Skip to main content

DVS Independent Audit Program

DVS Independent Audit Program for Private Sector Users

This information guides all private sector users on the Document Verification Service (DVS) Independent Audit Program. If you are a business user, identity service provider (IDSP) or a gateway service provider (GSP), you may be selected to participate in the program. Once selected, participation is mandatory.

We engage an independent auditor to conduct a detailed assessment of a sample of DVS users each year. The auditor assesses how these selected users comply with their participation agreements and the DVS access policy. This is a separate process to the annual compliance reporting that all DVS users must complete.

The auditor produces reports for each organisation. These reports include findings of non-compliance, recommendations for remediation and opportunities for better practice. We then work with users to remediate any compliance issues based on these reports.

Obligation to cooperate with the program

As a business user, IDSP or GSP, you have signed a participation agreement that requires you to fully cooperate with the program. You are required to provide us and the independent auditor with prompt access to relevant records, systems, premises and facilities when asked to do so. For business users and IDSPs, this includes any of your records or information that may be held by your GSP.

You must cooperate with the program to be compliant with your participation agreement. We may suspend or terminate your DVS access if you do not comply with your obligations.

You can find the audit clauses in your participation agreement as follows:

  • Business users – Clauses 6.1 to 6.2
  • Identity service providers – Clauses 6.1 to 6.4
  • Gateway service providers – Clauses 6.1 to 6.3

Participating in the program

Selection for the audit process

Each year a sample of business users, IDSPs and GSPs are selected to be included in the program. The sample is chosen by the external auditor using an analysis of key risk factors.

We will send you a letter if you are selected to be part of this sample. The letter sets out the criteria you will be audited against. If we do not contact you, you are not required to participate in the program that year. You could still be selected in a future year.

Requests for information

After you have been selected, the independent auditor will send you an email with a comprehensive overview of the audit process. The email will explain the audit process, including the timeframes for when you will be expected to provide information.

The email will also include a Request for Information (RFI). The RFI outlines the information the auditor needs to assess your compliance. You will have 10 business days to respond to the RFI. The auditor may send you more RFIs if they need more information.

To assess your use of the DVS the auditor may also conduct interviews with your relevant personnel, ask you to go through your business processes with them and inspect or review your documentation.

Audit report

The auditor will prepare a draft audit report for your organisation based on the information they gather. We review these reports before they are sent to you. When relevant, audit reports outline any findings of non-compliance with clauses of your participation agreement. Recommendations to remediate non-compliance are made based on these findings. Audit reports may also identify better practice opportunities to assist you in complying with your obligations.

Remediation

If your organisation is non-compliant, you must work with the auditor and us to remediate this. You are required to respond to the auditor’s report with a management response. This management response must set out actions you will take to address the audit report’s recommendations. The response must also outline when you plan to put these recommendations in place. We must agree to your management response.

We and the auditor will work directly with you to guide remediation. The audit will remain open until remediation is complete. You may receive requests for evidence of remediation before the audit process is closed. You will be deemed compliant once all areas of non-compliance are remediated.

Further information

For more information about the program and the requirement for cooperation, contact IVSAudits@ag.gov.au.

This information is not, and should not be taken as, legal advice.