Why Governance Is the Lens Through Which Everything Else Is Judged
When an approved quality auditor walks through your organisation's records, they are not simply ticking boxes. They are asking one underlying question: does this provider's leadership genuinely control the quality and safety of what is happening on the ground? Governance is the mechanism through which that control is exercised. If the governance framework is weak, every other system — incident management, risk, complaints, restrictive practices — becomes suspect, regardless of how well written individual policies may be.
With mandatory registration expanding under the strengthened NDIS Practice Standards framework, which takes effect progressively from 2026, SIL (Supported Independent Living) and disability-support providers face intensified scrutiny. Understanding precisely what auditors are looking for allows you to build a governance structure that passes audit on substance, not just on the day.
The Four Pillars Auditors Always Examine
1. Accountability Structures and Board or Leadership Oversight
Auditors begin by mapping who is responsible for what. They will request your organisational chart, your instrument of delegation, and your board or governance committee meeting minutes. They want to see that:
- Governing body members have clearly documented roles and responsibilities under the NDIS Practice Standards (Support Item 1: Governance and Operational Management).
- Leadership meets regularly and that minutes record substantive discussion of quality and safety outcomes — not merely financial or administrative matters.
- There is a named person with clear authority and accountability for NDIS compliance at the executive level.
- Conflicts of interest are disclosed and managed through a documented, enforced process.
A common non-conformance is governance documentation that exists in isolation from practice. Auditors will cross-reference what board minutes record against what staff can articulate and against what actually occurred in incidents or complaints.
2. Risk Management Systems
The NDIS Practice Standards require providers to implement a risk management framework proportionate to the scale and complexity of their supports. For SIL providers, this carries particular weight given the continuous and residential nature of care.
Auditors will look for:
- A documented risk register that is actively reviewed — not a static document created at registration and never updated.
- Evidence that environmental and participant-specific risks are identified, rated, and mitigated with named owners and review dates.
- A clear link between the risk register and the governance body — risks above a defined threshold should be escalated to leadership and reflected in meeting records.
- Business continuity and emergency management plans that are tested and known to staff.
Auditors pay particular attention to whether risk management is proactive or purely reactive. A provider who can only identify risks in hindsight — through incident reviews — will be found to have an inadequate system.
3. Incident Management and Mandatory Reporting
Under the NDIS (Incident Management and Reportable Incidents) Rules, providers must have a compliant incident management system and must report certain categories of incidents to the NDIS Commission within defined timeframes. Auditors verify both the system design and its actual operation.
What auditors check in your incident system:
- Written policies that clearly define what constitutes a reportable incident and what constitutes an internal incident.
- A log of all incidents recorded over the audit period — not just those that were reported to the Commission.
- Evidence of timely notification to the Commission for reportable incidents (the specific timeframes are set out in the Incident Rules and vary by incident type).
- Root-cause analysis or post-incident review records that demonstrate learning and corrective action.
- Governance oversight — board or senior management review of incident data and trends, not just individual events.
A high-risk finding at audit is an incident log that shows a significant gap between the number of incidents recorded and the number reported. Auditors are trained to identify patterns suggesting underreporting, particularly for incidents involving restrictive practices or abuse.
4. Complaints Management
The NDIS Code of Conduct and Practice Standards both require providers to have an accessible, responsive complaints system. Auditors are not only checking that the system exists — they are checking that participants actually know about it and that outcomes are tracked and fed back into quality improvement.
Key evidence auditors request:
- Your complaints policy and procedure, including how participants are informed of their right to complain to the NDIS Commission directly.
- A complaints register covering the audit period, with resolution times and outcomes recorded.
- Evidence that complaints have influenced practice — for example, a complaint that triggered a policy revision or a staff training response.
- Complaints information provided to participants in an easy-to-read or other accessible format.
Strengthened Standards: What Has Changed for 2026
The strengthened NDIS Practice Standards introduce more explicit expectations around participant voice in governance, worker screening oversight, and the management of behaviour support and restrictive practices at the governance level.
For SIL providers specifically, auditors are now examining whether:
- Behaviour support plans and any use of regulated restrictive practices have senior leadership visibility and are subject to periodic governance review — not just managed at a clinical or support coordination level.
- The provider can demonstrate how participant feedback and outcomes data flow into governance decision-making.
- Worker screening obligations are tracked centrally and there is a governance-level process to identify and respond to any lapse in clearance status.
Common Non-Conformances Found at SIL Audits
| Non-Conformance | What the Auditor Finds | The Fix |
|---|---|---|
| Governance documents not current | Policies reference superseded legislation or old Commission rules | Annual policy review schedule with sign-off records |
| Board minutes lack substance | Minutes show attendance and financial reports only | Standing agenda items for quality, safety, incidents and complaints |
| Risk register is static | One register created at registration, never revised | Quarterly risk register review with version history |
| Incident underreporting | Internal log has many more incidents than Commission reports | Decision matrix defining reportable categories; staff training |
| Complaints system not accessible | No easy-read or translated complaints information | Accessible format collateral in participant folders and entry areas |
| Restrictive practices not at governance level | Restrictive practices (RP) register held by one coordinator with no leadership oversight | Monthly RP register presented to senior management; board notified of new or ongoing authorised practices |
Practical Steps to Prepare Your Governance Framework for Audit
- Map your governance documents against the Practice Standards. Each Standard should be traceable to at least one policy, a responsible person, and a review date.
- Audit your incident log. Compare every internal incident record against your Commission notification log. Investigate any gaps before the auditor does.
- Review your last six months of board or governance meeting minutes. If quality and safety are not standing agenda items, add them now and generate at least two prior meetings' worth of records that demonstrate the discussion.
- Test your complaints system with staff. Ask frontline workers what they would do if a participant wanted to make a complaint. If they cannot answer clearly, your system has a training and communication gap.
- Bring your risk register current. Convene a risk review session, update ratings, assign owners, and document the session. Date-stamp all changes.
- Check worker screening status centrally. Run a report to confirm every current worker and volunteer holds a valid NDIS Worker Screening clearance, and document this check.
- Prepare your governance folder for the auditor. This should include your constitution or trust deed, board member register, delegation instrument, conflict of interest register, current policy list with version dates, and the last 12 months of governance meeting minutes.
Building Governance That Holds Up Under Scrutiny
The difference between providers that pass audit comfortably and those that receive non-conformances is almost always the same: the high performers have governance that is lived, not just documented. Senior leaders can speak to their quality data. Staff know the complaints process. Incident trends appear in board reports. Policies are version-controlled and reviewed on a schedule that is itself documented.
If you are preparing for your first certification audit or an upcoming renewal, the ndiscompliant.com.au 74-document audit-ready SIL compliance kit covers the full governance document suite — policies, registers, templates and board reporting tools — structured to align with both current and strengthened Practice Standards requirements.
Governance is not a one-time exercise. Auditors are evaluating a system in operation. The strongest evidence you can present is a consistent, dated record of a governance body that takes its NDIS obligations seriously every month — not just in the weeks before an audit.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.