This article discusses the NDIS Practice Standard audit methods and provides commentary on mid-term audits.


Audits of NDIS providers against the NDIS Practice Standards are conducted either by way of ‘certification’ or ‘verification’. This article examines each of these audit methods and discusses how mid-term audits are carried out.  Refer to the full text guidance note for more information about mid-term audits and details of the legislation and other resources cited in this article, available here.

This article should be read alongside our guidance document ‘Audits of compliance with the NDIS Practice Standards’ and ‘How auditors manage compliance problems’ which describes the kind of information auditors collect, how audit evidence is evaluated and processes for dealing with non-compliance.


Certification audits

Certification involves an assessment against the relevant standard by conducting a desk audit of relevant documentation (this is referred to as “stage one”) together with an inspection of the sites, facilities, equipment and services used, or proposed to be used in the delivery of supports or services in relation to the standard and interviews with relevant persons (key personnel, persons receiving or to receive supports). The activities carried out onsite form “stage two” of the audit.

During certification, audit evidence is gathered from:

  • interviews with participants;
  • information from family, friends, carers nominees or independent advocates (with participant consent);
  • the support plan and evidence of delivery of supports to execute the plan; and
  • all the supports delivered by the provider to the participant.

The methods for gathering audit evidence audit depend on the defined audit objectives, scope and criteria (as defined in the scope of audit), as well as the duration and location of the audit. Amendments introduced by the NDIS Commission in January 2020 clarify that the certification assessment must be proportionate to:

  • size of the provider;
  • scale of the provider, having regard to the geographical areas and number of locations (sites) from which the provider is (or will); and
  • scope and complexity of supports or services delivered, or to be delivered.

If required, information related to interfaces between functions, activities and processes, will be collected using an appropriate sampling method. When sampling, auditors are required to prioritise ‘high risk’ registration groups using the audit and sampling methodologies set out in Annex B of the NDIS Approved Quality Auditor Scheme Guidelines (Auditor Scheme Guidelines).

The auditor’s certification report will demonstrate the relationship between actual and expected outcomes and corroborate evidence that is triangulated (wherever possible) form a variety of reliable sources.  It will include evidence from documented records and interviews with stakeholders that is, or can be, substantiated in the information provided, with relevant and quantified examples.


Use of outcomes and evidence from comparable quality audit processes

Under the NDIS Provider Registration Rules, the NDIS Commission may authorise (if it considers appropriate) a quality auditor to assess compliance by conducting a review of the outcomes and evidence from a comparable quality audit process. This may reduce the burden for providers operating across multiple regulatory regimes, but what quality audit processes are comparable? More importantly, which regulatory frameworks have standards that are comparable to the NDIS Practice Standards?

A key question will be the extent to which standards within other regulatory frameworks make adequate provision for the quality and safety issues associated with the provision of supports to people with disability. Could this also include, for example, the Aged Care Quality Standards for dignity and choice, assessment and planning, personal care and clinical care?  These standards overlap with quality indicators for the NDIS Practice Standards, are they are sufficiently comparable?


Verification audits

Verification involves an assessment against the relevant standard by conducting a desk audit, which includes review of relevant documentation in relation to the standard.

Providers that are audited by verification need to demonstrate conformity with the Practice Standards in Schedule 8 of the Provider Registration Rules.  These are:

  • Human Resource Management;
  • Incident Management;
  • Complaints Management; and
  • Risk Management.

The quality outcomes for these Practice Standards also appear in the “Core Module” of the Practice Standards that apply to certification, however the quality indicators are not identical.  Note however, that providers undergoing verification are required to establish and maintain systems for incident management, risk management and complaints management.


Verifying information

When carrying out a verification or certification audit, the auditor will consider whether the information gathered provides sufficient, objective evidence to demonstrate that requirements are being met. The following factors are considered when assessing if the available information is acceptable as audit evidence:

  • complete – all expected content is contained in the documented information,
  • correct – the content conforms to other reliable sources, such as standards and regulatory requirements,
  • consistent – the documented information in itself and with related documents, and
  • current – the content is up to date.

Further commentary on non-conformities and corrective actions is available on the MPS Law website.


Evaluating audit evidence

After reviewing audit evidence, the auditor evaluates whether the provider has demonstrated “conformity” (compliance) with the quality indicators that apply.  Audit conclusions will consider the following issues:

  • extent of any non-conformities with the audit criteria and robustness of systems, including the effectiveness of systems in meeting intended outcomes, identification of risks and effectiveness of actions taken by auditee to address risks,
  • if the required system(s) are effectively implemented, maintained and improved,
  • if the audit objectives were achieved, the coverage of the audit scope and fulfillment of the audit criteria, and
  • similar findings made in different areas that were audited or from a joint or previous audit.


Mid-term audits

Amendments that came into effect 1 January 2020 require providers who are certified to undergo a mid-term audit against certain quality standards during their period of registration.  The standards reviewed at the mid-term audit are:

  • governance and operational management (Part 3, Schedule 1, Provider Registration Rules);
  • any standard previously identified as requiring corrective action; and
  • any standard that the NDIS Commission has specified.

Importantly, providers that deliver only specialist disability accommodation do not need to undergo a mid-term audit.  Sole providers and businesses that operate as a partnership, who delivery only early intervention supports are also excluded. The amendments change the previous position that surveillance audits were to be conducted annually as part of the audit program for each certified provider, unless the auditor met the “good performance criteria”.

Guidance on the rating scale that auditors use to evaluate compliance with the Practice Standards is available on the MPS Law website.

For more information, contact Michael Pagsanjan (