Back to Articles

NDIS Audit Checklist 2025-26

Use this practical 2025-26 NDIS audit checklist to review documentation, policies, records, and evidence.

8 min read

NDIS Audit Checklist 2025-26

NDIS audits can feel overwhelming when records are spread across different systems, progress notes vary by worker, and managers are unsure whether evidence is complete. The best time to prepare for an audit is not the week before. It is during everyday service delivery.

This NDIS audit checklist is designed for support coordinators, team leaders, operations managers, and small-to-medium providers who want a practical way to review their documentation. It is not legal advice and does not replace professional audit guidance. It is a plain-English operational checklist to help your team identify documentation gaps before they become problems.

1. Participant Records

Start with participant files. Each participant record should be organised, current, and easy to retrieve.

Check whether you have:

  • participant contact details
  • emergency contacts
  • service agreement or relevant engagement records
  • current NDIS plan details where applicable
  • goals and support needs
  • consent records
  • risk assessments
  • communication preferences
  • behaviour support information where relevant
  • incident history and follow-up

The key question is: if a reviewer asks how your team understands and supports this participant, can the record answer clearly?

2. Progress Notes

Progress notes are often the largest body of evidence a provider has. They should show what support was delivered and how it related to participant needs or goals.

Review a sample of notes and ask:

  1. Does each note include date, time, duration, participant, and worker?
  2. Does it describe the actual support delivered?
  3. Does it include the participant's response or engagement?
  4. Does it identify the level of prompting or assistance?
  5. Does it connect to a goal, routine, or support need where relevant?
  6. Does it record changes, risks, incidents, or follow-up?
  7. Is the language factual and respectful?

If many notes say "usual support," "good day," or "no issues," your team needs a stronger template.

3. Incident and Risk Records

Incident records should be complete, timely, and linked to follow-up actions. A good incident process does not stop at recording what happened. It also shows what the provider did next.

Check:

  • incident date and time
  • people involved
  • what happened
  • immediate action taken
  • notifications made
  • participant outcome
  • follow-up actions
  • review by manager
  • any changes to risk controls or support plans

For risks that do not become incidents, make sure progress notes still capture changes that require monitoring.

4. Staff Records and Training

Audits often look at whether staff are suitable, trained, and supported. Your records should show that workers understand their role and receive relevant guidance.

Check whether staff files include:

  • identity and employment records
  • role descriptions
  • qualifications where required
  • screening checks where applicable
  • induction records
  • training completion
  • supervision notes
  • performance or competency records
  • incident debriefs where relevant

Training records should match the supports delivered. If a worker supports participants with complex needs, the provider should be able to show appropriate training and supervision.

5. Policies and Procedures

Policies should not exist only to satisfy an audit. They should reflect how the provider actually works.

Review key policies such as:

  • privacy and data handling
  • incident management
  • complaints and feedback
  • risk management
  • medication support where applicable
  • worker screening
  • participant rights
  • service delivery
  • record keeping
  • emergency and business continuity

Check whether staff know where policies are stored and whether procedures match day-to-day practice.

6. Claims and Billing Evidence

Claims should be supported by service records. If the provider claims for a support, there should be documentation showing what was delivered.

Review a sample of claims and check:

  • participant name or identifier
  • support date
  • support duration
  • support item or category
  • progress note for the same service
  • worker record or roster
  • service agreement alignment
  • any travel, cancellation, or non-face-to-face evidence

The claim and note should tell the same story. If admin staff need to guess from vague notes, that is a risk.

7. Privacy and Data Security

Participant information should be stored securely and accessed only by people who need it for their role.

Check:

  • where participant records are stored
  • who has access
  • whether old staff access has been removed
  • whether files are shared through personal email or messaging apps
  • whether records are backed up
  • whether changes are logged
  • whether AI tools use participant data for training
  • whether data can be exported if needed

Data security is not just an IT issue. It is part of participant trust.

8. Complaints and Feedback

Providers should be able to show how complaints and feedback are received, recorded, investigated, and resolved.

Check:

  • complaint records
  • date received
  • person responsible
  • actions taken
  • communication with participant or representative
  • outcome
  • improvements made

Even informal feedback can be useful evidence of continuous improvement when recorded properly.

9. Internal Quality Reviews

The best audit preparation is regular internal review. Do not wait until an external audit to discover that notes are vague or records are missing.

Set a routine to review:

  • a sample of progress notes each month
  • incident follow-up
  • claims matched against notes
  • overdue documentation
  • staff training gaps
  • participant file completeness

Small regular checks are easier than a large emergency clean-up.

How Provider Shield Helps With Audit Readiness

Provider Shield helps NDIS providers improve documentation quality before audit time. Guided input prompts help support workers capture the right details during or shortly after a shift. AI structuring turns those inputs into clearer progress notes that are easier for team leaders to review.

The platform supports goal-linked documentation, audit trail logging, and more consistent note formats across teams. This helps managers spot missing details earlier and reduces the risk of relying on vague notes when evidence is needed.

Provider Shield does not guarantee audit outcomes and does not replace professional advice. It helps providers build a stronger documentation process, which is one of the most practical ways to improve audit readiness.

Conclusion

NDIS audit readiness is built through daily habits. Clear progress notes, organised participant records, complete incident follow-up, and reliable claims evidence all matter.

Use this checklist to review your current records and identify the gaps that need attention. If your team needs a better way to create structured, audit-ready documentation, Provider Shield can help. Visit https://www.providershield.com.au/en to learn more.

Ready to streamline your NDIS compliance?

Discover how Provider Shield can help you manage documentation, stay audit-ready, and focus on delivering quality support.

Start free trial
Previous: Top 5 Documentation Mistakes That Get NDIS Providers FlaggedNext: How to Write a Compliant NDIS Progress Note (With Real Examples)

Related Articles

NDIS Price Guide 2025-26 Key Changes

Review key NDIS Price Guide 2025-26 changes and what providers should check before submitting claims.

Read article

Top 5 Documentation Mistakes That Get NDIS Providers Flagged

Avoid common NDIS documentation mistakes that can increase audit risk or make claims harder to justify.

Read article

Australian Data Sovereignty for NDIS Providers

Learn why Australian data sovereignty matters for NDIS providers handling participant and service records.

Read article
Security & Data Sovereignty

Participant data stored
in Australia.

Provider Shield stores participant progress notes in Microsoft Azure infrastructure in the Australia East region. AI processing runs in the same region. Your data is not used to train AI models.

Azure Sydney only

Primary data is stored in Microsoft Azure's ap-southeast-2 (Sydney) region. Some processing services may involve global infrastructure.

Privacy Act 1988 aligned

Designed to handle participant information in a manner consistent with the Privacy Act 1988 and the Australian Privacy Principles. Providers retain their own compliance obligations.

Data never trained on

Your documents are never used to train AI models. Every session is stateless and fully deleted on completion.

Zero third-party sharing

We do not sell, share, or transfer participant data to any third party β€” ever. You remain the sole data controller.

Important AI Disclaimer

Legal

Provider Shield uses AI to assist with compliance checks. Results are for guidance only and do not constitute legal, financial, or professional advice. Always verify critical decisions with a qualified NDIS compliance specialist before submission.