How to Boost Clinical Practice with an Evidence-Based Audit

Written by Kate Pope
Reviewed by Vlad Kovalskiy

With Clinical Audit Awareness Week approaching fast, NQICAN chair Carl Walker shows us how to make the most of an evidence-based approach to improving our clinical practice. Don’t rely on mere quality assurance when you have a chance to really make things better.

How did you start your career in healthcare? What drove you to support quality improvement in the way that you do?

From an early age, even at high school, I wanted to be a statistician. I based my work experience around that, and I moved schools so that I could do an A-level in statistics. I went on to study statistics at university, and that taught me how to use data to make decisions.

After I graduated from Coventry University with a Stats & Business degree, I saw a summer job being advertised at the local hospital, and I've been here ever since, nearly 20 years later. During this time I have had lots of different roles, but essentially, I've found my niche in getting a big drive out of helping clinicians improve what they're doing. Ultimately, it's about using data and measurement to improve patient care, and that's what makes me tick.

There are so many people I've worked with over the years across Leicestershire, and you're always getting new junior doctors and different consultants and medical directors to work under. It keeps life interesting and I don't think I've ever done the same day twice.

I've had my national role over the past 2-3 years, which has allowed me to cast my net over a wider area and it's a good way to put back into the system in terms of sharing my experiences and pitfalls. I get to share what works and what doesn't.

Many doctors in the public and private sectors alike are looking for ways to proactively improve their practice. To inspire our readers to make their own changes, can you give an example of how clinical auditing was done successfully in primary care?

Most of my experience is within an acute teaching hospital rather than in primary care, but I've had contact with GPs at various points over the years. We were looking at pathway audits for pre-admission, post-discharge etc.

One thing I will say is that it's quite difficult, or at least has been in the past, to look at whole pathways in audits. We're doing a scheme within Leicestershire, looking across it and trying to make projects easier and to break down the boundaries. We want to make the governance and sharing of information easier.

Effective projects that I’ve been involved with would be the readmission to hospital audits we’ve done in collaboration with primary care colleagues. In the past, we audited that readmission and then liaised with their GP to find out whether there was a care package put in place or whether they were aware that the patient had been discharged. We looked at whether there was anything we could have done to prevent that readmission and if we could have provided better information on how to treat and manage that patient in the home setting.

Communication via discharge letters and getting feedback about it was good for seeing whether we were giving good and timely information to our primary care colleagues. We examined whether GPs were getting told why their patient had been referred to an emergency or outpatient setting.

The best approach to clinical auditing is to look at and improve our practices to make sure that we are not just meeting current standards but also developing better ones. In your view, what are the main obstacles that prevent clinicians from striving towards improvement rather than the mere assurance of existing standards?

The main obstacle, without a doubt, is the lack of protected time to carry out quality improvement and make joint plans across the board. There's a lack of support in general, and primary care doesn't have an audit department that GPs can go to as such.

When resources are limited, you focus on the mandatory requirements set by regulators and compliance bodies. In the US context, this increasingly means meeting standards tied to frameworks like the Sarbanes-Oxley Act, GAAP compliance requirements, and PCAOB guidelines for publicly reporting entities. Healthcare organizations face a similar dynamic, where staff prioritize mandatory reporting over proactive improvement work. There's also a lack of expertise in terms of extracting information from systems and analysing it.

Primary care has better EHRs than the secondary care setting, but it's still quite hard to get actionable data out of those systems. That makes it hard to use the data to drive improvement. Having better IT for accessing and analysing performance data would help organizations understand how they're doing and where change is needed most.

There is a variety of different quality improvement tools available out there. Which are most appropriate for use in the private sector, and why?

I've had quite a few discussions about this recently, and the main thing is having a systematic approach to what you're doing. There's a quote that says, "All processes will fail if you don't follow them from start to finish, no matter what you're doing." The same applies to quality improvement.

You can pick whatever model you want out of the many tools in the toolbox, as long as you carry out the audit or Plan Do Study Act (PDSA) cycle systematically. You can't just collect your data and present it back as an improvement. You have to look at where we're not making an improvement, find out what the standards are, put together a useful action plan, and then monitor the effects of this or that action to see if they have made a difference to patient care.

The model for improvement and the audit cycle are the two key ones that we promote for improvement work. It's all about defining what you want to achieve from the start, and identifying the measurements that will tell you whether you're doing what you should be doing. Learn as you go along to see how the changes are affecting things as you roll them out.

What is Evidence-Based Auditing?

At its core, an evidence-based audit is a structured process of collecting, evaluating, and interpreting audit evidence to reach a well-supported conclusion about an organization's financial statements, clinical outcomes, or operational practices. Audit evidence is all the information an auditor gathers, whether from direct procedures or other sources, to form the basis of their opinion. This includes both information that supports management's assertions and information that contradicts them.

In financial contexts, the goal of evidence-based auditing is typically to determine whether financial statements comply with recognized standards such as GAAP (Generally Accepted Accounting Principles). The Public Company Accounting Oversight Board (PCAOB), established under the Sarbanes-Oxley Act of 2002, defines audit evidence as all information used by auditors in arriving at the conclusions on which their opinion is based. For healthcare and clinical settings, the same principles apply: evidence gathered through systematic review tells you whether care processes meet defined standards and where improvement is needed.

Evidence-based auditing is not a single event. It is a repeating cycle of planning, gathering evidence, evaluating findings, and acting on what you learn. Whether you are reviewing patient records, payroll data, or billing accuracy, the fundamental discipline remains the same: your conclusions must be grounded in sufficient, appropriate evidence rather than assumption or anecdote.

Essential Characteristics of Reliable Audit Evidence

Not all audit evidence carries equal weight. For evidence to be useful, it must meet specific quality criteria. These characteristics are recognized across financial, clinical, and operational audit frameworks.

Sufficiency refers to the quantity of evidence gathered. More evidence is generally required when audit risk is elevated or when the area under review involves significant complexity. As the PCAOB notes, increasing audit risk increases the amount of evidence an auditor should obtain.

Appropriateness captures the quality of the evidence, encompassing both relevance and reliability. Evidence is relevant when it relates directly to the assertion or standard being tested. It is reliable when it comes from a credible, independent source and has not been manipulated.

Reliability increases when evidence is obtained from external sources rather than internal ones, when it is gathered directly by the auditor rather than provided by the client, and when it exists in documentary form rather than oral statements. Strong internal controls within an organization also increase the reliability of internally generated evidence. When internal controls are well designed and consistently applied, the risk of material error in the records they govern is lower, which means auditors can place greater trust in those records.

Relevance means the evidence actually addresses the objective of the audit procedure. Gathering large volumes of irrelevant data does not substitute for a smaller body of targeted, well-chosen evidence.

Compliance with GAAP or other recognized standards provides the benchmark against which audit evidence is evaluated. Evidence that cannot be tied back to a clear standard is difficult to interpret and weakens the audit's conclusions.

Core Methods for Obtaining Audit Evidence

The PCAOB outlines seven primary procedures auditors use to collect evidence. Understanding these methods helps both financial and clinical auditors design appropriate testing strategies.

  • Inspection involves examining records or documents, whether maintained by the organization being audited or obtained from external parties. Reviewing signed contracts, patient records, or original invoices are all forms of inspection.
  • Observation means watching a process or procedure being performed. An auditor observing a physical inventory count, or a clinical reviewer watching a medication administration workflow, is gathering firsthand evidence about whether a process operates as documented.
  • Inquiry involves asking questions of personnel inside or outside the organization. Inquiry alone is generally not sufficient as audit evidence because responses cannot always be independently verified, but it is a useful starting point for identifying areas that warrant deeper investigation.
  • Confirmation is the process of obtaining a direct response from a third party to verify a specific assertion. Confirming account balances directly with a bank, or verifying a patient referral with the receiving provider, are common examples.
  • Recalculation involves checking the mathematical accuracy of documents or records. This can be as straightforward as re-adding a column of figures or as complex as recomputing a depreciation schedule.
  • Reperformance means independently executing a procedure that was originally performed by the organization, such as re-running an aged accounts receivable analysis.
  • Analytical procedures involve evaluating financial or operational data by studying relationships and identifying unusual patterns or deviations that may indicate errors, fraud, or process failures.

Real-World Examples of Audit Evidence in Practice

Audit evidence appears in many forms depending on the type of audit and the stage at which it is gathered. The following examples illustrate how evidence functions across different contexts.

Bank statements and reconciliations are among the most common and reliable forms of financial audit evidence. Because they originate from an independent external source, they carry high reliability for confirming cash balances.

Invoices and purchase orders support assertions about expenditure and procurement. Matching invoices to approved purchase orders and delivery receipts provides a three-way confirmation that a transaction was legitimate and accurately recorded.

Payroll records are reviewed to confirm that compensation expenses are accurately stated and that payments were made only to active employees. Auditors typically cross-reference payroll data against HR records to detect ghost employees or unauthorized pay adjustments.

Electronic Health Record (EHR) data is the clinical equivalent. In a healthcare audit, EHR extracts can confirm whether clinical protocols were followed, whether documentation supports the level of care billed, and whether patient outcomes align with treatment plans. As noted in our interview, getting actionable information out of EHR systems remains a practical challenge, but when the data is accessible, it is powerful evidence.

Contracts and legal agreements confirm the existence and terms of significant business relationships. These are particularly important in compliance audits where specific contractual obligations must be met.

Third-party confirmations, such as bank confirmations or supplier statements, are preferred by auditors precisely because they come from independent sources and are therefore harder to fabricate or manipulate.

Across all these examples, the principle is consistent: evidence closest to an independent, external source and supported by clear documentation carries the most weight in forming a reliable audit opinion.

Understanding Audit Risk

Audit risk is the risk that an auditor reaches an incorrect conclusion, most often by issuing a clean opinion when a material misstatement or compliance failure actually exists. Understanding audit risk is fundamental to deciding how much evidence to gather and what procedures to use.

Audit risk is generally understood as the product of three component risks.

Inherent risk is the susceptibility of an assertion to a material misstatement, assuming no related controls are in place. Some areas carry higher inherent risk by their nature. Complex financial instruments, related-party transactions, and high-volume billing processes in healthcare all represent elevated inherent risk.

Control risk is the risk that a material misstatement will not be prevented or detected by the organization's internal controls. Strong, well-functioning internal controls reduce control risk. When an auditor evaluates internal controls and finds them effective, they can rely on those controls as a form of audit evidence and reduce the extent of their direct testing.

Detection risk is the risk that the auditor's own procedures will fail to detect a misstatement that exists. Auditors can manage detection risk by adjusting the nature, timing, and extent of their procedures. When inherent risk and control risk are high, detection risk must be kept low, which means gathering more evidence and using more rigorous procedures.

The PCAOB's standards on audit evidence, including AS 1105, are built around the principle that auditors must calibrate their evidence-gathering to the overall level of audit risk. Understanding where risk is concentrated helps auditors allocate their effort efficiently and focus on the areas where incorrect conclusions would matter most.

Technology, AI, and Data Analytics in Audit Evidence Collection

The way audit evidence is gathered and evaluated is changing rapidly. Artificial intelligence, big data, and audit data analytics are giving auditors the ability to work with far larger datasets than traditional sampling-based approaches allowed.

Traditional auditing relied on testing a sample of transactions and inferring conclusions about the full population. Audit data analytics tools now allow auditors to test entire populations of transactions, identifying anomalies and patterns that a sample-based approach might miss entirely. This increases both the quality and the coverage of the evidence gathered.

AI tools are being applied to tasks such as contract review, invoice matching, and anomaly detection in financial records. In clinical settings, machine learning models can flag documentation gaps, coding inconsistencies, or deviation from clinical protocols across thousands of patient records simultaneously.

Big data introduces new sources of evidence, including external market data, social media signals, and real-time operational feeds, but it also introduces new questions about reliability. Evidence drawn from unverified external sources must be evaluated carefully before it can support an audit conclusion. The PCAOB issued staff guidance in October 2025 specifically addressing how auditors should evaluate the reliability of external information provided in electronic form, which reflects how central these questions have become.

For healthcare organizations using platforms that integrate EHR data with quality reporting, these tools represent an opportunity to make the kind of continuous, evidence-based improvement described throughout this interview far more achievable.

Best Practices for Audit Documentation

Audit documentation is the written record of the procedures performed, the evidence obtained, and the conclusions reached during an audit engagement. Good audit documentation does more than satisfy a compliance requirement. It creates institutional memory, supports quality control, and makes future audits faster and more reliable.

Several practical principles help organizations build strong documentation habits.

Document contemporaneously. Evidence should be recorded as it is gathered, not reconstructed after the fact. Contemporaneous records are more accurate and are treated as more credible during review.

Link evidence to objectives. Each piece of documentation should be clearly connected to the specific assertion or standard it supports. Reviewers should be able to follow the logic from objective to procedure to evidence to conclusion without needing to guess at the connection.

Maintain version control. When documents are updated or superseded, earlier versions should be retained and clearly labeled. This is particularly important for organizations subject to regulatory review.

Standardize working paper formats. Consistent templates for checklists, memos, and testing schedules reduce the risk that important steps are missed and make it easier for a second reviewer to follow the work.

Protect and retain records appropriately. The Sarbanes-Oxley Act sets specific retention requirements for audit documentation of public companies. Healthcare organizations face similar requirements under federal and state regulations. Secure storage, clear access controls, and defined retention schedules are non-negotiable components of a compliant documentation system.

Strong audit documentation is ultimately what makes an evidence-based audit defensible. The quality of the underlying procedures matters, but if those procedures are not documented clearly, the evidence they produced cannot be relied upon with confidence.
