If you’re an NDIS provider, passing your audit is a important part of keeping your registration, protecting participants, and showing that your service is safe and high quality.

But let’s be honest: NDIS audits can feel daunting. Between policies, paperwork, staff interviews, and compliance checks, it’s easy to feel overwhelmed.

That’s why we’ve created this guide. Whether you're new to the audit process or preparing for your next cycle, this article breaks down everything you need to know—step by step. From the different types of audits, how the process works, what questions to expect, and how to avoid common mistakes, you’ll find clear and practical tips to help you approach your next audit with confidence.

What is an NDIS audit?

An NDIS audit is an official check carried out by an independent audit team to ensure your organisation meets the rules and standards set by the NDIS Quality and Safeguards Commission. These audits confirm that you provide safe, respectful, and high-quality NDIS support to the participants.

During an audit, the auditors evaluate four main areas:

• How well your organisation operates: auditors review your daily practices, procedures, and the overall quality of your services.
• Compliance with NDIS rules and standards: they ensure you're following all legal requirements and guidelines from the NDIS.
• Record keeping: the auditors check your files, documentation, and how you manage participant information.
• Participant satisfaction and safety: auditors speak directly with NDIS participants, their families, and your staff to understand how participants feel about your services.

These audits typically occur every few years and provide valuable feedback on your strengths and areas needing improvement. Although audits might feel intimidating, they play a crucial role in maintaining trust and safety in the NDIS sector, protecting both participants and your organisation.

Why are NDIS audits important?

NDIS audits matter because they help protect participants and ensure providers deliver high-quality, safe support. Audits keep everyone accountable by checking that providers stick to the standards and rules set by the NDIS Quality and Safeguards Commission.

Here’s why audits are crucial:

• Participant safety and rights: Audits make sure participants feel safe, respected, and listened to. Auditors talk directly to participants, providing a clear picture of the quality of services from the participant’s point of view.
• Quality assurance: Regular audits push providers to continuously improve their services. They identify areas where providers excel and point out where changes are needed.
• Compliance with regulations: Audits check that providers follow NDIS rules closely. This helps avoid problems down the line, such as penalties, loss of registration, or harm to participants.
• Transparency and trust: By verifying provider practices, audits build confidence among participants, their families, and the broader community. They demonstrate your commitment to high standards.

In short, NDIS audits aren’t just about ticking boxes. They help providers offer better care, give participants peace of mind, and ensure the whole system operates smoothly, safely, and ethically.

How do NDIS audits work?

NDIS audits follow a clear, structured process designed to assess if your organisation complies with NDIS standards. Knowing each step can help you feel prepared and confident.

Here's a straightforward breakdown of the audit process:

Step 1: Engage with an auditor

For verification and certification audits, the audit process starts with you. If you're a new provider applying for registration or an existing provider looking for renewal or change, the first step is to complete an online self-assessment through the NDIS Commission portal. 

This assessment helps generate an Initial Scope of Audit, outlining which NDIS Practice Standards and modules apply to your organisation.

Next, you need to engage an Approved Quality Auditor. You’ll send them your Scope of Audit so they can provide a quote and propose a timeline. Once you accept the quote, the auditor will work with you to confirm:

• Your registration groups
• The number of participants, staff, and locations
• What your audit will cover
• The audit plan and dates

Keep in mind: You pay for the audit, and the cost depends on your organisation’s size, services, and complexity.

Step 2: Document review (Stage 1 Audit)

At stage 1 audit, auditors begin by looking at your organisation’s documents, such as policies, procedures, and, and evidence (professional qualifications, or insurances). Their goal is to check if your documents are complete, up to date, and aligned with the NDIS Practice Standards.

Before moving to Stage 2, the auditor must share the findings from Stage 1 with you:

• If no major issues are found, you should receive the Stage 1 findings at least one week before your Stage 2 audit.
• If non-conformities are found, the findings must be given to you at least two weeks before Stage 2.

The Stage 1 findings should clearly explain:

• Whether your documentation meets the expected standards
• Which registration groups and supports are being audited
• Who your key personnel are
• How many participants do you support
• Suggestions for how staff and participants will be involved in the next stage

Step 3: On-site visit (Stage 2 Audit)

The stage 2 audit applied to certification and recertification audits. Auditors typically visit your site. They’ll speak with your team, participants, and sometimes family members or carers, to gain insight into your daily practices. The main goal of Stage 2 is to validate that your actual practices match what’s written in your policies. In other words: are you really doing what you say you’re doing?

Stage 2 should happen within three months of finishing your Stage 1 audit. If you operate across multiple locations, the auditors might visit a specific location instead of every location. Before the visit, your auditor will provide an audit plan. This plan outlines what they’ll look at, who they’ll speak to, and how the audit will be carried out.

During the audit, the auditors will:

• Observe how things are done day to day
• Review documents and records
• Speak with staff, participants, and possibly carers or family members

Step 3: Auditor evaluation and reporting

The auditors evaluate all gathered information and then write a detailed report. This report highlights strengths, identifies areas for improvement, and recommends actions your organisation needs to take.

The audit report is submitted to the NDIS Commission:

• Verification audit: up to 14 days after the completion.
• Certification audit: up to 28 days after the completion.
• Mid-term audit: up to 28 days after the completion.

Step 4: Audit outcome

The audit report is reviewed by the NDIS Quality and Safeguards Commission, which decides whether your organisation meets the required standards. Depending on the findings, you may need to take specific actions to address any issues raised.

Step 5: Continuous improvement

Once the audit is complete, your job isn’t done. It's essential to use the audit findings to continuously improve your services. If you provide higher-risk NDIS support, follow-up audits may occur 12 to 18 months after the initial audit. So it’s important to ensure your business is actually putting into practice what’s written in your policies and procedures.

What are common NDIS audit results and how to handle them?

Once your audit is complete, you’ll receive a report that outlines how well your organisation meets the NDIS Practice Standards. This report doesn’t just pass or fail you—it gives you a breakdown of what’s working, what needs fixing, and what must be improved right away.

Here are the most common outcomes and how to respond:

1. Conformity (Rating 2)

This means your organisation is meeting the required standards. Auditors may even note a Rating of 3 if the provider is exceeding the standards. No action is needed—just keep up the good work and continue reviewing your practices regularly to stay on track.

2. Minor non-conformity (Rating 1)

The NDIS provider partially meets the standard, but there is a small issue was found. It is not a serious risk but still needs to be addressed. This could be a missing document, outdated policy, or inconsistent process.

How to handle it: You’ll need to submit a corrective action plan. Fix the issue within the timeframe given and provide evidence to show it’s been resolved.

3. Major non-conformity (Rating 0)

The provider fails to meet a key requirement. This could be a missing critical process (for example, no incident management system) or a high-risk failure in practice. If you receive this result, your registration won’t pass until you fix the issues and successfully complete the quality audit.

How to handle it: You have 3 months to fix the issue, so act fast. You’ll need to submit a detailed action plan and show auditors you’ve fixed the issues. In some cases, a follow-up audit may be required.

What are the types of NDIS audits?

There are different types of NDIS audits. Each type has a specific purpose depending on your organisation’s size, scope of service, and the NDIS program of support you provide. Here are the main audit types:

• Certification audit
• Verification audit
• Mid-term audit
• Condition audit
• Out-of-cycle audit

Verification audit

Verification audits are for registered NDIS providers that deliver lower-risk, lower-complexity supports. For example, household tasks, community nursing care, and therapeutic support. Verification audits only have a Stage 1 audit.

Certification audit

Certification audits are for registered NDIS providers offering higher-risk or more complex supports. For example, the development of daily living and life skills supported independent living or short/medium term accommodation. Certification audit involves both stage 1 and stage 2 audits.

Mid-term audit

A mid-term audit is a check-up for NDIS providers delivering higher-risk services. It happens 12–18 months after your registration date. Providers who went through the verification audit don’t need to complete a mid-term audit. The goal of a mid-term audit is to make sure you’re still meeting the standards halfway through your registration.

This audit is usually a smaller, on-site visit that focuses on a few key areas:

• The Governance and Operational Management standards (part of the Core Module)
• Any standards you had to correct from your last audit
• Any extra focus areas identified by the NDIS Commission

By 12 months into your registration:

• Find an auditor from the Approved NDIS Auditor list.
• Confirm the scope and timing of your audit with the auditor.
• Review the relevant NDIS Practice Standards you'll be assessed against.
• Start collecting the necessary documents and evidence.
• Let your staff and participants know that auditors will be visiting and observing your operations.

During the audit: Auditors will check if your everyday practices match your policies. If they find non-conformities (minor or major), be ready to provide extra information or an action plan quickly.

By 18 months into your registration:

• Make sure your auditor submits the final audit report to the NDIS Commission on time.
• If any corrective actions are outstanding, address them without delay.

Condition audit

A condition audit is an audit that the NDIS Commission can require at any time during your registration period. It’s not routine like other audits—this one is triggered by specific concerns or conditions related to your registration.

You may have a condition audit if:

• You only completed a provisional certification audit when you first registered
• Not all services or support classes were observed during your last audit (for example, you hadn’t started delivering them yet)
• You have outstanding minor non-conformities
• The Commissioner has concerns about your service and needs a targeted review

In these cases, the NDIS Commission will outline the scope and timing of the audit as part of your registration conditions. This means you must engage an auditor and complete the audit according to the Commission’s instructions.

Condition audits help the Commission monitor compliance and make sure all registered providers maintain safe and high-quality support for participants.

Out-of-cycle audit

An out-of-cycle audit is an audit that providers request when they want to change or expand their registration scope. For example, when you're planning to offer a new type of support or add new registration groups or modules.

The audit will help decide whether your organisation can safely and effectively deliver the new supports you're adding.

Key points about out-of-cycle audits:

• They can occur at any time during your registration period
• They usually involve an on-site assessment of the new services or sites
• The audit scope focuses only on the new areas you’re applying to add

How to prepare for an NDIS audit

Preparing well for your NDIS audit makes the whole process smoother and less stressful. Here are practical steps you can take to get ready:

1. Understand the NDIS Practice Standards

Start by reading the NDIS Practice Standards and Quality Indicators The more familiar you are with what's expected, the easier it is to identify what’s missing. Make sure all required documents and systems are up to date:

• NDIS Policies and procedures
• Participant files and service agreements
• Staff qualifications
• Incident, risk, and complaint management documents and system
• Care management system

2. Inform NDIS participants and staff

Inform participants about the audit, letting them know they can choose whether to participate. Make sure that their feedback is valued, and confidential, and will help improve services. 

Staff should also know that they may be interviewed. Explain how auditors might ask questions about their roles, policies, participant care, and incident procedures.

3. Communicate with your auditor

Once your audit is scheduled, stay in close contact with your auditor. They’ll provide an audit plan, you can use it to confirm who needs to be available and what sites or services are in scope.

Are NDIS participants involved in NDIS audits?

Yes, NDIS participants may be involved in the stage 2 NDIS audit. The participants help auditors understand if the NDIS services are safe, respectful, and effective.

However, participating in an NDIS audit is optional, and participants can decline at any time. If the participants choose to participate, they can decide how they want to be interviewed:

• Talking to auditors face-to-face
• Joining a phone or video call
• Giving permission for auditors to review their service files

Participants can also have a support person with them, such as a friend, family member, interpreter, or advocate, as long as that person doesn’t work for the provider.

Participants can ask questions, skip anything they don’t feel comfortable answering, and stop the chat whenever they like.

What are the typical questions NDIS auditors ask participants?

Auditors ask several questions to understand how well your service supports participants. Here are some common questions auditors may ask participants:

• Do you feel safe and respected by your NDIS support workers?
• Are you happy with the support you receive?
• How often do you talk about your needs with your provider?
• What happens if you’re not happy with your support?
• Are you given a chance to share your ideas or feedback?
• Do you know what to do in an emergency or disaster?
• Do you feel the staff are good at their jobs?

These conversations usually take around 20 minutes. There are no right or wrong answers. What matters most is that participants feel safe to speak freely.

What are common mistakes providers should avoid?

NDIS audits can be smooth when you’re prepared. However, some mistakes can delay the process, lead to non-compliance, or even put your registration at risk. Here are the most common mistakes to watch out for:

1. Poor record-keeping: Missing, outdated, or incomplete policies and procedures are one of the biggest red flags in any audit.

2. Ignoring previous audit recommendations: If you receive minor non-conformity or major non-conformity results, you’re expected to resolve any issue. Otherwise, your registration can delay or you will fail to comply with compliance standards and can't continue providing services.

3. Inadequate staff training: Your team must know what’s in your policies, and how to apply it in practice. If staff are unsure of how to report incidents, handle complaints, or describe their role, it raises serious concerns about service quality and safety.

4. Lack of internal checks: If you’re under the certification pathway, a mid-term audit is required 12–18 months into your registration. To avoid surprises, regularly check your compliance through internal reviews. File audits, policy reviews, and mock audits can help you catch and fix issues early—before they become major problems.

Stay NDIS audit ready with Pnyx

At Pnyx, we understand that NDIS audits can feel like overwhelming, but they don’t have to be. Pnyx care management software is built to help you organise progress notes, policies and procedures and stay audit-ready every day, not just when auditors are coming.

Besides, with Pnyx quality management software, you can take things even further by managing incidents, complaints, and risks in one simple platform. You’ll be able to:

• Respond to incidents and complaints quickly, ensuring consistent, high-quality care
• Track resolution processes to stay compliant and ready for any audit
• Use real-time reporting to spot trends, reduce risk, and improve your services

Want to see how it works? Book a demo and discover how Pnyx can help you pass your next NDIS audit—and stay ready, always.

FAQ

1. What is the difference between a certification audit and a verification audit?

A certification audit applies to providers delivering higher-risk or more complex NDIS supports. It involves both Stage 1 (document review) and Stage 2 (on-site assessment).
A verification audit is for lower-risk services and only requires a desktop review of key documents—no site visit needed.

2. Do NDIS participants have to be involved in the audit?

No, participation is voluntary. Participants can choose whether to speak with auditors, and how—face-to-face, by phone, or by allowing access to their files. They can also have a support person with them and may stop at any time.

3. How often do NDIS audits happen?

Audits typically occur at registration and renewal, but mid-term audits may be required 12–18 months in for higher-risk providers. Additional audits—like condition or out-of-cycle audits—can happen any time based on changes to your registration or concerns from the NDIS Commission.