6.3 — Findings Classification and Reporting
Findings classification ensures that the most critical issues receive immediate attention while providing a structured framework for remediation planning.
| Severity | Description | Required Action Timeline |
|---|---|---|
| Critical | Immediate risk to individuals or regulatory non-compliance | Immediate action required |
| High | Significant control weakness or material gap | Action within 30 days |
| Medium | Control improvement needed, moderate risk | Action within 90 days |
| Low | Best practice recommendation, advisory | No mandatory timeline |
Each finding should document five elements:

- **Criteria** — what was expected: the standard, requirement, or control that should be in place.
- **Condition** — what was actually found: the factual observation made during the audit.
- **Cause** — why the gap exists: root cause analysis of the deficiency.
- **Consequence** — what the risk or impact is: the potential harm if the gap is not addressed.
- **Recommendation** — what should be done: specific, actionable remediation steps.
Example finding:

- **Criteria:** ISO 42001 requires AI impact assessments before deployment.
- **Condition:** The credit scoring model was deployed without an impact assessment.
- **Cause:** No formal pre-deployment review process exists.
- **Consequence:** Potential unfair treatment of loan applicants; regulatory non-compliance.
- **Recommendation:** Implement a mandatory pre-deployment impact assessment gate with documented approval.
The audit report must be accessible to non-technical executives. Recommended structure:

1. Executive summary
2. Scope and methodology
3. System description
4. Findings by severity
5. Management response (accept, partially accept, or reject each finding, with action plan, responsible party, and target date)
6. Appendices with detailed test results