The Complete NDIS Audit Preparation Checklist (2026)

Most NDIS providers don't fail their audit on service delivery. They fail on documentation.

The auditor isn't watching you deliver supports — they're checking whether you can prove you delivered them, in the way you promised, to the standard the NDIS Practice Standards require, across the entire window since your last audit.

The good news: the documentation gaps that drive most non-conformities are predictable, fixable, and the same five issues show up across hundreds of audit reports. This guide walks through the audit landscape, the five most common failure modes, the four areas of the NDIS Practice Standards Core Module that every audit touches, and a 90-day prep timeline that gets you to "audit-ready" without a 3-week scramble.

Two types of NDIS audit — know which applies to you

Before anything else, know what you're up against. The NDIS Quality and Safeguards Commission distinguishes between two main audit types.

Verification audit — for providers delivering lower-risk supports. Document-based remote review. Typically 6–12 hours of auditor work, no site visit. Initial registration is generally approved within 4–6 weeks. Reviews evidence against the Core Module of the NDIS Practice Standards only.

Certification audit — for providers delivering higher-risk or more complex supports (SIL, specialist behaviour support, specialist disability accommodation, high intensity daily personal activities, early childhood supports, specialised support coordination). Comprehensive review including a site visit, staff interviews, and direct observation of how you deliver services. 12–36 hours of auditor work. Initial registration takes 3 months to a year. Reviews against both the Core Module and any relevant Supplementary Modules.

If you're certification-registered, your cycle is also different: you get a mid-term audit at 18 months into your registration period, then a renewal audit at 3 years. Verification providers skip the mid-term and just have initial + renewal.

In addition to these, the Commission can require a condition audit at any time during your registration period, and you may need an out-of-cycle audit if you want to change the supports you're registered to deliver.

The audit type determines your evidence burden. If you've drifted between supports — or your registration mix has expanded since your last audit — confirm with your auditor or the Commission which framework applies to your next review.

The five non-conformities that drive most audit findings

Across audit reports, the same five gaps come up repeatedly. None are about how you deliver services — all five are about whether your documentation can prove it.

1. Outdated policies

Policies and procedures get written before initial registration and then quietly drift out of date. The NDIS Practice Standards update; the Pricing Arrangements update; your services evolve; staff turnover changes the team that owns each policy. Eighteen months later, the auditor pulls your incident management policy and finds it references a framework name that hasn't existed for three years.

Fix: every policy has a named owner, a review date no more than 12 months old, and an audit trail of revisions. The owner reviews and either updates or formally re-confirms within 12 months of the last review date — even a "reviewed, no change required" entry counts as evidence the system is working.

2. Gaps in worker screening records

Every worker who delivers NDIS supports must hold a valid NDIS Worker Screening Check, and every worker must complete the NDIS Worker Orientation Module. The audit doesn't sample — it scans for completeness. One worker without a current Check, one missing Orientation Module record, and you have a finding.

The pattern that catches most providers: a worker's Check expires, they continue working for a few weeks while HR processes the renewal, and that small window shows up in the audit evidence.

Fix: 30-day expiry alerts before any worker certification lapses. No exceptions, no "we'll renew it Monday" — workers come off the roster the day a certification expires until evidence of renewal is on file.

3. Incomplete incident management logs

Incidents happen. Auditors don't penalise that. What they penalise is incomplete records — incidents recorded but not investigated, investigations completed but not closed, closed incidents that didn't capture lessons learned. The Commission expects a closed loop from "incident occurred" to "improvement implemented."

Fix: every incident has six fields filled before close — what happened, who was involved, what was investigated, what was found, what changed as a result, and date of completion. Missing any one of the six = open incident = potential finding.

4. Weak complaints handling evidence

Complaints management is one of the most-watched areas under the Provider Governance and Operational Management standard. Most providers think they handle complaints well in practice; few have the documentation to prove it.

The auditor wants to see a complaints register that captures every complaint (verbal, written, anonymous), the response timeline for each, the outcome, and — where applicable — the participant's confirmation that the matter was resolved.

Fix: complaints register with mandatory fields. Verbal complaints recorded by the staff member who received them, same day. Response within the timeline you've published in your complaints policy (usually 48 hours acknowledgment, 30 days resolution).

5. Static risk registers

A risk register that hasn't changed since initial registration is the single clearest signal to an auditor that risk management isn't really happening. Risk evolves. New participants bring new risks; new services bring new risks; regulatory changes bring new risks. A register frozen at initial registration is documentation theatre.

Fix: quarterly review of the risk register with documented changes. Even if no risks change in a quarter, the documented "reviewed, no change required" entry beats silence.

What the auditor actually checks (the Core Module)

Every NDIS provider is audited against the four areas of the Core Module of the NDIS Practice Standards. The summary version, in the order auditors typically work through them:

Rights and Responsibilities. Are participant rights upheld? Is informed consent obtained and documented? Are complaints managed and resolved? Are participants supported to exercise choice and control over the supports they receive?

Provider Governance and Operational Management. Is there a sound governance structure with documented decision-making? Are risks identified, assessed, and managed across the operation? Is financial management transparent? Is there a continuous improvement system that tracks issues, fixes them, and learns from them?

Provision of Supports. Are supports delivered safely, consistently, and in line with each participant's NDIS plan and goals? Are supports adjusted as participant needs change? Are progress notes complete and timely? Are workers competent and supervised?

Support Provision Environment. Are the physical environments where supports are delivered safe, accessible, and appropriate? This covers participants' homes, your premises, and community settings where you deliver services.

If you deliver complex or high-risk supports, you're also audited against the relevant Supplementary Modules — High Intensity Daily Personal Activities, Specialist Behaviour Support, Implementing Behaviour Support Plans, Early Childhood Supports, Specialised Support Coordination, or Specialist Disability Accommodation. Each has its own evidence requirements specific to the support type.

A 90-day audit prep timeline

The single biggest predictor of a clean audit isn't budget or external consultants — it's the timeline you give yourself.

Day 90 to Day 60. Pull your last self-assessment against the Practice Standards. Map each outcome to the documentation that supports it. Identify gaps. Assign each gap to a named owner with a deadline before Day 30.

Day 60 to Day 30. Close gaps. Update policies. Reconcile worker certifications against the roster. Run a sample audit on your own incident records — pull 10 random incidents from the last 12 months and check each one is complete by the six-field test. Run a sample audit on progress notes — pull 20 random shifts from the last 6 months and check each has a same-day note. Whatever you find, fix.

Day 30 to Day 7. Internal dry run. Walk through each Practice Standard outcome as if you were the auditor. For each, can you produce the evidence in under 5 minutes? If no, the evidence isn't really where you think it is.

Day 7 to Day 0. Stop changing anything. Brief the team. Make sure everyone knows what the audit covers, who's interviewing whom, and what their role is on the day.

If you're reading this with less than 30 days to your audit, you've still got time — but the priority order shifts. Focus on the top five non-conformities first; they're where most audits go sideways.

Get the full checklist

The above is the structure. The complete NDIS Audit Preparation Checklist — broken down outcome-by-outcome across the Core Module and each Supplementary Module, with specific evidence requirements, common gap patterns, and a 15-question self-assessment scoring sheet — is available as a free downloadable PDF.

Download the NDIS Audit Preparation Checklist (PDF) — 7 pages, free, founder-led email list. Single-click unsubscribe at any time. No nurture sequence, no sales follow-up.

If you'd rather have the workflow run inside your software — same-day notes enforced, worker certifications tracked with expiry alerts, audit pack export by Practice Standard, incident closure rules baked in — try Tendaroo free for 30 days. No credit card, no demo call.