Whether you are facing your first NDIS certification audit or preparing for a mid-term review, the process can feel overwhelming. Auditors assess dozens of areas across your organisation, and a single gap in documentation or policy can trigger a non-conformity finding.
This guide breaks down exactly what NDIS auditors look for in 2026, the documentation you need to have ready, and the most common mistakes that lead to corrective action requests. Use the checklists below to prepare your team well before audit day.
What are the two types of NDIS audit?
As of 2026, the NDIS Quality and Safeguards Commission mandates two audit pathways: verification audits for lower-risk registration groups and certification audits for higher-risk supports. Approximately 60% of registered NDIS providers undergo the simpler verification pathway, while providers delivering behaviour support, SDA, or early childhood services require full certification.
Verification audits are for providers in lower-risk registration groups. These are simpler, desktop-based assessments that check your policies and procedures against the NDIS Practice Standards core module.
Certification audits are for providers delivering higher-risk supports such as behaviour support, specialist disability accommodation, or early childhood intervention. These involve on-site assessments, staff interviews, and participant feedback collection.
What documents do you need for an NDIS audit?
Every NDIS provider must have at least 12 core documents current and accessible at audit time. The NDIS Quality and Safeguards Commission updated its Practice Standards guidance in late 2025, placing greater emphasis on evidence of implementation rather than policy existence alone. Missing even one of these documents can result in a non-conformity finding.
- Governance framework with clear organisational structure
- Risk management policy and register (reviewed within the last 12 months)
- Complaints and feedback policy with documented resolution process
- Incident management policy aligned with NDIS reportable incident requirements
- Worker screening records for all staff (NDIS Worker Screening Check)
- Staff training register showing mandatory training completion dates
- Participant service agreements (signed, current, reviewed annually)
- Individual support plans with evidence of participant involvement
- Privacy and information management policy
- Conflict of interest policy and declarations
- Business continuity and emergency management plan
- Evidence of continuous improvement activities
What do NDIS auditors focus on in 2026?
In 2026, the NDIS Commission has flagged four priority areas for auditor attention: restrictive practices reporting, worker screening compliance, participant-centred planning, and incident management. Providers operating in these areas should expect auditors to request detailed evidence trails, not just policies on paper.
1. How are restrictive practices assessed during an NDIS audit?
If your organisation uses any form of restrictive practice, auditors will verify that every instance is authorised, reported to the Commission, and documented with a plan to reduce or eliminate the practice over time. This includes environmental restrictions, chemical restraint, and seclusion. As of March 2026, incomplete restrictive practices reporting remains the single most common finding in certification audits across Australia.
2. What worker screening records do auditors check?
Every worker in a risk-assessed role must hold a valid NDIS Worker Screening Check. Auditors cross-reference your full staff list against screening records. In 2025-26 audits, the most common gaps involved contractors, agency staff, and volunteers who were missed during onboarding. Providers with more than 50 staff are particularly vulnerable to screening lapses.
3. How do auditors assess participant-centred planning?
Auditors want to see evidence that participants are genuinely involved in their support planning. Generic, copy-paste support plans will raise concerns. Look for documented goals in the participant's own words, regular review meetings, and evidence of choice and control in service delivery.
4. What does a mature incident management system look like?
The Commission expects incidents to be reported within 24 hours for serious events, with root cause analyses completed within 30 days and corrective actions tracked to closure. Auditors will sample recent incidents and follow the paper trail from report through to resolution. Providers using paper-based systems consistently score lower in this area.
What are the most common NDIS audit failures?
Based on published NDIS Commission compliance data from 2025-26, the six most common reasons providers receive non-conformity findings are related to the gap between documented policy and actual practice. Staff who cannot describe how policies work in real situations are the number one trigger for corrective action requests.
- Policies exist on paper but staff cannot describe how they work in practice
- Training records are incomplete or missing for casual and agency workers
- Service agreements have not been reviewed or updated since initial sign-up
- Incident reports lack follow-up actions or evidence of resolution
- Continuous improvement register has no entries from the past 6 months
- Risk register has not been reviewed since initial creation
How should you prepare your team for an NDIS audit?
Your audit is not just about having the right documents. Auditors will speak with staff, participants, and families. Research from the NDIS Commission shows that providers who conduct at least one mock audit in the 90 days before their scheduled assessment are significantly less likely to receive major non-conformity findings.
- Run a mock audit. Walk through each Practice Standard module and ask staff to explain how your organisation meets each requirement. Identify gaps early.
- Brief all staff. Every team member should understand your complaints process, incident reporting steps, and where to find key policies. Even support workers on the ground should be able to answer basic questions.
- Collect participant feedback. Do not wait for the auditor to ask. Gather recent feedback, satisfaction surveys, and examples of how you have acted on input from participants.
- Review your continuous improvement register. Add at least 3 to 5 meaningful entries from the past quarter. Auditors want to see an organisation that actively improves, not one that treats compliance as a box-ticking exercise.
What happens after an NDIS audit?
If you receive non-conformity findings, you will be given a timeframe to address each finding, typically 30 to 90 days depending on severity. As of 2026, the Commission requires providers to submit a formal corrective action plan within 14 days of receiving findings, with evidence of completion due by the deadline. Document your corrective actions thoroughly and submit evidence of completion.
Use your audit findings as a genuine improvement opportunity. The providers who perform best in audits are those who embed compliance into their daily operations rather than scrambling to prepare when the audit is announced.
How can you stay audit-ready year-round?
The best approach to NDIS compliance is continuous readiness. Australian providers who use digital compliance management tools report spending 60% less time preparing for audits compared to those relying on manual processes. Set quarterly review dates for your key documents, maintain a running continuous improvement register, and ensure your incident management system captures everything in real time. When your next audit rolls around, you will be ready without the last-minute stress.
Frequently Asked Questions
What is the difference between an NDIS verification audit and a certification audit?
A verification audit is a simpler, desktop-based assessment for providers in lower-risk registration groups, checking policies against the NDIS Practice Standards core module. A certification audit is for higher-risk supports such as behaviour support or specialist disability accommodation, involving on-site assessments, staff interviews, and participant feedback collection.
How often do NDIS providers need to be audited?
NDIS providers must complete a full audit every three years for certification renewal. The NDIS Quality and Safeguards Commission may also conduct mid-term audits or unannounced compliance checks at any time, particularly if complaints or incidents have been reported against the provider.
What happens if you fail an NDIS audit?
If you receive non-conformity findings, you are given 30 to 90 days (depending on severity) to address each finding and submit evidence of corrective action. Serious failures may result in conditions on your registration, suspension, or revocation by the NDIS Quality and Safeguards Commission.
What documents do NDIS auditors check first?
Auditors typically begin with your governance framework, risk management register, incident management records, worker screening documentation, and participant service agreements. These five areas account for the majority of non-conformity findings across Australian NDIS audits.
How can NDIS providers stay audit-ready year-round?
Set quarterly review dates for key documents, maintain a running continuous improvement register, ensure your incident management system captures data in real time, and run internal mock audits at least twice per year. Using dedicated NDIS compliance software automates expiry tracking and documentation management.