Eight facilities. 1,200 staff. One Excel spreadsheet, updated quarterly by the compliance team.
The spreadsheet said every credential was current. Green across the board.
Forty-seven staff were working with expired credentials.
AHPRA registrations lapsed. First aid certificates expired six weeks ago. Manual handling, working with children checks, the things you need before you touch a patient or stand in a room with a minor. All expired. All showing green in the tracker because the tracker was last updated three months prior, and in those three months nobody sat down to check again because the quarterly cycle said the next check wasn't due yet.
The spreadsheet wasn't wrong. It accurately reflected the state of things on the day someone sat down and manually checked every registration. The problem is that credentials don't expire quarterly. They expire continuously. A nurse's AHPRA registration expires on a Tuesday. She's rostered Wednesday. She works the shift.
Nobody knows.
How does the roster know what the spreadsheet hasn't been told? It doesn't. The rostering system pulls from its own data. The compliance spreadsheet sits in a SharePoint folder. Two systems. Two update cycles. No connection between them. The roster checks availability and qualifications as entered, and it has no idea that the qualification it's relying on was verified 11 weeks ago and expired last Thursday.
Think about what's actually at risk. A nurse working with a lapsed AHPRA registration isn't just a compliance issue. Professional indemnity insurance may not cover incidents involving unregistered practitioners, which means that's not a fine you're looking at, it's an uninsured clinical event, and the regulator doesn't care that your spreadsheet was updated last quarter. They care that the worker was unregistered when they provided care.
The WHS exposure is the same shape. Manual handling certificate expired. Worker lifts a resident. Injures their back. Was the worker trained and certified to perform that task on that day? The spreadsheet says yes. The certificate says no.
The insurer will go with the certificate.
This is the same pattern I see everywhere. Each system does its job. The HR system holds the credential data. The rostering system schedules the shifts. The compliance tracker records the last known state. But nothing connects them, nothing asks the question that matters: right now, today, does this person's credential status in the source registry match what the rostering system is relying on?
The fix isn't a better spreadsheet. Not a more diligent compliance officer updating monthly instead of quarterly. The fix is a live check, credential status verified against the source registry before shift assignment, not after audit.
The compliance team at this organisation was doing exactly what they were asked to do. They weren't negligent. They were working inside a governance model that couldn't keep pace with reality. Quarterly verification against continuous expiry.
The maths doesn't work.
Forty-seven staff. Eight facilities. All compliant on paper.