Clinical audit cycle management for CQC-regulated providers
Clinical audit is the quality-improvement methodology that compares actual practice against a defined standard, identifies the gap, makes changes, and re-audits to test whether the gap has closed. Reg 17 (good governance) treats it as the headline evidence for the “assess, monitor and improve” clause. The pattern most providers fall into is running audits to evidence that audits are happening, rather than to drive change. The point of the cycle is the second loop.
What the regulation expects
Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 requires providers to have an effective system for assessing, monitoring and improving the quality and safety of the services provided. Clinical audit is the most recognisable evidence channel for the “monitoring and improving” element. The regulation does not prescribe specific audits, frequencies, or formats; it expects the system to produce evidence that the provider is using the findings.
The conventional audit cycle has four stages: define the standard (typically against NICE guidance, published Royal College standards, or local policy), collect the data, compare against the standard, change practice to close the gap, then re-audit to test the change. The complete loop is what the inspector reads as evidence; a single-loop audit (data collected, gap identified, no re-audit) is the most common form of partial compliance.
For independent secondary care, the expected audit programme is sector-specific: WHO surgical safety checklist compliance, antimicrobial stewardship, controlled-drug stock checks, IPC audits, consent documentation audits, hand hygiene compliance, and other audit topics that map to the regulated activities the service is delivering.
What providers most often miss
Across the inspection portfolio Klaudiusz worked over thirteen years inside CQC, three clinical-audit patterns surfaced more than any others.
One: the audit closes at the data-collection stage. The team designs the audit, collects the data, presents the findings to the governance meeting. The next quarter, a new audit topic starts. The original audit never produced a defined change to practice or a re-audit. The findings sit in a slide deck on the network drive. The team did the work and cannot point to what changed.
Two: the standard is local rather than referenced. The audit defines the standard as “our policy” or “current practice”. When the inspector asks where the standard came from, the team cannot cite an external reference. A standard that is whatever the service is currently doing is not a standard; it is a baseline. The audit cycle requires the comparison against an independent reference (NICE, Royal College, sector guidance) so the gap analysis carries weight beyond internal consensus.
Three: the re-audit is scheduled but never happens. The action plan from the first audit includes “re-audit in six months”. Six months later, no re-audit runs. Twelve months later the team cannot say whether the changes worked. The re-audit is the inspectable evidence that the change stuck; without it, the audit is compliance theatre. The cycle is named the audit cycle for a reason.
What an inspector looks for in the audit programme
The standard inspector reading is at three levels: the annual audit programme as a whole, two or three sampled audits in depth, and the link between audit findings and the wider improvement action programme.
At the programme level the test is whether the audit topics map to the regulated activities, whether the programme covers the high-risk areas the sector profile implies, and whether the programme repeats over the year so the cycle actually completes. A programme with twenty topics in a year, none re-audited, is a pattern. A programme with twelve topics, six of them re-audits of last year's work, is a different pattern.
At the sampled-audit level the test is whether the standard is named with a citation (NICE guidance, Royal College reference, statutory regulation), whether the data collection methodology is described in enough detail that the result is reproducible, whether the findings include a quantified comparison against the standard, and whether the action plan from the audit ties into the improvement-actions register.
At the linkage level the test is whether actions that originated from audits get worked through the improvement-action lifecycle and whether the re-audit picks up the action's effect. The cycle is complete when the re-audit data shows the gap closing. The cycle is partial when the re-audit shows the gap unchanged and the team has no explanation. The cycle is inspectable evidence of well-led when the team has an explanation for what worked, what did not, and why.
How Verivius handles clinical audit
Verivius runs the audit programme through the assurance calendar: each audit topic is a recurring calendar item with a defined standard (with the external reference cited), a defined cadence, a named owner, and a results-against-standard field at completion. The action plan from each audit links into the improvement-actions register so actions get worked through the normal lifecycle. The re-audit appears on the calendar automatically based on the cadence so the cycle completes by default rather than by remembering to re-schedule. Aggregate views show the trailing 12-month audit programme so the well-led question (are we re-auditing what we should be?) has a visible answer. For the full feature walk-through see what Verivius actually does.
See also the Day-to-day use section on the FAQ for the short answers across every lifecycle.
Common questions on clinical audit
Does CQC require a specific audit programme?
No. Reg 17 sets the outcome (an effective system for monitoring and improving quality and safety) but does not prescribe specific audits. The inspector reads the audit programme against the regulated activities the service delivers; a programme that omits high-risk topics relevant to the service profile is the gap. Sector-specific audit calendars (WHO surgical safety checklist, IPC, controlled-drug stock checks, etc.) are de-facto expectations even where not statutorily prescribed.
What standard should we audit against?
Where NICE guidance applies, NICE is the standard reference. Royal College specialty-specific standards cover the next layer (Royal College of Surgeons of England intercollegiate surgical curriculum, Royal College of Anaesthetists guidance on consent for anaesthesia, and equivalent bodies per specialty). Where neither applies, an explicit local policy with a dated review cycle can serve as the standard, but the audit needs to acknowledge the policy is the standard rather than an external benchmark.
How often should we re-audit?
The re-audit cadence shapes around the action plan. If the audit produced actions with a six-month implementation window, a re-audit at month seven or eight tests whether the changes stuck. The general rule is the re-audit follows the action timeline, not a fixed annual rhythm. Persistent gaps from the first audit warrant a tighter re-audit cadence; successfully closed gaps move to a longer cadence for assurance.
Who should run audits?
The named auditor needs sufficient independence from the practice being audited that the result is credible. A consultant auditing their own theatre list is a conflict; a peer consultant auditing the same list is acceptable; an external reviewer is ideal where the topic is high-stakes (mortality review, never-event review, certain post-incident audits). The platform records the named auditor on each audit so the independence question is visible.
How does this fit with quality improvement projects?
Audit and QI are adjacent but distinct. Audit compares actual against standard; QI uses methods (PDSA cycles, run charts, driver diagrams) to implement and test changes. A QI project often follows an audit finding; the audit identifies the gap and QI executes the change. The two integrate through the action lifecycle: audit-spawned actions that involve QI methodology link to a QI record that carries the change history.
Related sample policies
Verivius-authored templates that pair with this page. Verbatim statutory text plus plain-British summary and adoption sections; for adaptation, not adoption unchanged.
See how the audit cycle works inside Verivius
A 20-minute conversation walks through how the assurance calendar drives the audit programme, how audits link into the improvement-actions register, and how the re-audit appears automatically so the cycle actually completes.
Worth reading alongside: the improvement-action-plans page for how audit-spawned actions work through the closure loop, and the risk-register page for how audit results feed the residual-risk re-assessment.
Related sample policy templates: Infection prevention and control · Good governance (Reg 17).
Last reviewed 30 May 2026