Can the NDIS Commission audit you without warning?
Routine certification and verification audits are scheduled and pre-arranged. But the NDIS Commission can initiate unannounced compliance contact, investigations, and short-notice document requests at any time - usually triggered by a complaint, an incident, or another regulator.
Short answer: Your scheduled certification or verification audit is always pre-arranged with your approved quality auditor. The NDIS Quality and Safeguards Commission itself, however, has separate powers to make short-notice or no-notice contact - and uses them when a complaint, a reportable incident, or another regulator's referral justifies it.
The two things people mix up
When providers ask "can the Commission audit me without warning?" they usually mean one of two very different things. Pulling them apart is most of the answer.
1. Scheduled audits — booked, never surprises
Stage 1 (desk) and Stage 2 (site) certification audits, and verification audits for lower-risk supports, are scheduled months in advance between you and your approved quality auditor. You agree dates, scope, and sampling. You receive document requests in writing well before any site visit. Surveillance audits within a registration cycle (mid-cycle check-ins) are also pre-booked. None of these are unannounced.
2. Commission compliance contact — can be short-notice
Separately, the NDIS Commission itself - not your quality auditor - has statutory powers to compel information, attend premises, and open investigations under the NDIS Act 2013. This is a regulatory function, not an audit. It can happen with very little notice if there's a trigger. The trigger is almost always a complaint, a reportable incident, intelligence from another regulator, or media reporting.
What the Commission can actually do without notice
- Issue a notice to produce documents (section 55A). A formal demand for specified records within a stated window (commonly 14–28 days). You don't get prior warning of the notice itself - it arrives by registered post or email.
- Attend premises with a Commission inspector (section 60 powers of entry). For registered providers, the Commission can enter business premises during reasonable hours to inspect records, interview workers, and observe service delivery. Consent is usually requested first; if refused, a monitoring warrant can be sought.
- Issue an interim banning order. In cases of immediate participant risk, an interim banning order can be issued same-day or within 24 hours, without prior consultation. The order is effective from the date stated - you respond afterwards, not before.
- Open a compliance investigation. Triggered by complaints, reportable incidents, or intelligence sharing. You may not be told an investigation is open until the Commission contacts you formally.
- Refer the matter to another body. ASIC for director-disqualification issues, the ATO for financial misconduct, state police for criminal conduct, or Fair Work for wage/employment matters. You won't be warned in advance.
What triggers a no-notice approach
The Commission doesn't conduct random unannounced inspections of providers as a matter of routine. What you should expect, in declining order of likelihood:
Most common trigger
A complaint reaches the Commission - from a participant, a family member, a worker (current or former), or a member of the public. Most complaints close without formal action. A subset escalate. See the Commission complaint process.
Second most common
A reportable incident - a death, a serious injury, abuse, neglect, or unauthorised restrictive practice - has been notified by you (as the Act requires) or by someone else. The reportable-incident pathway can trigger compliance follow-up even if you reported it correctly. See reportable incident requirements.
Less common but rising
Intelligence-sharing referrals. The Commission has memoranda of understanding with the ATO, ASIC, AUSTRAC, Fair Work, state coroners, state police, the NDIA, and the Aged Care Quality and Safety Commission. A concern surfaced by any of those bodies can land on the Commission's desk without you knowing.
Occasional
Media reporting or social-media exposure of a safeguarding concern. The Commission monitors published reporting and will follow up on credible allegations even where no complaint has been lodged.
The unregistered-provider angle
The Commission's powers extend to all providers delivering NDIS supports, not just registered ones. An unregistered provider can be the subject of a complaint, investigation, banning order, or civil penalty just as easily as a registered one. The recent reform direction - including the SIL mandatory-registration deadline - is in part a response to enforcement gaps in the unregistered space.
What "ready for an unannounced contact" actually means
You can't prevent a complaint. You can prevent the downstream cost of one. A well-run provider can produce, within a few hours of any Commission contact:
- The compliance file for any worker the Commission names (screening, training, induction, signed code-of-conduct).
- The participant file - service agreement, support plan, risk assessment, recent progress notes, incident reports.
- The reportable-incident log with timestamps, internal follow-up actions, and the Commission notification reference number.
- The most recent organisation-wide policy set (safeguarding, behaviour support, complaint handling, conflict of interest) with version dates.
- A short, factual chronology of the worker's tenure and the participant's service history.
If any of that takes more than a working day to assemble, you're relying on memory and luck. Both run out under Commission pressure.
If the Commission contacts you tomorrow
Three rules, in order:
- Don't reply substantively until you've engaged a lawyer. An acknowledgement is fine; an explanation is not. See the full first-72-hours playbook in how to respond to a Commission notice.
- Issue an internal preservation hold. Suspend any auto-deletion of emails, rosters, incident reports, or participant records related to the matter. Document destruction during an investigation is a serious aggravating factor.
- Notify your insurer. Most professional indemnity and regulatory-defence policies require notification within a tight window (often 7 days). Late notification can void coverage.
This is general information, not legal advice. Specific Commission powers, response strategies, and statutory deadlines vary case-by-case. Engage a lawyer with NDIS regulatory experience before responding to anything formal from the Commission.
How Checkbase helps
The single best preparation for any Commission contact - announced or otherwise - is being able to produce the underlying records within a few hours, not a few days. Checkbase keeps worker compliance, participant files, incident logs, and a timestamped audit trail in one place. The same auditor portal that runs your scheduled certification audit can be used to share evidence with the Commission or your lawyer at short notice.
Frequently asked questions
Can my approved quality auditor turn up unannounced?
No. Approved quality auditors operate to the rules of the certification scheme. Audit dates, scope, and the document request list are agreed with you in advance. The Commission is a regulator with statutory powers; an approved quality auditor is a conformity-assessment body. Different beasts.
Can the Commission interview my staff without me there?
Under section 55A powers, the Commission can require a person to give information or attend for examination. Staff have the right to legal representation in any such interview and should generally decline to be interviewed without it. As the employer you don't have an automatic right to be present, but staff should be informed of their right to seek their own advice first.
What about the AAT and review rights?
Most adverse Commission decisions - compliance notices, registration variations, banning orders - are reviewable by the Administrative Appeals Tribunal (now the Administrative Review Tribunal). Strict time limits apply. Interim banning orders can be reviewed urgently. This is another reason to engage a lawyer the day a notice arrives.
Does this all change after 1 July 2026?
The 1 July 2026 SIL mandatory-registration deadline extends the registered-provider perimeter, which extends the Commission's direct audit reach. The underlying powers - notices to produce, powers of entry, interim banning orders - already exist for unregistered providers. The practical effect of the reform is more providers inside the registered system and more scheduled audits in the calendar, not new no-notice powers.
Statutory references on this page are to the National Disability Insurance Scheme Act 2013 (Cth) and the rules made under it. Section numbers can change as the Act is amended; treat any specific reference as a pointer, not a citation. Confirm current section numbers with your lawyer.