An audit finding is an issue identified by the auditor during the audit process that needs attention from management. Findings range from minor bookkeeping errors to significant weaknesses in internal controls that could lead to material misstatement of the financial statements. How your organisation responds to audit findings directly affects the quality of your financial reporting and your relationship with your auditor.
What are findings in an audit?
Audit findings are the results of the auditor’s testing and analysis. When the auditor examines your financial records, internal controls and compliance with accounting standards, any issues they identify are documented as findings.
Not all findings are equal. Some are observations that the auditor wants to bring to management’s attention. Others are significant enough to affect the audit opinion. The auditor categorises each finding based on its severity and its potential impact on the financial statements.
Findings typically appear in two places: the management letter (which lists control weaknesses and recommendations) and the audit report itself (if the findings affect the opinion on the financial statements).
What are the 5 elements of an audit finding?
A well-documented audit finding contains five elements. This structure, used by internal and external auditors alike, makes findings clear and actionable:
- Condition. What the auditor actually found. The factual description of the issue – for example, “12 out of 50 purchase orders tested had no evidence of management approval before the goods were ordered.”
- Criteria. What should have happened. The standard, policy or regulation that was breached – for example, “The company’s procurement policy requires written approval from a budget holder for all purchases over £500.”
- Cause. Why the issue occurred. The root cause, not just the symptom – for example, “The approval workflow in the procurement system was not configured to enforce the £500 threshold, and manual checks were inconsistent.”
- Effect. The actual or potential impact. What happened or could happen as a result – for example, “Unauthorised expenditure totalling £23,400 was incurred during the period. There is a risk of further unauthorised spending.”
- Recommendation. What corrective action the auditor suggests – for example, “Configure the procurement system to require electronic approval for orders above £500 and implement monthly exception reporting.”
This five-element structure ensures that management understands not just what went wrong, but why it matters and what to do about it. It also makes it easier to track whether corrective actions have been implemented by the next audit.
What are the 5 C’s of audit findings?
The 5 C’s are an alternative framework for structuring audit findings, commonly used in internal audit. They overlap with the five elements above but use slightly different language:
- Condition – what is happening (the current state)
- Criteria – what should be happening (the expected state)
- Cause – why the gap exists
- Consequence – what the impact is (equivalent to “effect”)
- Corrective action – what needs to change (equivalent to “recommendation”)
Whether you use the five elements or the 5 C’s doesn’t matter much in practice. What matters is that every finding is documented clearly enough for someone who wasn’t involved in the audit to understand the issue and take action.
Common audit findings in UK statutory audits
Based on our experience auditing UK companies across multiple sectors, these are the findings we see most often:
Weak segregation of duties
One person handling too many steps in a financial process – raising invoices, approving payments and reconciling the bank account, for instance. In smaller organisations this is sometimes unavoidable, but the auditor will flag it as a control weakness and look for compensating controls.
Incomplete or late bank reconciliations
Bank reconciliations not performed monthly, or performed but with old unmatched items carried forward for months without investigation. This is one of the simplest internal controls, and auditors expect it to be done consistently.
Revenue recognition issues
Recording revenue in the wrong period, failing to defer income received in advance, or not following the five-step model under FRS 102. Revenue is always a significant audit area because it has the biggest impact on reported profit.
Missing supporting documentation
Invoices without purchase orders, journal entries without explanations, or estimates without documented assumptions. If the auditor can’t see the evidence, they can’t verify the transaction. Missing documentation increases audit time and audit fees.
Non-compliance with accounting standards
Applying FRS 102 incorrectly – common areas include lease accounting (Section 20), financial instruments (Section 11), and related party disclosures (Section 33). The auditor checks that the accounting treatment and disclosures comply with the applicable framework.
Poor control over journal entries
Manual journal entries that aren’t reviewed or approved, posted by people who shouldn’t have access, or lacking adequate descriptions. ISA (UK) 240 specifically requires auditors to test journal entries as part of their fraud risk procedures.
How to manage audit findings effectively
Receiving audit findings isn’t a sign of failure. Every organisation gets them. What distinguishes well-run companies is how quickly and thoroughly they respond.
Respond formally in writing
For each finding, provide a written management response that states whether you agree with the finding, what corrective action you’ll take, who is responsible, and the target completion date. This response goes into the auditor’s working papers.
Prioritise by risk
Focus on findings that affect the accuracy of the financial statements first, then control weaknesses that could lead to future problems. Not everything needs to be fixed immediately, but everything needs a plan.
Track progress
Maintain an audit findings tracker – a simple spreadsheet works – listing each finding, the agreed action, the responsible person and the status. Review it at board meetings or audit committee meetings. When the auditor comes back next year, they’ll check whether last year’s findings have been addressed.
Fix root causes, not symptoms
If the finding is “bank reconciliation not done in October”, the corrective action shouldn’t just be “do the October reconciliation.” It should address why it didn’t happen – staff absence, lack of training, unclear responsibilities – and prevent it happening again.
Related reading
- The Audit Process: A Step-by-Step Overview
- What Is an Audit Trail?
- Audit Adjustments Explained
- Material Misstatement in Audit
How Audit Group can help
Our audit approach is designed to produce clear, practical findings that your finance team can act on. We don’t bury issues in jargon or generate pages of generic observations. Every finding comes with specific, achievable recommendations tailored to your business. Get in touch to discuss your audit requirements.
