What to expect from your NDIS Certification audit

A Certification audit is more involved than a Verification audit, there are significantly more standards, more evidence required, site visits, and interviews with management, staff and participants. The structure however is predictable. Once you know what each stage involves and what auditors are looking for in it, preparing for your audit becomes a clearer task.

This article walks through the Certification audit from start to finish: how the scope gets set, the standards you’ll be assessed against, the documents and records you’ll need, what happens at Stage 1 and Stage 2, and how the decision is made.

Are you on the Certification pathway?

The audit you undergo is determined by the registration groups you select in your application. Higher-risk registration groups trigger Certification and lower-risk groups are eligible for a Verification audit. The Initial Scope of Audit document generated by the NDIS Commission portal once you submit your application will confirm which pathway applies to you.

If you’re not sure which pathway you’re on, our comparison of Certification vs Verification audits walks through the differences.

Tip: Only apply for the registration groups you actually intend to deliver. Adding extra groups just in case can unintentionally trigger a much more expensive audit and create non-conformance risk if you aren’t prepared for the additional standards.

What you’ll be assessed against

A Certification audit assesses you against the Core Module of the NDIS Practice Standards, which covers four sets of standards:

• Rights and Responsibilities of Participants: including privacy, dignity, independence, decision-making support, and freedom from violence, abuse, neglect, exploitation and discrimination.
• Provider Governance and Operational Management: including governance, risk management, quality management, information management, feedback, complaints, incident management, human resources, and continuity of supports.
• Provision of Supports: including access to supports, support planning, service agreements, support delivery, and transitions to and from a provider.
• Provision of Supports Environment: including safe environment, participation and inclusion, service-related risks, management of medication, mealtime management, and waste management.

If your registration groups also trigger one or more supplementary modules (e.g. high intensity daily personal activities, behaviour support) you’ll be assessed against those in addition to the Core Module. Your Initial Scope of Audit will list any supplementary modules that apply.

Documents and evidence you’ll need

The auditor will review your policies, your records, and evidence that your system is being used. The list below is not exhaustive but it covers the categories every Certification provider needs to have ready:

• Policies and procedures demonstrating how you meet the Core Module standards. These need to describe how your business operates, not a generic version of how a service might run.
• Service agreements with current participants, demonstrating the required information is included and that participants are aware of and have agreed to what’s included.
• Participant records including support plans, risk assessments, consent documentation, and progress notes.
• Incident records with entries showing how incidents have been recorded, investigated, and resolved.
• Complaints records with evidence of how complaints have been received and addressed.
• Continuous improvement register or records showing genuine improvement activity over time.
• Workforce records including NDIS Worker Screening clearances, NDIS Worker Orientation Module completion, qualifications, right-to-work evidence, induction records, and supervision records.
• Risk register or similar documentation listing your identified organisational risks and the controls in place to manage them.
• Insurance certificates including public liability, professional indemnity (where relevant), and any other insurance specific to your services.
• Emergency and disaster management plan with evidence it has been tested and reviewed.
• Internal audit records including audit findings and actions taken to address gaps.

If you’re missing any of these, that’s the work to focus on before the audit. For more info on this, see my article on what NDIS auditors are looking for.

Stage 1: Desktop review

A Certification audit happens in two stages. Stage 1 is a desktop review, conducted before the auditor visits your site.

You provide your documentation electronically, either uploaded to the NDIS Commission’s portal or uploaded to a portal the auditor sets up/secure file transfer. The auditor reads through your policies and records, identifies any obvious gaps, and provides a report to help you prepare further for the site visit. They may come back with clarifying questions or requests for additional evidence at this stage, which is normal and easier to handle if you have someone available to respond promptly.

The Stage 1 review usually takes one to two weeks, depending on how quickly you respond to questions and how clean the documentation is.

Stage 2: Site visit

Stage 2 is the on-site portion of the audit. The auditor (or a team of auditors, for larger providers) visits your premises and spends time observing how the service operates, reviewing physical records, and interviewing staff and participants.

The auditor or their admin team will work with you regarding sampling: selecting a subset of participant files, staff files, and records to look at in detail. The number of files sampled is determined by a formula based on the size of your business (the square root of your participant or staff numbers, roughly), and the auditor will let you know which files they want to see.

How long the site visit takes depends on the size and complexity of the provider. For a small Certification provider with one location and a handful of staff, the visit might one day. For a larger provider with multiple sites or supplementary modules, it can be several days.

During the site visit, the audit team will:

• Review physical files and environments: checking that medication storage, vehicle records, participant files, or other physical evidence supports what the policies describe.
• Interview the executive team and management: covering governance, oversight, how decisions are made, and how the system is monitored.
• Interview staff: asking how they handle incidents, how they support participants with specific needs, what training they’ve received, and how they raise concerns.
• Interview participants and their families (where consent is given): asking about their experience of the service, whether they feel safe and listened to, and whether they know how to make a complaint.
• Verify evidence sampled at Stage 1: confirming that the records reviewed remotely match what’s actually held on-site.

For providers delivering services from participants’ homes or in the community rather than a fixed premises, the site visit is sometimes conducted at the provider’s office (with separate arrangements for participant interviews), and might include the auditor accompanying a worker on a shift. Your auditor will discuss the arrangements with you in advance.

Participant and staff interviews

The interview component is important, but remember that the auditor isn’t testing whether your staff or participants can quote the policy verbatim (honestly it would be odd if they could do that!). They’re testing whether what staff and participants describe is consistent with what the documentation says. If your policy describes how concerns are raised and your support workers describe a different process, or no process at all, that’s likely to end up in a non-conformance. If your participants describe a service that doesn’t match your service model, same thing.

The preparation that helps is making sure your team understands the systems they’re part of, not coaching them on what to say. Staff who can describe how their work actually happens, in their own words, do well in interviews. It’s generally quite obvious to auditors when staff have been trained on what to say (and what not to say) by management.

Participant interviews are voluntary and the auditor will ask which participants are willing to be interviewed. You’ll need to facilitate the contact, and participants are interviewed without you in the room.

The decision

After Stage 2, the auditor compiles their findings into an audit report. The report identifies any non-conformances (minor or major) and either recommends or doesn’t recommend you for certification.

If non-conformances are identified, you’ll have time to respond. Minor non-conformances typically need to be closed out within eighteen months, while major non-conformances are more serious and need to be either closed out or downgraded within three months, often via a follow-up audit. Critical non-conformances are rare and trigger immediate reporting to the Commission and other authorities if relevant. For more detail on how non-conformances work, our article on audit non-conformities covers it further.

Once your audit report is complete and any required follow-ups are done, the auditor submits their recommendation to the NDIS Commission. The Commission performs the final assessment and, if approved, issues your registration certificate. From the auditor’s submission to the certificate being issued, processing usually takes several months to more than a year, depending on the Commission’s current workload.

Timeline overview

Roughly, from application to registration certificate:

• Application submission to Initial Scope of Audit: Immediately.
• Engaging an auditor and receiving quotes: One to two weeks.
• Stage 1 desktop review: One to two weeks.
• Stage 2 site visit: One to several days, scheduled around the auditor’s availability.
• Audit report and any follow-up actions: Two to four weeks.
• Commission processing: Several months to more than a year, variable and (unfortunately) out of your hands.

Frequently Asked Questions

How much does a Certification audit cost? Significantly more than a Verification audit, and the range varies widely based on your participant numbers, staff numbers, sites, and supplementary modules. As a rough guide, expect $7,000 to $12,000+ for an initial Certification audit, with mid-term audits and renewals priced separately.

Can I be present during participant interviews? No. Participant interviews are conducted without you so that participants can speak openly. You facilitate the scheduling and may be present for introductions but don’t sit in.

What happens if I get a major non-conformance? You have three months to either close it out completely or have it downgraded to a minor non-conformance. Until that happens, your auditor cannot recommend you for certification.

Do I need to be at the site visit the whole time? Someone authorised to make decisions for the business need to be available throughout for interviews and to answer questions. A site visit where the auditor can’t access decision-makers tends to go badly.

How often does the Certification audit happen? Initial certification is followed by a mid-term audit at roughly the eighteen-month mark, and then a renewal audit is due three years after your registration approval date. Each audit is its own event, with its own scope and cost.