Key Takeaways
- There are two NDIS audit pathways: verification (document-only, no site visit) for lower-risk supports, and certification (two-stage, with an on-site visit) for higher-risk supports. Your registration groups determine which pathway applies, not the size of your organisation.
- The certification audit runs in two stages: Stage 1 is a desktop documentation review that typically takes 2 to 12 weeks; Stage 2 is an on-site assessment that must commence within three months of Stage 1 completing.
- All certification-pathway providers must complete a mid-term audit approximately 18 months into their three-year registration cycle. Verified providers and providers registered solely for Specialist Disability Accommodation (group 0131) are exempt.
- The mid-term audit focuses primarily on the Governance and Operational Management standards, plus any corrective actions outstanding from the previous audit. It is conducted on-site and carries the same consequences as a full audit if non-conformities are found.
- Minor non-conformities must be closed within 12 months of the date of issue. If not closed in time, they escalate automatically to major non-conformities. Major non-conformities require a corrective action plan within 7 days and a follow-up audit within 3 months. Unresolved major non-conformities result in automatic suspension of certification.
- Your certificate of registration specifies the supports you are approved to deliver, the three-year period of registration, and any conditions the Commission has imposed. It is publicly visible on the NDIS Provider Register.
- Two significant approved quality auditors have exited the NDIS market in 2026: QIP departed on 30 April 2026, and Citation Certification is concluding all NDIS auditing on 30 June 2026. If you relied on either, confirm your replacement auditor now.
The NDIS audit process is discussed most often in terms of what to prepare, but rarely in terms of how it actually works from start to finish. Understanding what happens at each stage, what the Commission does with the audit report, and what your registration certificate actually means is just as important as having your documentation in order. The process has defined timeframes and decision points that providers can miss even when their compliance evidence is solid.
This guide covers the full lifecycle of both audit pathways, explains the mid-term audit and what it assesses, and clarifies what the certificate of registration contains and how long it lasts. For guidance on which audit pathway your registration groups trigger, the NDIS registration groups guide maps all 36 groups to their audit types.
The Two Pathways: Verification and Certification
Every registered NDIS provider uses one of two audit pathways. The pathway is determined by the registration groups you hold.
Verification applies to lower-risk supports: household tasks, community participation, transport, plan management, therapeutic supports (group 0128), assistive technology, standard support coordination (group 0106), and most other groups not listed below. The audit is entirely document-based. No auditor visits your premises. You submit evidence of your qualifications, insurance, and operational policies, and the auditor reviews that documentation against a defined scope. There is no assessment against the NDIS Practice Standards at a verification audit.
Certification applies to higher-risk, higher-complexity supports: personal care (group 0107), high-intensity daily personal activities (group 0104), Supported Independent Living (group 0115), specialist behaviour support (group 0110), early childhood supports (group 0118), innovative community participation (group 0116), development of daily life and life skills (group 0117), and specialist support coordination (group 0132). The certification pathway involves two distinct stages and includes an on-site visit to your service locations.
The contamination rule: if even one of your registration groups requires certification, your entire registration is assessed at certification level. A provider combining therapeutic supports with personal care cannot take the verification pathway. Review your group selections carefully before submitting your application.
The Certification Audit Lifecycle
Step 1: Apply and Engage an Approved Quality Auditor
The process begins when you submit your registration application through the myplace provider portal. As part of that application, you must engage an approved quality auditor (AQA): an independent body approved by the NDIS Commission and accredited by JAS-ANZ (the Joint Accreditation System of Australia and New Zealand). You select your own auditor from the current approved list; the Commission does not assign one.
Audit quotes vary significantly between auditors and by provider scope. The NDIS Audit Cost Estimator provides a budget range before you approach auditors for formal quotes. Certification audits typically range from $8,000 to $20,000 or more, depending on the number of sites, the complexity of supports delivered, and the specialist modules in scope.
Allow time to book. Audit availability tightens sharply before registration deadlines. The market has contracted further in 2026: QIP exited on 30 April 2026, and Citation Certification concludes all NDIS auditing on 30 June 2026. Remaining approved quality auditors are carrying higher volumes. Providers approaching a renewal or initial certification audit should engage their auditor well in advance, not in the final weeks before a deadline.
Step 2: Stage 1 (Desktop Documentation Review)
Stage 1 is a structured review of your documentation, conducted off-site. Your auditor works through your policies, procedures, governance frameworks, and supporting evidence against the NDIS Practice Standards Core Module and any specialist modules applicable to your registration groups. Certification-level providers must demonstrate compliance with the Core Module, which covers rights and responsibilities, governance and operational management, provision of supports, and the support provision environment. Providers of certain support types must also meet specialist module requirements:
- Specialist Module 1 (High Intensity Daily Personal Activities): group 0104
- Specialist Module 2 (Specialist Behaviour Support): group 0110
- Specialist Module 3 (Early Childhood Support): group 0118
- Specialist Module 4 (Specialist Support Coordination): group 0132
The documentation typically requested at Stage 1 includes your governance framework, risk management plan, quality management system, incident management policy, complaints policy, privacy and confidentiality policy, code of conduct, worker screening register, staff training records, participant service agreements, and current insurance certificates. Stage 1 takes two to twelve weeks depending on provider complexity and auditor workload. If significant gaps are identified, you will have an opportunity to address them before Stage 2 proceeds.
For a detailed breakdown of what auditors look for within each evidence area, the NDIS audit preparation checklist covers the seven core categories in full.
Step 3: Stage 2 (On-Site Assessment)
Stage 2 must commence within three months of Stage 1 completing. Auditors visit your service locations to verify that what is documented in Stage 1 reflects how your organisation actually operates. Stage 2 involves interviews with leadership and frontline staff, conversations with participants and their families or support networks, file reviews of participant records, and direct observation of your service environments.
The on-site duration scales with your organisation's size and complexity. A small provider with a single site delivering therapeutic supports will typically complete Stage 2 in a few hours. A large provider with multiple SIL accommodation sites and specialist behaviour support registration can take several days across multiple locations.
What auditors assess at Stage 2 is not whether policies exist, but whether staff understand and consistently apply them. A policy that staff cannot describe in their own words is a finding. The physical environment is also assessed: safety standards, emergency management, and whether the setting supports participant independence and dignity.
Step 4: The Audit Report and Commission Decision
After Stage 2, your auditor prepares and submits a formal audit report to the NDIS Commission. The report must be submitted within 28 days of the certification audit completing. It contains the auditor's findings, any non-conformities identified, and a recommendation on whether registration should be granted.
The Commission then assesses your application independently, including the suitability of your key personnel. There is no legislated timeframe for the Commission to finalise its decision after receiving the audit report. Processing time varies with the complexity and scale of the organisation and current Commission workload. Providers approaching a registration expiry deadline should factor this lag into their planning, completing their audit well before the six-month window opens for renewal.
If the Commission is considering refusing an application, you will be invited to provide information before a final decision is made.
What Your Certificate of Registration Says
A successful application results in a certificate of registration: the formal approval document that makes you a registered NDIS provider. The certificate specifies three things: the supports and services you are registered to deliver (listed by registration group), the period of registration (three years from the date of issue), and any conditions attached to your registration.
Registration conditions can include compliance with the applicable NDIS Practice Standards, behaviour support reporting requirements where relevant, and other operational conditions imposed by the Commission. Conditions appear on the certificate and are also published on the NDIS Provider Register, which is publicly accessible.
Three years is the standard registration period for both verification and certification pathway providers. At expiry, you must apply for renewal and complete another audit. Renewal applications can be submitted no earlier than six months before the expiry date. If the renewal process is not commenced within that window, your registration may lapse. A lapsed registration means you cannot claim NDIA payments for services delivered.
Mid-Term Audits: The 18-Month Check
Certification-pathway providers have a third audit obligation that sits between initial registration and renewal: the mid-term audit, due approximately 18 months into the three-year registration cycle.
The mid-term audit is narrower in scope than a full certification audit. Its primary focus is the Governance and Operational Management standards within the Core Module. It also reviews any corrective actions raised at the previous audit that remain open, any standards specified by the Commission, and any new specialist modules required if you have expanded your registration groups since your last full audit.
The audit is conducted on-site unless you meet the criteria for a remote assessment. It involves document reviews, staff interviews, and participant interviews. The mid-term audit is not a light-touch administrative check: non-conformities found at mid-term carry the same consequences as those found in a full certification audit.
Verified providers do not require a mid-term audit. Providers registered solely for Specialist Disability Accommodation (group 0131) are also exempt.
Failing to complete your mid-term audit by the due date is a breach of a condition of your registration. The Commission may take compliance action, including suspension, if the mid-term is overdue.
Costs typically range from $4,000 to $10,000 depending on the size of your organisation and the number of sites.
Non-Conformity Timeframes
Non-conformities raised at any audit stage have defined resolution windows.
Minor non-conformities must be closed within 12 months of the date of issue, typically at your next mid-term or recertification audit, whichever comes first. If a minor non-conformity is not closed within 12 months, it escalates automatically to a major non-conformity.
Major non-conformities require a corrective action plan submitted to the audit team leader within seven calendar days of written notification. A follow-up audit of the implemented corrective action must be completed within three months. If the non-conformity is not resolved or downgraded at that follow-up, certification is automatically suspended.
For non-conformities that place a participant at direct risk of significant harm, the Commission may be notified immediately and may take compliance action outside the standard timeline.
Choosing an Approved Quality Auditor
Only organisations specifically approved by the NDIS Commission can conduct NDIS Practice Standards audits. The Commission's approved quality auditors list is maintained on its website and was last updated on 27 March 2026. The JAS-ANZ accreditation body manages auditor approvals on behalf of the Commission; it also suspended applications from new auditors following an independent review of the AQA scheme, meaning the pool of approved auditors is fixed for the foreseeable future.
Current active approved quality auditors include BSI Group ANZ, DNV, Global-Mark, SAI Global, HDAA, Platinum Certification, Quantum Certification Services, Certifii, AQC Group, Australian QC, AVA GLC, Sustainable Certification, and Audit Wise Group, among others. The full current list is on the Commission's "Find an auditor" page at ndiscommission.gov.au.
When selecting an auditor, compare quotes, confirm availability for your required timeline, and ask specifically whether the auditor has experience with the specialist modules relevant to your registration groups. Experience levels vary across the AQA pool.
How ClinicComply Helps
Walking into an NDIS certification audit with disorganised documentation is one of the most avoidable ways to receive a non-conformity. ClinicComply maps every applicable Practice Standards criterion, across the Core Module and all four Specialist Modules, to a live evidence checklist. Upload documentation against each criterion, assign preparation tasks to team members with deadlines, and see exactly which areas are evidenced and which are not before Stage 1 begins.
For mid-term audit preparation, the platform tracks outstanding corrective actions from your previous audit and sends automated reminders as the 12-month minor non-conformity close-out deadline approaches. You will see when a finding is at risk of escalating before your auditor does.
The NDIS policy templates library covers every Core Module policy area with ready-to-customise documents. Use the NDIS Compliance Quiz for a rapid gap assessment against your current registration groups. Start a free 30-day trial at cliniccomply.com.au/signup and have your audit documentation organised before your Stage 1 request arrives.
Frequently Asked Questions
What is the difference between an NDIS verification audit and a certification audit?
A verification audit is a document-only assessment with no site visit and no staff interviews. The auditor reviews your qualifications, insurance, and operational policies against a defined scope. It applies to providers of lower-risk supports including therapeutic services, plan management, assistive technology, and standard support coordination. A certification audit involves two stages: a desktop documentation review (Stage 1) followed by an on-site assessment of your service locations, staff, and participant records (Stage 2). Certification audits assess compliance with the NDIS Practice Standards and apply to providers of higher-risk supports including personal care, SIL, specialist behaviour support, and early childhood supports.
How long does an NDIS certification audit take from start to finish?
The full process, from engaging an auditor to receiving your Commission decision on registration, typically takes three to six months. Stage 1 takes two to twelve weeks depending on the complexity of your organisation and auditor workload. Stage 2 must commence within three months of Stage 1 completing and takes anywhere from a few hours to multiple days depending on your provider size. After Stage 2, the auditor has 28 days to submit the report to the Commission. Commission processing time then varies, as there is no legislated timeframe for the Commission to finalise a decision once the report is received.
What does an NDIS certificate of registration include?
Your certificate of registration specifies three things: the registration groups (supports and services) you are approved to deliver, the period of registration (three years from the date of issue), and any conditions the Commission has attached. Registration conditions can include compliance with the applicable NDIS Practice Standards, behaviour support reporting requirements, and other specific operational conditions. The certificate and any conditions are also published on the publicly accessible NDIS Provider Register. The certificate must be renewed every three years through a new audit.
Who needs to complete an NDIS mid-term audit?
Providers who completed a certification audit for their initial or renewal registration must complete a mid-term audit approximately 18 months into their three-year registration cycle. Verified providers do not require a mid-term audit. Providers registered solely for Specialist Disability Accommodation (group 0131) are also exempt. The mid-term audit is a condition of registration, and failing to complete it by the due date may result in the Commission taking compliance action including suspension.
What does the NDIS mid-term audit focus on?
The mid-term audit focuses primarily on the Governance and Operational Management standards within the NDIS Practice Standards Core Module. It also reviews any corrective actions outstanding from your previous audit, any additional standards specified by the Commission, and any new specialist modules required if you have expanded your registration groups since your last full audit. The audit is conducted on-site and involves document reviews, staff interviews, and participant interviews. Non-conformities found at mid-term carry the same resolution requirements as those from a full certification audit.
What happens if I receive a non-conformity at my NDIS audit?
Minor non-conformities must be closed within 12 months of the date of issue. If not closed within that period, they escalate automatically to major non-conformities. Major non-conformities require a corrective action plan submitted to your auditor within seven days of written notification. A follow-up audit must then be completed within three months to verify that the corrective action has been implemented. If the major non-conformity is not resolved at the follow-up audit, certification is automatically suspended. In all cases, you must demonstrate genuine operational improvements and not just documentation updates.
Who are the approved quality auditors for NDIS in 2026?
Approved quality auditors must be approved by the NDIS Commission and accredited by JAS-ANZ. The Commission suspended applications from new auditors following an independent review, so the pool is fixed. Active auditors include BSI Group ANZ, DNV, Global-Mark, SAI Global, HDAA, Platinum Certification, Quantum Certification Services, Certifii, AQC Group, Australian QC, AVA GLC, Sustainable Certification, and Audit Wise Group. QIP departed on 30 April 2026 and Citation Certification concludes NDIS auditing on 30 June 2026. The current full list is on the NDIS Commission's "Find an auditor" page at ndiscommission.gov.au.
When can I apply to renew my NDIS registration?
Renewal applications can be submitted up to six months before your registration expiry date, but no earlier than that window. If you do not commence the renewal process within the six-month window, your registration risks lapsing. A lapsed registration prevents you from claiming NDIA payments for services delivered. Given that the full certification audit and Commission decision process can take three to six months, providers should engage their auditor as soon as the renewal window opens. Verification-pathway providers follow the same timing, though the process is considerably shorter.
Can I deliver NDIS supports while my registration renewal is being processed?
Yes. Your existing registration remains current while the Commission processes a renewal application, provided you submitted the application before your registration expired. For new initial applications, you are not registered until the Commission grants registration and issues the certificate. Unregistered delivery of supports that require registration is a criminal offence: the maximum penalty for delivering SIL without registration from 1 July 2026 is five years imprisonment under the NDIS Amendment (Integrity and Safeguarding) Act 2026. For an overview of what that legislation changed, the NDIS Amendment Bill guide covers the key provisions.