With Clinical Audit Awareness Week approaching fast, NQICAN chair Carl Walker shows us how to make the most of an evidence-based approach to improving our clinical practice. Don’t rely on mere quality assurance when you have a chance to really make things better.
When resources are limited, organizations focus on the mandatory requirements set by regulators and compliance bodies. In the US context, this increasingly means meeting standards tied to frameworks like the Sarbanes-Oxley Act, GAAP compliance requirements, and PCAOB guidelines for publicly reporting entities. Healthcare organizations face a similar dynamic, where staff prioritize mandatory reporting over proactive improvement work. A lack of expertise in extracting and analyzing information from clinical and financial systems further compounds the issue.
From an early age, even at high school, I wanted to be a statistician. I based my work experience around that, and I moved schools so that I could do an A-level in statistics. I went on to study statistics at university, and that taught me how to use data to make decisions.
While primary care has better EHRs than the secondary care setting, it is still quite hard to get actionable data out of those systems. That makes it hard to use the data to drive improvement. Having better IT for accessing and analyzing performance data would help organizations understand how they are doing and where change is needed most.
Having a systematic approach to quality improvement and auditing is critical. There is a quote that says, "All processes will fail if you do not follow them from start to finish, no matter what you are doing." You cannot just collect your data and present it back as an improvement. You have to look at where you are not making an improvement, find out what the standards are, put together a useful action plan, and then monitor the effects of that action to see if it has made a difference. It is all about defining what you want to achieve from the start and identifying the measurements that will tell you whether you are doing what you should be doing.
I've had my national role over the past 2-3 years, which has allowed me to cast my net over a wider area and it's a good way to put back into the system in terms of sharing my experiences and pitfalls. I get to share what works and what doesn't.
What is Evidence-Based Auditing?
At its core, an evidence-based audit is a structured process of collecting, evaluating, and interpreting audit evidence to reach a well-supported conclusion about an organization's financial statements, clinical outcomes, or operational practices. Audit evidence is all the information an auditor gathers, whether from direct procedures or other sources, to form the basis of their opinion. This includes both information that supports management's assertions and information that contradicts them.
In financial contexts, the goal of evidence-based auditing is typically to determine whether financial statements comply with recognized standards such as GAAP (Generally Accepted Accounting Principles). The Public Company Accounting Oversight Board (PCAOB), established under the Sarbanes-Oxley Act of 2002, defines audit evidence as all information used by auditors in arriving at the conclusions on which their opinion is based. For healthcare and clinical settings, the same principles apply: evidence gathered through systematic review tells you whether care processes meet defined standards and where improvement is needed.
Evidence-based auditing is not a single event. It is a repeating cycle of planning, gathering evidence, evaluating findings, and acting on what you learn. Whether you are reviewing patient records, payroll data, or billing accuracy, the fundamental discipline remains the same: your conclusions must be grounded in sufficient, appropriate evidence rather than assumption or anecdote.
Effective projects that I’ve been involved with would be the readmission to hospital audits we’ve done in collaboration with primary care colleagues. In the past, we audited that readmission and then liaised with their GP to find out whether there was a care package put in place or whether they were aware that the patient had been discharged. We looked at whether there was anything we could have done to prevent that readmission and if we could have provided better information on how to treat and manage that patient in the home setting.
Essential Characteristics of Reliable Audit Evidence
Not all audit evidence carries equal weight. For evidence to be useful, it must meet specific quality criteria. These characteristics are recognized across financial, clinical, and operational audit frameworks.
Sufficiency refers to the quantity of evidence gathered. More evidence is required when the risk of material misstatement is elevated or when the area under review involves significant complexity. As the PCAOB puts it in AS 1105, as that risk increases, the amount of evidence the auditor should obtain also increases.
Appropriateness captures the quality of the evidence, encompassing both relevance and reliability. Evidence is relevant when it relates directly to the assertion or standard being tested. It is reliable when it comes from a credible, independent source and has not been manipulated.
Reliability increases when evidence is obtained from external sources rather than internal ones, when it is gathered directly by the auditor rather than provided by the client, and when it exists in documentary form rather than oral statements. Strong internal controls within an organization also increase the reliability of internally generated evidence. When internal controls are well designed and consistently applied, the risk of material error in the records they govern is lower, which means auditors can place greater trust in those records.
Relevance means the evidence actually addresses the objective of the audit procedure. Gathering large volumes of irrelevant data does not substitute for a smaller body of targeted, well-chosen evidence.
Compliance with GAAP or other recognized standards provides the benchmark against which audit evidence is evaluated. Evidence that cannot be tied back to a clear standard is difficult to interpret and weakens the audit's conclusions.
Core Methods for Obtaining Audit Evidence
The PCAOB outlines seven primary procedures auditors use to collect evidence. Understanding these methods helps both financial and clinical auditors design appropriate testing strategies.
- Inspection involves examining records or documents, whether maintained by the organization being audited or obtained from external parties. Reviewing signed contracts, patient records, or original invoices is inspection.
- Observation means watching a process or procedure being performed. An auditor observing a physical inventory count, or a clinical reviewer watching a medication administration workflow, is gathering firsthand evidence about whether a process operates as documented.
- Inquiry involves asking questions of personnel inside or outside the organization. Inquiry alone is generally not sufficient as audit evidence because responses cannot always be independently verified, but it is a useful starting point for identifying areas that warrant deeper investigation.
- Confirmation is the process of obtaining a direct response from a third party to verify a specific assertion. Confirming account balances directly with a bank, or verifying a patient referral with the receiving provider, are common examples.
- Recalculation involves checking the mathematical accuracy of documents or records. This can be as straightforward as re-adding a column of figures or as complex as recomputing a depreciation schedule.
- Reperformance means independently executing a procedure that was originally performed by the organization, such as re-running an aged accounts receivable analysis.
- Analytical procedures involve evaluating financial or operational data by studying relationships and identifying unusual patterns or deviations that may indicate errors, fraud, or process failures.
How to Design an Evidence-Based Audit
Designing an effective evidence-based audit requires shifting your focus from simply seeking answers to requiring documented proof. Many audit programs blur the lines between what is asked and what is proven. This often leads to "verbal compliance," where an organization or department simply confirms that a process is being followed without providing the underlying data to substantiate that claim. Structuring audits around verifiable proof prevents this verbal compliance and ensures that findings are defensible.
Every effective evidence-based audit question should be broken down into three distinct parts: Control Intent, Evaluation, and Evidence.
First is Control Intent. This defines the specific outcome the control is expected to achieve. Before designing the audit procedure, the auditor must clearly understand what constitutes a successful outcome. Whether the focus is on medication administration protocols, financial reconciliations, or system access reviews, clarity of intent prevents subjective audits.
Second is Evaluation. This is the auditor's documented conclusion regarding the status of the control. Using standardized outcomes like "Acceptable," "Minor Issue," or "Major Issue" reduces ambiguity and creates comparability across audit cycles. A rating without underlying support, however, is merely an opinion, and the amount of support a rating needs depends on audit risk: when audit risk is high, the evidence behind each rating must be sufficient and appropriate enough to withstand regulatory scrutiny.
Third is Evidence. This element specifies exactly what artifacts, records, or observations were reviewed to reach the conclusion. By requiring recorded evidence rather than implied or optional support, organizations create discipline without unnecessary rigidity. Linking evaluation directly to physical or digital evidence transforms a simple questionnaire into a rigorous, evidence-based audit.
Real-World Examples of Audit Evidence in Practice
Audit evidence appears in many forms depending on the type of audit and the stage at which it is gathered. The following examples illustrate how evidence functions across different contexts.
Bank reconciliations provide evidence that an organization's cash records match the bank's records. Auditors review these reconciliations to identify discrepancies or unauthorized transfers, ensuring that the reported cash balances are accurate.
Inventory observations require the auditor to be physically present during a stock count. This firsthand observation provides strong evidence that the inventory exists and is in the stated condition.
Invoices and purchase orders support assertions about expenditure and procurement. Matching invoices to approved purchase orders and delivery receipts provides a three-way confirmation that a transaction was legitimate and accurately recorded.
Payroll records are reviewed to confirm that compensation expenses are accurately stated and that payments were made only to active employees. Auditors typically cross-reference payroll data against HR records to detect ghost employees or unauthorized pay adjustments.
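The two tests just described, the three-way match of invoice against purchase order and delivery receipt, and the payroll-to-HR cross-reference for ghost employees and shared bank accounts, are reperformance and analytical procedures that an auditor can run over a whole population rather than a sample. The following is an added example, not code from the original article or from any ERP or HR product; every record is constructed for illustration and the field names are assumptions, not a real system's schema.

```python
"""Added example: reperforming two evidence tests over constructed records.

1. Three-way match: an invoice is accepted only if it agrees with an approved
   purchase order and a goods-received note (quantity, supplier, recalculated
   amount), and the same PO is not billed twice.
2. Payroll vs HR master: every payroll line must map to an active employee,
   and no two employees may be paid into the same bank account.

All data below is constructed; field names are assumptions for illustration.
"""
from datetime import date
from decimal import Decimal

# Constructed purchase orders, keyed by PO number (assumed schema).
PURCHASE_ORDERS = {
    "PO-1001": {"supplier": "Acme Supplies", "qty": 10, "unit_price": Decimal("25.00"), "approved": True},
    "PO-1002": {"supplier": "Acme Supplies", "qty": 5, "unit_price": Decimal("80.00"), "approved": True},
    "PO-1003": {"supplier": "Beta Medical", "qty": 3, "unit_price": Decimal("300.00"), "approved": False},
}

# Constructed goods-received notes, keyed by PO number.
RECEIPTS = {
    "PO-1001": {"qty": 10},
    "PO-1002": {"qty": 4},  # short delivery: 4 of 5 received
}

# Constructed supplier invoices.
INVOICES = [
    {"id": "INV-1", "po": "PO-1001", "supplier": "Acme Supplies", "qty": 10, "amount": Decimal("250.00")},
    {"id": "INV-2", "po": "PO-1002", "supplier": "Acme Supplies", "qty": 5, "amount": Decimal("400.00")},
    {"id": "INV-3", "po": "PO-1003", "supplier": "Beta Medical", "qty": 3, "amount": Decimal("900.00")},
    {"id": "INV-4", "po": "PO-9999", "supplier": "Gamma Ltd", "qty": 1, "amount": Decimal("50.00")},
    {"id": "INV-5", "po": "PO-1001", "supplier": "Acme Supplies", "qty": 10, "amount": Decimal("250.00")},  # duplicate
]


def three_way_match(invoices, purchase_orders, receipts):
    """Return {invoice_id: [exception, ...]} for every invoice that fails the match.

    Invoices that pass are omitted, so the result is the exception report an
    auditor follows up, not a list of everything tested.
    """
    exceptions = {}
    billed_pos = set()
    for inv in invoices:
        problems = []
        po = purchase_orders.get(inv["po"])
        if po is None:
            problems.append("no purchase order on file")
        else:
            if not po["approved"]:
                problems.append("purchase order not approved")
            if po["supplier"] != inv["supplier"]:
                problems.append("supplier differs from purchase order")
            expected = po["unit_price"] * inv["qty"]  # recalculation: qty x unit price
            if expected != inv["amount"]:
                problems.append(f"amount {inv['amount']} != recalculated {expected}")
            rcpt = receipts.get(inv["po"])
            if rcpt is None:
                problems.append("no goods-received record")
            elif rcpt["qty"] < inv["qty"]:
                problems.append(f"billed qty {inv['qty']} exceeds received qty {rcpt['qty']}")
        if inv["po"] in billed_pos:
            problems.append("purchase order already invoiced")
        billed_pos.add(inv["po"])
        if problems:
            exceptions[inv["id"]] = problems
    return exceptions


# Constructed HR master (employee id -> record) and one payroll run.
HR_MASTER = {
    "E100": {"status": "active", "end_date": None, "bank": "GB11-0001"},
    "E101": {"status": "terminated", "end_date": date(2024, 3, 31), "bank": "GB11-0002"},
    "E102": {"status": "active", "end_date": None, "bank": "GB11-0003"},
}
PAY_DATE = date(2024, 4, 30)
PAYROLL = [
    {"emp": "E100", "bank": "GB11-0001", "net": Decimal("2100.00")},
    {"emp": "E101", "bank": "GB11-0002", "net": Decimal("1950.00")},  # paid after termination
    {"emp": "E102", "bank": "GB11-0001", "net": Decimal("2300.00")},  # account shared with E100
    {"emp": "E999", "bank": "GB11-0009", "net": Decimal("1800.00")},  # not in HR master
]


def payroll_exceptions(payroll, hr_master, pay_date):
    """Return {employee_id: [exception, ...]} for payroll lines needing follow-up."""
    by_bank = {}
    for line in payroll:
        by_bank.setdefault(line["bank"], []).append(line["emp"])
    exceptions = {}
    for line in payroll:
        problems = []
        rec = hr_master.get(line["emp"])
        if rec is None:
            problems.append("no HR record (possible ghost employee)")
        else:
            if rec["status"] != "active" or (rec["end_date"] and rec["end_date"] < pay_date):
                problems.append("paid after termination")
            if rec["bank"] != line["bank"]:
                problems.append("bank account differs from HR master")
        others = [e for e in by_bank[line["bank"]] if e != line["emp"]]
        if others:
            problems.append("bank account shared with " + ", ".join(others))
        if problems:
            exceptions[line["emp"]] = problems
    return exceptions


if __name__ == "__main__":
    for report in (three_way_match(INVOICES, PURCHASE_ORDERS, RECEIPTS),
                   payroll_exceptions(PAYROLL, HR_MASTER, PAY_DATE)):
        for key, problems in report.items():
            print(key, "->", "; ".join(problems))
```

Both functions return exception reports keyed by record rather than a pass/fail flag, so each flagged item carries the specific reason the auditor must document. On the constructed data only INV-1 passes the three-way match; INV-2 is over-billed against a short delivery, INV-3 has an unapproved PO and no receipt, INV-4 has no PO at all, and INV-5 bills a PO a second time. The payroll test flags the terminated employee, the unknown employee id, and both employees who share one bank account.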
Electronic Health Record (EHR) data is the clinical equivalent. In a healthcare audit, EHR extracts can confirm whether clinical protocols were followed, whether documentation supports the level of care billed, and whether patient outcomes align with treatment plans. Getting actionable information out of EHR systems remains a practical challenge, but when the data is accessible, it is powerful evidence.
Contracts and legal agreements confirm the existence and terms of significant business relationships. These are particularly important in compliance audits where specific contractual obligations must be met.
Third-party confirmations, such as bank confirmations or supplier statements, are preferred by auditors precisely because they come from independent sources and are therefore harder to fabricate or manipulate.
Across all these examples, the principle is consistent: evidence closest to an independent, external source and supported by clear documentation carries the most weight in forming a reliable audit opinion.
Challenges in Collecting Audit Evidence
While the principles of evidence collection are straightforward, the execution is often fraught with operational hurdles. One of the primary challenges is managing high volumes of data. Organizations generate massive amounts of transaction data, and filtering through this information to identify relevant, testable items can overwhelm audit teams.
Ensuring data quality is another significant hurdle. Evidence is only reliable if the underlying data is accurate and complete. If an organization's internal controls are weak, the data extracted for the audit may contain errors or omissions, forcing auditors to perform additional cleansing procedures before testing can even begin.
Access limitations also complicate evidence collection. Auditors frequently need to navigate complex permission structures to access specific financial modules or clinical EHR systems. Delays in obtaining the necessary system access can bottleneck the entire audit timeline. Overcoming these challenges requires proactive communication, robust data analytics tools, and a clear mapping of where critical evidence resides within the organization's IT infrastructure.
Best Practices for Organizing Audit Records
Proper organization of audit records is essential for a smooth evidence-based audit. A disorganized audit trail increases the time required to verify findings and raises the risk of missing critical documentation. Implementing a few core best practices can streamline the entire process.
Digitizing records is the first crucial step. Relying on physical paper files slows down retrieval and increases the risk of loss or damage. A centralized, secure digital repository allows auditors to quickly search for and retrieve the evidence they need using metadata tags and indexing.
Establishing clear retention schedules is equally important. Organizations must define exactly how long different types of audit evidence need to be kept to satisfy regulatory mandates like the Sarbanes-Oxley Act or healthcare privacy laws. Retaining records longer than necessary creates unnecessary storage costs and security risks, while destroying them too early can result in severe compliance penalties.
Finally, standardize your file naming conventions and folder structures. When both internal staff and external auditors know exactly where to locate specific financial reconciliations or clinical compliance reports, the audit becomes faster and less disruptive.
Understanding Audit Risk
Audit risk is the risk that an auditor reaches an incorrect conclusion, most often by issuing a clean opinion when a material misstatement or compliance failure actually exists. Understanding audit risk is fundamental to deciding how much evidence to gather and what procedures to use.
Audit risk is generally understood as the product of three component risks: AR = IR × CR × DR, where IR is inherent risk, CR is control risk and DR is detection risk. In practice the auditor fixes the level of audit risk they are willing to accept, assesses inherent and control risk, and solves for the detection risk they can tolerate, DR = AR / (IR × CR). The smaller that quotient, the more evidence the auditor's own procedures have to produce.
Inherent risk is the susceptibility of an assertion to a material misstatement, assuming no related controls are in place. Some areas carry higher inherent risk by their nature. Complex financial instruments, related-party transactions, and high-volume billing processes in healthcare all represent elevated inherent risk.
Control risk is the risk that a material misstatement will not be prevented or detected by the organization's internal controls. Strong, well-functioning internal controls reduce control risk. When an auditor evaluates internal controls and finds them effective, they can rely on those controls as a form of audit evidence and reduce the extent of their direct testing.
Detection risk is the risk that the auditor's own procedures will fail to detect a misstatement that exists. Auditors can manage detection risk by adjusting the nature, timing, and extent of their procedures. When inherent risk and control risk are high, detection risk must be kept low, which means gathering more evidence and using more rigorous procedures.
The PCAOB's standards on audit evidence, including AS 1105, are built around the principle that auditors must calibrate their evidence-gathering to the overall level of audit risk. Understanding where risk is concentrated helps auditors allocate their effort efficiently and focus on the areas where incorrect conclusions would matter most.
Technology, AI, and Data Analytics in Audit Evidence Collection
The way audit evidence is gathered and evaluated is changing rapidly. Artificial intelligence, big data, and audit data analytics are giving auditors the ability to work with far larger datasets than traditional sampling-based approaches allowed.
Traditional auditing relied on testing a sample of transactions and inferring conclusions about the full population. Audit data analytics tools now allow auditors to test entire populations of transactions, identifying anomalies and patterns that a sample-based approach might miss entirely. This increases both the quality and the coverage of the evidence gathered.
AI tools are being applied to tasks such as contract review, invoice matching, and anomaly detection in financial records. In clinical settings, machine learning models can flag documentation gaps, coding inconsistencies, or deviation from clinical protocols across thousands of patient records simultaneously.
Big data introduces new sources of evidence, including external market data, social media signals, and real-time operational feeds, but it also introduces new questions about reliability. Evidence drawn from unverified external sources must be evaluated carefully before it can support an audit conclusion. The PCAOB issued staff guidance in October 2025 specifically addressing how auditors should evaluate the reliability of external information provided in electronic form, which reflects how central these questions have become.
For healthcare organizations using platforms that integrate EHR data with quality reporting, these tools make continuous, evidence-based improvement achievable in practice rather than a one-off exercise.
Best Practices for Audit Documentation
Audit documentation is the written record of the procedures performed, the evidence obtained, and the conclusions reached during an audit engagement. Good audit documentation does more than satisfy a compliance requirement. It creates institutional memory, supports quality control, and makes future audits faster and more reliable.
Several practical principles help organizations build strong documentation habits.
Document contemporaneously. Evidence should be recorded as it is gathered, not reconstructed after the fact. Contemporaneous records are more accurate and are treated as more credible during review.
Link evidence to objectives. Each piece of documentation should be clearly connected to the specific assertion or standard it supports. Reviewers should be able to follow the logic from objective to procedure to evidence to conclusion without needing to guess at the connection.
Maintain version control. When documents are updated or superseded, earlier versions should be retained and clearly labeled. This is particularly important for organizations subject to regulatory review.
Standardize working paper formats. Consistent templates for checklists, memos, and testing schedules reduce the risk that important steps are missed and make it easier for a second reviewer to follow the work.
Protect and retain records appropriately. The Sarbanes-Oxley Act sets specific retention requirements for audit documentation of public companies. Healthcare organizations face similar requirements under federal and state regulations. Secure storage, clear access controls, and defined retention schedules are non-negotiable components of a compliant documentation system.
Strong audit documentation is ultimately what makes an evidence-based audit defensible. The quality of the underlying procedures matters, but if those procedures are not documented clearly, the evidence they produced cannot be relied upon with confidence.
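One way to make the documentation principles above checkable rather than a matter of trust is to keep working papers as an append-only log in which each entry carries the three parts of an evidence-based audit question (Control Intent, Evaluation, Evidence, as described earlier in the page), the objective it supports, a timestamp, the hash of each evidence artifact, and a hash link to the previous entry. Editing an earlier evaluation or deleting an entry then breaks the chain, and a superseding finding is a new entry that references the old one rather than an overwrite. This is an added example, not code from the original article or from any audit platform; the schema, helper names and the sample entries are assumptions for illustration.

```python
"""Added example: an append-only, hash-chained audit working-paper log.

Each entry links objective -> control intent -> evaluation -> evidence ->
conclusion, is timestamped when recorded, stores SHA-256 digests of the
evidence artifacts, and commits to the previous entry's hash. The schema and
sample entries are constructed assumptions, not any product's format.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

EVALUATIONS = ("Acceptable", "Minor Issue", "Major Issue")
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Deterministic serialization so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log, *, objective, control_intent, evaluation, evidence,
                 conclusion, supersedes=None, now=None):
    """Append one working-paper entry; `evidence` maps artifact name -> bytes."""
    if evaluation not in EVALUATIONS:
        raise ValueError(f"evaluation must be one of {EVALUATIONS}")
    if not evidence:
        raise ValueError("a rating without recorded evidence is an opinion, not a finding")
    body = {
        "seq": len(log),
        "recorded_at": (now or datetime.now(timezone.utc)).isoformat(),
        "objective": objective,
        "control_intent": control_intent,
        "evaluation": evaluation,
        # Digest, not the artifact: substituting an artifact later is detectable.
        "evidence": {name: sha256_hex(blob) for name, blob in evidence.items()},
        "conclusion": conclusion,
        "supersedes": supersedes,  # seq of the entry this one replaces, if any
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=sha256_hex(canonical(body)))
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (True, None) if every entry hashes and links correctly, else (False, seq)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or body.get("prev_hash") != prev_hash
                or sha256_hex(canonical(body)) != entry.get("hash")):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def build_sample_log():
    """Constructed entries: an initial finding, then a re-audit that supersedes it."""
    log = []
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    append_entry(log, objective="Medication administered per ward protocol",
                 control_intent="Every dose is signed by the administering nurse within 30 minutes",
                 evaluation="Minor Issue",
                 evidence={"mar_extract_ward4_2024-04.csv": b"constructed extract, april"},
                 conclusion="3 of 40 sampled doses signed late; action plan agreed", now=t0)
    append_entry(log, objective="Medication administered per ward protocol",
                 control_intent="Every dose is signed by the administering nurse within 30 minutes",
                 evaluation="Acceptable",
                 evidence={"mar_extract_ward4_2024-06.csv": b"constructed extract, june"},
                 conclusion="0 of 40 sampled doses signed late after re-audit",
                 supersedes=0, now=t0.replace(month=7))
    return log


def tamper_demo():
    """Show that an after-the-fact edit or deletion is detected by verify_chain."""
    log = build_sample_log()
    edited = copy.deepcopy(log)
    edited[0]["evaluation"] = "Acceptable"  # rewriting history to hide the finding
    deleted = copy.deepcopy(log)
    del deleted[0]
    return verify_chain(log), verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    print(tamper_demo())
```

The chain only proves that entries were not altered after they were written; it does not prove they were written at the moment the procedure was performed, so the log should be stored where the audit team can append but not rewrite (a write-once store or an external timestamping service), and the original artifacts should be retained alongside it so their digests can be recomputed during review.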
Frequently Asked Questions
What is the difference between sufficient and appropriate audit evidence? Sufficiency refers to the quantity of audit evidence gathered. Appropriateness measures the quality of that evidence, specifically its relevance to the assertion being tested and its reliability. An auditor must obtain evidence that is both sufficient in volume and appropriate in quality to form a defensible conclusion.
Why is audit evidence important in healthcare compliance? In healthcare, evidence-based auditing ensures that clinical protocols are followed and regulatory standards are met. Gathering concrete evidence protects patient safety and prevents fraudulent billing practices. It also provides the documentation required to satisfy federal and state healthcare mandates.
How do auditors evaluate the reliability of evidence? Auditors generally consider evidence obtained from independent external sources to be more reliable than internally generated evidence. Evidence gathered directly by the auditor is also more reliable than information provided by the client. Furthermore, documentation in the form of paper or electronic records is preferred over oral statements.