Why Your NDIS Audit Scope Might Be Wrong

Welcome to the show -- if your Initial Scope of Audit says Module 2A and you prepared for the core module only, you're not "a bit underdone"... you're preparing for the WRONG audit. And that's the bit that catches people, hey. Not because they ignored compliance completely, but because they saw "certification audit" and thought, right, governance, incident management, worker screening, participant rights... done. Then the Scope lands and it's not just core. It's core PLUS the specialist layer tied to their registration groups. Exactly. The NDIS Practice Standards are modular by design. Core module is the base for every certification-pathway provider. Then supplementary modules sit on top for specific supports that carry extra risk or extra technical requirements. So if you're delivering specialist supports in 2026, the real question isn't "Have we done the core?" It's "Which extra modules has the Commission actually scoped us for?" Let me push on that. Because I can hear a provider saying, "Hang on, if we know what services we deliver, why does the Initial Scope of Audit matter so much?" Because the Initial Scope of Audit is the Commission's definitive statement of what the auditor will assess. Not your assumptions. Not the way your website describes your services. Not what your ops team reckons you mostly do. The Scope links your approved or applied registration groups to the exact modules. Miss that document, or skim it, and you can build a beautiful evidence pack for standards nobody is actually testing. That phrase -- "beautiful evidence pack" -- I have seen that movie. Gorgeous policies, tidy folders, all colour-coded... and then one ugly question from the auditor: "Show me your evidence for the supplementary module attached to this registration group." Silence. Yep. That's the tension. A provider can look prepared on paper and still fail because preparation wasn't matched to scope. Say you've applied for High Intensity Daily Personal Activities. If your team only assembled core evidence -- complaints, risk, HR, governance -- but didn't line up participant-specific training evidence for the high intensity supports actually delivered, the audit risk is still massive. And the surprise one for a lot of providers is Module 2A. If workers are implementing Behaviour Support Plans and that includes regulated restrictive practices, that can push the provider into the certification pathway even if other parts of the business might've looked more like verification. That's not a tiny admin detail. That's the whole pathway changing. That's one of the biggest gotchas. Module 2 is for specialist behaviour support practitioners doing functional behaviour assessments and developing Behaviour Support Plans. Module 2A is different -- it's about implementing those plans. Different role, different evidence, different risks. And if restrictive practices are being implemented, auditors want to see the implementation framework, worker understanding, monitoring, reporting -- the full chain. So let me try to explain it back. Core module says, "Show me your organisation is safe and well run." Supplementary modules say, "Now show me you're safe and competent in THIS exact kind of support." And if your registration groups say high intensity, behaviour support, early childhood, specialist support coordination, SDA -- whatever it is -- then your evidence has to match that exact lane. Almost -- and the missing piece is simultaneity. It's not core OR supplementary. Auditors assess whether you're meeting both at once. So the governance system in core has to actually support the specialist practice in the supplementary module. Your incident learnings, supervision, competencies, continuous improvement -- all of it has to connect. Which is why reading the Scope carefully is more than admin. It's strategy. It's the map. If the map says Module 4 and you're revising Module 3, you're not behind -- you're lost. Alright, let's get practical. If somebody opens that Scope and sees a specialist module, what are auditors actually digging into? Because "supplementary requirements" can sound weirdly abstract until you're the one trying to prove them. Start with Module 1: High Intensity Daily Personal Activities. This is one of the most heavily scrutinised modules because the risk of harm is direct and serious if supports are done badly. We're talking complex bowel care, enteral feeding, subcutaneous injections, tracheostomy management, urinary catheter management, ventilator management, and complex wound management. And the memorable bit there is not just the list -- it's "participant-specific". Generic training is not enough, right? RIGHT. That's the fact to hold onto. For high intensity supports, auditors will review the High Intensity Skills Descriptors against your workforce training records in detail. Generic certificates don't cut it. Evidence needs to be support-specific, participant-specific where required, current, and delivered by an appropriately qualified health practitioner. So for complex bowel care, for example, workers need training tied to that participant's needs, that type of complex bowel care, and the relevant skills descriptor. Same principle for enteral feeding and the other high intensity activities. So if a provider proudly produces one manual handling cert and one medication module from two years ago... that's basically bringing a butter knife to a surgical audit. A brutal image, but yes. The auditor is asking: who was trained, by whom, for which participant, for which support, and when? And can you prove competency is maintained? If your documents describe a system but day-to-day practice doesn't show that system operating, that's where findings start stacking up. Now behaviour support. This is where the numbering alone can trip people up. Module 2 versus Module 2A sounds like a technicality. It isn't. No. Module 2 is Specialist Behaviour Support -- conducting functional behaviour assessments and developing Behaviour Support Plans. Providers in that space need practitioners with specialist skills in positive behaviour support, and the Commission checks suitability against the Positive Behaviour Support Capability Framework. That's the framework with four levels: Core, Proficient, Advanced, and Specialist. Those four levels -- Core, Proficient, Advanced, Specialist -- are exactly the kind of detail an auditor will want evidence for, not just a vague, "Yeah our practitioner's experienced." Experience compared to WHAT framework? Correct. And auditors also expect providers to understand the NDIS Restrictive Practices and Behaviour Support Rules 2018, plus relevant state and territory laws and policies. Then Module 2A is the implementation side: workers understanding the plan, using it correctly, monitoring what happens, and reporting on any regulated restrictive practices contained in it. Here's where I think some providers kid themselves. They say, "We don't write the Behaviour Support Plan, so it's not really our risk." But if your worker is the one implementing the restrictive practice at 7:30 on a Tuesday morning, it is VERY much your risk. That's exactly right. The implementation risk sits with the provider delivering the support. And that escalation point matters: implementing restrictive practices under Module 2A puts you in the certification audit pathway regardless of other registration groups. That catches people off guard because they think the specialist bit is incidental. It isn't incidental to the Commission. Then the other three modules are quieter, maybe, but not lighter. Early Childhood Supports, Module 3 -- that now covers children from birth up to nine years of age after the 2025-26 update. Providers need workforce qualifications in the relevant allied health disciplines, evidence that the key worker model is actually operating, and proof families are involved in goal-setting and review. And there's a nuance there. If Early Childhood Intervention is provided only by an individual or partnership, they don't have to do a mid-term audit. But organisations delivering early childhood supports alongside other certification groups still go through the full audit cycle. That's one of those details that changes planning and budget if you miss it. Module 4, Specialist Support Coordination, is another one where qualification evidence matters more than people think. The October 2025 Qualification and Professional Associations Required Documentation Guide is the key source there. For Level 3 Specialist Support Coordination -- 0132 -- practitioners need relevant qualifications, current professional memberships, and demonstrated experience in complex case management. And auditors will look at risk management too, because Level 3 is all about participants facing the most complex barriers to implementing their plans. So it's not enough to say, "Our coordinator is experienced." Show the qualifications, show the memberships, show the professional development, show how complex risks are identified and managed. Then Module 5, Specialist Disability Accommodation. SDA providers need to evidence how they meet the extra accommodation-related standards, and if they're only registered for SDA, they don't require a mid-term audit. But -- and this is the 2026 edge -- from 1 July 2026, SIL-specific Practice Standards are being implemented, which means providers in that space really can't rely on last year's understanding. That's the broader lesson across all five modules. In 2026, "we've always done it this way" is weak evidence. Auditors want current alignment: current scope, current qualifications, current participant-specific training where required, current legislative references in policies, current continuous improvement actions tied to incidents and feedback in the specialist area. So maybe the sharpest prep question isn't, "Are we ready for audit?" Maybe it's, "Ready for which module, exactly?" Because if the Scope says High Intensity, or 2A, or 0132, the evidence has to say the same thing back. Read the Scope like it's the exam paper. Then make every training record, qualification file, policy, and practice example answer THAT paper -- not the one you wish you'd been given.