The NDIS Audit Process: A Step-By-Step Guide for Providers

Operating an NDIS organisation is a great responsibility governed by regulation through registration, policies and procedures, and the audit process.

Although registration and policies present their own challenges, certainly one of the biggest unknowns as an NDIS provider is the audit process…

We hear so many questions on this topic:

  • What is an NDIS audit?
  • Do we really have to take it?
  • What types of audits are there?
  • How much do they cost?
  • What if we fail an audit?

… and so on.

Clearly, there’s a lot of confusion around the NDIS audit process so it’s time to shed some light on the matter and ensure that you’re ready to push forward with your business.

Safeguards Fundamentals: What is an NDIS Audit?

Due to the NDIS’s focus on delivering high-quality, reliable, and fair services to all Australians with special needs, the NDIA constantly monitors how service providers perform.

Not only that… 

It also sets some ground rules.

These are the so-called NDIS Practice Standards: a set of policies that all NDIS care providers must implement in their operations and render effective as soon as possible.

It’s important to understand these as they lay the foundations for the NDIS audit process. Everything revolves around the terms set forth by the Quality and Safeguards Commission.

Based on these terms, independent auditors chosen by the NDIA are then asked to review each provider’s policies and see if they are implemented in the correct way.

In layman’s terms, an audit is a “test” mandated by the NDIS Commission and executed by private organizations to ensure that all providers meet basic quality standards.

Yes, they are mandatory for all NDIS care providers.

And yes, you cannot escape them.

As you’ll see in the upcoming sections, that is not as bad of a thing as it sounds. The process may be strict in some areas but there are plenty of good reasons for it…

How the NDIS Audit Process Works

In this section, you’ll get answers to all the burning questions you have about the NDIS process, but we also think it’s important that you understand what each step looks like.

By gaining a complete understanding, you’ll spend less time scrambling for the right documentation and invest it back where it matters—delivering great care services. 

So, where does the process start?

Step 1: Getting Registered

There’s no auditing required if you’re not registered with the NDIS. This should come as an obvious reminder but the line between unregistered and registered is often thin.

When you register with the NDIS, you are given the notice to undertake a mandatory audit within 12 to 18 months. This isn’t nearly enough time for most NDIS care providers.

Depending on your experience level, organization size, and supports offered, you may want to start collecting the necessary paperwork before you actually register.


Because audits start from the very beginning!

When you first register with the NDIS, you are asked to complete a self-assessment against the NDIS Practice Standards as well as a “Scope of Audit” document.

You then send this out to auditors who will inspect it for inaccuracies. So, it’s important that you think about your policies and procedures slightly into the future.

Step 2: Understanding Policies & Procedures

The most important thing in the process is for you (and all stakeholders) to understand the policies and procedures behind the NDIS and why you need them in the first place.

This is the second question that gets thrown around after providers realize they have to undertake an audit. It’s natural to feel overwhelmed sometimes, but making the commitment to ensure that your services are always fair and of high quality is of utmost importance.

In other words, you have to take an audit because it ensures that the quality of your services matches the nationwide commitment proposed by the NDIA towards people with special needs.

Think about it as a way to improve your services rather than being scrutinized. In most cases, you’ll already have a solid foundation in helping people with disabilities. 

Procedures make this quality foundation a recurring process, allowing you to provide high-quality services at scale without breaking a sweat.

NOTE: The outcomes of policy implementations expected by auditors are shown in the NDIS Practice Standards. Always keep this document as a reference to test your policies.

Step 3: Differences Between Verification & Certification

Another recurring question is which type of audit a provider should ask for based on what they offer. This is a tricky question due to the vast nature of the NDIS.

There are, however, two specific types of audits:

  1. The verification audit (low-risk supports), and;
  2. The certification audit (higher risk supports).

Since this is an extremely important distinction, we’ll separate the two audits and go more in-depth about which is more relevant to you specifically.

The Verification Audit

A “verification” audit is required for sole proprietors or smaller organizations delivering low-risk supports to NDIS participants. These audits must be performed every 3 years.

Since they assume lower risk, verification audits are done off-site and they are generally less expensive than certification audits (which require multiple stages of assessment).

From initial inquiry to reporting and decision, an auditing body will go through a few steps to ensure that all correct documentation is in place to verify your operation:

  1. You, the provider, should initiate the first inquiry by using the Scope of Audit document previously discussed and choosing an auditor that fits your needs;
  2. Once you’ve gathered a few quotes, you can go ahead and sign the proposal which suits your situation best. This will kick off the “audit planning” phase where you will discuss all the details of your verification audit with the certification body;
  3. With the custom details on hand, you are ready to gather up all your documentation and send it over to the auditor, who will review it directly from your NDIS portal;
  4. The auditor will go ahead and run a so-called “desktop audit” (an off-site assessment) by checking your documentation and running through various requirements: incident management, complaints management, risk management, safety policies, and other operational requirements based on your state, size of organization, scope of work, and delivery of supports;
  5. A report is prepared to highlight all the aspects of your audit and how you can go about improving your policies and procedures in case of non-conformity, and;
  6. The certification body takes a decision on verification. You will get verified in case you are given a rating of “Conformity” or higher (see Step 5).

All steps must be covered to ensure a smooth NDIS audit process. For more information, check out this handy verification guidebook offered for free by the BSI auditor.

The Certification Audit

A “certification” audit is a more thorough, on-site assessment that develops in multiple stages instead of a few steps like the verification audit and can take months to complete.

The two core stages are usually the following:

  1. Document review: Auditors go through your documentation in a process similar to the one explained for the verification audit. Any failure or areas of concern are then reported at the end so that you can start working on them before stage 2.
  2. On-site assessment: Unlike the verification audit, NDIS providers offering high-risk supports must undertake an on-site assessment where the auditors will examine the environment of service delivery as well as potential policy failures.

On top of this, certification bodies will also interview both team members and clients to get a full, unbiased picture of how the organization performs and where it falls short.

At the end of stage 2 (including all interviews), you will receive a report similar to the verification audit. For more information, here’s a certification guidebook from BSI.

Step 4: Costs & Auditing Bodies

“Ok, so how much does it cost to undertake an audit?” This is the most dreaded question asked by providers, and the answer isn’t always a walk in the park either.

Audits can range anywhere from $500 to $10K+ depending on the organization’s size, scope, and supports. Verification audits are usually cheaper as they are handled remotely.

There’s one thing you have to remember in particular…

Audits are undertaken by private companies!

This means that you’ll receive wildly different quotes from various vendors for the same scope of work (the NDIA mandates the same auditing requirements for all auditors).

It’s crucial that, out of the 15+ auditors available, you ask for 3 to 5 quotes—not just one. This way, you can compare the offers and understand what the landscape looks like.

As audit prices aren’t strictly controlled by the NDIS Commission, you’ll want to do some research beforehand and get the best quote by:

  • Researching the auditors that cater to your needs
  • Looking into and understanding their application process
  • Filling out the right options (sole trader vs. organization for example)
  • Estimating the right number of participants you’ll serve (this is huge!)
  • Partnering with other providers in your area to understand their experience
  • Including the supports you plan to offer (on top of existing ones)
  • Declaring the right number of staff internally
  • Sending out up to five requests

You should take this opportunity to figure out the ins-and-outs of how the NDIS is evolving across Australia. As a developing scheme, things can change quite often.

As you build up the insights necessary, you’ll have a much better understanding of the auditing landscape and how you can benefit from the auditors’ expertise.

Step 5: How Do You “Pass” an Audit?

There is no “passing” an audit. Instead, auditors work with so-called major or minor “non-conformities” based on a number of factors:

  • Self-assessment completed in the NDIS portal
  • Findings based on documentation offered by the provider
  • Compliance with the NDIS Practice Standards
  • Clear identification of the registration classes
  • Any additional requirements for your case

In case of verification audits, and with the right amount of information in their hands, auditors can then proceed to stage 2 of their operation which is the on-site inspection.

These factors contribute to a rating from 0 to 3: the latter being “BEST PRACTICES IMPLEMENTED” and the former being “REQUIRES URGENT WORK”.

For each rating, here’s the outcome:

  1. A rating of 0 (major non-conformities) means the provider isn’t able to demonstrate appropriate preparation, quality assurance, or implementation of policies and procedures and is, therefore, precluded from a recommendation for either verification or certification.
  2. A rating of 1 (minor non-conformities) means the provider has evidence of correct policy and procedure implementation without the appropriate documentation to back them up. This usually requires non-urgent but still important corrective action.
  3. A rating of 2 (conformity) means the provider can clearly provide evidence of proper policy implementation and documentation based on the factors previously discussed, allowing for recommendation to either verification or certification.
  4. A rating of 3 (conformity with elements of best practice) means the provider is going above and beyond by not only providing the minimum requirements but also implementing innovations for swift, appropriate service delivery.

You could say that ratings 2 and 3 are a “pass” but that’s not the correct way to look at it. The only time you face deregistration is if you keep ignoring major non-conformities.

Tips for a Successful NDIS Audit

There are a few pointers you can leverage to ensure a successful NDIS audit. Some require practical knowledge of your documentation whereas others are more experiential. To make the best out of your audit:

» Be hungry for knowledge and best practices

As a busy care provider, it’s easy to fall into the trap of thinking that there’s no time or space for best practices. In reality, embedding a culture of continuous education and training throughout your organization is a more forward-thinking approach.

» Keep important documentation always at hand

You should always keep a copy of the NDIS Practice Standards at hand to review every time you go through a specific process, policy, or procedure. This way, you’ll be able to compare your services to the expected outcomes and self-assess.

» Don’t keep clients out of the loop

Your clients are as much a stakeholder as any team member in your organization. Don’t keep them out of the loop… Communicate changes to your processes with them and help them understand why you’re taking a certain direction with your services.

» Make a commitment

In different ways, all companies are making a commitment to serve their clients for the better. In this case, it’s important that you commit to preparing for your audit ASAP, even as you register with the NDIS. Be proactive in looking for solutions at each step.

» Partner up

When you don’t know where to find the right information, form close partnerships with those who do. You don’t have to go at it alone: there are plenty of local NDIS providers who’ve been there before and who’d love to lend a hand. Ask away and partner up!

As a participant, who would you rather work with: a provider with a track record for consistent quality of service, or a provider that looks unorganized and “too busy”?

Keep that question in mind every time a new prospect approaches you.

Consistent Quality = Happy Participants

The ultimate goal of an NDIS audit is to help providers offer a quality experience for participants on a consistent basis.

That’s why they’re called “procedures”!

Step-by-step, all NDIS providers (large and small) can provide services that are at the bleeding edge of best practices, leading their niche and teaching others.

The three things you need to get there?

Policies, procedures, and audits.

Keep a backlog of all the improvements you’ve made and see where you land in a year’s time. You’ll be happy to realize that policies make you less “busy” and more “proactive”.

That’s what participants (and auditors) want.

Originally published Oct 1, 2020

Frequently Asked Questions

What is an NDIS audit?

An NDIS audit is a “test” mandated by the NDIS Quality and Safeguards Commission to ensure that the supports offered by providers are provably high-quality and fair. Whenever you register with the NDIS, you are given a time interval of around 12 to 16 months to prepare and implement all the necessary policies and procedures requested. Audits are undertaken by private companies that have close ties with the NDIA.

Is the NDIS audit process mandatory?

Yes, it is. Failure to comply with NDIS audits usually ends in: 1) deregistration from the NDIS, and; 2) loss of business and client funding related to your organization. It’s important that you keep a copy of the NDIS Practice Standards around at all times to better understand how the quality safeguards apply to your organization. You should also work with a quality-first mindset, ensuring that all standards are met daily.

How much does an NDIS audit cost?

There are two types of audits depending on the supports that you offer: 1) verification audits for low-risk supports, and; 2) certification audits for high-risk supports. The former starts at around $500 and can go up to $3/4K whereas the latter starts at around $3K and can go up to $8/10K depending on your organization’s size and structure. You should request quotes from different auditors as they can vary greatly.

What are the requirements to pass the NDIS audit process?

There is no “passing” or “failing” an audit. These checks must be booked every so often, either from a remote location or in-house, to ensure that your operation is running correctly against NDIS requirements. If you have trouble meeting all the requirements and auditors notice this, you will receive so-called “non-conformity” notifications that have to be addressed in a certain time frame depending on the urgency of the matter.