How do companies handle low severity audit findings? Are they represented differently, in the report, compared to high and medium severity findings, and are the action plans monitored in the same way? We are considering reducing the frequency of monitoring for these actions.
We've moved away from writing up low risk findings for the most part (communicating them verbally instead, and not having formal monitoring or follow up), and try to get the audit client to focus on medium / high risk findings. There may be exceptions to that, particularly in the Financial Services space where some regulators expect all findings to be documented.
We have avoided designating audit findings and recommendations as High, Medium and Low in our reporting and action plan tracking and have instead taken an approach of evaluating whether we need to attach a recommendation to a low-impact finding at all, or if we can just flag it in the narrative of the report or even in an appendix and then leave it to the business to address or not. We have a hard enough time driving to implementation of action plans in response to the more impactful observations and recommendations.
We take a similar approach to what Peter describes - we don't include low rated findings in our final report, but do share them with functional management for their awareness. There are no associated action plan commitments, and no follow up performed by the audit team.