Auditors don't read your policies first. They test whether your operation can produce evidence on demand. And they do it with a deliberately hard question: pick a participant, pick a date, pick a Practice Standard — now show me everything.

If you can answer in a minute, the rest of the audit gets easier. The auditor relaxes. They start asking follow-up questions instead of forensic ones.

If you can't, the next hour is spent watching someone search filing cabinets, email colleagues, and explain why the answer lives in three different spreadsheets. By the time you find it, the auditor has already written the opening paragraph of the report.

With 1 July 2026 approaching and mandatory SIL registration locked in, every provider needs to understand exactly what that first minute looks like. Here's what auditors actually test — and what it takes to pass.

The three questions

Every NDIS Commission engagement — whether it's a Stage 1 desktop audit, a Stage 2 on-site audit, a complaint investigation, or a spot check triggered by a reportable incident — boils down to three questions. Everything else is detail.

Question 01

Can you prove it happened on a specific day?

The auditor picks a participant name from your list and a random date. They want to see:

  • Every shift that covered that participant on that day, with start time, end time, worker name, and handover record
  • Every medication administered, with dose, time, status (given, refused, missed, withheld) and any witness required
  • Every progress note logged during those shifts, with the observation and any goal context
  • Any incidents that occurred, with report-by-timestamp and Commission notification status

A single missing line — "I can't find the 14 March shift record" — is enough to open a formal finding. It doesn't matter if you have 364 perfect days. The audit tests whether your system produces evidence on any day.

Question 02

Can you prove the worker was qualified on that day?

Worker screening isn't tested in the abstract. It's tested against a specific shift on a specific date. The auditor asks:

  • Who worked the 14 March shift?
  • Was their NDIS Worker Screening check valid on 14 March?
  • Was their First Aid current on 14 March?
  • Was their supervision up to date on 14 March — meaning the most recent supervision session had occurred within the last 90 days?

This is where most providers get caught. A worker's clearance is current today, but on 14 March it might have been expired. Without a historic record — meaning a system that snapshots worker screening status at the time of each shift — you're reconstructing from memory, and you'll get it wrong.

The Commission knows this. It's one of the reasons they test historic dates, not today's state.

Question 03

Can you prove you responded when something went wrong?

Incident management is the pillar that converts a good audit into a bad one fastest. The auditor picks an incident — any incident — and asks:

  • Was this reportable under NDIS Commission rules? (Death, serious injury, abuse, neglect, unlawful sexual or physical contact, restrictive practice use.)
  • If reportable, was it notified within the required 24-hour window?
  • What investigation steps did you take? CCTV review, staff interviews, family contact, prevention actions?
  • What was the Commission reference number, and is it linked to the incident record?

The specific check the Commission runs during Stage 2 audits is to match an incident record against the NDIS Commission's own reportable-incidents database. If you reported it — but can't produce a reference number — the auditor notes a documentation gap. If you didn't report something that should have been reported, you have a finding.

Why sixty seconds is the right benchmark

An auditor's first minute tells them three things: whether your compliance system exists, whether it's used at the workforce level, and whether it can survive scrutiny.

Sixty seconds is not an arbitrary claim. It's the approximate time it takes to:

  • Open a software system
  • Search for the specific participant
  • Navigate to the specific date
  • Export or display the evidence pack

If that takes a minute, your compliance system is live and load-bearing. If it takes ten minutes, it's a snapshot of a system that exists somewhere else — usually a combination of paper files, shared drives, and institutional knowledge trapped in one person's head. The auditor will note which one it is before they ask the next question.

"Sixty seconds tells an auditor your compliance system is live. Ten minutes tells them it's reconstructed from memory."

What "ready to produce" looks like in practice

A provider walks into an audit with the 60-second test in mind. The auditor picks 14 March and participant M.T. The provider opens their compliance system, types "M.T." and "14 March", and produces — on one screen or one PDF — the following seven sections:

  1. Shifts. Every shift that covered M.T. on 14 March. Start time, end time, worker name, participant wellbeing check, kilometres travelled, handover acknowledgement from the next worker.
  2. Progress notes. Every observation logged during those shifts. Goal context where relevant.
  3. Medications. Every dose scheduled and administered, with status and time. Any PRN doses. Any refusals with reason. Any S4 or S8 witness records.
  4. Incidents. Any incident that occurred or had ongoing management on 14 March. Reportable status, Commission reference, investigation step status.
  5. Handovers. The written handover record at each shift change, with the acknowledgement timestamp of the receiving worker.
  6. Policies. The relevant policies in effect on 14 March, with their last review date and Practice Standard alignment.
  7. Worker screening (as of 14 March). Not today's state — the state of every worker's screening, training currency, and supervision record on that specific date.

Seven sections. One participant. One date. Produced in under a minute. That's the test.

The supervision trap

The most commonly-missed evidence in a Stage 2 audit isn't shift records or incident reports. It's supervision records within the 90-day cadence required under the Practice Standards.

Providers routinely meet the standard in spirit — staff are getting supervision — but fail to log it in a way that reproduces on demand, by date, by worker. Auditors test this specifically because they know it's the weakest evidence layer in most providers.

What to do between now and 1 July 2026

If you're in the 260,000 providers that need to register (or the SIL-specific subset that needs to clear the new Practice Standards by 1 July), treat this as a five-step checklist:

01
Move compliance off spreadsheets. Any evidence system that relies on a spreadsheet filed in a folder structure fails the 60-second test. The system has to be live — structured data, indexed by participant and date, queryable on demand.
02
Capture worker-screening history. Not just current status. Every time a worker's clearance is updated, you need a historic row. When the auditor asks "what was their status on 14 March?" you answer from data, not memory.
03
Close the supervision-cadence gap. One supervision session per worker every 90 days. Logged with date, supervisor, duration, and the specific areas reviewed. Auditors will sample three workers and ask for the last four sessions each.
04
Run a dry-run audit. Pick a random participant and a random date from the last 90 days. Can you produce the seven-section evidence pack in under a minute? If not, fix the gap before the Commission finds it.
05
Engage an auditor early. The NDIS Commission maintains a list of approved quality auditors. Stage 1 plus Stage 2 runs 6–12 weeks end-to-end. Book it now for mid-year audit slots — they fill.

One number worth anchoring on

9 weeks
Between today and 1 July 2026

Nine weeks is enough to fix a compliance system. It's not enough to build one from scratch. Pick the hour this week when you will run your first dry-run audit. Put the participant name and the date in your calendar. Then honour that appointment the way the Commission would.

Aura OS runs this audit in sixty seconds.

Pick a participant. Pick a date. Pick a Practice Standard. Aura OS produces the full seven-section evidence pack — shifts, notes, incidents, handovers, policies, worker screening as of that date, supervision records ±90 days — as a branded PDF, ready to email to your auditor.

$49 per month AUD, GST inclusive. Seven-day free trial, no card. Australian data.

Start free — 7-day Pro trial See the pricing maths
RP
Richard Patriquin

Richard is the founder of Clearline Health and the operator behind Safe Haven Housing, a Gold Coast SDA investment business that runs multiple SIL houses. Aura OS was built out of the compliance gaps he and his operators hit in real houses.