:format(webp))
The Australian National Audit Office (ANAO) recently completed an audit into the performance of the NDIS Quality and Safeguards Commission (NDIS Commission). Now, we know ‘audit’ is one of the few words in the English language that can simultaneously trigger a panic attack and put most people into REM state faster than any sleeping pill. But trust us, the findings are actually quite interesting. Also, for every registered provider who has undergone an audit lately, isn’t there a part of you that wants to know how the NDIS Commission fares when audited itself?
Audit scope
This ANAO audit was designed to give Parliament independent assurance about whether the NDIS Commission is exercising its regulatory powers effectively.
In undertaking its assessment, the ANAO explored three broad questions:
- Does the NDIS Commission have effective intelligence gathering and information sharing arrangements in place?
- Has the NDIS Commission developed a risk-based strategy to guide regulatory decision-making?
- Has the NDIS Commission effectively implemented risk responsive and proportionate monitoring, compliance and enforcement activities?
The audit focused on the two-year period from July 2022 to June 2024. It analysed NDIS Commission records, walked through its systems and processes, visited offices, held meetings with NDIS Commission and NDIA staff and received 21 submissions from the public. If you think the cost of an NDIS audit is high, this one totaled a cool $725K.
What did it find?
The ANAO concluded that the NDIS Commission is only partly effective in fulfilling its regulatory role. The ANAO noted that the NDIS Commission does not have full visibility of the market, as most providers are unregistered and therefore outside its direct oversight. From 2023–24 to 2024–25, the number of active providers grew by 25%, with unregistered providers making up 94% of the market and receiving 42% of plan-managed NDIS payments.
The NDIS Commission has undertaken a significant increase in compliance activity, with actions rising from 9,520 in 2022–23 to 35,519 in 2023–24, alongside a sharp growth in complaints from 16,305 to 29,054. Since being formed in 2018 (and going national in 2021), the NDIS Commission hasn’t developed a system for assessing, prioritising and managing risks associated with provider non-compliance. Meaning decisions about what compliance and enforcement actions the NDIS Commission takes, aren’t guided by a risk-based framework. It also lacks a quality assurance process to assess its effectiveness in detecting and addressing non-compliance. In the absence of such a framework, regulatory decision-making and finite resources aren’t necessarily channelled into the areas of highest risk. The ANAO also reports that NDIS Commission hasn’t addressed risks of unplanned service withdrawal, despite this being one of its core functions under the NDIS Act.
The NDIS Commission’s intelligence gathering and information-sharing arrangements are also only partly effective. While policies for information and data management are in place, limitations of its Commission Operating System (COS) restrict its ability to analyse information and identify issues. While the NDIS Commission shares information with the NDIA and state and territory governments, documentation supporting these arrangements was found to be incomplete. The ANAO found the Statement of Intent (an agreement between the NDIA and the NDIS Commission that sets out how they will share information and work together to protect participants) to be out of date and inconsistent with newer operational protocols. There was also no mechanism to ensure the NDIS Commission’s disclosure records meet legislative requirements.
The ANAO reports trust in the regulator remains low, despite engagement with the disability sector through committees, compliance activities and surveys. In the 2024 stakeholder survey, only 24% of respondents said they trusted the NDIS Commission “a lot” or “completely.”
The ANAO also looked at the NDIS Commission’s Own Motion Inquiries (OMIs). Between July 2022 and April 2025, the NDIS Commission conducted three OMIs:
- Aspects of Supported Accommodation (published January 2023)
- Platform Providers in the NDIS Market (published September 2023)
- Support Coordination and Plan Management, Part 1 (published August 2023)
The NDIS Commission told the ANAO that it didn’t have a standard process for deciding whether to conduct an OMI, but claimed it develops an action plan to track the progress against recommendations when an OMI concludes. However, the ANAO found that no action plans were created for 2 out of 3 inquiries (supported accommodation and platform providers).
Oversight of performance was also considered weak. Senior executive and Audit and Risk Committee review processes were in place, but not fully carried out. Until 2024, there was no standardised framework for determining whether it met its Annual Performance Statement obligations. The ANAO also found that the NDIS Commission’s Planning and Performance Framework failed to meet government expectations for regulators. Moreover, the data in its quarterly reports could not be reconciled with its 2023–24 Annual Performance Statements, raising concerns about accuracy and reliability.
ANAO recommendations
On information gathering and sharing arrangements, the ANAO recommended that the NDIS Commission:
- Develop a risk-based plan to guide information analysis and correlation activities.
- Create guidance on establishing and conducting OMIs.
- Introduce a quality assurance process for ensuring information disclosure records are compliant and complete.
- Update the Commission’s Information Management Policy to cover all its systems.
- Refresh the Statement of Intent for information disclosure with the NDIA and document information-sharing arrangements with other regulators.
NDIS Commission response: The NDIS Commission agreed with these recommendations and has begun a series of reforms. Since July 2025, it has run fortnightly intelligence roundtables to bring together different teams to create a more unified approach to managing information and intelligence. It is also piloting a new Risk-Based Regulation Prioritisation Model, which is a framework for assessing systemic risks and recommending interventions (such as OMIs). The NDIS Commission is developing a quality assurance process for information disclosures.
Alongside this, the NDIS Commission is rolling out a $160 million Data and Regulatory Transformation (DART) program to replace COS and improve how it manages data. Information-sharing arrangements are being refreshed, a new Joint Operational Protocol with the NDIA was finalised in May 2025, with work underway to update the Statement of Intent.
On developing a risk-based approach to decision-making, the ANAO made the following recommendations:
- Report to the Minister on how the NDIS Commission will become a risk-responsive regulator (with a refreshed Ministerial Statement of Expectation and responding Regulator Statement of Intent).
- Develop a process for setting compliance priorities based on risk, with action plans and regular public reports.
- Create a regulatory risk framework, underpinned by evidence and data, with clear risk tolerances, profiling and links to compliance actions.
NDIS Commission response: The NDIS Commission agreed with all three recommendations. It has begun redefining its official Statement of Expectation with the government and has published compliance priorities for the next financial year. It has also began implementing a new Risk-Based Regulation Prioritisation Model which aims to identify systemic risks.
On monitoring, compliance and enforcement the ANAO recommended the NDIS Commission:
- Adopt an entity wide compliance monitoring strategy.
- Implement a strategy that sets out the Commission’s approach to market oversight including mitigating the risks of unplanned service withdrawal.
- Enhance market oversight by working with the NDIA to update the Joint Operational Protocol on stewardship.
- Provide assurance that the NDIS Commission is taking effective regulatory action by introducing quality assurance processes for complaints, reportable incidents, compliance matters and investigations.
- Finalise and implement policies and procedures to ensure a consistent and fit for purpose approach to compliance.
- Improve performance monitoring and reporting by aligning its Planning and Performance Framework with government expectations and strengthening the accuracy and transparency of its data.
NDIS Commission response: The NDIS Commission accepted the ANAO’s recommendations (but only agreed in principle to the last recommendation on data and performance monitoring). It committed to strengthening market oversight, rolling out its new Risk-Based Regulation Prioritisation Model, introducing quality assurance and finalising procedures and guidance. On data and performance reporting, the NDIS Commission noted challenges with the way it collects data, but said it is on a “maturity journey” to improve. It has introduced Methodology Control Documents and will enhance its Planning and Performance Framework and Data Quality Framework, with full implementation expected by mid-2027.
In a media release, the NDIS Commission says it welcomes the ANAO’s report, accepting all recommendations with work already underway to improve its data, systems and regulatory tools. Commissioner Louise Glanville said the organisation is maturing into a risk-based regulator with a strong focus on protecting the rights of participants. While the ANAO highlighted that the NDIS Commission still lacks oversight of unregistered providers, the NDIS Commission has committed to working with government and stakeholders on reforms to provider registration and to becoming a “formidable regulator.”
You can find the full report, summary and recommendations on the ANAO website.
