Why document control matters for NDIS providers
The NDIS Quality and Safeguards Commission requires registered providers to maintain an information management system that ensures their policies, procedures, and records are accurate, current, and accessible. This obligation flows from Quality Indicator 2.4 — Information Management under the NDIS Practice Standards Core Module.
In practical terms, document control is the system a provider uses to manage the lifecycle of every document — from creation and approval through to amendment, archiving, and eventual disposal. Without it, you cannot reliably answer the question every auditor will ask: "How do you know the policy your staff are following is the current, approved version?"
The consequences of poor document control are significant. Auditors examining provider files routinely find:
- Multiple versions of the same policy in circulation simultaneously
- Policies with no effective date or approval signature
- Review dates that have passed without evidence of review
- Staff who have never received training on amended policies
- Documents that reference legislation that has since been updated
Each of these findings can trigger a non-conformance against Quality Indicator 2.4, which requires additional evidence, corrective action plans, and potentially a follow-up audit — all of which delay your registration and add cost.
Quality Indicator 2.4 requires providers to demonstrate they have systems to create, review, and manage records, information, and communications. The supporting quality indicators assess whether information is accurate, up to date, and accessible to the people who need it — including participants and workers.
Document control fundamentals: the core elements
Every controlled document in your NDIS policy library should include a consistent set of identifying information, usually presented in a document control box at the top of the first page. This box does two things: it tells the reader which version they are looking at, and it gives the auditor at-a-glance evidence that your document management system is functioning.
The essential document control box fields
| Field | Purpose | Example |
|---|---|---|
| Document title | Unique identifier for the document | Incident Management Policy |
| Document number | Reference code for the document register | POL-001 |
| Version number | Identifies which iteration this is | Version 2.1 |
| Effective date | Date from which this version applies | 1 March 2026 |
| Review date | Date by which the document must be reviewed | 28 February 2027 |
| Approved by | Name and role of the approving authority | Jane Smith, CEO |
| NDIS Practice Standard | Links the document to the relevant standard | Core Module Outcome 2.4 |
| Related documents | Cross-references linked policies or forms | Incident Report Form (F-001) |
The document number convention you choose does not matter as much as the consistency with which you apply it. A simple prefix system works well for small providers: POL for policies, PRO for procedures, FOR for forms, REG for registers, GUI for guides. Sequential numbering within each category (POL-001 through POL-025) gives you a logical filing structure that maps directly to your Document Control Register.
Version numbering convention
The most auditor-friendly version numbering system uses a two-part numeric format:
- 1.0 — Initial approved version
- 1.1, 1.2, 1.3 — Minor amendments (typographical corrections, updated contact details, clarifying language without changing the substance of the policy)
- 2.0 — Major revision (policy position changes, new legislative requirements incorporated, significant rewrites)
Some providers prefer a date-stamped approach (V1-2026-03) which makes the chronology immediately obvious. Either system is acceptable provided it is applied consistently and every version is recorded in your Document Control Register.
What your Document Control Register must include
Your Document Control Register is the master index of every controlled document your organisation holds. It is the first thing many auditors will request, because a complete, current register demonstrates that your document management system is actively maintained rather than assembled just before the audit.
A compliant Document Control Register should capture the following information for each document:
- Document number (e.g., POL-001)
- Document title
- Document type (Policy / Procedure / Form / Register / Guide)
- Current version number
- Effective date of current version
- Scheduled review date
- Document owner (the role responsible for keeping it current)
- Approving authority
- NDIS Practice Standard outcome it addresses
- Location where the document is stored and accessed
- Status (Active / Under Review / Superseded / Archived)
The register should also include a version history for each document — recording when each prior version was effective, who approved it, and why it was revised. This version history is what allows you to produce a superseded document if an auditor asks to see what your policy said during a particular period — for example, when investigating an incident that occurred 18 months ago.
Document Control Register — Ready to Use
The SIL Rescue Kit includes a pre-built Document Control Register (Register 48) populated with all 65 documents in the kit. Every policy, form, and guide is already numbered, dated, and mapped to the relevant Practice Standard outcome.
Get the SIL Rescue Kit — $297Review cycle requirements by document type
The NDIS Practice Standards do not prescribe specific review intervals for every document type, but the NDIS Commission's auditor guidance and general quality management principles establish clear expectations. Most approved quality auditors (AQAs) will assess whether your review cycle is appropriate for the risk level of each document.
| Document type | Recommended review cycle | Trigger for earlier review |
|---|---|---|
| Policies | Annual (every 12 months) | Legislative change, Practice Standards update, significant incident, audit finding |
| Procedures | Annual (every 12 months) | Change in how supports are delivered, staffing changes, new equipment or technology |
| Forms and templates | Every two years | Policy changes that affect what the form captures, legislative updates |
| Registers | Ongoing (live documents) | N/A — registers are updated as events occur, not reviewed on a schedule |
| Position descriptions | Every two years or when a role changes significantly | Award changes, new qualifications required, restructure |
| Service agreements | Annual or at each plan review | Participant's NDIS plan is reviewed, supports change, fee schedule updates |
Annual reviews do not always mean rewriting a policy. A review can conclude that no changes are needed — but the review itself must be documented. Record the date of review, the name of the person who conducted it, and the outcome (no changes / minor amendments / major revision). Update the version number and effective date accordingly, even if the content is unchanged.
Scheduling your review programme
The most practical approach for small providers is to stagger policy reviews across the year rather than attempting to review all documents simultaneously. Divide your policy library into four groups and assign each group a quarter:
- Q1 (January–March): Governance, HR, and risk management policies
- Q2 (April–June): Support delivery and practice standards policies
- Q3 (July–September): Safety, environment, and infection control policies
- Q4 (October–December): Complaints, incidents, and quality improvement policies
This staggered approach prevents review bottlenecks, distributes the workload across the year, and ensures that no policy goes more than 12 months without a documented review.
Staff access and acknowledgement
Having current, approved policies is only half the battle. Auditors will also assess whether staff have actually read those policies and understand their obligations. This is Quality Indicator 2.6 territory (Human Resource Management) but it intersects directly with document control: your system for notifying staff of policy updates is part of your information management framework.
Induction acknowledgement
At induction, every new worker should sign a Code of Conduct Acknowledgement that confirms they have received, read, and understood the organisation's policies and procedures. This acknowledgement should list the specific documents provided, with a space for the worker's signature and the date. Store these signed acknowledgements in each worker's personnel file.
Policy update notification
When a policy is revised, your system for notifying workers must be documented and followed. Options include:
- Email notification with the updated document attached, requiring a reply to confirm receipt
- A shared drive update with a notification to all staff and a log of who accessed the document
- Team meeting agenda item with attendance and discussion recorded in the meeting minutes
- A fresh written acknowledgement for major revisions (signature on the policy update notification form)
For minor amendments (version 1.0 to 1.1), email notification with a brief summary of what changed is generally sufficient. For major revisions (version 1.0 to 2.0) — particularly those that change how staff deliver supports, handle incidents, or administer medication — a written re-acknowledgement is best practice and will be expected by auditors reviewing high-risk policy areas.
What to record in your Training Register
Your Training Register (or a dedicated Policy Acknowledgement Register) should capture:
- Worker name
- Document title and version number
- Date acknowledgement was received
- Method (signed form, email confirmation, training session)
When an auditor asks "can you show me that your staff know your incident management process?", a Training Register showing every worker's acknowledgement of the current version of your Incident Management Policy is the correct answer.
Electronic vs paper document management
Both electronic and paper-based document management systems are acceptable under the NDIS Practice Standards, provided the system is reliable, accessible, and maintains version integrity. In practice, most small providers use a combination — electronic master copies with paper-based forms completed in the field.
Electronic systems
Electronic document management offers significant advantages for NDIS compliance: version control is automatic, distribution is instant, and access logs provide evidence that staff have opened documents. Common approaches for small providers include:
- Shared cloud folders (Google Drive, SharePoint, Dropbox): Low cost, easy to implement, accessible from any device. Use a clear folder structure and ensure only the current version is in the accessible folder — move superseded versions to an archive subfolder.
- Intranet or staff portal: More structured than a shared folder. Allows you to set permissions, track document access, and push notifications when documents are updated.
- Practice management software: Some NDIS-specific platforms include document libraries. Check whether the platform maintains version history and generates access logs before committing to this approach.
Paper systems
If you use a paper-based system, the key requirements are:
- Maintain a single master copy of each document (clearly marked as the master)
- Control the distribution of copies (record who received what, when)
- Physically destroy or mark as "superseded" any copies of old versions when a policy is updated
- Store superseded versions securely (not accessible to staff as working documents)
Pure paper systems are increasingly difficult to defend to auditors because they cannot easily demonstrate that staff are using the current version. If you are using paper, consider at minimum a hybrid approach where the master policy library is electronic and paper is used only for forms completion.
How to handle policy updates mid-year
Circumstances requiring a mid-cycle policy update are common — a change to the NDIS (Provider Registration and Practice Standards) Rules, a significant incident, a complaint that reveals a gap in your procedures, or an audit finding. When this happens outside your scheduled review programme, follow this process:
- Draft the amendment: Identify the specific change needed and draft the amended sections. Use track changes or clearly mark amendments for the approver's review.
- Obtain approval: Route the draft to the designated approving authority (typically the CEO or Practice Manager). Record the approval date.
- Increment the version number: A substantive change mid-cycle warrants at least a minor version increment (e.g., 1.0 to 1.1). If the change is fundamental, a major version is appropriate (1.0 to 2.0).
- Update the effective date: The new effective date is the date from which staff are expected to follow the revised policy — typically the date of approval or a specified date shortly after (allowing time to notify staff).
- Update the Document Control Register: Record the new version, effective date, reason for amendment, and approving authority in the register.
- Archive the superseded version: Move the previous version to your archive with a clear "superseded" marking. Do not delete it — you may need it for audit purposes.
- Notify staff: Distribute the updated document through your established notification process and record acknowledgements.
- Update the review date: The revised document's next scheduled review date should be 12 months from the new effective date.
Document this process itself in a Policy Update or Document Amendment Procedure. Auditors want to see that your mid-cycle updates follow the same controlled process as scheduled reviews — not that they happen ad hoc without oversight.
What auditors check: common non-conformances
Document control non-conformances appear in a significant proportion of NDIS certification audit reports. Understanding what auditors actually examine helps you prepare targeted evidence rather than producing documents in a panic.
Most common document control non-conformances
| Non-conformance finding | Root cause | How to prevent it |
|---|---|---|
| Policies with no version number or effective date | Documents created without a standard template | Use a consistent document control box on every controlled document |
| Review date has passed with no documented review | No review schedule or no process to trigger reviews | Use a calendar reminder system and document every review outcome |
| Multiple versions of the same policy accessible to staff | Old versions not archived when new version published | Archive superseded versions immediately; communicate the update to all staff |
| No evidence staff have read updated policies | No acknowledgement process for policy updates | Implement a policy acknowledgement form and record in Training Register |
| Document Control Register incomplete or not maintained | Register created for the audit but not kept current | Designate a document controller responsible for maintaining the register |
| Policies reference superseded legislation | Policies copied from old templates without updating references | Check all legislation references at each annual review |
The auditor's document review process
During a certification audit, your auditor will typically:
- Request your Document Control Register to see the full list of documents
- Select a sample of documents (often 5–10) to examine in detail
- Check that each sampled document has a current version number, effective date, review date, and approval authority
- Cross-reference the Document Control Register entry against the actual document
- Ask to see evidence that staff have been notified of recent policy updates
- Check that superseded versions are archived and not accessible as working documents
The auditor may also interview workers to assess their knowledge of specific policies. If a support worker cannot explain your incident reporting procedure, that is evidence that your document distribution and training process is not effective — which can escalate from a minor non-conformance to a major one.
Document retention: how long to keep superseded versions
Record retention for NDIS providers is governed by a combination of Commonwealth legislation (including the NDIS Act 2013 and related Rules) and state/territory laws. The key retention periods you need to know are:
| Record type | Minimum retention period | Notes |
|---|---|---|
| Participant support records | 7 years from last service | For participants under 18, until age 25 or 7 years, whichever is longer |
| Incident and complaint records | 7 years from date of record | Must include all correspondence and outcomes |
| Superseded policy versions | 7 years from supersession date | Auditors may need to determine what policy applied at the time of a historical incident |
| Worker records (screening, training) | 7 years from end of employment | Includes worker screening check results, training certificates |
| Financial records | 7 years (ATO/ASIC requirement) | Participant billing, invoices, financial statements |
| Participant consents | 7 years from last service | Consent to collect/share information, service agreements |
For superseded policies specifically, the 7-year retention period is important because a provider may face a complaint or investigation years after an incident. Being able to produce the version of your policy that was in force at the time of the incident is critical evidence. Mark superseded documents clearly ("SUPERSEDED — Effective [date] to [date]") and store them in a secure archive separate from your current policy library.
Disposal of records
When records reach the end of their retention period, dispose of them in a way that protects participant and worker privacy. For paper records, use a cross-cut shredder or a document destruction service. For electronic records, ensure files are permanently deleted (not just moved to a recycling bin) and that backups are also purged. Document the disposal itself — a simple record of what was destroyed, when, and by whom satisfies privacy obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Do not dispose of any records relating to a participant while they are still receiving services, or if you have any reason to believe a complaint or investigation may arise. When in doubt, retain the record.
A well-implemented document control system is not just about audit compliance — it is the foundation of a well-run organisation. When your team knows where to find the current policy, when they last read it, and when it was last reviewed, they operate with confidence. That confidence translates directly into better support for participants. The administrative investment in good document control is modest; the cost of getting it wrong — delayed certification, compliance notices, or worse — is not.
If you are a SIL provider preparing for your certification audit, the SIL Rescue Kit provides 65 audit-ready documents including a pre-built Document Control Register that maps every policy, form, and register to the relevant NDIS Practice Standard. For day-to-day compliance support, the free Notes Rewriter tool helps your support workers write shift notes that meet NDIS documentation standards.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.