The NDIS Audit Process and Responding to Audit Outcomes

This article is the final of three that will help you prepare for and undertake your NDIS Audit.
Two men sit smiling at each other reviewing documentation to represent the ndis audit process

In this three-part NDIS Audit Preparation series, we have so far looked at how to complete your Self-Assessment against the NDIS Practice Standards (an important first step towards NDIS Audit) and answered common questions our clients ask about the NDIS audit process.

But what about the audit itself – what do you need to prepare for? What happens? And just as importantly, what happens if an auditor finds areas of non-compliance?

The Key Things Auditors Look For

The NDIS Auditor’s job is to assess how you comply with the requirements of the NDIS Practice Standards, or put another way, how you demonstrate compliance with the Standards. To do this, they’ll be looking for three key things:

  1. Do you have a process in place?
  2. Are you executing the process?
  3. Do your clients agree that you are executing the process, and how well?

Do you have a process in place?

The most straightforward way to provide evidence that you have processes in place is through Policies and Procedures – however, it doesn’t end there.

Your auditor won’t just be looking for policies and procedures – they’ll want to make sure that:

  • your policies and procedures comply with all relevant requirements (e.g. the NDIS Practice Standards, NDIS Act 2013 and related legislation and all other relevant Federal, State and Local Government legislation and requirements that apply to running a business);
  • you understand the policies and procedures – and can speak to certain processes when asked about them;
  • you actually implement your policies and procedures on the ground – that is, staff and participants know the policies and processes that apply to them and the business and staff follow the processes as they are set out; and
  • your policies and procedures are reviewed and updated regularly.

Most importantly – your policies and procedures must be specifically tailored to your business and how it operates – off the shelf high level documents are not good enough. They need to set out who’s responsible for what in your business, as well as reporting, record keeping and review processes.

Are you executing the process?

As I’ve already emphasised, having policies and procedures does not mean you’re going to pass an NDIS Audit. A fundamental part of the Certification NDIS Audit process (where a 2nd stage audit is conducted on site) is an assessment of whether you’re actually DOING what your policies and procedures SAY you’ll do. This comes down to awareness and training – all of your staff must be familiar with the policies and procedures that apply to them and be following the processes they set out in their day-to-day practise.

NDIS Auditors will ask you and your staff about your knowledge of your policies and procedures and the processes you follow on a daily basis.

Do your clients agree that you are executing the process, and how well?

The key purpose of the NDIS audit process is to determine whether your business can continuously provide quality and safe services to clients. Auditors will interview a selection of your clients to help them determine this. They’ll specifically be looking to understand:

  • how clients can contribute to the improvement of policies and procedures that impact them;
  • whether clients can – and feel comfortable to – make complaints about your service, without the fear of retribution or losing their service;
  • whether feedback is regularly obtained from clients to gauge their satisfaction with your service delivery; and
  • what continuous improvement practices are in place to ensure processes are regularly monitored, reviewed and updated to meet the needs of clients.

NDIS Audit Process

See Your Most Common NDIS Audit Questions Answered for detail on the processes leading up to audit and the difference between Verification and Certification Audits. Once you’ve chosen an auditor using your Initial Scope of Audit, you’ll need to book in your audit date. The NDIS audit process from there is as follows:

Verification

Document Review
  • Your auditor will review your documentation and verify whether it and your self-assessment responses , demonstrate that you can comply with the Standards. They will also consider outcomes from previous audits, any corrective actions and audit reports that resulted from previous audits and any additional requirements identified by the NDIS Commission.
Recommendation
  • The auditor will submit their findings to the NDIS Commission, within no more than 14 calendar days of completing their audit.
Decision
  • The NDIS Commission will make a final decision, based on the audit findings as well as a suitability assessment of your business and its key personnel (based on the details you submitted in your initial online application).

Certification

Audit Program Confirmation
  • our auditor will prepare an Audit Program based on the scope of your audit, taking into account your location/s and number of delivery sites; the NDIS Registration Groups you’re intending to deliver; the number and types of clients you have (including disability type, age groups, and factors such as Indigenous or Culturally and Linguistically Diverse background); how many staff your business has; and the results of any previous audits.
Stage 1 – Desktop Review
  • Your auditor will review your documentation and verify whether it and your self-assessment responses , demonstrate that you can comply with the Standards. They will also consider outcomes from previous audits, any corrective actions and audit reports that resulted from previous audits and any additional requirements identified by the NDIS Commission.
Client Interviews Confirmed
  • Your auditor will request a de-identified list of your clients and from this, they will select the clients they want to interview at their onsite assessment. You must obtain consent from clients prior to the Onsite Assessment and provide this to the Audit Team.
Audit Plan Confirmation
  • Your auditor will confirm an Audit Plan with you that includes details of any non-conformities identified in Stage 1 and the audit methodology that will be followed. You will be required to sign a copy of the Audit Plan before your onsite assessment.
Stage 2 – Onsite Assessment
  • Within three months of Stage 1 completion, your Audit Team will visit you in person to interview your key staff; interview a selection of clients and their family / friends / carers / nominees / independent advocates; and review your documentation again. The documentation review will also include a review of client and staff records. At the end of the audity, your Audit Team will hold a closing meeting with you, where they will provide you with a high-level overview of the audit. They must also provide you with a summary of their findings and any non-compliances they have identified.
Recommendation
  • The auditor will submit their findings to the NDIS Commission, within no more than 14 calendar days of completing their audit.
Decision
  • The NDIS Commission will make a final decision, based on the audit findings as well as a suitability assessment of your business and its key personnel (based on the details you submitted in your initial online application).

Audit findings

Standards have a large number of criteria (for instance, there are a total of 63 NDIS Practice Standards, each with an expected outcome and a number of indicators associated with them) and different findings can be determined for different criteria. The different NDIS Audit findings include:

Conformity with Elements of Best Practice

This is where you can clearly demonstrate that you conform with best practice (or exceed the set requirements) against the criteria being assessed. Best practice is demonstrated through innovative, responsive service delivery, underpinned by the principles of continuous improvement of the systems and processes used.

Met / Conformity

This is where no issues are identified, and your business is assessed to have met – or conformed with – the requirements of the specific criteria.

Auditors can only recommend certification or verification against the NDIS Practice Standards if you have demonstrated that all criteria in the relevant NDIS Practice Standards have been met. The only exception is where there is an accepted Corrective Action Plan in place for a minor non-conformity (see below).

Minor Non-conformity

This is where there is a process in place but there are elements missing, or part of the process is not working as it should be (for example, complaints are not reported to the business’ governing body in a timely manner).

Certification or verification may be recommended where minor non-conformities have been identified, however, you must have provided your auditor with an acceptable Corrective Action Plan setting out how you intend to rectify the non-conformity, within 7 days and prior to the recommendation being made. Timeframes given to rectify minor non-conformities can vary.

Severe / Major Non-conformity

This occurs where there is no process in place (for example, no complaints procedure) or the process that is in place is ineffective (for example, no one is following the complaints procedure that is in place, such as recording, reviewing and responding to complaints). Multiple minor non-conformities within the same criterion may also constitute a major non-conformity.

Where a major non-conformity is identified, you must provide the Audit Team with a Corrective Action Plan setting out how you intend to rectify it within 7 days. Major non-conformities must be fully addressed within 30 days. Where a Severe or Major Non-conformity is identified, certification may be granted once the non-conformity is rectified.

Notifiable Non-conformity

This is where there is a very serious breach of legislation or where auditors have serious concerns about harm to clients occurring. Notifiable non-conformities must be reported to the relevant government department. Criminal acts or child protection concerns must also be reported to relevant authorities such as the Police. It is unlikely that an audit would continue if a notifiable non-conformity were identified.

Conditions

Audit reports may also include conditions that your business must meet in order to be recommended for full certification. Audit reports may also identify opportunities for improvement, which should be acted upon in the way and timeframe recommended by the Audit Team.

Dealing with Audit Outcomes

If non-conformities are identified in your audit, don’t panic! Non-conformities don’t necessarily mean you’ll fail your audit (and one or two minor non-conformities are actually quite common). Your auditor will explain these to you and the steps you’ll need to take to rectify them. In most cases, once non-conformities have been rectified, your auditor will be able to recommend Verification or Certification.

If no non-conformities are identified in your audit – well done! This is a great outcome – take the time to celebrate your success, and then continue to focus on delivering high quality and safe services to your clients.

So, there you have it. This and my last two posts on Audit Preparedness (3 Tips for Completing Your NDIS Self-Assessment and Your Most Common NDIS Audit Questions Answered) have contained a lot of detail about the NDIS Audit process, but this is all intended to help you feel more confident at your next audit. If you want more information or need help preparing for your audit, we have a range of resources available exclusively on Provider Institute. Consider becoming a member today!.