Gatekeeper enforcement and the architecture of board inquiry

ASIC's posture toward gatekeepers has shifted. The regulator's enforcement frame is less interested in the entity that committed the breach and more interested in the directors, auditors, and senior advisers who, in its view, ought to have prevented it. Boards have noticed. The question is whether they have read the shift correctly.

The dominant board response has been a tactical one. Indemnification arrangements are reviewed. Side A and Side B coverage under D&O policies is tested. Limits are increased. Brokers are retained to benchmark the program against peer entities. None of this is unreasonable. It also answers the wrong question.

The exposure that gatekeeper enforcement creates is not principally financial. It is documentary.

ASIC's investigative apparatus reads documents. Notices to produce, compulsory examinations, and the statutory powers under s33 of the ASIC Act are document-led instruments. When the regulator is forming a view on whether a director's conduct fell short of the standard, the work is reconstructing the contemporaneous record. Was the question raised? Was the answer probed? Was the inquiry recorded? Did the director ask, or did the director rely?

That distinction (inquiry versus reliance) is doing more work in the modern director-duty case than the law's substantive content ever did.

The statutory standard has not materially changed. A director must exercise reasonable care and diligence. A director may rely on information provided by management, auditors, and other competent sources, if that reliance is reasonable in the circumstances and if the director makes proper inquiry where the circumstances call for it. The text has been stable for decades. What has changed is the regulator's willingness to test the second limb under contested conditions, and the documentary infrastructure available to reconstruct what a director actually did.

In that environment, the strategic question for a board is not how much insurance is enough. It is whether the documentary record of the board's work would, on cold inspection by a third party, demonstrate inquiry where inquiry was due.

Most board records we see do not.

The structural problem is that contemporary board paper architecture is built for efficiency, not for evidentiary defence. Pre-read materials are dense, summarised by management, and signed off in committees that meet on a calendar rhythm rather than an issue rhythm. Minutes record decisions but rarely record the contours of the discussion that produced them. Where directors raise concerns, those concerns are summarised in management's voice, often in the next paper, often after the relevant decision has been taken. The record reads, on review, like a body that approved what was put to it.

That record does not demonstrate inquiry. It demonstrates reliance. Whether that reliance was reasonable, when contested, is answered by inference. The inferences run in the regulator's favour where the documentary trail is thin.

The fix is not more paper. It is structural. Three observations on the architecture.

First, the reliance ledger. Directors are entitled to rely on management. They should know, at any moment, what they are relying on, who they are relying on, and what work was done before they were asked to rely. This is not a matter for a casual conversation in a meeting; it is a matter for a written reliance basis that sits behind every material decision. A reliance basis generated after the fact reads like a reliance basis generated after the fact. The discipline is to commit it before, in real time, on the same page as the decision.

Second, triggered escalation. Most board paper architectures rely on management to escalate. That model fails at the points where it is most consequential to succeed – the points where management has reasons not to escalate. A board that takes its inquiry obligations seriously builds a different design. Standing items on regulatory exposures, a defined trigger architecture (what will be brought, by when, to which committee), and a willingness for non-executive directors to ask outside the meeting cycle when the trigger is met. The triggers are themselves a documentary artefact. They demonstrate that the board did not wait to be told.

Third, the minute discipline. Minutes that record only resolutions are minutes optimised for legal economy and not for evidentiary value. In the regulatory case, what is contested is not the resolution; it is the inquiry that preceded it. A minute that captures, briefly but specifically, the questions raised, the concerns probed, and the assurances sought is a minute that demonstrates the work the law requires. It is an unfashionable view, because it produces longer minutes. The legal department prefers shorter minutes. The legal department is not the audience that matters when the regulator is reading them.

The auditor question is downstream of the same observation. ASIC's interest in auditors as gatekeepers is, in substance, an inquiry into whether the auditor exercised the professional scepticism the standard requires. The audit working papers are the material record. The auditor who has, over the audit period, raised matters with the audit committee, recorded those matters in working papers, and probed management responses in writing has a defensible record. The auditor whose working papers reflect the management narrative without independent contour does not.

For the board, this matters in two ways. The board's relationship with the auditor is itself a director-inquiry surface. The audit committee that has not asked the auditor probing questions on the matters most likely to fail has not done its work. And the audit committee's records of its interactions with the auditor are part of the contemporaneous documentary trail the regulator will reconstruct.

The strategic implication is not that boards should brace for litigation. It is that the architecture of board inquiry (paper, minute, escalation, reliance) is a defensive asset whose value compounds. The board that designs this architecture before the contested matter arrives carries a record that demonstrates inquiry. The board that designs it after the contested matter arrives carries a record that demonstrates retrospective construction. The latter is, increasingly, the case the regulator builds.

We will not translate this into a list of recommendations. The substantive design choices are matter-specific. They depend on the entity's risk profile, the practice areas where it is exposed, the quality of its management cohort, and the litigation tail it is exposed to. What is general is the framing: gatekeeper enforcement is a documentary game; the documentary record is constructed in real time, board paper by board paper; and the board has more agency in designing that record than its current architecture suggests.

One open question on the auditor-gatekeeper intersection. As the standard for what an auditor's reasonable inquiry looks like rises – driven by climate-related disclosure, AI-supported financial controls, and the accelerating complexity of group-level material – the audit committee will be sitting between two gatekeepers whose obligations are migrating in parallel. The boards that anticipate the migration will integrate the audit committee's inquiry architecture with the board's own. The boards that do not will find that the gap between the two becomes the regulator's case.

This is general analysis. It is not advice on any specific matter. Readers should not act on it without engaging appropriate counsel.
