"Audit-ready" is one of those NDIS sector phrases that gets used so loosely it's almost meaningless. Vendors slap it on anything they want to sell you. So let's be specific: an audit-mapped NDIS document is one structured to meet the evidence requirements of the NDIS Practice Standards, customised to your operation, version-controlled, cross-referenced, acknowledged by staff, and with an implementation record. The seven tests below are what an Approved Quality Auditor runs in the first five minutes of opening your policy binder — and what we built into all 74 documents in the Complete SIL Kit.
What "audit-ready" actually means
Important framing: audit-ready means the document is structured to meet evidence requirements. It does not mean it will pass an audit on its own. A document survives audit when it has the seven properties below AND the manager can explain what it says AND staff can describe how they follow it AND the implementation record exists. Documents are necessary, not sufficient. Anyone selling a kit that promises "100%" anything on the documents alone is overselling. See our 5 reasons SIL providers fail audits for the policy-practice gap — the most common failure mode that documents alone cannot solve.
Test 1: Does it have a document control box?
The first thing an auditor opens a policy file and looks for: a control box at the top of the document showing title, document number, version, approval date, next review date, owner/author, and the relevant NDIS Practice Standard reference. No control box = the document looks ad-hoc, the document looks not-managed, the document loses credibility before the auditor has read a single paragraph. Auditors expect this on every policy, every procedure, every form, every register.
Fail example: a Word doc titled "Incident_Policy_v3_FINAL_FINAL.docx" with no header metadata, no review dates, no author.
Pass example: the document opens with a 6-row control table (title, doc number, version, approved date, next review date, NDIS Practice Standard ref) before any content.
Test 2: Does it reference the Practice Standard?
Every policy and procedure must explicitly reference which Practice Standard Outcome it addresses. The Outcome 2.4 Incident Management policy should say "This policy addresses NDIS Practice Standards Core Module Outcome 2.4." The Outcome 1.5 Complaints policy should say "This policy addresses NDIS Practice Standards Core Module Outcome 1.5." Without the reference, the auditor has to guess which Quality Indicators your document satisfies — and auditors don't guess in your favour.
If you're not sure which Outcome a given policy maps to, our SIL Audit Survival Guide maps every one of the 65 kit documents to a specific Practice Standard Outcome.
Test 3: Is it customised to your operation?
Auditors recognise templates downloaded from the internet. They see hundreds of them per year. A template that still says [YOUR ORGANISATION NAME] or [INSERT ABN HERE] is the same as no document — worse, because it suggests the policy isn't real. Every kit document we ship has highlighted placeholders specifically so you cannot miss them. The customisation loop:
- Run Find & Replace across all docs for your organisation name, ABN, key personnel, addresses
- Read each document to add any operational specifics (your specific SIL house addresses, your staff structure, your participant population)
- Have someone else read each doc to catch un-customised placeholders
- Approve the document (manager sign-off in the control box)
This is what Doc 65 (the implementation README) in the kit walks you through. Customisation takes 4-8 focused hours for a 74-doc pack. Not 4-8 weeks of "as I get to it."
Test 4: Is it version-controlled?
Document control isn't optional — it's NDIS Practice Standards Outcome 2.5 (Information Management). The kit's Doc 48 (Document Control Register) lists every policy with its current version, last approval date, next review date, and document owner. An auditor opens the register, picks three random documents, and checks that the version they're holding matches the version in the register. If those don't match, you've got a Document Control non-conformance and an auditor who now trusts the rest of your documentation less.
This is also why a vendor-supplied kit must ship with the document control register pre-populated. If you have to invent it after purchase, you've doubled the customisation work for no reason.
Test 5: Does it cross-reference related documents?
The 32 NDIS Practice Standards Outcomes don't live in isolation. An incident triggers a complaint sometimes (1.5), a reportable incident notification sometimes (2.4), a risk register update sometimes (2.2), and a continuous improvement entry sometimes (2.3). An audit-ready Incident Management Policy references its related documents: the incident report form (Doc 26), the incident register (Doc 41), the reportable incident quick reference (Doc 62), the complaints policy (Doc 02), the risk register (Doc 47), and the continuous improvement register (Doc 43). Auditors follow these cross-references to test whether the whole system hangs together.
This is one place where cheap kits really do fall apart: each document was written in isolation, so cross-references are missing or inconsistent. Our 74-doc kit was written with the cross-reference map drawn first — every policy references the forms and registers it actually depends on.
74 documents that pass all 7 tests
Document control box, Practice Standard reference, customisable placeholders, version-controlled, cross-referenced, staff acknowledgement section, implementation guidance. $297 early bird.
See what's in the kit →Test 6: Does staff acknowledgement evidence exist?
Test 6 lives outside the document itself: every policy that staff must follow needs an acknowledgement record proving staff have read and understood it. The Doc 31 (Code of Conduct Acknowledgement) is one example — every staff member signs that they've read the Code, dated, kept on file. The Doc 46 (Code of Conduct Training Register) is the master list of who has been trained on what, when. Together they answer the auditor question: "do your staff actually know what this policy says?"
For policies without a formal acknowledgement form, the implementation pattern is: manager runs a 15-30 minute training session on each major policy, staff sign an attendance record, and the attendance record goes into the training register (Doc 45). Three policies per session, one session per fortnight, the full kit gets through staff training in 8-10 weeks. Audit interview questions test this — auditors will ask staff "when did you last get training on incident management?" and the answer needs to match the register.
Test 7: Is there an implementation record?
The seventh test is the one that breaks "documents only" kits. An audit-ready policy needs an implementation record that shows the policy in operation. Examples:
- Incident Management Policy: the implementation record is the incident register with at least one completed entry. (Auditors don't expect zero incidents — they expect a working incident-handling process.)
- Risk Management Policy: the implementation record is the risk register with current entries reviewed in the last quarter.
- Internal Audit Policy: the implementation record is the schedule (Doc 51) plus at least one completed internal audit report (Doc 52).
- Worker Screening Policy: the implementation record is the worker screening register (Doc 44) with every staff member's clearance number, issue date, and expiry date.
- Support Delivery Policy: the implementation record is shift notes / progress notes in every participant file, showing day-to-day evidence of support delivery (this is where the free Notes Rewriter earns its keep — staff use it daily to write Practice-Standards-aligned notes).
If a kit only ships policies (Test 1-5) but no forms or registers (Test 6-7), it's solving half the problem. The reason our kit is 74 documents instead of 25 is because the 40 forms-and-registers half is where audits actually get won or lost.
How to apply all seven before audit
Work through this sequence at least 6-8 weeks before your booked certification audit:
- Spot-check Test 1 across every document. Open 5 random docs from your binder. Is the control box present and populated? If any is missing, fix that first.
- Map every doc to its Practice Standard (Test 2). Use Doc 63 (Audit Evidence Checklist) in the kit, or our SIL Audit Survival Guide. Every Outcome needs at least one document; every doc needs to reference its Outcome.
- Run Find & Replace to nail Test 3. Search the whole folder for
[YOUR ORGANISATION,[INSERT,[ABN,[ADDRESS. Zero results means you've customised cleanly. - Build the Document Control Register (Test 4). Doc 48 in the kit ships pre-populated; you just update version numbers as you approve each doc.
- Trace one cross-reference chain (Test 5). Pick the Incident Management Policy and follow every cross-reference it makes. Each referenced document should exist and be the version listed in the control register.
- Run staff acknowledgement training (Test 6). See section above — 8-10 weeks at 3 policies per fortnight.
- Populate the registers (Test 7). Even if you're a new provider, every register should have at least a "register established" entry plus any operational entries since.
For the broader pre-audit picture, our 2026 audit checklist walks through every Outcome in detail. For the audit day itself, the audit-day checklist covers the operational specifics. And if you want every one of the 65 kit documents pre-built with the seven tests already baked in, the Complete SIL Kit ($297 early bird, GST-inclusive AUD) is built around exactly this checklist.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.