Respond to Audit Findings
How to intake, assign, remediate, and close data governance findings from Internal Audit, External Audit, and regulatory examinations using CoComply's Findings Management module.
Log the Finding in CoComply
When an audit finding related to data governance is issued — whether from Internal Audit, an external auditor, or a regulatory examination — log it immediately in CoComply's Findings Management module (within the Assure section). Create a new Finding record and populate: finding source (Internal Audit, OCC, FRB, FDIC, External Audit), finding title, full description, the specific data asset or report schedule affected, the regulatory citation if applicable, the severity (Critical, High, Medium, Low), and the issued date. Assign a Finding Owner from the relevant business or data team.
- Use CoComply's Finding Categories to tag the type of deficiency: Data Ownership Gap, DQ Control Failure, Policy Non-Compliance, Lineage Documentation, Certification Miss.
- Link the finding to the specific CDE or report in CoComply's catalog — this enables traceability from finding to asset.
- If the finding references a policy gap, link it to the relevant policy in the Policies module.
Conduct a Root Cause Analysis
Before drafting a management response, identify the root cause of the finding. Was this a process failure (no one performed the control), a people failure (wrong owner assigned), a technology gap (CoComply was not used consistently), or a policy gap (no standard existed)? Document the root cause directly in CoComply's Finding record. A strong root cause statement is the foundation of a credible management response and a durable remediation plan — auditors and examiners read these carefully.
- Use the Five Whys method: ask why the control failed, then why that happened, and keep going until you reach a systemic cause.
- Avoid blaming individuals — frame root causes at the process or system level.
- If the root cause is a CoComply adoption gap (the tool was available but not used), note the specific workflow that was skipped and why.
Draft and Submit the Management Response
In CoComply, the Management Response field is where your institution formally responds to the auditor or examiner. Write a response that: acknowledges the finding without being defensive, states the root cause clearly, describes the specific remediation actions you will take, and commits to a realistic target remediation date. Responses are version-controlled in CoComply, so auditors can see if the response has been revised after submission.
- Commit to specific actions, not vague commitments. 'We will update our CDE ownership assignments for all Tier 1 assets by [date]' is better than 'We will improve data governance.'
- For regulatory examination findings, confirm your response with Legal and Compliance before submission.
- If the finding has a regulatory deadline (e.g., an MRA with a specific due date), set that date as the Target Remediation Date in CoComply.
Assign Tasks and Execute Remediation
Break the remediation plan into specific tasks in CoComply's Findings Management module. Each task should have a clear owner, due date, and expected deliverable. Common remediation task types include: updating CDE ownership records, completing missing data quality checks, revising a policy or procedure, running a missed certification cycle, or training a team on a CoComply workflow. Track task completion in CoComply — the Finding status updates automatically as tasks are marked complete.
- Set milestone check-ins at 25%, 50%, and 75% completion for findings with long remediation timelines.
- If a task is blocked — waiting on a system change, a vendor, or a budget approval — log the blocker in CoComply and escalate proactively rather than letting the due date slip quietly.
- For high-severity findings, schedule a bi-weekly status review between the Finding Owner and the Data Governance Lead.
Collect Evidence of Remediation
Remediation is not complete until you have evidence that the control is operating. In CoComply, attach evidence directly to the Finding record: updated CDE ownership screenshots, completed attestation records, revised policy documents, DQ check results, or training completion logs. Evidence is stored in CoComply's immutable evidence vault with timestamps. When Internal Audit or an examiner returns to validate the remediation, this package is ready instantly.
- Evidence should demonstrate that the control is operating, not just that a one-time fix was made.
- For DQ-related findings, attach the most recent DQ check results showing the finding metric has returned to an acceptable threshold.
- For ownership findings, attach a screenshot of the updated CoComply ownership record with the new owner's name and assignment date visible.
Close the Finding and Monitor for Recurrence
Once all remediation tasks are complete and evidence is attached, update the Finding status to Remediated and submit to the original finding issuer (Internal Audit or examiner) for validation. In CoComply, the finding is not marked Closed until the issuer confirms the remediation is adequate. After closure, set a monitoring flag on the affected CDE or report — CoComply will surface any future DQ failures or ownership gaps on the same asset in the Operate module's monitoring dashboard.
- Ask Internal Audit to document their validation conclusion in CoComply rather than in a separate email, so the full finding lifecycle stays in one place.
- Monitor for recurrence for at least two certification cycles after finding closure.
- Use the Findings Trend view in the Operate module to identify patterns across findings — recurring themes across multiple findings may indicate a systemic control gap.