20 Most Common NDIS Compliance Mistakes and How to Avoid Them

Documentation Mistakes (1-5)

Mistake 1: Policies Exist but Have Never Been Reviewed

The problem: The provider purchased or wrote policies when they first registered but has never updated them. Review dates are years old. Version numbers are still 1.0. The policies reference outdated legislation or organisational details that have changed.

Why auditors care: Practice Standards Outcome 2.3 (Quality Management) requires regular review of policies as part of continuous improvement. Policies that have not been reviewed demonstrate a lack of active quality management. If your risk management policy still references your old trading name or a director who left two years ago, the auditor knows nobody has looked at it.

How to fix it: Schedule an annual policy review cycle. Review at least a quarter of your policies each quarter so the workload is manageable. Update version numbers, review dates, and approval records. Record all reviews in your document control register. Even if no changes are needed, document that a review was conducted and the policy remains current.

Mistake 2: Progress Notes Are Vague, Subjective, or Missing

The problem: Shift notes say things like "Had a good day" or "Was aggressive this morning" without specific details, times, observations, or goal references. Some shifts have no notes at all. Notes contain subjective judgements rather than objective observations.

Why auditors care: Progress notes are primary evidence of support delivery. They demonstrate that supports were provided in accordance with the participant's plan and goals, that staff are competent, and that participant wellbeing is monitored. Vague or missing notes suggest supports were either not delivered properly or not documented — and the auditor cannot distinguish between the two.

How to fix it: Train all staff in objective, goal-linked note writing. Use structured formats (SOAP or DAP). Implement a note review process where team leaders check notes regularly. Our free Notes Rewriter tool converts informal shift notes into compliant, objective progress notes automatically. Set a non-negotiable rule: no note, no shift is considered complete.

Mistake 3: No Document Control System

The problem: The provider has policies saved in multiple locations (email, shared drives, paper folders) with no version control. Staff are working from different versions. Nobody knows which version is current. There is no document control register.

Why auditors care: Document control demonstrates governance. If staff are using outdated policies, the risk of non-compliant practice increases. The auditor needs to verify that the documents they review are the current, approved versions and that staff can access them.

How to fix it: Create a document control register listing every organisational document with its title, document number, current version, approval date, next review date, and storage location. Implement a single source of truth for current documents. Remove all old versions from circulation. Train staff on where to find current documents.

Mistake 4: Service Agreements Are Incomplete or Unsigned

The problem: Service agreements are missing key elements (cancellation terms, complaint process, participant rights), are not signed by both parties, or do not exist at all for some participants. Some agreements are years old and have never been updated to reflect changes in supports.

Why auditors care: The Practice Standards require service agreements for all ongoing support arrangements. The agreement protects both the participant and the provider. Auditors will sample several participant files and check that each has a current, signed service agreement that accurately reflects the supports being delivered.

How to fix it: Audit every participant file for a current, signed service agreement. Ensure agreements include all required elements: supports to be delivered, costs, payment terms, cancellation policy, complaint process, participant rights, transition arrangements, and consent provisions. Review and update agreements when support arrangements change.

Mistake 5: Records Retention Is Non-Existent

The problem: The provider has no records retention policy. Old records are randomly deleted or discarded. Electronic records have no backup system. Paper records are stored in boxes with no indexing. When asked for historical records, staff cannot locate them.

Why auditors care: The Practice Standards require records to be maintained securely for at least seven years. Records are evidence of past compliance and are needed for investigations, complaints, and reviews. A provider that cannot produce historical records raises serious concerns about information management and governance.

How to fix it: Implement a records retention schedule aligned with NDIS requirements (minimum seven years). Set up automated backups for electronic records. Index paper records and store them securely. Include records management in your privacy policy and information management procedures.

Workforce Mistakes (6-10)

Mistake 6: Expired or Missing Worker Screening Checks

The problem: Workers in risk-assessed roles do not have current NDIS Worker Screening Check clearances. Clearances have expired without renewal. New workers started before their checks were processed and were not supervised by a cleared worker. The worker screening register is incomplete or out of date.

Why auditors care: Worker screening is a fundamental safeguarding requirement. An unchecked worker in a risk-assessed role is a direct safety risk to participants. This is frequently a major non-conformance that can delay or prevent registration.

How to fix it: Audit your worker screening register immediately. Verify every worker in a risk-assessed role has a current clearance. Set calendar reminders for expiry dates (checks are valid for five years). Implement a policy that no worker commences in a risk-assessed role without either a current clearance or documented supervised arrangement pending clearance.

Mistake 7: No Evidence of Staff Training

The problem: Training has been delivered but there is no evidence — no training register, no attendance records, no completion certificates, no competency assessments. When the auditor asks "show me your training records," the response is "we do training but we don't keep records."

Why auditors care: The Practice Standards require that workers are trained, competent, and supervised. Without training records, there is no way to verify this. The training register is one of the first documents auditors request.

How to fix it: Maintain a comprehensive training register recording: training topic, date, duration, trainer, method (face-to-face, online, on-the-job), attendees, and next due date. Retain all completion certificates and attendance records. Include mandatory training topics: Worker Orientation Module, Code of Conduct, incident reporting, complaints, manual handling, medication management, first aid, infection control, and fire safety.

Mistake 8: Supervision Is Informal or Unrecorded

The problem: Supervision happens informally — a quick chat in the hallway or at handover — but there are no formal supervision records. When the auditor asks for supervision records, the provider has none or has hastily created backdated records.

Why auditors care: The Practice Standards require regular, structured supervision. Supervision records demonstrate that workers are supported, that performance issues are addressed, and that professional development is ongoing. Informal supervision, while valuable, does not replace documented formal supervision.

How to fix it: Schedule formal supervision sessions (every 4-6 weeks for support workers, more frequently for new staff). Use a supervision record template that captures: date, duration, topics discussed, actions arising, worker wellbeing check, and next session date. Both the supervisor and worker should sign the record. Store records in the worker's personnel file.

Mistake 9: Code of Conduct Acknowledgements Are Missing

The problem: Workers have not signed a Code of Conduct acknowledgement, or acknowledgements were signed at induction but never renewed. The provider cannot produce evidence that all current workers have acknowledged the Code.

Why auditors care: While not explicitly legislated, signed Code of Conduct acknowledgements are the standard evidence that workers are aware of their obligations. Auditors expect to see a signed acknowledgement for every worker in their personnel file, obtained at induction and renewed annually.

How to fix it: Implement a Code of Conduct acknowledgement form that workers sign at induction. Schedule annual re-acknowledgement (often combined with annual Code of Conduct refresher training). Maintain a Code of Conduct register tracking acknowledgement dates for all workers. Include agency staff and regular volunteers.

Mistake 10: Induction Processes Are Incomplete

The problem: New workers start without completing a full induction. Induction checklists are partially completed or missing. Workers begin delivering supports before they have been trained in participant-specific requirements (BSPs, mealtime management plans, individual support plans).

Why auditors care: Inadequate induction directly affects participant safety and quality of support. A worker who has not been inducted on a participant's BSP may inadvertently use an unauthorised restrictive practice. A worker who has not been trained in mealtime management may provide the wrong food texture, risking aspiration.

How to fix it: Create a comprehensive induction checklist covering: organisational orientation, Code of Conduct, incident reporting, complaint procedures, WHS, manual handling, infection control, medication management, participant-specific training, and Worker Orientation Module completion. No worker should deliver unsupervised supports until the induction checklist is fully completed and signed.

Incident and Complaint Mistakes (11-14)

Mistake 11: Incidents Are Not Reported to the NDIS Commission

The problem: Reportable incidents occur but are not notified to the NDIS Commission within the required 24-hour timeframe. Sometimes incidents are not recognised as reportable. Sometimes they are managed internally without external notification. Sometimes the reporting process is simply not understood.

Why auditors care: Failure to report reportable incidents is one of the most serious compliance breaches. It can indicate a culture of concealment, inadequate incident management training, or systemic governance failures. The NDIS Commission has publicly stated that late or non-reporting is an enforcement priority.

How to fix it: Train all staff to recognise the six categories of reportable incidents: death, serious injury, abuse or neglect, unlawful sexual or physical contact, sexual misconduct, and unauthorised restrictive practices. Create a clear escalation pathway. Designate a responsible person for Commission notifications. Implement a "when in doubt, report" culture. Test your reporting process through scenario exercises.

Mistake 12: The Incident Register Is Incomplete

The problem: The incident register exists but is incomplete. Incidents are recorded but investigation findings, corrective actions, and outcomes are missing. The register has gaps — months where no incidents were recorded, even though the provider was operating. There is no link between incidents and continuous improvement activities.

Why auditors care: The incident register demonstrates the full cycle of incident management: identification, recording, investigation, response, review, and improvement. A register with missing fields suggests that incidents are not being properly investigated or that learning is not occurring. A register with suspicious gaps suggests under-reporting.

How to fix it: Review your incident register for completeness. Ensure every entry includes: date, description, persons involved, immediate response, investigation findings, root cause (where identifiable), corrective actions, responsible person, completion date, and review outcome. Link serious or recurring incidents to entries in your continuous improvement register.

Mistake 13: Complaints Are Discouraged or Ignored

The problem: The complaints process is not accessible. Participants do not know how to complain. Complaints are received but not recorded or resolved. Staff are defensive when complaints are made. There is no evidence that complaints have led to improvements.

Why auditors care: An accessible, responsive complaints process is a safeguarding mechanism. If participants cannot complain safely, concerns go unreported and harm may continue. Auditors interview participants about their awareness of the complaints process and check whether complaints have been acted on.

How to fix it: Make your complaints process genuinely accessible: provide information in easy-read format, display it in service locations, include it in service agreements, and remind participants regularly. Record all complaints in your complaints register with full details of investigation, response, and outcome. Include information about the NDIS Commission's complaints line (1800 035 544) in all participant-facing materials.

Mistake 14: No Connection Between Incidents/Complaints and Continuous Improvement

The problem: Incidents and complaints are managed in isolation. The same types of incidents recur because root causes are never addressed. The continuous improvement register is empty or contains only generic entries. There is no evidence that feedback has driven tangible changes.

Why auditors care: The continuous improvement system is the mechanism that turns reactive incident management into proactive quality improvement. Auditors look for a clear line from incident/complaint to investigation to root cause to corrective action to improvement. Without this line, the provider is managing symptoms rather than causes.

How to fix it: At minimum, conduct a monthly review of all incidents and complaints to identify trends and themes. Record improvement opportunities in your CI register with specific actions, responsible persons, timelines, and evidence of completion. Demonstrate that changes have been implemented and evaluated for effectiveness.

Governance and Quality Mistakes (15-17)

Mistake 15: No Internal Audit Program

The problem: The provider relies entirely on external audits to assess compliance. No internal audits have been conducted. There is no internal audit schedule, no internal audit reports, and no evidence of self-assessment between external audits.

Why auditors care: Internal auditing is a key component of quality management under Practice Standards Outcome 2.3. It demonstrates that the provider is proactively monitoring their own compliance rather than waiting for an external auditor to identify problems. Providers who conduct internal audits typically have fewer non-conformances at external audit.

How to fix it: Establish an internal audit schedule that covers all Practice Standard outcomes over a 12-month cycle. Conduct quarterly internal audits focusing on different outcome areas. Document findings, corrective actions, and follow-up. Use the NDIS Practice Standards quality indicators as your audit criteria — they are the same criteria external auditors use.

Mistake 16: Key Personnel Changes Not Notified

The problem: Directors, senior managers, or other key personnel have changed since registration, but the NDIS Commission has not been notified. The provider's registered details are out of date. New key personnel have not been assessed for fitness and propriety.

Why auditors care: Key personnel bear personal responsibility for organisational compliance. The NDIS Commission must assess all key personnel to ensure they are fit and proper persons. Failing to notify changes undermines the Commission's oversight function and is a breach of registration conditions.

How to fix it: Notify the NDIS Commission of all key personnel changes within the required timeframe (check current requirements, as timeframes may have changed). Submit the relevant notification forms and supporting documentation. Ensure all current key personnel are recorded accurately with the Commission.

Mistake 17: Risk Management Is a Document, Not a Process

The problem: The provider has a risk management policy and a risk register, but both are static documents that were created once and never updated. Risk assessments have not been conducted for new services, locations, or participant cohorts. The risk register does not reflect the provider's actual risk profile.

Why auditors care: Risk management under Practice Standards Outcome 2.2 requires an active, ongoing process — not a document that sits in a folder. Auditors look for evidence that risks are regularly assessed, that the risk register is current and reflective of actual operations, and that risk controls are implemented and reviewed.

How to fix it: Review your risk register quarterly. Add new risks as they emerge (new participants, new staff, new locations, incidents, complaints, environmental changes). Review existing risk ratings and controls. Document all changes. Ensure risk management is a standing agenda item at management meetings.

Participant Rights Mistakes (18-20)

Mistake 18: Participants Are Not Involved in Their Support Plans

The problem: Support plans are written by staff without meaningful participant input. Participants have not seen or agreed to their support plans. Plans do not reflect the participant's goals, preferences, or communication needs. Plans are generic rather than individualised.

Why auditors care: Person-centred practice is foundational to the NDIS Practice Standards. Practice Standards Outcome 1.1 requires that participants are actively involved in decisions about their supports. When auditors interview participants and they are unaware of their support plan or say they were not involved in developing it, this is a significant concern.

How to fix it: Involve participants (and their families/nominees where appropriate) in developing and reviewing their support plans. Document their input, preferences, and goals. Provide plans in accessible formats. Review plans regularly and whenever circumstances change. Get participant sign-off (or documented agreement) on the plan.

Mistake 19: Restrictive Practices Are Used Without Proper Authorisation

The problem: The provider uses restrictive practices (environmental restrictions, chemical restraint, physical restraint) without proper authorisation, without a current BSP, or without reporting to the NDIS Commission. Staff may not recognise certain practices as restrictive (e.g., locked cupboards, restricted internet access, routine sedating medication).

Why auditors care: Unauthorised use of restrictive practices is a reportable incident and one of the NDIS Commission's highest enforcement priorities. It directly violates participants' human rights. This is frequently a major non-conformance that can result in immediate conditions on registration or suspension.

How to fix it: Audit all current practices for any that restrict participants' rights or freedom. Ensure all restrictive practices are authorised by the relevant state/territory body, documented in a current BSP, reported to the NDIS Commission, and monitored for reduction and elimination. Train all staff to recognise restrictive practices including environmental and chemical restraints that are commonly overlooked.

Mistake 20: Participants Do Not Know Their Rights

The problem: Participants have not been informed of their rights including the right to complain, the right to access advocacy, the right to dignity of risk, the right to privacy, and the right to be free from abuse and neglect. No participant rights statement has been provided. Information is not available in accessible formats.

Why auditors care: Practice Standards Outcome 1.5 requires that participants are informed of their rights and that the provider actively promotes and protects those rights. Auditors interview participants and ask whether they know their rights, whether they know how to complain, and whether they feel safe. If participants cannot answer these questions, the provider has a compliance gap.

How to fix it: Provide every participant with a rights statement at service commencement, in a format they can understand. Include rights information in service agreements. Display rights information in service locations. Provide information about independent advocacy services. Revisit rights information regularly — not just at intake. Ensure staff understand and actively promote participant rights.

These 20 mistakes are not theoretical — they are the findings that auditors identify most frequently across Australian NDIS providers. The good news is that every one of them is fixable with the right systems, documentation, and organisational commitment. Start by addressing the mistakes most relevant to your organisation, and work through the rest systematically before your next audit.

For detailed guidance on audit preparation, see our NDIS Audit Day Guide. For a complete checklist of what you need before registration, see our New Provider Checklist.