Why One Service Can Trigger a Bigger NDIS Audit
This episode breaks down how registration group choices shape your audit pathway, including the difference between verification and certification and why one higher-risk service can shift the whole application. It also covers what changes under certification, from onsite assessments and participant interviews to the conditional audit clock after your first participant.
Is this your podcast and want to remove this banner? Click here.
Chapter 1
The registration group decision that quietly decides your audit
Will, EnableUs Community
Welcome to the show. I'm Will with Winter, and Winter, I wanna start with the bit that catches people out: a provider can spend weeks polishing policies, lining up insurance, getting forms ready... and the decision that most changes the whole registration process might be the tick-boxes they choose right at the start for registration groups.
Winter, EnableUs Community
[curious] The tick-boxes. Not the hundred-page policy folder -- the groups? Because that's a bit counterintuitive. People assume the hard part comes after the application opens.
Will, EnableUs Community
Exactly. But those groups decide your audit pathway. And once that pathway is set, it affects cost, timeline, complexity, and really the level of compliance pressure you'll be under. In simple terms, lower-risk, lower-complexity supports usually go down verification. Higher-risk or more complex supports go down certification.
Winter, EnableUs Community
[questioning tone] Give me the concrete version of that. What's a verification-style group versus a certification-style one?
Will, EnableUs Community
Sure. Verification examples include Household Tasks, which is 0120, Travel and Transport Assistance, 0108, Assistive Products for Personal Care and Safety, 0103, Home Modification Construction and Installation, 0160, and Innovative Community Participation, 0116. Those are generally lower-risk supports. On the certification side, you're looking at groups like Assistance with Daily Personal Activities, 0107, Specialist Behaviour Support, 0110, High Intensity Daily Personal Activities, and Support Coordination at Levels 2 and 3 under 0132.
Winter, EnableUs Community
[skeptical] So 0120 Household Tasks might be a desktop document review, but 0107 Assistance with Daily Personal Activities is a whole different world because the participant is more directly relying on the provider for care.
Will, EnableUs Community
That's it. And I think that's the important lens -- not just what service sounds attractive in a business plan, but how much risk sits inside that service. Once you move into personal care, behaviour support, high-intensity supports, specialist coordination... the Commission expects a deeper audit against the Practice Standards.
Winter, EnableUs Community
And here's the bit I reckon people underestimate: they think, "We'll mostly do low-risk work, and maybe ONE higher-risk line just to keep our options open." [pauses] That "one" is the trap, isn't it?
Will, EnableUs Community
[matter-of-fact] Yep. One high-risk group can escalate the whole application. That's the one-way rule every provider needs to know. If all your selected groups sit under the verification module, you may be eligible for verification. But if ANY selected group falls under the core module, or if you're registering for a supplementary module, the pathway becomes certification.
Winter, EnableUs Community
ANY. That's the word that sticks. There's no neat little fence around the risky bit. You don't get to say, "Well, just audit Household Tasks at verification level and leave the rest for later."
Will, EnableUs Community
No, and that's where optimistic planning hits compliance reality. A provider might say, "We'll do Household Tasks, Travel and Transport, and maybe High Intensity Daily Personal Activities down the track." But if they include High Intensity in the application now, they haven't built a nice future option. They've changed the entire audit type today.
Winter, EnableUs Community
[dryly] That's like popping one complicated item into your online cart and suddenly the shipping triples.
Will, EnableUs Community
[chuckles] Honestly, not a bad analogy. Because the pathway doesn't sort of drift upward -- it jumps. Verification is one audit style. Certification is another. And the source material makes an important point here too: even if you have some low-risk groups, your scope can still end up under the core module depending on your selected groups and self-assessment answers.
Winter, EnableUs Community
So let me try to say it back. If I choose only low-risk groups like 0120 and 0108, I'm generally in verification territory. If I add 0107, or Specialist Behaviour Support 0110, or anything tied to a supplementary module, then the whole application shifts to certification. Not part of it -- all of it.
Will, EnableUs Community
[warmly] That's the cleanest version. And it's why group selection isn't admin trivia. It's strategy. Before you even open the portal, you need to know what services you can actually deliver safely, with your current workforce, qualifications, and systems -- not the version of your business you hope exists in two years.
Chapter 2
What certification really changes, and why smart providers start smaller
Winter, EnableUs Community
Okay, so once that jump happens -- verification to certification -- what actually changes in real life? Because "different pathway" can sound a bit abstract.
Will, EnableUs Community
[calm] In real life, verification is mainly a desktop review of evidence under the Verification Module. Your auditor reviews documents remotely -- qualifications, experience, insurance, that sort of thing. No site visit, no participant interviews, no onsite assessment. And once the audit's completed, the auditor submits the report to the Commission within 14 days.
Winter, EnableUs Community
Fourteen days, desktop only -- that is a very different feel from certification.
Will, EnableUs Community
Massively different. Certification is broader and deeper. It's a two-stage process. Stage One is generally remote, where the auditor reviews your self-assessment and the attachments you uploaded to the Commission portal. Stage Two is onsite. That's where they review more documentation, interview staff and participants, and look at how your systems work in practice. The report goes in within 28 days of completion.
Winter, EnableUs Community
[sharper] Wait -- 28 days, onsite, interviews with participants and staff. So we're not talking about whether the policy exists. We're talking about whether the business can actually LIVE the policy.
Will, EnableUs Community
That's exactly the difference. Certification looks at the core module, and sometimes supplementary modules as well. So auditors are assessing governance, operational management, risk management, delivery of supports, and the delivery environment. They may review staff credentials, service-delivery evidence, and depending on your scope, quite a bit more.
Winter, EnableUs Community
This is where new providers can get blindsided, I think. Because they think registration ends when approval lands. But for certification providers, there's that extra audit after services start.
Will, EnableUs Community
[serious] Yes -- the conditional audit. Three months after you onboard your first participant and sign a service agreement, you must have that audit completed. Auditors can be onsite for up to four hours, reviewing client files and staff files and interviewing staff and participants. And the practical tip from the source is really important: book it at least a month ahead, because auditors are often busy.
Winter, EnableUs Community
Three months after the FIRST participant. That is such a specific trigger. I can imagine someone celebrating their first service agreement and not realizing they've just started another compliance clock.
Will, EnableUs Community
Right, and if services begin between 12 and 18 months from registration, that conditional audit gets rolled into the mid-term audit, which has to commence no later than 18 months after initial registration. So timing matters.
Winter, EnableUs Community
And then you've got supplementary modules. That's where the scope can get even more specialised, yeah?
Will, EnableUs Community
Yeah. There are five of them in the source material: High Intensity Daily Personal Activities, Specialist Behaviour Support, Implementing Behaviour Support Plans, Early Childhood Supports, Specialist Support Coordination, and Specialist Disability Accommodation. Each adds more assessment requirements, more documentation, and specific workforce qualification expectations. High Intensity has another layer again -- workers are assessed against the High Intensity Skills Descriptors.
Winter, EnableUs Community
[reflective] So the strategic answer is almost boring... but in a good way. Be honest about what your business can do NOW. If your current team, systems, and evidence suit Household Tasks or Travel and Transport, register for that cleanly. Don't bolt on Specialist Behaviour Support just because it looks good on a growth slide.
Will, EnableUs Community
[softly] Exactly. Start with the groups that match your present capability, get through audit well, and then expand later through a variation when the workforce and systems are genuinely ready. Because the supports you select are the supports you'll be audited against. And I reckon that's the question worth sitting with: are you choosing groups for the business you have... or the business you're still imagining?
Winter, EnableUs Community
[warmly] That's the line, isn't it. Choose for the business you can stand behind today -- and build the rest on purpose.