NDIS Internal Audit: How to Conduct One Before the Real Thing

Running an NDIS internal audit is one of the most effective steps a registered provider can take to avoid costly surprises during the real thing. When an Approved Quality Auditor arrives, they will examine every layer of your operations — from participant file completeness to staff training records to physical premises. Providers who wait until they receive an audit notice are already behind. This guide explains exactly how to plan, structure, and execute an internal audit process for NDIS providers, including the five planning levels, four core audit areas, a practical frequency schedule, and how to integrate findings into your governance framework.

What Is an NDIS Internal Audit?

An NDIS internal audit is a systematic, self-directed review of your organisation’s compliance against the NDIS Practice Standards and Commission requirements. It is conducted by your own staff or an appointed internal reviewer — not an external Approved Quality Auditor — before the formal certification or verification audit.

Unlike the official audit, an internal audit is not reported to the NDIS Commission. However, it generates the evidence, systems, and documentation your organisation needs to pass the formal process with confidence.

Five Levels to Consider When Planning Your Internal Audit Process

Before you begin any audit self-assessment, you need to map out the scope of your review. The NDIS internal audit planning process operates across five levels. Skipping any one of them leads to gaps that auditors will find.

Level 1: Map Your Organisation

Start by listing all the registration groups your organisation holds. Identify which NDIS Practice Standards modules apply to each group. This mapping exercise answers a critical question: what exactly does your organisation need to be compliant with?

Ask yourself which departments or managers are responsible for each module. This immediately clarifies accountability and helps you assign internal audit tasks to the right people.

Level 2: Know Your Auditor Resources

An internal audit is only as good as the people conducting it. Identify who within your organisation has sufficient knowledge of the NDIS Practice Standards to perform a credible review. This might be your compliance manager, quality officer, or an experienced service manager.

Smaller providers may not have dedicated compliance staff. In those cases, consider whether a contracted consultant can assist with the initial audit template and methodology, even if your own team carries out the ongoing reviews.

Level 3: Understand Your Service Complexity

Providers delivering high-risk supports — such as behaviour support, supported independent living, or restrictive practices — face a more complex audit than those providing lower-risk services like plan management or therapeutic supports.

Your internal audit process needs to reflect that complexity. A provider delivering specialist disability accommodation will require a fundamentally different internal review checklist than one providing only community access. Audit depth must match service risk.

Level 4: Factor In Your Staff Count

Staff count directly affects both audit scope and the time required. Larger workforces mean more worker screening checks to verify, more training records to review, and a greater volume of staff interviews to prepare for.

As part of your pre-audit review, document the total number of staff, their roles, and their compliance status across mandatory requirements such as NDIS Worker Screening, first aid, and mandatory reporter training.

Level 5: Account for All Offices and Outlets

If your organisation operates across multiple locations, each site requires inclusion in your internal audit scope. The NDIS Commission considers each outlet separately. Accordingly, your internal review must assess premises compliance, local documentation practices, and site-specific incident histories at every location.

Remote or regional offices often have higher compliance risk due to geographic isolation and staffing challenges. Give these sites additional attention in your internal audit schedule.

The Four Core Areas of an NDIS Internal Audit

Once you have mapped your organisation across the five planning levels, the audit self-assessment itself focuses on four main areas. Each area corresponds to what an Approved Quality Auditor will examine during a formal certification or verification audit.

Area 1: Documentation

Documentation is the foundation of NDIS compliance. Your internal audit should systematically check that all required documents exist, are current, and are accessible. Key items include:

  • Policies and procedures aligned with the current NDIS Practice Standards
  • Participant service agreements, signed and dated
  • Progress notes completed consistently and within required timeframes
  • Incident and complaint records with appropriate follow-up documented
  • Risk assessments and individual support plans, reviewed within required periods
  • Consent forms for photography, information sharing, and restrictive practices
  • Staff qualification certificates, police checks, and NDIS Worker Screening clearances

A common finding in formal audits is documentation that exists but has not been kept current. Your internal audit must verify both existence and currency.

Area 2: Participant Processes

This area examines how your organisation actually delivers supports to participants — not just what your policies say you do, but what happens in practice. Your internal audit process should review:

  • Whether support plans reflect individual goals and are reviewed regularly
  • How participants and their representatives are involved in planning decisions
  • Whether complaints and feedback mechanisms are accessible and promoted
  • How your organisation manages transitions between services or providers
  • Whether participants receive clear information about their rights

Formal auditors increasingly focus on outcomes-based evidence — they want to see that participants are achieving meaningful goals, not merely that your policies describe how they should. Your internal review must include a sample of participant files reviewed against actual outcomes.

Area 3: Staff Processes

Staff process compliance covers everything from recruitment screening to ongoing training and performance management. During your internal audit, review:

  • Recruitment records showing mandatory checks were completed before employment began
  • Induction training completion records
  • Ongoing mandatory training logs (first aid, infection control, manual handling, NDIS Code of Conduct)
  • Supervision records and performance review documentation
  • Staff understanding of the NDIS Code of Conduct obligations

Staff interviews form a significant part of formal certification audits. Furthermore, staff are sometimes unaware of key policies or cannot locate documentation. Testing this internally — by asking staff where they would find a particular policy — reveals gaps before auditors do.

Area 4: Physical Premises

Physical premises compliance is often overlooked until the day before an audit. Your internal review should physically inspect each location and check:

  • Emergency evacuation plans displayed and current
  • First aid kits stocked and within expiry
  • Workplace health and safety obligations met
  • Accessibility features appropriate for participants attending the premises
  • Confidential records stored securely
  • Medication storage meeting relevant guidelines (where applicable)

A formal auditor conducting a Stage 2 on-site visit will physically walk through your premises. Therefore, your internal audit must replicate that process at every registered outlet.

Internal Audit Frequency: Monthly, Quarterly, and Annual Schedules

A strong internal audit process is not a single annual event. Instead, it operates on a layered schedule with different levels of depth at different intervals. This approach distributes the compliance workload across the year and catches issues while they are still manageable.

Monthly: Operational Compliance Indicators

Monthly reviews should focus on real-time operational indicators — the metrics that signal whether day-to-day compliance is functioning. Specifically, these include:

  • Training completion rates: are staff completing required training within timeframes?
  • Incident reporting timeliness: are reportable incidents being logged within required timeframes?
  • Worker screening status: have any clearances expired or been revoked?
  • Outstanding complaint actions: are all open complaints being tracked to resolution?

Monthly checks do not require deep file reviews. Rather, they function as an early warning system. If incident reporting timeliness falls below expected levels, you can investigate and correct before a pattern develops. For guidance on incident obligations, see our NDIS incident management guide.

Quarterly: Module-Level Reviews

Quarterly reviews involve a deeper pre-audit review of one or two specific NDIS Practice Standards modules. Rotate through your registered modules over the course of the year so that each module receives detailed attention at least once annually.

A quarterly review for a particular module might involve pulling a sample of participant files related to that service type, interviewing the responsible manager, and checking that all associated policies have been actioned. Document the findings and any corrective actions identified.

Annual: Comprehensive Full-Scope Review

The annual internal audit is the closest equivalent to a formal external audit. It should cover all registered modules, all locations, and all four audit areas. The annual audit produces a complete picture of your organisation’s compliance status and forms the foundation of your evidence portfolio for the next formal audit cycle.

Schedule your annual internal audit at least three to four months before your formal audit date. This gives you enough time to address any significant gaps identified. For a structured approach to formal audit preparation, see our NDIS compliance checklist.

Integrating Internal Audit Findings Into Your Governance Reporting Framework

An internal audit that produces findings but no governance response is a missed opportunity. Every finding from your internal audit process should flow into your organisation’s governance reporting framework — whether that is a board report, a quality committee meeting, or an executive leadership review.

Governance integration serves several important purposes. First, it ensures that leadership has visibility over compliance risks and can allocate resources to address them. Second, it creates a documented chain of evidence demonstrating that your organisation takes a proactive, systematic approach to quality improvement — which is exactly what auditors want to see.

Your governance reports should summarise:

  • Key findings from each internal audit cycle
  • Corrective actions raised, assigned, and their due dates
  • Actions completed since the last report
  • Emerging risk areas and the steps being taken to address them
  • Overall compliance trend across the reporting period

This reporting structure aligns directly with the NDIS Commission’s expectations under the governance and operational management standards. Consequently, it doubles as evidence for the formal audit itself.

How to Document Your Internal Audit Process

Audit self-assessment documentation is what transforms your internal review from an informal check into a credible quality management activity. Without documentation, there is no evidence. Your internal audit records should capture:

Who Was Involved

Record the names and roles of everyone who participated in the review. Note who reviewed each module, who was interviewed, and who reviewed the findings. This demonstrates accountability and helps repeat the process consistently.

Methodology Used

Describe how the review was conducted. Did you use a structured checklist? Did you conduct file sampling? Did you interview staff or observe service delivery? A clear methodology makes your internal audit repeatable and comparable across cycles.

Evidence Reviewed

List the specific evidence examined — for example, which participant files were sampled, which training records were checked, and which policies were reviewed against current standards. This level of detail is important when you need to demonstrate to an external auditor that your internal process was thorough.

Findings and Actions

For each finding, record the issue identified, the standard it relates to, the severity, the corrective action required, the person responsible, and the deadline. Use a simple tracking register to monitor action completion between cycles. This mirrors the corrective action plan process used in formal audits.

Common Questions About NDIS Internal Audits

Is an internal audit required by the NDIS Commission?

The NDIS Commission does not formally require providers to conduct internal audits. However, the governance and operational management standards require providers to have systems for monitoring compliance and continuous improvement. A structured internal audit process is the most practical way to meet this requirement. Providers that cannot demonstrate ongoing monitoring activity are at higher risk of non-conformities in formal audits.

Can an internal audit replace the formal NDIS certification audit?

No. Only an Approved Quality Auditor approved by the NDIS Commission can conduct the formal certification or verification audit required for registration. An internal audit is a preparatory tool: it identifies gaps and builds readiness, but it carries no weight with the Commission as evidence of compliance unless it is referenced in your continuous improvement documentation.

How long does an NDIS internal audit take?

Duration varies significantly depending on your organisation’s size and service complexity. A smaller provider delivering one or two service types might complete a comprehensive internal audit in one to two days. A larger multi-site provider delivering high-risk supports could require several weeks to complete a full-scope internal audit across all locations and modules. Quarterly module reviews typically take two to four hours per module for a well-organised provider.

What happens if my internal audit finds serious gaps?

Finding gaps is the entire purpose of the exercise. When your pre-audit review identifies serious non-compliance — for example, missing worker screening clearances or incomplete incident reports — you should treat it as an urgent corrective action item. Assign a responsible person, set a deadline, and track resolution through your governance reporting. Document everything. Resolving issues before the formal audit is far preferable to having an auditor discover them and raise a major non-conformity.

Should I use a checklist for my NDIS internal audit?

Yes. A structured checklist aligned to the NDIS Practice Standards is the most reliable tool for ensuring completeness. Without a checklist, reviews tend to focus on familiar areas and skip less obvious requirements. The checklist should be updated whenever the NDIS Practice Standards or Commission requirements change. Many providers maintain module-specific checklists that are used both by internal reviewers and as staff self-assessment tools.

How do I prepare staff for auditor interviews through internal audits?

One of the most valuable functions of an internal audit is preparing staff for formal auditor interviews. During your internal review, conduct practice interviews with key staff. Ask the same types of questions a formal auditor would ask — about how incidents are reported, where policies are located, and how participant complaints are handled. Staff who have experienced a structured internal interview are far more confident and accurate during the real audit. This preparation directly reduces the risk of non-conformities arising from staff responses.

How Inficurex Helps With NDIS Internal Audits

Maintaining compliance across documentation, incidents, staff records, and participant processes is significantly easier when your systems are purpose-built for NDIS providers. Inficurex’s NDIS provider software centralises the records your internal audit will need to review — including participant files, progress notes, incident logs, and staff training records — all in one platform.

When your data is organised and accessible, your internal audit process takes hours rather than days. You can run compliance checks, identify gaps in documentation, and produce evidence portfolios without hunting through paper files or disconnected systems. Inficurex helps providers build the kind of audit-ready operations that make both internal reviews and formal audits straightforward.

Learn more about how Inficurex supports provider compliance at inficurex.com/ndis-software-for-providers.

Frequently Asked Questions

What is the difference between an NDIS internal audit and a self-assessment?

A self-assessment is the formal process completed in the NDIS Commission portal during registration or renewal, where providers assess their compliance against Practice Standards. An NDIS internal audit is a broader, ongoing operational review conducted by the provider itself. Both are important, but the internal audit is more comprehensive and operates throughout the registration period rather than only at renewal time.

Who should conduct an NDIS internal audit?

Ideally, the internal audit is led by a compliance manager, quality officer, or senior manager with strong knowledge of the NDIS Practice Standards. For smaller providers, a board member, director, or contracted compliance consultant can conduct the review. The key requirement is that the reviewer understands what compliance evidence looks like and can objectively assess gaps.

How many Practice Standards modules should I audit each quarter?

A practical approach is to audit one to two modules per quarter, rotating through your full list over the year. Providers with four to six registered modules can complete a full cycle annually using quarterly reviews. Providers with more modules may need to prioritise higher-risk services for more frequent review and cover lower-risk modules on an annual basis.

What records should I keep from an internal audit?

Keep a record of the audit date, reviewer names, scope covered, methodology used, evidence reviewed, findings, and all corrective actions with assigned owners and deadlines. Store these records securely and make them available for at least three years. They form part of your continuous improvement evidence, which is relevant to both mid-term and recertification audits.

Can internal audit findings be used as evidence during a formal audit?

Yes. Auditors often ask providers to demonstrate their continuous improvement systems. Showing a structured internal audit schedule, documented findings, and completed corrective actions is strong evidence of a functioning quality management system. This kind of evidence can positively influence an auditor’s overall assessment of your governance practices.

How does an internal audit relate to the NDIS Practice Standards?

The NDIS Practice Standards set the benchmark that your internal audit measures against. Each standard describes what good practice looks like. Your internal audit checklist should map directly to these standards so that every area covered in a formal audit is also covered in your internal review. The NDIS Commission’s audit guidance provides further detail on what auditors look for in each module.

What is the best way to track corrective actions from an internal audit?

Use a simple corrective action register — a spreadsheet or built-in compliance tool — that records each finding, the standard it relates to, the action required, the responsible person, the due date, and the completion status. Review this register at each governance meeting and at the start of every new audit cycle. Unresolved corrective actions from previous internal audits should be the first item reviewed at the start of each new cycle.

How does an internal audit help with NDIS registration renewal?

An internal audit directly supports NDIS registration renewal by ensuring your evidence portfolio is complete and your compliance gaps are identified and addressed before you engage an Approved Quality Auditor. Providers who enter the renewal process with current internal audit records can respond more confidently to auditor questions and are less likely to receive non-conformities that delay the Commission’s decision on their renewal application.

