5 Audit Findings Every CFO Gets (And How to Eliminate Them for Good)

January 7, 2026

Your auditor just handed you the management letter. Five control findings. Last year you had two.

You know what's coming: the audit committee wants explanations. Your CEO wants a remediation plan. And your auditor just added 15% to next year's fee quote because "control environment concerns require additional testing."

Each finding costs you $5,000-$15,000 in immediate remediation work. But the real cost is the distraction. 

Your controller spends 60 hours documenting corrective actions instead of closing the quarter. Your team scrambles to implement new procedures while trying to keep up with daily operations. And next year's audit will specifically test whether you actually fixed these issues.

But most audit findings are predictable and preventable.

The same five control weaknesses show up in audit after audit: weak user access controls, poor data integrity, untested backups, manual journal entry processes, and inadequate patch management. 

Companies with mature control environments rarely see these findings. Companies with manual processes and informal controls see them every year.

This article shows you exactly why auditors flag these five findings, what they're actually looking for, and the specific controls you need to implement to eliminate them. Practical steps you can execute this quarter to prevent findings next audit.

Because the industry average is 2-3 findings per year. If you're at 5, you're not unlucky. You're behind.

Let's fix that.

5 Most Common Control Findings

Your auditor's management letter lists five findings. You read through them thinking, "These sound familiar."

They should. These are the same five control weaknesses that show up in audit after audit, across industries, across company sizes. They're not unique to your business. They're the predictable result of manual processes, informal controls, and reactive management.

Here's what your auditor found, why it keeps happening, what it's costing you, and exactly how to fix it before next year's audit.

Finding #1: Inadequate User Access Controls

What your auditor sees:

Too many people have administrative access to your ERP. Former employees still have active accounts. Users have access to functions they don't need for their job. Nobody's reviewing who can do what.

Your auditor pulls the user access report and finds:

  • 12 people have admin rights (you have 40 employees)
  • 3 former employees still have active logins
  • Your AP clerk can approve their own invoices
  • Your accountant who records journal entries can also approve them

That's a segregation of duties failure. It's also Finding #1 in your management letter.

Why it happens:

  • Manual access provisioning. When someone gets hired, IT sets up their account with "standard access." But "standard" means different things to different people. So everyone gets more access than they need.
  • No periodic review. Nobody's checking quarterly to see who has access to what. Former employees don't get deactivated because there's no formal offboarding checklist.
  • No segregation of duties enforcement. Your ERP doesn't prevent conflicts. It's up to someone to manually notice that the same person can enter and approve transactions. Nobody's checking.

The cost:

  • Immediate: $8,000-$12,000 in remediation. You need to document all current access, identify conflicts, remediate them, and create a quarterly review process.
  • Ongoing: 10-15% audit fee increase. Your auditor now has to do expanded testing because they can't rely on your access controls.
  • Risk exposure: If fraud occurs and your access controls are weak, your D&O insurance might not cover it.

How to fix it:

1. Implement role-based access control (RBAC). Define standard roles: AP Clerk, Accountant, Controller, etc. Document what access each role needs. Provision new users based on role, not custom requests.

Example roles and access:

  • AP Clerk: Can enter invoices, cannot approve payments
  • Accountant: Can enter journal entries, cannot approve them
  • Controller: Can approve journal entries, cannot enter them
  • Admin: Full system access (limit to 2-3 people maximum)

2. Create a formal access request and approval process. New user access requires:

  • Written request from hiring manager
  • Role assignment based on job function
  • IT provisioning based on role template
  • Documented approval

3. Implement quarterly access reviews. Every 90 days:

  • Pull complete user access report
  • Review with department managers
  • Deactivate terminated employees
  • Remove excess permissions
  • Document the review

One NetSuite services firm we support automated their quarterly access reviews using saved searches that flag inactive users and segregation of duties conflicts. 

Review time dropped from 8 hours to 45 minutes per quarter.

4. Enforce segregation of duties. Your ERP should prevent these conflicts:

  • Same person entering and approving transactions
  • Same person requesting and approving purchases
  • Same person handling cash and recording cash receipts

If your ERP can't enforce this, document compensating controls (like monthly review by a supervisor).
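As an added example that is not from the article or from any ERP vendor, the script below runs the quarterly access review described above over a constructed user-access export: it flags terminated employees whose accounts are still active, counts active admins against the recommended cap, and detects the segregation-of-duties conflicts listed above. The role templates, permission names and sample users are all assumptions made for the illustration.

```python
"""Quarterly user access review over a constructed ERP user-access export.

Added example; this is not code from the article or from any ERP vendor.
Assumptions: the export has one record per user with an active flag, a
termination date, and assigned roles; the role templates, permission names
and sample users below are constructed for illustration.
"""
from datetime import date

# Role templates: provision by role, never by custom request.
ROLE_PERMISSIONS = {
    "AP Clerk": {"enter_invoice"},
    "Accountant": {"enter_journal", "handle_cash"},
    "Controller": {"approve_journal", "approve_payment",
                   "approve_purchase", "record_cash_receipt"},
    "Admin": {"admin"},
}

# Permission pairs one person must never hold together (segregation of duties).
SOD_CONFLICTS = [
    ("enter_invoice", "approve_payment"),
    ("enter_journal", "approve_journal"),
    ("request_purchase", "approve_purchase"),
    ("handle_cash", "record_cash_receipt"),
]

MAX_ADMINS = 3  # the article's cap on full-system access

# Constructed sample export (not real users).
SAMPLE_USERS = [
    {"name": "alice", "active": True,  "terminated_on": None,               "roles": ["AP Clerk"]},
    {"name": "bob",   "active": True,  "terminated_on": None,               "roles": ["Accountant", "Controller"]},
    {"name": "carol", "active": True,  "terminated_on": date(2025, 11, 30), "roles": ["Accountant"]},
    {"name": "dave",  "active": False, "terminated_on": date(2025, 6, 1),   "roles": ["Admin"]},
    {"name": "erin",  "active": True,  "terminated_on": None,               "roles": ["Admin"]},
    {"name": "frank", "active": True,  "terminated_on": None,               "roles": ["Admin"]},
    {"name": "grace", "active": True,  "terminated_on": None,               "roles": ["Admin"]},
    {"name": "heidi", "active": True,  "terminated_on": None,               "roles": ["Admin", "AP Clerk"]},
]


def permissions_for(roles):
    """Effective permissions are the union of the user's role templates."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def review_access(users, today):
    """Return (user, finding) pairs for the quarterly review.

    Checks the three things the finding is about: terminated employees still
    active, too many admins, and segregation-of-duties conflicts.
    """
    findings = []
    active_admins = []
    for user in users:
        if not user["active"]:
            continue  # a deactivated account cannot act; nothing to flag
        perms = permissions_for(user["roles"])
        if user["terminated_on"] and user["terminated_on"] <= today:
            findings.append((user["name"], "terminated employee still active"))
        if "admin" in perms:
            active_admins.append(user["name"])
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append((user["name"], f"SoD conflict: {a} + {b}"))
    if len(active_admins) > MAX_ADMINS:
        findings.append(("*", f"{len(active_admins)} active admins exceed the cap of {MAX_ADMINS}: "
                              + ", ".join(active_admins)))
    return findings


if __name__ == "__main__":
    for who, what in review_access(SAMPLE_USERS, date(2026, 1, 7)):
        print(f"{who:6} {what}")
```

Run against the sample export it produces four findings: one terminated-but-active account, two conflicts for the user holding both Accountant and Controller roles, and the admin count over the cap. The output is the documented review record; the remaining step is the manager sign-off.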

Finding #2: Weak Data Integrity Controls

What your auditor sees:

Your GL doesn't reconcile to your subledgers. AR aging shows balances that don't match the GL. Inventory balances in your warehouse management system don't match your ERP. And nobody noticed until the auditor pointed it out.

Your auditor tests a sample of transactions and finds:

  • GL balance for AR: $2.1M
  • AR subledger total: $2.3M
  • Variance: $200K unreconciled difference
  • Last reconciliation: Never

That's a material weakness. It's Finding #2.

Why it happens:

Manual processes with no validation. Your team enters data in multiple systems. Nobody's checking if they match.

No automated reconciliations. You rely on someone manually pulling reports from two systems and comparing them in a spreadsheet. If they're busy, it doesn't happen.

No data validation rules. Your ERP accepts obviously wrong entries. Invoice amount: negative $500,000. Customer name: blank. Ship date: 1/1/1900. The system doesn't stop you.

The cost:

  • Immediate: $10,000-$15,000 in remediation. You need to reconcile everything retroactively, document the differences, and implement controls.
  • Risk exposure: If your data is wrong, your financial statements might be wrong. That's a restatement waiting to happen.
  • Management distraction: Your team spends 100+ hours unwinding errors instead of closing the month.

How to fix it:

1. Automate subledger reconciliations. Set up daily or weekly automated reports that compare:

  • AR subledger to GL
  • AP subledger to GL
  • Inventory system to GL
  • Bank accounts to GL

One software company we worked with had recurring exchange rate discrepancies between their invoices and GL. We built an automated validation that flagged mismatches daily instead of discovering them at month-end. Time saved: 6-8 hours per close.

2. Implement data validation rules at entry. Your ERP should reject:

  • Negative invoice amounts (unless explicitly approved)
  • Blank required fields
  • Invalid dates
  • Duplicate transaction IDs
  • Amounts exceeding approval thresholds without authorization

3. Create exception-based monitoring. Instead of reviewing every transaction, monitor for exceptions:

  • Transactions over $50,000
  • Journal entries without supporting documentation
  • Changes to vendor banking information
  • Transactions posted to closed periods

4. Establish formal reconciliation procedures. For critical accounts:

  • Reconcile weekly (not monthly)
  • Document the reconciliation
  • Investigate variances immediately (not at month-end)
  • Require supervisor review and approval
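The following is an added example, not code from the article or from any ERP, showing the entry-time validation rules and the subledger-to-GL reconciliation from steps 1 and 2 above run as a batch over a daily export. The invoice fields, the thresholds and all sample data are constructed; the sample includes the same bad entries the article describes (a negative $500,000 invoice, a blank customer, a 1/1/1900 date) and an AR subledger that is $200K off the GL.

```python
"""Entry-time validation rules and an AR-subledger-to-GL reconciliation.

Added example, not code from the article or from any ERP. The invoice fields,
thresholds, and sample data are constructed. In a real ERP these rules belong
in its validation layer at entry time; running them over a daily export, as
here, is the detective control for an ERP that cannot enforce them itself.
"""
from collections import Counter
from datetime import date
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("50000")   # above this an authorization reference is required
EARLIEST_VALID_DATE = date(2000, 1, 1)  # dates like 1/1/1900 are placeholders, not real dates
REQUIRED_FIELDS = ("invoice_id", "customer", "amount", "ship_date")
TODAY = date(2026, 1, 7)

# Constructed sample invoices, including the bad entries the article describes.
SAMPLE_INVOICES = [
    {"invoice_id": "INV-1001", "customer": "Acme", "amount": Decimal("120000"),
     "ship_date": date(2025, 12, 3), "authorization_ref": "PO-77"},
    {"invoice_id": "INV-1002", "customer": "", "amount": Decimal("4500"),
     "ship_date": date(2025, 12, 5)},
    {"invoice_id": "INV-1003", "customer": "Globex", "amount": Decimal("-500000"),
     "ship_date": date(2025, 12, 8)},
    {"invoice_id": "INV-1004", "customer": "Initech", "amount": Decimal("980"),
     "ship_date": date(1900, 1, 1)},
    {"invoice_id": "INV-1001", "customer": "Acme", "amount": Decimal("120000"),
     "ship_date": date(2025, 12, 3), "authorization_ref": "PO-77"},  # duplicate id
]

# Constructed open AR by customer (the subledger) and the GL control balance.
AR_OPEN_ITEMS = {"Acme": Decimal("900000"), "Globex": Decimal("850000"), "Initech": Decimal("550000")}
GL_AR_BALANCE = Decimal("2100000")


def validate_invoice(inv, today=TODAY):
    """Return the rules this invoice breaks; an empty list means it may be entered."""
    problems = []
    for field in REQUIRED_FIELDS:
        if inv.get(field) in (None, ""):
            problems.append(f"blank required field: {field}")
    amount = inv.get("amount")
    if amount is not None:
        if amount < 0 and not inv.get("negative_approved_by"):
            problems.append("negative amount without explicit approval")
        if abs(amount) > APPROVAL_THRESHOLD and not inv.get("authorization_ref"):
            problems.append("amount over threshold without authorization")
    ship = inv.get("ship_date")
    if ship is not None and not (EARLIEST_VALID_DATE <= ship <= today):
        problems.append("invalid ship date")
    return problems


def find_duplicate_ids(invoices):
    """Transaction ids that appear more than once in the batch."""
    counts = Counter(inv.get("invoice_id") for inv in invoices if inv.get("invoice_id"))
    return sorted(i for i, n in counts.items() if n > 1)


def reconcile_ar(open_items, gl_balance):
    """Compare the subledger total to the GL control account and report the variance."""
    subledger_total = sum(open_items.values(), Decimal(0))
    variance = subledger_total - gl_balance
    return {"subledger": subledger_total, "gl": gl_balance,
            "variance": variance, "reconciled": variance == 0}


if __name__ == "__main__":
    for inv in SAMPLE_INVOICES:
        print(inv["invoice_id"], validate_invoice(inv) or "ok")
    print("duplicates:", find_duplicate_ids(SAMPLE_INVOICES))
    print(reconcile_ar(AR_OPEN_ITEMS, GL_AR_BALANCE))
```

Amounts are `Decimal`, not floats, so the variance is exact and a reconciliation never reports a spurious one-cent difference. Scheduling this daily, with a non-zero variance or any validation failure routed to the reconciliation owner, is what turns the monthly surprise into a same-day exception.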

Finding #3: Inadequate Backup and Disaster Recovery Testing

What your auditor sees:

Your IT team runs nightly backups. But nobody's tested whether they actually work. Your disaster recovery plan is a Word document from 2018 that nobody's ever followed.

Your auditor asks: "When did you last test restoring from backup?"

Your IT manager says: "We assume they work."

That's Finding #3.

Why it happens:

  • Complacency. Backups run automatically every night. You get a success email. You assume everything's fine.
  • Fear of disruption. Testing a full restore requires downtime or a test environment. Nobody wants to disrupt operations to test something that "probably works."
  • No formal plan. You don't have a documented schedule for testing backups or disaster recovery procedures.

The cost:

Immediate: $5,000-$8,000 in remediation. Document backup procedures, test a restore, create a disaster recovery plan.

Catastrophic risk: 

If you have a real disaster and discover your backups don't work, you could lose months of financial data. That's a company-ending event.

How to fix it:

1. Test backup restores quarterly. Don't just check that the backup job completed. Actually restore data from backup and verify it's complete and accurate.

Testing checklist:

  • Select a backup from last month
  • Restore to test environment
  • Verify data completeness
  • Test key transactions
  • Document results
  • Update procedures based on findings

2. Maintain documented disaster recovery procedures. Your plan should include:

  • Step-by-step restore process
  • Contact information for key vendors
  • Recovery time objectives (how fast can we be back up?)
  • Recovery point objectives (how much data can we afford to lose?)
  • Assigned responsibilities (who does what during recovery?)

3. Schedule and document maintenance. Create a calendar:

  • Weekly: Verify backup completion
  • Monthly: Review backup logs for errors
  • Quarterly: Test restore procedures
  • Annually: Full disaster recovery drill

One ERP consulting firm we support runs quarterly disaster recovery tests. 

They discovered that their backup was missing a critical database table. They found it during a test, not during an actual disaster. 

That test saved their business.
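As an added example, not from the article or from any backup product, the script below does the "verify data completeness" step of the testing checklist above in a form that runs offline: it builds a constructed production database in SQLite, simulates a restore from a backup that silently omitted one table (the failure mode in the story above), and compares per-table row counts and content hashes between production and the restore. The table names and rows are constructed; `simulate_restore` stands in for a real restore into a test environment.

```python
"""Verify a restored backup against the production schema and row counts.

Added example, not the article's or any vendor's tooling. SQLite keeps it
self-contained: build_production_db() creates a constructed 'production'
database in memory, simulate_restore() copies only the tables a (possibly
incomplete) backup contained, and verify_restore() reports what is missing.
"""
import hashlib
import sqlite3


def build_production_db():
    """Constructed sample: three tables with a handful of rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE gl (id INTEGER PRIMARY KEY, account TEXT, amount INTEGER);
        CREATE TABLE ar (id INTEGER PRIMARY KEY, customer TEXT, balance INTEGER);
        CREATE TABLE vendor_bank (id INTEGER PRIMARY KEY, vendor TEXT, iban TEXT);
        INSERT INTO gl VALUES (1,'1200',2100000),(2,'2000',-750000);
        INSERT INTO ar VALUES (1,'Acme',900000),(2,'Globex',850000),(3,'Initech',550000);
        INSERT INTO vendor_bank VALUES (1,'Paperco','XX00 CONSTRUCTED');
    """)
    return conn


def snapshot(conn):
    """Per-table row count and content hash: the manifest the restore test compares."""
    manifest = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        rows = conn.execute(f'SELECT * FROM "{table}" ORDER BY 1').fetchall()
        digest = hashlib.sha256(repr(rows).encode()).hexdigest()
        manifest[table] = {"rows": len(rows), "sha256": digest}
    return manifest


def simulate_restore(source, tables_in_backup):
    """Copy only the listed tables into a fresh DB, as a partial backup would restore."""
    restored = sqlite3.connect(":memory:")
    for table in tables_in_backup:
        ddl = source.execute("SELECT sql FROM sqlite_master WHERE name=?", (table,)).fetchone()[0]
        restored.execute(ddl)
        rows = source.execute(f'SELECT * FROM "{table}"').fetchall()
        if rows:
            placeholders = ",".join("?" * len(rows[0]))
            restored.executemany(f'INSERT INTO "{table}" VALUES ({placeholders})', rows)
    restored.commit()
    return restored


def verify_restore(expected, actual):
    """Return a list of discrepancies; an empty list means the restore is complete."""
    issues = []
    for table, exp in expected.items():
        got = actual.get(table)
        if got is None:
            issues.append(f"missing table: {table}")
        elif got["rows"] != exp["rows"]:
            issues.append(f"row count mismatch in {table}: expected {exp['rows']}, got {got['rows']}")
        elif got["sha256"] != exp["sha256"]:
            issues.append(f"content mismatch in {table}")
    for table in actual.keys() - expected.keys():
        issues.append(f"unexpected table in restore: {table}")
    return issues


def run_restore_test(tables_in_backup):
    """Full cycle: snapshot production, restore from backup, compare, return issues."""
    prod = build_production_db()
    restored = simulate_restore(prod, tables_in_backup)
    return verify_restore(snapshot(prod), snapshot(restored))


if __name__ == "__main__":
    print("complete backup:", run_restore_test(["gl", "ar", "vendor_bank"]) or "ok")
    print("partial backup: ", run_restore_test(["gl", "ar"]))
```

The point of the content hash is that a successful backup job and a matching table list are not the same as matching data; a restore that produces the right tables with stale or truncated rows still fails this check. The empty-or-not list returned by `run_restore_test` is what gets recorded under "Document results" on the checklist.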

Finding #4: Manual Journal Entry Process with Weak Controls

What your auditor sees:

Journal entries are created in a spreadsheet, then manually entered into the system. 

Some entries are approved, some aren't. Supporting documentation exists sometimes. There's no systematic way to track who entered what or whether it was reviewed.

Your auditor tests a sample of 25 journal entries:

  • 8 have no supporting documentation
  • 12 were posted without approval
  • 5 posted directly to closed periods with no explanation
  • 3 were entered and approved by the same person

That's Finding #4.

Why it happens:

  • Manual processes. Someone creates a journal entry in Excel, emails it to accounting, accounting enters it in the ERP, someone (maybe) approves it.
  • No workflow enforcement. Your ERP doesn't require approval before posting. It's up to people to remember to follow the procedure.
  • No documentation requirements. The system doesn't force you to attach supporting documentation. Some people do it, some don't.

The cost:

Immediate: $6,000-$10,000 in remediation. Document all journal entries retroactively, implement approval workflows, train staff.

Risk exposure: 

Manual journal entries are the #1 fraud vector. If you can't prove entries were properly approved and supported, auditors assume fraud risk.

How to fix it:

1. Implement automated journal entry workflows. Your ERP should enforce:

  • Entry created by one person
  • Review and approval by a different person
  • Supporting documentation attached before approval
  • Approval thresholds (entries over $10K require Controller approval)

2. Require supporting documentation. No documentation = no posting. Period.

Required documentation for common journal entries:

  • Accruals: Calculation worksheet showing methodology
  • Reclassifications: Explanation of why reclassification is needed
  • Corrections: Original error and correction impact
  • Allocations: Allocation basis and calculation

3. Create standard journal entry templates. For recurring entries (depreciation, allocations, accruals), create templates with:

  • Predefined GL accounts
  • Calculation formulas
  • Required supporting documents
  • Approval routing

4. Implement monthly review of manual journal entries. Your controller should review:

  • All manual journal entries over $5,000
  • Any entries posted to prior periods
  • Any entries without supporting documentation
  • Any entries entered and approved by same person (should be zero)

One promotional products supplier we worked with was manually calculating revenue recognition every month. We automated their revenue recognition schedules in NetSuite so entries post automatically based on contract terms. 

Manual journal entries dropped by 80%. Audit finding eliminated.
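As an added example, not code from the article or from NetSuite's workflow engine, the script below implements the posting gate from step 1 and the monthly review from step 4 over a constructed batch of journal entries. Entry fields, approver roles and the sample entries are assumptions; the rules themselves are the ones listed above: a different approver than the preparer, documentation attached before approval, entries over $10K approved by the Controller, closed periods left closed, and a monthly review of manual entries over $5,000, prior-period entries, undocumented entries and self-approved entries.

```python
"""Journal entry posting gate and monthly exception review.

Added example, not the article's or NetSuite's workflow engine. Entry fields,
approver roles, closed periods and the sample entries are constructed; the
rules are the ones the article lists for steps 1 and 4.
"""
from decimal import Decimal

CONTROLLER_THRESHOLD = Decimal("10000")  # above this the approver must be a Controller
REVIEW_THRESHOLD = Decimal("5000")       # monthly review covers manual entries above this
CLOSED_PERIODS = {"2025-10", "2025-11"}  # constructed: periods already closed
CURRENT_PERIOD = "2025-12"               # "YYYY-MM" strings compare correctly as text

# Constructed sample batch (not real entries).
SAMPLE_ENTRIES = [
    {"id": "JE-1", "amount": Decimal("4200"), "prepared_by": "alice", "approved_by": "bob",
     "approver_role": "Controller", "attachments": ["accrual-calc.xlsx"],
     "period": "2025-12", "manual": True},
    {"id": "JE-2", "amount": Decimal("25000"), "prepared_by": "alice", "approved_by": "alice",
     "approver_role": "Accountant", "attachments": [],
     "period": "2025-12", "manual": True},
    {"id": "JE-3", "amount": Decimal("800"), "prepared_by": "carol", "approved_by": "",
     "approver_role": "", "attachments": ["reclass-memo.pdf"],
     "period": "2025-11", "manual": True},
    {"id": "JE-4", "amount": Decimal("15000"), "prepared_by": "system", "approved_by": "dan",
     "approver_role": "Controller", "attachments": ["depreciation-schedule.pdf"],
     "period": "2025-12", "manual": False},
]


def posting_errors(entry):
    """Rules the ERP workflow enforces before an entry may post; empty list means it posts."""
    errors = []
    if not entry.get("approved_by"):
        errors.append("not approved")
    elif entry["approved_by"] == entry["prepared_by"]:
        errors.append("prepared and approved by the same person")
    if not entry.get("attachments"):
        errors.append("no supporting documentation")
    if abs(entry["amount"]) > CONTROLLER_THRESHOLD and entry.get("approver_role") != "Controller":
        errors.append("over threshold without Controller approval")
    if entry["period"] in CLOSED_PERIODS and not entry.get("reopen_reason"):
        errors.append("posted to closed period without explanation")
    return errors


def can_post(entry):
    """No documentation, no approval, no exception: no posting."""
    return posting_errors(entry) == []


def monthly_review(entries):
    """The controller's monthly review list, one bucket per review criterion."""
    return {
        "over_threshold": [e["id"] for e in entries
                           if e["manual"] and abs(e["amount"]) > REVIEW_THRESHOLD],
        "prior_period": [e["id"] for e in entries if e["period"] < CURRENT_PERIOD],
        "undocumented": [e["id"] for e in entries if not e.get("attachments")],
        "self_approved": [e["id"] for e in entries
                          if e.get("approved_by") and e["approved_by"] == e["prepared_by"]],
    }


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["id"], "posts" if can_post(e) else posting_errors(e))
    print(monthly_review(SAMPLE_ENTRIES))
```

The automated depreciation entry (JE-4) passes the gate and is excluded from the over-threshold review bucket because it is not manual, which is the effect the NetSuite automation described above has on the review population: fewer manual entries means a shorter list for the controller each month. The `self_approved` bucket should come back empty every month; anything in it is a control failure, not a review item.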

Finding #5: Inadequate System Patch and Update Management

What your auditor sees:

Your ERP is running software from 2019. Critical security patches haven't been applied. Your IT team has no formal schedule for updates.

Your auditor asks: "When did you last apply security patches?"

Your IT manager says: "We're waiting for a good time to do maintenance."

That's Finding #5.

Why it happens:

Fear of disruption. Updates sometimes break things. So you avoid them to maintain stability.

No maintenance window. Your business runs 24/7, so there's never a "good time" for downtime.

No formal policy. Nobody's responsible for tracking patches or scheduling updates. It happens when someone remembers to do it.

The cost:

Immediate: $5,000-$8,000 in remediation. Apply overdue patches, document update procedures, create maintenance schedule.

Security risk: Unpatched systems are vulnerable to known exploits. If you get breached because you didn't apply a known security patch, your insurance won't cover it.

Compliance risk: Some regulations (SOX, HIPAA, PCI-DSS) require timely application of security patches.

How to fix it:

1. Establish a formal patch management policy. Your policy should define:

  • Who's responsible for monitoring security bulletins
  • How quickly patches must be applied (critical: 30 days, high: 60 days, medium: 90 days)
  • Testing requirements before production deployment
  • Exception process for delayed patches

2. Schedule regular maintenance windows. Pick a time that minimizes disruption:

  • Monthly maintenance window: Third Sunday of each month, 2am-6am
  • Quarterly major updates: Coordinate with period close (after close completes)
  • Emergency patches: Applied immediately for critical security issues

3. Test before production deployment. Don't apply patches directly to production:

  • Apply to test environment first
  • Test critical business processes
  • Document any issues
  • Deploy to production only after successful testing

4. Document all updates. Maintain a log showing:

  • Date patch released
  • Date patch tested
  • Date patch deployed to production
  • Issues encountered
  • Responsible person
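The following is an added example, not from the article or from any patch-management product, that turns the update log from step 4 into the evidence for steps 1 and 3: it reads a constructed log in the columns listed above, computes each patch's SLA deadline from the policy windows (critical 30 days, high 60, medium 90), and reports patches that are overdue, deployed without a prior test date, or have no responsible person. The CSV layout, the `low` severity window and the sample rows are assumptions.

```python
"""Patch SLA tracker over a constructed patch log.

Added example, not the article's or any vendor's tool. The log format and the
sample rows are constructed; the SLA windows for critical/high/medium are the
article's, and the 'low' window is an assumption. It flags overdue patches,
deployments that skipped testing, and patches with no owner.
"""
import csv
import io
from datetime import date, timedelta

SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}  # 'low' is an assumption

# Constructed sample log using the article's suggested columns (not real patches).
PATCH_LOG_CSV = """\
patch,severity,released,tested,deployed,owner,issues
KB-A,critical,2025-11-01,2025-11-10,2025-11-12,jsmith,
KB-B,high,2025-10-01,,,jsmith,waiting for maintenance window
KB-C,medium,2025-12-15,2025-12-20,2025-12-28,,
KB-D,critical,2025-12-20,,2025-12-21,agarcia,hotfix applied directly to prod
KB-E,medium,2025-11-01,2025-12-01,2025-12-15,agarcia,
"""


def parse_date(text):
    """ISO date or None for an empty cell (patch not yet tested/deployed)."""
    return date.fromisoformat(text) if text else None


def load_log(text):
    """Parse the CSV log into dicts with real date objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "patch": r["patch"], "severity": r["severity"].strip().lower(),
            "released": parse_date(r["released"]), "tested": parse_date(r["tested"]),
            "deployed": parse_date(r["deployed"]), "owner": r["owner"].strip(),
            "issues": r["issues"],
        })
    return rows


def assess(rows, today):
    """Return (patch, finding) pairs an auditor would raise from this log."""
    findings = []
    for r in rows:
        deadline = r["released"] + timedelta(days=SLA_DAYS[r["severity"]])
        # An undeployed patch is measured against today, so it keeps getting worse.
        finished = r["deployed"] or today
        if finished > deadline:
            findings.append((r["patch"], f"SLA missed by {(finished - deadline).days} days"))
        if r["deployed"] and (r["tested"] is None or r["tested"] > r["deployed"]):
            findings.append((r["patch"], "deployed without prior testing"))
        if not r["owner"]:
            findings.append((r["patch"], "no responsible person"))
    return findings


if __name__ == "__main__":
    for patch, finding in assess(load_log(PATCH_LOG_CSV), date(2026, 1, 7)):
        print(f"{patch}: {finding}")
```

Against the sample log as of 7 January 2026 it reports three things: the high-severity patch still "waiting for a good time" is 38 days past its 60-day window, the emergency hotfix went to production with no test date, and one patch has no owner. Those are exactly the gaps the policy in step 1 exists to close, and an exception process for delayed patches would add a column here recording who approved the delay and until when.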

True Cost of Control Findings

Let's add it up.

1. Direct audit costs:

  • Finding remediation: 5 findings × $8,000 average = $40,000
  • Audit fee premium: Base fee $150,000 × 15% increase = $22,500
  • Total direct cost: $62,500

2. Indirect costs:

  • Management time: 150 hours across Controller and CFO × $150/hour = $22,500
  • Staff time: 200 hours of accounting team remediation × $75/hour = $15,000
  • Total indirect cost: $37,500

Total cost of 5 control findings: $100,000

And that's assuming you fix everything before next year's audit. If findings persist, your audit fee increases compound. Second year with material weaknesses? Add another 20%.

3. Regulatory exposure:

For SOX-compliant companies, control findings trigger additional reporting requirements. Material weaknesses must be disclosed in your 10-K. That impacts your stock price and credibility with investors.

For non-public companies, repeated control findings can impact:

  • Bank covenants (lenders care about control environment)
  • M&A valuations (buyers discount for control risk)
  • Insurance premiums (D&O insurance costs increase)

One software company we supported had 4 control findings two years in a row. Their bank required quarterly reporting instead of annual because of "control environment concerns." 

The additional compliance work cost them $30,000 per year.

Path to Zero Findings

Here's your roadmap:

Step 1: Assess your current control environment (Week 1)

Run a self-assessment:

  • Who has access to what systems?
  • When did you last test backups?
  • How are journal entries approved?
  • When did you last apply security patches?
  • What subledger reconciliations exist?

Document the current state. Be honest about gaps.

Step 2: Document required controls (Week 2-3)

Based on your industry and size, determine what controls you actually need:

  • SOX requirements (if public or preparing for IPO)
  • COSO framework basics
  • Industry-specific requirements (HIPAA, PCI-DSS, etc.)
  • Auditor expectations

Create a controls matrix showing:

  • Required control
  • Current state
  • Gap
  • Remediation owner
  • Target completion date

Step 3: Close the gaps (Week 4-12)

Prioritize based on audit risk:

  • Start with user access controls (highest risk)
  • Then data integrity controls
  • Then backup testing
  • Then journal entry workflows
  • Finally patch management

Implement one control at a time. Test it. Document it. Move to the next.

Step 4: Test control effectiveness (Quarterly)

Before your auditor tests your controls, test them yourself:

  • Pull sample transactions
  • Verify controls operated as designed
  • Document results
  • Fix any exceptions

Step 5: Maintain ongoing discipline

Controls aren't one-time. They require ongoing attention:

  • Monthly: Review access, reconciliations, journal entries
  • Quarterly: Test backups, review exceptions, update documentation
  • Annually: Full control assessment, update policies

The role of outsourcing:

Companies that outsource accounting functions typically have stronger control environments. Why?

Outsourcing partners specialize in controlled processes. They have:

  • Documented procedures for everything
  • Automated reconciliations and validations
  • Formal approval workflows
  • Regular control testing
  • Professional audit preparation

One ERP services provider we support went from 5 audit findings to zero after outsourcing their GL maintenance and close process. Their outsourcing partner brought documented controls, automated reconciliations, and quarterly control testing. 

Total time to remediate: 6 months.

Their auditor specifically noted in the management letter: "Control environment significantly improved due to outsourced accounting function with formal control framework."

Your Control Environment Is a Choice

You have five audit findings this year. The industry average is 2-3.

Next year, you could be explaining the same findings to the audit committee again. Or you could be the CFO who cut findings to zero and reduced audit fees by 15%.

The difference? Ninety days of focused remediation starting this week.

Book your audit readiness assessment.

We'll walk through your five findings, show you which controls to implement first for maximum audit impact, and give you the documented framework your auditor expects to see.

Your audit partner already told you what's broken. We'll show you exactly how to fix it before they come back next year.
