NDIS Audit Non-Conformities: How to Write a Corrective Action Plan

Receiving an NDIS audit non-conformity can feel alarming, but a well-structured NDIS audit corrective action plan is your clearest path back to full compliance. Whether you are facing a minor improvement requirement or a major non-conformity that demands urgent attention, understanding exactly what auditors expect — and how to respond genuinely — determines whether your registration recommendation proceeds on schedule. This guide walks you through every component of a compliant corrective action plan, explains the difference between minor and major ratings, and gives you a realistic timeline so there are no surprises along the way.

What Is an NDIS Audit Corrective Action Plan?

An NDIS audit corrective action plan (CAP) is a formal written response that a registered NDIS provider submits when an approved quality auditor (AQA) identifies a non-conformity against the NDIS Practice Standards. It documents the immediate fix, the root cause, the preventive action, and the timeframes for completion.

The Commission and your auditor use the CAP to verify that the gap has been genuinely addressed, not merely noted on paper. A superficial response is one of the most common reasons providers face delayed registration recommendations or, in serious cases, additional audit requirements.

Non-Conformity Ratings: Minor vs Major

Not all audit findings carry the same urgency. The NDIS Commission framework uses a simple rating scale, and your response obligations differ significantly depending on which rating you receive.

Minor Non-Conformities (Rating: 1)

A minor non-conformity indicates an improvement is needed but the risk to participants is low. Importantly, an auditor can still recommend you for certification or verification even when minor non-conformities are present. However, you must address them within 18 months — either at your mid-term audit or at recertification, whichever comes first.

Common examples of minor non-conformities include:

  • A service agreement template missing one required clause
  • A staff training record not updated within the required timeframe
  • An incident report completed late but accurately
  • A policy that references outdated legislation but is otherwise sound
  • One participant file lacking a signed consent form addendum

Because these findings do not block your recommendation, providers sometimes treat them with less urgency. That approach is risky. Auditors review minor non-conformity closure at the mid-term audit, and unresolved items can be re-rated or escalated if systemic patterns emerge.

Major Non-Conformities (Rating: 0)

A major non-conformity indicates a high-risk gap that could directly harm participants or undermine the integrity of your service delivery. The auditor cannot submit a recommendation to the Commission until you have addressed the finding and they have verified the closure through a close-out process.

You are typically given up to three months to address a major non-conformity. After you implement changes, the auditor must verify the evidence before finalising their report. This verification step is sometimes called a close-out audit, depending on the complexity of the finding.

Major non-conformities commonly arise from:

  • Absent or completely non-functional incident management systems
  • Workers delivering high-risk supports without current screening clearances
  • No documented risk assessment process for complex participants
  • Key personnel changes not reported to the Commission
  • Systemic failure to obtain informed consent from participants

If you have concerns about your incident management processes, our NDIS incident management guide covers both the reporting obligations and the system requirements auditors look for.

The 4 Core Components of a Corrective Action Plan

Regardless of whether a non-conformity is minor or major, every CAP must include four specific components. Leaving out any one of them is a common audit corrective action mistake that forces providers into a back-and-forth with their auditor.

1. Correction (Immediate Fix)

The correction is what you have already done or will do immediately to address the specific instance identified by the auditor. Think of it as the “stop the bleeding” step.

For example, if the auditor found that a worker’s NDIS Worker Screening check had lapsed, the correction would be: “Worker suspended from participant-facing duties pending clearance renewal. Application submitted [date].” This action directly resolves the observed evidence but does not prevent it from happening again — that is the job of the next two components.

2. Root Cause Analysis

Root cause analysis is the most important and most often skimmed component of any non-conformity response. Auditors are trained to distinguish between a genuine investigation and a description that simply restates the finding in different words.

Ask “why” repeatedly until you reach the actual system failure. If a consent form was missing, the surface cause might be “staff did not complete the intake checklist.” However, the root cause might be “the intake checklist is not embedded in the case management system as a mandatory field, so staff can progress to service delivery without completing it.”

A shallow root cause analysis produces a shallow corrective action. That weakens your CAP and often results in the same finding reappearing at the next audit cycle.

3. Corrective Action (Preventive Measure)

The corrective action addresses the root cause and prevents recurrence. This is not the same as the correction. Where the correction fixed the individual instance, the corrective action fixes the system that allowed the instance to occur.

Strong corrective actions typically involve process changes, system configuration updates, policy revisions, or embedded training. Weak corrective actions say things like “staff will be reminded” or “manager will monitor more closely” — these are management intentions, not system changes, and they rarely satisfy an auditor.

For worker screening expiry, a system-level corrective action might read: “Expiry dates for all screening checks entered into the HR module with automated alerts at 90 days and 30 days prior to expiry. Process owner: HR Manager. Verification: monthly compliance report generated and reviewed at team meeting.”

Refer to the NDIS worker screening guide for the specific check types and expiry rules that your CAP may need to reference.

4. Timeframes and Responsible Persons

Every action in the CAP must have a specific completion date and a named responsible person or role. Vague language such as “as soon as possible” or “the management team” is not acceptable.

Use a table format within your CAP document where possible, with columns for action, owner, target date, and evidence of completion. This structure makes it straightforward for the auditor to verify each item during the close-out review.

The NDIS Audit Corrective Action Plan Timeline

Understanding the standard close-out timeline helps you plan resources and avoid missing the submission deadline. This is particularly important for major non-conformities where the clock starts immediately after Stage 2.

Milestone | Timeframe | What Happens
Stage 2 audit complete | Day 0 | Auditor identifies and documents non-conformities
CAP submitted | Within 7 calendar days | Provider submits written corrective action plan to auditor
Implementation period | Weeks 1–8 | Provider implements corrective actions and gathers evidence
Close-out audit | Weeks 8–12 | Auditor reviews evidence and verifies closure
Commission recommendation submitted | After close-out | Auditor submits final report to NDIS Commission

The 7-calendar-day submission deadline is firm. You receive written notification of the non-conformity from your auditor, and the clock starts from that date. Many providers underestimate how quickly seven days pass when they are also running day-to-day operations, so assign CAP preparation as an immediate priority task.

For minor non-conformities, the close-out process is less intensive. Evidence can often be submitted in writing to the auditor rather than requiring an on-site visit. However, for major non-conformities, the close-out audit typically involves the auditor reviewing your updated documentation, interviewing staff, and observing changed processes where relevant.

How to Write a Genuine Audit Corrective Action

Experienced auditors have reviewed hundreds of CAPs. They can identify within a few sentences whether a provider has genuinely investigated the root cause or is writing what they think the auditor wants to hear. Performative CAPs are not only unhelpful — they can actually raise concern about the provider’s commitment to continuous improvement.

Structure Each Non-Conformity Entry Correctly

Your CAP should address each non-conformity individually, using this structure:

  • Audit Criteria: The specific NDIS Practice Standard module and indicator number (e.g., “Practice Standard 1.4 – Feedback and Complaints”)
  • Non-Conformity Description: Restate the auditor’s exact finding in your own words to demonstrate you have understood it
  • Objective Evidence: The evidence the auditor cited to support the finding
  • Correction: Immediate action taken
  • Root Cause Analysis: Investigated cause of the systemic failure
  • Corrective Action: System-level change to prevent recurrence
  • Target Date: Specific completion date
  • Responsible Person: Named role or individual
  • Evidence of Completion: What document or record will demonstrate closure

This structure directly mirrors how auditors are trained to evaluate CAPs. It also makes your close-out review faster because the auditor can move through each item systematically. Review your NDIS compliance checklist alongside the CAP to ensure you are not inadvertently creating new gaps while fixing existing ones.

Involve the Right People

The people who deliver services are often best placed to identify why a process failed. Involve frontline workers and team leaders in the root cause analysis, not just senior management. This produces more accurate findings and increases staff buy-in for the corrective actions.

Additionally, ensure your responsible persons are genuinely accountable. Assigning every action to the CEO or Director signals to auditors that the organisation has not embedded quality ownership at the appropriate operational level.

Avoid These Common CAP Mistakes

Providers frequently make several avoidable errors when writing corrective action responses:

  • Copying the auditor’s language without analysis: Restating the finding is not a root cause
  • Vague actions: “Training will be provided” without specifying content, delivery method, or completion timeline
  • No evidence plan: Failing to specify what documentation will demonstrate closure
  • Unrealistic timelines: Promising 48-hour fixes for systemic issues that require policy rewrites and staff training
  • Single-person dependency: Corrective actions that rely entirely on one person’s vigilance rather than system controls

Your NDIS Practice Standards guide can help you interpret the specific requirements behind each audit criterion so that your root cause analysis is grounded in what the standard actually demands.

People Also Ask About NDIS Audit Corrective Action Plans

How long do you have to submit an NDIS corrective action plan?

You must submit your corrective action plan within 7 calendar days of written notification of the non-conformity from your approved quality auditor. This deadline applies to both minor and major non-conformities. Missing this deadline delays the entire audit recommendation process and may prompt the auditor to raise governance concerns.

What is the difference between a minor and major non-conformity in an NDIS audit?

A minor non-conformity (rated 1) indicates an improvement is needed but poses low participant risk. The auditor can still recommend certification or verification. A major non-conformity (rated 0) presents higher risk, blocks the Commission recommendation, and requires a verified close-out process — typically within three months — before the auditor can finalise their report.

Can an NDIS provider fail an audit due to a corrective action plan?

An auditor does not fail a provider solely because of a CAP. However, if major non-conformities are not addressed within the agreed timeframe, or if a provider’s CAP responses are not genuine or are not implemented as described, the auditor cannot submit a positive recommendation. This can lead to registration being refused or conditions being applied to any registration granted.

Maintaining Compliance After the Close-Out Audit

Closing out a non-conformity is not the end of the compliance journey. The actions you take between audits determine whether similar findings recur. Building a structured internal audit program is the most reliable way to catch gaps before an external auditor does.

A practical approach includes monthly checks on operational compliance indicators, quarterly reviews of one or two Practice Standards modules, and an annual comprehensive review of all standards. Our NDIS provider registration checklist provides a useful framework for ongoing compliance monitoring across all registration areas.

Additionally, your CAP findings should feed directly into your governance reporting framework. Board members and senior leaders should see non-conformity data as part of regular quality reports, not just as an audit-week activity. This demonstrates the kind of organisational commitment to quality that distinguishes high-performing providers during the NDIS Code of Conduct assessment components of future audits.

Worker screening is a perennial source of audit findings because expiry management is often manual. Integrating screening check expiry dates into your rostering or HR system with automated alerts eliminates a significant source of minor non-conformities. Explore how NDIS rostering software can automate compliance tracking alongside scheduling.

How Inficurex Helps With NDIS Audit Compliance

Preparing for and responding to NDIS audits involves managing dozens of moving parts — from participant file completeness to worker screening status, incident reporting, and policy currency. Inficurex’s NDIS software for providers centralises these functions so your compliance evidence is always audit-ready.

The platform helps you track training completion, manage worker screening expiry dates, maintain incident records aligned with SIRS requirements, and generate the compliance reports that underpin a genuine CAP. Rather than scrambling to compile evidence in the days after an audit, your team can access structured records at any time. Providers using Inficurex report significantly reduced preparation time for both initial audits and close-out reviews. If you are working through a corrective action plan right now, speak with the Inficurex team to see how the platform can support your implementation.

Frequently Asked Questions

What does CAP stand for in an NDIS audit?

CAP stands for Corrective Action Plan. It is the formal written document a registered NDIS provider submits to their approved quality auditor in response to a non-conformity finding. The CAP must include an immediate correction, root cause analysis, systemic corrective action, and specific timeframes with named responsible persons.

What happens if I miss the 7-day CAP submission deadline?

Missing the 7-calendar-day deadline delays the audit recommendation process. Your auditor may raise concerns about your organisation’s responsiveness and governance. In some cases, late submission can itself become an area of concern during the Commission’s assessment of your registration application. Contact your auditor immediately if you anticipate difficulty meeting the deadline.

Can I add new non-conformities to my CAP that the auditor did not identify?

You can and should include related self-identified gaps in your CAP as part of a thorough root cause analysis. This proactive approach demonstrates genuine commitment to quality and is viewed favourably by both auditors and the Commission. However, keep the CAP focused — self-identified improvements should be documented in your internal quality improvement register separately.

How detailed does a root cause analysis need to be in an NDIS CAP?

Your root cause analysis should be detailed enough to explain the specific system failure, not just the surface event. A useful test: if the same staff member who caused the finding left the organisation, would the problem still be possible? If yes, the root cause has not been fully addressed. Tools like the “5 Whys” technique help reach genuinely systemic root causes rather than individual mistakes.

Does every NDIS audit finding require a close-out audit?

Not always. Minor non-conformities are typically closed through written evidence submission — for example, updated policies, training records, or amended participant files — without requiring an auditor to attend on-site. Major non-conformities generally do require an auditor verification step, which may involve a site visit, document review, and staff interviews, depending on the nature and complexity of the finding.

What evidence should I attach to my corrective action plan?

Attach evidence relevant to the correction you have already implemented, such as updated policies, signed training records, system screenshots, or revised intake forms. For actions still in progress, provide a specific timeline and describe what evidence will exist upon completion. Auditors assess both the quality of the plan and the completeness of evidence submitted alongside it.

How do NDIS Practice Standards relate to non-conformity ratings?

Each non-conformity is mapped to a specific NDIS Practice Standard module and indicator. The rating (minor or major) reflects the severity of the gap against that indicator. You can access the full NDIS Practice Standards on the Commission website to understand exactly what each indicator requires and how auditors assess conformance.

Are corrective action plans shared with the NDIS Commission?

Your CAP is reviewed by your approved quality auditor. The auditor then includes a summary of non-conformities and their closure status in the audit report submitted to the NDIS Quality and Safeguards Commission. The Commission does not typically receive the full CAP document, but it does see the auditor’s assessment of whether actions were genuine and completed within timeframes.
