Findings Are Tuition, Not Penalties
Three engagements into my career, I made my first significant finding. I walked into the closing meeting expecting a thank you. I got forty-five minutes of negotiation instead — because the COO and I were having two different conversations about what a finding even is.
Three engagements into my career, I made my first significant finding.
Procurement had a workflow gap. Approval limits were set in two systems, and the values didn't match. For about eight months, a specific class of purchase orders had been going through with the wrong approval ceiling. The total exposure was somewhere around four million dollars. No fraud, no loss — just a sloppy integration that no one had caught.
I was proud. I wrote it up carefully. I sat in the closing meeting expecting the COO to thank me.
What I got, instead, was forty-five minutes of the COO explaining why the finding was technically wrong, why our sample was unrepresentative, why our threshold was overly aggressive, and why, on balance, this wasn't really a finding at all. I left the room with the wording softened into mush, the rating downgraded from "moderate" to "low," and a quiet understanding from my engagement partner that we should pick our battles.
I assumed I had failed at audit politics.
What I had actually failed at was something deeper, and it took me ten years to name it. I had walked in expecting the finding to be a penalty — for the COO and his team — when the COO walked in expecting it to be tuition: a thing the organization had to pay to learn something about itself.
We were having two different conversations.
The problem with how findings are framed
Most audit teams, in most organizations I've worked with, talk about findings as if they are debt.
You can hear it in the language. We issue findings. We track them. We age them. We escalate them. The vocabulary is procedural and slightly punitive. The finding is a thing that exists because someone, somewhere, failed to do something they should have done. Now there's an open item, and it must be closed.
This vocabulary makes the relationship between audit and the business adversarial by default. Of course the COO pushed back. From his frame, my finding was a permanent black mark — three pages in next quarter's audit committee pack about something his team had gotten wrong. The cheapest move available to him was to negotiate the rating down. So that's what he did.
If I'd walked in with the same data and said, "Here's something this control set is paying you to learn — let's figure out what's worth changing," the conversation could have gone differently. Same finding, different relationship.
It took me a long time to realize the relationship is not a soft skill. It's the actual product.
The amplifying problem
When findings are framed as penalties, three predictable things happen.
First, management negotiates ratings instead of root causes. The energy that should go into understanding why the gap exists goes into arguing whether the gap matters. Two completely different conversations, and only one of them produces improvement.
Second, findings accumulate without compounding. A finding tracker with 600 open items is not an organization that's learning fast. It's an organization that's writing IOUs to itself, none of which will ever be paid in full. Each finding gets "closed" with a remediation that doesn't change the underlying conditions. Six months later, a similar finding shows up in a different process, and we write the IOU again.
Third, the audit function becomes structurally pessimistic. When the unit of output is a penalty, the path to looking productive is to issue more of them. Teams optimize for severity counts. The CAE starts each board meeting with a list of bad news. Over time, the function loses access to the strategic conversations — because no one wants to invite the bad-news department to the strategy offsite.
I've watched this dynamic kill three audit functions I admired. None of them got fired. They just got slowly excluded.
The reframe
Findings are tuition.
The organization is paying a small amount of pain — exposure, awkwardness, an open tracker item — in exchange for a piece of learning it didn't have before. The unit of value is not the finding itself. The unit of value is the capability the finding generates.
This reframe sounds like a semantic trick. It isn't. It changes what you measure, what you celebrate, and what you escalate.
When findings are tuition:
- A finding that produces no organizational learning is a failed finding — even if it's technically valid.
- A finding that produces a permanent capability change (a new control, a new design pattern, a new training arc) is a successful finding — even if the rating is "low."
- The tracker isn't a debt ledger. It's a learning ledger. The right question for each item isn't "is it closed?" but "what is the organization different at, now that this finding exists?"
The COO, in retrospect, would have agreed with this framing instantly. His mistake was assuming I wouldn't. My mistake was confirming his suspicion.
What this looks like operationally
Three moves that have worked, across many teams.
1. Pair every finding with a capability statement
When you write up an issue, add a one-sentence line: "After this finding closes, the organization will be able to do X that it cannot reliably do today." If you can't write that line, the finding has no learning embedded. It's a penalty.
2. Track capability acquisition, not just issue closure
A finding can be technically closed without the underlying capability being acquired. "We trained the team" is not a capability. "Our integration tests now block this gap before deployment" is. Modern issue trackers let you anchor a finding to both a remediation step and a permanent capability artifact (a control, a process change, a monitoring rule). If your tool only tracks the remediation, you'll close items without learning.
3. Celebrate findings that get reused
When a finding from procurement generates a control pattern that prevents a similar issue from arising in HR six months later — that's the moment internal audit earned its budget for the year. Most teams don't even notice this is happening. The ones that do start to see findings as compounding assets instead of unpaid bills.
One last thing
I went back, eight years later, to that same procurement workflow. The integration was clean. The thresholds matched. The control owner had built a small reconciliation job that ran every Friday. When I asked the new controller why, she pulled out a runbook her predecessor had written. The first line said:
"In 2017, we had an audit finding that taught us we don't trust our integration values. This is how we make that finding never need to be raised again."
The organization had paid tuition. It had learned something. The finding had compounded into capability.
The COO who fought me on it had become CFO. He invited me to coffee that week and apologized for the closing meeting. He said something I've thought about a lot since.
"We didn't know how to receive a finding. You didn't know how to give one. We both got better."
That's the work. That's the relationship. Findings are tuition.