Inside the Quality Auditor Guidelines

Wondering how the NDIS audit process is going to go down? Jess delves deep into the NDIS Quality Audit Guidelines to explain how your organisation is going to be assessed at audit time.

By Jessica Quilty

Updated 15 Apr 2024 | 20 Nov 2019

Audits can be daunting, particularly if this is your first rodeo. To help soothe the nerves, it’s useful to understand what the process will look like, what you can expect from your auditor, the assessment criteria and what happens if you get a non-conformity. Hopefully you can get some information from your auditing body, but if you aren’t there yet, there is a wealth of information in the NDIS (Approved Quality Auditors Scheme) Guidelines 2018. If you are too busy running your organisation to decipher the 54 pages, here are a few key takeaways.

Getting started

When you renew or make an application for registration for the first time you will need to undertake a self-assessment against the NDIS Practice Standards.

  • Once you’ve done this you will receive an initial ‘scope of audit’ document that you can provide to as many auditors as you like for a quote.
  • If you are in scope for a verification audit, but the cost of undertaking a certification audit would be less (very unlikely), then the auditor should supply a quote for both for you to choose from (unfortunately this doesn’t apply in reverse).
  • Once the preferred auditor has been selected, you can provide them with a unique reference number so they can access your records on the NDIS Commission system.
  • Prior to conducting the audit, the auditor will review the initial scope of audit with you and confirm all the details like registration groups, number of Participants, workers etc.
  • The auditor can update your provider record on the Commission’s system to accurately reflect the scope of audit or other details you have provided.
  • The agreed final scope of audit is provided to the Commission, and shared with you, the provider.
  • Next you get ready for audit!

Stage 1 audit – verification and certification audits

Both verification and certification audits have a stage 1 component. The difference is that verification audits only have the one stage, whereas certification audits will go on to a stage 2 audit. Stage 1 is generally conducted offsite unless you choose to combine it with your stage 2 onsite. Unless there is a reason, such as a cost saving, combining them may not necessarily benefit a provider.

The auditor will review:

  • the self-assessment responses you completed in the NDIS portal and the other documents you submitted to be reviewed e.g. policies, procedures, forms, qualifications etc.
  • any prior NDIS provider certification or verification outcome, corrective actions and audit report, if applicable, and
  • any additional requirements raised by the Commission.

Stage 1 findings

Prior to undertaking a stage 2 certification audit, the auditor must give you the findings of the stage 1 audit. This must be done two weeks prior to your stage 2 audit if a non-conformity has been found, or one week if no non-conformities have been identified. We hear that this is not always happening, so confirm those timeframes with your auditor.

If the audit team believes you are unlikely to be suitably prepared for your stage 2 audit, they will inform you and the Commission that the next stage is likely to be delayed while you address the non-conformities.

The stage 1 findings should include:

  • whether the range of documents and information supplied displayed sufficient content to meet the requirements of the relevant NDIS Practice Standards; and
  • clear identification of the registration class(es)/groups that will be included in the audit, key personnel, number of Participants, and a proposal for how key personnel and Participants are best involved in the audit.

This information should help you prepare for your stage 2 and make sure everyone is available to participate.

Stage 2 audit (certification only)

Stage 2 audits should commence within three months of the completion of the stage 1 audit and are generally done onsite unless an exemption applies (see more about exemptions below). If you have a number of sites the auditor may visit a sample of those. So what can you expect in a stage 2 audit?

  • The auditor should develop an audit plan that is proportionate and incorporates all the required information, seeking your written agreement to the plan. 
  • The auditor will visit you to evaluate the effectiveness and implementation of your systems in meeting the NDIS Practice Standards.
  • This generally involves viewing practices, and records and speaking with staff and Participants to validate your systems.

In summary, the stage 2 audit seeks to validate that you are doing what you say you are doing in your documents and that you are achieving those practice standard outcomes. We cannot stress how important it is to align practice with policy. We talk more about this in past articles – A new way of thinking about quality, practice makes perfect.

Opt-Out sampling

Opt-out sampling is used, which means you need to advise all your Participants that they are automatically enrolled into the audit process (i.e. they may be contacted by the audit team for interviews and/or have their files, records or plans reviewed to ensure compliance with the standard). In the event that a Participant does not want to participate in this audit process, you need to document and communicate this to your auditor. Prior to commencing the inspection and interviews, you must obtain informed consent from each Participant selected to be part of the audit.

Remote stage 2 auditing

In limited circumstances the auditor may conduct a stage 2 audit remotely where it is appropriate to proportionality, the auditor is accredited to IAF MD4 and at least one of the following applies:

  • the NDIS provider operates in remote or regional areas (as defined within the Accessibility/Remoteness Index of Australia)
  • the NDIS provider operates from virtual sites; or
  • the NDIS provider provides classes of supports involving limited interaction with Participants.

Mid-term audits

Mid-term audits are conducted within 18 months of a certification audit unless one of the exceptions below applies. The mid‑term audit will review:

  • The Governance and Operational Standards within the Core Module
  • Any standards that required a corrective action plan in the last certification audit
  • Any additional standard specified by the Commission
  • Any additional modules you are required to be certified against as a result of updating your organisation’s registration groups with the Commission (if applicable).

Mid-term audit exemptions

You don’t have to have mid-term audits if:

  • You are registered for specialist disability accommodation (SDA) only (add just one extra registration group and that changes)
  • You are an individual or partnership and registered for early intervention supports for early childhood only
  • You only require a verification audit.

Complicated huh?

Provisional audits

Provisional audits apply to providers registering as a new provider (that will be subject to certification) that have not yet commenced service delivery. The audit is designed to check if you are ready to provide services, so you need to have your documented processes and infrastructure set up and ready to go.

A provisional audit consists of:

  • a stage one audit (off-site), and
  • an initial stage two onsite audit without full sampling – for example it does not require witnessing or interview because it occurs prior to service commencing
  • this could also be done as a combined onsite audit.

The outcome of a provisional audit is a qualified certification decision. A further stage 2 audit will be required once you are commencing services (generally no later than the first mid-term audit).

Number of auditors

Certification or Recertification Audit = at least two auditors.

Provisional Audits, Mid-term Audits and Verification Audits = at least one auditor.

*Note the Commission can grant special approval for just one auditor in exceptional circumstances.


So how do you get assessed? There are four possible scores against each practice standard – note these are taken directly from the Guidelines:

3 - Conformity with elements of best practice - The NDIS provider can clearly demonstrate conformity with best practice against the criteria. Best practice is demonstrated through innovative, responsive service delivery, underpinned by the principles of continuous improvement of the systems, processes and associated with the outcomes.

2 – Conformity - The NDIS provider can clearly demonstrate that the outcomes and indicators are met as proportionate to the size and scale of the provider ‑ evidence may include practice evidence, training, records and visual evidence. This would mean there was negligible risk and certification can be recommended.

1 - Minor Non-conformity – A rating 1 will require a corrective action plan which reduces the likelihood of any risks identified occurring or impacting participant safety before certification or verification can be recommended ‑ one of two situations usually exists in relation to minor non‑conformity:

  • There is evidence of appropriate process (policy/procedure/guideline etc.), system or structure implementation, without the required supporting documentation
  • A documented process (policy/procedure/ guideline etc.), system or structure is evident but the provider is unable to demonstrate implementation review or evaluation where this is required

0 - Major Non-conformity - The NDIS provider is unable to demonstrate appropriate processes systems or structures to meet the required outcome and indicators and/or the gaps in meeting the outcome present a high risk ‑ Three Minor Non‑Conformities within the same module may also constitute a Major Non‑Conformity ‑ A rating of 0 will preclude a recommendation for certification.

Timeframe for correcting Non-conformities

The auditor will require you to present a corrective action plan within seven calendar days of written notification of the non-conformity.

Major Non-conformities

The auditor will review the implemented corrective actions within three months of receiving the corrective action plan and can, if necessary, conduct an on-site follow up.

  • Critical risks or other serious matters would normally require an on-site follow up or re-audit within three months.
  • Major non-conformities that are not downgraded or closed within three months will result in automatic suspension of the certification.

Minor Non-conformities

  • Minor non-conformities must be closed out within 18 months, otherwise they will be escalated to a major non-conformity.
  • If a minor non-conformity has been escalated to a major non-conformity, it must be closed out within three months. Failure to do so will result in automatic suspension of certification (i.e. you can’t just downgrade it back to a minor non-conformity).
  • If a major non-conformity was downgraded to a minor non-conformity you must have fully closed it out within 12 months of the original finding otherwise your certification will be automatically suspended.

Where the auditor has raised a major or minor non-conformity, the relevant NDIS Practice Standards will be audited at the next mid-term or recertification audit (whichever comes first) to ensure that the processes developed as part of the corrective action plan have been put into practice.

The NDIS Commission makes the decision

Once the audit has been completed, the auditor will submit their outcome to the NDIS Commission to make a decision. The NDIS Commission assesses your application considering the outcomes of the audit and an assessment of the suitability of your organisation and key personnel. Once the Commission makes a decision, they will contact you to let you know the outcome and the reasons. Some applications take longer to process than others. The timeframe depends on various factors, including the size and scale of your organisation, as well as the complexity and range of supports and services you deliver.

For successful applicants: you will receive a certificate of registration outlining the services or supports you are registered to provide, the period of registration, and any conditions you must follow.

For unsuccessful applicants: you may contact the NDIS Commission to request a review within three months of the decision. If your application is still unsuccessful following the review, you may seek a further review by the Administrative Appeals Tribunal. See NDIS Commission Website.

Recertification / reverification

You will have a recertification or reverification audit every third year but no earlier than six months before the registration renewal date. It’s always a good idea to give yourself between 3-6 months to make sure you have time to address any of those non-conformities. Your head might be spinning right now, so that might be a conversation for another day.

This is just a quick review of the points we find most relevant for providers to be across. If you want more detail on sampling methodology and all that fun stuff, here is some great bedtime reading: NDIS (Approved Quality Auditors Scheme) Guidelines 2018.

