NDIS Auditors are checking three things. Whether your documentation describes the business you’re actually running, whether your records show that system has been used, and whether your team and the people you support can speak to how it works. That’s most of it.
Once providers get through their first audit and become familiar with whats being tested, a lot of the anxiety around audit preparation falls away.
This article walks through the three things that matter, and a few things that don’t.
Consistency between documents and practice
Your incident management policy says incidents are recorded within 24 hours, reviewed by the manager, and discussed at the next team meeting. The auditor reads the policy, opens your incident register, looks at your meeting minutes, and asks the manager what happened after the last incident. Three checks, and they either line up or they don’t.
The auditor isn’t trying to catch you out (eally, it’s much more enjoyable for us to engage collaboratively). They’re checking that the system on paper and the system in operation are the same shape. They’re checking to see if your policies describe a quarterly leadership review but you’re a actually sole director, or if your supervision policy describes structured monthly one-to-ones but you in practice have casual conversations with no records of them. None of these are catastrophic on their own, but this type of mismatch becomes clear to an audit team early on, and it can shape how the rest of the audit goes.
So, tip number 1. Make sure your documents describe your business. If you’ve purchased generic policy templates online, either change the policy to describe what you genuinely do, or change what you do to match the policy. Both are valid, but the one thing that doesn’t work is leaving the gap and hoping no one notices.
Evidence records
A working quality system produces evidence and records over time. This includes things like incident reports, complaint files, supervision notes, training records, continuous improvement entries, internal audit findings, participant feedback, and more. Your policies might be perfect but your auditors need to see this extra evidence to really understand how your system is operating.
An empty register is a pretty common signal that something isn’t working. For the most part, a blank complaints register doesn’t mean participants are happy, it means they don’t know how to make a complaint or your staff aren’t making a record when they do. A continuous improvement log with three entries from the day you set it up doesn’t mean nothing has improved, but it does suggest that improvement isn’t being tracked. You don’t need a million records but you do need to be able to evidence what’s happening in you organisation.
Worth doing before audit: open your registers (complaints, incidents, COI, continuous improvement) and read them. Are the entries accurate? Do they show reflection as well as fact, what happened, what was done, what was learned? If they do, your audit is mostly a question of whether your policies describe the system that produced them. If they don’t, go back to the policies and get them updated.
Whether your team can speak to the system
Auditors talk to the executive and management, but they’re also going to speak to your front-level staff. They’ll want to ask support workers what they would do if a participant disclosed something concerning, managers how they monitor whether supports are being delivered as planned, plan managers how they handle a queried invoice.
The answers from your staff ideally will be coherent and match what’s written down. If the policy describes a process no one in the business has heard of, things get tricky. But If your team can describe how they actually do the work and it lines up with the documentation, it’s two thumbs up.
For solo operators/one-person businesses, the equivalent is whether you can speak to your own system without having to look anything up. If you can describe how you handle incidents, complaints, and continuous improvement in your own words, your system is probably working. If you have to read it off the policy before you can explain it to your auditor, you may have some work to do.
What auditors don’t care about
Auditors don’t tend to be immediately impressed by you having a 700 page policy manual. A short policy that describes your actual practice is better than a forty-page document covering scenarios that don’t apply to your day-to-day. Bigger isn’t always better.
Whether your policies use the Commission’s exact phrasing doesn’t really matter. While it can be helpful to point auditors in the right direction, there’s no requirement to lift wording from the Practice Standards verbatim. If it works for you, plain English that describes what you do is fine.
Branded headers, glossy covers, professionally typeset binders are lovely but there’s no space in audit reports to give you a rating for this. Beautifully designed manuals fail often when the system underneath isn’t working.
If you don’t deliver a service, you don’t need a policy for it. Proportionality is a real principle in NDIS audit, a small therapy practice doesn’t need the same documentation footprint as a fifty-staff SIL provider.
The bottom line
Auditors are looking for evidence that your service is being run thoughtfully, that the people in it understand what they’re doing, and that there are systems to catch problems before participants are harmed by them. The Practice Standards describe what good looks like, and the audit tests whether you’ve achieved it.
If your documents describe your business, your records show the system has been used, and your team can speak to how the work gets done, you’re well on your way to a good outcome.
