Compliance tracking: in-house, your HR system, or a dedicated platform

Most care providers start with a spreadsheet. As the workforce grows and the rules tighten, that spreadsheet becomes a liability, and there are three common next moves: build something better in-house, such as a SharePoint library or a Power Apps form; lean on the credential tracker bundled into your applicant tracking (ATS) or HR system; or move to a platform built for care compliance.

This guide lays out the honest tradeoffs across all three so you can decide with eyes open. It is written for providers across Aged Care, Disability and Childcare, where the screening rules differ but the underlying problem is the same: knowing, at any moment, exactly who is cleared to work.

What a DIY tracker does well

An in-house build genuinely solves part of the problem. With SharePoint, Power Apps or a similar low-code tool, you can:

• Store credential documents in one place instead of email folders and filing cabinets.
• Record expiry dates and trigger reminder emails before a clearance lapses.
• Build a simple dashboard showing who is missing what.
• Shape the data model exactly to your organisation's roles and sites.

For a small, stable workforce, that may be enough. It keeps documents organised and gives managers a prompt before something expires. If your organisation has strict data-residency requirements, an in-house store also gives you direct control over where the documents live.

Where a DIY tracker hits its limit

The gap is verification at source. A tracker can hold a copy of a Working With Children Check card or an AHPRA registration number, but it cannot confirm those are current against the authoritative register. That confirmation requires accredited access to:

• State and territory Working With Children Check portals.
• The AHPRA register of practitioners.
• Government ban registers and worker screening clearance status.

These feeds are not open APIs you can wire into a SharePoint flow. Verifying a credential at source means an accredited layer queries the issuing register and returns current status. A DIY tool falls back on a person manually re-checking each portal, which is exactly where lapses slip through: someone forgets, a card is suspended between checks, or a banning order is issued and never noticed.

The maintenance burden as rules change

The single most underestimated cost of building in-house is keeping up with regulation. The care sector is in the middle of a sustained reform wave, and every change means re-coding your tracker's logic.

Recent and upcoming examples include:

• The new Aged Care Act commenced on 1 November 2025, with worker screening narrowed to two options: a police certificate under 3 years old or an NDIS Worker Screening Clearance. A further strengthened national screening process is expected from mid-2026. See the Aged Care act provider screening checklist.
• The National Early Childhood Worker Register went live on 27 February 2026, with approved providers required to update worker records within 14 days of an engagement or change.
• A national Aged Care worker register and registration scheme are on the horizon, which will reshape how portable credentials work. See future Aged Care worker register.

Each of these shifts the rules your tracker has to encode. With a DIY build, that re-work lands on your team every time a regulator moves. A platform absorbs the rule changes on the vendor's side, then re-evaluates every worker's status against the new logic. That is the difference between maintaining a system and consuming one.

For Disability and Childcare specifically, remember that the NDIS Worker Screening Check includes a police-history component, and a Working With Children Check incorporates a criminal history assessment, so a separate police check is generally not required. The exact relationship varies by jurisdiction, so check your state's rules. A DIY tracker built by someone unfamiliar with that can end up double-listing a police check as a separate requirement, creating phantom non-compliance and wasted chasing.

Build cost versus subscription, honestly

The cost comparison is rarely as simple as build price against annual fee.

A DIY build carries:

• The initial development cost, in either internal time or contractor fees.
• Ongoing maintenance every time a rule, role or site changes.
• The cost of someone manually re-checking source registers, because the build cannot.
• Key-person risk if the one developer who understands it leaves.

A subscription platform carries a predictable annual fee, with rule maintenance, source verification where available, and support folded in. The tradeoff is less control over the data model and a dependency on the vendor's roadmap.

It is tempting to assume that a large organisation with its own platform team is the exception, and is better off building. We do not think that holds. A capable team can certainly build the storage, the dashboard and the reminders. What it cannot build, however much engineering you throw at it, is accredited verification at source, a compliance engine that keeps pace with regulation across three sectors, or a network that makes each hire easier as it grows. Those are not a function of headcount. So even at scale the real choice is rarely build versus buy: it is build the part you could always build, then integrate a specialist layer for the part you structurally cannot. Where data residency or control genuinely matter, that is a requirement to put to the platform, not a reason to rebuild compliance from scratch. A small or growing provider that wants its team focused on care, not on tracking regulatory changes, will find a platform pays for itself the first time a rule shifts. For a structured way to weigh vendors against a build, see choosing care sector compliance software.

The compliance module in your ATS or HR system

There is a third option that often gets overlooked, because it feels like you already have it: the credential-tracking feature bundled into your applicant tracking or HR system. If you are already paying for it, switching it on looks like the obvious move.

It is worth being fair about what these systems are for. An applicant tracking system (ATS) like JobAdder or LiveHire, or an HR system like Employment Hero or ELMO, is built to run the whole employee lifecycle: advertising roles, screening applicants, onboarding, leave, performance, payroll and more. They are genuinely good at that breadth, and the credential tracker that ships alongside it will store documents and flag expiry dates well enough.

The problem is depth. Compliance is one feature among dozens in a product whose job is everything else, so it rarely goes beyond storage and reminders. In practice that leaves the same gaps as a basic build:

• It does not verify at the source, so it shows what was uploaded, not whether a clearance is still valid today.
• It does not understand care-sector rules: which screening a given role needs across Aged Care, Disability and Childcare, or how those rules change. It is a generic document field, not a compliance engine.
• It does not keep pace with reform. A generalist vendor serving every industry will not re-code its logic each time an Australian care regulator moves.
• It does not monitor continuously for a suspended card or a fresh banning order.

This is not a knock on HR systems. The breadth that makes them valuable for everything else is exactly why their compliance corner is thin: a product trying to do all of HR cannot also go deep on one sector's screening law. It only somewhat solves the problem, and for care compliance specifically, it barely scratches the surface of what you actually need.

The better pattern is not to rip out your HR system. It is to keep it for what it does well and connect a dedicated compliance layer alongside it, so the depth sits where the rules actually live.

Not every dedicated platform is more than a filing cabinet

So a dedicated platform it is. Even then, the decision is not over, because platforms are not all the same. A surprising number of compliance platforms are, underneath, a tidy digital filing cabinet: somewhere to upload a document, store an expiry date and fire a reminder. That is a genuine improvement on a shared drive, but it reproduces the same two gaps a DIY tracker has. It does not confirm a credential at its source, and it does not understand what each role in each sector actually requires. The provider is still the one reading the rules, deciding what applies and chasing what is missing.

So when you compare platforms, the question is not "does it store documents and remind me", because almost all of them do. The questions that separate them are:

• Does it verify at the source where that is possible, or only hold what someone typed in?
• Does it monitor the sources it tracks, so a fresh banning order or a Working With Children Check status change surfaces between checks (with broader continuous monitoring being worked towards), and track expiry on the rest, or does it only watch the expiry date you entered?
• Does it know the rules for each role and sector, and update them when regulation changes, or is it a blank container you configure and re-configure yourself?

A platform that only answers the first half of each question is a filing cabinet with a login. The interpretation, the verification and the keeping-current still land on your team. The whole reason to leave a spreadsheet behind is to move that work somewhere else, so it is worth checking the platform actually does.

Does it get better as it grows?

There is one more difference between a filing cabinet and a network, and it is the one that compounds over time. A DIY tracker, and a storage-and-reminders platform, are silos: the work you put in benefits only you, and it is worth exactly as much on day one thousand as on day one. Another provider adopting the same software does nothing for yours.

A worker-held model with a network around it behaves differently. As more of the sector takes part, and as your own use builds up, the platform gets more useful rather than sitting still:

• Workers stop re-uploading. Because the Career Passport belongs to the worker and travels with them, someone who has already had their credentials reviewed arrives with that work done, so onboarding starts from a clear record instead of a fresh paperwork round.
• The feedback gets richer. The more workers take part, and the more places they have worked through Koora, the fuller and more useful their feedback records become, so a provider has more to go on.
• It becomes a place to find workers. With more workers on Koora, it is also somewhere providers and workers can find each other directly, which can cut the reliance on agency fees and job ads posted elsewhere.
• Kooka AI grows with your data. Kooka AI, Koora's assistant, can securely draw on your own workforce records to help you navigate compliance as the rules keep changing. To be precise, that does not mean we train a model on your data. It means the assistant has guarded, permissioned access to your own records, so its answers are grounded in your actual workforce rather than generic advice.

That is a virtuous circle: each participant makes the platform a little more useful for the next, and the value builds with the network and your own use rather than sitting still. A filing cabinet, however well organised, does not have that property. We will be honest that this is the model working as designed, not a finished network. Koora is early, and the circle only turns as the sector takes part. But it is a structural advantage a storage tool can never grow into.

What stays your responsibility either way

Whichever path you take, the legal obligation does not move. The provider remains responsible for sighting evidence and deciding who is cleared to work. A platform can pre-clear credentials, surface issues and reduce manual chasing, but it does not replace that duty, and any tool that claims to should be treated with caution. Convenience and rigour have to sit together.

It is also worth being clear that compliance status is current-state. A tracker, DIY or platform, shows you where things stand when the report runs. It does not reconstruct a historical "was compliant on this date" record unless it was built to log status over time.

Authoritative sources

• Aged Care workforce screening requirements (Department of Health, Disability and Ageing)
• NDIS Worker Screening (NDIS Quality and Safeguards Commission)
• National Early Childhood Worker Register (ACECQA)
• AHPRA register of practitioners

Where Koora fits

Koora is built to be the second kind of platform, not a filing cabinet with a login. It is a purpose-built compliance layer for the care sector, and the difference is in what sits beneath the documents.

• A compliance engine holds the actual requirements for each role across Aged Care, Disability and Childcare, so Koora knows what a given worker needs rather than leaving you to configure it. When a rule changes, Koora updates that logic centrally and re-evaluates every affected worker, so your team is not re-coding a tracker each time a regulator moves.
• Three levels of assurance, made explicit on every credential: manually reviewed, verified at source, or verified and continuously monitored. The top tier applies where the source supports it today, namely ban registers and Working With Children Checks, and is being extended to more credentials. You can see at a glance how strong each check is, instead of treating every uploaded file as equally trustworthy.
• Verification at source where it is available, such as Working With Children Checks and AHPRA registration, with monitoring of ban registers and Working With Children Checks so a status change or banning order surfaces rather than sitting unnoticed, and expiry tracking on the rest. NDIS Worker Screening verification at source is on the roadmap; today those clearances are reviewed.
• A worker-held, portable Career Passport, so the review work travels with the worker between employers instead of being repeated at every door.

It also connects to the systems you already run, through API and webhooks, with a direct integration built for a specific tool on request, so your compliance view sits alongside your rostering and HR stack.

What Koora does not do is take the obligation off your desk. You keep the decision on who is cleared to work and the duty to sight evidence. Koora does the pre-clearance, the verification it is allowed to do, and the watching, so that decision starts from a clear, current picture. That is the line between consuming a compliance system and maintaining one.