ELI5: What are Findings and Remediation?
Findings are the problems the inspector found — like a broken lock on the gym door. Remediation is fixing those problems — installing a new lock and testing it. Each finding comes with a deadline for getting it fixed.
Definition
Audit findings are documented issues, weaknesses, or deficiencies identified during an audit, along with supporting evidence. Each finding typically includes a description of the issue, the control objective that was not met, the risk or impact, and a recommendation for remediation. Remediation is the process of addressing findings through corrective action — implementing missing controls, patching vulnerabilities, updating policies, or retraining staff — within agreed timelines.
Key Details
- Findings are typically rated by severity: Critical, High, Medium, Low (or equivalent)
- Each finding should be assigned an owner responsible for remediation and a target completion date
- Remediation tracking is maintained in the risk register or a dedicated finding tracker
- Follow-up audits or management attestations verify that findings have been remediated
- Exam tip: findings without remediation plans are just documentation of risk; the value is in the corrective action
Connections
- Parent: audits-and-assessments — findings and remediation are the output and follow-through of the audit process
- See also: risk-register
- See also: after-action-review