The 7 things every NDIS provider needs audit-ready in 2026: (1) current core policies reviewed within 12 months, (2) a worker screening register with renewal alerts, (3) real-time incident logs meeting 24-hour notification rules, (4) signed participant service agreements and individual support plans, (5) a documented complaints register, (6) a live risk register with review dates, and (7) current insurance and financial records. Below is the full checklist, plus free NDIS policy templates, audit cost ranges, and what to do if you fail.
Key Takeaways
- Know your audit type: verification audits are document-based with no site visit, while certification audits include site visits, staff interviews, and direct observation of service delivery.
- The five most common non-conformities are outdated policies, gaps in worker screening records, incomplete incident management logs, weak complaints handling evidence, and static risk registers that have not been updated since initial registration.
- Every worker's NDIS Worker Screening Check must be current - the first wave of five-year checks started expiring in February 2026, so audit your team's status now and set renewal reminders at 90, 60, and 30 days.
- The auditor market contracted in 2026: QIP exited NDIS auditing on 30 April 2026 and Citation Certification concludes on 30 June 2026, so remaining audit slots are tight and you should book your auditor early.
- Auditors want to see that policies are implemented in practice, that staff know about them and follow them, and that evidence proves it - a policy document alone is not enough.
NDIS audit checklist at a glance
| # | Evidence area | What auditors look for |
|---|---|---|
| 1 | Governance and policies | All core policies dated and reviewed within the past 12 months, with version numbers and staff acknowledgement records |
| 2 | Worker screening register | Every worker's NDIS Worker Screening Check status, with renewal alerts at 90/60/30 days |
| 3 | Incident management | Real-time logs meeting the 24-hour notification rule for serious incidents and 5-day reports for unauthorised restrictive practices |
| 4 | Participant records | Signed service agreements, individual support plans, progress notes, and evidence of choice and control |
| 5 | Complaints register | A populated log showing investigation, outcome, and any systemic improvements |
| 6 | Risk register | A live document with identified risks, mitigation strategies, and review dates, not a static PDF |
| 7 | Insurance and financials | Current public liability, professional indemnity, workers compensation certificates, and financial sustainability indicators |
If you are starting from scratch, our free NDIS policy templates cover all 12 Core Module policy areas, and the audit cost calculator gives you a budget range in 60 seconds.
If you are an NDIS provider in Australia, an audit is coming. Whether you are registering for the first time, renewing your existing registration, or hitting your mid-term check, the audit process is where the rubber meets the road. And in 2026, the stakes are higher than ever.
With mandatory registration for SIL providers kicking in on 1 July 2026, thousands of providers will be going through an NDIS audit for the first time this year. At the same time, the NDIS Quality and Safeguards Commission is raising the bar on what "compliance" actually looks like in practice. The old approach of pulling everything together the week before your auditor arrives is not going to cut it anymore.
This guide is the evidence checklist: what to have ready, the non-conformities that trip providers up, and how to organise it all. For how the audit process itself works (the two pathways, Stage 1 and Stage 2, mid-term audits, auditor selection, and what happens after the report goes to the Commission), see our companion guide to the NDIS audit pathways.
Which Audit Type Are You Preparing For?
Your registration groups determine the pathway. Verification audits (document-only, no site visit) apply to lower-risk supports such as therapeutic supports and standard support coordination. Certification audits (two stages, with an on-site visit, staff interviews, and observation) apply to higher-risk supports such as personal care, SIL, specialist behaviour support, and early childhood supports. Certification-pathway providers also complete a mid-term audit at roughly 18 months, focused on governance and operational management. If you are not sure which pathway your groups trigger, the registration groups guide maps all 36 groups to their audit type, and the audit pathways guide walks through each stage in detail. The checklist below applies to both pathways; certification providers simply need to evidence more of it in practice, not just on paper.
What Auditors Actually Look For
The NDIS Practice Standards are structured around four core areas. Understanding what sits behind each one will help you prepare your evidence and identify gaps before your auditor does.
Rights and Responsibilities. Your practice needs to demonstrate that participants understand their rights, can exercise choice and control, and have access to effective complaints and feedback processes. Auditors look for things like signed service agreements, accessible information about rights, evidence that participants are involved in planning their supports, and records showing how complaints were handled and resolved.
Governance and Operational Management. This is the backbone of your compliance. Auditors want to see that your organisation has a clear governance structure, a risk management framework, a quality management system, and documented policies that are reviewed regularly. They will check that your financial management is sound, your insurance is current, and your human resource practices include proper worker screening and training records.
Provision of Supports. This area covers how you actually deliver services. Auditors look for evidence that supports are person-centred, that there is continuity of support when staff change, that transitions in and out of your service are managed well, and that you maintain proper records of what supports were delivered, by whom, and when. Incident management falls here too, so your reportable incident records need to be complete and demonstrate compliance with mandatory notification timeframes.
Support Provision Environment. If you provide services in a physical setting (like SIL accommodation or day programs), auditors assess the safety and suitability of the environment. This includes fire safety, emergency procedures, WHS compliance, and whether the setting supports participants' independence and dignity.
For each area, the auditor is not just checking that a policy exists. They want to see that the policy is implemented in practice, that staff know about it and follow it, and that there is evidence to prove it. If your registration groups also trigger one of the four Specialist Modules (high intensity supports, behaviour support, early childhood, or specialist support coordination), our Practice Standards modules guide covers what each module adds on top of the Core Module.
The 2026 Audit Preparation Checklist
Here is what you should have ready before your auditor walks in the door (or, for verification audits, before you submit your documentation package).
Governance and policies. Confirm that all core policies are current, dated, and have been reviewed within the past 12 months. This includes your governance framework, risk management plan, quality management system, privacy and confidentiality policy, complaints and feedback policy, incident management policy, and code of conduct. Every policy should have a version number, a review date, and evidence of staff acknowledgement. If you need a starting point, ClinicComply offers free NDIS policy templates aligned to every Core Module 1 requirement.
Worker screening and HR records. Build a register of every worker's NDIS Worker Screening Check status, including issue date, expiry date, and clearance outcome. Remember that the first wave of five-year checks started expiring in February 2026, so audit your team's status now. You also need training records showing that staff have completed relevant induction training, including the NDIS Code of Conduct and any role-specific competencies.
Incident management records. Ensure every reportable incident has been logged with the correct timeframes: immediate notification within 24 hours for serious incidents, and a detailed five-day report for unauthorised restrictive practices. Your records should show the incident details, who was notified, what actions were taken, and what preventative measures were put in place afterwards.
Participant records. For each participant, have their service agreement, individual support plan, progress notes, and any records of how they have exercised choice and control. Auditors want to see that supports are genuinely tailored to the individual, not delivered from a one-size-fits-all template.
Complaints register. Maintain a log of all complaints and feedback received, how they were investigated, what the outcome was, and whether any systemic improvements resulted. Even if you have had zero complaints, document that the process exists and that participants know how to use it.
Risk register. Your risk management framework should be a living document, not something you wrote once and filed away. Auditors look for identified risks, mitigation strategies, regular review dates, and evidence that risks are actively monitored.
Insurance and financial records. Have your current certificates of insurance ready (public liability, professional indemnity, workers compensation). Auditors may also review financial sustainability indicators to confirm you can continue operating.
If tracking all of this across spreadsheets and shared drives sounds like a nightmare, that is because it usually is. ClinicComply maps every NDIS Practice Standard to a live checklist with evidence linking, deadline tracking, and status dashboards, so you always know exactly where you stand. Start your free 30-day trial to get audit-ready.
5 Common Non-Conformities (And How to Avoid Them)
These are the issues that trip up providers most often during audits. If you can get ahead of these five, you are in strong shape.
1. Outdated or missing policies. The most common finding is policies that have not been reviewed in over a year, or that do not reflect current operations. If your practice has grown, changed locations, or added new support types since your last review, your policies probably need updating. Set a recurring 12-month review cycle for every policy and stick to it. Our NDIS policy templates cover all 12 required policy areas and can be customised to your organisation.
2. Gaps in worker screening records. Auditors check that every worker has a current, valid NDIS Worker Screening Check. If even one worker has an expired or missing check, that is a non-conformity. Build a centralised tracking system with automated reminders at 90, 60, and 30 days before each expiry.
3. Incomplete incident management records. Having an incident management policy is not enough. Auditors want to see that incidents are logged in real time, reported within the required timeframes, investigated thoroughly, and followed up with preventative actions. A common gap is logging the incident but not recording the follow-up or the lessons learned.
4. Weak complaints handling evidence. If your complaints register is empty and you claim you have never received a complaint, auditors get suspicious. Even informal feedback counts. Document everything, including how complaints were resolved and whether they led to any service improvements. If you genuinely have not received complaints, document the steps you take to actively seek participant feedback.
5. Risk management as a static document. A risk register that was written during your initial registration and never updated is a red flag. Your risk management framework needs to show regular reviews, new risks identified over time, and evidence that mitigation strategies are working. Auditors want to see a living system, not a dusty PDF.
What Happens If You Fail Your NDIS Audit?
First, take a breath. A non-conformity is not the end of the world. Here is how the process works.
If your auditor identifies minor non-conformities, you will typically be given a defined period (usually a few weeks) to provide evidence that you have addressed the issue. This is called a corrective action plan. You document what you will change, implement the change, and submit evidence back to the auditor.
For major non-conformities, the consequences are more serious. The auditor may recommend conditions on your registration, or in severe cases, the NDIS Commission may suspend or refuse your registration. Major non-conformities usually involve direct risks to participant safety, like missing worker screening checks for staff actively delivering supports, or a complete absence of incident reporting processes.
The key thing to understand is that auditors are not trying to catch you out. They want to see that you have systems in place, that those systems work, and that when things go wrong, you respond appropriately. A provider who had an incident but managed it well and documented the learnings will score better than a provider who claims nothing has ever gone wrong.
If you receive a corrective action plan, treat it as a priority. Address the findings promptly, implement genuine improvements (not just paperwork fixes), and keep records of everything you did. This evidence will be reviewed at your next audit or mid-term check. The exact resolution windows (12 months for minor non-conformities, 7 days plus a 3-month follow-up for major ones) are covered in the audit pathways guide.
Budgeting for Your Audit
As a quick budgeting guide: verification audits typically run $3,000 to $6,000, certification audits $8,000 to $20,000 or more, and mid-term audits $4,000 to $10,000, scaling with sites, support complexity, and the modules in scope. The free NDIS audit cost estimator gives you a tailored range in 60 seconds, and the audit pathways guide covers choosing an approved quality auditor, including the 2026 market exits (QIP left on 30 April 2026 and Citation Certification concludes NDIS auditing on 30 June 2026), which have tightened auditor availability. Factor in preparation costs too: gap analysis, policy updates, staff training, and any compliance systems. Some providers spend more on preparation than the audit itself, which is usually a sign they are taking it seriously.
Your Audit Timeline: Working Backwards from Your Due Date
If your audit is in three months or less, here is a practical timeline.
Months 2 to 3 out: Run an internal gap analysis against every applicable Practice Standard. Identify missing or outdated policies. Check every worker's screening status. Review your incident and complaints records for completeness.
Month 1 to 2 out: Close the gaps you found. Update policies, renew expired screening checks, complete missing documentation. Run a mock audit if possible, or have a colleague walk through your evidence as if they were an auditor.
Final 2 weeks: Organise your evidence so it is easy to navigate. Whether you use folders on a shared drive or a compliance platform like ClinicComply, the auditor needs to find what they are looking for quickly. Brief your staff on what to expect, especially if interviews are part of the process. Make sure everyone knows your key policies and can articulate how they apply to their daily work.
Frequently Asked Questions
What do NDIS auditors look for?
Auditors assess whether your organisation achieves the outcomes the Practice Standards describe, not just whether policies exist. Across the seven evidence areas, they look for current and version-controlled policies, a complete worker screening register, real-time incident logs that meet notification timeframes, individualised participant records, a populated complaints register, a living risk register, and current insurance. At certification audits they also test whether staff can describe the policies in their own words.
What documents do I need for an NDIS audit?
At a minimum, you need current versions of all core policies (governance, risk management, complaints, incident management, privacy, code of conduct), worker screening records for every staff member, incident and complaints logs, participant service agreements and support plans, staff training records, insurance certificates, and your risk register. Certification audits may also require evidence related to supplementary modules specific to your registration groups.
What training records do I need for an NDIS audit?
For every worker, auditors expect induction records showing completion of the NDIS Worker Orientation Module and Code of Conduct training, role-specific competency records matched to the supports the worker delivers, and evidence of ongoing supervision or professional development. For high-intensity supports, competency assessments must map to the specific clinical task (for example, enteral feeding or seizure response), not to a generic care qualification. Keep the records against each worker with dates and assessor names.
How do I run an internal NDIS audit before the real one?
Work through each applicable Practice Standard two to three months out and ask three questions of every requirement: does a current policy cover it, is there evidence the policy operates in practice, and could a staff member describe it unprompted. Log every gap with an owner and a fix-by date, then close gaps in priority order: worker screening first, incident records second, then participant records and policies. Re-test the worst areas in a mock interview a fortnight before the audit.
What does an NDIS auditor ask staff during interviews?
At certification audits, auditors ask frontline staff to describe in their own words how they would respond to common scenarios: recognising and reporting an incident, handling a complaint, supporting a participant's choice and control, and following any clinical procedure relevant to their role. They compare answers against your written policies. A policy that staff cannot describe is recorded as a finding, so interview preparation means making policies operational, not coaching scripted answers.
How do I prepare for an NDIS mid-term audit?
Mid-term audits focus primarily on governance and operational management. Make sure your governance framework, risk register, and quality management system are current. Review any corrective actions from your initial audit to confirm they are still in place. Check that your worker screening records are up to date and that your incident management records show consistent compliance since your last full audit.
Is there a way to track NDIS compliance continuously instead of scrambling before each audit?
Yes. Compliance platforms like ClinicComply map every NDIS Practice Standard requirement to a live checklist, with evidence linking, automated deadline reminders, and real-time compliance scoring. Instead of preparing for your audit in a last-minute rush, you maintain audit readiness year-round. This is the approach the NDIS Commission is increasingly expecting from providers as the sector moves toward continuous compliance monitoring.
The providers who do well in NDIS audits are not the ones who prepare the hardest in the final week. They are the ones who build compliance into their daily operations and keep their documentation current all year round. The 2026 regulatory environment is making that shift from optional to essential. Get started now, and your next audit will be the least stressful part of your year. Explore our NDIS compliance resources for more practical guides, or start your free 30-day trial to get your compliance organised today.