Why Governance and Operational Management Is a High-Risk Audit Area
Governance and Operational Management sits at the core of the NDIS Practice Standards — it is the module that gives auditors a picture of whether your organisation is genuinely led and managed, or simply running on good intentions. Under the strengthened 2026 NDIS registration framework, the NDIS Quality and Safeguards Commission has signalled closer scrutiny of how providers demonstrate systemic rather than incidental compliance. For SIL providers in particular, where participants live in provider-managed environments, governance failures carry direct safety consequences.
Approved quality auditors assess this module against the NDIS Practice Standards (Quality Indicators) and look for objective, dated evidence. Producing a folder of undated policies on audit day is one of the most common reasons providers receive non-conformance findings. This checklist covers every evidence category an auditor will typically examine, common gaps, and what "good" looks like.
What Auditors Are Assessing
The Governance and Operational Management module requires that a registered NDIS provider can demonstrate:
- Clear leadership and accountability structures, including defined roles and responsibilities at board or executive level.
- Policies and procedures that are current, accessible to workers, and reviewed on a defined cycle.
- A functioning risk management framework covering operational, financial, and participant-safety risks.
- Effective management of human resources, including NDIS Worker Screening checks, induction, and ongoing training.
- Systems to identify, record, and respond to incidents, complaints, and reportable incidents as required under the NDIS (Incident Management and Reportable Incidents) Rules 2018.
- Financial management processes that protect participant funds and organisational viability.
- A continuous quality improvement (CQI) cycle that is driven by data, not just goodwill.
The Evidence Checklist
Work through each category below. For each item, confirm the document exists, is current (reviewed within the stated period), and is accessible to relevant staff. Tick items you can produce immediately; flag gaps for remediation before your audit date.
1. Governance Structure and Leadership
- Organisational chart showing governance tiers (board/committee, management, frontline).
- Position descriptions for all leadership roles, including accountability statements.
- Board or management-committee meeting minutes for at least the past 12 months, showing quorum, decisions, and actions.
- Terms of reference or constitution confirming the governance body's legal status and decision-making authority.
- Conflict-of-interest register, reviewed and signed at each meeting.
- Delegation of authority schedule — who can sign contracts, approve expenditure, and take disciplinary action.
2. Policies, Procedures, and Document Control
- Policy register listing every policy, its version number, last review date, and next review date.
- Evidence of periodic policy review (meeting minutes, sign-off forms) — auditors expect at least an annual cycle for high-risk policies.
- Staff acknowledgement records confirming workers have read and understood key policies.
- Document-control procedure explaining how superseded versions are removed from circulation.
3. Risk Management
- Risk management policy and framework document.
- Organisational risk register, including risk ratings, treatment plans, and owners.
- Evidence the risk register is reviewed regularly by leadership (meeting minutes with agenda item).
- Business continuity and emergency management plan, tested within the past 12 months.
- Insurance certificates of currency covering public liability and professional indemnity at levels appropriate to your service scope.
4. Human Resources and Worker Screening
- NDIS Worker Screening register, including check status, clearance number, and expiry for every worker who delivers supports to participants.
- Evidence that screening checks were confirmed before workers commenced NDIS-related work (offer letters or onboarding checklists with dates).
- Induction records signed by each worker, covering Code of Conduct obligations, mandatory reporting, and participant rights.
- Training register showing mandatory training (e.g., behaviour support, First Aid, safeguarding) is current for all relevant staff.
- Supervision schedule and records — particularly important for SIL where workers operate with limited oversight.
- Performance management and disciplinary procedure.
5. Incident Management
- Incident management policy aligned to the NDIS (Incident Management and Reportable Incidents) Rules 2018.
- Incident register, including date, description, classification (reportable or non-reportable), actions taken, and closure date.
- Evidence that reportable incidents were notified to the NDIS Commission within required timeframes — initial notification and final report.
- Root-cause analysis or investigation records for serious incidents.
- Evidence that learnings from incidents have been fed back into policy or practice (the CQI loop).
6. Complaints Management
- Complaints management policy and procedure, including how participants are informed of their right to complain to the NDIS Commission.
- Complaints register covering all complaints received, response timeframes, resolution, and whether the complainant was satisfied.
- Easy-read or accessible complaints information provided to participants — evidence of how this is communicated at intake.
- Analysis of complaint trends reviewed by management (board minutes or management reports).
7. Financial Management
- Financial management policy covering budget approval, expenditure authorisation, and participant-funds handling.
- Most recent financial statements or audit (external audit for incorporated bodies).
- Evidence of budget monitoring — management accounts or finance committee reports from the past year.
- Fraud prevention or financial-integrity procedure.
- For SIL providers managing participant funds: individual participant financial ledgers and reconciliation records.
8. Continuous Quality Improvement
- CQI policy or framework describing how the organisation identifies, prioritises, and tracks improvement activities.
- CQI register or improvement plan with actions, owners, target dates, and status.
- Evidence that participant feedback (surveys, meetings, complaints) informs the CQI cycle.
- Evidence that worker feedback (team meetings, exit interviews) is also captured.
- Management review meetings that formally discuss quality data — minutes demonstrating this.
Common Non-Conformances in This Module
Based on the types of findings the NDIS Commission regularly identifies, the most frequent problems in Governance and Operational Management are:
- Policies exist but are not reviewed. A policy dated several years ago with no documented review cycle is treated as non-current evidence. Fix: build a review calendar and minute the review at your management meeting.
- Worker screening gaps. Auditors cross-reference screening registers against payroll or rosters. A worker found to have commenced before a clearance was confirmed is a significant finding. Fix: build a checklist into your onboarding workflow that gates access to participant-facing work.
- Incident register not closed out. Open incidents with no resolution date or corrective action signal the management system is not functioning. Fix: designate a responsible officer and set a mandatory review date for every incident.
- Risk register not connected to governance. A risk register that lives in a spreadsheet but is never tabled at a board or management meeting is not a functioning system. Fix: make it a standing agenda item.
- No evidence of participant involvement in CQI. The Practice Standards require that improvement activity is informed by participant experience. Fix: document how participant surveys or feedback sessions feed directly into your CQI register.
Preparing Your Evidence Folder
Organise evidence in labelled sections that mirror the quality indicators in the Practice Standards. Auditors working on desktop audits will expect documents to be findable quickly. For each document, confirm it carries a version number, author, approval date, and next review date in the header or footer.
If you are preparing for a mid-registration review or full audit under the strengthened 2026 framework, consider running an internal mock audit against this checklist three to four months before your scheduled audit date. This gives you time to remediate gaps without last-minute pressure.
Providers building their documentation from scratch — particularly new SIL entrants — may find a structured, pre-mapped compliance kit useful. The 74-document audit-ready SIL compliance kit from ndiscompliant.com.au is built around the current Practice Standards modules, including Governance and Operational Management, and can significantly reduce the time spent drafting and cross-referencing policies.
A Note on the 2026 Strengthened Framework
The NDIS Commission's strengthened registration and practice standards changes place greater emphasis on provider governance maturity: not just documented policies, but evidence that leadership is actively using those systems to drive accountability and quality. Auditors under the new framework are expected to probe whether governance processes are genuinely embedded in organisational culture, which means verbal descriptions and paper policies alone are unlikely to satisfy an auditor. Your meeting minutes, registers, and corrective-action logs are your best witnesses.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.