What happens if you fail an NDIS audit?
Failing an NDIS audit means the auditor records non-conformances and reports them to the NDIS Commission. Minor non-conformances need a corrective action plan, usually within 30 days; major ones block certification until you can evidence remediation, and can lead the Commission to impose conditions on, suspend or revoke your registration. Findings involving harm to participants are reported immediately and can trigger banning orders or civil penalty proceedings.
In plain English
An NDIS audit doesn't have a pass/fail stamp the way a school exam does. Instead, the auditor records every discrepancy between your practice and the NDIS Practice Standards as a non-conformance, classified by severity. The auditor reports those findings to the NDIS Commission, which decides what happens next.
A handful of minor non-conformances is normal; even well-run providers usually pick up a few. Major non-conformances are serious: the auditor can't recommend certification or recertification until they're closed, which typically means a focused remediation audit and a registration that stays unresolved in the meantime. Findings involving actual harm, or a real risk of harm, to participants escalate to formal Commission enforcement: conditions on registration, suspension, revocation, banning orders, or civil penalty proceedings.
The three non-conformance categories
The audit scheme itself grades findings as either minor or major non-conformity. "Severe" below is not a separate grade on the auditor's report; it describes the subset of major findings that involve harm, imminent risk or falsification and that trigger immediate reporting to the Commission and formal enforcement.
Minor non-conformance
A documentation gap, isolated procedural slip, or recordkeeping inconsistency that doesn't put any participant at risk. Examples: a Service Agreement that hasn't been reviewed in 13 months instead of 12; one worker missing a refresher training certificate; an Incident Register entry without a close-out date.
Consequence: the auditor records the finding and requires a corrective action plan, usually within 30 days of the audit report. Once accepted by the auditor, certification proceeds. The Commission is notified but doesn't typically take separate action on minor findings.
Major non-conformance
A systemic failure, a finding that affects multiple participants, or a single finding that put a participant at identifiable risk. Examples: no behaviour support plan for a participant subject to a restrictive practice; a pattern of unsigned Service Agreements across the sample; workforce screening that wasn't checked before a worker started shifts; medication administration without a current chart.
Consequence: the auditor cannot recommend certification (or recertification) until the major non-conformance is closed. The provider must submit evidence of remediation, not just a plan, and the auditor verifies the close-out, often via a focused remediation audit. The Commission is notified within 5 business days of the auditor identifying the finding. Timeline to resolution: typically 60–120 days. Whether you can onboard new participants during that window depends on the conditions the Commission imposes; a stop on new intakes is a common one.
Severe non-conformance
A finding involving actual harm, imminent risk of serious harm, deliberate falsification of records, or repeated non-conformance with previous corrective actions. Examples: a participant injury concealed from incident reporting; a worker continuing to deliver supports after a banning order; an unauthorised restrictive practice causing physical harm; a backdated Service Agreement.
Consequence: the auditor must notify the Commission immediately under their reporting obligations as an approved quality auditor, regardless of audit stage. The Commission can impose immediate conditions on registration, suspend registration pending investigation, or (in the most serious cases) revoke registration and pursue civil penalties or, where the NDIS Act creates an offence, criminal prosecution. Banning orders against individual workers or key personnel can be made in parallel.
The auditor's reporting obligations
Approved quality auditors are independent third parties, but they're also bound to the NDIS Commission. Under the Commission's Approved Quality Auditors Scheme Guidelines and their agreement with the Commission, auditors must:
- Report all major and severe non-conformances to the Commission within 5 business days.
- Report any actual or alleged harm to a participant immediately, regardless of severity classification.
- Decline to certify (or recommend de-certification of) any provider with unresolved major findings.
- Provide the Commission with the underlying audit evidence on request, including worker rosters reviewed, participant files sampled, and copies of policies inspected.
Auditors that fail to escalate findings can lose their approved status, so they err on the side of reporting. Arguing with the auditor about the classification rarely improves the outcome; the better path is to focus on remediation evidence.
What the corrective action plan must contain
The Commission expects a structured response, not a written apology. A credible corrective action plan includes:
- Root cause analysis — not “the worker forgot,” but why your process allowed the forgetting. Was it absence of a system, an unclear procedure, an unmonitored expiry, or a missing supervisory checkpoint?
- Immediate action — what you've already done to remove the risk (e.g. removed the worker from shift, updated the chart, contacted the participant, filed the missing Reportable Incident).
- Systemic fix — the change to your policy, process, training, supervision, or tooling that stops the same gap recurring.
- Verification mechanism — how you'll confirm the fix is working in 30, 60, 90 days. Sign-offs, internal audits, dashboard checks.
- Evidence pack — the artefacts that prove each step happened, with dates and authors. This is what the auditor verifies.
When registration gets suspended or revoked
The Commission can impose conditions on registration, suspend it (section 73N of the NDIS Act) or revoke it (section 73P) where:
- A major non-conformance hasn't been remediated within the agreed timeframe.
- A severe non-conformance has been identified and the Commissioner considers participants are at risk.
- The provider has repeatedly failed to meet conditions of registration.
- The provider has provided false or misleading information to the auditor or Commission.
- The suitability test for key personnel (owners, directors, or other controllers) can't be satisfied, for example because someone has disqualifying convictions.
Conditions on registration are the most common formal response; typical examples are that the provider must accept no new participants, must engage an independent reviewer, or must submit weekly compliance reports. Conditions are published on the Commission's Regulatory Actions register.
Suspension and revocation are rarer but well documented. During 2024–25 the Commission cancelled the registration of dozens of providers, mostly for serious conduct failings combined with poor cooperation with the investigation.
What it means for participants
When the Commission imposes conditions, suspends, or cancels a registration, NDIA-funded participants need continuity arrangements. The Commission and NDIA coordinate transitions: existing participants may continue to receive supports through the now-conditioned provider for a defined window while alternative providers are arranged, or the NDIA may step in with emergency support coordination.
How a provider handles the transition is taken into account in how the Commission deals with the underlying compliance matter. Cooperating with transition arrangements helps; trying to retain participants in defiance of Commission action makes the position worse.
How to reduce the probability of failure
The audit findings that get providers in trouble are remarkably consistent. The same five categories show up year after year in the Commission's published enforcement actions:
- Worker screening expired or unverified before shift.
- Service Agreements unsigned, expired, or stale.
- Risk and emergency plans older than 12 months.
- Incident Register entries without close-out evidence.
- Restrictive practices used without an authorised plan.
Every one of those is detectable in advance from records you already hold: an expiry date, a signature, a review date, a close-out date, an authorisation. The providers that pass cleanly are not necessarily the ones with the best participant outcomes; they're the ones with the best documentation hygiene. See the NDIS Audit Guide for the 90-day prep playbook, and the SIL Audit Checklist for the full document catalogue.
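Because the five categories are mechanical checks over dates, signatures and authorisations, the pre-audit sweep can be scripted. The Python below is an added example written for this page, not code from Checkbase, an auditor or the NDIS Commission. It grades each hit as minor or major following the categories described above, and adds a "watch" grade for screening that is about to lapse. The record layout, the 12-month review threshold, the 30-day early-warning window, the rule that two or more unsigned Service Agreements count as a "pattern" (major) while one is minor, and the grading of a missing risk plan as major are all assumptions chosen for the example; the final classification on your audit report is the auditor's.

```python
from dataclasses import dataclass
from datetime import date
# Thresholds are assumptions for this example, matching the grading described in the text:
# 12-month review cycles, and a pattern of unsigned agreements graded major rather than minor.
REVIEW_CYCLE_DAYS = 365
SCREENING_WARN_DAYS = 30        # assumption: warn a month before a screening lapses
UNSIGNED_PATTERN_THRESHOLD = 2  # assumption: two or more unsigned agreements is a pattern

@dataclass(frozen=True)
class Finding:
    category: str  # one of the five recurring categories listed above
    severity: str  # "watch" (not yet a non-conformance), "minor" or "major"
    subject: str   # worker, participant or incident id
    detail: str

def check_worker_screening(workers, shifts, today):
    """Major: screening unverified or expired on a shift date. Watch: lapses soon."""
    out = [Finding("worker_screening", "major", wid, f"unverified or expired screening on shift {d}")
           for wid, d in shifts if not workers[wid]["verified"] or workers[wid]["expiry"] < d]
    for wid, w in workers.items():
        left = (w["expiry"] - today).days
        if 0 <= left <= SCREENING_WARN_DAYS:
            out.append(Finding("worker_screening", "watch", wid, f"screening lapses in {left} days"))
    return out

def check_service_agreements(participants, today):
    """Unsigned: minor if isolated, major if a pattern. Not reviewed in 12 months: minor."""
    unsigned = [pid for pid, p in participants.items() if not p["signed"]]
    sev = "major" if len(unsigned) >= UNSIGNED_PATTERN_THRESHOLD else "minor"
    out = [Finding("service_agreement", sev, pid, "Service Agreement unsigned") for pid in unsigned]
    for pid, p in participants.items():
        age = (today - p["agreement_reviewed"]).days
        if age > REVIEW_CYCLE_DAYS:
            out.append(Finding("service_agreement", "minor", pid, f"agreement last reviewed {age} days ago"))
    return out

def check_risk_plans(participants, today):
    """Plan older than 12 months: minor. No plan on file at all: major (assumption)."""
    out = []
    for pid, p in participants.items():
        reviewed = p["risk_plan_reviewed"]
        if reviewed is None:
            out.append(Finding("risk_plan", "major", pid, "no risk/emergency plan on file"))
        elif (today - reviewed).days > REVIEW_CYCLE_DAYS:
            out.append(Finding("risk_plan", "minor", pid, f"plan last reviewed {(today - reviewed).days} days ago"))
    return out

def check_incident_register(incidents):
    """Entry without a close-out date or close-out evidence: minor."""
    return [Finding("incident_register", "minor", i["id"], "no close-out date or evidence")
            for i in incidents if i["closed_on"] is None or not i["close_out_evidence"]]

def check_restrictive_practices(participants):
    """Restrictive practice in use without an authorised behaviour support plan: major."""
    return [Finding("restrictive_practice", "major", pid, "restrictive practice without an authorised plan")
            for pid, p in participants.items() if p["restrictive_practice"] and not p["bsp_authorised"]]

def run_checks(workers, shifts, participants, incidents, today):
    return (check_worker_screening(workers, shifts, today)
            + check_service_agreements(participants, today)
            + check_risk_plans(participants, today)
            + check_incident_register(incidents)
            + check_restrictive_practices(participants))

def audit_outcome(findings):
    """Worst grade present. 'watch' items are early warnings, not non-conformances."""
    grades = {f.severity for f in findings}
    if "major" in grades:
        return "major"  # certification cannot be recommended until close-out is verified
    if "minor" in grades:
        return "minor"  # corrective action plan required; certification proceeds once accepted
    return "clean"

# Constructed sample records for the example, not real provider data.
TODAY = date(2025, 7, 1)
WORKERS = {
    "W1": {"verified": True, "expiry": date(2026, 3, 1)},
    "W2": {"verified": False, "expiry": date(2026, 3, 1)},  # rostered before screening was verified
    "W3": {"verified": True, "expiry": date(2025, 7, 20)},  # lapses in 19 days
}
SHIFTS = [("W1", date(2025, 6, 30)), ("W2", date(2025, 6, 28)), ("W3", date(2025, 6, 29))]
PARTICIPANTS = {
    "P1": {"signed": True, "agreement_reviewed": date(2024, 5, 1), "risk_plan_reviewed": date(2025, 1, 10),
           "restrictive_practice": False, "bsp_authorised": False},  # agreement 14 months old
    "P2": {"signed": False, "agreement_reviewed": date(2025, 2, 1), "risk_plan_reviewed": None,
           "restrictive_practice": True, "bsp_authorised": False},  # no risk plan, unauthorised practice
    "P3": {"signed": True, "agreement_reviewed": date(2025, 3, 1), "risk_plan_reviewed": date(2025, 4, 1),
           "restrictive_practice": True, "bsp_authorised": True},
}
INCIDENTS = [
    {"id": "I-101", "closed_on": date(2025, 5, 2), "close_out_evidence": True},
    {"id": "I-102", "closed_on": None, "close_out_evidence": False},
]
if __name__ == "__main__":
    results = run_checks(WORKERS, SHIFTS, PARTICIPANTS, INCIDENTS, TODAY)
    for f in results:
        print(f"[{f.severity:5}] {f.category:20} {f.subject:6} {f.detail}")
    print("outcome:", audit_outcome(results))
```

On the constructed sample the sweep returns three major findings (an unverified worker on shift, a participant with no risk plan, and a restrictive practice without an authorised plan), three minor ones and one early warning, so the overall outcome is "major" before an auditor has looked at anything. Run it against your own exports weekly; the point is that none of these findings should be news on audit day.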
How Checkbase helps
Checkbase tracks every expiring screening, missing Service Agreement, stale risk plan, and open incident in one place — with the auditor-aligned status colours and a clean evidence pack you can hand to a remediation auditor on request. Providers that come out of major non-conformance fastest are the ones who can produce a coherent, timestamped remediation record. That's the use case Checkbase was built for.
Frequently asked questions
Can you appeal an auditor's non-conformance finding?
Yes. Raise it first with the auditor through their formal grievance or appeals process, then if unresolved with JAS-ANZ (the body that accredits approved quality auditors). Where the Commission has made a reviewable decision based on the finding, you can request internal review by the Commission and, after that, review by the Administrative Review Tribunal. In practice, appeals rarely change the classification; energy is better spent on remediation evidence.
What's the difference between a major non-conformance and a Commission compliance notice?
A non-conformance is a finding by an auditor against the Practice Standards. A compliance notice is a formal direction from the Commission under section 73ZM of the NDIS Act requiring the provider to do (or stop doing) specific things. Major non-conformances often lead to compliance notices, but they're distinct instruments: a non-conformance is an observation, a compliance notice is enforcement, and failing to comply with a notice is itself a contravention.
How long does a major non-conformance stay on your record?
The audit report itself is part of your registration history indefinitely. Most non-conformances are superseded by subsequent clean audits and stop influencing future decisions after one or two certification cycles (typically 3–6 years), unless the underlying issue recurs. Severe non-conformances and any formal Commission action (conditions, suspensions, banning orders) stay on the public Regulatory Actions register and don't expire.
Can a failed audit be re-attempted?
Yes. A failed audit doesn't exhaust your ability to register or recertify. The provider works with the same auditor on remediation, demonstrates close-out, and the auditor then issues the certification recommendation (for an initial audit) or the recertification (after the remediation audit). Switching auditors mid-process is technically allowed, but it is visible to the Commission and invites the question of whether you are shopping for a softer result.
Does a failed audit mean we have to refund participants?
Not automatically. Refunds arise where the Commission determines services weren't delivered as billed, or where the provider has admitted overbilling or misrepresentation. A failed audit by itself does not trigger a refund obligation. However, if the audit uncovered evidence of service-not-delivered, the Commission can require restitution as part of an enforceable undertaking.
Related terms
- The NDIS Commission complaint process (Penalties & enforcement): who can complain to the NDIS Commission, what they do with the complaint, how long it takes, and what providers should do when one lands on them.
- How much is an NDIS provider fine? (Penalties & enforcement): current civil-penalty maximums per NDIS contravention, what they apply to, and what changes with the 2025 reforms, in plain language.
- What is an NDIS banning order? (Penalties & enforcement): banning orders are the NDIS Commission's most serious enforcement tool; who issues them, what they cover, and where the public register lives.
- How to prepare for a Stage 1 desk audit (Audit & quality): what to expect at Stage 1, what evidence the auditor wants, common reasons providers get held up, and how to prepare so Stage 1 doesn't become a corrective-action loop.
- How to prepare for a Stage 2 site visit (Audit & quality): what happens during a Stage 2 site visit, who the auditor wants to talk to, and how to brief your team without coaching answers.