NDIS Code of Conduct Self-Assessment Checklist for Providers

An NDIS code of conduct checklist is the single most practical tool your organisation can use to confirm compliance before an audit finds a gap first. Every registered NDIS provider must meet all seven obligations under the NDIS Code of Conduct — yet many organisations only discover shortfalls when a complaint is lodged or an auditor arrives. In this guide, you will find a detailed, obligation-by-obligation self-assessment covering every action required to stay compliant, become genuinely audit ready, and protect your participants and your registration.

What Is the NDIS Code of Conduct Checklist?

An NDIS code of conduct checklist is a structured self-assessment tool that maps each of the seven legally required obligations onto specific, measurable workplace actions. Providers use it to identify compliance gaps, prioritise remediation work, and demonstrate a proactive governance posture to the NDIS Quality and Safeguards Commission.

Why Every Provider Needs a Code of Conduct Self-Assessment

The NDIS Code of Conduct applies to all registered providers, unregistered providers, key personnel, and every worker delivering supports. Therefore, compliance is not optional regardless of your organisation’s size. A code of conduct self-assessment is the fastest way to pinpoint vulnerabilities before they escalate.

Moreover, the NDIS Commission actively investigates complaints and can impose civil penalties of up to $330,000 for individuals and $1.6 million for companies. Consequently, a missed obligation is never a minor administrative issue — it is a direct risk to your registration and your participants’ safety.

Who Should Complete This Assessment?

The following roles should complete or contribute to a provider compliance checklist review at least annually:

  • Chief Executive Officer or Managing Director
  • Quality and Compliance Manager
  • Human Resources Manager
  • Team Leaders and Supervisors
  • Risk and Governance Officers

Furthermore, every worker — not just management — has individual obligations under the Code. Therefore, the assessment should cascade to frontline staff through regular supervision and performance reviews.

The 7 NDIS Code of Conduct Obligations: Checklist by Obligation

The following sections break down each obligation with specific, actionable compliance items. Use this as your core provider compliance checklist during internal reviews, team meetings, or pre-audit preparation.

You can also review the full breakdown of NDIS Code of Conduct obligations for deeper context on each requirement.

Obligation 1: Respect the Rights of People with Disability

This obligation requires providers and workers to actively promote and respect each participant’s independence, dignity, and right to make decisions about their own life.

Checklist items for Obligation 1:

  1. Service agreements include rights statements and participant decision-making preferences — review your NDIS service agreement template to confirm this.
  2. Staff induction covers rights-based practice with documented sign-off.
  3. Policies address informed consent, including for participants with communication support needs.
  4. Restrictive practice procedures include independent oversight, authorisation, and participant input.
  5. Staff can articulate the difference between supported decision-making and substituted decision-making.

Obligation 2: Respect Participants’ Privacy

Workers must handle personal and sensitive information in accordance with the Privacy Act 1988 and the Australian Privacy Principles.

Checklist items for Obligation 2:

  1. Privacy policy is current, accessible, and provided to participants on intake.
  2. Staff receive training on data handling, secure storage, and information-sharing protocols.
  3. Consent forms specify what information is collected, how it is used, and who it is shared with.
  4. Digital systems enforce role-based access controls (each worker sees only the participants they support), require strong authentication for remote and administrative access, encrypt participant data at rest and in transit, and keep access logs so that unauthorised viewing or alteration of a record can be detected.
  5. Suspected privacy breaches are identified, recorded, assessed, and notified according to the Notifiable Data Breaches scheme under the Privacy Act 1988.

Obligation 3: Provide Safe, Competent, and Quality Supports

This obligation is the foundation of service delivery quality, and it carries the longest checklist in this guide.

Checklist items for Obligation 3:

  1. All workers hold required qualifications and worker screening clearances — see the NDIS worker screening guide for details.
  2. Induction covers support delivery standards, risk assessment, and safe handling protocols.
  3. Supervision records demonstrate ongoing competency monitoring.
  4. Support plans are current, person-centred, and reviewed at the intervals specified in each agreement.
  5. Incident management procedures meet NDIS Commission requirements — your NDIS incident management guide should be your reference document here.
  6. Complaints process is documented, accessible, and functional.

Obligation 4: Act with Integrity, Honesty, and Transparency

Workers must not misrepresent their qualifications, experience, or the services provided. In addition, providers must manage conflicts of interest transparently.

Checklist items for Obligation 4:

  1. Position descriptions accurately reflect required qualifications and do not inflate credentials.
  2. Service agreements clearly describe what will be delivered, by whom, and at what cost.
  3. Billing and invoicing practices are accurate and transparent — consider a purpose-built NDIS billing software to reduce errors.
  4. Conflict of interest policy is in place, understood by all key personnel, and enforced.
  5. Gifts and benefits policy prevents inappropriate financial relationships with participants.

Obligation 5: Promptly Raise Concerns about Quality and Safety

Workers must speak up when they observe poor practice, unsafe conditions, or misconduct. Furthermore, providers must create systems that make raising concerns safe and straightforward.

Checklist items for Obligation 5:

  1. Whistleblower protection policy meets the requirements of the Corporations Act 2001 where your organisation is a company regulated by that Act; other entity types should confirm the whistleblower rules that apply to them.
  2. Workers know the internal escalation pathway for raising concerns.
  3. Workers know how to contact the NDIS Commission directly if internal processes are inadequate.
  4. Management response to raised concerns is documented and reviewed for timeliness.
  5. Reportable incidents are submitted to the Commission within required timeframes — your NDIS reportable incidents guide specifies each deadline.

Obligation 6: Take All Steps to Prevent Violence, Abuse, Neglect, and Exploitation

This obligation requires active prevention, not just response. Consequently, your systems must address risk before harm occurs.

Checklist items for Obligation 6:

  1. All workers in risk-assessed roles have a current NDIS Worker Screening Check clearance before commencing work, and clearance expiry dates are tracked.
  2. Risk assessments for each participant identify vulnerability factors and protective actions.
  3. Staff training covers recognising and responding to all forms of abuse and neglect.
  4. Restrictive practice policies are documented, authorised, and reported as required.
  5. Serious incidents involving abuse or neglect are reported to the Commission as reportable incidents.
  6. Staff understand mandatory reporting obligations under state and territory legislation.

Obligation 7: Take All Steps to Prevent Sexual Misconduct

This obligation explicitly prohibits all sexual contact between workers and NDIS participants. Moreover, providers must actively prevent sexual misconduct through systemic controls.

Checklist items for Obligation 7:

  1. Code of Conduct policy explicitly states the prohibition on sexual relationships with participants.
  2. Staff induction includes training on professional boundaries and sexual misconduct prevention.
  3. Lone worker and supported independent living procedures include safeguards against boundary violations.
  4. All allegations of sexual misconduct are treated as reportable incidents and investigated immediately.
  5. Termination and banning order reporting obligations are understood by key personnel.

How the Code of Conduct Self-Assessment Works in Practice

A code of conduct self-assessment is most effective when it follows a repeatable process. Therefore, consider the following four-stage approach to integrate the checklist into your governance cycle.

Stage 1: Gather Your Evidence

Before rating each item, collect the relevant documents: policies, training records, screening clearances, supervision logs, and incident registers. Incomplete evidence is itself a compliance gap: during an audit, a gap in documentation is treated the same as a gap in practice.

Stage 2: Rate Each Item

Apply a simple traffic light rating: Green (fully compliant with evidence), Amber (partially compliant — improvement underway), or Red (non-compliant — immediate action required). This approach makes your overall compliance posture visible at a glance.

Stage 3: Build a Remediation Plan

For every Amber and Red item, assign an owner, a remediation action, and a completion date. Furthermore, log the plan in your quality management system so progress can be tracked and reported to the Board or management committee.

Stage 4: Re-Assess and Report

Re-run the assessment quarterly or after any significant incident, staff change, or service expansion. In addition, report the summary outcome to your governance body as part of regular compliance reporting. This creates a documented record of continuous improvement — which auditors look for.

Common Compliance Gaps Found During NDIS Audits

The NDIS Commission consistently identifies several recurring gaps across audit cycles. According to the NDIS Commission’s compliance data, the following issues appear most frequently:

  • Outdated worker screening clearances — clearances expire and must be renewed; many providers fail to track expiry dates systematically.
  • Inadequate incident management — incidents are under-classified, reported late, or not reported at all. Review your NDIS compliance checklist for reportable incident thresholds.
  • Missing or generic support plans — plans that are not individualised or regularly reviewed fail the quality and safety obligation.
  • Weak complaints systems — participants do not know how to complain, or complaints are not responded to within reasonable timeframes.
  • Undocumented training — staff may have received informal training, but without records, it cannot be evidenced during an audit.
  • Privacy policy gaps — policies that predate NDIS-specific obligations or do not address digital data storage.

Becoming NDIS Audit Ready: Practical Steps

Being NDIS audit ready means having current evidence for every compliance requirement — not scrambling to find documents when the auditor’s calendar invite arrives. The following practical steps will help you shift from reactive to proactive compliance.

Maintain a Centralised Compliance Register

A compliance register brings all obligations, evidence links, and review dates into one document. As a result, you can identify what is due for renewal at any time, not just when an audit approaches.
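The four-stage cycle above (gather evidence, rate, plan remediation, re-assess) and the register described here can be implemented as one small data structure. The following Python is an added illustration, not code from the page or from Inficurex. It assumes a register of checklist items, each mapped to a Code obligation, with links to its evidence and, where the evidence itself expires (a screening clearance, a policy review date), an expiry date. The rating rules are this example's own reading of the traffic-light scheme: no evidence, or expired evidence, is Red; missing evidence with an owner, action and due date already assigned is Amber; evidence expiring within the warning window is Amber; everything else is Green. All entries, names and file paths are constructed sample data.

```python
"""Compliance register with traffic-light rating, remediation plan and renewal view.

Added illustration (not the page's or Inficurex's code). All records, names and
paths below are constructed sample data; the rating rules are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class RegisterEntry:
    obligation: int                          # Code obligation 1..7 this item maps to
    item: str                                # checklist item text
    evidence: List[str] = field(default_factory=list)  # links/paths to evidence on file
    expires: Optional[date] = None           # expiry of the evidence itself, if any
    owner: str = ""                          # person accountable for remediation
    action: str = ""                         # remediation action, if Amber/Red
    due: Optional[date] = None               # remediation completion date


def rate(entry: RegisterEntry, today: date, warn_days: int = 90) -> str:
    """Stage 2 traffic light: Green / Amber / Red (rules are this example's assumptions)."""
    if not entry.evidence:
        underway = bool(entry.owner and entry.action and entry.due)
        return "Amber" if underway else "Red"          # no evidence = no compliance
    if entry.expires is not None:
        if entry.expires < today:
            return "Red"                                # expired evidence counts as absent
        if entry.expires - today <= timedelta(days=warn_days):
            return "Amber"                              # renewal due inside the window
    return "Green"


def remediation_plan(register: List[RegisterEntry], today: date
                     ) -> Tuple[List[dict], List[dict]]:
    """Stage 3: every Amber/Red item needs an owner, an action and a date.

    Returns (plan, incomplete): rows that are fully assigned, and rows that are not.
    """
    plan, incomplete = [], []
    for e in register:
        r = rate(e, today)
        if r == "Green":
            continue
        row = {"obligation": e.obligation, "item": e.item, "rating": r,
               "owner": e.owner, "action": e.action, "due": e.due}
        (plan if e.owner and e.action and e.due else incomplete).append(row)
    return plan, incomplete


def renewals_due(register: List[RegisterEntry], today: date,
                 within_days: int = 90) -> List[RegisterEntry]:
    """Register view: evidence that expires within the window, soonest first.
    Already-expired items are excluded here because rate() reports them as Red."""
    horizon = today + timedelta(days=within_days)
    due = [e for e in register if e.expires is not None and today <= e.expires <= horizon]
    return sorted(due, key=lambda e: e.expires)


def summary(register: List[RegisterEntry], today: date) -> Dict[int, Dict[str, int]]:
    """Stage 4 roll-up: Green/Amber/Red counts per obligation for the governance report."""
    out = {n: {"Green": 0, "Amber": 0, "Red": 0} for n in range(1, 8)}
    for e in register:
        out[e.obligation][rate(e, today)] += 1
    return out


# Constructed sample register; the review date is fixed so the ratings are reproducible.
TODAY = date(2025, 3, 1)
SAMPLE_REGISTER = [
    RegisterEntry(1, "Service agreements include rights statements",
                  evidence=["policies/service-agreement-v4.pdf"]),
    RegisterEntry(2, "Privacy policy current and provided on intake",
                  evidence=["policies/privacy-v2.pdf"], expires=date(2026, 1, 31)),
    RegisterEntry(3, "Worker screening clearance - J. Citizen",
                  evidence=["screening/jcitizen.pdf"], expires=date(2025, 4, 15)),
    RegisterEntry(3, "Worker screening clearance - A. Nguyen",
                  evidence=["screening/anguyen.pdf"], expires=date(2025, 1, 10)),
    RegisterEntry(5, "Whistleblower policy approved and published",
                  owner="Quality Manager", action="Draft and approve policy",
                  due=date(2025, 4, 30)),
    RegisterEntry(6, "Staff training records: recognising abuse and neglect"),
]

if __name__ == "__main__":
    for obligation, counts in summary(SAMPLE_REGISTER, TODAY).items():
        print(f"Obligation {obligation}: {counts}")
    plan, incomplete = remediation_plan(SAMPLE_REGISTER, TODAY)
    print("Assigned actions:", len(plan), "| Unassigned Amber/Red items:", len(incomplete))
    for e in renewals_due(SAMPLE_REGISTER, TODAY):
        print("Renewal due:", e.item, e.expires)
```

With the sample data, the expired clearance and the missing training records come out Red, the clearance expiring in 45 days and the policy still being drafted come out Amber, and only the policy has an owner, action and date, so the other three Amber/Red items are reported as unassigned; that list is the Stage 3 check that nothing is left without an owner. The `renewals_due` view answers the question the register exists to answer: what needs renewing before the next review, independent of when an audit is scheduled.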

Schedule Regular Internal Audits

Internal audits against the NDIS practice standards guide and the Code of Conduct should occur at least annually. Moreover, spot-check audits following incidents or staff changes strengthen your overall audit readiness posture.

Link Training to Specific Obligations

Each training module your workforce completes should be tagged to the relevant Code obligation. This makes it straightforward to demonstrate that your training programme addresses every element of the Code. Additionally, consider our overview of NDIS Code of Conduct training approaches for workforce development frameworks.

Document Everything

If it is not documented, it did not happen. Supervision conversations, team meetings, incident reviews, and corrective actions must all be captured in writing. Furthermore, use timestamped records wherever possible to establish a clear chronological compliance history.

People Also Ask: NDIS Code of Conduct Checklist

How often should providers complete a code of conduct self-assessment?

Providers should complete a code of conduct self-assessment at least annually, plus after any significant incident, staff turnover, or service scope change. A minimum annual review ensures your provider compliance checklist remains aligned with any updates to the Code or Commission guidance.

However, best-practice organisations conduct quarterly reviews of high-risk obligations — particularly those related to worker screening, incident reporting, and restrictive practices — rather than waiting for the annual cycle.

Does the NDIS Code of Conduct apply to unregistered providers?

Yes. The NDIS Code of Conduct applies to all providers — both registered and unregistered — as well as to all workers and key personnel delivering NDIS supports. As a result, unregistered providers serving self-managed or plan-managed participants have the same behavioural obligations.

The key difference is that unregistered providers are not subject to NDIS Practice Standards audits. Therefore, a code of conduct self-assessment is especially important for unregistered providers who lack the external verification audit process.

What happens if a provider fails a Code of Conduct audit?

If a provider fails to demonstrate compliance with the Code of Conduct, the NDIS Commission can take a range of enforcement actions — from requiring a corrective action plan, to issuing compliance notices, imposing conditions on registration, or commencing deregistration. For serious breaches, the Commission can issue banning orders and pursue civil penalties.

In addition, individual workers can receive personal banning orders preventing them from delivering any NDIS supports. The Commission maintains a public register of banning orders, which participants and families can search. To understand breach consequences in depth, review the NDIS code of conduct breach guidance.

How Inficurex Helps Providers Become Audit Ready

Maintaining a current NDIS code of conduct checklist alongside incident registers, worker screening records, billing, and support plans is a significant administrative burden. Inficurex is purpose-built NDIS provider software that centralises compliance management, automates key reminders, and keeps your documentation audit ready at all times.

With Inficurex, you can link each Code obligation directly to your policies, training records, and incident reports — creating the evidence trail auditors need to see. Furthermore, real-time dashboards surface upcoming clearance renewals, overdue reviews, and open corrective actions before they become compliance gaps.

Moreover, Inficurex integrates incident management, billing, and workforce scheduling so your compliance data is never siloed. Explore how Inficurex supports end-to-end NDIS compliance for providers of all sizes.

Frequently Asked Questions

What are the 7 obligations in the NDIS Code of Conduct?

The seven obligations are: (1) Respect individual rights to freedom of expression, self-determination, and decision-making; (2) Respect the privacy of people with disability; (3) Provide supports and services in a safe and competent manner with care and skill; (4) Act with integrity, honesty, and transparency; (5) Promptly take action to raise and act on concerns about matters that might have an impact on the quality and safety of supports; (6) Take all reasonable steps to prevent and respond to all forms of violence, exploitation, neglect, and abuse; and (7) Take all reasonable steps to prevent and respond to sexual misconduct.

Is the NDIS Code of Conduct a legal requirement?

Yes. The NDIS Code of Conduct is established under the National Disability Insurance Scheme (Code of Conduct) Rules 2018. It is a legally binding instrument. Breaches can result in civil penalties, compliance notices, registration conditions, or banning orders issued by the NDIS Quality and Safeguards Commission.

How do Practice Standards differ from the Code of Conduct?

The Code of Conduct sets behavioural expectations and applies to all providers — registered and unregistered. NDIS Practice Standards set quality and operational benchmarks and apply only to registered providers. They are assessed through formal audits, whereas the Code is enforced primarily through complaints and investigations. For a detailed comparison, see our guide on the NDIS Code of Conduct complete guide for providers.

What evidence should I keep for a Code of Conduct audit?

You should retain training completion records and sign-offs, worker screening clearance certificates with expiry dates, current policies and procedures with version control, incident reports and investigation outcomes, supervision records, complaints register entries and responses, and consent documentation for each participant. Auditors will request a sample of these documents and may interview staff about their understanding of obligations.

How long should compliance records be retained?

NDIS Commission requirements specify that providers retain records for a minimum of 7 years from the date of creation. For records relating to children, retention periods may extend to 25 years or more under state and territory legislation. Therefore, ensure your record management policy reflects both NDIS and jurisdiction-specific requirements.

Can workers be personally held responsible for Code of Conduct breaches?

Yes. The Code of Conduct applies directly to individual workers, not only to their employer organisation. As a result, the NDIS Commission can investigate individual workers, issue personal compliance notices, or apply for banning orders against them — independent of any action taken against the provider organisation. Workers must therefore understand their individual obligations during induction and ongoing training.

What is a compliance notice from the NDIS Commission?

A compliance notice is a formal direction from the NDIS Commission requiring a provider or worker to take specific actions to remedy a breach of the Code of Conduct or Practice Standards. Compliance notices are legally binding. Failure to comply with a notice can result in escalated enforcement action, including deregistration or civil penalty proceedings. The Commission maintains records of compliance notices and enforcement actions.

Where can I find the official NDIS Code of Conduct?

The official Code of Conduct is available on the NDIS Commission website. The full legislative text is published on the Federal Register of Legislation. Providers should also review the worker and provider fact sheets published by the Commission for practical implementation guidance.
