
The Three Words That Kill an Audit Finding: "Management Has Noted"

Kamran Iqbal, CIA, CISA, CFE, CRMA | January 2026 | 6 min read

Every internal auditor has seen it. A significant finding is raised, the draft report goes through review, the deadline arrives — and the response comes back: "Management has noted." Three words. No action. No commitment. No accountability. This is not a management response. It is a governance failure dressed in professional language.

Why This Response Destroys Audit Value

A management response to an audit finding is not a formality. It is a commitment — a documented statement of what management will do, by when, and who is accountable for doing it. When management responds with three hollow words and nothing more, it signals that the finding will go nowhere, that the audit function's work carries no consequences, and that the governance function the audit committee is relying on produces reports rather than change.

The problem compounds over time. When audit functions accept vague management responses without challenge, they train management that vagueness is acceptable. The next cycle produces more of the same. Eventually the audit report becomes a procedural document that everyone produces and no one acts on — and internal audit has become a compliance exercise rather than a governance tool.

What a Complete Management Response Must Contain

A complete, professional management response contains four elements. First, acknowledgement of the finding — confirming that management agrees with the observation, understands the risk it represents, and accepts the need for corrective action. Second, the specific corrective action — not a generic commitment to "review" or "consider" but a concrete, verifiable activity. Third, a responsible owner — a named individual accountable for ensuring the action is completed. Fourth, a completion date — a specific target date by which the action will be implemented and available for follow-up verification.

When any of these elements is missing, the response is incomplete — regardless of how many words it contains. "Management has noted and will take appropriate action as resources allow" contains thirty words and zero governance value. The four elements are the minimum professional standard, not an aspiration.

The Internal Auditor's Responsibility

Accepting a vague management response is not a neutral act. It is a decision to allow a governance gap to persist unaddressed. Internal auditors who receive inadequate responses have a professional obligation to push back — to request specific, complete responses before the finding is closed.

This pushback is not comfortable. Audit teams face pressure to close findings quickly, avoid conflict with management, and keep reporting cycles moving. The professionalism required is the ability to hold the standard regardless of that pressure — because the audit committee and board are relying on the assumption that closed findings have been genuinely addressed. An audit function that cannot hold this standard under pressure is not providing independent assurance; it is providing managed comfort.

An audit report that contains a finding rated High and a management response that says "noted" has not resolved a high-risk issue. It has documented one and left it in place. That difference matters enormously to every stakeholder relying on the audit function's work.

Escalation When Management Will Not Engage

When management consistently provides inadequate responses, escalation is both appropriate and professionally required. The first level is the senior manager responsible for the auditee area — bringing the inadequate response to their attention and requesting a complete one. The second level is the CAE engaging at senior management level. The third level — for significant findings that remain unaddressed — is escalation to the audit committee, which has the authority and governance responsibility to require management action.

The escalation path should be documented in audit function policies and communicated to management at each engagement's opening meeting. When management knows in advance that inadequate responses will be escalated, the frequency of "management has noted" decreases significantly. The audit function's consistent willingness to use the escalation path is what gives the entire audit process its credibility as a governance mechanism.

The Audit Committee's Role

Audit committees that receive reports showing high rates of finding closure should periodically enquire about the quality of management responses, not just their quantity. A follow-up audit programme that independently verifies implementation of corrective actions — rather than relying on management's own confirmation — provides the governance assurance that transforms audit from a reporting exercise into a genuine accountability mechanism. The three words that kill an audit finding can be countered by three questions from the audit committee: What specifically was done? By whom? And has the auditor independently verified it?
