Documenting Findings
A finding represents an exception identified during fieldwork where an observed condition deviates from the expected criteria. AIIA uses the CCCER framework to structure every finding for consistency and clarity.
Creating a Finding
From a Workpaper
- Open the engagement → navigate to the Workpapers tab
- Open the workpaper where you identified the exception
- Click + New Finding
- The finding is automatically linked to the workpaper and engagement
From the Findings Module
- Navigate to Findings → + New Finding
- Select the Engagement this finding belongs to
- Optionally link to a specific Workpaper
The CCCER Framework
Every finding in AIIA follows the CCCER structure:
| Component | Field | Description | Required |
|---|---|---|---|
| Condition | description | What is happening — the observed state or issue | ✅ |
| Criteria | criteria | What should be happening — the standard, policy, or regulation | Optional |
| Cause | cause | Why it is happening — the root cause of the exception | Optional |
| Effect | effect | What is the impact — the risk or consequence | Optional |
| Recommendation | recommendation | How to fix it — the suggested corrective action | Optional |
Click AI Draft Finding to have the AI auto-generate CCCER components based on your workpaper content and test results. The AI analyzes the test procedures, evidence, and results to suggest a structured finding draft.
Example Finding
| Component | Example Content |
|---|---|
| Condition | 12 of 50 sampled purchase orders were approved by users below the required authorization threshold. |
| Criteria | Company Policy FIN-003 requires purchases above SAR 10,000 to be approved by a department director or above. |
| Cause | The approval matrix in the ERP system was not updated following the December 2025 organizational restructuring. |
| Effect | Unauthorized expenditures totaling SAR 847,000 bypassed the intended approval controls, increasing risk of financial misstatement. |
| Recommendation | Update the ERP approval matrix to reflect current organizational roles and implement quarterly reconciliation of approval limits against the HR org chart. |
Severity Classification
Set the severity level to prioritize remediation:
| Severity | Criteria | Response Timeframe |
|---|---|---|
| Critical | Material control failure, immediate financial/safety risk | Immediate remediation required |
| High | Significant control weakness, potential regulatory impact | Remediation within 30 days |
| Medium | Moderate control gap, efficiency/compliance concern | Remediation within 90 days |
| Low | Minor observation, best practice improvement | Remediation within 180 days |
Click AI Suggest Severity to get an AI-recommended severity based on the finding description, industry benchmarks, and historical findings. The suggestion includes a confidence score and reasoning.
Finding Lifecycle
| Status | Description | Who |
|---|---|---|
| DRAFT | Finding being drafted by auditor | Auditor |
| MANAGEMENT_RESPONSE | Awaiting management's response and action plan | Audit Client / Management |
| FINAL | Finding finalized and included in report | Manager / CAE |
| CLOSED | Remediation verified and finding closed | Manager / CAE |
Linking Evidence
Every finding should reference supporting evidence:
- Click Link Evidence on the finding
- Select evidence files already uploaded to the workpaper
- Or upload new evidence directly to the finding
- Evidence maintains full chain-of-custody (SHA-256 hash, timestamp, uploader)
Versioning
Findings are governed records with automatic versioning:
- Every edit creates a new
FindingVersionwith a JSON snapshot of the content - The version history records who changed what and when
- Previous versions are immutable — no edits can be retroactively applied
- Versioning ensures a complete audit trail for regulatory compliance
AI-Assisted Features
| Feature | Description |
|---|---|
| AI Draft Finding | Generates CCCER components from workpaper test results |
| AI Suggest Severity | Recommends severity based on finding content |
| AI Check Recurring | Searches historical findings for similar patterns across past engagements |
| AI Clarity Check | Reviews finding language for objectivity and clarity |
All AI-generated finding content is marked as a suggestion. The auditor must review, modify if needed, and explicitly click Apply before the content is saved. Every AI interaction is logged in the audit trail with the ai_execution_id field.
Required Permissions
| Action | Permission |
|---|---|
| Create findings | finding:create (Auditor, Manager, CAE) |
| Edit draft findings | finding:update (Auditor — own findings; Manager/CAE — all) |
| Finalize findings | finding:finalize (Manager, CAE) |
| Close findings | finding:close (Manager, CAE) |
| Delete draft findings | finding:delete (Manager, CAE — draft status only) |