Authority Documents (ADs)

Owned by Vicki McEwen
Last updated: Dec 28, 2022

An Authority Document is an official document that contains authoritative rules, guidelines, standards, or best practice guidelines created by relevant authoritative bodies and subject matter experts. These authoritative rules can come in the form of regulations, principles, standards, guidelines, best practices, policies, and procedures. There is also a legal hierarchy to the Authority Documents that we track, which will be described below.

Authority Document Types

As part of the UCF Mapping Team, you will be working with a variety of Authority Documents published by many different oversight bodies. Below are the types of documents that you will be working with followed by a brief description of each:

  • Statutes (Bills or Acts)
  • Regulations
  • Regulatory Directive or Guidance
  • Contractual Obligation
  • International or National Standard
  • Self-regulatory Body Requirements
  • Audit Guideline
  • SafeHarbor
  • Best Practice Guideline
  • Vendor Documentation
  • Organizational Governance Documents


Statutes, Regulations, and Directives are rules of law that, if not followed, can result in penalties. Regulations state that something must be done. Formal regulations are promulgated by governmental agencies to interpret or expand the reach of statutes. "Regulations" promulgated by Self-regulatory bodies are not the same as regulations passed by legislative bodies. "Self-regulatory bodies" are not part of the government and do not have the force of law behind their requirements, but failure to comply with those requirements may disqualify an entity from participating in certain businesses.

Regulatory Directives or Guidance documents can be legislative acts or organizational directives. They normally leave those entities that follow them with a certain amount of leeway as to the exact rules to be adopted. Some regulators like FDA are empowered to make regulations that impose criminal penalties for non-compliance. Directives are only enforceable against and binding for the group they address.

Contractual Obligations are just that — contracts. Failure to comply with contractual obligations creates a breach of contract and, depending on the contract terms, may result in a variety of fines and, potentially, the loss of contractual rights.

Standards are levels of quality or attainment that are generally accepted within an industry. Standards determine what must be done, but are not enforceable by law. However, failure to follow standards may result in actions contrary to regulations, which are enforceable by law.

Audit Guidelines are designed to allow an organization to judge whether or not a regulation is being satisfied. Some industries have created and mandated their own auditing standards. Some Audit Guidelines derive authority from Contractual Obligations that call for the organization to follow guidelines set forth by a self-regulatory body as well as the contracting agency's audit guides as well. Finally, there are other audit guidelines that are inherent and are also safe harbors (more on that below) that define standards and can be used as Audit Guidelines. Failure to pass an audit brings with it "audit items" and other modes of enforcement that are only as strong as the standard, contractual obligation, regulatory guidance, or regulation that calls for the audit.

Safe Harbors are shortcuts used by regulators to ensure that the majority of people are in compliance with a law without requiring an in-depth analysis of each particular case. Thus, the safe harbor provides that if you take the steps required to be within the safe harbor, then you will (more or less) automatically be in compliance with that particular aspect of the law or regulation.

Best Practices are programs, initiatives, or activities that are considered leading edge, or exceptional models for others to follow. Best practices set the example of how to do something the best way. Best practices are not enforceable by law.

Vendor Documentation is usually treated as a form of best practice, or minimum standard of due care. Vendor documentation following regulatory guidance is treated with the same accord as a safe harbor

Organizational Governance Documents are documents that contain policies, standards, procedures, and practices designed to provide reasonable assurance that business objectives will be achieved and undesired events will be managed. They provide a description of conditions that must be met in order to satisfy a core requirement. Failure to follow organizational directives will directly lead to regulatory fines and penalties.