Audit Finding
Definition
An audit finding is a documented result from a compliance audit that identifies a specific condition where requirements are not being met or controls are not operating effectively. Findings include the condition observed, the criteria against which it was measured, the cause of the gap, and the potential effect or risk.
Anatomy of an Audit Finding
Condition
What the auditor observed -- the current state that deviates from the requirement.
Criteria
The standard, regulation, or policy requirement against which the condition is measured.
Cause
The root reason the condition exists -- why the gap occurred.
Effect
The risk or consequence of the condition -- what could happen if the gap is not addressed.
Recommendation
The auditor's suggested corrective action to bring the condition into compliance with the criteria.
Finding vs. Observation
Not all auditor notes carry the same weight. A finding represents a clear deviation from a requirement and must be formally addressed. An observation is a noted condition that does not constitute non-compliance but represents an area for improvement. Understanding this distinction helps organizations prioritize their response appropriately.
Responding to Findings
Do not dispute findings defensively -- understand the auditor's perspective and the evidence basis
Conduct root cause analysis to address underlying issues, not just symptoms
Develop a corrective action plan with specific steps, owners, and deadlines
Implement and test corrective actions before the next audit cycle
Document evidence that demonstrates the finding has been fully resolved
Monitor the corrected control to ensure the fix is sustained