While researching another project, I noticed a recurring accessibility theme across several sources, often centered on the same ideas, such as budget and resources, accessibility as a business function, internal accountability is essential, and visibility to all stakeholders.
That theme immediately took me back to my time in higher education, where I led campus accessibility efforts. At some point during that time, it occurred to me that accessibility might receive greater organizational visibility and support if it were included in the institution's internal audit process. Sadly, that idea never gained traction.
Fast forward to today. Organizations are steadily treating accessibility as a business function, complete with budgets, clearly defined ownership, performance expectations, and executive visibility. So. If accessibility is critical enough to warrant that level of investment and accountability, then shouldn't it also be subject to the same oversight and accountability mechanisms as any other critical business operation? Why isn't accessibility routinely included in internal audit activities?
Why Accessibility Deserves a Place in the Internal Audit Process
Digital accessibility should be considered a core component of institutional governance and risk management. Inaccessible websites, student learning platforms, course materials, and third-party technologies can create legal exposure and interrupt online services for faculty, staff, and students. These are exactly the kinds of risks internal audits are designed to identify and mitigate. For example:
Governance & Policy Enforcement
If accessibility policies exist but aren’t consistently applied, that’s a breakdown in digital governance. An internal audit can uncover whether standards are actually being applied and adhered to or simply documented and forgotten.
Procurement & Vendor Risk
Third-party tools, SaaS platforms, and other campus-wide information systems often come with accessibility barriers baked in. If vendors aren’t contractually required to meet accessibility standards, organizations can inherit risk without realizing it. An internal audit is one of the few functions that can identify that disconnect.
Operational Consistency
Coming across a single webpage with missing ALT text and non-descriptive link text is one thing, but discovering hundreds of inaccessible webpages, all produced by inconsistent development standards and workflows, is a process issue. An internal audit is designed to precisely identify possible root causes, including inconsistent training, weak QA checkpoints, poorly defined ownership, or a lack of standardized testing criteria.
Regulatory & Legal Exposure
Accessibility has become increasingly regulated in the public sector and educational organizations, with enforcement now a reality, as evidenced by current ADA regulatory deadlines. Internal audits already evaluate compliance risk across an organization, so including accessibility in the same risk register should be a natural extension of that work.
What Does an Internal Audit of the Accessibility Function Look Like?
An effective internal audit should examine more than just the accessibility of a university's public website. Internal audit teams should evaluate policies, governance structures, procurement procedures, training programs, testing practices, and remediation workflows.
Some questions to ask would be:
- Does the institution have an accessibility policy?
- Are accessibility requirements incorporated into contracts and requests for proposals?
- How are accessibility issues identified, tracked, and resolved?
- Is there evidence of ongoing monitoring and continuous improvement?
Asking these questions can help shift the perception of accessibility from a one-time compliance project to an ongoing institutional responsibility.
Note: There is no internal audit rule book for the digital accessibility function. Internal auditors normally follow a combination of professional auditing standards, state requirements, institutional policies, and applicable laws and regulations. The questions above are not prescriptive audit requirements but are intended as practical starting points that represent the types of controls, governance practices, and risk-management activities commonly found in mature accessibility programs.
Strategic Risk Management
Perhaps most importantly, internal audits help leadership develop a greater understanding of accessibility and gain insights into risks that might otherwise go unnoticed. Accessibility teams understand the technical challenges, but an internal audit report can translate those challenges into organizational risks that resonate with executives, compliance officers, and governing boards. This can result in stronger accountability, better resource allocation, and more sustainable accessibility programs.
Additionally, if a complaint is filed, organizations that can demonstrate documented policies, monitoring processes, remediation efforts, and governance controls will be in a much stronger position to address that complaint.
Accessibility is a legal compliance, risk management, and governance issue. Incorporating accessibility into the internal audit process can help colleges and universities go beyond reactive remediation and establish the controls needed to support long-term compliance.
Institutions that make that shift will be better equipped to reduce risk, strengthen trust, and create user experiences that work for everyone.
And for some organizations, including accessibility in the internal audit process can reinforce its importance as an organizational priority and increase its visibility and legitimacy, helping it gain greater attention and support across the institution.
Resources
- Global Internal Audit Standards
- The Impact of Digital Transformation on the Internal Audit Function: A Literature Review
A human author creates the DubBlog posts. The AI tools Gemini and ChatGPT are sometimes used to brainstorm subject ideas, generate blog post outlines, and rephrase specific sections of content. Our marketing team carefully reviews all final drafts for accuracy and authenticity. The opinions and perspectives expressed remain the sole responsibility of the human author.
