What is the difference between a reportable incident and an internal incident for NDIS providers?

A reportable incident is defined in the NDIS Act and includes participant death, serious injury, abuse, neglect, and unauthorised use of restrictive practices — these must be notified to the NDIS Commission within set timeframes. An internal incident is any other adverse or near-miss event your organisation captures in its register for quality and safety purposes, even if Commission notification is not required.

How long must NDIS providers keep incident register records?

The NDIS Commission's requirements align with the broader principle that records must be retained long enough to support audit, complaint investigation, and participant rights. Most providers operate on a minimum seven-year retention period for participant-related records, though you should confirm this against your state or territory privacy and health records legislation.

Do SIL providers need a separate incident register for restrictive practices?

Not necessarily a separate register, but restrictive practice incidents must be clearly identifiable within your incident register and linked to Behaviour Support Plan review and NDIS Commission notification. Auditors will look for a way to filter or extract RP-related incidents to verify compliance with the regulated restrictive practices framework.

What is the initial notification timeframe for reportable incidents under the NDIS?

For the most serious reportable incidents — including death and serious injury — providers must submit an initial notification to the NDIS Commission as soon as practicable and no later than 24 hours after becoming aware. A full written report must follow within the timeframe specified by the Commission, which varies by incident type.

Can an incident register be electronic, or does it need to be paper-based?

Electronic registers are acceptable and are generally preferred because they support date-stamping, access control, and trend reporting. The key requirement is that the register is retrievable, tamper-evident, and available for auditors to inspect. Cloud-based incident management software, spreadsheets, and purpose-built compliance platforms are all used by registered providers.

What triggers a major non-conformance finding in incident management during an NDIS audit?

Common triggers for a major non-conformance include: failure to notify the NDIS Commission of reportable incidents, no documented investigation process, a pattern of incidents with no corrective action, and evidence that the incident management system is not implemented in practice. Major non-conformances can result in conditions on your NDIS registration.

NDIS Incident Register: What Auditors Look For in 2026

Why the Incident Register Is a Priority Audit Document

For Supported Independent Living (SIL) providers and registered NDIS organisations, the incident register is one of the first documents an approved quality auditor requests. It functions as the primary evidence base for your organisation's commitment to participant safety, transparent reporting, and continuous improvement — all of which sit at the heart of the NDIS Practice Standards and the strengthened 2026 registration framework.

An incomplete or poorly maintained register does not just create an audit finding. It signals systemic risk to participants, which auditors treat as a significant non-conformance under the Core Module on Incident Management.

What the NDIS Practice Standards Require

The NDIS Practice Standards (Quality Indicators) require registered providers to maintain a documented incident management system. For SIL and other higher-risk registration groups, this includes:

A written incident management policy and procedure
A register that captures all incidents — both reportable incidents (notified to the NDIS Commission) and internal incidents
Timely internal reporting, escalation pathways, and investigation processes
Evidence that corrective and preventive actions were implemented and closed out
Regular management review of incident trends

The strengthened Practice Standards framework, progressively implemented from 2024–2026, places heightened emphasis on participant outcomes and demonstrable safety culture. Auditors now look beyond procedural compliance toward evidence that the system actually drives improvement.

Exactly What Auditors Examine: Field by Field

When an approved quality auditor opens your incident register, they work through a structured checklist. The following are the specific elements auditors verify against the Practice Standards quality indicators.

1. Incident Identification Fields

Unique incident reference number — each record must be individually identifiable
Date and time of the incident
Date and time the incident was first reported internally — auditors calculate whether internal reporting met your own policy timeframe
Location — site, address, or "in community"
Participant identifier (de-identified or initials where the register is a shared document)
Category of incident — e.g. injury, medication error, missing person, unauthorised restrictive practice
Incident description — factual narrative of what happened, not conclusions

2. Reportable Incident Classification

Auditors cross-reference the register against your NDIS Commission portal submissions. They verify that every incident classified as a reportable incident under section 73Z of the National Disability Insurance Scheme Act 2013 (including death, serious injury, abuse, neglect, or unauthorised use of a restrictive practice) was notified to the NDIS Commission within the required timeframes — an initial notification within 24 hours for the most serious incidents, with a detailed written report to follow.

A common audit finding is where the register shows an incident that meets the definition of a reportable incident, but no corresponding Commission notification exists. This is treated as a direct non-conformance.

3. Investigation Documentation

Who conducted the investigation and their role
Date the investigation commenced and concluded
Root cause or contributing factors identified
Whether the participant (and their nominated representative) was informed and involved
Whether police, safeguarding, or other external bodies were notified where applicable

4. Corrective and Preventive Actions (CAPAs)

This is where many SIL providers lose points. Auditors look for:

Specific actions assigned — not generic statements like "staff will be reminded"
Named responsible person for each action
Due date
Completion date and evidence of closure (e.g. training record, policy update, supervision note)
Whether the CAPA was reviewed to confirm it was effective

5. Management Review and Trend Analysis

Auditors look for evidence that management regularly reviews aggregated incident data — typically through meeting minutes, quality committee reports, or documented management reviews. The register should feed a visible improvement loop, not sit as a static log. Providers operating SIL houses should be able to show analysis by incident type, location, support worker, time of day, or participant — demonstrating the organisation is using data to prevent recurrence.

Common Non-Conformances Found During NDIS Audits

Non-Conformance	Root Cause	Fix
Incident recorded but no Commission notification submitted	Staff unclear on reportable incident definition	Decision flowchart in incident policy + quarterly register cross-check
CAPA recorded as "complete" with no evidence	No closure procedure	Require supporting document attachment before status can change to closed
Delay between incident and internal report exceeds policy timeframe	After-hours escalation pathway unclear	On-call manager protocol documented and tested in drills
Participant not informed of incident outcome	No step in procedure requiring participant communication	Add mandatory "participant/representative notified" field with date
Register not reviewed at management level	No meeting agenda item or quality committee	Monthly standing agenda item; minutes retained
Restrictive practice incidents not separately flagged	Register template does not distinguish RP incidents	Add RP category and link to Behaviour Support Plan review workflow

Restrictive Practices: A Register Within a Register

For SIL providers, any unauthorised or unplanned use of a restrictive practice must be captured as a reportable incident. Auditors specifically look for a clear trail from the incident record through to Behaviour Support Plan (BSP) review, NDIS Commission notification, and — where the practice is regulated — confirmation that the required consent or authorisation exists. The absence of a separate restrictive-practice column or sub-register is a recurring audit gap.

Sample Register Fields: A Practical Template Structure

The following fields represent a minimum-viable incident register structure that maps to the Practice Standards quality indicators. Your register may be digital (spreadsheet, incident management software) or paper-based, but must be retrievable and auditable.

Incident ID
Date/time of incident
Date/time of internal report
Participant identifier
Site/location
Category (injury / medication / missing person / abuse / neglect / RP / other)
Reportable incident? (Yes / No / Under review)
NDIS Commission notification date (if applicable)
Description of incident
Immediate actions taken
Investigating officer and date assigned
Investigation completion date
Root cause / contributing factors
Participant / representative notified (date)
CAPA 1, 2, 3 — action / responsible person / due date / completion date / evidence
Closed date and authorising manager
Management review date

Preparing Your Register for Audit

In the weeks before a certification or verification audit, run an internal audit of your incident register using the same lens an approved quality auditor would apply:

Pull every incident from the past 12 months and check for completeness against each field above
Cross-reference reportable incidents against Commission portal submissions — verify dates and incident IDs match
Confirm every open CAPA has a due date and responsible person
Collect evidence documents for closed CAPAs and attach them to the record
Print or export management review minutes that reference incident data
Confirm staff training records show incident management induction for all support workers

If your organisation uses the ndiscompliant.com.au 74-document audit-ready SIL compliance kit, the incident register template and accompanying CAPA tracker are pre-formatted to these exact auditor expectations — saving significant setup time.

What Happens When Auditors Find Gaps

Non-conformances in incident management are graded by severity. A missing field on a low-risk internal incident may be a minor finding with a corrective action timeframe. Failure to notify the NDIS Commission of a reportable incident, or evidence of a pattern of missed notifications, can escalate to a major non-conformance, potentially triggering conditions on your registration or referral to the NDIS Commission's compliance team. Under the strengthened 2026 framework, the Commission has increased its focus on proactive compliance monitoring, meaning gaps that once passed unnoticed are now more likely to be identified.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.