Preparing for Your NDIS Audit: Evidence, Documents, and Readiness

Lesson 07 of 9

Remote NDIS Audits: Why Documents Matter Most

From NDIS Audits

Overview

This episode unpacks why desk-based NDIS audits can be tougher than onsite ones, especially when policies, review dates, and implementation evidence have to carry the whole case. It also covers practical prep steps like building an evidence register and organizing the six key audit areas auditors focus on most.

Preparing for Your NDIS Audit: Evidence, Documents, and Readiness: Remote NDIS Audits: Why Documents Matter Most — full transcript

Welcome to the show. Winter, here's the uncomfortable bit up front: a desk-based NDIS audit can be HARDER than an onsite one, because your documents have to do 100% of the talking. The "100%" is the part that lands for me. Onsite, a provider might lean on a confident manager, a tidy office, staff who sound switched on. Remote? None of that helps if the file says version 1.0, last reviewed... 2022. Exactly. And that's the trap. Providers hear "remote" or "desk-based" and think, beauty, less intense. But for verification pathway providers, the whole audit is done this way. And for certification providers, Stage 1 is generally remote before the onsite Stage 2. So that first impression is often just... documents. Wait -- Stage 1 is not the big walkaround, it's the document test first? Yep. Stage 1 is a high-level review of the provider's system: policies, procedures, forms, key personnel information. The auditor is checking whether systems are in place to meet the NDIS Practice Standards before you even get to Stage 2. So when you say "system", you don't just mean a nice policy folder. You mean: can the provider PROVE the machinery exists? That's it. Auditors are looking for evidence of three things: that systems are in place, that those systems are used consistently, and that the documentation demonstrates compliance. Not intention. Not effort. Evidence. Which is a bit brutal, actually. Because a provider can sound very sincere in a meeting -- "oh yes, we take incident management seriously" -- but if the incident policy is outdated and the incident log is patchy, the sincerity buys you exactly nothing. Exactly nothing is harsh... but fair. And 2026 makes this sharper, not softer. The Commission isn't just looking for the existence of policies. It's looking for whether they're actively implemented in daily practice. That's where people get caught. They submit a policy and think, done. It isn't done. Let me try to say that back. A policy is like the promise. 
Evidence is the footprint. So if you've got an incident management policy, the auditor also wants completed incident reports, records of review and action taken, and then proof something changed after the incident -- like an entry in the continuous improvement register. Is that the shape of it? That's the shape of it. Policy plus proof it's followed. Same with training. Same with complaints. Same with risk. A restrictive practices policy, for example, isn't persuasive on its own. Auditors want to see the system operating in the real world and protecting participant rights in the real world. I think that's the real tension in remote audits. There's nowhere to hide behind being personable. There's no, "if the auditor visits, they'll see we're a good team." Your cloud folder becomes the office tour. Your file names become the conversation. Your review dates become your credibility. Beautifully put. And the providers who tend to pass comfortably are usually not the ones doing a panicked clean-up two weeks before. They're the ones whose daily workflows already produce the records auditors need. That's the secret -- if there is one. Audit readiness is really operational discipline in disguise. And if your daily workflow doesn't create those records, a remote audit exposes that fast. Because there's no verbal explanation to smooth over a risk register that hasn't been updated since you first wrote it. Or an incident policy that still references old NDIS Act provisions. Remote audits are unforgiving like that. The upside, though, is they're predictable. The auditor is asking one basic question over and over: show me the system, show me it's being used, and show me it aligns with the Practice Standards. Alright, so if panic and polished talk won't save you, what's the best prep move? Like, the one thing providers should do before they upload a single document? Build an evidence register. For me, that's the single most useful tool. 
It's a structured document that maps each relevant NDIS Practice Standard and quality indicator to the exact supporting evidence -- file name, file location, and when it was last reviewed or updated. The "file name, file location, review date" trio is gold. Because that's not just a list -- it's almost like GPS for your compliance. You're telling the auditor, and yourself, where every proof point lives. Yes. And it does two jobs at once. First, it shows you your gaps before the auditor finds them. Second, it signals organised, controlled compliance. You're showing that this isn't random. It's systematic. And if you're on the NDIS Commission portal, where the number of uploads is limited, that evidence register also stops the whole thing turning into a lucky dip. You're not just tossing in documents and hoping the right ones float to the top. Exactly. And because auditors may ask for extra policies, procedures, and supporting documents beyond what's uploaded to the portal, you want a clearly labelled secondary package ready to send directly when requested. Not assembled in a panic at 9:40 at night. Okay, let's get concrete. The six areas auditors focus on most -- because I reckon listeners should be able to picture six folders in their head. Good way to frame it. Folder one: service delivery records. Folder two: participant rights and consent documentation. Folder three: incident and complaint management systems. Folder four: workforce compliance -- screening, qualifications, training. Folder five: governance and risk management frameworks. Folder six: continuous improvement evidence. Service delivery, rights and consent, incidents and complaints, workforce, governance and risk, continuous improvement. Those six. And for each one, you're not just dropping in a policy PDF, right? Right. For each area, prepare a concise bundle with the policy, the supporting procedure, and the implementation evidence side by side. 
So, say complaints management: complaint policy, complaint procedure, complaints log, records of action taken, maybe meeting minutes where trends were reviewed, and any improvement action that followed. The meeting minutes point matters. Training attendance records, minutes, practical examples, case studies -- those are the documents that prove the policy escaped the page and entered the building. Or, well... entered the cloud. Entered the cloud, yes. And because digital systems are standard now -- cloud storage, secure practice management platforms, digital incident reporting tools -- auditors may also ask how participant information is protected, not just where it's stored. Security controls matter. Being able to explain them shows compliance maturity. That's a really useful distinction: not "we store it in the cloud," but "here's how access is controlled, here's how participant information is protected." The where is basic. The how is the compliance question. Spot on. And then there is the practical presentation piece. Your folder structure should be intuitive enough that the auditor can navigate independently. Clear file names. Grouped by Practice Standard module. Version numbers. Review dates. A well-organised submission sends a signal before the auditor reads a word. Can I push on that? Some providers hear "presentation" and think this is cosmetic. Like, nice labels, nice folders, done. But that can't be the lesson. No, that's a fair push. Organisation doesn't replace substance. It just removes friction. If the evidence is weak, a tidy folder won't save you. But if the evidence is strong, poor organisation can still create doubt, slow follow-up, and make you look less in control than you are. Which brings us to follow-up requests. Because remote audits are rarely one-and-done. The auditor is probably coming back with, "can you send X, clarify Y, show me Z." Almost certainly. Respond quickly, accurately, and transparently. 
If you need a day or two to locate something, say that proactively. Don't go silent. Slow responses can signal disorganisation or weak compliance, and neither helps. The one that sticks with me most is continuous improvement. In 2026, that's not a nice extra. Auditors increasingly want to see how leaders learn from incidents, complaints, risks, participant feedback -- how the organisation gets better over time. Yes. Include your continuous improvement register or quality improvement plan as a standard part of the submission. If it's well maintained and genuinely reflects operations, it says more about your compliance culture than almost anything else. It proves you're not just reacting to problems. You're reviewing them, learning from them, and strengthening systems over time. And maybe that's the cleanest way to think about a remote audit: it's not asking whether you can talk compliance. It's asking whether your organisation leaves a trail of evidence that compliance is happening when nobody's watching. That's the test. If your documents can stand on their own, the audit gets simpler. If they can't, the distance doesn't make it easier -- it makes the gaps louder. Thanks for listening.