NDIS Audit Foundations: Verification, Certification, and Choosing Your Audit Path

Lesson 02 of 9

NDIS Audits: Why They're a Reality Check, Not a Trap

From NDIS Audits

Overview

Learn what NDIS auditors actually look for, from verification and certification through to evidence of safe, respectful, person-centred practice. The episode also explains why the regulator is tightening oversight and how providers can stay audit-ready in a more data-driven environment.

Full transcript

Welcome to the show -- and Winter, the sentence I wish more providers heard earlier is this: an NDIS audit is NOT a trap. It's an independent check that what you say you do matches what you actually do.

That phrase -- "matches what you actually do" -- is the bit people miss, hey. Because the panic usually kicks in at the word audit, like someone's coming in to catch you out, when really they're asking: are participants safe, are they treated with respect, and do your day-to-day supports line up with the standards?

Exactly. An NDIS audit is a formal review against the NDIS Practice Standards, done by an approved auditor on behalf of the Commission. And the standards are really the gold standard for person-centred practice. So the audit isn't some weird side quest -- it's the mechanism that checks whether your service is actually safe, respectful, and delivering quality outcomes.

Okay, but let me push on that. If it's so straightforward, why does "audit" still make people feel like they've just been called into the principal's office?

Because the consequences are real. And in 2026, the environment is tighter than it's ever been. The Commission isn't just waiting for an audit date anymore. Under its 2025 to 2027 roadmap, monitoring is more data-led, more continuous, and way more intelligence-driven. So by the time an auditor turns up, they've often already got a picture of your risk profile from complaints, incident reports, and broader data patterns.

That phrase -- "already got a picture" -- that's the unnerving part. It's not once every few years with a clipboard. It's more like your business leaves a trail all the time.

Yep, that's it. And the reason is the scale. As at 30 June 2025, there were 739,414 NDIS participants with approved plans. Total scheme payments hit $46.3 billion in 2024-25. Once you're dealing with that many people and that much money, oversight can't be casual.

Seven hundred and thirty-nine thousand, four hundred and fourteen. That's not a niche program anymore -- that's basically a city the size of a major population centre relying on this system to work properly.

Right. And then look at the trend lines. Complaints to the Commission went from 1,422 in 2018-19 to 29,054 in 2023-24. That's not a small lift. That's a complete change in the volume of risk signals coming into the regulator.

Twenty-nine thousand and fifty-four. I'm gonna remember that number because it tells you this isn't theoretical. That's thousands of moments where something felt wrong enough for someone to complain.

And compliance action followed. In 2023-24, the Commission finalised 35,519 compliance actions against registered and unregistered providers and individuals. In one quarter alone more recently, it carried out 6,841 compliance and enforcement activities, including banning orders, 1,108 registration refusals, and more than 1,000 corrective action requests.

Wait -- 1,108 registration refusals? In one quarter? That's the bit that snaps you out of the old mindset. This isn't a regulator quietly filing paperwork. This is active.

Very active. And there are some grim examples behind that. In 2024-25, one provider was ordered to pay about $1.9 million in relation to the death of an NDIS participant and serious risk to two others. Another was ordered to pay $2.2 million relating to the death of a participant. Another paid $2 million for failing to keep participants and workers safe, plus $500,000 for not notifying reportable incidents on time.

The "$500,000 for not notifying on time" part matters too. Because sometimes people think compliance is separate from care -- like paperwork over here, real support over there. But late incident reporting can hide risk. It can stop problems being seen before they get worse.

That's exactly the point. Audits exist because participants can't afford providers who look good on paper but fall apart in practice. And the Commission will act. In December 2025, Auspicare Pty Ltd had its registration revoked after an audit found major non-conformities. That revocation took effect on 19 January 2026. So yes, an audit should be taken seriously -- but not feared as some mystery. It's a reality check. If your systems are real, if your practice is real, the audit is where that shows.

I think that's the reframe. Don't ask, "How do I survive an audit?" Ask, "If someone independent tested what we claim, would the evidence hold up?" They're very different questions. So let's make this practical. People hear all these audit types and their eyes glaze over. In plain English, what's the difference between verification and certification?

Verification is the lighter pathway for lower-risk, lower-complexity supports. It's basically a desktop review done every three years. The auditor looks at your organisational documents -- insurance, staff qualifications and experience, and your policies for things like risk, incidents, and complaints. No site visit. Report goes to the Commission within 14 days.

So verification is: show me the paperwork, show me the credentials, show me the systems. No one standing in the office kitchen opening cupboards.

Pretty much. Certification is the heavier pathway for higher-risk or more complex supports. It's a two-stage process. Stage 1 is the document review, similar to verification. Stage 2 is the onsite assessment -- site visit, interviews with staff and participants, and checks that the policies aren't just written nicely but actually understood and used. That report goes in within 28 days of completion.

The "Stage 2 onsite" bit is the whole game, isn't it? Because anyone can have a beautiful complaints policy in a folder. The harder question is whether the team on a Tuesday afternoon actually knows what to do with a complaint.

Yes. Auditors are looking for real implementation. Do staff use the processes properly? Are participant rights visible in everyday support? Does risk management reduce harm in practice? When there's an incident, is the response timely, documented, and used to prevent it happening again? That's what they care about.

Let me try and say that back. It's less "can you show me a policy called dignity and respect" and more "can you show me dignity and respect happening in actual service delivery"?

Almost -- and the extra layer is evidence. Not just vibes, not just intentions. Evidence that governance is accountable, decisions are transparent, risks are managed proactively, emergencies are considered, and participant input isn't decorative. The 2025 Practice Standards really push that continuous improvement mindset.

And this is where some providers get caught, I reckon. They think passing means having documents. But auditors are checking whether staff understand those documents, whether participants experience the rights described in them, and whether leaders can prove the systems actually work.

That's it. And the findings have gradings. If you get a major non-conformity in any area, you've got three months to fix it, and your registration doesn't progress until it's addressed and the quality audit is successfully completed. If it's a minor non-conformity, you've generally got longer to fix it and you can continue through the registration process.

Three months for a major non-conformity -- that is not much time if the issue is structural. If your incident process is broken, or your governance is patchy, you're not fixing that with one frantic weekend and a new template.

No, you're not. And serious or systemic non-conformities can lead to conditions on registration, mandatory mid-term audits at your expense, suspension for specific support categories, or in the worst cases, revocation entirely. So the cost of treating compliance like an afterthought is very high.

And this is where I think people still make the wrong comparison. They compare the cost of preparation with the cost of the audit itself. But the real comparison is preparation versus conditions, suspension, or losing registration.

Beautifully put. Which is why internal auditing matters so much. If you run internal audits at least twice a year, you're pressure-testing your own business before the external auditor does. You're finding gaps early, closing them before they become non-conformities, and keeping participant safety and quality front and centre.

Twice a year is such a useful number because it makes readiness a routine, not a panic. It's like checking the smoke alarms before summer, not after the kitchen's on fire.

Exactly. And in this environment, that's the mindset shift. Don't prepare for an audit as an event. Build your service so the audit simply confirms what's already true. Because the sharpest version of this, really, is that the audit isn't the only moment you're being judged anymore. Your complaints data, your incident trends, your decisions -- they're all speaking for you before anyone walks through the door. So run the business as though you're always being assessed... because in the only way that matters, you are.