Lesson 22 of 25
Writing Findings and Rating Issues (Severity × Likelihood)
5 min read · CAMS-Audit
Structure a finding (condition, criteria, cause, effect, recommendation), rate it low/medium/high by severity and likelihood, and judge materiality individually and in aggregate so systemic patterns surface.
Anatomy of a finding
- Condition — what is (the problem observed)
- Criteria — what should be (the standard)
- Cause — why it happened (root cause)
- Effect — the impact, and the recommendation
A well-written finding has a standard anatomy, and the exam expects you to know it. The condition is what is, the problem you actually observed. The criteria is what should be, the regulation, policy, or standard the condition falls short of.
The cause is why it happened, the root cause we just covered. The effect is the impact, what could go wrong because of the gap, and it's paired with a recommendation for fixing it. Together these are sometimes called the elements of a finding: condition, criteria, cause, effect.
A finding missing its criteria is just an opinion; a finding missing its effect can't be prioritized. The full anatomy is what makes a finding credible and actionable.
Rating the issue: severity and likelihood
- Risk = severity of impact × likelihood of occurrence
- Low / medium / high ratings drive priority
- High-risk findings demand urgent remediation
- Rate the risk, not how loud the auditee complains
Every finding gets a risk rating, and the ACAMS program is explicit that auditors determine the risk level of findings, typically low, medium, or high. The rating combines two dimensions: the severity of the impact if the issue is realized, and the likelihood that it occurs. A control gap that's almost certain to be exploited and would cause major regulatory and financial harm rates high; a minor documentation lapse that's unlikely to cause real damage rates low.
The rating drives priority and remediation urgency, so it has real consequences. Rate the risk on its merits, the facts and the impact, not on how loudly the auditee pushes back. Inflating or deflating a rating to manage relationships corrupts the whole purpose.
Material vs. immaterial findings
- Material — could meaningfully affect the program or its assessment
- Immaterial — minor, limited consequence
- Aggregate small findings — a pattern can be material
- Don't bury a material issue among trivia
The program also asks you to distinguish material from immaterial findings. A material finding is one significant enough to meaningfully affect the AML program or a reasonable assessment of it, the kind a regulator or the board needs to know. An immaterial finding is minor, with limited consequence.
But here's the nuance the exam tests: aggregation. Several small findings that individually look immaterial can together reveal a material, systemic weakness: ten files each missing one element might signal a broken onboarding process. So you evaluate findings both individually and in aggregate.
And never bury a material issue in a long list of trivia where it gets lost; materiality should drive what surfaces to senior leaders.
Writing findings that drive action
- Objective, fact-based, supported by evidence
- Specific and clear — name the gap precisely
- Recommend the 'what,' let management own the 'how'
- Tie the finding to risk, not to blame
How you write the finding determines whether it gets fixed. Keep it objective and fact-based, every assertion supported by the evidence in your workpapers, because a finding that overreaches its evidence gets dismissed. Be specific: name the gap precisely rather than gesturing at a vague concern.
Recommend what needs to change, the outcome required, while generally leaving the detailed how to management, who own the operations and the remediation plan. And frame the finding around risk and impact, not blame, because the goal is a stronger program, not a culprit. A finding that's specific, evidenced, risk-rated, and constructively phrased is one management can act on; a vague, accusatory one just starts an argument.
Prioritization and consistency
- A rating scale applied consistently across the function
- Calibrate so ratings mean the same thing to everyone
- Sequence remediation by risk, not by who shouts loudest
- Aggregate ratings into an overall opinion on the area
Ratings only work if they're consistent, so the audit function needs a defined rating scale applied the same way by every auditor, with clear criteria for what makes an issue low, medium, or high. Calibration matters: two auditors looking at the same facts should land on the same rating, which is why mature functions hold rating discussions and document the thresholds. Consistency also drives prioritization.
Remediation effort should be sequenced by risk, the high-risk findings fixed first, rather than by which business unit complains loudest or which fix is easiest. And individual ratings roll up into an overall opinion on the area audited, so the board can see at a glance whether the transaction-monitoring program, say, is satisfactory, needs improvement, or is unsatisfactory. That overall conclusion has to be supported by the underlying findings; a clean overall opinion sitting on top of several high-risk findings is internally inconsistent, and the exam may hand you exactly that mismatch and ask what's wrong.
Consistent, calibrated ratings are what make the whole reporting system trustworthy.
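As an added example (not code from the lesson or from ACAMS), here is a small Python model of the rating, aggregation and roll-up checks described above: the finding anatomy check, severity × likelihood rating, aggregation of low-rated findings by root cause, and the overall-opinion consistency test. The 1-3 scoring thresholds, the aggregation threshold of three, and the opinion rules are assumptions chosen for illustration, not a prescribed scale.

```python
from collections import Counter
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed 1-3 scale for both dimensions

@dataclass
class Finding:
    condition: str
    criteria: str
    cause: str
    effect: str
    recommendation: str
    severity: str = "low"     # impact if the issue is realized
    likelihood: str = "low"   # chance that it occurs

def missing_elements(f: Finding) -> list:
    """Anatomy elements left blank: a finding without criteria is only an opinion."""
    names = ("condition", "criteria", "cause", "effect", "recommendation")
    return [n for n in names if not getattr(f, n).strip()]

def rate(f: Finding) -> str:
    """Risk = severity x likelihood on the 1-3 scale; the cut-offs are assumptions."""
    score = LEVELS[f.severity] * LEVELS[f.likelihood]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def systemic_causes(findings: list, threshold: int = 3) -> list:
    """Aggregate: low-rated findings sharing one root cause `threshold`+ times are material."""
    by_cause = Counter(f.cause for f in findings if rate(f) == "low")
    return sorted(c for c, n in by_cause.items() if n >= threshold)

def overall_opinion(findings: list) -> str:
    """Roll-up (assumed rule): any high -> unsatisfactory; medium or systemic -> needs improvement."""
    ratings = {rate(f) for f in findings}
    if "high" in ratings:
        return "unsatisfactory"
    if "medium" in ratings or systemic_causes(findings):
        return "needs improvement"
    return "satisfactory"

def opinion_is_consistent(opinion: str, findings: list) -> bool:
    """A 'satisfactory' opinion sitting on top of any high-risk finding is inconsistent."""
    return not (opinion == "satisfactory" and any(rate(f) == "high" for f in findings))

# Constructed sample: ten onboarding files, each missing one CDD element (assumed data).
ONBOARDING = [
    Finding(f"File {i} missing occupation", "CDD policy s.4", "onboarding checklist not enforced",
            "incomplete customer risk profile", "enforce checklist in workflow", "low", "medium")
    for i in range(1, 11)
]
```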
Recap and next
- Finding = condition, criteria, cause, effect, recommendation
- Rate risk by severity × likelihood; low/medium/high
- Judge materiality individually and in aggregate
- Next — reporting to management and the board
Recapping: a finding has a clear anatomy, condition, criteria, cause, effect, and recommendation, and each finding gets a risk rating that combines severity and likelihood into low, medium, or high. Judge materiality both individually and in aggregate, since small findings can sum to a systemic problem, and write findings that are objective, evidenced, specific, and risk-framed so they drive action. Next, we take these findings up the chain: reporting to management and the board or audit committee, including how to handle the management response.
Sources
- IIA International Professional Practices Framework — communicating engagement results and the elements of a finding
- FFIEC BSA/AML Examination Manual — corrective action and issue significance
- ACAMS Advanced CAMS-Audit (risk levels of findings)
Test your knowledge
A few CAMS-Audit questions on this material.
Q1. An audit report on the transaction-monitoring system contains three high-risk findings, seven medium-risk findings, and nine low-risk findings, all presented in equal detail without any executive summary. What quality criterion has likely been violated?
Q2. An audit team assigned to validate a statistical transaction-monitoring model does not include anyone with a quantitative background. The team concludes the model is sound. What quality risk does this create?
Q3. An institution's wire-transfer system sends an automated alert when a payment is destined for a high-risk jurisdiction. The alert is reviewed and cleared by the same analyst who initiated the wire. What control weakness does this represent?
Q4. A high-risk legal-entity customer's beneficial ownership changed materially six months ago — a new controlling shareholder was added who is a PEP. The institution has not updated the customer's risk rating or file. What is the most precise finding?