NDIS Audits

NDIS Audits: Why They’re a Reality Check, Not a Trap

Learn what NDIS auditors actually look for, from verification and certification through to evidence of safe, respectful, person-centred practice. The episode also explains why the regulator is tightening oversight and how providers can stay audit-ready in a more data-driven environment.


Chapter 1

The word audit sounds scary but it is really a reality check

Will, EnableUs Community

Welcome to the show -- and Winter, the sentence I wish more providers heard earlier is this: [firm] an NDIS audit is NOT a trap. It's an independent check that what you say you do matches what you actually do.

Winter, EnableUs Community

[curious] That phrase -- "matches what you actually do" -- is the bit people miss, hey. Because the panic usually kicks in at the word audit, like someone's coming in to catch you out, when really they're asking: are participants safe, are they treated with respect, and do your day-to-day supports line up with the standards?

Will, EnableUs Community

Exactly. [matter-of-fact] An NDIS audit is a formal review against the NDIS Practice Standards, done by an approved auditor on behalf of the Commission. And the standards are really the gold standard for person-centred practice. So the audit isn't some weird side quest -- it's the mechanism that checks whether your service is actually safe, respectful, and delivering quality outcomes.

Winter, EnableUs Community

[skeptical] Okay, but let me push on that. If it's so straightforward, why does "audit" still make people feel like they've just been called into the principal's office?

Will, EnableUs Community

Because the consequences are real. And in 2026, the environment is tighter than it's ever been. The Commission isn't just waiting for an audit date anymore. Under its 2025 to 2027 roadmap, monitoring is more data-led, more continuous, and way more intelligence-driven. So by the time an auditor turns up, they've often already got a picture of your risk profile from complaints, incident reports, and broader data patterns.

Winter, EnableUs Community

That phrase -- "already got a picture" -- that's the unnerving part. [short pause] It's not once every few years with a clipboard. It's more like your business leaves a trail all the time.

Will, EnableUs Community

Yep, that's it. And the reason is the scale. As at 30 June 2025, there were 739,414 NDIS participants with approved plans. Total scheme payments hit $46.3 billion in 2024-25. Once you're dealing with that many people and that much money, oversight can't be casual.

Winter, EnableUs Community

[responds quickly] Seven hundred and thirty-nine thousand, four hundred and fourteen. That's not a niche program anymore -- that's basically a city the size of a major population centre relying on this system to work properly.

Will, EnableUs Community

Right. And then look at the trend lines. Complaints to the Commission went from 1,422 in 2018-19 to 29,054 in 2023-24. That's not a small lift. That's a complete change in the volume of risk signals coming into the regulator.

Winter, EnableUs Community

[grave] Twenty-nine thousand and fifty-four. I'm gonna remember that number because it tells you this isn't theoretical. That's thousands of moments where something felt wrong enough for someone to complain.

Will, EnableUs Community

And compliance action followed. In 2023-24, the Commission finalised 35,519 compliance actions against registered and unregistered providers and individuals. In one quarter alone more recently, it carried out 6,841 compliance and enforcement activities, including banning orders, 1,108 registration refusals, and more than 1,000 corrective action requests.

Winter, EnableUs Community

Wait -- 1,108 registration refusals? In one quarter? That's the bit that snaps you out of the old mindset. This isn't a regulator quietly filing paperwork. This is active.

Will, EnableUs Community

[firm] Very active. And there are some grim examples behind that. In 2024-25, one provider was ordered to pay about $1.9 million in relation to the death of an NDIS participant and serious risk to two others. Another was ordered to pay $2.2 million relating to the death of a participant. Another paid $2 million for failing to keep participants and workers safe, plus $500,000 for not notifying reportable incidents on time.

Winter, EnableUs Community

[softly] The "$500,000 for not notifying on time" part matters too. Because sometimes people think compliance is separate from care -- like paperwork over here, real support over there. But late incident reporting can hide risk. It can stop problems being seen before they get worse.

Will, EnableUs Community

That's exactly the point. Audits exist because participants can't afford providers who look good on paper but fall apart in practice. And the Commission will act. In December 2025, Auspicare Pty Ltd had its registration revoked after an audit found major non-conformities. That revocation took effect on 19 January 2026. So yes, an audit should be taken seriously -- but not feared as some mystery. It's a reality check. If your systems are real, if your practice is real, the audit is where that shows.

Winter, EnableUs Community

[reflective] I think that's the reframe. Don't ask, "How do I survive an audit?" Ask, "If someone independent tested what we claim, would the evidence hold up?" They're very different questions.

Chapter 2

What auditors look for and how businesses stay ready

Winter, EnableUs Community

So let's make this practical. People hear all these audit types and their eyes glaze over. In plain English, what's the difference between verification and certification?

Will, EnableUs Community

[calm] Verification is the lighter pathway for lower-risk, lower-complexity supports. It's basically a desktop review done every three years. The auditor looks at your organisational documents -- insurance, staff qualifications and experience, and your policies for things like risk, incidents, and complaints. No site visit. Report goes to the Commission within 14 days.

Winter, EnableUs Community

So verification is: show me the paperwork, show me the credentials, show me the systems. No one standing in the office kitchen opening cupboards. [chuckles]

Will, EnableUs Community

[laughs] Pretty much. Certification is the heavier pathway for higher-risk or more complex supports. It's a two-stage process. Stage 1 is the document review, similar to verification. Stage 2 is the onsite assessment -- site visit, interviews with staff and participants, and checks that the policies aren't just written nicely but actually understood and used. That report goes in within 28 days of completion.

Winter, EnableUs Community

The "Stage 2 onsite" bit is the whole game, isn't it? Because anyone can have a beautiful complaints policy in a folder. The harder question is whether the team on a Tuesday afternoon actually knows what to do with a complaint.

Will, EnableUs Community

Yes. [emphatic] Auditors are looking for real implementation. Do staff use the processes properly? Are participant rights visible in everyday support? Does risk management reduce harm in practice? When there's an incident, is the response timely, documented, and used to prevent it happening again? That's what they care about.

Winter, EnableUs Community

Let me try and say that back. [questioning tone] It's less "can you show me a policy called dignity and respect" and more "can you show me dignity and respect happening in actual service delivery"?

Will, EnableUs Community

Almost -- and the extra layer is evidence. Not just vibes, not just intentions. Evidence that governance is accountable, decisions are transparent, risks are managed proactively, emergencies are considered, and participant input isn't decorative. The 2025 Practice Standards really push that continuous improvement mindset.

Winter, EnableUs Community

[skeptical] And this is where some providers get caught, I reckon. They think passing means having documents. But auditors are checking whether staff understand those documents, whether participants experience the rights described in them, and whether leaders can prove the systems actually work.

Will, EnableUs Community

That's it. And the findings have gradings. If you get a major non-conformity in any area, you've got three months to fix it, and your registration doesn't progress until it's addressed and the quality audit is successfully completed. If it's a minor non-conformity, you've generally got longer to fix it and you can continue through the registration process.

Winter, EnableUs Community

Three months for a major non-conformity -- that is not much time if the issue is structural. If your incident process is broken, or your governance is patchy, you're not fixing that with one frantic weekend and a new template.

Will, EnableUs Community

No, you're not. [serious] And serious or systemic non-conformities can lead to conditions on registration, mandatory mid-term audits at your expense, suspension for specific support categories, or in the worst cases, revocation entirely. So the cost of treating compliance like an afterthought is very high.

Winter, EnableUs Community

And this is where I think people still make the wrong comparison. They compare the cost of preparation with the cost of the audit itself. But the real comparison is preparation versus conditions, suspension, or losing registration.

Will, EnableUs Community

Beautifully put. Which is why internal auditing matters so much. If you run internal audits at least twice a year, you're pressure-testing your own business before the external auditor does. You're finding gaps early, closing them before they become non-conformities, and keeping participant safety and quality front and centre.

Winter, EnableUs Community

[warmly] Twice a year is such a useful number because it makes readiness a routine, not a panic. It's like checking the smoke alarms before summer, not after the kitchen's on fire.

Will, EnableUs Community

Exactly. And in this environment, that's the mindset shift. Don't prepare for an audit as an event. Build your service so the audit simply confirms what's already true.

Winter, EnableUs Community

[reflective] Because the sharpest version of this, really, is that the audit isn't the only moment you're being judged anymore. Your complaints data, your incident trends, your decisions -- they're all speaking for you before anyone walks through the door.

Will, EnableUs Community

[firm][short pause] So run the business as though you're always being assessed... because in the only way that matters, you are.