An audit isn't a test of your folders — it's a test of whether your service actually runs the way your policies say, and whether you can prove it. Here's what auditors really look for.
The Accorda Team · 28 June 2026
Ask most providers what an audit is about and you'll hear some version of the same answer: having your paperwork in order. A full folder of policies. A binder you can hand over.
It's an understandable belief. It's also the wrong one — and it's the reason good services still get caught out.
An auditor isn't there to admire your document library. They're there to work out one thing: do you actually run your service the way the standards expect, and can you prove it? Policies matter, but only as the starting point. What an auditor is really testing is whether those policies are alive in the day-to-day — followed, evidenced, current, and improving.
This post is about the auditor's mindset: what they're looking for and why. If you want the practical, step-by-step prep checklist, that lives in our companion guide, How to Prepare for an NDIS Audit. This one is the thinking behind it — and it applies whether you're an NDIS provider, an aged care service, an allied health or dental practice, or an early learning service.
Here's the shift that trips people up. Having a policy is not the same as having a control.
A policy that sits in a shared drive, written once and never looked at again, tells an auditor very little. It shows intent. It doesn't show practice. And practice is what's actually being assessed.
When an NDIS approved quality auditor sits down with you, the conversation moves quickly from what your policies say to what actually happens. They'll ask how you identify and escalate risk, how incidents get reported, how restrictive practices are monitored — and then they'll ask the question that matters most:
"Can you show me?"
That's the whole audit in three words. Not "do you have a policy on this," but "show me it working." The auditor wants real examples — incident reports, complaints records, training logs, staff sign-offs, supervision notes — not the policy on its own. They're looking for evidence that your systems are working, not just that they exist.
Why it matters: a policy nobody has read isn't protecting anyone, and an auditor knows it. The thing that turns a policy into a control is the trail behind it — proof that the right people read it, understood it, and act on it. If you can't show that, the policy is decoration.
Incidents are where audits get real, fast. Not because incidents are bad — every service has them — but because how you handle one tells an auditor almost everything about how your service runs under pressure.
An auditor doesn't just want to see that an incident was logged. They follow the trail end to end. Was it recorded promptly? Was it triaged — assessed for severity and for whether it was reportable? Was the right person notified inside the required timeframe? Were corrective actions assigned, and were they actually closed out? Did anything change as a result?
A logged incident with no follow-through is, if anything, worse than no record at all. It shows you saw the problem and didn't act on it. What an auditor is checking is whether you respond, not just whether you record.
Why it matters: this is where the gap between "we have a process" and "we run the process" shows up most plainly. A clean, traceable incident history — open through to close-out, each one linked to the policy it relates to — is one of the strongest pieces of evidence you can put in front of an auditor. A pile of half-finished records is one of the weakest.
Out-of-date documents are the easiest finding an auditor can make. They don't require interpretation or judgement. The policy says it was last reviewed three years ago and the standard expects an annual review — that's a finding, written up in seconds.
The same goes for credentials and licences. A support worker whose Worker Screening clearance has lapsed. A clinician whose registration expired last month. A first aid certificate that ran out and nobody noticed. These aren't grey areas. They're binary, they're easy to check, and they're embarrassing to be caught on — because they signal that nobody was watching.
Currency is quietly one of the most revealing things an auditor looks at, because it's a proxy for whether your systems run on their own or only when someone remembers. A service where everything was "updated last week, just before the audit" tells a different story to one where reviews and renewals happen on schedule, all year round.
Why it matters: lapses like these are entirely preventable, which is exactly why auditors look for them. Getting caught on a lapsed credential or a stale policy isn't a sign of bad care — it's a sign of a system that depends on memory. And memory is the first thing to fail when you're busy.
If all of this feels like the goalposts have moved, that's because, across the sector, they have.
The clearest example is aged care. The Strengthened Aged Care Quality Standards took effect on 1 November 2025 under the new Aged Care Act 2024. They're deliberately more detailed and measurable than the standards they replaced — built on a recommendation from the Royal Commission into Aged Care Quality and Safety that the old standards were too broad and too hard to assess. The defining change is the move from process to outcomes: it's no longer enough to describe what you intend to do. You have to be able to demonstrate, in your everyday records, what you actually did and what difference it made.
It's not only aged care. NDIS audits have long centred on evidence against the Practice Standards and their quality indicators. Early learning services are assessed and rated against the National Quality Standard. Allied health and dental practices live under their own accreditation and registration expectations. Different frameworks, same underlying direction: regulators increasingly want proof of outcomes, captured as you go, not a folder assembled the week before they arrive.
The services that handle this well aren't the ones with the thickest binders. They're the ones who've built evidence capture into daily work — so the proof already exists when it's asked for, instead of being reconstructed under pressure.
There's one more thing auditors look for that surprises people: they want to see that you change.
A service that runs exactly the same way it did three years ago — same policies, same processes, no response to new regulations or lessons learned — isn't a safe bet in an auditor's eyes. It's a static system in a sector that never stops moving. Supporting continuous improvement is an explicit purpose of the audit itself, not an afterthought.
So they'll look for the signs of a service that responds. Policies updated when the rules changed. Incidents that led to a corrective action and a genuine fix. Feedback and complaints that turned into something. Regulatory changes that were picked up and acted on. The point isn't to prove you're flawless — it's to prove you notice, adapt, and get better.
Why it matters: "we've always done it this way" is not a defence an auditor accepts. A living system, with a visible record of responding to change, is far more reassuring than a perfect-looking one that hasn't moved in years.
Reframe the whole thing and audits get less frightening. You're not being asked to produce a flawless folder on demand. You're being asked to show that your service genuinely runs the way it's supposed to — and that you can prove it without a fortnight of frantic preparation.
That's the job Accorda is built to do. It keeps your policies and staff sign-offs in one place, so "can you prove your staff follow it" has an answer. It records, triages and closes out incidents with a full history linked to the relevant policy, so the trail an auditor follows is already there. It tracks credentials and licences so nothing lapses unnoticed. And when an auditor asks, you can pull a one-click evidence pack instead of starting a scramble.
It won't run your service for you — good care still comes from your team. What it does is make good practice provable on the day someone asks. That's the difference between dreading an audit and being quietly ready for one.
Want to walk into your next audit with the evidence already in order? Take a look at how Accorda keeps your policies, incidents and credentials audit-ready at accorda.com.au.
NDIS Quality and Safeguards Commission — The quality audit process
NDIS Quality and Safeguards Commission — NDIS Practice Standards
Aged Care Quality and Safety Commission — Strengthened Aged Care Quality Standards
Australian Government Department of Health, Disability and Ageing — Strengthening the Aged Care Quality Standards
ACECQA — National Quality Framework
This article is general information for Australian care and regulated businesses and isn't legal or compliance advice. Requirements differ by sector, registration and service type, and they change over time. Always check the current standards that apply to your service. Last updated June 2026.
Start today
Try Accorda free for 14 days. Full features, no credit card, no auto-charge.
