
I tracked staff certifications in a spreadsheet for 3 years. Here's what an NDIS audit found.

Three NDIS support workers, three expired clearances, one auditor's question. Why spreadsheets fail at compliance tracking - and what they can't do that audit prep actually needs.


A Melbourne disability provider, profiled by WorkerChecks earlier this year, summed up a problem most NDIS operators will recognise the moment they read it:

“We had three support workers whose clearances expired within the same week. We didn't realise until a routine audit flagged it.”

- Melbourne NDIS provider, via WorkerChecks

Three workers. One week. One auditor's question. And the tracking system - because there is always a tracking system, even if no one calls it that - was a spreadsheet.

This is the most common compliance failure in the NDIS sector. Not malice. Not negligence. A spreadsheet that was good enough on day one, scaled past its design, and quietly stopped doing its job.

Why spreadsheets fail at expiry tracking

A spreadsheet is a brilliant tool for one person, on one machine, tracking a small list of things that change occasionally. That's not what NDIS staff compliance is. NDIS staff compliance is dozens of workers, dozens of document types, different expiry windows, different states, different visa rules, different audit cycles - all changing constantly.

Three failure modes show up at almost every provider that grows past about ten staff:

Date logic that doesn't alert you

A conditional-format cell that turns red when =TODAY()-Expiry>0 tells you a clearance has expired. It does not tell you that a clearance is about to expire. By the time the cell goes red, the worker has been non-compliant for days - and you only see it when you happen to open the file.

Version control nobody owns

One spreadsheet becomes two when the office manager goes on leave. Two becomes three when a regional team lead wants their own view. Three becomes “which one is the source of truth?” the day an auditor asks for the staff matrix. The evidence the auditor sees and the evidence the team uses day-to-day are no longer the same document.

No proactive surfacing

Spreadsheets are passive. They wait to be opened. The Melbourne provider's three workers didn't expire mysteriously - the dates were sitting in column F the whole time. Nobody saw them because nobody looked, and nothing prompted them to look. The audit was the prompt. Audits should not be the prompt.

What auditors sample at a Tier 1 audit

  • NDIS Worker Screening Check

    Renew every 5 years

    The single most-checked clearance. Auditors will ask for the certificate, the issuing state, and the expiry date - for every worker who has any contact with a participant.

  • Working with Children Check

    Renew every 5 years (state-specific)

    Required for any worker delivering supports where children may be present. State-specific. Auditors will sample workers and ask to see this evidence.

  • Infection Control Training

    Annual refresher

    Mandatory under the NDIS Practice Standards. Auditors expect a completion certificate, not just a tick on an internal training matrix.

  • CPR / First Aid Certificate

    CPR annually, First Aid every 3 years

    Required for SIL and personal-care workers. Auditors check that the certificate is current on the date of audit, not the date of induction.

What auditors actually ask about at a Tier 1 audit

Most providers think the auditor will ask for “the staff spreadsheet.” They won't. Auditors sample. They pick a handful of workers - usually three to six, depending on organisation size - and ask to see the documentary evidence for each clearance, on the date of the audit, with the renewal window visible.

The spreadsheet is fine for the moment they ask “who do you have on staff?” It collapses the moment they ask “can I see the actual NDIS Worker Screening certificate for Priya Sharma, dated within the last five years?”

The four documents above are sampled at almost every Tier 1 certification audit. None of them sit naturally inside a spreadsheet. They are PDFs, scans, and renewal receipts that need to be findable in seconds, attached to the right worker, with the right expiry date next to them.

For the full list of artefacts the Commission samples, see our Tier 1 audit checklist - 38 documents grouped by domain, with the indicator each one evidences. And our NDIS Worker Screening explainer walks through the state-by-state rules.

01 Proactive expiry alerting

  • In a spreadsheet: A conditional-format cell turns red on the day it expires. By then it's already late.

  • In a compliance system: Email + in-app notifications fire 60, 30 and 7 days out, to the worker and their manager.

02 Role-based view of compliance

  • In a spreadsheet: Everyone with the link sees everything, or nobody can edit, or the wrong person edited it last Tuesday.

  • In a compliance system: A team lead sees their direct reports. A worker sees their own. Owners see everything. One source of truth.

03 Defensible audit trail

  • In a spreadsheet: "Last edited by Sam on 14 Feb" tells you nothing about what changed, why, or what the document said before.

  • In a compliance system: Every upload, version, and status change is timestamped and attributed. The auditor's questions answer themselves.

The three things a compliance system has to do

None of these are exotic. They are what every other regulated sector - aged care, finance, healthcare - figured out a decade ago, and what disability providers are now expected to figure out before 1 July 2026.

Alerting. Expiry windows that fire on a schedule, to the right person, with enough lead time to actually renew. Not a red cell. An email, an in-app notification, a task on a manager's dashboard - 60 days out, 30 days out, 7 days out. The clearance never expires by surprise because someone is always told it's about to.
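The difference between the red-cell check and scheduled lead-time alerting, as an added sketch that is not Checkbase's code. The worker names, dates and the `sent` bookkeeping are constructed for illustration; the 60/30/7-day windows and the `=TODAY()-Expiry>0` rule are the ones this article names.

```python
from datetime import date

LEAD_DAYS = (60, 30, 7)  # alert windows named in the article

# Constructed sample records: (worker, document, expiry date).
RECORDS = [
    ("Worker A", "NDIS Worker Screening Check", date(2026, 3, 20)),
    ("Worker B", "CPR Certificate", date(2026, 4, 9)),
    ("Worker C", "Infection Control Training", date(2026, 2, 27)),
    ("Worker D", "Working with Children Check", date(2027, 1, 15)),
]

def spreadsheet_red_cells(records, today):
    """What =TODAY()-Expiry>0 surfaces: only rows that are already expired."""
    return [(w, d) for w, d, exp in records if (today - exp).days > 0]

def due_alerts(records, today, sent):
    """Return alerts to send today as (worker, doc, stage, days_remaining).

    `sent` holds (worker, doc, expiry, stage) keys already notified, so each
    stage fires once. If a scheduled run is missed, the tightest window
    already crossed still fires on the next run. A renewal changes the
    expiry date, which changes the key and re-arms every stage.
    """
    alerts = []
    for worker, doc, expiry in records:
        remaining = (expiry - today).days
        if remaining < 0:
            stage = "expired"
        else:
            crossed = [n for n in LEAD_DAYS if remaining <= n]
            if not crossed:
                continue  # more than 60 days left: nothing to say yet
            stage = f"{min(crossed)}-day"
        key = (worker, doc, expiry, stage)
        if key not in sent:
            sent.add(key)
            alerts.append((worker, doc, stage, remaining))
    return alerts

if __name__ == "__main__":
    today, sent = date(2026, 3, 1), set()
    print("red cells:", spreadsheet_red_cells(RECORDS, today))
    for alert in due_alerts(RECORDS, today, sent):
        print("alert:", alert)
```

On the sample date the red-cell rule surfaces one worker, while the lead-time check surfaces three, two of them before anything has lapsed.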

Role-based view. The owner sees the whole org. The team lead sees their team. The worker sees their own documents and what they need to upload next. The auditor, when they're given access, sees a read-only sample, scoped and time-bound. Nobody is editing the same row at the same time, and nobody sees what they shouldn't.

Audit trail. Every upload, every status change, every renewal. Timestamped, attributed, and queryable. The auditor's question “when did this CPR certificate get renewed?” has a one-click answer. There is no scrolling through email threads. There is no “I think Aroha re-uploaded it in March.”

That's the bar. Anything below it is the same trap the Melbourne provider walked into - a system that worked right up until the day it didn't.

What we do

Checkbase tracks the document side of NDIS compliance - staff records, participant files, SIL house evidence, governance. Built specifically for the way the NDIS Commission asks for evidence at audit. If you're a SIL provider preparing for 1 July, two things from us are worth your time:

Background reading: the SIL mandatory-registration explainer covers the 1 July 2026 deadline in detail.
