Why Your Code of Conduct Policy Is a Primary Audit Target
The NDIS Code of Conduct sits at the heart of every approved quality audit. It is one of the foundational requirements for all registered NDIS providers — including Supported Independent Living (SIL) providers — and auditors assess it early because it touches virtually every other practice standard. A policy that exists on paper but is not embedded in daily operations is one of the most common reasons providers receive non-conformances.
The NDIS Commission enforces the Code of Conduct under the National Disability Insurance Scheme Act 2013 and the NDIS (Code of Conduct) Rules. With the strengthened 2026 registration requirements placing increased emphasis on governance, risk, and evidence of continuous improvement, getting this policy right is more important than ever.
The Seven Code of Conduct Obligations Auditors Test Against
Your policy must address all seven obligations under the NDIS Code of Conduct. Auditors use these as a direct checklist. They are:
- Act with respect for individual rights to freedom of expression, self-determination, and decision-making in accordance with applicable laws and conventions.
- Respect the privacy of people with disability.
- Provide supports and services in a safe and competent manner with care and skill.
- Act with integrity, honesty, and transparency.
- Promptly take steps to raise and act on concerns about matters that may impact the quality and safety of supports provided to people with disability.
- Take all reasonable steps to prevent and respond to all forms of violence against, and exploitation, neglect, and abuse of, people with disability.
- Take all reasonable steps to prevent and respond to sexual misconduct.
A policy that omits or vaguely describes any of these seven areas will generate an auditor finding. Each obligation should be explained in plain language that a support worker can understand and apply on shift.
Document Structure: What Auditors Expect to See
Auditors are not just reading your policy — they are assessing whether it is fit for purpose and operational. The following structural elements are expected in a compliant Code of Conduct policy:
- Purpose and scope: Who the policy applies to (employees, contractors, volunteers, students on placement) and what services it covers.
- Reference to the NDIS Code of Conduct: An explicit link to the Commission's published obligations, not a paraphrase that strips out accountability language.
- Worker obligations in plain language: Translated into concrete, role-specific behaviours workers are expected to demonstrate.
- Breach procedure: What happens when the Code is breached — investigation steps, escalation, and potential consequences including termination or referral to the Commission.
- Reporting obligations: How workers raise concerns, who they report to, and what protections exist for those who speak up (noting whistleblower provisions).
- Link to related policies: Cross-references to your incident management, complaints handling, restrictive practices, and safeguarding policies.
- Version control and review date: Document number, version, date of last review, and name of approving authority (usually the Responsible Person or Board).
Evidence Auditors Will Request
Having a written policy is necessary but not sufficient. Auditors request evidence that the policy is genuinely implemented. During a certification or verification audit, expect requests for:
Staff Induction and Training Records
Auditors will ask to see records showing that every worker — including casual and agency staff — has received Code of Conduct training as part of induction. This means signed acknowledgement forms or a training register with completion dates. A gap in the record for even one worker is a finding.
Signed Acknowledgements
Workers should sign a declaration confirming they have read, understood, and agree to comply with the Code of Conduct. Auditors spot-check personnel files. If acknowledgements are missing or undated, expect a non-conformance.
Refresher Training Evidence
One-off induction training is insufficient. Auditors look for annual or periodic refresher training, particularly where there have been incidents, new legislative updates, or turnover of key staff. Under the strengthened 2026 framework, ongoing worker capability is a specific focus area.
Incident and Complaint Files Linked to Code Obligations
When reviewing incident records, auditors check whether Code of Conduct obligations were considered in the organisation's response. For example, an incident involving a worker acting outside their role should reference which Code obligation was breached and what action was taken. If incident files are silent on this, it suggests the policy is not embedded in operations.
Restrictive Practice Authorisation Records
For SIL providers, auditors cross-reference Code of Conduct records with restrictive practice registers. Unauthorised use of regulated restrictive practices is a direct Code breach. Evidence of proper authorisation, reporting to the Commission, and staff training on behaviour support plans is expected.
Common Non-Conformances — and How to Fix Them
| Non-Conformance | Why It Happens | The Fix |
|---|---|---|
| Policy does not address all seven Code obligations | Template copied from another sector or outdated source | Map your policy headings directly to each of the seven obligations and verify against the Commission's current published rules |
| No signed acknowledgements on file | Verbal-only induction or lost paperwork | Implement a digital HR onboarding form with a mandatory Code of Conduct declaration field; backfill existing staff |
| Policy not reviewed in the last 12 months | No scheduled review cycle in governance calendar | Add an annual review task to the compliance calendar with a named owner; record review outcomes even when no changes are made |
| Breach procedure is vague or missing | Policy focuses on obligations but not consequences | Add a dedicated section: what constitutes a breach, who investigates, timeframes, and potential outcomes including mandatory reporting to the Commission |
| Incident records do not reference Code implications | Staff completing incident forms without Code of Conduct training | Update incident form to include a Code of Conduct implications field; retrain team leaders on completing this field |
| Policy applies to employees only, not contractors | Scope section uses employment-only language | Extend scope to all workers as defined by the Commission — this includes volunteers, students, and labour hire staff |
A Sample Policy Excerpt Auditors Consider Compliant
The following is a realistic example of how the obligation around preventing violence, abuse, neglect, and exploitation can be written in a compliant policy:
Obligation 6 — Prevention of Violence, Abuse, Neglect and Exploitation
All workers engaged by [Organisation Name] must take all reasonable steps to prevent and respond to all forms of violence against, and exploitation, neglect, and abuse of, participants. This includes:
- Immediately reporting any observed or suspected abuse to the Responsible Person and, where required, to the NDIS Commission via the Provider Portal;
- Following the organisation's Incident Management Policy when a reportable incident has occurred or is suspected;
- Never using physical, verbal, financial, or emotional abuse against any participant under any circumstances;
- Completing the organisation's mandatory safeguarding training within the first week of employment and refresher training annually.
Breach of this obligation will be treated as serious misconduct and may result in immediate suspension pending investigation, termination of engagement, and referral to the NDIS Commission or relevant authorities.
How Auditors Assess Policy Under the Strengthened 2026 Framework
The strengthened NDIS Practice Standards that form part of the 2026 registration reforms place additional weight on governance and continuous improvement. For Code of Conduct policies specifically, auditors will probe:
- Whether the Responsible Person has formally approved the policy and can articulate their oversight role;
- Whether the policy has been updated to reflect any legislative changes since its last review;
- Whether the organisation can demonstrate a feedback loop — that is, lessons from incidents and complaints have been used to improve the policy or worker training;
- Whether workers at different levels (team leaders, support workers, casual staff) can explain their obligations in their own words during staff interviews.
That last point matters more than many providers expect. Auditors conduct worker interviews as a standard part of mid- to high-intensity audits. A support worker who cannot explain what the Code of Conduct requires of them is a red flag, regardless of how well written the policy document is.
Preparing Your Policy for the Next Audit
A practical pre-audit review of your Code of Conduct policy should cover the following steps:
- Check that all seven obligations are addressed explicitly, not just referenced by name.
- Confirm the policy scope includes all worker categories — employees, contractors, labour hire, volunteers, and students.
- Pull training records and confirm every current worker has a dated, signed acknowledgement on file.
- Review the most recent three to five incident files and confirm Code of Conduct implications were considered in each response.
- Check the policy version date — if it has not been reviewed in the past year, schedule an immediate review and document the outcome.
- Brief team leaders on the worker interview questions auditors commonly ask, so staff can answer confidently.
If you are building or overhauling your compliance document suite, the 74-document audit-ready SIL compliance kit available at ndiscompliant.com.au includes a fully structured Code of Conduct policy, acknowledgement form, breach procedure, and linking guidance to align it with your incident and complaints frameworks.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.