Compliance Audit Checklist for Australian Businesses

A compliance audit is the systematic process of reviewing your business’s actual practices against its legal obligations — identifying gaps, collecting evidence, and generating a remediation plan. For Australian businesses managing compliance manually, the checklist is the operational core of that process: it determines what gets examined, how it gets examined, and what a finding looks like. This guide provides the compliance audit checklist structure, explains how to work through each area, and covers what to do with the results.

Unlike a compliance register — which tracks ongoing obligations — a compliance audit is a point-in-time review. The register tells you what your obligations are and their stated status; the audit verifies whether the status is accurate by examining the evidence. The two tools are complementary: a well-maintained compliance register (built from a compliance register template) makes the audit faster because the evidence references are already recorded. An audit without a register often reveals that the register itself is the first thing that needs building.

What a Compliance Audit Examines

A compliance audit for an Australian business should examine every regulatory framework that applies to the organisation. The scope depends on the business’s size, industry, and activities — but most Australian businesses should audit at minimum across employment law, work health and safety, privacy (if applicable), tax and corporate obligations, and consumer law. Our business compliance obligations guide covers each of these frameworks in detail.

The audit doesn’t examine every conceivable compliance question — it examines the specific obligations that apply to the business and determines whether each is being met. A small professional services firm with five employees will have a different scope from a 100-person manufacturer. The checklist structure below covers the core areas applicable to most Australian businesses; industry-specific areas (financial services licensing, food safety, NDIS, construction licensing) should be added as relevant.

Compliance audit checklist for Australian businesses — the six core audit areas

The Compliance Audit Checklist: Six Core Areas

Area 1: Employment Law and Fair Work Obligations

Employment law is the most frequently audited area for Australian businesses — and the most common source of compliance failures. The Fair Work Ombudsman’s enforcement statistics consistently show that pay slip obligations, record-keeping requirements, and Modern Award compliance are the areas where businesses most often fall short. The audit checklist for this area should cover:

Pay slips: Are pay slips issued within one business day of each pay period? Do they contain all required information — employer name and ABN, employee name, classification, pay rate, gross and net amounts, deductions, superannuation contributions, and leave balances? (Fair Work Act 2009, s536)

Time and wages records: Are employment records maintained for all current and former employees for at least seven years? Do records include the information required under the Fair Work Regulations 2009? (Fair Work Act 2009, s535)

Modern Award compliance: Is the correct Modern Award identified for each employee? Are pay rates at or above the current Award minimum rates? Has the business updated rates following the most recent Fair Work Commission annual wage review? (Effective first full pay period after 1 July each year)

Superannuation: Are superannuation guarantee contributions paid at the current rate (11.5% for 2024–25, increasing to 12% from 1 July 2025) for all eligible employees? Are contributions paid on time — by the 28th of the month following each quarter? Are contributions made to a complying fund?

National Employment Standards: Are NES entitlements (annual leave, personal leave, parental leave, flexible working, notice periods, redundancy pay) correctly applied? Is leave accrued, tracked, and paid correctly on termination?

Employment contracts: Do written contracts exist for all employees? Do contracts reflect the correct Award, classification, and entitlements? Do contracts contain prohibited terms (such as contracting out of NES entitlements)?

Area 2: Work Health and Safety

WHS compliance audits in Australia operate under the model Work Health and Safety Act 2011 (adopted in all jurisdictions except Victoria, which uses the Occupational Health and Safety Act 2004 with equivalent obligations). The audit checklist for WHS should cover:

Primary duty of care: Has the business identified all foreseeable risks to the health and safety of workers and others? Are risk management procedures documented, implemented, and reviewed? (WHS Act 2011, s19)

Officer due diligence: Do officers (directors, senior managers with significant influence over the business) have documented evidence of their due diligence activities — acquiring and keeping current knowledge of WHS matters, understanding the nature of the business’s hazards, and taking active steps to ensure the business complies? (WHS Act 2011, s27)

Incident notification: Is there a documented procedure for notifying the relevant regulator of serious injuries, dangerous incidents, and deaths? Are the notification triggers clearly understood by relevant staff? Are records of all incidents (including near-misses) maintained? (WHS Act 2011, s35–38)

Consultation: Are workers consulted on matters affecting their health and safety? Is there a health and safety representative (HSR) or health and safety committee where required?

Safe work method statements and procedures: Are safe work method statements (SWMS) prepared for high-risk construction work where required? Are induction and training records current?

Area 3: Privacy and Data Protection

Privacy obligations under the Privacy Act 1988 apply to businesses with annual turnover exceeding $3 million, and to certain other entities regardless of turnover (including health service providers, credit reporting bodies, and businesses handling employee records for related companies). From 2024, amendments to the Privacy Act have expanded notification obligations and increased penalties. The audit checklist for privacy should cover:

Privacy policy: Is a current privacy policy published on the business’s website? Does it describe what personal information is collected, why it is collected, how it is used and disclosed, and how individuals can access and correct their information? (APP 1)

Collection and consent: Is personal information collected only for purposes disclosed to the individual? Is sensitive information (health, genetic, biometric, etc.) collected only with explicit consent or where a permitted exception applies? (APP 3)

Data breach response: Is there a documented Notifiable Data Breach (NDB) response procedure? Does the procedure include the 30-day assessment and notification timeframe? Has the procedure been tested? (Privacy Act 1988, Part IIIC)

Cross-border disclosures: If personal information is disclosed to overseas recipients (including cloud service providers), has the business assessed whether those recipients are subject to an equivalent privacy law? Is the disclosure covered by a permitted exception? (APP 8)

Access and correction: Is there a documented process for responding to access and correction requests within the required timeframe (30 days)? (APP 12, APP 13)

Area 4: Tax and Corporate Obligations

Tax and corporate compliance involves both the Australian Taxation Office (ATO) and ASIC obligations. Failures in this area often involve timing — lodging late, paying late, or failing to notify of changes. The audit checklist should cover:

BAS lodgement: Are BAS lodgements made on time (monthly, quarterly, or annually depending on registration)? Is GST correctly calculated and reported? Are the current lodgement deadlines documented and calendared?

PAYG withholding: Is PAYG withholding correctly calculated and remitted? Are payment summaries (income statements) provided to employees and lodged with the ATO via STP?

Single Touch Payroll: Is the business registered for and reporting through Single Touch Payroll? Are reports lodged on or before each payday?

ASIC obligations: Are annual reviews lodged on time and fees paid? Are details (registered office, officeholder details, share structure) current with ASIC? For companies with a financial reporting obligation, are financial statements prepared and lodged on time?

Director duties: Are directors aware of and documenting their duties under the Corporations Act 2001? Are related party transactions properly approved? Is the business trading solvently?

Area 5: Consumer Law

The Australian Consumer Law (ACL), contained in Schedule 2 of the Competition and Consumer Act 2010, applies to all businesses supplying goods or services to consumers. It is enforced by the ACCC and state fair trading bodies. The audit checklist for consumer law should cover:

Consumer guarantees: Are staff aware of the statutory guarantees that apply to goods and services supplied to consumers (acceptable quality, fitness for purpose, matching description, repairs and spare parts, express warranties honoured)? Are refund and remedy policies consistent with these guarantees?

Misleading and deceptive conduct: Are marketing materials, website claims, and sales representations accurate and not likely to mislead? Is pricing clearly disclosed, including all required fees and charges?

Unfair contract terms: Do standard-form contracts with consumers and small businesses comply with the unfair contract terms regime? Have contracts been reviewed against the types of terms the ACCC and courts have found to be unfair?

Product safety: If supplying physical goods, are the goods compliant with applicable mandatory safety standards? Is there a product recall procedure?

Area 6: Industry-Specific Obligations

In addition to the five universal compliance areas above, most Australian businesses are subject to at least one industry-specific regulatory regime. The audit should include all applicable industry requirements. Common additions include:

Financial services: AFSL conditions, responsible lending obligations, breach reporting obligations to ASIC, AML/CTF program requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. From 1 July 2026, Tranche 2 of the AML/CTF regime extends to lawyers, accountants, real estate agents, and other designated service providers.

Health and NDIS: Registration conditions, quality and safety standards, mandatory reporting obligations, NDIS Practice Standards, complaints handling requirements.

Food businesses: Food safety programs, licensing requirements, temperature control records, allergen management, labelling compliance.

Construction and trades: Contractor licensing, building code compliance, home warranty insurance where applicable, trust account requirements.

Compliance audit findings workflow — from gap identification to remediation and register update

How to Conduct the Audit

Step 1: Define Scope and Assign Responsibility

Before starting, document the scope of the audit — which areas will be covered, which legal entities are included, and what the audit period is (typically the preceding 12 months). Assign a lead auditor — typically the compliance manager, operations manager, or an external adviser — and confirm who will provide evidence for each area. In larger organisations, area leads (HR for employment, finance for tax, IT for privacy) typically prepare their own evidence packages.

Step 2: Request and Gather Evidence

For each checklist item, identify the evidence that would demonstrate compliance. Common evidence types include: policies and procedures (with version dates and approval records); operational records (pay slips, payroll records, BAS lodgements, incident reports); system outputs (PAYG summaries from accounting software, STP submission records); and contracts (employment agreements, supplier agreements). Request evidence at least two weeks before the audit date — evidence gathering is typically the most time-consuming part of the process.

Step 3: Test and Verify

For each checklist item, the audit tests whether the evidence demonstrates compliance — not just whether a policy exists, but whether the policy is being followed. Common testing approaches include: sampling (checking 10–15 pay slips for correct content rather than reviewing every pay slip ever issued); document review (reviewing the privacy policy for required content); process walkthroughs (asking the person responsible to describe how they would handle a data breach notification); and system checks (verifying that STP is reporting and submissions are being made).

Step 4: Document Findings

Each checklist item should be recorded with one of three outcomes: Compliant (evidence demonstrates compliance); Non-Compliant (evidence is absent or demonstrates non-compliance); or Unable to Determine (evidence is insufficient to make a determination). For non-compliant items, record specifically what is missing or incorrect — not just “non-compliant with privacy policy obligations” but “privacy policy last updated November 2023 — does not reflect current APP 1 requirements following 2024 amendments.”

Step 5: Prioritise and Remediate

Not all findings are equal. Prioritise remediation by: regulatory risk (enforcement-active areas like Fair Work, ATO, and OAIC attract higher priority); penalty exposure (unpaid superannuation carries personal director liability; privacy breach penalties increased significantly in 2024); and effort required (some items, like updating a privacy policy, can be resolved quickly; others, like restructuring employment contracts, require more time). Lahebo’s analysis of the compliance obligations framework for Australian businesses is a useful reference when prioritising across multiple regulatory areas.

Step 6: Update the Compliance Register

Every audit finding should feed back into the compliance register. Non-compliant items should be updated to “Action Required” status in the register, with the specific gap documented in the notes column and a remediation deadline set. Compliant items should have their evidence references updated to reflect the current evidence reviewed during the audit and the review date updated. The audit is what keeps the register accurate; the register is what enables the next audit to be faster.

Compliance Audit Frequency: How Often?

For most Australian businesses, a full compliance audit should be conducted annually. Trigger-based reviews should be conducted whenever a material change occurs — acquiring a new business unit, entering a new industry, significantly expanding the workforce, receiving a regulatory inquiry, or when a new regulatory regime takes effect (such as the AML/CTF Tranche 2 changes from 1 July 2026).

An annual full audit doesn’t mean compliance review happens only once a year. The compliance register should be reviewed quarterly, with obligation owners confirming that their obligations are current. The annual audit is the deeper verification that the quarterly reviews are accurate — it tests the evidence, not just the stated status. Think of the quarterly reviews as maintenance and the annual audit as a full service.

Common Compliance Audit Mistakes

Auditing policies rather than practices. A compliance audit that only checks whether policies exist is a policy audit, not a compliance audit. The question the audit should answer is whether the policy is being followed — not whether the policy exists. A privacy policy on a website is not evidence of privacy compliance; evidence of staff training, data handling procedures, and breach response testing is.

No register to audit against. An audit without a compliance register is a discovery exercise, not a compliance audit. Without a baseline of obligations, it’s impossible to know whether the audit scope covers all applicable obligations or just the ones the auditor happens to know about. If the business doesn’t yet have a compliance register, building one is the prerequisite to conducting a meaningful audit. See our guide to the compliance management process for how the two tools work together.

Findings without action. The purpose of a compliance audit is remediation, not documentation. An audit report that identifies 12 non-compliant items and then sits in a shared drive unacted upon has created a liability rather than reduced one — the business now has documented evidence that it knew about the gaps and did nothing. Every non-compliant finding needs a named owner, a specific remediation action, and a deadline.

Treating the audit as a one-time exercise. A compliance audit conducted once and never repeated is a snapshot of compliance at a single point in time. Australian regulatory requirements change constantly — Award rates, superannuation guarantee rates, privacy obligations, and from July 2026 AML/CTF obligations for a large new tranche of businesses. An audit that doesn’t recur on a defined schedule provides diminishing protection over time.

When to Engage External Help

Internal compliance audits are appropriate for most small to medium businesses as a starting point. External compliance audits — conducted by lawyers, specialist compliance consultants, or accredited auditors — are warranted when: the business operates in a heavily regulated industry (financial services, health, NDIS) where internal expertise may be insufficient; a regulatory inquiry or investigation has been received or is anticipated; the audit scope includes complex legal questions requiring legal advice; or the organisation needs an independent audit opinion for investors, insurers, or enterprise clients.

External auditors are also worth engaging when a business is building its compliance program for the first time. The first compliance scope assessment and register build often benefits from external guidance to ensure all applicable obligations are captured. After the initial program is established, internal teams can typically maintain it with periodic external reviews. Purpose-built compliance management software can reduce the need for external support by providing structured workflows, obligation libraries, and regulatory change monitoring.

Frequently Asked Questions

What is the difference between an internal compliance audit and an external audit?

An internal compliance audit is conducted by staff within the organisation, typically the compliance manager, operations manager, or a designated internal auditor. It tests whether the business is meeting its legal obligations and updates the compliance register accordingly. An external compliance audit is conducted by an independent third party — a law firm, specialist compliance consultant, or accredited auditor. External audits provide an independent opinion, are more rigorous, and are required in some regulated industries. Most businesses should conduct internal audits annually and engage external auditors periodically or when triggered by significant events.

What happens if an audit finds we’re non-compliant?

A non-compliant finding in an internal audit is a positive outcome — it means the business has identified a gap before a regulator does. The appropriate response is to update the compliance register to reflect Action Required status, assign a named owner to each non-compliant item, set a remediation deadline, and track completion. For serious non-compliance (unpaid superannuation, unaddressed WHS hazards, or significant privacy breaches), legal advice should be sought about voluntary disclosure obligations and the appropriate remediation pathway. Voluntarily remedying non-compliance before regulatory contact is typically treated more favourably than remedying it after.

Do I need to keep records of the compliance audit?

Yes. The audit report, evidence reviewed, and remediation plan should be retained. The retention period should match the most demanding record-keeping obligation applicable to the business — typically seven years under the Fair Work Act, five years under the Tax Administration Act, and seven years under the Corporations Act. The audit records serve as evidence of the compliance program in any regulatory or civil enforcement context.

Can I use this checklist for my industry-specific audit?

The checklist covers the six core areas applicable to most Australian businesses. Industry-specific obligations (financial services, health, NDIS, food, construction) should be added as additional sections. In regulated industries, the relevant regulator often publishes an authoritative compliance guide or self-assessment tool — AFCA, ASIC, the NDIS Quality and Safeguards Commission, and SafeWork all publish sector-specific compliance resources. These should be incorporated into the industry-specific section of the audit checklist.
