Audit Findings and Management Response Process

The audit findings and management response process defines how identified deficiencies, exceptions, and control gaps are formally documented, communicated, and resolved following an audit engagement. Applicable across internal audits, external financial statement audits, and regulatory examinations, this process establishes the structured handoff between auditors and the audited organization. Understanding its mechanics matters because unresolved findings can escalate into regulatory enforcement actions, restatements, or material weaknesses disclosed in public filings.

Definition and scope

An audit finding is a documented observation that arises when audit evidence reveals a departure from a stated criterion — a policy, regulation, accounting standard, or control objective. The finding is not a final judgment but a formal assertion that requires a response. The scope of the findings process extends from initial identification during fieldwork through management's written response, remediation planning, and follow-up verification.

Audit findings are classified by severity. The most consequential classification under Sarbanes-Oxley Section 404 is the material weakness, defined by the Public Company Accounting Oversight Board (PCAOB) in AS 2201 as a deficiency, or combination of deficiencies, in internal control over financial reporting that creates a reasonable possibility of a material misstatement going undetected. Below that threshold sits the significant deficiency, which is less severe but still warrants attention from those charged with governance. A third tier, the control deficiency (or simply "deficiency"), represents the broadest category — any shortfall in design or operation of a control that does not rise to significant deficiency level.

The Institute of Internal Auditors (IIA) Global Internal Audit Standards require that findings include four elements: criteria (the benchmark), condition (what was observed), cause (why the gap exists), and effect (the risk or consequence). These four components anchor the finding in evidence and prevent ambiguity during the response phase.

How it works

The findings and response cycle follows a structured sequence:

  1. Draft finding issuance — The auditor documents the finding using the criteria-condition-cause-effect framework and shares a draft with management before the final report is issued. This draft review period — typically 10 to 15 business days in most engagement letters — allows management to identify factual errors without altering the auditor's professional judgment.

  2. Management response preparation — Management prepares a formal written response that either agrees with the finding, partially agrees, or disagrees. A response that agrees must include a corrective action plan (CAP) specifying the remediation steps, the responsible owner, and a target completion date.

  3. Final report incorporation — The management response is reproduced verbatim or summarized alongside the finding in the final audit report, preserving both the auditor's position and management's commitment on the record. How the response is included varies with the report type in financial services: external auditors typically reference material weaknesses in the auditor's report itself, while internal audit reports embed the full response within the finding narrative.

  4. Remediation execution — Management implements the corrective action. For internal control deficiencies under SOX, the remediation must be operative for a sufficient period — generally one complete reporting cycle — before an auditor can test and conclude that the deficiency is resolved.

  5. Follow-up audit or verification — The audit committee or internal audit function tracks open findings and verifies closure. PCAOB AS 2201 requires the external auditor to evaluate whether prior-year material weaknesses have been remediated before issuing an unqualified opinion on internal controls.

Common scenarios

Agreed finding with corrective action plan — The most common outcome. Management concurs with the finding, assigns an owner, and sets a remediation date. This is the standard outcome for control deficiencies and significant deficiencies identified in both internal and external audits across banking and securities firms.

Partial agreement — Management accepts the condition but disputes the cause or effect assessment. This scenario frequently arises in compliance audits where management contends that a compensating control mitigates the risk, even if the primary control failed. The auditor retains the finding but may modify the risk rating.

Disagreement — Management formally disputes the finding, asserting that the criterion applied was incorrect or that no condition exists. Disagreements are recorded in the report and may be escalated to the audit committee. Under FINRA audit obligations for broker-dealers, disagreements that affect regulatory capital calculations carry heightened scrutiny because Net Capital Rule compliance (SEC Rule 15c3-1) is a bright-line requirement.

Repeat finding — A finding that has recurred from a prior audit cycle signals that the earlier CAP was either not implemented or ineffective. Regulatory examiners — including FDIC examiners applying the FDIC's audit requirements — treat repeat findings as indicators of systemic control failure rather than isolated incidents, which can push the severity classification upward.

Decision boundaries

Several factors determine how a finding is classified and how urgently a response is required.

Materiality threshold — A finding's classification as a deficiency, significant deficiency, or material weakness turns on whether a misstatement arising from the control gap could be material to the financial statements. Audit materiality in financial services is quantified at engagement inception, typically as a percentage of a base such as pre-tax income, total assets, or revenue — though qualitative factors can override quantitative thresholds.

Pervasiveness — A control failure affecting a single transaction type is treated differently from one affecting entity-level controls or the financial close process. Pervasive deficiencies are more likely to reach the material weakness threshold under AS 2201.

Compensating controls — The existence of an effective compensating control can reduce a deficiency's severity rating. However, auditors assess whether the compensating control is reliable, consistently applied, and documented — not merely asserted by management.

Response timeliness — Findings identified during a regulatory examination carry different response deadlines than internal audit findings. Matters Requiring Attention (MRAs) issued by federal bank examiners typically demand a management response within 90 days, a timeline set by the relevant supervisory agency's examination guidelines rather than negotiated between parties.
