What is an NDIS quality management system and who needs one?
An NDIS quality management system (QMS) is the documented framework that proves to the NDIS Quality and Safeguards Commission — and to an approved quality auditor — that your organisation consistently delivers safe, high-quality supports. It is not a single document; it is a living system of interconnected policies, procedures, records, and improvement cycles.
Any registered NDIS provider must have a QMS. Under the strengthened NDIS Practice Standards that came into effect from 2024 and continue to apply through 2026 and beyond, the requirements have been tightened — particularly for providers of higher-risk supports such as Supported Independent Living (SIL), specialist disability accommodation, and behaviour support.
Unregistered providers are not required to hold registration, but the moment your organisation seeks or renews registration, you will be audited against the Practice Standards and your QMS will be examined in detail.
Core elements every NDIS QMS must contain
The NDIS Practice Standards are organised into four core modules plus additional modules for higher-risk supports. Your QMS must map to each applicable module. The table below summarises the non-negotiable components.
| QMS component | Relevant Practice Standard area |
|---|---|
| Quality and safeguarding policy | Rights and responsibility of participants |
| Incident management policy and procedure | Incident management (Core module) |
| Complaints management policy and procedure | Feedback and complaints (Core module) |
| Worker screening and NDIS Worker Screening Check records | Human resources (Core module) |
| Restrictive practices policy (if applicable) | Behaviour support module |
| Risk management framework | Risk management (Core module) |
| Continuous improvement / audit schedule | Continuous improvement (Core module) |
| Participant rights and NDIS Code of Conduct acknowledgement | Rights and responsibility of participants |
Step-by-step: how to write your NDIS QMS
- Map your registration groups to the applicable Practice Standards. Log in to the NDIS Commission portal and identify every support category (registration group) you hold or intend to apply for. Each group triggers specific modules. SIL providers, for example, must meet the Core Standards plus the High Intensity Daily Personal Activities module.
- Draft a top-level quality policy statement. This is a one- to two-page document signed by your CEO or Board Chair. It states your organisation's commitment to quality, safety, and the NDIS Code of Conduct. Auditors look for evidence that leadership owns the QMS — not just administration staff.
- Write your incident management procedure. The NDIS Commission requires you to record, assess, manage, and — for reportable incidents — notify the Commission within mandated timeframes. Your procedure must define what constitutes a reportable incident, who is responsible for notifying the Commission, and how you investigate and learn from incidents. Include your internal reporting forms as attachments.
- Write your complaints management procedure. Participants and their families must be able to raise concerns without fear of retribution. Your procedure must describe how complaints are received (verbally, in writing, anonymously), acknowledged, investigated, and resolved, and how outcomes are communicated back to the complainant. Reference the participant's right to take complaints directly to the NDIS Commission.
- Document your worker screening and human resources processes. Every worker in a risk-assessed role must hold a current NDIS Worker Screening Check from their state or territory screener. Your QMS must describe how you verify clearances before commencement, how you track expiry dates, and how you handle a clearance being suspended or cancelled. Include a register template.
- Build your risk management framework. Document how you identify, assess (likelihood × consequence), treat, and monitor risks at both organisational and participant levels. Include your risk matrix, register template, and review frequency. For SIL providers, individual risk assessments for each participant's home environment are a specific auditor focus.
- Create a continuous improvement register. Auditors want to see that your organisation learns. Maintain a log of improvement actions triggered by incidents, complaints, audits, and staff feedback. Record the action, the person responsible, the target date, and the outcome. Review and update this register at least quarterly.
- Schedule your internal audits. Set a calendar of internal reviews — at least annually for each policy area, more frequently for high-risk procedures. Document the audit outcomes and any corrective actions.
- Compile and version-control the full QMS. Number each document, record the date of last review, and name the responsible position (not a person's name, as staff turn over). Store in a location all relevant staff can access and a nominated person controls.
Template excerpt: incident management policy (filled-in example)
Below is a realistic excerpt showing the style and content level auditors expect. Adapt headings, scope, and role titles to your organisation.
Policy title: Incident Management Policy
Document number: QMS-INC-001
Version: 3.0 | Review date: June 2027
Policy owner: Quality and Compliance Manager

Purpose
This policy ensures that Sunrise Disability Services identifies, records, manages, and learns from incidents affecting NDIS participants, consistent with the NDIS (Incident Management and Reportable Incidents) Rules 2018 and the NDIS Practice Standards (Core Module — Incident Management).

Scope
All employees, contractors, and volunteers delivering NDIS supports.

Reportable incident categories
• Death of a participant
• Serious injury of a participant
• Abuse or neglect of a participant
• Unlawful sexual or physical contact with a participant
• Unauthorised use of a restrictive practice
• A participant unexpectedly absconding from a supervised environment

Notification timeframe — reportable incidents
Initial notification to the NDIS Commission must occur within 24 hours of the provider becoming aware. A full written report is due within 5 business days.

Procedure steps
1. Staff identifies incident → completes Incident Report Form (INC-F-001)
2. Supervisor notified within 2 hours
3. Quality and Compliance Manager assesses reportability within 4 hours
4. If reportable: Commission notified via provider portal within 24 hours
5. Investigation completed → root cause documented → improvement action recorded in Continuous Improvement Register (QMS-CI-001)
6. Participant and/or family informed of outcome (where appropriate and safe)

Related documents: INC-F-001 Incident Report Form | QMS-CI-001 Continuous Improvement Register | QMS-HR-001 Worker Screening Policy
What approved quality auditors check
When you undergo a certification or verification audit, your auditor is assessing conformance against the Practice Standards — not just whether documents exist, but whether they are implemented in practice. Common non-conformances for SIL providers include:
- Policies that are present but not followed — staff cannot describe the procedure during interviews, or records do not reflect the documented process.
- Stale documents — policies dated several years ago with no evidence of review, especially where regulations have since changed.
- Incomplete worker screening registers — missing expiry dates, or no process for monitoring ongoing clearance status.
- Incident records with no learning outcomes — incidents logged but no corrective action documented in the improvement register.
- Participant records that lack individual risk assessments — particularly in SIL settings where home-environment and medication risks must be assessed per person.
- No evidence leadership reviews the QMS — management meeting minutes or sign-off records showing the quality policy is actively monitored by senior leadership are expected.
Keeping your QMS current for 2026
The NDIS Commission continues to strengthen its framework following the Independent Review and subsequent government commitments. For 2026 specifically, providers should ensure their QMS documents reflect the updated incident management rules, any state-specific behaviour support legislative requirements, and the strengthened requirements around participant rights and the NDIS Code of Conduct.
Build a review trigger into your QMS: any time the NDIS Commission publishes updated practice guidelines, rules, or registration conditions, a nominated staff member reviews affected policies within 30 days.
If you are preparing for registration or re-registration as a SIL or higher-intensity support provider and want a ready-made foundation, the 74-document audit-ready SIL compliance kit available at ndiscompliant.com.au covers every module discussed here and is structured to map directly to auditor checklists — which can considerably reduce the time needed to build your QMS from scratch.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.