
Common Audit Fails

From governance to risk and restrictive practices, Team DSC have encountered some common themes in audit fails. Jess is here to help you avoid the standard pitfalls.

By Jessica Quilty

Updated 15 Apr 2024. Published 19 May 2021.

We have now had a couple of years answering the Team DSC Bat Phone as providers transition into the maze that is the NDIS Quality and Safeguarding Framework. Whilst each organisation is different, there are some prevalent non-conformity themes in the audit reports we see. To help you avoid these common pitfalls, we thought we’d share our audit learnings thus far. 

Governance

Providers are expected to have robust governance and operational management systems in place. These include a defined structure to meet financial, legislative, regulatory, and contractual responsibilities and to monitor and respond to quality and safeguarding matters. Many providers have not clearly identified what their regulatory requirements are, let alone established a robust system to monitor them. Taking the time to clearly define these requirements can help you sleep better and ensure your systems are fit for purpose.

The governing body should have clear oversight of risk in the organisation and an understanding of issues relating to quality and safeguarding such as the prevalence of incidents and any concerning trends. Providers are also expected to provide opportunities for people with disability to contribute to the governance of the organisation and the development of organisational policy and processes relevant to support provision and the protection of participant rights.

Risk Management

Many providers lack a comprehensive risk management system that manages the full range of risks, including participant, financial, work health and safety (WHS), and service provision risks. The standards require that support delivery be linked to a risk management system which includes incidents, complaints, WHS, human resources, financial management, information management, and governance. Many providers have the humble home risk assessment from the HACC days that detects trip hazards and barking dogs, but organisational risk as a whole is not always comprehensively assessed. Beginning with an organisational risk register can be a great way to start approaching risk at the broader level before doubling down on the controls. We also need to consider that different participants will have different risks in their lives depending on their individual circumstances, support type, living arrangements, health, disability, and informal supports. The days of a one-size-fits-all risk response are over. Risk management needs to be highly individualised, proportionate, and support the dignity of risk.


Behaviour Support and Restrictive Practices

Another source of compliance pain is in the super complex behaviour support and restrictive practice regulation. Implementing providers need to have a comprehensive system in place to meet the requirements of Module 2A (Implementing Behaviour Support Plans) and the NDIS (Restrictive Practices and Behaviour Support) Rules. They also need to ensure that they understand and comply with state or territory requirements, including authorisation where applicable. It is important that everyone in the organisation understands their requirements and that authorisation and reporting systems have been established. If the use of restrictive practices is required, implementing providers must take all reasonable steps to facilitate the development of behaviour support plans by specialist behaviour support providers. Some providers have been followed up with compliance notices after failing to take these reasonable steps (or maintaining records of the steps they have taken). Reasonable steps are outlined in this document. If your delay is due to lack of funding or the inability to engage a practitioner, make sure your documentation is sound and you seek regular advice from the NDIS Quality and Safeguards Commission.


High Intensity Supports

Another area where we see providers landing in hot water is the provision of high intensity supports. If you are delivering any of the following, you need to make sure your participants have a support plan developed by an appropriately qualified health practitioner and that your staff’s skills, knowledge and training are consistent with the High Intensity Skill Descriptors. You also need to have relevant policies and procedures that govern these high-risk supports:

  • Complex Bowel Care
  • Tracheostomy Management
  • Catheter Care
  • Subcutaneous Injections
  • Complex Wound Management
  • Ventilatory Management
  • Enteral Feeding and Management


Accessibility of information

Pay attention to the standards that state that something is provided in the “language, mode of communication and terms that the participant is most likely to understand”. If your customer-facing information is complicated and inaccessible to participants, you can expect some non-conformities. This is particularly the case for service agreements!


Incidents and Complaints

Now, I don’t see as many non-conformities here, but I just want to highlight that the NDIS Commission has really specific requirements about what your system must do. Get across the Rules, including what your procedures need to cover and your record-keeping requirements.


You bought a Policy Manual

This message might lose me a few friends, but many callers to the Team DSC Bat Phone purchased a policy manual that claimed to solve all their compliance problems for them. It is not so much a problem if you source some templates and mould them to your business, but you need to know what is in your policy manual and it should reflect the work that you do. I have seen many comments in audit reports referring to “the organisation’s purchased policies and procedures”. IMHO, the idea that an equipment provider can operate off the same policies and procedures as a supported independent living provider is flawed. Why? Because they do different things. Policies and procedures are not just about paying lip service to the standard to cover your compliance butt. The policy really needs to establish your organisation’s commitments, and your procedures need to guide your important work, so make sure they are fit for purpose.


Quality Management

The requirement to have a quality management system is quite new to some providers who haven’t undergone, say, an ISO 9001 audit. Most organisations have something in place but haven’t always clearly defined it. The requirement to perform internal audits is also a new concept for many providers. Don’t get caught out. Develop a schedule of audits and a few tools to check that you are doing what you say you are doing. This not only demonstrates a commitment to continuous quality improvement but also helps prepare for the external audit.


A bit about evidence-based auditing

Under the audit guidelines, the auditor needs to use evidence-based auditing, which means they don’t just look at your policies and procedures in isolation. They check them against participants’ experiences, your records, and interviews with staff. These different sources should share a consistent narrative (remember, you can test this with your internal audit). Don’t trip yourself up by committing to doing things you aren’t going to do. You can avoid this by developing procedures that help deliver those practice standard outcomes for people and are fit for purpose, practical, and easy to follow. We know this is a pretty wild concept – policies and procedures that are useful – but look, we totally recommend you give it a crack!


Jessica Quilty
