Most AFSLs and ACLs have compliance calendars, registers and reporting frameworks in place. On paper, obligations are mapped, tasks are allocated and reviews are scheduled. However, audit outcomes consistently show that the existence of these tools does not always translate into effective control.
From a governance perspective, the issue is rarely a lack of documentation. It is a lack of oversight and assurance that compliance obligations are being completed as intended, on time, and to an appropriate standard.
Audit findings commonly identify calendars that are outdated, incomplete or disconnected from actual business practices. Key obligations may be listed, but ownership is unclear, dependencies are not tracked, and completion is recorded without sufficient evidence. In some cases, registers exist but are not actively maintained or reviewed, resulting in gaps between what the framework says should occur and what is happening in practice.
A recurring weakness is the absence of effective oversight. Compliance activities are often treated as administrative tasks rather than governance controls. Where completion is self‑reported without independent review, escalation or testing, licensees may have limited visibility over whether obligations have genuinely been met. This is particularly evident in areas such as adviser monitoring, training completion, breach identification, outsourcing reviews and policy attestation processes.
Auditors expect compliance calendars and registers to operate as live control tools, not static reference documents. This includes clear ownership of each obligation, defined review cycles, evidence of completion, and documented oversight by Responsible Managers or compliance leadership. Importantly, there should be a clear link between compliance activities, risk assessment and Board or RM reporting.
Where these elements are missing, licensees may have a false sense of control. The framework exists, but it does not provide assurance. In an audit or regulatory review, this can quickly expose governance weaknesses, particularly where issues have gone unidentified or unaddressed over time.
Effective compliance control requires more than calendars and registers. It requires active oversight, regular review and clear accountability to demonstrate that obligations are being managed, not just recorded.
Call To Action
Weaknesses in compliance calendars, registers and oversight continue to feature in audit findings.
AICS provides Compliance Framework Reviews and Governance Toolkits designed to assess whether compliance obligations are appropriately captured, owned, evidenced and overseen in practice.
These tools and reviews can be used to test existing compliance calendars and registers or incorporated into broader audit and governance engagements.
Contact AICS to discuss a compliance framework review or governance uplift support.
Sources
ASIC – AFS Licensee Obligations (s912A)
ASIC – Regulatory Guide 104: AFS Licensing – Meeting the General Obligations
ASIC – Risk Management Systems (Regulatory Guide 259)
