Audit snapshot

Why did we do this audit?

  • The National Disability Insurance Scheme (NDIS) is an area of significant government expenditure with growing numbers of participants and providers.
  • The NDIS Quality and Safeguards Commission (NDIS Commission) has been in operation since July 2018 and regulates registered and unregistered NDIS providers.

Key facts

  • In Quarter 4 of 2024–25 there were 16,363 active registered and 254,018 active unregistered providers.
  • The number of complaints received reported by the NDIS Commission has increased each year since its commencement, from 1,422 complaints in 2018–19 to 29,054 complaints in 2023–24.
  • The NDIS Commission finalised 35,519 compliance actions against registered and unregistered NDIS providers and individuals in 2023–24.

What did we find?

  • The NDIS Commission is partly effective in exercising its regulatory functions.
  • The NDIS Commission has partially effective systems and processes for intelligence gathering and largely effective information sharing arrangements.
  • The NDIS Commission has not established a regulatory risk framework to guide decision-making.
  • The NDIS Commission has taken compliance and enforcement action. It does not have risk responsive and proportionate monitoring, compliance and enforcement activities, and performance reporting could be improved.

What did we recommend?

  • There were 10 recommendations to the NDIS Commission to improve effectiveness in exercising its regulatory functions.
  • The NDIS Commission agreed to nine recommendations and agreed in principle to one recommendation.

15,064

complaints closed by the NDIS Commission in 2023–24.

3.7

times increase in the NDIS Commission’s compliance actions from 2022–23 to 2023–24.

452%

growth in the number of NDIS participants from 2018–19 to 2024–25.

Summary and recommendations

Background

1. The NDIS Quality and Safeguards Commission (NDIS Commission, or Commission) began operating on 1 July 2018. The powers and functions of the NDIS Quality and Safeguards Commissioner (NDIS Commissioner, or Commissioner), as regulator of the National Disability Insurance Scheme (NDIS) are set out in the National Disability Insurance Scheme Act 2013 (NDIS Act). The NDIS Commission regulates registered and unregistered NDIS providers (as defined in section 9 of the NDIS Act) and workers to improve the quality and safety of NDIS services and advance the human rights of people with disability.

2. The NDIS Commissioner’s core functions (set out in section 181E of the NDIS Act) include to secure compliance with the NDIS Act through effective compliance and enforcement; to engage in, promote and coordinate information sharing to achieve the NDIS Act’s objectives; and to provide NDIS market oversight by monitoring and mitigating market-related risks. The NDIS Act also sets out the Commissioner’s functions relating to provider registration and reportable incidents (section 181F); complaints management (section 181G); behaviour support oversight (section 181H); and establishing, operating and maintaining a worker screening database (section 181Y).

Rationale for undertaking the audit

3. The NDIS Commission is the regulator for the NDIS. The NDIS provides funding to a large number of participants — as at 30 June 2025 there were 739,414 NDIS participants with approved plans.1 The NDIS also forms a significant portion of government spending, with total scheme payments of $46.3 billion in 2024–25.2 The NDIS operating environment has been subject to a number of reviews in recent years, which have made a range of recommendations including seeking improvements in information sharing, provider registration, restrictive practices, complaints handling and compliance and enforcement arrangements. This audit provides independent assurance to Parliament over whether the NDIS Commission is effectively exercising its regulatory functions.

Audit objective and criteria

4. The objective of the audit was to assess the effectiveness of the NDIS Commission in exercising its regulatory functions.

5. To form a conclusion against the objective, the following criteria were adopted:

  • Does the NDIS Commission have effective intelligence gathering and information sharing arrangements in place?
  • Has the NDIS Commission developed a risk-based strategy to guide regulatory decision-making?
  • Has the NDIS Commission effectively implemented risk responsive and proportionate monitoring, compliance and enforcement activities?

Conclusion

6. The NDIS Commission is partly effective in exercising its regulatory functions. The Commission does not have full visibility of the market it regulates. From 2023–24 to 2024–25 the total number of active providers grew by 25 per cent, with active registered providers and active unregistered providers growing by 15 per cent and 26 per cent respectively.3 In regulating a market that is expected to see continued growth in the number of participants and providers, the Commission’s effectiveness as a regulator would be improved by taking a risk-based approach to regulating the NDIS that is underpinned by quality data, and targets available resources to areas of greatest risk.

7. The NDIS Commission has partly effective intelligence gathering and information sharing arrangements in place. The Commission has established policies relating to information management and the management of personal information. The effectiveness of the Commission’s collection, correlation and analysis of intelligence has been impacted by limitations of the Commission Operating System (COS). The Commission engages with the disability sector and has documented arrangements to support information sharing with some government entities. These arrangements are not complete and are under review. The Commission does not have processes to ensure information disclosures meet legislative requirements.

8. Regulatory decision-making is not guided by a risk-based strategy. Since commencing operations in 2018 and becoming a national operation in 2021, the Commission has not established a framework for assessing, prioritising and managing risks of provider non-compliance. In the absence of a regulatory risk framework and assessment of regulatory risks, the Commission’s overarching compliance and enforcement approach and regulatory decision-making has not been informed by risk.

9. The Commission has implemented a range of compliance activities. It has not effectively implemented risk responsive and proportionate monitoring, compliance and enforcement activities. The Commission does not have oversight of all the NDIS providers delivering services in the market as there is no requirement for all providers to be registered. In the fourth quarter of 2024–25, 94 per cent of active providers were unregistered and received 42 per cent of plan managed NDIS payments.

  • The Commission’s arrangements to monitor the market and provider compliance did not include arrangements to monitor and mitigate the risks of unplanned service withdrawal — a core function of the NDIS Commissioner under the National Disability Insurance Scheme Act 2013 (NDIS Act).
  • The Commission undertook 9,520 compliance actions in 2022–23; increasing 3.73 times in 2023–24 to 35,519 compliance actions. Additionally, the Commission has seen large growth in the number of complaints received from 16,305 in 2022–23 to 29,054 in 2023–24. The NDIS Commission does not have quality assurance processes for compliance activities. In the absence of a quality assurance program the Commission is not able to assess its effectiveness in detecting and addressing non-compliance.
  • The NDIS Commission had arrangements for executive oversight of annual performance although these were not fully executed. The Commission has developed a Planning and Performance Framework, but this does not address government expectations for regulators. Data reported in the Commission’s quarterly performance reports could not be reconciled with the data reported in the Commission’s 2023–24 Annual Performance Statements.

Supporting findings

Information gathering and sharing arrangements

10. The NDIS Commission has policies that set out its information management and privacy obligations in accordance with the Archives Act 1983 and the Australian Privacy Principles. The Commission has systems for storing, correlating and analysing information. These had not been sufficiently documented in accordance with the Commission’s Information Management Policy. COS has capability limitations and was assessed by the Commission as being non-compliant with Australian Government record keeping and metadata requirements. The Commission has conducted a range of activities to analyse information and intelligence gathered. A strategic framework or formalised processes have not been established for its analysis activities. The Commission has developed a data quality framework. The Commission has not implemented arrangements for assurance over the quality, accuracy, and completeness of the information held by the Commission. (See paragraphs 2.3 to 2.31)

11. The NDIS Commission has arrangements to share information with Australian Government entities, including the National Disability Insurance Agency (NDIA), and state and territory government entities. Documentation supporting these arrangements is not complete. The disclosure record for information shared does not meet the requirements of the National Disability Insurance Scheme Rules 2018. The NDIS Commission shares information and seeks feedback from the disability sector through stakeholder engagement committees and undertakes a range of activities to assist voluntary compliance. The NDIS Commission undertook stakeholder sentiment surveys in 2023 and 2024 to assist in assessing whether the activities of the Commission were meeting the needs of the sector. Responses to the 2024 survey indicated 24 per cent of respondents trusted the Commission ‘a lot’ or ‘completely’ to provide support if there are issues with NDIS services. Forty per cent of respondents ‘moderately’ trusted the Commission; and 18 per cent trusted the Commission ‘a little’ to provide this support. (See paragraphs 2.32 to 2.60)

Risk-based approach to regulatory decision-making

12. The Minister for the NDIS issued a Statement of Expectations to the NDIS Commissioner on 20 December 2022 and the NDIS Commissioner responded with a Statement of Intent dated March 2023. The NDIS Commission has not sought a new Statement of Expectations consistent with government expectations of regulators. The Commission published annual compliance priorities for 2019–20 to 2021–22, 2023–24 and 2024–25. The compliance priorities are not risk-based or informed by data and the Commission has not established arrangements to address or report on specific priorities. The Commission has an overarching approach to compliance and enforcement through the Regulatory Approach, Operating Model and Compliance and Enforcement Policy. These are not informed by risk. (See paragraphs 3.2 to 3.28)

13. The NDIS Commission has not implemented a framework for assessing and managing regulatory risk. In its Corporate Plans for 2023–24 and 2024–25, the NDIS Commission reported on the management of two enterprise risks relating to provider non-compliance and participant harm. The Commission assessed these risks under the Enterprise Risk Management Framework, which was designed to assess and manage the Commission’s operational risks. In August 2024, the NDIS Commission updated the Regulatory Approach with five risk priorities that create an unacceptable risk of harm for participants if not addressed. After these priorities were endorsed the Commission continued to have no overarching strategic approach to regulatory risk. (See paragraphs 3.29 to 3.45)

Monitoring, compliance, and enforcement

14. Compliance monitoring activities were not carried out under a risk-based strategy or work program. The Commission has not established or documented an approach to monitoring and mitigating the risks of unplanned service withdrawals — a core function of the NDIS Commissioner under the NDIS Act. (See paragraphs 4.3 to 4.34)

15. The NDIS Commission has established arrangements to detect and address non-compliance but does not have overarching procedural guidance for the end-to-end management of compliance matters. The Commission does not have quality assurance processes for compliance activities, including investigations. In the absence of quality assurance processes and up-to-date policies the Commission is unable to assesses its effectiveness in detecting and addressing non-compliance. (See paragraphs 4.35 to 4.64)

16. Arrangements were in place, but were not fully executed, for NDIS Commission senior executive oversight and the Audit and Risk Committee review of annual performance. Prior to March 2024, the NDIS Commission did not have a standardised framework to support Annual Performance Statement obligations. The Planning and Performance Framework does not address government expectations for regulators. Data reported in the NDIS Commission’s quarterly reports does not reconcile with the 2023–24 Annual Performance Statements. (See paragraphs 4.65 to 4.101)

Recommendations

Recommendation no. 1

Paragraph 2.25

To support intelligence and information analysis, the NDIS Commission implement:

  1. an overarching risk-based plan to guide information analysis and correlation activities; and
  2. guidance on establishing and conducting own motion inquiries.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 2

Paragraph 2.50

The NDIS Commission develop and implement a quality assurance process to meet legislative requirements and ensure completeness of the information disclosures record.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 3

Paragraph 3.6

The NDIS Commission:

  1. prepare for a refreshed Ministerial Statement of Expectations with close engagement with the appropriate minister and portfolio secretary; and
  2. prepare and issue a responding Regulator Statement of Intent in a timeframe consistent with the Direction to the NDIS Quality and Safeguards Commissioner under section 181K of the National Disability Insurance Scheme Act 2013 – No. 1/2023.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 4

Paragraph 3.27

The NDIS Commission:

  1. develop a process for setting compliance priorities to ensure they are risk-based;
  2. implement action plans to ensure that regulatory interventions are driven by compliance priorities;
  3. regularly report on compliance priorities and action plans, including publicly; and
  4. publicly outline its regulatory processes and decision-making criteria to support public understanding of how the Commission regulates the NDIS.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 5

Paragraph 3.41

The NDIS Commission develop, document and maintain a framework to assess, prioritise and manage regulatory risks. Regulatory priorities should be underpinned by risk assessment, data and evidence. The framework should articulate how identified risks are managed in line with well-defined risk tolerances, risk-profiling, and appropriate compliance actions.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 6

Paragraph 4.16

The NDIS Commission develop and implement an entity-wide compliance monitoring strategy, consistent with its Compliance and Enforcement Policy, that includes the monitoring activities the Commission intends to undertake, frequency of planned activities, links compliance monitoring activities to identified risks, and sets out reporting arrangements and intended results.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 7

Paragraph 4.31

The NDIS Commission:

  1. develop and document a strategy or plan that sets out the Commission’s approach to market oversight, including monitoring and mitigating the risks of unplanned service withdrawal; and
  2. works with the NDIA to update the joint operational protocol on market stewardship and oversight to include the Commission’s planned approach to market oversight developed in part (a) above.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 8

Paragraph 4.51

To provide assurance that the NDIS Commission is taking effective regulatory action using powers provided under the NDIS Act and meeting the requirements of the Australian Government Investigations Standards, the NDIS Commission implement quality assurance processes for complaints, reportable incidents, compliance matters and investigations.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 9

Paragraph 4.63

The NDIS Commission support staff to apply a consistent approach to compliance actions through:

  1. finalising fit-for-purpose policies and procedures for compliance actions; and
  2. developing guidance to assist staff with selecting and using the most suitable compliance tool for specific circumstances.

NDIS Quality and Safeguards Commission response: Agreed.

Recommendation no. 10

Paragraph 4.97

The NDIS Commission:

  1. implement measures to address errors in the Commission’s data holdings;
  2. ensure the accuracy of performance reporting in compliance with the PGPA Act and PGPA Rule, and address issues identified in relation to Annual Performance Statements for Commonwealth entities in line with expectations;
  3. accurately record and explain performance in line with regulator performance expectations; and
  4. disclose and provide written explanation for changes to and errors in publicly reported information to enhance the transparency and public confidence of performance reporting.

NDIS Quality and Safeguards Commission response: Agreed in principle.

Summary of entity response

17. The proposed audit report was provided to the NDIS Commission. The NDIS Commission’s summary response is reproduced below, and its full response is at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.

The NDIS Quality and Safeguards Commission (NDIS Commission) appreciates the work of the ANAO in assessing the Commission’s regulatory functions. The NDIS Commission is committed to improving its existing processes and becoming a formidable human rights regulator that applies an intelligence led risk-based, approach to its meet legislated outcomes.

The NDIS Commission acknowledges the findings of the report and agrees to action all recommendations and opportunities for improvement. The NDIS Commission has designed and is delivering a Data and Regulatory Transformation (DART) program that will provide access to reliable data and improve visibility of the market to support intelligence led risk-based regulation in alignment with ANAO report recommendations.

The NDIS Commission has taken steps to improve its regulatory processes through establishing a Risk-Based Regulation Prioritisation Model (the Model). The Model will provide a consistent approach to assessing risk and prioritising compliance activities. The NDIS Commission is applying a phased approach to implementation of the Risk-Based Regulation Prioritisation Model with its full roll out in October 2025.

The NDIS Commission will prioritise the establishment of a quality assurance framework to assess and continuously improve its regulatory processes. The NDIS Commission is committed to action all report recommendations to continue to protect and promote the rights, safety and wellbeing of people with disability and ensure a sustainable future for the NDIS.

Key messages from this audit for all Australian Government entities

18. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Group title

Governance and risk management

Key learning reference
  • Regulators need complete, accurate and reliable data to understand the risks relating to who they regulate and the market they are regulating.
  • Regulators have a purpose and the exercise of regulatory functions should build trust and confidence in the people they are regulating for.
  • Basing compliance activities on clearly articulated risk-based and data informed priorities assists regulators in appropriately allocating resources in proportion to compliance risk.

1. Background

Introduction

1.1 The National Disability Insurance Scheme (NDIS), established in 2013 under the National Disability Insurance Scheme Act 2013 (NDIS Act), provides funding for supports for people with permanent and significant disability. Commonwealth, state and territory governments jointly fund the NDIS under bilateral arrangements. The NDIS Quality and Safeguards Commission (NDIS Commission, or Commission) was established on 1 July 2018 as the regulator for the NDIS. The NDIS Commission regulates registered and unregistered NDIS providers (as defined in section 9 of the NDIS Act) and workers to improve the quality and safety of NDIS services and advance the human rights of people with disability.

1.2 The NDIS Commission is a non-corporate Commonwealth entity under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The NDIS Quality and Safeguards Commissioner (NDIS Commissioner, or Commissioner) is the accountable authority for the NDIS Commission.4 In September 2024 an Associate Commissioner, with lived experience of disability, was appointed to assist the Commissioner with registration and reform responsibilities.

NDIS Commissioner’s regulatory functions

1.3 The NDIS Act sets out the powers and functions of the NDIS Commissioner. The NDIS Commissioner’s core functions (set out in section 181E of the NDIS Act) are:

  • to uphold the rights of, and promote the health, safety and wellbeing of people with disability receiving supports or services, including those received under the NDIS;
  • to develop a nationally consistent approach to managing quality and safeguards for people with disability receiving supports or services, including those received under the NDIS;
  • to promote the provision of advice, information, education and training to NDIS providers and people with disability;
  • to secure compliance with the NDIS Act through effective compliance and enforcement arrangements;
  • to promote continuous improvement amongst NDIS providers and the delivery of progressively higher standards of supports and services to people with disability;
  • to develop and oversee the broad policy design for a nationally consistent framework relating to the screening of workers involved in the provision of supports and services to people with disability;
  • to provide advice or recommendations to the National Disability Insurance Agency (NDIA) or its Board in relation to the performance of the NDIA’s functions;
  • to engage in, promote and coordinate information sharing to achieve the objects of the NDIS Act; and
  • to provide NDIS market oversight, including by monitoring changes in the NDIS market which may indicate emerging risk, and monitoring and mitigating the risks of unplanned service withdrawal.

1.4 The NDIS Act also sets out the Commissioner’s functions relating to: provider registration and reportable incidents (section 181F); complaints management (section 181G); behaviour support oversight (section 181H); and establishing, operating and maintaining a worker screening database (section 181Y). The NDIS Commissioner may make guidelines relating to the performance of functions and powers (subsection 181D(2)).

1.5 The NDIS Rules are legislative instruments made under the NDIS Act to support administration of the Scheme. NDIS Rules relevant to the Commissioner’s functions include rules on complaints management and resolution; worker screening; provider registration; and protection and disclosure of information.

1.6 The NDIS Act and the Regulatory Powers (Standard Provisions) Act 2014 empowers authorised NDIS Commission persons to: monitor, investigate and issue civil penalty provisions, infringement notices, compliance notices and banning orders; vary or revoke banning orders and infringement notices; and seek injunctions from the relevant court.5

1.7 Numbers of complaints and reportable incidents notices received by the Commission, and behaviour support plans lodged with the Commission, from 2018–19 to 2023–24 are set out at Figure 1.1.6 Details of when NDIS Commission quality and safeguarding functions were rolled out to each state and territory are in Figure 1.2.

Figure 1.1: Complaints and reportable incidents received, and behaviour support plans lodged from 2018–19 to 2023–24

Figure 1.1 is a bar graph showing the number of complaints received, reportable incidents notices received (excluding unauthorised restrictive practices) and behaviour support plans lodged between 2018–19 and 2023–24. The figure shows that all categories increased.

Note: The ANAO used publicly reported figures. Paragraphs 4.94 to 4.96 discuss NDIS Commission quarterly reporting data quality issues.

Source: ANAO representation of information from NDIS Commission Annual Reports and Quarterly Performance Reports.

1.8 Not all NDIS providers are required to be registered with the NDIS Commission to deliver services and supports. Providers must be registered to provide: specialist disability accommodation (SDA); specialist behaviour support services; supports or services to NDIS participants with NDIA managed funding7; plan management services; and if they plan to use, or use, regulated restrictive practices.8 Unregistered providers can deliver supports and services to participants who self-manage or plan-manage their NDIS funding. Registered providers must comply with both the NDIS Code of Conduct and NDIS Practice Standards, while unregistered providers are held to account against the Code of Conduct.9

1.9 The final report of the Independent Review into the NDIS, published in October 2023, stated:

The NDIS Quality and Safeguards Commission (NDIS Commission) does not have visibility of the significant unregistered provider market. This means the NDIS Commission cannot effectively monitor the market or proactively intervene to prevent harm and promote quality improvement, and has fewer options for taking action against providers if something goes wrong.10

1.10 At the time of the audit, the NDIS Commission did not have data on the total number of unregistered NDIS providers operating in the market. The Commission advised the ANAO in April 2025:

The NDIS Commission does not have full visibility of the market it regulates. It sources data about the unregistered market through data sharing with the NDIA. The NDIS Commission undertakes analysis of claims for payment for services delivered by registered and unregistered providers to plan-managed and NDIA-managed participants. The NDIS Commission does not have visibility of payment arrangements for self-managed participants.

1.11 NDIA reporting on unregistered providers from 2021–22 to 2024–25 is set out in Table 1.1.

Table 1.1: NDIA quarterly reporting on active unregistered providers and plan managed payments

 

2021–22

(April – June)

2022–23

(April – June)

2023–24

(April – June)

2024–25

(April – June)

Number of active unregistered providers in the quarterly report perioda

Active unregistered providers — Plan-managed

122,945

154,409

176,403

181,938

Active unregistered providers — Self-managed

b

b

55,777

126,974

Plan managed payments in the quarterly report period

Payments to service providers by plan managers in Q4 ($ billion)

3.3

4.8

6.2

7.3

Proportion of plan managed payments to registered providers (%)

61

57

56

57

Proportion of plan managed payments to unregistered providers (%)

39

43

43

42

Proportion of plan managed payments to providers with unknown registration status (%)

1

1

         

Note a: Figures in this table relate to active providers who received payment in quarter four for supporting NDIS participants. NDIA reporting on unregistered providers was not available prior to 2021–22 and did not include annualised figures.

Note b: This information was not reported. Total unregistered providers have not been included in this table due to data limitations.

Source: NDIA quarterly reports to disability ministers.

1.12 The NDIA reported that in the fourth quarter of 2024–25 there was a total of 16,363 active registered providers and 254,018 active unregistered providers.11 Of the 254,018 unregistered providers, 181,938 received plan-managed payments.

NDIS Commission funding

1.13 Funding of $209.0 million over four years was provided in the 2017–18 Federal Budget to establish the Commission and commence operations from 1 January 2018.12 Under a phased roll out to introduce a nationally consistent system, the NDIS Commission progressively replaced quality and safeguarding arrangements in states and territories between 1 July 2018 and 1 December 2020. From 1 July 2021 the NDIS Commission began implementing all quality and safeguarding functions nationally (see Figure 1.2).

Figure 1.2: Phased rollout of the NDIS Commission

Figure 1.2 is a diagram representing the rollout of the NDIS Commission. It spans from the amendment of the NDIS Act to establish the NDIS Commission in December 2017 and includes three phases of rollout.

Source: ANAO representation of publicly available information.

1.14 The Commission has received additional resourcing to carry out its functions through terminating Budget measures.

  • The 2020–21 Federal Budget provided the NDIS Commission additional funding of $93 million over four years to support the NDIS Commission to regulate providers nationally, improve the quality and safety of NDIS supports and expand its compliance and investigative capacity.
  • The 2023–24 Federal Budget provided the Commission further funding of $142.6 million over two years to support the Commission in carrying out its role, including to minimise risks to participants, address outstanding casework, uplift internal ICT capability and to improve market quality and participant experience.
  • The 2024–25 Federal Budget allocated $160 million over four years to upgrade the Commission’s information technology systems.
  • The 2024–25 Mid-Year Economic and Fiscal Outlook extended terminating funding for the NDIS Commission by $143.9 million over two years from 2025–26 to ‘ensure [it is] appropriately resourced to continue to support NDIS Participants.’

1.15 Table 1.2 sets out the departmental resourcing and average staffing level for the NDIS Commission since commencement.

Table 1.2: NDIS Commission departmental resourcing and average staffing levels 2018–19 to 2025–26

Financial year

Departmental resourcing (estimate) from Portfolio Budget Statements

($’000)

Average staffing level

(Budget)

Average staffing level

(Actual)

2018–19

37,270

164

111.8

2019–20

50,437

237

211.75

2020–21

96,615

350

255

2021–22

87,672

342

352

2022–23

108,570

565

595

2023–24

156,837

683

1,035

2024–25

207,926

908

911a

2025–26

220,198

892

       

Note a: Estimated actual figure reported in the Social Services Portfolio Budget Statements 2025–26.

Source: ANAO representation of information from Social Services Portfolio Budget Statements.

1.16 The NDIS is a demand-driven program and is projected to continue growing. Table 1.3 shows the increase in NDIS participants, registered providers and scheme payments between 2018–19 and 2024–25. Budget Paper No. 1 for the 2024–25 Federal Budget stated, ‘NDIS Commonwealth funded participant payments growth is expected to average 9.2 per cent per year over the projections period’ (to 2034–35).13

Table 1.3: NDIS participants, providers and payments as at 30 June annually

 

2018–19a

2019–20a

2020–21

2021–22

2022–23

2023–24

2024–25

NDIS participantsb

133,888

367,612

466,619

534,655

610,496

661,268

739,414

Registered providers

8,003c

17,253

17,834

19,739

16,378

19,144

22,955

Total scheme payments ($ billion)

10.5

17.6

23.3

28.6

35.1

41.8

46.3

               

Note a: The NDIS Commission commenced operation in New South Wales and South Australia in July 2018. It commenced in all states and territories, except Western Australia, in July 2019. From July 2021, the Commission was fully operational at a national level. Figure 1.2 sets out details of the Commission’s phased rollout.

Note b: The NDIS was progressively rolled out to each State and Territory over a four-year period from July 2016. The NDIS was at full national scheme from 1 July 2020.

Note c: The NDIS Commission transitioned 9,703 providers from the NDIA in New South Wales and South Australia on 1 July 2018. Approximately 1700 transitioned providers did not commence a process to retain their registration with the NDIS Commission.

Source: NDIS Commission Annual Reports and Quarterly Performance Reports; NDIA Quarterly Reports to disability ministers; and NDIS Commission documentation.

NDIS Commission governance structure

1.17 Prior to July 2024 the Executive Leadership Team (ELT) was the NDIS Commission’s key governance body with oversight of the Commission’s performance. In July 2024 a new governance structure was approved, which replaced the ELT and the ELT+ (membership was the ELT and Senior Executive Service Band 1s) with the Finance, Staffing and Strategic Investment Committees. In November 2024 the Finance, Staffing and Strategic Investment Committees were replaced with the Executive Management Group (EMG) and the Senior Leadership Group (SLG). The diagram at Figure 1.3 reflects the Commission’s internal governance structure at 13 November 2024.

Figure 1.3: NDIS Commission governance structure

Figure 1.3 is a diagram showing the governance structure for the NDIS Quality and Safeguards Commission. At the top is the NDIS Quality and Safeguards Commissioner, followed by the Executive Management Group. Below are six main groups: Senior Leadership Group, Regulatory Coordination Committee, Workplace Consultative Committee, Health and Safety Committee, Data Stewards Working Group, and Regulatory Reform Working Group.

Source: ANAO representation of NDIS Commission documentation.

NDIS reform

1.18 The NDIS environment has been subject to non-legislative review in recent years including:

  • the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability14;
  • Joint Standing Committee on the NDIS’s inquiry into the NDIS Quality and Safeguards Commission15;
  • Independent Review into the NDIS16;
  • the NDIS Provider and Worker Registration Taskforce17;
  • Independent review of the adequacy of the regulation of the supports and services provided to Ms Ann-Marie Smith, an NDIS participant, who died on 6 April 2020 (the Robertson Review)18; and
  • Review into services provided by Irabina Autism services to NDIS participant (the Boland Review).19

1.19 In April 2023 the Minister for the NDIS announced that National Cabinet had agreed to an NDIS Financial Sustainability Framework, which sets an annual scheme growth target of eight per cent by July 2026. In March 2024 the Australian Government introduced the National Disability Insurance Scheme Amendment (Getting the NDIS Back on Track) Bill 2024 No. 1 (the Bill) to Parliament. In May 2024 the 2024–25 Federal Budget Strategy and Outlook stated that the Bill, and subsequent amendments to NDIS rules and other legislative instruments, ‘will moderate growth in NDIS expenditure, by determining NDIS participant plan budgets more consistently based on participant need and supporting participants to spend in accordance with their plans.’20 The Bill was passed in August 2024 and took effect in October 2024.

1.20 On 16 September 2024, the Minister for the NDIS announced the registration requirement for all platform providers21, supported independent living (SIL) providers and support coordinators. No changes or transition to the mandatory registration of these providers will happen before 1 July 2025.

1.21 In October 2024 the Minister for the NDIS announced a second tranche of proposed amendments to the NDIS Act intended to improve the protections and quality and safety of supports for participants. Public consultation on the proposed legislative changes was opened between October and December 2024. As at June 2025 the Australian Government was yet to determine the timing of the release and public consultation for the exposure draft of a further amendment bill.

Rationale for undertaking the audit

1.22 The NDIS Commission is the regulator for the NDIS. The NDIS provides funding to a large number of participants — as at 30 June 2025 there were 739,414 NDIS participants with approved plans.22 The NDIS also forms a significant portion of government spending, with total scheme payments of $46.3 billion in 2024–25.23 The NDIS operating environment has been subject to a number of reviews in recent years, which have made a range of recommendations including seeking improvements in information sharing, provider registration, restrictive practices, complaints handling and compliance and enforcement arrangements. This audit provides independent assurance to Parliament over whether the NDIS Commission is effectively exercising its regulatory functions.

Audit approach

Audit objective, criteria and scope

1.23 The objective of the audit was to assess the effectiveness of the NDIS Commission in exercising its regulatory functions.

1.24 To form a conclusion against the objective, the following high-level criteria were applied:

  • Does the NDIS Commission have effective intelligence gathering and information sharing arrangements in place?
  • Has the NDIS Commission developed a risk-based strategy to guide regulatory decision-making?
  • Has the NDIS Commission effectively implemented risk responsive and proportionate monitoring, compliance and enforcement activities?

1.25 This audit focussed on the period 1 July 2022 to 30 June 2024. Periods outside this were considered where relevant and to provide context.

1.26 Key focus areas examined by the ANAO were intelligence, information sharing, risk management, strategy, monitoring, compliance and enforcement activities and performance reporting. The ANAO did not examine in detail the other key functions of the Commission, including provider registration, quality auditor appointments and worker screening.

Audit methodology

1.27 The audit methodology included:

  • review and analysis of NDIS Commission records;
  • walkthroughs of NDIS Commission systems and processes;
  • visits to NDIS Commission offices in Canberra, Brisbane and Melbourne;
  • meetings with NDIS Commission and NDIA officials; and
  • reviewing 21 citizen contributions received.

1.28 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $725,400.

1.29 The team members for this audit were Freya Mathie, Sophie Capel, Rory Tredinnick, Andrew McIntyre, Jake Farquharson, Sonya Carter, Alexandra Collins and Corinne Horton.

2. Information gathering and sharing arrangements

Areas examined

This chapter examines whether the NDIS Quality and Safeguards Commission (NDIS Commission, or Commission) has effective intelligence gathering and information sharing arrangements in place.

Conclusion

The NDIS Commission has partly effective intelligence gathering and information sharing arrangements in place. The Commission has established policies relating to information management and the management of personal information. The effectiveness of the Commission’s collection, correlation and analysis of intelligence has been impacted by limitations of the Commission Operating System (COS). The Commission engages with the disability sector and has documented arrangements to support information sharing with some government entities. These arrangements are not complete and are under review. The Commission does not have processes to ensure information disclosures meet legislative requirements.

Areas for improvement

The ANAO made two recommendations to the Commission aimed at documenting processes to guide information gathering, analysis and sharing; and meeting legislative requirements relating to information disclosures.

The ANAO also suggested that the Commission could update the Information Management Policy; and review the Statement of Intent for Information Disclosure between the National Disability Insurance Agency (NDIA) and the NDIS Commission.

2.1 The National Disability Insurance Scheme Act 2013 (NDIS Act) establishes requirements for the NDIS Quality and Safeguards Commissioner (NDIS Commissioner, or Commissioner) relating to intelligence gathering and information sharing. Sections 181F and 181G of the NDIS Act require the Commissioner to collect, correlate, analyse and disseminate information on incidents and complaints. Section 181H of the Act requires the Commissioner to collect, analyse and disseminate data and other information relating to the use of behaviour supports and restrictive practices by National Disability Insurance Scheme (NDIS) providers.

2.2 Effective information sharing is a key factor in enabling the NDIS Commission to carry out its regulatory functions. Subsection 181E(h) of the NDIS Act establishes that a core function of the NDIS Commissioner is ‘to engage in, promote and coordinate the sharing of information to achieve the objects of this Act’. Sections 60, 67A and 67E of the NDIS Act and the National Disability Insurance Scheme (Protection and Disclosure of Information—Commissioner) Rules 2018 set out the information handling requirements for the Commission, including the use and disclosure of NDIS Commission information. Section 9 of the NDIS Act defines protected NDIS Commission information as ‘information about a person (including a deceased person) that is or was held in the records of the Commission’.

Does the NDIS Commission have systems and processes for collecting, correlating, and analysing intelligence to support its regulatory approach?

The NDIS Commission has policies that set out its information management and privacy obligations in accordance with the Archives Act 1983 (Archives Act) and the Australian Privacy Principles. The Commission has systems for storing, correlating and analysing information. These had not been sufficiently documented in accordance with the Commission’s Information Management Policy. COS has capability limitations and was assessed by the Commission as being non-compliant with Australian Government record keeping and metadata requirements. The Commission has conducted a range of activities to analyse information and intelligence gathered. A strategic framework or formalised processes have not been established for its analysis activities. The Commission has developed a data quality framework. The Commission has not implemented arrangements for assurance over the quality, accuracy, and completeness of the information held by the Commission.

Information collection and storage

Information management

2.3 The National Archives’ Building trust in the public record policy requires entities to ‘implement fit-for-purpose information management processes, practices and systems’ and states that poor information management includes where information is ‘siloed in different systems where all needed information cannot be retrieved, or information cannot be exchanged’.24

2.4 The NDIS Commission developed an Information Management Policy in October 2021, which established the Commission’s records management responsibilities in accordance with the Archives Act.25 The Policy was supported by the Information Governance Framework, approved in November 2021, which sets out the governance arrangements for managing Commission information assets including data, records and information.26

2.5 The Information Management Policy stated that Archiving and Records Compliance (ARC) was the Commission’s official Electronic Document and Records Management System (EDRMS) ‘for the capture and management of information assets’. The policy also stated that COS, Parliamentary Document Management System (PDMS, which is used for ministerial and parliamentary business) and LEX (used for legal matter management) were ‘endorsed for the capture and storage of specific information assets’.

2.6 The Executive Leadership Team (ELT) considered internal advice in July 2022 that:

COS is the main business system used to create, capture and manage digital information documenting the core or unique functions and activities of the NDIS Quality and Safeguards Commission (NDIS Commission). COS holds high-value and high-risk information – information that is the authoritative source of truth.

2.7 The Information Management Policy was reviewed and updated in January 2024 and states that staff are required to capture and store information on the Commission’s endorsed EDRMS — the ARC system — unless there is another NDIS Commission approved system that is fit for purpose to capture the information.

2.8 The Commission uses other systems, in addition to ARC, for collection, storage and use of information. COS is used to workflow and manage compliance actions and investigations. This is inconsistent with the 2024 Information Management Policy. The Commission advised the ANAO in April 2025 that ‘COS is not considered fit for purpose and will be replaced by the DART [Data and Regulatory Transformation] Program, which is underway’.27 The Commission has not documented approval for COS to be a system ‘fit-for-purpose to capture the information’ as required by the 2024 Information Management Policy.

Opportunity for improvement

2.9 The NDIS Commission could update the Information Management Policy to include expectations for all Commission systems that are being used to collect, store and use information. This could include setting out whether systems, other than ARC, are endorsed business systems for the capture and storage of specific information.

Privacy policy

2.10 The Australian Privacy Principles require entities, including the NDIS Commission, to have a clearly expressed and up-to-date policy about the management of personal information.28 The NDIS Commission established a Privacy Policy in December 2023. Prior to this, the Commission had separate ‘internal’ and ‘external’ privacy policies. The 2023 Privacy Policy and preceding ‘external’ privacy policy included the information required by the Privacy Principles.

IT system limitations

2.11 COS was developed by the Department of Social Services to support the commencement of the Commission’s operations on 1 July 2018. Following machinery of government changes in 2020, Services Australia manages, maintains and undertakes development of COS. Changes have been made to COS over time, including the addition of modules to support the Commission’s functions. Internal advice to the ELT in July 2022 reported that COS had functionality gaps and had been non-compliant with Australian Government record keeping and metadata requirements since 2018. In response to this advice, the ELT agreed ‘in-principle’ that, as a short-term solution to risks associated with information management functionality gaps, data from COS be manually transferred to ARC pending an upcoming Digital and Data Strategy and project.

2.12 In December 2022 the Digital and Data Strategy project reported the following gaps in the NDIS Commission’s capabilities to the ELT:

  • limited ability to manage workflow activities and track progress with applications and complaints;
  • extensive off-system usage across the main operational functions with various workarounds used to complete operational tasks29;
  • limited ability to identify and manage risks based on individual cases or systemic risk;
  • the current systems reinforce functional silos and do not support effective operations and information sharing; and
  • lack of automation of simple activities leading to lost time and repetition of processes.

2.13 In December 2022 the ELT endorsed ‘in-principle’ the Data and Digital Strategy, including a technology investment roadmap for new capability delivery, subject to the Commission’s consideration of ELT comments and feedback. The ELT did not approve the final Strategy.

2.14 An August 2024 outsourced ‘Enterprise Prioritisation Model’ report (see further discussion from paragraph 3.38) assessed that COS was an ‘inadequate’ supporting system and noted ‘a significant occurrence of off-system matter data because of the low capability of the COS system.’

2.15 The NDIS Commission’s information management systems do not support the collection of accurate, integrated and reliable information on regulated entities, activities and individuals supports. Such information is important to inform regulators in assessing risks of non‐compliance and the development of targeted compliance and enforcement strategies.30 As discussed in paragraph 1.14, the Commission was allocated $160 million in the 2024–25 Federal Budget for technological uplift under the DART project.

Information correlation and analysis

2.16 Sources of information and intelligence received by the NDIS Commission include complaints; reportable incidents; tip-offs; social media and open-source intelligence scans and alerts; NDIA data (including participant, linked provider, payment and claims data); Australian Securities and Investments Commission data; the Australian Business Register data; criminal history checks; and data from the Australian Financial and Security registers.

2.17 The NDIS Commission had not established a strategic framework or formalised processes for its analysis activities. The NDIS Commission has undertaken activities to analyse the information it has gathered, through developing intelligence products and conducting own motion inquiries.

Intelligence products

2.18 The NDIS Commission established a Risk, Intelligence and Delivery Team in September 2023. Since September 2023, the Commission has produced intelligence products, including intelligence briefs, intelligence assessments, intelligence alerts and entity summaries.

2.19 The Commission develops intelligence products when information is received indicating regulatory risks, or on internal request from areas within the Commission. Products are disseminated to relevant areas within the Commission and uploaded to ARC. Guidance was available to Commission staff on producing the intelligence products, including templates for developing information reports, intelligence assessments, entity summaries and information assessments.

2.20 In July 2024, the NDIS Commission advised the ANAO that, due to system limitations, it does not conduct automated risk-profiling or assign risk ratings to individual providers. The Risk, Intelligence and Delivery Team produces entity summaries on request from other areas within the Commission to inform decisions across all functions of the Commission including compliance and enforcement, complaints and reportable incidents. The entity summary report template contains the caveat: ‘The analysis in this report utilises data and information available at the time of preparation. The information in this document is NOT EVIDENCE and intended as a basis for further consideration.’ In April 2025, the NDIS Commission further advised the ANAO that:

This product provides a single view of a provider and was developed to assist compliance teams who were struggling with the limitations of the Commission Operating System (COS) to get a holistic view of a provider. This product brings together data from across multiple modules of COS as well as data held in the warehouse that isn’t readily accessible to all Commission staff (due to lack of systems to extract and synthesize the data).

2.21 The Risk, Intelligence and Delivery Team priorities from October 2024 related to: improving data accuracy and quality controls; streamlining information sharing between government entities; producing information reports to feed into the intelligence cycle; and providing ‘tactical/operational support’ to specific investigations or compliance matters. In November 2024, the NDIS Commission advised the ANAO that it was developing an ‘Intelligence Hub’ to centrally house all intelligence products relating to NDIS providers and environmental risks, and to provide an avenue for assessment of systemic and emerging risk. In August 2025, the Commission advised the ANAO that the Intelligence Hub continued to be in the testing phase.

Own motion inquiries

2.22 Section 29 of the National Disability Insurance Scheme (Complaints Management and Resolution) Rules 2018 and section 27 of the National Disability Insurance Scheme (Incident Management and Reportable Incidents) Rules 2018 allow the NDIS Commissioner to authorise an own motion inquiry into a complaint or reportable incident, or a series of complaints or reportable incidents relating to supports delivered by NDIS providers.

2.23 Between 1 July 2022 and 30 April 2025, the NDIS Commission conducted three own motion inquiries. Table 2.1 outlines the purpose and dates of these inquiries.

Table 2.1: Own motion inquiries published by the NDIS Commissioner

Own motion inquiry title

Date published

Purpose

Own motion inquiry into aspects of supported accommodation

January 2023

To enable the NDIS Commissioner to identify trends in issues that are occurring in supported accommodation, what is causing those issues, models of best practice to eliminate or address these issues, and how the NDIS Commission can use its powers to support the delivery of higher standards of support in these settings.

Own motion inquiry into platform providers in the NDIS marketa

September 2023

To understand the experience of participants that use platform providersb

Own motion inquiry into support coordination and plan management, part 1

August 2023

To examine the NDIS Commission’s complaints and reportable incidents data to identify quality and safeguarding concerns in support coordination and plan management, and to identify the positive contribution good support coordination and plan management can make to quality and safeguarding in the NDIS.

     

Note a: The own motion inquiry into platform providers in the NDIS market was conducted under the Commissioner’s core functions assigned by the NDIS Act, and not under the inquiry powers established by the NDIS Rules.31

Note b: ‘Platform provider’ refers to a NDIS provider that uses a profile-based platform to connect participants with workers to deliver NDIS supports, for example via an app or website where participants and workers create a ‘profile’. Platform providers may be registered or unregistered NDIS providers.

Source: ANAO representation of NDIS Commission documentation.

2.24 In October 2024, the NDIS Commission advised the ANAO that ‘There is no formal standard approach for establishing Own Motion Inquiries (OMI)’ and that ‘Once an OMI is published, an Action Plan is developed to track organisational accountability and progress against any recommendations made and to support the consequent evaluation process.’ Action plans had not been developed for the two own motion inquiries into aspects of supported accommodation and platform providers. As at August 2025, the Commission was undertaking part 2 of the own motion inquiry into support coordination and plan management. Part 2 of the own motion inquiry is an action plan based on Part 1 of the own motion inquiry into support coordination and plan management.

Recommendation no.1

2.25 To support intelligence and information analysis, the NDIS Commission implement:

  1. an overarching risk-based plan to guide information analysis and correlation activities; and
  2. guidance on establishing and conducting own motion inquiries.

NDIS Quality and Safeguards Commission response: Agreed.

2.26 The NDIS Commission has begun the process of improving communication and engagement to better synergise the various intelligence related functions operating within the Commission. Bringing together fortnightly round table meetings of staff from Fraud Fusion Taskforce, Data and Insights, Risk Intelligence and Delivery and Market Insights areas. This group will work towards planning and delivering a more unified approach to intelligence analysis across the business, taking into consideration the diverse functions of the NDIS Commission. The first formal meeting is taking place on the 22 July 2025. The anticipated implementation date of governance oversight and processes for intelligence is Quarter 4 of financial year 2025–26.

2.27 In addition to the Own motion inquiries (OMI) initiated at the Commissioner’s discretion, the new Risk-Based Regulation Prioritisation Model is piloting assessment of systemic risks by a whole-of-Commission decision-making panel. The panel would recommend planned interventions including OMI for decision by the Commissioner. If this pilot process of establishing and conducting OMIs is successful, guidance documents will document this process. The anticipated implementation date is Quarter 4 of financial year 2025–26.

Information assurance arrangements

Australian Data and Digital Strategy reporting

2.28 The Australian Data and Digital Strategy, published in December 2023, is ‘the first combined data and digital strategy for the Australian Government, as a blueprint for the use and management of data and digital technologies through to 2030.’32 The strategy commits Government to ‘growing data and digital maturity in [Australian Public Service] entities.’

2.29 In July 2024 the NDIS Commission completed a Data Maturity Assessment Tool developed by the Department of Finance to support delivery of the Data and Digital strategy. The assessment scores are presented at Table 2.2. The Commission noted it had low data maturity and that the DART project alongside the Commission’s business-as-usual work would address the data maturity issues. The Commission does not have a target for data maturity over time. The Commission intends to compare results from subsequent years to assess data maturity improvement.

Table 2.2: Data Maturity Assessment — Mean maturity scores

Category

Mean score

Data analytics

1.0

Data management – Architecture

0.8

Data management – Integration

2.0

Data management – Operations

1.3

Data management – Risk

3.2

Data management – Strategy and governance

1.8

Data quality management

0.3

Master and reference data management

1.0

Metadata management

1.3

   

Note: The minimum maturity score in each category is zero. The maximum maturity score in each category is five.

Source: ANAO representation of NDIS Commission documentation.

Data quality activities

2.30 In July 2024 the NDIS Commission conducted an internal data quality review of compliance and investigation matters created in COS between 1 July 2023 and 30 June 2024.33 The review was conducted to support improved data entry and address data errors. The review included analysis of: compliance and investigation matters by source and risk rating; assignment status by source and risk rating; matters allocated to states and territories; and number of each type of regulatory action taken. The review identified 118 data entry errors to be rectified.

2.31 In September 2024, the NDIS Commission advised the ANAO that it does not conduct quality reviews on other data held in COS or regularly assess the quality of the information needed to support effective regulation. The NDIS Commission Data Quality Framework was endorsed by the Executive Management Group in November 2024. In April 2025 the NDIS Commission advised the ANAO that it is currently conducting a systemic Data Quality Assessment, which includes development of quality profiles to support ongoing monitoring.

Has the NDIS Commission established and implemented arrangements to facilitate information sharing with relevant stakeholders?

The NDIS Commission has arrangements to share information with Australian Government entities, including the NDIA, and state and territory government entities. Documentation supporting these arrangements is not complete. The disclosure record for information shared does not meet the requirements of the National Disability Insurance Scheme Rules 2018. The NDIS Commission shares information and seeks feedback from the disability sector through stakeholder engagement committees and undertakes a range of activities to assist voluntary compliance. The NDIS Commission undertook stakeholder sentiment surveys in 2023 and 2024 to assist in assessing whether the activities of the Commission were meeting the needs of the sector. Responses to the 2024 survey indicated 24 per cent of respondents trusted the Commission ‘a lot’ or ‘completely’ to provide support if there are issues with NDIS services. Forty per cent of respondents ‘moderately’ trusted the Commission; and 18 per cent trusted the Commission ‘a little’ to provide this support.

Information sharing arrangements

2.32 The NDIS Commission has had a national Engagement Plan since January 2021. The plan aimed to provide transparent, timely, clear and appropriate communications and engagement with key stakeholders, including participants, peak bodies, government agencies and providers. In September 2022, the engagement plan was replaced by the Engagement Strategy 2022–23, which outlined engagement principles and approaches for various stakeholder groups. A draft 2024 Communications and Engagement Framework was prepared for ELT approval in February 2024 and was not finalised. The draft framework recommended engagement actions for the Commission to communicate effectively with different stakeholder groups and proactively manage risk in the disability sector.

2.33 The NDIS Commission Engagement Principles were agreed by the ELT in June 2024 and published on the Commission’s website in July 2024.34 The Engagement Principles outline the Commission’s goals, approach and methods to support the prioritisation of engagement with at risk and hard to reach stakeholder groups. In April 2025 the Commission advised the ANAO that the engagement principles ‘guide all Commission staff in how to undertake engagement activities in their operational work’ and that they ‘guide BAU [business-as-usual] activities of the Commission, including the design and delivery of regulatory campaigns and consultation on proposed reforms.’

Arrangements with Australian Government entities
Statement of intent for information disclosure

2.34 Subsection 67A(3) of the NDIS Act provides for the disclosure of protected Commission information to the NDIA.35 In July 2018, the NDIS Commission and the NDIA agreed to a Statement of Intent for Information Disclosure between the NDIA and the NDIS Commission. The statement established overarching principles to guide the sharing of information between the entities in accordance with the NDIS Act and Privacy Act.

2.35 Between July 2019 and March 2020, to support information and intelligence sharing under the Statement of Intent for Information Disclosure, the Commission and the NDIA established five joint operational protocols covering:

  • market stewardship and oversight (updated December 2020);
  • complex supports (updated June 2021);
  • regulatory interfaces (provider registration, fraud and compliance) and addendums (updated September 2022);
  • complaints handling and reportable incidents (updated June 2023); and
  • data access and transfer (updated September 2023).

2.36 All protocols specify information sharing roles and responsibilities, the information to be disclosed, and relevant legislation. Two protocols define protected NDIS Commission and NDIA information. One protocol sets out a matrix for expected response times based on risk. Three protocols provide options for the entities to specify response timeframes.

2.37 The NDIS Commission and the NDIA agreed via the statement of intent to review the statement and joint operational protocols ‘within three months of implementation and every 12 months thereafter or more frequently as indicated.’ In June 2023 the NDIS Commission engaged an external consultant, on behalf of the NDIA and the Commission, to review the joint operational protocols and recommend improvements.36 The review recommended that the protocols be ‘consolidated into one document that clearly articulates its purpose and scope’ and that aims to facilitate effective information sharing and decision-making to mitigate risks to NDIS participants. In response to the review and in line with the ministerial direction issued in October 2023 (discussed at paragraph 3.4), the Commission and the NDIA drafted an overarching Joint Operational Protocol dated March 2025. The Joint Operational Protocol, including seven supporting schedules, was finalised on 23 May 2025.

2.38 The 2023 review also recommended that the Statement of Intent for Information Disclosure between the NDIA and the NDIS Commission ‘be reviewed to reflect the current NDIS environment and Participant-centric objectives.’ It also noted that ‘Ideally any Statements would be signed by the current heads of each agency at any time.’ The statement of intent set out that the Commission and the NDIA would ‘achieve close cooperation by holding regular meetings to oversee the operation and refinement of the Statement of Intent and Operational Protocols’. Between July 2018 and April 2025, meetings between the Commission and the NDIA were held in August 2024, November 2024 and February 2025. As at August 2025 the statement of intent had not been reviewed. The NDIS Commission advised the ANAO in August 2025 that the Joint Operational Protocol and supporting schedules enable the exchange of information to occur between the Commission and the NDIA. The Commission further advised that elements of the 2018 Statement of Intent have been superseded by the Joint Operational Protocol and work is underway to update the Statement of Intent.

Opportunity for improvement

2.39 The NDIS Commission, in partnership with the NDIA, could review the Statement of Intent for Information Disclosure between the NDIA and the NDIS Commission to ensure the statement reflects the current operating environment and is consistent with the changes set out in the Joint Operational Protocol.

Memoranda of understanding

2.40 The NDIS Commission has memoranda of understanding to support information sharing with the Australian Competition and Consumer Commission (ACCC), dated February 2024; and the Australian Health Practitioner Regulation Agency (Ahpra), effective from 22 June 2021. In June 2024, the NDIS Commission could not confirm whether information had been shared with Ahpra under the Memorandum of Understanding (MoU). In August 2025 the NDIS Commission advised the ANAO that an MoU with the Aged Care Quality and Safety Commission was being consulted on.

2.41 The Commission is party to the Fraud Fusion Taskforce, established in the October 2022–23 Federal Budget to address fraud and serious non-compliance in the NDIS.37 The Fraud Fusion Taskforce MoU, dated 5 June 2023, aims, among other things, to facilitate the exchange of data, information and intelligence between entities to achieve the taskforce’s purpose. The MoU refers to the protected information provisions of the NDIS Act and agrees that parties will comply with the NDIS Act and relevant privacy and secrecy laws. The MoU states that it commences once it is signed by a minimum four entities, including the NDIA and Services Australia. The Commission does not hold a copy of the MoU signed by other entities and therefore does not have the enabling documentation completed to support the work of the taskforce.

Other arrangements

2.42 The NDIS Commission has arrangements in place to access databases of the Australian Federal Police (the Australian Federal Police database), the Australia Taxation Office (the Australian Business Register Explorer database) and the NDIA (the NDIS Commission Search Tool database). The Commission had separate internal polices to guide this access. The Commission is developing an overarching internal policy to facilitate a consistent process for the access and receipt of protected information from all partner agencies.

Arrangements with state and territory government entities

2.43 The NDIS Commission has internal guidance, dated December 2020, on information sharing between the Commission and state and territory government entities. The guidance is intended to inform a national approach to information sharing and includes: information sharing principles; protected information provisions; NDIS Act and Privacy Act obligations; and an Information Disclosure Notice template. As at February 2025 the NDIS Commission had 79 agreements (in the form of information disclosure schedules) in place with state and territory government entities and area health services. Information disclosure schedules detail the type of information that may be requested, the legislative mechanisms that enable information disclosure, and the process of disclosure.

2.44 As at August 2025 the Commission was undertaking work to review the memoranda of understanding and information sharing arrangements with Commonwealth and state and territory stakeholders.

Record keeping for information disclosures

2.45 Section 13 of the National Disability Insurance Scheme (Protection and Disclosure of Information—Commissioner) Rules 2018 (Disclosure Rules) sets out that if ‘the Commissioner discloses NDIS information under section 67E of the Act (other than subparagraph 67E(1)(b)(ii)), the Commissioner must ensure that a record of that disclosure is made’. This record must include: a description or summary of the information disclosed; the recipient and purpose of the disclosure; details of the request for information; and a summary of the decision if there was an exception not to de-identify personal information or consult with the affected individual.38

2.46 The NDIS Commission developed A Guide to Disclosure of Information, dated June 2024; and a Staff Guide to Protected Commission Information and Information Disclosure, dated November 2022. These guidance documents define protected Commission information, circumstances and methods for authorised disclosures, and consequences of unauthorised disclosures.

2.47 The NDIS Commission retained an Information Disclosure Record of its disclosures to federal, state and territory government entities under section 67E of the NDIS Act. The Commission’s ‘Guide to Disclosure of Information’ established this as the ‘Commission’s section 67E record’. For the period July 2018 to March 2025 the Information Disclosure Record recorded 224 disclosures (summarised at Table 2.3).

Table 2.3: Summary of NDIS Commission disclosures under section 67E the NDIS Act for the period July 2018 to March 2025

Relevant subsection from section 67E of the NDIS Act

Number of disclosures

Disclosure for purposes of Commonwealth Department or authority —subparagraph 67E(1)(b)(i)

74

Disclosure for purposes of State/Territory Department or authority — subparagraph 67E(1)(b)(iv)

85

Disclosure to State/Territory Department or authority with responsibility for people with disability — subparagraph 67E(1)(b)(iii)

9

Disclosure in the public interest — paragraph 67E(1)(a)

40

Disclosure with consent — subparagraph 67E(1)(b)(ii)

1

Not specified

15

Total

224

   

Source: ANAO analysis of the NDIS Commission Information Disclosure Record.

2.48 Disclosures set out in the Information Disclosure Record were inconsistent with the requirements of section 13 of the Disclosure Rules.

  • Six records did not include a description or summary of the information disclosed (paragraph 13(2)(a)).
  • Two records did not state the recipient of the disclosure (paragraph 13(2)(b)).
  • Six records did not include the purpose of the disclosure (paragraph 13(2)(c)).
  • ‘External request’ records did not consistently capture details of the disclosure request (paragraph 13(2)(d)) and the Information Disclosure Record document did not provide a field to capture this information.
  • One hundred and eighty three records captured decisions not to de-identify personal information and not to consult affected individuals before disclosing NDIS information under an exception in subsections 10(3), 11(6) or 11(7) of the Disclosure Rules. Of the 183, eight of these records did not state whether an exception applied.

2.49 The Information Disclosure Record did not include a disclosure to the Aged Care Quality and Safeguards Commission in June 2024 that was specified as being made under section 67E of the NDIS Act in Commission documentation. The Commission did not have a quality assurance process for the Information Disclosure Record to ensure the accuracy and completeness of the record to meet the requirements of section 13 of the Disclosure Rules.

Recommendation no.2

2.50 The NDIS Commission develop and implement a quality assurance process to meet legislative requirements and ensure completeness of the information disclosures record.

NDIS Quality and Safeguards Commission response: Agreed.

2.51 The NDIS Commission has commenced work on a quality assurance process and established a working group to progress. The anticipated implementation date is Quarter 3 of financial year 2025–26.

Stakeholder engagement with the disability sector

2.52 Between July 2022 and April 2025, the NDIS Commission engaged with the disability sector via committees, and through mechanisms to promote voluntary compliance and seek feedback.

Stakeholder engagement committees

2.53 The NDIS Commission had established stakeholder engagement committees through which it shared information and consulted with representatives from the disability sector, as set out in Table 2.4.

Table 2.4: NDIS Commission stakeholder engagement committees active between November 2019 and April 2025

Committee

Timeframe active

Membership

Purpose

Planned meeting frequency

Disability Sector Consultative Committeea

November 2019 to November 2022

Representatives from disability sector organisations

Chair: NDIS Commissioner

To provide high-level evidence-based advice to the Commissioner on national issues, which influence the delivery of quality and safe NDIS supports and services.

Three times per year or more frequently if required

Industry Sector Consultative Committeea

November 2019 to November 2022

Representatives from disability industry sector organisations

Chair: NDIS Commissioner

To provide high-level evidence-based advice to the Commissioner on national issues, which influence the delivery of quality and safe NDIS supports and services.

Three times per year or more frequently if required

Consultative Committeeb

Since August 2023

People with disability, NDIS providers, disability representatives, disability advocacy organisations, disability researchers, people with experience in governance and regulation

Chair: NDIS Commissioner

To help the NDIS Commission make decisions and develop informed policy about the role and functions of the NDIS Commission. The Committee connects people from the NDIS Commission with stakeholders to ensure that the voice of the participant is considered as part of the decision-making process and the development of policy.

Four times per year

         

Note a: The Disability Sector Consultative Committee and the Industry Consultative Committee were retired in November 2022 and replaced by the Consultative Committee in August 2023.

Note b: The Consultative Committee was active as at April 2025.

Source: ANAO representation of NDIS Commission documentation.

2.54 Between July 2022 and November 2022, the Disability Sector Consultative Committee and Industry Sector Consultative Committee met in accordance with their respective terms of reference. No meetings were held between November 2022 and August 2023, when governance arrangements for the committees changed. Between August 2023 and March 2025, the Consultative Committee met six times, largely in accordance with timeframes set out in the committee’s terms of reference.

2.55 Minutes were not recorded for the four Disability Sector Consultative Committee and Industry Sector Consultative Committee meetings held in the period reviewed by the ANAO. Minutes for the Consultative Committee meetings held since August 2023 were recorded and Communiques from these meetings were also available on the Commission’s website. The Commission advised the ANAO in April 2025 that committee outcomes and actions have informed Commission activities including: changes to the complaints function; website updates; educational videos; activities of the Fair Price Taskforce and campaign; updating participant and provider information packs; and the establishment of Reconciliation and Disability Action Plans.

Mechanisms promoting voluntary compliance and seeking feedback

2.56 The NDIS Commission undertook a range of activities promoting voluntary compliance and sharing information with the disability sector. These activities included webinars, Communities of Practice sessions, Disability Advocacy Forums, and newsletters.39 The Commission also: conducted meetings and training with individual providers, health services and peak bodies; responded to email and phone enquiries; engaged in social media; and published media releases. The Commission also published information online including practice alerts40, policy guidance, and participants fact sheets. The NDIS Commission tracked participation in these activities and social media engagement.

2.57 Between July and October 2023, the Commission sought feedback on the quality of consumer information via six disability advocacy focus groups and 19 focus groups of people living with disability. The Commission sought views about what makes a service or support safe and good quality; how useful the current information provided by the Commission was; what information participants already used; what new information was needed; and how to best increase participant awareness of their rights and make it easier to raise concerns with their provider or the Commission.

2.58 The NDIS Commission undertook stakeholder sentiment surveys in 2023 and 2024. The surveys explored the views and experiences of people with disability, representatives, advocates, providers, workers and the public interacting with the Commission. The surveys were primarily conducted to provide data for reporting against the Commission’s performance metrics, including stakeholder-related performance. Performance reporting is discussed in Chapter 4.

2.59 The 2023 stakeholder sentiment survey resulted in 1,908 surveys completed from 9,889 invitations to stakeholders who interacted with the NDIS Commission, representing a response rate of 19 per cent. The 2024 stakeholder sentiment survey resulted in 10,949 completed surveys from a broader range of NDIS Commission stakeholders than the 2023 survey, including those who interacted with the NDIS Commission and those who did not. The 2024 survey used a different methodology so results were not directly comparable with the 2023 survey.

2.60 The 2024 results indicated that awareness of the Commission varied between 64 per cent for people with disability to 97 per cent for NDIS service providers. Eighty-three per cent of survey respondents indicated that they trust the Commission between ‘a little’ and ‘completely’ to provide support if there are issues with NDIS services — 24 per cent indicated ‘a lot’ or ‘completely’ trusted the Commission; 40 per cent ‘moderately’ trusted the Commission; and 18 per cent trusted the Commission ‘a little’. Thirty-eight per cent of NDIS participants, and 39 per cent of people with disability and representatives, ‘trust’ or ‘strongly trust’ the NDIS Commission to fulfill its role and functions. Fifty-four per cent of providers and 50 per cent of workers indicated that they ‘trust’ or ‘strongly trust’ the Commission.

3. Risk-based approach to regulatory decision-making

Areas examined

This chapter examines whether the NDIS Quality and Safeguards Commission (NDIS Commission, or Commission) had developed a risk-based strategy to guide regulatory decision-making.

Conclusion

Regulatory decision-making is not guided by a risk-based strategy. Since commencing operations in 2018 and becoming a national operation in 2021, the Commission has not established a framework for assessing, prioritising and managing risks of provider non-compliance. In the absence of a regulatory risk framework and assessment of regulatory risks, the Commission’s overarching compliance and enforcement approach and regulatory decision-making has not been informed by risk.

Areas for improvement

The ANAO made three recommendations to the Commission aimed at strengthening the Commission’s risk-based approach to regulatory decision-making, including through an updated Ministerial Statement of Expectation and corresponding regulator Statement of Intent; improving management of non-compliance risks; and developing a risk framework to inform compliance actions.

3.1 Paragraph 181D(4)(b) of the National Disability Insurance Scheme Act 2013 (NDIS Act) requires the NDIS Quality and Safeguards Commissioner (NDIS Commissioner, or Commissioner) to use their best endeavours to ‘conduct compliance and enforcement activities in a risk responsive and proportionate manner.’ Best practice regulators take a risk-based approach to compliance activities and are informed by data, evidence and intelligence. Regulators that assess the risk of non-compliance are better positioned to focus limited resources on areas of greatest impact.41

Has the NDIS Commission developed a compliance and enforcement strategy and program of work informed by risk?

The Minister for the NDIS issued a Statement of Expectations to the NDIS Commissioner on 20 December 2022 and the NDIS Commissioner responded with a Statement of Intent dated March 2023. The NDIS Commission has not sought a new Statement of Expectations consistent with government expectations of regulators. The Commission published annual compliance priorities for 2019–20 to 2021–22, 2023–24 and 2024–25. The compliance priorities are not risk-based or informed by data and the Commission has not established arrangements to address or report on specific priorities. The Commission has an overarching approach to compliance and enforcement through the Regulatory Approach, Operating Model and Compliance and Enforcement Policy. These are not informed by risk.

Ministerial Statement of Expectations and Regulator Statement of Intent

3.2 Resource Management Guide 128: Regulator Performance (RMG 128) describes the purpose of Ministerial Statements of Expectation and Regulator Statements of Intent. Ministerial Statements of Expectations:

are issued by the responsible Minister to a regulator or an entity with regulatory functions, to provide greater clarity about government policies and objectives relevant to the regulator’s statutory objectives and how it conducts its operations. The regulator responds to a Ministerial Statement of Expectations with a Regulator Statement of Intent that, in turn, identifies how it will deliver on the Government’s expectations.42

RMG 128 sets out an expectation that a Ministerial Statement of Expectations will be issued or refreshed every two years, or earlier if there is a change in minister or change in regulator leadership.

3.3 The Minister for the NDIS (the minister) issued a Statement of Expectations to the NDIS Commissioner on 20 December 2022. The Statement of Expectations included the expectation that the Commission ‘strengthen compliance and enforcement operation in a proportionate risk-based manner, and prevent and respond to non-compliance with responsive risk-based regulatory approaches.’43 The NDIS Commissioner responded with a Statement of Intent dated March 2023.44 The Statement of Intent did not specify how the Commission would meet this expectation.

3.4 On 13 October 2023, the minister issued a direction to the NDIS Commissioner under subsection 181K(1) of the NDIS Act.45 The ministerial direction included, among other matters, a direction for the Commissioner to respond to a statement of expectations, if issued, within 28 days by providing a statement of intent detailing how the Commissioner intends to meet the minister’s expectations; and a direction to report to the minister every three months on the progress of the intended actions contained in any statement of intent provided to the minister. Between October 2023 and July 2024 the NDIS Commissioner reported progress against the statement of intent to the minister on four occasions at three monthly intervals (reporting required under the ministerial direction is discussed further at paragraphs 4.67 and 4.68).

3.5 A new Commissioner was appointed on 1 October 2024 and a new minister was appointed on 20 January 2025. A new statement of expectations was not prepared or issued.46 On 13 May 2025, there was a further change in minister with two minsters for the NDIS appointed.47 To meet government expectations set out in RMG128, a new statement of expectations is needed.

Recommendation no.3

3.6 The NDIS Commission:

  1. prepare for a refreshed Ministerial Statement of Expectations with close engagement with the appropriate minister and portfolio secretary; and
  2. prepare and issue a responding Regulator Statement of Intent in a timeframe consistent with the Direction to the NDIS Quality and Safeguards Commissioner under section 181K of the National Disability Insurance Scheme Act 2013 – No. 1/2023.

NDIS Quality and Safeguards Commission response: Agreed.

3.7 With the recent appointment of Minister for Health and Ageing, Disability and the National Disability Insurance Scheme the Hon Mark Butler and the Minister for the National Disability Insurance Scheme Senator the Hon Jenny McAllister, the NDIS Commission has begun the process of engaging with the portfolio agency the Department of Health, Disability and Ageing to support drafting of the Statement of Expectations.

3.8 This will be worked through at an officer level working group to ensure close engagement during drafting of a Ministerial Statement of Expectations and a timely responding Regulator Statement of Intent.

Compliance and enforcement strategy

Regulatory approach

3.9 The NDIS Quality and Safeguards Commission Regulatory Approach (Regulatory Approach), published in January 2023, defines the Commission’s regulatory intent.48 The Regulatory Approach states that it builds on the NDIS Quality and Safeguards Commission Strategic Plan 2022–202749 to define the focus of the Commission’s regulatory activity and strategies used to conduct effective and efficient regulation. It also states that the Commission’s ‘regulatory considerations align with our areas of focus as detailed in the Strategic Plan.’

3.10 The Regulatory Approach sets out three regulatory approaches the NDIS Commission intends to focus on: high intensity responses, targeted campaigns, and regulatory activities (defined at paragraph 3.13). A range of reactive and proactive regulatory levers and tools are identified for the NDIS Commission to meet its regulatory intent.50

3.11 The Regulatory Approach was updated in March 2024 to include a Human Rights Action Statement and five risk priorities (discussed from paragraph 3.35). The updated Regulatory Approach was published on the NDIS Commission website in August 2024.51

Operating Model

3.12 The Regulatory Approach committed: ‘To support our regulatory approach we will implement a new operating model, to maximise our resources in a way that is focussed on the best outcomes for people with a disability.’ The NDIS Quality and Safeguards Commission Operating Model (Operating Model), published internally in January 2023, sets out the framework, regulatory functions, and the Strategic Plan principles that guide how the NDIS Commission achieves its regulatory objectives. The Operating Model characterises the Commission’s approach to regulation, including enforcement and compliance, as risk-based and cross references RMG 128.

3.13 Consistent with the Regulatory Approach, the Operating Model sets out the three regulatory approaches the Commission intends to focus on.

  • High intensity responses are action-orientated immediate responses to situations where participants are at severe risk.
  • Targeted campaigns are data-driven responses to emerging risks, with work seeking to manage current and future issues and promote best practice.
  • Regulatory activities are risk-based responses to situations where participants or markets are at risk, as well as the day-to-day regulatory work of the NDIS Commission.

3.14 The Operating Model sets out three ‘high level processes’ that outline steps to deliver each of the regulatory approaches. The processes outline key roles, responsibilities and that outcomes should be assessed to inform future activities. The Operating Model does not set out detailed procedures.

3.15 On 24 January 2023, the Commission’s Executive Leadership Team (ELT) noted internal advice that ‘The NDIS Commission currently makes little use of data to inform the identification of emerging risks’ and that the Commission would need to ‘significantly increase’ its data analysis capability to support the delivery of the Operating Model. The ELT also noted internal advice that the Operating Model was designed to enable implementation of the Commission’s regulatory approaches, and that it ‘explains to Providers, workers, participants and the public, how the Commission will regulate the industry in the best interests of NDIS participants.’ The ELT agreed to provide feedback on the Operating Model by 31 January 2023 and that there would be an additional discussion with a view to approve the Operating Model. Additional discussion did not take place and there is no record of the model’s approval.

3.16 The document was not made publicly available as intended. The Commission advised the ANAO in April 2025 that the Operating Model was an internal document on how it operationalises the Regulatory Approach, which may change with the development of the Enterprise Prioritisation Model (discussed from paragraph 3.38). While external publication is not a legislated requirement, RMG 128’s best practice guidance states that ‘Transparency in process supports community trust by demonstrating a regulator’s priorities and integrity. Regulators should clearly communicate regulatory processes and be transparent about the decision-making criteria.’52

Compliance and Enforcement Policy

3.17 The NDIS Commission Compliance and Enforcement Policy, dated November 2022, was in effect until September 2024 when it was updated.53 The NDIS Commission advised the ANAO in September 2024 that two prior versions of the Compliance and Enforcement Policy were developed in 2018 and 2019. There was no record of the 2018 policy or the final 2019 policy.

3.18 The 2022 Compliance and Enforcement Policy stated compliance and enforcement actions are determined on a case-by-case basis and take into account the seriousness of the issue, the appropriateness of the response and the likelihood of further harm.54 The Policy stated that ‘The NDIS Commission will take a responsive and proportionate approach to regulation, applying the strongest actions to the most serious issues and breaches.’

3.19 The 2022 Compliance and Enforcement Policy set out ‘integrated strategies’ to achieve the Commission’s objectives, including to ‘analyse emerging risks to identify potential market risks to inform compliance and enforcement measures, and identify priorities for regulation.’55 The 2022 Policy does not detail how these strategies would be implemented including roles, responsibilities or timeframes. The 2022 Policy also set out the range of administrative and court-based compliance and enforcement actions available to the Commission.56

3.20 In 2023–24 the NDIS Commission reviewed the Compliance and Enforcement Policy as part of the Operational Policy and Practice Optimisation Project (discussed from paragraph 4.56) and published an updated Compliance and Enforcement Policy, dated September 2024. The 2024 Compliance and Enforcement Policy establishes overarching compliance and enforcement principles.57 One principle, ‘risk-based, proportionate and intelligence led,’ states that the Commission’s compliance priorities (discussed from paragraph 3.21) inform targeted compliance and enforcement activities in response to identified risks and known harms. The 2024 Policy aligns with the Commission’s Regulatory Approach, reiterating the regulatory levers and approaches available to the Commission.

Compliance priorities

3.21 Establishing annual compliance priorities (also referred to as ‘compliance and enforcement priorities’ and ‘regulatory priorities’) is one way regulators may prioritise resources on areas of highest risk.58 The NDIS Commission states that it ‘monitors time-critical or emerging areas of risk’ and ‘key quality and safeguarding issues’ that informs the development of compliance priority areas for the coming year.59

3.22 The NDIS Commission established the compliance priorities set out at Table 3.1 for 2021–22, 2023–24 and 2024–25. The NDIS Commission’s compliance priorities were not informed by risk or data, and the Commission does not have a process for setting compliance priorities. The Operating Model states that ‘the work within the regulatory activities process is informed by the NDIS Commission’s Compliance Priorities and Risk Assessments.’ The Commission did not complete any risk assessments to inform the regulatory activities process work.

Table 3.1: NDIS Commission compliance priorities

2021–22

2023–24

2024–25

Quality and safety in mealtime supports

Impact on participants of poor behaviour support plan qualitya

Quality and compliance relating to behaviour support plansa

Management of conflicts of interest

Participant choice and control in supported accommodationa

Quality and safe supports and services, including supported accommodationa

Safeguards for NDIS participants receiving assistance in their homes

Reducing and preventing fraud in the NDIS and risks to participantsa

Penalties for fraud or criminal conducta

Unauthorised restrictive practicesa

Issues and risks for participants through the use of unauthorised restrictive practicesa

Registered providers must follow registration conditions

Prevention of harma

Prevention of harm to participantsa

Rights of people with disability

COVID-19 preparedness and responsea

COVID-19 and other emergency management and responsea

N/A

Incident management and responsea

Incident management responsea

N/A

N/A

Participants living in supported boarding houses

N/A

     

Note a: Priorities that carried over from or overlapped with the previous year are highlighted.

Source: ANAO representation of the NDIS Commission’s Compliance Priorities.60

3.23 The Commission did not establish compliance priorities for 2022–23. Internal advice to the ELT in July 2023 stated that ‘New priorities were not established in 2022–23, however, the Commission continued in 2022–23 to undertake and reporting [sic] on regulatory activities aligned with 2021–22 priorities.’ The Commission reported internally on the 2021–22 compliance priorities on one occasion, in July 2023. Internal reporting on compliance priorities for 2023–24 did not take place. Compliance priorities were reported in the NDIS Commission’s Annual Report for 2021–22 but not for 2022–23 or 2023–24.

3.24 The 2021–22 priorities were approved by the acting Commissioner on 17 August 2021 and the 2023–24 priorities were approved by the ELT on 17 October 2023. Noting the ‘time-critical’ nature of the priorities and their role in addressing ‘key quality and safeguarding issues’ (see paragraph 3.21), delays in finalising annual compliance priorities creates risk that resources are not directed towards areas of highest risk. The 2024–25 compliance priorities were approved by the Deputy Commissioner, Regulatory Operations Division on 21 August 2024. The 2025–26 compliance priorities were approved by the Executive Management Group on 27 May 2025. The Commission advised the ANAO in August 2025 that the 2025–26 compliance priorities were published on 1 July 2025.

3.25 The NDIS Commission did not develop action plans responding to the 2021–22 compliance priorities in 2021–22 or 2022–23. The Commission developed an ‘action plan’ responding to one of the eight 2023–24 compliance priorities: COVID-19 and other emergency management and response. The Commission had action plans in place to respond to the 2024–25 compliance priorities.

3.26 The NDIS Commission advised the ANAO in January 2025 that, prior to the Regulatory Approach and the Operating Model, ‘compliance priorities (compliance and enforcement priorities) were the overarching guidance document for the Commission from 2019’. The compliance priorities, apart from those in 2023–24, were one to two page documents identifying high level focus areas, lacking strategic guidance on the Commission’s approach to compliance and enforcement or consideration of risk.

Recommendation no.4

3.27 The NDIS Commission:

  1. develop a process for setting compliance priorities to ensure they are risk-based;
  2. implement action plans to ensure that regulatory interventions are driven by compliance priorities;
  3. regularly report on compliance priorities and action plans, including publicly; and
  4. publicly outline its regulatory processes and decision-making criteria to support public understanding of how the Commission regulates the NDIS.

NDIS Quality and Safeguards Commission response: Agreed.

3.28 The NDIS Commission published its annual compliance priorities for 2025-26 on 1 July 2025. Regular reporting will be supported by the implementation of the Risk-Based Regulation Prioritisation Model. A communications plan has also been developed to support increased awareness and stakeholder engagement. The anticipated implementation date is Quarter 4 of financial year 2025–26.

Does the NDIS Commission have an appropriate framework for assessing, prioritising, and managing risks of non-compliance?

The NDIS Commission has not implemented a framework for assessing and managing regulatory risk. In its Corporate Plans for 2023–24 and 2024–25, the NDIS Commission reported on the management of two enterprise risks relating to provider non-compliance and participant harm. The Commission assessed these risks under the Enterprise Risk Management Framework, which was designed to assess and manage the Commission’s operational risks. In August 2024, the NDIS Commission updated the Regulatory Approach with five risk priorities that create an unacceptable risk of harm for participants if not addressed. After these priorities were endorsed, the Commission continued to have no overarching strategic approach to regulatory risk.

3.29 A best practice principle included in RMG 128 sets out that actions undertaken by regulators are proportionate to the risk of regulatory non-compliance being managed.61 Clear and consistent processes for understanding which regulated entities, activities and individuals pose the highest risk of non-compliance with regulatory requirements will position regulators to design and implement risk-based compliance programs.62 Regulators that assess the risk of non-compliance are better positioned to target regulatory activities towards areas of greatest impact.

3.30 Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires accountable authorities of Commonwealth entities to establish and maintain an appropriate system of risk oversight and management for the entity. The Commonwealth Risk Management Policy supports section 16 of the PGPA Act and complements RMG 128. The Commonwealth Risk Management Policy states that entities must embed risk management into decision-making, formalise their approach to risk management, and support a culture where risk is managed across all levels of the entity and individuals are encouraged to adopt positive risk behaviours.

Enterprise risk

Enterprise Risk Management Framework and Policy

3.31 The NDIS Commission has an Enterprise Risk Management Framework and Policy (Risk Management Framework), which describes the policy and organisational arrangements for the management of risk throughout the Commission to help meet its legislative and other Commonwealth requirements.63 The Risk Management Framework was developed by the Commission in 2018. It was reviewed and updated in June 2021 and again in January 2024. The Risk Management Framework was supported by the Enterprise Risk Management Guide, which detailed the practical application of enterprise risk management. The guide was developed in 2018 and updated in June 2021 alongside the Framework. In April 2025 the Commission advised the ANAO that a review of the guide commenced in 2024 and had not been completed ‘as financial pressures have necessitated the re-prioritisation of resources.’

3.32 The 2024 Risk Management Framework sets out risk management guiding principles and associated behaviours. These are intended to inform the development of plans to manage risk within NDIS Commission operations. Internal Commission documentation identified that the Framework ‘principally focusses on corporate risk such as loss of skilled personnel or capacity, financial or reputational impacts on the Commission or disruption to its services or systems.’ The Risk Management Framework does not link to the Regulatory Approach.

Corporate Plan reporting

3.33 The NDIS Commission published enterprise risks in its Corporate Plans for 2022–23, 2023–24 and 2024–25, along with high-level management arrangements addressing those risks. The Corporate Plans for 2023–24 and 2024–25 state that the NDIS Commission actively monitors and manages enterprise risk according to the Risk Management Framework.

3.34 Two enterprise risks reported in the Corporate Plans for 2023–24 and 2024–25 are ‘Participants’ rights’ and ‘Regulatory Approach.’ These include elements of regulatory risk, specifically provider non-compliance and participant harm. In the absence of a framework to assess, prioritise and manage the risks of provider non-compliance, it is difficult for the Commission to demonstrate regulatory activities are being targeted towards areas of greatest impact. In April 2025 the Commission advised the ANAO that it is ‘developing an Enterprise Prioritisation Model to take an enterprise-wide approach to risk and prioritisation’ (discussed from paragraph 3.38).

Regulatory risk

3.35 Commencing in mid-2023, the NDIS Commission undertook a ‘Regulatory Risk Review’ project, which consisted of an environmental scanning exercise to develop high level risk priorities to guide the assessment of regulatory risks. In October 2023, internal advice to the ELT proposing draft ‘priority risks’ noted that the Commission did not have an overarching strategic approach to regulatory risk. The advice also stated that a risk-based approach required the Commission to define key risks, prioritise regulatory activity and deploy resources based on the identified risks.

3.36 In December 2023, the ELT endorsed the priority risks and noted internal advice that ‘[t]he risk is that the NDIS Commission continues to have no overarching guidance for risk to promote a consistent national approach across functions.’ In March 2024, the ELT agreed that the priority risks be incorporated into the Regulatory Approach. The updated Regulatory Approach was published in August 2024 stating, ‘[t]he NDIS Commission has identified five priorities that pose an unacceptable risk of harm for participants if not addressed through policies, procedures and actions.’ The priority risks, published as ‘risk priorities’ are listed in Table 3.2.

Table 3.2: NDIS Commission risk priorities

Priority

Risk

Uphold participants’ rights, dignity and aspirations, and promote participants’ health safety and wellbeing.

Participants’ rights and ability to exercise choice and control in pursuit of their goals and the planning and delivery of their supports may be denied or undermined by provider or worker failings or misconduct, failure to support adequate decision making capacity or inadequate regulatory responses.

Safeguard participants against (i.e. identify, prevent and respond to) all forms of violence, exploitation, neglect and abuse including sexual violence and misconduct.

Participants’ safety may be put at risk and participants may be subject to violence, exploitation, neglect or abuse due to deliberate actions by providers, workers or support persons, or due to inadequate systems, knowledge or training.

Ensure providers and workers act with integrity, honesty and transparency and are suitable to enter, or remain in, the NDIS market.

Unsuitable persons may gain access to or remain in the NDIS market, causing harm to participants and undermining the integrity of the NDIS.

Promote quality by maintaining appropriately robust governance, records and operational management systems.

Participants may experience harm due to the failure of providers to implement and maintain a complaints management and resolution system or the failure to operate effective reportable incidents and information management systems or maintain appropriate and accurate records.

Deliver effective oversight to address NDIS market challenges.

Participants’ access to services and supports may be compromised by market challenges impacting growth, diversity, quality, cost of or accessibility to services and supports, or by inadequate stewardship, such as if the NDIS Commission does not work in collaboration with other regulators.

   

Source: ANAO representation of the NDIS Commission’s risk priorities.64

3.37 There was no project documentation for the Regulatory Risk Review project, including risk assessments underpinning the risks. The published ‘risk priorities’ did not include guidance on risk tolerances, treatments or controls to support the Commission to respond in a proportionate and efficient way to the harms being managed.

Enterprise Prioritisation Model

3.38 The NDIS Commission engaged consultants to develop an Enterprise Prioritisation Model (EPM).65 The EPM aims to set out a uniform approach to classifying the risk and priority of operational work coming into the Commission, to provide greater clarity for staff on how to assess risk, assign priority, triage and allocate work (referral of matters is discussed at paragraph 4.43). There was one consultant report on the EPM project, dated August 2024. There was no project plan for implementation of the EPM project; however, the Commission developed a project scoping paper, risk schedule and risk management plan for implementation of the EPM.

3.39 In April 2025 the NDIS Commission advised the ANAO that the EPM ‘will include assessing, prioritising and monitoring regulatory risks’ and that:

the model also focuses on the way we handle matters between operational teams and encompasses streamlined processes and workflows to prevent duplicated efforts, ensuring we get to the right work at the right time and regulate the safety and quality of NDIS supports and service for people with disability in a responsive fashion.

3.40 A draft EPM was circulated internally within the Commission in October 2024. The draft EPM consisted of a process whereby regulatory matters would be recorded, assessed and allocated for actioning according to prioritisation criteria for how ‘serious’, ‘systemic’ or ‘strategic’ a matter is. It did not include procedures, timeframes, or roles and responsibilities for intake and assessment processes. In August 2025, the NDIS Commission advised the ANAO that the ‘Enterprise Prioritisation Model’ was renamed to the ‘Risk-Based Regulation Prioritisation Model’ in July 2025. The NDIS Commission is implementing a phased approach to the roll out of the prioritisation model, with full implementation expected in October 2025.

Recommendation no.5

3.41 The NDIS Commission develop, document and maintain a framework to assess, prioritise and manage regulatory risks. Regulatory priorities should be underpinned by risk assessment, data and evidence. The framework should articulate how identified risks are managed in line with well-defined risk tolerances, risk-profiling, and appropriate compliance actions.

NDIS Quality and Safeguards Commission response: Agreed.

3.42 Since July 2024, the model has undergone testing and by the end of 2025, all complaints, incidents and enquires to the NDIS Commission will be assessed and managed using a new prioritisation model.

3.43 The model establishes a consistent, efficient and responsive process for prioritising matters based on the level of risk to NDIS participants.

3.44 It marks a shift from focusing on individual complaints and incidents to addressing broader systemic risks, aligning with best practice adopted by most Australian government regulators. We identify and evaluate risks based on:

  • impact on human rights and participant safety
  • provider or worker compliance with NDIS legislation and rules
  • alignment with strategic priorities or emerging risks.

3.45 The anticipated timeframe is in line with full implementation of the Risk-Based Regulation Prioritisation Model in December 2025.

4. Monitoring, compliance and enforcement

Areas examined

This chapter examines whether the NDIS Quality and Safeguards Commission (NDIS Commission, or Commission) has effectively implemented risk responsive and proportionate monitoring, compliance and enforcement activities.

Conclusion and findings

The Commission has implemented a range of compliance activities. It has not effectively implemented risk responsive and proportionate monitoring, compliance and enforcement activities. The Commission does not have oversight of all the NDIS providers delivering services in the market as there is no requirement for all providers to be registered. In the fourth quarter of 2024–25, 94 per cent of active providers were unregistered and received 42 per cent of plan managed NDIS payments.

  • The Commission’s arrangements to monitor the market and provider compliance did not include arrangements to monitor and mitigate the risks of unplanned service withdrawal — a core function of the NDIS Quality and Safeguards Commissioner (NDIS Commissioner, or Commissioner) under the National Disability Insurance Scheme Act 2013 (NDIS Act).
  • The Commission undertook 9,520 compliance actions in 2022–23; increasing 3.73 times in 2023–24 to 35,519 compliance actions. Additionally, the Commission has seen large growth in the number of complaints received from 16,305 in 2022–23 to 29,054 in 2023–24. The NDIS Commission does not have quality assurance processes for compliance activities. In the absence of a quality assurance program the Commission is not able to assess its effectiveness in detecting and addressing non-compliance.
  • The NDIS Commission had arrangements for executive oversight of annual performance although these were not fully executed. The Commission has developed a Planning and Performance Framework, but this does not address government expectations for regulators. Data reported in the Commission’s quarterly performance reports could not be reconciled with the data reported in the Commission’s 2023–24 Annual Performance Statements.

Areas for improvement

The ANAO made five recommendations aimed at: implementing a risk-based approach to compliance monitoring through developing a compliance monitoring strategy; developing arrangements for National Disability Insurance Scheme (NDIS) market oversight; providing assurance that the Commission is taking effective regulatory actions and meeting government expectations through implementing quality assurance processes; finalising procedures and guidance; and improving performance reporting, including through addressing errors in data holdings.

The ANAO also suggested that the NDIS Commission could strengthen the Planning and Performance Framework’s alignment with government expectations.

4.1 Regulators have a responsibility to give confidence to Parliament, the government and the community that regulated entities are complying with their statutory obligations and that appropriate enforcement action is taken when a regulated entity fails to meet its obligations.

4.2 The functions of the NDIS Commissioner in relation to monitoring, compliance and enforcement are set out in section 181E of the NDIS Act. Monitoring, investigation and enforcement powers are set out in Division 8 of Part 3A of Chapter 4 of the NDIS Act.

Has the NDIS Commission established arrangements to monitor compliance, the market and unplanned service withdrawals?

Compliance monitoring activities were not carried out under a risk-based strategy or work program. The Commission has not established or documented an approach to monitoring and mitigating the risks of unplanned service withdrawals — a core function of the NDIS Commissioner under the NDIS Act.

Monitoring provider compliance

4.3 The NDIS Commission’s 2024 Compliance and Enforcement Policy defines monitoring as:

Regulatory activity involving collecting, analysing and evaluating information to monitor providers or workers to determine compliance with the requirements and obligations of the NDIS Act, including the NDIS Code of Conduct and the Rules.66

4.4 The policy also states that routine monitoring may include ‘reviewing intelligence and data, reportable incidents and complaints made to the NDIS Commission’ and that the Commission ‘may conduct site visits and compliance audits to ensure providers are adhering to the conditions of their registration and to identify any non-compliance.’67

Monitoring provider compliance with conditions of registration

4.5 The NDIS Act requires the NDIS Commissioner to monitor registered NDIS provider compliance with conditions of registration including worker screening in accordance with the NDIS Practice Standards (subsection 181F(c)) and behaviour support plans (subparagraph 181H(d)(i)). After the commencement of worker screening within the NDIS on 1 February 2021, state and territory government NDIS worker screening units had granted more than 112,000 worker clearances by 30 June 2021. The cumulative number of individuals holding a clearance as at 30 June 2025 was 1,354,714.

4.6 The NDIS Commission developed guidelines in August 2021 for monitoring provider compliance with provisional and mid-term audit requirements under the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018.68 The guidelines include how the monitoring will be undertaken, data and sources of data to be used, and monitoring timeframes.

4.7 People who are in ‘risk-assessed roles’ need to undergo worker screening. Risk assessed roles include work that is likely to have more than incidental contact with people with disability, or where NDIS workers are undertaking specific roles or providing specific supports.69 Worker screening is undertaken by state and territory government worker screening units to assess whether a person who works, or seeks to work, with people with disability poses a risk to them.70 Screening takes place during application for worker screening clearances or when new information emerges that may indicate if a worker is not safe to provide services to people with disabilities.

4.8 The NDIS Commission advised the ANAO in July 2024 that changes made to the status of a person from ‘cleared’ to ‘suspended’ or ‘excluded’ by a state or territory worker screening unit are reflected in the National Worker Screening Database, visible in the Commission Operating System (COS) if a search of the worker is conducted. The Commission further advised that it generates a list of excluded workers that can be used to review key persons for registered providers (for new applications and existing registrations) and their suitability to hold registration. The NDIS Commission is undertaking a project to review worker exclusions issued by state and territory worker screening units, to assess if further regulatory action is needed to stop excluded workers from engaging in the market in other roles and making recommendations to the Commissioner’s delegate on compliance action needed (delegations are discussed at paragraph 4.53).

4.9 The National Disability Insurance Scheme (Restrictive Practices and Behaviour Support) Rules 2018 sets out conditions for registration for providers if regulated restrictive practices are used in the provision of NDIS funded supports.71 The NDIS Commission Behaviour Support Compliance Strategy 2022–24, dated December 2022, guides the Commission’s monitoring of and regulatory action against behaviour support providers. The strategy sets out compliance monitoring activities relating to identifying trends; using existing data systems to tailor monitoring activities; and using a risk-based approach to monitor behaviour support plans and restrictive practices. It also establishes the preventative goal of using local intelligence and data to monitor providers and act in cases of non-compliance. The strategy noted the limited capacity of COS ‘for recording any activity from a Behaviour Support function perspective’ and that ‘[t]he NDIS Commission’s Data and Digital Strategy should improve recording and access to data for analyses’.

4.10 Under the Behaviour Support Compliance Strategy 2022–24, the Commission conducted three reviews to evaluate the quality of Behaviour Support Plans in 2022, 2023 and 2024. The median scores (with a highest possible score of 24) were 12 in 2021–22, 15 in 2022–23 and 14 in 2023–24. The Commission undertook a project to review behaviour support plan quality and compliance in June 2024. The June 2024 project report noted that the project was the first time that a compliance component had been part of behaviour support plan quality and compliance reviews. As at 30 June 2024, the project had resulted in 42 compliance matters being assessed, actioned and closed, with the Commission using non-statutory tools including education, corrective action requests and warning letters (compliance and enforcement tools are discussed from paragraph 4.47). The project report set out recommendations relating to improvements when undertaking future campaigns, improvements to the referrals process, and the value of engaging with providers.

4.11 The Commission also undertook a two-stage ‘Compliance Sprint’ in October and November 2023 targeting specific contraventions of the NDIS Act and NDIS Rules; and high-risk practices, including restricted practices.72 The first stage resulted in 17 providers being issued with 62 infringement notices totalling $1.1 million and four compliance notices. Projected outcomes for the second stage were 25 infringement or compliance notices and one banning order.

Regulatory compliance campaigns

4.12 The NDIS Commission Operating Model, dated January 2023, sets out the ‘high level process’ for targeted campaigns. The NDIS Commission implemented the Regulatory Compliance Campaigns Framework in July 2024. The framework stated that compliance campaigns are aligned to the Commission’s strategic and compliance priorities, that they use data and intelligence, to ‘address the highest priority risks to participant safety and service quality’, which are typically ‘systemic non-compliance’. In October 2024, the Commission advised the ANAO that prior to the framework, campaigns were planned using four documents titled ‘site information’, ‘remote travel and risk assessment’, ‘campaign brief’ and ‘campaign planning’. One out of the 11 campaigns reviewed by the ANAO had all four documents completed.

4.13 The NDIS Commission’s 2022–23 Annual Report outlined information on five place-based and four thematic campaigns that took place in 2022–23.73 Complete records were not kept for the nine campaigns. Learnings from the campaigns have not been incorporated into future campaigns and compliance activities. The NDIS Commission’s 2023–24 Annual Report stated that remote place-based campaigns were conducted in the Top End and the Anangu Pitjantjatjara Yankunytjatjara Lands in 2023–24. Commission documents show these campaigns took place in July and August 2024.

4.14 During 2022–23 and 2023–24 there was no evidence of risk informing the selection of campaign locations or topics. Approved final reports for campaigns in 2023–24 included two approaches to selecting providers for site visits. Two campaign reports considered provider characteristics74 and the other campaign report focused on the top 10 providers receiving the most NDIS funding. Final reports set out the alignment of each campaign to the Commission’s 2023–24 compliance priorities (compliance priorities are discussed from paragraph 3.21). Complaints data was included in campaign planning documents for two of the 2023–24 place-based campaigns.

4.15 The NDIS Commission monitors providers for compliance with conditions of registration, reviews behaviour support plans, and undertakes regulatory compliance campaigns. The NDIS Commission does not have an overarching framework, policy or strategy that sets out the compliance monitoring activities to be undertaken by the Commission, or how the Commission monitors compliance in line with risk. In the absence of a risk framework to guide regulatory activities (see paragraphs 3.29 to 3.34) it is unclear how the Commission monitors compliance in a risk responsive and proportionate manner.

Recommendation no.6

4.16 The NDIS Commission develop and implement an entity-wide compliance monitoring strategy, consistent with its Compliance and Enforcement Policy, that includes the monitoring activities the Commission plans to undertake, frequency of planned activities, links compliance monitoring activities to identified risks, and sets out reporting arrangements and intended results.

NDIS Quality and Safeguards Commission response: Agreed.

4.17 The NDIS Commission will develop a Compliance Monitoring Strategy detailing relevant functions and how the monitoring is operationalised across the NDIS Commission. The anticipated implementation date is Quarter 4 of financial year 2025–26.

Market monitoring and unplanned service withdrawals

4.18 Subsection 181E(i) of the NDIS Act states that a core function of the NDIS Commissioner is to ‘provide NDIS market oversight’ by ‘monitoring changes in the NDIS market which may indicate emerging risk’ and ‘by monitoring and mitigating the risks of unplanned service withdrawal’.

4.19 The NDIS Commission and the National Disability Insurance Agency (NDIA) established a ‘Market Stewardship & Oversight’ operational protocol, which was updated in December 2020. The protocol states:

Due to the recent commencement of the NDIS Commission operations across all states and territories, the role of the NDIS Commissioner in providing NDIS market oversight is currently being developed in accordance with section 181E. This protocol will be revised when this work is complete.

4.20 The protocol sets out, among other roles, the following roles and responsibilities for the Commission relating to market monitoring and unplanned service withdrawals.

  • Identify and monitor changes in the NDIS market that may indicate emerging risk.
  • Monitor and mitigate risks of unplanned service withdrawal arising from quality and safeguards issues and refer to the NDIA for action to ensure continuity of support for participants.
  • Share information to assist States and Territories manage and mitigate risks of unplanned service withdrawal.

4.21 The Commission advised the ANAO in April 2025 that:

While there is no whole of Commission approach to monitoring prospective service withdrawals, in accordance with sections 13 & 13A of the NDIS (Provider Registration and Practice Standards) Rules 2018, registered NDIS Providers are obliged to notify the Commissioner of a planned service withdrawal or any significant change to service delivery.

4.22 The Joint Operational Protocol between the NDIA and the NDIS Commission, approved in May 2025 (discussed at paragraphs 2.37 to 2.38) includes the Regulatory Interfaces: Provider Registrations and Exits Schedule. The schedule sets out the roles and responsibilities, including joint responsibilities, for responding to planned and unplanned exits of NDIS providers from the NDIS market. The schedule sets out a ‘provider exit roadmap’ that includes actions that each entity will take in response to provider exits, to mitigate risks relating to the continuity of supports to NDIS participants arising from planned and unplanned provider exits.

4.23 The NDIS Commission advised the ANAO in June 2024 that it has undertaken market monitoring through developing Market Insights Dashboards and related reporting; complaints analysis; and own motion inquiries. Own motion inquiries are discussed in Chapter 2, from paragraph 2.22.

Quarterly Market Insights Dashboard

4.24 In June 2024 the acting NDIS Commissioner was provided with advice that the Commission ‘undertakes regular data collection and interrogation activities to identify trends and inform the Commission’s understanding of the market’ and noted the first Market Insights Dashboard for the third quarter of 2023–24. The Commission subsequently produced dashboards covering the first, second and fourth quarters of 2023–24.

4.25 These quarterly dashboards reported on the topics of provider information, market trends, supported independent living, support coordination, plan management, behaviour support and participants in remote and very remote areas. Data was included on the top 10 registered and unregistered providers (represented by payments claimed and participants supported), registered providers entering the market and deregistration.75 From the second quarter of 2024–25, new categories of reporting included ‘early childhood intervention’, therapeutic supports, personal activities, community participation, group and centre based activities and household tasks. Dashboard reporting relied on NDIA data on payment claims for services delivered by providers to plan-managed and NDIA-managed participants, as well as data on provider status, number of participants and market segmentation.

4.26 The Commission used the dashboard reporting to provide executive oversight to the Regulatory Coordination Committee and the Commissioner of some elements of the NDIS market including market trends, themes and areas of emerging risk on a quarterly and annual basis.

Market reporting and complaints data

4.27 In May 2024 the NDIS Commission completed a high-level analysis of complaints data to ‘support the Commission’s understanding of the market landscape’, with the aim of identifying ‘patterns and vulnerabilities that highlight risks to inform the prioritisation of strategic decisions about future market stewardship activities and direction’. The Commission reviewed 1,500 complaints made between October 2023 and December 2023 to identify themes, support or services type, and registration status that related to the complaint.76 The Commission reported difficulties in undertaking the review due to issues ‘such as system limitations, data quality issues and inconsistencies in data capture.’ The Commission identified areas of higher risk for participants and risks and drivers to inform further regulatory policy and frameworks.

4.28 There has not been another complaints data report, and there is no plan for regular review of complaints data or reporting on outcomes. The Commission advised the ANAO in April 2025 that these reports are a point in time analysis of data sources, which require significant manual review and analysis. The Commission further advised that current resourcing and workloads mean this work is not done on an ongoing basis but learnings have been used to inform new system design.

Monitoring and mitigating the risks of unplanned service withdrawal

4.29 The NDIS Commission has not documented its approach to maintaining effective oversight of the market and monitoring and mitigating the risks of unplanned service withdrawals. Although the Commission has undertaken market monitoring activities, it is not clear how these activities have been used to inform a risk-based and proportionate approach to regulating the NDIS market. It is not clear in the absence of a documented approach how the Commission has undertaken the core function of the Commissioner to monitor and mitigate the risks of unplanned service withdrawal.

4.30 The Commission advised the ANAO in August 2025:

It should be noted that currently there is no requirement for all providers to be registered. This makes monitoring and mitigating the risk of unplanned service withdrawal difficult as the Commission does not have oversight of all the NDIS providers delivering services in the market.

Recommendation no.7

4.31 The NDIS Commission:

  1. develop and implement a strategy or plan that sets out the Commission’s approach to market oversight, including monitoring and mitigating the risks of unplanned service withdrawal; and
  2. works with the NDIA to update the joint operational protocol on market stewardship and oversight to include the Commission’s planned approach to market oversight developed in part (a) above.

NDIS Quality and Safeguards Commission response: Agreed.

4.32 The NDIS Commission supports the recommendation to develop a strategy that clearly sets out the NDIS Commission’s approach to market oversight, including identifying how we monitor and mitigate the risks of unplanned service withdrawal.

4.33 We will respond to this recommendation through activities that include contributing with the NDIA to the Provider Registrations and Exits Schedule Oversight Group, which considers how we can monitor and mitigate the risks of unplanned service withdrawal and contributes to informing our market oversight activities.

4.34 The NDIS Commission is working collaboratively with the National Disability Insurance Agency (NDIA) and the Department of Health, Disability and Ageing to develop a series of guiding documents that make up the updated Market Stewardship Framework (MSF). The MSF will include the NDIS Commission’s planned approach to market oversight and will provide an update to the current Market Enablement Framework, which was published in 2018 by the NDIA.

Has the NDIS Commission effectively detected and addressed non-compliance, including through enforcement action?

The NDIS Commission has established arrangements to detect and address non-compliance but does not have overarching procedural guidance for the end-to-end management of compliance matters. The Commission does not have quality assurance processes for compliance activities, including investigations. In the absence of quality assurance processes and up-to-date policies the Commission is unable to assesses its effectiveness in detecting and addressing non-compliance.

Detecting non-compliance

4.35 Complaints and reportable incidents received are a key mechanism used by the NDIS Commission for detecting non-compliance. The Commission may also detect provider non-compliance through information sharing and analysis (discussed from paragraph 2.16) and compliance monitoring activities (discussed from paragraph 4.3).

Complaints

4.36 Part 3 of the National Disability Insurance Scheme (Complaints Management and Resolution) Rules 2018 enable a person to make complaints to the NDIS Commissioner about issues connected with supports or services delivered by providers.77 It establishes a framework for the management of complaints by the Commission. Figure 4.1 shows the number of complaints received and closed in 2022–23 and 2023–24.

Figure 4.1: Complaints received and closed by the NDIS Commission in 2022–23 and 2023–24

Figure 4.1 is a bar graph showing the number of complaints received and closed by the NDIS Commission in 2022–23 and 2023–24. In 2022–23 the NDIS Commission received 16,305 complaints and closed 12,221 complaints. In 2023–24 the NDIS Commission received 29,054 complaints and closed 15,064 complaints.

Source: ANAO representation of NDIS Commission data.

4.37 The Commission developed a Complaints Manual in 2021. A decision was made to cease using the Complaints Manual in 2023 and the manual was not replaced. As part of the Enterprise Prioritisation Model project (discussed from paragraph 3.38), in August 2024 GSA Management Consulting reported to the Commission that off-system records were kept during intake and assessment of complaints matters due COS useability issues (discussed from paragraph 2.11). The report noted that Commission teams had ‘adapted processes locally, and the COS application has not updated, reducing confidence in the data quality for reporting purposes.’

Reportable incidents

4.38 Sections 20 to 21 of the National Disability Insurance Scheme (Incident Management and Reportable Incidents) Rules 2018 require registered providers to notify the NDIS Commission of alleged or actual reportable incidents within 24 hours or five days, depending on the incident.78 Reportable incident notification numbers are included in the NDIS Commission’s quarterly performance reports.79 In Quarter 3 of 2024–25, the NDIS Commission received 15,723 reportable incidents, including 6,907 related to unauthorised restrictive practices. Since the fourth quarter of 2022–23, reports have included comparative figures for previous reporting quarters. Of the five reporting quarters where comparative figures were available, all figures changed in the next quarterly report.80 Inconsistencies in data reported are discussed further from paragraph 4.94.

Quality assurance for complaints and reportable incidents

4.39 In April 2023, the Commission developed ‘self-reflective questions’ for complaints officers to prompt consideration of good complaint management. There is no quality assurance process to review the effectiveness of the handling of complaints or reportable incidents.

4.40 The NDIS Commission advised the ANAO in April 2025 that the Commission is currently working towards establishing a formal Quality Assurance Management Framework, which will support the implementation of the Enterprise Prioritisation Model (discussed from paragraph 3.38). The Commission further advised that informal quality assurance activities include managerial review of work and that there is a formal reconsideration process whereby complainants who are unsatisfied with the determination may seek a review.

4.41 The absence of quality assurance processes reduces confidence over outcomes and data and makes it difficult for the Commission to assess the effectiveness of complaints and reportable incidents in detecting non-compliance and leading to effective compliance outcomes. For complaints and reportable incidents data to contribute to a risk responsive and proportionate monitoring approach, the Commission needs systems, policies and processes that support accurate data.

Addressing non-compliance

4.42 When non-compliance has been detected, the suspected non-compliance is referred within the Commission as a compliance matter and allocated to a team to investigate, which may lead to enforcement action, as discussed below.

Referral of matters for potential compliance action

4.43 Matters relating to Behaviour Support Plans and Restrictive Practices are referred to the Practice Quality Division and all other matters are referred to the Regulatory Operations Division. In July 2024 the NDIS Commission advised the ANAO that an Operational Assessment team was established in January 2024 to deliver a review and assurance function over high-risk matters and process guidance material was in development. As of August 2025, the NDIS Commission was developing a new approach to triaging and referring compliance and investigation matters through the Risk-Based Regulation Prioritisation Model, formerly the Enterprise Prioritisation Model (discussed at paragraphs 3.38 to 3.40).

Investigating non-compliance

4.44 The NDIS Commission conducts investigations into suspected non-compliance, including when matters reported through complaints and reportable incidents mechanisms have not been resolved. As a non-corporate Commonwealth entity, the NDIS Commission is required to follow the Australian Government Investigations Standards (AGIS) — the minimum standards for government entities conducting investigations relating to the programs and legislation they administer.

4.45 In April 2024, the Commission commenced work to map existing policies, procedures and projects against AGIS requirements to identify gaps and where the Commission was not meeting the AGIS. The mapping showed the Commission was partially compliant with AGIS requirements relating to personnel, information and evidence management, and investigative practices; and non-compliant with the quality assurance requirement of the AGIS to ‘have an investigations Quality Assurance Policy in place’.81 The Commission commenced a project in August 2024 to determine how to address the gaps identified by the mapping exercise to achieve compliance with the AGIS. The development of a quality assurance framework for investigations was not in scope for this project.

4.46 In September 2024, the Commission advised the ANAO that ‘It is necessary to have established compliance and investigation processes in place prior to developing and implementing a quality assurance framework’ and that it planned to do so after completion of those works. In April 2025, the Commission further advised the ANAO that the AGIS project will be rescoped with other projects underway relating to evidence management and compliance. No date has been set for this work to be completed. There was no timeline for the implementation of a quality assurance framework.

Compliance and enforcement actions

4.47 The NDIS Commissioner has broad powers under the NDIS Act and the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) to ensure provider compliance. The NDIS Commission’s 2024 Compliance and Enforcement Policy describes its compliance and enforcement tools as statutory and non-statutory. The policy states that the statutory tools set out in the NDIS Act and Regulatory Powers Act are ‘our most serious tools to enforce the law’. The compliance and enforcement tools used by the Commission are outlined in Appendix 3. The Commission’s Compliance and Enforcement Policy sets out the considerations undertaken in deciding how to use compliance tools, including the seriousness of the non-compliance; the seriousness and likelihood of past and future harm to any participant; deterrence value; and the actions of the provider in response to the non-compliance.82

4.48 Table 4.1 sets out compliance actions reported by the NDIS Commission in its Quarterly Performance Reports.83 Further detail on compliance actions is set out in Appendix 3. The ANAO found inconsistencies with data in the NDIS Commission’s external reporting, which is discussed from paragraph 4.94. The Commission’s Compliance and Enforcement Policy classified ‘corrective action requests’ and ‘warning letters’ as non-statutory tools. Education is also classified as non-statutory by the ANAO for the purposes of Table 4.1 and Table 4.2. The proportion of statutory and non-statutory compliance tools used in 2022–23 and 2023–24 is set out in Table 4.2.

Table 4.1: Compliance and enforcement actions in 2022–23, 2023–24 and 2024–25 (to 31 March 2025)

Compliance outcome

2022–23

2023–24

2024–25 (to 31 March 2025)

Statutory compliance tools

Banning order

92

129

135

Vary, suspend or revoke registration

29

197

369

Civil penalty proceedings

1

4

6

Infringement notice

12

138

73

Compliance notice

17

44

76

Enforceable undertaking

6

0

Refusal of registration

2,484

10,547

4,015

Othera

4

22

22

Non-statutory compliance tools

Corrective action request

606

248

1,045

Warning letter

48

3,556

338

Educationb

6,227

20,628

5,427

Total

9,520

35,519

11,506

       

Note a: ‘Other’ includes banning order variation and revocation, compliance notice variation, conditions on registration, infringement notice withdrawal, other registration activities and withdrawal of suspension.

Note b: ‘Education’ includes engagement the NDIS Commission has with a provider through site visits to raise awareness about their obligations, including under the NDIS Code of Conduct and the NDIS Practice Standards; and correspondence that is sent to providers reminding them of and reinforcing their obligations.

The NDIS Commission advised the ANAO in August 2025 that there was an increase in 2023–24 education outcomes due to a targeted campaign to educate providers, including sending 19,590 written warnings and education letters to providers.

Source: ANAO analysis of NDIS Commission Quarterly Performance reports.

4.49 The NDIS Commission reported a 3.73 times increase in the use of compliance and enforcement tools between 2022–23 and 2023–24. In 2022–23, 2023–24 and 2024–25 to March 2025, education was reported as the most used compliance tool and refusal of registration was reported as the next most used tool. The Commission advised the ANAO in January 2025 that an injunction had not been used as a compliance tool. The use of statutory compliance tools as a proportion of total compliance tools has increased each year from 28 per cent in 2022–23 to 41 per cent in 2024–25 (to 31 March 2025) as shown in Table 4.2.

Table 4.2: Proportion of statutory and non-statutory compliance tools used by the NDIS Commission in 2022–23, 2023–24 and 2024–25 (to 31 March 2025)

 

2022–23

2023–24

2024–25

(to 31 March 2025)

Compliance outcome classification

Count

Percentage

(%)

Count

Percentage

(%)

Count

Percentage

(%)

Statutory

2,639

28

11,087

31

4,696

41

Non-statutory

6,881

72

24,432

69

6,810

59

Total

9,520

100

35,519

100

11,506

100

             

Note: Data included in this table is the sum of the original figures reported by the Commission for registered providers, unregistered providers and individuals.

Source: ANAO analysis of NDIS Commission Quarterly Performance reports.

4.50 Regulators should implement an appropriate quality assurance framework over their activities to provide assurance that their regulation is consistent, legally valid and contributes to the desired regulatory outcomes. In the absence of quality assurance processes for addressing complaints, reportable incidents, compliance matters and investigations, the NDIS Commission is not able to assess the effectiveness of responses to identified non-compliance.

Recommendation no.8

4.51 To provide assurance that the NDIS Commission is taking effective regulatory action using powers provided under the NDIS Act and meeting the requirements of the Australian Government Investigations Standards, the NDIS Commission implement quality assurance processes for complaints, reportable incidents, compliance matters and investigations.

NDIS Quality and Safeguards Commission response: Agreed.

4.52 The NDIS Commission will meet this recommendation through delivery of a quality assurance framework and progressing the implementation of Risk-Based Regulation Prioritisation Model across all operational areas. Tracking compliance against Australian Government Investigation Standards will also be supported by the continuing delivery of the regulatory learning and development program. The anticipated implementation date is Quarter 4 of financial year 2025–26.

Delegations for compliance and enforcement actions

4.53 An appropriate system of internal control includes documented delegations identifying individuals or classes of officials to whom functions, duties or powers are delegated.84 Sections 202A and 202B of the NDIS Act permit the NDIS Commissioner to delegate their powers and functions under the NDIS Act. Under section 202B of the NDIS Act, the Commissioner may delegate any of the powers and functions relating to compliance and enforcement (under Division 8 of Part 3A of Chapter 4 of the NDIS Act) to Commission Senior Executive Service (SES) employees. Powers and functions relating to infringement and compliance notices may be delegated to Executive Level Australian Public Service (APS) employees. Between 1 July 2022 to 15 July 2024 delegations relating to the use of statutory compliance and enforcement tools by Commission staff were in place and in compliance with the NDIS Act.

4.54 The delegations relating to regulatory powers and functions were updated in September 2024 and April 2025. In the July 2024 instrument of delegation, all regulatory powers and functions were able to be delegated to SES Band 1 and 2 positions. The September 2024 instrument of delegation, effective from 1 October 2024, included the additional role of SES Band 3 officers that regulatory powers and functions could be delegated to under section 202B of the NDIS Act (to account for the Associate Commissioner role, which commenced in October 2024). In the April 2025 delegations, Executive Level staff positions were included in addition to the SES positions for delegating functions relating to compliance and infringement notices, in line with the NDIS Act. For these functions, the Commissioner also set out mandatory training requirements in the delegation instrument to be completed by staff in all the positions prior to exercising the related powers.

Policies and procedures supporting compliance and enforcement action

4.55 Framework documents such as policies, plans, internal procedures, and external guidance help ensure compliance activities achieve intended outcomes. Of the 14 compliance actions (or compliance tools) available to the Commission, policies had been developed for all 14 compliance actions and procedures supported nine compliance actions.85

4.56 The NDIS Commission advised the ANAO in August 2024 that, during 2022–23, it had undertaken a project to develop standard operating procedures for all regulatory tools available to the Commission. The project had not been finalised and was subsumed into the Operational Policy and Practice Optimisation (OPPO) project, scheduled to take place between September 2023 and June 2024. The goal of the OPPO project was to ‘ensure the Commission has an operational policy framework that meets our needs now and in the future with a review and update of policies and procedures that are efficient and effective and aligned with the new Framework’.

4.57 The NDIS Commission identified two key issues to be addressed by the OPPO project:

  • there was no ‘framework to support efficient and effective policies and procedures being developed and maintained’; and
  • the ‘current suite of policies and procedures do not support the Commission’s national operating model and are not fit for purpose’.

4.58 The Commission also identified three benefits of the project: improved clarity for staff on ‘how to do their job effectively’; policies and procedures are accessible to staff; and the ‘Commission’s regulatory performance is collaborative, transparent and defensible.’86 The Compliance and Enforcement Policy was reviewed as part of this work. The OPPO Project concluded on 23 June 2024. In September 2024, the Strategic Investment Committee approved the Operational Policy Framework that ‘sets out the principles, hierarchy, categories, lifecycle, governance, and storage activities’ for all Commission policies.87

4.59 The Commission advised the ANAO in April 2025 that the realignment work to streamline, simplify and develop new internal policies, procedures and supporting resources was still progressing, with the majority of work planned to be completed by June 2025. In August 2025, the Commission further advised the ANAO that:

The OPPO Project was delivered in November 2024 by way of final report. Work continues on progressing new policies as the need is identified and existing policies are being enhanced. A dedicated team within the NDIS Commission is responsible for the ongoing management of operational policies. Part of their role is to ensure alignment with the Risk-Based Regulation Prioritisation Model and the NDIS Commission’s Regulatory Learning and Development Program to support regulatory capability uplift across all operational functions engaging in regulatory activities.

The Risk-Based Regulation Prioritisation Model, previously named the Enterprise Prioritisation Model is discussed from paragraph 3.38.

4.60 The NDIS Commission advised the ANAO in April 2025 that the policies for the 14 compliance actions referred to in paragraph 4.55 were rescinded when the new Compliance and Enforcement Policy was approved and published in September 2024. The Commission further advised that the policies are no longer for external use and are being used internally as guidelines until realignment work is completed.

4.61 The NDIS Commission does not have guidance on what compliance tool is the most suitable to use in specific circumstances. The Commission advised the ANAO in July 2024:

Developing guidance for staff on how to determine the appropriate regulatory action to take was not within the scope of the Investigations Improvement Project. It was recognised that a separate and significant piece of work on how to determine which regulatory action/s are appropriate and proportionate is needed.88

4.62 During 2022–23 to 2023–24, the Commission undertook two projects aimed at developing policies and procedures for all compliance actions available to the Commission. As at May 2025, the Commission did not have fit-for-purpose policies and procedures in place for compliance actions, increasing the risk of inconsistent regulatory outcomes.

Recommendation no.9

4.63 The NDIS Commission support staff to apply a consistent approach to compliance actions through:

  1. finalising fit-for-purpose policies and procedures for compliance actions; and
  2. developing guidance to assist staff with selecting and using the most suitable compliance tool for specific circumstances.

NDIS Quality and Safeguards Commission response: Agreed.

4.64 The NDIS Commission is finalising the development of fit for purpose policies and procedures and will also develop guidance to assist staff on selecting and using the most suitable compliance tools. The anticipated implementation date is Quarter 4 of financial year 2025–26.

Has the NDIS Commission established performance monitoring, measurement and reporting arrangements to assess effectiveness of its regulatory activities?

Arrangements were in place, but were not fully executed, for NDIS Commission senior executive oversight and the Audit and Risk Committee review of annual performance. Prior to March 2024, the NDIS Commission did not have a standardised framework to support Annual Performance Statement obligations. The Planning and Performance Framework does not address government expectations for regulators. Data reported in the NDIS Commission’s quarterly reports does not reconcile with the 2023–24 Annual Performance Statements.

4.65 Section 39 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 16F of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) require accountable authorities to prepare annual performance statements, which are included in the entity’s annual report that is tabled in the Parliament. These statements measure and assess the entity’s performance in achieving its purpose against the performance measures and targets set out in its corporate plan. High quality performance statements enable entities to show the Parliament and the public whether policies and programs are delivering the results intended with the resources provided and provide a valuable evidence base for entities to justify new policy proposals and evaluate existing policy and program settings.89

4.66 Since 1 July 2023, government expectations for regulator performance reporting are that corporate plans should include regulatory performance information; and annual reports should report on performance outcomes with reference to the three regulator best practice principles: continuous improvement and building trust; risk-based and data driven; and collaboration and engagement.90

Monitoring NDIS Commission performance

Ministerial reporting and oversight

4.67 On 13 October 2023, the Minister for the NDIS (the minister) issued a direction to the NDIS Commissioner under section 181K of the NDIS Act to develop and publish compliance and enforcement policies and procedures concerning the use of restrictive practices by NDIS providers. It also directed the Commission to report to the minister every three months on: the implementation of and compliance with the policies; compliance actions taken; and the progress of the Commissioner’s intended actions contained in the Statement of Intent (the Statement of Intent is discussed at paragraphs 3.2 to 3.4).91

4.68 Between October 2023 and July 2024, the NDIS Commissioner reported to the minister on four occasions at three monthly intervals. The reports addressed requirements specified in the direction, except for the average time between notification of a reportable incident and resulting compliance or enforcement action. The Commission advised the minister this was due to ‘system limitations’ (IT system issues are discussed at paragraphs 2.11 to 2.15). Reporting included the number of complaints received, finalised and referred for compliance action; compliance and investigation matters commenced; safeguarding matters resolved within 48 hours; active compliance and investigation matters; reportable incident notifications received; and reportable incidents referred to regulatory operations compliance. Data on compliance outcomes does not reconcile with data reported in the NDIS Commission’s quarterly reporting in the same period (discussed from paragraph 4.94) or with data reported to the minister in the subsequent reporting period.

Executive reporting and oversight

4.69 Arrangements were in place, but were not fully executed, for Executive Leadership Team (ELT) oversight of NDIS Commission performance. Between 1 July 2022 to 30 June 2024, the ELT received internal Commission reporting. This included reports on strategic initiatives, strategies and plans relating to Commission functions, risk management, a draft corporate plan, budget, business processes, governance, key regulatory functions and performance.

4.70 The ELT charter set out its performance reporting and oversight responsibilities including monitoring and governing the Commission’s overall performance, financial position and key regulatory functions. It also included reporting on performance accurately and transparently; and recommending the Commission’s Corporate Plan (which set out the Commission’s performance measures), Annual Report (which include Annual Performance Statements), and financial statements to the Commissioner for approval. The charter was not updated following its initial approval in 2018.

4.71 The NDIS Commission Planning and Performance Framework, approved by the ELT in March 2024, assigned ELT members responsibility as the data and performance measure owners and for providing assurance for the Annual Performance Statement results to the Commissioner. Of the 44 ELT meetings that took place between 1 July 2022 to 30 June 2024, the ELT considered information on the NDIS Commission’s performance measures on seven occasions. The ELT reviewed the 2021–22 and 2022–23 Annual Reports and 2022–23 and 2023–24 Corporate Plans. There was no evidence that the ELT recommended or endorsed them to the NDIS Commissioner as required by its charter.

4.72 Certifications to the Commissioner and the Audit and Risk Committee were made by individual ELT members responsible for each of the Commission’s performance measures. Each certification stated that the relevant performance measure response in the 2021–22 and 2022–23 Annual Performance Statements ‘is accurate and true, is not misleading, is based on properly maintained records, and accurately represents the Commission’s performance as it relates to the measure in question’ and that the Annual Performance Statements comply with the PGPA Act and PGPA Rule. Paragraph 4.82 discusses instances where there was no evidence of the basis of the 2022–23 performance results.

4.73 The ELT did not have a forward work plan prior to July 2023. There was an ELT forward agenda covering the period July 2023 to December 2024. Between July 2023 and April 2024, agenda items for the Corporate Plan, Annual Performance Statements and Annual Report were not allocated in the forward agenda. Agenda items for the Corporate Plan, Annual Performance Statements and Annual Report were allocated to scheduled meetings in May, July and August 2024 respectively. The Executive Management Group (EMG) created a forward agenda for the period November 2024 to December 2025. Agenda items were allocated for performance measures, the Corporate Plan and the Annual Report. The terms of reference for the EMG and Senior Leadership Group (SLG) do not directly allocate responsibility for oversight of the NDIS Commission’s Annual Performance Statements, Annual Report or Corporate Plans. The NDIS Commission advised the ANAO in August 2025 that responsibility for oversight of these documents is incorporated within the EMG terms of reference statement that the EMG ‘Determines the NDIS Commission’s performance controls, governance and assurance arrangements, including frameworks for ensuring risk management, compliance with the law, government policy and organisational policies.’

Performance measurement and reporting

Planning and Performance Framework

4.74 The ELT approved the NDIS Commission’s Planning and Performance Framework in March 2024. The Framework includes information on the Commonwealth Performance Framework, key performance documents, and relevant legislation, rules and guides. It contains Commission specific guidance on entity purpose, the alignment of performance measures (see Appendix 4) and targets with reference to the PGPA Rule, and documentation and reporting requirements. The Framework does not include guidance on reconciling performance outcomes with reference to the regulator best practice principles (discussed at paragraph 4.66) or integrating Ministerial Statements of Expectations (discussed at paragraphs 3.2 to 3.4) into performance reporting.92

4.75 In June 2024 the NDIS Commission advised the ANAO that ‘[p]rior to the implementation of the Framework, the methodology for reporting against performance measures were [sic] held at a divisional level with no level of standardisation in place.’ The NDIS Commission’s 2022–23 and 2023–24 Annual Reports did not explain how it determined if performance measures and targets were, in 2022–23 ‘met’, ‘working towards’, ‘not met’ and ‘in progress’; and in 2023–24, ‘not achieved’, ‘partially achieved’ or ‘achieved’. The Framework does not include guidance on these ratings.

Opportunity for improvement

4.76 The NDIS Commission could strengthen the Planning and Performance Framework’s alignment with government expectations for regulators by including guidance on assessing performance measure results, and on how regulator best practice principles and Ministerial Statements of Expectations are factored into performance reporting.

Audit and Risk Committee charter expectations

4.77 The Audit and Risk Committee (ARC) Charter, dated August 2023, set out the expected areas for consideration in relation to the NDIS Commission’s performance reporting:

  • NDIS Commission’s Portfolio Budget Statements (PBS) and Corporate Plan (CP) contain appropriate details of how the NDIS Commission’s performance will be measured and assessed.
  • Systems and procedures for assessing, monitoring and reporting on achievement of the NDIS Commission’s performance in the Annual Performance Statement (APS) are fit for purpose, including the approach to measuring performance throughout the financial year against the performance measures included in the PBS and CP.
  • Contents of the three prime performance documents (PBS, CP & APS) comply with the requirements of the relevant sections of the PGPA Act and PGPA Rules [sic].
  • NDIS Commission has appropriate risk, control, assurance and certification processes in place for the timely completion and quality certification of its APS, including its inclusion in the Annual Report.93

4.78 The ARC’s expected deliverable was to provide the NDIS Commissioner with an annual statement of advice stating whether the Commission’s Annual Performance Statement complies with the PGPA Act, PGPA Rule and relevant guidance, whether the performance arrangements are fit for purpose, any areas of concern and suggestions for improvement.94

4.79 The 2024 ARC Charter requirements regarding performance reporting were largely similar to those in 2023.95 The 2024 Charter required the ARC to advise the Commissioner whether the Annual Performance Statements were ‘as a whole is appropriate’, rather than whether they complied with the PGPA Act, PGPA Rule and supporting guidance.

Annual Performance Reporting 2022–23

4.80 ARC members were provided the final draft of the Corporate Plan 2022–23 for review and endorsement on 19 August 2022. Prior to the Corporate Plan’s publication on 31 August 2022, an ARC member advised the Commission on 22 August 2022:

whilst the ARC members can review the document, we cannot endorse it or in anyway [sic] provide formal advice on the appropriateness of performance reporting. Normally the ARC’s review of the Corporate Plan would be supported by a number of assurance documents which are not attached and then we would provide advice on appropriateness.

4.81 On 27 September 2023, the ARC considered an internal audit report that assessed the design of the Commission’s 2022–23 performance measures against legislative requirements and better practice guidance. The report advised that ‘Performance measures and targets which do not adequately address requirements of Section 16EA of the PGPA Rule, may impact the NDIS Commission’s compliance with finance law.’96 The report made recommendations addressing the need for a framework for monitoring, reporting and assuring performance information, for performance measures and targets to address PGPA Rule requirements, and for greater alignment between performance information in the Commission’s Portfolio Budget Statements and Corporate Plan. An ELT member approved the internal audit report prior to it being provided to the ARC. It was not reviewed by the full ELT. Implementation of the report’s recommendations, including progress and closure, was reported to the ARC in March and June 2024 and a Planning and Performance Framework was approved in March 2024 (discussed in paragraph 4.74).

4.82 On 27 September 2023, the ARC noted the draft 2022–23 Annual Performance Statements, which stated there was no data available to establish a baseline for three performance measures related to restrictive practices and providers registered (performance measures 1.2.2, 1.2.3 and 3.3.2) ‘due to system capability restrictions and lack of matured data.’ Annual Performance Statements Certifications from two ELT members also stated that there was no data available for these measures. Results were reported for these measures in the 2022–23 Annual Report with a statement that there was ‘limited data available as the development of reporting mechanisms is in progress.’ There was no evidence of the Commission’s methodology of how results for performance measures 1.2.2, 1.2.3 and 3.3.2 were produced. As discussed at paragraph 4.72, ELT certifications assured the Commissioner that the Annual Performance Statements were accurate, not misleading, based on properly maintained records and presented a reasonable and fair analysis.

4.83 On 27 September 2023 the ARC: queried the performance measurement scale and made suggestions for including further information for one performance target in the next financial year; noted some information was lacking in relation to one target; and expressed its concerns about the Annual Performance Statements compliance with the PGPA Act, the time given to the ARC to review the statements, and the Commission’s continued ‘emerging maturity’ level.

4.84 The ARC’s 2022–23 Statement of Advice to the Commissioner, dated 28 September 2023, stated that Annual Performance Statements and reporting arrangements were only ‘partially in compliance with the key requirements of the PGPA Act, Rules and relevant RMGs.’ The Commissioner approved the Annual Report, including the Annual Performance Statements, on 11 October 2023. The Commissioner’s Statement of Preparation for the 2022–23 Annual Performance Statements assessed that they were prepared under paragraph 39(1)(a) of the PGPA Act, ‘were based on properly maintained records, accurately reflect the performance of the entity’ and complied with section 39(2) of the PGPA Act (which requires compliance with the PGPA Rule).97

Annual Performance Reporting 2023–24

4.85 ARC members were provided the draft of the Corporate Plan 2023–24 for review and feedback on 14 August 2023. On 15 August 2023, an ARC member advised the Commission’s Chief Operating Officer:

I can’t see a clear line of sight between purpose, key activities and then the performance measures, and also the measures included in the PBS. I also don’t think many measures would fully meet the requirements of S16EA. A description of the methodology or survey approach for each measure would help … I would be concerned about confirming the appropriateness of the measures without further information and/or discussion.

4.86 There was no evidence that the requested out of session discussion or the provision of further information occurred. The Corporate Plan was published on 31 August 2023 in compliance with the time frame requirements of subsection 16E(3) of the PGPA Act.

4.87 On 27 September 2024, the ARC considered an internal audit report on the draft 2023–24 Annual Report and its compliance with the PGPA Act and PGPA Rule. Compliance analysis did not assess whether the NDIS Commission had met government expectations, which commenced for the 2023–24 reporting period, that entities reconcile performance outcomes with regulator best practice principles (discussed at paragraph 4.66).98 The internal audit report advised that the draft Annual Performance Statements had improved relative to 2022–23 but that ‘there is need for improvement before the performance statements would be likely to pass an external audit process’ and that:

the NDIS Commission would need to better demonstrate there is sufficient support and logic in the performance analysis as to how the target had been achieved, or not achieved. Specifically:

  • Strengthening the performance measure narratives, particularly around clearly stating the overall result and performing meaningful evaluations that is relevant to the performance measure and target;
  • Collating and storing documentation and data to verify the claims and figures presented in the analysis, which will support the completeness, accuracy and reliability of the performance result reported; and
  • Further detailing methodologies and the underlying data verifiability and reliability in some areas.

4.88 The internal audit report stated that the annual reporting could benefit from Annual Report writing that is ‘in line with better practice’ and ‘strengthening quality assurance activities for annual performance statements.’ In regard to strengthening the performance measure narrative, the report noted that it was challenging to assess whether some performance results were sufficiently supported by evidence where the performance measure or target did not have a defined benchmark of success.

4.89 On 27 September 2024, the ARC ‘noted’ the 2023–24 Annual Performance Statements, ‘noted’ an inconsistency between performance measure 1.2.1 and headline statement 1.2, questioned survey data reliability, and agreed to draw the Commissioner’s attention to data for performance measures 1.1.1 and 1.2.1.

4.90 The ARC’s 2023–24 Statement of Advice to the Commissioner, dated 27 September 2024, stated that the Annual Performance Statements and reporting arrangements had ‘improved significantly’ from 2022–23 but had ‘not yet fully met, [sic] the standard of being substantially compliant with the key requirements of the PGPA Act, Rules and relevant RMGs.’ The Statement of Advice did not address specific performance measures. The acting Commissioner approved the Annual Report, including the Annual Performance Statements, on 30 September 2024. The acting Commissioner’s Statement of Preparation for the 2023–24 Annual Performance Statements assessed that they ‘accurately present the NDIS Commission’s performance for the year ended 30 June 2024 and comply with subsection 39(2) of the PGPA Act’.99

Annual Performance Reporting 2024–25

4.91 On 13 June 2024, the ARC was advised that the NDIS Commission’s 2024–25 Portfolio Budget Statements (PBS) included ‘incorrect performance tables’ due to an ‘administrative error’ and that this would be ‘rectified via the Mid-Year Economic and Fiscal Outlook budget for 2024–25’. The 2023–24 PBS measures and targets had been published instead of updated performance measures and targets for 2024–25. The 2024–25 Corporate Plan, dated 30 August 2024, stated that performance measures and targets had been aligned to the 2024–25 PBS but did not disclose the publishing error. The February 2025 NDIS Commission’s Portfolio Additional Estimates Statements included the updated performance measures for 2024–25.

4.92 On 27 September 2024, the ARC considered an internal audit report on the 2024–25 Corporate Plan and the compliance of the Performance Measures with the PGPA Rule and Resource Management Guide 131: Developing performance measures (RMG 131).100 The report identified areas for improvement including the need for ‘a clear read from the PBS to the Corporate Plan’ and to fully align the Corporate Plan’s performance measures with sections 16E and 16EA of the PGPA Rule and RMG 131. Areas for improvement included: defining year-on-year performance targets; defining baseline data and data measurement methodologies; including quality assurance processes ‘for off system data’; and ‘Improving the alignment and rationale of the targets in how they support the performance measures and the overall objectives and purpose of the NDIS Commission.’ The Corporate Plan did not meet government expectations, which commenced from 1 July 2023, that regulators include performance information on the Commission’s regulatory functions with reference to the regulator best practice principles set out in RMG 128 (discussed at paragraph 4.66).101

4.93 As with the 2023 internal audit report (discussed at paragraph 4.81), the 2024 internal audit report was not provided to the Finance Committee, the Strategic Investment Committee or the EMG and the SLG, which replaced the ELT from July 2024 (discussed at paragraph 1.17). Without access to these reports and the actions required from them, the executive has not had sufficient oversight of the Commission’s overall performance and reporting to discharge its responsibilities in relation to the Commission’s Annual Performance Statements, Annual Report or Corporate Plans.

Performance reporting data quality

4.94 Between 1 July 2022 and 30 June 2024 the NDIS Commission published quarterly reports containing information relating to its regulatory activities, including compliance outcomes.102 The 2023–24 Annual Performance Statements, tabled in the Parliament, included compliance outcome data reported under Performance Measure 3.1 for 2022–23 and 2023–24.103 Data in the Annual Performance Statements does not reconcile to the data in the quarterly reports. There was no record of the data sources or methodology used to determine the figures published in the Annual Performance Statements. Variances within compliance action data reported between quarterly reports also do not reconcile. Assurance over the completeness and accuracy of the NDIS Commission’s publicly reported performance data for 2023–24 could not be obtained.

4.95 In April 2025 the NDIS Commission advised the ANAO, in relation to these variances, that:

Data was extracted at the end of the financial year to calculate the performance results in order to incorporate quarterly data entered retrospectively. This minimises the impact from off systems data and accounts for variations in the same timeframe.

4.96 The NDIS Commission does not have processes in place to assure itself of complete and accurate performance information when known data quality issues exist, including errors in data captured in COS, discussed at paragraphs 2.30 and 2.31.

Recommendation no.10

4.97 The NDIS Commission:

  1. implement measures to address errors in the Commission’s data holdings;
  2. ensure the accuracy of performance reporting in compliance with the PGPA Act and PGPA Rule, and address issues identified in relation to Annual Performance Statements for Commonwealth entities in line with expectations;
  3. accurately record and explain performance in line with regulator performance expectations; and
  4. disclose and provide written explanation for changes to and errors in publicly reported information to enhance the transparency and public confidence of performance reporting.

NDIS Quality and Safeguards Commission response: Agreed in principle.

4.98 The NDIS Commission uses live data system where data is extracted at point in time. For each quarterly report, an extract is taken of the data as at the end of the quarter for all quarters included the report. Due to records being backdated, this may mean that there will be a change in the number reported in previous quarters.

4.99 The NDIS Commission is on a maturity journey to embed better practices in performance reporting. Methodology Control Documents were developed to improve reliability of reported performance data.

4.100 The NDIS Commission will continue to strengthen its Planning and Performance Framework and Data Quality Framework, in collaboration with key stakeholders to:

  • Record and track data quality issues and identify opportunities to enhance quality across the data lifecycle;
  • Adequately verify the performance results with quality analysis to ensure the annual performance statements meet the government’s expectations;
  • Keep accurate records on the agreed reporting methodologies, rationale, performance results, changes, and other information to meet its legislative requirements;
  • Actively share changes and learnings in our corporate documents to enhance transparency and public confidence.

4.101 The anticipated implementation date is Quarter 2 of financial year 2026–27.

Appendices

Appendix 1 Entity response

Page one of the response from NDIS Quality and Safeguards Commission. A summary of the response can be found in the summary and recommendations chapter.

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

  • In July 2024 the NDIS Commission implemented a Regulatory Campaigns Framework (paragraph 4.11).
  • The Data Quality Framework was finalised in November 2024 (paragraph 2.31).
  • Developing an Intelligence Hub to house intelligence and provide an avenue for assessment of systemic and emerging risk (paragraph 2.21).
  • The Joint Operational Protocol between the National Disability Insurance Agency and the NDIS Quality and Safeguards Commission, including seven supporting schedules, was finalised on 23 May 2025 (paragraph 2.37).
  • Drafting a memorandum of understanding with the Aged Care Quality and Safety Commission (paragraph 2.40).
  • Developing an internal policy to facilitate a consistent process for the access and receipt of protected information from partner agencies (paragraph 2.42).
  • Developing the Risk-Based Regulation Prioritisation Model, formerly the Enterprise Prioritisation Model, to streamline the workflows according to risk priority and other defined criteria; including a new approach to triaging compliance and investigation matters (paragraphs 3.38 to 3.40; and paragraph 4.41).

Appendix 3 Compliance and enforcement tools and actions

1. The NDIS Commission’s Compliance and Enforcement Policy sets out a description of the compliance and enforcement tools used by the Commission. These are set out in Table A.1. All compliance and enforcement actions reported by the Commission for 2022–23, 2023–24 and 2024–25 (to 31 March 2025) are set out in Table A.2.

Table A.1: Compliance and enforcement tool descriptions

Compliance and enforcement tool

Description

Statutory compliance tools

Banning order, banning order variation and banning order revocation

A banning order prohibits or restricts a provider, either permanently, temporarily or conditionally, from engaging in specified activities related to providing supports or services to a person with disability. Banning orders are used as a safeguarding tool to protect people with disability from being harmed by fraudulent, dishonest, and unsafe supports and services. The Commission also has powers to vary or revoke a banning order.

Registration — variation, revocation, suspension

The NDIS Commission has powers to vary, suspend or revoke a registration to address non-compliance with the NDIS Act.

Civil penalty

A civil penalty is a financial penalty imposed by a court for breaching a civil penalty provision. The aim of a civil penalty is deterrence. Whilst civil penalty proceedings are not criminal proceedings, and do not result in a person being convicted of an offence, a court determines culpability and imposes the penalty, which can be significant.

Injunction

An injunction is a court order used to compel a person to take or not take certain action. The Commission may seek an injunction from a court to ensure a provider complies with the NDIS Act.

Enforceable undertaking

An enforceable undertaking is a written commitment by a person that they will take or not take specific action to prevent or respond to a breach of the NDIS Act. It can help the person comply with their current and future obligations. The Commission will only commence an enforceable undertaking where there has been a breach or alleged breach of the NDIS Act.

Infringement notice

The NDIS Commission may issue an infringement notice where there is a reasonable belief that a civil penalty provision of the NDIS Act has been breached. It is an opportunity for the recipient to respond by paying the penalty amount rather than face court proceedings.

Compliance notice

A compliance notice is a written direction to a provider requiring them to take or not take certain action, to address identified non-compliance or possible non-compliance. It can require the provider to produce evidence that it has met the conditions of the notice. The Commission can commence civil penalty proceedings if a provider does not meet the conditions of a compliance notice.

Non-statutory compliance tools

Warning letter

A warning letter sets out brief details of one or more contraventions of the NDIS Act by a provider. It warns them that the Commission may take more formal regulatory action in the future if it is satisfied the provider has breached their obligations.

Corrective action request

Where the nature of non-compliance is non-critical and presents no ongoing or uncontrolled risk of harm to a participant or the integrity of the NDIS, a corrective action request may be issued to a provider, requesting they take action to address it.

Education

Education is a ‘proactive’ lever the NDIS Commission uses to promote quality and participant safety. The Commission states that it educates providers and workers to understand good practice and their legal obligations and work to build their capabilities and educate participants to know their rights.

   

Source: ANAO representation of information in the NDIS Commission’s Compliance and Enforcement Policy, September 2024, pp. 8, 10–11, available from https://www.ndiscommission.gov.au/sites/default/files/2025-02/NDIS%20Commission%20Compliance%20and%20Enforcement%20Policy%20-%203%20September%202024.pdf [accessed 16 June 2025].

Table A.2: Compliance and enforcement actions in 2022–23, 2023–24 and 2024–25 (to 31 March 2025)

Compliance outcome

2022–23

2023–24

2024–25 (to 31 March 2025)

Statutory compliance tools

Banning order

92

129

135

Banning order variation

1

5

15

Banning order revocation

0

1

3

Revocation of registration

14

187

366

Suspended registration

15

9

3

Vary registration

1

Civil Penalty proceedings

1

4

6

Infringement notice

12

138

73

Infringement notice withdrawal

10

Compliance notice

17

44

76

Compliance notice variation

1

1

2

Enforceable undertaking

6

0

Refusal of registration

2,484

10,547

4,015

Conditions on registration

2

4

1

Withdrawal of suspension

0

1

Other registration activities

0

1

Non-statutory compliance tools

Warning letter

48

3,556

338

Corrective action request

606

248

1,045

Education

6,227

20,628

5,427

Total

9,520

35,519

11,506

       

Key: – not reported.

Source: ANAO analysis of NDIS Commission Quarterly Performance reports.

Appendix 4 NDIS Commission Performance Measures

1. The performance measures for the NDIS Commission as set out in the 2024–25 Portfolio Additional Estimates Statements and the Commission’s Corporate Plan are set out in Table A.3.104 The performances measures for Program 1.2 changed in 2024–25 from performance measures for 2022–23 and 2023–24.

Table A.3: NDIS Commission Performance Measures 2024–25

Program

Key activities

Performance measure

Program 1.1 — Support for National Disability Insurance Scheme providers in relation to registration — Support for NDIS providers with the costs of obtaining registration to support service providers with cost of obtaining NDIS registration and to support the provision of education and training for providers, workers and auditors.

Provide support to providers, workers and auditors in relation to the registration process, via administration of the NDIS Commission grants program and management of its deliverables.

The NDIS Commission Grants Program creates resources and opportunities that enhance providers’, workers’ and auditors’ registration and training capability.

Program 1.2 — Program Support for the NDIS Quality and Safeguards Commission — To provide departmental funding for the annual operating costs of the NDIS Commission to enable the NDIS Commission to achieve its outcomes.

Complaints and reportable incidents management, communications and engagement with stakeholders, behaviour support leadership, registration of NDIS service providers, management of worker screening processes, compliance operations, intra-agency operational, legal, policy and administrative support.

The NDIS Commission uses the full range of compliance and enforcement levers available to influence an uplift in quality and safeguarding of NDIS supports and services.

Reduce the risk of harm to participants and lift the quality of service through guidance materials for providers and workers.

The use of restrictive practices is reduced or eliminated through increased quality of behaviour support plans (BSPs), and NDIS Commission programs contribute to an increased number of verified participants with behaviour support plans and a reduction in unauthorised restrictive practices (URPs).

The NDIS Commission support a thriving, diverse, registered NDIS market of providers who provide quality and safe NDIS supports and services.

People with disability know their rights and trust us to support them and their carers and advocates to make complaints, and report violence, abuse, neglect and risk of harm.

Providers and workers have an increased understanding of what quality and safety means to NDIS participants and understand the rights of people with disability as consumers.

     

Source: Australian Government, Portfolio Additional Estimates Statements 2024–25 the Social Services Portfolio, Commonwealth of Australia, Canberra, 2024, pp. 123–125, available from https://www.dss.gov.au/system/files/documents/2025-02/2024-25dsspaes-accessible.pdf [accessed 12 June 2025].

Footnotes

1 National Disability Insurance Agency, Quarterly Report Q4 2024–25, NDIA, 2025, p. 19, available from https://www.ndis.gov.au/media/7891/download?attachment [accessed 15 August 2025].

2 ibid., p. 75.

3 Active providers refer to those who have received payment in a given quarter for supporting NDIS participants. A registered provider has applied for registration with the NDIS Commission and has been issued a certificate of registration, while unregistered providers can deliver supports to self-managed or plan-managed participants but haven’t gone through the formal approval process. See NDIS Quality and Safeguards Commission, About registration, 23 May 2025, available from https://www.ndiscommission.gov.au/provider-registration/about-registration [accessed 20 August 2025].

4 The NDIS Commissioner is the accountable authority for the NDIS Commission under paragraph 181A(3)(b) of the NDIS Act. The NDIS Commissioner is appointed under section 181L of the NDIS Act by the Minister for the NDIS and holds the office for a specified time (not exceeding three years).

From July 2018 to October 2024, there have been three permanent and two acting Commissioners appointed to the role.

5 Sections 18 to 32 of the Regulatory Powers (Standard Provisions) Act 2014 set out monitoring powers including entering premises, operating electronic equipment, securing electronic equipment to obtain expert assistance, securing evidence of a contravention, to ask questions, to seek production of documents, and issuing monitoring warrants. It also sets out obligations and incidental powers of authorised persons.

Sections 73ZF to 73ZQ of the NDIS Act set out to powers to investigate and undertake the compliance action listed in this paragraph.

6 Reportable incidents are defined in subsections 73Z(4) and (5) of the NDIS Act. Under the NDIS Act a reportable incident means: the death of a person with disability; serious injury to a person with disability; abuse or neglect of a person with disability; unlawful sexual or physical contact with, or assault of, a person with disability; sexual misconduct committed against, or in the presence of, a person with disability, including grooming of the person for sexual activity; and the use of a restrictive practice in relation to a person with disability, other than where the use is in accordance with an authorisation (however described) of a State or Territory in relation to the person.

7 NDIS participants may choose their NDIS plan funding to be plan-managed, self-managed, NDIA-managed or a combination of the three options. Plan-managed is when a plan manager supports a participant to manage their funding, including by paying providers. In December 2024 the NDIA reported that 65 per cent of participants used a plan manager.

National Disability Insurance Agency, Quarterly Report Q3 2024–25, NDIA, 2025, p. 105, available from https://www.ndis.gov.au/media/7685/download?attachment [accessed 16 May 2025].

8 A restrictive practice is any practice or intervention that limits a person’s human rights or freedom of movement.

9 National Disability Insurance Scheme (Code of Conduct) Rules 2018, section 6.

10 Recommendation 17 of the Independent Review into the NDIS related to NDIS Commission visibility of unregistered providers: ‘Develop and deliver a risk-proportionate model for the visibility and regulation of all providers and workers, and strengthen the regulatory response to long-standing and emerging quality and safeguards issues.’

Bruce Bonyhady AM, Lisa Paul AO PSM, Working together to deliver the NDIS: Independent Review into the National Disability Insurance Scheme, 2023, p. 208, available from https://www.ndisreview.gov.au/sites/default/files/resource/download/working-together-ndis-review-final-report.pdf [accessed 27 February 2025].

11 The term ‘active’ refers to those providers who have received payment from the NDIA in the quarter for supporting NDIS participants.

12 Australian Government, Budget Paper No. 2: Budget Measures 2017–18, Commonwealth of Australia, Canberra, 2017, p. 154, available from https://archive.budget.gov.au/2017-18/bp2/bp2.pdf [accessed 9 May 2025].

Funding to establish the NDIS Commission was provided to the NDIS Commission, the Department of Social Services, the Department of Human Services, the Office of the Commonwealth Ombudsman, the National Disability Insurance Agency, the Administrative Appeals Tribunal and the Department of Finance.

13 In May 2023 Budget Paper No. 1 for the 2023–24 Federal Budget stated that Commonwealth-funded participant payments growth was expected to average 10.4 per cent over the projections period, compared to 13.8 per cent in the October Budget (2022–23 to 2032–33).

Australian Government, Budget Paper No. 1: Budget Strategy and Outlook 2023–24, Commonwealth of Australia, Canberra, 2023, p. 98, available from https://archive.budget.gov.au/2023–24/bp1/download/bp1_2023–24.pdf [accessed 27 February 2025].

14 The Honourable Ronald Sackville AO, KC, Barbara Bennett PSM, Rhonda Galbally AC, Andre Mason OAM, Alastair McErwin AM, the Honourable John Ryan AM and the Honourable Roslyn Atkinson AO, Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability Final Report, 29 September 2023, available from https://disability.royalcommission.gov.au/publications/final-report-complete-volume-formats [accessed 23 October 2024].

15 Joint Standing Committee on the National Disability Insurance Scheme, NDIS Quality and Safeguards Commission, Commonwealth of Australia, Canberra, 2021, available from https://parlinfo.aph.gov.au/parlInfo/download/committees/reportjnt/024506/toc_pdf/NDISQualityandSafeguardsCommission.pdf;fileType=application%2Fpdf [accessed 27 August 2025].

16 Bruce Bonyhady AM and Lisa Paul AO, PSM, NDIS Review Working together to deliver the NDIS: Independent Review into the National Disability Insurance Scheme, October 2023, available from https://www.ndisreview.gov.au/sites/default/files/resource/download/working-together-ndis-review-final-report.pdf [accessed 23 October 2024].

17 Natalie Wade, Michael Borowick JP, The Honourable Vicki O’Halloran AO CVO and Allan Fels, NDIS Provider and Worker Registration Taskforce Advice, 2024, available from https://www.dss.gov.au/system/files/resources/ndis-provider-and-worker-registration-taskforce-advice.pdf [accessed 22 April 2025].

18 Alan Robertson SC, Independent review of the adequacy of the regulation of the supports and services provided to Ms Ann-Marie Smith, an NDIS participant, who died on 6 April 2020, 2020, available from https://www.ndiscommission.gov.au/sites/default/files/2024-09/independent-review-report-commissioner-public-310820_1.pdf [accessed 25 February 2025].

19 The Hon Jennifer Boland AM, Overview Report of review into services provided by Irabina Autism services to NDIS participants, 15 February 2024, available from https://www.ndiscommission.gov.au/sites/default/files/2024-04/Boland%20Review_Summary%20Report%20redacted.pdf [accessed 25 February 2025].

20 Australian Government, Budget Paper No. 1: Budget Strategy and Outlook 2024–25, Commonwealth of Australia, Canberra, 2024, p. 324, available from https://archive.budget.gov.au/2024-25/bp1/download/bp1_2024-25.pdf [accessed 27 February 2025].

21 A ‘platform provider’ is a fee-based app or website an NDIS participant may use to connect with workers to deliver their NDIS services and supports.

22 National Disability Insurance Agency, Quarterly Report Q4 2024–25, 2025, p. 19, available from https://www.ndis.gov.au/media/7891/download?attachment [accessed 15 August 2025].

23 ibid., p. 75.

24 National Archives of Australia, Building trust in the public record: managing information and data for government and community, National Archives of Australia, Canberra, June 2023, available from https://www.naa.gov.au/sites/default/files/2024-01/building-trust-in-the-public-record-managing-information-and-data-for-government-and-community-v3-1.pdf [accessed 24 March 2025].

25 Under the Archives Act 1983 the National Archives of Australia is responsible for establishing information management standards for Australian Government entities. The Archives Act governs the handling, storage, and disposal of data as part of Commonwealth record keeping requirements.

26 The NDIS Commission’s Information Management-Normal Administrative Practice Policy, developed in November 2021 and updated January 2024, outlines the provisions for the destruction of material that no longer holds ongoing business or evidentiary value, such as duplicates, inconsequential drafts or personal information in accordance with the Archives Act.

27 The NDIS Commission was provided $160 million in the 2024–25 Budget for the Data and Regulatory Transformation (DART) program, to upgrade the Commission’s information technology systems, to better protect the safety of NDIS participants, reduce regulatory burden on NDIS providers, and improve cyber security.

28Privacy Act 1988 (Privacy Act), Schedule 1 subclause 1.3, available from https://www.legislation.gov.au/C2004A03712/latest/text [accessed 26 March 2025].

29 Off system workarounds included using spreadsheets for workflow and case management, and NDIS Commission staff using individual email mailboxes for official correspondence.

30 Australian National Audit Office, Insights: Administering Regulation, ANAO, Canberra, January 2021, available from https://www.anao.gov.au/work/insights/administering-regulation [accessed 29 January 2025].

31 NDIS Commission, Own Motion Inquiry into platform providers in the NDIS market: Terms of Reference, available from https://www.ndiscommission.gov.au/resources/reports-policies-and-frameworks/inquiries-reports-and-reviews/own-motion-inquiry-platform [accessed 23 September 2024].

32 Australian Government, Data and Digital Government Strategy: the data and digital vision for a world-class APS to 2030, 15 December 2023, available from https://www.dataanddigital.gov.au/sites/default/files/2023-12/Data%20and%20Digital%20Government%20Strategy%20v1.0.pdf [accessed 12 September 2024].

33 The NDIS Commission conducts activities to monitor and investigate NDIS providers and persons who provide disability supports and services to NDIS-funded participants. The NDIS Commission records such monitoring and investigation activities as a ‘Compliance and Investigation Matter’ in the Compliance Module in COS.

34 NDIS Quality and Safeguards Commission, Engagement Principles, 2024, available from https://www.ndiscommission.gov.au/sites/default/files/2024-09/General-Engagement-Principles.pdf [accessed 3 April 2025].

35 Section 9 of the NDIS Act defines protected NDIS Commission information as ‘information about a person (including a deceased person) that is or was held in the records of the Commission’.

36 This review was undertaken through a contract with Michelle Dodd Consulting. The contract had a total value of $33,000. See AusTender, Contract Notice View - CN4072775, available from https://www.tenders.gov.au/Cn/Show/575730e7-8d79-4a01-9189-358d96429799 [accessed 13 May 2025].

37 Australian Government entities that are party to the Fraud Fusion Taskforce include: Aged Care Quality and Safety Commission, Attorney-General’s Department, Australian Charities and Not-for-profits Commission, Australian Securities and Investments Commission, Australian Skills Quality Authority, Australian Criminal Intelligence Commission, Australian Federal Police, Australian Taxation Office, Australian Transaction Reports and Analysis Centre (AUSTRAC), Commonwealth Director of Public Prosecutions, Department of Employment and Workplace Relations, Department of Veterans’ Affairs, Department of Education, Department of Health and Aged Care, Department of Social Services, National Disability Insurance Agency, National Indigenous Australians Agency, NDIS Quality and Safeguards Commission, Professional Services Review Agency, Services Australia, and the Tax Practitioners Board.

National Disability Insurance Agency, Fraud Fusion Taskforce, 2025, available from https://www.ndis.gov.au/about-us/improving-integrity-and-preventing-fraud/fraud-fusion-taskforce [accessed 28 April 2025].

38 National Disability Insurance Scheme (Protection and Disclosure of Information—Commissioner) Rules 2018, available from https://www.legislation.gov.au/F2018L00635/latest/text [accessed 4 April 2024].

39 The NDIS Commission distributed email newsletters and alerts to inform NDIS providers and workers about changes, news, and research guiding quality practice.

40 Practice alerts give providers and workers information about quality practice for specific supports and services.

41 ‘Risk based and data driven’ is one of the three best practice principles outlined in the Department of Finance, Resource Management Guide 128: Regulator Performance, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128 [accessed 25 February 2025].

42 Department of Finance, Resource Management Guide 128: Regulator Performance, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128 [accessed 25 October 2024].

43 NDIS Quality and Safeguards Commission, Ministers Statement of Expectations, paragraph 3.10, available from https://www.ndiscommission.gov.au/sites/default/files/2023-06/Attachment%20B%20-%20Ministers%20Letter%20-%20Statement%20of%20Expectations.pdf [accessed 25 November 2024].

44 NDIS Quality and Safeguards Commission, Statement of Intent, available from https://www.ndiscommission.gov.au/sites/default/files/2023-06/Attachment%20A%20-%20NDIS%20Statement%20of%20Intent.pdf [accessed 27 November 2024].

45 Direction to the NDIS Quality and Safeguards Commissioner under section 181K of the National Disability Insurance Scheme Act 2013 – No. 1/2023 (the direction), Schedule 1, https://www.legislation.gov.au/F2023L01383/latest/text [accessed 27 August 2024].

46 See also Auditor-General Report No. 38 2024–25, Ministerial Statements of Expectations and Responding Statements of Intent, ANAO, Canberra, 2025, para 3.16, available from https://www.anao.gov.au/work/performance-audit/ministerial-statements-of-expectations-and-responding-statements-of-intent [accessed 10 June 2025].

The Ministerial Statements of Expectations and Responding Statements of Intent audit also found: the Statement of Expectations for the NDIS Commission fully addressed less than five of the 10 components set out in Resource Management Guide (RMG) 128: Regulator Performance (para 3.27); and the Statement of Intent addressed all four components set out in RMG 128 (para 3.33).

47 The Hon Mark Butler MP was appointed as Cabinet Minister for Disability and the National Disability Insurance Scheme and Senator the Hon Jenny McAllister was appointed Minister for the National Disability Insurance Scheme.

Department of the Prime Minister and Cabinet, Ministry list as at 13 May 2025, available from https://www.pmc.gov.au/sites/default/files/resource/download/ministry-list-13-may-2025.pdf [accessed 15 May 2025].

48 NDIS Quality and Safeguards Commission, Regulatory Approach, 2023, p. 10, available from https://www.ndiscommission.gov.au/sites/default/files/2023-05/Regulatory%20Approach%202023.pdf [accessed 6 May 2025].

49 The Strategic Plan committed to ‘building a regulatory strategy that focuses our regulatory approach to have the greatest impact for NDIS participants and strengthen the integrity of the scheme.’

NDIS Quality and Safeguards Commission, Strategic Plan 2022–2027, 2022, available from https://www.ndiscommission.gov.au/sites/default/files/2022-08/NDIS%20Commission%20-%20Strategic%20Plan%202022%20-%202027.pdf [accessed 6 December 2024].

50 NDIS Quality and Safeguards Commission, Regulatory Approach, 2023, p. 14, available from https://www.ndiscommission.gov.au/sites/default/files/2023-05/Regulatory%20Approach%202023.pdf [accessed 6 December 2024].

51 NDIS Quality and Safeguards Commission, Regulatory Approach, 2024, available from https://www.ndiscommission.gov.au/sites/default/files/2024-09/NDIS-Commission-Regulatory-Approach.pdf [accessed 15 May 2025].

52 Department of Finance, Regulator Performance (RMG 128), Principle 3: Collaboration and engagement, 2023, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128/principle-3-collaboration-and-engagement [accessed 19 February 2025].

In March 2025 the Joint Committee of Public Accounts and Audit recommended (Recommendation 9) that: the Department of Finance updates the requirements for the Regulator Stocktake to require each entity with regulatory functions to publish a Regulator Statement, on a common template and reviewed annually, that would provide, at a minimum, the following:

53 NDIS Quality and Safeguards Commission, Compliance and Enforcement Policy, 2022, p. 7, available from https://www.ndiscommission.gov.au/sites/default/files/2022-11/Compliance%20and%20Enforcement%20Policy%20Nov%202022.pdf [accessed 6 May 2025].

54 The 2022 Compliance and Enforcement Policy uses the Ayres & Braithwaite compliance pyramid to illustrate how the Commission should undertake proportionate regulatory responses.

NDIS Quality and Safeguards Commission, Compliance and Enforcement Policy, 2022, p. 7, available from https://www.ndiscommission.gov.au/sites/default/files/2022-11/Compliance%20and%20Enforcement%20Policy%20Nov%202022.pdf [accessed 6 May 2025].

55 ibid., pp. 5–6.

56 Administrative actions include education, corrective action requests, warning letters, compliance notices, infringement notices, enforceable undertakings, varying, suspending or revoking registration, and bans. Court-based actions include injunctions, taking action to enforce an undertaking, and civil penalties.

57 NDIS Quality and Safeguards Commission, Compliance and Enforcement Policy, 2024, available from https://www.ndiscommission.gov.au/sites/default/files/2025-02/NDIS%20Commission%20Compliance%20and%20Enforcement%20Policy%20-%203%20September%202024.pdf [accessed 2 April 2025].

58 RMG 128 states that:

Strategic management of risk can also improve efficiency by prioritising resources to the areas of highest risk, and increase compliance by focusing limited resources on the areas of the greatest risk of non-compliance. It can also reduce the overall compliance and cost burden by minimising government intervention where the risks are relatively low.

Department of Finance, Regulator Performance (RMG 128), Principle 2: Risk based and data driven, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128/principle-2-risk-based-and-data-driven [accessed 25 February 2025].

The 2023–24 Compliance Priorities state that ‘The NDIS Commission sets regulatory priorities at the commencement of the financial year to enable us to target our effort and resources towards identified areas of heightened risk.’

NDIS Quality and Safeguards Commission, Compliance Priorities 2023–24, 2023, available from https://www.ndiscommission.gov.au/sites/default/files/2023-10/Attachment%20A%20-%20Compliance%20Priorities%202023–24_post%20consult_20102023.pdf [accessed 13 December 2024].

59 NDIS Quality and Safeguards Commission, Compliance and enforcement, 2024, available from https://www.ndiscommission.gov.au/about-us/compliance-and-enforcement [accessed 13 December 2024].

60 NDIS Quality and Safeguards Commission, Compliance and Enforcement Priorities 2021–22, available from https://www.ndiscommission.gov.au/sites/default/files/2024-09/compliance-priorities-2021-22-.pdf [accessed 13 December 2024].

NDIS Quality and Safeguards Commission, Compliance Priorities 2023–24, available from https://www.ndiscommission.gov.au/sites/default/files/2023-10/Attachment%20A%20-%20Compliance%20Priorities%202023–24_post%20consult_20102023.pdf [accessed 13 December 2024].

NDIS Quality and Safeguards Commission, Regulatory Priorities 2024–25, available from https://www.ndiscommission.gov.au/about-us/compliance-and-enforcement#paragraph-id-8636 [accessed 8 May 2025].

61 Department of Finance, Regulator Performance (RMG 128), Principle 2: Risk based and data driven, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128/principle-2-risk-based-and-data-driven [accessed 25 February 2025].

62 Australian National Audit Office, Insights: Administering Regulation, ANAO, Canberra, January 2021, available from https://www.anao.gov.au/work/insights/administering-regulation [accessed 29 January 2025]

63 The 2024 Enterprise Risk Management Framework and Policy stated that it supports compliance with obligations applying to the NDIS Commission including those under the National Disability Insurance Scheme Act 2013, Public Service Act 1999, Public Governance, Performance and Accountability Act 2013, Work Health and Safety Act 2011 and associated regulations, Public Interest Disclosure Act 2013, Commonwealth Risk Management Policy, Commonwealth Procurement Rules and the Commonwealth Grant Rules and Guidelines, Commonwealth Fraud and Corruption Control Framework 2024 and International Standard on Risk Management AS ISO 31000:2019.

64 NDIS Quality and Safeguards Commission, Regulatory Approach, 2024, p. 12, available from https://www.ndiscommission.gov.au/sites/default/files/2024-08/NDIS%20Commission%20Regulatory%20Approach%20-%2030%20Jan%202023_240822.pdf [accessed 4 February 2025].

65 The contract with GSA Management Consulting Pty Ltd for this work had a total value of $218,019.66. See AusTender, Contract Notice View - CN4082710-A1, available from https://www.tenders.gov.au/Cn/Show/c2132ad9-f565-453f-9cb5-70ba736b9bca [accessed 20 May 2025].

66 NDIS Quality and Safeguards Commission, Compliance and Enforcement Policy, NDIS Commission, 2024, p. 4, available from https://www.ndiscommission.gov.au/sites/default/files/2025-02/NDIS%20Commission%20Compliance%20and%20Enforcement%20Policy%20-%203%20September%202024.pdf [accessed 14 March 2025].

67 ibid., p. 9.

68 The type and frequency of audit varies depending on the class of supports provided. For example, new applicants providing lower risk supports are subject to verification assessments rather than provisional audits.

Paragraph 73F(1)(c) of the NDIS Act sets out that a registered NDIS provider is subject to the conditions (if any) determined by the National Disability Insurance Scheme rules under section 73H.

69 A risk-assessed role includes when a worker is involved in the direct delivery of specified supports or services to a person with disability, for example, NDIS workers providing assistance with daily personal activities; assistance to access and maintain employment or higher education; community nursing care; early intervention supports for early childhood; and interpreting and translating.

NDIS Quality and Safeguards Commission, List of Specified Services and Supports for the Purposes of the National Disability Insurance Scheme (Practice Standards - Worker Screening) Rules 2018, available from https://www.ndiscommission.gov.au/sites/default/files/2024-11/list-of-specified-supports-services.pdf [accessed 24 February 2025].

70 Worker screening includes an assessment of national criminal history information held by law enforcement agencies; disciplinary and misconduct information held by the NDIS Commission; and the outcome of any previous NDIS worker screening application within Australia.

71 Regulated restrictive practices include specified forms of seclusion, chemical restraint, mechanical restrain, physical restraint and environmental restraint.

National Disability Insurance Scheme (Restrictive Practice and Behaviour Support) Rules 2018, section 6, available from https://www.legislation.gov.au/F2018L00632/latest/text [accessed 7 April 2025].

72 Paragraphs 21(3)(c)–(f) of the National Disability Insurance Scheme (Restrictive Practice and Behaviour Support) Rules 2018 state that restricted practice must be used as a last resort, be the least restrictive possible practice, reduce the risk of harm to the person with disability or others and be proportionate to the negative consequences of harm.

73 NDIS Quality and Safeguards Commission, NDIS Quality and Safeguards Commission Annual Report 2022–23, 2023, pp. 44-45, 48, 59, 68, 149–150, available from https://www.ndiscommission.gov.au/about-us/corporate-reports [accessed 14 March 2025].

74 Factors considered in selecting providers for site visits included registration type, size, number of participants for whom the provider is the sole provider, registration group and number of behaviour support plans.

75 Certain types of services may only be provided by registered providers and therefore the NDIS Commission would report only data for registered providers for those topics, such as plan management.

76 The report did not distinguish between alleged and confirmed complaints.

77 The NDIS Rules are legislative instruments made under the NDIS Act. See paragraph 1.5.

78 Section 73Z of the NDIS Act defines a reportable incident as: the death of a person with disability; serious injury to a person with disability; abuse or neglect of a person with disability; unlawful sexual or physical contact with, or assault of, a person with disability; sexual misconduct committed against, or in the presence of, a person with disability, including grooming of the person for sexual activity; and the unauthorised use of a restrictive practice in relation to a person with disability.

Section 22 of the National Disability Insurance Scheme (Incident Management and Reportable Incidents) Rules 2018 provides an exemption to section 20 and 21 requirements in circumstances that could prejudice the conduct of a criminal investigation or expose a person with disability to a risk of harm.

79 Prior to April 2023, the Quarterly Performance Report was titled ‘3 month activity report’. The reports are published on the Commission’s website, available from: https://www.ndiscommission.gov.au/about-us/corporate-reports#paragraph-id-8759 [accessed 20 May 2025].

80 Reportable incident reporting did not included reports of unauthorised restricted practices.

81 The AGIS requirements are set out in four ‘streams’: Personnel; Information and Evidence Management; Investigative Practices; and Quality Assurance. The AGIS sets out the following requirement for entities relating to a quality assurance policy: ‘Entities must have an investigations Quality Assurance Policy in place that includes conducting quality assurance activities (type and frequency) for types of investigations; and linking quality assurance activities to an entity’s annual enterprise risk assurance program.’

Australian Government, Australian Government Investigations Standards, Australian Federal Police, Canberra, 2022, section 4.1, p. 16, available from: https://www.ag.gov.au/sites/default/files/2022-12/Australian-Government-Investigations-Standard-2022.pdf [accessed 17 March 2025].

82 NDIS Quality and Safeguards Commission, Compliance and Enforcement Policy, 2024, p. 11, available from https://www.ndiscommission.gov.au/sites/default/files/2025-02/NDIS%20Commission%20Compliance%20and%20Enforcement%20Policy%20-%203%20September%202024.pdf [accessed 19 May 2025].

83 Quarterly performance reports are published on the NDIS Commission’s website: NDIS Quality and Safeguards Commission, Corporate Reports, available from https://www.ndiscommission.gov.au/about-us/corporate-reports#paragraph-id-8669 [accessed 17 March 2025].

84 The Acts Interpretation Act 1901 establishes a framework for delegating legislated functions, duties or powers. See Acts Interpretation Act 1901, sections 34AA and 34AB and Australian Government Solicitor, Legal briefing - Delegations, authorisations and the Carltona principle, 16 June 2022, available from https://www.ags.gov.au/publications/legal-briefing/lb-20220616#12 [accessed 29 January 2025].

85 The ANAO assessed the following compliance actions available to the NDIS Commission: warning letter, corrective action request, obtain information to ensure integrity of the NDIS, obtain information from registered provider, vary registration, suspend registration, revoke registration, compliance notice, enforceable undertaking, injunction, infringement notice, civil penalty, banning order, vary/revoke banning order. See NDIS Quality and Safeguards Commission, Compliance and Enforcement Policy, 2024, pp. 10–11, available from https://www.ndiscommission.gov.au/sites/default/files/2025-02/NDIS%20Commission%20Compliance%20and%20Enforcement%20Policy%20-%203%20September%202024.pdf [accessed 2 April 2025].

86 An improvement notice was issued to the NDIS Commission by Comcare in April 2023 after Comcare found no evidence that strategies to address workplace risks, including excessive workloads, had been implemented by the NDIS Commission. In September 2024, the Acting NDIS Commissioner engaged Elizabeth Broderick AO to lead a review into the workplace culture of the NDIS Commission. The Cultural Review of the NDIS Quality and Safeguards Commission report was published on the Commission’s website in August 2025, available from: https://www.ndiscommission.gov.au/about-us/corporate-reports/broderick-review [accessed 27 August 2025].

87 The contract with Proximity Advisory Services Pty Ltd for this work had a total value of $350,900.00. See Austender, Contract Notice View - CN4002961, available from https://www.tenders.gov.au/Cn/Show/4f0e1477-8006-4f0c-b11d-6b97124e204a [accessed 20 May 2025].

88 The NDIS Commission undertook an Investigation Improvement Project from November 2023 to September 2024 to implement the recommendations from a commissioned review of protracted and complex ongoing investigations in June 2023. The contract with Wisdom Learning Pty Ltd for this work had a total value of $385,480.00. See AusTender, Contract Notice View – CN4052583, available from https://www.tenders.gov.au/Cn/Show/5e37e26e-9595-44d3-83bc-6d4e8ebccd7f [accessed 13 May 2025].

89 Auditor-General Report No. 23 2021–22, Annual Performance Statements Audit, ANAO, Canberra, 2022, paragraph 14, available from https://www.anao.gov.au/sites/default/files/Auditor-General_Report_2021–22_23.pdf [accessed 7 March 2025].

90 Department of Finance, Resource Management Guide 128: Regulator Performance, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128 [accessed 25 February 2025].

91 Direction to the NDIS Quality and Safeguards Commissioner under section 181K of the National Disability Insurance Scheme Act 2013 – No. 1/2023 (the direction), Schedule 1, available from https://www.legislation.gov.au/F2023L01383/latest/text [accessed 27 August 2024].

Subsection 5(3) of Schedule 1 of the direction requires information on compliance and enforcement action to include details of the number and kinds of actions taken, the average time between the receipt of a complaint and any action taken, and the average time between the notification of a reportable incident and any action taken.

92 Department of Finance, Resource Management Guide 128: Regulator Performance, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128 [accessed 25 February 2025].

93 NDIS Quality and Safeguards Commission, Audit and Risk Committee Charter, August 2023, p. 4, available from https://www.ndiscommission.gov.au/sites/default/files/2023-08/ARC%20Charter%20-%208%20August%202023.pdf [accessed 19 March 2025].

94 ibid.

95 NDIS Quality and Safeguards Commission, Audit and Risk Committee Charter, September 2024, available from https://www.ndiscommission.gov.au/sites/default/files/2024-10/ARC%20Charter%20September%202024.pdf [accessed 19 March 2025].

96 Section 16 EA of the PGPA Rule requires performance measures to: relate directly to one or more of the entity’s purposes or key activities; use sources of information and methodologies that are reliable and verifiable; provide an unbiased basis for the measurement and assessment of the entity’s performance; where reasonably practicable, comprise a mix of qualitative and quantitative measures; include measures of the entity’s outputs, efficiency and effectiveness if those things are appropriate measures of the entity’s performance; and provide a basis for an assessment of the entity’s performance over time.

97 NDIS Quality and Safeguards Commission, NDIS Quality and Safeguards Commission Annual Report 2022–23, 2023, p. 54, available from https://www.ndiscommission.gov.au/about-us/corporate-reports [accessed 14 March 2025].

98 Government expectations for regulators are set out in the Department of Finance, Resource Management Guide 128: Regulator Performance, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128 [accessed 25 February 2025].

99 NDIS Quality and Safeguards Commission, NDIS Quality and Safeguards Commission Annual Report 2023–24, 2024, p. 70, available from https://www.ndiscommission.gov.au/sites/default/files/2024-10/20241018_AR_accessible.pdf [accessed 14 March 2025].

100 Department of Finance, Resource Management Guide 131: Developing performance measures, available from https://www.finance.gov.au/government/managing-commonwealth-resources/developing-performance-measures-rmg-131 [accessed 20 May 2025].

101 Department of Finance, Resource Management Guide 128: Regulator Performance, available from https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128 [accessed 25 February 2025].

102 The report was titled ‘Activity Report’ until the fourth quarter of 2022–23 when it changed to ‘Performance Report’ and included more detailed breakdowns of data sets. Reports included data on NDIS participants, complaints, registered providers, audit activity, reportable incidents, unauthorised restrictive practices, behaviour support practitioners, compliance action outcomes, worker screening, Contact Centre engagement, number of contacts received and COVID-19 statistics.

NDIS Quality and Safeguards Commission, Corporate Reports, available from https://www.ndiscommission.gov.au/about-us/corporate-reports#paragraph-id-8777 [accessed 6 March 2025].

103 Performance Measure 3.1 was ‘Quality and safety risks are reduced thorough the use of regulatory levers to exit unscrupulous and ineffective operators and workers from the market.’

NDIS Quality and Safeguards Commission, NDIS Quality and Safeguards Commission Annual Report 2023–2024, 2024, pp. 85–86, available from https://www.ndiscommission.gov.au/sites/default/files/2024-10/20241018_AR_accessible.pdf [accessed 6 March 2025].

104 As set out in paragraph 4.91, the NDIS Commission’s 2024–25 Portfolio Budget Statements (PBS) included the 2023–24 PBS measures and targets, which had been published instead of updated performance measures and targets for 2024–25. The February 2025 NDIS Commission’s Portfolio Additional Estimates Statements included the updated performance measures for 2024–25.