When Audits Don’t Deliver Assurance: What HIQA Findings Reveal About Audit Practice in Disability Services

Introduction

HCI has reviewed a sample of HIQA inspection reports for disability services published in March, and one of the clearest themes to emerge is the weakness of audit practice as a source of assurance. Across the reports, providers often had audits and governance systems in place, but inspectors were not always satisfied that these processes were identifying the right issues, reflecting the reality in the centre, or driving timely improvement. In several cases, the issue was not that auditing was absent, but that it was not delivering the level of oversight it was supposed to provide.

That matters because audit should do more than record activity. It should help providers understand whether care is safe, whether risks are being managed, whether actions have been completed, and whether internal assurances can be relied on. In the reports reviewed, HIQA repeatedly found gaps between what had been identified through audit, what was recorded as compliant, and what inspectors saw on the ground. Taken together, these findings raise an important question for providers: if an audit does not lead to action, accuracy or assurance, what value is it really providing?

Audits were identifying issues, but not showing that they had been resolved

One of the most striking themes across the reports was the gap between identifying deficits and demonstrating that they had actually been addressed. In one centre, the provider’s own audit identified deficits in personal planning, annual reviews, goal setting and the absence of some healthcare action plans. However, the associated regulation was later recorded as compliant. When inspectors reviewed the service, those deficits were still outstanding, and when completed actions were requested, they were not available for review. That raises a basic but important audit question: what evidence was used to conclude that compliance had been achieved?

A similar pattern appeared elsewhere, where providers had recognised issues internally but had not translated that into timely or verifiable improvement. In another centre, provider audits had already identified concerns relating to night-time evacuation and premises issues, yet these remained unresolved. The weakness here was not simply the issue itself, but the failure of audit and action tracking to drive closure. When audit systems record concerns but do not support effective follow-through, they stop functioning as a meaningful source of assurance and begin to look more like a paper exercise.

Audit systems were not always identifying the risks that mattered most

Another recurring theme was that monitoring systems were in place, but they were not consistently picking up serious or emerging risks. In one centre, inspectors found that existing audits and planning meetings were not identifying or addressing concerns or risks in the centre. The auditing system was not tailored to identify issues outside the chosen audit theme, which meant there were important gaps in what the system could actually detect. This points to a common weakness in audit design: a process can appear structured and active, while still missing the matters that most affect quality and safety.

In another centre, oversight arrangements failed to identify issues relating to fire safety, maintenance of critical equipment, and an unresolved mould and damp issue in a resident’s bedroom. Immediate actions were issued on the day of inspection. These were not marginal issues. They were significant concerns with the potential to place residents at risk of harm. Where audit practice does not surface that level of risk before an inspection does, it becomes difficult to argue that the provider has effective internal assurance. HIQA is not simply looking for audit activity; it is looking for audit that can reliably detect what matters.

Governance reports and compliance records did not always reflect the reality in the centre

A further issue running through the reports was the reliability of the information produced by governance systems. In one service, governance reports contained inaccurate information, including underreporting of behaviours that challenge and safeguarding concerns. That is more than a documentation issue. If the information being escalated through governance structures is incomplete or inaccurate, then senior oversight is weakened from the start. Providers cannot respond effectively to risks they are not seeing clearly, and inaccurate reporting creates a false sense of compliance.

The same concern sits behind the finding in another service, where deficits remained outstanding despite the associated regulation being recorded as compliant. This is not only a failure of action tracking; it is a failure of governance intelligence. Audit findings, action plans and compliance records should together provide a trustworthy account of the centre’s actual position. When those systems drift away from operational reality, audit stops being a control mechanism and starts becoming a source of misplaced reassurance. That is a serious issue in any regulated service, but especially in settings where providers must be able to demonstrate robust oversight of care and support.

Audit findings were not always converted into timely action

Several of the reports suggest that the problem was not just identification or recording, but the pace and discipline of follow-through. In one of the services, the provider’s response under Regulation 23 included revising audit practice and procedure, introducing a tracker for actions, and making oversight of actions a standing item for senior management meetings. That response is telling in itself. It indicates that stronger action tracking and tighter management oversight were needed to make audit findings meaningful. In other words, the audit process alone was not enough; the provider also needed a clearer mechanism to ensure identified issues were seen through to completion.

That same theme is visible in other centres where known issues remained open over extended periods. In another service, concerns identified through audit had not been acted on adequately. Issues raised by the person in charge were not being responded to adequately by senior management. These findings highlight a wider point: audit is only one part of assurance. It must sit within a governance structure that assigns responsibility, tracks progress, tests whether actions are complete, and checks whether changes have actually improved practice. Without that chain of accountability, audits may generate information, but they do not generate confidence.

What these findings mean for providers

Taken together, these HIQA findings suggest that many providers do not need more audit activity; they need more effective audit practice. A high volume of audits, meetings and trackers does not necessarily mean a provider has good oversight. What matters is whether audit findings are accurate, whether they reflect the real experience of residents and staff, whether actions are completed in a timely way, and whether the provider can show clear evidence that improvement has happened. The reports reviewed show repeated gaps between internal assurance and inspection reality, and that gap is where compliance risk grows.

How HCI Supports Effective Audit and Assurance

HCI supports disability services by delivering a tailored Independent Quality of Care Audit Programme, providing objective oversight and assurance that care is aligned with HIQA requirements and best practice.

Our specialists carry out thorough assessments against the relevant regulations and National Standards through a structured approach that includes offsite documentation review, onsite audits, staff interviews, and observation of practice, resulting in evidence-based findings and clear, actionable recommendations.

Each audit delivers a detailed report outlining areas of good practice alongside a line listing of opportunities for improvement, supported by a Quality Improvement Plan that gives Registered Providers a practical roadmap to strengthen governance, reduce risk, and demonstrate a clear commitment to continuous quality and safety improvement.

Conclusion

The clearest lesson from these reports is that audit should never be treated as evidence of assurance in its own right. An audit only adds value when it identifies the right issues, records them accurately, drives meaningful action, and gives leaders confidence that what is reported matches what is happening in practice. Where that link breaks down, providers are left with systems that appear busy but do not reliably protect service users or support compliance. That is why audit practice matters. It sits at the heart of governance, and when it is weak, the consequences tend to surface across risk, training, health care and safeguarding.

For providers looking to close that gap, the answer is not simply more paperwork. It is a more disciplined approach to governance, stronger action tracking, better visibility of risk, and easier access to the guidance staff need to act consistently.

Alongside HCI’s quality and safety professional services, Cloda can support that effort by making policies and procedures instantly accessible, in plain language and at the point of care, helping staff understand what is required and apply it in practice. When providers are trying to move from audit activity to genuine assurance, that combination of expert support and digital access can make compliance systems more usable, more visible and more effective.

Contact us at info@hci.care or call at +353 (0)1 6292559 to learn how we can support your disability service.