Free Compliance Register Template for Australian Businesses

A compliance register is the operational backbone of any compliance program — the structured document that records every legal obligation your business is subject to, who owns it, what its current status is, and where the evidence lives. For most Australian businesses starting out, a well-designed template is the most practical starting point. This guide provides the template structure, explains how to populate it correctly, and covers when a spreadsheet template is the right tool and when you’ve outgrown it.

The compliance register template outlined here is based on standard practice for Australian compliance management and is appropriate for businesses with up to 50–60 tracked obligations. It can be implemented in Excel, Google Sheets, or any comparable spreadsheet tool. The structure is designed to be immediately usable — the sections below explain each column and how to populate it correctly so the register works as a genuine compliance management tool rather than a document that checks a box and collects dust.

What Is a Compliance Register?

A compliance register is a structured record of every compliance obligation applicable to a business — derived from legislation, regulations, licence conditions, codes of practice, and other authoritative sources. Each entry records the specific obligation, its legal source, the person responsible for ensuring it is met, the current status, the next review date, and the evidence of compliance.

The compliance register is distinct from a general risk register. A risk register records potential adverse events and their likelihood and impact. A compliance register records specific legal requirements and the status of compliance with each one. The two tools serve different purposes and should be maintained separately, though they are often managed within the same system. For more on how these tools relate to each other, see our compliance management guide.

A well-maintained compliance register enables a business to: immediately identify which obligations are current and compliant; quickly locate evidence of compliance when a regulator asks; identify obligations that are overdue for review; assign and track ownership across the team; and demonstrate the existence of a compliance program to clients, investors, or regulators.

The Seven-Column Template Structure

The standard Australian compliance register template uses seven columns. Each serves a specific purpose — and each is essential. Removing columns to simplify the template typically creates the same gaps that make unstructured compliance management unreliable.

Column 1: Obligation

This is the specific legal requirement — not the legislation name, but the precise obligation the legislation creates. The test is: can you verify compliance with this obligation by looking at the entry alone? “Privacy Act compliance” fails this test. “Maintain a current privacy policy published on the website describing data handling practices” passes it. Each obligation should be worded as a specific, verifiable requirement.

Column 2: Source

The legislation, regulation, or other instrument that creates the obligation. For Australian obligations, this typically includes the Act name and relevant section number: “Privacy Act 1988, APP 1” or “Fair Work Act 2009, s535 (time and wages records)”. Including the section reference allows the obligation to be tracked against legislative amendments — if the section is amended, it’s clear which register entries may need updating.

Column 3: Owner

The named individual responsible for ensuring the obligation is met. Not a team, not a role title — a specific person by name. If the person in that role changes, the register should be updated to reflect the new owner. Named ownership is what converts a compliance register from a document into an accountability system. An obligation without a named owner is an obligation at risk.

Column 4: Status

The current compliance status. A simple three-value system works for most businesses: Compliant (obligation is being met and evidence is current); Action Required (obligation is not currently being met or evidence is out of date); Under Review (obligation is being assessed following a regulatory change or other trigger). Avoid elaborate status taxonomies — they create maintenance overhead without improving the register’s usefulness.

Column 5: Review Date

The date by which the obligation should next be reviewed and the status updated. Most obligations should be reviewed quarterly as a minimum; high-risk obligations (AML/CTF, privacy breach notification, WHS incident management) warrant monthly review. The review date creates the schedule that keeps the register current — without it, obligations are reviewed only when something prompts attention, which is typically too late.

Column 6: Evidence

A reference to the specific document, record, or output that demonstrates compliance with this obligation. In a spreadsheet, this is typically a link to a file or a description: “Pay slip template — /HR/Payslips/Template_2026.xlsx” or “Privacy policy — legalcompliance.au/privacy”. The evidence column is what makes the register audit-ready — when a regulator asks for evidence of a specific obligation, the register tells you exactly where to find it. The evidence should be kept current: an outdated privacy policy linked as evidence for a privacy obligation is worse than no evidence, because it suggests the business believed it was compliant when it wasn’t.

Column 7: Notes

Free-text for context that doesn’t fit the other columns: upcoming regulatory changes affecting this obligation, open action items, dependencies on other obligations, or jurisdictional notes for businesses operating in multiple states. Notes shouldn’t be required to understand the core obligation entry — if the obligation, status, and evidence are properly filled in, Notes are supplementary context rather than essential information.

[Figure: Compliance register template structure, showing the seven essential columns for Australian businesses]

How to Populate the Template: Step by Step

Step 1: Conduct a Compliance Scope Assessment

Before you can populate the register, you need to know which obligations apply to your business. A compliance scope assessment systematically identifies every regulatory framework applicable to the business based on its size, industry, location, and activities. For most Australian businesses, this includes Fair Work Act obligations, WHS obligations, Privacy Act obligations (if turnover exceeds $3M or the business is a health service provider), tax and ASIC obligations, consumer law obligations, and any industry-specific requirements. Our business compliance obligations guide covers the major Australian frameworks in detail.

Step 2: Translate Frameworks into Specific Obligations

Each regulatory framework creates multiple specific obligations. The Fair Work Act creates obligations around record-keeping, pay slip provision, leave entitlements, Modern Award minimum rates, superannuation contributions, and more. Each of these should be a separate entry in the register — not one entry for “Fair Work compliance”. The discipline of breaking frameworks into specific obligations is what makes the register actionable: you can verify a specific obligation; you can’t verify a general framework.

Step 3: Assign Every Obligation to a Named Owner

Go through every entry and assign a named owner. For small businesses, most obligations will sit with the business owner, HR manager, or operations manager. The goal isn’t to distribute obligations evenly — it’s to ensure every obligation has exactly one person accountable for it. Ownership can change when staff change; the register should be updated when that happens, with a handover process to ensure the new owner understands the obligation and its evidence requirements.

Step 4: Assess Current Status and Attach Evidence

For each obligation, assess the current compliance status and attach or reference the evidence. This is often the most revealing part of the initial register build — obligations that were assumed to be compliant frequently turn out to have gaps in evidence, outdated documentation, or unclear ownership. Treat the initial status assessment as a compliance gap analysis: where evidence is missing or status is uncertain, treat the obligation as Action Required until the gap is resolved.

Step 5: Set Review Dates and Establish a Review Schedule

Assign a review date to every obligation and put the quarterly review on the calendar. The review date is what makes the register a living document rather than a one-time exercise. At each review, the owner confirms that the obligation is still being met, updates the evidence if needed, and identifies any regulatory changes that might affect the obligation. A compliance register that isn’t reviewed on schedule is a compliance register that silently falls out of date.

The Template in Practice: Common Mistakes to Avoid

The most common mistakes in compliance register maintenance are predictable — and largely avoidable with the right structure and discipline.

Obligations listed at framework level rather than specific requirement level. “Privacy compliance” is not an obligation you can verify. “Notify affected individuals and the OAIC within 30 days of identifying an eligible data breach” is. The specificity of obligations is what makes the register useful for compliance management rather than compliance theatre.

Stale evidence. Evidence attached to an obligation when the register was first built — but not updated since — provides a false sense of security. A pay slip template from 2023 attached as evidence for a 2026 Modern Award rate obligation is worse than no evidence, because it suggests the business believed it was compliant with the current rate when the template may predate wage increases. Evidence should be dated and updated whenever the underlying obligation is reviewed.

No named owner. Obligations without named owners don’t get reviewed, don’t get updated, and don’t get flagged when they fall out of compliance. The “team is responsible” or “HR handles it” ownership assignments that appear in many spreadsheet registers are the compliance equivalent of no ownership at all.

No review schedule. A compliance register built once and never reviewed again is a compliance register that reflects how the business operated when the register was built — not how it operates now, and not the current state of Australian regulatory requirements. The review schedule is the mechanism that keeps the register current.

No monitoring process for regulatory change. A register built against the current legal position will become inaccurate as the law changes — and Australian law changes constantly. The superannuation guarantee rate changes annually. Award rates change each July. Lahebo’s detailed guide to how to build a compliance register covers the regulatory monitoring process in depth, including how to track legislative updates across the key Australian frameworks.

[Figure: Compliance register template vs purpose-built software, and when to upgrade, for Australian businesses]

When to Move Beyond a Spreadsheet Template

The compliance register template described above is appropriate for businesses with manageable compliance footprints and a single compliance owner. It becomes inadequate — and introduces compliance risk rather than reducing it — when certain conditions apply:

Multiple obligation owners. A shared spreadsheet breaks down as a version control tool once multiple people are updating the same document. Two owners updating different copies produce divergent registers; restricting editing to one person at a time creates bottlenecks; and audit trails are impossible to reconstruct from version history. The moment multiple people need to own obligations, a shared spreadsheet is the wrong tool.

More than 30–40 obligations. A 40-obligation register in a well-structured spreadsheet is manageable. A 60-obligation register with multiple frameworks, multiple owners, and dependencies between obligations starts to generate the version control and navigation complexity that defeats the purpose of the register. The administrative overhead of maintaining the register begins to crowd out the compliance work it’s meant to support.

Regulatory change monitoring. A spreadsheet has no capacity to monitor regulatory change automatically. For businesses with obligations that track closely to active enforcement areas — employment law, privacy, AML/CTF from July 2026 — the failure to systematically monitor regulatory change is a material compliance risk. Purpose-built compliance management software addresses this by monitoring Australian legislative and regulatory changes and alerting owners when their obligations are affected.

Audit trail requirements. A spreadsheet doesn’t automatically maintain a timestamped history of every update, review, and status change. For businesses that may need to demonstrate the history of their compliance program — to the Fair Work Ombudsman, OAIC, or an enterprise client — the absence of an audit trail is a significant gap that a spreadsheet cannot fill.

Frequently Asked Questions

How many obligations should a compliance register typically have?

A typical Australian SME with 15–30 staff and a standard regulatory footprint (employment law, WHS, basic privacy obligations, tax, corporate obligations, consumer law) will have 35–60 specific obligations in a well-structured register. Businesses in regulated industries — financial services, health, NDIS — will have substantially more. The goal isn’t to minimise the number of entries; it’s to ensure every applicable specific obligation is captured. A register with 20 entries for a business that has 50 applicable obligations doesn’t provide compliance protection — it provides a false sense of it.

How often should the compliance register be reviewed?

At minimum, quarterly for most obligations. High-risk obligations (AML/CTF, privacy incident response procedures, WHS incident notification protocols) warrant monthly review. The quarterly review cycle should be calendared in advance — not treated as something to do when something goes wrong. An event-driven review schedule is the compliance equivalent of only servicing your car when the engine warning light comes on.

Does the compliance register need to be kept confidential?

The compliance register is an internal management document and does not need to be published externally. However, it should be accessible to relevant obligation owners within the organisation, and producible quickly if a regulator requests evidence of the compliance program. The existence of a compliance register — and the ability to produce it — is typically treated as evidence of a documented compliance program, which is relevant to both regulatory and civil enforcement outcomes.

What is the difference between a compliance register and a risk register?

A compliance register tracks specific legal obligations and the status of compliance with each one. A risk register tracks potential adverse events, their likelihood, impact, and mitigation measures. They serve different purposes and have different structures. Many businesses maintain both — the compliance register drives legal obligation management, while the risk register drives broader operational risk management. Some compliance software integrates both into a unified GRC (governance, risk, and compliance) platform, but for businesses starting out, maintaining them as separate documents is entirely appropriate.

Can I use the same template across multiple entities?

The template structure is the same, but each legal entity should maintain its own register — because obligations are entity-specific. A group of companies doesn’t share compliance obligations; each entity has its own obligations under the Fair Work Act, Privacy Act, Corporations Act, and so on. If you manage compliance across multiple entities, the administrative burden of maintaining separate registers is one of the strongest arguments for purpose-built software with multi-entity support.
