
NDIS Audit Preparation: A Complete Checklist for 2026

March 2026 · 7 min read

NDIS audits are not a one-time event. They are a recurring reality for every registered provider in Australia. Whether you are facing a verification audit or a full certification audit, the outcome depends almost entirely on what you have been doing in the months and years leading up to the auditor's visit. Providers who treat audit preparation as a continuous process pass with confidence. Those who scramble in the final weeks almost always have gaps.

This guide covers the complete checklist for 2026, including the 18 QMS registers you should be maintaining, the specific areas auditors prioritise, and how automated systems compare to manual record keeping when it comes to audit readiness.

Why Audit Prep Should Be Continuous

The NDIS Quality and Safeguards Commission expects providers to demonstrate ongoing compliance, not point-in-time compliance. An auditor who sees registers that were clearly populated in a rush the week before the audit will flag that as a concern. Dated entries should show consistent, regular activity throughout the audit period.

Continuous compliance means that every incident, complaint, worker screening update, and participant record change is documented as it happens. Not at the end of the month. Not when someone reminds you. As it happens. This is the fundamental difference between providers who view compliance as a burden and those who view it as part of their daily operations.

The practical benefit of continuous compliance goes beyond audit outcomes. When your registers are current, you have real-time visibility into your organisation's risk profile. You can see which workers have certifications expiring next month, which incidents are still awaiting CAPA follow-through, and which complaints have not yet been resolved. This is operational intelligence, not just compliance paperwork.

The 18 QMS Registers Explained

A robust Quality Management System for NDIS providers includes 18 registers across five categories. Here is what each category covers and why it matters.

Governance and Risk (4 registers)

Risk Register: Documents identified risks to your organisation, participants, and workforce. Each entry should include the risk description, likelihood, consequence, current controls, and review date. Auditors want to see that risks are actively managed, not just listed.

Continuous Improvement Register: Tracks improvement actions arising from incidents, complaints, feedback, and internal reviews. Every entry should have a clear action, responsible person, target date, and completion status. This register demonstrates that your organisation learns from events and takes measurable steps to improve.

Policy and Procedure Register: Lists all organisational policies with version numbers, review dates, and approval records. Policies must be reviewed at least annually, and the register should show evidence of these reviews even when no changes were made.

Internal Audit Register: Records your internal audit schedule and findings. Self-assessment is a core expectation. Auditors look for evidence that you audit your own processes and act on the results.

Incidents and Safety (4 registers)

Incident Register: Every incident involving a participant, worker, or visitor must be recorded with date, time, location, persons involved, description, immediate actions taken, and outcome. This is typically the first register auditors review.

Reportable Incidents Register: A subset of the incident register covering incidents that meet the NDIS Commission's reportable criteria. These include death, serious injury, abuse, neglect, unauthorised restrictive practices, and sexual misconduct. Each reportable incident must show evidence of notification to the Commission within required timeframes.

Restrictive Practices Register: If your organisation uses any form of restrictive practice (even environmental restrictions like locked cupboards), each instance must be authorised, documented, and regularly reviewed. Unauthorised restrictive practices are a major audit failure point.

Hazard Register: Identifies workplace and service delivery hazards, their assessed risk level, and the controls in place to mitigate them. Regular workplace inspections should feed into this register.

Auditors consistently report that the most common audit failures relate to incident management: specifically, missing CAPA plans, incomplete follow-through on corrective actions, and reportable incidents that were not notified within the required 24-hour or 5-business-day timeframes.

Complaints and Feedback (2 registers)

Complaints Register: Records all complaints received, the investigation process, outcome, and any actions taken. Complaints must be acknowledged within 24 hours and resolved within a reasonable timeframe. The register should show that complainants were informed of the outcome.

Feedback Register: Captures positive feedback, suggestions, and informal concerns that do not rise to the level of a formal complaint. This register demonstrates that your organisation actively seeks and responds to feedback from participants, families, and workers.

Workforce and Screening (4 registers)

Worker Screening Register: Tracks NDIS Worker Screening Check status for every worker. Each entry must include the check type, clearance number, issue date, expiry date, and current status. No worker should be delivering services with an expired or pending screening check.

Training Register: Documents all training completed by workers, including mandatory induction, annual refreshers, and role-specific training. Auditors check that training is current and relevant to each worker's role.

Qualifications Register: Records formal qualifications held by workers, particularly where qualifications are required for their role (such as nursing or allied health registrations).

Personnel File Checklist: Ensures each worker's file contains all required documents: employment contract, position description, screening checks, qualifications, training records, and emergency contacts.

Participant Records (4 registers)

Participant Register: A central record of all active participants with their key details, plan dates, support categories, and assigned workers.

Service Agreement Register: Tracks the status of every service agreement: draft, sent, signed, or expired. Each agreement should link to the participant's current NDIS plan and show the agreed support items and pricing.

Consent Register: Documents all consents obtained from participants or their nominees, including consent for information sharing, photography, medication administration, and participation in activities.

Medication Register: If your organisation administers or assists with medication, this register must record every instance with the medication name, dose, time, administering worker, and participant acknowledgement.

What Auditors Check First

While auditors will review all aspects of your QMS, experienced providers know that certain areas receive more scrutiny than others.

The incident register and reportable incidents log are almost always the starting point. Auditors look for completeness (every incident documented), timeliness (documented promptly, not days later), and follow-through (every incident has an outcome and, where appropriate, a CAPA plan with evidence of completion).

Worker screening records are checked against your active roster. If a worker appeared on last week's roster and their NDIS Worker Screening Check expired two months ago, that is an immediate finding. Auditors may also spot-check individual personnel files for completeness.

CAPA plans receive particular attention because they demonstrate your organisation's commitment to learning and improvement. A CAPA plan that identifies a corrective action but shows no evidence of implementation is worse than having no plan at all, as it suggests awareness without action.

Worker Screening Requirements

Every worker who delivers NDIS-funded supports must hold current screening checks. The six mandatory certifications that auditors verify are:

Tracking these across a team of 20 or more workers, each with different expiry dates and renewal cycles, is where most providers struggle. A missed expiry is not just an audit finding. It is a safeguarding risk.

Common Audit Failures and How to Avoid Them

Missing CAPA follow-through: The most frequent failure. Providers identify issues and create action plans but do not follow through to completion. Set automated reminders for every CAPA action and assign clear ownership.

Expired certifications on active workers: Workers continue to deliver services after their screening checks or certifications have expired. Implement automated expiry alerts at 60, 30, 14, 7, and 3 days before expiry, and block workers from being rostered once expired.

Retrospective data entry: Registers that show a burst of entries in the weeks before an audit suggest that records were not maintained continuously. Auditors can identify this pattern easily. The solution is to make register entry part of daily workflow, not a separate compliance task.

Incomplete incident documentation: Incidents recorded with minimal detail, missing immediate actions, or without a documented outcome. Use structured incident forms that require all fields to be completed before submission.

No evidence of participant involvement: Auditors look for evidence that participants are involved in decisions about their support. Progress notes should reference participant goals and preferences. Service agreements should show participant or nominee signatures.

Automated vs Manual Compliance Tracking

Manual compliance tracking using spreadsheets and Word documents is how most providers start. It works when you have 5 workers and 10 participants. It breaks down rapidly as you grow.

The core problem with manual tracking is that it relies on someone remembering to update the register, check expiry dates, follow up on CAPA actions, and review entries for completeness. When that person is busy, sick, or on leave, the system stops working.

Automated compliance platforms solve this by making register entry a byproduct of daily operations. When a worker logs an incident through the app, the incident register, reportable incidents assessment, and CAPA plan are all generated automatically. When a certification is uploaded, the system extracts the expiry date and sets reminders automatically. When a service agreement is signed digitally, the agreement register updates itself.

The result is a QMS that is always current, always complete, and always ready for audit. No scrambling. No backfilling. No gaps.
