08. Follow Up and Remediation Plans
[Video: ND545 C4 L5 06 Follow-Up And Remediation Plans]
Earlier, we described the audit work product as findings. After each audit, your assessor should provide the organization with a list of findings: items that did not meet the requirements of the standard, framework, or control set the assessor was measuring against. At a minimum, each finding should also include the assessor's assessment of the risk it poses to the organization and a recommended plan of action.

Once received, it is up to your organization's GRC professionals to manage the findings, and there are two critical tasks that should be undertaken. First, the organization should respond to each finding. You can do this by creating a management response that lists each finding and gives a high-level statement of whether you agree, disagree, or partially agree with the finding itself, with the assessor's view of the risk, and/or with the assessor's recommended remediation plan. If you disagree or only partially agree, you should also state your reasons for doing so, since the response becomes part of the audit record and is what the next assessor will read. Second, each management response should be recorded and used to create plans of action and milestones (POAMs) for the remediation of any items the organization plans to address. These POAMs operate as previously discussed in other lessons.