Do all registered NDIS providers need a quality management system?

Yes. All registered NDIS providers must comply with the NDIS Practice Standards, which require documented quality and safeguarding systems. The depth of documentation and the audit type (certification vs. verification) depends on the registration groups and the risk level of the supports delivered.

What is the difference between a certification audit and a verification audit?

A certification audit applies to providers delivering higher-risk supports such as SIL, behaviour support, and early childhood interventions. It involves document review, staff interviews, participant interviews, and site visits. A verification audit applies to lower-risk support categories and focuses primarily on document review and self-attestation.

How often does an NDIS quality management system need to be updated?

The NDIS Commission does not prescribe a fixed update interval, but documents must remain current and reflect actual practice. Most providers review their QMS annually at minimum. Updates are also required whenever the Practice Standards change, when a significant incident occurs, or when audit findings identify gaps.

What happens if a SIL provider fails their certification audit?

The approved quality auditor reports non-conformances to the NDIS Commission. Depending on severity, the Commission may place conditions on registration, require a remediation plan, suspend registration, or in serious cases revoke it. Minor non-conformances typically result in a corrective action period before re-audit.

Does a quality management system need to be certified to ISO 9001?

No. The NDIS Commission does not require ISO 9001 certification. Providers must demonstrate conformance with the NDIS Practice Standards as assessed by an NDIS-approved quality auditor — not a general ISO certification body. ISO 9001 may complement an NDIS QMS but is not a substitute or requirement.

Are unregistered NDIS providers required to have a QMS?

Unregistered providers are not subject to NDIS Commission audit and are not required to hold a formal QMS. However, they must comply with the NDIS Code of Conduct, and the Commission can investigate complaints and incidents involving them. Participants using self-managed or plan-managed funds should still expect unregistered providers to operate safely and ethically.

Do you need an NDIS quality management system? Provider requirements

Who needs an NDIS quality management system?

A quality management system (QMS) is not optional for most registered NDIS providers. The NDIS Commission requires registered providers to implement, maintain and continuously improve a documented system that demonstrates compliance with the NDIS Practice Standards and the NDIS Code of Conduct. The level of rigour required depends on the registration groups your organisation holds and the risk profile of the supports you deliver.

Providers registered to deliver higher-risk supports — including Supported Independent Living (SIL), Specialist Disability Accommodation (SDA), behaviour support, early childhood supports, and daily activities involving personal care — must undergo a certification audit by an NDIS-approved quality auditor. These providers face the most demanding QMS requirements. Providers of lower-risk supports generally undergo a verification audit, which has a lighter touch but still requires documented policies, procedures and evidence of compliance.

Unregistered providers are not audited by the NDIS Commission, but they remain bound by the Code of Conduct and can be investigated and sanctioned by the Commission if a complaint or serious incident is raised.

What the NDIS Practice Standards actually require

The NDIS Practice Standards set out the quality outcomes that registered providers must achieve. They are structured into a core module applicable to all registered providers, and supplementary modules that apply depending on the supports delivered. SIL providers, for example, are required to meet supplementary standards covering household tasks, 24-hour support, and supported living arrangements.

Across the core module, a compliant QMS must address:

Rights and responsibilities — systems that actively uphold each participant's rights, including decision-making autonomy and freedom from abuse, neglect, and exploitation
Governance and operational management — clear organisational structure, defined accountability, fit-and-proper-person requirements for key personnel, and documented risk management processes
The provision of supports — person-centred planning, support coordination, transition planning, and documented service agreements and support plans
The support worker environment — worker screening (NDIS Worker Screening Check), induction, competency-based training, supervision, and performance management

In addition, three specific compliance obligations form an essential part of every registered provider's QMS:

Incident management — a documented system for identifying, recording, managing, and notifying the NDIS Commission of reportable incidents, including alleged abuse and neglect
Complaints management — an accessible, transparent process for receiving, investigating, and resolving complaints, with evidence that participants are informed of their right to complain
Restrictive practice authorisation — for SIL and disability support providers, documented processes for the use, monitoring, reporting and reduction of any regulated restrictive practices, including compliance with state or territory authorisation requirements

The strengthened 2026 framework: what has changed

The NDIS Commission has continued to strengthen the Practice Standards framework in preparation for the mandatory registration changes flowing from the 2023 NDIS Review and subsequent legislative amendments. Providers that have not updated their QMS documentation since the initial rollout of the Practice Standards risk non-conformances against the current expectations auditors apply.

Key areas of heightened auditor focus in the current period include:

Evidence of a genuine continuous improvement cycle — auditors now look for documented improvement actions arising from complaints, incidents, internal audits, and participant feedback, not just a policy that states improvement will occur
Worker screening and ongoing monitoring — providers must have systems to verify that all workers and volunteers in risk-assessed roles hold a valid NDIS Worker Screening clearance and that clearances are monitored for currency
Participant feedback mechanisms — documented, accessible and culturally appropriate ways for participants to provide feedback, with evidence those responses feed into service improvement
Governance documentation — particularly for SIL providers, auditors expect clear delegations of authority, a risk register reviewed at board or management level, and financial management processes that protect participant funding

What a compliant QMS looks like in practice

A QMS is more than a folder of policy documents. It is an interconnected set of procedures, forms, registers, training records, and review mechanisms. At minimum, a SIL provider's QMS should include:

A quality policy and continuous improvement plan
Governance and risk management policy and risk register
Incident management policy and reportable incident register
Complaints management policy, complaint register, and participant feedback forms
Worker screening, recruitment, induction, and training framework
Support planning and review procedures, including individual support plans and service agreements
Restrictive practice policy, authorisation register, and monthly monitoring records (if applicable)
Safeguarding and abuse prevention policy
Privacy and information management policy
Internal audit schedule and audit reports

Each of these must be reviewed and updated regularly — not left static after initial registration. Auditors will ask for evidence of the review date, who conducted it, and what changes were made.

Audit types and what auditors check

The NDIS Commission authorises a small number of approved quality auditors to conduct audits on its behalf. Auditors assess conformance against the Practice Standards using a combination of:

Document review (policies, procedures, registers, training records)
Worker interviews (testing whether staff can describe and apply the documented procedures)
Participant interviews (assessing whether participants actually experience the rights and person-centred outcomes the standards require)
Site visits (for SIL providers, inspecting supported living environments)

Common non-conformances identified during SIL audits include: incident registers that are incomplete or lack follow-up actions; restrictive practice records that are not being submitted to the Commission within required timeframes; worker screening gaps where casual or subcontracted staff have not been verified; and continuous improvement plans that exist on paper but show no evidence of actions being completed.

Consequences of not having an adequate QMS

The NDIS Commission has broad powers to act where a provider's QMS is inadequate or where audit findings reveal non-conformance. Outcomes can include:

Conditions placed on your registration
Suspension or revocation of registration
Compliance notices requiring remediation within a specified timeframe
Banning orders against key personnel
Civil penalties for breaches of the Code of Conduct

Beyond regulatory consequences, a weak QMS creates operational risk: undetected incidents, unresolved complaints, and unsupported workers all represent direct harm to participants and reputational damage to the organisation.

Getting your QMS audit-ready

Building a QMS from scratch is time-consuming. Many SIL and disability support providers find it practical to start from a comprehensive template library and adapt documents to their specific operating context, rather than drafting from a blank page. The ndiscompliant.com.au audit-ready SIL compliance kit includes 74 pre-built documents aligned to the current Practice Standards — covering every module a SIL provider is audited against — which can significantly reduce the time between initial registration and audit readiness.

Regardless of which approach you take, the following steps will help ensure your QMS meets Commission expectations:

Map your registration groups to the relevant Practice Standards modules to identify every outcome your QMS must address
Conduct a gap analysis against the current Practice Standards (not a previous version)
Draft or update each required policy and procedure, ensuring plain language and accessibility
Embed your QMS into day-to-day operations — train staff, use the forms, run the registers
Schedule and complete at least one internal audit before your external certification audit
Review and update all documents on an annual cycle at minimum, or whenever regulatory requirements change

Summary

Registered NDIS providers delivering SIL and other higher-risk supports are required to maintain a documented, operational quality management system that meets the NDIS Practice Standards. The system must cover governance, incident and complaints management, restrictive practices, worker screening, and continuous improvement — and must be capable of withstanding certification audit scrutiny. Providers that treat the QMS as a one-time paperwork exercise rather than a living operational framework are the ones most likely to receive non-conformance findings. Building and maintaining a current, evidence-based QMS is not just a compliance obligation — it is the foundation of safe, person-centred support delivery.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.