Key Facts
- A finding has five elements: condition, criteria, cause, effect, and recommendation. Your response has to engage all of them.
- Material weakness > significant deficiency. Material weakness means a control gap big enough that a material problem could slip through undetected.
- Questioned costs ≠ disallowed costs. Questioned is flagged; disallowed is the agency's decision after resolution.
- Corrective action plan required by 2 CFR 200.511. One CAP per finding, addressing root cause, with owner and timeline.
- Management decision within 6 months — the agency must resolve findings under 2 CFR 200.521.
Summary
Getting an audit finding feels worse than it usually is. Most organizations get findings at some point — repeat federal grantees almost all have a finding history. What separates a manageable situation from a damaging one is how you respond. A finding that's acknowledged honestly, traced to its root cause, and fixed with a credible corrective action plan closes out and fades. A finding you minimize, deflect, or paper over with a vague promise comes back next year as a repeat finding, and repeat findings are what really hurt your standing.
This guide covers the vocabulary you need — material weakness, significant deficiency, questioned costs — and then the part that matters most: writing a corrective action plan the agency will accept and that actually prevents the problem from recurring.
The Anatomy of a Finding
Every audit finding under 2 CFR 200.516 is built from five elements, and understanding them is half the battle, because your response has to answer each one:
- Condition — what the auditor actually found. ("Three of 25 sampled payroll charges lacked time-and-effort certifications.")
- Criteria — the rule that was broken. ("2 CFR 200.430 requires records that accurately reflect the work performed.")
- Cause — why it happened. ("The organization had no procedure requiring effort certification before charging payroll.")
- Effect — the consequence. ("$14,200 in payroll costs could not be supported.")
- Recommendation — what the auditor suggests. ("Implement a monthly effort certification process.")
Notice the cause. That's the one your corrective action plan has to attack. A weak CAP responds to the condition ("we'll get certifications for those three charges") and ignores the cause ("we have no process"). The agency wants the process fixed, not just the three transactions.
Material Weakness vs. Significant Deficiency
These two terms get confused constantly, so here's the clean version. Both describe deficiencies in internal control over compliance. The difference is severity.
A significant deficiency is a control weakness — or combination of weaknesses — that's less severe than a material weakness but important enough that those charged with governance should know about it. It's a "you need to fix this" finding.
A material weakness is more serious: a deficiency, or combination of deficiencies, in internal control such that there's a reasonable possibility that material noncompliance with a compliance requirement won't be prevented, or detected and corrected, on a timely basis. In plain terms, the control gap is big enough that a significant problem could get all the way through your system undetected. Material weaknesses draw more agency scrutiny and are weighed heavily in risk assessments that determine future award conditions.
Auditors also distinguish a control deficiency (the underlying weakness) from noncompliance (an actual violation of a requirement). A single problem can be reported as both — a noncompliance finding and the control weakness that allowed it.
GrantMetric Analysis
- A repeat finding is far worse than a first-time finding. Agencies and pass-through entities track findings year over year in the summary schedule of prior audit findings. A finding that shows up two or three years running tells them your corrective action plans aren't real — you wrote words to close the finding but never fixed the process. Repeat findings drive higher risk ratings, which drive more restrictive award conditions, more monitoring, sometimes specific conditions under 200.208. The whole point of a CAP is to make sure the finding doesn't come back.
- You can dispute a finding — but pick your battles and do it in the right place. The auditee has the right to respond, and your views go into the audit report. If a finding is factually wrong, say so clearly and with evidence. But disputing a finding just because you don't like it, when the auditor is basically right, wastes credibility you'll want later. The smarter move on most findings is to agree, fix it, and move on. Save the fight for findings that are genuinely incorrect or where the questioned cost is large and defensible.
- Questioned costs are a negotiation, not a verdict. When the auditor questions a cost, it goes to the federal awarding agency to resolve via a management decision (200.521). That's your opening. If you can produce documentation that was missing during fieldwork, or show the cost was genuinely allowable, you can get the question resolved in your favor before it ever becomes a disallowance. Don't treat a questioned cost as money already lost — treat it as a cost you now have a defined window to defend.
Questioned Costs and What Comes Next
Under 2 CFR 200.516, the auditor reports known questioned costs greater than $25,000 for a type of compliance requirement, plus known questioned costs when likely questioned costs exceed that threshold. A questioned cost is the auditor saying "this might not be allowable" — because it potentially violates the award, isn't adequately documented, or looks unreasonable.
The finding then goes to the Federal Audit Clearinghouse, and the federal awarding agency or pass-through entity issues a management decision under 200.521 — generally within six months of accepting the audit report. The management decision states whether the agency sustains the questioned cost. If it does, you repay. If you've successfully shown the cost was allowable, the question is resolved without repayment. This is why your response window matters so much: a questioned cost is not yet lost money.
Writing a Corrective Action Plan That Closes
The corrective action plan is required by 2 CFR 200.511(c) and submitted with the audit. For each finding it should state: whether you agree with the finding (and if not, why, with specifics); the specific corrective actions you'll take; the responsible official by title; and the anticipated completion date. That's the skeleton. Here's what makes one actually work.
Fix the cause, not the symptom. If the finding is missing effort certifications, the corrective action isn't "obtain the missing certifications" — it's "implement a monthly effort-certification procedure, assign the finance director to enforce it, train all PIs by [date], and verify compliance in monthly reviews." Name a real person by title. Give a real date that's soon but achievable (an aggressive date you'll miss is worse than a realistic one). And make it verifiable — write it so that six months later, someone can check whether you actually did it.
And then do it. The most common failure isn't a bad CAP — it's a fine CAP that nobody implements, so the finding repeats. Calendar the completion date. Assign it. Follow up.
Corrective Action Plan Checklist
- Identify the cause, not just the condition. Your CAP must attack why it happened, or the finding repeats.
- State agreement or specific, evidenced disagreement. Don't dispute findings that are basically right.
- Name a responsible official by title and give a realistic completion date.
- Make the action verifiable. Someone should be able to confirm it was done.
- Defend questioned costs before the management decision. Produce missing documentation early.
- Implement and track it. Calendar the date, assign it, and verify — repeat findings are the real damage.