What Triggers a Corrective Action Plan
A corrective action plan (CAP) is required whenever an Approved Quality Auditor (AQA) issues a non-conformance finding during an NDIS audit. This can happen at any stage of the audit cycle:
- Initial certification audit: When you are first applying for NDIS registration and the auditor identifies gaps in your compliance with the NDIS Practice Standards
- Mid-term surveillance audit: The 18-month check that verifies ongoing compliance
- Renewal audit: The recertification audit at the end of your 3-year registration period
- Unscheduled audit: An audit directed by the NDIS Commission in response to concerns
Both minor and major non-conformances require corrective action. The difference lies in the urgency, depth, and verification requirements. For a detailed explanation of the two types, see our NDIS Audit Non-Conformances guide.
Structure of an Effective Corrective Action Plan
An effective corrective action plan is not a vague promise to improve. It is a structured, evidence-based document that demonstrates you understand the problem and have a concrete plan to fix it — both immediately and systemically.
CAP Template Structure
Your corrective action plan should include the following sections:
| Section | What to Include | Why It Matters |
|---|---|---|
| 1. Non-Conformance Reference | Audit finding number, Practice Standard outcome, classification (minor/major) | Links your CAP directly to the specific audit finding |
| 2. Description of Finding | Restate the auditor's finding in your own words, acknowledging the gap | Demonstrates you understand what was found |
| 3. Root Cause Analysis | Structured analysis of why the non-conformance occurred (5 Whys, fishbone, or narrative analysis) | Shows you have looked beyond the symptom to the underlying cause |
| 4. Immediate Corrective Actions | Specific actions to fix the identified problem, with responsible person and target date | Addresses the immediate gap found by the auditor |
| 5. Preventive Actions | Systemic changes to prevent the same type of problem recurring, with responsible person and target date | Demonstrates you are making lasting improvements, not quick patches |
| 6. Evidence of Completion | List of specific documents or records you will produce to demonstrate each action has been completed | Gives the auditor clear evidence to verify closure |
| 7. Monitoring and Review | How you will monitor the effectiveness of your corrective actions over time | Shows sustainability — the fix will not lapse once the auditor stops watching |
When writing your CAP, use SMART criteria for each action item: Specific (what exactly will be done), Measurable (how will you know it is done), Achievable (is it realistic), Relevant (does it address the root cause), Time-bound (when will it be completed). Vague actions like "improve staff training" will be rejected. Specific actions like "deliver 2-hour incident management refresher training to all support staff by 15 June 2026, assessed via written competency quiz" will be accepted.
Root Cause Analysis Techniques
The root cause analysis is arguably the most important section of your corrective action plan. Auditors can immediately tell when a provider has only addressed the symptom (e.g., "we updated the form") without understanding why the gap existed in the first place.
The 5 Whys Technique
The 5 Whys is the simplest and most widely used root cause analysis technique. You start with the non-conformance and ask "why" repeatedly until you reach the fundamental cause. Typically, five iterations are sufficient, though you may need fewer or more.
Example: Missing Worker Screening Checks
Non-conformance: Three out of ten direct support staff do not have current NDIS Worker Screening Checks on file.
- Why? The screening checks were not obtained before these staff commenced delivering supports.
- Why? The recruitment procedure does not include a mandatory screening verification step before the first shift.
- Why? The recruitment procedure was last updated in 2023, before NDIS Worker Screening was mandatory in our state.
- Why? There is no process for reviewing and updating procedures when legislative or regulatory requirements change.
- Why? The document control system does not include trigger-based reviews tied to regulatory changes — only time-based annual reviews.
Root cause: The document control and policy review system lacks a mechanism for trigger-based reviews when regulatory requirements change, leading to outdated procedures that miss new compliance obligations.
The Fishbone (Ishikawa) Technique
The fishbone diagram organises potential causes into categories. For NDIS compliance, useful categories include:
- People: Knowledge gaps, staffing levels, turnover, accountability
- Process: Missing procedures, unclear workflows, inadequate checklists
- Policy: Outdated documents, incomplete coverage, poor communication
- Management: Insufficient oversight, unclear responsibilities, lack of monitoring
- Resources: Time constraints, technology gaps, funding limitations
- Environment: Multiple locations, remote work, high-turnover context
For each category, list the specific contributing factors that led to the non-conformance. This technique is particularly useful when a non-conformance has multiple interacting causes.
Choosing the Right Technique
| Situation | Recommended Technique |
|---|---|
| Single, clear cause | 5 Whys — quick and direct |
| Multiple contributing factors | Fishbone — captures complexity |
| Recurring non-conformance | Both — 5 Whys for depth, fishbone for breadth |
| Systemic failure across multiple areas | Fishbone — identifies cross-cutting themes |
Evidence Requirements for Closing Non-Conformances
Your corrective action plan must specify what evidence you will produce to demonstrate each action has been completed. The auditor will verify this evidence before closing the non-conformance.
Types of Acceptable Evidence
- Updated documents: Revised policies, procedures, or forms with clear version control showing the date of revision
- Training records: Attendance lists, training materials, competency assessment results, signed acknowledgement forms
- Operational records: Completed incident reports, supervision session records, participant feedback forms
- Meeting minutes: Records of team meetings, management reviews, or board meetings where corrective actions were discussed
- Registers: Updated entries in your worker screening register, training register, or continuous improvement register
- System screenshots: If you use electronic systems, screenshots showing updated processes or completed tasks
- Photographs: Physical evidence such as updated noticeboards, safety equipment, or environmental modifications
Evidence must be contemporaneous — created at the time the action was taken, not fabricated retrospectively. Auditors can easily identify backdated documents. If you update a policy, the version history should show the actual date of revision. If you train staff, the training records should include the actual date of training. Fabricating evidence is a serious integrity issue that can lead to refusal of registration.
Timeframes: Minor vs Major
| Aspect | Minor Non-Conformance | Major Non-Conformance |
|---|---|---|
| CAP submission | Within 30 days of finding (typical) | Within 14 days of finding (typical) |
| Implementation deadline | Up to 12 months | 90 days (typical) |
| Verification method | Checked at next scheduled audit | Must be verified before report finalisation |
| Follow-up audit | Usually not required | Desktop review or on-site visit may be required |
| Additional cost | Minimal (part of next audit) | $500 — $4,000 for follow-up verification |
Avoid Corrective Actions Entirely
The SIL Rescue Kit provides 65 audit-ready documents covering every Core Module outcome — the same gaps that generate corrective action plans. Invest $297 in prevention instead of thousands in remediation.
Get the SIL Rescue Kit — $297Example: CAP for Missing Training Records
This example demonstrates how to write a corrective action plan for a common minor non-conformance.
The Finding
Non-conformance NC-03 (Minor) — NDIS Practice Standards Core Module, Outcome 2.6 (Human Resource Management): Staff training records were incomplete. Of 10 staff files reviewed, 4 did not contain evidence of training in the organisation's incident management procedure. The training register does not track individual staff training completion.
Root Cause Analysis (5 Whys)
- Why were training records incomplete? — Training was delivered verbally during team meetings but not formally recorded.
- Why was training not formally recorded? — There was no standardised training record template or sign-off sheet.
- Why was there no template? — The training procedure does not specify how training must be documented.
- Why is the procedure unclear? — The HR policy addresses the need for training but does not prescribe documentation standards.
- Why? — The policy was drafted with a focus on what training is required, not how it is evidenced.
Root cause: The HR policy and training procedure do not specify documentation standards for training delivery, and there is no standardised template for recording attendance and competency outcomes.
Corrective and Preventive Actions
| Action | Type | Responsible | Due Date | Evidence |
|---|---|---|---|---|
| Deliver incident management refresher training to all 10 support staff, with written competency quiz | Corrective | Team Leader | 30 April 2026 | Training attendance list, completed quiz sheets, training materials |
| Complete missing training records for the 4 identified staff members | Corrective | HR Officer | 30 April 2026 | Updated staff files with training records |
| Create standardised training record template with fields for date, topic, trainer, attendees, competency outcome, and signatures | Preventive | HR Officer | 15 April 2026 | Completed template document with version control |
| Update HR policy Section 6.4 to specify training documentation requirements | Preventive | Compliance Manager | 30 April 2026 | Updated policy (Version 2.0) with tracked changes |
| Implement centralised training register spreadsheet with individual tracking per staff member | Preventive | HR Officer | 15 April 2026 | Populated training register with historical data |
| Add quarterly training compliance review to management meeting agenda | Monitoring | Director | Ongoing (first review May 2026) | Meeting minutes showing training compliance discussion |
Example: CAP for Incomplete Incident Reports
This example demonstrates a corrective action plan for a major non-conformance — requiring faster action and deeper systemic fixes.
The Finding
Non-conformance NC-01 (Major) — NDIS Practice Standards Core Module, Outcome 2.4 (Incident Management): The organisation's incident management system is not functioning effectively. Of 8 incidents reviewed, 5 had no root cause analysis, 3 had no evidence of management review, and 1 reportable incident was not reported to the NDIS Commission within the required 24-hour timeframe. Staff interviewed could not describe the incident reporting process.
Root Cause Analysis (Fishbone)
People
- Support staff have not received formal training on the incident management procedure since their induction
- High staff turnover means newer staff have limited understanding of reporting requirements
Process
- The incident report form does not include a section for root cause analysis — staff do not know it is required
- There is no defined workflow for incident escalation and management review
- Reportable incident criteria are not clearly documented or communicated to staff
Policy
- The incident management policy references root cause analysis but the corresponding procedure does not operationalise it
- The policy does not define timeframes for management review of incidents
Management
- No one is assigned responsibility for monitoring incident register completeness
- Incidents are recorded but there is no regular review or trend analysis
Root cause: The incident management system has multiple interconnected failures — an incomplete incident report form, a gap between policy intent and procedural guidance, insufficient staff training, and no management oversight mechanism to catch gaps in real time.
Corrective and Preventive Actions
| Action | Type | Responsible | Due Date | Evidence |
|---|---|---|---|---|
| Complete root cause analysis and management review for all 8 outstanding incidents | Corrective | Compliance Manager | 20 April 2026 | Updated incident files with completed analysis and sign-off |
| Submit the overdue reportable incident to the NDIS Commission with explanation for delay | Corrective | Director | 8 April 2026 | NDIS Commission submission confirmation |
| Redesign incident report form to include mandatory sections for root cause analysis, corrective actions, management review, and NDIS Commission reporting assessment | Preventive | Compliance Manager | 15 April 2026 | New incident report form (Version 2.0) |
| Update incident management procedure to include: step-by-step escalation workflow, management review within 48 hours, root cause analysis within 7 days, and reportable incident notification within 24 hours | Preventive | Compliance Manager | 20 April 2026 | Updated procedure document with version control |
| Create and distribute a Reportable Incidents Quick Reference Card for all staff | Preventive | Team Leader | 25 April 2026 | Quick reference card, distribution sign-off sheets |
| Deliver mandatory 3-hour incident management training to all support staff, including scenario-based assessment | Preventive | Team Leader | 10 May 2026 | Training materials, attendance records, assessment results |
| Assign Compliance Manager as incident register owner with fortnightly completeness review | Monitoring | Director | 15 April 2026 | Delegated responsibility memo, fortnightly review records |
| Add monthly incident trend analysis to management meeting agenda | Monitoring | Director | Ongoing (first: May 2026) | Meeting minutes with incident analysis discussion |
Summary
Writing an effective NDIS corrective action plan is a skill that every provider should develop. The key principles are:
- Understand the finding — make sure you know exactly which Practice Standard outcome is not met and what evidence the auditor relied on
- Dig to the root cause — use structured techniques like the 5 Whys or fishbone diagram to identify systemic causes, not just surface symptoms
- Be specific — every action should have a clear responsible person, deadline, and expected evidence
- Fix and prevent — address both the immediate problem (corrective actions) and the systemic gap (preventive actions)
- Produce evidence — document everything as you go, with contemporaneous records
- Monitor — build in ongoing review mechanisms so the fix sticks
The best corrective action plan is the one you never need to write. Thorough preparation — including complete documentation, staff training, and functioning compliance systems — prevents most non-conformances from arising. Our free NDIS Notes Rewriter helps with day-to-day documentation, and the SIL Rescue Kit provides the complete policy and procedure framework you need from the start.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.