SIL 2026 deal: 50% off for 3 months with code SIL2026 · 5 weeks left until mandatory registration.

See pricing

How-to

Walking through the NDIS Tier 1 audit checklist (with the things providers commonly miss)

A narrative walkthrough of the 38-artefact NDIS Tier 1 certification audit checklist - bucket by bucket, with the omissions auditors actually find. Companion to the static catalogue guide.

8 min read
Hand ticking off items on a printed project checklist with an item awaiting sign-off circled in amber - the practical work of walking the NDIS certification audit list bucket by bucket.

The SIL Tier 1 audit checklist is a flat catalogue: 38 artefacts, organised by category, with triggers and tags against each one. It is the reference. This post is the narrative — a walkthrough of the same material in the order an auditor actually works through it, with the omissions that turn up at almost every audit.

If you are within 90 days of certification, the catalogue tells you what you need. This post tells you where the quiet gaps usually sit, and how to close them before the auditor finds them.

The seven evidence buckets

Auditors do not work through 38 artefacts in catalogue order. They group evidence into seven buckets and sample across each. If a bucket is empty, the audit pauses on that bucket until you can produce the evidence or the non-conformance is recorded. If a bucket is full but inconsistent (e.g. a Participant Register that doesn't match the Service Agreements on file), the inconsistency itself is the finding.

1. Governance & strategy

5 artefacts

Constitution, board minutes, conflict-of-interest register, strategic plan, organisational risk register.

What providers commonly miss

  • Strategic plan dated but never reviewed against the operating year.
  • Conflict-of-interest register that captures directors but not contracted clinicians.
  • Risk register with no quarterly review evidence - auditors expect a versioned trail, not one PDF.

2. Insurance & licensing

3 artefacts

Public Liability, Professional Indemnity, Workers Compensation - current Certificates of Currency.

What providers commonly miss

  • Insurance certificate expired between desk audit and site visit. Re-checked at both stages.
  • Coverage levels below the Practice Standards minimum (Public Liability $20M is the de facto floor).
  • No evidence of broker conversation if a claim is open or a renewal is in dispute.

3. Policies & procedures

7 artefacts

Code of Conduct, Incident Management, Complaints Handling, Privacy, Restrictive Practices, Risk Management, Worker Onboarding.

What providers commonly miss

  • Templated policies from a sector body, never localised. Auditors check the org name, the named officers, and the version date.
  • Restrictive Practices policy that doesn't reference state authorisation pathways alongside the federal regime.
  • Complaints Handling without a named escalation route to the Commission as a final option.

4. Worker register & screening

9 artefacts

Worker register, NDIS Worker Screening Checks, WWCC where applicable, mandatory training matrix, position descriptions, signed Code of Conduct agreements, performance review evidence.

What providers commonly miss

  • Worker register includes employees but not subcontractors. Auditors sample both.
  • Mandatory training matrix that says 'complete' for everyone but no certificates attached.
  • NDIS Worker Screening that expired between rostering and audit date. The single most-cited finding nationally.

5. Participant register & files

8 artefacts

Participant register, Service Agreements, support plans, risk assessments, emergency plans, consent forms, communication assessments, advocacy records.

What providers commonly miss

  • Service Agreement signed but missing a corresponding Schedule of Supports for the current plan period.
  • Risk assessment dated more than 12 months ago.
  • Consent forms for sharing information with allied health but not for other providers - auditors test both.

6. Incident & complaint registers

4 artefacts

Incident Register, Reportable Incidents log, Complaints Register, evidence of close-out for each.

What providers commonly miss

  • Incidents recorded but never closed out - open status from 14+ months ago is a major flag.
  • Reportable Incident timestamps that don't show the 24-hour clock starting from awareness.
  • Complaints Register that only captures formal written complaints. Auditors expect verbal complaints to be logged too.

7. Audit log & continuous improvement

2 artefacts

Internal audit schedule (with evidence of execution) and a continuous-improvement register tracking findings and actions.

What providers commonly miss

  • Internal audit schedule that exists on paper but has no completed audits in the last 12 months.
  • Continuous improvement register treated as a complaint-response log, not a forward-looking improvement programme.

The bucket that breaks most providers

Buckets 1–3 (governance, insurance, policies) are usually fine. They're owned by leadership, they don't change daily, and an in-house compliance lead can keep them current with a quarterly review.

Bucket 4 (worker register and screening) is where providers come unstuck. Not because the documents are hard to obtain — every NDIS worker has the same five or six certificates — but because the state of those documents changes weekly. A WWCC expires. A new contractor starts a shift before their screening clears. A long-tenured worker's CPR refresher lapses by a week. None of those are scandalous individually. All of them are evidence at the audit.

This is what the spreadsheet failure-mode post is about. The choice isn't between a spreadsheet and a system — it's between knowing about an expiring clearance 30 days before, or learning about it from an auditor 5 minutes after a worker's shift began.

Bucket 5: where Service Agreements get sloppy

Participant file sampling at certification is small in number but deep in scrutiny. Auditors typically sample five to ten participants and ask for the complete evidence stack on each. The single most-cited finding in this bucket: the Service Agreement is signed and on file, but the corresponding Schedule of Supports — the document that converts the agreement into specific funded categories with dollar amounts — is missing, expired, or doesn't match the current NDIA plan.

The audit logic is simple. The Service Agreement is the contract. The Schedule of Supports is what gets billed against. If they don't line up, the provider is either over-billing (charging for supports not in the schedule) or providing supports without lawful billing cover. Both are findings.

The 90-day fix for Bucket 5

Pick five participants at random — ideally across different service types. For each, run the four-way check:

  1. Current Service Agreement on file, signed by both parties, dated within 12 months?
  2. Schedule of Supports attached, dated for the current NDIA plan period?
  3. Support plan referencing the actual supports being delivered?
  4. Risk + emergency plan dated within 12 months?

If any one of those is missing for one of your five, it's missing across more than you think. Run the check on every active participant before audit week.

What to do this week

Five concrete actions that close more than half of avoidable findings:

  1. Export your worker list with every clearance expiry beside the name. Sort by expiry. The workers expiring in the next 60 days are your priority. Renew now, don't wait for the automatic email from the screening unit.
  2. Pull five participant files at random. Run the four-way Service Agreement check above. Document the result.
  3. Open every incident on your register. Close out anything older than 90 days with a written outcome. Don't fabricate — if there's no genuine close-out, log it as an unresolved matter with a date and action owner.
  4. Date-stamp every policy. If a policy hasn't been reviewed in 12 months, add a one-page annexure noting the date of last review, the reviewer, and any changes (even “no changes required” counts). Auditors care about the trail, not the perfection.
  5. Run an insurance currency check. Confirm Public Liability, Professional Indemnity, and Workers Comp all extend past the planned audit date. Request fresh Certificates of Currency from your broker if any expire within 90 days of audit.

How Checkbase fits into this

Checkbase keeps every artefact across the seven buckets in one place, with expiries surfaced before they become findings and a Tier 1 lens that filters the catalogue down to exactly what the certification audit asks for. On audit day, the auditor sees a coherent evidence pack, not a scramble. That's the difference between a clean recommendation and a remediation cycle.

The narrative version is this post. The reference is the full SIL Tier 1 audit checklist. The pillar context is the Tier 1 registration playbook, and the 90-day prep timeline is in the NDIS Audit Guide.

Start your 14-day trialSee the full checklist

See Checkbase in action

Book a personalised demo or start your free 14-day trial today.

Try for free
Reform updates

Plain-English reform updates, when they happen.

No spam, no weekly newsletter for the sake of it. Just the bits NDIS providers actually need to know.

By subscribing you agree to receive marketing emails from Checkbase. Unsubscribe any time. See our privacy policy.