NDIS Unannounced Audits 2026: What Providers Must Know
The NDIS Quality and Safeguards Commission is stepping up unannounced audits. Learn what triggers them, how to prepare, and the evidence you need on hand.
Why unannounced audits are increasing in 2026
The NDIS Quality and Safeguards Commission has signalled a significant increase in unannounced compliance activities throughout 2026. This shift follows recommendations from the NDIS Review and growing concern about provider quality. Unlike scheduled certification audits, unannounced audits can occur at any time and are specifically designed to observe how services actually operate day to day, not how they look during a planned visit.
Triggers for unannounced audits include participant complaints, reportable incident patterns, whistleblower disclosures, and intelligence gathered through the Commission's own monitoring. Providers who have had conditions placed on their registration, or who operate in higher-risk registration groups such as Specialist Disability Accommodation (SDA) or behaviour support, face an elevated likelihood of an unannounced visit.
The Commission has also expanded its field team and cross-agency data-sharing agreements, meaning that patterns visible in worker screening, incident reports, or complaints data can now be triangulated faster than ever. Providers should assume that their digital footprint across the NDIS ecosystem is actively monitored.
- Unannounced audits can be triggered by participant complaints, incident trends, or whistleblower reports
- Higher-risk registration groups face increased scrutiny, including SDA, behaviour support, and supported independent living
- The Commission can arrive during any business hours without prior notice
- Cross-agency data sharing allows the Commission to correlate patterns across multiple data sources
- Providers with existing conditions on registration are prioritised for unannounced visits
What auditors look for during an unannounced visit
During an unannounced audit, Commission officers assess real-time compliance against the NDIS Practice Standards. This means they are not reviewing pre-prepared folders; they are walking through your service delivery environment, speaking with participants and staff, and requesting documents on the spot. The goal is to capture a genuine snapshot of how the organisation operates.
Key areas auditors examine include participant safety and wellbeing, staff qualifications and worker screening status, incident management records, restrictive practice authorisations, complaints handling processes, and evidence that participants are genuinely involved in their own planning. Auditors will also look for governance documentation such as current policies, risk registers, and evidence of internal reviews or self-assessments.
Auditors are trained to identify discrepancies between documented policies and actual practice. For example, if your policy states that all workers undergo annual refresher training, the auditor may ask a random frontline worker when they last completed training and then cross-check training records. This observe-then-verify approach is central to the unannounced methodology.
- Real-time access to worker screening clearances and qualifications
- Current restrictive practice authorisations with behaviour support plans
- Incident register and evidence of follow-up actions
- Participant service agreements and individualised plans
- Complaints register with documented resolution outcomes
- Evidence of participant involvement in planning and review
- Up-to-date policies aligned with NDIS Practice Standards
- Internal audit and self-assessment records from the past 12 months
How to stay audit-ready every day
The most effective preparation for an unannounced audit is to build compliance into daily operations rather than treating it as a periodic event. This means shifting from a "get ready for audit" mindset to a "stay ready always" culture. Providers who achieve this typically invest in compliance operating systems, regular internal checks, and a culture where frontline workers understand their obligations.
Establish a rolling internal audit calendar where different Practice Standard modules are reviewed each month. Assign responsibility for each module to a named staff member. Ensure that evidence is captured as close to the point of service delivery as possible, rather than reconstructed weeks later. Digital compliance platforms that timestamp evidence and link it to specific controls are invaluable here.
- Conduct monthly self-assessments against one or two NDIS Practice Standard modules on a rotating basis.
- Assign a compliance lead for each registration group who maintains evidence currency.
- Run quarterly mock audits where a colleague plays the role of a Commission officer.
- Ensure all worker screening, qualifications, and training records are accessible within minutes.
- Maintain a "grab bag" of key governance documents that can be produced immediately on request.
- Test your incident management process end-to-end at least twice per year.
Common findings and how to avoid them
The Commission publishes compliance findings that highlight recurring gaps across the sector. Understanding these patterns helps providers focus their preparation on the areas most likely to attract scrutiny.
Among the most common findings are expired worker screening checks, incomplete incident records, outdated or generic policies not tailored to the specific services being delivered, lack of evidence of participant involvement, and insufficient governance over restrictive practices. Many of these issues stem from administrative drift rather than deliberate non-compliance. Once a provider reaches a certain size, manual tracking of these obligations becomes unsustainable.
- Expired or missing NDIS Worker Screening Check clearances
- Incident records that lack documented follow-up actions or root cause analysis
- Policies that are generic templates with no evidence of customisation to the service
- No documented evidence of participant involvement in service planning
- Behaviour support plans that are out of date or not reviewed within required timeframes
- Training records that cannot demonstrate currency or relevance to service delivery
- Risk registers that have not been updated in the past six months
How FormaOS helps NDIS providers stay audit-ready
FormaOS provides NDIS registered providers with a compliance operating system purpose-built for continuous audit readiness. It maps every NDIS Practice Standard module to operational controls, assigns ownership, tracks evidence freshness, and generates audit-ready reports at any time. When the Commission arrives unannounced, providers using FormaOS can produce evidence in minutes, not days.
Role-based access ensures the right staff members maintain the right evidence, while automated reminders prevent administrative drift on worker screening renewals, training currency, and policy review cycles.