Tatum Steers and Jess are the co-founders of Audit Ready Consultants and Hirey. They are approved NDIS auditors with over 17 years of experience in the disability and aged care sector, across roles spanning support coordination, quality, compliance, strategy, and operations. They are based in WA and Victoria respectively, and work with providers nationally.
We've been on the other side of the fence.
Between us, we've completed hundreds of audits across Australia — reviewing providers of every shape and size, delivering supports under every module, operating in every state. And after all of that, the problems we keep seeing aren't unique. They aren't even surprising anymore.
That's not a criticism. It's an observation. The same gaps keep showing up because the system is genuinely complicated, the pressures on providers are real, and compliance rarely gets the time and attention it deserves until an audit is looming.
This article is about changing that.
Watch our webinar with Jessica from Audit Ready.
First, a clarification worth making: NDIS providers don't technically fail their audits. But if you receive major or minor non-conformances, the consequences are very real. You may face a re-audit. Conditions can be placed on your registration. And every time you have to go through the process again, there's an operational and financial cost attached to it.
The goal isn't to pass an audit. The goal is to run a quality service every day, so that when an auditor walks in, they're just confirming what you already know about your own organisation.
So what gets in the way of that?
This is the most common gap we see, and it shows up in two ways. Either staff are doing things differently to what your documentation describes, or staff have no idea what the documentation says in the first place.
During a certification audit, auditors read through all your policies before they come on site. When they arrive and start talking to your team, they're asking questions based on what they've already read. If your staff just rattle off what they do on a daily basis and it doesn't match the documentation, that's a gap. Even if your policy exists, if the evidence of practice doesn't, you have a problem.
A note on purchased policy packs: there's nothing wrong with using them as a starting point, but auditors see them constantly. If your logo is on the cover but the content hasn't been edited to reflect your actual business, we can tell. And so can anyone else reading it.
Weak incident management shows up in a few different ways: incomplete incident reports, incidents that were clearly reportable but never lodged with the NDIS Commission, and no evidence that management has ever looked at the data to identify trends.
It's one thing to have incidents documented. It's another to have followed through on the investigation, closed them out, and asked the bigger question: what is this telling us about how we operate? If the same incident keeps occurring with a particular participant or with the same staff members, that pattern needs to be addressed at the root.
Staff don't need to quote the NDIS Practice Standards from memory. But they do need to understand what those standards are asking of the organisation, and what that means for how they do their job.
Training gaps come up often, and infection control is a classic example. The standards require refresher training, not just an induction tick-box. What "reasonable" looks like will vary by organisation, but yearly or bi-yearly is a safe benchmark. One-off training with no follow-up is one of the most straightforward non-conformances to receive, and one of the easiest to avoid.
If your quality and compliance knowledge exists primarily in the brain of one manager, your organisation is at risk. That information needs to be in your systems, understood across the team, and visible to leadership on a regular basis.
When auditors walk in and the organisation scrambles to pull together answers, it's obvious. The goal is for an auditor to walk in and see a team that operates this way every day, not a team that's been on its best behaviour for the past fortnight.
When audit preparation is something that happens in November because the audit is in December, it's already too late to be doing it well. Compliance has to be embedded into how you run the business day to day. Not as an add-on. Not as a project. As the way things work.
Since the 2021 updates to the Practice Standards, emergency and disaster planning has been a non-negotiable. We see two extremes: providers who've created plans so complex that no one could follow them in an actual emergency, and providers who haven't addressed it at all.
Your emergency plans need to exist on paper, be practical, be understood by both staff and participants, and be updated regularly. A plan that no one can follow is the same as having no plan.
Here's the honest version: no one is looking for perfection. Auditors want to see that you're in control.
That means your systems exist, your staff understand their obligations, incidents are captured and followed up, and risks are identified with mitigation strategies in place. Consistent evidence across the organisation that you know what you're doing and you're doing it every day.
Check whether your practice matches your policies. Pick three or four policies at random. Read them word for word. Ask yourself honestly: is this what we actually do? If it reads like you're seeing it for the first time, something needs to change.
Review your last quarter of incidents. Are they documented? Are the reportable ones reported to the Commission within the 24-hour window? Are they closed out? Are there patterns you haven't addressed?
Identify your top three risks. Compliance, OHS, staffing, participant safety, governance — whatever is most relevant to your organisation. Write them down. Start thinking about what you would do to reduce the impact if any of them eventuated.
Audit readiness isn't just about audits. It's about how you run your service every single day.
Audit Ready works with NDIS providers across Australia to get their systems, policies, and processes genuinely ready — not just audit-day ready. Whether you need a gap analysis, a policy review, support preparing your evidence, or a fractional quality and compliance manager to work alongside your team, we can help. Book a one-to-one session or reach out via our website: auditreadyconsultants.com.au
If payroll compliance is keeping you up at night too, Pay Cat is purpose-built for SCHADS Award providers. The same principle applies: you need a system doing the heavy lifting in the background so you can focus on delivering quality supports. Chat with the Pay Cat team at paycat.com.au