What to expect in the ACCC accreditation process?

Many of our clients push hard and fast to achieve compliance, complete their audit, and submit their CDR application to the ACCC to get accredited. What happens next?


Well... initially it’s pretty anti-climatic. Not much. The application is acknowledged and it’s a waiting game for weeks before the ACCC will set up an initial call to discuss your application.


We don’t typically join those calls, but the ACCC has told us that our clients may request we join those calls. That was in response to our feedback that we get second hand queries coming our way and it might be easier for all involved if we addressed those directly. The call is positioned as a semi-casual meet and greet, to get to know your business, use case and team, and ask a few questions that helps with the review process. In that, they’ll tell you there’s other questions coming in written form and you’ll likely receive that a couple of weeks later to respond to in writing.


What sort of questions do they ask, and why? 


We commonly see requests for confirmations of their understanding, clarifications to better understand your compliance activities, and sometimes requests to include additional activities or attestations to fill what they may see as gaps from their expected standard. 


We’re told some questions are inevitable. We see three drivers of these questions:

  • It’s part of the due diligence process to “kick the tyres” (paraphrased by us) to get comfortable with your compliance that upholds the standard of information security and CDR Rules. 
  • The compliance activities aren’t a clear cut checklist. It varies from company to company and based on your CDR environment and use case. Those variables and your way of being compliant often needs some clarifications by the ACCC to properly understand. AND 
  • Deloitte is engaged by the ACCC to review the assurance reports. You could view this one of two ways; (1) that applies a rigorous process and identifies any gaps missed by the firm that completed your audit, or (2) Deloitte needs to prove their worth by raising items one way or another (and may not reflect actual gaps). 


What’s the timeline to be accredited?


The minimum timeline we’ve seen for accreditation was about 10 weeks from when the application was submitted. And we’ve heard reports of others taking several months where there’s been significant queries back and forth. Our longest was 4 months from the application where the ACCC probed deep and requested updates in relation to legal entities, branding, and the segregation from their international business, that took some time to work through. 


Can you shorten the timeline? 


The best way to make it a fast accreditation process, is to get it all right the first time. We’ve continually updated our reporting templates to cover the items the ACCC expects and based on their ongoing feedback. We use software to comprehensively identify and map controls that offers some redundancy and gives more confidence that all bases are covered. 


Our fastest accreditation - publicly covered in an AWS webinar for our client Payble - had good controls and compliance coverage, quick responsiveness to the ACCC’s questions, and productive dialogue in their initial meeting to be able to identify and address the queries in the first instance. It still had two rounds of back and forth with ACCC team, but Payble responded to each within 24 hours. They communicated their urgency based on a planned funding round (worth noting to the ACCC). And in the second round of responses they explained their position on the queried topics - like  adequacy of insurance - and also offered concessions, eg. If the ACCC believes X after reading our response, we can commit to implementing that prior to going live with the CDR data. That sort of framing can take it off the critical path for an accreditation decision. 


Is there a difference between Sponsored and Unrestricted accreditations by the ACCC? 


It’s early stages for the sponsored accreditation model, that’s been live since February 2022 (now early March). Our expectation from looking at the sponsored self-attestation forms is that it’s likely to lead to an increased number of questions from the ACCC. That’s because;

  • They can’t rely on the information  being validated and attested to by an experienced and qualified audit firm; 
  • The forms in their current design  include a higher level of detail - that can raise more questions - compared to assurance reports that are high-level in nature with the audit and auditors judgement applied at the more detailed level; 
  • Theres more questions to ask by the ACCC in relation to the role played by the sponsor, the level of expertise in-house or engaged in consultants to aid in achieving and validating the compliance, and how ongoing compliance will be maintained and validated over time. In the unrestricted model those are standard with a few audit firms known to the ACCC that supported all of the accreditations.


Ready to plan your CDR accreditation?


Get in touch with our friendly team to discuss your business goals, timing and any other parts of your plans. 


Not sure which CDR access model is right for you? Read our post on the available models or get in touch to discuss further. 


About AssuranceLab


AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.

Some additional information in one line