Understanding Payment Integrity Audits

Payment Integrity Audits. Even the name sounds scary. But they don’t have to be. Rob unpacks everything you need to know about what they are, the evidence the NDIA asks for and how providers can prepare.

By Rob Woolley

Updated 24 Feb 2025 · 25 Feb 2025 · 8 min read

I used to think the scariest thing imaginable was a knock on my door when I wasn’t expecting anyone, or a group facilitator saying “let’s go around the circle and say something interesting about ourselves”. That was until the rollout of the NDIA’s Payment Integrity Audits (PIAs). True terror.

I’m (half) joking - a PIA doesn’t have to be as scary as those things. But it may come as an unwelcome surprise.

Let’s unpack what a PIA is, how they work, the evidence the NDIA asks for, and how providers can prepare.

What is a Payment Integrity Audit?

A PIA is when the NDIA asks for further information about NDIS claims. This generally falls into two categories:

  • Pre-Payment Integrity - after a claim has been made but before the NDIA pays it.
  • Post-Payment Integrity - after a claim has been paid by the NDIA.

PIAs can be random, or prompted by a third party tip-off, or specific red flags raised within the NDIA’s systems.

PIAs can happen to Agency-, Plan- or Self-Managed claims. But anecdotally we are seeing more for Agency- and Plan-Managed claims.

They can also happen to both registered and unregistered providers, and for any service type. Although, there seem to be some services that are experiencing more PIAs (including Short Term Accommodation, Supported Independent Living, Support Coordination and some Allied Health supports).

Payment Integrity Audits are conducted by a dedicated team within the NDIA, not Planners or LACs. And it seems those teams are being beefed up significantly. Late in 2024, lots of job ads went live for senior roles in the Scalable Responses team, Claims and Payments team, and the Fraud team.

What is their purpose (other than to put providers through the wringer)?

The clue is in the name - PIAs are checking the integrity of NDIS claims. These enquiries might be about genuine fraud or misuse of funds, but many are about checking that the provider is billing against the person’s plan correctly. This is a tad tricky for providers at the moment, given all the discrepancies between the updated NDIS Act, the PAPL, Operational Guidelines, Frequently Asked Questions on the NDIA’s website, and whatever answer we get from Provider Support on that particular day.

I sound cynical, but that’s partly cos I’m English so I didn’t see the sun in my childhood. I’m not against PIAs as a tool for picking up genuinely dodgy practices… but they are also a blunt tool that creates a mammoth amount of work for providers doing the right thing.

How do they work?

Generally, the NDIA will email the provider to inform them a PIA is being conducted, often as a Request for Information with a reference number. The email will specify whether specific invoices are being audited, or all services for a particular participant, or all services billed in a time period.

If the NDIA hasn’t paid the claims yet, the funds will be frozen until the PIA is completed. If the claims have already been paid, the PIA can go one of two ways:

  • If the NDIA is satisfied that the claims were legitimate, no further action is taken.
  • If the NDIA isn’t satisfied with the evidence provided, the NDIA can retrospectively ‘cancel’ the payment and deduct this amount from the next claim made by the provider.

As an example, let’s say a Plan Manager processes a claim for a Short Term Accommodation (STA) service totaling $12,000. The NDIA pays the claim. Several weeks later, the NDIA conducts a Post-Payment Integrity Audit on the STA claim and is not satisfied with the response. The NDIA would inform the Plan Manager and withhold $12,000 from the Plan Manager’s next claim.

The Plan Manager might try to pass the debt on to the STA provider, or the STA provider might try to claim it from the participant. Or the Plan Manager might just eat the debt - but that’s not very financially sustainable!

And $12,000 can be on the light end - we’ve heard of claims well into six figures being retrospectively cancelled due to a lack of evidence provided.

What evidence does the NDIA ask for?

The evidence the NDIA asks for is varied, and might be individualised to specific services or concerns. But broadly, PIAs might ask:

  • Whether the service was funded or mentioned in the Plan.
  • The purpose of the support/service and a description.
  • Evidence that the person agreed to the service.
  • Case notes, support plans and support logs related to the services in question.
  • Copies of timesheets and rosters.
  • Copies of all invoices for specific participants.
  • Evidence of what activities were completed during the service.
  • Copies of Service Agreements related to the services and participants in question.
  • Travel logs for provider travel and mileage logs for transport services.
  • Evidence that supports were capacity building and offered value for money.
  • For some services, why that support was required instead of a cheaper option. E.g. why was 1:1 necessary rather than 1:3? Or why was High Intensity Support required rather than Standard Intensity?

In case you weren’t sure - yes this can be a huge amount of information to collect.

What can providers do to prepare for an audit?

The first thing to do is not to panic. Easier said than done, I know. But not responding to a PIA isn’t an option, and the longer a provider takes to collate the evidence, the longer until the payment is resolved. In a recent legal case, the NDIA stated that the median amount of time it takes to complete this kind of investigation is 60 days, so the sooner we start that clock running, the sooner it will be completed. However, I’ve also heard of situations where the NDIA has completed the audit and released payment in a handful of days.

So, keep calm, while at the same time dropping everything to respond. Legal advice is an option but doesn’t guarantee success.

The changes to the NDIS Act in 2024 (specifically Section 45A) stacked the odds in the NDIA’s favour by making it clear that information needs to be provided in the “approved form” determined by the NDIA. PIAs can be held up if the NDIA needs to come back to the provider because the information isn’t in the right format (this will be outlined in the original email/letter), or if they can’t access the information (if it’s in something like a Dropbox folder). So double and triple check that you’re collecting and collating information in the correct format.

Provide the information requested, but it also pays to know when to push back and escalate. I’ve seen Requests for Information that are requesting information based on questionable billing rules. The NDIA is not a perfect machine. So it sometimes helps to ask for further clarity or to escalate it within the NDIA.

And as always, an ounce of prevention is worth a pound of cure. So providers should be building their record keeping and invoicing systems with PIAs in mind.

If the idea of a PIA makes you understandably anxious, check out our workshop: Succeeding at Payment Integrity Audits.
