Lesson 08 of 11
Overview
This episode breaks down how non-conformities are assessed under the NDIS Practice Standards, including the difference between minor, major, and critical risk findings. It also explores the most common evidence gaps auditors spot, from outdated policies and missing records to stale risk registers and workforce compliance issues.
Welcome to the show — Winter, five calendar days. That's the number that tends to make providers sit up straight when an audit finding lands. Five days to submit a Corrective Action Plan.

Five DAYS is not much runway. Especially if the finding has just told you, in effect, "that thing you thought was sorted... isn't." And I think that's the emotional trap here, right? People hear non-conformity and they hear failure.

Exactly. But a non-conformity is a GAP, not a verdict on whether you're a good provider. In fact, the providers who get hurt most are often the ones saying, "We've never had an issue." Because "no issue reported" is not the same as "system proven."

Yeah, I wanna sit on that phrase — "system proven." Because a lot of teams think quiet equals compliant. No complaints, no incidents, no obvious dramas... therefore safe.

But an auditor isn't grading the vibe. They're grading evidence against the NDIS Practice Standards. That's it. At the simple level, an outcome gets rated conforming, minor non-conformity, or major non-conformity. Conforming means you meet the standard. Minor means there's a gap, but it's not high risk. Major means you have not demonstrated the processes, systems, or structures needed for that outcome, and the gap presents a HIGH risk.

Wait — "high risk" is the bit that changes the temperature. So a major isn't just, "your filing's a bit messy." It's, "you couldn't show the system, and that absence could actually matter to participant safety or service quality."

Correct. And there's one detail providers really need to remember: three minor non-conformities in the SAME module can be escalated to a major. That's basically the auditor saying, "This isn't random. This looks systemic."

Three minors in one module — that's memorable. You can almost picture the dominoes. One weak policy, one missing register, one training gap... suddenly it's not "a few loose ends," it's a pattern.

And above that again is critical risk.
That's serious stuff — criminal acts, child protection concerns, those kinds of breaches. If an auditor identifies critical risk, they report immediately to the NDIS Commission and relevant authorities, and the audit might stop while the Commission decides next steps.

So we've got four very different lanes here: conforming, minor, major, and critical risk. And if you're listening as a provider, the practical lesson is... don't wait for the label to tell you how serious the weakness is.

Right. Because the core tension in a lot of audits is not that providers have NO systems. It's that they have systems that look fine on paper but can't be evidenced in practice. A polished incident management policy with no usable incident log. A complaints process with no complaints register. A training policy with no certificates or attendance records.

Ah yes — the beautiful policy binder. Very glossy. Very reassuring. Completely unhelpful when the auditor says, "Show me how this actually works on Tuesday at 2pm."

That's the misconception to kill off early: having policies is NOT enough. Auditors aren't just asking, "Did you write the rule?" They're asking, "Did you implement it, review it, and keep evidence that you did?" So let's make this concrete. The first trap is outdated documentation. And this one sounds boring until you realise how fast it tells on you. If a policy still references old legislation, outdated Commission guidance, or services you don't even deliver anymore, that signals your quality system isn't being actively maintained. And the proof auditors want there is basic but specific: version numbers, review dates, and a clear document owner. If your policy has no version control, no revision trail, no nominated owner — that's a red flag straight away.

Version number, review date, owner. That's the trio. And it's funny — or not funny — how often busy teams mean to update "next month" and then suddenly the document was last touched two years ago.
Second trap: missing implementation evidence. This is probably the big one in remote audits. You can say staff are trained, but where are the attendance records? You can say complaints are handled, but where is the complaints register? You can say incidents are managed, but where are the logs, follow-up notes, and actions taken?

Let me try to say that back. A policy is the promise. The evidence is the receipt. If you can't produce the receipt, the auditor can't just take your word for it.

Almost — and I'd sharpen it a bit. The evidence isn't just proof that the activity happened once. It's proof that the system operates consistently. Training attendance records, meeting minutes, case examples, registers — all of that shows the policy is alive, not decorative.

Decorative is harsh... but fair. Third trap: incident records. And this is where weak record-keeping can do double damage. It can trigger audit issues and it can affect participant safety. Missing progress notes, incomplete incident reports, unsigned service agreements — auditors rely on those records to verify actual practice.

Yes, and with incidents especially, the record has to go beyond the first report. It should capture the incident, the response, the review, and the corrective action. If your incident log stops at the initial entry and never shows follow-up, that's a common source of minor non-conformities — and remember, three minors in one module can become a major.

That "entries stop at the initial report" line... I think a lot of listeners will recognise it. Not because they're careless, but because operations get busy. Someone logs the event, everyone rushes to deal with the human side — as they should — and then the formal follow-up sort of... drifts.

Totally. And that's an important distinction. Compliance drift often happens in GOOD, busy teams. People are helping participants, covering shifts, solving real problems. But the audit question is still, "Can you prove the loop was closed?"
Fourth trap: stale risk registers. A risk register from two years ago is basically a fossil. If it doesn't reflect your current participant cohort, service scope, staffing, complaints profile, financial and governance realities — it's not evidence of active risk management. And the NDIS Practice Standards expect providers to identify, analyse, prioritise, and treat risks across the organisation. Not just participant risks — also workers, incident management, complaints management and resolution, financial management, governance, operational management. Auditors want current risk treatment actions, not a spreadsheet gathering dust.

A dusty spreadsheet is such a perfect image for this.

Fifth trap: workforce compliance gaps. Expired NDIS Worker Screening Checks, missing mandatory training certificates, position descriptions that don't match the real role — these are some of the easiest to prevent and some of the most frequently found. Which is why a workforce compliance register matters so much. Keep it current. Use automated reminders for expiry dates. And under the 2025 Practice Standards, there's more emphasis on ongoing training, supervision, and regular performance reviews. So the workforce file can't just show that somebody was compliant once upon a time.

This is the part I find weirdly reassuring. Because none of these traps are mystical. They're admin-heavy, yes. They take discipline. But they're visible. You can find them before the auditor does — if you actually go looking.

And that's where internal audits come in. They are your early-warning system, not a box-ticking exercise. If you're not reviewing your evidence regularly, you're flying blind. Quarterly is a solid rhythm: policies, risk register, training records, worker screening, incident logs, complaints, service agreements — all of it.

Quarterly is the key word there. Every three months feels frequent enough to catch drift before it becomes habit.
So when you say internal audit, what do you actually want providers doing?

Map each quality indicator against current evidence. And be ruthless about it. If you cannot locate documented implementation evidence for a quality indicator, treat that as a non-conformity YOU found yourself. Then close it out before the external auditor ever sees it.

Not "we probably did it somewhere." Not "Karen would know where that is." If you can't locate it, it effectively doesn't exist for audit purposes.

Precisely. And if a non-conformity is found, your Corrective Action Plan needs four components. One: the correction — how you'll fix the immediate non-conformance. Two: root cause analysis — why it happened. Three: corrective action — how you'll fix the ROOT cause so it doesn't recur. Four: timeframes and the responsible people who'll do the work.

I like that split between "correction" and "corrective action." Because they're not the same thing. Replacing one missing certificate is a correction. Fixing the broken training tracking process so the next certificate doesn't go missing — that's the corrective action.

Exactly. And the timing matters. Major non-conformities have to be closed out before a recommendation is made to the Commission for initial certification, continued certification, or renewal. Where the major doesn't place a participant at risk of significant harm, the provider must submit a corrective action plan to the audit team leader within FIVE days, have it accepted, and then undergo a follow-up audit within three calendar months to close it out or downgrade it.

Five days, three months — those are the numbers to remember. And minors have a much longer runway, but not forever.

Minor non-conformities must be closed out within 18 calendar months, usually at mid-term or recertification, whichever comes first. And if you don't close out a minor within those 18 months, it escalates to a major. Once that escalation happens, it can't be downgraded back to a minor.
So delay has a cost. Which brings us to the bigger point. The strongest providers aren't the ones pretending gaps don't exist. They're the ones using gaps as intelligence. "What did this expose? What system drifted? What would a participant experience if we left this alone?"

That's a much more mature posture. And it lines up with where the sector's heading: accountability, transparency, proactive risk management, emergency preparedness, and governance that actually includes participant input. Auditors want to see that feedback isn't just collected — it's acted on.

So maybe that's the reframe to leave with: a clean audit is nice, sure. But a provider culture where staff understand compliance, leaders review evidence, and participant voices shape improvement — that's stronger than audit prep. That's operating properly.

Find your own gaps early, fix the root cause, and don't confuse paperwork with proof. That's the game. Thanks for listening. See you next time.