Every SIL provider with a Stage 2 audit on the calendar between now and 1 July 2026 has the same question: which policies do I actually need? The honest answer is that the count went up last year and almost no one's templates have caught up.
The old NDIS Practice Standards numbering — 1.1 Rights, 1.4 Human Resources, 2.4 Risk Management — gave operators an obvious map to about a dozen policies. That map is now outdated. The 2025 Core Module reorganised the Standards into 22 outcomes, and the Applicant Portal now asks for evidence against each one. On top of those sit another 8 supplementary policies that the Commission expects every provider to hold standalone, regardless of how they map to the Core Module.
That's not a target. It's the floor. Specialist Disability Accommodation, High Intensity Daily Personal Activities, plan management or support coordination services on top of SIL all add their own. But for a registered SIL provider serving children with no other extras, 35 is the working number — 34 if no participants are under 18.
This piece walks through what those 35 are, which seven the Commission rejects applications on most often, and — most importantly — what an auditor actually does with them once you've got them.
Why it's no longer 12
The 2018 Practice Standards were organised around four standards (Rights, Governance, Provision of Supports, Service Environment) with a small number of indicators under each. Most providers built a policy library that mapped roughly one document per indicator. A dozen policies, signed and dated, was a defensible position.
The 2025 Core Module didn't add new ground — it broke the existing ground into smaller pieces and asked for evidence against each piece individually. Where the old framework had "1.1 Person-centred supports", the new framework has three separate outcomes: 1.2 Individual Values & Beliefs, 1.3 Privacy & Dignity, and 1.4 Accessible Communication. Three sentences in a single old policy now need to be three policies, each tailored, reviewed, and acknowledged by your team.
Add in policies the Commission has always wanted standalone — Code of Conduct adoption, Whistleblower process, Drug & Alcohol (Worker Fitness for Duty), Document Control — and add a Child Safe Standards policy for any provider with even one participant under 18, and the count is 35. Twenty-six map directly to a Core Module outcome. Eight sit alongside as cross-cutting supplementary policies. One — Child Protection — is conditionally required when a child is on the books.
Important nuance
This count is for a SIL provider on the basic registration track. If you also deliver SDA, HIDPA, plan management, or support coordination, the NQSC asks for additional outcome-specific policies under each. Allied health practices and OT-only providers register against a different module set entirely. The 35 below is the SIL baseline, not the universal answer.
The seven SIL Blockers
Of the 35, seven get the most weight in a Stage 2 audit for an adult-only SIL service. We call them SIL Blockers because the Commission rejects SIL applications on these specifically — repeatedly and predictably — when the policy is missing, generic, or out of date. (When children are on the books, Child Protection is treated as an eighth — see the section after the policy tables.)
If you fix nothing else before your registration submission, fix these seven first. Each one has a specific test the auditor runs against the policy itself, plus the operational evidence that proves you live it.
Incident Management PS 2.6
The auditor opens your policy and checks two things: does it list the Commission's reportable-incident categories (death, serious injury, abuse, neglect, unlawful sexual or physical contact, restrictive practice use), and does it commit to the 24-hour notification window for the reportable subset.
Then they sample one incident from the last 12 months and check the policy was followed end-to-end: notification timestamp, investigation steps, family contact, prevention actions, Commission reference number on file. A policy without a single proven walk-through is treated as a template.
Worker Screening PS 2.7
The policy needs to name the three mandatory checks (NDIS Worker Screening Check, First Aid, Working with Children Check) and commit to a recheck cadence — typically annual for First Aid and on expiry for the rest. It also needs an explicit rule for what happens to a worker whose check lapses mid-roster: they don't work the next shift, and the cover-shift workflow is documented.
The audit test: pick a worker, pick a date, prove the worker was cleared on that date. Reconstructing this from memory after the fact is where most providers fail.
Safeguarding PS 1.5
The policy needs to cover violence, abuse, neglect, exploitation, and discrimination — five named categories, each with a definition aligned to the NDIS Practice Standards glossary, and each with a worker-facing reporting process that doesn't require the worker to identify the perpetrator first.
An auditor will also check that this policy and your Incident Management policy cross-reference each other. If the safeguarding incident-reporting flow doesn't connect to the formal incident register, the auditor sees two parallel systems, and starts questioning whether either is real.
Risk Management PS 2.2
This is the one most templates fail. The policy can't be generic risk-management theory — it needs to name the actual operational risks for your service: workforce shortages, single-worker shifts in high-needs houses, medication errors, transport incidents, restrictive practice escalation. Each named risk needs a control and a review cadence.
The auditor will then ask to see your risk register. If the policy commits to maintaining one and you can't produce it inside two minutes, the policy reads as aspirational.
Service Agreements with Participants PS 3.3
The audit test is simple: pull a participant's file. Is there a signed Service Agreement on the file, was it explained in a format the participant could understand, and does it match the supports actually being delivered.
The policy itself needs to commit to a Service Agreement for every participant before supports start, an annual review cadence, and a process for amending the agreement when supports change. "We have a template" doesn't pass; "every participant has one signed within five business days of supports commencing" does.
Mealtime Management PS 4.4
This was elevated from a sub-clause to its own outcome in 2025 after several coronial findings. If any of your participants have dysphagia, choking risk, or a mealtime management plan from a Speech Pathologist, you need a policy that names how those plans are stored, shared with workers per shift, and reviewed.
If none of your participants currently have mealtime needs, you still need the policy — the Commission expects providers to be ready to support mealtime needs that emerge during a placement, not only those identified at intake.
Medication Management (HIDPA)
If you administer any medication — including PRN, S4, S8, or assistance with self-administration — your Medication Management policy needs to align to the High Intensity Daily Personal Activities skills descriptors. It needs to cover witness requirements for S8, refusal protocols, missed-dose escalation, and the chain from Medication Administration Record back to prescription.
The auditor will pick one medication round and trace it: who was rostered to administer, did they sight the participant first, was the dose given on time, was it recorded with the right status (given / refused / withheld / missed), and did the prescription on file match the dose administered.
The other 19 outcome-aligned policies
The remaining 19 of the 26 outcome-aligned policies don't get the same audit weight as the seven blockers, but every one is asked for in the Applicant Portal. Missing one doesn't sink the application — leaving five blank does.
Grouped by NQSC standard:
Each of these has an Applicant Portal evidence prompt. "Provide a copy of your Privacy and Dignity policy" is non-negotiable — even if the file you upload is two pages and references your Person-Centred Supports policy for the operational detail.
The eight supplementary policies
The Core Module covers what NQSC reviews against. The supplementary policies are what NQSC reviewers expect to see anyway, regardless of whether they map cleanly to a 2025 outcome. Some come from the NDIS Code of Conduct, some from Fair Work, some from related legislation the Commission cross-references during a Stage 2 visit.
The Document Control policy is the one most providers don't realise is needed. It's how you prove every policy on the list above has a version number, a last-reviewed date, a named reviewer, and a circulation record. Without it, the auditor can't verify any of the others are actually current.
The 35th: Child Protection (Child Safe Standards)
Any provider with even one participant under 18 needs a Child Protection policy that goes beyond the general Safeguarding policy at PS 1.5. The Child Safe Standards are a separate framework — the National Principles for Child Safe Organisations, published by the Australian Human Rights Commission and endorsed by every state, territory, and the Commonwealth — and the NDIS Commission tests against them when children are on the books.
If you don't currently support any children, you don't need this policy. The moment you do, the policy needs to be in place before the first shift.
Child Protection (Child Safe Standards) NPCSO
The policy needs to cover all ten National Principles, name the state-specific Reportable Conduct Scheme that applies to your operation, and operationalise the worker screening, mandatory reporting, and worker-child boundary rules that flow from them. Sample test the Commission runs:
- Pick a worker who supports a child participant — is their Working with Children Check verified directly with the issuing body (not just sighted), and recorded with a verification date?
- Pick a child participant — at intake, were they told (in language they could understand) how to raise a concern, who the Child Safety Officer is, and that raising a concern doesn't affect their supports?
- Pick the most recent state Reportable Conduct Scheme matter the org is aware of — was the notification made within the legislated window? (In NSW: 7 business days from the head of the org becoming aware.)
- Are worker-child communications kept on org-controlled channels, with parent/guardian access on request?
Sub-clauses providers most often get wrong: not training workers in mandatory reporting (which is each worker's individual statutory obligation, not something the org reports on their behalf); allowing personal-device contact with child participants; failing to verify WWCC directly with the issuing body, treating sighted-and-photographed as sufficient.
The state element matters. The Reportable Conduct Scheme operates differently in NSW, Victoria, ACT, Tasmania (rolling out), and Western Australia (rolling out), and some other jurisdictions don't yet have a scheme — your policy needs to name the law that actually applies to where your service is delivered. A generic national-template version won't pass.
What makes a policy pass — versus just exist
Having all 35 policies on file is necessary. It isn't sufficient. The Commission's Stage 2 process is a sampling process — they don't read every policy, they pick a few and audit them deeply. A policy passes the audit when four things are true:
This is the bar a Stage 2 auditor applies. It's also why "buy a policy pack and sign it" almost never passes on its own. The pack gets you the document; the four conditions above are operational practice.
Five steps between now and 1 July 2026
If you're a SIL provider on the registration path, here's the working sequence:
None of this is glamorous. It's the unsexy compliance work that registered providers have done for years. The 1 July 2026 deadline just makes it everyone's problem instead of only the providers who chose to register early.
One more thing
The Commission's auditors increasingly ask for proof that the policy is reachable on demand — meaning a worker on a 3am shift can pull up the relevant section of the Behaviour Support Plan Implementation policy without calling head office. Paper folders in the office count for less than they used to. A digital surface that workers can search from a phone is starting to be expected.
Where Aura OS fits in
This is the work that PolicyDesk in Aura OS automates. The 35 templates above ship inside the app, branded to your org with your name, ABN, and address substituted on first run. They're aligned to the 2025 Core Module numbering — every practiceStandard field on every template was rewritten to match the current framework.
PolicyDesk also runs the relevance check. A solo SIL operator with no medication doesn't need to be scored against Mealtime Management or Medication Management — the app filters those into a "Not applicable to your service" section so the audit-readiness score reflects what actually applies to you.
Workers see a different view: a personal training-record strip with each policy and an "I've read this" button. Acknowledgements are versioned, so re-issued templates trigger a fresh acknowledgement automatically.
And when an auditor asks for a specific policy, PolicyDesk's Share for audit generates a one-time public URL — branded with your logo, footer-stamped with a SHA-256 tamper-evidence hash, print-friendly. The auditor opens it on their device with no Clearline account required.
Free until you outgrow it.
All 35 policy templates — including Child Protection — the relevance filter, worker acknowledgements, and audit-ready PDF downloads are on the free Aura OS plan. No credit card. The seven SIL Blockers (eight if you serve children) are pre-filled with the operational language that audit reviewers consistently accept on first pass.