Using Audits as Assurance Evidence, Not a Tick-Box Exercise

Audits are one of the most frequently cited forms of evidence during CQC assessments, yet they are also one of the most misunderstood. Providers often complete large numbers of audits without realising that volume alone offers little assurance.

This expectation links closely to quality assurance systems and CQC’s wider approach to Quality Statements. Inspectors want to see how audits are used to manage risk and improve outcomes, not simply whether they exist.

A final useful step in connecting governance, inspection, and compliance is to review the adult social care compliance and governance knowledge centre as part of ongoing development.

Strong providers treat audits as active tools. They show how findings lead to action, how risks are reduced and how improvements are sustained over time.

Why this matters

An audit that identifies issues but does not lead to change provides limited assurance. Inspectors will look beyond completion dates and scores to understand what happened next.

They will test whether audits lead to action, whether improvement is sustained and whether leadership understands the risks identified.

Clear framework for using audits as assurance evidence

The first step is to identify risks through audits. The second is to take clear action. The third is to re-check outcomes. The fourth is to demonstrate improvement over time.

This creates a full audit cycle that inspectors recognise as credible assurance.

Operational example 1: Preventing audits being completed without meaningful action

Step 1. The Registered Manager reviews audit areas across the service, identifies high-risk priorities and records audit schedules, expectations and risks in governance planning documents and quality assurance frameworks.

Step 2. The provider defines audit expectations, sets requirements for identifying risks and records audit standards and reporting processes in governance procedures and operational documentation.

Step 3. Staff complete audits in practice areas, identify issues and record findings, risks and required actions in audit tools and governance documentation systems.

Step 4. The Registered Manager reviews audit findings, prioritises risks and records actions, responsibilities and timescales in governance reports and action tracking documentation.

Step 5. The provider reviews action completion monthly, identifies delays or risks and records oversight decisions, improvements and further actions in governance dashboards and quality assurance reports.

What can go wrong is that audits are completed but no action is taken. Early warning signs include repeated issues or unchanged audit results. Escalation should involve leadership intervention and accountability. Consistency is maintained through action tracking.

Governance focuses on action completion, risk prioritisation and accountability. The Registered Manager reviews this regularly, with provider oversight monthly. Action is triggered by incomplete or delayed responses.

The baseline issue may be audit-only activity. Improvement is shown through completed actions and reduced risks. Evidence includes audit tools, action plans and governance reports.

Operational example 2: Demonstrating re-audit and measurable improvement following identified risks

Step 1. The Registered Manager identifies areas requiring follow-up, reviews previous audit findings and records priorities, risks and required improvements in governance tracking systems and audit documentation.

Step 2. The provider defines re-audit expectations, sets timelines and records requirements for measuring improvement in governance procedures and quality assurance documentation.

Step 3. Staff complete re-audits in identified areas, assess changes and record findings, outcomes and improvements in audit tools and governance documentation systems.

Step 4. The Registered Manager reviews re-audit results, compares outcomes and records improvements, ongoing risks and required actions in governance reports and audit documentation.

Step 5. The provider reviews improvement trends monthly, identifies risks and records oversight decisions, improvements and further actions in governance dashboards and quality assurance reports.

What can go wrong is that improvements are assumed but not verified. Early warning signs include lack of re-audit or unclear outcomes. Escalation should involve structured follow-up. Consistency is maintained through re-audit cycles.

Governance focuses on improvement, verification and outcome tracking. The Registered Manager reviews this regularly, with provider oversight monthly. Action is triggered by lack of improvement.

The baseline issue may be unverified change. Improvement is shown through measurable outcomes. Evidence includes re-audit data, governance reports and audit comparisons.

Operational example 3: Linking audits to risk management and leadership oversight

Step 1. The Registered Manager reviews audit findings alongside risk registers, identifies connections and records risks, priorities and escalation requirements in governance tracking systems and risk documentation.

Step 2. The provider defines escalation processes, sets expectations for leadership oversight and records requirements for reviewing audit risks in governance procedures and operational documentation.

Step 3. Staff escalate identified risks through reporting systems, follow procedures and record actions, outcomes and escalation in governance records and operational documentation systems.

Step 4. The Registered Manager reviews escalated risks, ensures leadership awareness and records decisions, actions and oversight in governance reports and audit documentation.

Step 5. The provider reviews risk trends monthly, identifies priorities and records oversight decisions, improvements and further actions in governance dashboards and quality assurance reports.

What can go wrong is that audit risks are not escalated or reviewed. Early warning signs include unresolved issues or repeated incidents. Escalation should involve senior leadership review. Consistency is maintained through structured governance.

Governance focuses on risk identification, escalation and oversight. The Registered Manager reviews this regularly, with provider oversight monthly. Action is triggered by recurring risks.

The baseline issue may be disconnected audit systems. Improvement is shown through integrated risk management. Evidence includes risk registers, governance reports and audit data.

Commissioner expectation

Commissioners expect audits to demonstrate real assurance. They look for clear evidence of risk identification, action and improvement.

They also expect providers to show that audit systems are meaningful and embedded.

Regulator / Inspector expectation

Inspectors expect audits to show a full cycle. They look for evidence of findings, action, re-checking and sustained improvement.

They also expect leadership oversight. Audit results must be understood and acted upon.

Conclusion

Using audits as assurance evidence requires providers to demonstrate more than completion. They must show how audits identify risks, drive action and lead to measurable improvement.

Governance ensures that audit systems remain effective. Leaders must define how findings are reviewed, how actions are tracked and how improvement is sustained.

Outcomes are evidenced through audit tools, action plans, re-audit results and governance reports. Consistency is maintained through structured audit cycles, regular review and leadership accountability. Strong providers demonstrate that audits are not a tick-box exercise — they are active tools that improve care and reduce risk.

Latest from the knowledge hub

⬅️ Return to Knowledge Hub Index