Ticking Boxes Isn’t Quality: What High-Performing Organisations Do Differently
Date: 15th June, 2026.
Authored By: James Sheridan | james@sheridanconsult.co.uk
Most internal audits in health and social care do not fail because the organisation lacks commitment. They fail because the audit has been designed to confirm rather than to challenge.
I see this regularly. A manager walks through the building with a checklist. The boxes are ticked. The report is filed. Nothing changes. Six months later, the same checklist produces the same findings. And when an external inspection arrives, the gaps that were always there are suddenly visible to everyone except the people who were supposed to find them.
That is not an audit programme. That is a paper trail.
The purpose of internal audit is not to produce documentation. It is to generate an honest picture of how care is actually being delivered, where the risks are, and what needs to change. Done properly, it is one of the most powerful tools a quality-focused organisation has. Done badly, it creates a false sense of assurance that leaves both service users and providers exposed.
This article sets out what a functioning internal audit programme actually looks like in a health and social care context, and why getting it right matters more in 2026 than it ever has.
Why the Bar Has Risen
The CQC is currently ahead of schedule to complete 9,000 assessments by September 2026, following years of inspection backlogs and sustained criticism of the regulator's effectiveness. For providers who have not been assessed in several years, that backlog is clearing quickly. The likelihood of an assessment in the next twelve months is higher now than it has been since before the pandemic.
At the same time, the CQC's evolving assessment framework has shifted the question it asks. It is no longer simply: do you have a policy for this? It is: what difference does your policy make to the people in your service? That is a fundamentally different standard, and internal audit is the mechanism by which organisations should be honestly answering that question for themselves, before an inspector does it for them.
The most frequent compliance failures identified in CQC assessments cluster predictably around the same areas: medication management, incident reporting, right-to-work and DBS records, and training compliance. These are not complex or obscure requirements. They are areas where organisations consistently overestimate how well their internal controls are functioning, because the controls have never been genuinely tested.
What Most Audit Programmes Get Wrong
The most common failure is designing audits to measure process compliance rather than care outcomes. A checklist that confirms medication is stored correctly tells you something. A checklist that tells you nothing about whether the right person received the right medication at the right time, and whether anyone would know if they had not, tells you very little about safety.
The second failure is frequency without follow-through. Auditing the same area annually and filing the results is not a quality management system. It is record keeping. ISO 9001:2015, the internationally recognised standard for quality management, is explicit on this point: there must be a documented process for identifying nonconformities, completing corrective actions, and verifying that those actions have actually worked. The audit cycle is not complete until the improvement has been evidenced.
The third failure is exclusion. Audits are most effective when they are not viewed as a management exercise. Engaging frontline staff, and where appropriate service users, in the audit process strengthens the relevance of findings and ensures that changes reflect what is actually happening at the point of care delivery, not what managers assume is happening.
The Components of an Audit Programme That Works
A functioning internal audit programme in health and social care has five components. None of them is complicated. All of them require genuine commitment from leadership.
A planned audit schedule, not a reactive one. Audits should be mapped to risk: areas with a higher consequence of failure should be audited more frequently and more rigorously. Medication management, safeguarding, and staffing compliance warrant more scrutiny than, say, the visitors' log. A risk-rated audit schedule is a direct expression of Clause 6 of ISO 9001: planning that reflects where things could go wrong.
Clear standards against which to audit. Every audit needs a defined benchmark. In health and social care, these come from the CQC's fundamental standards, the organisation's own policies and procedures, and sector-specific guidance. Auditing without a clear standard produces opinion rather than evidence. The PDSA cycle (Plan, Do, Study, Act) provides a widely used and practical framework for structuring this process.
Auditors who are independent of the area being audited. A manager auditing their own team is not an independent audit. It is a self-assessment. Peer review, where staff from one team assess another's practice, produces more objective findings and builds wider organisational awareness of quality standards. For smaller organisations, this may mean bringing in external support for higher-risk areas.
A functioning corrective action process. Every finding must generate an action, an owner, a deadline, and a verification step. The single most common gap I see in audit programmes is findings that are acknowledged and never resolved. An audit that identifies a risk and produces no change is worse than no audit at all: it creates documented evidence that a problem was known and left unaddressed.
Reporting that reaches leadership. Audit findings should not live in a quality manager's folder. They should be reported upward, discussed at governance level, and used to inform strategic decisions about resource, risk, and improvement priorities. This is the management review requirement under Clause 9 of ISO 9001, and it is the link between operational audit activity and organisational accountability.
The Governance Connection
Internal audit and governance are not separate functions. They are two sides of the same accountability structure. An organisation with strong governance but a weak audit programme is operating on assumptions. An organisation with thorough audits but no governance mechanism to act on them is generating findings that go nowhere.
The CQC's well-led domain assesses both. It looks for evidence of clear governance systems, of learning from incidents, and of continuous improvement. A well-designed internal audit programme is simultaneously the most practical way to demonstrate compliance with all three and the most honest way to identify where the organisation is falling short before an inspector does.
A Final Reflection
Organisations that implement internal audit well do not do so because they are afraid of inspection. They do so because they understand that quality cannot be assumed: it has to be evidenced, tested, and continuously improved. The audit programme is how that happens in practice.
If your current audit activity consists of checklists that are completed and filed, I would encourage you to ask a harder question: what would this audit need to look like to find something we do not already know? The answer to that question is where genuine quality assurance begins.
Over the coming weeks I will be sharing more practical reflections on quality management, compliance leadership, and what good governance actually looks like in health and social care settings. Follow along if these topics are relevant to your work.