Most providers can produce policies. Fewer can demonstrate a system.

An audit-defensible organisation isn't necessarily larger or more resourced. It's structurally coherent. Here's where that distinction shows up, and why it changes the audit experience entirely.

Adam Stefano
Registered Psychologist & Co-Founder, Cenaris
12 May 2026

Most NDIS providers can produce policies. Fewer can demonstrate a system. The distinction becomes visible the moment an audit moves beyond document existence and starts testing how your organisation actually functions.

Auditors are not assessing whether you value quality. They are examining whether your organisation can demonstrate control: consistently, traceably, and under scrutiny.

What an audit-defensible provider can show.

Six things, in plain language:

  1. How each requirement in the NDIS Practice Standards is operationalised.
  2. How risks are identified and actively governed.
  3. How incidents trigger structured responses.
  4. How corrective actions are verified before closure.
  5. How leadership oversees compliance, not just reads about it.
  6. How documentation remains current and controlled.

This is not about volume of paperwork. It is about structural integrity.

Why "we have a policy for that" isn't enough.

The NDIS Practice Standards are outcome-based. They describe what must be achieved but do not prescribe how you must organise your systems to achieve it. Most audit findings arise not because a document is missing, but because the links between standards, controls, evidence, risk and governance are weak or unclear.

Audit defensibility is not perfection. It is structural clarity.

A practical structural test.

Pick a single Core Module standard. Risk Management is a useful one. Now attempt to map it end-to-end:

  1. Identify every operational control that supports it.
  2. Gather the evidence demonstrating those controls are functioning.
  3. List the current enterprise risks linked to that standard.
  4. List the open corrective actions tied to those risks.
  5. Produce the board-level documentation that shows leadership has reviewed it.

If completing this exercise requires searching across disconnected systems, structural consolidation may be necessary. The exercise itself will tell you whether you have a system or a stack of folders.

Where to start.

You do not need to discard what you already have. The transition from document-based to system-based compliance starts with one question, asked of one standard: can I follow the line from obligation to evidence to oversight, without leaving this room?

If the answer is no, the gap isn't a missing document. It's a missing link. The audit readiness check takes about two minutes and surfaces those links, or where they are absent, across the four domains.