
The 90-minute LMS audit diagnostic: test your platform before the regulator does


In our previous post on why most enterprise LMS deployments fail their first audit, we covered the four failure modes that come up consistently in compliance-training reviews. The most common reaction we get from heads of L&D after reading it is the same: "I think we're probably fine, but I cannot actually prove it without running something past compliance."

This post is the something to run.

The diagnostic below is what we walk through with a client before either committing to a remediation programme on the existing platform or recommending a full migration. It is deliberately time-boxed - ninety minutes total, two people, six checks. If your team cannot get this done in a single working session, that itself is a finding.

Who runs this and when

You need two people in the room:

  • An operations person with full admin access to the LMS. Not someone borrowing credentials. The administrator who actually maintains the system day-to-day.
  • A reader who is going to write down the results honestly. Internal audit, compliance, or an outside delivery lead - someone whose job is not to defend the platform.

Run the diagnostic when any of these triggers fire:

  • A regulator audit is scheduled within the next six months.
  • A new regulation is taking effect that changes the scope of who has to complete what (financial-services AML refresh, healthcare continuing-education changes, export-controls expansions, data-privacy training mandates).
  • M&A activity is bringing a new training population under your remit.
  • Your LMS vendor was acquired, repositioned, or shipped a major version release in the last 12 months.
  • Your mobile or field workforce is expanding faster than your desktop workforce.
  • Your compliance team has raised the question.

If none of those have fired but you are reading this post, run it anyway. The cost of finding out you are fine is ninety minutes. The cost of finding out the other way is measured in remediation programmes.

The protocol

Six checks. Total time ninety minutes plus a few minutes between. Tick pass or fail next to each. Be honest. The diagnostic only works if the reader will not let the operator wave failures away.

Check 1: The five-minute sanity export (10 minutes)

Pick one regulation that genuinely applies to a real cohort - AML for client-facing banking staff, GxP for pharma manufacturing, HSE for energy operations. The operator pulls the completion report for that regulation, last 90 days.

Note three things:

  • How many clicks to produce the report? A regulator can ask at any moment; if the report needs an internal request to the LMS vendor or a custom export run, that itself is a finding.
  • How long did the export take to generate? Over five minutes for 90 days of data on a single-regulation report is slow. Over an hour means the system is not built for this.
  • What format came out? A schema-preserving CSV or relational export is fine. A SaaS-styled PDF is not - PDFs do not let you cross-reference against HR data, and regulators frequently ask for the underlying records, not the rendered summary.

Pass: under 5 minutes, structured format, includes per-record timestamps and version identifiers.

Check 2: The version trail (15 minutes)

Pick a course that was updated within the last twelve months. Find one learner who completed the course before the update AND one who completed the new version after.

Ask:

  • Does the system distinguish which version each learner took?
  • Can it produce evidence of the content the learner was assessed against, not just the current content?
  • If an auditor asked "what was in module 4 of this course as of 8 March 2025," can you answer with certainty?

Most off-the-shelf LMS platforms answer "the current version" and treat the content as mutable. That is fine for a marketing tutorial and a finding for compliance training.

Pass: distinct version records visible per learner, with retrieval of the historical content.

Check 3: The override audit (15 minutes)

Pull one completion record at random. Look at the metadata.

Ask:

  • Was this record marked complete by the learner, or by an administrator overriding it?
  • If administratively edited, can you see who, when, and what changed?
  • If a deadline was extended, was the extension logged with the reason?

A surprising number of LMS platforms record "marked complete" without preserving whether the completion was earned or granted. The first time a regulator asks "show me all administratively-marked completions in the last quarter and the rationale for each", a system without override provenance fails immediately.

Pass: every administrative action recorded with actor, timestamp, prior-state and new-state, and (ideally) a free-text reason field.

Check 4: The mobile reality check (20 minutes)

This one needs a real phone, not a desktop browser emulator. Borrow a learner's device if you have to - the credentials of someone in your field workforce, not the IT manager's curated demo phone.

Sequence:

  • Open the LMS mobile app. Pick a course module you have not opened on this device before.
  • Turn off Wi-Fi. Turn off cellular. Genuinely offline.
  • Try to access the module. Try to complete it. Try to capture whatever evidence the module asks for (assessment answers, signatures, photos).
  • Reconnect. Wait for sync. Check the desktop admin: did the completion show up correctly, with the offline timestamp preserved?

If your platform has no mobile app at all, that is the result. If it has a mobile web view but no offline support, that is also the result. If it crashes offline or loses captured data, that is the result. We have run this check on enterprise LMS deployments and seen all three outcomes.

Pass: native app, offline content access, offline completion capture, conflict-resolving sync on reconnect with timestamps preserved.

Check 5: The cohort scope test (20 minutes)

Ask the operator, out loud: "Show me all users subject to regulation X who have not completed the relevant training as of today."

The filter has to combine at minimum: role, jurisdiction, hire date, tenure, and whatever data-access privilege the regulation hinges on. The data feeding those filters has to be current as of today, not as of the last manual tag refresh.

Build the query live. Time it. Watch how the operator constructs it.

Pass: the operator can build this in the admin UI in under 15 minutes, the result reconciles against your HR system as of today, and the report exports in a useful format.

If the answer requires a vendor support ticket, the answer is no.

Check 6: The eight-field audit trail spot check (10 minutes)

Open one completion record. Look for all eight fields covered in the original failure-modes post:

  1. Who took the course (verified identity, not just a username).
  2. When they took it (timestamp).
  3. What version of the course (immutable reference).
  4. What environment (production, never staging or sandbox).
  5. What client (browser, mobile app, device fingerprint).
  6. What network (corporate, public, VPN).
  7. Whether any administrative override was applied.
  8. The before-and-after state of every transition (not just "marked complete" but the full state machine).

Tick off which fields are visible. Six or more out of eight is acceptable. Fewer than six and the audit is going to find it.
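The spot check above, combined with the override provenance criteria from Check 3, can be scripted against an exported record. This is an added example, not NusaLMS code or part of the original post; every field name and both sample records are assumptions made up for illustration.

```python
# Added illustration. Field names are hypothetical; map them to your LMS export.
EIGHT_FIELDS = ["verified_identity", "completed_at", "course_version", "environment",
                "client", "network", "override_applied", "transitions"]
ADMIN_REQUIRED = ("actor", "at", "from", "to")  # Check 3: who, when, prior and new state

def visible(record, field):
    """Present and non-empty; an explicit False still counts as recorded."""
    value = record.get(field)
    return value is not None and value != "" and value != []

def spot_check(record):
    seen = [f for f in EIGHT_FIELDS if visible(record, f)]
    findings, warnings = [], []
    if record.get("environment") not in (None, "production"):
        warnings.append("record did not come from production")
    admin_steps = [t for t in record.get("transitions") or []
                   if t.get("actor_role") == "admin"]
    for step in admin_steps:
        missing = [k for k in ADMIN_REQUIRED if not step.get(k)]
        if missing:
            findings.append(f"admin action missing {missing}")
        if not step.get("reason"):
            warnings.append("admin action has no free-text reason")
    # Completion granted by an admin but not flagged as an override.
    if admin_steps and record.get("override_applied") is not True:
        findings.append("admin transition present but override flag not set")
    return {"score": len(seen),
            "missing": [f for f in EIGHT_FIELDS if f not in seen],
            "check6_ok": len(seen) >= 6,   # six or more of eight is acceptable
            "check3_ok": not findings,
            "findings": findings, "warnings": warnings}

# Constructed sample records, not taken from any real system.
EARNED = {"verified_identity": "emp-1042", "completed_at": "2025-03-08T09:14:00Z",
          "course_version": "aml-refresh@v3", "environment": "production",
          "client": "mobile-app", "network": "vpn", "override_applied": False,
          "transitions": [{"from": "in_progress", "to": "complete", "actor": "emp-1042",
                           "actor_role": "learner", "at": "2025-03-08T09:14:00Z"}]}
GRANTED = {"verified_identity": "emp-2210", "completed_at": "2025-03-09T17:02:00Z",
           "course_version": "aml-refresh@v3", "environment": "production",
           "override_applied": False,
           "transitions": [{"to": "complete", "actor": "admin-07",
                            "actor_role": "admin", "at": "2025-03-09T17:02:00Z"}]}

if __name__ == "__main__":
    for name, rec in (("EARNED", EARNED), ("GRANTED", GRANTED)):
        print(name, spot_check(rec))
```

The second record shows why the two checks are scored separately: it reaches six of eight fields, yet the completion was granted by an administrator with no prior state logged and no override flag set.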

How to read the results

Add up the passes.

Five or six pass. Probably audit-ready. Document this protocol, run it quarterly, archive the result. The diagnostic has paid for itself just by giving you written evidence that you tested the system.

Three or four pass. Real gaps, but not catastrophic. A remediation programme can usually close them within 3-6 months without replacing the platform. The two failure modes to prioritise first are typically the audit-trail completeness (check 6) and the cohort scoping (check 5) - those are the ones the regulator will probe first.

Zero, one, or two pass. Full audit risk. The system is not built for compliance training, and bolting it on after the fact is rarely cheaper than migrating to a platform that was. Remediation timelines from this position are typically 6-12 months and almost always benefit from a parallel-track migration plan as a hedge.

What to do if you fail

Three options, in order of cost and disruption.

  • Vendor-side remediation. Open a ticket. Ask for the specific gaps to be addressed by a specific date. Useful when the gap is configuration rather than architecture, and when your vendor has a track record of shipping requested features. Less useful when the gap is structural.
  • Wrap the LMS with a custom reporting layer. Build a thin compliance reporting and audit-trail enrichment service that sits between your LMS and your regulator-facing reports. Lets you keep the existing LMS for content delivery while patching the audit story. This is the most common middle path we have shipped.
  • Migrate. When the structural gaps are too large to patch (no mobile architecture, no version-locking, no cohort model), the audit risk usually beats the migration cost. Quote the vendor exit cost stack honestly before deciding.

A note on bias

This diagnostic was designed by the team that maintains NusaLMS, and the four failure modes it tests against are the modes we built our platform around. That is the bias up front.

The diagnostic is published anyway, because (1) the checks are platform-agnostic - any honest auditor would run a near-identical protocol, and (2) if your existing LMS clears all six, you do not need us. If it does not, the gap is what we exist to close.

If you would like a delivery lead to run this with you against your current platform, book a 30-minute call and bring an operator with admin access.
