Running an NDIS registered service is demanding. Between delivering support, managing staff, and keeping up with regulatory changes, compliance can sometimes slip without providers even realising it. The NDIS Quality and Safeguards Commission doesn’t wait for things to go catastrophically wrong before it acts. Audits, complaints, and incident reports all create compliance touchpoints, and when gaps emerge, the consequences can range from corrective action notices to registration suspension.
Here are the ten most common ways NDIS providers get into trouble with the NDIS Commission and what you can do to prevent each one.
1. Failing to Report Incidents Correctly
Incident management is one of the most scrutinised areas in any audit. Providers frequently fall short not because incidents aren’t recorded, but because they aren’t reported to the NDIS Commission within required timeframes, or because the internal classification of severity is wrong. Most reportable incidents, including alleged abuse, neglect, serious injury, and participant deaths, must be reported within 24 hours of key personnel becoming aware. An initial notification is just the first step: a more detailed follow-up report is also required within five business days. A policy that sits in a drawer doesn’t count. Staff need to know what constitutes a reportable incident and exactly what to do when one occurs.
Prevention: Ensure your incident management policy is current, staff are trained on it, and your reporting workflows are tested, not just documented.
2. Not Having Behaviour Support Plans in Place
The NDIS (Restrictive Practices and Behaviour Support) Rules 2018 create distinct obligations for two types of providers: specialist behaviour support providers, who develop behaviour support plans, and implementing providers, who use regulated restrictive practices when delivering supports. Both carry serious compliance risk when things go wrong. Implementing providers are commonly caught out because regulated restrictive practices are being used without an authorised plan in place, or because the plan exists but staff aren’t implementing it correctly. Implementing providers also have a monthly reporting obligation. They must report on the use of regulated restrictive practices through the NDIS Commission Portal, even in months where a practice was not used. Unauthorised use of a restrictive practice is a reportable incident and must be notified within five business days, or within 24 hours if it has resulted in harm to a participant.
Prevention: Audit every participant who has behaviours of concern. Confirm whether a behaviour support plan is in place, who the specialist behaviour support provider is, whether the plan is lodged in the NDIS Commission Portal, and whether your staff understand their implementation and monthly reporting obligations.
3. Inadequate Worker Screening
Worker screening is non-negotiable. Engaging a worker in a risk-assessed role or key personnel position who doesn’t hold a current NDIS Worker Screening clearance is a direct compliance breach. Risk-assessed roles include those that involve the direct delivery of supports or services to people with disabilities, or more than incidental contact as an ordinary part of the role. Key personnel, including CEOs, directors, and executive staff, must also hold a clearance. This applies to employees, volunteers, contractors, and students on placement where they are in risk-assessed roles. Providers are sometimes caught out by failing to verify clearances before a worker starts, or not maintaining records that flag expiry dates.
Prevention: Build a screening register into your HR processes. Check clearances before commencement and set calendar reminders for renewals. Remember that clearances are valid for five years but can be revoked at any time.
4. Outdated or Inadequate Policies
The NDIS Commission’s Regulatory Reform Roadmap signals continued scrutiny of provider governance and documentation. Providers that registered years ago and haven’t revisited their policies since are operating on a foundation that may no longer meet current NDIS Practice Standards. Policies aren’t a one-time exercise; they need to reflect how your organisation actually operates, reference current legislation, and be reviewed at least annually.
Prevention: Schedule annual policy reviews and map each policy to the relevant Practice Standard. If your policies and templates are generic or predate significant regulatory changes, it’s time to update them.
5. Poor Complaints Management
Every provider must have a functioning complaints management system. Where providers fall down is in the detail: complaints aren’t logged formally, outcomes aren’t communicated to the person who complained, and there’s no evidence of systemic review. The NDIS Commission expects providers to treat complaints as improvement opportunities, not inconveniences. Participants also have the right to complain directly to the NDIS Commission, and patterns of complaints will attract attention.
Prevention: Train all staff on the complaints process, not just managers. Ensure your complaints register captures resolution and timeframes, and that you can produce this evidence if asked.
6. Insufficient Staff Training and Supervision
NDIS Commission training requirements are tied directly to the supports being delivered. Providers must ensure workers have the skills, knowledge, and qualifications required for their role and that ongoing supervision is occurring. A common compliance gap is onboarding that covers the bare minimum, followed by little ongoing oversight. When something goes wrong and the Commission investigates, inadequate training records are often part of the problem.
Prevention: Implement a structured induction that includes NDIS-specific training, and document ongoing supervision and professional development. Platforms that deliver verifiable online training make this significantly easier to evidence.
7. Not Understanding the NDIS Commission Statement of Intent and Statement of Expectations
The NDIS Commission Statement of Expectations is issued by the Minister for the NDIS to the Commission, setting out the government’s expectations for how the Commission performs its regulatory functions. The NDIS Commission Statement of Intent is the Commission’s formal response, outlining how it will meet those expectations. Together, these documents signal the Commission’s regulatory priorities and the standard of accountability it holds itself to, including its commitment to being a formidable regulator that uses all available statutory powers. Providers who understand these documents are better placed to anticipate where regulatory focus will fall and how the Commission is likely to exercise its powers.
Prevention: Read both documents. Make sure your leadership team understands the Commission’s stated regulatory priorities and approach so you can position your compliance activity accordingly.
8. Failing to Engage with Audits Properly
Registration audits, both certification and verification, catch providers out when documentation is missing, staff can’t answer questions about policies, or there’s a gap between what the policy says and what actually happens in practice. Providers sometimes treat audits as a bureaucratic hurdle rather than an operational review. Auditors speak with staff, observe practice, and review records. If your team doesn’t know your policies, that’s a problem no amount of good paperwork can fix.
Prevention: Prepare for audits operationally, not just administratively. Brief staff on key policies. Conduct internal mock audits to identify gaps before the real one.
9. Mismanaging Participant Funds
Financial mismanagement, whether deliberate or through poor systems, is one of the fastest ways to attract Commission scrutiny. Overcharging, claiming for services not delivered, and inadequate record-keeping around service agreements all raise red flags. The NDIS Commission is a member agency of the Fraud Fusion Taskforce, a 24-agency operation led by the NDIA and Services Australia. Financial irregularities are increasingly identified through cross-agency data sharing, and the consequences extend well beyond compliance action to criminal prosecution.
Prevention: Ensure your service agreements are accurate, your claiming is aligned to what’s delivered, and your financial records are audit-ready at all times, not just during compliance events.
10. Not Acting on Previous Compliance Concerns
Receiving a complaint, corrective action notice, or audit finding and failing to address it meaningfully is one of the most serious mistakes a provider can make. The NDIS Commission monitors whether providers follow through on commitments. Providers that appear to promise change without delivering it are at significantly higher risk of escalated regulatory action, including banning orders against key personnel.
Prevention: When compliance concerns arise, treat them as urgent. Document your corrective actions, set timeframes, and close the loop in writing with the Commission where required.
The Pattern Underneath All of It
Most NDIS Commission compliance problems share a common thread: the gap between policy and practice. A policy manual that doesn’t translate into how staff actually work is a liability, not an asset. Genuine compliance lives in the day-to-day: in how incidents are handled, how restrictive practices are monitored, how complaints are received, and how workers are supported to do their jobs well.
The NDIS Commission’s approach to regulation is evolving. The Regulatory Reform Roadmap signals greater emphasis on continuous improvement and provider accountability, not just point-in-time audits. Providers who build compliance into their culture rather than treating it as an audit-time exercise are far better positioned to meet that standard. If your policies, procedures, or training systems need strengthening, the time to act is before the Commission makes contact, not after.

