NDIS Verification Audit: Module Compliance Process

If you are registering as an NDIS provider for lower-risk supports, the NDIS verification audit is your entry point to the market. It is a desktop-based compliance review conducted by an approved quality auditor, and passing it is a legal requirement before the NDIS Commission will grant or renew your provider registration. Understanding what the audit assesses, how the process works, and what evidence you need to prepare is the difference between a smooth approval and a costly delay.

This guide walks you through every stage of the verification audit process, from understanding which providers need it through to preparing your evidence and avoiding the most common failure points. Whether you are a first-time applicant or approaching a renewal, this is what you need to know.

What Is an NDIS Verification Audit?

An NDIS verification audit is a formal compliance assessment conducted by an NDIS Commission-approved quality auditor. It is one of two audit pathways under the NDIS Quality and Safeguards Framework. The other pathway, certification, applies to providers delivering higher-risk supports such as specialist disability accommodation, early childhood intervention, and behaviour support.

The verification audit is a desktop review only. There is no on-site visit from the auditor. Instead, you submit documentary evidence – policies, procedures, records, and supporting documentation – and the auditor assesses whether your organisation meets the required NDIS Practice Standards for your registration groups.

The audit is not a box-ticking formality. The NDIS Commission uses it to verify that you have functional systems in place across four core operational modules before you are permitted to deliver funded supports to NDIS participants. Failing to demonstrate compliance across all four modules will result in non-registration or a conditional outcome that delays your ability to trade.

Which Providers Need a Verification Audit?

The NDIS Commission classifies all supports and services into registration groups and assigns each group a risk tier. Lower-risk registration groups require verification, while higher-risk groups require certification. Common supports requiring only verification include:

• Plan management (Registration Group 0106)
• Support coordination (Registration Group 0132)
• Assistive technology and equipment
• Home modifications
• Therapeutic supports (some sub-categories)
• Interpreting and translation
• Community participation and social supports (lower-risk activities)

If your intended registration groups fall entirely within the lower-risk tier, verification is your pathway. If you are registering for a mix of lower-risk and higher-risk supports, you will need certification for the higher-risk groups and may need verification for the remainder, depending on your specific registration scope.

Unsure which pathway applies to your service mix? Reviewing the full NDIS provider registration checklist will clarify the requirements for your registration groups before you engage an auditor.

NDIS Verification Audit Requirements: The 4 Core Modules

The verification audit assesses compliance against four modules drawn from the NDIS Practice Standards. Each module has defined quality indicators, and you must provide documentary evidence demonstrating that your systems meet each indicator. The four modules are:

Module 1: Workforce Governance

This module assesses whether your organisation has appropriate systems to manage the people delivering supports. Evidence requirements include employment screening records (NDIS Worker Screening Checks), staff qualification records, induction documentation, supervision structures, performance review processes, and policies covering worker conduct and code of ethics. The auditor is verifying that you know who is delivering your services and that you have governance mechanisms to ensure those workers meet NDIS standards.

Module 2: Incident Management

This module assesses whether your organisation has a functional system for identifying, recording, managing, and reporting incidents. You need a written incident management policy, a clear escalation and reporting procedure (including NDIS reportable incident obligations), incident register templates, and evidence that staff are trained on the process. The NDIS Commission expects that incidents involving participants – including near misses – are captured and reviewed, not buried.

Module 3: Complaints Management

This module assesses whether participants and their supporters have accessible, safe pathways to raise concerns about your services. Evidence includes a complaints policy, a documented complaints process (intake, investigation, resolution, and escalation), a complaints register, and information about external complaint bodies such as the NDIS Commission itself. Accessibility is a key consideration here – your complaints process must be available in plain English and suitable for participants with varied communication needs.

Module 4: Financial Management

This module assesses whether your organisation has sound financial governance that protects participant funds. For plan management providers, this module carries significant weight and includes evidence of financial policies, bank account controls, invoicing and payment processes, reconciliation procedures, and how participant budgets are tracked and reported. For other provider types, the requirements focus on financial viability, insurance coverage, and sound financial controls.

The Verification Audit Process: How It Works

The verification audit follows a defined sequence. Knowing each stage in advance removes uncertainty and helps you prepare efficiently.

1. Application lodged with NDIS Commission: You submit your provider registration application through the NDIS Commission portal, selecting your registration groups and audit pathway (verification).
2. Approved auditor engaged: You select and engage an NDIS Commission-approved quality auditor. This is your responsibility and your cost. The auditor must be independent of your organisation.
3. Evidence submission: The auditor provides a document request list aligned to the four modules. You compile and submit your documentary evidence, typically via a secure document portal.
4. Desktop review: The auditor reviews your submitted documentation against the NDIS Practice Standards indicators. There is no site visit. The auditor may request clarification or additional documents during this stage.
5. Audit report issued: The auditor produces a report with a compliance finding for each module – either compliant, non-compliant, or compliant with conditions. The report is submitted to the NDIS Commission.
6. Registration decision: The NDIS Commission reviews the audit report and makes a registration decision. A compliant finding across all modules supports approval. Non-compliant findings will delay or prevent registration.

The typical end-to-end timeline from application to registration decision is 3 to 6 months, though this varies based on your preparation, the auditor’s availability, and the Commission’s assessment queue. Providers who submit complete, well-organised evidence packages consistently move through the process faster. For a full overview of what NDIS auditors look for during the review, understanding their assessment methodology helps you package your evidence correctly.

How to Prepare Your Evidence for a Verification Audit

Evidence preparation is where most providers either succeed or stumble. The auditor is not assessing whether your policies look professional – they are assessing whether your systems are functional, documented, and actually implemented. Here is how to prepare effectively:

Map your evidence to each module

Before you submit anything, create a simple document map that lists each quality indicator for the four modules and identifies which document in your evidence package addresses that indicator. This prevents gaps and makes the auditor’s job easier, which often results in fewer clarification requests and faster turnaround.

Use current, signed, and dated documents

Undated policies, draft documents, and unsigned procedures are common failure triggers. Every policy and procedure must be finalised, dated, version-controlled, and approved by the relevant person in your organisation. Auditors look for evidence of active governance, not aspirational documentation.

Demonstrate implementation, not just intent

A policy alone is rarely sufficient. Auditors want to see that the policy is actually used. For incident management, include a completed sample incident record (de-identified). For complaints management, include a completed sample complaints register entry. For workforce governance, include sample induction checklists and Worker Screening Check confirmation records. Evidence of implementation is what differentiates a compliant organisation from one that has written policies but no operational reality behind them.

Organise by module, not by document type

Submit your evidence in a clearly labelled folder structure organised by module. Auditors reviewing dozens of submissions each month will progress more efficiently through a well-organised package, and any request for clarification will be narrower in scope.

Common Verification Audit Failures (and How to Avoid Them)

Most verification audit failures are preventable. The following are the most frequently cited non-compliance findings and what to do about each one:

• Missing or incomplete Worker Screening Check records: Every worker (employed or contracted) who delivers supports must have a current NDIS Worker Screening Check. Gaps in records – particularly for contractors and sole traders – are a leading cause of non-compliance in Module 1. Audit every worker record before submission.
• Incident management policy not linked to NDIS reportable incident categories: A generic incident policy is not sufficient. Your incident policy must reference the specific NDIS reportable incident categories and the required timeframes for notifying the Commission (24 hours for priority incidents, 5 days for others).
• Complaints process not accessible: If your complaints information is only available in dense policy language with no accessible or plain English version, auditors may flag it as not meeting participant accessibility requirements.
• Financial policies without participant fund protection mechanisms: For plan management providers especially, vague financial policies that do not address how participant NDIS funds are separated, tracked, and reconciled will trigger non-compliance in Module 4.
• Undated or draft documentation submitted: Any document without a current date, version number, or approval signature signals to the auditor that your governance systems are not operational. This is one of the easiest failures to prevent with a final document review before submission.

Getting targeted NDIS audit support before you submit your evidence package significantly reduces the risk of these failure points. A pre-submission review identifies gaps before the auditor does, giving you time to address them without affecting your timeline.

Verification Audit as a Regulatory Growth Entry Point

Providers sometimes approach the verification audit as a compliance hurdle to get past. That framing underestimates its strategic value. Passing your NDIS verification audit is not just a legal requirement – it is your formal entry into the NDIS market for the lower-risk supports sector, which includes some of the highest-volume service categories in the entire scheme.

Plan management alone supports over 200,000 NDIS participants annually. Support coordination is one of the most in-demand services across both urban and regional areas. Passing verification unlocks access to this market. Every day spent on incomplete preparation is a day of lost revenue and delayed growth.

Beyond initial registration, the systems you build for verification – your incident management framework, your complaints process, your workforce governance structure – become the operational foundation of your business. Organisations that build these systems well from the outset grow faster, retain clients longer, and face fewer regulatory disruptions than those that treat compliance as a minimum-effort exercise.

Understanding the full scope of NDIS registration requirements from the start positions you to build a compliant, scalable organisation rather than one that perpetually reacts to regulatory pressure. Verification is the beginning of that journey, and getting it right sets the trajectory for everything that follows.

Providers who invest in compliance infrastructure at the verification stage consistently find that how to pass your NDIS audit becomes less about surviving a review and more about demonstrating the operational excellence that their participants already experience day to day.

How HCPA Gets You Verification-Ready

HCPA’s team of Regulatory Growth Consultants has supported hundreds of providers through the NDIS verification audit process. Our approach is built on one principle: you should pass your audit on the first attempt, fully and without conditions. That is why HCPA carries a 99% first-attempt pass rate across all audit support engagements.

When you work with HCPA on verification readiness, we start by assessing your current compliance position across all four modules. We identify exactly what you have, what you are missing, and what needs to be strengthened before your evidence package goes to the auditor. We do not hand you a generic policy template and wish you luck – we work through your specific registration groups, your service delivery model, and your organisational structure to build an evidence package that genuinely reflects how your organisation operates.

Our consultants understand what approved quality auditors look for at each module. We have reviewed the same documentation types that auditors assess, across dozens of provider types and registration group combinations. That experience translates directly into faster preparation, fewer gaps, and a higher-quality submission for your organisation.

We also support providers post-registration – helping you maintain compliance systems, prepare for audit renewals (every three years), and grow your registration scope as your service offering expands. Regulatory compliance is not a one-time event. It is an ongoing operational discipline, and HCPA is structured to support you at every stage of that journey.

If you are preparing for an NDIS verification audit or want to understand what your current compliance position looks like, book a free consultation with our team. We will walk through your registration groups, your evidence requirements, and a clear plan to get you audit-ready as efficiently as possible.

Do not leave your market entry to chance. Contact HCPA today and let our Regulatory Growth Consultants guide your verification audit from preparation through to registration approval.