What is the minimum content a consent policy must contain to pass an NDIS audit?

At a minimum, your consent policy must define informed and voluntary consent, explain how participants can withdraw consent at any time, describe how you support participants with reduced decision-making capacity, cover the role of authorised representatives, and specify how consent is documented and reviewed. Auditors also expect the policy to address specific high-risk consent situations such as restrictive practices and information sharing.

How often should a SIL provider review participant consent forms?

Best practice, consistent with NDIS Practice Standards expectations, is to review consent documents at least annually and whenever there is a significant change in the participant's circumstances, capacity, or support needs. Auditors check whether reviews have actually been conducted and recorded — not just whether a review schedule is written in the policy.

Does consent need to be in writing for NDIS audit purposes?

Written consent is strongly recommended and is the standard auditors expect to see in participant files. Where a participant communicates via AAC or other methods, the method of consent should be recorded in the file alongside any supporting documentation. Verbal-only consent with no contemporaneous record is a common audit finding.

What happens if a participant lacks capacity to consent to a support?

Your policy must describe how you identify and respond to reduced decision-making capacity. Where a participant cannot consent independently, consent is typically sought from an authorised representative (such as a guardian or nominee). Auditors check that your records document who provided consent, on what basis, and that the arrangement is reviewed as capacity may change over time.

Is consent training for staff a separate audit requirement?

Yes. Auditors request training records as part of their evidence review and interview staff to assess whether training has translated into practice. Training records must show that all staff delivering supports have received induction training on the consent policy and any relevant refresher training following policy updates.

Can a participant withdraw consent from a restrictive practice mid-plan?

Yes. Participants or their authorised representatives can withdraw consent for a regulated restrictive practice at any time. When this occurs, your policy must specify immediate steps — including notifying your Behaviour Support Practitioner and ceasing the practice — and how the change is documented. Auditors pay close attention to whether this process is actually followed in practice.

NDIS Consent Policy: What Auditors Look For

Why Consent Policy Is a Priority Audit Target

Consent sits at the intersection of nearly every NDIS Practice Standard. It underpins supported decision-making, restrictive practice authorisation, information sharing, and service agreements. For Supported Independent Living (SIL) providers in particular, where participants live in shared environments and rely on staff for daily support, the risk of consent being implied rather than genuinely given is high.

The NDIS Commission's approved quality auditors are trained to look beyond a document on paper. They assess whether consent is embedded in your operations — from intake through to exit — and whether participants with complex communication needs receive the same standard of consent practice as everyone else.

With the strengthened NDIS Practice Standards taking effect, the audit lens on consent has sharpened considerably. Providers who treat consent as a single form at onboarding are regularly finding conformance gaps during certification and verification audits.

The Core Standards Auditors Apply

Your consent policy must be assessed against several overlapping frameworks:

NDIS Practice Standards — Rights and Responsibilities: Participants must be supported to exercise choice and control, including the right to make decisions about their own lives and to provide or withdraw consent freely.
NDIS Practice Standards — Support Provision: Consent must be documented before supports commence and refreshed when supports change materially.
NDIS Practice Standards — Governance and Operational Management: Your organisation must have a documented policy, assign responsibility for consent management, and ensure staff are trained.
Restrictive Practices: Any use of regulated restrictive practices requires participant consent (or, where the participant lacks capacity, consent from their authorised representative) alongside state or territory behaviour support approval. Auditors treat this as a separate but connected consent stream.
Privacy Act 1988 (Cth): Consent to collection, use, and disclosure of personal information must be documented and aligned with your Privacy Policy.

Exactly What Auditors Check: An Audit Lens Walkthrough

The following reflects the standard audit methodology used by approved quality auditors conducting certification or verification audits against the NDIS Practice Standards.

1. Policy Document Review

Auditors request your consent policy and look for the following elements:

A clear definition of consent that includes voluntariness, capacity, specificity, and the right to withdraw at any time without penalty
How your organisation supports participants with diminished or fluctuating decision-making capacity (including supported decision-making approaches)
The role of authorised representatives, nominees, and guardians — and how their authority is verified and recorded
How consent is obtained for specific high-risk activities including sharing personal information with third parties, photography and video, restrictive practices, and changes to support arrangements
Version control, review frequency (auditors commonly expect at least annual review), and document approval authority

2. Staff Interviews

Auditors interview a sample of direct support workers and team leaders. Common questions include:

"What do you do if a participant says they don't want to do something today?"
"How do you record that a participant has given consent for a support?"
"What would you do if a participant's decision-making capacity appeared to change?"

If staff responses are inconsistent with your written policy, this is typically recorded as a non-conformance — even if the policy document itself is sound. The gap between policy and practice is one of the most common audit findings in SIL environments.

3. Participant File Review

Auditors sample participant files and look for:

Document	What Auditors Verify
Service agreement	Signed, dated, current — participant or representative signature confirmed
Consent to share information forms	Specific (names the recipient), dated, not open-ended
Photography/media consent	Separate from general consent; reviewed at least annually
Restrictive practice consent	Aligned with the behaviour support plan; authorised representative documented where relevant
Communication support records	Evidence that AAC, interpreter, or Easy Read materials were used where needed

4. Training Records

Auditors check that all staff who deliver supports have completed consent training. They look for:

Induction training covering your consent policy
Refresher training records — particularly after policy updates
Any scenario-based or competency-assessed training for high-risk consent situations (such as restrictive practice or health procedures)

5. Complaints and Incident Records

Auditors cross-reference consent with your complaints and incident register. They are looking for patterns that may indicate systemic consent failures — for example, repeated incidents where a participant was not given choice about an activity, or complaints relating to information being shared without permission.

Common Non-Conformances — and How to Fix Them

Non-Conformance 1: Generic or blanket consent forms

A consent form that covers everything in one signature does not meet the specificity requirement. Auditors look for consent that is purpose-specific. Fix: Use separate consent documents for information sharing, media, restrictive practices, and health procedures. Each form should name the purpose, the parties, and the duration.

Non-Conformance 2: No supported decision-making process documented

If your policy does not describe how staff support participants with cognitive impairment or communication needs to make genuine decisions, this is a gap. Fix: Add a section on supported decision-making frameworks, including how communication supports are arranged and documented.

Non-Conformance 3: Consent forms that are never reviewed

A consent form signed at intake and never reviewed becomes stale — especially as participants' circumstances, capacity, and support needs evolve. Fix: Build consent review into your annual planning cycle and record each review in the participant file.

Non-Conformance 4: Staff unable to articulate the policy

Policy-to-practice gaps are cited repeatedly in audit reports. Fix: Scenario-based training, not just policy read-and-sign, embeds understanding. Run brief team meeting exercises on common situations: what happens if a participant withdraws consent mid-support? What if a participant's guardian disagrees with the participant?

Non-Conformance 5: Inadequate record of capacity assessment process

Where a participant's decision-making capacity is in question, auditors expect to see a record of how this was assessed and by whom, and how the decision to involve a representative was made. Fix: Document the capacity assessment process in your policy and record outcomes in the participant file.

A Realistic Policy Excerpt (Template Snippet)

The following is an illustrative excerpt from a consent policy clause. Adapt it to your organisation's processes and have it reviewed by a compliance professional.

3.2 Withdrawal of Consent

A participant or their authorised representative may withdraw consent for any support or information-sharing arrangement at any time. Withdrawal does not require a reason and must not result in any reduction in the quality of other supports provided.

When consent is withdrawn:
(a) the support worker or coordinator records the withdrawal in the participant's file on the same day;
(b) the relevant consent form is marked as withdrawn with the date and initialling staff member's name;
(c) the Team Leader is notified within 24 hours; and
(d) where the withdrawal relates to a regulated restrictive practice, the Behaviour Support Practitioner is notified immediately.

A participant's withdrawal of consent for one activity does not constitute withdrawal of consent for all supports under the service agreement.

Preparing for Your Next Audit

Pull all consent-related documents from participant files and check they are signed, dated, and purpose-specific.
Review your consent policy against the current NDIS Practice Standards — confirm it addresses supported decision-making and capacity assessment.
Run a staff knowledge check — ask three or four direct support workers what they would do if a participant said no to a scheduled support activity.
Verify training records show induction and refresher completion for all active staff.
Cross-check your incident and complaints register for any consent-related themes.
Confirm your consent review cycle is documented and that reviews have actually occurred.

If you are building or overhauling your consent framework as part of broader audit preparation, the 74-document SIL compliance kit available at ndiscompliant.com.au includes a consent policy template, participant-facing consent forms in Easy English, a capacity assessment record, and a staff training checklist — all aligned to the current NDIS Practice Standards.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.