Why plan management providers face heightened compliance obligations in 2026
Plan management is one of the NDIS's most operationally sensitive provider types. Because plan managers hold direct access to participants' funded budgets — processing invoices, tracking expenditure, and advising on support choices — the NDIS Commission treats them as a higher-accountability registration group. The 2026 strengthening of the NDIS Practice Standards has sharpened the audit scrutiny applied to this group, with renewed emphasis on genuine implementation rather than policy documents that exist only on paper.
If you are registering as a plan management provider for the first time, renewing your registration, or preparing for a re-audit, this guide walks through the core policies and procedures your organisation must have in place — what they need to cover, how they should be structured, and the most common gaps auditors find.
Registration requirements for plan management providers
Plan management sits under its own NDIS registration group. To be registered, providers must meet the relevant modules of the NDIS Practice Standards and undergo an audit conducted by an approved quality auditor. Depending on your organisation's size and complexity, that audit will be either a verification audit or a certification audit. Most plan management organisations above a small sole-trader threshold fall into certification, which involves a more thorough document and evidence review.
The Practice Standards modules most directly applicable to plan management providers include the Core Module and the Plan Management Supplementary Module. Together they set the mandatory outcomes your policies must support.
The essential policies and procedures every plan management provider needs
The list below reflects requirements drawn from the NDIS Practice Standards, the NDIS Code of Conduct, and the broader legislative framework under the National Disability Insurance Scheme Act 2013. Each policy must be more than a written document — auditors expect staff training records, version control, and evidence of actual use.
1. Financial management and invoicing policy
This is the cornerstone document for plan managers. It must describe:
- How invoices are received, verified against the participant's plan budget, and processed
- Timeframes for processing payments to service providers
- How you ensure claims are made only for supports that are reasonable and necessary under the participant's plan
- Processes for identifying and acting on invoices that appear incorrect, duplicate, or potentially fraudulent
- How budget tracking information is communicated to participants on a regular basis
The NDIS Commission has signalled that financial governance documentation will receive close scrutiny under the 2026 framework, particularly in relation to fraud prevention and participant transparency.
2. Participant choice and control policy
Plan managers occupy a unique position: they are funded to support participant choice, not to direct it. Your policy must articulate how your organisation actively preserves and promotes participants' rights to choose their own supports and service providers, including providers who are not registered with the NDIS Commission. It must also document how staff avoid steering participants toward particular providers — which connects directly to the conflict of interest requirements below.
3. Conflict of interest policy
This is one of the most commonly cited gaps in plan management audits. The policy must:
- Define what constitutes a conflict of interest in the plan management context (including financial relationships between your organisation and service providers)
- Require staff and directors to declare conflicts
- Set out how declared conflicts are managed and recorded
- Prohibit the plan manager from directing participants toward providers in which the organisation has a financial interest without full, informed disclosure
4. Complaints management policy and procedure
Under the NDIS Practice Standards, all registered providers must have a documented complaints management system. For plan managers this must include:
- How participants and their representatives can lodge a complaint (multiple accessible channels)
- Timeframes for acknowledging and resolving complaints
- How complaints are recorded, investigated, and closed
- How outcomes are fed back to complainants
- Escalation to the NDIS Commission where required
5. Incident management policy and procedure
Plan managers must have a documented incident management system that aligns with the NDIS Commission's incident management requirements. This includes identifying what constitutes a reportable incident, internal reporting timeframes, and the obligation to notify the NDIS Commission of certain incident types within the legislatively mandated windows. Staff must be trained on what to report and how.
6. Privacy and information management policy
Plan managers handle sensitive financial and personal information about participants. Your privacy policy must address obligations under the Privacy Act 1988 (Cth), including the Australian Privacy Principles, as well as NDIS-specific information-sharing obligations. Document how participant data is stored, who can access it, how long it is retained, and how breaches are identified and responded to.
7. Worker screening and human resources policy
All workers in plan management roles who have more than incidental contact with participants must hold a current NDIS Worker Screening Check. Your HR policy must document the pre-employment checks required, how clearances are verified and monitored, and what happens when a worker's clearance status changes.
8. Code of Conduct compliance policy
The NDIS Code of Conduct applies to all registered providers and their workers. Your policy should make explicit how the organisation ensures workers understand and comply with each element of the Code, including obligations around acting with integrity, respecting participant privacy, and reporting concerns about the conduct of others.
Step-by-step: building an audit-ready policy framework
- Map the standards to your operations. Work through the Plan Management Supplementary Module and the Core Module of the Practice Standards. For each outcome, identify which internal process or document addresses it.
- Draft or update each policy. Use plain language. Each policy should state its purpose, scope, the specific procedures staff must follow, roles and responsibilities, and how compliance is monitored.
- Align your procedures with the policy. Policies describe what you do; procedures describe how. Both layers must exist and must be consistent with each other.
- Version control and approval. Every document must carry an approval date, a review date (typically annual), and the name or role of the approving authority. Auditors check this.
- Train your staff. Hold training sessions and keep attendance records. Auditors will ask for evidence that workers have read and understood key policies — not just that the documents exist.
- Build your evidence folder. For each policy, collect real evidence of implementation: complaint logs, incident registers, budget reports sent to participants, conflict of interest declarations, worker screening records.
- Conduct an internal audit before your external audit. Use the NDIS Commission's self-assessment tools and run a gap analysis against the Practice Standards modules at least three months before your audit date.
A sample excerpt: financial management policy statement
| Policy element | Example statement |
|---|---|
| Invoice verification | All invoices received from service providers are checked against the participant's current NDIS plan, confirmed supports, and available budget before a claim is submitted to the NDIS portal. |
| Processing timeframe | Verified invoices are processed and payment initiated within five business days of receipt, unless additional verification is required. |
| Budget reporting | Participants receive a budget statement at least monthly, showing expenditure to date, remaining funds by support category, and any invoices currently under review. |
| Suspicious invoices | Where an invoice cannot be matched to an agreed support or appears inconsistent with the participant's known circumstances, it is flagged and held pending clarification with the participant before processing. |
Common non-conformances auditors find in plan management organisations
- Conflict of interest policy exists but declarations are never collected. The register is blank; staff have never been asked to complete one.
- Complaints log is empty. Organisations claim no complaints have been received, but no system exists to capture them. Auditors treat an empty log with no supporting process as a non-conformance.
- Budget reporting is ad hoc. Participants receive updates only when they ask, rather than on a regular scheduled basis as the policy states.
- Policies have never been reviewed. Documents carry an approval date from the original registration period with no evidence of subsequent review.
- Worker screening is incomplete. One or more staff members are performing plan management functions without a current clearance on file.
Getting your documentation right before the audit
The 2026 framework expects plan management providers to demonstrate a living compliance culture, not a filing cabinet of unread PDFs. If your organisation is building its compliance library from scratch or auditing what it already has, a structured document kit calibrated to the current Practice Standards saves significant time. The ndiscompliant.com.au 74-document audit-ready SIL compliance kit covers the full range of NDIS Practice Standards policies and can be adapted to plan management contexts — worth reviewing alongside the Commission's own self-assessment tools.
Begin your audit preparation early, map every policy to its corresponding Practice Standards outcome, and make sure your evidence of implementation is as strong as the documents themselves.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.