Two of Australia’s largest NDIS approved quality auditors have left the market in 2026. QIP departed on 30 April. Citation Certification concluded all NDIS auditing on 30 June. At the same time, thousands of SIL providers are entering the registration system for the first time, all needing certification audits.
The result: fewer auditors, more demand, longer wait times. If your NDIS audit preparation isn’t already underway, the window to secure an auditor and get ready is tighter than it’s been in years.
Here’s what you need to know about the current audit environment, the five non-conformities that trip up providers most often and what you can do to avoid them.
Certification vs Verification: Which One Applies to You
Not every provider goes through the same audit. Your pathway depends on the supports you deliver.
A verification audit is document-based with no site visit. It covers the NDIS Practice Standards Core Module and applies to providers delivering lower-risk supports like assistance with daily life tasks or community participation. Auditors review your policies, procedures, insurance certificates, worker screening records and key operational documents.
A certification audit is more intensive. It includes a site visit, staff interviews and observation of service delivery in action. It covers both the Core Module and relevant Supplementary Modules. Certification applies to providers delivering higher-risk supports including SIL, Specialist Disability Accommodation, behaviour support, early childhood supports, specialist support coordination and high-intensity daily personal activities.
Certification audits run in two stages. Stage 1 is a desktop review of your documentation. Stage 2 is on-site, where auditors assess how your policies translate into practice. A mid-term review happens at 18 months, and the full audit cycle repeats every three years.
If you’re a SIL provider registering for the first time under the mandatory registration requirement from 1 July 2026, you’re on the certification pathway. That means both stages, plus the new SIL Practice Standards module.
The Auditor Shortage Is Real
With QIP and Citation Certification out of the market, the pool of approved quality auditors has shrunk at the worst possible time. Active auditors now include BSI Group ANZ, DNV, Global-Mark, SAI Global, HDAA, Platinum Certification, Quantum Certification Services, Certifii and several smaller firms.
Meanwhile, demand is surging. Every unregistered SIL provider that applies for registration by 1 October 2026 needs a certification audit. Providers already registered are hitting their three-year renewal cycles. And mid-term reviews continue to run on schedule.
The practical impact: if you haven’t booked your auditor yet, do it now. Wait times are stretching and will get worse through the second half of 2026.
The Five Non-Conformities That Catch Providers Every Time
Auditors see the same problems again and again. Here are the five most common non-conformities and how to avoid them.
1. Outdated policies.
Your policies need to reflect your current operations, not what you planned when you first registered. If your incident management policy references a process your team stopped following two years ago, that’s a non-conformity. Review every policy annually at minimum and update the version control register to show when each document was last reviewed.
2. Gaps in worker screening records.
Every worker in a risk-assessed role needs a current NDIS Worker Screening Check. The first wave of five-year clearances started expiring in February 2026. If you haven’t audited your team’s screening status recently, do it before your audit date. Set automated renewal reminders at 90, 60 and 30 days before expiry. A platform like FlowLogic can track every credential and flag upcoming expiries so nothing slips through.
3. Incomplete incident management logs.
It’s not enough to report incidents. Auditors want to see that you recorded them consistently, responded appropriately, followed up and used the findings to improve your services. If your incident register has gaps, missing follow-up actions or no evidence of pattern analysis, that’s a red flag. Every incident should have a clear record of what happened, what you did about it and what changed as a result.
4. Weak complaints handling evidence.
The NDIS Practice Standards require a complaints management system that is accessible, responsive and documented. Auditors look for evidence that complaints are logged, investigated, resolved and communicated back to the complainant. If your complaints data lives in email threads or a single staff member’s notebook, you’ll struggle to demonstrate compliance.
5. Static risk registers.
A risk register that hasn’t been updated since your last audit is a common and avoidable non-conformity. Your register should be a living document, reviewed quarterly at minimum, with new risks added as they emerge and existing risks re-assessed based on your operational experience.
If you receive a major non-conformity (a zero rating) in any area, you have three months to fix the issue. Your registration won’t progress until the non-conformity is resolved and the auditor is satisfied.
How to Prepare: A Practical Checklist
Book your auditor now.
Contact an auditor from the NDIS Commission’s approved list and lock in your dates. Don’t wait for your renewal notice.
Run a self-assessment against the Practice Standards.
Go through each standard in the Core Module (and your relevant Supplementary Modules) and honestly assess where you sit. Document the gaps.
Consider a mock audit.
Many compliance consultants offer practice audits 3 to 6 months before the real one. The findings give you a focused list of gaps to close and reduce staff anxiety on the day.
Get your evidence in order.
Auditors don’t just want to see documents. They want to see that your team knows the documents exist, understands them and follows them in practice. Run a quick staff survey or spot-check to see whether your frontline workers can describe your incident reporting process or complaints procedure without prompting.
Centralise everything.
If your policies, screening records, incident logs and complaints data sit in different systems, pulling together audit evidence becomes a scramble. Having everything in one platform means you can produce what an auditor asks for in minutes, not days.
For more practical guides on staying audit-ready, the FlowLogic blog covers compliance, workforce and operations topics regularly.
Frequently Asked Questions
What is the difference between a certification and verification audit?
Verification is document-based with no site visit, covering the Core Module for lower-risk supports. Certification includes a site visit, staff interviews and covers both Core and Supplementary Modules for higher-risk supports like SIL and behaviour support.
How often do NDIS audits happen?
Certification audits run on a three-year cycle with a mid-term review at 18 months. Verification audits also follow a three-year cycle.
Which NDIS auditors have left the market in 2026?
QIP departed on 30 April 2026 and Citation Certification concluded all NDIS auditing on 30 June 2026. Providers previously using these auditors need to engage a new approved quality auditor.
What happens if I get a major non-conformity?
You have three months to fix the issue. Your registration will not progress until the non-conformity is resolved and the auditor confirms it has been addressed.
What are the most common NDIS audit failures?
The five most common non-conformities are outdated policies, gaps in worker screening records, incomplete incident management logs, weak complaints handling evidence and static risk registers.
Do SIL providers registering for the first time need a certification audit?
Yes. SIL is classified as a higher-risk support, so all SIL providers must complete a certification audit. The new SIL Practice Standards module applies from 1 July 2026.