The 2023 NDIS Review changed everything. Disability providers across Australia must now register with the NDIS to remove poor-quality and unsafe supports from the market. Your audit pathway depends entirely on what you do. Verification audits suit lower-risk services while certification audits apply to more complex supports. Certified providers face mid-term audits around 18 months into their three-year registration cycle, and everyone needs to renew their registration every three years.

Compliance with the NDIS Practice Standards isn’t negotiable. It’s the foundation of quality participant support. Miss the mark on non-conformities, and you’ll have just five calendar days to submit a Corrective Action Plan to the NDIS Commission. That’s why proper preparation makes the difference between smooth sailing and costly complications.

This step-by-step guide breaks down exactly how to master the NDIS audit process, meet every requirement, and maintain your registration without the headaches most providers experience.

Step 1: Understand the NDIS Audit Process

Think of NDIS audits as quality checkpoints that determine whether you can deliver services to participants. Get this foundation right, and everything else becomes significantly easier.

What is the NDIS audit, and why does it matter

NDIS audits are formal assessments where independent auditors evaluate your service delivery against established quality standards. These auditors examine your work practices, compliance with NDIS rules, record-keeping systems, and most importantly. How participants experience your support.

The audit team operates completely independently from both your organisation and the NDIS Commission. Expect them to visit your premises, scrutinise documentation, observe your day-to-day operations, and conduct interviews with staff and participants.

Why does this matter for your business? These evaluations directly protect participant rights and safety. Successfully pass your audit, and you unlock the ability to:

• Deliver services to NDIA-managed participants
• Build a solid reputation for quality and compliance
• Avoid devastating consequences like service restrictions or complete deregistration

The NDIS Commission makes registration decisions based entirely on your audit results. Approval, rejection, or delays all hinge on how well you perform.

Types of audits: verification vs certification

Your audit pathway depends on the risk level of support you provide. The NDIS Commission makes this determination for you:

Verification Audits suit providers delivering lower-risk supports like plan management, therapy services, or early intervention. Many verification providers already meet requirements through professional bodies like AHPRA. This streamlined approach includes:

• Desktop evidence review only (no site visits)
• Assessment against the four verification module outcomes
• Completion timeframes are measured in weeks rather than months

Certification Audits apply to higher-risk supports, including personal care, community nursing, or Supported Independent Living (SIL).

This comprehensive process involves:

• Stage 1: Document review and systems assessment
• Stage 2: On-site inspection with staff and participant interviews
• Assessment against core modules plus applicable supplementary modules

Critical timing requirement: certification audits must be completed within three months of finishing Stage 1.

How the NDIS Practice Standards apply

The NDIS Practice Standards set quality benchmarks for registered providers while informing participants about the service expectations they should receive.

Standards are organised into specific modules:

• Core module for all higher-risk support providers
• Supplementary modules based on your specific support types
• Verification module for lower-risk support providers

Each module contains outcomes (participant-focused goals) and quality indicators that auditors use for assessment.

Your organisation receives ratings for each standard:

• 3 – conforms with elements of best practice
• 2 – conforms with NDIS Practice Standards
• 1 – minor non-conformity
• 0 – major non-conformity

Major non-conformities require resolution within three months before registration can proceed. Evidence requirements scale proportionally with your organisation’s size and support scope.

Step 2: Register and Prepare for Audit

Registration kicks off your audit journey properly. Get this foundation right, and the rest of the process becomes significantly more manageable.

Create a PRODA account and start your application

Your Provider Digital Access (PRODA) account is your gateway to the NDIS Commission portal. This secure system handles all your registration communications, so setting it up correctly matters.

What you’ll need to get started:

• Personal details (full name, date of birth, email address)
• Three different Australian identity documents with matching names
• Organisational information, including corporate structure and governance details
• Contact information for all key personnel

Once your PRODA account is active, you’ll receive a unique Registration Authority (RA) number. This number identifies your account throughout the process. Important note: Your PRODA account belongs exclusively to you. Never share login details with anyone, regardless of employment changes.

The clock starts ticking once you begin your application. You’ll have 60 days to complete all requirements, and accuracy is non-negotiable. False or misleading information will result in application rejection, so double-check every detail before submitting.

Complete the self-assessment accurately

Think of your self-assessment as the roadmap for your auditor. This document guides them through your organisation and demonstrates how you meet NDIS Practice Standards.

Your responses need to cover five key areas:

• How you meet each outcome and its specific indicators
• Which policies and procedures support your compliance
• How staff understand their compliance responsibilities
• Your monitoring systems for ongoing compliance
• Any gaps you’re working to address

Before starting your self-assessment, develop comprehensive policies aligned with the NDIS Practice Standards. Your responses should directly reference these documents. Auditors will check that your actual practices match what you’ve claimed.

The workload varies significantly between audit types. Verification providers typically answer around 4 questions, while certification providers may tackle 22 or more. Keep responses concise (around 300 words each) and upload supporting documents as evidence.

Select your registration groups carefully

Registration groups determine everything: your audit pathway, requirements, and ongoing obligations. Choose wisely because these decisions shape your entire compliance journey.

Start by honestly assessing your organisation’s capacity against participant needs. Only select registration groups you can confidently deliver. Here’s the key consideration: if your application mixes verification and certification groups, you’ll complete the more rigorous certification audit process.

Quick reference for common registration groups:

• Accommodation assistance and assistive products → typically verification audits
• High-intensity daily personal activities and specialist positive behaviour support → certification audits required

Review the complete registration group list on the NDIS Commission website to confirm which audit type applies to each service category. This preparation step prevents costly surprises later in the process.

Smart preparation at this stage, accurate self-assessment, strategic registration group selection, and thorough documentation create the foundation for audit success.

Step 3: Choose Your Audit Pathway and Auditor

Your registration application has been submitted. The next step determines everything about your audit experience, from timeline to cost.

How to determine your audit type

Your registration groups make this decision for you. The NDIS Commission looks at the supports you’ve selected and assigns the appropriate pathway based on risk level:

Verification audits suit providers delivering lower-risk supports and services. Think plan management, therapy services, or early intervention. Many providers in this category already meet requirements through professional bodies like AHPRA. The process is straightforward with a desktop review of your documentation against Verification Module requirements. No site visits required.

Certification audits apply when you’re offering higher-risk or complex support. Personal care, community nursing, or Supported Independent Living (SIL) all fall into this category. This path involves both the Core Module assessment plus any relevant Supplementary Modules from the NDIS Practice Standards.

Mix low and high-risk supports in your application? You’ll face the full certification audit regardless. Your scope of audit document, generated automatically after submitting your self-assessment, spells out exactly which pathway you’re on.

Finding and engaging an Approved Quality Auditor

Only Approved Quality Auditors (AQAs) can determine whether you meet NDIS Practice Standards. These independent bodies hold accreditation from the Joint Accreditation Scheme of Australia and New Zealand (JAS-ANZ) and NDIS Commission approval.

Smart auditor selection considers several factors:

• Experience with your specific service types
• Availability that matches your required timeframes
• Auditor location (local Australian teams vs interstate)
• Responsiveness during the quoting process
• Transparent fee structures with no hidden costs

AQAs won’t quote without your scope of audit document. It defines exactly what they’re assessing. Request quotes from multiple auditors once you receive this document.

The auditor’s communication style during initial contact often predicts how the entire relationship will unfold. Choose someone who understands your service model and aligns with your organisation’s values.

Understanding the scope of the audit

Your scope of audit document serves as the blueprint for everything that follows. Generated automatically by the NDIS Commission, it specifies:

• Required audit type (verification or certification)
• Your selected registration groups
• Organisational details and service locations
• Modules and standards requiring assessment

Once you’ve selected an auditor, they’ll review this document with you to confirm accuracy. Auditors need your written permission before making any portal changes to your application.

For certification audits, the scope governs both stages. Stage 1 covers documentation and systems review, while Stage 2 must occur within three months and includes on-site visits, service delivery observation, plus staff and participant interviews.

Maintain open dialogue with your auditor throughout this process. They can clarify requirements and explain how the scope translates into specific evidence needs for your organisation’s size and service complexity.

Step 4: Get Your Documents and Team Ready

Your documentation and staff preparation determine whether your audit runs smoothly or becomes a costly nightmare. Both verification and certification audits require organised records and properly trained teams.

Policies and procedures to have in place

Smart providers review their policies against the NDIS Practice Standards before submitting their registration application. Here’s your essential preparation checklist:

• Know which NDIS Practice Standards apply to your services
• Review every policy document against these requirements
• Create an action plan for any gaps you discover
• Prepare your self-assessment with solid supporting documentation
• Ensure specialised support policies meet clinical requirements

Stage 1 audits focus on your self-assessment responses and the policies backing them up. Stage 2 is where auditors see if you actually follow what you’ve written down.

Training and qualifications of staff

Your team’s readiness directly affects your audit results. Poor preparation here costs money and delays registration.

Start with these fundamentals:

• Train your team on relevant NDIS Practice Standards
• Make sure everyone understands what happens during the audit
• Keep detailed records of qualifications and training for all staff
• Check that qualifications match your registration group requirements

Different registration groups demand different qualifications. High-intensity daily activities need registered or enrolled nurses or staff trained by clinicians with documented evidence. Specialist disability accommodation doesn’t set minimum qualifications, but you must prove your team has suitable experience.

Plan management services require something specific: a complete list of all workers plus certified copies of their qualifications and professional memberships.

Managing document access and confidentiality

How you handle sensitive information shows auditors your commitment to participant privacy and professional standards.

Consider your options for providing auditor access:

• Limited system access with temporary permissions
• Secure email sharing for specific documents
• Cloud-based folders with controlled access
• Clear version control so current policies stay current

Australian privacy laws aren’t optional, as you must comply with the Privacy Act 1988 and relevant health records legislation. That means secure storage, restricted access to authorised staff only, and clear communication with participants about information use.

Participant records need special attention. Support plans, progress notes, consent forms, and service agreements prove you’re delivering person-centred supports that meet Practice Standards requirements.

Step 5: Complete the Audit and Respond to Results

Your preparation work pays off here. The actual audit process and responding to results require a clear understanding of what happens next and how to handle findings properly.

What happens during Stage One and Stage Two audits

Stage One focuses entirely on your documentation. Auditors work remotely, examining your self-assessment responses and attached policies to gauge your readiness. They often request additional documents beyond what you’ve uploaded to the NDIS Commission portal when assessing Practice Standards compliance. You’ll receive a Stage One report at least one week before Stage Two begins (two weeks if non-conformities were found).

Stage Two must happen within three months of completing Stage One. Here’s where documentation meets reality. The auditor visits your premises to verify that your policies and procedures are actually working in practice. This means:

• Staff and participant interviews
• Client and staff file reviews
• Direct observation of service delivery
• Physical environment assessments

Verification audits typically need only Stage One, as they apply to lower-risk supports.

Understanding audit ratings and non-conformities

Each Practice Standard gets rated on a scale of 0 to 3:

• 3 – Conforms with elements of best practice
• 2 – Conforms with NDIS Practice Standards
• 1 – Minor non-conformity
• 0 – Major non-conformity

Minor non-conformities flag risks that could potentially impact participant safety. Think appropriate policies without supporting documentation, or documented processes lacking implementation evidence.

Major non-conformities occur when you can’t demonstrate that appropriate systems exist to meet standards, presenting a higher risk. Three minor non-conformities within the same practice standard equal one major non-conformity.

Corrective actions and timelines

Non-conformities aren’t the end of the world. You have seven calendar days to submit a Corrective Action Plan outlining specific steps to address identified issues.

Minor non-conformities give you 18 months to implement corrections, reviewed at your next mid-term or recertification audit. Leave them unresolved, and they escalate to major non-conformities.

Major non-conformities need resolution within three months, followed by a separate close-out audit to verify implementation. Your registration stops until all major non-conformities are resolved or downgraded.

Most providers receive some non-conformities, so it’s normal. View them as opportunities for improvement and work with your auditor to resolve them effectively, rather than stressing about perfection.

Conclusion

The NDIS audit process doesn’t have to cost you thousands in stress and complications. These five steps give you exactly what you need to pass your audit and maintain registration without the usual headaches.

Getting your audit right comes down to preparation. Know whether you need verification or certification based on your registration groups. This single decision shapes everything from your timeline to your budget. Build comprehensive policies that align with NDIS Practice Standards before you apply, not after you’re scrambling to meet deadlines.

Your team makes or breaks your audit outcome. Staff who understand both the standards and what auditors actually look for will save you from costly non-conformities. Keep qualification records current, document training properly, and ensure everyone implements policies consistently.

Here’s something most Australian providers get wrong: non-conformities aren’t failures. They’re improvement opportunities. The real goal isn’t just ticking compliance boxes. It’s about delivering safe, quality supports that participants can rely on. Your Corrective Action Plan becomes a roadmap for delivering better service, not just a regulatory requirement.

Think the audit process seems overwhelming? Break it into these manageable steps, and you’ll find it much more straightforward. Proper preparation, organised documentation, and quick responses to findings will keep your registration active without unnecessary complications.

Your structured approach to audits benefits everyone. Your business operations, your staff confidence, and most importantly, the NDIS participants who depend on your quality services.