NDIS Compliance Starts After Registration
Newly registered providers can’t treat approval as the finish line — the episode breaks down why continuous compliance, certificate conditions, and the three-month conditional audit matter from day one.
It also covers the daily systems that keep providers audit-ready, including worker screening, policy reviews, current records, and the governance habits auditors now expect to see in practice.
Chapter 1
Registration is the starting line, not the finish line
Will, EnableUs Community
[warmly] Welcome to the show. Winter, I wanna start with a moment a lot of providers know well: that Certificate of Registration arrives, you exhale, maybe even celebrate a bit... and then the real work starts the NEXT day.
Winter, EnableUs Community
[curious] The next day is the bit that gets people, hey. Because that certificate feels like a finish line, but you're saying it's more like being handed the keys to a car and then being told, right, now prove you can drive it safely every single day.
Will, EnableUs Community
Exactly. And in the NDIS world, that's not just a nice metaphor. Registration is the starting line. The obligations do not pause once approval comes through. In 2025 and 2026, with the Commission pushing harder into continuous compliance monitoring and stronger enforcement, you can't treat compliance like a project you finished once.
Winter, EnableUs Community
[skeptical] "Continuous compliance monitoring" is one of those phrases that sounds very official and a bit abstract. When you say continuous, do you mean they expect you to be audit-ready all the time, not just when the calendar says renewal?
Will, EnableUs Community
[matter-of-fact] That's it. Not perfect every second, obviously, but evidence-ready. Your incident reports, shift notes, participant feedback, governance decisions -- they need to be documented when they happen. Not rebuilt six months later from memory because an audit is coming up.
Winter, EnableUs Community
And that reconstructed-from-memory thing is so human. [softly] People think, I'll remember. I will absolutely fix that file next week. Then suddenly it's three months later and someone's trying to explain why a record was backdated.
Will, EnableUs Community
Yep. And before any of that, the biggest early mistake is even more basic: providers do not read their Certificate of Registration carefully enough, early enough. I mean BEFORE taking on the first participant, not after.
Winter, EnableUs Community
Wait -- before the first participant specifically?
Will, EnableUs Community
Yes, because the certificate can include conditions you must comply with, and additional conditions can be imposed under Section 73G of the NDIS Act. That's the sort of detail people skim past. But those conditions can include further assessments or audits required by the Commission. If you miss them, you're not just disorganised -- you may be non-compliant.
Winter, EnableUs Community
[questioning tone] Section 73G is one of those tokens I'd circle in red. Because if your certificate quietly says, here's an extra assessment you need, and you don't notice... that's not a small admin slip. That's the foundation.
Will, EnableUs Community
[calm] That's right. And certification pathway providers need to pay really close attention to one requirement that catches people off guard: the conditional audit. Three months after you onboard your first participant and sign a service agreement, that conditional audit must be completed.
Winter, EnableUs Community
Three MONTHS. That's the number that sticks. Not "sometime early on," not "when you get around to it." Three months after the first participant and signed service agreement.
Will, EnableUs Community
And the audit is not just a paperwork glance. Auditors will review client files and staff files, and they'll interview staff and participants. They're checking whether your organisation is actually following its own policies and procedures in service delivery, and whether you're conforming with the applicable NDIS Practice Standards.
Winter, EnableUs Community
So let me say it back -- and you tell me if I've got it wrong. [hesitates] A lot of providers think, we've got policies in a folder, beauty, job done. But the conditional audit is really asking, are those policies alive in the business? Can we see them in files, in staff behaviour, in participant experience?
Will, EnableUs Community
[responds quickly] That's a very good way to put it. Auditors can tell the difference between a document that exists and a system that's actually operating. And that's why the shift to continuous monitoring matters so much. The Commission is looking less at periodic snapshots and more at whether compliance is built into daily operations.
Winter, EnableUs Community
[reflective] Which, honestly, changes the psychology of the whole thing. If you're waiting for renewal season to get serious, you're already late. The question isn't "can we pass an audit?" It's "if someone asked today, could we prove what we're doing today?"
Will, EnableUs Community
[firm] Exactly. And for newly registered providers, that mindset is gold. Read the certificate carefully. Understand every condition. Know if Section 73G adds something extra. Know whether that three-month conditional audit applies to you. Because once registration begins, the clock is already running.
Chapter 2
The day-to-day systems that keep you compliant
Winter, EnableUs Community
[curious] Alright, so if chapter one is don't get caught celebrating too long, chapter two is probably... what does good daily discipline actually look like?
Will, EnableUs Community
[laughs softly] Pretty much. And I'd start with worker screening, because it's one of the most common compliance gaps auditors find. NDIS Worker Screening Checks last five years, and a big wave of first-round renewals started flowing through in late 2025.
Winter, EnableUs Community
Five years sounds generous until everyone hits renewal at once. And the bit I think people miss is timing -- workers can renew up to 90 days before expiry, but they need to submit at least 7 days before expiry for continuous coverage. Seven days is not much margin.
Will, EnableUs Community
No, it isn't. And government screening units process the clearances, but they don't proactively monitor your whole workforce for you. So providers need a worker compliance register: screening check number, expiry date, Working With Children Check, professional registrations, mandatory training completion dates -- all of it.
Winter, EnableUs Community
That register is basically your early-warning radar. Because one expired clearance found in an audit isn't just one expired clearance. It can trigger a bigger question: if this slipped, what else in governance is slipping?
Will, EnableUs Community
[matter-of-fact] Exactly. Then there are policies. They are living documents, not something you write once and forget. At minimum, review them annually, and also whenever the Commission releases updated guidance. The 2025 Practice Standards update lifted expectations around business continuity plans, participant communication strategies, and staff training for critical incidents.
Winter, EnableUs Community
[sharply] Business continuity, participant communication, critical incident training -- those are not cosmetic tweaks. If your policy still references old legislation or old practice, an auditor will spot that straight away, won't they?
Will, EnableUs Community
They will. And just as importantly, they'll notice if the policy doesn't match what actually happens on the ground. So keep worker files current, participant records current, incident documentation current. Daily notes matter. Feedback records matter. Governance decisions matter. Clean records are no longer optional admin -- they're proof of compliance.
Winter, EnableUs Community
I always think of it like this: if your service existed only through its records, would it still make sense? Could someone see who worked, what support was delivered, what went wrong, what changed, and what you did about it?
Will, EnableUs Community
That's a strong test. And then you've got the audit rhythm. Certification pathway providers may face that conditional audit three months after the first participant and service agreement. Mid-term audit comes 18 months into the registration period. Then every registered provider renews every three years.
Winter, EnableUs Community
Eighteen months is a very memorable checkpoint. Not year one, not year two -- 18 months. And renewal starts earlier than people think too, right?
Will, EnableUs Community
Right. The Commission generally notifies providers about six months before registration expires. But waiting for that notification is a mistake. Renewal needs updated policies and procedures, updated training records, and evidence of staff qualifications and experience. If you're scrambling at the six-month mark, your systems were too loose long before that.
Winter, EnableUs Community
[serious] And there are other audit triggers too. A condition audit can be required at any time. An out-of-cycle audit might be needed if you want to change the supports and services you provide during the registration period. So it's not just a neat little timetable where nothing unexpected happens.
Will, EnableUs Community
Exactly. Plus pricing and claiming rules sit underneath all of this. Registered providers have to charge within NDIS Pricing Arrangements and Pricing Limits, and claiming anomalies can attract scrutiny well before a scheduled audit. So your invoicing and claiming records need to be accurate in real time.
Winter, EnableUs Community
And then there's the big shift coming on 1 July 2026. Supported Independent Living providers and platform providers move into mandatory registration. That's not a minor policy nudge -- that's the sector saying, if you're in SIL or you're operating a platform model, the compliance baseline has changed.
Will, EnableUs Community
[reflective] Yes. Same quality standards, strict requirements, audits, suitability assessments, reporting obligations, worker screening checks. For providers already registered, it's a reminder that registration is not a badge. It's an operating discipline. For providers coming into mandatory registration, it's a signal to get governance, documentation, and training sorted now.
Winter, EnableUs Community
[warmly] Which is maybe the most useful way to look at all this. Compliance isn't there to ruin your week. It's the structure that shows families, participants, staff, and the regulator that your service can be trusted -- not once, but continuously. Thanks for listening.
