The Anatomy of an Effective Finding
An effective audit finding is built on the condition-criteria-cause-effect framework. Each element serves a distinct purpose in constructing the case for change.
Condition is what the auditor found — the specific, factual observation. The condition must be precise enough to be verifiable and concrete enough to be actionable. "Controls over purchase order approvals were inadequate" is a topic sentence, not a finding. "Seventeen percent of purchase orders in the sample were approved by the same individual who created them, contrary to the segregation of duties requirement in the Procurement Policy" is a finding.
Criteria is what should have been the case — the applicable policy, standard, regulation, or best practice against which the condition is measured. Effective criteria citations are specific and traceable. "Per Section 4.2 of the Procurement Policy (revised March 2025), purchase order creation and approval must be performed by different individuals for all orders above $1,000" gives management a precise reference point and closes the door on the response that the requirement was unknown or ambiguous.
Cause is why the gap between condition and criteria exists. Root cause is the most frequently omitted element of audit findings — and its absence is one of the primary reasons corrective actions fail to address the underlying problem and findings recur. "The segregation of duties requirement was not enforced in the system configuration, allowing the same user role to create and approve purchase orders" points management toward a specific, fixable problem rather than leaving them to guess.
Effect is the consequence — what has happened or could happen as a result of the control weakness. Effect creates urgency and justifies the finding's risk rating. Quantified effects are consistently more persuasive than qualitative ones: "This created the opportunity for unauthorised procurement totalling approximately $340,000 during the review period" is more compelling than "this creates a risk of unauthorised purchases."
Writing for the Decision-Maker
The primary audience for an audit finding is a manager who needs to understand the problem, agree it is worth addressing, and know what needs to change. Writing that requires the reader to extract the key message from dense technical language, to infer significance from audit jargon, or to navigate ambiguous recommendations will consistently produce delayed, incomplete, or misguided management action.
Every finding should pass a simple test: can the responsible manager read it, understand what went wrong, understand why it matters, and know what needs to change — without asking the auditor for clarification? If not, the finding needs to be rewritten. This standard is not optional for professional audit communication.
The auditor who writes clearly is not simplifying the work — they are taking responsibility for the communication, not just the observation. That responsibility is a core part of the professional obligation, not an optional skill enhancement.
Recommendations That Are Actually Actionable
A recommendation that says "management should strengthen controls over the purchase order approval process" is a direction, not an action. The manager reading it does not know what specifically to do, by when, or how to measure success. Recommendations that drive action specify the particular change required: "Reconfigure the purchase order module to prevent the same user from creating and approving orders, and conduct a retrospective review of all orders above $1,000 approved by a single individual during the current financial year." This recommendation is specific, implementable, and verifiable — all three of which are necessary for a corrective action to be completed rather than approximated.
Calibrating Finding Severity Honestly
The risk rating assigned to a finding communicates its significance and drives the urgency of management's response. Ratings that are systematically too low — because auditors are reluctant to deliver difficult messages — train management to treat all findings as moderate-priority regardless of their actual governance significance. Ratings that are systematically too high lose discriminatory power and generate pushback that undermines audit credibility. Honest, consistently applied rating criteria, supported by clear documentation of the factors that drove the rating, are the foundation of a finding portfolio that management and the audit committee can trust to reflect actual risk.