Why Your NDIS Quality Management System Is at Risk Right Now
With the Australian Government's strengthened NDIS Practice Standards taking full effect and mandatory provider registration now firmly on the agenda for 2026, the NDIS Quality and Safeguards Commission is conducting more rigorous audits across all registration groups — particularly for Supported Independent Living (SIL) and other high-intensity supports. Quality management systems that were adequate under previous frameworks are now being found non-conformant.
The errors below are not hypothetical. They represent the pattern of non-conformances that approved quality auditors regularly flag against the NDIS Practice Standards and the Commission's Code of Conduct. If your quality management system contains any of these, address them before your next audit cycle.
Mistake 1: Treating Policies as Static Documents
One of the most common findings across all registration groups is a policy library that has not been reviewed within the timeframe specified in the organisation's own document control procedure. The NDIS Practice Standards require providers to maintain, review, and continually improve their quality management system. When an auditor finds policies dated several years ago with no evidence of review, this is a clear non-conformance.
The fix: Establish a scheduled review calendar — minimum annually for high-risk policies such as incident management, restrictive practices, and complaints — and record the review in a version-controlled register. A simple table in your Document Control Policy showing document name, version, review date, and responsible person satisfies this requirement.
Mistake 2: Incident Recording Without a Feedback Loop
Providers often have an incident register and comply with the Commission's mandatory notification timelines, but the data sits in a spreadsheet and goes nowhere. The NDIS Practice Standards require that incidents are not only reported but analysed for trends and used to drive systemic improvements. An incident management system that records events without demonstrating what changed as a result will fail the continuous improvement standard.
The fix: Add a mandatory "corrective action" column to your incident register. At each governance meeting, review aggregated incident data and document what action was taken — even if the action is "no trend identified; monitoring continues." This evidence of analysis is what auditors are looking for.
Mistake 3: Worker Screening and Training Records That Cannot Be Produced on the Day
Under the NDIS (Worker Screening) Act and the Practice Standards, registered providers must ensure every worker who delivers supports holds a current NDIS Worker Screening Check and has completed required training, including the NDIS Worker Orientation Module. During an audit, the auditor will request these records. Providers who cannot produce a complete, up-to-date register — or who have expired checks that have not been renewed — face serious non-conformances that can result in conditions on their registration.
The fix: Maintain a live worker compliance register that shows, for each worker: Worker Screening Check status and expiry, Worker Orientation Module completion, any mandatory training relevant to the supports delivered (e.g., medication management, behaviour support), and date of last supervision. Review this register at least monthly and set automated reminders for upcoming expiries.
Mistake 4: A Risk Register That Does Not Reflect Actual Operations
Many providers have a generic risk register that was created at registration and never updated. The NDIS Practice Standards require risk management to be an active, ongoing process — not a document produced for audit and then shelved. Risks relevant to SIL specifically include environmental hazards in participants' homes, medication management risks, staffing ratio risks, and risks arising from participants' individual support needs as documented in their NDIS plans.
The fix: Your risk register should be a living document, reviewed quarterly at minimum. Each risk should have an owner, a rating, a control measure, and a residual risk rating. For SIL providers, individual participant risk assessments should cross-reference the organisational risk register so that risks identified at the individual level inform the system level.
Mistake 5: Complaints Management That Ends at Acknowledgement
The NDIS Code of Conduct and Practice Standards require providers to have an accessible, transparent, and effective complaints management process. The most common failure is not in receiving complaints — it is in closing the loop. Providers often acknowledge a complaint, resolve it at the individual level, but do not document what systemic change (if any) resulted. This means the same complaint recurs, and when it does, it becomes a pattern that attracts significant scrutiny.
The fix: Every resolved complaint should include a "systemic implication" field. Even a response of "isolated incident; no systemic change required" — backed by analysis — is acceptable. Where a systemic change is warranted, document it in your continuous improvement register and track whether the change was implemented.
Mistake 6: Restrictive Practices Documentation That Is Incomplete or Unauthorised
For SIL providers supporting participants with complex support needs, restrictive practices compliance is one of the highest-risk areas. The NDIS (Restrictive Practices and Behaviour Support) Rules require that any regulated restrictive practice is authorised under state or territory law, implemented in accordance with a behaviour support plan developed by a registered behaviour support practitioner, and reported to the Commission via the required reporting mechanism. Auditors consistently find that providers are implementing practices that meet the definition of a regulated restrictive practice but have not been properly authorised or reported.
The fix: Conduct an internal audit of all support plans for participants in your SIL services. For any plan that contains a strategy that could constitute a regulated restrictive practice — even if described euphemistically — verify that authorisation is in place, a registered behaviour support practitioner is engaged, and reporting is current. Do not wait for an auditor to identify this gap.
Mistake 7: No Clear Continuous Improvement Register
The overarching purpose of a quality management system under the NDIS Practice Standards is continuous improvement. Yet many providers cannot produce, on audit day, a clear register showing improvements that have been identified, planned, and implemented over the past 12 months. Improvement actions buried in board minutes or team meeting notes — rather than in a dedicated continuous improvement register — are difficult for auditors to trace and assess.
The fix: Maintain a simple continuous improvement register with columns for: date identified, source (incident, complaint, audit finding, staff suggestion, participant feedback), improvement action, responsible person, target completion date, and status. Review this register at every governance meeting and reference it in your management review.
What Auditors Check: A Quick Reference
| Quality System Element | Common Non-Conformance | Standard Reference |
|---|---|---|
| Document control | Policies not reviewed within scheduled period | NDIS Practice Standards — Quality Management |
| Incident management | No evidence of trend analysis or corrective action | NDIS Practice Standards — Incident Management |
| Worker screening | Expired or missing NDIS Worker Screening Checks | NDIS Worker Screening Act 2020 |
| Risk management | Risk register not reviewed or not reflective of operations | NDIS Practice Standards — Risk Management |
| Complaints management | No systemic improvement actions documented | NDIS Practice Standards — Complaints Management |
| Restrictive practices | Unauthorised practices or incomplete reporting | NDIS (Restrictive Practices and Behaviour Support) Rules 2018 |
| Continuous improvement | No dedicated improvement register with traceable outcomes | NDIS Practice Standards — Quality Management |
Preparing for the Strengthened 2026 Framework
The strengthened NDIS Practice Standards introduce more explicit requirements around participant outcomes, governance accountability, and evidence of person-centred practice at the systems level — not just the individual support level. This means your quality management system documents need to demonstrate, not just claim, that participant feedback drives operational decisions.
Start by auditing your existing quality management system against each of the seven mistake areas above. Where you find gaps, prioritise remediation in this order: worker screening and restrictive practices first (highest participant safety risk), then incident and complaints management, then document control and continuous improvement infrastructure.
For SIL providers who need a comprehensive starting point, the 74-document audit-ready SIL compliance kit from ndiscompliant.com.au covers each of these elements with templates, registers, and policies designed specifically for the 2026 standards — a practical shortcut if you are building or rebuilding your quality system from scratch.
The most important thing is to treat your quality management system as a genuine operational tool, not a compliance filing cabinet. Auditors can tell the difference, and more importantly, so can the participants in your care.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.