New website upgrades! What’s new

Auditing in a Pandemic

We’ve been fielding loads of questions about what audits might look like in a COVID-19 environment. We don’t have all the answers yet but Jess takes a look into into this evolving new world.

By Jessica Quilty

Updated 15 Apr 202422 Apr 2020

The NDIS Quality and Safeguards Commission (NDIS Commission) recently put out advice regarding audits acknowledging:

  • The critical focus for NDIS providers right now is managing infection risk and business continuity.
  • This will likely affect audit readiness and capacity (particularly on-site activities).

Auditors have been instructed to:

  • Review audit practices to minimise risk of exposure to COVID-19.
  • Engage with providers scheduled for upcoming audits to confirm availability to continue.
  • Delay or reschedule audit dates where providers are not in a position to proceed.

The NDIS Commission has advised that it has written directly to registered NDIS providers who are due to commence the registration renewal process, or who have commenced the process. They have advised providers about variations that have been made to their registration, to allow additional time to complete the registration renewal process, including audits.

What does this mean for my organisation?

It depends on your organisations’ situation, any registration monitoring and where you are within the audit cycle - the Commission is providing targeted advice. We’ve heard some providers have had their audit times extended, others are continuing with the audit process as per schedule, but remotely.

Remote auditing

Where practicable, many NDIS approved auditors are continuing with their audit activities remotely. The NDIS (Approved Quality Auditors Scheme) Guidelines 2018 require that auditors be accredited to the IAF MD4 standard to undertake remote off-site stage 2 auditing.

The IAF MD4 standard refers to the Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing/Assessment Purposes.  

The IAF MD4 states that as information and communication technology (ICT) becomes more sophisticated, it can be used to optimise audit assessment effectiveness and efficiency, and to support and maintain the integrity of the auditing process.

Examples of the use of ICT during audit assessments may include:

  • Meetings through teleconference facilities, including audio, video and data sharing – for example remote interviews with staff and Participants.
  • Document and record audit through remote access – for example access to staff and Participant files, complaint and incident records.
  • Recording of information and evidence through still video, video or audio recordings – for example a visual inspection of sites.
  • Providing visual/audio access to remote or potentially hazardous locations.

 The objectives of IAF MD4 are:

  • To provide a methodology for the use of ICT that is sufficiently flexible and non-prescriptive to optimise the conventional audit process.
  • To ensure that adequate controls are in place to avoid abuses that could compromise the integrity of the audit process.
  • To support the principles of safety and sustainability measures to ensure that security and confidentiality is maintained throughout audit activities.


So how can providers prepare for remote audit activities?

  • Request an audit plan from your auditor - the audit should follow the same methodology of a conventional on-site audit.
  • Identify each stage of the audit process and what technologies are available. For example do all the key personnel who would normally be at an opening meeting have access to teleconferencing to enable participation?
  • Identify which Participants have been selected to participate in the audit and what technologies they have access to e.g. telephone, video conference etc.
  • Identify what support Participants and staff will require to participate remotely.
  • Ensure confidentiality of responses so views can be shared openly with auditors.
  • Update any confidentiality agreements.
  • Establish which records the auditor will want to review and how they can be made available e.g. remote desktop access, file or screen sharing.
  • Ensure the security of information is upheld in a remote environment. The IA4 MDF iterates that the security and confidentiality of electronic or electronically-transmitted information is particularly important when using ICT for auditing purposes. The Office of the Australian Information Commissioner (OAIC) has released privacy guidance to help organisations keep workplaces safe and handle personal information appropriately as part of their COVID-19 response.
  • Use this opportunity to identify how you can leverage ICT to share information, communicate and check in with staff and Participants beyond the audit process.
  • If you have any concerns just talk them through with your auditor.

What are auditing bodies saying?

Some approved auditing bodies have published their response to COVID-19 and remote stage 2 auditing on their website – see below:


If you are concerned

If you have concerns that audit preparation will likely take the focus away from your core important work of keeping people safe, you should chat to your auditor to discuss your situation. The Commission has advised it will continue to monitor the impact of COVID-19 and will make further adjustments to providers’ registration where necessary. If providers have a query about their registration renewal they can contact the Provider Registration team at [email protected] or on 1800 035 544.


Jessica Quilty

Explore DSC

Subscribe to the newsletter you’ll actually want to read

Learn from the humans obsessed with Australia’s NDIS. 50,000 readers strong.

Explore DSC Learning