How to use this checklist: Work through each item with your documentation in front of you. Items tagged HIGH are the most common audit failure points. If you answer No to any item, address it before your next reporting period — not after an audit notice arrives.
Section 1 — Incident Reporting
1
Priority 1 incidents reported to the NDIS Commission within 24 hours
Reportable incidents involving serious injury, death, abuse, neglect, or unlawful sexual or physical contact must be notified within 24 hours of the provider becoming aware. Five business days for full written report.
2
Priority 2 incidents documented and reported within 5 business days
Lower-severity reportable incidents require a written report to the NDIS Commission within 5 business days. Check that all Priority 2 incidents in the past 12 months have a completed written report on file.
3
Incident reports are written in objective, factual language
Reports must describe what happened — not why, and not your interpretation. Check that reports avoid subjective language ("the participant was being difficult") and instead describe observable behaviour ("the participant raised their voice and left the room").
Section 2 — Shift Notes & Case Documentation
4
Shift notes are written in third person, past tense, with no bullet points
NDIS Practice Standards expect structured narrative notes, not shorthand. Audit-ready shift notes read like a professional record: "Jordan participated in meal preparation, demonstrating improved fine motor skills when handling utensils." Not: "helped with cooking — good today."
5
Case notes reference the participant's NDIS goals
Every shift note should connect the support provided to at least one participant goal. Auditors look for evidence that funding is being used to work toward the participant's plan objectives. Notes that describe support without referencing goals fail this check.
6
Progress notes demonstrate measurable change toward goals
Progress notes go further than shift notes — they must show movement. Compare where the participant started against where they are now. Vague progress notes ("doing well") don't satisfy this requirement. Use specific observations and metrics where possible.
Section 3 — Restrictive Practices & Behaviour Support
7
All restrictive practices are authorised and documented
Any use of a restrictive practice — including chemical, mechanical, physical, environmental, or seclusion — must be authorised by the relevant state/territory body and documented with date, duration, and reason for each use. Unauthorised use is a Priority 1 reportable incident.
8
Behaviour support plans are current and accessible to all workers
If a participant has a behaviour support plan (BSP), it must be up to date, implemented consistently, and accessible to every worker supporting that participant. Workers who don't know a plan exists — or can't access it — is a finding auditors raise regularly.
Section 4 — Participant Records & Service Agreements
9
Service agreements are current, signed, and stored for all active participants
A signed service agreement must exist for every participant you are actively billing. Expired agreements — or unsigned agreements — are a common audit finding. Check expiry dates now and flag any agreements due for renewal in the next 60 days.
10
Participant consent is documented for data collection and sharing
Under the Privacy Act 1988 and NDIS Practice Standards, participants must consent to how their information is collected, stored, and shared. Consent must be documented — a verbal agreement is not sufficient. Review consent forms for all participants, especially those onboarded before your current privacy policy.
Section 5 — Worker Compliance
11
All workers have a current NDIS Worker Screening Check
Every worker who delivers direct supports to NDIS participants must hold a valid NDIS Worker Screening Check from their state or territory. Checks do not transfer between states. Confirm each worker's clearance is current, note the expiry date, and set a reminder at least 60 days before it lapses.
How to read your results
11 / 11
Strong position — review annually and after any audit
8–10
Action needed — address gaps before next reporting period
≤ 7
High risk — prioritise HIGH-tagged items immediately
Common questions about NDIS audits
What does an NDIS audit checklist include?
An NDIS audit checklist covers the areas the NDIS Commission reviews most: incident reporting timeframes (24-hour and 5-day rules), shift note quality and structure, restrictive practice authorisation, current service agreements, participant consent records, and worker screening clearances. This checklist covers all 11 of those areas.
What are the most common NDIS audit failure points?
The most common failures are: late or missing reportable incident notifications (Priority 1 must be reported within 24 hours), subjective or opinionated language in shift notes, restrictive practices used without state/territory authorisation, expired or unsigned service agreements, and workers with lapsed NDIS Worker Screening Checks.
What is a Priority 1 NDIS reportable incident?
A Priority 1 reportable incident must be notified to the NDIS Commission within 24 hours. Priority 1 incidents include: death of a participant, serious injury requiring hospital treatment, sexual misconduct, abuse or neglect causing significant harm, and any unauthorised restrictive practice. A written follow-up report must be submitted within 5 business days.
How long do NDIS providers need to keep records?
Under the NDIS Practice Standards, participant records — including shift notes, incident reports, and progress notes — must be retained for a minimum of 7 years from the date of creation. If the participant was a minor, records must be kept until 7 years after they turn 25. Records must be stored securely and be accessible for NDIS Commission audits.
How do I prepare for an NDIS audit?
To prepare for an NDIS audit: check all reportable incidents were notified on time; review shift notes for objective, third-person language and goal references; verify restrictive practices have state/territory authorisation; confirm signed service agreements exist for every active participant; and ensure every worker has a current NDIS Worker Screening Check. Work through this checklist to find gaps before an auditor does.