This article provides guidance on how information demonstrating compliance with outcomes and indicators of the NDIS Practice Standards is gathered, verified and evaluated.



In order to register (and remain registered) with the National Disability Insurance Scheme (NDIS) Quality and Safeguards Commission, a provider must be assessed by auditors as meeting the relevant standards and other requirements of the NDIS Practice Standards (Practice Standards).

This article provides guidance on how information to demonstrate compliance with the NDIS Practice Standards is gathered, verified and evaluated.An overview of the Practice Standards and quality indicators is first provided to give context.

More detailed analysis and references to legislation discussed in this article is available in the full text guidance note here.

What are the NDIS Practice Standards?

The NDIS Practice Standards are made up of a series of high level, participant focussed quality outcomes. Providers are assessed against the quality outcomes for the Practice Standards that apply to the type of supports they are registered to provide.

Quality indicators

Within each outcome there are indicators that auditors use to assess whether the provider has demonstrated conformity with quality outcomes.

The NDIS Quality Indicator Guidelines (Quality Indicator Guidelines) describe the systems, processes, structures, skills and behaviours that are required to achieve the quality outcome.

The Quality Indicators Guidelines identify what is required for delivery of quality, safe and person-centred supports but they do not give detailed descriptions of how systems and processes are to be implemented; the means by which the requirements of each standard are established and maintained is determined by the provider according to the size and scale of the business and the scope and complexity of supports or services that are delivered.

How are the requirements of the indicators implemented?

The regulatory framework is designed to accommodate providers of varied size and scale.  So, implementation of some of the standards will vary according to what is relevant and proportionate to the size and scale of the individual provider and scope and complexity of supports delivered.  However, the nature of some quality indicators will require that processes or systems are implemented in a certain way.  For example, the indicator for medication management requires that:

records clearly identify the medication and dosage required by each participant, including all information required to correctly identify the participant and to safely administer the medication.

This indicator, by its very nature, requires that written records are kept which contain information about dosage and enable identification of the individual. Others, such as ‘…Each participant’s legal and human rights are understood and incorporated into everyday practice…’ (person centred supports) could be met if staff demonstrate that they understand the legal and human rights that apply and there is evidence showing how staff incorporate those rights into service provision.

Assessing compliance with quality outcomes

The main things considered by the auditor are:

  • what is documented (internal processes, policies, procedures, SOPs or work instructions);
  • whether the systems that are required have been established and how they operate; and
  • the applicable standards, criteria and requirements set out in the Quality Indicator Guidelines and NDIS Rules that are being audited.

The methods for gathering audit evidence depend on whether the audit is for certification or verification, the defined audit objectives, scope and criteria, as well as the duration and location of the audit.

Further commentary on certification and verification audits is available here.

What kind of information will be collected?

At a minimum, the auditor will examine documents and records that are relevant to the scope of audit, the provider’s responses to the self-assessment and where applicable, the NDIS quality audit history (prior outcomes, corrective actions and reports).

The auditor may also gather information from interviews, observations or feedback. Where required, information related to interfaces between functions, activities and processes, will be collected using the sampling methodologies set out the NDIS Quality Auditor Guidelines (Quality Auditor Guidelines).

Verifying information

Auditors will consider whether the information gathered provides sufficient, objective evidence to demonstrate that requirements are being met. The following factors are considered when verifying information:

  • complete – all expected content is contained in the documented information;
  • correct – the content conforms to other reliable sources, such as standards and regulatory requirements;
  • consistent – the documented information in itself and with related documents; and
  • current – the content is up to date.

Evaluating audit evidence and audit conclusions

Audit conclusions will consider the following:

  • the extent of any non-conformities with the audit criteria and robustness of systems, including effectiveness of systems in meeting intended outcomes, identification of risks and effectiveness of actions taken by auditee to address risks;
  • if the required system(s) are effectively implemented, maintained and improved;
  • if the audit objectives were achieved, the coverage of the audit scope and fulfillment of the audit criteria; and
  • similar findings made in different areas that were audited or from a joint or previous audit.

Conformity is evaluated using the rating scale set out in the Quality Auditor Guidelines.  Commentary on the rating scale is available in the full text version of this guidance note here.

Critical risks

Any uncontrolled risk that may impact on participant safety is a “critical risk”. Critical risks are to be notified to the NDIS Commission within 24 hours, or if the risk relates to criminal acts or child protection, the Commission and the authorities must be notified immediately. A critical risk also includes “incidents that must be covered” in the provider’s incident management system. That is, incidents that occur (or are alleged to occur) in connection with the provision of supports that have (or could have) caused harm to a person with disability, reportable incidents and acts by a person with disability that have cause serious harm (or risk of serious) harm to another person.

For more information, contact Michael Pagsanjan (