NDIS Practice Standard 2 (Governance and Operational Management) covers how you run your organisation — not just how you deliver supports. It is the most comprehensive standard and the one most likely to generate non-conformances. AuditCore was designed around S2 requirements, with dedicated modules for every quality indicator: incident management, risk, HR, policies, and governance oversight.
S2.1 — Governance and Accountability
Auditors look for evidence that your governance body (board, committee, or management) is actively overseeing compliance — not just receiving reports. Evidence includes board meeting minutes, delegations of authority, and documented oversight of serious incidents and complaints.
S2.2 — Risk Management
AuditCore's Internal Audit AI maps your governance records, risk management, incident system, and HR screening against every S2 indicator — and generates a gap report instantly.
See Internal Audit AI →Your risk management framework must be documented, reviewed regularly, and actively used. Auditors check your risk register for currency, your incident data for risk identification, and whether identified risks have mitigation actions with owners and review dates. AuditCore's risk module links incident data to your risk register automatically.
S2.3 — Quality Management
Continuous improvement is a formal requirement under S2.3. Your CI Register must show evidence of improvement activities — not just compliance tasks. AuditCore auto-populates your CI Register from incident findings, complaint resolutions, and internal audit results.
S2.4 — Information Management
Participant records, worker records, and governance documents must be secure, accurate, and accessible. Auditors check your document control system, your data retention practices, and whether you have a privacy breach response procedure.
S2.5 — Incident and Complaint Management
This quality indicator generates more non-conformances than any other in S2. Auditors verify that every reportable incident was notified to the Commission within five business days, that all incidents are logged and classified, and that your complaint register is complete. AuditCore tracks the five-day countdown for every incident automatically.
S2.6 — Human Resources and Worker Screening
Every worker who has more than incidental contact with NDIS participants must have a current NDIS Worker Screening Check. Auditors verify this — and they check it against your service agreement dates, not just your current worker list. AuditCore tracks check status and expiry for every worker and alerts you at 90, 60, and 30 days before expiry.
S2.7 — Continuity of Supports
Your business continuity plan must address how you would maintain participant supports during a crisis — staff shortage, natural disaster, or system failure. Auditors want to see a written plan, evidence it has been tested, and confirmation that participants would be notified promptly if their supports were disrupted.
Standard S2 requires a documented continuous improvement system. AuditCore's CI Register auto-populates from incidents, complaints, and audit findings — satisfying this requirement automatically.
See the CI Register →Most Common S2 Non-Conformances
- Incident notification not made within five business days
- Worker screening checks expired or missing for some workers
- Risk register not reviewed in the past 12 months
- No evidence of governance oversight in meeting minutes
- CI Register empty or not linked to actual improvement activities
- Business continuity plan not tested or not up to date