Preparing for Your NDIS Audit: Evidence, Documents, and Readiness

Lesson 06 of 9

NDIS Audits: Why Evidence Beats Paperwork

From NDIS Audits

Overview

Learn why NDIS compliance in 2026 depends on evidence rather than polished policies, and how auditors trace the story of a service through records, controls, and practice.

The episode also breaks down the five evidence buckets to prepare before audit, including governance, workforce files, participant records, and financial compliance.

NDIS Audits: Why Evidence Beats Paperwork: full transcript

Welcome to the show. Winter, the number that should make every NDIS provider sit up in 2026 is this: the most common reason for non-compliance is NOT missing policies. It's missing or delayed EVIDENCE.

And that lands a bit hard, because heaps of providers hear "audit" and think, right, print the policies, make the folders look beautiful, job done. But you're saying the folders can be full and you still fail?

Exactly. A policy on incident management, an invoice, a training certificate -- each one on its own is just a loose tile. The auditor wants the mosaic. Can you link the worker who was trained, to the participant who received the service, to the note written at the time, to the agreement that authorised it, to the process you say you follow? If those links are weak, it looks like compliance on paper only.

That phrase -- "the story of the service" -- I think that's the bit people miss. So not just, "yes, we have a privacy policy," but, "here's where privacy was explained, here's the signed consent, here's how the record was stored, here's who had access." It's almost like the auditor is tracing footprints.

That's a good way to put it. They're tracing footprints. And in 2026 they're much less impressed by shelf-ready documents than by active systems. A policy last reviewed three years ago? That's not proof of a living compliance system. That's proof you had a document once.

Brutal... but fair. And this is where I wanna push a little. If a provider genuinely has all the required policies -- incident management, complaints, privacy, risk, workplace health and safety, emergency planning -- shouldn't that count for a lot?

It counts, sure. It's necessary. It's just not sufficient. Under the core module alone, you've got four required procedures, five required processes, and twelve required documents. That sounds like a lot -- and it is -- but auditors aren't stopping at, "tick, policy exists." They're asking whether those documents are current, version-controlled, relevant to your actual services, and visible in daily practice.

Wait -- four procedures, five processes, twelve documents under the core module alone? I'm not going to forget that. Because it explains why providers get overwhelmed and then default to admin theatre. Lots of tabs open, not much linkage.

Admin theatre is exactly it. The antidote is an evidence register. Before you send anything to an auditor, build one structured document that maps every relevant NDIS Practice Standard and quality indicator to the evidence that supports it.

Give me the bones of that register. What's actually in it?

Each line should show the quality indicator, the exact document or record that satisfies it, where that document is stored, its version number, and when it was last reviewed. Simple, but powerful. Because every gap you find in that register is a gap your auditor would've found instead.

And the storage location part matters more than people think. If your auditor has to ask three times where the risk register lives, or whether the complaint log is in SharePoint or a desktop folder called "Final Final Use This One"... confidence drops pretty quickly.

Yes. Organisation is evidence too. Especially now that digital systems are standard. Cloud storage, practice management platforms, digital incident tools -- all great. But auditors may ask not just where participant information is stored, but how it's protected. Who has access? What's the control? What's the backup? Can management explain it clearly?

So the real tension in an audit isn't neat folders versus messy folders. It's whether your system actually WORKS in practice. Full folders can still hide empty proof.

That's the whole game. Evidence beats paperwork because paperwork describes intention. Evidence shows what really happened.

Alright, so if I'm a provider and I'm 90 days out from audit, what are the actual buckets? Because this is where people start panic-downloading random PDFs.

Five main buckets. Governance documents, policies and procedures, workforce documentation, participant records, and insurance plus financial compliance. And each one has details auditors look for very closely.

Let's do governance first. What are the non-negotiables?

Organisational structure, risk management framework, current risk register, legislative compliance register, quality improvement plan with recent actions and outcomes, business continuity and emergency management plan, and conflict of interest policy. Those pieces show oversight. Not just that support happens, but that the organisation is controlled and accountable while it happens.

"Recent actions and outcomes" in the quality improvement plan -- that's the phrase I'd underline. Because a quality plan with no recent action is just a wish list.

Exactly. Then policies and procedures: they need to be current, tailored to your real operations, and version-controlled. Required areas include incident management and reportable incidents, complaints handling, participant rights and responsibilities, privacy and confidentiality, risk management, WHS, emergency and disaster management, plus restrictive practices and medication management where applicable.

And "version-controlled" means the file itself tells a story too, right? Title, version number, review date. If the review date says 2023 and we're sitting in 2026, you've basically told the auditor this system hasn't been actively maintained.

That's right. Then worker files -- one of the most time-intensive and one of the most scrutinised areas. Every file should include the NDIS Worker Screening Check clearance and expiry date, Working With Children Check where applicable, signed employment agreement, position description, induction records, mandatory training completions including the NDIS Worker Orientation Module and infection control training, and any relevant qualifications or professional registrations.

The expiry date on the screening check -- that's the bit people miss. They have the clearance copy, but not the live status or expiry. And for plan management, it's even more specific, yeah?

Yeah. For plan management providers, auditors can ask for a list of all workers delivering plan management services, certified copies of qualifications and associated professional memberships, and worker screening clearances for each worker. And because the Commission portal has upload limits, it's smart to have a clearly labelled secondary document pack ready to send directly to the auditor.

That secondary pack is such a practical point. It's one of those boring little moves that saves you heaps of stress later.

Now, participant records. This is where many providers underestimate the standard. For each sampled file, auditors may look for a current signed service agreement specific to that person, a personalised support plan linked to their goals, completed consent forms, progress notes written at or near the time of service delivery, case notes for significant events or changes, feedback records, and evidence of incidents or complaints plus how they were resolved.

Let me try to play that back. Progress notes are the daily proof -- what happened, when, by whom. Case notes are the bigger-picture proof -- changes, decisions, major events. Is that close?

Very close. Progress notes are daily operational evidence; case notes are strategic evidence. And the timing matters. Completing notes within 24 hours of service delivery is strongly recommended. When notes are late, the auditor starts wondering what was remembered later, what was reconstructed, and what might not line up.

Within 24 hours -- that's the number. Because once you're writing a support note days later, you're not documenting, you're kind of narrating from memory. And memory is a terrible compliance tool.

Last bucket: insurance and financials. Your public liability certificate, professional indemnity where applicable, and workers compensation if you employ staff. Those certificates must be current and must EXACTLY match your legal entity name and ABN. Any mismatch between the insurance entity and the registered provider name is an immediate flag.

The word "exactly" is doing a lot of work there. Not "close enough," not trading name versus company name if they don't line up -- EXACT match. And on the financial side, service agreements need to reflect the 2025-26 NDIS Pricing Arrangements and Price Limits, which have been in effect since 1 July 2025.

Yes -- and if agreements still reference outdated rates, they need updating and re-signing. That's one of those details that feels administrative until an auditor sees it as evidence your controls aren't current.

So let's put the 90-day window around all of this. First 30 days: map the audit requirements, build the checklist, review existing docs. Days 31 to 60: gather evidence, clean up policies, run a mock audit. Days 61 to 90: final readiness checks, staff refreshers, close gaps. Ninety days isn't about being fancy. It's about not turning audit prep into a last-minute crisis.

And that timeline matters because 2026 audits are asking a deeper question. Not "do you have a policy?" but "can you show us risk is actively managed, participant rights are protected in real life, incidents lead to learning, and improvement actions actually happen?"

Which is a different standard altogether. It's not document ownership. It's operational proof.

Right. Every document should connect to an action, a decision, or a real service moment. If it doesn't, the auditor may see paper. But what they're looking for now is practice.

And that's the shift worth sitting with. In 2026, the safest-looking provider isn't the one with the thickest folder. It's the one that can prove, line by line, that the system lives in the work.