rejected | Government system returns rejection | Immediate alert with rejection reason and fix guidance |
| Anomaly detected | Transaction pattern outside normal range | Review queue item for partner |
| Retention threshold | Records approaching retention expiry | Archive warning + export reminder |
11.2 Compliance Dashboard
| Widget | Content |
|---|
| Filing calendar | Upcoming deadlines by entity, jurisdiction, status |
| Submission status | Recent filings with acceptance/rejection status |
| Certificate health | All certificates with expiry countdown |
| Audit readiness score | Per-entity compliance readiness (0-100%) |
| Regulatory news feed | Recent changes affecting tenant jurisdictions |
| Exception log | Compliance exceptions requiring attention |
12. Implementation Priority
| Phase | Jurisdictions | Compliance Modules | Timeline |
|---|
| Phase 1 | Brazil, US | SPED (ECD/ECF/EFD), NF-e, US GAAP reporting, US tax forms | Months 1-6 |
| Phase 2 | Mexico, UK, Portugal | CFDI, MTD VAT, SAF-T PT | Months 7-12 |
| Phase 3 | France, Germany, Spain, Italy, Poland, Belgium | Factur-X, XRechnung, Verifactu, FatturaPA, KSeF, Peppol | Months 13-18 |
| Phase 4 | India, Nigeria, Australia, Colombia, Saudi Arabia | GST e-Invoice, FIRS, Peppol AU, DIAN, FATOORAH | Months 19-24 |
Hal Casteel
CEO/CTO, AZ1.AI Inc.
Copyright © 2026 AZ1.AI Inc. All rights reserved.
Unauthorized distribution or reproduction is strictly prohibited.