The ANAO says the NDIS is adequately enforcing standards, but adds the Quality and Safeguards Commission needs to refine its strategy urgently. Media reaction unsurprisingly seized on the fact that 90 percent of providers operate in a wild west with no scrutiny at all.

The report was cautiously optimistic. The Australian National Audit Office agrees there is strong enforcement of the scheme: 35,519 compliance actions were taken in 2023/24, almost 3.7 times higher than the previous year. But complaints are soaring too: from 1,422 in 2018–19 to a staggering 29,054.

With 739,414 participants, the NDIS has become a national juggernaut careering out of control. The ANAO found the NDIS Quality and Safeguards Commission is doing a credible job of policing the small percentage of the scheme it oversees.

The problem is that this is not nearly enough to give the broader public confidence the scheme is working effectively.

Still, the auditor flagged weak spots. Intelligence systems are underdeveloped, data gaps remain, and there’s no framework for risk-based regulation. But most critically, the Commission regulates only a fraction of providers—leaving unregistered operators largely beyond its sight.

Minister McAllister sees progress:

“We appreciate the Commission’s full commitment to addressing all the audit’s findings,” she says, in reference to the NDIA’s willingness to strengthen procedures. And the Commission has already launched a new DART program, designed to bring better data and risk-based regulation into focus.

In other corners, media outlets are less impressed. News Ltd dubbed the scheme a “wild west,” saying over 90% of providers evade scrutiny—framing it as a regulatory failure.

This builds on Bill Shorten’s comments last year, singling out “dodgy providers” and blaming them for derailing the scheme.

It’s fair warning: the NDIS Commission must implement better monitoring, sharper intelligence, and stronger oversight to safeguard participants and taxpayer trust.

________________________

[continued from newsletter]

The NDIS Quality and Safeguards Commission made headlines in the report again and again - but not always for the right reasons.

Its enforcement arm has flexed hard over 2023/24: 35,519 compliance actions, up nearly 270% year-on-year. Complaints nearly doubled to 29,054. Meanwhile, the NDIS continued its expansion—739,414 participants, and $46.3 billion disbursed in 2024–25.

Yet the audit found slipping vigilance in core areas. Incredibly, the Commission still lacks a risk framework to guide its decisions. It has limited visibility into the sprawling provider network. An amazing number, 94% of active providers, remain unregistered (these receive 42% of plan-managed funds. Unlike registered providers, these operators skirt regulation entirely.

The Commission also has issues with data: intelligence systems such as COS fall short of government metadata and record‑keeping standards, and performance reports don’t align with annual statements. Quality assurance is patchy.

Ten Steps Toward a Smarter Regulator

The ANAO made 10 recommendations, all accepted by the Commission (although one only “in principle” - suggesting the NDIA has no intention of actioning it). They include establishing a risk-based strategy, compliance monitoring plans linked to risk profiling, and public reporting on priorities. Importantly, a quality assurance framework will now be developed for investigations and compliance actions.

The Commission hasn’t waited. Its Data and Regulatory Transformation (DART) initiative is intended to boost market visibility through better data analysis and risk assessment. A Risk-Based Regulation Prioritisation Model is slated to roll out in October 2025. Supporting enforcement with historic findings and predictive data—it could reshape regulatory strategy.

The ‘Wild West’

While the audit strikes a hopeful tone, the media unsurprisingly emphasized risk and chaos. The Daily Telegraph seized on the huge weakness revealed by the audit in its headline:

“The watchdog has no eyes on over 90 per cent of providers.”

In the same vein, Sky News reported the audit found the Commission “only reviews registered providers,” feeding fears about a regulatory black hole. The implication is obvious. What’s the point of the process if it’s so easy to evade?

Rebuilding Trust Through Risk Management

At its heart, this audit is about trust. The NDIS Commission has shown it can act decisively, but now it needs to act smartly.

Developing a risk-based approach will help it target resources where harm is most likely. Aligning data, ensuring oversight of both registered and unregistered providers, and boosting transparency will help build confidence across government and the community.

With DART, the risk model, and bolts of quality assurance in place, the Commission is moving from reaction to strategy. If analysts are right, 2025 may mark a turning point—when the NDIS Commission evolves from reactive regulator to strategic guardian.