
What Auditors Expect to See Inside Your Digital Access Setup

Get your NDIS organisation audit-ready by mastering PRODA access controls. This episode breaks down what auditors look for, how to avoid common pitfalls, and practical steps to keep your digital access secure and compliant.

This show was created with Jellypod, the AI Podcast Studio.


Chapter 1

Audit Under the Microscope

Will, EnableUs Community

Alright, welcome back to Navigating PRODA! I'm Will, and as always, I'm joined by Winter. Today, we're diving into what auditors actually expect to see inside your digital access setup—so if the word "audit" makes you break out in a sweat, stick around.

Winter, EnableUs Community

Hey everyone! Yeah, this is one of those topics that sounds dry, but honestly, it can make or break your NDIS business. Auditors aren't just ticking boxes—they're looking for real evidence that you take privacy, security, and governance seriously, especially when it comes to PRODA access.

Will, EnableUs Community

Exactly. And it's not just about having a PRODA account. Auditors want to know: who manages your logins, how you handle staff roles, what your onboarding and offboarding processes look like, and—big one—how you keep those logins secure. No shared passwords, no mystery users, none of that.

Winter, EnableUs Community

Yeah, and if you can't answer those questions clearly, that's a red flag. Like, if someone asks, "Who manages PRODA access in your org?" and you get blank stares or five different answers, that's not a good look.

Will, EnableUs Community

I actually saw this play out once. There was a provider who, uh, failed their audit because they were still using a shared "admin@provider.com" login. No one could say who last changed the password, or who even had access. The auditor just shook their head and wrote them up for a compliance breach. It was awkward, but honestly, it could've been avoided with a bit of process.

Winter, EnableUs Community

Oof, that's rough. And it's not just about ticking off a list—it's about protecting participant data. If you can't show who has access to what, you can't prove you're keeping info secure. That's why governance and privacy are so front and centre in these audits.

Will, EnableUs Community

Yeah, and as we've talked about in earlier episodes, PRODA is the gateway to all your sensitive NDIS info. So, if your access setup is messy, it kind of tells auditors your whole approach to compliance might be a bit, uh, casual. And that's not what you want.

Chapter 2

Building Bulletproof Access Controls

Winter, EnableUs Community

So, let's talk about what a solid access control setup actually looks like. First, you need a clear process for adding and removing users—no more "just give them the login and hope for the best." Keep a user list that's always up to date, and make sure permissions actually match what people do in their jobs.

Will, EnableUs Community

Yeah, like, don't give everyone full admin rights just because it's easier. Assign roles like Provider Administrator, Finance Officer, or Support Coordinator based on what people actually need to do. And, uh, make sure you document who has what role and why.

Winter, EnableUs Community

And separation of duties is huge. The person submitting claims shouldn't be the same person approving them. It's tempting to shortcut that if you're a small team, but auditors really look for it. Plus, it helps catch mistakes before they become big problems.

Will, EnableUs Community

Yeah, and don't forget about regular reviews. At least every three to six months, check if everyone still needs the access they have. I mean, people change roles, leave, or sometimes just don't need certain permissions anymore.

Winter, EnableUs Community

Totally. I worked with a provider who started doing quarterly user audits, and the first time they did it, they found two ex-employees who still had PRODA access. No one had noticed! It was a bit embarrassing, but way better to catch it themselves than have an auditor find it.

Will, EnableUs Community

Yeah, and that's why it's so important to have your Registration Authority Contact—your RAC—actually understand their job. They're the ones who should be overseeing onboarding and offboarding, not just rubber-stamping requests. If you get asked in an audit, "Who's your RAC and what do they do?" you want a clear answer, not a shrug.

Winter, EnableUs Community

And if you're not sure who your RAC is, or what they're supposed to be doing, that's your homework for today. Seriously, it's one of those things that comes up in audits all the time.

Chapter 3

Evidence and Accountability Essentials

Will, EnableUs Community

Alright, so you've got your processes sorted, but what about evidence? Auditors want to see proof—like a staff access register with PRODA usernames, roles, when access was granted or revoked. Not passwords, obviously, just the usernames and roles.

Winter, EnableUs Community

And don't forget your digital access policy. That should spell out how you grant, review, and revoke access, what you do if someone loses their credentials, how you handle MFA resets, and even your exit checklist for staff leaving. If you can show that, you're already ahead of a lot of providers.

Will, EnableUs Community

Yeah, and sometimes auditors will ask for screenshots—like, show us your MyPlace role assignments, or how your PRODA organisation is linked. Just make sure you redact any sensitive info before you hand those over. No one needs to see your full email or anything like that.

Winter, EnableUs Community

The biggest audit fails I see? Shared accounts, incomplete records, and no clear accountability. If you can't show who manages permissions, or your access register is out of date, that's where things unravel fast.

Will, EnableUs Community

Yeah, and honestly, centralising all your documentation makes life so much easier. I worked with a provider who kept everything—policies, access logs, screenshots—in one compliance folder. When audit time came, they just handed it over and the auditor was, like, almost impressed. It took all the stress out of it.

Winter, EnableUs Community

That's the dream, right? And it's not just about passing audits—it's about building trust with your team and the people you support. If you show you take this stuff seriously, it sets the tone for your whole organisation.

Will, EnableUs Community

Alright, that's a wrap for today. If you want to make audits less scary, start with your PRODA access controls. Keep things clean, document everything, and review regularly. We'll be back soon with more tips to help you master the admin side of NDIS.

Winter, EnableUs Community

Thanks for listening, everyone! If you found this helpful, share it with your team, and let us know what topics you want us to cover next. See you next time, Will.

Will, EnableUs Community

See you, Winter. Take care, everyone!