Audit Remediation Process for Banks and Credit Unions

How banks and credit unions execute audit remediation - timelines, documentation standards, escalation paths, and how to close findings without repeats.

By Canarie Team

A finding without a disciplined remediation process behind it is just a promise to do better. Examiners don't grade on intent - they grade on execution. The difference between institutions that close findings cleanly and those that accumulate repeat MRAs comes down to one thing: whether audit remediation follows a structured, documented, evidence-backed process or depends on ad hoc effort from whoever has time. According to the OCC's Semiannual Risk Perspective, operational risk - including compliance management weaknesses - has remained a top supervisory concern since 2021, with repeat findings cited as a primary driver of formal enforcement actions.

This guide covers the execution of remediation itself - the methodology, timelines, documentation standards, and escalation paths that turn findings into closed items with proof. For guidance on building a tracking system and managing finding lifecycles, see our post on tracking compliance exam findings and remediation.

Key Takeaways:

  • Internal audit remediation and external exam remediation require different processes, timelines, and documentation
  • Every remediation action must produce dated, attributable evidence - assertions don't count
  • The audit remediation process has five phases: triage, planning, execution, validation, and closure
  • Timelines are not suggestions - missed deadlines escalate findings, and examiners track your own proposed dates against actual completion
  • Regulatory expectations for remediation documentation are codified in FFIEC guidance, OCC Bulletin 2014-52, and FDIC RMS Section 5.1

Internal Audit vs. External Exam Remediation

Not all findings are created equal. The remediation process for internal audit findings differs from external examination findings in urgency, documentation requirements, and oversight expectations.

Factor | Internal Audit Findings | External Exam Findings
Source | Institution's internal audit function | Regulatory examiners (OCC, FDIC, Fed, NCUA, state)
Formal classification | Varies by audit methodology (high/medium/low, or similar) | MRA, MRIA, violation, observation
Timeline pressure | Set by audit committee; typically 60-120 days | Proposed by institution, approved by examiner; MRIAs often 30-60 days
Oversight body | Audit committee of the board | Full board and/or designated committee, plus regulator
Evidence standard | Must satisfy internal audit re-testing | Must satisfy examiner verification at next exam
Escalation risk | Finding persists in next audit report | Repeat finding can trigger enforcement action
Regulatory visibility | Examiners review internal audit coverage and open findings | Directly examiner-generated and examiner-monitored

The distinction matters because institutions often apply the same informal process to both. External exam findings demand a higher documentation standard. Internal audit findings, however, deserve nearly the same rigor - examiners routinely review the internal audit function's follow-up process and will cite deficiencies if internal findings linger without documented remediation. The FFIEC Audit Handbook (Section A.4) explicitly states that examiners evaluate whether internal audit findings receive "timely and appropriate corrective action."


The Five Phases of Audit Remediation

A structured audit remediation process moves through five phases. Skipping or compressing any phase produces the documentation gaps that examiners flag at the next review.

Phase 1: Triage and Severity Assessment

Within 5 business days of receiving findings - whether from internal audit or the examination report - the compliance function should complete a severity triage. This isn't a deep analysis. It's a rapid classification that drives resource allocation and timeline commitments.

Triage criteria:

  • Severity rating: MRIA, MRA, violation of law, or observation. For internal audit findings, map to equivalent severity tiers.
  • Regulatory citation: What specific regulation, statute, or guidance is implicated? (e.g., 12 CFR § 1026.19(e), OCC Bulletin 2014-52)
  • Prior occurrence: Has a substantially similar finding appeared in a prior audit or exam? Repeat findings immediately escalate priority. The FDIC reported in its 2024 Risk Review that compliance-related enforcement actions increased 18% year-over-year, with repeat findings as a contributing factor in over 60% of formal actions against community banks.
  • Customer impact: Does the finding involve consumer harm, such as overcharges, missed disclosures, or privacy breaches?
  • Systemic scope: Is this isolated to one process or symptomatic of a broader control failure?

Triage output is a one-page finding assessment that assigns an owner, a preliminary timeline, and a severity classification. This document becomes the first artifact in the remediation file.

Phase 2: Remediation Planning

This is where you commit to specifics. The remediation plan is not a restatement of the finding - it's an engineering document that describes exactly what will change, who will change it, by when, and how you'll prove it worked.

Required elements of a remediation plan:

  • Root cause statement - The actual cause, not the symptom. "Staff error" is not a root cause. "The monthly SCRA review procedure does not include a verification step against the LOS system, creating a manual gap" is a root cause.
  • Corrective actions with milestones - Break multi-step remediations into discrete actions. Each action gets its own owner, deadline, and evidence requirement.
  • Interim controls - If the permanent fix takes 90+ days, what interim control prevents the issue from recurring during the remediation period?
  • Resource requirements - Staff time, vendor engagement, system changes, or budget. If the remediation requires board approval for spending, that approval becomes a milestone.
  • Success criteria - Define what "fixed" looks like in measurable terms before you start. "Improved process" is not a success criterion. "Zero disclosure timing exceptions in a 30-day post-implementation sample of 50 transactions" is.

For external exam findings, submit the remediation plan to your primary regulator within the timeframe specified in the examination report or transmittal letter. Under OCC Bulletin 2014-52, national banks must provide written corrective action plans for MRAs and MRIAs. The FDIC expects a similar response, typically within 45 days of report receipt.

Phase 3: Execution

Execution is where most remediation efforts lose discipline. The plan exists. The deadlines are set. Then competing priorities erode the schedule, owners change roles, and evidence isn't captured as actions complete.

Execution discipline requires three things:

Milestone tracking with escalation. Each corrective action milestone has a deadline. Seven days before a deadline, the responsible owner confirms status. If a milestone will be missed, the owner documents the reason and proposes a revised date before the deadline passes - not after. Overdue milestones escalate to the compliance officer and audit committee automatically.

Real-time evidence capture. Every completed action produces evidence at the time of completion. Updated policy? Attach the approved version with the approval date and approver name. System reconfigured? Attach the change management ticket with before/after configuration screenshots. Staff trained? Attach the training completion report with content summary, date, and attendee list.

Evidence captured weeks after the fact loses credibility. Examiners look at timestamps. A policy "approved" on the date it was needed for the remediation file, rather than through a normal approval cycle, raises questions.

Owner accountability. Named individuals own each milestone - not "the compliance department." When an owner leaves or changes roles, reassignment is documented and the new owner acknowledges the deadline and evidence requirements.

Scenario: A $2.1 billion community bank receives an MRA from OCC examiners citing deficiencies in its CDD/beneficial ownership verification process. The corrective action plan includes four milestones: (1) revise the CDD policy to align with the 2018 Beneficial Ownership Rule, (2) reconfigure the onboarding system to enforce verification at account opening, (3) retrain frontline staff, and (4) conduct a 60-day lookback on accounts opened during the deficiency period. Milestone 2 requires vendor involvement and takes longer than expected. Rather than silently missing the deadline, the BSA officer notifies the OCC examiner-in-charge 10 days before the original target date, provides documentation of the vendor's revised timeline, and proposes an interim manual verification control effective immediately. The OCC accepts the revised timeline. The bank closes the finding in 140 days instead of the original 90 - but because every step was documented and communicated, the finding does not recur.

Phase 4: Validation Testing

A corrective action isn't complete when you implement it. It's complete when you test it and prove it works. Validation testing is the phase that separates institutions that close findings permanently from those that generate repeats. An FFIEC examination study found that institutions with documented validation testing reduced repeat finding rates by approximately 40% compared to those that treated implementation as closure.

Validation requires three elements:

  • Independent testing - The person who validates the fix should not be the person who implemented it. For internal audit findings, the internal audit function itself performs validation testing. For external exam findings, compliance or internal audit tests the fix. Under the FFIEC Internal Audit Handbook, the audit function should "verify that corrective actions have been implemented and are effective."
  • Post-implementation sampling - Pull a sample of transactions, activities, or records generated after the corrective action was implemented. Apply the same test criteria the original finding was based on. Document sample size, selection methodology, and results.
  • Documented test results - The validation report includes: what was tested, how it was tested, the sample, the results, and the conclusion (pass or fail). If the test fails, the remediation returns to Phase 3. This loops back - it doesn't skip to closure.


Phase 5: Closure and Monitoring

Closure is a formal act, not an informal consensus. A finding is closed when:

  1. All corrective actions are implemented with dated evidence
  2. Validation testing confirms the fix is effective
  3. A monitoring plan is documented for ongoing detection of recurrence
  4. The closure is reported to the board or designated committee
  5. For external findings, the remediation package is assembled for examiner review
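The Phase 3 escalation rule (owner confirms status seven days before a deadline; overdue milestones escalate) and the five closure criteria above are simple enough to enforce mechanically. The tracker below is an added example, not Canarie's code or any regulator's tooling: the data model, field names, the constructed CDD-scenario sample finding, and the rule that evidence dated after a milestone's completion date counts as retroactive are all assumptions made for illustration.

```python
"""Remediation milestone tracker: Phase 3 escalation rules and the Phase 5
closure gate. Added example, not Canarie's code; the data model, the field
names and the constructed sample finding are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

CONFIRM_WINDOW_DAYS = 7  # owner confirms status seven days before a deadline


@dataclass
class Evidence:
    description: str
    captured_on: date      # dated
    attributed_to: str     # attributable to a named approver or author


@dataclass
class Milestone:
    name: str
    owner: str             # a named individual, never "the compliance department"
    deadline: date
    completed_on: date | None = None
    evidence: list[Evidence] = field(default_factory=list)


@dataclass
class Finding:
    finding_id: str
    external: bool                         # examiner-issued vs internal audit
    milestones: list[Milestone]
    validation_passed: bool | None = None  # None: validation testing not yet run
    monitoring_plan: str | None = None
    reported_to_board: bool = False
    package_assembled: bool = False


def milestone_status(m: Milestone, today: date) -> str:
    """complete / overdue / confirm_status (inside the 7-day window) / on_track."""
    if m.completed_on is not None:
        return "complete"
    if today > m.deadline:
        return "overdue"
    if today >= m.deadline - timedelta(days=CONFIRM_WINDOW_DAYS):
        return "confirm_status"
    return "on_track"


def escalations(f: Finding, today: date) -> list[str]:
    """Milestones that escalate to the compliance officer and audit committee."""
    return [m.name for m in f.milestones if milestone_status(m, today) == "overdue"]


def evidence_complete(m: Milestone) -> bool:
    """Dated, attributed evidence captured no later than the completion date.
    Evidence dated after completion is treated as retroactive (assumed rule)."""
    if m.completed_on is None or not m.evidence:
        return False
    return all(e.attributed_to and e.captured_on <= m.completed_on for e in m.evidence)


def closure_blockers(f: Finding) -> list[str]:
    """Empty list means all five closure criteria are met."""
    blockers = []
    for m in f.milestones:
        if not evidence_complete(m):
            blockers.append(f"milestone '{m.name}' lacks dated, attributed evidence")
    if f.validation_passed is None:
        blockers.append("validation testing not performed")
    elif not f.validation_passed:
        blockers.append("validation failed: return to Phase 3")
    if not f.monitoring_plan:
        blockers.append("no monitoring plan documented")
    if not f.reported_to_board:
        blockers.append("closure not reported to board or designated committee")
    if f.external and not f.package_assembled:
        blockers.append("examiner remediation package not assembled")
    return blockers


# Constructed sample modelled on the CDD scenario: milestone 2 has slipped
# past its deadline and milestone 3 was completed without attaching evidence.
SAMPLE = Finding(
    finding_id="MRA-EXAMPLE-1",  # placeholder identifier
    external=True,
    milestones=[
        Milestone("Revise CDD policy", "J. Doe", date(2025, 3, 31),
                  completed_on=date(2025, 3, 20),
                  evidence=[Evidence("Policy v4 approved", date(2025, 3, 20), "Board")]),
        Milestone("Reconfigure onboarding system", "A. Lee", date(2025, 4, 30)),
        Milestone("Retrain frontline staff", "M. Chan", date(2025, 5, 15),
                  completed_on=date(2025, 5, 10)),
    ],
    monitoring_plan="Quarterly sample of 50 new accounts",
)

if __name__ == "__main__":
    today = date(2025, 5, 12)
    for m in SAMPLE.milestones:
        print(f"{m.name}: {milestone_status(m, today)}")
    print("escalate:", escalations(SAMPLE, today))
    print("closure blockers:", closure_blockers(SAMPLE))
```

Run as a script it lists each milestone's status on the constructed date, the milestones that escalate, and every reason the finding cannot yet be closed; a finding with an empty blocker list is the only one the tracker would let through the closure gate.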

The monitoring plan defines what you'll watch, how often, and who reviews it. For a finding related to BSA transaction monitoring, monitoring might mean a quarterly sample review of alert dispositions. For a finding related to disclosure timing, monitoring might mean a monthly exception report from the LOS.

Document the monitoring plan as part of the closure package. At the next exam, when an examiner asks "How do you know this hasn't recurred?", you hand them the monitoring results - not an explanation of what you intend to do.


Audit Remediation Timelines by Finding Type

Proposed timelines must be realistic. Proposing 30 days for a finding that requires a system change and vendor involvement sets you up to miss your own deadline - which examiners treat as a management weakness.

Finding Type | Typical Remediation Timeline | Key Consideration
MRIA | 30-60 days | Requires immediate interim control; permanent fix may take longer with documented justification
MRA (process/procedure) | 60-90 days | Policy revision, retraining, and validation within one quarter
MRA (system/technology) | 90-180 days | Vendor timelines, testing environments, and change management add time
Violation of law | 30-90 days | Consumer restitution or disclosure correction may have separate regulatory deadlines
Internal audit (high) | 60-90 days | Audit committee expects progress reporting within first 30 days
Internal audit (medium) | 90-120 days | Lower urgency but still requires documented plan and evidence
Observation/recommendation | Next audit cycle | Lower priority, but unaddressed observations may become findings

These timelines assume a single-phase remediation. Complex findings with multiple corrective actions may extend timelines with documented justification. The key principle: propose a timeline you can meet, then meet it.


Documentation Standards for Regulatory Audit Remediation

Examiners at the OCC, FDIC, and NCUA apply consistent documentation expectations to regulatory audit remediation. Meeting these standards is the difference between a finding marked "resolved" and one that generates a follow-up comment.

Every remediation file should contain:

  • Original finding (verbatim from the audit or exam report)
  • Finding severity classification
  • Regulatory or policy citation
  • Root cause analysis with supporting evidence
  • Approved corrective action plan with milestones, owners, and deadlines
  • Evidence of completion for each milestone (dated, attributed, and timestamped)
  • Interim control documentation (if applicable)
  • Validation test report
  • Monitoring plan with defined frequency, metrics, and responsible party
  • Board or committee reporting records showing oversight of remediation progress
  • Closure approval by the compliance officer or designated authority

Maintain this file as a single remediation package. When examiners review prior findings - which they do at every exam - you hand them the package. They don't request documents piecemeal. You don't scramble. This is the standard that strong exam preparation programs maintain year-round.


Common Audit Remediation Failures

Repeat findings don't happen because institutions ignore problems. They happen because the remediation process broke down at a specific point. These are the patterns examiners see most often:

Symptom-level root cause analysis. The corrective action addresses what went wrong, not why. The finding recurs because the actual cause was never fixed. If "staff didn't follow the procedure" is your root cause, ask one more question: why didn't they follow it?

Evidence captured retroactively. Documents created specifically for the remediation file - after the fact, with convenient dates - look like what they are. Examiners compare timestamps to workflow dates. Evidence should be generated as a natural byproduct of completing the corrective action.

Validation skipped. The fix was implemented, but no one tested whether it works. The institution marks the finding "closed." The examiner pulls a sample and the issue is still present. Now it's a repeat finding. The OCC has noted in its Annual Report that approximately one-third of MRAs issued to community and midsize banks in recent exam cycles were repeat findings from prior examinations.

Interim controls omitted. A 120-day remediation with no interim control means the issue persists unchecked for four months. Examiners expect documented interim measures for any remediation exceeding 60 days.

Timeline drift without communication. A missed deadline that was proactively communicated with a revised plan and interim control is manageable. A missed deadline discovered by the examiner at the next review is a management failure. Know what happens during a bank examination so you understand how examiners verify timeline compliance.


How to Structure Audit Remediation for Exam Readiness

The audit remediation process is only as good as the system supporting it. Institutions that execute remediation well share a common trait: remediation actions are managed with the same rigor as ongoing compliance obligations - assigned owners, enforced deadlines, evidence captured at completion, and escalation built in for overdue items.

Canarie treats every finding - internal or external - as a workflow with phases, evidence gates, and board reporting triggers. Corrective action milestones have owners and deadlines. Validation testing is a required gate before closure. When the next exam arrives, the remediation package is already assembled because the evidence was captured when the work happened, not reconstructed from memory.



Frequently Asked Questions

What is the difference between audit remediation and compliance remediation?

Audit remediation addresses findings from internal or external audits - specific deficiencies identified through testing and examination. Compliance remediation is broader, covering any corrective action taken to align with regulatory requirements, whether triggered by an audit finding, a self-identified gap, or a regulatory change. In practice, audit remediation is a subset of compliance remediation, and both require the same documentation discipline.

How do you prioritize multiple audit findings for remediation?

Prioritize by severity and customer impact. MRIAs and violations come first, followed by MRAs, then observations. Within each tier, prioritize findings with customer harm implications, repeat findings from prior exams, and findings with near-term deadlines. Assign each finding to a specific owner immediately - unassigned findings don't get remediated.

Should internal audit validate its own finding remediations?

Yes. The FFIEC Internal Audit Handbook expects the internal audit function to verify that corrective actions for its findings are implemented and effective. This is distinct from the first-line compliance function's role in executing the corrective action. Internal audit tests independently - using its own methodology and sampling - to confirm the fix works.

What happens if an institution misses a remediation deadline for an MRA?

The consequences depend on the regulator and the circumstances. If the institution proactively communicated the delay with a revised timeline and interim controls, examiners generally accept the extension. If the deadline was simply missed and discovered at the next exam, the finding often escalates in severity. Repeated missed deadlines contribute to the supervisory assessment that may lead to enforcement action under OCC PPM 5000-7 or the FDIC's Statement of Policy on Enforcement Actions.

How long should remediation monitoring continue after closure?

At minimum, through the next audit or examination cycle. For high-severity findings, many institutions monitor for 12 months post-closure. The monitoring period should be long enough to capture a representative sample of the activity in question. A finding related to quarterly reporting, for example, needs at least two quarterly cycles of monitoring to confirm the fix holds.

