Step 4: Certification audit - stage 2

Evidence of implementation

It is very important to note for stage 2 audits that the audit team will be looking for evidence of implementation through day-to-day practices, records and processes.

Stage 2 audits usually take place on-site but may be conducted by videoconference in certain circumstances. Interviews should always be conducted with due consideration to privacy and confidentiality for participants.

Audit plan

The Approved Quality Auditor will plan the stage 2 audit with you. You will be asked for de-identified demographic information about your NDIS participants, which the audit team will use in conjunction with information about your scope to develop an audit plan.

The audit plan will include:

  • Opening and closing meetings. The opening meeting will seek agreement again on the schedule, explain privacy considerations, introduce the audit team etc. The closing meeting will provide a summary of key findings, including any areas representing barriers to the auditor recommending registration. These are known as nonconformities.
  • Times allocated to review records (including registers, participant records), as well as interviewing a sample of participants, governing body personnel, staff, and other key stakeholders (for example, behaviour support provider if you are implementing behaviour support plans). A minimum of five participants are required.

You can provide feedback on the audit plan, and make sure that the suggested times are suitable for the relevant interviewees. If necessary, you will need to facilitate appropriate support for participants to engage in the audit process, for example, advocates, interpreters, chosen supporters.


You are required to advise all NDIS participants that they are automatically enrolled in the audit process unless they decide to ‘opt out’. If NDIS participants do not want to participate in the audit process that is fine, though you would need to document that decision and let the audit team know. 

The audit team will need to be able to look at evidence, such as the NDIS participant’s file. You will need to obtain consent from the NDIS participant or substitute decision-maker should they agree to be involved in the audit. Consent can apply to the participant engaging directly with the audit team, file access, or both.  

Note: It is a mandatory requirement that records of workers are sampled and reviewed during an audit. As such, consent is not required from workers.


The length of time of the audit will differ for each RAC provider and will depend upon a range of factors including numbers of workers, participants, sites and types and complexity of supports provided.

Minimum duration of an audit is four hours, and most audits are conducted by a two person auditor team. 

  • Provide accessible information about the audit process to NDIS participants and other key stakeholders about the upcoming audit. 
  • Keep in contact with the audit team about the plan for stage 2 and discuss ways to best engage NDIS participants, based on your personal knowledge of them.
  • Identify any support requirements for participants such as independent advocates or interpreters and let the audit team know about appropriate terminology – for example, you may not use the term ‘participant’.
  • Suggest environments for interviews that provide for adequate privacy for NDIS participants, workers and other stakeholders involved.
  • Be aware that the audit team will need to interview a sample of workers across a range of roles (support staff, leadership and management) as well as governing body personnel.  
  • Ensure that you get to see the Audit plan, and speak to the audit team prior to the audit about any concerns with timing etc.

What the audit team may ask NDIS participants

The audit team may ask NDIS participants the following using communication most likely to be understood:

  • how does your NDIS provider talk about your support needs with you?
  • do you feel that you are treated with respect?
  • what do you do if you wish to make a complaint?
  • how do you get the opportunity to provide feedback?
  • do you feel that the staff are good at providing supports?

What the audit team may ask staff

The audit team may ask workers the following: 

  • how long have you worked for this NDIS provider?
  • what is the process if the NDIS participant wants to make a complaint? 
  • what is the process if there is an incident? 
  • what training have you had? 
  • do you have a position description? 
  • do you have performance reviews? 
  • did you have an induction? Can you describe it? 
  • have you completed the NDIS Worker Orientation module? 
  • do you have regular supervision?

They may ask senior management/governing body personnel running the service the following: 

  • how does the NDIS participant have input into processes such as protection of rights and provision of supports? 
  • how do you manage quality and safeguards of supports for NDIS participants?
  • how do you ensure currency in relation to legislative requirements? 
  • how do you manage supervision, training and professional development of workers supporting NDIS participants?
  • how is conflict of interest managed?
  • how are continuity of supports for NDIS participants managed?
  • Try not to be too nervous about the audit process. Being well prepared will make the process so much easier.
  • If the audit team does come across any nonconformities, they will let you know during the audit – there shouldn’t be any surprises at the closing meeting. Major nonconformities are a barrier to certification by the auditor (and registration by the NDIS Commission), though certification can still be recommended for minor nonconformities, as long as there is a corrective action plan put in place within seven days that is acceptable to the auditor for correcting the minor non-conformities. 
  • If there are any major nonconformities, you will be advised to prepare a ‘corrective action plan’, and a follow up desktop review takes place by the approved quality auditor within three calendar months.  The NDIS Commission is unable to register a provider with major conformities.

After the audit

You should receive from the audit team a:

  • written copy of the audit findings at the closing meeting
  • copy of the full audit report for comment before it is submitted to the NDIS Commission (which needs to happen within 28 calendar days of the final day of the on-site audit.)

To find out about progress of your registration renewal or application status after the audit has been finalised, you should email the NDIS Commission Provider Registration team.

Remember that the NDIS Commission must undertake suitability assessment of your application and each key personnel. This can take time. The NDIS Commission’s Provider Registration team will contact you and/or your auditor if information from your application or the audit is missing, or if information needs clarification.