Author
Queensland Audit Office

Regulatory compliance is an entity's adherence to laws, regulations, policies and guidelines relevant to its business processes.

In our audit work, we have identified areas where entities have not managed their regulatory obligations effectively. This article shows you how we evaluate the effectiveness of regulatory compliance and provides our insights on what entities can do to ensure they continue to meet their obligations.

Why is regulatory compliance important?

We live in a complex world that is ever-changing, including the extent of rules and regulations which need to be adhered to.

Governing an entity effectively includes ensuring that it has an efficient and effective compliance framework covering the relevant laws and regulations. 

A compliance framework is an organisation’s first line of defence in demonstrating that they have taken all reasonable steps to meet their regulatory requirements.

How do we evaluate the effectiveness of regulatory compliance?

We assess the following six areas to determine how effective entities are in administering legislation. These are areas all agencies should consider:

1. Understanding of the intent

  • Do we fully understand the intent of the legislation that we are administering?
    • What outcome(s) is the legislation aiming for?
    • What are our obligations in enforcing the legislation?
    • What powers do we have regarding enforcement?
  • Do our policies and procedures support the legislation’s intent?

2. Aligning roles and responsibilities to action that intent

  • Are compliance roles and responsibilities clear?
  • Do staff know what they are accountable for?

3. Identifying skills and resources

  • Have we got the right skills and resources to fulfil our obligations under the legislation?
    • Do we have access to staff who understand current practices?
    • Can staff apply the legislation effectively?  
  • Do we need additional expertise to address emerging trends?
    • What are the emerging risks for example, technology advancement, changes in business arrangements?
    • Is anything preventing us from effectively addressing these risks?

4. Having well-defined processes and policies in place

  • What processes and policies do we have in place to support the administration?
  • Are there escalation processes in place to address unforeseen or complex circumstances?
  • Are we clear on what documentation needs to be retained to provide evidence of meeting regulatory obligations?

5. Designing and implementing internal controls that promote accountability and prevent non-compliance

  • Is the design able to detect potential non-compliance? 
  • Have we implemented the controls effectively?
  • Do we test the effectiveness of these controls periodically?
  • How do we provide assurance to our key stakeholders?

6. Using the right tools to support decision making and record keeping

  • Are the tools designed to support the work you do?
  • Have the tools captured what are required for reporting, analysis and decision making?

By answering the questions, entities can identify if there are gaps in their current processes.