Third-Party AODA Audit: When You Need One and What to Expect

A third-party accessibility audit is one conducted by an external specialist who is independent of your organization. It differs from an internal review not just in who conducts it, but in what it is worth: third-party audits carry significantly more credibility in compliance contexts, complaint responses, and procurement requirements.

93% Student Satisfaction (2K ratings)

Quantity Discounts

Price per course

6 to 20 courses

$20.95

21 to 50 courses

$17.95

51 to 200 courses

$13.95

201+ courses

Custom offer

Not every organization needs a third-party audit at all times. But there are specific situations where commissioning one is not just advisable — it is the most defensible decision your organization can make.

⚖️

What makes an audit 'third-party'?

A third-party accessibility audit is conducted by a specialist who has no direct stake in the outcome — not an employee of your organization, not the agency that built your website, and not a platform provider whose product is being tested. The independence matters because:

An agency that built your website has an incentive to underreport accessibility issues it introduced during development
An internal team member may not have the specialized WCAG expertise or AT testing skills that a dedicated accessibility specialist brings
Regulators, funders, and legal counsel place more weight on findings from an independent party who has no conflict of interest
A third-party auditor brings perspective from testing many different websites and technologies — recognizing patterns that an internal reviewer familiar with their own content might miss

Who is NOT a third-party auditor

Your web development agency, even if they offer accessibility services, is not an independent third party when auditing work they built. Neither is a team member who switches hats from developer to auditor. And a platform's built-in accessibility checker is not an audit at all. Independence means the auditor has nothing at stake in the outcome.

🎯

Eight situations where a third-party audit is the right choice

Situation 01

Before filing your AODA compliance report

Why external: The compliance report is a legal declaration. Filing it without an independent assessment of your actual compliance status creates legal exposure. A third-party audit gives you the evidence base for a defensible declaration.

What to ask for: Full AODA organizational audit covering website, policies, training records, and employment practices. Allow 4–8 weeks before your filing deadline.

Situation 02 — Urgent

After receiving an accessibility complaint

Why external: A complaint triggers scrutiny. The most effective response is evidence that your organization identified the accessibility gap and is actively remediating it. A third-party audit conducted after a complaint demonstrates good-faith effort in a way an internal review does not.

What to ask for: Scoped audit focused on the area of the complaint, with broader site coverage if appropriate. Urgent timeline — engage an auditor within days of receiving the complaint.

Situation 03 — Urgent

During or following a government compliance review

Why external: If the Accessibility Directorate of Ontario has notified your organization of a compliance review or audit, a third-party audit conducted concurrently or immediately afterward demonstrates that you are taking the review seriously and actively identifying and addressing gaps.

What to ask for: Full AODA audit or website-only audit depending on what the compliance review focuses on. Timeline: as quickly as possible.

Situation 04

Before launching a major new website or digital product

Why external: A pre-launch audit is the most cost-effective point to fix accessibility issues — changes to design and code are far cheaper before launch than after. A third-party pre-launch audit gives you an independent sign-off and avoids launching with known compliance gaps.

What to ask for: Website accessibility audit against WCAG 2.0 Level AA. Allow 2–3 weeks before launch, with remediation time built in.

Situation 05

After a major website redesign or platform migration

Why external: Redesigns and platform migrations introduce new accessibility issues even when the previous site was largely compliant. The new CMS, new templates, and new components need independent testing before they go live with customers.

What to ask for: Full website audit of the new platform covering all new templates, interactive components, and user journeys.

Situation 06

For procurement and contract requirements

Why external: Government contracts, grant applications, and some B2B procurement processes require evidence of AODA compliance. A third-party audit report is the most credible form of evidence for external stakeholders who cannot verify your internal processes.

What to ask for: Website accessibility audit with a written compliance statement. Confirm the required scope and format with the procuring organization.

Situation 07

When your last audit is more than two years old

Why external: Websites change continuously. An audit from 2022 does not reflect new content, new components, or new accessibility issues introduced since then. For active websites, an audit more than two years old has limited value as compliance evidence.

What to ask for: Full website audit or at minimum a review of the highest-traffic pages and any sections added since the last audit.

Situation 08

When your in-house team lacks AT testing expertise

Why external: Screen reader testing requires trained specialists. If your internal review did not include NVDA and VoiceOver testing by someone who understands how AT users navigate the web, it missed the issues most likely to prevent blind users from completing tasks.

What to ask for: Website accessibility audit including full AT testing. Can supplement an internal audit that covered automated and manual testing but not screen readers.

🔍

How to choose a third-party AODA audit provider

The accessibility audit market includes dedicated consultancies, generalist web agencies with accessibility practice areas, and individual consultants. Quality varies significantly. Here is how to evaluate potential providers.

Question to ask	What to look for
Does the provider conduct manual testing, or only automated scanning?	✓ Green flag: Explicit confirmation that manual WCAG testing is included alongside automated tools. ✗ Red flag: Quote is based on axe or Lighthouse reports only — this is not a professional audit.
Do they test with screen readers?	✓ Green flag: Confirms NVDA + Firefox and VoiceOver + Safari testing by a trained AT tester. ✗ Red flag: Describes 'checking ARIA attributes' as their AT testing — this is code review, not AT testing.
What credentials does the testing team hold?	✓ Green flag: IAAP WAS (Web Accessibility Specialist) or CPACC, or demonstrable AT testing experience. ✗ Red flag: No accessibility-specific credentials; accessibility offered alongside SEO, UX, and general web services.
Can they provide a sample audit report?	✓ Green flag: Sample shows specific WCAG references, severity ratings, screenshots, code examples, and fix guidance per issue. ✗ Red flag: Sample report is a spreadsheet of URLs with brief descriptions or an automated scan export.
Is your organization's agency the auditor?	✓ Green flag: Independent auditor with no prior work on the site being tested. ✗ Red flag: The audit is conducted by the same agency that built the website — not an independent third party.
What does the engagement include post-report?	✓ Green flag: A walkthrough call to review findings with your team; option for post-remediation retesting. ✗ Red flag: Report delivered with no follow-up support or explanation.

📅

What to expect from a third-party AODA audit engagement

Stage	What happens	Client involvement
Scoping call (day 1–2)	The auditor defines the pages to be tested, confirms the testing standard (WCAG 2.0 Level AA), agrees on the report format, and discusses any known issues or areas of concern.	Provide a list of key pages, user journeys, and any previous audit findings. One hour of your time.
Testing (days 3–10)	The auditor runs automated scans, manual WCAG testing, and screen reader evaluation across the agreed scope. For full AODA audits, this includes document and policy review.	Minimal — provide login credentials for authenticated pages if needed. Respond to any technical questions promptly.
Report production (days 11–14)	The auditor consolidates all findings, assigns severity ratings, writes remediation guidance, and produces the executive summary and remediation roadmap.	None — auditor working independently.
Report delivery and walkthrough (day 14–16)	The report is delivered. A walkthrough call reviews the key findings, explains the remediation roadmap, and answers questions from your development and compliance teams.	Attend with your developer, content lead, and compliance lead. One to two hours.
Remediation period	Your team implements fixes based on the remediation roadmap. The auditor is available for clarification questions on specific findings.	Lead your development team through the issues list. Track progress against the remediation roadmap.
Retesting (optional, days 30–60 post-delivery)	The auditor retests resolved issues to confirm they have been fixed correctly. Produces a retest report documenting which issues pass and which require further work.	Provide access to the updated site. Review retest findings with your development team.

⚖️

Internal audit vs third-party audit: when each is appropriate

Use case	Internal audit	Third-party audit
Day-to-day development QA	✓ Ideal	Not needed
Content team checks before publishing	✓ Ideal	Not needed
Annual internal compliance review	✓ Suitable	Recommended as supplement
Pre-launch testing for new website	△ Partial	✓ Recommended
Filing AODA compliance report	✗ Insufficient	✓ Required
Responding to accessibility complaint	✗ Insufficient	✓ Required
Government compliance review response	✗ Insufficient	✓ Required
Procurement compliance evidence	✗ Insufficient	✓ Required
Post-redesign validation	△ Partial	✓ Recommended

❓

Frequently asked questions

Is a third-party AODA audit legally required?

Not explicitly. AODA does not require organizations to commission a third-party audit. However, the compliance report that organizations with 20 or more employees must file every three years is a legal declaration of compliance. Filing it based on an internal review that lacks professional methodology, AT testing, or independence is a legal risk. Most organizations commission a third-party audit before filing to ensure the declaration is well-founded.

How long does a third-party AODA audit take?

From initial scoping to report delivery, a third-party audit of a small to medium website typically takes two to four weeks. A full organizational audit covering website, policies, training, and employment documentation typically takes four to six weeks. Timeline depends on auditor availability, website complexity, and how quickly your organization can provide necessary access and documentation.

Can my web agency audit our website for AODA compliance?

Not independently. Your web agency is not an independent third party if they built or currently manage the website being audited. Their interests are not fully aligned with finding and reporting all accessibility issues — particularly those introduced during their own development work. If your agency offers accessibility services, they can be involved in remediation, but the audit itself should be conducted by an independent party.

What credentials should an AODA auditor have?

The International Association of Accessibility Professionals (IAAP) offers two widely recognized credentials: the Web Accessibility Specialist (WAS), which covers technical WCAG testing and screen reader evaluation, and the Certified Professional in Accessibility Core Competencies (CPACC). WAS is the more relevant credential for WCAG testing. Ask any potential auditor about their AT testing experience specifically — credentials are useful indicators but hands-on screen reader testing skill is what matters in practice.

What documentation should I have ready before an audit starts?

For a website audit: a list of key pages and user journeys to prioritize, login credentials for any authenticated sections, and details of any previous audit findings. For a full AODA organizational audit: your written accessibility policy, your multi-year accessibility plan, training records, and any compliance report filings. Having these ready at the start speeds up the process significantly.

How do I know if an audit report is credible?

A credible third-party audit report documents the testing methodology clearly, names the specific tools and AT combinations used, includes the dates of testing, provides WCAG criterion references and severity ratings for every issue, includes screenshots or code excerpts, and gives specific remediation guidance. A report that lists issues without context, does not mention testing methodology, or is clearly an automated scan export presented as a manual audit is not credible.

On this page

01 What makes an audit third-party? 02 8 situations where you need one 03 How to choose a provider 04 What to expect from an engagement 05 Internal vs third-party: when each fits 06 FAQs

Commission an independent AODA accessibility audit

Our third-party AODA audits are conducted by experienced accessibility specialists, fully independent of your development team. We cover automated scanning, manual WCAG testing, and screen reader evaluation — and we deliver a report your development team can act on and your compliance team can file with confidence.

Aoda Training