This instrument is made by the Commissioner of the NDIS Quality and Safeguards Commission (the Commissioner). The Commissioner is assisted by the staff of the NDIS Quality and Safeguards Commission (the Commission) to perform a range of functions under the National Disability Insurance Scheme Act 2013 (Act). These include functions related to approved quality auditors and the assessments they conduct under the Act.

This instrument is underpinned by the United Nations Convention on the Rights of Persons with Disabilities (UNCRPD) to prevent exploitation, violence and abuse of people with disability and is intended to uphold the rights of people with disability. To support this, this instrument makes consumer technical experts (CTEs), or people with disability, part of the audit process. The Commission, along with the Department of Social Services, will work closely with key stakeholders to design the CTEs arrangements under this instrument.

Overview of the core accreditation processes for the Approved Quality Auditors Scheme

This instrument supports the delivery of certification and verification services by Certification Bodies seeking accreditation in alignment with ISO/IEC 17065:2012 towards becoming an approved quality auditor under the NDIS Approved Quality Auditors Scheme. The JAS-ANZ accreditation criteria for becoming a Certification Body are set out in subsection 6(4).

The Approved Quality Auditor Scheme provides the framework for auditing of registered NDIS providers, including the approval process for approved quality auditors who will conduct the audits. The standard approval process will recognise accreditation of an auditor to ISO/IEC 17065:2012. The intention of the Approved Quality Auditors Scheme is to set out the accredited third party conformity assessment regime to which NDIS providers will be subject. All registered NDIS providers offering supports and services to participants must meet quality and safety requirements in the Act (and NDIS rules).

The conformity assessment requirements are applied against the NDIS Practice Standards which are set out in legislative instruments made under section 73T of the Act. The NDIS Practice Standards draw on the National Standards for Disability Services and National Standards for Mental Health Services. The development of the NDIS Practice Standards was overseen by a Technical Reference Group. This group included representatives from each of the state and territory governments, the Commonwealth Department of Health, the National Disability Insurance Agency (NDIA), peak bodies representing people with disabilities and disability service providers. Unions and the peak body for disability advocates were also consulted.

The Commissioner approves a person or body to become an approved quality auditor under section 73U of the Act. The assessment of an approved quality auditor (certification, for providers delivering higher risk support classes and verification for providers delivering lower risk support classes) may be relied on by the Commissioner when making decisions under the Act.

For example, the certification and verification attestations of an approved quality auditor may be relied on by the Commissioner in considering whether to register an applicant as a registered NDIS provider. Section 73E(1)(c) of the Act provides: ‘The Commissioner may register a person as a registered NDIS provider if…the applicant has been assessed by an approved quality auditor as meeting the applicable standards and other requirements prescribed by the NDIS Practice Standards’. The outputs of approved quality auditors may be relevant to imposing conditions of registration on registered NDIS providers, or in considering applications for registration (section 73G and section 73E(5)(d) of the Act), varying registration unilaterally (section 73L of the Act) or taking action under (section 73M), suspending registration (section 73N), or revoking registration (section 73P). Conditions of registration may extend to the ‘timing and type of audits’ required of registered NDIS providers (section 73G(3) of the Act).

The Commission may utilise approved quality auditor surveillance activities and outputs for its complaints investigation processes (section 73X of the Act), compliance notices (section 73ZM of the Act), banning orders (section 73ZN of the Act), enforceable undertakings (section 73ZP of the Act), and/or injunctions (section 73ZQ of the Act).

If the criteria in section 73E are met, the Commissioner will issue the applicant with a certificate of registration. The conformity assessment certification or verification will not be publicly displayed or otherwise publicly available unless required to be made available by law. It will be used by the Commissioner to assist with the performance of functions and exercise of decision-making powers under the Act.

Part 1 – Preliminary

1 Name

This instrument is the National Disability Insurance Scheme (Approved Quality Auditors Scheme) Guidelines 2018.

2 Commencement

This instrument commences on the day after it is registered.

3 Authority

This instrument is made under subsection 181D(2) of the National Disability Insurance Scheme Act 2013.

4 Definitions

Note: A number of expressions used in this instrument are defined in section 9 of the Act, including the following:

(a) National Disability Insurance Scheme rules;

(b) NDIS Practice Standards;

(d) nominee;

(e) participant;

(f) plan;

(g) restrictive practice.

In this instrument:

Accreditation Body means the body carrying out the review for the purposes of accrediting a Certification Body.

Act means the National Disability Insurance Scheme Act 2013.

Approved quality auditor means a person or body approved by the Commissioner under section 73U of the Act.

Audit duration means the part of the audit time spent conducting on-site audit activities, from opening meeting to closing meeting, inclusive.

Auditor-in-training is a newly qualified auditor with less than 4 supervised (by an Audit team leader) audits performed over a 12 month period.

Audit Team means a team of at least two persons appointed to conduct an audit.

Audit time means the total time needed to plan and accomplish a complete and effective audit against the applicable standards and other requirements within the scope of audit, and is exclusive of time spent reporting to the Commission.

Audit team leader is an experienced auditor who is qualified to lead audit teams and to supervise auditors-in-training.

Behaviour support plan means:

(a) a comprehensive behaviour support plan; or

(b) an interim behaviour support plan.

Certification or Verification Audit means an audit for the purposes of ascertaining whether an NDIS provider meets the standards required for NDIS provider certification or verification in accordance with this instrument.

Certification Body or CB means a body that has received accreditation by JAS-ANZ against this Scheme, towards becoming an approved quality auditor.

Clinical means a bodily procedure or intervention that requires a measured level of competency.

Commission System means the online system or portal that the Commission, auditors and NDIS providers will use for the purposes of the Act, including the accessing and maintenance of records of registration.

Commission means the NDIS Quality and Safeguards Commission, which is established under section 181A of the Act.

Commissioner means the Commissioner of the NDIS Quality and Safeguards Commission.

Consent is where a participant provides written consent for an auditor to access their records, discuss the participant’s supports or make contact with them, and then disclose those records containing personal information to the Commission. A request for consent is the responsibility of the NDIS provider, and a participant has the right to decline consent for auditing purposes.

Consumer technical expert means a person with disability who has the training, experience or skills to be involved in the audit team.

Corrective action plan means an action plan developed by the provider that defines those corrections and corrective actions to be taken by the provider to address identified non-conformities.

Critical risk means any uncontrolled risk which may impact on participant safety including the ‘incidents that must be covered’ as described in section 9 of the National Disability Insurance Scheme (Incident Management and Reportable Incident) Rules 2018.

Functional behavioural assessment means the process for determining and understanding the function or purpose behind a person’s behaviour, and may involve the collection of data, observations, and information to develop an understanding of the relationship of events and circumstances that trigger and maintain the behaviour.

IAF MD2 means the International Accreditation Forum Inc. Mandatory Document 2017 for the Transfer of Accredited Certification of Management Systems.

Note: This can be accessed here - https://www.iaf.nu/articles/Mandatory_Documents_/38

IEC means the International Electrotechnical Commission.

Initial scope of audit document is automatically generated by the Commission’s system following completion of the application to register as an NDIS provider, or the registration renewal process, containing the NDIS provider’s registration groups, applicable NDIS Practice Standards as well as other key information about the NDIS provider’s service delivery as stated by the provider on the registration application form or through the registration renewal process.

Note: The initial scope of audit document is intended to be used by approved quality auditor to provide a quote for the cost of certification/ verification. Once the NDIS provider has engaged their preferred approved quality auditors the auditor is required to work with the NDIS provider to ensure the scope of audit is correct.

ISO means the International Organization for Standardization.

JAS-ANZ – the Joint Accreditation System of Australia and New Zealand being the body responsible for the accreditation of Certification Bodies (CBs) against this Approved Quality Auditors Scheme to inform the Commissioner’s decision relating to the approval of an approved quality auditor.

Material change means a change of circumstances that materially affects the provider’s ability, or the ability of any of the provider’s key personnel, to provide the supports or services the provider is registered to provide, including as described in section 13 of the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018.

NDIS behaviour support practitioner means a person the Commissioner considers is suitable to undertake behaviour support assessments (including functional behavioural assessments) and to develop behaviour support plans that may contain the use of restrictive practices.

NDIS provider has the meaning under section 9 of the Act.

Nominee has the meaning given under section 9 of the Act.

Outcomes are the elements of quality support which should be achieved for people with disability receiving support, identified through the NDIS Practice Standards.

Participant has the meaning given under section 9 of the Act.

Note: For the purposes of the Scheme and the NDIS Practice Standards, where a participant is supported by a nominee or decision maker (such as a family member), where the context requires the term ‘participant’ should be read as including the nominee or decision maker.

Proportionality pertains to the application of the NDIS Practice Standards. Approved quality auditors are required to assess NDIS provider compliance with the relevant sections of the NDIS Practice Standards in consideration of the size of the organisation and the scale of the services delivered.

Provisional audit is an audit conducted when a new provider is entering the NDIS market, but they do not yet have any participants for the particular registration class.

Qualified certification decision means the outcome of a provisional audit as described in section 27(3) of this instrument.

Registration renewal date means the registration expiry date (or the last date of the period of registration) listed on a registered NDIS provider’s certificate of registration, and is the date by which an application for registration under section 73C of the Act must be commenced in the Commission’s system.

Registration classes (sometimes known as registration groups) are the classes (or groups) of supports and services being delivered under the NDIS categorised into registration classes depending on the type of service or support delivered to participants by the NDIS provider as set out in the table at section 20 of the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018.

Regulated restrictive practice means a restrictive practice that is or involves any of the following:

(a) seclusion, which is the sole confinement of a person with disability in a room or a physical space at any hour of the day or night where voluntary exit is prevented, or not facilitated, or it is implied that voluntary exit is not permitted;

(b) chemical restraint, which is the use of medication or chemical substance for the primary purpose of influencing a person’s behaviour. It does not include the use of medication prescribed by a medical practitioner for the treatment of, or to enable treatment of, a diagnosed mental disorder, a physical illness or a physical condition;

(c) mechanical restraint, which is the use of a device to prevent, restrict, or subdue a person’s movement for the primary purpose of influencing a person’s behaviour but does not include the use of devices for therapeutic or non‑behavioural purposes;

(d) physical restraint, which is the use or action of physical force to prevent, restrict or subdue movement of a person’s body, or part of their body, for the primary purpose of influencing their behaviour. Physical restraint does not include the use of a hands‑on technique in a reflexive way to guide or redirect a person away from potential harm/injury, consistent with what could reasonably be considered the exercise of care towards a person;

(e) environmental restraints, which restrict a person’s free access to all parts of their environment, including items and activities.

Note: For the definition of restrictive practice, see section 9 of the Act.

Scheme means this Approved Quality Auditor Scheme.

Scope of audit means the range of services and supports that are to be assessed by the approved quality auditor as meeting the applicable standards and other requirements prescribed by the NDIS (Provider Registration and Practice Standards) Rules 2018. Services and supports funded through the NDIS are within the scope of audit.

Note: The Commission’s system will automatically generate an initial scope of audit document based on the information entered by the NDIS provider. This document will be emailed to the provider’s primary contact.

Senior Practitioner is responsible for oversight of the use of behaviour support interventions by NDIS providers, the approval of NDIS behaviour support practitioners and leading best practice in behaviour support.

Support plan means a document developed, in consultation with the participant, by an appropriately skilled professional within the provider organisation prior to the commencement of supports.

Stage one audit means an audit as described in section 14 of this instrument.

Stage two audit means an on-site audit as described in section 15 of this instrument.

Surveillance (monitoring) audit means an audit conducted for the purposes subsection 21 of this instrument.

Auditors with technical expertise are auditors who have established and quantifiable technical expertise in a particular area that enables them to form a qualified opinion regarding a particular aspect of an NDIS provider’s activities.

Verification audit means an audit for the purposes of ascertaining whether an NDIS provider meets the standards required for NDIS provider verification in accordance with this instrument.

Witnessed audit is an audit by:

(a) JAS-ANZ of an auditor of an approved quality auditor; or

(b) an approved quality auditor of one of its auditor’s conduct;

and not of the NDIS provider.

Worker means a person employed or otherwise engaged by a registered NDIS provider.

5 Interpretation

(1) A reference in this instrument to a provider includes a reference to a person who is applying to become a registered NDIS provider.

(2) A reference in this instrument to a participant includes a reference to:

(a) a prospective participant; and

(b) a person with disability receiving supports or services from a provider under the arrangements set out in Chapter 2 of the Act; and

(c) a person with disability receiving supports or services from a person included in a class of persons prescribed for the purposes of subparagraph (b)(ii) of the definition of NDIS provider in section 9 of the Act.

(3) A reference in this instrument to a participant providing consent, includes a nominee providing consent on a participant’s behalf.

(4) This instrument is intended to be read in conjunction with:

(a) the United Nations Convention on the Rights of Persons with Disabilities;

(b) ISO/IEC 17065 Conformity Assessment – requirements for bodies certifying products, processes and services;

(d) the International Accreditation Forum Inc. Mandatory Document for the use of Computer Assisted Auditing Techniques (“CAAT”) for Accredited Certification of Management Systems (IAF MD4:2008); and

(e) the International Accreditation Forum Inc. Mandatory Document for the Transfer of Accredited Certification of Management Systems (IAF MD2: 2017).

Note: These are the documents required to fully and properly utilise the technical standards in this instrument. In ISO terms, they are normative references. The document described in paragraphs:

5(4)(a) can be found at: https://www.un.org/development/desa/disabilities/convention-on-the-rights-of-persons-with-disabilities/convention-on-the-rights-of-persons-with-disabilities-2.html
5(4)(b) can be found at: https://www.iso.org/standard/46568.html
5(4)(c) can be found at: https://www.legislation.gov.au/
5(4)(d) and (e) can be found at: https://www.iaf.nu/articles/Mandatory_Documents_/38

Part 2 – Standards and Process Requirements

6 Applicants

(1) An audit for the purposes of Part 3A of Chapter 4 of the Act is conducted by an approved quality auditor.

(2) In deciding whether to approve a person or body as an approved quality auditor under section 73U of the Act, the Commissioner may consider whether that person or body can properly conduct audits in accordance with this instrument.

Note 1: Pursuant to subsection 33(3) of the Acts Interpretation Act 1901, where an Act confers a power to make, grant or issue any instrument of an administrative character, the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend or vary any such instrument.

Note 2: Accordingly, in making a decision to revoke the approval of a person or body to be an approved quality auditor in reliance on subsection 33(3) of the Acts Interpretation Act 1901, the Commissioner may take into account whether they failed to maintain an appropriate standard of auditing, including by reference to the matters in subsection 6(3).

(3) Matters which the Commissioner may (but is not required to) take into account when forming a view under (2) include:

(a) whether the person or body has been accredited by JAS-ANZ;

(b) whether relevant staff of the person or body have completed Commission auditor training; and

(4) For the purposes of this section, accreditation by JAS-ANZ means accreditation by JAS-ANZ by reference to:

(a) the JAS-ANZ Accreditation Manual;

(b) ISO/IEC 17065:2012 - Conformity assessment — Requirements for bodies certifying products, processes and services – available from your national standards writing body,

(d) JAS-ANZ Policy 03/11 - Transfer of Accredited Management Systems Certification.

7 Applicable NDIS Practice Standards

In conducting a certification or verification audit the applicable NDIS Practice Standards to be assessed are:

(a) Schedule 1 – schedule 7 to the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018 set out NDIS Practice Standards that apply in relation to NDIS provider certification;

(b) Schedule 8 to the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018 sets out relevant NDIS Practice Standards that apply in relation to NDIS provider verification; and

(c) Part 2 of the National Disability Insurance Scheme (Practice Standards-Worker Screening) Rules 2018 sets out NDIS Practice Standards that apply in relation to NDIS provider certification and verification.

Note: The National Disability Insurance Scheme (Quality Indicators) Guidelines 2018 set out indicators and other matters to be taken into account when assessing compliance with the NDIS Practice Standards.

8 Application for Audit

(1) On request from the NDIS provider, the approved quality auditor shall provide a quotation for the cost of the certification audit or verification audit, based on the initial scope of audit document supplied by the NDIS provider on the basis that:

(a) the quote will be provided to the NDIS provider on a ‘no-obligation’ basis and free of charge; and

(b) the NDIS provider shall be made aware that any change in the scope of the audit may impact upon the final cost.

Note: An NDIS provider may request quotations from a number of approved quality auditors prior to selecting their preferred supplier.

(2) If the NDIS provider has requested a quote for a verification audit, but the cost of undertaking that verification audit would exceed the cost of performing a certification audit against the Schedule 1 of the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018, then the approved quality auditor should supply the NDIS provider with the requested quote plus the separate costs of undertaking the certification audit.

(3) The NDIS provider may then decide whether to proceed with a verification audit or go through the certification audit process.

(4) Once the preferred approved quality auditor has been selected, the NDIS provider will provide them with a unique reference number that they can use to access the relevant sections of the NDIS provider’s record on the Commission’s system.

(5) Any transfer of JAS-ANZ-accredited NDIS certifications or verifications under this Scheme should be in accordance with the IAF MD2 and the JAS-ANZ Accreditation Manual, except that the auditor receiving the transfer should also notify the Commission no later than 2 business days of receiving notice that the transfer is expected to occur.

(6) The written notification may be provided through the Commission’s system.

9 Audit Application Review and Assessment Process

(1) Prior to conducting certification or verification audits the approved quality auditor shall review the initial scope of audit document.

(2) In consultation with the NDIS provider the approved quality auditor shall review the initial scope of audit supplied by the NDIS provider to confirm (if applicable):

(a) range of registration groups selected to provide reflects actual or intended services provided;

(b) types of participants receiving services, including disability type, age groups, diversity factors such as whether a participant is indigenous or culturally and linguistically diverse;

(d) location and number of sites where supports are provided or coordinated;

(e) number of participants; and

(f) number of workers providing services to participants.

(3) The approved quality auditor should update the NDIS provider’s record on the Commission’s system to accurately reflect the scope of audit or other details about the NDIS provider. This may include uploading evidence. The auditor will need the NDIS provider’s written approval to make these changes.

(4) The final scope of audit shall be agreed once the above and any other relevant factors are ascertained. The agreed final scope of audit shall be provided to the Commission, and shared with the NDIS provider by the approved quality auditor using the Commission’s system.

10 Audit Program

(1) Subject to (2), the audit program for an NDIS provider shall be in accordance with any conditions on the registration of that provider regarding the types or timing of quality audits under section 73G of the Act.

Note: The conditions of registration are set out in the certificate of registration issued by the Commissioner under section 73E(4) of the Act.

(2) If no such conditions are imposed on the registration of an NDIS provider, the certification audit program for the evaluation activities in the initial cycle shall include:

(a) a two-stage initial audit;

(b) where the required assessment method for registration is certification - surveillance (monitoring) audits in the first and second calendar years following the registration decision, except where the provider is registered for specialist disability accommodation only or a provider that is an individual or partnership and registered for early intervention supports for early childhood only; and

Note: This reflects that these registered NDIS providers are not subject to, or have very limited coverage by, Schedule 1 to the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018 - see subsections 20(3),(4) and (5) of that instrument.

(c) a recertification or verification audit in the third year, prior to expiration of certification or verification but no earlier than six months before the registration renewal date.

(3) For the purposes of (2):

(a) the initial cycle is three years long and begins on the registration approval date;

(b) surveillance (monitoring) audits shall be conducted at least once every twelve months, except in registration renewal years;

(c) the date of the first surveillance (monitoring) audit following initial certification shall not be more than twelve months from the registration decision date.

Note: See section 21of this instrument for further information on surveillance requirements.

(4) The determination of the audit program and any subsequent adjustments shall be proportionate to the size of the NDIS provider, the scope and complexity of its management system, products and processes as well as demonstrated level of management system effectiveness and the results of any previous audits.

(5) The Commissioner may authorise an approved quality auditor to assess an applicant or a registered NDIS provider against an applicable NDIS Practice Standards or processes by conducting a review of the outcomes and evidence from a comparable quality audit process undertaken in relation to the applicant or provider, if the Commissioner considers it is appropriate to do.

Note: Section 5 of the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018, authorises the Commissioner to consider comparable quality audit processes.

11 Composition of the audit team – NDIS Provider certification

(1) Subject to (2), an audit team shall consist of at least two auditors.

Note: An auditor includes an auditor-in-training.

(2) The Commissioner may on request or own motion provide one-off special approval for an audit team for a particular audit to consist of one auditor if the Commissioner, is satisfied that there are exceptional circumstances, and issues a notice to that effect, to the approved quality auditor.

(3) An approved quality auditor should request a special approval from the Commission in writing, providing details for why the special approval is sought, no later than ten working days prior to the planned date of the stage two audit.

(4) Wherever possible the composition of the audit team shall reflect the characteristics of the supports provided (or intended to be provided) and the participants receiving (or intended to receive) the supports, such as:

(a) nature of the disability;

(b) cultural background; or

(5) Each audit team shall include a qualified and experienced audit team leader that satisfies the requirements for an audit team leader as described in section 31 of this instrument.

(6) The composition of the audit team shall satisfy the minimum requirements for each service type within the scope of audit.

(7) Where an audit requires particular technical expertise the audit team shall include an auditor with the required expertise, or a technical expert in the relevant field.

(8) Technical experts shall have recognised qualifications and experience in the field or services area to be audited.

(9) For the purposes of (8), a person must be at least a registered nurse with current Australian Health Practitioners Regulation Agency registration, in order to be a technical expert in relation to a clinical matter.

12 Verification audits

Subject to section 9, audits for the purpose of verification shall be confined to those activities in a stage one audit as specified in section 14 this instrument.

13 Certification audits

Audits for the purpose of certification shall comprise both those activities in a stage one audit as specified in section 14, and those activities in a stage two audit as specified in section 15.

14 Stage One Audits

(1) Subject to (2), a stage one audit is an off-site audit that shall incorporate a review of:

(a) the self-assessment responses completed by the NDIS provider as part of the registration application, or registration renewal process and associated documents submitted by the NDIS provider, available through the NDIS provider’s application record accessed through the Commission’s system.

(b) the prior NDIS provider certification or verification outcome, corrective actions and audit report, if applicable; and

Note: The purpose of this review is to allow the approved quality auditor to collect sufficient verifiable information to contribute to stage two of the NDIS provider certification or verification process.

(2) A stage one audit may be conducted on-site where:

(a) the audit is for the purpose of certification or recertification; and

(b) the NDIS provider has given the approved quality auditor prior written agreement to the audit being conducted on-site.

(3) Stage two audits should commence within three months of the completion of the stage one audit.

(4) Prior to undertaking a stage two audit for NDIS provider certification purposes, the approved quality auditor shall:

(a) where an instance of non-conformity has been found, or the audit team suspects an instance is likely to be found - supply the NDIS provider with the findings of the stage one audit at least two weeks before the commencement date of stage two audit;

(b) where no instances of non-conformity are identified or suspected - supply the NDIS provider with the findings of the stage one audit a minimum of one (1) week before the commencement of the stage two audit.

(5) The findings referred to in (4) shall:

(a) state whether the range of documents and information supplied displayed sufficient content to meet the requirements of the relevant modules (or parts) of the NDIS Practice Standards; and

(b) clearly identify the NDIS provider’s registration class(es)/groups that will be included in the audit, key personnel, and number of participants, and propose how key personnel and participants are best involved in the audit.

Note For verification audits the audit findings shall be reported in line with the requirements of subsection 16(6).

(6) If the audit team determines that a NDIS provider is unlikely to be suitably prepared for their stage two audit, the audit team leader shall inform the NDIS provider and also inform the Commission using the Commission’s system that the stage two audit is likely to be delayed while the provider corrects the identified, or likely to be identified, non-conformities.

15 Stage Two Audits

(1) The approved quality auditor shall undertake a stage two audit on-site, and shall evaluate the effectiveness and implementation of the NDIS provider’s systems in addressing all relevant modules or parts of the NDIS Practice Standards.

(2) Prior to going on-site, the approved quality auditor shall:

(a) notify the Commission of the intended date of the audit using the Commission’s system;

(b) check the Commission’s system for any relevant information;

(d) develop an audit plan that is proportionate to the NDIS provider and incorporates information from section 14(4) and the requirements of Annex B (as applicable);

(e) seek written agreement from the NDIS provider of the audit plan, and

(f) keep a copy of the agreed audit plan.

(3) Where a NDIS provider operates in remote or regional areas (as defined within the Accessibility/Remoteness Index of Australia) or meets other criteria specified by the Commission, the Commission may provide one-off special approval to the approved quality auditor to undertake remote off-site auditing when the approved quality auditor:

(a) is accredited to IAF MD 4; and

(b) applies to the Commission in writing no later than ten working days prior to planned date of the stage two audit, to undertake the stage two audit remotely.

(4) When approval for the approved quality auditor to undertake remote, off-site auditing is provided by the Commission, the approved quality auditor shall keep a record of the approval.

(5) During the stage two audit the audit team leader shall:

(a) chair and maintain records of opening and closing meetings with the NDIS provider;

(b) in the event that a critical risk relating to criminal acts or child protection concerns is identified:

(i) immediately notify the approved quality auditor, the Commission and any relevant authorities (such as the police) of the risk; and

(ii) cease the audit until the Commission notifies the approved qualified auditor that it may recommence;

(i) immediately notify the approved quality auditor of the risk; and

(ii) document the critical risk, and mitigations taken to date and then seek sign off by the approved quality auditor prior to submitting to the Commission using the Commission’s system within 24 hours; and

Note: The Commission will acknowledge receipt and make recommendations about next steps - see subsection 16(11).

(d) ensure the NDIS provider receives a written copy of the audit findings at the closing meeting.

(6) The approved quality auditor processes for on-site evaluation meets the minimum requirements for sampling outlined in Annex B of this document, except where the provider is delivering one of the registration group/classes outlined in Annex D in which case no minimum sampling requirements apply.

(7) The approved quality auditor shall have a documented process for the calculation of stage two audit duration. This process shall include as a minimum the following aspects (as applicable):

(a) minimum duration of one day (equating to 8 hours of work);

(b) size and complexity of the service being audited including geographic spread between regional and outreach services from the primary service hub;

(d) sampling methodology applied to scope of audit (where applicable)

(e) approved quality auditor auditing practices;

(f) use of technical experts; and

(g) requirement that time on site comprises at least 80% of the estimated total audit time.

Note: ‘Audit time’ is defined in terms which exclude time spent reporting to the Commission – see section 4.

(8) The auditing process shall be respectful of participants and their family and minimise disruption to service delivery.

(9) Auditors shall collect a range of audit evidence in relation to compliance with the applicable standards in the National Disability Scheme Insurance (Provider Registration and Practice Standards) Rules 2018, including:

(a) information directly from participants;

(b) information from family/friends/carer/nominees and/or independent advocates (with participant consent);

(d) all the supports delivered by the NDIS provider to the participant.

Note: The range of audit evidence under subsection 15(9) of this instrument is not relevant to provisional audits see section 27 of this instrument.

16 Audit Reporting

(1) At the completion of the stage two audit conducted for the purpose of NDIS provider certification, the audit team shall prepare a written report using the Commission’s template and by completing all required fields in the relevant NDIS provider record in the Commission’s system.

(2) The certification audit report shall include the following matters:

(a) whether the NDIS provider will be recommended for full certification or if conditions should be applied to the registration requiring an on-site audit for registration group where service delivery could not be assessed;

(b) an executive summary;

(d) evidence from documented records and interviews with stakeholders that can be substantiated information provided with relevant and quantified examples;

(e) demonstrate the relationship between actual and expected outcomes;

(f) report attainment ratings against each outcome and indicator as determined at the time of the audit;

(g) ensure finding statements and corrective action requests are completed and appropriate to the level of attainment and risk determined;

(h) identify opportunities for improvement; and

(i) certification recommendations against each outcome within the applicable NDIS Practice Standards.

(3) The audit team can only recommend NDIS provider certification or verification where a NDIS provider has demonstrated that all criteria in the relevant NDIS Practice Standards are being met at the level of ‘Conformity’ (except in the circumstances described in 16(4) of this instrument), as described in Annex B, clause 12.

(4) Certification or verification may be recommended where minor non conformities have been identified but the NDIS Provider has demonstrated to the approved quality auditor evidence of an acceptable corrective plan, prior to the recommendation being made.

Note: Timeframes for addressing non-conformities are specified at Annex C.

(5) A rating of ‘0 – Major Non-Conformity’ shall preclude a certification.

(6) At the completion of a verification audit, the audit team shall complete all required fields of the relevant provider record within the Commission’s system.

(7) In the event that a critical risk relating to criminal acts or child protection concerns is identified other than as part of a stage two audit, the audit team leader or the approved quality auditor shall notify the Commission and any relevant authorities (such as the police) of the risk immediately.

(8) In the event that a critical risk not covered by (7) is identified other than as part of a stage two audit, the audit team leader of the approved quality auditor shall notify the Commission of the risk within 24 hours.

(9) Reporting to the Commission should be made through the Commission’s system where possible.

(10) If internet is not available, the approved quality auditor may report by phone, and follow up using the Commission’s system or through email as soon as practicable.

(11) The Commission shall recommend the next course of action in relation to the critical risk not covered by (7).

17 Review

(1) The audit report shall be proof read, independently reviewed, endorsed by the audit team leader, and provided to the NDIS provider for comment, before it is submitted to the Commission using the Commission’s system.

(2) The approved quality auditor shall clearly document any disagreement between the approved quality auditor and NDIS provider.

(3) This review process shall include but is not limited to:

(a) ensuring the report is factual and accurate and meets standards for reporting audit evidence; and

(b) ensuring the audit activities conducted were technically adequate and properly documented;

(4) Every audit report, and any document provided to the approved quality auditor by the NDIS provider as part of a stage one audit, shall be uploaded to the NDIS provider’s record on the Commission’s system by the approved quality auditor within time requirements for submission of information/reports as outlined in the Scheme.

(5) Timeframes for submission are:

(a) For certification audits (including surveillance (monitoring) audits) - no more than twenty eight calendar days post completion of the on-site audit; and

(b) For verification audits – no more than fourteen calendar days post completion of the verification audit.

(6) Where the content of the audit report is deemed by the Commission to be inadequate or incomplete the approved quality auditor may be requested to submit any additional evidence. The approved quality auditor shall submit this evidence within two working days of the request, unless otherwise agreed with the Commission.

18 NDIS Provider Certification or Verification Decision

(1) An approved quality auditor shall not issue a NDIS provider certification or verification decision to the NDIS provider.

(2) An approved quality auditor shall issue a NDIS provider certification or verification decision to the Commission and make a recommendation with the accompanying audit report to the Commission, for consideration in making the registration determination.

Note: The Commission shall notify the approved quality auditor of its registration decision in regards to NDIS provider the approved quality auditor has audited. For registration approvals, the registration decision will include the date of registration, and the period of registration.

(3) The decision to continue NDIS provider certification following a surveillance (monitoring) audit constitutes a certification decision, and requirements of subsections 1 and 2 apply.

19 NDIS Provider Certification and Verification documentation

(1) NDIS provider certification and verification decision documentation shall only be issued by an approved quality auditor to the Commission.

Note: The Commission may consider certification and verification documents from an approved quality auditor when making decisions under the Act.

(2) NDIS provider certification and verification documents issued by the approved quality auditor shall include the name of the NDIS provider, its Australian Business Number and may also include the registered business name (or registered trading name if prior to November 2018).

(3) The documents shall not just show the registered business or trading name, if this is not also the name of the legal or other entity which operates using that name.

(4) NDIS provider certification and verification documents shall state the registration class(es)/ group(s) the NDIS provider is certified or verified in relation to.

(5) Where the provider is registered for the ‘high intensity daily personal activities’ registration class/ group, then the certification documents shall also state which outcomes, as defined in Part 3 of the NDIS (Quality Indicators) Guidelines 2018, were within the audit scope and similarly, which outcomes were not included in the audit scope.

20 JAS-ANZ Register

(1) The JAS-ANZ Register will include information in relation to registered NDIS providers and approved quality auditors.

(2) In relation to registered NDIS providers, JAS-ANZ may include in the JAS-ANZ Register a link to the NDIS provider register published in accordance with section 73SZ of the Act.

(3) In relation to approved quality auditors, JAS-ANZ may include in the JAS-ANZ Register a link to the list of approved quality auditors published by the Commissioner in accordance with section 73U of the Act.

Note: The NDIS Provider Register can be viewed here: www.ndiscommission.gov.au

21 Surveillance (monitoring)

(1) Surveillance (monitoring) activities shall be developed to monitor external and internal changes affecting registered NDIS providers, and be proportionate to the size and scope of the services provided.

Note: See 10(2)(b) for special conditions for surveillance (monitoring) audits for some registration groups

(2) Such activities shall include periodic review of published information including the NDIS provider’s website, monitoring traditional and online media including ‘customer review’ platforms, and as necessary, submitting enquiries and requests for information from registered NDIS providers and relevant oversight bodies (such as government or other regulatory authorities).

(3) For establishing the audit team composition for a surveillance (monitoring) audit, the requirements in section 11 of this instrument apply.

(4) However, such audits may be conducted by a single audit team leader where the auditor is qualified and experienced, appropriate to the size and scope of the registered NDIS provider.

(5) An approved quality auditor shall establish an audit plan which includes fifty per cent of the relevant sections of the NDIS Practice Standards, but must include the governance and operational management, and provision of supports parts of the Standard (as applicable).

(6) In developing the audit plan, the approved quality auditor shall also consider:

(a) any parts of the NDIS Practice Standard that were identified as non-conformities as part of the certification audit;

(b) compliance with any conditions of registration;

(d) internal audits and management review;

(e) effectiveness in achieving the objectives of the NDIS, as applicable to the scope of registration;

(f) effectiveness of the management system given the size and scope of the services provided, and progress of planned activities aimed at continual improvement;

(g) continuing operational control;

(h) accuracy of advertising claims, including websites and social media;

(i) use of marks, and NDIS registration status; and

(j) matters arising from activities in section 21 of this instrument.

(7) For NDIS providers in the second or subsequent NDIS provider certification cycles, the audit program shall be in accordance with section 10 of this instrument.

(8) If the following good performance criteria are met, surveillance (monitoring) activity may be reduced by the Commission if the Commissioner and the approved quality auditor consider this appropriate, to a single on-site audit, planned as close as possible to eighteen months following the date of recertification:

(a) The NDIS provider has demonstrated continuous improvement methodology within its organisational culture as evidenced by ratings of conformity with elements of best practice in the previous certification cycle;

(b) the NDIS provider has not been subject to sanctions, conditions, or other limitations on its registration by the Commission;

(9) Where a registered NDIS provider satisfies this requirement the Commission may modify the existing surveillance (monitoring) audit date.

22 Recertification and reverification

(1) The recertification activity shall include the review of previous surveillance (monitoring) audit reports and consider the performance of the management system over the most recent NDIS provider certification cycle, and shall include the activities in Part 2 of this instrument.

(2) A recertification or reverification audit shall be planned to occur no earlier than six months prior to the registration renewal date, and where possible be conducted before that date to evaluate the continued fulfilment of all requirements of the NDIS Practice Standards, and shall confirm the continued conformity and effectiveness of the NDIS provider’s policies, procedures and practices.

(3) In addition, each recertification audit shall also address:

(a) effectiveness of the service in its entirety, and its continued appropriateness for meeting the conditions of registration of the NDIS provider;

(b) demonstrated commitment to maintain the effectiveness and improvement of the service to enhance overall performance; and

(c) effectiveness of the service with regard to achieving the certified NDIS provider’s objectives and the intended results of its service to participants.

Note: A registered NDIS provider must commence the registration renewal via the Commission’s system to allow recertification to commence.

(4) Recertification or reverification audits shall include a stage one audit which will include a self-assessment from the NDIS provider indicating where any variation or changes to their previous self-assessment have occurred.

(5) For any major non-conformity raised in a recertification or reverification audit, the approved quality auditor shall specify time limits for correction and corrective actions to the registered NDIS provider which are consistent with Annex C.

(6) In any event, corrections shall be implemented and verified prior to the expiration of NDIS provider certification.

(7) When a recertification or reverification audit is successfully completed prior to the expiry of the existing certificate, the expiry date of the new certification or verification decision (‘Decision’) shall be three years from the expiry of such an existing decision. This is unless the Commissioner has varied the certificate of registration under section 73L to be subject to a reduced period of registration, in which circumstances the expiry date of the Decision should align with the end of the period of registration..

(8) The recertification expiry date must align with the registration renewal expiry date.

(9) If the NDIS Provider has commenced the registration renewal application prior to the registration expiry, then the certification or verification shall continue to apply while the recertification or reverification process is undertaken, in accordance with the requirements of Part 2 of this instrument.

(10) The effective date on the certificate shall be aligned with the registration renewal approval date and expiry date, which can only occur if the NDIS provider has commenced the registration renewal process on the Commission’s system prior to the expiry of the registration.

23 Changes Affecting NDIS Provider Certification or Verification Decisions

(1) A NDIS provider seeking to add additional registration groups will do so using the Commission’s system.

(2) The Commission’s system will notify the associated approved quality auditor of the changed scope and whether the NDIS Provider is required to be verified or certified against additional modules or parts of the NDIS Practice Standards.

(3) Changes that do require the NDIS provider to be verified for certified against additional modules or parts of the NDIS Practice Standards shall be considered part of the surveillance (monitoring) audit.

(4) The approved quality auditor may conduct audits of registered NDIS providers at short notice or unannounced to investigate complaints, or in response to material changes.

(5) In the event of (4), the approved quality auditor shall exercise additional care in the assignment of the audit team because of the lack of opportunity for the NDIS providers to object to audit team members.

(6) An approved quality auditor may conduct audits of a registered NDIS provider at short notice or unannounced, if requested in writing by the Commission.

(7) The approved quality auditor shall keep records of all such communication and verification of changes.

(8) If the Commission suspends, revokes, or otherwise varies the registration of an NDIS provider, appropriate action shall include consideration of the change of the scope in future recertification, verification or surveillance activities (if applicable).

24 Termination, Reduction, Suspension or Withdrawal of Certification Verification Decisions

(1) The information to substantiate non-conformity with the NDIS provider certification or verification requirements shall include all relevant, disclosable information about the NDIS provider, and be provided to the Commission, on request.

(2) The approved quality auditor shall keep a record of this information.

(3) The approved quality auditor shall notify the Commission through the Commission’s system seven calendar days prior to suspending or withdrawing NDIS provider certification or verification decision.

(4) The Commission shall take into account the withdrawal of NDIS provider certification or verification decision in considering the ongoing registration of the NDIS provider.

(5) The withdrawal of the NDIS provider certification or verification decision does not necessarily mean the Commission will suspend the registration.

(6) The approved quality auditor shall collaborate with the Commission in formulating all communication relating to withdrawal or suspension of certification or verification decisions and keep a record of all related documents.

(7) The approved quality auditor shall notify the Commission through the Commission’s system seven calendar days prior to making any decisions to resolve a suspension of a verification or certification decision.

25 Records

Records required to be kept in accordance with this instrument are required to be kept for 7 years.

26 Complaints and appeals

No additional requirements to ISO/IEC 17065:2012

27 Provisional audits

(1) An NDIS provider shall be subject to a provisional audit in circumstances where that provider:

(a) has applied for registration that is subject to the certification assessment method; and

Note: ‘Certification’ is defined in section 5 of the National Disability Scheme Insurance (Provider Registration and Practice Standards) Rules 2018 and the classes subject to certification are identified in subsection 20(3) or section 21 of those rules.

(b) is a new provider that has developed systems and processes to deliver NDIS supports and services but has not as yet commenced service delivery.

(2) A provisional audit shall consist of:

(a) a stage one audit (off-site); and

(b) an initial stage two audit (on-site) which has the following modifications to reflect that the provider has not yet commenced service delivery;

(i) subsection 15(9) of this instrument does not apply to the audit; and

(ii) evidentiary requirements in Annex B do not apply to the audit.

Note: A provisional audit does not require witnessing (including interviews) because this audit occurs prior to the provider commencing the delivery of services.

(3) The outcome of a provisional audit is a qualified certification decision.

(4) If a provider that is subject to a qualified certification decision is subsequently registered by the Commissioner, then a further stage two audit (without the modifications specified in subsection 27(2) of this instrument) may be required once the provider has commenced service delivery.

Note: The Commissioner may impose conditions to which the registration of a person as a registered NDIS provider is subject, see section 73G of the Act.

(5) Generally, it would be appropriate for an audit for the purposes as described in subsection (4) to occur no later than the first surveillance (monitoring) audit.

(6) Where the NDIS provider’s systems are assessed as compliant, the process for advising the Commissioner is to use the Commission’s system as for other audit outcomes.

(7) After an audit under subsection (4) of this instrument, the approved quality auditor shall advise the Commissioner whether a full certification decision is appropriate, or if the approved quality auditor suggests the registration of the NDIS provider should continue to be subject to registration conditions relevant to the qualified certification decision.

28 Approved Quality Auditor Personnel

(1) All audit activities, whether performed by the certification body’s personnel or outsourced, shall comply with the requirements of ISO/IEC 17065, including those requirements for identifying the top management having overall authority and responsibility for fulfilling all requirements of this Scheme.

(2) The approved quality auditor shall conduct employment probity checks for all auditors, including contractors, prior to participating on an audit team - probity checks will include national police record checks, and working with children/vulnerable persons checks and referee checks.

(3) National police record and working with vulnerable persons checks (or equivalent) shall be updated at least every three years, or in line with the requirements of the state or territory in which it was issued.

(4) The approved quality auditor shall disseminate in a timely manner all relevant information from the Commission to employed and contracted auditors.

(5) The approved quality auditor and all of their auditors and technical experts shall attend all training or meetings with the Commission as required by the Commissioner, and maintain associated attendance records.

Note: All costs related to the attending meetings and training will be met by the approved quality auditor.

29 Management of Competence for Personnel Involved in the Certification and Verification Process

(1) The approved quality auditor shall have a process for determining the competence criteria for personnel involved in the management and performance of audits and other certification or verification activities for each registration class/group, and for each function in the NDIS provider certification process.

(2) The output of the process shall be the documented criteria of required knowledge and skills necessary for the effective performance of audit, verification and certification tasks.

(3) The approved quality auditor will document this process and make it publicly available.

30 Competence Requirements for Auditors, including auditors with technical expertise

(1) The approved quality auditor shall ensure that all of their auditors (other than consumer technical experts) have:

provided evidence of successful completion of an auditor or lead auditor’s course. As a minimum these courses should meet the requirements of competency standards BSBAUD501 Initiate a quality audit; BSBAUD504 Report on a quality audit; and BSBAUD402 Participate in a quality audit (audit team members) or BSBAUD503 Lead a quality audit (audit team leaders) or NZQA Audit quality management systems for compliance with quality standards (Unit Standard 8084) or equivalent coursework (as documented and justified by the approved quality auditor);

(a) the appropriate disability and cultural awareness, as required by their engagement, and an understanding of disability from a participant perspective. This includes an understanding and awareness of how Culturally and Linguistically Diverse (CALD), Indigenous, and Lesbian, Gay, Bisexual, Trans, Intersex and Queer differences may impact on the Participant’s perspective of disability; and

(b) appropriate knowledge of the operations of the NDIS Practice Standards and this instrument by successfully completing all relevant training offered by the Commission, including auditor training.

31 Audit Team Roles

(1) With respect to an auditor-in-training, an approved quality auditor shall ensure that newly qualified auditors work in a team in a trainee capacity for a provisional period of no fewer than four audits over a twelve-month period which are fully supervised by an experienced audit team leader.

Note: An auditor includes an auditor-in-training. This means that the number of auditors in any audit team includes any auditor-in-training.

(2) An auditor-in training shall not work independently until such time as they have been assessed as competent by an experienced audit team leader.

(3) An audit team leader may be responsible for coordinating the audit and accordingly must have the capability to perform responsibilities including but not limited to:

(a) arranging the audit team;

(b) confirming the membership of the audit team is appropriate to the type of audit being conducted;

(d) ensuring the audit is conducted in accordance with this instrument;

(e) confirming audit arrangements with the NDIS provider.

(4) Subject to (5), prior to undertaking the role of audit team leader, an auditor shall have participated in a minimum of four certification audits comprising at least eight on site days under the supervision of an experienced audit team leader.

(5) In special circumstances, an auditor may undertake the role of audit team leader, if the auditor has accrued equivalent experience to (4) auditing the provision of supports and services to people with disability other than under this Act.

(6) Special circumstances include circumstances where it is not possible for, or reasonable to expect, any auditor to have accrued the experience described at (4)

Example: Until the audit obligations in the Act come into effect (from 1 July 2018) there is no capacity for an auditor to begin to accrue the experience described at (4), however, there is a requirement for there to be audit team leaders from the commencement. As a result, it is anticipated that the special circumstances in (6) are likely to apply in the period immediately following the commencement of the audit obligations, and taper off as it is increasingly reasonable to expect an audit to have experience auditing under this Act.

32 Auditors with Technical Expertise

(1) An approved quality auditor with technical expertise shall audit specified components or modules of the NDIS Practice Standard that require a level of expertise in the service area being audited, as detailed in subsection 11 (7) of this instrument.

(2) Where an auditor is acting as an auditor with technical expertise the auditor shall hold a relevant practising certificate and meet the specific competency requirements as set out in subsection 11(7) of this instrument.

(3) An auditor with technical expertise may participate in an audit as a member of the audit team, or may provide advice or opinion on specific matters.

33..Consumer Technical Experts

(1) Consumer technical experts will initially only be required to form part of the audit team when this is required by the Commissioner in relation to the particular NDIS provider (including when specified as a condition of registration).

(2) A consumer technical expert shall:

(a) possess demonstrated knowledge and skills related to and recent experience of the supports and services delivered under the registration class(es)/groups being audited;

(b) be competent to reach an informed opinion on the appropriateness of the services being offered within the service being audited; and

Note: A consumer technical expert is a person with disability who has the training, experience or skills to be involved in the audit team (see definition in section 4). A person with disability may be included in an audit team, for example, where they have a disability relevant to the supports and services under the registration classes or groups subject to the audit.

34 Evaluation Processes

(1) The approved quality auditor shall:

(a) ensure all of their personnel, including employed or contracted auditors and Consumer Technical Experts comply with the Code of Conduct as outlined in Annex A; and

(b) ensure employed or contracted auditors can demonstrate having undertaken continual professional development through regular participation in education and training relevant to the registration class(es)/group(s) they primarily audit.

(2) The approved quality auditor shall have documented processes for the initial competence evaluation, and ongoing monitoring of competence and performance of all personnel involved in the management and performance of audits and other certification activities, applying the determined competence criteria.

(3) The approved quality auditor shall demonstrate that its evaluation methods are effective:

(a) the output from these processes shall be to identify personnel who have demonstrated the level of competence required for the different functions of the audit and certification process;

(b) competence shall be demonstrated prior to the individual taking the responsibility for the performance of their activities within the approved quality auditor.

(4) The approved quality auditor shall undertake annual performance reviews of all employed and contracted auditors (including audit team leaders) which includes consideration of the most recent witnessed audit

Note: A witnessed audit forms a part of the biennial performance review process required for each and every auditor of the approved quality auditor. If available, findings from a JAS-ANZ witnessed audit performed within two years of the annual performance review may be used in lieu of the above.

(5) At a witnessed audit the witnessing auditor shall:

(a) have the experience of at least an audit team leader;

(b) not be a member of the audit team subject to the witnessed audit,

(6) The witnessing auditor shall focus on the performance of the auditor being witnessed and shall make no judgment of the NDIS provider.

(7) Witnessed audits may move to triennially where the following criteria are met:

(a) the auditor has been employed by the approved quality auditor for a period of two years;

(b) no complaints have been received that relate to the auditor’s performance including outcomes of report reviews;

(c) no non-conformities to the Scheme have been identified during witnessed audits by either the approved quality auditor or the Commission; and

(d) the auditor has undertaken a minimum of six audits within the previous twelve months and continues to participate in at least six audits per annum under this instrument.

(8) The approved quality auditor shall ensure that auditors with technical expertise include within their continual professional development:

(a) education covering all legislation and regulations relevant to the service setting; and

(b) current management of commonly occurring clinical conditions relevant to the service setting (where applicable).

35 Mechanism for Safeguarding Impartiality

(1) The approved quality auditor shall ensure that:

(a) all audit team members complete a conflict-of-interest declaration before every audit;

Note: If a member of an audit team has previously conducted a gap analysis or similar services to the NDIS provider – see paragraph 35(1)(d), this is a conflict of interest that must be declared.

(b) Subject to subsection 35(3) of this instrument, it does not provide training to NDIS providers, auditors or contractors that includes content related to this instrument, the NDIS Practice Standards or the National Disability Insurance Scheme (Quality Indicators) Guidelines 2018.

(c) When providing gap analysis, the approved quality auditor shall not provide auditing services under this instrument to that provider for a period of at least two years following the completion of that gap analysis; and

Note: A gap analysis for the purposes of subsection 35(1)(c) of this instrument is where an NDIS provider engages an approved quality auditor to evaluate their operations in the NDIS market giving consideration to the applicable standards, or education services for that NDIS provider.

(d) Where an audit team member has provided gap analysis to a particular NDIS provider, the approved quality auditor shall not allow that audit team member to provide auditing services under this instrument to that provider for a period of at least two years following the completion of that gap analysis; and

Note: A gap analysis for the purposes of subsection 35(1)(d) of this instrument is where an NDIS provider’s engages an team member (either individually or through another entity) to evaluate their operations in the NDIS market giving consideration to the applicable standards, or education services for an NDIS provider.

(2) For the purposes of this section, gap analysis means an optional on-site review conducted by an auditor who will not be conducting the audit or another organisation suitably qualified to do so. A gap analysis is designed to ascertain the degree of readiness of the NDIS provider to proceed to certification audit by identifying any gaps that may need addressing prior to the certification audit.

(3) Training about an approved quality auditor’s internal processes in relation to this Scheme and delivered in-house by an approved quality auditor to their personnel that have already attended the Commission’s auditor training can be conducted by approved quality auditors.

Note: Training about this instrument, the NDIS Practice Standards or National Disability Insurance Scheme (Quality Indicators) Guidelines 2018 will be provided by the Commission or its representative.

Annex A – Code of Conduct for Approved Quality Auditors (normative)

All approved quality auditor personnel (including auditors) shall:

• act professionally and ethically, and report findings in an accurate, consistent and unbiased manner and in accordance with the requirements of this Scheme and NDIS Practice Standards;

• adhere to the requirements of the Privacy Act 1988 (Cth), the Act and instruments, Competition and Consumer Act 2010 (Cth), Work Health and Safety Act 2011 (Cth) or equivalent Work Health & Safety legislation in the jurisdiction of the NDIS provider, and all other relevant legislation or regulations where applicable;

• not promote or represent any business interests or any entity with which they have an interest or may have an interest while conducting audits;

• not accept any inducement, commission or gift or any other benefit from any interested party whilst engaged to provide any auditing services to the provider;

• not communicate false, erroneous or misleading information that may compromise the integrity of any audit;

• not act in any way that would prejudice the reputation of the Commission or the approved quality auditor;

• cooperate fully with any inquiry in the event of a complaint about their performance as an auditor or any alleged breach of this code;

• accept that providers have the freedom to select and change their approved quality auditor and not to place any undue influence on providers when they are making a decision in this respect;

• refrain from making any comments on any particular auditors or approved quality auditor;

• respect participants’ rights during any interaction especially when assessing vulnerable populations.

All auditors shall (also):

• strive to increase the competence and prestige of auditors by continuing to develop their own auditing skills;

• not misrepresent their own or any other individual’s qualifications, competence or experience nor undertake auditing work beyond the scope of their own qualifications knowledge and expertise;

• not enter into any activity that may be in conflict with the best interests of the Commission or the approved quality auditor or that would prevent the performance of their duties in an objective manner.

Annex B – Audit methodology and sampling (normative)

B.1 Evidence Based Auditing

When conducting audits against the NDIS Practice Standards the approved quality auditor shall consider participants’ experiences of supports as an important part of the triangulation of evidence. In the collection of evidence, the principles of sampling apply to the review of documents, interview attendee selection and observations.

B.2 High Risk Registration Classes/Groups

Sampling shall be prioritised to those registration classes/groups or service processes that are of the ‘highest risk’. These are:

(a) High Intensity Daily Personal Activities;

(b) Specialist Positive Behaviour Support (whether Module 2 and/or 2A);

(d) Specialist Disability Accommodation; and

(e) Specialist Support Coordination

B.3 Sample Methodology

The approved quality auditor shall take appropriate steps to ensure that the provider is made aware of and complies with the sampling methodology requirements (for example, through its contract with the provider).

In particular, the approved quality auditor shall take steps in relation to the following:

(a) The participant sampling methodology used under this Scheme is Opt Out sampling. This means that provider will need to advise all their participants that they are automatically enrolled into the audit process (i.e. they may be contacted by the audit team for interviews and/or have their files, records or plans reviewed to ensure compliance with the standard); and

(b) In the event that a participant do not want to participate in this audit process, the provider needs to document and respect that decision, and communicate it to the auditor. Auditors should document the number of participants that opted out of the sampling, including in the report for the relevant audit.

B.4 Sample Size

Worker files and interviews

The minimum sample requirements for worker files and interviews are determined by reference to the minimum composition requirements for worker sampling (B.5 (e)), and what is needed to ascertain whether the provider is meeting the applicable NDIS Practice Standards (proportionate to the size and scale of their organisation and the risk and complexity of the services delivered).

Participant files and interviews

There are no minimum sampling requirements for registration class(es)/group(s) listed in Annex D including for participant files, participant interviews and multisite sampling. Review of some participant files and participant interviews is expected to occur as a matter of course, however, when the assessment is being conducted using the certification method.

Note: Participant files and participant interviews are a key source of evidence for conformity assessment.

With respect to any registration class (or group), which is not listed in Annex D, approved quality auditors shall determine the minimum sample size in relation to participant files and interviews for all a provider according to the following method:

(a) Step 1 – Identify the total number of participants receiving supports or services from the provider at that time (total participants);

(b) Step 2 – Identify the number of participants receiving only supports or services falling into a category listed in Annex D at that time (Annex D participants);

(c) Step 3 – Subtract the number of Annex D participants from the total participants. The result is the sample population number;

(d) Step 4 – if:

(i) the sample population number is 5 or less, then the sample population number is the minimum sample size for that provider;

Note: Care should be taken to ensure the anonymity of participants where there is a small sample size.

(ii) the sample population number is greater than 5, then the minimum sample size is determined using Step 5;

(e) Step 5 – if

(iii) the audit is for a certification or recertification, then take the square root of the sample population number and round up to the nearest integer. The result is the minimum sample size for the provider;

(iv) the audit is a surveillance (monitoring) audit, then take the square root of the sample population number, multiply by 0.6, then round up to the nearest integer.

Example 1:

Auditor X is engaged by Provider Y to conduct a recertification audit. At that time the provider delivers a range of NDIS supports and services to 40 participants.

- The total participants for Provider Y is 40.

Provider Y is registered for 3 registration groups, and one of them (community nursing care) is listed in Annex D. A total of 12 participants receive a mix of services and supports from the provider (including community nursing care), but 8 receive only community nursing care.

- The Annex D participants for Provider Y is 8.

When step 3 is applied (total participants – Annex D participants), the sample population number for Provider Y is 32.

Because the sample population number is greater than 5, Auditor X must apply Step 5 to determine the minimum sample size.

- The square root of the sample population number is 5.65, which is rounded up to 6.

The minimum sample size for provider Y is 6. This means that Auditor X must consider 6 participant files and 6 participant interviews.

Where an auditor finds non-conformity within the minimum sample sizes the sample size shall be increased by the number of non-conformities to verify whether the case is a system or process failure or a one-off anomaly.

B.5 Sample Composition – files and interviews

(a) Where a provider is registered for a high risk registration class or group (see B.2), the sample must include participant files and participant interviews from all applicable highest risk registration groups. Where the random sample does not include these participants, the sample should be reselected until participants from the highest risk registration groups are included.

(b) The sample should include participant files and interviews from every site included within the sample (in line with multi-site sampling requirements – see B.6)). Sites where supports or services belonging to a high risk registration group are delivered to participants should be included within the sample. If some high risk registration groups are excluded from the sample, due to the sample size, those sites that were not included should be sampled in the next or subsequent audit.

(c) Approved quality auditors shall not allow the provider to pre-select samples. This requirement applies to samples of workers and participants as well as participant files.

(d) Approved quality auditors shall work with the provider to ensure that there is diversity within the sample across the audit cycle and subsequent audit cycles - this is to reduce the risk that the same participants or files are included within the audit sample for surveillance (monitoring) audits or recertification audits.

(e) The workers sampled shall include workers in governance, management and service delivery roles, from all shifts (where applicable).

Note: This requirement may be achieved by interviewing workers working on a day or afternoon shift who also work night shifts as part of rotating duties or relief duties.

B.6 Sample Size and Composition – attendance on site

Where an NDIS provider has a single site, then that site must be attended as part of the certification audit.

Where an NDIS provider has more than one site (including head office), then the minimum number of sites which must be physically attended as part of an audit is determined according to the following methodology:

(a) Step 1 – identify the number of sites operated by the provider, including the head office (total sites);

(b) Step 2 – if:

(ii) The audit is for certification or recertification, take the square root of the total sites, and round up to the nearest integer. This result is the minimum number of the provider’s sites which must be physically attended as part of an audit;

(iii) The audit is a surveillance (monitoring) audit, then take the square root of the total sites, multiply by 0.6, then round up to the nearest integer.

The head office must always be one of the sites physically attended.

Where the provider delivers supports and services belonging to a high risk registration group, at least one site where the provider delivers those supports and services must be among the sites physically attended.

Example 2:

Auditor L is engaged by Provider M to conduct a surveillance (monitoring) audit. Provider R delivers NDIS supports and services through 16 outlets, in addition to its head office.

Auditor L determines that Provider M has 17 sites (total sites), being the number of outlets plus the head office.

The square root of 17 is 4.12. Auditor L multiples this by 0.6 to get 2.47, which Auditor L rounds up to 3.

Auditor L identifies that they must physically attend at least 3 of the provider’s sites as part of the audit.

Auditor L includes the head office in the list, and examines the registration groups of the provider. They identify that specialist positive behaviour support services are delivered to participants at one other site operated by the provider, and that another site was not subject to participant file or interview examination during the previous audit. Auditor L schedules the head office and these two other sites for on-site visits as the minimum, and then looks at whether it would be appropriate to include any others.

B.7 Random Sampling

In every audit, approved quality auditors shall select participant files through random sampling in addition to stratified sampling. On-site auditors are expected to select participants and workers for interview as randomly as possible with the aim of getting a representative sample across age, gender, diversity etc.

B.8 Incidental Sampling

In incidental sampling an auditor selects the sample based on the collection of evidence while following audit trails. Auditors shall not use incidental sampling as the principal form of evidence collection, but to supplement other information collected throughout the audit process.

B.9 Interviewing

Auditors shall use interviews to gather new audit evidence and to corroborate audit evidence. Where possible, interviews should be conducted face to face; however, this should be guided by participant/interviewee preference.

Interviewing of workers, participants and family, friends, carers/nominees, independent advocates (where applicable) shall not take place solely in groups. Interviewing of workers shall include workers directly providing services - it shall not be isolated to the board, senior management or staff employed in a team leader or management capacity.

Interviews with individuals should seek their views on whether the support provider is meeting their expectations and where appropriate assisting them to attain their goals.

Auditors shall use interviewing to corroborate information such as how processes are implemented and their effectiveness. The approved quality auditor shall ensure that when undertaking interviews auditors:

a) Obtain consent from interviewee(s) prior to conducting the interview (including through the use of supported decision making);

b) Conduct interviews in an appropriate environment that provides for adequate privacy;

c) Reduce barriers to effective communication (for example, do not use jargon, and take into account communication requirements or specific cultural requirements);

Where an interpreter is required to assist in an interview, that interpreter should have appropriate, recognized qualifications.

d) Introduce themselves to the interviewee(s) before beginning the interview;

e) Explain the purpose of the interview to the interviewee(s);

f) Explain that the interview is confidential and documented in such a manner to maintain anonymity;

g) Seek permission to take notes;

h) Start the interview using a standard set of questions;

i) Use a balance of open and closed questions;

j) Validate understanding by summarising information or reflecting back to the interviewee; and

k) End the interview by allowing the interviewee to ask any questions or make comments that may not have been covered within the interview.

B.10 Family, Friend, Carer or Nominee

During certification and recertification audits, auditors shall gather information from a sample of family, friends and carers/nominee through either an interview or a survey conducted by the approved quality auditor. The approved quality auditor shall ensure:

a) With the consent of the participant, family, friends, carers/nominees, and independent advocates (where applicable) are interviewed individually or as a group in accordance with their preference either in person or in a telephone interview, and

b) Where an approved quality auditor undertakes a survey of family, friend, carers/nominees the survey is posted or emailed to all family, friends, carers/nominees at least two weeks prior to a certification or recertification audit. If posted, the survey shall include a pre-paid envelope for the return of the survey. Where return of surveys is low, auditors shall look for other forms of evidence to ensure that they have confidence in the system.

B.11 Collection of Audit Evidence

Where an auditor determines that an event poses a serious risk of harm or potential harm to a participant the auditor is required to determine that the service in question has remedied the situation and the risk of reoccurrence is negligible or to further substantiate the risk and make an appropriate audit finding and agree on an action plan. If a critical risk is identified the Commission is to be notified in accordance with section 15(5) of this instrument.

B.12 Ratings

For the purpose of stage one, stage two and surveillance (monitoring) audits the level of compliance with criteria in applicable standards shall be rated as follows:

Rating	Attainment Level	Interpretation
3	Conformity with elements of best practice	The NDIS provider can clearly demonstrate conformity with best practice against the criteria. Best practice is demonstrated through innovative, responsive service delivery, underpinned by the principles of continuous improvement of the systems, processes and associated with the outcomes.
2	Conformity	The NDIS provider can clearly demonstrate that the outcomes and indicators are met as proportionate to the size and scale of the provider - evidence may include practice evidence, training, records and visual evidence. This would mean there was negligible risk and certification can be recommended.
1	Minor Non-conformity	A rating 1 will require a corrective action plan which reduces the likelihood of any risks identified occurring or impacting participant safety before certification or verification can be recommended - one of two situations usually exists in relation to minor non-conformity: There is evidence of appropriate process (policy/procedure/guideline etc.), system or structure implementation, without the required supporting documentation A documented process (policy/procedure/ guideline etc.), system or structure is evident but the provider is unable to demonstrate implementation review or evaluation where this is required
0	Major Non-conformity	The NDIS provider is unable to demonstrate appropriate processes systems or structures to meet the required outcome and indicators and/or the gaps in meeting the outcome present a high risk - Three Minor Non-Conformities within the same module may also constitute a Major Non-Conformity - A rating of 0 will preclude a recommendation for certification.

The audit report shall reflect findings and ratings as determined at the time of the audit, and in accordance with requirements at section 16 of this instrument. This will ensure that appropriate outcomes and associated indicators will be further monitored at subsequent audits.

Annex C – Timeframe for correcting non-conformities

Timeframe for correcting non-conformities

The approved quality auditor shall require a registered NDIS provider to present a corrective action plan to it within seven calendar days of written notification of the non-conformity.
For a major non-conformity, the approved quality auditor shall undertake a desktop review of the implemented corrective actions within three calendar months of receiving the corrective action plan and shall, if necessary, conduct an on-site follow-up.
Critical risks or other serious matters would normally require an on-site follow-up or re-audit within three calendar months.
Major non-conformities shall be downgraded or closed within three calendar months of initial written notification of the non-conformity.
For major non-conformities identified as part of a surveillance (monitoring) or recertification audit, failure to downgrade or close a major non-conformity within three calendar months shall result in automatic suspension of the certification decision made by the approved quality auditor.
Minor non-conformities shall be closed out within twelve calendar months of initial written notification at the surveillance(monitoring) or recertification audit (whichever comes first); otherwise the minor non-conformity shall be escalated to a major non-conformity.
If a minor non-conformity has been escalated to a major non-conformity, failure to close out the major non-conformity within three calendar months shall result in automatic suspension of certification decision made by the approved quality auditor (i.e. a non-conformity that has been escalated to a major non-conformity shall not be downgraded back to a non-conformity).
If a major non-conformity has been downgraded to a minor non-conformity, failure to close out the non-conformity within twelve calendar months from the date of issue of the original finding shall result in automatic suspension of the certification decision of the approved quality auditor (i.e. a major non-conformity downgraded to a minor non-conformity shall be closed out within the remaining nine calendar months and not be escalated to a major non-conformity again)
The approved quality auditor shall conduct a follow-up in the most cost-effective manner that ensures that major non-conformities have been properly downgraded or closed. This may entail a desktop review of documentation, supplemented by telephone interviews of workers and participants, to verify that the requirements of the applicable NDIS Practice Standards have been met.
Where the approved quality auditor has raised a major non-conformity or minor non-conformity, the relevant outcome or outcomes from the applicable NDIS Practice Standards will be audited at the next surveillance or recertification audit (whichever comes first) to ensure that the processes developed as part of the corrective action plan have been put into practice.

Annex D – Registration classes/groups exempted from sampling requirements

Registration Class/Group

accommodation/tenancy assistance

assistive products for personal care and safety

personal mobility equipment

assistance with travel/transport arrangements

vehicle modifications

home modifications

assistive equipment for recreation

vision equipment

community nursing care

innovative community participation

specialised hearing services

household tasks

interpreting and translating

hearing equipment

assistive products in household tasks

communication and information equipment

exercise physiology and personal training

management of funding for supports in participant’s plans

therapeutic supports

specialised driver training

assistance animals

hearing services

customised prosthetics