If you’re preparing for your NDIS audit, you might be wondering what happens if something goes wrong, after hearing horror stories about providers failing their audit.
Here’s the truth: you can’t technically “fail” an NDIS audit. What can happen is that auditors identify non-conformities: a gap between your current practice and what the NDIS Practice Standards require.
But, rest assured! Contrary to what you might be worried about, a non-conformity isn’t the end of the world. In many ways, it’s actually very valuable. In my experience in audit-land, the providers who handle non-conformities well can end up coming out stronger. Let’s walk through how the process works.
If you’re a fan of legislation, many of these requirements are outlined in the National Disability Insurance Scheme (Approved Quality Auditors Scheme) Guidelines 2018.
Understanding non-conformities
When an auditor assesses your service against the NDIS Practice Standards, each outcome gets a rating. At the simplest level, there are three possible results: conforming (you meet the standard), minor non-conformity (there’s a gap, but it’s not high-risk), or major non-conformity (there’s a significant gap or high risk).
A minor non-conformity typically means you have processes in place, but something isn’t quite working as it should. Maybe your complaints policy exists but you can’t demonstrate that complaints are being reported to your governing body in a timely way, or your risk register exists on paper but hasn’t been reviewed in three years. The intent is there, but the implementation needs some work or tweaking.
A major non-conformity is more serious. It means that during the audit, you haven’t been able to demonstrate appropriate processes, systems, or structures to meet the required outcome, and the gap presents a high risk. It’s also worth noting that three minor non-conformities within the same module can be escalated to a major non-conformity, as a signal that there are systemic issues in that area of your operations.
There’s also a category called critical risk, which involves serious breaches such as criminal acts or child protection concerns. These thankfully aren’t common, but do trigger immediate reporting to the NDIS Commission and relevant authorities by the auditor, and the audit might stop until the Commission advises next steps. For most providers reading this article, critical risks won’t be relevant, but it’s worth knowing the category exists.
The corrective action process
So you’ve just finished your audit, and the auditor has confirmed that they’ve found some non-conformities. Whether you receive a minor or major non-conformity (or many), the first step is the same: you need to submit a corrective action plan to your auditor within seven calendar days of written notification.
Your corrective action plan should cover four things: the correction (how you’ll fix the immediate issue), a root cause analysis (why the gap occurred in the first place), the corrective action (what you’ll change to prevent it from recurring), and clear timeframes with responsible people assigned to each action.
This seven-day window can feel tight, but it’s not asking you to fix everything immediately; it’s just asking you to demonstrate that you understand the problem and have a credible plan to address it.
Minor non-conformities: what happens next
If you receive only minor non-conformities with an accepted corrective action plan, your auditor can still recommend you for certification or verification. You don’t need to wait until the issue is fully resolved.
However, please don’t just forget about it! Minor non-conformities must be closed out within eighteen calendar months, typically at your mid-term or recertification audit, whichever comes first. At that point, the auditor will check that the corrective actions you committed to have actually been implemented and are working in practice.
If you haven’t closed out a minor non-conformity within eighteen months, it escalates to a major non-conformity. Important note here: once a minor has been escalated to a major, it can’t be downgraded back to a minor. You’ll have three months to close it out completely, or potentially have your certification suspended.
Major non-conformities: a faster timeline
Major non-conformities work differently. Your auditor cannot recommend you for certification until the major is either closed out entirely or downgraded to a minor. This means you’ll need to undergo a follow-up audit, sometimes called a close-out audit or progress review, to demonstrate that you’ve addressed the issue.
As the risk is greater, the timeline is tighter: you have three calendar months from the initial written notification to either close out the major non-conformity or have it downgraded to a minor. If you’re going through an initial certification audit, failing to meet this deadline means the auditor may submit a “not recommended for certification” outcome to the Commission.
For providers who are already certified, failure to close or downgrade a major within three months can result in automatic suspension of the certification decision.
The follow-up audit may be conducted as a desktop review, but if the issues are serious or involve critical risks, an on-site follow-up may be required. Either way, this will almost always involve an additional cost on top of your original audit fees.
The downgrade pathway
Sometimes a major non-conformity gets downgraded to a minor at the follow-up audit. You’ve made enough progress that the gap is no longer high-risk, but there’s still work to do.
If this happens, you don’t get a fresh eighteen months. Instead, you have twelve months from the date of the original finding to fully close out the non-conformity. In practice, that means nine months remaining after the three months it took to achieve the downgrade.
This matters because if you don’t close it out within that twelve-month window, your certification can be suspended. A downgraded major cannot be escalated back to a major and then downgraded again; the clock keeps ticking from the original finding.
Why non-conformities aren’t the end of the world
Here’s the perspective shift that helps most providers: a non-conformity is a known gap. The alternative is an unknown gap – a problem in your processes that nobody has identified, creating risk for your participants, your staff, and your organisation without anyone knowing about it.
The NDIS Practice Standards are built on continuous improvement, and a non-conformity isn’t a judgement that you’re a bad provider. It’s an opportunity to identify where your systems aren’t working as well as they could, understand why, and make meaningful changes.
The providers auditors see struggle most aren’t the ones who get non-conformities, but the ones who treat compliance as a box-ticking exercise, buy generic templates that don’t match their actual practice, and never look at their policies again until the next audit. When their processes have gaps, they don’t know about it until something goes wrong with a participant, which is a lot worse than an auditor identifying the issue first.
The providers who handle non-conformities well treat them as useful information. They do the root cause analysis properly, not just to satisfy the auditor but because they genuinely want to understand what went wrong. They implement changes that actually work for their business rather than copying someone else’s procedures. And they end up with stronger systems as a result.
What to do if you get a non-conformity
First, don’t panic! Take some time to understand exactly what the auditor has identified and why it matters, and don’t be afraid to reach out for clarification if you don’t understand what they’ve written.
Second, write a genuine corrective action plan. Don’t write a plan that tells the auditor what you think they want to hear, but one that actually addresses the root cause of the problem, because this is what will lead to real improvement. If your incident management isn’t driving continuous improvement, the fix isn’t to add more columns to your register; it’s to build genuine review processes into how you operate.
Third, implement what you commit to. The auditor will check at your next audit that your corrective actions are actually in practice, not just documented. If you are concerned about how an auditor might interpret a non-conformity, it helps to know the right questions to ask before engaging a new NDIS auditor.
Finally, try to see it as what it is: useful feedback about where your systems can improve. The goal shouldn’t be a perfect audit with no findings! The goal should be to build a service that genuinely protects and supports the participants who rely on you.
