What is the difference between a certification audit and a verification audit under the NDIS?

A certification audit is a full assessment that includes on-site visits and participant interviews, required for higher-risk registration groups including SIL. A verification audit is a desktop-only document review used for lower-risk support types. SIL providers almost always require certification.

How long does an NDIS certification audit typically take?

The duration varies by organisation size and the number of sites, but certification audits commonly span one to three days on-site plus a desktop review period before and after. The NDIS Commission publishes guidance on audit timelines, and your approved quality auditor will confirm the schedule in advance.

What happens if an auditor finds a non-conformance during my NDIS audit?

Non-conformances are categorised as minor or major. For minor non-conformances, providers are typically given a corrective action period to provide evidence of resolution. Major non-conformances may result in conditions on registration or, in serious cases, referral to the NDIS Commission for regulatory action.

Do NDIS auditors interview participants during a SIL audit?

Yes. Participant interviews are a standard part of certification audits. Auditors speak with participants (and where appropriate, their nominees or support networks) to verify that the experience of support matches what the provider's documents describe. Participant feedback carries significant weight in the audit outcome.

What restrictive practice documents must a SIL provider have ready for audit?

Providers must have current state or territory authorisation documents for each participant subject to a regulated restrictive practice, a behaviour support plan prepared by a registered practitioner, and records of monthly reporting to the NDIS Commission. Evidence of a reduction goal must also be documented.

How far back do auditors look at incident and complaint records?

Auditors typically review the period since your last audit or, for new providers, since registration. In practice, most auditors will examine at least the preceding twelve months of incident and complaint records. Providers should ensure records are complete, accurate, and retrievable for the full audit period.

NDIS What Auditors Check: A Worked Example

What NDIS Approved Quality Auditors Actually Check

If you provide Supported Independent Living (SIL) or other high-intensity supports, registration renewal means facing an approved quality auditor (AQA). Many providers arrive at audit day with policies they have never stress-tested against the audit framework. This article walks through the process as it applies to the strengthened NDIS Practice Standards — including a realistic worked example — so you know exactly what scrutiny your documents and practices will face.

The Audit Framework: A Quick Orientation

NDIS audits are conducted against the NDIS Practice Standards made under the National Disability Insurance Scheme Act 2013. The standards are organised into a core module (applicable to all registered providers) and supplementary modules for higher-risk support types, including SIL, specialist behaviour support, and high-intensity daily activities.

From 2026, the strengthened registration framework introduced by the NDIS Commission places greater emphasis on governance accountability, cultural safety, and participant voice. Providers seeking or renewing registration for SIL will face supplementary module requirements in addition to the core module — meaning the audit scope is broader than it was for many providers under earlier frameworks.

Audits take two forms:

Certification audit — a full on-site assessment plus desktop document review, used for higher-risk registration groups including SIL.
Verification audit — a lighter desktop-only review for lower-risk supports.

SIL providers almost always require certification, which means auditors will visit your sites, speak with participants, and examine records in depth.

The Seven Areas Auditors Examine

1. Governance and Operational Management

Auditors look for evidence that your organisation has a functioning governance structure — including a board or leadership team that actively monitors quality and safety. They will ask for:

Your organisational chart and role descriptions for key personnel
Minutes from governance or quality committee meetings
Evidence that leadership reviews incident data and acts on trends
A documented continuous improvement register with closed-loop actions

A common non-conformance here is a quality register that lists actions but has no completion dates, responsible persons, or evidence that items were ever resolved.

2. Provision of Supports

This is the heart of the SIL audit. Auditors check whether participants receive the supports described in their NDIS plans and service agreements, and whether those supports are delivered in a way that upholds the Practice Standards. Evidence examined includes:

Current, signed service agreements for each participant
Support plans that reflect each participant's goals, preferences, and identified risks
Daily progress notes or shift records showing that supports were actually delivered
Evidence that participants were involved in developing their own plans

3. Support Planning and Review

Auditors want to see that support plans are living documents, not filed-and-forgotten templates. They check review dates, whether participants (and where appropriate, their nominees or support networks) signed off on the plan, and whether the plan was updated when a participant's circumstances changed.

4. Incident Management

Under the NDIS (Incident Management and Reportable Incidents) Rules 2018, registered providers must have an incident management system. Auditors examine:

Your written incident management policy and procedure
Your incident register for the audit period
Evidence of timely reporting of reportable incidents to the NDIS Commission
Post-incident reviews and actions taken to prevent recurrence
Records showing that participants were notified and supported following incidents

A frequent finding is that incidents are logged but post-incident reviews are not documented, or that minor incidents that should have triggered a reportable incident notification were not escalated.

5. Complaints Management

Providers must have an accessible complaints process. Auditors check that participants know how to complain (including to the NDIS Commission directly), that all complaints are recorded, and that the organisation responds within its stated timeframes. They may speak directly with participants to ask whether they feel safe raising concerns.

6. Restrictive Practices

For SIL providers, this is often the highest-risk area. The use of regulated restrictive practices requires prior authorisation from the relevant state or territory body, and any use must be reported to the NDIS Commission. Auditors check:

Whether your staff can correctly identify regulated restrictive practices
Current authorisation documents for each participant where a practice is used
Behaviour support plans prepared by a registered behaviour support practitioner
Evidence that restrictive practice use is being reduced over time (the reduction goal is mandatory)
Monthly reporting to the NDIS Commission where applicable

7. Worker Screening and Training

Every worker providing NDIS supports in a risk-assessed role must hold a current NDIS Worker Screening Check. Auditors check your worker screening register against your roster and interview records. They also examine training records for mandatory topics: the NDIS Code of Conduct, safeguarding, manual handling, medication management (for SIL), and any role-specific competencies.

Worked Example: A Policy Excerpt Under Scrutiny

The following is a realistic example of how an auditor might evaluate a provider's incident management policy excerpt. This is a teaching illustration, not a real case.

Policy excerpt (as submitted)	Auditor finding
"All incidents will be reported to management and recorded in our system within a reasonable timeframe."	Non-conformance (minor). The NDIS (Incident Management and Reportable Incidents) Rules require specific timeframes for reportable incidents (for example, immediate notification requirements for certain incident types). "Reasonable timeframe" does not meet the specificity required. Recommended fix: state explicit timeframes aligned to the Rules.
"Management will review incidents monthly."	Observation. Monthly review may be insufficient for high-frequency or high-severity incidents. Auditor noted no evidence of interim review triggers. Recommended fix: include a risk-based escalation trigger so serious incidents are reviewed immediately.
"Participants will be informed of the outcome of their incident."	Conformance. Policy states the requirement clearly. Auditor checked three incident files and found written evidence of participant notification in two of the three. One file lacked evidence — flagged for follow-up but not a formal non-conformance given overall pattern of compliance.

The lesson from this example: auditors are not looking for perfect prose. They are checking whether your policy reflects the actual legal requirements, and whether your records demonstrate that staff follow the policy in practice. A gap between policy and practice is weighted more heavily than imprecise wording alone.

How to Prepare: A Pre-Audit Checklist

Map every Practice Standard requirement to a specific document or evidence source in your organisation.
Conduct an internal mock audit at least three months before your scheduled audit date.
Review your incident register for the past twelve months and confirm every reportable incident was notified on time.
Pull your worker screening register and verify every active worker has a current clearance.
Check that all restrictive practice authorisations are current and that behaviour support plans have not expired.
Speak with participants or their representatives and ask whether they know how to make a complaint — auditors will ask this too.
Ensure your continuous improvement register has evidence of closed actions, not just open items.

Bringing It Together

Audit readiness is not a one-week sprint before your certification date — it is the ongoing discipline of running your organisation according to the Practice Standards every day. The providers who perform best at audit are those whose staff can explain what the policies require without looking them up, and whose records tell a consistent story across documents, rosters, and interviews.

If you are working through your document gap before a 2026 certification audit, ndiscompliant.com.au offers a 74-document audit-ready SIL compliance kit that maps directly to the Practice Standards — a practical starting point for providers building or rebuilding their evidence base.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.