The audit finding is the artefact by which audits change organisations. Findings written well drive specific, targeted corrective action that addresses the underlying issue and prevents recurrence. Findings written poorly produce defensive responses, generic remediation that does not address the actual gap, and the same finding appearing again at the next audit. The difference is craft, not authority. The auditor who writes findings well consistently produces better operational outcomes than the auditor with equivalent technical knowledge who writes findings poorly.
The Four Components Every Finding Needs
- Criterion — the specific requirement (clause, control, policy, regulation) that the finding is against.
- Condition — what was observed during the audit.
- Cause — why the gap exists, at the level that matters for corrective action.
- Consequence — what the gap implies for the organisation if uncorrected.

Findings missing any of these components are weaker than they should be. Findings with all four are concrete enough to act on and defensible enough to stand up under management response.
Specificity That Drives Specific Action
A finding that says "documentation is inadequate" produces a corrective action of "improve documentation" and no actual change. A finding that says "the supplier risk assessment procedure (POL-027) does not address the requirement in ISO 27001 A.5.19 to evaluate suppliers prior to engagement; three of five suppliers reviewed during this audit were engaged without documented prior evaluation" produces a corrective action with a specific target. The specificity is in the criterion (which control), the condition (what was observed, with the actual evidence), and the cause (which procedure is the gap, or what made the procedure inadequate).
Cause Analysis That Drives Root-Level Fix
A finding whose cause is identified as "the employee did not follow procedure" produces a corrective action of "retrain the employee." The same situation recurs because the underlying conditions were unaddressed. Strong auditors push past proximate cause to systemic cause — what about the work environment, process design, or organisational structure made the deviation likely or even unavoidable. The corrective action then addresses the system, and recurrence rates fall measurably.
A pattern in repeat findings: the same nonconformity appears at the next surveillance audit, sometimes the next two surveillance audits. The corrective actions taken were operationally responsive but addressed symptoms rather than causes. The auditor who can push the cause analysis deeper at finding time prevents the same finding from recurring; the auditor who accepts shallow cause analysis is implicitly accepting that the system will keep producing the same defect.
Tone That Produces Engagement Rather Than Defensiveness
Findings are tested against management. A finding written as accusation produces a defensive response; the conversation becomes about whether the finding is fair rather than how to address it. A finding written factually, evidenced specifically, and framed in terms of the requirement rather than personal failure produces engagement. The tone is professional, not adversarial — and the difference shows up in how quickly and substantively corrective actions get implemented.
Severity Classification That Means Something
Major nonconformity, minor nonconformity, observation, opportunity for improvement — most audit programmes use this hierarchy or something similar. The classifications mean specific things and matter for the audit conclusion. A finding misclassified as a major when it is a minor inflates the severity of the audit report; a finding misclassified as a minor when it is a major underplays a serious issue. Strong auditors classify deliberately, using consistent criteria, and can defend the classification under challenge from management.
Components of a Finding That Holds Up
- Criterion stated explicitly with the specific requirement reference
- Condition described factually with evidence (specific examples, samples, observations)
- Cause analysis at the systemic level, not just the proximate one
- Consequence stated in terms of risk or impact, not vague concern
- Severity classified deliberately and defensibly
- Tone professional and factual, oriented to the requirement, not to personal performance
- Sufficient specificity that corrective action can be targeted, not generic
Why the Craft Matters
A senior auditor whose findings reliably drive substantive corrective action becomes one of the most valuable assets in the audit function — the audits they run produce real management system improvement rather than documentation cycles. The craft of finding writing is one of the genuine differentiators in the profession, learnable but rarely taught explicitly. Investing in it produces returns across an audit career that technical specialisation alone does not match.