NDIS Internal Audits: How to Stay Compliant Between Audits (Checklist Included)

Why Internal Audits Matter

Most NDIS providers think of audits as something that happens to them — every 18 months or three years when the NDIS Commission sends in the auditors.

But the most successful providers treat audits as something they do for themselves.

That’s what an internal audit is: a regular, self-led check to make sure your systems are working, your documentation is up to date, and your practice aligns with the NDIS Practice Standards.

Internal audits don’t just reduce stress at external audit time — they:

• Catch compliance gaps early

• Build evidence of continuous improvement

• Strengthen governance and risk management

• Protect participants and staff through proactive oversight

💡 Think of it like a service check for your business — a quick tune-up that keeps everything running smoothly before problems arise.

What Is an NDIS Internal Audit?

An internal audit is a structured review of how your business meets the NDIS Practice Standards across all areas — governance, rights, service delivery, incidents, feedback, privacy, and human resources.

It typically involves:

• Reviewing your policies and procedures

• Checking that staff are following them in practice

• Verifying that registers, records, and evidence are up to date

• Identifying areas for improvement

• Documenting actions and assigning responsibilities

The goal isn’t to “pass” or “fail” — it’s to improve.
An internal audit gives you confidence that you can prove your systems work before an external auditor ever asks.

How Often Should You Conduct an Internal Audit?

There’s no fixed rule, but here’s a practical rhythm that works for most providers:

• Quarterly: Spot checks on high-risk areas (incidents, feedback, restrictive practices, risk management).

• Bi-annually: Partial internal audit covering all key NDIS Practice Standards.

• Annually: Full internal audit using your Internal Audit Schedule or checklist.

For behaviour support or complex support services, it’s smart to complete smaller, focused reviews every 3–6 months — especially in areas like restrictive practice reporting, staff training, and participant risk management.

What to Include in an NDIS Internal Audit

Your internal audit should mirror what an external auditor would look for — just in a more supportive, reflective way.

Here’s what to check across each area:

Governance and Risk

• Business and Operational Plan reviewed and current

• Risk Management Policy and Procedure in use

• Risk Register updated and rated

• Business Continuity Plan in place and tested

• Continuous Improvement Plan active

Rights and Responsibilities

• Participant Handbook and Rights and Advocacy Policy up to date

• Staff can explain participant rights and informed consent processes

• Evidence of advocacy referrals where relevant

Service Delivery

• Service Agreements and consent forms signed and current

• Case notes and participant files complete

• Risk assessments and behaviour plans reviewed within due dates

Feedback and Complaints

• Feedback and Complaints Register complete and current

• Complaints closed with outcomes recorded

• Evidence of analysis and learning (linked to Continuous Improvement Register)

Incident Management

• Incident Register reviewed

• Corrective and Preventative Action (CAPA) Register updated

• Debriefs and investigations documented

• Reportable incidents lodged within NDIS timeframes

Human Resources

• Worker Screening and WWCC checks recorded

• Induction and training records up to date

• Supervision or performance review notes accessible

Privacy and Confidentiality

• Current Privacy Policy and Procedure in use

• Staff confidentiality agreements signed

• Secure data storage evident

Restrictive Practices (if applicable)

• Behaviour Support Plans current

• Restrictive practice use authorised and reported monthly

• Reduction strategies documented

Support Coordination or Specialist Modules

• Risk matrices, stakeholder mapping, and progress reports maintained

• Escalation or crisis responses documented

How to Conduct the Audit Step-by-Step

Here’s a simple process that turns your audit into a repeatable system:

Step 1 – Gather Your Evidence

Collect all the documents and records you’ll review:

• Policies and procedures

• Registers (risk, incident, complaints, CAPA, CI)

• Forms and templates

• Staff and participant records

🗂 Pro tip: Create an “Internal Audit Evidence” folder in your compliance drive.

Step 2 – Review and Record Findings

Use your Internal Audit Template to rate each area:

• Compliant – Evidence meets expectations

• Partially compliant – Minor improvements required

• Non-compliant – Immediate action needed

Make short notes about what evidence you saw and where it’s stored.

Step 3 – Identify Gaps and Actions

Every gap should lead to a corrective or preventative action.
Add these to your Continuous Improvement Register, with due dates and responsible staff.

Example:

Policy review overdue — schedule policy review meeting and update version control by end of month.

Step 4 – Follow Up and Close the Loop

A good internal audit doesn’t end with the checklist — it ends when the improvements are completed.
Schedule a short follow-up review 1–2 months later to confirm actions have been implemented.

Use meeting minutes or management notes as follow-up evidence.

Common Mistakes Providers Make in Internal Audits

Even experienced providers slip up. Avoid these pitfalls:

• No evidence attached: Notes like “reviewed” without proof. Always attach or reference where evidence lives.

• No follow-up: You identify issues but never confirm fixes.

• Audit fatigue: Same staff reviewing the same areas each time — rotate roles if possible.

• Out-of-date documents: Forgetting version control.

• No link to improvement: Internal audits should feed directly into your Continuous Improvement Plan.

💡 Auditors love seeing that you found and fixed something before they arrived — it shows your systems are working.

How Internal Audits Link to Continuous Improvement

Your internal audit findings are the foundation of your Continuous Improvement system.

Every “partially compliant” or “non-compliant” area becomes an opportunity to strengthen your practice.
Use your Continuous Improvement Register or Plan to record:

• What was identified

• What was changed

• Who was responsible

• When it was completed

• What the outcome was

This shows a full quality cycle — evidence, action, and review.
It’s one of the most powerful ways to demonstrate embedded practice during an NDIS audit.

Tools That Make It Easier

You don’t need to reinvent the wheel.

Swell Policy Studio’s templates are designed to simplify every part of the internal audit process:

✅ Internal Audit Template – A ready-to-use checklist that mirrors what auditors assess.
✅ Continuous Improvement Register – Tracks actions, responsibilities, and outcomes.
✅ Compliance Calendar – Helps you plan quarterly and annual checks.
✅ Document Control Register – Keeps version control tight and audit-ready.

🧩 All of these are included in our Core Module Packs — available in three tailored versions:

• Core (General) – For disability support and community access providers

• Core (Behaviour Support) – For PBS practitioners and implementing providers

• Core (Support Coordination) – For support coordinators managing risk and outcomes

👉 Explore Core Packs here

How to Prepare Staff for Internal Audits

Even though internal audits are management-led, involving your team is key.
Here’s how to make it a collaborative, positive process:

• Communicate early: Let staff know what you’re reviewing and why.

• Use it as learning, not judgement: Frame it as a shared quality check, not a test.

• Share results openly: Discuss improvements and celebrate good practice.

• Link findings to training: If gaps show up in documentation or awareness, use them to plan PD sessions.

This turns compliance from a “paperwork exercise” into an ongoing culture of accountability and growth.

Final Thoughts: Internal Audits Are Your Best Insurance

Think of your internal audits as your business’s quality assurance system.
They help you:

• Catch issues before the Commission does

• Build confidence with auditors

• Strengthen your systems year-round

When you can say it, show it, and prove it, you’ll never dread an audit again.

🌿 Ready to start your own internal audit?

The tools inside our Core Module Packs make it easy to check compliance, record evidence, and track improvements — all in one place.
👉 View the packs here.