Do You Have to Remediate Audit Findings?

Former President John F. Kennedy once said that “an error does not become a mistake until you refuse to correct it.”

That mindset suggests that JFK would’ve had a bright future in compliance had he been born a few decades later and not been destined to lead the country for a time. Because he’s right—there’s a reason the most common terminology in our business is “findings” or “exceptions.”

Should your audit turn anything of the like up, you’ll have a chance to correct them. But oftentimes, organizations wonder if they really have to fix these findings. Maybe you’re wondering too.

Schellman has been in the audit business for twenty years now. We started with the precursor to SOC, and now we perform an entire suite of compliance services and turn up findings every day. We’ve also witnessed the consequences organizations have faced when they’ve avoided remediation, and we don’t want you to fall victim to the same.

That’s why in this article, we’ll give you two really good reasons to make the effort to fully remediate any findings your audit reveals. We’ll also delve into why it’s important to do that promptly rather than wait to act, address why this is even a debate, and we’ll even provide alternatives to full remediation, just in case.

Read on, and you’ll have a thorough understanding of the reasoning behind remediation and therefore be better equipped to truly maximize your audit results.

Two Reasons Why You Need to Remediate Your Audit Findings

“Do we have to fix this?” The true answer is that it depends, but we’ll tell you that not remediating findings can make for some serious repercussions.

After all, some examinations and certifications have requirements that necessitate the need for remediation of any findings or negative results, even providing a specific length of time given to remediate and prove it done that depends on the severity of the issue and/or the type of certification or assessment.

Of course, there are also some assessments where remediation of findings is not required. But even still, why would you not want to remediate any findings? Because there are two very good reasons why you should.

1.      You’ll Remain Vulnerable.

If your auditor finds something that they report, that suggests there’s a breakdown in your controls. Not remediating the related processes or procedures leaves you susceptible to breaches and other attacks, which is precisely what you’re being audited to help you avoid.

Yes, it’s entirely possible that the finding was the result of an isolated event—meaning your controls otherwise operate effectively—but refusing to look at the root cause of the issue increases the risk that it’ll occur again.

So, you’ll be vulnerable, but it could get even worse—if the finding wasn’t an isolated event, just the concept of repeated issues could demonstrate to your customers that you’re not mature enough in your processes to prevent, detect, or correct vulnerabilities.

2.      You Open Yourself Up to Loss of Revenue.

And that’s not what your customers—or prospective customers—will want to hear. Choosing not to remediate findings could cause a loss of business or worse, legal predicaments for a breach of contract or non-compliance with industry rules or regulations.

Oftentimes, organizations will make commitments to customers within a master service agreement, service level agreement, or sales contract. Those commitments can include commitments regarding response time, incident response, breach notification, etc. Does that sound familiar?

When findings result in failed commitments or non-compliance, not only could it have an unfavorable outcome for your assessment, but it could mean your customers take their business elsewhere.

Can’t Remediate? Mitigate (For the Time Being).

That all sounds dire, so you’re probably more convinced now to go ahead and take care of all your findings.

But we recognize that sometimes, you just don’t have the resources. Maybe you’re a small organization without available horsepower to help, or you’re limited by a small budget with no room for remediation of findings.

Lacking available personnel or having budgetary limitations does not give you a pass by any means, but it would make sense for those kinds of organizations to seek short-term alternatives.

If you can’t swing full remediation, you should at least seek to manage the associated risk to start:

  • Look for improvement areas and research methods to implement risk-mitigating processes that show maturity and growth within your organization.
  • Performance of root cause analyses could assist in strengthening existing processes while also helping to discover other risk-mitigating controls and new processes that could be implemented.

As we mentioned earlier, there are some assessments and certifications where you just can’t get around complete remediation. Even if you’re limited in resources at this point, the fact that you’re being audited at all suggests that you’ve got mature enough processes to implement risk-mitigating controls and bring the issue into acceptable risk tolerance.

This mitigation route, of course, is just a temporary stopgap—you should absolutely still remediate everything more comprehensively when you find the room in your budget and schedule.

When Should You Remediate Findings?

Any action you take should be as immediate as possible.

We mentioned before that different audits have different requirements. If you’re seeking an ISO certification of some kind, check out this article that deconstructs all the details for findings—or nonconformities—and how to resolve any that arise.

So let’s talk about SOC reports instead, because it’s a little different. During a SOC examination, you’ll have the opportunity to remediate:

  • If the finding is discovered before the report date (Type 1 reports); or
  • If the finding is discovered before the end of the reporting period (Type 2 reports).

But that’s the distinction in opportunity. There’s also an important distinction that should be noted regarding what happens to the findings within the report for Type 1 and Type 2 audits.

  • For Type 1 reports, you have up until the report date to remediate any discovered audit findings. Once remediated, such findings will not be included in the report.
  • For Type 2 reports, whether remediated or not, the finding(s) will still appear within your report.
    • However, your corrective efforts can also be included. Additionally, you’ll have the option to provide further clarification and detail on completed and future efforts in an added section of the report.
    • It makes sense then, that you should consider timely remediation efforts for identified findings so that you can demonstrate to users of your report that you were timely in addressing any identified finding(s). 

Of course, due to those aforementioned elements like budgets and available personnel—as well as the number of findings that may turn up—you may not get everything remediated ahead of the required dates.

You’ll have to use professional judgment in determining which findings to remediate first. When you create an action plan, classify it by order of risk, especially when investments are required. Address high-risk findings first, and take care of the lower priority ones where and as resources permit.

Setting Expectations for Potential Findings

So, do you have to remediate? Probably, but now you understand why it’s very beneficial to do so. Whether you take action if and when the time comes will ultimately depend on your assessment or certification requirements and what level of risk appetite your organization, customers, and business partners are willing to tolerate.

As auditors, we can tell you firsthand that perfection is not the goal of an audit. You’re in a constant state of risk management, corrective action, and process improvement, or at least you should be, and that’s likely going to mean adjusting and remediating things as you find them.

Kennedy said that for an error to not be a mistake, it should be corrected. At the very least, consider how the users of your report would react to recurrence of vulnerabilities—“errors”—documented within the assessment results, and if such issues would discourage them from your services.

For more information on how to ensure you get what you need from your SOC examination, read our other content that will help you take steps for a better experience:

About the Author

Nick Bruce

Nick Bruce is a Senior Associate with Schellman & Company, LLC based in Atlanta, GA. Prior to joining Schellman in 2015, Nick worked as a Senior Associate. among the "Big 4" specializing in SOX ITGC evaluation for financial statement audit and SSEA 18 compliance in the technology, insurance and not for profit industries. As a part of the SOC Services group, Nick helps clients solve problems and explore new areas for improvement based on the organization’s adoption of new processes and technology. Nick has served clients in both the internal and external audit capacities. During this time, Nick has obtained a CISA professional license and has obtained hands-on experience working with major platforms and databases including Windows, Unix, Oracle DB, SQL Server, DB2, and SAP.

More Content by Nick Bruce
Previous Video
Which Trust Services Categories Should I Include In My Next SOC 2 Report?
Which Trust Services Categories Should I Include In My Next SOC 2 Report?

Next Video