How auditors actually sample — the part most checklists skip

An NDIS certification audit for a Supported Independent Living (SIL) provider is conducted by an approved quality auditor against the relevant NDIS Practice Standards. The auditor does two things on the day. First, they read your policies. Second — and this is the part that decides the result — they sample: they pick records out of your system and check whether the thing your policy promises actually happened.

Policies are easy to produce. You can buy them, write them, or download a template pack in an afternoon. The auditor knows this. So they spend most of their time on the second activity, because a shelf of perfect policies tells them nothing about whether your service is safe. The records do.

Here's the mental model that changes how you prepare. The auditor is not trying to read everything. With a small SIL service they may look at every participant, but with a larger one they choose a cross-section — a few houses, a few support types, a few participants with higher risk profiles. Then within each sampled file, they don't read every page either. They pick a date, an incident, a medication round, a goal, and they follow the thread. If the thread runs unbroken from policy to record to outcome, you pass that outcome. If it breaks anywhere, that's a non-conformity.

The thing to internalise

You don't get to choose which file the auditor opens. That means the standard isn't "my best file is good" — it's "any file they could pick is complete." A small provider with five participants should treat all five files as if each will be the one that's sampled, because it might be.

The "trace test": one record, followed end to end

The single most useful way to prepare is to do to yourself what the auditor will do: pick one event and trace it through every record it should have touched. Auditors call this the document trail or evidence chain. If a link is missing, the chain is broken — and a policy with no matching record reads, to an auditor, like a process that exists on paper but not in the house.

Take an incident as the worked example. A participant has a fall on a Tuesday night shift. Here is the full chain the auditor expects to be able to follow:

  1. Incident Management Policy — defines what counts as an incident, who reports, and the timeframes
  2. Incident report — completed at the time, on the shift, with who/what/when/where and the immediate action taken
  3. Incident register entry — the event logged centrally so patterns can be monitored
  4. Investigation / review — for serious incidents, a record of what was looked into and found
  5. NDIS Commission notification — if it met the reportable threshold, evidence it was lodged within the required timeframe
  6. Corrective action — what you changed (a handrail, a support plan update, retraining) and an entry in the continuous improvement register
  7. Progress notes around the date — the shift notes that should corroborate the incident actually happened as reported

Run that trace on three or four real events before your audit. The gaps you find are exactly the gaps the auditor will find — except you'll have found them first, with time to fix them.

The SIL audit checklist (by what gets sampled)

Below is the checklist organised the auditor's way — by the record that gets pulled, not just the policy that should exist. For each Practice Standard area, it shows the document the auditor expects on the shelf, the operational record they will actually sample, and the broken-link failure that gets a non-conformity raised. You can download a print-friendly version further down.

| Practice Standard area | Record the auditor samples | The break that fails the outcome |
| --- | --- | --- |
| Person-centred supports & participant goals | A participant's support plan plus the recent progress notes for that participant | Notes that never reference the participant's goals — supports delivered, but no evidence they're goal-directed |
| Choice, control & dignity of risk | A completed dignity-of-risk assessment and records of participant decision-making | A blanket restriction or "house rule" applied with no individual risk assessment or consent on file |
| Privacy & consent | Signed consent-to-collect and consent-to-share forms in the sampled participant file | Information shared with third parties with no signed consent to back it |
| Service agreements | The signed SIL service agreement for the sampled participant | Unsigned, undated, or missing agreement; terms that don't match what's actually delivered |
| Incident management | A specific incident traced from report → register → notification → corrective action | An incident in the notes with no report; a report with no register entry; a reportable incident with no Commission notification |
| Complaints & feedback | The complaints register and the resolution record for a logged complaint | Empty register that doesn't match the obvious reality that complaints occur; complaint logged but no outcome recorded |
| Risk management | The current risk register with residual ratings; the home's risk assessments | A risk register last reviewed two years ago; participant-specific risks not assessed |
| Worker screening | The worker screening register cross-checked against a sampled staff member's clearance | A worker delivering supports with an expired, pending, or missing NDIS Worker Screening Check |
| Training & supervision | The training register and supervision notes for the sampled worker | Mandatory training overdue; "we do supervision" with no signed supervision record to prove it |
| Medication management (SIL) | Current medication administration records (charts) for a sampled participant | Blank signature boxes, gaps, or charts that don't match the prescribed regime |
| Restrictive practices | Any restrictive practice in use, traced to its authorisation and behaviour support plan | A restrictive practice used without authorisation, or used with no reporting to the Commission |
| Safe SIL environment | The completed, dated house safety-inspection checklist and fire/evacuation records | An inspection checklist that's a blank template, or one not done since the house opened |

Notice the pattern in the middle column: in every row the auditor pulls a record, not a policy. And notice the right column: almost every failure is a missing or broken link, not a missing policy. That is the whole game.

Incidents and reportable incidents — the highest-stakes sample

Of everything an auditor samples, incident management carries the most weight, because it's where participant safety is most directly tested. It's also where the timeframes are hard and checkable.

Under the NDIS (Incident Management and Reportable Incidents) Rules, for a reportable incident a registered provider must submit an immediate notification within 24 hours of key personnel becoming aware of it, and a more detailed five-day notification form within five business days. There's a specific carve-out: the use of a restrictive practice that is unauthorised or not in line with a behaviour support plan is notified within five business days — unless it caused harm to the person, in which case the 24-hour rule applies. Source: NDIS Quality and Safeguards Commission.

An auditor sampling your incidents will check three things, in order:

The finding nobody recovers from gracefully

An event in your progress notes that clearly met the reportable threshold, with no notification on file, is among the most serious things an auditor can find. It's not a paperwork gap — it reads as a participant-safety obligation that was missed. Build the reportable-incident decision tree into your incident form so the call gets made at the time, not reconstructed under audit pressure.

Medication, restrictive practice and the SIL house

SIL is sampled harder than most registration groups on the physical-environment outcomes, because the auditor can stand in the house and compare your documentation to what's in front of them. Three samples come up almost every time.

Medication administration records

The auditor pulls current medication charts for a sampled participant and looks for integrity: every administration signed, no unexplained blanks, charts matching the prescribed regime, and staff medication competency records on file for whoever signed. A single run of blank signature boxes is enough to open a finding, because in a SIL context a missed or unrecorded medication is a direct safety risk.

Restrictive practices

If any restrictive practice is in use — including the subtle ones like a locked cupboard, a sensor, or a routine that limits a participant's movement — the auditor traces it to a current authorisation and a behaviour support plan, and checks it's being reported to the Commission. A restrictive practice in use with no authorisation is both an audit non-conformity and a separate reportable matter.

The house safety inspection

The most common SIL-specific miss is the safety inspection checklist that exists as a blank template in the policy folder but was never actually completed and dated for the house. The auditor will ask to see the done ones, with dates, signatures, and evidence that hazards found were actioned. A template is a policy; a completed, dated checklist is the evidence.

Staff files — sampled the same way participant files are

Providers often prepare participant files carefully and forget that staff files get sampled with the same trace logic. For each sampled worker delivering NDIS supports, the auditor expects to follow a clean chain:

The recurring failure here is the worker who started before their screening cleared, or whose check lapsed and nobody tracked the renewal. A live worker screening register that flags expiries is cheap insurance against a finding that calls your whole governance into question.

Score yourself before the auditor does

You don't need to wait for the auditor to find out where you stand. Two quick self-tests, done honestly, predict your result better than any number of perfect policies:

  1. The trace test. Pick three real events — an incident, a medication round, a participant goal — and follow each through every record it should have touched. Count the broken links.
  2. The "any file" test. Open the participant file you'd least want the auditor to open. If that one's complete, you're audit-ready. If your readiness depends on which file gets picked, you're not.

If you'd rather be walked through it, the free SIL Readiness Scorecard structures these checks for you and gives you a readiness score against the outcomes that get sampled most — without an email wall to see the result.

The honest options for fixing the gaps

Once you know your gaps, there are three honest ways to close them. We sell one of them, so here's the straight version of all three.

1. Hire a consultant

A good NDIS consultant will build your system, sit with you, and project-manage the audit. It's the lowest-effort route and it works. The cost is the catch: from what small providers tell us, full SIL audit-preparation engagements commonly land in the $4,400–$8,000+ range, sometimes more for complex services. If you have the budget and little time, this can be money well spent — especially if your gaps are about implementation rather than documents, because no template fixes a habit.

2. Do it entirely yourself

Everything you need is published. The NDIS Practice Standards, the reportable-incident rules, and the audit guidance are all on the Commission's site. If you have the time and the appetite to read closely and build your own templates and registers, $0 in tools is genuinely achievable. The cost here is your hours and the risk of missing a requirement you didn't know to look for.

3. Use an audit-mapped template kit

This is the middle path, and it's what we built. The SIL Rescue Kit ($297) is 74 documents — every policy, form, and register a SIL provider needs — each mapped to the Core Module Practice Standard outcome it answers, plus an audit evidence checklist mapped to the indicators an auditor samples. It does the documentation half for the price of a template pack, so your time goes into the half a kit can't do for you: actually running the registers and accumulating real records.

Where a $297 kit helps — and where it doesn't

A template kit fixes missing documents. It cannot fix missing implementation — only real operational practice produces a real incident report or a real medication chart. That's why we tell people to start their registers months before the audit, not the week before. If your gaps are purely "I don't have the documents," a kit is the obvious-value option versus four-figure consulting. If your gaps are "we don't actually follow our own process yet," start now — no purchase fixes lost time.

Important: This article is general guidance about NDIS compliance, not legal or professional advice. Audit sampling, sample sizes, and findings are at the discretion of your approved quality auditor, and requirements change as the NDIS Commission updates its Practice Standards and rules. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.