How to Get Ready for Audit

This guide walks you through exactly how to use the Effective Policy Compliance Management System (CMS) to prepare for your NDIS audit — whether it’s your first Stage 1 or you’re heading into a recertification. Follow the steps in order and you’ll go into your audit confident, organised, and fully prepared.

Understanding the Two-Stage Audit Process

NDIS certification audits, whether provisional or full, are conducted in two stages. Understanding what each stage requires is the first step to being prepared.

Stage 1 — The Desktop Audit

Stage 1 is a desktop review. Auditors check that all the correct documents are in place and that your evidence is compiled, organised, and ready to be systematically reviewed. No face-to-face interview is required at this stage; it’s about your paperwork.

Stage 2 — The Face-to-Face Audit

Stage 2 moves into a face-to-face assessment, conducted in person or via video call. Auditors will interview you and your staff, review your registers, and assess how well you understand and implement your policies and procedures.

💡 Tip: In between Stage 1 and Stage 2, use the time to thoroughly read your policies. Auditors will ask you questions — you must know your own documents.

Step 1 — Organise Your Three Folders

The simplest and most effective way to present your Stage 1 evidence is in three clearly labelled folders. This makes it easy for auditors to find what they need without wading through a disorganised mess.

📁 Folder 1 — Identification Documents

  • 100 points of ID for every staff member (licence, passport, Medicare card, bank card)
  • Working With Children Check for all staff
  • National Police Check for all staff
  • Worker Screening Check for all staff (mandatory from 2 February)
  • Qualifications certificates for all staff
  • Registration with professional body where applicable (nurses, psychologists, OTs, physios, accountants, etc.)
  • NDIS Commission 90-minute Mandatory Worker Orientation Module certificate — every staff member AND all directors/board members

📁 Folder 2 — Key Business Documents

  • Professional Indemnity Insurance — business and any ABN subcontractors
  • Public Liability Insurance — business and any ABN subcontractors
  • Directors Liability Insurance (if Pty Ltd)
  • Accident & Injury Insurance (if not covered by workers comp)
  • Workers Compensation Insurance
  • NDIS Participant Service Agreement
  • Complaints Policy
  • Incident Management Policy
  • All other policies and procedures

📁 Folder 3 — Governance Documents

  • Organisational chart
  • Staff vetting and due diligence records
  • Business Plan
  • Strategic Plan
  • Job descriptions for all roles
  • Business Continuity Plan
  • Effective Policy Compliance Management System (CMS)

⚠️ Important: Keep all folders together and never separate them. The most common disasters happen when registers and documents get split up and go missing. Your CMS is governance and it belongs in Folder 3.

Step 2 — Complete Your CMS Registers

The Effective Policy Compliance Management System is an Excel-based tool that gives you a helicopter view of everything in your business. Instead of hunting through 20 different folders to find when someone’s licence expires, your CMS lets you see it all at a glance: sortable by due date, sortable by staff member, and always up to date.

Your CMS has colour-coded tabs. Here’s what they mean:

  • Red Tabs: Must be completed for Stage 1, even if you have no clients yet. These registers don’t require participant data.
  • White Tabs: Complete these once you have clients. Required for recertification audits and any provider with active participants.

Red Tab Registers — Required for Stage 1

1. Key Decision & Governance Log

Record every significant decision your business makes, especially those with financial impact or business risk. For each entry, ask yourself: does this decision represent a risk? If yes, transfer it immediately to your Corporate Risk Register. This register acts as your meeting minutes when you’re not yet large enough to hold formal staff meetings.

2. Regulatory Compliance Register

This is one of your most important registers. List every insurance, licence, registration, and certification for the business and every staff member, including car registrations and licences for anyone driving while working. The most critical column is the Due Date. Review this register weekly and follow up on renewals well in advance.

⚠️ Why this matters: If a staff member’s licence is even one day expired and they have an accident while working, every insurance policy you hold — including your business insurances — can be voided. You, as the business owner, carry the liability.

3. HR Training Matrix

Record all training and continuing professional development for each staff member. When onboarding someone new, conduct a training needs analysis to identify gaps. Document the training name and the date completed, and file the certificate. If you can’t show the certificate, then as far as the auditor is concerned, it didn’t happen.

At minimum, every staff member should have training in: abuse and neglect, manual handling, complaints, and incident management.

4. Staff HR Matrix

A register of all staff credentials: qualifications, professional body registrations, Working With Children Checks, Police Checks, First Aid, CPR, Worker Orientation Module, and Worker Screening Checks. Include the date you sighted each document and the due date for renewal. Every column must be filled; leave nothing blank.

💡 Tip: Even though police checks don’t have a formal expiry date, consider requiring annual renewal. Uber drivers get one yearly; your staff are working with a far more vulnerable population.

5. Policy Review Schedule

List all your policies and assign a planned review date for each. Ideally, begin reviewing your policies around six months before your next audit. When you update a policy, document why it was updated and communicate the changes to your team. A policy nobody knows has been changed is a policy that might as well not exist.

6. Corporate Risk Register

This is your most important governance tool. Identify the risks your business faces: financial, operational, regulatory, environmental, and staffing. For each risk, rate its likelihood and potential impact, then identify a management strategy and a review date.

Risk likelihood x impact = risk rating. Use the rating matrix provided in your CMS to score each risk. Every column must be complete. Never leave blank cells. An empty column in a risk register is an invitation for the auditor to flag it as incomplete.

7. Asset Register

Record every significant asset your business purchases (set your own threshold, for example, anything over $200 or $500). Include serial numbers and locations so you can track assets, identify losses, and manage the retirement of equipment over time.

8. Delegation Register

This is your Plan B. If something happens to you, such as illness, an accident, or otherwise, who has the authority to keep the business running? List the key decisions and actions within your business and formally delegate authority to a named person. This must be in writing, not just verbal. Auditors will ask for it.

White Tab Registers — Required Once You Have Clients

If you’re a new provider with no clients yet, you won’t need these for your first audit. However, if you already have participants in your service, complete these as well.

  • Support Plan Review Schedule — track when each participant’s individual support plan is due for review
  • Participant Risk Register — document identified risks for each participant (allergies, seizures, behaviours) with a management strategy for each
  • Staff Performance Appraisal Schedule — ensure no performance review is forgotten
  • Staff Supervision Schedule — especially important for staff working with complex or high-needs clients
  • Complaints Register — document all complaints, outcomes, and any improvements made
  • Feedback Register — record feedback from participants, families, and staff
  • Incidents Register — mandatory; document every incident and conduct root cause analysis for serious events
  • Quality Improvement Register — record improvements made as a result of complaints, incidents, feedback, and your own observations
  • Grievance Register — a formal record of any grievances raised
  • Restrictive Practices Register — mandatory if any participant has an approved restrictive practice
  • Internal Audit Schedule — plan your mid-term internal review so you’re ready for your next certification audit
  • Conflict of Interest Register — declare organisational and participant-related conflicts of interest with your management strategy

Step 3 — A Critical Rule for Every Register

The evidence must match the register. If it’s in the register but not in the folder, it didn’t happen. If it’s in the folder but not in the register, you have no oversight. Both must exist together.

Every register in your CMS is the helicopter view. The folders are the evidence on the ground. Together, they demonstrate to auditors that you understand your obligations, you’re actively monitoring compliance, and you’re running a well-governed service.

Additionally, no column in any register should ever be left blank. If a field is not applicable, type ‘N/A’. A blank column tells an auditor the register is incomplete and they will flag it, every time.

Step 4 — Preparing for Stage 2

Once your Stage 1 desktop audit is complete and any identified gaps have been addressed, you’ll move to Stage 2. Here’s how to prepare:

Know Your Policies

Read every policy in your folder. All of them. Auditors will ask you about your complaints process, your incident management process, and your safeguarding procedures. You are the owner, and you must know your own documents. If you can’t explain your own policies, it reflects poorly on your governance.

Prepare Your Quality Improvement Register

If you’ve been operating for any length of time, your Quality Improvement Register should show activity. The four ‘rivers’ that feed your quality improvement are: complaints, incidents, feedback, and work health and safety issues. If you walk into a second or third audit with an empty Quality Improvement Register, an auditor will ask why, and ‘we’ve been too busy’ is not an answer.

Check That All Registers Are Current

Go through every red-tab register in your CMS. Are all due dates filled in? Are all columns populated? Are the documents in your folders up to date and matching what’s in your registers? If anything is out of date or missing, address it before your Stage 2 date.

Keep All Registers Together

Don’t separate your CMS or your folders. The most common audit disasters come from registers and documents being split up, moved, or lost. Your CMS, with all tabs together, belongs in Folder 3 as a single, complete document.

Your Audit Readiness Checklist at a Glance

  • Folder 1 — Identification Documents compiled and complete
  • Folder 2 — Key Business Documents compiled and complete
  • Folder 3 — Governance Documents (including CMS) compiled and complete
  • All red-tab CMS registers completed with no blank columns
  • All white-tab CMS registers completed (if you have clients)
  • Every document in your folders has a corresponding entry in your CMS
  • Due dates are filled in for every expiring document
  • Regulatory Compliance Register reviewed — no expired documents
  • Corporate Risk Register completed with likelihood, impact, rating, and management strategies
  • Delegation Register in place and in writing
  • Business Continuity Plan documented
  • All policies read and understood by you and your team
  • Quality Improvement Register shows activity (for providers with clients)
  • Stage 2 interview preparation: review your policies, procedures, and how to explain them clearly

Remember: audit preparation is not just about passing a test. The discipline of maintaining your CMS between audits reduces your business risk, protects your participants, and keeps your team working in a well-governed, compliant service. The work you put in now pays off every day you operate — not just on audit day.

Questions? Contact Effective Policy for support with your CMS and audit preparation.