NDIS Audit Preparation: 7-Section Compliance Checklist for Providers

An NDIS audit is not an event you survive – it is a process you control. Providers who treat audit preparation as a 2-week scramble before their assessment date consistently face non-conformances, costly rework, and audit delays that set their business back by months. Providers who prepare systematically across a structured 90-day timeline walk into their audit with documented evidence, confident staff, and the expectation of a clean outcome.

At HCPA, we have supported 10,500+ NDIS providers through registration, compliance, and audit cycles – applying our Regulatory Growth framework to turn every compliance requirement into a competitive advantage. Our team includes experienced internal auditors who conduct pre-audit reviews for every client, identifying gaps before the NDIS Commission’s appointed auditor sees them. The result is an audit pass rate that reflects the quality of our preparation process, not luck. Our full compliance package is available for $4,400, and it is designed to make your audit a confirmation of what you already know rather than a test of what you have missed.

This guide gives you the 7-section NDIS audit preparation checklist HCPA uses in pre-audit reviews, along with the 90-day timeline that gives providers enough runway to fix real gaps before the auditor arrives. HCPA consultants average a 3-year tenure with individual clients, which means the preparation approach below reflects long-term compliance knowledge, not a generic template.

What Is an NDIS Audit?

An NDIS audit is a formal assessment conducted by an NDIS Commission-approved quality auditor to verify that a registered provider meets the requirements of the NDIS Practice Standards. Every registered NDIS provider undergoes an audit as part of their initial registration, and then at renewal – typically every 3 years for established providers, or more frequently if compliance concerns have been identified.

There are two types of NDIS audit: a verification audit, which assesses documentation only and applies to lower-risk registration groups, and a certification audit, which includes both document review and on-site assessment – including interviews with staff, participants, and participant representatives. The type of audit you face depends on the registration groups you hold.

Non-conformances identified during an audit result in a formal corrective action requirement. Minor non-conformances require documented remediation within a defined timeframe. Major non-conformances can result in registration conditions, suspension of registration, or, in serious cases, cancellation of registration. Understanding what auditors look for – and preparing for it – is the most important compliance investment a provider can make.

The 90-Day NDIS Audit Preparation Timeline

Effective NDIS audit preparation starts 90 days before your audit date, not 90 hours before. Here is how HCPA structures the preparation timeline for every client.

Days 1-30: Gap Analysis and Documentation Review

The first 30 days are diagnostic. You are not fixing anything yet – you are identifying everything that needs to be fixed. This includes a systematic review of all documentation against the NDIS Practice Standards, an assessment of your incident and complaints registers, a review of worker screening and training records, and an audit of participant records for completeness and currency.

The gap analysis phase is where HCPA’s pre-audit review provides the highest value. Our internal auditors review your documentation using the same framework the Commission’s appointed auditor will use, identifying non-conformances before they become audit findings. Every gap identified in the first 30 days gets a specific remediation plan – a policy to be updated, a training record to be completed, a process to be documented.

Days 31-60: Remediation and Evidence Building

The middle 30 days are operational. Every gap identified in the first phase gets closed. Policies are updated, training is completed, incident registers are reviewed for completeness, participant records are brought up to standard, and governance documentation is strengthened. This phase requires active work from your team, not just your compliance consultant.

Evidence building is as important as remediation. Auditors do not take your word for anything – they look for documented evidence that your systems work as described. This means your continuous improvement register should show active use, your complaints management system should have records that demonstrate responsiveness, and your governance documentation should reflect real management activity, not templates populated with placeholder content.

Days 61-90: Mock Audit and Final Preparation

The final 30 days before audit are about verification and confidence building. HCPA conducts a mock audit for every certification audit client – a structured practice run that simulates the interview and document review process with your actual team. Mock audits surface gaps that documentation review misses, particularly gaps in staff knowledge and the ability to articulate your systems under questioning.

Final preparation also includes evidence file organisation. Your audit evidence file should be structured to allow an auditor to verify compliance against each Practice Standard without difficulty. Poorly organised evidence files slow down audits and create the impression of disorganisation, even when compliance is strong.

Section 1: NDIS Worker Screening and Training Records

Worker screening is one of the most common areas of non-conformance in NDIS audits. The requirements are clear – every worker who delivers NDIS supports must hold a valid NDIS Worker Screening Check, and every worker must complete the NDIS Worker Orientation Module. However, maintaining compliance across a workforce that includes employees, contractors, and volunteers requires active management systems, not one-time onboarding processes.

Worker Screening Audit Preparation Checklist

• Confirm all workers have a valid NDIS Worker Screening Check recorded in your system
• Check expiry dates for all clearances – clearances expiring within 6 months should be flagged for renewal
• Verify all workers have completed the NDIS Worker Orientation Module and that completion records are documented
• Confirm all mandatory training requirements for your registration groups are met and documented
• Review contractor and volunteer screening records – they are held to the same standards as employees
• Ensure your recruitment processes include screening checks as a mandatory step before commencement

HCPA’s compliance system tracks both worker screening and training records for every client, generating alerts when renewals are due and ensuring no gaps exist in the evidence file before audit.

Section 2: Incident Management and Reportable Incident Register

Incident management is a high-priority area for NDIS auditors. Auditors look for evidence that your organisation identifies incidents consistently, responds to them appropriately, reports reportable incidents to the NDIS Commission within the required timeframes, and uses incident data to drive continuous improvement.

Incident Management Audit Preparation Checklist

• Review your incident register for completeness – every incident should have a recorded date, description, classification, immediate response, and outcome
• Verify all reportable incidents were notified to the NDIS Commission within 24 hours of becoming aware
• Confirm final reports were submitted for all reportable incidents within the required timeframe
• Check that incident investigations were conducted and documented for serious incidents
• Review whether incident trends have been analysed and whether analysis has informed process improvements
• Ensure all staff are trained in incident identification and reporting requirements

A common audit finding is incomplete incident records – incidents that were managed well in practice but documented poorly. Auditors cannot assess what is not recorded. Every incident needs a complete record.

Section 3: Complaints Management System

Your complaints management system is not just a compliance requirement – it is evidence that your organisation takes participant feedback seriously. Auditors look for systems that are genuinely accessible, that respond to complaints promptly, and that use complaint data to improve service quality.

Complaints Management Audit Preparation Checklist

• Verify your complaints policy is current, accessible to participants, and includes information about the right to contact the NDIS Commission
• Review your complaints register for completeness – each complaint should have a recorded date, nature, response, resolution, and timeframe
• Confirm that participants are actively informed of their right to make complaints, including to external bodies
• Check that your complaints process is accessible to participants, their families, and their representatives to raise concerns – including concerns about the provider itself
• Verify complaints have been used to inform continuous improvement actions
• Ensure all staff understand the complaints process and can explain it to participants

Section 4: Participant Records and Support Plans

Participant records are a core focus of certification audits. Auditors review support plans for individualisation, currency, and evidence that participants have been involved in their development. Generic support plans – regardless of how comprehensive the template is – are a significant audit risk.

Participant Records Audit Preparation Checklist

• Review support plans for all current participants – plans should be individualised, current, and reflect the participant’s goals and preferences
• Verify that participants (or their representatives) have been involved in developing and reviewing their support plans
• Confirm consent records are complete and current for all participants
• Check that risk assessments are documented and current for participants with identified risks
• Verify that progress notes are being recorded consistently and reflect actual service delivery
• Ensure records storage meets privacy and security requirements

Section 5: Governance and Management Practices

Governance requirements are often underestimated by smaller providers. Auditors look for evidence that governance is an active practice – regular management meetings with minutes, documented oversight of key compliance functions, clear accountability structures, and evidence that leadership is engaged with compliance management.

Governance Audit Preparation Checklist

• Confirm management meeting minutes are documented and cover compliance-relevant topics
• Review your organisational chart and ensure accountability for compliance functions is clearly assigned
• Verify that key policies are current, approved by leadership, and accessible to staff
• Confirm that leadership has reviewed incident data, complaint data, and continuous improvement activity
• Check that financial management documentation meets requirements for your registration groups
• Ensure delegation authorities and decision-making processes are documented

Section 6: Risk Management and Continuous Improvement

Your continuous improvement register – a log of improvement actions taken in response to identified gaps, incidents, complaints, and audit findings – is one of the most scrutinised documents in a certification audit. Auditors look for evidence that continuous improvement is a genuine organisational practice, not a register created for audit purposes. This is a critical distinction – auditors can identify when continuous improvement records have been populated in preparation for audit rather than maintained as a living document.

Risk management documentation should demonstrate that your organisation proactively identifies and manages risks, not just responds to incidents after they occur. Your risk register should be current, reviewed regularly, and connected to your quality management practices.

Section 7: Restrictive Practice Documentation (Where Applicable)

Providers registered for higher-risk registration groups – including SIL, behaviour support, and specialist supports – face heightened scrutiny around restrictive practice documentation. Restrictive practices must be authorised, documented, monitored, and reported in compliance with state and territory requirements as well as NDIS Commission requirements.

Restrictive Practice Audit Preparation Checklist

• Verify that all use of restrictive practices is authorised under the relevant state or territory framework
• Confirm that behaviour support plans are in place for all participants where restrictive practices are used
• Check that restrictive practice use is being monitored and reported to the NDIS Commission as required
• Verify that reduction plans are in place and that restrictive practice use is being actively reduced where possible
• Ensure all staff involved in implementing restrictive practices have completed required training

Restrictive practice non-conformances are among the most serious findings an NDIS auditor can record. Providers registered for higher-risk registration groups – including SIL, behaviour support, and specialist supports – face heightened scrutiny in this area. The risk of a major non-conformance – and the cost of remediation and re-assessment – significantly exceeds the cost of getting this right before audit.

Frequently Asked Questions

How long does an NDIS audit take?

A verification audit typically takes 1-2 days and involves document review only. A certification audit typically takes 2-5 days depending on the size of the organisation and the number of registration groups being assessed. Certification audits include on-site assessment, staff interviews, and participant interviews in addition to document review.

What happens if I receive a non-conformance in my NDIS audit?

Minor non-conformances require you to submit a corrective action plan and evidence of remediation within a specified timeframe (typically 3 months). Major non-conformances are more serious and may result in registration conditions, suspension, or cancellation. The key to managing non-conformances is responding promptly with genuine remediation, not just documentation of intent.

What is the difference between a verification and certification audit?

Verification audits apply to lower-risk registration groups and involve document review only. Certification audits apply to higher-risk registration groups and include both document review and on-site assessment. The type of audit required is determined by the registration groups you hold, not by your choice.

How much does it cost to prepare for an NDIS audit?

HCPA’s full compliance package, which includes quality management system setup, registration strategy, pre-audit review, mock audit support, and ongoing compliance advisory, is available for $4,400. For providers approaching renewal who are already registered, we offer a standalone audit preparation engagement. The cost of preparation is substantially lower than the cost of a failed audit, which typically involves re-assessment fees, remediation costs, and the operational disruption of addressing major non-conformances under time pressure.

Can I prepare for an NDIS audit myself?

Yes, and this checklist gives you the framework to do so. However, providers who prepare independently typically miss non-conformances that experienced internal auditors identify immediately, because the gaps are in areas the provider considers compliant. An independent pre-audit review adds an objective assessment that self-review cannot replicate.

How often do NDIS providers need to be audited?

Initial registration requires an audit before registration is granted. Renewal audits are required every 3 years for established providers, though the NDIS Commission can require more frequent audits if compliance concerns have been identified. Providers who expand their registration groups may also trigger additional audit requirements.

Pass Your NDIS Audit the First Time

Audit preparation is not about creating documentation for an auditor. It is about maintaining the operational standards that make audit documentation a natural byproduct of how you run your business. Providers who operate compliantly every day – not just in the 90 days before audit – consistently achieve clean audit outcomes. Providers who scramble consistently face non-conformances and the cost of remediation.

HCPA has built the systems, experience, and industry networks that make NDIS audit preparation systematic rather than stressful. Our team includes experienced internal auditors who have assessed providers against every registration group in the NDIS framework. Our client network includes support coordinators and LACs who understand what best-practice providers look like from the outside. And our 3-year average client tenure means we are with you through your first audit, your first renewal, and the Regulatory Growth decisions that follow.

The full HCPA compliance package is available for $4,400. It includes your quality management system, registration group strategy, pre-audit review, mock audit support, and ongoing compliance advisory. For providers who are already registered and approaching their renewal audit, we offer a standalone audit preparation engagement that covers the 7-section checklist above in full, with gap analysis and remediation support.

Book your free strategy session today and find out exactly where your compliance stands – before your auditor does. Visit our NDIS services overview to understand the full scope of what HCPA offers registered providers.

For personalised audit preparation support, contact HCPA today.