Finding
Definition
A discrete, evidence-backed statement that a specific control is absent, misconfigured, or insufficient. Each finding contains an issue statement, evidence, risk rating, impact description, and recommendation. Findings are the unit of communication between the auditor and the auditee.
Related terms
- Executive summary: The opening section of an audit report written for non-technical leadership. It states the audit scope, overall posture, the most material findings...
- Management response: The audited organisation's formal reply to each finding, included in the report. It states whether the recommendation is accepted, rejected, or accepted...
- Nonconformity: The ISO 27001 term for a finding that represents a failure to meet a requirement of the standard or the organisation's own...
- Observation: A noted issue or improvement opportunity that does not constitute a formal finding because it lacks sufficient evidence or does not violate...
- Risk rating: A classification of a finding's severity, typically Critical, High, Medium, Low, or Informational, derived from a likelihood-by-impact matrix. The rating determines remediation...
Explained in
- Audit Report Structure and Communicating Findings