TL;DR. Compliance training quiz questions across HR / harassment prevention, cybersecurity, anti-bribery / FCPA, and data privacy (GDPR/CCPA). Use for annual training certification.
HR / Harassment prevention (10)
- Harassment: **Unwelcome conduct based on a protected characteristic, severe or pervasive enough to create a hostile work environment**.
- Two types of sexual harassment: **Quid pro quo and hostile work environment**.
- If you witness harassment: **Report through your company's channel**.
- Retaliation against a reporter is: **Itself a violation, regardless of underlying claim outcome**.
- Possible harassing conduct includes: **Slurs, jokes, physical contact, offensive displays, intimidation**.
- Protected classes under US federal law (partial): **Race, colour, religion, national origin, sex, age (40+), disability, genetic info**.
- Investigation confidentiality is: **Maintained to the extent possible; not guaranteed**.
- Managers have a heightened obligation to: **Report what they witness or learn of**.
- Bystander intervention: **Action to stop harassment by speaking up, supporting, or reporting**.
- EEOC filing statute of limitations: **180 days (300 in some states)**.

Cybersecurity (10)
- Phishing: **Fraudulent attempt to obtain sensitive info by impersonating a trusted entity**.
- First sign of phishing: **Unexpected credential request, urgency, sender address mismatch**.
- Strong password: **At least 12 characters, mixed types, unique per service**.
- 2FA: **Two factors: knowledge + possession or biometric**.
- Suspect phishing email: **Don't click; report via company tool**.
- Ransomware: **Malware that encrypts files and demands payment**.
- Public Wi-Fi: **Use VPN for any work-related activity**.
- Tailgating: **Following authorised person through a secure door**.
- Least privilege: **Grant only the access needed**.
- First action after suspected breach: **Notify IT/security immediately**.

Anti-bribery / FCPA (10)
- FCPA prohibits: **Bribery of foreign government officials by US-connected entities**.
- Facilitating payment: **Small payment to expedite routine action; narrowly permitted, must be documented**.
- Gifts to officials: **Generally prohibited; nominal, transparent, documented if permitted**.
- UK Bribery Act vs FCPA: **Covers private bribery, no facilitating payment exception**.
- Third-party intermediaries: **Major FCPA risk; due diligence required**.
- Records of payments to officials must: **Accurately reflect the nature; no misclassification**.
- FCPA penalty includes: **Criminal fines, prison for individuals, civil penalties**.
- Suspected bribery should be: **Reported through compliance channel**.
- Hospitality to officials: **Reasonable, customary, related to legitimate business, documented**.
- Books and records: **Must accurately reflect all transactions**.

Data privacy (10)
- GDPR applies to: **Personal data of individuals in EU/EEA, regardless of org location**.
- Max GDPR fine: **€20M or 4% of global annual revenue (whichever higher)**.
- Data subject: **An identifiable natural person whose data is being processed**.
- Right to be forgotten: **GDPR Article 17 — right to erasure under certain conditions**.
- CCPA rights for California residents: **Know, request deletion, opt out of sale, non-discrimination**.
- GDPR breach notification: **Within 72 hours of awareness**.
- Data minimisation: **Collect only necessary personal data**.
- HIPAA covers: **Protected health information in the US**.
- GDPR lawful bases: **Consent, contract, legal obligation, vital interests, public task, legitimate interests**.
- DPO required for: **Public authorities and orgs with large-scale sensitive data processing**.

Compliance domains that need quiz programs
Compliance training tends to cluster around the same core areas in most regulated industries:
- Data protection (GDPR, CCPA, HIPAA). What constitutes personal data, lawful basis for processing, breach notification timelines.
- Anti-bribery and corruption (FCPA, UK Bribery Act). Gift policy thresholds, third-party due diligence, red flags.
- Workplace harassment and discrimination. Recognizing behavior, reporting paths, retaliation prevention.
- Information security (SOC 2, ISO 27001). Phishing recognition, password hygiene, incident reporting.
- Industry-specific (HIPAA for healthcare, FINRA for finance, FERPA for education). Domain-specific regulations.
- Anti-money-laundering (AML / KYC). Suspicious activity recognition, customer identification.
- Code of conduct. Conflict of interest, insider trading, gifts and entertainment.
- Health and safety. Domain-specific (OSHA in US, equivalents elsewhere).

A complete compliance program rotates these topics across the year rather than dumping them all into one annual training day.
Auditors increasingly want item-level documentation, not just completion checks. Question formats that produce strong evidence:
- Scenario MCQs. "An employee receives a $200 gift from a vendor. Their first action is:" — tests judgment under real conditions.
- Identification items. "Which of the following is personally identifiable information?" — tests definitional fluency.
- Procedural ordering. "Order these breach-response steps correctly." — tests sequential mastery.
- SATA (select all that apply). "Which of these constitute conflicts of interest?" — reveals partial knowledge.
- Threshold recall. "Discount approval over [$X] requires manager sign-off." — for policy boundaries.

Avoid pure-recall items ("What does GDPR stand for?") unless they are specifically required; they don't predict on-the-job behavior.
Cadence that builds compliance fluency
Once-a-year mandatory training accomplishes the box-check but not the behavior change. Programs that change behavior:
- Quarterly micro-quizzes. 10-15 questions per quarter on a rotating topic. Spaced exposure beats annual cramming.
- New-hire gauntlet. Days 1, 7, 30, 60, 90 quizzes. Builds compliance fluency before independent work.
- Post-incident retraining. After a near-miss or actual incident, the relevant team takes a focused quiz on contributing factors. Tighter feedback loop.
- Role-specific deep dives. Finance staff get AML quizzes; HR staff get harassment quizzes; engineering gets data-handling. Generic training for all wastes everyone's time.
- Annual cumulative. Once a year, a longer mixed quiz covering all domains. The documentation auditors expect.

Documentation that satisfies auditors
What an auditor wants to see:
- Per-employee, per-quiz, per-item records. Not just "completed".
- Timestamps. When the training was taken, how long it took.
- Pass/fail with thresholds. Most auditors want >80% as a pass.
- Remediation evidence for failures. What happened when an employee failed; retake records.
- Question bank archives. What questions were used in which quarter.
- Update logs. When question banks were revised; why.

A quiz program that exports CSV with all of this satisfies most auditor requests. Tools that expose only a "completion dashboard" and hide the underlying item-level data often fail at audit time.
Common compliance training failures
- Treating it as a box-check. Employees know when training is theater. Engagement drops; behavior doesn't change.
- Outdated content. Regulations and policies change. Annual review of every question bank is the minimum.
- Translation issues. Multilingual workforces need translated questions reviewed by native-speaking compliance staff, not literal translation.
- Difficulty too low. Everyone scores 100% on questions that can be answered just by reading the question stem carefully. Real difficulty improves real learning.
- Penalty-based use. Tying bonuses to quiz scores creates gaming. Keep stakes appropriate to the formative-vs-summative distinction.