An audit finding is a determination made by an auditor during an assessment. A finding can be positive (conformity), negative (nonconformity), or a note of improvement potential (observation). ISO audits distinguish between major nonconformities, minor nonconformities, and observations.
ISO 27001 Clause 9.2 (Internal Audit) and Clause 10.1 (Continual Improvement) provide the framework for handling findings. Each nonconformity requires a root cause analysis and a corrective action with a deadline. Major nonconformities jeopardize certification and must be resolved before the next surveillance audit. In Cenedril, you document audit findings in the internal audit report and track corrective actions as tasks.