Introduction

1.1 The National Disability Insurance Scheme (NDIS), established in 2013 under the National Disability Insurance Scheme Act 2013 (NDIS Act), provides funding for supports for people with permanent and significant disability. Commonwealth, state and territory governments jointly fund the NDIS under bilateral arrangements. The NDIS Quality and Safeguards Commission (NDIS Commission, or Commission) was established on 1 July 2018 as the regulator for the NDIS. The NDIS Commission regulates registered and unregistered NDIS providers (as defined in section 9 of the NDIS Act) and workers to improve the quality and safety of NDIS services and advance the human rights of people with disability.

1.2 The NDIS Commission is a non-corporate Commonwealth entity under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The NDIS Quality and Safeguards Commissioner (NDIS Commissioner, or Commissioner) is the accountable authority for the NDIS Commission.⁴ In September 2024 an Associate Commissioner, with lived experience of disability, was appointed to assist the Commissioner with registration and reform responsibilities.

NDIS Commissioner’s regulatory functions

1.3 The NDIS Act sets out the powers and functions of the NDIS Commissioner. The NDIS Commissioner’s core functions (set out in section 181E of the NDIS Act) are:

• to uphold the rights of, and promote the health, safety and wellbeing of people with disability receiving supports or services, including those received under the NDIS;
• to develop a nationally consistent approach to managing quality and safeguards for people with disability receiving supports or services, including those received under the NDIS;
• to promote the provision of advice, information, education and training to NDIS providers and people with disability;
• to secure compliance with the NDIS Act through effective compliance and enforcement arrangements;
• to promote continuous improvement amongst NDIS providers and the delivery of progressively higher standards of supports and services to people with disability;
• to develop and oversee the broad policy design for a nationally consistent framework relating to the screening of workers involved in the provision of supports and services to people with disability;
• to provide advice or recommendations to the National Disability Insurance Agency (NDIA) or its Board in relation to the performance of the NDIA’s functions;
• to engage in, promote and coordinate information sharing to achieve the objects of the NDIS Act; and
• to provide NDIS market oversight, including by monitoring changes in the NDIS market which may indicate emerging risk, and monitoring and mitigating the risks of unplanned service withdrawal.

1.4 The NDIS Act also sets out the Commissioner’s functions relating to: provider registration and reportable incidents (section 181F); complaints management (section 181G); behaviour support oversight (section 181H); and establishing, operating and maintaining a worker screening database (section 181Y). The NDIS Commissioner may make guidelines relating to the performance of functions and powers (subsection 181D(2)).

1.5 The NDIS Rules are legislative instruments made under the NDIS Act to support administration of the Scheme. NDIS Rules relevant to the Commissioner’s functions include rules on complaints management and resolution; worker screening; provider registration; and protection and disclosure of information.

1.6 The NDIS Act and the Regulatory Powers (Standard Provisions) Act 2014 empowers authorised NDIS Commission persons to: monitor, investigate and issue civil penalty provisions, infringement notices, compliance notices and banning orders; vary or revoke banning orders and infringement notices; and seek injunctions from the relevant court.⁵

1.7 Numbers of complaints and reportable incidents notices received by the Commission, and behaviour support plans lodged with the Commission, from 2018–19 to 2023–24 are set out at Figure 1.1.⁶ Details of when NDIS Commission quality and safeguarding functions were rolled out to each state and territory are in Figure 1.2.

Figure 1.1: Complaints and reportable incidents received, and behaviour support plans lodged from 2018–19 to 2023–24

Note: The ANAO used publicly reported figures. Paragraphs 4.94 to 4.96 discuss NDIS Commission quarterly reporting data quality issues.

Source: ANAO representation of information from NDIS Commission Annual Reports and Quarterly Performance Reports.

1.8 Not all NDIS providers are required to be registered with the NDIS Commission to deliver services and supports. Providers must be registered to provide: specialist disability accommodation (SDA); specialist behaviour support services; supports or services to NDIS participants with NDIA managed funding⁷; plan management services; and if they plan to use, or use, regulated restrictive practices.⁸ Unregistered providers can deliver supports and services to participants who self-manage or plan-manage their NDIS funding. Registered providers must comply with both the NDIS Code of Conduct and NDIS Practice Standards, while unregistered providers are held to account against the Code of Conduct.⁹

1.9 The final report of the Independent Review into the NDIS, published in October 2023, stated:

The NDIS Quality and Safeguards Commission (NDIS Commission) does not have visibility of the significant unregistered provider market. This means the NDIS Commission cannot effectively monitor the market or proactively intervene to prevent harm and promote quality improvement, and has fewer options for taking action against providers if something goes wrong.¹⁰

1.10 At the time of the audit, the NDIS Commission did not have data on the total number of unregistered NDIS providers operating in the market. The Commission advised the ANAO in April 2025:

The NDIS Commission does not have full visibility of the market it regulates. It sources data about the unregistered market through data sharing with the NDIA. The NDIS Commission undertakes analysis of claims for payment for services delivered by registered and unregistered providers to plan-managed and NDIA-managed participants. The NDIS Commission does not have visibility of payment arrangements for self-managed participants.

1.11 NDIA reporting on unregistered providers from 2021–22 to 2024–25 is set out in Table 1.1.

Table 1.1: NDIA quarterly reporting on active unregistered providers and plan managed payments

Note a: Figures in this table relate to active providers who received payment in quarter four for supporting NDIS participants. NDIA reporting on unregistered providers was not available prior to 2021–22 and did not include annualised figures.

Note b: This information was not reported. Total unregistered providers have not been included in this table due to data limitations.

Source: NDIA quarterly reports to disability ministers.

1.12 The NDIA reported that in the fourth quarter of 2024–25 there was a total of 16,363 active registered providers and 254,018 active unregistered providers.¹¹ Of the 254,018 unregistered providers, 181,938 received plan-managed payments.

NDIS Commission funding

1.13 Funding of $209.0 million over four years was provided in the 2017–18 Federal Budget to establish the Commission and commence operations from 1 January 2018.¹² Under a phased roll out to introduce a nationally consistent system, the NDIS Commission progressively replaced quality and safeguarding arrangements in states and territories between 1 July 2018 and 1 December 2020. From 1 July 2021 the NDIS Commission began implementing all quality and safeguarding functions nationally (see Figure 1.2).

Figure 1.2: Phased rollout of the NDIS Commission

Source: ANAO representation of publicly available information.

1.14 The Commission has received additional resourcing to carry out its functions through terminating Budget measures.

• The 2020–21 Federal Budget provided the NDIS Commission additional funding of $93 million over four years to support the NDIS Commission to regulate providers nationally, improve the quality and safety of NDIS supports and expand its compliance and investigative capacity.
• The 2023–24 Federal Budget provided the Commission further funding of $142.6 million over two years to support the Commission in carrying out its role, including to minimise risks to participants, address outstanding casework, uplift internal ICT capability and to improve market quality and participant experience.
• The 2024–25 Federal Budget allocated $160 million over four years to upgrade the Commission’s information technology systems.
• The 2024–25 Mid-Year Economic and Fiscal Outlook extended terminating funding for the NDIS Commission by $143.9 million over two years from 2025–26 to ‘ensure [it is] appropriately resourced to continue to support NDIS Participants.’

1.15 Table 1.2 sets out the departmental resourcing and average staffing level for the NDIS Commission since commencement.

Table 1.2: NDIS Commission departmental resourcing and average staffing levels 2018–19 to 2025–26

Note a: Estimated actual figure reported in the Social Services Portfolio Budget Statements 2025–26.

Source: ANAO representation of information from Social Services Portfolio Budget Statements.

1.16 The NDIS is a demand-driven program and is projected to continue growing. Table 1.3 shows the increase in NDIS participants, registered providers and scheme payments between 2018–19 and 2024–25. Budget Paper No. 1 for the 2024–25 Federal Budget stated, ‘NDIS Commonwealth funded participant payments growth is expected to average 9.2 per cent per year over the projections period’ (to 2034–35).¹³

Table 1.3: NDIS participants, providers and payments as at 30 June annually

Note a: The NDIS Commission commenced operation in New South Wales and South Australia in July 2018. It commenced in all states and territories, except Western Australia, in July 2019. From July 2021, the Commission was fully operational at a national level. Figure 1.2 sets out details of the Commission’s phased rollout.

Note b: The NDIS was progressively rolled out to each State and Territory over a four-year period from July 2016. The NDIS was at full national scheme from 1 July 2020.

Note c: The NDIS Commission transitioned 9,703 providers from the NDIA in New South Wales and South Australia on 1 July 2018. Approximately 1700 transitioned providers did not commence a process to retain their registration with the NDIS Commission.

Source: NDIS Commission Annual Reports and Quarterly Performance Reports; NDIA Quarterly Reports to disability ministers; and NDIS Commission documentation.

NDIS Commission governance structure

1.17 Prior to July 2024 the Executive Leadership Team (ELT) was the NDIS Commission’s key governance body with oversight of the Commission’s performance. In July 2024 a new governance structure was approved, which replaced the ELT and the ELT+ (membership was the ELT and Senior Executive Service Band 1s) with the Finance, Staffing and Strategic Investment Committees. In November 2024 the Finance, Staffing and Strategic Investment Committees were replaced with the Executive Management Group (EMG) and the Senior Leadership Group (SLG). The diagram at Figure 1.3 reflects the Commission’s internal governance structure at 13 November 2024.

Figure 1.3: NDIS Commission governance structure

Source: ANAO representation of NDIS Commission documentation.

NDIS reform

1.18 The NDIS environment has been subject to non-legislative review in recent years including:

• the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability¹⁴;
• Joint Standing Committee on the NDIS’s inquiry into the NDIS Quality and Safeguards Commission¹⁵;
• Independent Review into the NDIS¹⁶;
• the NDIS Provider and Worker Registration Taskforce¹⁷;
• Independent review of the adequacy of the regulation of the supports and services provided to Ms Ann-Marie Smith, an NDIS participant, who died on 6 April 2020 (the Robertson Review)¹⁸; and
• Review into services provided by Irabina Autism services to NDIS participant (the Boland Review).¹⁹

1.19 In April 2023 the Minister for the NDIS announced that National Cabinet had agreed to an NDIS Financial Sustainability Framework, which sets an annual scheme growth target of eight per cent by July 2026. In March 2024 the Australian Government introduced the National Disability Insurance Scheme Amendment (Getting the NDIS Back on Track) Bill 2024 No. 1 (the Bill) to Parliament. In May 2024 the 2024–25 Federal Budget Strategy and Outlook stated that the Bill, and subsequent amendments to NDIS rules and other legislative instruments, ‘will moderate growth in NDIS expenditure, by determining NDIS participant plan budgets more consistently based on participant need and supporting participants to spend in accordance with their plans.’²⁰ The Bill was passed in August 2024 and took effect in October 2024.

1.20 On 16 September 2024, the Minister for the NDIS announced the registration requirement for all platform providers²¹, supported independent living (SIL) providers and support coordinators. No changes or transition to the mandatory registration of these providers will happen before 1 July 2025.

1.21 In October 2024 the Minister for the NDIS announced a second tranche of proposed amendments to the NDIS Act intended to improve the protections and quality and safety of supports for participants. Public consultation on the proposed legislative changes was opened between October and December 2024. As at June 2025 the Australian Government was yet to determine the timing of the release and public consultation for the exposure draft of a further amendment bill.

Rationale for undertaking the audit

1.22 The NDIS Commission is the regulator for the NDIS. The NDIS provides funding to a large number of participants — as at 30 June 2025 there were 739,414 NDIS participants with approved plans.²² The NDIS also forms a significant portion of government spending, with total scheme payments of $46.3 billion in 2024–25.²³ The NDIS operating environment has been subject to a number of reviews in recent years, which have made a range of recommendations including seeking improvements in information sharing, provider registration, restrictive practices, complaints handling and compliance and enforcement arrangements. This audit provides independent assurance to Parliament over whether the NDIS Commission is effectively exercising its regulatory functions.

Audit approach

Audit objective, criteria and scope

1.23 The objective of the audit was to assess the effectiveness of the NDIS Commission in exercising its regulatory functions.

1.24 To form a conclusion against the objective, the following high-level criteria were applied:

• Does the NDIS Commission have effective intelligence gathering and information sharing arrangements in place?
• Has the NDIS Commission developed a risk-based strategy to guide regulatory decision-making?
• Has the NDIS Commission effectively implemented risk responsive and proportionate monitoring, compliance and enforcement activities?

1.25 This audit focussed on the period 1 July 2022 to 30 June 2024. Periods outside this were considered where relevant and to provide context.

1.26 Key focus areas examined by the ANAO were intelligence, information sharing, risk management, strategy, monitoring, compliance and enforcement activities and performance reporting. The ANAO did not examine in detail the other key functions of the Commission, including provider registration, quality auditor appointments and worker screening.

Audit methodology

1.27 The audit methodology included:

• review and analysis of NDIS Commission records;
• walkthroughs of NDIS Commission systems and processes;
• visits to NDIS Commission offices in Canberra, Brisbane and Melbourne;
• meetings with NDIS Commission and NDIA officials; and
• reviewing 21 citizen contributions received.

1.28 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $725,400.

1.29 The team members for this audit were Freya Mathie, Sophie Capel, Rory Tredinnick, Andrew McIntyre, Jake Farquharson, Sonya Carter, Alexandra Collins and Corinne Horton.

2.1 The National Disability Insurance Scheme Act 2013 (NDIS Act) establishes requirements for the NDIS Quality and Safeguards Commissioner (NDIS Commissioner, or Commissioner) relating to intelligence gathering and information sharing. Sections 181F and 181G of the NDIS Act require the Commissioner to collect, correlate, analyse and disseminate information on incidents and complaints. Section 181H of the Act requires the Commissioner to collect, analyse and disseminate data and other information relating to the use of behaviour supports and restrictive practices by National Disability Insurance Scheme (NDIS) providers.

2.2 Effective information sharing is a key factor in enabling the NDIS Commission to carry out its regulatory functions. Subsection 181E(h) of the NDIS Act establishes that a core function of the NDIS Commissioner is ‘to engage in, promote and coordinate the sharing of information to achieve the objects of this Act’. Sections 60, 67A and 67E of the NDIS Act and the National Disability Insurance Scheme (Protection and Disclosure of Information—Commissioner) Rules 2018 set out the information handling requirements for the Commission, including the use and disclosure of NDIS Commission information. Section 9 of the NDIS Act defines protected NDIS Commission information as ‘information about a person (including a deceased person) that is or was held in the records of the Commission’.

Does the NDIS Commission have systems and processes for collecting, correlating, and analysing intelligence to support its regulatory approach?

Information collection and storage

Information management

2.3 The National Archives’ Building trust in the public record policy requires entities to ‘implement fit-for-purpose information management processes, practices and systems’ and states that poor information management includes where information is ‘siloed in different systems where all needed information cannot be retrieved, or information cannot be exchanged’.²⁴

2.4 The NDIS Commission developed an Information Management Policy in October 2021, which established the Commission’s records management responsibilities in accordance with the Archives Act.²⁵ The Policy was supported by the Information Governance Framework, approved in November 2021, which sets out the governance arrangements for managing Commission information assets including data, records and information.²⁶

2.5 The Information Management Policy stated that Archiving and Records Compliance (ARC) was the Commission’s official Electronic Document and Records Management System (EDRMS) ‘for the capture and management of information assets’. The policy also stated that COS, Parliamentary Document Management System (PDMS, which is used for ministerial and parliamentary business) and LEX (used for legal matter management) were ‘endorsed for the capture and storage of specific information assets’.

2.6 The Executive Leadership Team (ELT) considered internal advice in July 2022 that:

COS is the main business system used to create, capture and manage digital information documenting the core or unique functions and activities of the NDIS Quality and Safeguards Commission (NDIS Commission). COS holds high-value and high-risk information – information that is the authoritative source of truth.

2.7 The Information Management Policy was reviewed and updated in January 2024 and states that staff are required to capture and store information on the Commission’s endorsed EDRMS — the ARC system — unless there is another NDIS Commission approved system that is fit for purpose to capture the information.

2.8 The Commission uses other systems, in addition to ARC, for collection, storage and use of information. COS is used to workflow and manage compliance actions and investigations. This is inconsistent with the 2024 Information Management Policy. The Commission advised the ANAO in April 2025 that ‘COS is not considered fit for purpose and will be replaced by the DART [Data and Regulatory Transformation] Program, which is underway’.²⁷ The Commission has not documented approval for COS to be a system ‘fit-for-purpose to capture the information’ as required by the 2024 Information Management Policy.

Privacy policy

2.10 The Australian Privacy Principles require entities, including the NDIS Commission, to have a clearly expressed and up-to-date policy about the management of personal information.²⁸ The NDIS Commission established a Privacy Policy in December 2023. Prior to this, the Commission had separate ‘internal’ and ‘external’ privacy policies. The 2023 Privacy Policy and preceding ‘external’ privacy policy included the information required by the Privacy Principles.

IT system limitations

2.11 COS was developed by the Department of Social Services to support the commencement of the Commission’s operations on 1 July 2018. Following machinery of government changes in 2020, Services Australia manages, maintains and undertakes development of COS. Changes have been made to COS over time, including the addition of modules to support the Commission’s functions. Internal advice to the ELT in July 2022 reported that COS had functionality gaps and had been non-compliant with Australian Government record keeping and metadata requirements since 2018. In response to this advice, the ELT agreed ‘in-principle’ that, as a short-term solution to risks associated with information management functionality gaps, data from COS be manually transferred to ARC pending an upcoming Digital and Data Strategy and project.

2.12 In December 2022 the Digital and Data Strategy project reported the following gaps in the NDIS Commission’s capabilities to the ELT:

• limited ability to manage workflow activities and track progress with applications and complaints;
• extensive off-system usage across the main operational functions with various workarounds used to complete operational tasks²⁹;
• limited ability to identify and manage risks based on individual cases or systemic risk;
• the current systems reinforce functional silos and do not support effective operations and information sharing; and
• lack of automation of simple activities leading to lost time and repetition of processes.

2.13 In December 2022 the ELT endorsed ‘in-principle’ the Data and Digital Strategy, including a technology investment roadmap for new capability delivery, subject to the Commission’s consideration of ELT comments and feedback. The ELT did not approve the final Strategy.

2.14 An August 2024 outsourced ‘Enterprise Prioritisation Model’ report (see further discussion from paragraph 3.38) assessed that COS was an ‘inadequate’ supporting system and noted ‘a significant occurrence of off-system matter data because of the low capability of the COS system.’

2.15 The NDIS Commission’s information management systems do not support the collection of accurate, integrated and reliable information on regulated entities, activities and individuals supports. Such information is important to inform regulators in assessing risks of non‐compliance and the development of targeted compliance and enforcement strategies.³⁰ As discussed in paragraph 1.14, the Commission was allocated $160 million in the 2024–25 Federal Budget for technological uplift under the DART project.

Information correlation and analysis

2.16 Sources of information and intelligence received by the NDIS Commission include complaints; reportable incidents; tip-offs; social media and open-source intelligence scans and alerts; NDIA data (including participant, linked provider, payment and claims data); Australian Securities and Investments Commission data; the Australian Business Register data; criminal history checks; and data from the Australian Financial and Security registers.

2.17 The NDIS Commission had not established a strategic framework or formalised processes for its analysis activities. The NDIS Commission has undertaken activities to analyse the information it has gathered, through developing intelligence products and conducting own motion inquiries.

Intelligence products

2.18 The NDIS Commission established a Risk, Intelligence and Delivery Team in September 2023. Since September 2023, the Commission has produced intelligence products, including intelligence briefs, intelligence assessments, intelligence alerts and entity summaries.

2.19 The Commission develops intelligence products when information is received indicating regulatory risks, or on internal request from areas within the Commission. Products are disseminated to relevant areas within the Commission and uploaded to ARC. Guidance was available to Commission staff on producing the intelligence products, including templates for developing information reports, intelligence assessments, entity summaries and information assessments.

2.20 In July 2024, the NDIS Commission advised the ANAO that, due to system limitations, it does not conduct automated risk-profiling or assign risk ratings to individual providers. The Risk, Intelligence and Delivery Team produces entity summaries on request from other areas within the Commission to inform decisions across all functions of the Commission including compliance and enforcement, complaints and reportable incidents. The entity summary report template contains the caveat: ‘The analysis in this report utilises data and information available at the time of preparation. The information in this document is NOT EVIDENCE and intended as a basis for further consideration.’ In April 2025, the NDIS Commission further advised the ANAO that:

This product provides a single view of a provider and was developed to assist compliance teams who were struggling with the limitations of the Commission Operating System (COS) to get a holistic view of a provider. This product brings together data from across multiple modules of COS as well as data held in the warehouse that isn’t readily accessible to all Commission staff (due to lack of systems to extract and synthesize the data).

2.21 The Risk, Intelligence and Delivery Team priorities from October 2024 related to: improving data accuracy and quality controls; streamlining information sharing between government entities; producing information reports to feed into the intelligence cycle; and providing ‘tactical/operational support’ to specific investigations or compliance matters. In November 2024, the NDIS Commission advised the ANAO that it was developing an ‘Intelligence Hub’ to centrally house all intelligence products relating to NDIS providers and environmental risks, and to provide an avenue for assessment of systemic and emerging risk. In August 2025, the Commission advised the ANAO that the Intelligence Hub continued to be in the testing phase.

Own motion inquiries

2.22 Section 29 of the National Disability Insurance Scheme (Complaints Management and Resolution) Rules 2018 and section 27 of the National Disability Insurance Scheme (Incident Management and Reportable Incidents) Rules 2018 allow the NDIS Commissioner to authorise an own motion inquiry into a complaint or reportable incident, or a series of complaints or reportable incidents relating to supports delivered by NDIS providers.

2.23 Between 1 July 2022 and 30 April 2025, the NDIS Commission conducted three own motion inquiries. Table 2.1 outlines the purpose and dates of these inquiries.

Table 2.1: Own motion inquiries published by the NDIS Commissioner

Note a: The own motion inquiry into platform providers in the NDIS market was conducted under the Commissioner’s core functions assigned by the NDIS Act, and not under the inquiry powers established by the NDIS Rules.³¹

Note b: ‘Platform provider’ refers to a NDIS provider that uses a profile-based platform to connect participants with workers to deliver NDIS supports, for example via an app or website where participants and workers create a ‘profile’. Platform providers may be registered or unregistered NDIS providers.

Source: ANAO representation of NDIS Commission documentation.

2.24 In October 2024, the NDIS Commission advised the ANAO that ‘There is no formal standard approach for establishing Own Motion Inquiries (OMI)’ and that ‘Once an OMI is published, an Action Plan is developed to track organisational accountability and progress against any recommendations made and to support the consequent evaluation process.’ Action plans had not been developed for the two own motion inquiries into aspects of supported accommodation and platform providers. As at August 2025, the Commission was undertaking part 2 of the own motion inquiry into support coordination and plan management. Part 2 of the own motion inquiry is an action plan based on Part 1 of the own motion inquiry into support coordination and plan management.

Information assurance arrangements

Australian Data and Digital Strategy reporting

2.28 The Australian Data and Digital Strategy, published in December 2023, is ‘the first combined data and digital strategy for the Australian Government, as a blueprint for the use and management of data and digital technologies through to 2030.’³² The strategy commits Government to ‘growing data and digital maturity in [Australian Public Service] entities.’

2.29 In July 2024 the NDIS Commission completed a Data Maturity Assessment Tool developed by the Department of Finance to support delivery of the Data and Digital strategy. The assessment scores are presented at Table 2.2. The Commission noted it had low data maturity and that the DART project alongside the Commission’s business-as-usual work would address the data maturity issues. The Commission does not have a target for data maturity over time. The Commission intends to compare results from subsequent years to assess data maturity improvement.

Table 2.2: Data Maturity Assessment — Mean maturity scores

Note: The minimum maturity score in each category is zero. The maximum maturity score in each category is five.

Source: ANAO representation of NDIS Commission documentation.

Data quality activities

2.30 In July 2024 the NDIS Commission conducted an internal data quality review of compliance and investigation matters created in COS between 1 July 2023 and 30 June 2024.³³ The review was conducted to support improved data entry and address data errors. The review included analysis of: compliance and investigation matters by source and risk rating; assignment status by source and risk rating; matters allocated to states and territories; and number of each type of regulatory action taken. The review identified 118 data entry errors to be rectified.

2.31 In September 2024, the NDIS Commission advised the ANAO that it does not conduct quality reviews on other data held in COS or regularly assess the quality of the information needed to support effective regulation. The NDIS Commission Data Quality Framework was endorsed by the Executive Management Group in November 2024. In April 2025 the NDIS Commission advised the ANAO that it is currently conducting a systemic Data Quality Assessment, which includes development of quality profiles to support ongoing monitoring.

Has the NDIS Commission established and implemented arrangements to facilitate information sharing with relevant stakeholders?

Information sharing arrangements

2.32 The NDIS Commission has had a national Engagement Plan since January 2021. The plan aimed to provide transparent, timely, clear and appropriate communications and engagement with key stakeholders, including participants, peak bodies, government agencies and providers. In September 2022, the engagement plan was replaced by the Engagement Strategy 2022–23, which outlined engagement principles and approaches for various stakeholder groups. A draft 2024 Communications and Engagement Framework was prepared for ELT approval in February 2024 and was not finalised. The draft framework recommended engagement actions for the Commission to communicate effectively with different stakeholder groups and proactively manage risk in the disability sector.

2.33 The NDIS Commission Engagement Principles were agreed by the ELT in June 2024 and published on the Commission’s website in July 2024.³⁴ The Engagement Principles outline the Commission’s goals, approach and methods to support the prioritisation of engagement with at risk and hard to reach stakeholder groups. In April 2025 the Commission advised the ANAO that the engagement principles ‘guide all Commission staff in how to undertake engagement activities in their operational work’ and that they ‘guide BAU [business-as-usual] activities of the Commission, including the design and delivery of regulatory campaigns and consultation on proposed reforms.’

Arrangements with Australian Government entities

Statement of intent for information disclosure

2.34 Subsection 67A(3) of the NDIS Act provides for the disclosure of protected Commission information to the NDIA.³⁵ In July 2018, the NDIS Commission and the NDIA agreed to a Statement of Intent for Information Disclosure between the NDIA and the NDIS Commission. The statement established overarching principles to guide the sharing of information between the entities in accordance with the NDIS Act and Privacy Act.

2.35 Between July 2019 and March 2020, to support information and intelligence sharing under the Statement of Intent for Information Disclosure, the Commission and the NDIA established five joint operational protocols covering:

• market stewardship and oversight (updated December 2020);
• complex supports (updated June 2021);
• regulatory interfaces (provider registration, fraud and compliance) and addendums (updated September 2022);
• complaints handling and reportable incidents (updated June 2023); and
• data access and transfer (updated September 2023).

2.36 All protocols specify information sharing roles and responsibilities, the information to be disclosed, and relevant legislation. Two protocols define protected NDIS Commission and NDIA information. One protocol sets out a matrix for expected response times based on risk. Three protocols provide options for the entities to specify response timeframes.

2.37 The NDIS Commission and the NDIA agreed via the statement of intent to review the statement and joint operational protocols ‘within three months of implementation and every 12 months thereafter or more frequently as indicated.’ In June 2023 the NDIS Commission engaged an external consultant, on behalf of the NDIA and the Commission, to review the joint operational protocols and recommend improvements.³⁶ The review recommended that the protocols be ‘consolidated into one document that clearly articulates its purpose and scope’ and that aims to facilitate effective information sharing and decision-making to mitigate risks to NDIS participants. In response to the review and in line with the ministerial direction issued in October 2023 (discussed at paragraph 3.4), the Commission and the NDIA drafted an overarching Joint Operational Protocol dated March 2025. The Joint Operational Protocol, including seven supporting schedules, was finalised on 23 May 2025.

2.38 The 2023 review also recommended that the Statement of Intent for Information Disclosure between the NDIA and the NDIS Commission ‘be reviewed to reflect the current NDIS environment and Participant-centric objectives.’ It also noted that ‘Ideally any Statements would be signed by the current heads of each agency at any time.’ The statement of intent set out that the Commission and the NDIA would ‘achieve close cooperation by holding regular meetings to oversee the operation and refinement of the Statement of Intent and Operational Protocols’. Between July 2018 and April 2025, meetings between the Commission and the NDIA were held in August 2024, November 2024 and February 2025. As at August 2025 the statement of intent had not been reviewed. The NDIS Commission advised the ANAO in August 2025 that the Joint Operational Protocol and supporting schedules enable the exchange of information to occur between the Commission and the NDIA. The Commission further advised that elements of the 2018 Statement of Intent have been superseded by the Joint Operational Protocol and work is underway to update the Statement of Intent.

Memoranda of understanding

2.40 The NDIS Commission has memoranda of understanding to support information sharing with the Australian Competition and Consumer Commission (ACCC), dated February 2024; and the Australian Health Practitioner Regulation Agency (Ahpra), effective from 22 June 2021. In June 2024, the NDIS Commission could not confirm whether information had been shared with Ahpra under the Memorandum of Understanding (MoU). In August 2025 the NDIS Commission advised the ANAO that an MoU with the Aged Care Quality and Safety Commission was being consulted on.

2.41 The Commission is party to the Fraud Fusion Taskforce, established in the October 2022–23 Federal Budget to address fraud and serious non-compliance in the NDIS.³⁷ The Fraud Fusion Taskforce MoU, dated 5 June 2023, aims, among other things, to facilitate the exchange of data, information and intelligence between entities to achieve the taskforce’s purpose. The MoU refers to the protected information provisions of the NDIS Act and agrees that parties will comply with the NDIS Act and relevant privacy and secrecy laws. The MoU states that it commences once it is signed by a minimum four entities, including the NDIA and Services Australia. The Commission does not hold a copy of the MoU signed by other entities and therefore does not have the enabling documentation completed to support the work of the taskforce.

Other arrangements

2.42 The NDIS Commission has arrangements in place to access databases of the Australian Federal Police (the Australian Federal Police database), the Australia Taxation Office (the Australian Business Register Explorer database) and the NDIA (the NDIS Commission Search Tool database). The Commission had separate internal polices to guide this access. The Commission is developing an overarching internal policy to facilitate a consistent process for the access and receipt of protected information from all partner agencies.

Arrangements with state and territory government entities

2.43 The NDIS Commission has internal guidance, dated December 2020, on information sharing between the Commission and state and territory government entities. The guidance is intended to inform a national approach to information sharing and includes: information sharing principles; protected information provisions; NDIS Act and Privacy Act obligations; and an Information Disclosure Notice template. As at February 2025 the NDIS Commission had 79 agreements (in the form of information disclosure schedules) in place with state and territory government entities and area health services. Information disclosure schedules detail the type of information that may be requested, the legislative mechanisms that enable information disclosure, and the process of disclosure.

2.44 As at August 2025 the Commission was undertaking work to review the memoranda of understanding and information sharing arrangements with Commonwealth and state and territory stakeholders.

Record keeping for information disclosures

2.45 Section 13 of the National Disability Insurance Scheme (Protection and Disclosure of Information—Commissioner) Rules 2018 (Disclosure Rules) sets out that if ‘the Commissioner discloses NDIS information under section 67E of the Act (other than subparagraph 67E(1)(b)(ii)), the Commissioner must ensure that a record of that disclosure is made’. This record must include: a description or summary of the information disclosed; the recipient and purpose of the disclosure; details of the request for information; and a summary of the decision if there was an exception not to de-identify personal information or consult with the affected individual.³⁸

2.46 The NDIS Commission developed A Guide to Disclosure of Information, dated June 2024; and a Staff Guide to Protected Commission Information and Information Disclosure, dated November 2022. These guidance documents define protected Commission information, circumstances and methods for authorised disclosures, and consequences of unauthorised disclosures.

2.47 The NDIS Commission retained an Information Disclosure Record of its disclosures to federal, state and territory government entities under section 67E of the NDIS Act. The Commission’s ‘Guide to Disclosure of Information’ established this as the ‘Commission’s section 67E record’. For the period July 2018 to March 2025 the Information Disclosure Record recorded 224 disclosures (summarised at Table 2.3).

Table 2.3: Summary of NDIS Commission disclosures under section 67E the NDIS Act for the period July 2018 to March 2025

Source: ANAO analysis of the NDIS Commission Information Disclosure Record.

2.48 Disclosures set out in the Information Disclosure Record were inconsistent with the requirements of section 13 of the Disclosure Rules.

• Six records did not include a description or summary of the information disclosed (paragraph 13(2)(a)).
• Two records did not state the recipient of the disclosure (paragraph 13(2)(b)).
• Six records did not include the purpose of the disclosure (paragraph 13(2)(c)).
• ‘External request’ records did not consistently capture details of the disclosure request (paragraph 13(2)(d)) and the Information Disclosure Record document did not provide a field to capture this information.
• One hundred and eighty three records captured decisions not to de-identify personal information and not to consult affected individuals before disclosing NDIS information under an exception in subsections 10(3), 11(6) or 11(7) of the Disclosure Rules. Of the 183, eight of these records did not state whether an exception applied.

2.49 The Information Disclosure Record did not include a disclosure to the Aged Care Quality and Safeguards Commission in June 2024 that was specified as being made under section 67E of the NDIS Act in Commission documentation. The Commission did not have a quality assurance process for the Information Disclosure Record to ensure the accuracy and completeness of the record to meet the requirements of section 13 of the Disclosure Rules.

Stakeholder engagement with the disability sector

2.52 Between July 2022 and April 2025, the NDIS Commission engaged with the disability sector via committees, and through mechanisms to promote voluntary compliance and seek feedback.

Stakeholder engagement committees

2.53 The NDIS Commission had established stakeholder engagement committees through which it shared information and consulted with representatives from the disability sector, as set out in Table 2.4.

Table 2.4: NDIS Commission stakeholder engagement committees active between November 2019 and April 2025

Note a: The Disability Sector Consultative Committee and the Industry Consultative Committee were retired in November 2022 and replaced by the Consultative Committee in August 2023.

Note b: The Consultative Committee was active as at April 2025.

Source: ANAO representation of NDIS Commission documentation.

2.54 Between July 2022 and November 2022, the Disability Sector Consultative Committee and Industry Sector Consultative Committee met in accordance with their respective terms of reference. No meetings were held between November 2022 and August 2023, when governance arrangements for the committees changed. Between August 2023 and March 2025, the Consultative Committee met six times, largely in accordance with timeframes set out in the committee’s terms of reference.

2.55 Minutes were not recorded for the four Disability Sector Consultative Committee and Industry Sector Consultative Committee meetings held in the period reviewed by the ANAO. Minutes for the Consultative Committee meetings held since August 2023 were recorded and Communiques from these meetings were also available on the Commission’s website. The Commission advised the ANAO in April 2025 that committee outcomes and actions have informed Commission activities including: changes to the complaints function; website updates; educational videos; activities of the Fair Price Taskforce and campaign; updating participant and provider information packs; and the establishment of Reconciliation and Disability Action Plans.

Mechanisms promoting voluntary compliance and seeking feedback

2.56 The NDIS Commission undertook a range of activities promoting voluntary compliance and sharing information with the disability sector. These activities included webinars, Communities of Practice sessions, Disability Advocacy Forums, and newsletters.³⁹ The Commission also: conducted meetings and training with individual providers, health services and peak bodies; responded to email and phone enquiries; engaged in social media; and published media releases. The Commission also published information online including practice alerts⁴⁰, policy guidance, and participants fact sheets. The NDIS Commission tracked participation in these activities and social media engagement.

2.57 Between July and October 2023, the Commission sought feedback on the quality of consumer information via six disability advocacy focus groups and 19 focus groups of people living with disability. The Commission sought views about what makes a service or support safe and good quality; how useful the current information provided by the Commission was; what information participants already used; what new information was needed; and how to best increase participant awareness of their rights and make it easier to raise concerns with their provider or the Commission.

2.58 The NDIS Commission undertook stakeholder sentiment surveys in 2023 and 2024. The surveys explored the views and experiences of people with disability, representatives, advocates, providers, workers and the public interacting with the Commission. The surveys were primarily conducted to provide data for reporting against the Commission’s performance metrics, including stakeholder-related performance. Performance reporting is discussed in Chapter 4.

2.59 The 2023 stakeholder sentiment survey resulted in 1,908 surveys completed from 9,889 invitations to stakeholders who interacted with the NDIS Commission, representing a response rate of 19 per cent. The 2024 stakeholder sentiment survey resulted in 10,949 completed surveys from a broader range of NDIS Commission stakeholders than the 2023 survey, including those who interacted with the NDIS Commission and those who did not. The 2024 survey used a different methodology so results were not directly comparable with the 2023 survey.

2.60 The 2024 results indicated that awareness of the Commission varied between 64 per cent for people with disability to 97 per cent for NDIS service providers. Eighty-three per cent of survey respondents indicated that they trust the Commission between ‘a little’ and ‘completely’ to provide support if there are issues with NDIS services — 24 per cent indicated ‘a lot’ or ‘completely’ trusted the Commission; 40 per cent ‘moderately’ trusted the Commission; and 18 per cent trusted the Commission ‘a little’. Thirty-eight per cent of NDIS participants, and 39 per cent of people with disability and representatives, ‘trust’ or ‘strongly trust’ the NDIS Commission to fulfill its role and functions. Fifty-four per cent of providers and 50 per cent of workers indicated that they ‘trust’ or ‘strongly trust’ the Commission.

3.1 Paragraph 181D(4)(b) of the National Disability Insurance Scheme Act 2013 (NDIS Act) requires the NDIS Quality and Safeguards Commissioner (NDIS Commissioner, or Commissioner) to use their best endeavours to ‘conduct compliance and enforcement activities in a risk responsive and proportionate manner.’ Best practice regulators take a risk-based approach to compliance activities and are informed by data, evidence and intelligence. Regulators that assess the risk of non-compliance are better positioned to focus limited resources on areas of greatest impact.⁴¹

Has the NDIS Commission developed a compliance and enforcement strategy and program of work informed by risk?

Ministerial Statement of Expectations and Regulator Statement of Intent

3.2 Resource Management Guide 128: Regulator Performance (RMG 128) describes the purpose of Ministerial Statements of Expectation and Regulator Statements of Intent. Ministerial Statements of Expectations:

are issued by the responsible Minister to a regulator or an entity with regulatory functions, to provide greater clarity about government policies and objectives relevant to the regulator’s statutory objectives and how it conducts its operations. The regulator responds to a Ministerial Statement of Expectations with a Regulator Statement of Intent that, in turn, identifies how it will deliver on the Government’s expectations.⁴²

RMG 128 sets out an expectation that a Ministerial Statement of Expectations will be issued or refreshed every two years, or earlier if there is a change in minister or change in regulator leadership.

3.3 The Minister for the NDIS (the minister) issued a Statement of Expectations to the NDIS Commissioner on 20 December 2022. The Statement of Expectations included the expectation that the Commission ‘strengthen compliance and enforcement operation in a proportionate risk-based manner, and prevent and respond to non-compliance with responsive risk-based regulatory approaches.’⁴³ The NDIS Commissioner responded with a Statement of Intent dated March 2023.⁴⁴ The Statement of Intent did not specify how the Commission would meet this expectation.

3.4 On 13 October 2023, the minister issued a direction to the NDIS Commissioner under subsection 181K(1) of the NDIS Act.⁴⁵ The ministerial direction included, among other matters, a direction for the Commissioner to respond to a statement of expectations, if issued, within 28 days by providing a statement of intent detailing how the Commissioner intends to meet the minister’s expectations; and a direction to report to the minister every three months on the progress of the intended actions contained in any statement of intent provided to the minister. Between October 2023 and July 2024 the NDIS Commissioner reported progress against the statement of intent to the minister on four occasions at three monthly intervals (reporting required under the ministerial direction is discussed further at paragraphs 4.67 and 4.68).

3.5 A new Commissioner was appointed on 1 October 2024 and a new minister was appointed on 20 January 2025. A new statement of expectations was not prepared or issued.⁴⁶ On 13 May 2025, there was a further change in minister with two minsters for the NDIS appointed.⁴⁷ To meet government expectations set out in RMG128, a new statement of expectations is needed.

Compliance and enforcement strategy

Regulatory approach

3.9 The NDIS Quality and Safeguards Commission Regulatory Approach (Regulatory Approach), published in January 2023, defines the Commission’s regulatory intent.⁴⁸ The Regulatory Approach states that it builds on the NDIS Quality and Safeguards Commission Strategic Plan 2022–2027⁴⁹ to define the focus of the Commission’s regulatory activity and strategies used to conduct effective and efficient regulation. It also states that the Commission’s ‘regulatory considerations align with our areas of focus as detailed in the Strategic Plan.’

3.10 The Regulatory Approach sets out three regulatory approaches the NDIS Commission intends to focus on: high intensity responses, targeted campaigns, and regulatory activities (defined at paragraph 3.13). A range of reactive and proactive regulatory levers and tools are identified for the NDIS Commission to meet its regulatory intent.⁵⁰

3.11 The Regulatory Approach was updated in March 2024 to include a Human Rights Action Statement and five risk priorities (discussed from paragraph 3.35). The updated Regulatory Approach was published on the NDIS Commission website in August 2024.⁵¹

Operating Model

3.12 The Regulatory Approach committed: ‘To support our regulatory approach we will implement a new operating model, to maximise our resources in a way that is focussed on the best outcomes for people with a disability.’ The NDIS Quality and Safeguards Commission Operating Model (Operating Model), published internally in January 2023, sets out the framework, regulatory functions, and the Strategic Plan principles that guide how the NDIS Commission achieves its regulatory objectives. The Operating Model characterises the Commission’s approach to regulation, including enforcement and compliance, as risk-based and cross references RMG 128.

3.13 Consistent with the Regulatory Approach, the Operating Model sets out the three regulatory approaches the Commission intends to focus on.

• High intensity responses are action-orientated immediate responses to situations where participants are at severe risk.
• Targeted campaigns are data-driven responses to emerging risks, with work seeking to manage current and future issues and promote best practice.
• Regulatory activities are risk-based responses to situations where participants or markets are at risk, as well as the day-to-day regulatory work of the NDIS Commission.

3.14 The Operating Model sets out three ‘high level processes’ that outline steps to deliver each of the regulatory approaches. The processes outline key roles, responsibilities and that outcomes should be assessed to inform future activities. The Operating Model does not set out detailed procedures.

3.15 On 24 January 2023, the Commission’s Executive Leadership Team (ELT) noted internal advice that ‘The NDIS Commission currently makes little use of data to inform the identification of emerging risks’ and that the Commission would need to ‘significantly increase’ its data analysis capability to support the delivery of the Operating Model. The ELT also noted internal advice that the Operating Model was designed to enable implementation of the Commission’s regulatory approaches, and that it ‘explains to Providers, workers, participants and the public, how the Commission will regulate the industry in the best interests of NDIS participants.’ The ELT agreed to provide feedback on the Operating Model by 31 January 2023 and that there would be an additional discussion with a view to approve the Operating Model. Additional discussion did not take place and there is no record of the model’s approval.

3.16 The document was not made publicly available as intended. The Commission advised the ANAO in April 2025 that the Operating Model was an internal document on how it operationalises the Regulatory Approach, which may change with the development of the Enterprise Prioritisation Model (discussed from paragraph 3.38). While external publication is not a legislated requirement, RMG 128’s best practice guidance states that ‘Transparency in process supports community trust by demonstrating a regulator’s priorities and integrity. Regulators should clearly communicate regulatory processes and be transparent about the decision-making criteria.’⁵²

Compliance and Enforcement Policy

3.17 The NDIS Commission Compliance and Enforcement Policy, dated November 2022, was in effect until September 2024 when it was updated.⁵³ The NDIS Commission advised the ANAO in September 2024 that two prior versions of the Compliance and Enforcement Policy were developed in 2018 and 2019. There was no record of the 2018 policy or the final 2019 policy.

3.18 The 2022 Compliance and Enforcement Policy stated compliance and enforcement actions are determined on a case-by-case basis and take into account the seriousness of the issue, the appropriateness of the response and the likelihood of further harm.⁵⁴ The Policy stated that ‘The NDIS Commission will take a responsive and proportionate approach to regulation, applying the strongest actions to the most serious issues and breaches.’

3.19 The 2022 Compliance and Enforcement Policy set out ‘integrated strategies’ to achieve the Commission’s objectives, including to ‘analyse emerging risks to identify potential market risks to inform compliance and enforcement measures, and identify priorities for regulation.’⁵⁵ The 2022 Policy does not detail how these strategies would be implemented including roles, responsibilities or timeframes. The 2022 Policy also set out the range of administrative and court-based compliance and enforcement actions available to the Commission.⁵⁶

3.20 In 2023–24 the NDIS Commission reviewed the Compliance and Enforcement Policy as part of the Operational Policy and Practice Optimisation Project (discussed from paragraph 4.56) and published an updated Compliance and Enforcement Policy, dated September 2024. The 2024 Compliance and Enforcement Policy establishes overarching compliance and enforcement principles.⁵⁷ One principle, ‘risk-based, proportionate and intelligence led,’ states that the Commission’s compliance priorities (discussed from paragraph 3.21) inform targeted compliance and enforcement activities in response to identified risks and known harms. The 2024 Policy aligns with the Commission’s Regulatory Approach, reiterating the regulatory levers and approaches available to the Commission.

Compliance priorities

3.21 Establishing annual compliance priorities (also referred to as ‘compliance and enforcement priorities’ and ‘regulatory priorities’) is one way regulators may prioritise resources on areas of highest risk.⁵⁸ The NDIS Commission states that it ‘monitors time-critical or emerging areas of risk’ and ‘key quality and safeguarding issues’ that informs the development of compliance priority areas for the coming year.⁵⁹

3.22 The NDIS Commission established the compliance priorities set out at Table 3.1 for 2021–22, 2023–24 and 2024–25. The NDIS Commission’s compliance priorities were not informed by risk or data, and the Commission does not have a process for setting compliance priorities. The Operating Model states that ‘the work within the regulatory activities process is informed by the NDIS Commission’s Compliance Priorities and Risk Assessments.’ The Commission did not complete any risk assessments to inform the regulatory activities process work.

Table 3.1: NDIS Commission compliance priorities

Note a: Priorities that carried over from or overlapped with the previous year are highlighted.

Source: ANAO representation of the NDIS Commission’s Compliance Priorities.⁶⁰

3.23 The Commission did not establish compliance priorities for 2022–23. Internal advice to the ELT in July 2023 stated that ‘New priorities were not established in 2022–23, however, the Commission continued in 2022–23 to undertake and reporting [sic] on regulatory activities aligned with 2021–22 priorities.’ The Commission reported internally on the 2021–22 compliance priorities on one occasion, in July 2023. Internal reporting on compliance priorities for 2023–24 did not take place. Compliance priorities were reported in the NDIS Commission’s Annual Report for 2021–22 but not for 2022–23 or 2023–24.

3.24 The 2021–22 priorities were approved by the acting Commissioner on 17 August 2021 and the 2023–24 priorities were approved by the ELT on 17 October 2023. Noting the ‘time-critical’ nature of the priorities and their role in addressing ‘key quality and safeguarding issues’ (see paragraph 3.21), delays in finalising annual compliance priorities creates risk that resources are not directed towards areas of highest risk. The 2024–25 compliance priorities were approved by the Deputy Commissioner, Regulatory Operations Division on 21 August 2024. The 2025–26 compliance priorities were approved by the Executive Management Group on 27 May 2025. The Commission advised the ANAO in August 2025 that the 2025–26 compliance priorities were published on 1 July 2025.

3.25 The NDIS Commission did not develop action plans responding to the 2021–22 compliance priorities in 2021–22 or 2022–23. The Commission developed an ‘action plan’ responding to one of the eight 2023–24 compliance priorities: COVID-19 and other emergency management and response. The Commission had action plans in place to respond to the 2024–25 compliance priorities.

3.26 The NDIS Commission advised the ANAO in January 2025 that, prior to the Regulatory Approach and the Operating Model, ‘compliance priorities (compliance and enforcement priorities) were the overarching guidance document for the Commission from 2019’. The compliance priorities, apart from those in 2023–24, were one to two page documents identifying high level focus areas, lacking strategic guidance on the Commission’s approach to compliance and enforcement or consideration of risk.

Does the NDIS Commission have an appropriate framework for assessing, prioritising, and managing risks of non-compliance?

3.29 A best practice principle included in RMG 128 sets out that actions undertaken by regulators are proportionate to the risk of regulatory non-compliance being managed.⁶¹ Clear and consistent processes for understanding which regulated entities, activities and individuals pose the highest risk of non-compliance with regulatory requirements will position regulators to design and implement risk-based compliance programs.⁶² Regulators that assess the risk of non-compliance are better positioned to target regulatory activities towards areas of greatest impact.

3.30 Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires accountable authorities of Commonwealth entities to establish and maintain an appropriate system of risk oversight and management for the entity. The Commonwealth Risk Management Policy supports section 16 of the PGPA Act and complements RMG 128. The Commonwealth Risk Management Policy states that entities must embed risk management into decision-making, formalise their approach to risk management, and support a culture where risk is managed across all levels of the entity and individuals are encouraged to adopt positive risk behaviours.

Enterprise risk

Enterprise Risk Management Framework and Policy

3.31 The NDIS Commission has an Enterprise Risk Management Framework and Policy (Risk Management Framework), which describes the policy and organisational arrangements for the management of risk throughout the Commission to help meet its legislative and other Commonwealth requirements.⁶³ The Risk Management Framework was developed by the Commission in 2018. It was reviewed and updated in June 2021 and again in January 2024. The Risk Management Framework was supported by the Enterprise Risk Management Guide, which detailed the practical application of enterprise risk management. The guide was developed in 2018 and updated in June 2021 alongside the Framework. In April 2025 the Commission advised the ANAO that a review of the guide commenced in 2024 and had not been completed ‘as financial pressures have necessitated the re-prioritisation of resources.’

3.32 The 2024 Risk Management Framework sets out risk management guiding principles and associated behaviours. These are intended to inform the development of plans to manage risk within NDIS Commission operations. Internal Commission documentation identified that the Framework ‘principally focusses on corporate risk such as loss of skilled personnel or capacity, financial or reputational impacts on the Commission or disruption to its services or systems.’ The Risk Management Framework does not link to the Regulatory Approach.

Corporate Plan reporting

3.33 The NDIS Commission published enterprise risks in its Corporate Plans for 2022–23, 2023–24 and 2024–25, along with high-level management arrangements addressing those risks. The Corporate Plans for 2023–24 and 2024–25 state that the NDIS Commission actively monitors and manages enterprise risk according to the Risk Management Framework.

3.34 Two enterprise risks reported in the Corporate Plans for 2023–24 and 2024–25 are ‘Participants’ rights’ and ‘Regulatory Approach.’ These include elements of regulatory risk, specifically provider non-compliance and participant harm. In the absence of a framework to assess, prioritise and manage the risks of provider non-compliance, it is difficult for the Commission to demonstrate regulatory activities are being targeted towards areas of greatest impact. In April 2025 the Commission advised the ANAO that it is ‘developing an Enterprise Prioritisation Model to take an enterprise-wide approach to risk and prioritisation’ (discussed from paragraph 3.38).

Regulatory risk

3.35 Commencing in mid-2023, the NDIS Commission undertook a ‘Regulatory Risk Review’ project, which consisted of an environmental scanning exercise to develop high level risk priorities to guide the assessment of regulatory risks. In October 2023, internal advice to the ELT proposing draft ‘priority risks’ noted that the Commission did not have an overarching strategic approach to regulatory risk. The advice also stated that a risk-based approach required the Commission to define key risks, prioritise regulatory activity and deploy resources based on the identified risks.

3.36 In December 2023, the ELT endorsed the priority risks and noted internal advice that ‘[t]he risk is that the NDIS Commission continues to have no overarching guidance for risk to promote a consistent national approach across functions.’ In March 2024, the ELT agreed that the priority risks be incorporated into the Regulatory Approach. The updated Regulatory Approach was published in August 2024 stating, ‘[t]he NDIS Commission has identified five priorities that pose an unacceptable risk of harm for participants if not addressed through policies, procedures and actions.’ The priority risks, published as ‘risk priorities’ are listed in Table 3.2.

Table 3.2: NDIS Commission risk priorities

Source: ANAO representation of the NDIS Commission’s risk priorities.⁶⁴

3.37 There was no project documentation for the Regulatory Risk Review project, including risk assessments underpinning the risks. The published ‘risk priorities’ did not include guidance on risk tolerances, treatments or controls to support the Commission to respond in a proportionate and efficient way to the harms being managed.

Enterprise Prioritisation Model

3.38 The NDIS Commission engaged consultants to develop an Enterprise Prioritisation Model (EPM).⁶⁵ The EPM aims to set out a uniform approach to classifying the risk and priority of operational work coming into the Commission, to provide greater clarity for staff on how to assess risk, assign priority, triage and allocate work (referral of matters is discussed at paragraph 4.43). There was one consultant report on the EPM project, dated August 2024. There was no project plan for implementation of the EPM project; however, the Commission developed a project scoping paper, risk schedule and risk management plan for implementation of the EPM.

3.39 In April 2025 the NDIS Commission advised the ANAO that the EPM ‘will include assessing, prioritising and monitoring regulatory risks’ and that:

the model also focuses on the way we handle matters between operational teams and encompasses streamlined processes and workflows to prevent duplicated efforts, ensuring we get to the right work at the right time and regulate the safety and quality of NDIS supports and service for people with disability in a responsive fashion.

3.40 A draft EPM was circulated internally within the Commission in October 2024. The draft EPM consisted of a process whereby regulatory matters would be recorded, assessed and allocated for actioning according to prioritisation criteria for how ‘serious’, ‘systemic’ or ‘strategic’ a matter is. It did not include procedures, timeframes, or roles and responsibilities for intake and assessment processes. In August 2025, the NDIS Commission advised the ANAO that the ‘Enterprise Prioritisation Model’ was renamed to the ‘Risk-Based Regulation Prioritisation Model’ in July 2025. The NDIS Commission is implementing a phased approach to the roll out of the prioritisation model, with full implementation expected in October 2025.

4.1 Regulators have a responsibility to give confidence to Parliament, the government and the community that regulated entities are complying with their statutory obligations and that appropriate enforcement action is taken when a regulated entity fails to meet its obligations.

4.2 The functions of the NDIS Commissioner in relation to monitoring, compliance and enforcement are set out in section 181E of the NDIS Act. Monitoring, investigation and enforcement powers are set out in Division 8 of Part 3A of Chapter 4 of the NDIS Act.

Has the NDIS Commission established arrangements to monitor compliance, the market and unplanned service withdrawals?

Monitoring provider compliance

4.3 The NDIS Commission’s 2024 Compliance and Enforcement Policy defines monitoring as:

Regulatory activity involving collecting, analysing and evaluating information to monitor providers or workers to determine compliance with the requirements and obligations of the NDIS Act, including the NDIS Code of Conduct and the Rules.⁶⁶

4.4 The policy also states that routine monitoring may include ‘reviewing intelligence and data, reportable incidents and complaints made to the NDIS Commission’ and that the Commission ‘may conduct site visits and compliance audits to ensure providers are adhering to the conditions of their registration and to identify any non-compliance.’⁶⁷

Monitoring provider compliance with conditions of registration

4.5 The NDIS Act requires the NDIS Commissioner to monitor registered NDIS provider compliance with conditions of registration including worker screening in accordance with the NDIS Practice Standards (subsection 181F(c)) and behaviour support plans (subparagraph 181H(d)(i)). After the commencement of worker screening within the NDIS on 1 February 2021, state and territory government NDIS worker screening units had granted more than 112,000 worker clearances by 30 June 2021. The cumulative number of individuals holding a clearance as at 30 June 2025 was 1,354,714.

4.6 The NDIS Commission developed guidelines in August 2021 for monitoring provider compliance with provisional and mid-term audit requirements under the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018.⁶⁸ The guidelines include how the monitoring will be undertaken, data and sources of data to be used, and monitoring timeframes.

4.7 People who are in ‘risk-assessed roles’ need to undergo worker screening. Risk assessed roles include work that is likely to have more than incidental contact with people with disability, or where NDIS workers are undertaking specific roles or providing specific supports.⁶⁹ Worker screening is undertaken by state and territory government worker screening units to assess whether a person who works, or seeks to work, with people with disability poses a risk to them.⁷⁰ Screening takes place during application for worker screening clearances or when new information emerges that may indicate if a worker is not safe to provide services to people with disabilities.

4.8 The NDIS Commission advised the ANAO in July 2024 that changes made to the status of a person from ‘cleared’ to ‘suspended’ or ‘excluded’ by a state or territory worker screening unit are reflected in the National Worker Screening Database, visible in the Commission Operating System (COS) if a search of the worker is conducted. The Commission further advised that it generates a list of excluded workers that can be used to review key persons for registered providers (for new applications and existing registrations) and their suitability to hold registration. The NDIS Commission is undertaking a project to review worker exclusions issued by state and territory worker screening units, to assess if further regulatory action is needed to stop excluded workers from engaging in the market in other roles and making recommendations to the Commissioner’s delegate on compliance action needed (delegations are discussed at paragraph 4.53).

4.9 The National Disability Insurance Scheme (Restrictive Practices and Behaviour Support) Rules 2018 sets out conditions for registration for providers if regulated restrictive practices are used in the provision of NDIS funded supports.⁷¹ The NDIS Commission Behaviour Support Compliance Strategy 2022–24, dated December 2022, guides the Commission’s monitoring of and regulatory action against behaviour support providers. The strategy sets out compliance monitoring activities relating to identifying trends; using existing data systems to tailor monitoring activities; and using a risk-based approach to monitor behaviour support plans and restrictive practices. It also establishes the preventative goal of using local intelligence and data to monitor providers and act in cases of non-compliance. The strategy noted the limited capacity of COS ‘for recording any activity from a Behaviour Support function perspective’ and that ‘[t]he NDIS Commission’s Data and Digital Strategy should improve recording and access to data for analyses’.

4.10 Under the Behaviour Support Compliance Strategy 2022–24, the Commission conducted three reviews to evaluate the quality of Behaviour Support Plans in 2022, 2023 and 2024. The median scores (with a highest possible score of 24) were 12 in 2021–22, 15 in 2022–23 and 14 in 2023–24. The Commission undertook a project to review behaviour support plan quality and compliance in June 2024. The June 2024 project report noted that the project was the first time that a compliance component had been part of behaviour support plan quality and compliance reviews. As at 30 June 2024, the project had resulted in 42 compliance matters being assessed, actioned and closed, with the Commission using non-statutory tools including education, corrective action requests and warning letters (compliance and enforcement tools are discussed from paragraph 4.47). The project report set out recommendations relating to improvements when undertaking future campaigns, improvements to the referrals process, and the value of engaging with providers.

4.11 The Commission also undertook a two-stage ‘Compliance Sprint’ in October and November 2023 targeting specific contraventions of the NDIS Act and NDIS Rules; and high-risk practices, including restricted practices.⁷² The first stage resulted in 17 providers being issued with 62 infringement notices totalling $1.1 million and four compliance notices. Projected outcomes for the second stage were 25 infringement or compliance notices and one banning order.

Regulatory compliance campaigns

4.12 The NDIS Commission Operating Model, dated January 2023, sets out the ‘high level process’ for targeted campaigns. The NDIS Commission implemented the Regulatory Compliance Campaigns Framework in July 2024. The framework stated that compliance campaigns are aligned to the Commission’s strategic and compliance priorities, that they use data and intelligence, to ‘address the highest priority risks to participant safety and service quality’, which are typically ‘systemic non-compliance’. In October 2024, the Commission advised the ANAO that prior to the framework, campaigns were planned using four documents titled ‘site information’, ‘remote travel and risk assessment’, ‘campaign brief’ and ‘campaign planning’. One out of the 11 campaigns reviewed by the ANAO had all four documents completed.

4.13 The NDIS Commission’s 2022–23 Annual Report outlined information on five place-based and four thematic campaigns that took place in 2022–23.⁷³ Complete records were not kept for the nine campaigns. Learnings from the campaigns have not been incorporated into future campaigns and compliance activities. The NDIS Commission’s 2023–24 Annual Report stated that remote place-based campaigns were conducted in the Top End and the Anangu Pitjantjatjara Yankunytjatjara Lands in 2023–24. Commission documents show these campaigns took place in July and August 2024.

4.14 During 2022–23 and 2023–24 there was no evidence of risk informing the selection of campaign locations or topics. Approved final reports for campaigns in 2023–24 included two approaches to selecting providers for site visits. Two campaign reports considered provider characteristics⁷⁴ and the other campaign report focused on the top 10 providers receiving the most NDIS funding. Final reports set out the alignment of each campaign to the Commission’s 2023–24 compliance priorities (compliance priorities are discussed from paragraph 3.21). Complaints data was included in campaign planning documents for two of the 2023–24 place-based campaigns.

4.15 The NDIS Commission monitors providers for compliance with conditions of registration, reviews behaviour support plans, and undertakes regulatory compliance campaigns. The NDIS Commission does not have an overarching framework, policy or strategy that sets out the compliance monitoring activities to be undertaken by the Commission, or how the Commission monitors compliance in line with risk. In the absence of a risk framework to guide regulatory activities (see paragraphs 3.29 to 3.34) it is unclear how the Commission monitors compliance in a risk responsive and proportionate manner.

Market monitoring and unplanned service withdrawals

4.18 Subsection 181E(i) of the NDIS Act states that a core function of the NDIS Commissioner is to ‘provide NDIS market oversight’ by ‘monitoring changes in the NDIS market which may indicate emerging risk’ and ‘by monitoring and mitigating the risks of unplanned service withdrawal’.

4.19 The NDIS Commission and the National Disability Insurance Agency (NDIA) established a ‘Market Stewardship & Oversight’ operational protocol, which was updated in December 2020. The protocol states:

Due to the recent commencement of the NDIS Commission operations across all states and territories, the role of the NDIS Commissioner in providing NDIS market oversight is currently being developed in accordance with section 181E. This protocol will be revised when this work is complete.

4.20 The protocol sets out, among other roles, the following roles and responsibilities for the Commission relating to market monitoring and unplanned service withdrawals.

• Identify and monitor changes in the NDIS market that may indicate emerging risk.
• Monitor and mitigate risks of unplanned service withdrawal arising from quality and safeguards issues and refer to the NDIA for action to ensure continuity of support for participants.
• Share information to assist States and Territories manage and mitigate risks of unplanned service withdrawal.

4.21 The Commission advised the ANAO in April 2025 that:

While there is no whole of Commission approach to monitoring prospective service withdrawals, in accordance with sections 13 & 13A of the NDIS (Provider Registration and Practice Standards) Rules 2018, registered NDIS Providers are obliged to notify the Commissioner of a planned service withdrawal or any significant change to service delivery.

4.22 The Joint Operational Protocol between the NDIA and the NDIS Commission, approved in May 2025 (discussed at paragraphs 2.37 to 2.38) includes the Regulatory Interfaces: Provider Registrations and Exits Schedule. The schedule sets out the roles and responsibilities, including joint responsibilities, for responding to planned and unplanned exits of NDIS providers from the NDIS market. The schedule sets out a ‘provider exit roadmap’ that includes actions that each entity will take in response to provider exits, to mitigate risks relating to the continuity of supports to NDIS participants arising from planned and unplanned provider exits.

4.23 The NDIS Commission advised the ANAO in June 2024 that it has undertaken market monitoring through developing Market Insights Dashboards and related reporting; complaints analysis; and own motion inquiries. Own motion inquiries are discussed in Chapter 2, from paragraph 2.22.

Quarterly Market Insights Dashboard

4.24 In June 2024 the acting NDIS Commissioner was provided with advice that the Commission ‘undertakes regular data collection and interrogation activities to identify trends and inform the Commission’s understanding of the market’ and noted the first Market Insights Dashboard for the third quarter of 2023–24. The Commission subsequently produced dashboards covering the first, second and fourth quarters of 2023–24.

4.25 These quarterly dashboards reported on the topics of provider information, market trends, supported independent living, support coordination, plan management, behaviour support and participants in remote and very remote areas. Data was included on the top 10 registered and unregistered providers (represented by payments claimed and participants supported), registered providers entering the market and deregistration.⁷⁵ From the second quarter of 2024–25, new categories of reporting included ‘early childhood intervention’, therapeutic supports, personal activities, community participation, group and centre based activities and household tasks. Dashboard reporting relied on NDIA data on payment claims for services delivered by providers to plan-managed and NDIA-managed participants, as well as data on provider status, number of participants and market segmentation.

4.26 The Commission used the dashboard reporting to provide executive oversight to the Regulatory Coordination Committee and the Commissioner of some elements of the NDIS market including market trends, themes and areas of emerging risk on a quarterly and annual basis.

Market reporting and complaints data

4.27 In May 2024 the NDIS Commission completed a high-level analysis of complaints data to ‘support the Commission’s understanding of the market landscape’, with the aim of identifying ‘patterns and vulnerabilities that highlight risks to inform the prioritisation of strategic decisions about future market stewardship activities and direction’. The Commission reviewed 1,500 complaints made between October 2023 and December 2023 to identify themes, support or services type, and registration status that related to the complaint.⁷⁶ The Commission reported difficulties in undertaking the review due to issues ‘such as system limitations, data quality issues and inconsistencies in data capture.’ The Commission identified areas of higher risk for participants and risks and drivers to inform further regulatory policy and frameworks.

4.28 There has not been another complaints data report, and there is no plan for regular review of complaints data or reporting on outcomes. The Commission advised the ANAO in April 2025 that these reports are a point in time analysis of data sources, which require significant manual review and analysis. The Commission further advised that current resourcing and workloads mean this work is not done on an ongoing basis but learnings have been used to inform new system design.

Monitoring and mitigating the risks of unplanned service withdrawal

4.29 The NDIS Commission has not documented its approach to maintaining effective oversight of the market and monitoring and mitigating the risks of unplanned service withdrawals. Although the Commission has undertaken market monitoring activities, it is not clear how these activities have been used to inform a risk-based and proportionate approach to regulating the NDIS market. It is not clear in the absence of a documented approach how the Commission has undertaken the core function of the Commissioner to monitor and mitigate the risks of unplanned service withdrawal.

4.30 The Commission advised the ANAO in August 2025:

It should be noted that currently there is no requirement for all providers to be registered. This makes monitoring and mitigating the risk of unplanned service withdrawal difficult as the Commission does not have oversight of all the NDIS providers delivering services in the market.

Has the NDIS Commission effectively detected and addressed non-compliance, including through enforcement action?

Detecting non-compliance

4.35 Complaints and reportable incidents received are a key mechanism used by the NDIS Commission for detecting non-compliance. The Commission may also detect provider non-compliance through information sharing and analysis (discussed from paragraph 2.16) and compliance monitoring activities (discussed from paragraph 4.3).

Complaints

4.36 Part 3 of the National Disability Insurance Scheme (Complaints Management and Resolution) Rules 2018 enable a person to make complaints to the NDIS Commissioner about issues connected with supports or services delivered by providers.⁷⁷ It establishes a framework for the management of complaints by the Commission. Figure 4.1 shows the number of complaints received and closed in 2022–23 and 2023–24.

Figure 4.1: Complaints received and closed by the NDIS Commission in 2022–23 and 2023–24

Source: ANAO representation of NDIS Commission data.

4.37 The Commission developed a Complaints Manual in 2021. A decision was made to cease using the Complaints Manual in 2023 and the manual was not replaced. As part of the Enterprise Prioritisation Model project (discussed from paragraph 3.38), in August 2024 GSA Management Consulting reported to the Commission that off-system records were kept during intake and assessment of complaints matters due COS useability issues (discussed from paragraph 2.11). The report noted that Commission teams had ‘adapted processes locally, and the COS application has not updated, reducing confidence in the data quality for reporting purposes.’

Reportable incidents

4.38 Sections 20 to 21 of the National Disability Insurance Scheme (Incident Management and Reportable Incidents) Rules 2018 require registered providers to notify the NDIS Commission of alleged or actual reportable incidents within 24 hours or five days, depending on the incident.⁷⁸ Reportable incident notification numbers are included in the NDIS Commission’s quarterly performance reports.⁷⁹ In Quarter 3 of 2024–25, the NDIS Commission received 15,723 reportable incidents, including 6,907 related to unauthorised restrictive practices. Since the fourth quarter of 2022–23, reports have included comparative figures for previous reporting quarters. Of the five reporting quarters where comparative figures were available, all figures changed in the next quarterly report.⁸⁰ Inconsistencies in data reported are discussed further from paragraph 4.94.

Quality assurance for complaints and reportable incidents

4.39 In April 2023, the Commission developed ‘self-reflective questions’ for complaints officers to prompt consideration of good complaint management. There is no quality assurance process to review the effectiveness of the handling of complaints or reportable incidents.

4.40 The NDIS Commission advised the ANAO in April 2025 that the Commission is currently working towards establishing a formal Quality Assurance Management Framework, which will support the implementation of the Enterprise Prioritisation Model (discussed from paragraph 3.38). The Commission further advised that informal quality assurance activities include managerial review of work and that there is a formal reconsideration process whereby complainants who are unsatisfied with the determination may seek a review.

4.41 The absence of quality assurance processes reduces confidence over outcomes and data and makes it difficult for the Commission to assess the effectiveness of complaints and reportable incidents in detecting non-compliance and leading to effective compliance outcomes. For complaints and reportable incidents data to contribute to a risk responsive and proportionate monitoring approach, the Commission needs systems, policies and processes that support accurate data.

Addressing non-compliance

4.42 When non-compliance has been detected, the suspected non-compliance is referred within the Commission as a compliance matter and allocated to a team to investigate, which may lead to enforcement action, as discussed below.

Referral of matters for potential compliance action

4.43 Matters relating to Behaviour Support Plans and Restrictive Practices are referred to the Practice Quality Division and all other matters are referred to the Regulatory Operations Division. In July 2024 the NDIS Commission advised the ANAO that an Operational Assessment team was established in January 2024 to deliver a review and assurance function over high-risk matters and process guidance material was in development. As of August 2025, the NDIS Commission was developing a new approach to triaging and referring compliance and investigation matters through the Risk-Based Regulation Prioritisation Model, formerly the Enterprise Prioritisation Model (discussed at paragraphs 3.38 to 3.40).

Investigating non-compliance

4.44 The NDIS Commission conducts investigations into suspected non-compliance, including when matters reported through complaints and reportable incidents mechanisms have not been resolved. As a non-corporate Commonwealth entity, the NDIS Commission is required to follow the Australian Government Investigations Standards (AGIS) — the minimum standards for government entities conducting investigations relating to the programs and legislation they administer.

4.45 In April 2024, the Commission commenced work to map existing policies, procedures and projects against AGIS requirements to identify gaps and where the Commission was not meeting the AGIS. The mapping showed the Commission was partially compliant with AGIS requirements relating to personnel, information and evidence management, and investigative practices; and non-compliant with the quality assurance requirement of the AGIS to ‘have an investigations Quality Assurance Policy in place’.⁸¹ The Commission commenced a project in August 2024 to determine how to address the gaps identified by the mapping exercise to achieve compliance with the AGIS. The development of a quality assurance framework for investigations was not in scope for this project.

4.46 In September 2024, the Commission advised the ANAO that ‘It is necessary to have established compliance and investigation processes in place prior to developing and implementing a quality assurance framework’ and that it planned to do so after completion of those works. In April 2025, the Commission further advised the ANAO that the AGIS project will be rescoped with other projects underway relating to evidence management and compliance. No date has been set for this work to be completed. There was no timeline for the implementation of a quality assurance framework.

Compliance and enforcement actions

4.47 The NDIS Commissioner has broad powers under the NDIS Act and the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) to ensure provider compliance. The NDIS Commission’s 2024 Compliance and Enforcement Policy describes its compliance and enforcement tools as statutory and non-statutory. The policy states that the statutory tools set out in the NDIS Act and Regulatory Powers Act are ‘our most serious tools to enforce the law’. The compliance and enforcement tools used by the Commission are outlined in Appendix 3. The Commission’s Compliance and Enforcement Policy sets out the considerations undertaken in deciding how to use compliance tools, including the seriousness of the non-compliance; the seriousness and likelihood of past and future harm to any participant; deterrence value; and the actions of the provider in response to the non-compliance.⁸²

4.48 Table 4.1 sets out compliance actions reported by the NDIS Commission in its Quarterly Performance Reports.⁸³ Further detail on compliance actions is set out in Appendix 3. The ANAO found inconsistencies with data in the NDIS Commission’s external reporting, which is discussed from paragraph 4.94. The Commission’s Compliance and Enforcement Policy classified ‘corrective action requests’ and ‘warning letters’ as non-statutory tools. Education is also classified as non-statutory by the ANAO for the purposes of Table 4.1 and Table 4.2. The proportion of statutory and non-statutory compliance tools used in 2022–23 and 2023–24 is set out in Table 4.2.

Table 4.1: Compliance and enforcement actions in 2022–23, 2023–24 and 2024–25 (to 31 March 2025)

Note a: ‘Other’ includes banning order variation and revocation, compliance notice variation, conditions on registration, infringement notice withdrawal, other registration activities and withdrawal of suspension.

Note b: ‘Education’ includes engagement the NDIS Commission has with a provider through site visits to raise awareness about their obligations, including under the NDIS Code of Conduct and the NDIS Practice Standards; and correspondence that is sent to providers reminding them of and reinforcing their obligations.

The NDIS Commission advised the ANAO in August 2025 that there was an increase in 2023–24 education outcomes due to a targeted campaign to educate providers, including sending 19,590 written warnings and education letters to providers.

Source: ANAO analysis of NDIS Commission Quarterly Performance reports.

4.49 The NDIS Commission reported a 3.73 times increase in the use of compliance and enforcement tools between 2022–23 and 2023–24. In 2022–23, 2023–24 and 2024–25 to March 2025, education was reported as the most used compliance tool and refusal of registration was reported as the next most used tool. The Commission advised the ANAO in January 2025 that an injunction had not been used as a compliance tool. The use of statutory compliance tools as a proportion of total compliance tools has increased each year from 28 per cent in 2022–23 to 41 per cent in 2024–25 (to 31 March 2025) as shown in Table 4.2.

Table 4.2: Proportion of statutory and non-statutory compliance tools used by the NDIS Commission in 2022–23, 2023–24 and 2024–25 (to 31 March 2025)

Note: Data included in this table is the sum of the original figures reported by the Commission for registered providers, unregistered providers and individuals.

Source: ANAO analysis of NDIS Commission Quarterly Performance reports.

4.50 Regulators should implement an appropriate quality assurance framework over their activities to provide assurance that their regulation is consistent, legally valid and contributes to the desired regulatory outcomes. In the absence of quality assurance processes for addressing complaints, reportable incidents, compliance matters and investigations, the NDIS Commission is not able to assess the effectiveness of responses to identified non-compliance.

Delegations for compliance and enforcement actions

4.53 An appropriate system of internal control includes documented delegations identifying individuals or classes of officials to whom functions, duties or powers are delegated.⁸⁴ Sections 202A and 202B of the NDIS Act permit the NDIS Commissioner to delegate their powers and functions under the NDIS Act. Under section 202B of the NDIS Act, the Commissioner may delegate any of the powers and functions relating to compliance and enforcement (under Division 8 of Part 3A of Chapter 4 of the NDIS Act) to Commission Senior Executive Service (SES) employees. Powers and functions relating to infringement and compliance notices may be delegated to Executive Level Australian Public Service (APS) employees. Between 1 July 2022 to 15 July 2024 delegations relating to the use of statutory compliance and enforcement tools by Commission staff were in place and in compliance with the NDIS Act.

4.54 The delegations relating to regulatory powers and functions were updated in September 2024 and April 2025. In the July 2024 instrument of delegation, all regulatory powers and functions were able to be delegated to SES Band 1 and 2 positions. The September 2024 instrument of delegation, effective from 1 October 2024, included the additional role of SES Band 3 officers that regulatory powers and functions could be delegated to under section 202B of the NDIS Act (to account for the Associate Commissioner role, which commenced in October 2024). In the April 2025 delegations, Executive Level staff positions were included in addition to the SES positions for delegating functions relating to compliance and infringement notices, in line with the NDIS Act. For these functions, the Commissioner also set out mandatory training requirements in the delegation instrument to be completed by staff in all the positions prior to exercising the related powers.

Policies and procedures supporting compliance and enforcement action

4.55 Framework documents such as policies, plans, internal procedures, and external guidance help ensure compliance activities achieve intended outcomes. Of the 14 compliance actions (or compliance tools) available to the Commission, policies had been developed for all 14 compliance actions and procedures supported nine compliance actions.⁸⁵

4.56 The NDIS Commission advised the ANAO in August 2024 that, during 2022–23, it had undertaken a project to develop standard operating procedures for all regulatory tools available to the Commission. The project had not been finalised and was subsumed into the Operational Policy and Practice Optimisation (OPPO) project, scheduled to take place between September 2023 and June 2024. The goal of the OPPO project was to ‘ensure the Commission has an operational policy framework that meets our needs now and in the future with a review and update of policies and procedures that are efficient and effective and aligned with the new Framework’.

4.57 The NDIS Commission identified two key issues to be addressed by the OPPO project:

• there was no ‘framework to support efficient and effective policies and procedures being developed and maintained’; and
• the ‘current suite of policies and procedures do not support the Commission’s national operating model and are not fit for purpose’.

4.58 The Commission also identified three benefits of the project: improved clarity for staff on ‘how to do their job effectively’; policies and procedures are accessible to staff; and the ‘Commission’s regulatory performance is collaborative, transparent and defensible.’⁸⁶ The Compliance and Enforcement Policy was reviewed as part of this work. The OPPO Project concluded on 23 June 2024. In September 2024, the Strategic Investment Committee approved the Operational Policy Framework that ‘sets out the principles, hierarchy, categories, lifecycle, governance, and storage activities’ for all Commission policies.⁸⁷

4.59 The Commission advised the ANAO in April 2025 that the realignment work to streamline, simplify and develop new internal policies, procedures and supporting resources was still progressing, with the majority of work planned to be completed by June 2025. In August 2025, the Commission further advised the ANAO that:

The OPPO Project was delivered in November 2024 by way of final report. Work continues on progressing new policies as the need is identified and existing policies are being enhanced. A dedicated team within the NDIS Commission is responsible for the ongoing management of operational policies. Part of their role is to ensure alignment with the Risk-Based Regulation Prioritisation Model and the NDIS Commission’s Regulatory Learning and Development Program to support regulatory capability uplift across all operational functions engaging in regulatory activities.

The Risk-Based Regulation Prioritisation Model, previously named the Enterprise Prioritisation Model is discussed from paragraph 3.38.

4.60 The NDIS Commission advised the ANAO in April 2025 that the policies for the 14 compliance actions referred to in paragraph 4.55 were rescinded when the new Compliance and Enforcement Policy was approved and published in September 2024. The Commission further advised that the policies are no longer for external use and are being used internally as guidelines until realignment work is completed.

4.61 The NDIS Commission does not have guidance on what compliance tool is the most suitable to use in specific circumstances. The Commission advised the ANAO in July 2024:

Developing guidance for staff on how to determine the appropriate regulatory action to take was not within the scope of the Investigations Improvement Project. It was recognised that a separate and significant piece of work on how to determine which regulatory action/s are appropriate and proportionate is needed.⁸⁸

4.62 During 2022–23 to 2023–24, the Commission undertook two projects aimed at developing policies and procedures for all compliance actions available to the Commission. As at May 2025, the Commission did not have fit-for-purpose policies and procedures in place for compliance actions, increasing the risk of inconsistent regulatory outcomes.

Has the NDIS Commission established performance monitoring, measurement and reporting arrangements to assess effectiveness of its regulatory activities?

4.65 Section 39 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 16F of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) require accountable authorities to prepare annual performance statements, which are included in the entity’s annual report that is tabled in the Parliament. These statements measure and assess the entity’s performance in achieving its purpose against the performance measures and targets set out in its corporate plan. High quality performance statements enable entities to show the Parliament and the public whether policies and programs are delivering the results intended with the resources provided and provide a valuable evidence base for entities to justify new policy proposals and evaluate existing policy and program settings.⁸⁹

4.66 Since 1 July 2023, government expectations for regulator performance reporting are that corporate plans should include regulatory performance information; and annual reports should report on performance outcomes with reference to the three regulator best practice principles: continuous improvement and building trust; risk-based and data driven; and collaboration and engagement.⁹⁰

Monitoring NDIS Commission performance

Ministerial reporting and oversight

4.67 On 13 October 2023, the Minister for the NDIS (the minister) issued a direction to the NDIS Commissioner under section 181K of the NDIS Act to develop and publish compliance and enforcement policies and procedures concerning the use of restrictive practices by NDIS providers. It also directed the Commission to report to the minister every three months on: the implementation of and compliance with the policies; compliance actions taken; and the progress of the Commissioner’s intended actions contained in the Statement of Intent (the Statement of Intent is discussed at paragraphs 3.2 to 3.4).⁹¹

4.68 Between October 2023 and July 2024, the NDIS Commissioner reported to the minister on four occasions at three monthly intervals. The reports addressed requirements specified in the direction, except for the average time between notification of a reportable incident and resulting compliance or enforcement action. The Commission advised the minister this was due to ‘system limitations’ (IT system issues are discussed at paragraphs 2.11 to 2.15). Reporting included the number of complaints received, finalised and referred for compliance action; compliance and investigation matters commenced; safeguarding matters resolved within 48 hours; active compliance and investigation matters; reportable incident notifications received; and reportable incidents referred to regulatory operations compliance. Data on compliance outcomes does not reconcile with data reported in the NDIS Commission’s quarterly reporting in the same period (discussed from paragraph 4.94) or with data reported to the minister in the subsequent reporting period.

Executive reporting and oversight

4.69 Arrangements were in place, but were not fully executed, for Executive Leadership Team (ELT) oversight of NDIS Commission performance. Between 1 July 2022 to 30 June 2024, the ELT received internal Commission reporting. This included reports on strategic initiatives, strategies and plans relating to Commission functions, risk management, a draft corporate plan, budget, business processes, governance, key regulatory functions and performance.

4.70 The ELT charter set out its performance reporting and oversight responsibilities including monitoring and governing the Commission’s overall performance, financial position and key regulatory functions. It also included reporting on performance accurately and transparently; and recommending the Commission’s Corporate Plan (which set out the Commission’s performance measures), Annual Report (which include Annual Performance Statements), and financial statements to the Commissioner for approval. The charter was not updated following its initial approval in 2018.

4.71 The NDIS Commission Planning and Performance Framework, approved by the ELT in March 2024, assigned ELT members responsibility as the data and performance measure owners and for providing assurance for the Annual Performance Statement results to the Commissioner. Of the 44 ELT meetings that took place between 1 July 2022 to 30 June 2024, the ELT considered information on the NDIS Commission’s performance measures on seven occasions. The ELT reviewed the 2021–22 and 2022–23 Annual Reports and 2022–23 and 2023–24 Corporate Plans. There was no evidence that the ELT recommended or endorsed them to the NDIS Commissioner as required by its charter.

4.72 Certifications to the Commissioner and the Audit and Risk Committee were made by individual ELT members responsible for each of the Commission’s performance measures. Each certification stated that the relevant performance measure response in the 2021–22 and 2022–23 Annual Performance Statements ‘is accurate and true, is not misleading, is based on properly maintained records, and accurately represents the Commission’s performance as it relates to the measure in question’ and that the Annual Performance Statements comply with the PGPA Act and PGPA Rule. Paragraph 4.82 discusses instances where there was no evidence of the basis of the 2022–23 performance results.

4.73 The ELT did not have a forward work plan prior to July 2023. There was an ELT forward agenda covering the period July 2023 to December 2024. Between July 2023 and April 2024, agenda items for the Corporate Plan, Annual Performance Statements and Annual Report were not allocated in the forward agenda. Agenda items for the Corporate Plan, Annual Performance Statements and Annual Report were allocated to scheduled meetings in May, July and August 2024 respectively. The Executive Management Group (EMG) created a forward agenda for the period November 2024 to December 2025. Agenda items were allocated for performance measures, the Corporate Plan and the Annual Report. The terms of reference for the EMG and Senior Leadership Group (SLG) do not directly allocate responsibility for oversight of the NDIS Commission’s Annual Performance Statements, Annual Report or Corporate Plans. The NDIS Commission advised the ANAO in August 2025 that responsibility for oversight of these documents is incorporated within the EMG terms of reference statement that the EMG ‘Determines the NDIS Commission’s performance controls, governance and assurance arrangements, including frameworks for ensuring risk management, compliance with the law, government policy and organisational policies.’

Performance measurement and reporting

Planning and Performance Framework

4.74 The ELT approved the NDIS Commission’s Planning and Performance Framework in March 2024. The Framework includes information on the Commonwealth Performance Framework, key performance documents, and relevant legislation, rules and guides. It contains Commission specific guidance on entity purpose, the alignment of performance measures (see Appendix 4) and targets with reference to the PGPA Rule, and documentation and reporting requirements. The Framework does not include guidance on reconciling performance outcomes with reference to the regulator best practice principles (discussed at paragraph 4.66) or integrating Ministerial Statements of Expectations (discussed at paragraphs 3.2 to 3.4) into performance reporting.⁹²

4.75 In June 2024 the NDIS Commission advised the ANAO that ‘[p]rior to the implementation of the Framework, the methodology for reporting against performance measures were [sic] held at a divisional level with no level of standardisation in place.’ The NDIS Commission’s 2022–23 and 2023–24 Annual Reports did not explain how it determined if performance measures and targets were, in 2022–23 ‘met’, ‘working towards’, ‘not met’ and ‘in progress’; and in 2023–24, ‘not achieved’, ‘partially achieved’ or ‘achieved’. The Framework does not include guidance on these ratings.

Audit and Risk Committee charter expectations

4.77 The Audit and Risk Committee (ARC) Charter, dated August 2023, set out the expected areas for consideration in relation to the NDIS Commission’s performance reporting:

• NDIS Commission’s Portfolio Budget Statements (PBS) and Corporate Plan (CP) contain appropriate details of how the NDIS Commission’s performance will be measured and assessed.
• Systems and procedures for assessing, monitoring and reporting on achievement of the NDIS Commission’s performance in the Annual Performance Statement (APS) are fit for purpose, including the approach to measuring performance throughout the financial year against the performance measures included in the PBS and CP.
• Contents of the three prime performance documents (PBS, CP & APS) comply with the requirements of the relevant sections of the PGPA Act and PGPA Rules [sic].
• NDIS Commission has appropriate risk, control, assurance and certification processes in place for the timely completion and quality certification of its APS, including its inclusion in the Annual Report.⁹³

4.78 The ARC’s expected deliverable was to provide the NDIS Commissioner with an annual statement of advice stating whether the Commission’s Annual Performance Statement complies with the PGPA Act, PGPA Rule and relevant guidance, whether the performance arrangements are fit for purpose, any areas of concern and suggestions for improvement.⁹⁴

4.79 The 2024 ARC Charter requirements regarding performance reporting were largely similar to those in 2023.⁹⁵ The 2024 Charter required the ARC to advise the Commissioner whether the Annual Performance Statements were ‘as a whole is appropriate’, rather than whether they complied with the PGPA Act, PGPA Rule and supporting guidance.

Annual Performance Reporting 2022–23

4.80 ARC members were provided the final draft of the Corporate Plan 2022–23 for review and endorsement on 19 August 2022. Prior to the Corporate Plan’s publication on 31 August 2022, an ARC member advised the Commission on 22 August 2022:

whilst the ARC members can review the document, we cannot endorse it or in anyway [sic] provide formal advice on the appropriateness of performance reporting. Normally the ARC’s review of the Corporate Plan would be supported by a number of assurance documents which are not attached and then we would provide advice on appropriateness.

4.81 On 27 September 2023, the ARC considered an internal audit report that assessed the design of the Commission’s 2022–23 performance measures against legislative requirements and better practice guidance. The report advised that ‘Performance measures and targets which do not adequately address requirements of Section 16EA of the PGPA Rule, may impact the NDIS Commission’s compliance with finance law.’⁹⁶ The report made recommendations addressing the need for a framework for monitoring, reporting and assuring performance information, for performance measures and targets to address PGPA Rule requirements, and for greater alignment between performance information in the Commission’s Portfolio Budget Statements and Corporate Plan. An ELT member approved the internal audit report prior to it being provided to the ARC. It was not reviewed by the full ELT. Implementation of the report’s recommendations, including progress and closure, was reported to the ARC in March and June 2024 and a Planning and Performance Framework was approved in March 2024 (discussed in paragraph 4.74).

4.82 On 27 September 2023, the ARC noted the draft 2022–23 Annual Performance Statements, which stated there was no data available to establish a baseline for three performance measures related to restrictive practices and providers registered (performance measures 1.2.2, 1.2.3 and 3.3.2) ‘due to system capability restrictions and lack of matured data.’ Annual Performance Statements Certifications from two ELT members also stated that there was no data available for these measures. Results were reported for these measures in the 2022–23 Annual Report with a statement that there was ‘limited data available as the development of reporting mechanisms is in progress.’ There was no evidence of the Commission’s methodology of how results for performance measures 1.2.2, 1.2.3 and 3.3.2 were produced. As discussed at paragraph 4.72, ELT certifications assured the Commissioner that the Annual Performance Statements were accurate, not misleading, based on properly maintained records and presented a reasonable and fair analysis.

4.83 On 27 September 2023 the ARC: queried the performance measurement scale and made suggestions for including further information for one performance target in the next financial year; noted some information was lacking in relation to one target; and expressed its concerns about the Annual Performance Statements compliance with the PGPA Act, the time given to the ARC to review the statements, and the Commission’s continued ‘emerging maturity’ level.

4.84 The ARC’s 2022–23 Statement of Advice to the Commissioner, dated 28 September 2023, stated that Annual Performance Statements and reporting arrangements were only ‘partially in compliance with the key requirements of the PGPA Act, Rules and relevant RMGs.’ The Commissioner approved the Annual Report, including the Annual Performance Statements, on 11 October 2023. The Commissioner’s Statement of Preparation for the 2022–23 Annual Performance Statements assessed that they were prepared under paragraph 39(1)(a) of the PGPA Act, ‘were based on properly maintained records, accurately reflect the performance of the entity’ and complied with section 39(2) of the PGPA Act (which requires compliance with the PGPA Rule).⁹⁷

Annual Performance Reporting 2023–24

4.85 ARC members were provided the draft of the Corporate Plan 2023–24 for review and feedback on 14 August 2023. On 15 August 2023, an ARC member advised the Commission’s Chief Operating Officer:

I can’t see a clear line of sight between purpose, key activities and then the performance measures, and also the measures included in the PBS. I also don’t think many measures would fully meet the requirements of S16EA. A description of the methodology or survey approach for each measure would help … I would be concerned about confirming the appropriateness of the measures without further information and/or discussion.

4.86 There was no evidence that the requested out of session discussion or the provision of further information occurred. The Corporate Plan was published on 31 August 2023 in compliance with the time frame requirements of subsection 16E(3) of the PGPA Act.

4.87 On 27 September 2024, the ARC considered an internal audit report on the draft 2023–24 Annual Report and its compliance with the PGPA Act and PGPA Rule. Compliance analysis did not assess whether the NDIS Commission had met government expectations, which commenced for the 2023–24 reporting period, that entities reconcile performance outcomes with regulator best practice principles (discussed at paragraph 4.66).⁹⁸ The internal audit report advised that the draft Annual Performance Statements had improved relative to 2022–23 but that ‘there is need for improvement before the performance statements would be likely to pass an external audit process’ and that:

the NDIS Commission would need to better demonstrate there is sufficient support and logic in the performance analysis as to how the target had been achieved, or not achieved. Specifically:

• Strengthening the performance measure narratives, particularly around clearly stating the overall result and performing meaningful evaluations that is relevant to the performance measure and target;
• Collating and storing documentation and data to verify the claims and figures presented in the analysis, which will support the completeness, accuracy and reliability of the performance result reported; and
• Further detailing methodologies and the underlying data verifiability and reliability in some areas.

4.88 The internal audit report stated that the annual reporting could benefit from Annual Report writing that is ‘in line with better practice’ and ‘strengthening quality assurance activities for annual performance statements.’ In regard to strengthening the performance measure narrative, the report noted that it was challenging to assess whether some performance results were sufficiently supported by evidence where the performance measure or target did not have a defined benchmark of success.

4.89 On 27 September 2024, the ARC ‘noted’ the 2023–24 Annual Performance Statements, ‘noted’ an inconsistency between performance measure 1.2.1 and headline statement 1.2, questioned survey data reliability, and agreed to draw the Commissioner’s attention to data for performance measures 1.1.1 and 1.2.1.

4.90 The ARC’s 2023–24 Statement of Advice to the Commissioner, dated 27 September 2024, stated that the Annual Performance Statements and reporting arrangements had ‘improved significantly’ from 2022–23 but had ‘not yet fully met, [sic] the standard of being substantially compliant with the key requirements of the PGPA Act, Rules and relevant RMGs.’ The Statement of Advice did not address specific performance measures. The acting Commissioner approved the Annual Report, including the Annual Performance Statements, on 30 September 2024. The acting Commissioner’s Statement of Preparation for the 2023–24 Annual Performance Statements assessed that they ‘accurately present the NDIS Commission’s performance for the year ended 30 June 2024 and comply with subsection 39(2) of the PGPA Act’.⁹⁹

Annual Performance Reporting 2024–25

4.91 On 13 June 2024, the ARC was advised that the NDIS Commission’s 2024–25 Portfolio Budget Statements (PBS) included ‘incorrect performance tables’ due to an ‘administrative error’ and that this would be ‘rectified via the Mid-Year Economic and Fiscal Outlook budget for 2024–25’. The 2023–24 PBS measures and targets had been published instead of updated performance measures and targets for 2024–25. The 2024–25 Corporate Plan, dated 30 August 2024, stated that performance measures and targets had been aligned to the 2024–25 PBS but did not disclose the publishing error. The February 2025 NDIS Commission’s Portfolio Additional Estimates Statements included the updated performance measures for 2024–25.

4.92 On 27 September 2024, the ARC considered an internal audit report on the 2024–25 Corporate Plan and the compliance of the Performance Measures with the PGPA Rule and Resource Management Guide 131: Developing performance measures (RMG 131).¹⁰⁰ The report identified areas for improvement including the need for ‘a clear read from the PBS to the Corporate Plan’ and to fully align the Corporate Plan’s performance measures with sections 16E and 16EA of the PGPA Rule and RMG 131. Areas for improvement included: defining year-on-year performance targets; defining baseline data and data measurement methodologies; including quality assurance processes ‘for off system data’; and ‘Improving the alignment and rationale of the targets in how they support the performance measures and the overall objectives and purpose of the NDIS Commission.’ The Corporate Plan did not meet government expectations, which commenced from 1 July 2023, that regulators include performance information on the Commission’s regulatory functions with reference to the regulator best practice principles set out in RMG 128 (discussed at paragraph 4.66).¹⁰¹

4.93 As with the 2023 internal audit report (discussed at paragraph 4.81), the 2024 internal audit report was not provided to the Finance Committee, the Strategic Investment Committee or the EMG and the SLG, which replaced the ELT from July 2024 (discussed at paragraph 1.17). Without access to these reports and the actions required from them, the executive has not had sufficient oversight of the Commission’s overall performance and reporting to discharge its responsibilities in relation to the Commission’s Annual Performance Statements, Annual Report or Corporate Plans.

Performance reporting data quality

4.94 Between 1 July 2022 and 30 June 2024 the NDIS Commission published quarterly reports containing information relating to its regulatory activities, including compliance outcomes.¹⁰² The 2023–24 Annual Performance Statements, tabled in the Parliament, included compliance outcome data reported under Performance Measure 3.1 for 2022–23 and 2023–24.¹⁰³ Data in the Annual Performance Statements does not reconcile to the data in the quarterly reports. There was no record of the data sources or methodology used to determine the figures published in the Annual Performance Statements. Variances within compliance action data reported between quarterly reports also do not reconcile. Assurance over the completeness and accuracy of the NDIS Commission’s publicly reported performance data for 2023–24 could not be obtained.

4.95 In April 2025 the NDIS Commission advised the ANAO, in relation to these variances, that:

Data was extracted at the end of the financial year to calculate the performance results in order to incorporate quarterly data entered retrospectively. This minimises the impact from off systems data and accounts for variations in the same timeframe.

4.96 The NDIS Commission does not have processes in place to assure itself of complete and accurate performance information when known data quality issues exist, including errors in data captured in COS, discussed at paragraphs 2.30 and 2.31.

Appendix 1 Entity response

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

• In July 2024 the NDIS Commission implemented a Regulatory Campaigns Framework (paragraph 4.11).
• The Data Quality Framework was finalised in November 2024 (paragraph 2.31).
• Developing an Intelligence Hub to house intelligence and provide an avenue for assessment of systemic and emerging risk (paragraph 2.21).
• The Joint Operational Protocol between the National Disability Insurance Agency and the NDIS Quality and Safeguards Commission, including seven supporting schedules, was finalised on 23 May 2025 (paragraph 2.37).
• Drafting a memorandum of understanding with the Aged Care Quality and Safety Commission (paragraph 2.40).
• Developing an internal policy to facilitate a consistent process for the access and receipt of protected information from partner agencies (paragraph 2.42).
• Developing the Risk-Based Regulation Prioritisation Model, formerly the Enterprise Prioritisation Model, to streamline the workflows according to risk priority and other defined criteria; including a new approach to triaging compliance and investigation matters (paragraphs 3.38 to 3.40; and paragraph 4.41).

Appendix 3 Compliance and enforcement tools and actions

1. The NDIS Commission’s Compliance and Enforcement Policy sets out a description of the compliance and enforcement tools used by the Commission. These are set out in Table A.1. All compliance and enforcement actions reported by the Commission for 2022–23, 2023–24 and 2024–25 (to 31 March 2025) are set out in Table A.2.

Table A.1: Compliance and enforcement tool descriptions

Source: ANAO representation of information in the NDIS Commission’s Compliance and Enforcement Policy, September 2024, pp. 8, 10–11, available from https://www.ndiscommission.gov.au/sites/default/files/2025-02/NDIS%20Commission%20Compliance%20and%20Enforcement%20Policy%20-%203%20September%202024.pdf [accessed 16 June 2025].

Table A.2: Compliance and enforcement actions in 2022–23, 2023–24 and 2024–25 (to 31 March 2025)

Key: – not reported.

Source: ANAO analysis of NDIS Commission Quarterly Performance reports.

Appendix 4 NDIS Commission Performance Measures

1. The performance measures for the NDIS Commission as set out in the 2024–25 Portfolio Additional Estimates Statements and the Commission’s Corporate Plan are set out in Table A.3.¹⁰⁴ The performances measures for Program 1.2 changed in 2024–25 from performance measures for 2022–23 and 2023–24.

Table A.3: NDIS Commission Performance Measures 2024–25

Source: Australian Government, Portfolio Additional Estimates Statements 2024–25 the Social Services Portfolio, Commonwealth of Australia, Canberra, 2024, pp. 123–125, available from https://www.dss.gov.au/system/files/documents/2025-02/2024-25dsspaes-accessible.pdf [accessed 12 June 2025].