If you are an NDIS provider in Australia, an audit is coming. Whether you are registering for the first time, renewing your existing registration, or hitting your mid-term check, the audit process is where the rubber meets the road. And in 2026, the stakes are higher than ever.
With mandatory registration for SIL and platform providers kicking in on 1 July 2026, thousands of providers will be going through an NDIS audit for the first time this year. At the same time, the NDIS Quality and Safeguards Commission is raising the bar on what "compliance" actually looks like in practice. The old approach of pulling everything together the week before your auditor arrives is not going to cut it anymore.
This guide breaks down exactly what you need to know and do to walk into your 2026 NDIS audit with confidence.
Verification vs Certification: Which Audit Do You Need?
Not all NDIS audits are the same, and the type you need depends on the support categories you are registered (or applying) to deliver.
Verification audits are the lighter-touch option. They are document-based reviews with no site visit required. Your auditor examines your policies, procedures, and supporting documentation against the NDIS Practice Standards Core Module. Verification audits typically apply to lower-risk support types like household tasks, community participation, and early childhood supports.
Certification audits are more comprehensive. They include a site visit, staff interviews, and direct observation of how you deliver services. Your auditor assesses your practice against both the Core Module and any relevant Supplementary Modules for your registration groups. Certification audits apply to higher-risk supports like behaviour support, specialist disability accommodation, and supported independent living.
If you are a SIL provider registering before the July 2026 deadline, expect a certification audit. The new SIL Practice Standards taking effect from 1 July add extra requirements around quality and safety in shared accommodation, so make sure you are preparing against the updated standards.
There is also the mid-term audit, which happens roughly 18 months into your three-year registration cycle for certification-level providers. This is a focused review of your governance and operational management. Think of it as a health check rather than a full exam, but do not underestimate it. Non-conformities found at mid-term still need to be addressed.
What Auditors Actually Look For
The NDIS Practice Standards are structured around four core areas. Understanding what sits behind each one will help you prepare your evidence and identify gaps before your auditor does.
Rights and Responsibilities. Your practice needs to demonstrate that participants understand their rights, can exercise choice and control, and have access to effective complaints and feedback processes. Auditors look for things like signed service agreements, accessible information about rights, evidence that participants are involved in planning their supports, and records showing how complaints were handled and resolved.
Governance and Operational Management. This is the backbone of your compliance. Auditors want to see that your organisation has a clear governance structure, a risk management framework, a quality management system, and documented policies that are reviewed regularly. They will check that your financial management is sound, your insurance is current, and your human resource practices include proper worker screening and training records.
Provision of Supports. This area covers how you actually deliver services. Auditors look for evidence that supports are person-centred, that there is continuity of support when staff change, that transitions in and out of your service are managed well, and that you maintain proper records of what supports were delivered, by whom, and when. Incident management falls here too, so your reportable incident records need to be complete and demonstrate compliance with mandatory notification timeframes.
Support Provision Environment. If you provide services in a physical setting (like SIL accommodation or day programs), auditors assess the safety and suitability of the environment. This includes fire safety, emergency procedures, WHS compliance, and whether the setting supports participants' independence and dignity.
For each area, the auditor is not just checking that a policy exists. They want to see that the policy is implemented in practice, that staff know about it and follow it, and that there is evidence to prove it.
The 2026 Audit Preparation Checklist
Here is what you should have ready before your auditor walks in the door (or, for verification audits, before you submit your documentation package).
Governance and policies. Confirm that all core policies are current, dated, and have been reviewed within the past 12 months. This includes your governance framework, risk management plan, quality management system, privacy and confidentiality policy, complaints and feedback policy, incident management policy, and code of conduct. Every policy should have a version number, a review date, and evidence of staff acknowledgement.
Worker screening and HR records. Build a register of every worker's NDIS Worker Screening Check status, including issue date, expiry date, and clearance outcome. Remember that the first wave of five-year checks started expiring in February 2026, so audit your team's status now. You also need training records showing that staff have completed relevant induction training, including the NDIS Code of Conduct and any role-specific competencies.
Incident management records. Ensure every reportable incident has been logged with the correct timeframes: immediate notification within 24 hours for serious incidents, and a detailed five-day report for unauthorised restrictive practices. Your records should show the incident details, who was notified, what actions were taken, and what preventative measures were put in place afterwards.
Participant records. For each participant, have their service agreement, individual support plan, progress notes, and any records of how they have exercised choice and control. Auditors want to see that supports are genuinely tailored to the individual, not delivered from a one-size-fits-all template.
Complaints register. Maintain a log of all complaints and feedback received, how they were investigated, what the outcome was, and whether any systemic improvements resulted. Even if you have had zero complaints, document that the process exists and that participants know how to use it.
Risk register. Your risk management framework should be a living document, not something you wrote once and filed away. Auditors look for identified risks, mitigation strategies, regular review dates, and evidence that risks are actively monitored.
Insurance and financial records. Have your current certificates of insurance ready (public liability, professional indemnity, workers compensation). Auditors may also review financial sustainability indicators to confirm you can continue operating.
If tracking all of this across spreadsheets and shared drives sounds like a nightmare, that is because it usually is. ClinicComply maps every NDIS Practice Standard to a live checklist with evidence linking, deadline tracking, and status dashboards, so you always know exactly where you stand. Start your free 30-day trial to get audit-ready.
5 Common Non-Conformities (And How to Avoid Them)
These are the issues that trip up providers most often during audits. If you can get ahead of these five, you are in strong shape.
1. Outdated or missing policies. The most common finding is policies that have not been reviewed in over a year, or that do not reflect current operations. If your practice has grown, changed locations, or added new support types since your last review, your policies probably need updating. Set a recurring 12-month review cycle for every policy and stick to it.
2. Gaps in worker screening records. Auditors check that every worker has a current, valid NDIS Worker Screening Check. If even one worker has an expired or missing check, that is a non-conformity. Build a centralised tracking system with automated reminders at 90, 60, and 30 days before each expiry.
3. Incomplete incident management records. Having an incident management policy is not enough. Auditors want to see that incidents are logged in real time, reported within the required timeframes, investigated thoroughly, and followed up with preventative actions. A common gap is logging the incident but not recording the follow-up or the lessons learned.
4. Weak complaints handling evidence. If your complaints register is empty and you claim you have never received a complaint, auditors get suspicious. Even informal feedback counts. Document everything, including how complaints were resolved and whether they led to any service improvements. If you genuinely have not received complaints, document the steps you take to actively seek participant feedback.
5. Risk management as a static document. A risk register that was written during your initial registration and never updated is a red flag. Your risk management framework needs to show regular reviews, new risks identified over time, and evidence that mitigation strategies are working. Auditors want to see a living system, not a dusty PDF.
What Happens If You Fail Your NDIS Audit?
First, take a breath. A non-conformity is not the end of the world. Here is how the process works.
If your auditor identifies minor non-conformities, you will typically be given a defined period (usually a few weeks) to provide evidence that you have addressed the issue. This is called a corrective action plan. You document what you will change, implement the change, and submit evidence back to the auditor.
For major non-conformities, the consequences are more serious. The auditor may recommend conditions on your registration, or in severe cases, the NDIS Commission may suspend or refuse your registration. Major non-conformities usually involve direct risks to participant safety, like missing worker screening checks for staff actively delivering supports, or a complete absence of incident reporting processes.
The key thing to understand is that auditors are not trying to catch you out. They want to see that you have systems in place, that those systems work, and that when things go wrong, you respond appropriately. A provider who had an incident but managed it well and documented the learnings will score better than a provider who claims nothing has ever gone wrong.
If you receive a corrective action plan, treat it as a priority. Address the findings promptly, implement genuine improvements (not just paperwork fixes), and keep records of everything you did. This evidence will be reviewed at your next audit or mid-term check.
How Much Does an NDIS Audit Cost in 2026?
Audit costs vary depending on the type of audit, the size of your organisation, the number of registration groups, and which auditor you use. Here are rough ballpark figures to help you budget.
Verification audits typically range from $3,000 to $6,000 for a straightforward assessment of a small to mid-sized provider.
Certification audits are more expensive, generally ranging from $8,000 to $20,000 or more. The cost increases with the number of sites, the complexity of your supports, and the number of supplementary modules being assessed.
Mid-term audits usually fall between $4,000 and $10,000, depending on your provider profile.
These figures cover the audit itself. Factor in additional costs for gap analysis or pre-audit consultancy (if you use one), policy development or updates, staff training, and any technology or systems you invest in to manage compliance. Some providers spend more on preparation than the audit itself, which is actually a sign they are taking it seriously.
One important note for 2026: QIP, one of Australia's major NDIS auditors, is exiting the market on 30 April 2026. If QIP is your current auditor, you need to switch to a JAS-ANZ approved alternative now. Demand for audit slots will spike as the July deadline approaches, so do not wait.
Your Audit Timeline: Working Backwards from Your Due Date
If your audit is in three months or less, here is a practical timeline.
Months 2 to 3 out: Run an internal gap analysis against every applicable Practice Standard. Identify missing or outdated policies. Check every worker's screening status. Review your incident and complaints records for completeness.
Month 1 to 2 out: Close the gaps you found. Update policies, renew expired screening checks, complete missing documentation. Run a mock audit if possible, or have a colleague walk through your evidence as if they were an auditor.
Final 2 weeks: Organise your evidence so it is easy to navigate. Whether you use folders on a shared drive or a compliance platform like ClinicComply, the auditor needs to find what they are looking for quickly. Brief your staff on what to expect, especially if interviews are part of the process. Make sure everyone knows your key policies and can articulate how they apply to their daily work.
Frequently Asked Questions
How long does an NDIS audit take?
A verification audit is typically completed within a few weeks since it is entirely document-based. Certification audits usually take one to three days on-site, depending on the size and complexity of your organisation, plus time before and after for document review and report writing. The full process from booking your auditor to receiving your final report can take anywhere from six to twelve weeks.
What documents do I need for an NDIS audit?
At a minimum, you need current versions of all core policies (governance, risk management, complaints, incident management, privacy, code of conduct), worker screening records for every staff member, incident and complaints logs, participant service agreements and support plans, staff training records, insurance certificates, and your risk register. Certification audits may also require evidence related to supplementary modules specific to your registration groups.
What is the difference between a verification and certification audit?
A verification audit is a document-based review with no site visit. It covers the NDIS Practice Standards Core Module and applies to lower-risk support types. A certification audit includes a site visit, staff interviews, and observation of service delivery. It covers both the Core Module and relevant Supplementary Modules, and applies to higher-risk supports like behaviour support, SIL, and specialist disability accommodation.
Can I choose my own NDIS auditor?
Yes. You can select any auditor approved by the JAS-ANZ (Joint Accreditation System of Australia and New Zealand). It is worth comparing quotes from multiple auditors, as pricing and availability vary. Keep in mind that QIP is exiting NDIS auditing on 30 April 2026, so if they are your current auditor, you will need to engage an alternative.
What happens if I get a non-conformity during my audit?
For minor non-conformities, you will be given a timeframe to submit a corrective action plan showing how you have addressed the issue. For major non-conformities, the NDIS Commission may impose conditions on your registration or, in serious cases, suspend it. The best approach is to address findings promptly, implement genuine operational improvements, and keep thorough records of everything you did to resolve the issue.
How often do NDIS audits happen?
NDIS registration runs on a three-year cycle. Providers on the certification pathway also have a mid-term audit at approximately 18 months. If the NDIS Commission has concerns about your compliance at any point, they can initiate additional compliance reviews outside of these scheduled audits.
How do I prepare for an NDIS mid-term audit?
Mid-term audits focus primarily on governance and operational management. Make sure your governance framework, risk register, and quality management system are current. Review any corrective actions from your initial audit to confirm they are still in place. Check that your worker screening records are up to date and that your incident management records show consistent compliance since your last full audit.
Is there a way to track NDIS compliance continuously instead of scrambling before each audit?
Yes. Compliance platforms like ClinicComply map every NDIS Practice Standard requirement to a live checklist, with evidence linking, automated deadline reminders, and real-time compliance scoring. Instead of preparing for your audit in a last-minute rush, you maintain audit readiness year-round. This is the approach the NDIS Commission is increasingly expecting from providers as the sector moves toward continuous compliance monitoring.
The providers who do well in NDIS audits are not the ones who prepare the hardest in the final week. They are the ones who build compliance into their daily operations and keep their documentation current all year round. The 2026 regulatory environment is making that shift from optional to essential. Get started now, and your next audit will be the least stressful part of your year. Explore our NDIS compliance resources for more practical guides, or start your free 30-day trial to get your compliance organised today.