Preparing for Your NDIS Audit: Evidence, Documents, and Readiness

Lesson 08 of 9

How to Beat an NDIS Audit Before It Starts

From NDIS Audits

Overview

This episode breaks down why audit failures often begin months in advance, and how an honest gap analysis can uncover issues before an auditor does. It also walks through the key evidence areas that trip providers up, from governance and document control to workforce compliance and service records.

Preparing for Your NDIS Audit: Evidence, Documents, and Readiness: How to Beat an NDIS Audit Before It Starts — full transcript

Welcome to the show. Will, I want to start with the sentence that should make every provider sit up straight: an NDIS audit can absolutely be lost MONTHS before the auditor ever logs in. Yeah — and usually not because the provider is doing nothing. It’s because they’re doing what feels productive in the final week: polishing templates, chasing signatures, renaming files, building folders. But the providers who pass first go don’t treat audit readiness like a rescue mission. They treat it like ordinary operations. And that sounds simple, but it’s a pretty sharp mindset shift, hey. Because a lot of people hear “audit prep” and think, right, document pack, couple of late nights, we’ll sort it. You’re saying that’s already too late? Usually, yes. The real start point is a gap analysis. Map every quality indicator that applies to your registration groups against the evidence you ACTUALLY hold right now. Not what you think exists. Not what someone says is “probably in HR”. The evidence you can locate, open, and explain. “Every quality indicator” is the bit people gloss over. Because once you say that out loud, it stops being a vague confidence exercise and becomes, hang on, we need proof line by line. Exactly. And there’s a brutal but useful rule here: a gap you find internally costs you time. A gap your auditor finds can mean a non-conformity and potentially months of delay. That difference — time versus delay with a rating attached — is why gap analysis matters so much. Months of delay. That’s the phrase that sticks. Because people assume the risk is embarrassment, when really the risk is operational drag... services, cash flow, stress, all of it. And here’s the tension point I see all the time: providers think they’re ready because they have documents. But auditors are not checking whether you own a PDF. They’re asking whether your evidence matches practice. 
So the better question is not, “Do we have this policy?” It’s, “Would an auditor believe this is how we really operate?” That “believe” test is uncomfortable. Let me try it back: if your incident policy says staff report immediately, but your incident register shows patchy entries and missing actions, the policy actually hurts you a bit, doesn’t it? Pretty much. Same with participant notes. If your procedure says notes are completed in real time, and your file sample looks retrospective or inconsistent, the mismatch is the story. Auditors notice when the organisation on paper looks cleaner than the organisation in practice. It’s like showing up to inspection with a beautifully laminated menu and no food in the kitchen. That’s exactly it. Pretty document control won’t save weak evidence. And to be fair, this is fixable if you start early enough. A checklist helps because you can assign owners, timeframes, and see compliance progress by department instead of hoping it all magically comes together. So before anyone starts panic-updating folders, the first practical move is brutally honest self-audit. Open the evidence. Match it to the quality indicator. If you can’t find it, that’s a gap. If you can find it but it doesn’t reflect current practice, that’s also a gap. Yes. And current means current. Reviewed dates current. Version numbers current. Legislation references current. Services described current. If a document talks about how your business operated two years ago, that’s not evidence of quality management in 2026. That’s a fossil. Alright, let’s get into the checklist areas that actually trip people up. Because there are a few repeat offenders here, and none of them are mysterious. The big seven are governance, policies and procedures, workforce compliance, participant records and service delivery, incidents and complaints, insurance and business documents, and pricing compliance. 
Different providers will feel pain in different places, but those are the zones where non-conformities keep appearing. Take governance first. That sounds very boardroom, very abstract. What does an auditor actually want to see there? They want to see that the organisation is structured, accountable, and being actively overseen. So: a current organisational chart. A business continuity plan reviewed within the last 12 months and reflecting current operations. A current risk management framework and risk register with risks actually reviewed and treated. A legislative compliance register that reflects current laws and standards for your registration groups. And a quality improvement plan with recent actions and documented outcomes. That “within the last 12 months” on the business continuity plan — that’s one of those dates that can quietly catch people out, right? Because the plan exists, but the review date is stale. Exactly. And stale is visible. Same story with policies and procedures, which is probably the easiest place to lose confidence fast. Complaints, incidents, risk, participant rights, privacy, staff training — all of those need to be current, version-controlled, and aligned with how the business really runs today. And this is where people get a bit overconfident because they’ve got a giant policy library. But if one policy references old Commission guidance, or mentions services you don’t even deliver anymore, that giant library starts looking... not impressive. More like neglected. A big folder of outdated policies is just a big folder of evidence against you. Incomplete or outdated documentation is one of the most common audit failures. That’s why a document control system matters — review dates, version numbers, revision history. Workforce compliance feels even more concrete. This is the area you hear about constantly: screening, checks, training, files. Yep, and it’s one of the most straightforward to get right if you manage it consistently. 
Every worker in a risk-assessed role needs a current NDIS Worker Screening Check. Anyone supporting participants under 18 needs a current Working With Children Check. Relevant staff should have completed the NDIS Worker Orientation Module with certificates saved on file. Infection control and PPE training should be completed and recorded. Position descriptions should match current roles and required qualifications. And worker files should include signed employment agreements, qualification evidence, and induction records. The one I always remember there is the Orientation Module certificate. Such a small file, but if it’s missing across multiple staff, it tells a bigger story about weak file discipline. That’s right. And for 2026, workforce capability is central — staff assignments need to line up with participant needs, skills, and competencies. So it’s not just “is there a person?” It’s “is this the RIGHT person, and can you evidence that?” Which takes us straight into participant files. Because auditors will sample them, remote or onsite, and each file has to tell a coherent story. Exactly. Every active participant should have a current, signed service agreement. Support plans should be individualised, linked to the participant’s goals, and reviewed on time. Consent forms need to be completed, signed, and stored correctly. Shift notes and progress notes should be consistent and written in real time — not backfilled later. And there should be evidence that participant feedback was collected and used to improve services. So if an auditor opens a sampled file and sees a signed agreement from ages ago, a generic support plan, and patchy notes, the problem isn’t just admin. The problem is that the support story doesn’t hold together. Exactly. The file should show what was agreed, what was delivered, what changed, and how the participant’s voice was captured. If that chain breaks, confidence drops fast. 
Then incidents and complaints — and this is one where timeframes matter, not just good intentions. Very much so. Your incident register should include the date, description, response taken, and outcome or corrective action for every entry. Reportable incidents must be notified to the NDIS Commission within required timeframes: two business days for incidents involving death, serious injury, or abuse, and five business days for other reportable incidents. Complaints registers should show acknowledgement, investigation, resolution, and documented outcomes. And your continuous improvement plan should reflect lessons learned from both incidents and complaints. Two business days and five business days — those are the numbers to pin on the wall. Because “we meant to follow up” is not a timeframe. Correct. Then the less glamorous but still critical pieces: insurance and business documents. Public liability insurance current, and the certificate of currency must match the legal entity name EXACTLY. Professional indemnity current and covering all registration groups. Workers compensation current if you employ staff. ABN and business name registration accessible and current. NDIS registration certificate saved and any conditions noted and actioned. “Matches the legal entity name exactly” is one of those tiny admin details that can punch way above its weight. It can. Same with pricing compliance, which gets underestimated all the time. Non-compliance with pricing arrangements is one of the most common issues identified in audits. Providers need to confirm claims were within the NDIS Pricing Arrangements and Price Limits 2025-26, verify invoicing systems were updated with the current pricing catalogue effective from 1 July 2025, and make sure service agreements reflect current pricing where changes affected the participant. So if your software still charges an old rate after 1 July 2025, that’s not just a bookkeeping glitch. That’s a compliance issue. Exactly. 
And that’s why the final move is a mock audit. Work through your evidence register as if you’re the external auditor seeing the business for the first time. Ask a trusted colleague, board member, or external consultant to review the bundle critically — not kindly, critically. The non-conformities they find are the ones you want to fix before audit day. Because the goal isn’t to look ready. It’s to be the kind of provider whose evidence, files, training records, and pricing all say the same thing without you having to talk your way around it. And when that happens, the audit stops feeling like a performance. It just looks like your business on an ordinary Tuesday. That’s the standard. See you next time.