Finding Reports
Finding Reports
Introduction
A Finding Report in CERRIX documents findings, conclusions, and actions from audits or assessments. It provides a structured approach to:
Record audit results and observations
Document underlying risks and root causes
Link follow-up actions (MoIs) to findings
Why Use Finding Reports in CERRIX?
Finding Reports consolidate everything in one place:
Audit results and assessment scores
Individual findings and observations
Improvement measures and follow-up actions
Status tracking from draft to closure
This consolidation eliminates scattered spreadsheets and email threads. Everything related to an audit exists in a single, searchable location.
What You Can Do with Finding Reports
Create new finding reports for audits or assessments
Add detailed assessments with scores and ratings
Link MoIs (Measures of Improvement) to track follow-up
Generate reports for management or external auditors
Track resolution status across all findings
Finding Report Workflow
Each Finding Report moves through a straightforward workflow:
Draft – Report is being prepared, findings are being documented
In Review – Internal validation and quality check
Approved – Findings are confirmed and accepted
Follow-up ongoing – Linked MoIs are being executed
Closed – All actions complete, audit cycle finished
This workflow ensures findings progress from identification to resolution with clear status visibility.
Finding Reports Workspace
The Finding Reports workspace provides an overview of all audit reports and findings in your organisation.
What You See
The workspace displays all reports with key information:
Report Type – Audit, assessment, review, or other category
Responsible – Who owns the report
Auditor – Who conducted the audit
Status – Current workflow stage
Score – Overall rating or assessment outcome
Due date – When follow-up actions should be complete
Workspace Functions
Advanced configuration opens detailed filter options. Search by:
Report type (internal audit, external audit, self-assessment)
Status (draft, in review, approved, closed)
Responsible party or auditor
Date ranges
Assessment scores or ratings
Table configuration controls which columns appear in the list. Show only the information relevant to your current task.
Preset management saves your filter and column settings:
Click + to save a preset with a descriptive name (e.g., "Open Audits – My Department")
Click ***** to set a default preset that loads automatically
Click X to remove unwanted presets
Exporting Reports
You can export Finding Reports to Excel or PDF for distribution to management or external stakeholders. Exports include all visible columns based on your current filter settings.
Creating a Finding Report
How to Get Started
Navigate to the Finding Reports workspace
Click Add finding report in the top right corner
You'll be presented with a form to capture the core report information.
Essential Information
Report type – Select the category that best describes your audit:
Internal audit
External audit
Self-assessment
Compliance review
Risk assessment
Other (specify)
Report number – Enter your internal or external audit reference number. This helps track the report across systems and makes it easy to reference in meetings or correspondence.
Object name – Describe the subject or entity being audited:
Department name
Process (e.g., "Accounts Payable Process")
System (e.g., "HR Information System")
Location or business unit
Be specific so users immediately understand what was assessed.
Roles and Responsibilities
Responsible – The person accountable for addressing findings and implementing improvements. This is often a department head or process owner, not the auditor.
Auditor – The person or team who conducted the audit and documented findings. They maintain oversight of follow-up actions.
Audit Context
Scope & Objective – Explain what was included in the audit:
Which processes, systems, or controls were reviewed
What the audit was trying to achieve
What risks or compliance requirements were evaluated
What was explicitly excluded from scope
Clear scope prevents confusion about what was and wasn't assessed.
Conclusion – Summarise the overall findings:
Were controls adequate and effective?
What significant gaps or weaknesses were identified?
What is the overall risk rating or assessment outcome?
What are the key priorities for improvement?
The conclusion should be executive-level summary that captures the essence of the audit without requiring readers to review every detail.
Supporting Documents
Attach relevant files such as:
Complete audit reports
Work papers
Evidence files
Methodology documentation
External auditor reports
Documents remain accessible throughout the finding report lifecycle and provide supporting detail for assessments and MoIs.
Saving the Report
Click Save to create the finding report. It now appears in the Finding Reports workspace and is ready for you to add assessments and improvement measures.
Adding Assessments to a Finding Report
An Assessment represents a specific finding or observation within the broader Finding Report. You can add multiple assessments to capture individual control failures, process gaps, or compliance issues.
Why Use Assessments?
Assessments provide granular detail. Instead of one overall audit score, you might have:
Access control assessment (score: 3/5)
Change management assessment (score: 4/5)
Data backup assessment (score: 2/5)
Incident response assessment (score: 3/5)
This granularity shows exactly where strengths and weaknesses lie.
How to Add an Assessment
Open an existing Finding Report
Navigate to the Assessments tab
Click Add assessment
Complete the assessment details:
Assessment date – When was this specific finding observed or evaluated?
Assessment type – Categorise the assessment:
Operational
IT/Technical
Compliance
Financial
Data protection/privacy
Security
Score – Select the outcome:
Numerical rating (1-5 scale, where 5 is excellent)
Descriptive rating (Effective, Needs improvement, Inadequate)
Pass/Fail
Custom scoring based on your organisation's methodology
Choose the scoring approach that aligns with your audit framework.
Assessor – Who performed this specific assessment? This might be different from the overall Auditor if multiple team members contributed to different sections.
Comments – Provide detail about the finding:
What specifically was observed or tested
Why this represents a concern or strength
What evidence supports the assessment
Any relevant context or mitigating factors
Good comments help readers understand not just the score but the reasoning behind it.
Saving the Assessment
Click Save to add the assessment to the finding report. You can add as many assessments as needed to fully document all findings from the audit.
Viewing All Assessments
The Assessments tab shows all individual assessments in a list, making it easy to:
Compare scores across different areas
Identify patterns (e.g., all IT controls scored low)
Prioritise improvement efforts
Generate detailed reports for stakeholders
Linking MoIs to Finding Reports
Every significant finding should lead to one or more improvement actions. MoIs provide the structured follow-up mechanism.
When to Create MoIs
Create MoIs for findings that require action, such as:
Control deficiencies that need remediation
Process gaps requiring procedure updates
Training needs
Technology improvements
Policy changes
Not every finding needs an MoI. Minor observations or positive findings typically don't require formal improvement actions.
How to Link MoIs
Open the Finding Report
Navigate to the Linked Measures of Improvement tab
Click Add MoI
Complete the MoI details following the structure described in the Measures of Improvement training:
Name and description of the improvement
Responsible party and reviewer
Due date and priority
Expected outcomes
Click Save MoI
The MoI is now linked to the finding report and visible in both locations.
Tracking Follow-Up
Once MoIs are created and linked:
The Auditor can monitor progress via the Finding Report
Status updates in the MoI automatically reflect in finding report views
Deadlines and priorities help ensure timely resolution
Completion of all MoIs enables finding report closure
Closing the Loop
When all linked MoIs are completed and accepted:
The Auditor reviews whether findings have been adequately addressed
The Finding Report status can progress to "Closed"
The audit cycle is complete with documented evidence of resolution
This closed-loop process demonstrates that findings weren't just noted but actually resolved.
Best Practices
Write Clear, Actionable Findings
Good findings are specific and actionable. Compare:
Weak: "Access control needs improvement"
Strong: "15 terminated employees retained active network accounts for an average of 23 days after departure, creating unauthorised access risk"
The strong finding provides concrete evidence and explains the risk, making it clear why action is needed.
Use Consistent Scoring
Within an audit, apply scoring consistently. If a score of "3" means "adequate but needs minor improvement," use that definition for every assessment. Inconsistent scoring makes reports difficult to interpret.
Link Findings to Risks and Controls
When you create assessments, reference specific risks or controls that are affected. This creates traceability between your finding reports and your risk register, making it easy to see how audit results inform risk management.
Set Realistic Due Dates for MoIs
When creating improvement actions, work with the Responsible party to establish achievable deadlines. Overly aggressive dates lead to missed commitments and erode confidence. Overly generous dates reduce urgency. Find the balance.
Document Management Response
For each significant finding, capture how management intends to respond. This might be:
Agreement to implement the recommendation
Acceptance of the risk with justification
Disagreement with the finding (with supporting rationale)
Management response demonstrates accountability and helps auditors understand organisational priorities and constraints.
Close Reports When Complete
Once all MoIs are resolved and the audit cycle is finished, close the finding report. Open reports from completed audits make it difficult to understand what still requires attention.
Closed reports remain accessible for reference and demonstrate your organisation's audit resolution track record.
Reporting and Analysis
Finding Reports enable powerful reporting capabilities:
Trend Analysis
Track findings over time:
Are the same issues appearing in multiple audits?
Are scores improving or declining?
Which departments have the most findings?
Trends reveal systemic issues that need strategic attention.
Priority Identification
Generate reports showing:
All open findings by priority
Overdue MoIs linked to findings
Departments with the most critical findings
This helps leadership allocate resources to the highest-priority improvements.
Audit Evidence
Finding Reports provide audit trail evidence showing:
What was assessed and when
What findings emerged
What actions were taken
When resolution was achieved
This documentation is invaluable during regulatory examinations or external audits.
Exercises
Exercise 1: Create a New Finding Report
Create a Finding Report for a fictional audit in your training environment
Complete the fields:
Report Type: Internal Audit
Responsible: Assign to yourself or a training colleague
Auditor: Assign an auditor role
Scope & Objective: Describe what you're auditing (e.g., "Review of access control procedures in HR system")
Conclusion: Write a brief overall assessment
Save the report
Exercise 2: Add Assessments
Open your Finding Report
Add at least two assessments with different types and scores:
Assessment 1: Type = IT, Score = 3/5, Comments = specific finding
Assessment 2: Type = Compliance, Score = 4/5, Comments = specific finding
Save each assessment
Review the Assessments tab to see your findings listed
Exercise 3: Link an MoI
Navigate to the Linked Measures of Improvement tab
Create a new MoI or link an existing one
Ensure the MoI has:
Clear description of required improvement
Assigned Responsible party
Realistic due date
Verify the link is visible in both the Finding Report and the MoI workspace
Track the MoI through its workflow until closure
Last updated