When Audit Findings Require a Corrective Action Plan
Under 2 CFR 200.511(c), the auditee must prepare a corrective action plan to address each audit finding included in the auditor's reports. This is not discretionary — every finding in the schedule of findings and questioned costs requires a written response from management. The corrective action plan is submitted as part of the single audit reporting package to the Federal Audit Clearinghouse (FAC) and becomes a matter of public record.
Not all findings carry the same weight, however. The severity and type of finding dictate the level of federal agency attention it will receive, the urgency of the corrective action expected, and the potential consequences for your organization's future funding. Understanding the classification of findings is the first step in crafting an appropriate response.
Understanding Audit Finding Types
Single audit findings are classified along two dimensions: the nature of the internal control deficiency and the type of compliance issue identified. These classifications are defined by Government Auditing Standards (GAGAS) and 2 CFR 200 Subpart F.
Internal Control Deficiency Classifications
| Classification | Definition | Severity |
|---|---|---|
| Deficiency in Internal Control | A control is designed, implemented, or operated in a way that does not allow management or employees to prevent or detect misstatements on a timely basis | Lowest — communicated to management but not required to be reported in the single audit |
| Significant Deficiency | A deficiency or combination of deficiencies in internal control that is less severe than a material weakness but important enough to merit attention by those charged with governance | Moderate — reported in the single audit; requires corrective action |
| Material Weakness | A deficiency or combination of deficiencies in internal control such that there is a reasonable possibility that a material misstatement will not be prevented or detected and corrected on a timely basis | Highest — reported in the single audit; triggers enhanced federal oversight; prevents low-risk auditee status |
Compliance Finding Types
| Finding Type | Definition | Implications |
|---|---|---|
| Noncompliance | The entity did not comply with a requirement applicable to a federal program | Corrective action required; may trigger additional monitoring |
| Material Noncompliance | Noncompliance that could have a direct and material effect on a major program | Modified opinion on compliance for the program; elevated federal agency review; may result in conditions on award or withholding of funds |
| Questioned Costs | Costs that are questioned because of noncompliance with a provision of law, regulation, contract, grant, cooperative agreement, or the cost principles (2 CFR 200 Subpart E) | Known questioned costs (documented) or likely questioned costs (projected from sample); may require repayment to the federal government |
A single finding can involve multiple classifications simultaneously. For example, a finding might identify a material weakness in internal controls over procurement, material noncompliance with the procurement standards in 2 CFR 200.320, and $45,000 in questioned costs related to procurements that lacked required competitive bidding. Each element of the finding must be addressed in your corrective action plan.
Anatomy of an Effective Corrective Action Plan
Under 2 CFR 200.511(c), the corrective action plan must address each audit finding and include the name of the contact person responsible for corrective action, the planned corrective action, and the anticipated completion date. In practice, effective CAPs go well beyond these minimum requirements. Federal agencies and cognizant auditors evaluate CAPs for specificity, feasibility, and evidence that the organization genuinely understands the root cause of the finding.
Every corrective action plan should contain the following elements:
| Element | Description | Example |
|---|---|---|
| Finding Reference | The finding number from the schedule of findings (e.g., 2025-001) | Finding 2025-001: Procurement — Lack of Required Competition |
| Management Response | Whether management agrees or disagrees with the finding, and the basis for any disagreement | Management concurs with the finding. The organization did not obtain required competitive bids for 3 of 12 sampled procurements. |
| Root Cause | The underlying reason the noncompliance or control deficiency occurred | The procurement policy was last updated in 2018 and did not reflect current threshold levels. Staff turnover in the finance department resulted in new employees not receiving procurement training. |
| Corrective Action Steps | Specific, measurable actions the organization will take to resolve the finding and prevent recurrence | (1) Revise procurement policy to reflect current 2 CFR 200 thresholds. (2) Train all staff involved in purchasing. (3) Implement a procurement checklist for all purchases over $10,000. (4) Conduct quarterly internal procurement reviews. |
| Responsible Person | The name and title of the individual accountable for implementing the corrective action | Jane Smith, Chief Financial Officer |
| Completion Timeline | Specific dates (not vague timeframes) for each corrective action step | Policy revision: March 31, 2026. Staff training: April 30, 2026. Checklist implementation: May 15, 2026. First quarterly review: July 31, 2026. |
Writing the Management Response
The management response is the narrative section of the CAP where your organization formally addresses the finding. It is read by the cognizant or oversight federal agency, by pass-through entities, and by anyone who looks up your organization on the FAC — including reviewers of your future grant applications. The management response should be professional, specific, and demonstrate accountability.
Best practices for management responses:
- Agree when the finding is valid. If the auditor correctly identified a deficiency or noncompliance issue, concur with the finding. Disagreeing with a factually accurate finding damages your credibility with the federal agency and signals that your organization may not take the issue seriously.
- Disagree with documented basis. If you believe the finding is factually incorrect — for example, the auditor did not consider documentation that was provided, or the cited compliance requirement does not apply to your program — you may disagree. Provide specific evidence supporting your position. The cognizant agency will review both positions and make a determination.
- Partial agreement. You may agree with the condition described but disagree with the severity classification or the amount of questioned costs. Document the specific basis for your partial disagreement.
- Acknowledge the root cause. Federal agencies want to see that you understand why the issue occurred, not just that you are promising to fix it. A response that identifies staff turnover, outdated policies, or system limitations as contributing factors demonstrates analytical maturity.
- Describe actions already taken. If you have already begun corrective action (for example, if you updated a policy between year end and the draft audit report), describe the actions taken and the effective date. This demonstrates responsiveness and may influence how the federal agency treats the finding.
Federal Agency Review of Findings and CAPs
After the single audit reporting package is submitted to the FAC, the cognizant or oversight federal agency reviews the findings and your corrective action plans. The distinction between cognizant and oversight agency matters:
- Cognizant agency for audit. For entities expending more than $50 million in federal awards, the cognizant agency is the federal agency that provides the predominant amount of direct funding. The cognizant agency has responsibility for negotiating indirect cost rates and conducting or arranging for the audit.
- Oversight agency for audit. For entities expending less than $50 million, the oversight agency is the federal agency providing the predominant amount of direct funding. The oversight agency provides technical advice and reviews audit results but has a lighter touch than the cognizant agency.
The reviewing agency will assess whether your corrective action plan is adequate, request additional information if needed, and issue a management decision within six months of the FAC submission. The management decision documents the agency's conclusions on each finding and may include specific requirements for your organization — such as additional monitoring, conditions on awards, repayment schedules for questioned costs, or approval of your corrective actions.
For pass-through awards, the pass-through entity (typically a state agency) is responsible for follow-up on findings related to federal funds it distributed. Pass-through entities may impose additional requirements beyond what the federal agency mandates, including more frequent financial reporting, restricted drawdown schedules, or on-site monitoring visits. This is particularly relevant for organizations receiving CSBG or other block grant funds through state agencies.
Questioned Cost Resolution Process
Questioned costs are costs that the auditor identifies as potentially unallowable, unsupported by adequate documentation, or otherwise noncompliant with federal requirements. They are categorized as known questioned costs (specific costs identified by the auditor) or likely questioned costs (projected from sample testing to the population).
The resolution process for questioned costs follows these stages:
1. Auditor identification. The auditor reports questioned costs in the schedule of findings and questioned costs. The finding must identify the compliance requirement that was violated, the amount of known questioned costs, and the amount of likely questioned costs (if sampling was used).
2. Management response. In your corrective action plan, address the questioned costs directly. If you agree the costs are unallowable, acknowledge them and describe how you will prevent similar costs in the future. If you believe the costs are allowable, provide supporting documentation and your rationale.
3. Federal agency review. The cognizant or oversight agency (or pass-through entity for sub-awards) reviews the questioned costs and your response. They may request additional documentation, conduct their own analysis, or accept your response.
4. Management decision. The agency issues a management decision that either sustains the questioned costs (you must repay) or allows them. For sustained questioned costs, the agency will specify whether repayment must be in cash, can be offset against future drawdowns, or can be satisfied through adjustments to future budgets.
5. Appeal (if applicable). If you disagree with the management decision, most federal agencies have an appeal process. The specific procedures vary by agency. For HHS programs, the Departmental Appeals Board handles contested findings. Consult your legal counsel before initiating an appeal.
The threshold for reporting questioned costs in the single audit is $25,000. Findings with questioned costs below this amount are still reported if they involve material weakness or material noncompliance, but questioned costs below the threshold are not individually reported in the SF-SAC data collection form. This does not mean they are insignificant — they still represent compliance issues that require corrective action.
Impact on Future Funding and Monitoring
Audit findings have downstream consequences that extend well beyond the current audit cycle. Understanding these consequences should inform how seriously your organization treats the corrective action process.
Risk Profile and Low-Risk Auditee Status
Under 2 CFR 200.520, an entity qualifies as a low-risk auditee if it has been audited under the single audit requirements for the previous two years, received unmodified opinions on its financial statements and major program compliance, had no material weaknesses, and had no findings that the cognizant/oversight agency determined to be not corrected. Low-risk auditees benefit from reduced audit scope (the auditor can test as few as 20% of federal expenditures as major programs, compared to 40% for non-low-risk entities). Losing low-risk status means a more extensive (and expensive) audit.
A single material weakness finding disqualifies your organization from low-risk status for the current audit and potentially the following year. Rebuilding low-risk status requires two consecutive clean audits.
Impact on Grant Applications
Federal agencies routinely review FAC filings as part of pre-award risk assessments. Under 2 CFR 200.206, the federal awarding agency must review applicant risk before making an award, and audit history is one of the factors considered. Organizations with a pattern of findings, material weaknesses, or unresolved questioned costs may receive additional conditions on new awards, be required to submit more frequent financial reports, or — in severe cases — be deemed too high-risk to receive an award.
For FQHCs, audit findings can also affect HRSA's assessment during Operational Site Visits and Non-Competing Continuation reviews. HRSA monitors the FAC and may incorporate audit findings into its oversight activities for the Health Center Program independently of the single audit follow-up process.
Enhanced Monitoring and Special Conditions
Federal agencies and pass-through entities may impose enhanced monitoring in response to audit findings. This can include:
- More frequent financial reporting (monthly instead of quarterly)
- Restricted drawdowns (requiring prior approval for each draw request)
- On-site monitoring visits
- Requirements to submit corrective action progress reports
- Special conditions on the Notice of Award (e.g., requiring specific training, hiring, or system changes before funds can be expended)
Enhanced monitoring consumes significant staff time and diverts resources from program delivery. The administrative burden of responding to frequent reporting requirements and monitoring visits is an underappreciated cost of audit findings. Factor this into your organization's cost-benefit analysis when allocating resources to compliance infrastructure.
How Findings Affect Subsequent Audits
The auditor is required to follow up on prior-year findings as part of each subsequent single audit (2 CFR 200.511(b)). The follow-up involves:
- Summary schedule of prior audit findings. Your organization must prepare a summary schedule that reports the status of all findings from the prior audit. For each finding, indicate whether corrective action was taken and the finding is fully resolved, corrective action was taken and the finding is partially resolved, corrective action is planned but not yet implemented, or management disagrees with the finding.
- Auditor follow-up testing. The auditor will test whether the corrective actions described in your prior-year CAP have actually been implemented. If the auditor determines that the corrective action has not been implemented or is not effective, the finding will be reported again as a repeat finding.
- Repeat finding implications. Repeat findings carry escalated consequences. They signal that the organization has been unable or unwilling to address known deficiencies. Federal agencies treat repeat findings more seriously than first-time findings and may impose progressively more restrictive conditions. Programs with prior-year findings are also more likely to be classified as high risk for major program determination purposes, meaning they will be tested again in the subsequent audit.
Common CAP Mistakes
Federal agencies and auditors see the same corrective action plan failures repeatedly. Avoid these common mistakes to increase the likelihood that your CAP will be accepted and that the finding will be cleared in the subsequent audit:
| Mistake | Why It Fails | Better Approach |
|---|---|---|
| Vague corrective actions (“We will improve our procedures”) | Not testable — the auditor cannot verify implementation of a vague commitment | Specify exact actions: “Revise procurement policy to require three written quotes for purchases above $10,000” |
| No timeline or “immediately” | “Immediately” is not a date; it provides no benchmark for follow-up | Use specific dates: “Policy revision by March 31, 2026; staff training by April 30, 2026” |
| Wrong responsible party | Naming a junior staff member when the issue requires organizational policy change signals lack of leadership commitment | Name the person with authority to implement the change (CFO, Executive Director, Compliance Officer) |
| Addressing symptoms without root cause | Fixing the specific transaction without addressing the systemic issue guarantees a repeat finding | Identify the root cause (training gap, policy gap, system limitation) and address it directly |
| Disagreeing without evidence | Blanket disagreements without documentation undermine credibility | If you disagree, provide specific documentation and cite the applicable regulation supporting your position |
| Overpromising | Committing to actions your organization cannot realistically complete creates repeat findings when the auditor follows up | Set realistic timelines that account for budget approvals, hiring, and implementation; it is better to extend a timeline than to miss it |
Sample Corrective Action Plan Structure
The following structure illustrates how an effective corrective action plan addresses a single finding. Use this as a template, adapting the content to your specific finding:
| Section | Content |
|---|---|
| Finding Reference | Finding 2025-001: Allowable Costs — Inadequate Time and Effort Documentation (ALN 93.224, HRSA Health Center Program) |
| Finding Summary | The auditor identified that 4 of 15 sampled employees who split time between the HRSA 330 program and other funding sources did not have current time and effort certifications. Salary costs of $38,400 charged to ALN 93.224 for these employees are questioned. The condition represents a significant deficiency in internal controls over allowable costs and noncompliance with 2 CFR 200.430. |
| Management Response | Management concurs with the finding. The organization's time and effort certification process lapsed during Q3 when the HR coordinator who administered the process resigned. The vacancy was not filled for three months, during which time certifications were not distributed or collected. |
| Root Cause | The time and effort process was dependent on a single employee with no backup. The organization did not have an automated reminder system or written procedures that another employee could follow during the vacancy. |
| Corrective Actions | (1) Develop written time and effort procedures that can be executed by any trained finance staff member (complete by March 15, 2026). (2) Implement electronic time and effort tracking with automated reminders for certification deadlines (complete by April 30, 2026). (3) Cross-train at least two additional staff members on the time and effort process (complete by April 30, 2026). (4) Conduct monthly compliance checks to verify all certifications are current (ongoing, beginning May 2026). (5) Obtain retroactive certifications for the affected employees for the questioned period and submit to HRSA with supporting payroll documentation (complete by March 31, 2026). |
| Responsible Person | Maria Garcia, Chief Financial Officer |
| Anticipated Completion | All corrective actions completed by April 30, 2026, with ongoing monthly monitoring beginning May 2026. |
Notice how this sample addresses the specific finding, identifies a root cause beyond the immediate transaction, describes concrete and measurable steps, names a senior leader as the responsible party, and includes specific dates for each action. This level of specificity gives the federal agency confidence that the organization understands the issue and has a viable plan to resolve it.
Building a Compliance Culture That Prevents Findings
The most effective corrective action is preventing findings in the first place. Organizations with strong compliance cultures share several characteristics that consistently produce clean audits:
- Year-round compliance, not audit-season compliance. Organizations that maintain their documentation, controls, and processes continuously — rather than scrambling before audit fieldwork — consistently receive clean audits. Compliance is a daily practice, not an annual event.
- Internal monitoring. Conduct quarterly internal compliance reviews that mirror what the auditor will test. Sample your own procurement files, time and effort records, drawdown timing, and reporting submissions. Identify and fix issues before the auditor does.
- Staff training. Every employee who touches federal funds — from program staff who initiate purchases to finance staff who record transactions — should understand the basic compliance requirements that apply to their work. Annual training on allowable costs, procurement rules, and time and effort documentation prevents the most common findings.
- Board oversight. The board of directors should receive regular reports on compliance status, including the status of any prior-year findings, the results of internal monitoring, and the timeline for the upcoming audit. Board engagement in compliance demonstrates the “tone at the top” that auditors and federal agencies value.
- Documentation standards. Establish clear expectations for what documentation is required for every transaction type and where it is stored. A procurement file template, a grant file checklist, and a standardized time and effort process eliminate the documentation gaps that generate findings. For the regulatory framework underlying these requirements, see our 2 CFR 200 compliance guide.
Connecting Audit Results to Organizational Improvement
A single audit finding, while unwelcome, provides actionable intelligence about where your organization's compliance infrastructure is weakest. Treat each finding not as a failure but as a diagnostic tool. The corrective action planning process is an opportunity to strengthen your systems in ways that benefit the organization beyond the immediate audit requirement.
For example, a procurement finding that leads you to implement a procurement tracking system may also reduce costs by identifying duplicate purchasing, improving vendor management, and ensuring you consistently obtain competitive pricing. A time and effort finding that leads you to implement an electronic tracking system may also improve project management by providing better data on how staff time is allocated across programs.
The organizations that respond most effectively to audit findings are those that use the findings as a catalyst for systemic improvement, rather than treating the corrective action plan as a compliance exercise to be completed and forgotten. Build the corrective action into your organization's operational DNA, and the finding becomes a net positive for your compliance posture going forward.