When you ask a CFO or company secretary how they track ASIC obligations across their corporate group, the answer is usually one of three things: a shared spreadsheet, a calendar reminder set by someone who left eighteen months ago, or "Sarah knows."
The obligations they're tracking are the obvious ones — annual reviews, annual statements, change of officer details. The ones they're missing are the ones that sit in the gaps: between entities, between state and federal requirements, between what the trust deed says and what the register actually reflects.
It's the obligations you don't know you have that create enforcement risk. And most corporate groups are flying blind on at least 70% of them.
There's a fundamental difference between the obligations that are visible and the obligations that exist.
Visible obligations are the ones that arrive in your inbox — the ASIC annual statement, the renewal reminder, the accountant's end-of-financial-year checklist. These are the obligations that your current tracking system was built around, because they're the ones that announce themselves.
The obligations that exist include everything else. Officer duty disclosure obligations triggered by appointments you made two years ago. Trust compliance requirements embedded in deed clauses you haven't read since the structure was established. Cross-entity reporting requirements created when one entity became a controller of another through a restructure your solicitor did eighteen months ago.
A corporate group with 15 entities typically has 45–60 discrete ASIC and corporate compliance obligations. The average in-house team tracking those with a spreadsheet or practice management calendar is aware of 10–15 of them.
The rest exist. They just aren't on anyone's radar until something goes wrong.
The most dangerous obligations aren't the obscure ones. They're the ones that look obvious in retrospect but are systematically invisible until enforcement.
Officer duty notification obligations are one of the most commonly missed categories. Every time a director or secretary changes, there are downstream obligations that extend beyond the ASIC change of details form. If that director holds positions across multiple entities in the group — and they almost always do — the obligation chain multiplies. The form that gets lodged is the one someone thought to lodge. The ones they didn't think to lodge sit there accumulating latent non-compliance.
Trust compliance obligations are perhaps the most underestimated category. Most groups think of trust compliance as an accounting and tax matter, not a corporate compliance matter. But trust deeds routinely impose corporate governance obligations — trustee meeting requirements, distribution minutes, beneficiary notification obligations, register maintenance — that sit entirely outside the ASIC framework but create real liability when not met.
Cross-entity requirements created by structural relationships are the third major blind spot. When Entity A becomes a controller of Entity B through a shareholding restructure, it may create lodgement obligations, beneficial ownership disclosure obligations, and related party reporting requirements that nobody specifically designed and nobody specifically tracks.
These obligations don't hide. They're just not in the places your current system looks for them.
The problem with spreadsheet-based obligation tracking isn't that it's unsophisticated. It's that it creates confidence that isn't warranted.
When your compliance calendar has 23 items on it and you've ticked 23 items, you feel compliant. The system has confirmed that you've done everything on your list. What it cannot confirm is whether your list contains everything you're obligated to do.
Spreadsheets track what someone decided to put in the spreadsheet. They don't track obligations that emerged after the spreadsheet was built. They don't track obligations that nobody thought to add. They don't track the chain reactions that occur when you change a structure, add an entity, or make a corporate appointment.
Calendar reminders have the same structural failure. They remind you of what you already know. They have no mechanism to surface what you don't.
The false sense of compliance created by a well-maintained spreadsheet is, in some respects, worse than having no system at all. No system creates obvious anxiety. A well-maintained spreadsheet creates visible evidence that everything is under control — even when it isn't.
A compliance calendar is static. It holds a list of obligations, associates each with a date, and sends reminders. It does not know what obligations exist unless someone tells it. It does not know when new obligations arise unless someone adds them.
Continuous obligation monitoring is dynamic. It starts from the entity structure — every entity, every officer, every shareholding relationship, every trust arrangement — and derives the obligations that exist from that structure. When the structure changes, the obligation set updates automatically.
The practical difference is significant. When you appoint a new director across three entities in your group on a Monday, a compliance calendar requires someone to manually add the new obligations triggered by that appointment to the tracking system. Continuous obligation monitoring derives those obligations automatically from the appointment event and adds them to the obligation set without human intervention.
When you acquire a new entity and fold it into your group structure, a compliance calendar requires someone to map the obligations for that entity and add them. Continuous obligation monitoring reads the entity's corporate history, identifies its outstanding obligations, maps its relationships to the rest of the group, and calculates the obligations that arise from those relationships — immediately, without a manual audit.
The goal isn't to automate the compliance calendar you have. It's to replace the compliance calendar with something that knows what obligations actually exist.
When people think about the cost of missed ASIC obligations, they think about late lodgement fees. Those are real — ASIC's penalty regime for late lodgements has increased significantly in recent years — but they're the smallest component of the actual cost.
The real costs fall into three categories:
Enforcement escalation. A missed lodgement that goes unnoticed can escalate from a late fee to a formal compliance notice to a show-cause notice to deregistration proceedings or personal liability for directors. The escalation path depends on the nature of the obligation and how long it remains unaddressed, but the common factor is that early, cheap interventions become unavailable as time passes.
Transaction risk. In M&A, financing, and restructuring transactions, due diligence invariably surfaces compliance history. Missing obligations discovered during due diligence create price adjustments, deal conditions, or deal failure. A missed ASIC obligation that costs $82 to fix costs considerably more when it's discovered by a buyer's legal team at heads of agreement stage.
Director personal liability. Australian corporate law creates personal liability for directors who fail to take reasonable steps to ensure corporate compliance. Most directors are unaware of the extent of that liability. The question in an enforcement context isn't whether the company failed to comply — it's whether the director took reasonable steps to prevent that failure. "We had a spreadsheet and Sarah knew" is not, in practice, a compelling answer to that question.
The starting point for obligation mapping isn't the ASIC register. It's the structure.
Week 1: Entity inventory. List every entity in the group. Not just the entities you actively think about — every entity, including dormant ones, shelf companies, dormant trusts, and holding structures that haven't been touched in years. Dormant entities accumulate obligations silently.
Week 2: Structural relationship mapping. For each entity, map its relationships — shareholding relationships, trustee relationships, controller relationships, related party relationships. The obligations triggered by these relationships are often the most invisible.
Week 3: Obligation derivation. For each entity and each relationship, identify the obligations that arise. This step benefits enormously from technology — an AI-powered compliance engine can derive obligations from entity data that would take weeks to map manually.
Week 4: Gap analysis and remediation. Compare the obligations you've derived against what your current system is tracking. The gap is your compliance liability. Prioritise by severity and age, and begin working through the remediation queue.
The 30-day timeline is achievable for groups up to about 30 entities. Above that, technology is essentially required — the manual mapping work becomes too large to complete in a reasonable timeframe without automation.
The compliance problem that most corporate groups have isn't that their current system is inadequate for their current structure. It's that their current system doesn't scale — and they're adding entities faster than manual processes can track.
A scalable obligation framework has three characteristics:
Structure-driven, not calendar-driven. Obligations are derived from the entity structure, not manually entered into a calendar. When the structure changes, the obligation set changes automatically.
Event-triggered, not scheduled only. In addition to date-based compliance triggers, the framework responds to events — appointments, changes of details, structural changes, acquisitions. An event that creates a new obligation should create the corresponding entry in the obligation tracking system automatically.
Auditable at the entity and portfolio level. The framework should be able to answer two questions on demand: "What are the outstanding obligations for this entity?" and "What is our total compliance position across the portfolio?" A framework that can answer the first question but not the second leaves the board flying blind on aggregate risk.
Building this framework manually is possible for small corporate groups. For groups above 15–20 entities, the complexity outpaces manual processes, and technology becomes a practical requirement rather than a convenience.
The groups that get this right aren't the ones with the most sophisticated spreadsheets. They're the ones that replaced the spreadsheet with a system that derives obligations from structure rather than relying on someone to remember to add them.
Start with a statutory records audit for every acquired entity. The audit should examine the ASIC register against the entity's internal records (share register, minute book, officer register) to identify discrepancies that may indicate missed lodgements or unrecorded changes. Also examine the entity's relationship with the rest of your group — the acquisition itself may have created cross-entity obligations that need to be tracked going forward.
Obligation tracking asks: "What do we need to do and when?" Compliance monitoring asks: "Are we doing what we're supposed to be doing, and what would happen if we're not?" Obligation tracking is a forward-looking scheduling function. Compliance monitoring is a continuous status assessment that evaluates your actual compliance position against your full obligation set — including obligations you may not have known about when you built your tracking system.
AI tools have become significantly more capable at document analysis over the past two years, and can extract obligation-relevant provisions from trust deeds and constitutions with reasonable accuracy. The practical caveat is that trust deeds vary enormously in drafting quality and structure, and AI extraction should be reviewed by someone with trust deed experience before being relied upon for compliance tracking. The output of AI analysis is a strong starting point, not a definitive list.
ASIC's enforcement pathway for missed lodgements typically begins with an automated late fee and proceeds to a compliance notice if the obligation remains unaddressed. Continued non-compliance can result in a show-cause notice, voluntary deregistration offers, or forced deregistration for companies ASIC determines are not actively compliant. For more serious failures — particularly those involving officer duties or misleading filings — ASIC has civil and criminal enforcement powers that can result in personal liability for directors and secretaries.
The board needs to understand aggregate risk, not individual obligations. Effective board reporting on compliance status typically uses a RAG (red/amber/green) framework applied at the entity level — each entity is scored on its current compliance position, and the board sees the portfolio view rather than 300 individual obligation statuses. The supporting detail should be available if the board asks for it, but the headline reporting should give the board an immediate read on where the compliance risk sits.
We use cookies to improve your experience. Essential cookies are always active. You can accept all cookies or choose essential only.