Page 294 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
regulatory compliance to a number of internal and external
stakeholders. For example, an organization’s Board of Directors (or,
more commonly, that board’s Audit Committee) may require periodic
reporting on compliance obligations and status. Similarly, PCI DSS
requires organizations that are not compelled to conduct a formal
third-party audit to complete and submit a self-assessment report
outlining their compliance status.

