Writing SOX Audit Findings in Clear Business English
Learn how to write SOX audit findings using the condition-criteria-cause-effect-recommendation structure, risk ratings, and management response language for IT audit professionals.
Why Audit Findings Must Be Written With Precision
An audit finding is not just a record of what went wrong. It is a formal document that will be read by management, external auditors, the board’s audit committee, and — in the case of a material weakness — disclosed in public financial statements. The language you use has legal and regulatory consequences.
For IT audit professionals, writing findings clearly in business English is as critical as performing the audit work itself. This guide walks through the standard finding structure, the vocabulary of risk ratings, and the language conventions that make findings credible and actionable.
The Audit Finding Structure
A complete, well-formed audit finding has five elements. Most professional audit standards and regulatory frameworks (IIA, PCAOB, SOX Section 404) implicitly or explicitly require all five.
| Element | Definition | Purpose |
|---|---|---|
| Condition | What the auditor observed — the factual finding | Establishes the basis of the finding |
| Criteria | The standard, policy, or requirement that the condition violates | Establishes that there is a gap |
| Cause | The root reason the gap exists | Directs remediation efforts |
| Effect | The risk or impact of the condition | Justifies the risk rating |
| Recommendation | The corrective action management should take | Makes the finding actionable |
Findings that omit any element are weaker: a finding without a stated cause produces remediations that treat symptoms; a finding without an effect produces under-resourced remediation.
Writing Each Element
Condition
Write the condition in plain, factual language. Avoid editorialising.
- Weak: “Management failed to implement adequate controls over privileged access.”
- Strong: “Testing identified 14 user accounts with privileged access to the production database that had not been subject to the required quarterly access recertification during the audit period.”
The strong version names the control (quarterly recertification), quantifies the exception (14 accounts), and anchors the finding in the audit period.
Criteria
Cite the specific policy, standard, or regulation. Do not paraphrase.
- “Per the organisation’s Access Control Policy (Section 4.2), privileged access accounts must be reviewed and recertified by the system owner on a quarterly basis.”
Cause
Diagnose the root cause, not the symptom.
- Symptom (not the cause): “The access recertification was not completed.”
- Root cause: “The system owner was not aware that the production database was in scope for the access recertification process, as it was not included in the list of in-scope systems communicated by the IT risk team.”
Common root causes in ITGC findings: lack of awareness, inadequate process documentation, unclear ownership, tool limitations, resource constraints.
Effect
State the risk that the condition creates for the organisation.
- “Without periodic recertification, terminated employees or individuals who have changed roles may retain access to sensitive financial data, increasing the risk of unauthorised data access or manipulation and potentially impacting the integrity of financial reporting.”
Tie the effect to financial reporting integrity wherever possible in a SOX context — this is what makes the finding relevant to SOX Section 404.
Recommendation
Make recommendations specific and actionable.
- Vague: “Management should improve its access management processes.”
- Specific: “Management should update the inventory of in-scope systems requiring quarterly access recertification to include the production database, assign a named owner for each recertification, and implement automated reminders via the GRC tool 30 days before each recertification deadline.”
Risk Ratings
Most audit functions use a three- or four-level risk rating scale.
| Rating | Definition |
|---|---|
| Critical / High | Significant probability of financial misstatement, regulatory breach, or material loss |
| Medium / Moderate | Notable control weakness with potential for significant impact if unaddressed |
| Low | Minor gap with limited potential for impact; best practice improvement |
| Informational / Advisory | Observation that does not rise to the level of a finding but warrants management attention |
In SOX audits, findings are also classified as control deficiency, significant deficiency, or material weakness (see the ITGC vocabulary guide). These classifications override or inform your internal risk rating.
Management Response Language
After receiving a draft finding, management writes a formal response. The standard structure is:
- Acceptance or partial acceptance: “Management accepts this finding.” / “Management partially accepts this finding; however, we note that…”
- Remediation action: The specific steps management will take
- Responsible owner: The named individual responsible for remediation
- Target completion date: A specific date, not “as soon as possible”
As an auditor reviewing management responses, look for responses that:
- Directly address the root cause (not just the symptom)
- Contain a specific, testable remediation action
- Have a realistic but timely completion date
Example Audit Finding Sentences
- “Testing of 30 change requests selected from the audit period identified four instances where code was promoted to the production environment by the same individual who developed the change, representing a segregation of duties failure in the change management process.”
- “The criterion for this finding is the organisation’s Change Management Policy (Section 3.1), which requires that all production deployments be approved by an individual with no development access to the code being deployed.”
- “The root cause of this finding is the absence of a technical control in the deployment pipeline that would prevent a developer from self-approving their own deployment requests.”
- “Management has accepted this finding and will implement a mandatory second-approver requirement in the CI/CD pipeline by 30 June, with the infrastructure engineering team responsible for the configuration change.”
- “This finding is rated Medium; while no evidence of unauthorised changes was identified during the audit period, the absence of preventive controls creates a risk of undetected manipulation of financial reporting data in future periods.”
Common Language Errors in Audit Findings
Passive voice overuse: The passive voice is appropriate for describing evidence (“No exceptions were identified”) but should not obscure who owns the control. “Controls were not operating effectively” says what happened, but not who is accountable. Name the owner: “The IT risk team’s controls for…”
Vague quantification: Avoid “several,” “a number of,” “some.” Always use exact counts: “3 of 25 items tested” or “12 accounts.” Exact numbers make findings harder to dispute and easier to track during remediation.
Conflating condition and cause: A common error is stating the cause in the condition element: “Due to the absence of a monitoring tool, the batch job failures were not detected.” The condition is “batch job failures were not detected.” The cause is “the absence of a monitoring tool.”