This guide draws in part from “Conducting Internal Audits: A Balancing Act of Clinical and Operational Needs” by Mark Palmieri, Psy.D., BCBA-D (BehaviorLive), and extends it with peer-reviewed research from our library of 27,900+ ABA research articles. Citations, clinical framing, and cross-links below are synthesized by Behaviorist Book Club.
Internal audits are among the most underutilized tools available to ABA organizations. Done well, they surface risk before it becomes a billing denial, a compliance violation, or a client harm event. Done poorly — or not done at all — they leave organizations reacting to problems that proactive review would have prevented.
The tension between clinical and operational teams in ABA settings is well-documented. Clinical staff are focused on treatment quality, individualization, and the client-therapist relationship. Operational staff track authorizations, utilization rates, session note conversion timelines, denial percentages, and cash flow. These priorities intersect and occasionally conflict: a clinician who extends sessions based on clinical need may create billing complications; an operations team that flags a provider for low utilization may inadvertently pressure clinical decisions. Without a shared accountability structure, these tensions can escalate to organizational dysfunction.
Internal audits create that shared structure. By identifying Key Performance Indicators (KPIs) that span both clinical and operational domains, and by establishing regular review cadences, organizations can surface misalignment before it creates harm. An audit process that examines authorization compliance alongside treatment plan update timelines, or that tracks denial rates alongside fidelity scores, provides a multidimensional picture of organizational health that neither team can produce independently.
For BCBAs in supervisory or administrative roles, understanding the audit function is both a professional competency and an ethical responsibility. BACB Ethics Code 1.03 (Accountability) and 4.09 (Addressing Conditions That Interfere with Service Delivery) require that BCBAs identify and address organizational conditions that create risk for clients. An internal audit process is one mechanism for fulfilling that obligation systematically rather than reactively.
This course addresses how to design audit processes that serve both clinical quality and operational compliance — identifying relevant KPIs, structuring data collection and review cycles, categorizing organizational risk, and communicating findings to stakeholders in ways that drive action rather than defensiveness.
ABA organizations operate within a complex compliance environment shaped by state Medicaid regulations, commercial insurance contracts, BACB ethics requirements, and federal healthcare laws including HIPAA. Non-compliance in any of these domains creates financial risk (denials, clawbacks, exclusion from networks), legal risk (fraud and abuse exposure), and reputational risk (loss of referral relationships, regulatory action). The stakes are high, and many organizations discover compliance failures only after payers conduct their own audits — at which point remediation is more expensive and the damage to relationships is already done.
The internal audit function in ABA has its roots in healthcare quality improvement more broadly. Concepts like utilization review, concurrent review, and retrospective audit come from hospital and managed care contexts and have been adapted for the ABA setting with varying degrees of rigor. What distinguishes high-functioning ABA organizations is not the presence of auditing alone but the integration of audit findings into operational and clinical improvement cycles.
KPI selection is foundational to effective auditing. Common operational KPIs include authorization approval rate and timeline, session note conversion rate within required timeframes, claim submission lag, denial rate by reason code, and re-authorization success rate. Common clinical KPIs include treatment plan update compliance, session fidelity scores, assessment-to-treatment plan alignment, and caregiver training completion rates. Organizations that track only operational KPIs may achieve billing efficiency at the expense of clinical quality; those that track only clinical KPIs may produce excellent treatment while creating unsustainable financial risk.
Collection and sharing of audit data requires deliberate design. Raw data without context produces defensiveness; a 15% denial rate means very different things depending on payer mix, service type, and regional norms. Presenting findings alongside benchmark comparisons, trend analysis, and clear corrective recommendations creates conditions for productive action. Stakeholder reporting formats should differ by audience — executive leadership needs summary dashboards, clinical supervisors need team-level breakdowns, and front-line staff need individual feedback tied to specific, correctable behaviors.
For clinicians, the most immediate implication of internal audit processes is that clinical decisions are visible and accountable. Treatment plan update timelines, session cancellation rates, assessment frequencies, and the alignment between authorized services and delivered services are all auditable. Clinicians who understand this operate differently than those who view their work as insulated from administrative scrutiny.
Authorization compliance is a domain where clinical and operational interests directly intersect. Providing services outside the authorized scope — different service codes, higher hours, non-approved interventions — creates denial risk regardless of clinical rationale. Clinicians who understand authorization structures can build them into treatment planning, ensuring that the interventions they want to deliver are aligned with what has been approved before service delivery begins rather than after.
Session note quality is a recurring audit finding in ABA organizations. Notes that are vague, templated, internally inconsistent, or disconnected from the treatment plan fail both clinical and billing standards. Clinically, a note should document what happened in the session, what data were collected, and what clinical decisions resulted. Operationally, a note must support the billed procedure code, demonstrate medical necessity, and meet payer-specific documentation requirements. These standards are complementary, not competing — a note that accurately captures a high-quality clinical session will generally meet documentation requirements as well.
Denial analysis provides valuable information about where clinical practice and payer expectations are misaligned. A cluster of medical necessity denials for a specific client may indicate that the treatment plan is not sufficiently documenting functional impairment. A pattern of timely filing denials may indicate a workflow breakdown between clinical documentation and billing submission. Treating denial data as clinical intelligence rather than purely administrative noise allows organizations to make targeted improvements that serve both financial health and treatment quality.
BACB Ethics Code 1.03 requires that behavior analysts accurately represent their qualifications, services, and outcomes to stakeholders. In an organizational context, this applies to how clinical performance is reported upward — overstating fidelity, minimizing documentation gaps, or selectively presenting audit data to protect individuals or teams from accountability is an ethics violation, not simply a management decision.
Ethics Code 4.09 (Addressing Conditions That Interfere with Service Delivery) is particularly relevant to audit findings. When an audit surfaces conditions — inadequate supervision, authorization gaps, documentation failures — that are interfering with clients receiving appropriate services, the BCBA has an ethical obligation to act. Documenting the finding and taking no corrective action is insufficient. The audit is not an end in itself; it is a mechanism for identifying problems that must then be addressed.
The use of audit data in performance management decisions raises ethical questions about fairness and transparency. Staff should generally know in advance what metrics are tracked, how they are calculated, and what benchmarks are expected. Retrospective discipline based on metrics that were never communicated creates mistrust and legal risk. An ethically structured audit program communicates expectations clearly, applies standards consistently across staff, and uses findings primarily to improve systems rather than to punish individuals.
Confidentiality considerations apply when audit data includes client identifiers. Aggregate de-identified reporting is appropriate for most organizational review purposes. When specific client-level data must be reviewed (in cases of a denial under appeal, for example), HIPAA-compliant minimum-necessary standards apply. BCBAs with dual clinical and operational responsibilities must be clear about which role they are operating in when accessing client records for audit purposes.
Risk categorization is a key decision-making skill in the audit function. Not all compliance gaps carry equal risk, and organizations that treat every finding as equally urgent quickly exhaust their remediation capacity. A tiered risk framework — distinguishing between high-risk findings that require immediate escalation, moderate-risk findings that should be addressed within a defined timeframe, and low-risk findings that can be addressed in routine process improvement — allows organizations to allocate remediation resources proportionally.
High-risk categories typically include findings that create immediate client safety risk, that involve potential fraud and abuse exposure (billing for services not delivered, falsification of documentation), or that represent systematic non-compliance affecting large volumes of claims. These require supervisor notification, documentation of the finding and response, and in some cases reporting to regulatory bodies. Ethics Code 4.11 addresses the obligation to report when ethics violations are identified and organizational responses are inadequate.
Moderate-risk findings — authorization utilization patterns that suggest under-delivery, treatment plan update gaps, sporadic documentation deficiencies — warrant formal corrective action plans with defined timelines and measurable criteria. High-functioning organizations treat these findings as system improvement opportunities rather than individual disciplinary events. The question to ask is not only 'who is responsible for this gap?' but 'what process should be in place to prevent this gap?'
KPI benchmarking is essential for calibrating risk assessments. An authorization denial rate that is alarming in one payer context may be normal in another. Accessing industry benchmarks, comparing performance across locations within the same organization, and tracking trends over time provides context that prevents both over-reaction to noise and under-reaction to genuine deterioration. Decision rules should be established prospectively — specifying in advance what finding severity or threshold triggers escalation to executive leadership, a formal corrective action plan, or external counsel.
BCBAs in supervisory or administrative roles should treat internal auditing as a core competency, not a function relegated to billing or operations staff alone. Clinical leadership that is fluent in authorization data, denial patterns, and documentation quality is better positioned to advocate for their teams, protect clients, and demonstrate the value of clinical rigor to operational stakeholders.
If your organization lacks a formal audit process, start with the two or three KPIs that carry the greatest risk given your payer mix and service model. Authorization utilization compliance and session note conversion timelines are often the highest-yield starting points. Establish a monthly review rhythm, create simple data displays that make trends visible, and designate clear owners for corrective action.
Cross-functional communication between clinical and operational leadership is the most important structural element of a high-functioning audit process. Regular joint review sessions — where clinical supervisors and operations managers review the same data together — build shared ownership of outcomes and prevent the organizational fragmentation that allows problems to persist in the gap between teams.
Use audit findings to improve training and systems, not only to manage individual performance. A documentation quality finding that affects fifteen clinicians is not fifteen individual failures — it is a training and system design problem that requires a systemic solution.
All behavior-analytic intervention is individualized. The information on this page is for educational purposes and does not constitute clinical advice. Treatment decisions should be informed by the best available published research, individualized assessment, and obtained with the informed consent of the client or their legal guardian. Behavior analysts are responsible for practicing within the boundaries of their competence and adhering to the BACB Ethics Code for Behavior Analysts.