Preparing for Your NDIS Audit: Evidence, Documents, and Readiness

Lesson 09 of 9

NDIS Audit Prep: Scope, Timing, and Stage 2

From NDIS Audits

Overview

This episode breaks down why NDIS audit preparation begins with the Initial Scope of Audit, how that scope determines verification or certification, and why choosing an approved auditor early can make or break your timeline. It also explains what auditors check in Stage 1 and Stage 2, including evidence, sampling, onsite assessments, and participant consent.

Full transcript

Welcome to the show -- and Winter, the part that catches people out is this: the NDIS audit starts BEFORE any auditor shows up, before any site visit, before any report. It really starts when you submit your application through the NDIS Commission's Applications Portal and the Commission sends back your Initial Scope of Audit.

That phrase -- Initial Scope of Audit -- sounds dry, but it's doing a LOT of work, yeah? Because that's not just admin. That's the document that tells you whether you're on verification or certification, which registration groups are being assessed, and which practice standards or modules are in play.

Exactly. Keep that document safe. I mean it. It's the foundation document for everything that follows in 2026. If you're a low-risk, lower-complexity provider, the scope will usually point you toward verification. If you're delivering higher-risk supports and services, that's generally certification. And that difference changes the shape, cost, and timing of the whole process.

So let me say it back and you tell me if I've got it wrong. The Initial Scope of Audit is basically your audit map. Not the audit itself -- the map. It tells you which road you're on, what gets checked, and who you need to engage next.

That's a good way to put it. And the next move is choosing an approved quality auditor from the Commission's current list. There's no fee to register with the NDIS Commission itself, but there IS a cost for the auditor. And that cost can vary a fair bit depending on your size, your scope, and how many participants you support.

That pricing piece matters. The range people remember is usually the audit itself later -- around $900 to $1,800 for verification, and roughly $3,000 to $12,000 or more for certification. But the pressure point starts earlier, doesn't it? Because if approved auditors are busy, your timeline blows out before you've even uploaded a policy.

Yep.
Auditor availability is a genuine bottleneck, especially when application volumes spike. So providers should get quotes from multiple approved quality auditors and do it EARLY. Once you sign a service agreement, the auditor confirms your scope -- your registration groups, your participants, your workers, your sites -- and then builds the audit plan you'll work to.

And this is where I think people slip into wishful thinking. They think, I'll submit the application now, sort the auditor later, no worries. But "later" can mean weeks of waiting, and those weeks aren't neutral. They're delay stacked on delay.

Right, and the irony is the real audit work hasn't even started yet. You're still in setup. But setup decides whether the rest feels orderly or chaotic. If your scope is clear, your auditor is engaged early, and your audit plan is locked in, then Stage 1 feels manageable. If not, you end up scrambling for documents while waiting on dates.

I think that's the first useful reframe for providers: stop imagining the audit as one big inspection day. It's more like a relay. The Commission hands you the Initial Scope of Audit, then you hand that to an approved quality auditor, and if that first handoff is messy, the baton's already on the floor.

Alright, let's make the verification-versus-certification split really plain. Verification is the lighter pathway for lower-risk supports. It's a remote desktop audit. For verification providers, Stage 1 document review is basically the whole thing. No separate onsite Stage 2. Certification is the heavier pathway for higher-risk services, and it has two parts: Stage 1 document review, then Stage 2 onsite assessment.

And that Stage 1 review is remote for both pathways, which surprises some people. For verification, auditors are checking that systems are in place to meet the Verification Module. It happens every three years. Providers typically answer around FOUR questions in the self-assessment.
Certification providers, by contrast, might be dealing with 22 or more, plus broader evidence against the NDIS Practice Standards.

Four versus 22 is not a tiny difference. That's not "slightly more paperwork." That's a totally different level of preparation. And the advice in the source material is refreshingly practical: keep responses concise, around 300 words each, then back them up with actual evidence.

Yep. Concise matters. Auditors don't want padded essays. For certification, Stage 1 is really a readiness check -- policies, procedures, staff qualifications, worker screening checks, templates, forms, how your management system looks on paper. Usually there's also a brief online meeting so the auditor can understand your organisation and the services you're planning to deliver.

And at the end of that first stage, certification providers get a Stage 1 report. Not a final verdict -- more like a list of areas the auditor wants to probe in Stage 2. That's the part I think people underestimate. If something looks weak on paper in Stage 1, it doesn't disappear. It follows you into the onsite assessment.

Exactly -- and the clock starts. Stage 2 should take place within THREE months of Stage 1 being completed. That three-month window is a critical timing requirement. Miss it, and you can trigger delays and complications that are totally avoidable.

Three months. That's the number I'd write on a whiteboard in massive letters. Because Stage 2 isn't just a polite chat over coffee. It can run around four hours, or multiple days if the organisation is larger or more complex. The auditor's looking at how the standards actually show up in day-to-day operations.

That's where they ask practical questions: how do you onboard participants, how do you manage risks and incidents, how do you get informed consent, how do you uphold participant rights. They'll interview key personnel, workers, and participants. They'll review participant files and worker files.
And the onsite piece can cover head office, SIL sites, SDA sites, and other office locations.

The sampling bit is another one that catches people off guard. When you said workers, participants, and sites -- that's not random in the casual sense. The auditor determines sample numbers using a formula. So if a provider thinks, oh, they'll just glance at one file and move on... no. The sampling is part of the method.

And then there's participant engagement, which is a big surprise for new providers. Participants are directly involved in certification audits. Providers need to let participants know they're automatically enrolled in the audit unless they opt out. If someone doesn't want to participate, that needs to be documented.

That "automatically enrolled unless they opt out" phrase is the one people remember. And there's a process around it. The auditor asks for a de-identified client list, selects the clients they want to interview during the onsite assessment, and the provider must obtain consent from those clients before the onsite visit and give that consent to the audit team.

Which means participant interviews are not an optional extra. They're a genuine component of Stage 2. So providers should prepare participants appropriately -- not coach them, obviously, but make sure they understand what the audit is, what they'll be asked, and that they absolutely have the right to opt out.

Can we talk ratings for a second? Because people hear "passed" or "failed," but the report is more granular than that. There are four possible scores against each practice standard or quality indicator: best practice, conformity, minor non-conformity, and major non-conformity.

That's right. Best practice means the provider can clearly demonstrate conformity with best practice -- innovative, responsive service delivery, backed by continuous improvement. Conformity means requirements have been met. Minor non-conformity means partially met. Major non-conformity means not met.
And the timing matters here too: the audit report goes to the Commission up to 14 days after a verification audit, and up to 28 days after a certification audit.

The five calendar day deadline is the one I'd underline. If there's a MAJOR non-conformity, the auditors require a Corrective Action Plan, and if you miss that five-day deadline to submit it, you can create expensive delays for your registration. Five days is not "I'll get to it next week."

And if it's a major non-conformity, you've got three months to fix the issue before registration can progress. With a minor non-conformity, there's more flexibility and the registration process can continue. But either way, corrective actions aren't cosmetic. The auditor and the Commission want evidence that the problem is actually being addressed.

Which brings us to the deeper test underneath all of this. Auditors are not looking for a perfect organisation. They're looking for genuine systems that WORK. Policies can't just be off-the-shelf, high-level documents someone bought online and never really integrated. They need to be tailored to your business -- who does what, how reporting works, what records are kept, when reviews happen.

And not just tailored -- implemented and understood. Your documents have to show that you understand the standards, that you actually use those processes on the ground, and that staff and participants know the policies that apply to them. That's the through-line from the Initial Scope of Audit all the way to the three-year cycle, including the 18-month midterm audit for certified providers.

Yeah. In the end, the question isn't "Can you produce a nice folder for audit day?" It's "Can you prove this business is run in a way that participants, workers, and the Commission can trust?" If the answer's yes, the audit feels like evidence. If the answer's no... the paperwork won't save you.