
THE NDIS AUDIT GUIDE

The NDIS audit guide - what auditors check, when, and how to prepare.

A complete NDIS audit guide for verification and certification audits. The 90-day readiness playbook, week-by-week prep, common findings, and how to stay audit-ready continuously instead of scrambling at the last minute.

Last updated 17 May 2026 · 12 min read


What an NDIS audit actually checks

An NDIS audit is conducted by an independent NDIS Commission-approved quality auditor. They test your provider against the NDIS Practice Standards - the universal Core Module plus any supplementary modules that apply to your registration groups. The audit can be either a verification audit (desk-based only, lower-risk supports) or a certification audit (desk + on-site, higher-risk supports including SIL).

In both cases, the auditor is testing the same thing: does your evidence prove the standards are being met in practice, not just claimed in policy? Auditors look at completed records, signed agreements, current screenings, participant outcomes, and incident-handling history - not templates or aspirational documents.

The Core Module covers four outcome areas: rights of participants, provider governance and operational management, provision of supports, and the supports environment. Each one has specific quality indicators that translate into testable evidence requirements.

Verification audit

Desk-based, lower-risk supports

For registration groups like household tasks, low-cost equipment, and domestic assistance. The auditor reviews your evidence pack remotely. No on-site visit. Typically 2–4 weeks end-to-end.

Certification audit

Desk + on-site, higher-risk supports

For SIL, behaviour support, early childhood, and specialist support coordination. Stage 1 desk audit followed by Stage 2 on-site visit. Typically 6–12 weeks end-to-end. See our Tier 1 registration breakdown.

The 90-day audit-prep timeline

Ninety days is the minimum realistic window for most providers with reasonably current documentation. Less than that and you're either doing a partial readiness pass or relying on auditor leniency. More is always better - six months is comfortable for certification.

  1. Weeks 1–2

    Audit type confirmed, scope locked, auditor engaged

    Confirm verification vs certification, registration groups, and applicable supplementary modules. Sign the audit agreement and lock the Stage 1 evidence-pack due date. Run a Practice Standards self-assessment to map your gaps before evidence collection starts.

  2. Weeks 3–4

    Governance, policies, insurance

    Refresh or write your policy stack against the Practice Standards (8–12 core policies for most providers). Confirm insurance certificates are current. Map your continuous-improvement and risk registers to the audit schema.

  3. Weeks 5–6

    Worker compliance brought up to standard

    Every active worker has current 100-point ID, NDIS Worker Screening, WWCC, CPR/first aid, infection control, and medication management (where applicable). Code of Conduct acknowledgments captured. Performance review history visible. Onboarding sequences documented.

  4. Weeks 7–8

    Participant files

    Service Agreement + Schedule of Supports current and signed for every participant. Individual risk assessments and emergency plans dated within the last 12 months. Support plans current. Medication charts and mealtime forms completed where in scope. Progress notes sampled and reviewed for completeness.

  5. Week 9

    Internal Stage 1 dry-run

    Run the auditor's evidence schema against your records as if you were the auditor. Identify the gaps the real auditor will find. Fix them now while you have time. This is the highest-leverage week of the entire prep cycle.

  6. Weeks 10–11

    Stage 1 pack submitted

    Ship the evidence pack to your auditor. Respond to clarifications quickly. For verification-only audits this is effectively the end of the audit; for certification, it sets up Stage 2.

  7. Week 12

    Stage 2 site visit (certification only)

    On-site visit. Auditor interviews staff and participants, observes service delivery, tests your systems against your written processes. The on-site visit is not a documentation review - it's a sense-check that what you said exists actually works.


The artefact checklist

Below is the condensed audit-evidence schema. The deeper version, mapped artefact-by-artefact to the SIL certification audit, lives in our SIL audit checklist guide.

Worker compliance

  • 100-point ID + working rights
  • NDIS Worker Screening (current)
  • Working with Children Check
  • CPR / first aid certificate
  • Infection control training
  • Medication management training
  • Code of Conduct acknowledgment
  • Induction checklist + training plan

Participant records

  • Service Agreement + Schedule of Supports
  • Individual Risk Assessment (≤12 months)
  • Individual Emergency Plan
  • Support Plan
  • Medication Chart + management forms
  • Mealtime Management Forms (if relevant)
  • Progress notes (sampled)
  • Incident reports + complaint history

Governance & ops

  • Practice Standards self-assessment
  • Continuous Improvement Plan + register
  • Risk Register + treatment plans
  • Insurance certificates (PI, PL, vehicle)
  • Policy stack (8–12 core policies)
  • Reportable Incident register
  • Restrictive Practice register (if relevant)
  • Workforce capability framework

The auditor doesn't want to see some of these - they want all of them, current, signed, and findable in less than 60 seconds. Anything else is a finding.

Common audit findings (and how to avoid them)

Across verification and certification audits, the same six findings account for the majority of corrective actions. Each one is preventable with continuous tracking - but disastrous to fix in the week before Stage 1.

  • Workforce screening lapses

    An NDIS Worker Screening or WWCC that has expired between application and audit. Auditors check every active worker against the date of audit - even one expired check tied to a worker on shift becomes a major non-conformance, especially under the Practice Standards Reform tightening from late 2026.

  • Missing or out-of-date Service Agreements

    A participant is being supported, but the Service Agreement is unsigned, expired, or doesn't match the current Schedule of Supports. Auditors sample 5–10 participant files at certification - one missing agreement is enough to require a corrective action.

  • Risk and emergency plans older than 12 months

    Individual Risk Assessments and Emergency Plans dated more than 12 months ago without a documented review. Auditors treat the 12-month review cycle as a hard line, not a guideline - older plans without a review note read as a governance gap.

  • Continuous-improvement evidence that isn't evidence

    A blank Continuous Improvement Register, or one with three vague entries from 18 months ago. The Practice Standards expect a live register with input from incidents, complaints, participant feedback, and management review - auditors specifically look for cause-and-effect chains.

  • Training records that prove attendance, not competency

    A signed attendance sheet for medication management training is not the same as evidence that the worker is competent to administer medication. SIL certification auditors increasingly ask for a competency assessment alongside the training record - particularly for high-risk supports.

  • Incident records without close-out

    Reportable incidents logged but missing the Commission notification, the participant communication, or the post-incident review. Auditors track each incident through to its corrective action - open loops become findings.

For the financial side of getting audit readiness wrong - banning orders, contravention fines, and the 2025 Bill - see our upcoming NDIS penalties guide.

What auditors literally ask for

Below are the 10 most-requested artefacts, paired with the kind of verbatim question an auditor will ask in Stage 1 or during the on-site visit. If you can answer each one in under sixty seconds with the evidence to back it up, you're audit-ready.

  • Worker screening register

    Show me your current list of active workers with the expiry date of every NDIS Worker Screening, WWCC, and First Aid certificate.

  • Service Agreements

    Pick three participants at random - show me the signed Service Agreement plus the matching Schedule of Supports for each.

  • Individual Risk Assessment

    Walk me through how you identified the risks in this participant's plan and what controls you put in place.

  • Continuous Improvement register

    Show me three improvements you've made in the last 12 months. What triggered them, who was responsible, and how do you know they worked?

  • Reportable Incident log

    Take me through your most recent reportable incident from the moment it happened to where it sits today.

  • Complaint and feedback

    How does a participant or family member raise a concern, and how do you know the resolution is actually closing the issue?

  • Training matrix

    Show me the training plan for a worker who started in the last six months. Where are you up to and how do you assess competency?

  • Policy attestation

    Pick any policy from your stack - show me when it was last reviewed and who is the accountable officer.

  • Restrictive practice register (if in scope)

    Show me every regulated restrictive practice currently in use and the authorisation behind each one.

  • Insurance currency

    Show me your current Public Liability and Professional Indemnity certificates, and confirm the cover meets the registration thresholds.


Be continuously audit-ready, not panic-ready

The audit-prep pattern that fails is the one most providers default to: months of business-as-usual, then a ninety-day sprint, then a quiet exhale once the auditor leaves. The pattern that works is the opposite - every worker screening, participant file, governance record, and incident closure tracked continuously, so any week of the year could be your audit week.

Checkbase is purpose-built for that pattern. The dashboard surface below shows exactly what an audit-ready provider sees on day one of a normal Tuesday: a compliance ring scoring the provider against the Practice Standards in real time, a rail of expiring documents ranked by urgency, and an Auditor Portal you can open from any participant or worker file.

Live demo: SIL evidence pack as it appears in the auditor portal. Categories, item counts, and the time-boxed magic link are all real product surfaces.

Live compliance score

Provider-wide score updates the moment a document expires, a worker is added, or a participant's plan rolls over. No spreadsheet refresh.

SIL audit lens

Filter every list - workers, participants, documents - to the artefacts an auditor will ask for at certification. The rest is hidden until you need it.

Evidence Pack export

Generate a single branded PDF organised by audit category. Or share with the auditor a time-boxed magic link with a 6-digit OTP.
