External advisers, reviewers, validators, and compliance consultants now sit inside almost every high-stakes decision an RTO makes. They shape assessment tools. They run validation panels. They draft training and assessment strategies. They review mapping. They prepare providers for regulatory scrutiny. When the advice is strong, the provider lifts. When the advice is weak, the regulatory and financial consequences land on the provider alone, not on the consultant who wrote the document. That is why due diligence before engagement matters more than any clause in the contract that follows. This is a practical guide to doing it properly.
Every RTO CEO knows the moment. A re-registration is approaching. A scope change is being considered. An enforcement letter has arrived. A validation cycle is overdue. A new training product needs development. A self-assurance exercise has flagged a weakness that the team cannot fix alone. The decision to engage external support is made quickly, often under pressure, and often on the strength of a recommendation, a familiar name, or a confident sales conversation. Weeks later, the provider is locked in. The fee has been paid. The documents have been produced. And the real test, whether the work actually holds up against the Standards for RTOs 2025 and the evidence ASQA will look at, has not yet begun.
This is where due diligence before engagement becomes one of the highest-value decisions a CEO or board can make. It costs almost nothing. It takes a few hours of structured questioning. And it can save six figures of rectification cost, months of regulatory exposure, and, in some cases, the registration itself. The responsibility cannot be delegated away. New owners under ASQA's change of ownership guidance are responsible for addressing any existing or outstanding non-compliances and liable for any sanctions that follow. The same principle applies to any provider accepting advisory work. The document produced becomes the RTO's evidence. The consultant's logo is not what the regulator is looking at.
What follows is a structured approach any RTO can use before signing an engagement. It is built around the questions that actually surface the difference between reassurance and assurance. Each section can be turned into an internal procurement checklist and used consistently across every engagement. Owners, CEOs, boards, and compliance managers should expect to use it on every adviser, every validator, and every reviewer, regardless of how well they know the person or the firm.
Start with credentials, because the 2025 Standards now require it
The Credential Policy, which forms part of the Standards for Registered Training Organisations 2025 and came into effect on 1 July 2025, is the first due diligence instrument any RTO has. It is public. It is specific. It is binding. And it defines the minimum credentials any person must hold to make assessment judgements, to provide direction, to deliver TAE training and assessment, and to participate in validation. A CEO who does not know what credentials the adviser holds is not ready to engage that adviser.
Under Section 1A of the Credential Policy, a person delivering training and assessment, including making assessment judgements, must hold a TAE40122 Certificate IV in Training and Assessment or its successor, TAE40116, TAE40110, a diploma or higher-level qualification in adult education or VET, or a secondary teaching qualification combined with a specified assessor skill set. Under Section 2A, delivery of training and assessment for TAE Training Package products requires the person to hold the qualification or skill set at least to the level being delivered, with the TAE50122 Diploma of Vocational Education and Training or its successor required for delivery of the Certificate IV in Training and Assessment itself. Under Section 3A, at least one person on a validation panel must hold one of the specified training and assessment validation credentials, which include the TAE40122 Certificate IV, the TAESS00019 Assessor Skill Set, or a diploma or higher-level qualification in adult education or VET.
Before any engagement, request a copy of the adviser's current credentials: a PDF transcript, a certificate, or an academic record. Compare it line by line against the Credential Policy section that matches the work they are being engaged to perform. If the adviser is being engaged to design, deliver, or assess TAE training products, their credentials must meet Section 2A, not just Section 1A. If the adviser is being engaged to lead or participate in validation, at least one panel member must meet Section 3A. If the work involves advising on assessment judgements, the adviser making those judgements must hold a Section 1A credential. These are not formalities. They are the regulator's floor. An engagement that does not clear this floor produces evidence that the regulator can disregard.
Credentials are not enough. Test current industry skills too.
The 2025 Standards require trainers and assessors to hold current industry skills and knowledge relevant to, and at least to the level of, the training product being delivered or assessed. That obligation extends logically to anyone advising an RTO on how to design, deliver, assess, or validate that training product. An adviser who holds a strong training credential but has not worked in the actual industry for ten years is not qualified to contextualise or validate assessment tools for that industry. The question must be asked directly. When did the adviser last work in the industry that the training product prepares learners for? What role did they hold? What evidence of currency can they produce?
Acceptable evidence includes recent employment records, paid engagements with industry employers, participation on industry advisory panels, published industry articles, recent industry CPD, current licences or registrations held in the industry, and recent site-based project work. A LinkedIn profile is not evidence. A website bio is not evidence. Speaking at conferences is not evidence of current industry skill. The provider should be prepared to say no to any engagement where the adviser cannot produce current industry currency evidence aligned to the training product in question. The regulator will ask the same question if the evidence is ever tested.
Ask how they work, not who they have worked with
Client lists are the weakest form of due diligence in the sector. A long list of past clients proves that the adviser has been paid. It proves nothing about the quality of the work produced, whether those clients later faced regulatory findings, or whether the documents the adviser delivered held up under scrutiny. The stronger line of questioning is about methodology. How does the adviser actually do the work?
For assessment review, ask the adviser to describe their process. Do they read the unit of competency first, including all elements, performance criteria, performance evidence, knowledge evidence, foundation skills, and assessment conditions? Do they map each task back to the unit before judging alignment? Do they test the tool against the Rules of Evidence (valid, sufficient, authentic, current) and the Principles of Assessment (fair, flexible, valid, reliable)? Do they examine the assessor observation instrument, the model answers, the assessor benchmarks, and the reasonableness of the required responses? An adviser who cannot describe this process in specific terms is describing opinion, not methodology.
For validation, ask how the adviser structures the panel, what evidence they bring to the session, how they record the challenge and response, how they handle disagreement, and how they close out findings. Ask what their position is when they identify foundational defects rather than minor improvements. An adviser who has never terminated an engagement or delivered bad news to a provider is an adviser who has not yet been seriously tested. For training and assessment strategy work, ask how the adviser gathers evidence of current delivery practice, how they verify trainer credentialling, and how they validate the strategy against the Standards for RTOs 2025. For compliance support, ask how the adviser tests the operation of policies rather than just their existence. Polished policies are not compliance. Operational evidence is.
Test their currency with the 2025 Standards, specifically
The Standards for RTOs 2025 have been in force since 1 July 2025. They are structured as Outcome Standards, Compliance Requirements, and the Credential Policy. The 2026 Annual Declaration on Compliance, which opened on 3 March 2026 and closed on 31 March 2026, was the first full reporting cycle under the new framework. Any adviser currently practising in the sector should be able to speak fluently about all four components. If the adviser is still speaking primarily in the language of the 2015 Standards, naming Clauses rather than Standards, or referring to Quality Indicators and the Users Guide as their primary reference, they are advising against a framework that no longer exists.
Useful diagnostic questions include the following. How are the Outcome Standards different from the Compliance Requirements in practice? Where does the Credential Policy apply, and how does it interact with the Outcome Standards? What is the CEO signing when they submit the Annual Declaration on Compliance? Which ASQA Practice Guides sit alongside the Standards, and how are they used? What is the regulator's current position on AI in assessment and validation? An adviser who cannot answer these questions quickly and correctly should not be drafting the provider's evidence.
Ask for a sample of work that is theirs, not their firm's
Before signing, request two or three de-identified samples of work that the specific consultant has produced. Not the firm's marketing collateral. Not a case study written by the firm's communications team. The actual drafted assessment tool, the actual validation report, the actual training and assessment strategy, and the actual rectification plan. Read it the way a performance assessment officer would read it. Does it demonstrate clear alignment with a unit of competency or a Standard? Does the mapping support the evidence claimed? Does the language carry the definitive weight the regulator expects, or does it hedge with 'may', 'should', 'at least', and 'one or more'? Is the contextualisation real, or is the same generic language pasted into every document with different cover pages?
The sample work test is the single most revealing step in due diligence. A consultant who resists providing de-identified samples, or who provides only glossy marketing material, is protecting something. A consultant whose sample work is weak, even if presented confidently, is a risk. The strongest consultants welcome this step because their work speaks for itself. Whatever sample is provided should be read by the RTO's most experienced internal compliance person, not only by the CEO. If the provider does not have that capability internally, bring in a second independent reviewer for the sample review only. The cost of a second opinion before engagement is a fraction of the cost of rectification after engagement.
Warning signs that should stop the engagement before it starts
Some patterns in adviser behaviour are so consistently associated with poor outcomes that they should be treated as stop signals. An adviser who cannot produce their own credentials quickly is not a viable option under the Credential Policy. An adviser who cannot describe their methodology in specific terms is relying on reputation rather than process. An adviser who promises audit success, guarantees compliance outcomes, or claims 100 per cent success rates is making a claim no legitimate consultant can verify and no honest consultant would make. ASQA does not pre-approve documents, and compliance is assessed against the provider's evidence at the time of the assessment, not against the consultant's track record.
Other warning signs are more subtle but equally material. Advisers who dismiss concerns raised by the RTO's internal staff without engaging with the details. Advisers who describe previous providers' issues in ways that breach confidentiality, because the same will happen with the current engagement. Advisers who cannot explain how their work maps to the 2025 Standards specifically, rather than to the 2015 framework. Advisers who pressure providers to sign quickly, to bypass internal review, or to skip validation steps because 'we have done this many times before'. Advisers who are unwilling to have their work independently reviewed by a second qualified professional. Advisers who cannot provide current industry currency for the training products they are advising on. Each of these is a reason to pause. Two or more in combination are a reason to stop.
A particularly dangerous warning sign is the adviser who speaks in generalities about every training product in every industry. Training package requirements are specific. Performance evidence is specific. Assessment conditions are specific. An adviser who has never actually worked in the industry to which a training product relates, who has never held a role in that industry, and who cannot speak to the real operational environment in which the competency is performed, cannot contextualise the assessment for that training product. The surface-level adviser is the one whose work looks professional until a performance assessment officer opens it.
Structure the engagement to protect the provider, not the adviser
The contract matters, but due diligence is mostly done before the contract is drafted. The engagement letter should record the specific deliverable, the specific Standards and units of competency it must satisfy, the specific quality tests the work must pass (Rules of Evidence, Principles of Assessment, Credential Policy requirements, ASQA Practice Guide alignment), and the specific process for internal review and sign-off. It should record that the adviser is responsible for delivering work that meets these tests, and that payment milestones are tied to the work clearing those tests, not merely to delivery of documents.
Engagement terms should also include an independent review. Any substantive deliverable, whether an assessment tool, a validation report, a training and assessment strategy, or a rectification plan, should be reviewed by a second qualified professional before the provider accepts it as final. This is not distrust. It is insurance. The cost is modest. The value is disproportionate. If the original adviser resists independent review, that is itself a finding. Confidential information can be protected by non-disclosure agreements. Quality cannot be protected by any document that prevents a second professional from testing the work.
Finally, the engagement should clarify who holds intellectual property in the work, how the adviser will support the provider if questions arise during a later performance assessment, and what the adviser's obligations are to update the work if the Standards, training products, or ASQA Practice Guides change during the engagement period. An adviser who resists these terms is protecting their margin. An adviser who accepts them is treating the relationship as a professional one.
Keep the board in the loop on every substantive engagement
Quality Area 4 of the 2025 Outcome Standards places governance squarely on the board. At the ASQA regulatory update in Brisbane in March 2026, only 6 per cent of providers in the room reported feeling most confident with Quality Area 4 Governance. That number is a map of where external advisory work most often goes wrong. A board that does not know which consultants are engaged, on what scope, for what deliverables, and against what quality tests is a board that cannot meet its own governance obligations. The CEO who signs the 2026 Annual Declaration on Compliance is signing for the whole of the provider's evidence, including work produced by external advisers that the board never saw.
The practical response is simple. Every substantive advisory engagement above a defined threshold should be reported to the board before it is signed, with the due diligence checklist attached. The board should ask three questions every time. Do we have evidence that the adviser meets the Credential Policy requirements for the work they are being asked to do? Do we have evidence of their current industry currency for the training products involved? Do we have a plan for an independent review of the work before we accept it as our evidence? These are governance questions, not operational questions. They belong at the board level because the exposure sits at the board level.
Due diligence does not end when the invoice is paid
The final due diligence step happens after the adviser has delivered the work. Before the deliverable enters the provider's evidence base, it must be tested internally. An assessment tool produced by an external consultant is validated by the RTO's own validation process, led by people who meet the Section 3A Credential Policy requirements. A training and assessment strategy produced by an external consultant is tested against the RTO's actual delivery practice, not assumed to be accurate. A rectification plan produced by an external consultant is reviewed against the specific non-compliance findings it is meant to address, line by line.
This step is where the value of earlier due diligence is either confirmed or lost. A strong adviser will welcome internal validation because their work holds up. A weak adviser will resist it because their work does not. At this point, the provider has the evidence it needs to make a final judgement about the relationship. If the work holds up, the relationship has proven itself and can be continued with confidence. If the work does not hold up, the engagement must be closed out honestly, the deliverable must not be submitted as the provider's evidence without correction, and the lesson must be captured for future procurement decisions. In no circumstance should weak advisory work be accepted into the RTO's evidence simply because it has been paid for. The fee is sunk. The regulatory exposure is not.
The quiet discipline that separates strong RTOs from vulnerable ones
The RTOs that will navigate the 2025 Standards, the 2026 Annual Declaration, and the years of enforcement activity that follow are not the ones with the most impressive consultant rosters. They are the ones with the most disciplined procurement of advisory expertise. They ask for credentials before they ask for proposals. They test the methodology before they test the price. They verify current industry currency before they accept advice on training products. They review sample work before they sign engagement letters. They build an independent review into every substantive deliverable. They keep boards informed of every material engagement. They test deliverables against the Standards before accepting them as evidence. And they treat the after-engagement validation step as non-negotiable.
None of this requires a large organisation. A two-person RTO can run this discipline as effectively as a fifty-site provider. What it requires is the decision to treat every advisory engagement as a high-stakes procurement rather than a relationship purchase. That decision alone removes most of the exposure that sends otherwise capable providers into rectification cycles. Strong consultants welcome this discipline because it rewards the work they have already done to earn it. Weak consultants avoid it because it exposes the gap between their presentation and their practice.
The VET sector has invested heavily in the language of quality. The 2025 Standards invest that language with consequence. Providers who match the Standards with equally disciplined due diligence before they engage external support are providers who stop being vulnerable to someone else's weak work. That is the shift this sector needs. Not more trust in names. More discipline in verification. No more reliance on reputation. More reliance on evidence. The fee is paid once. The consequences of the work remain with the RTO forever.
