Building a compliance register from scratch is one of the most practical things an Australian business can do to get its compliance program under control. The register itself isn’t complicated — it’s a structured record of every legal obligation your business faces, who owns each one, and what evidence demonstrates compliance. But building it correctly, so it actually functions as a compliance management tool rather than a document that sits in a shared drive untouched, requires a deliberate process. This guide takes you through that process step by step.
The compliance register is distinct from the compliance audit. The register is the ongoing management tool — the live document that tracks the current status of every obligation. The audit is the periodic review that verifies whether the register is accurate. You build the register first; the audit is what keeps it honest. Our compliance audit checklist covers the audit process in detail. This guide focuses on building the register itself.
Before You Start: What You Need
Before populating a single row of the register, you need two things: clarity on the regulatory frameworks that apply to your business, and a template structure to build in. Most Australian businesses should work in a spreadsheet for their initial build — Excel or Google Sheets are entirely adequate for a register with up to 50–60 obligations and a single primary compliance owner. Our compliance register template provides the seven-column structure that this guide will populate.
What you also need — and this is often underestimated — is dedicated time. Building a compliance register properly requires the business owner, compliance manager, or operations lead to sit down and work through each regulatory framework systematically. This isn’t a 30-minute exercise. For a business with a standard compliance footprint (employment, WHS, basic privacy, tax, consumer law), expect 4–6 hours for the initial build. For businesses in regulated industries, more. Budget accordingly and treat it as an investment rather than an overhead.

Step 1: Conduct a Compliance Scope Assessment
The compliance scope assessment identifies every regulatory framework that applies to your business. It’s the most important step in the process — if you miss a framework here, you’ll have a compliance register that appears complete but has material gaps. The scope assessment should examine your business across four dimensions: size, industry, location, and activities.
Size: Some obligations only apply above certain thresholds. Privacy Act obligations (under the Australian Privacy Principles) apply to businesses with annual turnover exceeding $3 million, with certain exceptions for health service providers and others regardless of turnover. Payroll tax obligations vary by state and apply only above a payroll threshold. Knowing your size allows you to correctly include or exclude threshold-based frameworks.
Industry: Most industries in Australia carry at least one industry-specific regulatory layer on top of the universal frameworks. Financial services businesses need an Australian Financial Services Licence and must meet AFSL conditions, responsible lending obligations, and from July 2026, AML/CTF program requirements under Tranche 2 of the Anti-Money Laundering regime. NDIS providers have NDIS Practice Standards. Construction businesses need contractor licensing. Food businesses need food safety programs. Identify every industry-specific framework that applies before you begin.
Location: Some compliance obligations vary by state or territory. WHS legislation is harmonised under the model WHS Act in most jurisdictions, but Victoria uses its own Occupational Health and Safety Act 2004. Payroll tax rates and thresholds differ by state. Long service leave obligations differ across jurisdictions. If your business operates in multiple states, each relevant jurisdictional variation should be captured.
Activities: Specific activities trigger specific obligations. Do you collect personal information? Privacy Act obligations apply. Do you employ staff? Fair Work Act and superannuation obligations apply. Do you supply goods or services to consumers? The Australian Consumer Law applies. Do you have a physical workplace? WHS obligations apply. Work through your business activities systematically to make sure no obligation-triggering activity is overlooked.
For a comprehensive overview of all applicable frameworks for Australian businesses, our business compliance obligations guide covers the five core frameworks and major industry-specific additions in detail.
Step 2: Break Each Framework into Specific Obligations
This is the step that separates a useful compliance register from a compliance theatre document. Each regulatory framework creates multiple specific obligations — and each specific obligation should be a separate row in the register. Not one row for “Fair Work compliance”. Not one row for “Privacy Act compliance”. Each specific, verifiable requirement gets its own entry.
The test for specificity is: can you verify compliance with this obligation by looking at the entry alone, without needing to interpret a general statement? “Comply with the Fair Work Act” fails this test. “Issue pay slips within one business day of each pay period containing the required information under s536 of the Fair Work Act 2009” passes it — you know exactly what you need to do and exactly what evidence would demonstrate compliance.
For the Fair Work Act alone, a well-built register will typically have 8–12 separate obligation entries: pay slip provision, time and wages record-keeping, Modern Award rate compliance, superannuation contributions, NES leave entitlements, parental leave obligations, flexible working arrangement processes, notice and redundancy obligations, employment contract requirements, and STP reporting. Each of these is a separate obligation with its own owner, evidence, and review date.
This granularity is what makes the register operational. When a Fair Work inspector asks for evidence of record-keeping compliance, you go to the record-keeping row and retrieve the specific evidence reference. When an obligation is flagged as Action Required, you know exactly what needs to be fixed — not “something about the Fair Work Act.”
Step 3: Set Up the Register Structure
With your obligation list prepared, set up the register in your chosen tool. The standard structure uses seven columns: Obligation, Source, Owner, Status, Review Date, Evidence, and Notes. Each column serves a specific purpose and all seven are necessary — removing any column typically creates the same gaps that make unstructured compliance management unreliable.
Obligation — the specific, verifiable legal requirement as described in Step 2.
Source — the legislation and section number: “Fair Work Act 2009, s536” or “Privacy Act 1988, APP 1”. The section reference matters — when the law is amended, it’s clear which register entries need reviewing.
Owner — the named individual responsible for ensuring this obligation is met. Not a team, not a role title — a specific person by name. Named ownership is what converts the register from a document into an accountability system.
Status — three values only: Compliant, Action Required, or Under Review. Resist the urge to add more status values; they create maintenance overhead without improving the register’s usefulness.
Review Date — the date by which this obligation should next be reviewed. Most obligations: quarterly. High-risk obligations (AML/CTF, privacy breach notification, WHS incident management): monthly.
Evidence — a reference to the specific document, record, or system output that demonstrates compliance. Not “yes, we do this” — a specific, retrievable reference: “Pay slip template — /HR/Payslips/Template_2026.xlsx, last updated March 2026.”
Notes — supplementary context: upcoming regulatory changes, dependencies, jurisdictional notes, open action items. Notes should be supplementary, not essential — the first six columns should tell the compliance story without requiring the Notes column to interpret them.

Step 4: Assign Named Owners to Every Obligation
Go through every entry in the register and assign a named owner — the specific person accountable for ensuring that obligation is met. In small businesses, most obligations will sit with the business owner, HR manager, or operations manager. In larger organisations, obligations are distributed across function heads. The rule is simple: every obligation has exactly one named owner.
Ownership assignments that read “HR team” or “Finance department” or “Management” provide no accountability. When an obligation falls out of compliance, there is no specific person responsible for catching it. Named ownership means that when an obligation is due for review, there is one person who receives the reminder, reviews the evidence, and updates the status. If that person leaves the organisation, the register is updated to name their replacement — ideally as part of the handover process.
Don’t be concerned if most obligations in a small business land with one or two people. That’s normal and appropriate. The goal isn’t even distribution of obligations — it’s clear accountability for each one.
Step 5: Conduct the Initial Status Assessment
For each obligation, assess the current compliance status based on the available evidence. This is often the most revealing part of the initial register build. Obligations that were assumed to be compliant frequently turn out to have gaps: a privacy policy that hasn’t been updated since 2022, a pay slip template that doesn’t include all required fields, a superannuation payment that’s been made to a non-complying fund.
Treat the initial status assessment as a compliance gap analysis. Where evidence is missing, the status should be set to Action Required — not Compliant — until the gap is remediated. Where the compliance position is unclear (you’re not sure whether the obligation applies, or whether the current practice meets it), set the status to Under Review and get the clarity needed before moving to Compliant.
This initial assessment will typically surface a number of Action Required items. That’s not a failure — it’s the register working as intended. The purpose of building the register is to identify these gaps before a regulator does. The action items from the initial build become your compliance remediation plan. Prioritise by regulatory risk: unpaid superannuation and WHS hazards carry personal director liability and demand immediate attention; administrative gaps like an outdated privacy policy can be remediated on a short but non-urgent timeline.
Step 6: Attach Evidence to Every Compliant Obligation
For every obligation you’ve assessed as Compliant, the Evidence column must contain a specific, retrievable reference to the document, record, or system output that demonstrates compliance. “Yes, we do this” is not evidence. “Pay slip template at /HR/Payslips/Template_2026.xlsx, confirms all s536 fields included, verified March 2026” is evidence.
The evidence reference should be specific enough that someone unfamiliar with the obligation could retrieve it and verify compliance without assistance. Think about what a regulator, auditor, or new compliance manager would need to see. The evidence column is what makes the register audit-ready — when a regulator asks for evidence of a specific obligation, the register tells you exactly where to look.
Evidence should be dated. An undated evidence reference creates ambiguity about whether the evidence is current. “Privacy policy — legalcompliance.au/privacy — reviewed and updated March 2026” is more useful than “Privacy policy — see website.” When the evidence is updated (new policy version, updated template, refreshed training record), the evidence reference and date in the register should be updated at the same time.
Step 7: Set Review Dates and Put Them on the Calendar
Assign a review date to every obligation in the register. For most obligations, the review date should be three months from the date of the initial build — establishing a quarterly review cycle from the outset. For high-risk obligations (AML/CTF, privacy breach notification, WHS incident notification), set a monthly review date.
Then — and this step is critical — put the quarterly compliance review on the calendar before you close the spreadsheet. A review date in a register that no one checks is decorative. The mechanism that keeps the register current is the calendared review, not the review date field itself. Schedule the first quarterly review on the day you complete the initial build, and set it as a recurring event so future reviews are automatically scheduled.
The quarterly review is not a full audit. It’s a maintenance cycle: obligation owners confirm their obligations are still being met, update the status if anything has changed, refresh evidence references if documents have been updated, and note any regulatory changes that might affect upcoming obligations. The full audit — which tests the evidence rather than just confirming the stated status — should happen annually.
Step 8: Establish a Process for Regulatory Change Monitoring
A compliance register built against today’s regulatory position will become inaccurate over time as the law changes. Australian regulatory requirements change constantly: the superannuation guarantee rate changes annually, Modern Award minimum rates change each July following the Fair Work Commission annual wage review, and new regulatory regimes like AML/CTF Tranche 2 take effect in 2026 and affect approximately 80,000 businesses that had no previous AUSTRAC obligations.
A manual monitoring process for regulatory change typically involves: subscribing to regulator update services (Fair Work Ombudsman, OAIC, ATO, ASIC, SafeWork all publish newsletters and legislative update services); setting aside time at each quarterly review to check for changes affecting current obligations; and maintaining a watch list of upcoming regulatory changes in the Notes column of relevant obligations.
For businesses with complex compliance footprints or high-risk regulatory exposures, manual monitoring is inadequate. Purpose-built compliance management software can monitor Australian legislative and regulatory changes automatically and alert obligation owners when changes affect their obligations. Lahebo’s detailed step-by-step compliance register guide covers the regulatory monitoring process in depth, including how to configure obligation libraries to automatically flag legislative updates.
Common Mistakes When Building a Compliance Register
Listing frameworks rather than obligations. “Fair Work Act” is a framework, not an obligation. “Issue pay slips within one business day of each pay period” is an obligation. The register can only be used to manage compliance if it contains specific, verifiable requirements — not general framework references that could mean anything.
Setting all obligations to Compliant on the initial build. The most common mistake in first-time register builds is marking everything Compliant before the evidence has been verified. This creates a register that appears complete but provides no compliance protection. The initial build is a gap analysis — set statuses based on evidence, not optimism.
Building the register and then not reviewing it. A compliance register built once and never reviewed reflects the compliance position of the business on the day it was built — not today. The quarterly review is not optional. Without it, the register becomes progressively less accurate and provides diminishing protection over time.
Not updating the register when obligations change owners. When the person responsible for an obligation leaves or changes roles, the obligation doesn’t automatically transfer to their replacement. The register must be updated, and a formal handover process should ensure the new owner understands the obligation, knows where the evidence is, and has the review date in their calendar.
Building a register without a compliance scope assessment. A register built without a prior scope assessment will be incomplete. You’ll capture the obligations you already know about and miss the ones you don’t. The scope assessment is the foundation — don’t skip it. See our guide to compliance management in Australia for how the scope assessment fits into the broader compliance program.
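One way to catch these mistakes mechanically, as an added example that is not part of this guide: a Python script that reads a CSV export of the seven-column register from Step 3 and flags framework-level entries, group owners, Compliant rows without a dated evidence reference, sources without a section reference, and overdue review dates. The column names and status values follow the guide; the regex patterns, the word-count threshold and the three sample rows are assumptions for illustration.

```python
# Added example, not from the guide: validate a compliance register export.
import csv
import io
import re
from datetime import date

COLUMNS = ["Obligation", "Source", "Owner", "Status", "Review Date", "Evidence", "Notes"]
STATUSES = {"Compliant", "Action Required", "Under Review"}
# Source must cite a section or principle: "s536", "APP 1", "reg 3.5", "Part IIIC".
SECTION_REF = re.compile(r"\b(?:s\s?\d+[A-Za-z]*|APP\s?\d+|reg\s?[\d.]+|Part\s?\w+)\b", re.I)
# Owner must be a person; team or function names provide no accountability.
GROUP_OWNER = re.compile(r"\b(?:team|department|dept|management|committee)\b", re.I)
# Evidence must be dated: "March 2026" or an ISO date (assumed formats).
DATED = re.compile(r"\b[A-Z][a-z]{2,8} \d{4}\b|\b\d{4}-\d{2}-\d{2}\b")

def check_row(row: dict, today: date) -> list[str]:
    """Return the rule violations for one register row (empty list = clean)."""
    issues = []
    ob = row["Obligation"].strip()
    if len(ob.split()) < 5 or ob.lower().startswith("comply with"):
        issues.append("obligation is a framework reference, not a specific requirement")
    if not SECTION_REF.search(row["Source"]):
        issues.append("source has no section/principle reference")
    owner = row["Owner"].strip()
    if not owner or GROUP_OWNER.search(owner):
        issues.append("owner is not a named individual")
    status = row["Status"].strip()
    if status not in STATUSES:
        issues.append(f"status {status!r} is not one of {sorted(STATUSES)}")
    evidence = row["Evidence"].strip()
    if status == "Compliant" and (not evidence or evidence.lower().startswith("yes")):
        issues.append("Compliant without a retrievable evidence reference")
    elif status == "Compliant" and not DATED.search(evidence):
        issues.append("evidence reference is undated")
    try:
        review = date.fromisoformat(row["Review Date"].strip())
        if review < today:
            issues.append(f"review overdue since {review.isoformat()}")
    except ValueError:
        issues.append("review date missing or not YYYY-MM-DD")
    return issues

def check_register(csv_text: str, today: date) -> dict[str, list[str]]:
    """Map each obligation with problems to its issues; raise if a column is absent."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"register is missing columns: {missing}")
    return {r["Obligation"]: iss for r in reader if (iss := check_row(r, today))}

# Constructed three-row sample register: one clean row, one with several mistakes, one overdue.
SAMPLE = """Obligation,Source,Owner,Status,Review Date,Evidence,Notes
Issue pay slips within one business day of each pay period with the required information,"Fair Work Act 2009, s536",Jane Citizen,Compliant,2026-06-30,"Pay slip template /HR/Payslips/Template_2026.xlsx, verified March 2026",
Comply with the Privacy Act,Privacy Act 1988,HR team,Compliant,2026-06-30,"Yes, we do this",
Notify eligible data breaches to the OAIC and affected individuals,"Privacy Act 1988, Part IIIC",Sam Lee,Under Review,2026-02-28,,High-risk: monthly review
"""

def check_sample(today: date = date(2026, 4, 1)) -> dict[str, list[str]]:
    """Run the checks over the constructed sample as of an assumed review date."""
    return check_register(SAMPLE, today)
```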
When to Move to Purpose-Built Software
A spreadsheet compliance register is appropriate for most small to medium Australian businesses at the outset. It becomes inadequate when certain conditions apply: multiple people need to update the register simultaneously, creating version control problems; the register exceeds 40–50 obligations and becomes difficult to navigate; the business needs an automated audit trail of every status change and evidence update; or the business needs systematic regulatory change monitoring rather than manual subscription management.
When these conditions apply, purpose-built compliance management software addresses the limitations of the spreadsheet by providing multi-user access with role-based permissions, automated audit trails, obligation libraries mapped to Australian regulatory frameworks, and regulatory change monitoring. The transition from spreadsheet to software is straightforward: the register structure is the same, and a well-maintained spreadsheet register provides all the data needed to populate a software platform.
Frequently Asked Questions
How long does it take to build a compliance register from scratch?
For a typical Australian SME with a standard compliance footprint, expect 4–6 hours for the initial build: 1–2 hours for the compliance scope assessment, 2–3 hours to break frameworks into specific obligations and populate the register, and 1 hour to assign owners, set initial statuses, and attach evidence references. Businesses in regulated industries (financial services, health, NDIS) should budget 8–12 hours. The initial build is the most time-intensive part of maintaining a compliance register; quarterly reviews should take 1–2 hours once the register is established.
Do I need a lawyer to build a compliance register?
Not for the register itself. The standard compliance frameworks — Fair Work Act, WHS, Privacy Act, tax obligations, consumer law — are well-documented and most businesses can identify and document their obligations without legal advice. Where legal advice is valuable is in the compliance scope assessment for regulated industries (financial services, health) where the regulatory framework is complex and the consequences of missing an obligation are severe. A lawyer can also assist with specific obligation questions: whether the Privacy Act applies to your business, whether a particular contract clause creates a compliance obligation, or how a new regulatory change affects your existing obligations.
What’s the difference between this guide and the compliance register template?
The compliance register template provides the structural framework — the seven-column layout and the rules for each column. This guide covers the process: how to identify which obligations to include, how to word them correctly, how to conduct the initial status assessment, and how to keep the register current over time. The template is the tool; this guide is how to use it. For the template structure itself, see our compliance register template guide.
How many obligations should my register have?
A typical Australian SME with 15–30 employees and a standard regulatory footprint will have 35–60 specific obligations in a well-built register. Businesses in regulated industries will have substantially more. If your initial register has fewer than 20 obligations and you have employees, operate a physical workplace, collect customer data, and supply goods or services, it’s likely that the scope assessment needs revisiting — there are almost certainly obligations missing. A register that appears to have very few obligations is usually a sign that frameworks have been listed rather than obligations broken down.