Most small providers we talk to come in with one of two starting positions. They either have nothing — a few Word documents copied from a friend's organisation — or they have too much: a 400-page operations manual that was photocopied from a defunct provider and that nobody on the team has read. Both fail the same audit, for the same reason: the documents don't map cleanly to NDIS Practice Standards Outcomes, and an auditor cannot tell where Outcome 2.4 (Incident Management) is actually addressed.
This article gives you the working checklist we use: 25 policies, organised by the four Core Module divisions, with a brief on what each one needs to cover. If you want the broader registration picture first, our SIL provider registration guide walks through the 7-step Commission process; this article zooms into the documentation layer specifically.
Why 25 policies, not 5 or 50
There is no number mandated by the NDIS Commission. Some providers we've audited internally had 12 broad omnibus policies — and were marked non-conformant because the auditor couldn't find Outcome 2.4 inside the "Operations Manual." Others had 90 micro-policies, which produced version-control hell and a manager who couldn't say what was in any of them. 25 is the working number we landed on because:
- Every Practice Standard Outcome gets coverage. Auditors map your documents to the Outcomes, not the other way around. 25 policies give you one-to-one coverage for each Outcome, plus a few discrete docs (privacy, code of conduct, restrictive practices) that pull weight across multiple Outcomes.
- Each document is short enough to be read. 6-10 pages per policy is the sweet spot. Anything longer and staff don't actually read it; anything shorter and the auditor flags it as inadequate.
- Version control stays sane. 25 documents means roughly one annual policy review per fortnight if you space them evenly. 50+ policies and the review cycle becomes a second job.
Core Module 1 policies (Rights & Responsibilities)
This module covers how participants experience your service as people, not as line items. Five policies plus a participant rights statement.
| Policy | What it must cover |
|---|---|
| Person-Centred Supports | How participant goals drive your support delivery (Outcome 1.1) |
| Cultural Safety | Aboriginal & Torres Strait Islander participants, CALD participants, LGBTQI+ inclusion (Outcome 1.2) |
| Privacy & Confidentiality | Australian Privacy Principles (APP) application, participant records handling (Outcome 1.3) |
| Independence & Informed Choice | Decision-making support, dignity-of-risk framework (Outcome 1.4) |
| Safeguarding (VANED) | Violence, abuse, neglect, exploitation & discrimination prevention (Outcome 1.5) |
| Complaints & Feedback | How participants raise concerns, escalation pathway to NDIS Commission (Outcome 1.5) |
The most-flagged failure here is the cultural safety policy reading as a single paragraph. Auditors want concrete practice: how a CALD participant's interpreter access is funded, how an Aboriginal participant's family yarning circle is integrated into support planning. Our cultural safety policy guide has the practical version of what this looks like.
Core Module 2 policies (Governance & Operations)
This is the heaviest division — six policies plus the operational backbone documents. Auditors spend the largest single chunk of audit time here.
| Policy | What it must cover |
|---|---|
| Governance Framework | Key personnel, board/committee structure, conflict of interest (Outcome 2.1) |
| Risk Management | Risk identification, treatment, register maintenance, SIL-specific risks (Outcome 2.2) |
| Emergency & Disaster Management | Fire, flood, pandemic, participant medical emergency, site-specific evacuation (Outcome 2.2) |
| Quality Management & Continuous Improvement | Internal audit programme, CI register, audit cycle (Outcome 2.3) |
| Information Management | Records retention, data breach response, cloud system use (Outcome 2.4) |
| Incident Management | Reportable incidents, internal incidents, NDIS Commission notifications under Section 73Z (Outcome 2.4) |
| Financial Management | Pricing, claims accuracy, participant fund handling (Outcome 2.5) |
| Human Resources | Recruitment, supervision, performance management framework (Outcome 2.6) |
| Recruitment & Selection | Worker screening pre-employment process, reference checks (Outcome 2.6) |
| Worker Screening | NDIS Worker Screening Check management, register maintenance, expiry tracking (Outcome 2.6) |
| Supervision | Frequency, documentation, performance review cycle (Outcome 2.6) |
| Work Health & Safety | WHS Act compliance, manual handling, lone-worker risk (Outcome 2.6) |
The two policies we see causing the most non-conformances are Risk Management and Quality Management. Risk registers that haven't been touched in 12 months get flagged immediately; internal audit policies with zero internal audits ever conducted get flagged within minutes. Our risk management policy guide and continuous improvement policy guide walk through what "actually used" looks like for both.
Core Module 3 policies (Provision of Supports)
Four policies covering the operational interaction between you and participants.
| Policy | What it must cover |
|---|---|
| Access to Supports | Intake, eligibility check, service-entry process (Outcome 3.1) |
| Support Delivery | Service agreement use, shift handover, progress notes standards (Outcome 3.2) |
| Person-Centred Support Planning | Goal-linked planning, participant involvement in plan review (Outcome 3.2) |
| Transition Policy | Service exit, transfer to another provider, end-of-service planning (Outcome 3.4) |
The Support Delivery policy is where the policy-practice gap shows up most. Your policy says shift notes are written within 24 hours; the auditor pulls a random shift and finds the notes 4 days late. The fix is operational, not documentary — but the documentation has to match the operational reality.
Skip the policy-from-scratch grind
The Complete SIL Kit ships with all 25 policies pre-mapped to Practice Standards Outcomes, plus the 25 forms and 10 registers that turn them into audit evidence. $297 early bird. 30-day guarantee.
See what's in the kit →Core Module 4 policies (Supports Environment)
This is the SIL-specific division. Five policies covering the physical environment auditors will walk through during the on-site visit.
| Policy | What it must cover |
|---|---|
| Safe Environment | House inspection schedule, hazard management, environmental risk (Outcome 4.1) |
| Participant Money & Property | Petty cash handling, participant fund segregation, property register (Outcome 4.2) |
| Medication Management | MAR usage, storage, PRN procedures, error reporting (Outcome 4.3) |
| Mealtime Management | Dysphagia risk, dietary plans, mealtime supervision (Outcome 4.4) |
| Infection Prevention & Control | Hand hygiene, PPE, outbreak response, hospital-discharge readmission (Outcome 4.5) |
If you have any participants requiring complex medication regimes, behaviour support plans with restrictive practice authorisation, or high-intensity supports, you also need an additional supplementary-module policy set. Our high-intensity daily activities module guide walks through the additional 8-12 documents that module requires.
Beyond policies: registers, forms, and evidence
A policy on its own does not pass an audit. Auditors check policies against three pieces of evidence: the policy itself, the operational record (forms and registers showing the policy is implemented), and observable practice (interviews with staff confirming they know it). 25 policies need roughly:
- 25 forms and templates — service agreement, incident report, support plan, MAR, induction checklist, supervision record, etc. The forms turn policies into transactions auditors can sample.
- 10 operational registers — incident register, complaint register, worker screening register, training register, risk register, CI register, etc. The registers prove the policy is being used over time.
- 3-5 guides / checklists — audit evidence checklist, registration walkthrough, kit README. These tie the policy + form + register architecture together for whoever has to operate it.
This is why the Complete SIL Kit is 74 documents, not 25. Each policy comes with its corresponding form(s) and register(s), pre-mapped so the auditor doesn't have to hunt. For a deeper view of the document-to-evidence mapping, see our SIL audit survival guide — the cornerstone reference for the kit's full structure.
What makes a SIL policy actually pass an audit
From the auditor side of the table, three things separate a policy that passes from one that gets flagged:
- It is customised. Auditors recognise template language at 20 paces. "Generic SIL Provider Pty Ltd" or unedited placeholder text is an immediate non-conformity signal. Every policy in your suite should be Find-and-Replace edited with your real organisation name, real ABN, real key personnel, real participant cohort, real geographic scope.
- It cross-references the Practice Standard. Each policy should have a header line citing the specific Outcome it addresses ("This policy addresses NDIS Practice Standards Core Module Outcome 2.4 — Incident Management"). Auditors map your documents to Outcomes; cite the Outcome up front and save them the work.
- It is implemented. The policy says incidents are reviewed monthly; the CI register shows the most recent review was last week. The policy says all staff sign a code-of-conduct acknowledgement; the HR file shows every staff member has signed it. Policy + matching evidence is the audit pass pattern.
For a worked example of what an auditor actually looks at when they pick up one of these policies, our NDIS audit evidence guide walks through the three-leg evidence model (policy + implementation record + observable practice) for each Outcome. The free Notes Rewriter is the operational tool we recommend for the shift-notes side of Outcome 3.2 — most support workers learn to write Practice-Standards-aligned notes by watching their own notes get rewritten in front of them.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.