What to Expect from an NDIS Audit
Verification Audits Versus Certification Audits
NDIS providers are assessed through one of two audit types, and which one applies depends on the registration groups a provider holds. Verification audits are conducted for lower-risk supports and rely primarily on a review of policies, procedures, and records against a defined set of indicators.
Certification audits apply to higher-risk supports, such as accommodation services or specialist behaviour support, and involve a more rigorous assessment against the full NDIS Practice Standards, including on-site observation and staff interviews. Certification is also a recurring process, generally conducted at the midpoint of a registration period as well as at renewal, so providers holding certified registration groups should expect the audit cycle to repeat well before their certificate expires. Understanding which audit type applies before committing time and resources to preparation is the first practical step, and it is one many providers in Chatswood get wrong when expanding into new registration groups without reassessing their audit obligations first.
Who Conducts NDIS Audits
Audits are carried out by approved quality auditors engaged directly by the provider, not by the NDIS Commission. These auditors are independent bodies approved through the Joint Accreditation System of Australia and New Zealand, and providers select and pay for their own auditor from the approved list.
The auditor's role is to test evidence objectively against the practice standards and report findings to the Commission, which then makes the registration decision. Providers should treat the relationship with their auditor as a formal compliance process rather than a collaborative exercise, since the auditor is not permitted to advise a provider on how to fix the gaps they are assessing. This independence is a deliberate feature of the system, and it means the responsibility for identifying and closing gaps before the audit sits squarely with the provider, not with the auditor engaged to test it.
What Auditors Look At
Auditors examine whether a provider's documented systems are both adequate on paper and genuinely operating in practice. This includes governance arrangements, incident management and reportable incident processes, complaints handling, risk management, human resources practices such as worker screening and induction, and, for certification audits, direct observation of service delivery against participant goals.
Participant records and consent documentation also receive close attention, as does evidence that participants and their families have had genuine input into planning and reviewing their supports. A strong quality management system ties these elements together so that evidence is consistent across policy documents, staff practice, and participant records, which is precisely what auditors are trained to cross-check during a site visit or document review.
Common Non-Conformances
The most frequent findings relate not to the absence of policies but to the gap between policy and practice. Common issues include incident registers that are not updated in line with actual events, complaints records that lack evidence of resolution or follow-up, worker files missing current screening checks, and risk assessments that have not been reviewed within required timeframes.
Other recurring findings include rostering practices that do not reflect participant support needs, training records that cannot demonstrate staff competency in areas such as behaviour support or medication management, and policies that reference outdated legislation or superseded versions of the practice standards. Providers operating across multiple sites, including those based in Penrith, often find that inconsistency between locations, rather than any single failing, drives the bulk of non-conformances raised during certification audits. A practice standards module assessed as strong at one site can still be marked non-conforming overall if another site cannot demonstrate the same evidence.
How to Prepare
Preparation should begin well before the audit is booked, ideally through an internal review against the applicable practice standards to identify and close gaps in advance. This includes ensuring staff understand and can articulate the organisation's policies during interviews, that records genuinely reflect day-to-day practice, and that governance and compliance arrangements are documented and operating as described.
A mock audit or internal file review, conducted against the same indicators the approved quality auditor will use, is one of the more effective ways to surface issues while there is still time to address them. Structured audit preparation in the months leading up to an audit typically focuses on closing the gap between what is written down and what frontline staff and management can demonstrate under questioning, rather than simply producing more paperwork.
What Happens If You Fail
A non-conformance does not automatically mean registration is refused. Auditors classify findings as minor or major, and providers are generally given a defined period to submit a corrective action plan addressing each finding, with the auditor then verifying that the correction has been made.
Major non-conformances, or a pattern of unresolved minor findings, carry greater risk, potentially delaying registration or renewal, or triggering closer scrutiny in subsequent audit cycles. In more serious cases, the Commission can also impose conditions on a provider's registration or request additional evidence before a decision is finalised. Providers that treat corrective action seriously, rather than as a box-ticking formality, generally clear the process without lasting impact on their standing with the Commission, and often emerge with stronger operational systems than they had going in.