Australia: How to score an A+ at your next financial services licensee compliance audit

When did you sit your last exam? Remember the mixed feelings of anticipation and dread? You probably recall the feeling more vividly than the subject matter. Memories like that are not stored in the same part of your brain as birthday parties and pony rides. Instead, they're jammed together with other repressed memories that you'd rather forget about.

Now, think back to when you last blitzed an exam. Recall that feeling of elation, relief and joy? That's the feeling you'll get if you work through this article and make the required changes before your business is subject to an external Australian Financial Services Licence (AFSL) compliance audit.

This article is a new edition of an article we wrote for Money Management in 2006. Since then, we've conducted an extensive Jim Collins-style research project on a sample of 47 licensee reviews conducted by our lawyers, looking for common themes and learning points. We've also been appointed external experts on some enforceable undertakings and imposed AFSL conditions.

Firstly, what is a compliance audit?

The person conducting the audit refers to it as a "review" because it sounds nicer. The subject of the review, however, refers to it as an "audit". Regardless, a compliance audit for our purposes occurs when external compliance consultants visit your business and assess it against the requirements of the financial services laws, your AFSL conditions, ASIC guidance and best practice. Then they provide you with a report. If the audit is the result of a special condition on your licence, or an enforceable undertaking, the consultant will look at other matters, as dictated by ASIC, and will provide the reports to both you and ASIC.

When you first applied for your licence, you probably told ASIC that you would have an annual compliance audit. There's no law that says you have to do it,[1] but your undertaking to ASIC during the application process arguably imposes an obligation on the licensee to have it done annually, at least for the first year or two. As time goes on, this may change.

How does it compare to a Registered Auditor's review?

Annual financial audits by ASIC-registered auditors are compulsory for all AFSL holders, unless they hold a limited AFSL and don't touch client money. Some licensees wholly rely on the financial audit and don't separately engage an external compliance auditor.

Each year, you must lodge your profit and loss statement and balance sheet with ASIC, along with an Auditor's report. When conducting the audit and providing their report in Form FS71, the auditors need to:

  • Include their opinion on the effectiveness of your internal controls used to comply with certain parts of the Act (dealing with client money and property, handling insurance payments, keeping records, lodging documents, appointing auditors and other conduct requirements).
  • Report to ASIC within 7 days if they become aware of a contravention of a condition of your AFSL (or a number of other provisions). Your AFSL requires you to establish and maintain compliance measures that ensure, as far as is reasonably practicable, that you comply with the provisions of the financial services laws. There is no significance test attached to this obligation – they need to report even the most technical breach.
  • Report to ASIC within 28 days after becoming aware of circumstances such that they have reasonable grounds to suspect a contravention of the Corporations Act 2001 (the Act). A significance test applies. ASIC gives guidance to auditors about what it considers "significant" in RG 34, and uses a civil penalty provision as an example (eg. if an auditor becomes aware of your failure to comply with FoFA's conflicted remuneration provisions, it would need to report this to ASIC).
  • Make certain "reasonable assurance" statements (eg. "in our opinion, the internal control is effective…") and make certain "limited assurance" statements (eg. "nothing has come to our attention that causes us to believe that internal control is not effective").

The Guidance Statement GS003 sets out that financial auditors should look at a number of documents, and determine whether you as licensee are meeting your obligations. It goes on to discuss what we call the "10 commandments" found in section 912A of the Act. In our experience, auditors tend to focus on the financial obligations imposed on the licensee, and will spend some time checking over breach, risk and complaints registers. They'll also cast their eye over your compliance manual.

In contrast, the advantages of an external legal review are:

  • There's no legal obligation on the reviewer to report any identified breaches to ASIC, unless the review is mandated by ASIC through imposed licence conditions or an enforceable undertaking. The reviewer can often help you resolve the issues after compiling the report.
  • If the reviewer is a law firm, it's likely that client legal privilege will protect the report (except in the case of ASIC-mandated reviews).
  • Good external legal reviewers don't look at your financial position, but will consider your overall compliance framework, and test whether it is actually working in practice. This involves going to the next "layer" of detail when considering your documentation, and then systematically testing it by talking to relevant staff, including advisers. Importantly, it should include considering client-facing documents such as FSGs and SoA templates.

It's also worth noting that nearly every licensee dealer group that has entered into an enforceable undertaking with ASIC had been subject to annual financial audits; the financial audit alone did not prevent the EU. We know of one large dealer group that, before being subject to an Enforceable Undertaking (EU), had never had an external compliance audit conducted, and relied wholly on registered auditor reviews. Of course, your overall compliance culture is your best line of defence against entering into an EU, and a strong record of external review is just one indicator of that.

So here are our conclusions. Take heed of what follows!

  1. Consider your compliance culture

Did you know that "corporate culture" is defined in the Commonwealth Criminal Code? It's also referred to extensively by the Courts and ASIC. Culture is the link between procedural compliance and behavioural compliance. If behaviour is non-compliant, even the slickest compliance framework is going to fall over. It is easy to pick up quickly on an organisation's compliance culture. Poor compliance culture indicators that we commonly come across are:

  • Inadequate compliance resources.
  • Lack of ASIC-reported breaches on the breach register.
  • Missing procedures, or procedures that haven't been updated in the last 12 months.
  • Poor understanding of key obligations by client-facing staff.
  • High compliance staff turnover.
  • Compliance staff not being involved in the decision-making process from the start.

In contrast, healthy cultures demonstrate characteristics like:

  • Genuine buy-in from senior management. This is easy to see – do they devote their time to compliance matters? We had one dealer group client whose CEO sat in on every Responsible Manager training session we ran for their team and AFS licensee network, annually for four years! He also chaired the compliance committee.
  • An appropriately skilled and resourced compliance team.
  • A compliance manager that gets invited to key decision-making meetings, before the decisions are being made.
  • A compliance manager with direct access to the top levels of management.
  • A compliance committee that reviews the 5 key registers (risks, conflicts, training, breaches, complaints) on an ongoing basis.
  • Up-to-date procedures that reflect actual practice.

Changing your compliance culture requires buy-in, identification of barriers to improvement, the formulation of strategies to continually strive for improvement, and the allocation of sufficient resources.

Our licensee reviews consider around 19 different topics (Compliance Arrangements, Responsible Managers, Breach Reporting, etc). By far the most recommendations (173) in the sample fell under the Compliance Arrangements heading. Common recommendations related to:

  • Consolidating and updating existing compliance procedures.
  • Ensuring adequate staff to get the job done.
  • Separating roles to ensure proper reporting lines.
  • Strengthening the compliance committee by changing its makeup, function or standing agenda items.

  2. Keep up-to-date records if you advise retail clients

Do you know what your AFSL says about record keeping? It says you need to keep records of every version of your Financial Services Guide (FSG), every Statement of Advice (SoA), and certain information that supports your SoAs, for at least 7 years. It's not enough that you have an agreement with your authorised representatives to access their documents. It's established best practice for licensees to keep their own (usually electronic) copies of such documents. You need to be able to show your auditor how you do that.

Over the years, some licensees have been unable to show how different versions and copies of documents are retained for the required period. This is changing and it is now more common that registers are fairly well maintained, based on the reviews that we've conducted.

  3. Have a "living" risk management system

Award winning author Arie de Geus wrote a book "The Living Company" which chronicled his findings after researching 27 companies that ranged in age from 100 to 700 years old. What do you think was one of his key observations amongst those companies? Meticulous, systemic risk management.

It comes as no surprise that the Act and your licence conditions both require you to have a risk management system, unless you're APRA regulated, in which case you'll have one under a different set of laws anyway. It should conform to the relevant standard (ISO 31000:2009 is the most recent, at the time of writing), and it needs to be updated on an ongoing basis. The managers and owners of your business are intuitively thinking about risk, so it shouldn't be difficult to capture those thoughts in a disciplined, methodical manner, as part of your ongoing compliance framework. Risk management analysis also benefits from involving "ground level" staff in the process – not just senior management.

We made 86 related recommendations in the reports we analysed, and we observed that in many instances, systems were out of date, improperly completed, poorly integrated with Board or holding company risk frameworks, or simply misunderstood. For the most part, the risk management systems we reviewed did not comply with the ISO standard.

  4. Show how your responsible managers are maintaining competence

You should have a written, forward looking training plan and an up-to-date training register that shows that your responsible managers receive ongoing training. The responsible managers should collectively oversee all the financial services and financial products named on your AFSL, and their training should reflect this. A responsible manager training plan should also show ongoing regulatory training. This might be seminars, courses and monthly regulatory updates. If you've got a Key Person condition on your licence, you should also consider training up a successor who can step in if the Key Person leaves the business.

Bigger licensees tended to have more recommendations on this topic than smaller licensees. Of the 112 recommendations made in the sample reviews, the main topics related to inadequate training or understanding of key regulatory matters, succession planning, and ensuring that there were adequate responsible managers. Another interesting challenge faced by lots of businesses was maintaining "competence" in financial products that the business was not currently offering.

  5. Keep a tight leash on your outsourced providers

Show how you select and monitor your outsourced providers. They can cause you to breach your licence. For example, it's your fault if your auditors don't submit your financial reports to ASIC within 2, 3 or 4 months of the end of your financial year (the deadline depends on what type of entity the licensee is). You should be monitoring them with KPIs, and have contractual recourse if they cause you to breach your licence. Your outsourcing procedure should show who you outsource to, and how you monitor them.

Common issues we have identified in this area are a lack of legal review of key clauses in business-critical IT contracts, lack of ongoing monitoring, and lack of a formal review or appointment process.

  6. Have a breach reporting procedure that works

If you've been operating your AFSL for some time, an empty breach register is a clear sign that something is wrong. The complexities of this regime dictate that your business will breach its licence at some time, if not often. A breach could be forgetting to provide an FSG. It could be failing to tell ASIC that you changed your registered address within 10 business days.

All staff should be trained on what constitutes a breach. If a breach is significant, then it should be reported to ASIC within 10 business days of it being identified.

Every process needs to comprehensively cover identification (do your staff know what a breach or incident is?), classification (is it a breach of the financial services laws?) and action (what are we going to do about it?). Over the years, we have found that licensees have become good at recording breaches. However, larger licensees often struggle with documenting all the breaches they pick up from adviser reviews, and appropriately remediating them.

  7. Have a robust complaints handling process for retail clients

Complaints handling and breach reporting are reactive processes. For these processes to work effectively, it is important to know when to react. This means that staff need to be trained on what is a complaint (for example: is it a complaint or a query?), and how to escalate complaints. Likewise, there needs to be a robust framework in place to identify breaches, escalate them as appropriate and report within the required timeframe.

We found that a common problem is that client-facing staff do not understand what constitutes a "complaint", and the internal process is often not followed properly. We often recommend that policies be updated and refresher training be rolled out.

  8. Sign off your promotional material

Do your website and advertising include the warnings required by law? We have found this to be a common oversight by licensees. You should have a documented process for signing off promotional material. For example, anything containing general advice to retail clients should be signed off by an RG 146-compliant person.

In our experience, websites often include words like "independent", "impartial" and "unbiased" which are restricted for most licensees who receive commission payments. When was the last time you did a search? Try typing "independent site:[your web address]" into Google and see what happens.

  9. Follow your recruitment process

In September 2011, ASIC released a report (Report 251) that summarised its findings from surveying the 20 largest licensees that provide financial product advice to retail clients. You may recall that ASIC asked the licensees a huge list of questions which caused a bit of a stir at the time in terms of the resources required to answer them. ASIC then released another report, Report 362, in July 2013, following responses from the second phase of questions targeted at the top 21-50 licensees. Both reports should be compulsory reading for anyone wanting to achieve an A+ in their next licensee review. Both reports also make comment about ASIC's concern that a poor appointment process may result in you taking on a "bad apple" adviser, which may in turn cause you a world of grief. ASIC has also released a guide called HB 322-2007 Reference Checking in the Financial Services Industry, in conjunction with Standards Australia. It includes loads of useful checklists and procedures that you can implement straight into your business.

We often tell licensees that it's not enough to rely on your external recruiter conducting the reference checks – you should have records on file that also show full RG 146 qualifications (including a skills module), as well as ongoing high-level monitoring of initial advice for an initial period. Other observations we made related to inconsistencies in employment contracts, and a lack of discipline in following the appointment protocol (this was often tied to rapid business growth or a lack of resources in HR).

  10. Your monitoring and supervision framework should be risk-based and fully resourced

Are your reviewers ensuring that personal advice to retail clients meets the Best Interest obligations? No doubt you have just updated your monitoring and supervision framework to take into account FoFA in all its glory.

Monitoring and supervision is more than just an annual review. In our experience, it includes peer review, new adviser-file reviews, "anti-fraud audits", interactive training, "circular folders" that include the week's advice documents, and mentoring systems. ASIC noted in Report 362 that the average number of advisers for each file reviewer was 53. In our view, that ratio can be higher and still successful if there are good compliance systems that are asking the right questions and addressing them.

  11. Have an IT resources procedure

Your procedures should make sure the business maintains adequate IT resources. You also need a backup procedure and a disaster recovery plan. In our experience, the biggest failure in this area is the lack of testing that takes place. Many licensees never truly test their IT backup plans, so the first real restore is the disaster itself. We've seen reports of IT system tests that took three attempts before they successfully allowed the business to continue operating off-site. Have you made even one attempt? In an effort to be true to our word, we commissioned a test of our law firm's backup processes. We discovered that they were completely inadequate, and put in place simple steps to address those shortfalls.

In addition to testing their own backup processes, dealer groups should be seeing evidence of tests being done by their software providers. This is particularly relevant to advisers given that most advice is stored in the cloud by third-party software vendors.

  12. Keep your compensation arrangements updated

If you're required to have PI insurance, then make sure you get legal signoff if you renew your policy but change the terms. Alternatively, you can ask your broker to answer the following question, in writing: Can you please confirm that our PI policy complies with the requirements of RG 126 and, can you please explain any conditions or exceptions to your answer? The worst answer we've seen from a broker is "yes, the policy complies with RG 126, subject to the terms of the policy." That answer is useless.

  13. Check your disclosure documents

This area is commonly less than perfect. We routinely find that FSGs do not comply with the various legal requirements. Also, SoA templates are often too long and complicated. Who conducted your last SoA review? Sometimes an SoA is prepared by someone who has so much time invested in it, they will be reluctant to hack it into one third the size, which is exactly what it may need. Try getting an external party to have a go at simplifying your advice document.

  14. Update your research process

If you service retail clients, and research your products, then you need to have a procedure that sets out why you've chosen the products you have, and how advisers can deal with non-approved products. ASIC and the tribunals and Courts have made it clear that adopting someone else's rating system, per se, is not good enough. Make sure your procedure is followed, and that it explains what a representative must do if he or she wants to recommend a product not on the list. With the onset of FoFA, a big challenge for licensees with related party products on their list is showing that the related party product will result in the client being "better off" by switching to it. How does your business address this issue?

  15. Use your conflicts of interest register

When the requirement to have a conflicts of interest procedure and register came into force in 2005, most people scratched something together and put it in their compliance manual. But, does it actually contain identified conflicts? Does it show that conflicts are being managed? If you're stumped for any conflicts, ASIC released a discussion paper in April 2006, which is packed full of examples. Also, the introduction of "conflicted remuneration" under FoFA should result in you updating your conflicts of interest procedures. It is no longer enough to manage some conflicts by "disclosing" them – they must simply be avoided. That said, disclosure is generally done quite well.

We made 74 recommendations in our sample reviews, and they related to updating conflicts registers, better managing related party products, capturing meaningful disclosures from advisers who may have relationships with external parties, and training staff on what actually constitutes a conflict. In our view, with the onset of FoFA, this is one of the most topical issues facing the industry.

  16. Be prepared for changes

A good compliance audit will invariably suggest changes. Amongst other things, a compliance audit stocktakes and reviews your compliance framework as a whole and assesses whether the framework is really addressing the key issues and risks. We find that new compliance managers who commission a review are open to the recommendations. Entrenched compliance managers will, understandably, tend to defend their programs.

According to ASIC's Enforceable Undertaking with City Index Australia Pty Ltd, entered into on 8 April 2013, City Index took 11 months to fully implement certain recommendations. We suggest that you devote as many resources as you need to implement your own recommendations in a much shorter timeframe!

As you can see, preparing for a compliance audit is not a walk in the park. But, if you are constantly working on developing a positive culture of compliance, it won't be impossible. Think of compliance audits as a tool for positive change and a roadmap for navigating through the numerous regulatory obligations faced by licensees. You don't know what you don't know. Accordingly, any breaches, findings and recommendations in the report will ultimately make your business a better business, if you act on them in the right way, quickly.


[1] That said, there is a law that requires licensees to monitor and supervise their representatives, and Responsible Entities of managed investment schemes do require an annual compliance plan audit.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
