Introduction

The National Disability Insurance Scheme

1.1 The National Disability Insurance Scheme (NDIS) was established under the National Disability Insurance Scheme Act 2013 (NDIS Act) to fund reasonable and necessary supports for eligible people with disability to assist them in participating in economic and social life. To participate in the NDIS, individuals must meet age, residency and disability or early intervention access requirements.³ NDIS participants have their supports costed and funded through a participant plan.⁴ Funded NDIS supports can include help with household tasks, personal care, transport, therapy, training, assistive technology and home modifications.⁵

1.2 The NDIS is an uncapped, demand-driven scheme jointly funded by the Australian, state and territory governments under bilateral agreements (Figure 1.1 shows Australian, state and territory government contributions since 2019–20). In 2023–24, NDIS participant plan expenses totalled $41.85 billion, covering more than 661,000 participants.⁶ By 2033–34, NDIS expenses are expected to increase to $92.72 billion, covering more than 1,021,000 participants.⁷

Figure 1.1: NDIS contributions by jurisdiction (2023–24 dollars), 2019–20 to 2023–24

Source: Productivity Commission, Report on Government Services 2025, Part F, Section 15, 30 January 2025, Table 15A.1, available from https://www.pc.gov.au/ongoing/report-on-government-services/2025/community-services/services-for-people-with-disability [accessed 31 January 2025].

1.3 The Australian Government Minister for the NDIS (NDIS Minister) administers the NDIS Act and exercises statutory powers with the agreement of states and territories. The Disability Reform Ministerial Council, which comprises ministers responsible for disability from the Australian, state and territory governments, makes decisions on NDIS policy issues.

The National Disability Insurance Agency

1.4 The National Disability Insurance Agency (NDIA) was established under the NDIS Act to deliver the NDIS. It is a corporate Commonwealth entity under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Its accountable authority is the NDIA Board, which comprises a chair and up to 11 members appointed by the NDIS Minister in consultation with state and territory members of the Disability Reform Ministerial Council.

1.5 The NDIA’s purpose, as set out in its corporate plan outcomes statement, is to:

Improve the independence, and the social and economic participation of eligible people with disability through the management of a financially sustainable National Disability Insurance Scheme with proper, efficient and effective use of resources.⁸

1.6 As at 30 June 2024, the NDIA reported a total workforce of 16,192 (made up of 7,846 Australian Public Service (APS) employees, 2,143 contractors and 6,203 outsourced workers⁹) at over 150 locations across Australia. In the 2024 APS Census, 22 per cent of NDIA staff identified as having disability.

Paying claims for NDIS supports

1.7 The NDIA receives claims from registered providers and participants with self-managed plans to fund NDIS supports outlined in participant plans.¹⁰ Participant plan expenses represented 95.1 per cent of the NDIA’s total expenses in 2023–24 (with the balance of the NDIA’s total expenses being operating costs and grants).

1.8 There are three arrangements for managing participant plan funding:

• self-managed — participants (or their plan nominee or child representative¹¹) manage their own funding, pay providers directly, and claim reimbursement from the NDIA;
• plan-managed — registered providers (plan managers) manage participants’ funding, purchase NDIS supports from other providers (or reimburse participants when they have directly paid for supports), and claim the costs from the NDIA; and
• NDIA-managed — the NDIA manages participants’ funding, with registered providers making claims directly to the NDIA for NDIS supports provided.

1.9 Participants can choose a combination of these three plan management arrangements, including self-managing part of their plan and having the rest of the plan managed by a plan manager or by the NDIA. Table 1.1 outlines key differences between the participant plan management arrangements.

Table 1.1: Differences between participant plan management arrangements

Key: ✔ Yes ✘ No.

Note a: Proportions do not sum to 100% due to rounding. Q2 2024–25 covers the period 1 September 2024 to 31 December 2024. The proportions have largely remained stable over the past two financial years.

Note b: Some NDIS supports (such as disability accommodation, behaviour support services, and supports that use or are likely to use restrictive practices) can only be provided by registered providers.

Note c: The NDIA publishes the NDIS Pricing Arrangements and Price Limits which lists a catalogue of supports for which providers can lodge claims and maximum prices registered providers can charge for specific supports.

Source: ANAO analysis of NDIA information.

Payment processing systems

1.10 Since 2016, the NDIA has used a client relationship management (CRM) system delivered by Services Australia to manage NDIS participant plans and claims. The NDIA has stated that, for its purposes, the Services Australia CRM system is ‘slow’, ‘clunky’, ‘inefficient’, ‘inflexible’ and ‘at the end of its life’, noting that it has contributed to ‘poor participant experience and NDIS operations’.¹²

1.11 Since 2021, the NDIA has been working on implementing a replacement system called PACE, built on a Salesforce CRM platform in NDIA’s IT environment. After piloting the PACE system in Tasmania from November 2022 to March 2023, the NDIA began rolling out PACE across Australia from 30 October 2023, with the full rollout initially forecast to take up to 18 months. In February 2025, the NDIA removed the forecast timeframe from its website. The NDIA informed the ANAO in June 2025 that, while the delivery of the PACE system has been completed, the migration of participant plans from the previous CRM system to the PACE system is still in progress. It has not set a revised date for the migration process to be completed.

Managing claimant compliance with NDIS claim requirements

1.12 The NDIA has defined compliance on its website as ‘following the rules and standards of the NDIS and Australian laws’ and ‘doing the right thing and using NDIS funds in line with NDIS plans’. It states that compliant activities can include:

• Keeping complete and accurate records, such as invoices and service agreements.
• Making sure claims for payment are complete, truthful and accurate.
• Checking NDIS plans for any mistakes or anything else that doesn’t look right.¹³

1.13 The NDIA has outlined four types of non-compliant activity on its website.

• An error or mistake: when a person does the wrong thing without meaning to and without hoping to gain something for themselves.
• Misuse: when a person uses NDIS funds in ways that are not in line with the participant’s plan or the law.
• Conflict of interest: when a person or organisation has an opportunity to put what will benefit them (their own interests) ahead of in [sic] the interests of the people they support.
• Dishonest behaviour: when someone uses NDIS funds when they know it’s the wrong thing to do. When someone behaves dishonestly, they are taking advantage of participants, their families or carers.¹⁴

1.14 Other types of claim non-compliance that have been identified through the NDIA’s fraud and non-compliance activities include: illegitimate or ‘ghost’ participants; claiming from expired plans; claiming from plans of participants who are incarcerated, in hospital or overseas for long periods (and thus ineligible for NDIS supports); claiming for services outside of plans; claiming for services that were not provided; claiming in advance of service delivery; overstating services, overcharging or duplicate charging; and double-dipping across government programs.

1.15 In 2023–24, the NDIA reported that its compliance integrity activities included:

• [reviewing] 14,531 pre-payment and 66,759 post-payment claims resulting in $57 million in payment cancellations due to noncompliance in 2023–24 (compared with $49 million in 2022–23)
• an enhanced review process for claims received after a plan has expired and increased pre-payment checks on cash reimbursements …
• identifying and stopping claims from participants who have been overseas for more than 6 weeks …
• implementing a new web-based form as part of a redesigned tip-off process …
• changing the claiming process for self-managed claims to require a description for every claim [and]
• conducting integrity campaigns focused on thematic issues.¹⁵

1.16 In October 2024, the NDIS Act was amended to include a new statutory function for the NDIA to ‘prevent, detect, investigate and respond to misuse or abuse of, or criminal activity involving, the [NDIS] (whether systemic or otherwise)’.¹⁶

NDIS Review

1.17 The 2023 Independent Review into the National Disability Insurance Scheme found:

Current NDIS processes and systems don’t provide governments with sufficient information to protect the integrity of the scheme and allow governments to monitor and steward the market …

Incomplete data and limited market visibility also make it difficult to understand the nature and scale of non-compliance, sharp practice and fraud occurring across the scheme.¹⁷

1.18 The review recommended that the Australian Government:

Invest in digital infrastructure for the NDIS to enable accessible, timely and reliable information and streamlined processes that strengthen NDIS market functioning and scheme integrity.¹⁸

Fraud and non-compliance budget measures

1.19 In the 2021–22 Mid-Year Economic and Fiscal Outlook, the Australian Government provided the NDIA $26.5 million funding over two years from 2021–22 for a pilot program ‘to develop and test new compliance capabilities, targeting fraudulent and unethical provider behaviours.’

1.20 In the October 2022 federal Budget, the Australian Government committed $126.3 million over four years from 2022–23 (including $58.4 million for the NDIA) to establish a cross-agency Fraud Fusion Taskforce to address fraud and serious non-compliance in the NDIS, expected to recover $291.5 million in debts from non-compliant NDIS providers. Replacing the previous NDIS Fraud Taskforce, which had been established in 2018, the Fraud Fusion Taskforce is co-led by the NDIA and Services Australia with 19 other entities participating (as at January 2025).

1.21 On 11 April 2023, the National Cabinet committed to ‘an annual growth target in the total costs of the Scheme of no more than 8 per cent by 1 July 2026, with further moderation of growth as the scheme matures.’¹⁹ The Australian Government subsequently committed $732.9 million in the 2023–24 federal Budget to improving the effectiveness and sustainability the NDIS, including $48.3 million over two years from 2023–24 to ‘crack down on fraud and non-compliant payments in the Scheme and to develop a business case for new IT platforms and systems to detect and prevent fraud and non-compliant payments’.²⁰ The government provided a further $83.9 million for the Crack Down on Fraud program in February 2024 and a further $110.4 million in December 2024, bringing the total funding allocation for the program to $242.6 million. In the 2025–26 federal Budget, the government committed a further $151.0 million over four years from 2025–26 for the Crack Down on Fraud program (with ongoing funding of $43.8 million per year from 2029–30) and $17.1 million in 2025–26 to maintain the NDIA’s payment integrity workforce.

1.22 In total, the government has committed more than $495 million over eight years from 2021–22 to 2028–29 for the NDIA to address NDIS fraud and non-compliance.

Rationale for undertaking the audit

1.23 The NDIA paid out $41.85 billion for NDIS claims in 2023–24. In September 2023, the NDIA estimated that 6 to 10 per cent of these outlays could be for non-compliant, fraudulent or incorrect claims. The NDIA Board has a duty under section 16 of the PGPA Act to establish and maintain appropriate systems of risk oversight and management and internal control for the NDIA. It also has a duty under section 10 of the Public Governance, Performance and Accountability Rule 2014 (the Fraud and Corruption Rule) to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the NDIA (including deliberate non-compliance). There has been parliamentary interest in NDIS fraud and non-compliance and its impact on the sustainability of the NDIS. This audit was undertaken to provide assurance to the Parliament on the effectiveness of the NDIA’s arrangements for managing NDIS claim compliance.

Audit approach

Audit objective, criteria and scope

1.24 The objective of the audit was to assess the effectiveness of the NDIA’s management of claimant compliance with NDIS claim requirements.

1.25 To form a conclusion against this objective, the following high-level criteria were adopted.

• Has the NDIA developed and implemented effective frameworks and processes to manage NDIS claim compliance?
• Has the NDIA implemented effective arrangements to oversee, monitor and continuously improve NDIS claim compliance?

1.26 The ANAO focused on the NDIA’s management of NDIS claim compliance from July 2022 to December 2024. The audit did not examine the effectiveness of the NDIA’s broader fraud and corruption controls, the NDIA’s management of serious fraud investigations, or the NDIS Quality and Safeguard Commission’s regulation of compliance by NDIS providers.

Audit methodology

1.27 The audit methodology included:

• review of NDIA data, documentation, policies, procedures and training materials;
• walkthroughs of NDIA systems;
• a site visit to the NDIA’s Adelaide office, South Australia;
• review of contributions from three NDIS providers and one provider organisation made to the audit contribution facility on the ANAO website; and
• meetings with NDIA staff.

1.28 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $748,700.

1.29 The team members for this audit were Daniel Whyte, Steven Meyer, Scott Lang, Tim Fuller, Mary Potter, Nathan Daley, Alexandra Collins and Corinne Horton.

2.1 The NDIA Board has a duty under section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) to establish and maintain appropriate systems of risk oversight and management and internal control for the NDIA. It also has a duty under the 2024 Fraud and Corruption Rule²¹ to ensure the NDIA has appropriate mechanisms for preventing, detecting and responding to fraud and corruption (paragraphs 10(e) and (f)).

2.2 Having a fit-for-purpose framework to ensure claimants comply with legislative and policy requirements is a countermeasure to help prevent fraud and corruption. Foundational prevention controls for government payment schemes include clear and specific claim requirements, robust systems and processes to verify claims, and education and training arrangements for claimants and entity staff. Detection and response controls relevant to claim compliance include data analysis and review processes, tip-off mechanisms, and referral for follow-up action.²²

Has the NDIA established a fit-for-purpose framework for managing NDIS claim compliance?

Compliance and Enforcement Framework (March 2020)

2.3 The NDIA has a Compliance and Enforcement Framework, which was endorsed by the NDIA Board in March 2020 and is published on its website.²³ The framework describes the NDIA’s compliance actions, grouped under four categories:

• prevention strategies — targeted education and outreach campaigns, and broader engagement and communication with the disability sector;
• detection strategies — phone and email tip-offs, data matching and analytics, and intelligence and information sharing;
• compliance monitoring — proactive contact with participants to confirm delivery of supports, targeted and desktop compliance reviews, and investigations; and
• enforcement strategies — criminal sanctions, civil penalties, and administrative actions, including debt recovery and referral to the NDIS Quality and Safeguards Commission (NDIS Commission).

2.4 The framework does not include a description of accountability arrangements for compliance management or performance measures and targets. Further, the compliance actions outlined in the framework do not reflect the NDIA’s current compliance approach. In particular, the prevention strategies do not cover foundational prevention controls for government payment schemes (which are now being implemented through the NDIA’s Crack Down on Fraud program), such as clear and specific claim requirements and robust systems and processes to verify claims prior to payment, including confirming claimants’ identity and validating invoice details.

Fraud and Corruption Control Plan (July 2023)

2.5 The NDIA’s Fraud and Corruption Control Plan was last updated in July 2023 and was endorsed by the NDIA Board in September 2023. A new Commonwealth Fraud and Corruption Control Framework came into effect on 1 July 2024 following amendments to section 10 of the Public Governance, Performance and Accountability Rule 2014 (the Fraud and Corruption Rule).²⁴ As at April 2025, the NDIA Board was non-compliant with the Fraud and Corruption Rule as it had not endorsed an updated Fraud and Corruption Control Plan to meet requirements of the new framework.

2.6 The July 2023 control plan states that the NDIA has ‘zero tolerance for fraud against the Scheme, participants, and the NDIA’. Three of six ‘key fraud risks’ outlined in the plan relate to NDIS claim compliance: ‘financial misappropriation (trusted insiders)’; ‘financial misappropriation (scheme stakeholders)’; and ‘financial misappropriation (external threats)’.²⁵ The plan notes that ongoing monitoring and review of risks and treatments is undertaken through the fraud and corruption risk register (discussed further at paragraph 3.24). The plan outlines ‘key fraud and corruption detection and response strategies’, including: addressing serious and organised fraud through the Fraud Fusion Taskforce and engagement with other agencies; proactive data analytics and intelligence; identity management; and staff integrity risk management. The plan also replicates compliance actions in the 2020 Compliance and Enforcement Framework. While accountability arrangements are outlined in the plan, as of April 2025 they were no longer current.

2.7 In August 2024 the NDIA’s Audit and Risk Strategic Leadership Team Sub-Committee was briefed that the NDIA was non-compliant with six out of eight elements of the 2024 Commonwealth Fraud and Corruption Control Framework, including fraud and corruption control plan requirements. The NDIA Board Audit and Risk Committee was subsequently advised of this non-compliance in November 2024. The NDIA has developed a remediation plan to update its fraud and corruption control framework, with progress reporting being provided to the NDIA Board Audit and Risk Committee. Full compliance is expected to be achieved by 31 December 2025.

Other frameworks relevant to claim compliance

Crack Down on Fraud business case (September 2023)

2.8 A March 2022 review of the NDIA’s fraud intelligence and investigation functions, conducted by Deloitte Touche Tohmatsu (Deloitte)²⁶, found the NDIA had an imbalanced focus on serious and organised crime over opportunistic fraud and non-compliance, and an almost exclusive reliance on tip-offs for monitoring and detection of fraud and non-compliance. Deloitte recommended that the NDIA procure and implement fit-for-purpose IT systems for intelligence analysis, fraud and non-compliance detection, and case management. The NDIA engaged Deloitte in April 2022 to develop a business case for IT upgrades to address these recommendations.²⁷ In early 2023, the NDIA provided a draft business case, based on the Deloitte proposal, to the Department of Finance and Digital Transformation Agency (DTA) for feedback. Feedback from the DTA in March 2023 indicated further work would be needed to meet the standards of a ‘first pass’ business case (under the DTA’s whole-of-Australian Government ICT Investment Approval Process).²⁸

2.9 In March 2023 responsibility for business case development shifted within the NDIA to the Fraud Fusion Taskforce (which had been established in November 2022) and a different IT solution was proposed. A revised proposal for foundational IT platforms to ‘crack down on fraud and non-compliant payments’ was presented to the government in April 2023. The Department of Finance and DTA advised that the proposal did not meet the requirements of the ICT Investment Approval Process. The government decided to provide $48.3 million over two years (from 2023–24) for the NDIA to continue its NDIS claim compliance activities and develop a combined pass business case for further consideration.²⁹ The government also decided that the business case would be subject to the Department of Finance’s gateway review process.³⁰

2.10 In July 2023, the NDIA engaged Boston Consulting Group to project manage and draft the Crack Down on Fraud business case, including drafting any supporting submissions to the government.³¹ The Department of Finance completed a ‘first stage’ gateway review of the program in September 2023, which found there was a clear need for the work proposed and it was aligned with NDIA and government priorities, but a ‘considerable amount of work’ was needed to improve the business case and planning for all stages of implementation was at an early stage.

2.11 The business case for the Crack Down on Fraud program was completed in September 2023.

• The business case provided a detailed description of the business problem to be addressed, which highlighted that:
  • ‘serious gaps’ in the NDIA’s IT systems and controls had left the NDIS vulnerable to non-compliance and misuse and made it a target for fraud; and
  • this had led to participants being targeted by ‘unscrupulous providers’, ‘committed providers’ struggling to compete with ‘unscrupulous providers’, diminishing public trust in the scheme, low motivation and disempowerment of NDIA staff and partners, and challenges to overall scheme sustainability.
• It estimated that the level of fraud, non-compliance and payment error in the NDIS was in the range of 6 to 10 per cent, which equated to ‘leakage’ of $2.0–3.5 billion in 2022–23 and was forecast to increase to $3.6–6.0 billion by 2027–28.³²
• The business case outlined a proposed program to ‘uplift’ the NDIA’s IT capabilities in relation to:
  • strengthened identity and authority controls for interactions with NDIS systems;
  • transparent and consistent ‘omnichannel’ (for example, app, portal and call centre) experiences for participants and providers;
  • secure ‘natural systems’ to facilitate transfer of payment and service data;
  • systems for validating payments in real-time against external data sources;
  • a centralised, integrated ‘data lake’ to enable real-time data analysis;
  • use of advanced analytics and insights tools for fraud detection;
  • a fit-for-purpose, end-to-end fraud case management system;
  • access to payments data for debt and financial management; and
  • cyber resilience to identify security threats and respond to incidents.
• The business case also included a ‘program logic’³³ for ‘making it easier to get it right & harder to get it wrong’, framed around ensuring the ‘right people’, at the ‘right place’ and with the ‘right provider’, get the ‘right services’, ‘right payments’ and ‘right outcomes’ (see Figure 2.1).

2.12 The program of work to ‘uplift’ the NDIA’s IT capabilities outlined in the business case was designed to embed basic preventative controls for a government payment scheme (such as processes to confirm claimants’ identity and validate invoice and payment details) and to establish more advanced detective controls to monitor claiming patterns and identify potential fraud and non-compliance. These capabilities were designed to target significant risks that had been realised in the rollout of the NDIS — namely, that the loose control environment created at the outset enabled ‘unscrupulous people’ and ‘serious organised crime’ to target NDIS participants on a large scale and undermine the financial sustainability of the NDIS.

2.13 The NDIA’s Crack Down on Fraud business case was presented to the government in October 2023. The NDIA’s Crack Down on Fraud program subsequently commenced in February 2024 with the aim of developing new IT platforms and systems to prevent and detect fraud and non-compliance in the NDIS.³⁴ The program envisages a substantial uplift in the NDIA’s prevention and detection controls for NDIS claim compliance. Strategic planning documents for the Crack Down on Fraud program (including the business case) outline a more appropriate control framework than the NDIA’s March 2020 Compliance and Enforcement Framework and July 2023 Fraud and Corruption Control Plan, as they include coverage of basic prevention controls for a government payment scheme. As of April 2025, the NDIA had not updated its corporate frameworks to reflect this change in its compliance approach.

Fraud Fusion Taskforce strategic prevention concepts (October 2023)

2.14 The NDIA co-leads (with Services Australia) the cross-agency Fraud Fusion Taskforce, which was established in November 2022 to address fraud and serious non-compliance in the NDIS (see paragraph 1.20). The NDIA received $58.4 million over four years from 2022–23 for its involvement in the Fraud Fusion Taskforce.

2.15 In October 2023, the Fraud Fusion Taskforce Inter-Departmental Committee³⁵ endorsed 16 ‘strategic prevention concepts’ developed by the NDIA in consultation with the NDIS Commission and Australian Taxation Office (ATO) (see Table 2.1). The NDIA undertook a maturity self-assessment against these concepts in September 2023, rating its ‘current state’ as ‘nil’ and/or ‘ad hoc’ for 15 of the 16 concepts. It also used the framework and maturity assessment to identify seven priority focus areas to ‘uplift’ fraud and non-compliance prevention capability across the ‘NDIS ecosystem’ (six of which overlap with elements of the Crack Down on Fraud program). The NDIA’s self-assessed maturity levels, goal states and priority focus areas are identified in Table 2.1.

Table 2.1: NDIA’s September 2023 self-assessment against strategic prevention concepts^a and priority focus areas^b

Note a: From lowest to highest, the maturity assessment ratings are: nil; ad hoc; developing; managing; and embedded.

Note b: Priority focus areas for capability uplift. Priority concepts 1, 2, 4, 5, 6 and 10 relate to capabilities being built through the Crack Down on Fraud program.

Source: NDIA documentation.

2.16 Similar to the program logic developed for the Crack Down on Fraud program, the Fraud Fusion Taskforce’s strategic prevention concepts outline a more appropriate control framework than the NDIA’s March 2020 Compliance and Enforcement Framework and July 2023 Fraud and Corruption Control Plan. As of April 2025, the NDIA had not updated its corporate frameworks to reflect these concepts.

Has the NDIA established processes for preventing non-compliant NDIS claims?

Identified weakness in NDIS prevention controls

2.19 The March 2022 review of the NDIA’s fraud intelligence and investigation functions (see paragraph 2.8) observed that:

Since inception in 2013, the NDIS has been primarily focussed on transitioning participants into the Scheme from state and territory funded support. As a result, participant growth was rapid, notably growing from 29,719 in 2016 to 466,619 by 30 June 2021, with payments also rising rapidly, from $4 billion in 2016–17 to more than $23 billion by 2020–21. This focus on participant transition has meant that there was insufficient attention on the commensurate growth of a robust control environment and associated systems expected of a scheme of this size and complexity today.

2.20 In undertaking business analysis for the September 2023 Crack Down on Fraud business case, the NDIA identified that its identity and authority controls for individuals and organisations interacting with NDIA systems were ‘catastrophically weak’. It also identified in the business case that its IT systems created a ‘loose control environment’, which included:

• Little or no transparency of what a significant proportion of payments are being used for due to legacy systems that do not allow additional data to be requested from claimants …
• The NDIA immediately paying 98% of claims with no automated pre-payment validation against legislative, regulatory or administrative rules or known risk flags due to a lack of the technology to automatically test claims against those rules and a lack of consolidated data to validate claims (e.g., previous claims to match for duplication)
• Reliance on highly manual processes for all pre-payment and post-payment validation, such that only 0.02% of total NDIS claims are reviewed pre-payment per year and 0.04% are reviewed post-payment per year, due to a lack of automated rules testing and rudimentary validation tools.

2.21 The Crack Down on Fraud business case acknowledged that ‘rudimentary’ pre-payment checks existed within the NDIA’s PACE payment system. These checks, which were introduced in 2022 and 2023, include system-based checks to confirm that the claim service date is in the past, the claim is not a duplicate, and there is sufficient budget in the participant’s plan. Similar checks were also introduced over the same period in the NDIA’s SAP CRM system.³⁶

Crack Down on Fraud ‘uplifts’ to NDIS prevention controls

2.22 In November 2023, the government decided to fund the Crack Down on Fraud program in three tranches in early 2024, 2025 and 2026, subject to advice from the DTA on project delivery status. Between November 2023 and January 2024, the NDIA worked with the DTA to complete ‘pre-start’ activities, including developing a schedule of 34 outcomes or milestones to be delivered over the first two years of the program to support the release of tranche two funding in 2025 and tranche three funding in 2026 (see Appendix 3). In February 2024, the government decided to release tranche one funding of $83.9 million³⁷, and decided that future tranches could be approved through correspondence with the Prime Minister and Minister for Finance, informed by advice from DTA and the Department of Finance.

Crack Down on Fraud ‘tranche one’ project delivery

2.23 The NDIA developed a ‘tranche one baseline plan’ in May 2024, which outlined a suite of 11 projects to deliver the capabilities proposed under the Crack Down on Fraud program (see Appendix 4 for tranche one project details). In June 2024, the NDIA developed a ‘program roadmap’ and ‘project on a page’ plans for the 11 projects. Each ‘project on a page’ plan included: a project description; related program milestones; a project scope; a change impact assessment; risks; dependencies; an outline of project leadership and governance; delivery milestones; and a Gantt chart outlining the delivery schedule.

2.24 Of the 11 projects initiated for tranche one, seven relate to prevention controls for claim non-compliance. These projects are delivering capabilities relating to:

• strengthened identity and authority controls and improved ‘omnichannel’ experiences;
• secure ‘natural systems’ to facilitate transfer of data between the NDIA, providers and other entities;
• cyber resilience to identify security threats and respond to incidents; and
• enhanced systems for validated payments, including ‘integrity uplifts’ for the NDIA’s client relationship management systems.

2.25 Since August 2024 the NDIA has provided monthly project status reports to Crack Down on Fraud oversight committees.³⁸ Project status reporting covering the period of July 2024 to February 2025 indicates implementation challenges emerged with projects relating to identity and authority, natural systems and cyber resilience, including: capacity constraints and prioritisation issues within the NDIA’s Chief Information Officer Division³⁹; and delays in undertaking necessary procurement activities. No significant challenges were reported for the projects relating to validated payments.

2.26 The NDIA reported in February 2025 that 15 of 17 tranche one milestones had been delivered by December 2024 and two milestones had been ‘partially delivered’ (see Appendix 5). To support the closure of program milestones, the NDIA has established a process that involves preparing milestone acceptance briefs. Briefs prepared for milestones due in June 2024 included sections for: due dates and completion dates; acceptance criteria; endorsement by the project owner, business owner and technical owner; and final endorsement by the Crack Down on Fraud program senior responsible officer (General Manager, Integrity Transformation Division). For December 2024 milestones, two additional sections were included in acceptance briefs outlining evidence that the milestone had been delivered and an assurance assessment by the Crack Down on Fraud independent assurer (Sententia Consulting).⁴⁰

2.27 Of the 17 tranche one milestones (see Appendix 5 for milestone details), 10 milestones related to prevention controls for claim non-compliance. As of March 2025:

• three milestones (M1, M2 and M5) had been signed off by the senior responsible officer in January 2025 without supporting evidence or an assurance assessment;
• three milestones (M6, M7 and M8) had been signed off by the senior responsible officer in March 2025 following an assurance assessment of supporting evidence;
• for two milestones (M4 and M9), the independent assurer had requested additional supporting evidence of milestone completion and the milestones had not been signed off by the senior responsible officer; and
• for two milestone (M15 and M17), acceptance briefs had not been completed.

2.28 Prior to undertaking the milestone assurance process, the NDIA had not developed guidance on what types of evidence would be sufficient to support the completion of milestones. Supporting evidence for milestone completion briefs included: screenshots of systems; governance forum papers; technical documentation; online public communications; communications with providers; PowerPoint presentations; emails (for example, confirming the completion of testing); and test completion reports.

2.30 Tranche one of the Crack Down on Fraud program was delivered largely on time, with 13 of the 17 milestones delivered before their target completion dates and the remaining four delivered within one to three months of their target completion dates. Tranche one was also delivered substantially under budget, with total expenditure of $30.1 million against a budget of $82.1 million (the NDIA attributed the underspend to a three-month delay in the release of funding, which impacted high-cost procurement activities).

Crack Down on Fraud ‘tranche two’ project delivery

2.31 In November 2024, the NDIA developed a ‘tranche two baseline plan’, which included status updates for the initial 11 projects (continuing from tranche one) and outlined two new projects to commence in 2025.

2.32 The Department of Finance completed a ‘mid-stage’ gateway review of the Crack Down on Fraud program in November 2024, which found that the overall delivery confidence assessment for tranche two of the program was ‘amber’. The report stated:

The Crack Down on Fraud (CDoF) Program (Program) has delivered some significant achievements and benefits ahead of time in Tranche 1 and has demonstrated through these achievements that the NDIA is capable of adopting a ‘can do’ mindset and approach to deliver government outcomes.

The Agency has been given a substantial and complex reform agenda to deliver in an ambitious timeframe. Unless the Agency’s ability to deliver and embed multiple reforms in parallel increases, including alleviating capacity constraints and system stress points, then it is unlikely Tranches 2 and 3 will be delivered in their entirety as scheduled.

2.33 The report made three recommendations relating to its findings on capacity constraints and system stress points, which were classified as ‘Essential (Do by Q1 2025)’.

• Complete and implement the strategic prioritisation framework to support decision-making across the Agency.
• Establish a critical path identifying the most important activities, including all dependencies and constraints – program, organisation and stakeholder, to better capture program progress and an understanding of risk impacts.
• Conduct an analysis of the end-to-end production line to identify stress points and constraints. Where possible remediate these constraints.

2.34 In December 2024, the NDIA’s Scheme Integrity and Debt Governance Strategic Leadership Team Sub-Committee was briefed on the report and was advised it would be provided with an update on implementation of recommendations in February 2025.⁴¹ As of March 2025, when the sub-committee was dissolved, no briefing on implementation progress had been provided to the sub-committee. In March 2025, the NDIA Board and the Board Audit and Risk Committee were provided updates on the Crack Down on Fraud program, which included brief summaries of the November 2024 gateway review findings and work underway to address recommendations.

2.35 In April 2025, the NDIA reported that the Crack Down on Fraud program had shifted from ‘green’ status in February 2025 to ‘amber’ status in March 2025.⁴² The shift in program status was attributed to two milestones with target completion dates of June 2025 (one of which related to prevention controls) being ‘at risk’ as a result of procurement delays.

ATO vulnerability assessment

2.36 As a component of the Fraud Fusion Taskforce measure, the ATO received $11 million in funding over four years (from 2022–23) to support cross-government fraud prevention capability. Since December 2022 the ATO has worked with the NDIA to scope and commence a vulnerability assessment of the NDIS. The assessment is being conducted in nine tranches covering the participant and provider ecosystems as well as the NDIA’s compliance mechanisms.

2.37 The ATO completed its first tranche assessment of NDIS participant access and authority controls in December 2024, which identified 80 potential or actual vulnerabilities and made 67 recommendations to strengthen controls. While the NDIA has uplifted its access and authority controls through the Crack Down on Fraud program, the findings of the ATO assessment demonstrate that further work is needed to mitigate fraud and non-compliance risks. As of April 2025, the NDIA Board and relevant oversight committees had not been briefed on the findings of the assessment. Further, the NDIA had not responded to the 67 recommendations in the ATO’s first tranche vulnerability assessment or developed an action plan for responding to them. The NDIA informed the ANAO in June 2025 that it would develop an action plan and undertake gap analysis to address the recommendations.

Integrity campaigns

2.38 In parallel with Crack Down on Fraud program activities, the NDIA has implemented ‘campaigns’ relating to NDIS fraud and non-compliance (integrity campaigns). The NDIA describes integrity campaigns as time-limited operational activities targeting specific high-priority integrity vulnerabilities through a mix of interventions. NDIA internal procedural documents outline a five-stage process for conducting an integrity campaign, covering:

• discovery — undertake research to understand the problem being addressed;
• design — explore potential treatments, seek feedback from stakeholders, and develop a proposal (cleared by the Branch Manager, Scalable Integrity Responses);
• build — create artefacts, such as work instructions, templates or talking points;
• execute — apply interventions and manage project, including tracking and reporting on progress and outcomes of activities; and
• review — formally review outcomes and complete a closure report (endorsed by the Branch Manager, Scalable Integrity Responses).

2.39 Between July 2023 and December 2024, the NDIA completed five integrity campaigns. These campaigns were largely used as small-scale trials to gather information on non-compliance risks and test potential preventative and detective approaches to addressing these risks. Table 2.2 provides a description of these campaigns and a summary of their reported outcomes.

Table 2.2: Completed integrity campaigns, July 2023 to December 2024

Source: ANAO analysis of NDIA documentation.

2.40 The NDIA created an integrity campaign tracking spreadsheet, which was incomplete and not up to date. For several integrity campaigns, project management documentation was incomplete and/or there was insufficient evidence of review, clearance or endorsement. While outcomes of integrity campaigns have been reported to governance bodies, closure reports were not prepared for two completed campaigns (plan-manager reimbursements and overseas participants and visas) and closure reports for other campaigns were not endorsed by a senior manager or oversight body.

Other prevention controls

Legislative changes

2.42 Prior to the introduction of the Crack Down on Fraud program, little or no evidence was requested from claimants to substantiate NDIS claims. The September 2023 Crack Down on Fraud business case noted that preventing fraudulent or non-compliant claims based on substantiation may require legislative or regulatory change. In October 2023, the NDIA advised the government that legislative changes to the National Disability Insurance Scheme Act 2013 (NDIS Act) would be needed to require claimants to retain records of expenditure and provide information on request.

2.43 On 3 October 2024 the National Disability Insurance Scheme Amendment (Getting the NDIS Back on Track No. 1) Act 2024 came into effect, which amended the NDIS Act to strengthen the legislative basis for the NDIA’s compliance activities by:

• defining NDIS supports (section 10 of the NDIS Act)⁴³;
• introducing the need for a claim to receive payments for NDIS supports (section 45A of the NDIS Act);
• requiring participants to spend money only on NDIS supports and in accordance with their plan (section 46 of the NDIS Act); and
• introducing a new statutory function for the NDIA to prevent, detect, investigate and respond to misuse or abuse of the NDIS relating to payment claims (section 118 of the NDIS Act).

NDIS website content

2.44 The NDIA maintains a website with detailed information about the NDIS for applicants, participants, providers, other stakeholders and the public, including Our Guidelines which explains how the NDIA makes regulatory decisions.⁴⁴

2.45 The 2023 Independent Review into the National Disability Insurance Scheme was critical of the information provided to participants and providers on NDIS supports, including through the NDIS website, stating:

Current information on what supports can be purchased, what supports are available, and the prices and quality of supports is often hard to find or understand. This affects their ability to exercise informed choice and control over their supports …⁴⁵

2.46 The October 2024 legislative changes to the NDIS Act (see paragraph 2.43) enabled the NDIA Chief Executive Officer to make rules about what are and are not NDIS supports. The NDIA made updates to its website and guidelines in late 2024 to reflect these changes.

2.47 The NDIS website also has webpages on fraud and non-compliance, including:

• pages for participants titled What you need to know about non-compliance, What you need to know about fraud, How to protect your NDIS plan and What are scams?⁴⁶;
• pages for providers titled Provider compliance and Conflicts of interest in the NDIS provider market⁴⁷; and
• pages for a general audience on Improving integrity and preventing fraud, Crack Down on Fraud, Fraud Fusion Taskforce and Useful contacts (for reporting other integrity matters).⁴⁸

Internal education and training

2.48 The NDIA has a mandatory learning policy that requires all staff, contractors and partners in the community⁴⁹ to complete courses listed in the NDIA’s mandatory learning matrix.⁵⁰ The matrix includes a 45-minute e-learning course called ‘Good Compliance Practices’, which must be completed by all staff, contractors and partners in the community within three months of commencement, with refresher training required every two years.

2.49 The learning objectives of the ‘Good Compliance Practices’ course are to: explain the importance of good compliance practice; identify, prevent and report non-compliant behaviours; and identify common warning signs for participants, providers, and staff. The course has sections on non-compliant behaviours such as: error, misuse, conflict of interest, sharp practice, fraud and corruption. It also includes sections on the importance of reporting internal and external fraud, and includes a link to the NDIA’s fraud reporting webform (discussed at paragraph 2.51) and the contact number for the NDIA’s fraud reporting and scams helpline.

2.50 Training completion data provided by the NDIA indicates that completion rates for the ‘Good Compliance Practices’ course were consistently over 80 per cent between July 2022 and December 2024 (see Figure 2.2).

Figure 2.2: Good Compliance Practices completion rates, July 2022 to December 2024

Source: NDIA training completion data.

Has the NDIA established processes to detect and respond to non-compliant NDIS claims?

Tip-off mechanisms

2.51 Tip-offs are a means by which members of the public can report suspected fraud or non-compliant behaviour from NDIS participants, providers or third parties. Tip-offs can be made by phone, email or by completing NDIA’s fraud reporting webform.⁵¹ The NDIA uses tip-offs to inform its fraud and non-compliance prevention, detection and response activities.

2.52 Two internal reviews completed in 2022 identified issues with the NDIA’s tip-off processes.

• The March 2022 review of fraud intelligence and investigation functions (see paragraph 2.8) recommended that the NDIA ‘assess, review and reform its current tip-off assessment process to ensure effective and timely resolution of tip-offs received’, with a view to developing and implementing a new tip-off assessment model. The review also proposed a future case management system where tip-offs could be linked to existing cases and related parties.
• A November 2022 review of the NDIA’s tip-off intake and assessment process, conducted by a consulting firm called Quantium, found:
  • information on tip-offs lacked structure, was often incomplete and was stored in multiple systems;
  • risk-based prioritisation targeted only some risks, with little further analysis to understand broader trends;
  • governance arrangements were informal, with limited reporting of tip-off trends to oversight committees and limited feedback on outcomes and referrals; and
  • manual processes increased assessment time, duplication and the number of inaccurate records.

Tip-off numbers and backlog

2.53 The March 2022 review noted an increasing number of tip-offs were being received, a backlog of unassessed tip-offs had developed, and the NDIA could not address this backlog with its existing resources and systems. The number of tip-offs the NDIA receives has continued to grow since 2022 (see Figure 2.3).

Figure 2.3: Number of tip-offs received by month, January 2022 to December 2024

Source: ANAO analysis of NDIA tip-off data.

2.54 In August 2022, the NDIA reported to the NDIA Board Risk Committee that a ‘backlog strategy’ had been approved by the Chief Risk Officer in May 2022. In the September 2023 Crack Down on Fraud business case, the NDIA noted that existing systems and processes were unable to address the growth in tip-off numbers. In January 2024, the NDIA prepared a ‘proposed remediation plan’ to address the tip-off backlog. After peaking at 6,597 in October 2024, the NDIA has recorded a 34 per cent reduction in tip-off backlog numbers to 4,360 in March 2025.

Tip-off intake and assessment process

2.55 The NDIA has made improvements to its tip-off intake and assessment process since 2022.

• A new webform for fraud tip-offs was launched in February 2024. The webform prompts tip-off reporters to provide details about the person of interest, their fraud or non-compliance concern and to attach any relevant evidence.
• The NDIA has updated its process for assessment and referral of tip-offs. Since October 2024, the NDIA has categorised tip-offs based on fraud and non-compliance ‘vectors’⁵², which informs the referral pathways chosen.
• The NDIA developed a risk-scoring methodology in late 2024 to inform referral pathways within or external to NDIA.

2.56 The NDIA has documented its tip-off process across multiple documents, including standard operating procedures, task cards, workflows and slide decks. The NDIA’s tip-off intake and assessment process is summarised in Figure 2.4.

Figure 2.4: NDIA tip-off intake and assessment process

Source: ANAO analysis of NDIA documentation.

Tip-off outcomes

2.57 Between October 2024 and March 2025, monthly time-series reporting was provided to the Scheme Integrity and Debt Governance Strategic Leadership Team Sub-Committee on the proportion of tip-offs that were received and closed or referred for treatment, as well as analysis of tip-offs by integrity vector. No reporting has been provided to decision-makers or oversight committees on the outcomes of tip-off referrals.

Tip-off redesign project

2.58 The NDIA has identified scope for further improvements to its tip-off intake and assessment process, being progressed through a ‘tip-off redesign’ project. Proposed improvements (to be implemented between 2024–25 and Quarter 2 of 2026–27) include:

• improvements to the webform, including a potential ‘feedback loop’ for staff;
• improvements to the existing risk-scoring methodology;
• development of a tailored tip-off webform for NDIA staff;
• development of a new triage and prioritisation model, incorporating the use of data analytics and risk indicators;
• development of key performance indicators and other metrics for tip-offs;
• establishment of a single NDIS tip-off channel for the NDIA and NDIS Commission; and
• implementation of a quality assurance framework (with a draft Quality Assurance Plan developed in September 2024).

2.59 The NDIA has documented proposed improvements for some individual redesign initiatives. It has not documented its desired end-state for tip-off processes within a completed project plan. The NDIA partly drafted, but did not complete, a ‘project on a page’ plan for the tip-off redesign project. Other documents outlining proposed redesign activities are labelled ‘draft’. The NDIA has not recorded approval or evidence of completion for improvements implemented to date, nor measured the outcomes of implemented improvements.

Manual payment review processes

2.61 The NDIA undertakes manual reviews of claims to detect non-compliance, both pre-payment and post-payment. The NDIA has undertaken some form of manual payment review since April 2020. In May 2023, the NDIA received advice that it was limited in its ability to recover payments as debt, due to difficulties in: determining that spending was not in accordance with a participant’s plan; and setting a hard limit on plan budgets when supports were described generally in participant plans.⁵³ The NDIA subsequently shifted its focus in 2024 from post-payment reviews (which can result in debts arising) to pre-payment reviews (which aim to prevent payment of non-compliant claims).

Post-payment reviews

2.62 Post-payment reviews result from internal referrals (such as tip-offs). The NDIA has documented its post-payment review process in work instructions and workflows. The process includes:

• notifying claimants of the review and requesting information by phone or letter;
• where no response is received, issuing letters to claimants under sections 53 and 55 of the NDIS Act to compel them to supply information;
• undertaking compliance validations to confirm the validity of claims;
• sending letters to claimants outlining review observations and outcomes; and
• if it is determined that a debt should be raised under section 182 of the NDIS Act, referral to the NDIA’s scheme debt team.

2.63 The NDIA’s post-payment review team may also refer matters for further treatment to address fraud and non-compliance risks, including internally to NDIA teams responsible for pre-payment reviews, integrity responses and participant critical incidents, or externally to the NDIS Commission.

2.64 After the May 2023 advice on the NDIA’s ability to recover debts, the NDIA identified issues with debts that had already been raised from post-payment reviews (see Box 1), with internal briefing stating that:

The review of established debts have [sic] uncovered a number of issues in the current [post-] Payment Review process, including:

• Lack of alignment with the NDIS Act (2013), resulting in the raising of unlawful debts.
• Inaccurate or absent references to the Act in outbound comms, jeopardising procedural fairness.
• Inconsistent and incorrect reasons for debt being referenced in outbound comms.
• Lack of confidence in decision making
• Absence of an established quality assurance processes [sic].

2.65 The NDIA has developed a new post-payment review process, documented in a standard operating procedure, task cards, workflows, a decision support tool and new letter templates. The process includes: conducting a risk assessment; determining what claims are ‘in scope’ and ‘out of scope’ for the review; contacting the participant (using standard templates) to request information; determining a debt decision (using the decision support tool); documenting the justification and evidence used to reach a decision; considering procedural fairness; and further referral, if required. As of March 2025, the standard operating procedure and task cards were labelled as ‘development’. In April 2025, the NDIA informed the ANAO that it had begun using this process.

Pre-payment reviews

2.66 The NDIA has undertaken some form of pre-payment review since April 2023. After the Crack Down on Fraud program introduced a 24-hour payment delay capability in March 2024 and a ‘bulk hold’ capability in April 2024⁵⁴, the NDIA was able to shift the focus of its manual payment review efforts to pre-payment reviews. The proportion of NDIS claims reviewed pre-payment (by number) increased from 0.00 per cent in Quarter 3 of 2023–24 to 0.09 per cent in Quarter 2 of 2024–25 (by dollar value the proportion increased from 0.08 per cent to 0.39 per cent over the same period).⁵⁵

2.67 The NDIA carries out pre-payment reviews by holding a selection of claims and requesting evidence of the transaction from the claimant. Figure 2.5 outlines key steps in the process.

Figure 2.5: Manual pre-payment review process

Source: ANAO analysis of NDIA documentation.

2.68 The NDIA targets its pre-payment reviews based on ‘risk profiles’, which outline types of non-compliant claiming behaviour. Risk profiles have been identified based on data analysis and case studies of claiming behaviours that pose high risks of non-compliance and fraud. As of February 2025, the NDIA had five active risk profiles, which were documented in ‘behaviour detection profiles’ outlining the targeted non-compliant behaviours and steps the NDIA can take to detect and respond to the behaviour. The NDIA has documented its pre-payment manual review processes in standard operating procedures, work instructions, workflows and templates. Table 2.3 shows the active risk profiles as at February 2025 and the ANAO’s assessment of the completeness of supporting documentation for the profiles.

Table 2.3: Manual pre-payment review risk profiles, as at February 2025

Key: ◯ Not complete ◔ Partly complete ◑ Half complete ◕ Mostly Complete ● Complete.

Note a: The NDIA identified that more than $336 million was paid on claims made more than 90 days after plan expiry in 2022–23.

Note b: The NDIA analysed $35 million worth of claims greater than $5,000 during 2022–23 and found that 41.2% of claims ($15 million) were rejected, with a further 10.6% ($3 million) unable to be substantiated. The NDIA estimated the total value of claims greater than $5,000 during 2022–23 as $5 billion.

Note c: Between August 2022 and August 2023, the NDIA identified that $126.2 million was paid for reimbursement claims to plan managers.

Note d: The NDIA identified that $920 million was paid for short-term accommodation claims in 2022–23, with approximately $290 million identified as having indicators of potential non-compliance.

Source: ANAO analysis of NDIA documents.

2.69 While process documentation was mostly complete for active risk profiles, behaviour detection profiles were partly documented. Three risk profiles did not have clear, complete criteria for case selection in process documentation. One risk profile (short term accommodation) did not have a behaviour detection profile, and none of the four behaviour detection profiles had been endorsed at a senior level.

2.71 The proportion of claims subject to manual pre-payment reviews has increased over time but remains a small proportion of NDIS claims, both by number and value. As shown in Table 2.4, the number of manual pre-payment reviews conducted represented less than 0.1 per cent of the total number of NDIS claims paid during 2024. Since higher value claims are targeted for review, the value of claims manually reviewed pre-payment approached 0.4 per cent of the total value of NDIS claims paid in Quarters 1 and 2 of 2024–25.

Table 2.4: Number, value and proportion of claims reviewed, 2024

Source: NDIA data.

2.72 As outlined in Figure 2.5, the NDIA may cancel, release or hold claims subject to manual pre-payment review, based on the substantiation it receives from claimants. By dollar value, over 50 per cent of claims reviewed pre-payment were cancelled in 2024. Table 2.5 outlines the value and proportion of reviewed claims cancelled from Quarter 3 2023–24 to Quarter 2 2024–25.

Table 2.5: Value and proportion (by dollar value) of reviewed claims cancelled, 2024

Note a: See Table 2.3 for a description of these risk profiles.

Note b: Targets claims for supports potentially not related to disability, such as real estate or insurance services.

Note c: Participants may endorse providers to make claims against NDIA-managed plans (‘My Provider’). Where providers not listed as ‘My Provider’ submit claims, PACE holds the claim for verification.

Note d: This term refers to locks applied to specific participants or providers, rather than to claim categories. Locks are applied due to integrity concerns and involve manually reviewing all claims from the participant or provider.

Note e: Weighted average represents the proportion by dollar value of claims reviewed in the period that were cancelled.

Source: ANAO analysis of NDIA data.

Identified weaknesses in NDIS detection and response controls

2.73 In relation to detection and response controls for NDIS claim compliance, the March 2022 review of fraud intelligence and investigation functions (see paragraph 2.8) observed that:

• the NDIA’s fraud intelligence and investigations prioritised serious and organised fraud over opportunistic fraud and non-compliance;
• the intelligence team was not resourced or prioritised to produce strategic intelligence to identify emerging fraud risks and threats;
• the existing case management system did not meet requirements;
• the NDIA could do more to leverage inter-governmental data to inform risk detection and compliance intelligence;
• the NDIA relied almost exclusively on reactive tip-offs for detection of non-compliance and fraud, rather than using data analytics for proactive detection; and
• the NDIA made limited use of scalable and repeatable treatment options to deter lower-sophistication, higher-volume fraud activity, which could result in the NDIS being seen as a ‘soft target’.

2.74 The September 2023 Crack Down on Fraud business case also identified weaknesses in the NDIA’s systems for detecting and responding to fraud and non-compliance; in particular:

Inability to identify patterns of non-compliance and fraud or deliver strategic intelligence to stay ahead of threats due to insufficient data capture and storage, analytics, core systems, matching to external sources and cyber capabilities.

Crack Down on Fraud ‘uplifts’ to NDIS detection and response controls

2.75 As outlined at paragraph 2.23, the NDIA initiated 11 projects for tranche one of the Crack Down on Fraud program to ‘uplift’ its fraud and non-compliance prevention, detection and response capabilities (see Appendix 4). Four projects relate to detection and response controls for claim non-compliance, delivering capabilities relating to:

• an integrated ‘data lake’ to enable real-time data analysis;
• analytics and insights tools to detect fraud and non-compliance;
• design and discovery work for an Enterprise Resource Planning system to facilitate end-to-end debt and financial management; and
• a fit-for-purpose, end-to-end fraud case management system.

2.76 Project status reporting covering the period of July 2024 to February 2025 indicates implementation challenges emerged with three of the four projects, which included technical problems, delays in infrastructure delivery and resource shortages.

2.77 As outlined at paragraph 2.25, in February 2024 the NDIA reported that 15 of 17 tranche one milestones had been delivered by December 2024 and two milestones had been ‘partially delivered’. Of the 17 tranche one milestones (see Appendix 5 for milestone details), seven milestones related to detection and response controls for claim non-compliance. As of March 2025:

• one milestone (M3) had been signed off by the senior responsible officer in January 2025 without supporting evidence or an assurance assessment;
• four milestones (M12, M13, M14 and M16) had been signed off by the senior responsible officer in March 2025 following an assurance assessment of supporting evidence;
• for one milestone (M11), the independent assurer had requested additional supporting evidence of milestone completion and the milestone had not been signed off by the senior responsible officer; and
• for one milestone (M10), an acceptance brief had been provided to the independent assurer in March 2025.⁵⁶

2.78 Tranche one was delivered largely on time and under budget (see paragraph 2.30). In April 2025, the NDIA reported that tranche two of the Crack Down on Fraud program had shifted to ‘amber’ status in March 2025, due to two June 2025 milestones (one of which related to detection controls) being ‘at risk’ from procurement delays (see paragraph 2.35).

3.1 The NDIA Board has a duty under section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) to establish and maintain appropriate systems of risk oversight and management and internal control for the NDIA. It also has a duty under the 2024 Fraud and Corruption Rule⁵⁷ to: conduct regular fraud and corruption risk assessments and develop and implement control plans to deal with identified risks (paragraphs 10(a) and (b)); ensure the NDIA has governance structures and processes to effectively oversee and manage risks of fraud and corruption (subparagraph 10(d)(i)); and conduct periodic reviews of the effectiveness of the NDIA’s fraud and corruption controls (paragraph 10(c)).

3.2 Effective management of fraud and non-compliance requires an appropriate governance structure that is proportionate to the operating environment of an entity and integrated with an entity’s risk management framework. Reviewing control effectiveness allows entities to proactively identify and eliminate ‘blind spots’ and challenge assumptions about how effectively controls are operating, which can lead to improved operational efficiency, effectiveness and compliance.⁵⁸

Does the NDIA have effective oversight and monitoring arrangements for NDIS claim compliance?

Oversight and reporting arrangements

Line management responsibilities

3.3 As outlined at paragraph 1.4, the NDIA is governed by the NDIA Board. The Board appoints a Chief Executive Officer (CEO) who is responsible for day-to-day administration of the NDIA. The CEO is supported by Deputy CEOs — in July 2022 the NDIA had three Deputy CEOs, and by March 2025 the number of Deputy CEOs had increased to eight (over the same period the NDIA had four organisational restructures involving changes at the group and divisional level). Figure 3.1 shows changes in Senior Executive Service (SES) line management responsibility for functions related to NDIS claim compliance from July 2022 to December 2024.

Figure 3.1: NDIA responsibilities for claim compliance, July 2022 to December 2024

Note a: Between October 2022 and March 2023, an interim structure was in place as the Fraud Fusion Taskforce (FFT) was established.

Note b: In July 2023 the FFT Branch became the FFT Division and by November 2023 the FFT Capability Branch had been created. The boxes are shaded from white to blue and from grey to white respectively to signify that these changes occurred during the stated period.

Source: ANAO analysis of NDIA organisational structure charts.

3.4 In July 2022, the NDIA’s Chief Risk Officer (an SES Band 2 position) was responsible for fraud and compliance and NDIA’s Chief Financial Officer (an SES Band 2 position) was responsible for managing claims and payments. With the establishment of the Fraud Fusion Taskforce from November 2022, responsibility for NDIS claim compliance-related functions was split across three reporting lines. From January 2024, the NDIA consolidated integrity-related functions, including the Crack Down on Fraud program and Fraud Fusion Taskforce, within a single group under an SES Band 3 Deputy CEO position, with some claim-related functions remaining in the Chief Financial Officer Division.⁵⁹

Broader reporting and oversight arrangements

3.5 Figure 3.2 shows changes in broader reporting and oversight arrangements for NDIS claim compliance from July 2022 to December 2024.

Figure 3.2: Reporting and oversight arrangements for NDIS claim compliance, July 2022 and December 2024

Source: ANAO analysis of NDIA documentation.

3.6 Between July 2022 and December 2024, the NDIA provided reporting to the NDIS Minister, the Disability Reform Ministerial Council, the NDIA Board, board committees, and the NDIA’s Strategic Leadership Team (SLT) (including its predecessor, the Executive Leadership Team). This reporting was provided with varying frequency, generally included updates on the status of integrity initiatives and sometimes included quantitative reporting on program outputs. The Board and Board Audit and Risk Committee largely received reporting on fraud risks and integrity initiatives on a quarterly basis.

3.7 More comprehensive and regular briefing was provided to the Scheme Integrity and Debt Governance (SIDG) SLT Sub-Committee from its establishment in October 2024 to its dissolution in March 2025.⁶⁰ Briefing to the SIDG SLT Sub-Committee included: traffic-light reporting on milestone status for Crack Down on Fraud projects; risk registers and risk status reporting; and dashboards presenting data on outputs and outcomes of claim compliance activities. In March 2025, the NDIA established a new SLT Policy Committee, replacing several SLT sub-committees including the SIDG SLT Sub-Committee. The terms of reference for the new SLT Policy Committee state that it is responsible for ‘Managing overall Scheme coherence, integrity and sustainability’. As of April 2025, the SLT Policy Committee had not held a meeting.

Crack Down on Fraud program governance

3.8 Figure 3.3 shows the governance structure that was in place for the Crack Down on Fraud program in December 2024.

Figure 3.3: Crack Down on Fraud program governance structure (as at December 2024)

Note a: The NDIS Quality and Safeguards Commission (NDIS Commission) was invited to join the board following a recommendation from a June 2024 Department of Finance ‘mid-stage’ gateway review.

Note b: In accordance with the DTA’s Assurance Framework for Digital & ICT Investments, during 2024 the NDIA procured the services of an independent assurer to provide confidence to stakeholders that the program will achieve its scope, time, cost and quality objectives and realise benefits and an independent advisor to provide advice to the senior responsible officer.

Source: NDIA documentation.

3.9 To support the senior responsible officer and program sponsor in managing the Crack Down on Fraud program, the NDIA established a Program Steering Committee and Program Board.

• The Program Board met 10 times from March 2024 to February 2025 and received out-of-session reporting in December 2024. Its purpose has been to ‘provide governance, oversight, and strategic direction to the program in alignment with organisational objectives’ and support the program sponsor in decision-making.
• The Steering Committee met 22 times from November 2023 to November 2024 and received out-of-session reporting in December 2024. It was ceased at the end of 2024 in response to a recommendation from a ‘mid-stage’ gateway review conducted in November 2024. The committee’s purpose was to ‘provide oversight, guidance and support for the effective delivery and implementation of the … program’.

3.10 Both the Program Board and Steering Committee received regular and detailed reporting on Crack Down on Fraud program status, including: status updates on individual projects; project change requests; program risks and issues; outcomes of assurance reviews; and program achievements and outcomes.

Assurance arrangements for the Crack Down on Fraud program

Gateway reviews

3.11 As of April 2025, three gateway reviews had been conducted for the Crack Down on Fraud program: a first-stage review in 2023 and two mid-stage reviews in 2024. The gateway reviews rated the delivery confidence for the program as green/amber or amber with two or three key focus areas rated as amber in each review (see Table 3.1).

Table 3.1: Summary of Crack Down on Fraud program gateway reviews

Note a: There are five delivery confidence ratings: green, green/amber, amber, amber/red and red.

Note b: There are three key focus area ratings: green, amber and red.

Note c: There are three recommendation categories: critical (do now), essential (do by [date]) and recommended.

Note d: A green/amber delivery confidence rating is defined as ‘successful delivery of the program to time, cost, quality standards and benefits realisation appears probable however constant attention will be needed to ensure risks do not become major issues threatening delivery.’

Note e: Amber is defined as ‘There are issues in this Key Focus Area that require timely management attention.’

Note f: An amber delivery confidence rating is defined as ‘successful delivery of the program to time, cost, quality standards and benefits realisation appears feasible but significant issues already exist requiring management attention. These need to be addressed promptly.’

Source: ANAO summary of findings of gateway reviews.

3.12 The June 2024 mid-stage review assessed all recommendations from the September 2023 first-stage review as having been addressed. The November 2024 mid-stage review assessed all recommendations from the June 2024 mid-stage review as having been addressed, except for one recommendation on developing a strategic prioritisation framework that was assessed as partially addressed.

3.13 As outlined at paragraph 2.34, in December 2024 the SIDG SLT Sub-Committee was advised it would be provided with an update on implementation of recommendations from the November 2024 mid-stage review in February 2025. As of March 2025, when the sub-committee was dissolved, no briefing on implementation progress had been provided to the sub-committee. In March 2025, the NDIA Board and the Board Audit and Risk Committee were provided updates on the Crack Down on Fraud program, which included brief summaries of the November 2024 gateway review findings and work underway to address recommendations.

Delivery confidence assessment

3.14 As outlined in Figure 3.3, the Crack Down on Fraud program has engaged an independent assurer (in accordance with the DTA’s Assurance Framework for Digital & ICT Investments⁶¹). The independent assurer (Sententia Consulting) completed a ‘delivery confidence assessment’ report for the Crack Down on Fraud program in September 2024.

3.15 The report assessed overall delivery confidence for the achievement of December 2024 milestones as ‘high’ to ‘medium-high’ across six domains, with:

• ‘purpose, business case and benefits’, ‘governance and leadership’ and ‘status of prior recommendations’ assessed as ‘high delivery confidence’; and
• ‘capability management’, ‘delivery management’ and ‘solution’ assessed as ‘medium-high delivery confidence’.

3.16 The report also assessed delivery confidence for each ‘tranche one’ milestone, with four milestones assessed as complete; five milestones assessed as ‘high delivery confidence’; seven milestones assessed as ‘medium-high delivery confidence’; and one milestone assessed as ‘medium-low delivery confidence’.⁶² The report made five recommendations, including that the program: finalise detailed program benefits management and realisation planning⁶³; simplify governance arrangements to avoid unnecessary blockages, delays or inconsistent advice; and introduce a process for objective ‘sign-off’ of milestone delivery.⁶⁴

3.17 The September 2024 delivery confidence assessment report was provided to the Prime Minister and Minister for Finance in November 2024 to support the release of ‘tranche two’ funding for the Crack Down on Fraud program.

Crack Down on Fraud assurance plan

3.18 The September 2023 Crack Down on Fraud business case (see paragraph 2.11) includes a draft assurance plan, which was updated in December 2023 in response to feedback from the DTA. The assurance plan was finalised and approved by the acting senior responsible officer for the program in December 2024, and was then updated in February 2025 to include a schedule of assurance activities for 2025.

3.19 The February 2025 plan outlined the following planned independent assurer activities:

• milestone completion assurance and a program risk and issues assessment in Quarter 4 of 2024;
• a tranche one closure review and review of program status reporting in Quarter 1 of 2025;
• a benefits realisation review and project deep dive in Quarter 2 of 2025;
• a delivery confidence assessment for tranche two projects in Quarter 3 of 2025; and
• a pre-gateway review assessment in Quarter 4 of 2025 (prior to the scheduled end-stage gateway review).

3.20 As of May 2025, the program risk and issues assessment and tranche two delivery confidence assessment had been completed; draft reports had been prepared for the milestone completion assurance, tranche one closure review and review of program status reporting; and a scoping document had been prepared for the benefits realisation review. Planning had not commenced for the project deep dive, which was scheduled in mid-2025.

Oversight and monitoring of risk

3.21 The NDIA uses an online system called ‘Insight’ to manage risks and issues at the ‘strategic’, ‘enterprise’, ‘fraud’, ‘operational’ and ‘program/project’ levels. As at February 2025, the Insight system contained the following numbers of ‘active’ risks:

• eight strategic risks — including two risks related to claim compliance;
• zero enterprise risks;
• six fraud risks — including the three compliance-related risks outlined at paragraph 2.6;
• 189 operational risks — including seven risks related to claim compliance; and
• 145 program/project risks or issues — including 33 program risks and two issues for the Crack Down on Fraud program and 16 project risks relating to claim compliance.⁶⁵

Strategic, fraud and operational risks

3.22 The NDIA’s two strategic risks that relate to claim compliance are outlined in Table 3.2, and the three fraud risks and seven operational risks related to claim compliance are outlined in Table 3.3.

Table 3.2: NDIA strategic risks related to claim compliance, February 2025

Source: NDIA documentation.

Table 3.3: NDIA fraud and operational risks related to claim compliance, February 2025

Note a: Based on NDIA assessment of control status.

Source: ANAO analysis of NDIA documentation.

3.23 Between July 2022 and December 2024, the NDIA Board received quarterly updates on strategic, fraud and operational risks through a report from the NDIA’s Chief Risk Officer. In September 2024 the NDIA Board increased its rating for the ‘integrity’ strategic risk from ‘high’ to ‘critical’, with a risk appetite of ‘conservative’⁶⁶, a one-year target risk rating of ‘critical’ and a three-year target risk rating of ‘high’. The increased rating was based on the NDIA’s September 2023 Crack Down on Fraud business case (see paragraph 2.11), which estimated that losses to the NDIS from fraud, non-compliance and payment error could increase to $3.6–6.0 billion a year by 2027–28. After raising the ‘integrity’ strategic risk to ‘critical’, the NDIA Board has not received more frequent reporting for this risk.

3.24 In February 2025, the ‘financial misappropriation – scheme stakeholders’ fraud risk had a treated risk rating of ‘high’ (see Table 3.3), which was inconsistent with the NDIA’s ‘critical’ risk rating for the integrity strategic risk. A total of 130 controls had been identified for the NDIA’s three relevant fraud risks. The controls were assessed as ‘good’ or ‘adequate’ and assessments did not include reference to known weaknesses in the NDIA’s identity and authority controls and pre-payment validation controls (outlined at paragraph 2.20). Relevant operational level risks had treated risk ratings of ‘medium’ or ‘high’, with aggregate control ratings of ‘adequate’ or ‘good’ (see Table 3.3), which was also inconsistent with the NDIA’s ‘critical’ risk rating for the integrity strategic risk.

Crack Down on Fraud program risk and issues

3.27 As at February 2025, the NDIA had 33 active risks in Insight associated with the delivery of the Crack Down on Fraud program, categorised into 10 ‘thematic’ risks and 23 ‘program’ risks.⁶⁷ Table 3.4 provides a summary of NDIA’s Crack Down on Fraud risk assessments in Insight. Most risks (76 per cent) did not have aggregate control ratings. Across both thematic and program risks, the NDIA identified 147 unique controls (excluding draft controls). Of these, 59 (40 per cent) were assessed as ‘needs improvement’. Of the 23 program risks, four had a single control.

Table 3.4: Summary of Crack Down on Fraud program risks, as at February 2025

Source: ANAO analysis of NDIA documents.

3.28 As at February 2025, the NDIA had also identified two program ‘issues’ (program risks that have been realised): ‘myGov integration’ and ‘organisational capacity and prioritisation’.

3.29 In June 2024, the NDIA identified ‘myGov integration’ as an issue due to ‘data privacy concerns’ from the Australian Taxation Office and Services Australia. The NDIA identified that this would impact the completion of a Crack Down on Fraud program milestone (‘Participants and nominees log in with a validated myGov account’). The treatment plan for the issue states that the NDIA ‘continues to consult with Services Australia regarding this issue, while continuing to deliver enhanced consumption of myGov for NDIA online services and the mobile app’, but does not list any further actions the NDIA is taking.

3.30 In October 2024, NDIA escalated a program risk (‘organisational capacity and prioritisation’) into a second issue. The NDIA’s treatment plan involves briefing the SLT on the issue, with ‘SLT commitment throughout November [2024] to find resolution’ listed as an action to ensure milestones due at the end of December 2024 were met. The treatment plan did not specify any further actions. The NDIA advised the SIDG SLT Sub-Committee at its 29 October 2024 meeting that:

it has become evident that there is a lack of available capacity to deliver on the [Crack Down on Fraud] Program Government commitments that are tied to PACE. This capacity constraints [sic] exist in both design and technical delivery. This has resulted in the risk being realised and an issue raised.

In Tranche 1, the program has managed a tight delivery schedule, navigating capacity and prioritisation challenges. This has often resulted in change requests to either descope, adjust acceptance criteria or shift milestones, allowing the program to mostly remain on track to deliver what has been promised to Government by December 2024.

An impact of this is an increasing backlog of work to be delivered in 2025 as well as a reduction in the benefits being delivered including non-financial benefits such as an improved experience for participants.

3.31 As of February 2025, the due date for resolution of both issues was recorded as 31 December 2024, and both remained active with their status listed as ‘in progress’.

3.32 The NDIA has provided reporting on the status of Crack Down on Fraud risks at every Crack Down on Fraud Program Board meeting. From June 2024, the Program Board has received monthly reporting on thematic risks, program risks and program issues, which has provided updates and commentary on risk ratings without supporting detail on controls and treatment plans.

3.33 In February 2025, the NDIA engaged its independent assurer (Sententia Consulting) to assess its management of risks and issues under the Crack Down on Fraud program. The independent assurer found that the NDIA had adequate overall processes and mechanisms to identify and manage risks to the program; however, the control and treatment information recorded in Insight often lacked detail and clarity. The independent assurer made six recommendations, addressing risk ownership and management roles, improvements to the NDIA’s monthly risk workshops and review of controls and treatments. The NDIA informed the ANAO in April 2025 that it had accepted the recommendations and was in the process of implementing them.

Does the NDIA use data to support the continuous improvement of NDIS claim compliance?

Payment assurance testing

3.34 The NDIA conducts monthly post-payment assurance testing to: ‘identify potential overpayment claims, payment error trends, claiming behaviours, provider [and participant] risk due to control weakness, systemic issues and share knowledge and in-sights [sic] across the Agency.’ Unlike manual post-payment reviews (see paragraphs 2.62 to 2.65), which are targeted based on compliance risks and tip-offs, post-payment assurance testing is undertaken on statistical samples of claims to estimate the total level of payment errors (including potential fraud and non-compliance) across all NDIS program outlays. The assurance testing is conducted in two streams:

• provider payment correctness testing — which assesses two separate samples of provider claims covering plan-managed and NDIA-managed arrangements; and
• self-managed participant testing — which assesses a sample of participant claims (excluding auto-transport payments) from self-managed arrangements.⁶⁸

3.35 The testing involves writing to participants and providers to request documentation to support claims selected within three samples (self-managed, plan-managed and NDIA-managed), and assessing the documentation provided against standard test questions. Test questions are classified as ‘critical’ (likely to result in financial impacts) and ‘non-critical’ (less likely to result in financial impacts, such as an incorrect Australian Business Number (ABN), provider name or date of service). All critical errors are subject to further validation and, where required and considered economical, recovery action is undertaken in accordance with the NDIA’s debt management procedures.

3.36 Summary results of payment assurance testing are presented in Table 3.5. Provider error rates steadily increased as a proportion of payments between 2019–20 and 2023–24, which led to a more than tenfold increase in the estimated financial impact of errors over the same period. For self-managed participants, the error rate as a proportion of payments increased significantly in 2021–22 and has remained higher than the provider error.

Table 3.5: Summary of estimated financial impact of payment errors

Note a: These estimates are based on extrapolating results from statistical samples. The NDIA does not recover the full estimated financial impact of errors from providers and participants. Provider and participant estimates do not add to totals due to rounding.

Source: NDIA documentation.

3.37 The NDIA’s internal payment assurance framework documents state that: root cause analysis will be conducted at the conclusion of testing; results will be aggregated for each test question; and recommendations addressing root causes will be developed with relevant business areas, including a clear owner and due date where possible. Since Quarter 2 of 2023–24, the NDIA has produced reports for each sampled cohort outlining thematic issues identified through payment assurance testing and recommendations to address these issues. The reports do not include owners of or due dates for recommendations, and the NDIA does not have processes in place to monitor whether recommendations have been implemented.

3.38 The ANAO examines the NDIA’s payment assurance testing as part of its annual financial statements audit process. The ANAO raised a finding in 2021–22 relating to weaknesses in claim compliance controls for self-managed plans, which remained open as of April 2025. The NDIA has assessed that the controls implemented through the Crack Down on Fraud program in 2024 — namely, requiring a description and ABN details for all claims and supporting evidence for claims over $2000 — will address this finding. The ANAO will test the implementation of these controls through its audit of the NDIA’s 2024–25 annual financial statements.

3.39 The NDIA described the payment assurance testing process in September 2023 as ‘very limited scope, light touch’ and ‘UNLIKELY to detect fraud’. Types of fraud and non-compliance that the NDIA identified were not being captured in the testing included: services not delivered; false ABNs; fraudulent invoices; collusion between providers and participants; and ‘manufactured overservicing’. In September 2023, the NDIA estimated that total losses from fraud, non-compliance and payment error were in the range of 6 to 10 per cent of NDIS outlays, which equated to ‘leakage’ of $2.0–3.5 billion in 2022–23 and was forecast to increase to $3.6–6.0 billion by 2027–28 (see paragraph 2.11). The NDIA informed the ANAO in June 2025 that it was progressively delivering new systems and processes to enable it to detect integrity losses that were previously not being detected or measured. In March 2025, the NDIA Board was briefed that ‘Methodologies now being developed are increasingly demonstrating that measurable integrity losses are likely in excess of 10%.’

Corporate performance reporting

3.42 From 2019–20 to 2022–23, the NDIA reported on a corporate plan performance measure on payment errors or anomalies as a proportion of NDIS program outlays (that is, participant plan payments) (see Table 3.6).⁶⁹ This measure reported on the outcomes of the NDIA’s payment assurance testing and was linked to the NDIA’s corporate plan ‘aspiration’ to achieve ‘a financially sustainable NDIS’. The NDIA removed the measure from its corporate plan in 2023–24 without specifying a reason or stating that the previous measure had been removed.

Table 3.6: Payment errors/anomalies as a proportion of payments, 2019–20 to 2023–24

Note a: The result reported in the 2019–20 annual report was 6.2%, which represents the average error rate rather than errors as a proportion of program payments. In the 2020–21 annual report, the 2019–20 result was reported as 1.2%.

Note b: In the 2020–21 annual report, the result was reported as 1.3%. In the 2021–22 annual report, the 2021–22 result was revised to 1.2%.

Note c: The 2023–24 result was not reported in the NDIA’s 2023–24 annual performance statements. The results for provider and participant payment errors were separately reported as a note to its annual financial statements.

Source: NDIA annual reports (2019–20 to 2022–23) and NDIA documentation (2023–24).

3.43 The ANAO issued a qualified audit conclusion for the NDIA’s 2023–24 annual performance statements, in part due to a material omission finding relating to the lack of reporting of performance information on payment compliance and fraud activities, given these activities are a key component of financial sustainability.⁷⁰

Assessment and reporting of benefits from compliance activities

Fraud Fusion Taskforce savings and benefits model

3.44 When the Fraud Fusion Taskforce was established in November 2022, taskforce activities were expected to recover $291.5 million in debts from non-compliant NDIS providers over four years (to June 2026), with $132.5 million expected to be recovered by June 2024. The NDIA informed the ANAO in April 2025 that, between November 2022 and December 2024, debts had been raised of $2.7 million from court reparations for NDIA fraud cases and $40.5 million from other NDIA compliance activities. Correspondence between the NDIA and the Department of Finance from August 2024 indicates that offset savings from the Fraud Fusion Taskforce Budget measure were ‘reversed’ at the request of the NDIA.

3.45 Noting that the original focus on recovered debts was ‘very restrictive’, the NDIA developed a revised ‘savings and benefits model’ for reporting Fraud Fusion Taskforce and Crack Down on Fraud outcomes, which was endorsed by the Fraud Fusion Taskforce Inter-Departmental Committee in April 2024. In November 2024, the NDIA informed the Inter-Departmental Committee that it had ‘socialised’ the proposed metrics and methodologies with the Department of Finance and would seek formal endorsement of the framework. The NDIA also noted that it had expanded the measurement of benefits to include projected ‘flow-on effects’ of preventative measures.⁷¹

Crack Down on Fraud program benefits

3.46 In October 2023, the NDIA made performance commitments to the government, outlined in the benefits realisation plan for the Crack Down on Fraud business case. The commitments included realising $1,023 million in savings and benefits between July 2025 and June 2028, comprising:

• $424 million in net savings to the NDIS from cancelled payments; and
• $599 million in benefits from reutilisation of cancelled payments by participants on services from compliant providers (assumed to result in improved outcomes).

The commitments also included 14 performance measures, primarily relating to enhanced identity and authority controls and reductions in non-compliant claims due to automated and manual validation processes (see Appendix 6).

3.47 In January 2024, in seeking approval for the release of tranche one Crack Down on Fraud funding, the NDIA committed to a further 35 delivery milestones for the first two years of the Crack Down on Fraud program (outlined at Appendix 3). Eight of the January 2024 delivery milestones restated or related to October 2023 performance measures (see Appendix 6).

3.48 During 2024, the NDIA provided regular reporting to the Crack Down on Fraud Program Board against the January 2024 delivery milestones, along with reporting on other program achievements. The NDIA’s program reporting did not include reporting against the October 2023 measures. The NDIA has not provided any reporting to the government against the October 2023 measures.

3.49 In February 2025, the NDIA provided a ‘benefits dashboard’ to the Crack Down on Fraud Program Board that included status reporting against 10 performance measures (‘aligned’ to the fourteen October 2023 measures). All measures were recorded as ‘achieved’, ‘on track’ or ‘over target’. The ANAO identified the following problems with the reporting.

• For financial impact measures, the NDIA reported $388 million in net savings to the NDIS from cancelled payments and $709 million in benefits from reutilisation of cancelled payments (as at September 2024). The reported figures combined actual savings and benefits from cancelled claims with projected savings and benefits from provider bans and manual payment reviews (discussed further at paragraphs 3.50 to 3.53), without providing an explanatory note in the dashboard. The projected savings and benefits are estimates of the potential impact of compliance interventions extrapolated to 30 June 2028, but were applied to the financial year in which the compliance intervention occurred rather than the years in which they are projected to occur.
• Measures relating to use of validated myGov accounts and strengthened credentials were reported as ‘achieved’, as 100 per cent of participants or nominees had the ability to use validated myGov accounts and strengthened credentials by December 2024. These measures had been redefined from ‘use of’ to ‘ability to use’, without an explanatory note in the dashboard. The NDIA informed the ANAO in February 2025 that it did not have robust data on the proportion of participants or nominees who were using validated myGov accounts and strengthened credentials.
• The payment error rate measure was reported as ‘over target’ based on achieving an error rate of 4.19 per cent in 2023–24 against a target for 2025–26 of 5.20 per cent. The NDIA’s reported payment error rate was 5.0 per cent in 2023–24, not 4.19 per cent. Modelling that underpinned the October 2023 measure had projected that the payment error rate would increase to 4.5 per cent in 2023–24, 5.4 per cent in 2025–26 and 5.5 per cent in 2026–27. The actual rate of 5.0 per cent in 2023–24 was above the projected rate of 4.5 per cent, so the measure should have been reported as ‘off track’.

3.50 In October 2024, the NDIA developed a methodology for modelling potential savings and benefits resulting from two compliance interventions that have been applied to providers with identified integrity issues: provider bans and manual payment reviews.⁷² At that time, the methodology involved:

• measuring claiming activity for providers subject to compliance interventions in the year before compliance interventions were applied, and using prior year claiming activity to model potential claiming activity in future years had interventions not been applied (factoring in an assumed growth rate of 4 per cent);
• applying an assumed rate of reduction in claiming activity after compliance interventions were applied⁷³, and calculating the difference between the projected rate of potential claiming activity and assumed rate of reduced claiming activity; and
• extrapolating these assumed effects to project the impacts of compliance interventions over a five-year period.

3.51 The team that developed the methodology provided it to the NDIA’s Analytics, Data and Actuarial Division for peer review in October 2024.⁷⁴ The response later that month stated that the approach was ‘reasonable’, but noted there were ‘risks in setting assumptions and extrapolating results to a larger cost base based on small sample sizes’. After updated analysis was provided in January 2025, the Scheme Actuary responded in March 2025 stating that he had no further comments on the analysis.

3.52 In December 2024, the NDIA provided its projected savings and benefits methodology to the Department of Finance seeking endorsement of the model. The NDIA informed the ANAO in February 2025 that the Department of Finance had advised the NDIA that it did not need to provide endorsement of the model.

3.53 As of April 2025, development of the savings and benefits methodology was continuing. Based on preliminary modelling, the NDIA reported on its website in December 2024 that:

In 2024 alone, the NDIA has: … Implemented integrity interventions estimated to save the Scheme over $200 million in forecast non-compliant payments through providers banned or subject to manual payment reviews. A further $400 million is forecast to be diverted away from dodgy providers into higher quality spending on genuine disability supports and services.⁷⁵

The media release acknowledged that these savings and benefits were ‘forecast’ but did not provide information on the period over which these financial impacts were projected to accrue.

Use of data analytics to support continuous improvement

3.57 In late 2023 the NDIA assessed its ‘current state challenges’ as including:

• limited ability to validate claims and no ability to do this pre-payment;
• unstructured data fragmented across various systems with slow batch-processed data exchange processes and storage constraints; and
• data analytics and insights tools and setup limited to small analytics jobs.

3.58 During 2023 and 2024 the NDIA undertook data analysis of its claims, participant, provider and other data to inform its claim compliance activities, such as manual pre-payment review and campaigns. It produced strategic intelligence reports, which analysed compliance risk areas, as well as other data analysis products such as presentations and campaign artefacts. Data analysis was topic-driven and varied in scope and depth, covering topics such as claiming from expired plans, large anytime drawdowns, short-term accommodation, participants classified as ‘unable to contact’, plan-managed reimbursements and short notice cancellations.

3.59 As outlined at paragraph 2.75, the NDIA’s Crack Down on Fraud program is delivering enhanced detection capabilities, including an integrated ‘data lake’ to enable real-time data analysis and analytics and insights tools to detect fraud and non-compliance. The NDIA’s ‘end state vision’ after implementing these Crack Down on Fraud IT system upgrades (by December 2025) includes:

• the ability to identify and prevent incorrect payments through real time validation against external data sources;
• centralised structured and unstructured data related to participant, provider, plans, services, claims, payments and external data (including metadata); and
• sophisticated fraud detection and pattern analysis models that allow for identification of risks, analysis of behavioural patterns, and flagging of claims for decision/intervention.

Appendix 1 Entity response

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

• Since August 2024 the NDIA has provided monthly project status reports to Crack Down on Fraud oversight committees — the Crack Down on Fraud Program Board and Crack Down on Fraud Steering Committee (paragraph 2.25).
• In late 2024, the NDIA established a process to support the closure of Crack Down on Fraud program milestones, which involves preparing a milestone acceptance brief, obtaining an assurance assessment from the program’s independent assurer (Sententia Consulting), and final endorsement by the senior responsible officer (paragraph 2.26).
• On 3 October 2024 the National Disability Insurance Scheme Amendment (Getting the NDIS Back on Track No. 1) Bill 2024 came into effect, making amendments to the National Disability Insurance Scheme Act 2013 to strengthen the legislative basis for the NDIA’s compliance activities (paragraph 2.43).
• The NDIA updated its website and guidelines in late 2024 to reflect the legislative changes introduced in October 2024 (paragraph 2.46).
• In late 2024, the NDIA began categorising tip-offs based on fraud and non-compliance ‘vectors’ and developed a risk-scoring methodology to inform referral pathways (paragraph 2.55).
• In late 2024 and early 2025, the NDIA finalised and updated the assurance plan for the Crack Down on Fraud program and included a schedule of assurance activities for 2025 (paragraph 3.18).
• In October 2024, the NDIA developed a methodology for modelling potential savings and benefits resulting from two compliance interventions that have been applied to providers with identified integrity issues: provider bans and manual payment reviews (paragraph 3.50).

Appendix 3 Milestones for release of Crack Down on Fraud ‘tranche one’ and ‘tranche two’ funding

Note a: myGov is an Australian Government web portal established to provide a secure way to access government services online in one place.

Note b: Relationship Authorisation Manager (RAM) is an Australian Government system for businesses to manage authorisations for government online services.

Note c: IP2 and IP3 are identity proofing levels for the Australian Government’s myGovID system: basic (ID1) does not require any documentation; standard (ID2) requires two identity documents (e.g., passport, driver’s licence, birth certificate, etc.); and strong (ID3) requires a passport, one of three identity documents (citizenship certificate, driver’s license or Medicare card) along with a face verification check.

Note d: An Application Programming Interface (API) is a set of functions or procedures that act as an intermediary between two software applications allowing them to communicate with each other.

Source: NDIA documentation.

Appendix 4 Crack Down on Fraud ‘tranche one’ projects

Note a: Delivery milestones are outlined in Appendix 3.

Source: NDIA documentation.

Appendix 5 Crack Down on Fraud ‘tranche one’ milestone delivery status, as at February 2025

Note a: Crack Down on Fraud ‘tranche one’ projects are outlined in Appendix 4.

Note b: myGov is an Australian Government web portal established to provide a secure way to access government services online in one place.

Note c: The NDIA noted in project reporting that it was ‘unable to achieve the full extent of identification benefits that was intended through the implementation of myGov functionality due to legal and policy issues’.

Note d: Relationship Authorisation Manager (RAM) is an Australian Government system for businesses to manage authorisations for government online services.

Note e: The NDIA subsequently reported milestone M10 as delivered on 14 March 2025 and M17 as delivered on 28 February 2025.

Note f: An Application Programming Interface (API) is a set of functions or procedures that act as an intermediary between two software applications allowing them to communicate with each other.

Source: NDIA documentation.

Appendix 6 October 2023 performance measures and related January 2024 milestones for the Crack Down on Fraud program

Note a: IP2 and IP3 are identity proofing levels for the Australian Government’s myGovID system: basic (ID1) does not require any documentation; standard (ID2) requires two identity documents (e.g., passport, driver’s licence, birth certificate, etc.); and strong (ID3) requires a passport, one of three identity documents (citizenship certificate, driver’s license or Medicare card) along with a face verification check.

Note b: A secure verification code (SVC) is a temporary code used for multi-factor identity authentication.

Note c: Relationship Authorisation Manager (RAM) is an Australian Government system for businesses to manage authorisations for government online services.

Source: NDIA documentation.