How to Know What to Audit: A Practical Guide for ABA Leaders

If you’re responsible for compliance in an ABA organization, you already know how important regular audits are, but deciding what to audit next isn’t always clear. Maybe you’ve already reviewed session notes, billing, and supervision records and are wondering, “What else should I be looking at?”

The answer lies in building a proactive system that identifies risk before it becomes a problem. The best compliance leaders don’t wait for an external review; they use risk assessments, data, and trends to decide what to audit and when.

In this post, we break down:

• What a risk assessment really means in healthcare and corporate compliance

• Why your risk assessment should drive your audit and monitoring plan

• Five practical places to find your next audit idea (with examples of what to look for)

• How to tell whether your audit findings show isolated errors or systemic risks

The Role of Risk Assessments in Compliance

Before we dive into ideas for your next audit, it’s important to step back and talk about something that should guide all of those decisions: your risk assessment.

n the world of healthcare and corporate compliance, a risk assessment is a structured way of identifying the areas where your organization could be most vulnerable to compliance problems. It’s a process—often done annually—where you systematically evaluate your operations to find where the biggest risks lie.

For ABA organizations, a risk assessment might include reviewing:

• Areas where rules are complex or changing (like payor documentation standards)

• Functions where human error could easily occur (such as billing, data entry, or supervision tracking)

• Topics that have caused issues before—either internally or across the ABA field

• Areas where new laws, payors, or staff changes have been introduced

The goal isn’t to catch anyone doing something wrong; it’s to map out where the organization could go off track and then design audits or monitoring plans to catch those issues early.

Think of your risk assessment as your audit “roadmap.” The topics it identifies as high risk should become the first things you audit or monitor throughout the year. That’s how you move from reactive compliance—responding to problems—to proactive compliance—preventing them.

If you haven’t yet conducted a formal risk assessment, start small: list five to ten areas that keep you up at night or that have generated questions, denials, or inconsistencies in the past year. Those are excellent early audit topics.

Beyond the Risk Assessment: Where Else to Look

Once you’ve built your risk-based audit list, you may still want more ideas to round out your monitoring plan. The following areas can help you find new opportunities to check that your systems are working as intended.

1. New or Changing Processes & Programs

Any time your organization introduces something new—new payors, new codes, new staff, or new processes—there’s a learning curve and a risk of inconsistency.

What to look for:

• Are staff following updated policies or payor rules?

• Do notes support the services billed?

• Is supervision being documented correctly and at the required frequency?

• Are codes being used consistently and accurately?

Compare what’s happening in practice to what your policies or payor manuals say should be happening. Even a short, focused audit can identify small gaps before they turn into systemic issues.

2. Current Events & Regulatory Signals

External audit findings can serve as powerful early warnings. For instance, the Office of Inspector General (OIG) and several state Medicaid agencies have recently audited ABA programs in states like Massachusetts, Indiana, and Wisconsin. Common issues included:

• Missing or incomplete session documentation

• Billing during nontherapy time (e.g., lunch, travel, administrative work)

• Providers billing more than 24 hours in a day

• Services billed under unqualified or improperly supervised staff

What to look for:

• Are your own records detailed enough to justify billed units (start/stop times, activities, signatures)?

• Are paraprofessional services properly supervised and documented?

• Do any of your billing patterns resemble the “red flags” found in those reports?

You can find these audit reports and summaries at oig.hhs.gov/reports/all. They’re public, searchable, and full of practical insight—even if you’re don't bill Medicaid for any of your services. 

3. Internal Data & Outliers

Your own billing and clinical data can reveal opportunities for internal review.

What to look for:

• Providers whose productivity or billing is much higher or lower than peers

• Departments with increased denials or payment delays

• Shifts in revenue or service delivery that don’t have a clear explanation

Outliers aren’t automatically problems, but they’re definitely worth understanding. Reviewing even a few records from these areas helps confirm whether differences are justified or due to inconsistent practices.

4. Contractual Obligations & Policy Updates

When payors or regulators issue new requirements, it’s easy for agencies to lag behind in implementation.

What to look for:

• Do your documentation templates still meet payor and authorization standards?

• Are plan updates and reauthorizations happening within required timeframes?

• Are staff qualifications and credentials verified and up to date?

• Do billing units and modifiers match the most recent guidance?

A quick check against payor contracts and policies helps ensure you’re meeting expectations before an external audit does.

5. Core High-Impact Areas

Some audit areas are worth revisiting regularly because they consistently impact compliance outcomes.

What to look for:

• Documentation: Are session notes clear, complete, and individualized?

• Treatment plans: Are goals measurable, current, and linked to documented services?

• Training and supervision: Are supervision logs complete, signed, and timely?

• Billing: Do claims accurately reflect the service type, time, and provider qualifications?

• Consent and records: Are all required forms current and properly stored?

Rotating through these areas annually ensures balanced attention across your program.

Putting It All Together

A strong compliance plan combines structure (your risk assessment) with curiosity (your ongoing audits). Start with a short list of focus areas, define your audit scope, use checklists that reflect payer and policy requirements, and review results for trends, not blame.

Over time, you’ll create an audit schedule that’s both manageable and meaningful, providing clear evidence that your compliance program is active, intentional, and effective.

What's Next for You and Your Agency?

If you’re finding yourself asking, “What should we audit next?” you’re already thinking like a proactive compliance leader.

The next step is turning those ideas into a structured, risk-based audit program—one that helps you prioritize what to review, track what you find, and adjust your focus as your organization evolves.

That’s where the right level of support makes a difference.

For organizations looking to build and manage their audit systems internally, the ABA Compliance Collective provides the tools, templates, and ongoing guidance to help you create a structured, repeatable compliance program.

And for teams that want a more hands-on approach, ABA Compliance Solutions also offers external audit and consulting services to help you evaluate risk areas, conduct targeted reviews, and strengthen your compliance infrastructure with expert support.

Whether you’re building your system in-house or looking for a partner to guide the process, you don’t have to figure it out alone.

Learn more about your options here:
https://www.abacompliance.com/collective