Summary
Repeat audit findings are rarely about a single missed task. Auditors often see the same issue return when the underlying system never changes: ownership is ambiguous, governance does not enforce deadlines, staffing and training are inconsistent, and tracking lives in brittle spreadsheets or email threads instead of a structured workflow. Public audit reports illustrate this pattern across sectors: a public university with an uncorrected repeat investment accounting issue (financial and public sector), a federal agency with multi-year open cybersecurity remediation items (IT and cybersecurity), and a managed care plan with a repeat pediatric lead exposure guidance finding (healthcare). [1]
Breaking the cycle requires treating every finding as a managed corrective action program: assign accountable owners, define timelines and evidence, monitor aging and overdue items, and escalate based on risk. Federal grant rules explicitly expect follow-up, including tracking prior findings and documenting recurrence reasons, corrective actions, responsible contacts, and anticipated completion dates. [2]
AuditFindings supports this approach with centralized issue tracking beyond spreadsheets: imported issue logs, assignment workflows, dashboards that surface priorities and missing metadata, age and past-due calculations, mass edits for rapid cleanup, and configurable reminder notifications that drive follow-through. [3]

Evidence From Public Reports: Three Repeat Finding Case Studies
Auditors document repeats in plain language: “a similar finding was noted,” “recommendations remained open,” or “this is a repeat.” The table below compares three public reports across financial, IT and cybersecurity, healthcare, and public sector contexts.

| Organization | Audit type | Repeat finding | Years repeated | Consequences noted in report | Remediation taken or directed |
| --- | --- | --- | --- | --- | --- |
| Florida Agricultural and Mechanical University (FAMU) | Operational audit with financial controls focus (public sector) | Special Investments with State Treasury (SPIA) balances and income recorded without records demonstrating the basis, noted as similar to a prior report; prior audit follow-up states corrective action not taken | Report No. 2022-093 and report No. 2025-037 (Oct 2024) | Risk of unreliable financial records; report quantifies SPIA balance ($56.5M) and income ($1.9M over 18 months) tied to the control gap | Auditor recommends corrective action; report explicitly states corrective action had not been taken for the prior finding [4] |
| U.S. General Services Administration (GSA) | FY 2024 FISMA performance audit (IT and cybersecurity, public sector) | Prior-year security control weaknesses (example: audit log monitoring and access review/recertification) first reported in FY 2022; certain recommendations remained open in FY 2023 and were followed up in FY 2024 | FY 2022 to FY 2024 | Residual cybersecurity exposure implied by open items; report tracks closure status by year and labels some 2023 findings as still “Open” | Recommendations include implementing documented review processes and independent recertification; status tracking shows some items closed in FY 2023 and FY 2024, and some 2023 items still open [5] |
| CalOptima Health Plan (California DHCS medical review audit) | Medical review compliance audit (healthcare) | Blood lead screening: failure to ensure providers deliver anticipatory guidance for lead exposure; explicitly labeled a repeat of the prior audit’s finding | “Repeat of the 2022 audit’s finding 2.1.1” in the 2024 report | Report warns child members may be at risk of lead poisoning if guidance is not provided | Recommendation to implement a process ensuring age-appropriate anticipatory guidance is provided and monitored [6] |
These are not edge cases. They are examples of a common audit reality: repeats happen when corrective action is not fully implemented, not validated for effectiveness, or not sustained over time. The GSA report illustrates how auditors track open recommendations across years (and explicitly notes why FY 2022 items were followed up again in FY 2024). [5]
What Auditors Say: Patterns Behind Repeat Findings
Auditors tend to interpret repeat findings as signals about the organization’s follow-through system, not just an isolated miss.
In healthcare compliance work, auditors often document that a written policy or tool exists, but the operational mechanism is incomplete. In the CalOptima case, the plan described using a review tool, but auditors noted the standards were not updated to include required criteria, and the organization acknowledged it lacked an alternate process to ensure the guidance was delivered. The result: the finding reappeared and was explicitly labeled a repeat. [6]
In IT and cybersecurity audits, auditors frequently focus on the “last mile” mechanics: evidence of periodic review, timely updates to remediation artifacts, and accountability for overdue items. In the GSA FISMA report, auditors identified POA&M updates that had not been refreshed for “Delayed” items since August 2022, and listed at least one prior-year finding as still open. That is the texture of cybersecurity repeat findings: the remediation plan exists, but the governance and operational discipline around it are weak. [7]
Auditor commentary also highlights that repeat findings should be explicitly tracked and evaluated in status reporting. ISACA guidance on follow-up processes recommends analyzing and flagging repeat findings and using escalation for long-outstanding issues, because reopened or repeat issues can indicate the internal control environment did not actually improve. [8]
Regulatory frameworks reinforce this expectation. Under 2 CFR 200.511, auditees are responsible for follow-up and corrective action on all audit findings, including producing a summary schedule of prior audit findings and a corrective action plan. When findings recur, the schedule must describe recurrence reasons and planned corrective action, and corrective action plans must name responsible contacts and anticipated completion dates. [2]
Root Causes and Remediation Playbook
Repeat findings usually cluster into five root causes. Each has a practical remediation approach, and each maps cleanly to how audit issue management should work.
Governance gaps show up when management does not routinely review open issues, or review is high level but not action-driving. Remediation: establish a cadence (monthly or quarterly) where leadership reviews open issues by risk, overdue status, and repeat flags; enforce escalation when due dates slide. AuditFindings supports governance visibility with dashboards that summarize non-archived issues, show issues by priority and status, and surface “problem issues” like no due date or no status set. [9]
Ownership ambiguity is the classic driver of “everyone thought someone else had it.” Remediation: assign a single accountable owner per issue (even if multiple contributors execute tasks), and make ownership visible to the organization. AuditFindings supports this through assignment workflows and dashboard widgets that list “Issues Assigned to Me,” reinforcing that an assignee is expected to complete or ensure completion of corrective action. [10]
Resourcing and training constraints become repeats when staff turnover, vacancies, or skill gaps prevent execution. The FAMU report explicitly links untimely personnel evaluations to turnover, lack of training, and supervisors neglecting responsibilities, and recommends accountability and training improvements. Remediation: treat corrective actions as resourced work, not side work; define training and handoff steps as part of the action plan; use aging and past-due metrics to justify resource allocation. AuditFindings supports this by calculating issue age and past-due days based on issue dates, due dates, and actual resolution dates, enabling leaders to see when the backlog is becoming structural. [11]
Poor tracking mechanics are often the hidden source: spreadsheets without reminders, broken version control, missing due dates, and no structured evidence capture. Remediation: centralize all findings across audits in a single system; standardize required fields (owner, status, due date, priority); require documented evidence of completion and effectiveness testing. AuditFindings supports migration beyond spreadsheets by importing issues from .xls, .xlsx, or .csv, mapping spreadsheet columns to system fields, and highlighting that status, issue date, and target resolution date are highly recommended for system reporting. [12]
Culture and incentives matter when corrective action is treated as optional, or when closing items is rewarded more than fixing root causes. Remediation: require evidence-based closure, re-test high-risk fixes, and tie performance metrics to sustained closure (no reopens). AuditFindings supports reinforcement through configurable notifications (including reminders prior to due dates, recurring “issue is open” emails, and “issue is past due” emails), making it harder for the organization to quietly ignore outstanding items. [13]
How AuditFindings Supports Sustainable Closure
AuditFindings is most effective when used as a workflow tool, not just a repository. The operational pattern it enables aligns with how auditors expect follow-up to work: assign, schedule, track, document, and report.
First, it brings fragmented remediation into one place. Teams can import existing issue logs from Excel or CSV, map fields, and validate that the import succeeded. That reduces the friction of abandoning spreadsheets and starts remediation with historical context intact. [14]

Second, it creates visible accountability. Issues can be assigned to users so that assignees see their obligations directly in dashboard views. This makes ownership explicit and supports cross-functional remediation when internal controls span departments (finance, IT, compliance, operations). [10]
Third, it operationalizes prioritization and governance. The platform dashboard emphasizes non-archived issues and provides views by priority and status, plus filters for audit, audit type, department, region, and tags. This matters when organizations face a multiplicity of audits: governance can slice the issue universe into board-ready narratives and execution-ready worklists. [15]
Fourth, it reduces “administrative drag” that often causes repeats. Mass edits allow teams to update status, priority, target resolution dates, and assignments in bulk, which is particularly useful right after an audit report drops or when cleaning up a backlog. [16]
Finally, reminders and age tracking help prevent silent schedule drift. Notification settings can be configured to send reminders prior to due dates and recurring notices while issues remain open or past due. Combined with issue age and past-due calculations, this makes it much easier to detect early when a corrective action program is failing and likely to generate repeats. [17]
[1] [4] [11] https://www.famu.edu/administration/audit/pdf/external_audits/FY%2023-24%20AG%20Operational%20Audit_final_2025-037.pdf
[2] https://www.ecfr.gov/current/title-2/subtitle-A/chapter-II/part-200/subpart-F/subject-group-ECFRc3bd6ae97de5a40/section-200.511
[3] [12] [14] https://support.auditfindings.com/hc/en-us/articles/203412629-Importing-Issues
[5] [7] https://www.gsaig.gov/sites/default/files/audit-reports/FY2024%20Independent%20Performance%20Audit%20on%20the%20Effectiveness%20of%20GSA%27s%20Information%20Security%20Program%20%20Practices.pdf
[6] https://www.dhcs.ca.gov/services/Documents/MCQMD/Compliance%20Unit-CAP/2024-CalOptima-Audit-Report.pdf
[8] https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2025/follow-up-audits-and-follow-up-process-the-auditors-impact-litmus-tool
[9] [15] https://www.auditfindings.com/audit-issue-tracking-system-overview/platform-dashboard/
[10] https://support.auditfindings.com/hc/en-us/articles/203412569-Assign-Issues-To-Others
[13] [17] https://support.auditfindings.com/hc/en-us/articles/115002604533-Configure-Notification-Settings
[16] https://support.auditfindings.com/hc/en-us/articles/203412649-Mass-Edits
