WCAG Conformance vs Accessibility Audit: They're Different (2026)

Two terms that get conflated often: WCAG conformance and accessibility audit. They're related but structurally distinct. WCAG conformance is a claim about your site's compliance status — typically expressed in an accessibility statement, an ACR (Accessibility Conformance Report), or a VPAT (Voluntary Product Accessibility Template). An accessibility audit is a deliverable produced by an evaluator that documents specific findings against WCAG criteria. You need both, but for different reasons. This article walks through the distinction and when each matters.

What's the Structural Difference?

WCAG conformance is a public-facing claim: "this site conforms to WCAG 2.2 Level AA as of [date]." It's a binary or graded statement about compliance status, intended for users, customers, regulators, and procurement evaluators. An accessibility audit is an internal-or-private deliverable: a document that lists every WCAG criterion evaluated, the status of each (pass / fail / not applicable), specific evidence per finding, and remediation recommendations.

The conformance claim is what you publish. The audit is what supports the claim. A merchant who publishes a conformance claim without an underlying audit is making an unsubstantiated claim — exactly what the FTC's April 2025 enforcement against accessiBe for "false, misleading, or unsubstantiated" accessibility claims targeted. For broader audit-deliverable context, see accessibility audit guide and accessibility audit reports complete guide for 2025.

What Is an ACR (Accessibility Conformance Report)?

An ACR is a structured conformance-claim document, typically used in B2B procurement and federal contracting contexts. The most common ACR format in the US is the VPAT (Voluntary Product Accessibility Template), originally produced for federal Section 508 procurement. ACRs include: product/site identification, applicable accessibility standards (WCAG 2.2 AA, Section 508, EN 301 549), per-criterion conformance status with brief explanation, summary statement of overall conformance level.

ACRs are typical deliverables when: a B2B customer asks "are you accessible?" before signing a contract, a federal agency evaluates a product for procurement under Section 508, a procurement team requires an ACR as part of vendor evaluation. ACRs are typically prepared by the merchant or vendor (not by an external auditor); the underlying basis for the ACR is the merchant's accessibility audit. For VPAT-specific context, see VPAT accessibility conformance report.

What Is an Accessibility Audit Deliverable?

An accessibility audit is a comprehensive findings document produced by an evaluator — internal team, external accessibility-specialist firm, or accessibility-platform-driven combination. The audit covers: scope (which pages, flows, components were evaluated), methodology (automated scan tools used, manual evaluation methods, screen-reader testing, keyboard-only testing), per-criterion findings with specific evidence (URLs, screenshots, code snippets, scanner output), severity ranking (critical, serious, moderate, minor), and remediation recommendations.

A thorough audit deliverable is typically 50-200+ pages for a Shopify storefront, depending on scope and detail. The findings underlie any conformance claim, ACR, or VPAT. When supervisory authorities, courts, or procurement teams require evidence of compliance, the audit is the primary documentary evidence. For audit-content context, see accessibility audit expectations and interpret WCAG audit report.

When Do You Need a Conformance Claim?

You need a public conformance claim (in your accessibility statement) when: required by EAA/BFSG (any merchant subject to EU regulation), required by procurement context (federal Section 508, B2B procurement, enterprise vendor evaluation), strategically valuable for marketing or trust-signaling (consumer brands signaling commitment to accessibility), or required for state-specific compliance (some California state agencies require ACRs from vendors).

For most Shopify merchants, the conformance claim lives in the accessibility statement at /pages/accessibility-statement; the ACR/VPAT is needed only if the merchant has B2B or government procurement needs. For broader accessibility-statement context, see shopify accessibility statement template generator 2026 and accessibility statement guide.

When Do You Need an Audit Deliverable?

You need an audit deliverable when: documenting conformance for a published conformance claim, defending against an accessibility lawsuit (audit is primary evidence of remediation effort), responding to a supervisory-authority inquiry under EAA/BFSG, supporting a B2B customer's procurement evaluation (some customers require third-party audit reports beyond ACR), or planning a remediation roadmap (audit findings drive remediation prioritization).

The audit cadence question: continuous (monthly or quarterly via accessibility platform) vs annual one-time engagement. The hybrid pattern is increasingly standard — daily/monthly automated scans plus monthly expert manual audits via platform, supplemented by annual deeper audit if specific procurement or litigation context requires it. For audit-cadence context, see continuous monitoring vs point-in-time audits and automated vs one-time audits.

How Are Conformance Claims and Audits Related in Compliance Posture?

Three structural relationships. The audit underlies the claim. A defensible conformance claim is supported by a recent audit that evaluated the criteria the claim cites. An ACR is essentially a structured summary of audit findings. Audit findings drive remediation; remediation completion supports updated claim. Audits identify non-conformances; remediation addresses them; updated audit confirms remediation; updated claim reflects new conformance posture. Claim staleness vs audit recency are tracked. Compliance regulators evaluate claims based on the date of last review; audits older than 12 months are typically considered stale for compliance documentation purposes.

For continuous-compliance context, see accessibility audits vs remediation effectiveness and audit vs remediation strategy guide.

What Happens When the Claim and Audit Don't Match?

This is the FTC's accessiBe case in structural terms. The merchant publishes a conformance claim ("WCAG 2.2 AA conformant") that the underlying audit cannot support. Supervisory authorities, plaintiffs' counsel, and procurement evaluators discover the gap. Consequences range from procurement disqualification, lawsuit exposure, and regulatory enforcement (FTC, FBA, BAuA, DGCCRF depending on jurisdiction).

The defensive posture: never publish a conformance claim stronger than your audit supports. If audit shows known non-conformances, the conformance claim should disclose them (per EAA explicit requirement). Honest disclosure is structurally superior to overstated claim. For broader risk context, see overlay-installed still sued pattern analysis and accessibility overlays lawsuits truth.

What Does TestParty's Approach Look Like?

TestParty produces both audit deliverables and conformance-claim documentation. Approach: source-code remediation against WCAG 2.2 AA (the underlying compliance work), daily automated scans plus monthly expert manual audits (the audit deliverable updated continuously), accessibility statement template generation (the conformance claim formatted appropriately), ACR/VPAT generation for B2B procurement contexts. Compliance scope spans ADA Title III, WCAG 2.2 AA, EAA Directive 2019/882, BFSG, BITV 2.0 alignment, CIPA, and GDPR. TestParty was named to the Forbes Accessibility 100 in 2025 and has remediated 1,575,000+ WCAG issues across 100+ brands.

In our experience working with 100+ brands, the alignment of conformance claim and audit is the single most-defensible compliance posture. Brands that publish well-supported claims face lower lawsuit and enforcement exposure; brands that overstate claims face higher exposure regardless of underlying remediation. For broader compliance-posture context, see shopify accessibility audits what to expect on demand.

Frequently Asked Questions

Do we need an ACR/VPAT if we're a consumer-direct Shopify brand? Typically no. ACR/VPAT are most relevant for B2B and government procurement contexts. Consumer-direct Shopify brands typically need a published accessibility statement (which functions similarly to an ACR for consumer audiences) and underlying audit documentation, but not the formal ACR/VPAT format.

How often should we update our audit deliverable? Continuous (monthly automated scans, monthly expert manual review) is the increasingly-standard pattern. Annual one-time engagements are weaker because they leave 12-month gaps where issues are introduced and unmonitored. Most brands at material accessibility-compliance investment are on continuous monitoring; some supplement with annual deep-dive audits for specific procurement or litigation contexts.

Can we use automated scan output as our audit? For complete documentation, no. Automated scans cover the WCAG criteria that fit pattern-matching (~40-50% of total criteria); manual review covers cognitive accessibility, complex business-logic flows, dynamic-content edge cases. A complete audit combines both. Brands relying solely on automated scans typically have audit gaps that show up in real-world enforcement or litigation.

Who should perform our audit — internal or external? Both have a role. Internal accessibility champions can run continuous-monitoring audits; external audit firms or accessibility-platform-supported audits provide independent validation. Many brands run continuous internal audit through their platform plus annual external validation; this combines real-time visibility with independent credibility.

Is the conformance claim in our accessibility statement legally binding? Yes — to the extent that it represents a public claim about your site's compliance status. False claims expose you to UCL/FTC/state-AG enforcement and to plaintiff's-counsel use as evidence of misrepresentation. Publish only conformance claims your audit substantiates; this is the structural rule for risk reduction.

What's the difference between a VPAT and an EAA accessibility statement? VPAT is a US-origin format for Section 508 procurement; emphasis is on per-criterion status reporting in a standardized template. EAA accessibility statement is an EU-origin format with required fields specified by the directive; emphasis is on user-facing communication and supervisory-authority contact. Both are conformance-claim documents but for different audiences and contexts.

Can a single audit cover multiple Shopify storefronts? Yes if the storefronts share theme, app stack, and Liquid customizations. Sub-stores or multi-region variants of a primary storefront can typically be audited together. Significantly different sub-stores may need separate audit treatments. For multi-property context, see enterprise accessibility platforms.

How do we update our conformance claim after remediation? Update the date on the accessibility statement, update the conformance level if it changed (e.g., from "WCAG 2.2 AA except [list]" to "WCAG 2.2 AA"), update the known-non-conformances section, republish to /pages/accessibility-statement. The platform-managed update flow simplifies this; manual updates are also straightforward via Shopify's /pages/ interface.

TestParty practices a cyborg approach to content: AI assists with research and drafting, our accessibility experts validate every claim. This article represents our editorial perspective based on public data as of the publication date. We compete in the digital accessibility space — which means we have informed opinions, but also a vested interest. All sources are cited so you can draw your own conclusions.