An RTO's Guide to the 2025 Standards for RTOs and Their IT Obligations in 2026

This is an IT operator’s perspective on the systems and software Australian RTOs are using to operate under ASQA’s 2025 Standards for RTOs. It isn’t legal advice, an ASQA compliance opinion, or a VET regulatory ruling. Whether any particular control satisfies your obligations is your compliance officer’s, your VET consultant’s, or ASQA’s call. We implement the technical stack. They sign off on whether it clears the bar.

The 2025 Standards have been in force since July last year, and the audit cycle is now well underway. The RTOs we work with are starting to see what ASQA actually asks for in practice, and the gap between what the Standards say and what the audit team wants to see is wider on the IT side than most providers expected. Information management, recordkeeping, and the systems behind quality assurance are getting closer scrutiny than they did under the 2015 framework.

The shift is not radical, but it is real. The 2025 Standards expect an RTO to be able to demonstrate, on demand, that the right person had access to the right record at the right time, and that the integrity of training and assessment evidence has been preserved. Most RTOs we onboard built their systems for the 2015 audit posture, where evidence was a folder you handed over. The 2026 audit posture is closer to a query you have to answer.

What did the 2025 Standards for RTOs change for IT?

The 2025 Standards reorganised obligations into a smaller set of principles-based outcomes, with practice guides explaining what compliance looks like. For IT, the most consequential changes are tighter information-management expectations, clearer recordkeeping requirements (assessment records retained for a minimum of two years), and a stronger emphasis on evidence integrity. The Standards do not prescribe specific technologies, but the outcomes implied are difficult to deliver without modern identity controls, retention discipline, and proper backup.

That last sentence is the crux. The 2025 Standards are technology-neutral by design. ASQA does not tell you to use Microsoft 365, or any particular Student Management System, or any particular LMS. It tells you the outcome it expects: that you can produce student records and assessment evidence on demand, that the records are accurate and complete, that they were generated in a controlled environment, and that they have been preserved for the required period. The outcomes are the obligation; the technology is the means.

In practice, achieving those outcomes without a properly-configured identity layer, a Student Management System with audit logging, a backup regime that has been tested, and a retention policy that has been operated is hard. Most RTOs have parts of this in place. The 2025 audit cycle is exposing where the parts do not connect.

What records does an RTO actually have to retain, and for how long?

Assessment records (evidence of the assessment activities that supported the issuance of a qualification or statement of attainment) must be retained for a minimum of two years from the date of the assessment, with longer retention applying for some funded programs. Student records (USI, enrolment, training plan, results) follow a longer retention period set by the AVETMISS reporting framework and the Higher Education Standards Framework. Trainer and assessor records (qualifications, credentials, currency evidence) must be retained while the trainer is active and for a defined period after they leave.

For most RTOs, the retention obligations stack. The same student record may be subject to a two-year minimum from one rule, a five-year minimum under a state funding agreement, and an indefinite retention obligation if there is an active dispute. The IT system that holds these records has to honour the longest applicable rule for any given record. This is the area where retention labelling at the document level (rather than blanket folder-level rules) earns its cost.

Practical example. A funded student completes a Diploma in November 2024. The two-year minimum says the assessment evidence can be deleted in November 2026. The state funding contract says retain for five years from completion: November 2029. The student lodges a dispute about an assessment outcome in January 2026. The dispute resolution doesn’t conclude until April 2027. The retention horizon for that student’s record is now driven by the dispute (record retained until the dispute is closed plus the applicable post-resolution window), not the original calendar minimum. An RTO using a flat retention rule deletes the record at the wrong time. An RTO using event-driven retention does not.

Which 2025 Standards for RTOs obligations have IT implications?

Most of them, indirectly. The Standards covering information management, recordkeeping, governance, and student support all assume an underlying IT environment that operates the way the principles describe. The clearest direct IT obligations sit in the information management and recordkeeping standards, but governance and student-support standards lean on IT in ways that an audit will surface.

The mapping that has been most useful in CCP engagements with RTO clients is roughly as follows. Information management and recordkeeping (including the practice guide on Information): identity controls, retention labels, audit logging, backup and recovery testing, document-management discipline. Governance (the standards covering management of the RTO’s operations): change-management evidence, vendor management for outsourced systems (LMS, SMS, proctoring, third-party assessors), incident-response process. Student support and engagement (the standards covering student information, training delivery, and student welfare): the student-facing systems (LMS, student portal, assessment portal) and the records they generate. Quality of training and assessment: the integrity of the assessment evidence (timestamps, version control, tamper-resistance), the linkage between trainer credentials and the units they assessed, and the audit-grade traceability of moderation and validation.

The 2015 Standards touched on most of this but did not insist on demonstrable evidence to the depth the 2025 Standards do. The shift is from “we have a policy” to “we can show the policy was followed”.

What systems do RTOs typically run, and where are the weak points?

A typical mid-size RTO runs a Student Management System (aXcelerate, VETtrak, JobReady, Wisenet, RTOmanager and similar), a Learning Management System (Moodle, Canvas, Cloud Assess, etc.), Microsoft 365 for general business productivity, an accounting system, and various point tools for credentialling, assessor management, and proctoring. The weak points cluster in three places.

First, the integrations between systems. Where the SMS, LMS, and Microsoft 365 environments have grown organically over years, the join is usually some combination of CSV exports, manual data entry, and a handful of fragile API integrations. ASQA’s audit posture under the 2025 Standards increasingly asks for a single answer to questions like “show me every record relating to this student”. An RTO with three disconnected systems can usually assemble that answer over a few hours; the 2025 audit cycle expects it inside the meeting. Second, the access controls on the LMS and SMS. Default configurations of the major SMS platforms tend to be relaxed for usability. Trainers often have access to records they no longer need; ex-staff sometimes still have access months after they have gone. Third, the backup and recovery posture for the SMS and LMS. Most RTOs we onboard rely on the vendor’s backup schedule without ever having tested a restore. ASQA does not require a tested restore in so many words, but a recovery failure during an audit period would expose the RTO to the loss-of-records branch of the recordkeeping obligations.

USI and AVETMISS reporting integration

USI handling and AVETMISS reporting are areas where IT and compliance overlap in ways that catch RTOs out. USI verification has to be performed before issuance of a qualification, and the evidence of verification has to be retained. AVETMISS submissions have to reconcile to the underlying student records. An RTO whose USI verification logs live in the SMS but whose AVETMISS reporting runs from a separate spreadsheet has a reconciliation problem waiting for the next ASQA audit. The fix is integration discipline, not new software.

When did the 2025 Standards for RTOs commence?

The 2025 Standards commenced on 1 July 2025. The 2015 Standards continue to apply to compliance behaviour from before that date. ASQA has been clear that audits conducted from late 2025 onwards apply the 2025 Standards to current operations.

For RTOs that did the heavy lifting in the lead-up to commencement, the system is now operational. For RTOs that took the position that they would adjust as audits surfaced gaps, the surfacing is now happening. The 2026 Annual Declaration on Compliance is the moment most RTOs are taking to validate their operating posture against the 2025 Standards in detail.

What does the 2026 Annual Declaration require RTOs to attest to?

The 2026 Annual Declaration is an attestation to ASQA that the RTO has continued to comply with the Standards across the reporting period. Under the 2025 Standards, the attestation language has tightened: providers are confirming their ongoing compliance with a more outcomes-focused framework. ASQA has indicated it will continue to use Annual Declarations as a trigger for audit-cycle activity where the responses suggest material compliance risk.

For an RTO operating in an environment that has not been re-baselined against the 2025 Standards, the Annual Declaration is the moment where unattested gaps become attested gaps. Better to identify and remediate them in the lead-in to the Declaration than to make an attestation that does not survive a follow-up audit.

What software is worth shortlisting for an RTO under the 2025 Standards?

Three patterns are working for mid-size Australian RTOs operating under the 2025 Standards. A tightly-integrated SMS with a strong audit-logging and retention story (some of the Australian SMS vendors have invested heavily in this since the new Standards landed; others have not). A Microsoft 365 backbone with proper identity, retention labels, conditional access, and DLP applied to the document store, integrated with the SMS and LMS rather than parallel to them. And a clear posture on backup and recovery, including tested restores against both the SMS and the LMS at least annually.

The choice of SMS is the most consequential decision. An SMS without audit logging at the field level cannot demonstrate “who changed what when” to ASQA’s satisfaction. An SMS without robust role-based access control cannot enforce the principle of least privilege the Standards expect. RTOs that are due an SMS refresh should be evaluating against the 2025 Standards directly, not against the 2015-era criteria most procurement processes still use.

Off-the-shelf versus custom build

There is no case for a custom-built SMS or LMS in an Australian RTO of CCP’s typical client size. The off-the-shelf market is mature, the vendors compete on features, and the cost of getting custom development wrong in a regulated environment is high. The decision is between off-the-shelf options, not between off-the-shelf and bespoke.

What is realistic is integration work to wire the off-the-shelf SMS, LMS, and Microsoft 365 environment together in a way that the 2025 Standards can be operated against. That integration work is where most of the real implementation effort lands.

Microsoft 365 licensing for RTOs

If the RTO’s recordkeeping evidence relies on Microsoft 365 for retention labelling, audit logging, and access control (most do), the licence tier matters. Business Premium covers the basic retention and access-control features. E3 with the E5 Security add-on, or full E5, adds advanced auditing, eDiscovery, and conditional-access features that audits increasingly look for. RTOs on Business Standard will struggle to produce the evidence the 2025 Standards imply.

The licence step-up is a real cost line. For an RTO of 50 staff plus contracted trainers, the difference between Business Premium and E3 plus E5 Security across all named users is meaningful annually. It should be modelled in the IT budget before the next audit cycle, not after.

What does Standards 2025 compliance cost an RTO to operate?

For a 30-to-100-seat Australian RTO, the typical IT-side annual operating cost of running compliantly with the 2025 Standards is in the 20,000 to 60,000 Australian-dollar range across software licensing, integration support, and backup-and-recovery discipline. One-off remediation projects (typically the year an RTO catches up on a deferred SMS replacement, an integration project, or a major access-control remediation) can be a multiple of that.

The cost varies most with the maturity of the existing environment. An RTO with a recent SMS, a clean Microsoft 365 tenant, and a documented retention policy that has been operated runs at the lower end of the range. An RTO with an end-of-life SMS, a Microsoft 365 environment without retention labels, and an undocumented backup schedule sits at the higher end and usually needs a one-off catch-up project before the operating cost stabilises.

What this means for the CEO and the compliance officer

It means the IT environment is now part of the compliance environment in a way it was not under the 2015 Standards. The CEO needs to be confident that the IT systems will not surface a finding in the next audit, and the compliance officer needs to be confident that the IT vendor (internal or external) understands the 2025 Standards in enough detail to translate them into configuration.

The practical version of that confidence is two things. A walk-through of the IT environment against the 2025 Standards before the next ASQA contact, with the gaps documented and the remediation roadmapped. And a standing operational discipline: monthly access reviews, quarterly retention-policy validation, annual backup-restore testing, and a documented change-management process for SMS, LMS, and Microsoft 365 changes that affect compliance evidence.

What CCP does about the 2025 Standards for RTOs

We do not interpret the Standards. We set up the IT systems an RTO needs to operate compliantly against them, and we keep those systems audit-ready.

For an RTO client, the work usually breaks into three streams. The Microsoft 365 stream covers identity, retention labels, conditional access, audit logging, and the licence uplift where the existing tier cannot carry the audit posture. The SMS and LMS stream covers configuration, integration, access-control review, and the recovery-testing discipline that turns vendor backup into demonstrable resilience. The evidence stream makes sure every claim the RTO makes in its compliance documentation can be backed up by audit-grade evidence from the IT environment.

The interpretation of the Standards, the design of the RTO’s compliance framework, and the assessment of whether any particular control satisfies a particular Standard remain with the RTO’s compliance officer and its VET consultant. Our boundary is explicit. We handle the machinery. They handle the interpretation.

RTOs that did the catch-up work in late 2025 are now in a steady operational rhythm. RTOs that deferred it are increasingly hitting it in the lead-up to the 2026 Annual Declaration. The window to remediate without external pressure is shorter than it was a year ago.

Primary sources

• 2025 Standards for Registered Training Organisations, Department of Employment and Workplace Relations. Accessed 5 March 2026.
• Practice Guides for the 2025 Standards, ASQA’s published practice guides explaining how the Standards apply in operation. Accessed 5 March 2026.
• Practice Guide: Information, ASQA’s practice guide on information management obligations. Accessed 5 March 2026.
• Prepare now: the 2026 Annual Declaration on Compliance, ASQA’s guidance on the 2026 Annual Declaration cycle. Accessed 5 March 2026.