Why So Many Audit Findings Repeat Year After Year


Recurring audit findings are a familiar challenge for most internal audit functions. Year after year, the audit is completed, the report is issued, and management commits to remediation. Yet, when the next audit begins, the same findings reemerge. Different year, same weakness, same conversation.

After twenty years in internal audit across private and public sector organizations, I have stopped being surprised by recurring findings. The IIA’s 2026 North American Pulse of Internal Audit, based on 373 responses from senior audit leaders, confirms the pressure: budget cuts rose from 11 to 19 percent between 2024 and 2025. In an environment where internal audit is being asked to do more with less, recurring findings are not just frustrating, they are a resource drain that compounds every year.

What still bothers me is that we keep treating recurring findings as individual control failures when the real problem is almost always sitting one level above. The enterprise governance framework that should prevent these weaknesses from taking root is often absent, outdated, or disconnected from how the business actually operates.

This article draws on patterns I have observed throughout my career and on conversations with colleagues across the internal audit profession about recurring audit findings. It examines repeat findings through three recurring root causes: control design flaws, cultural behaviors, and accountability gaps.

Root Cause – Accountability Gaps: When There Are No Consequences, Nothing Changes

One finding I have seen repeatedly across several organizations, and heard about from peers, in procurement and vendor management audits is work starting before a contract is signed. Management agrees it is a problem. They commit to fixing it. A year later the finding comes back. The reason is simple: starting work without a contract carries no real consequence. No one is disciplined. No payment is withheld. No escalation reaches the board. Business pressure to get work started always outweighs the process requirement to have a signed agreement first.

Contract renewal tracking is the other half of this problem. Contracts expire and work continues because no one owns the renewal process end to end. Procurement onboards the vendor and walks away. Legal drafts the agreement and files it. The business unit manages the day-to-day relationship with little visibility over contractual timelines. By the time internal audit finds it, the organization has been operating without contractual coverage for months.

Master data management, particularly vendor bank account updates and payment mode changes, sits in the same category. The 2026 AFP Payments Fraud and Control Survey, based on 465 corporate professionals, found that 76 percent of U.S. firms experienced payments fraud in 2025, with vendor impersonation and business email compromise among the most common methods. The control exists on paper. But weak segregation of duties and cursory verification mean the same person who receives a vendor bank change request often processes it. This is not just a control gap. It is a common entry point for fraud. The finding repeats because no one has felt the consequences directly.
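The vendor bank-change weakness described above is checkable in data, not only in interviews. The following is an added example, not code from the article or from any organization it mentions; the record layout, the field names, the call-back control and the sample rows are all assumptions constructed for this illustration. It reviews a batch of change requests for three things an auditor would look for: the same person requesting and processing the change, no independent approval, and a verification call-back that was skipped or made to contact details supplied with the request itself rather than taken from the existing vendor master record.

```python
"""Added example: segregation-of-duties and verification checks over a
constructed batch of vendor bank-account change requests. Not from the
article; the record layout and sample rows are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BankChangeRequest:
    request_id: str
    vendor_id: str
    requested_by: str     # user who logged the change request
    processed_by: str     # user who applied it to the vendor master
    approved_by: str      # independent approver, "" if none recorded
    callback_done: bool   # vendor was called back before processing
    callback_source: str  # "vendor_master" or "request_email" (assumed values)


def review_request(req: BankChangeRequest) -> List[str]:
    """Return the control exceptions for one request (empty list = clean)."""
    issues: List[str] = []
    if req.requested_by == req.processed_by:
        issues.append("SOD: same user requested and processed the change")
    if not req.approved_by:
        issues.append("no independent approval recorded")
    elif req.approved_by in (req.requested_by, req.processed_by):
        issues.append("SOD: approver is also the requester or processor")
    if not req.callback_done:
        issues.append("no call-back verification before processing")
    elif req.callback_source != "vendor_master":
        # Calling a number that arrived with the request verifies nothing:
        # an impersonator controls that number.
        issues.append("call-back used contact details supplied with the request")
    return issues


def review_batch(reqs: List[BankChangeRequest]) -> Dict[str, List[str]]:
    """Map request_id -> exceptions, omitting requests with none."""
    return {r.request_id: found for r in reqs if (found := review_request(r))}


# Constructed sample batch (not real data).
SAMPLE = [
    BankChangeRequest("R1", "V100", "a.lee", "b.khan", "c.diaz", True, "vendor_master"),
    BankChangeRequest("R2", "V101", "d.ng", "d.ng", "", False, ""),
    BankChangeRequest("R3", "V102", "e.ortiz", "f.wu", "e.ortiz", True, "request_email"),
    BankChangeRequest("R4", "V103", "g.patel", "h.sato", "i.roy", False, ""),
]

if __name__ == "__main__":
    for rid, found in review_batch(SAMPLE).items():
        print(rid, "->", "; ".join(found))
```

Run over the constructed batch, R1 passes, R2 fails every check, R3 has a second approver who is also the requester and a call-back to a number from the request, and R4 lacks only the call-back. The same logic can be pointed at an export of real change records to show management how often the control on paper is the control in practice.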

The remediation question is uncomfortable: what happens to the individual or team when this finding recurs? If the answer is nothing, expect to write it again next year.

Root Cause – Culture and Hierarchy: When Seniority Overrides Process

Change management is a clear example of culture driving recurring findings. Most organizations have a change-management framework. Most require adequate testing before changes go to production. And yet, across industries and sectors, a persistent finding is changes pushed through without adequate testing because management signed off on a business rationale.

The pattern is consistent. A deadline is approaching. A project is behind. Someone with sufficient authority decides the risk of delay outweighs the risk of skipping testing. They document a business rationale, get a peer sign-off, and the change goes through. When something breaks in production, the conversation quickly moves to fixing the problem rather than examining why the control was bypassed.

Internal audit can document this finding every year. Without a culture that holds senior decision-makers to the same standard as everyone else, documentation changes nothing. The real question is whether the audit committee is prepared to ask why the same bypass is happening repeatedly.

Segregation of duties (SOD) reviews follow a similar pattern. The reviews happen, but they are driven by internal audit cycles rather than business events. A review conducted annually might miss months of exposure created when someone changed roles in March. When a finding involves a senior team member, management’s response is often to note a compensating control rather than address the root cause.

Root Cause – Control Design: When the Control Is Built to Fail

Access control is a persistent design-flaw finding. A January 2026 CyberArk study of 500 practitioners in the United States found that only 1 percent of organizations have fully implemented just-in-time (JIT) privileged access. A full 91 percent report that at least half their privileged access is always-on. And 63 percent report employees bypass controls to move faster. This is not a technology failure. It is a governance weakness often treated as a technology problem.

In practice, access accumulates. Someone joins a project, gets elevated privileges for a specific task, and those privileges are never revoked when the task ends. Someone moves to a new role and their old access goes with them. Privileged access granted for short-term work sits unrevoked for months, sometimes years. Periodic access reviews conducted quarterly or annually are not fit for purpose in environments where roles continuously change. Continuous monitoring tools that flag anomalies in real time exist and are widely available. The finding keeps coming back in organizations that know these tools exist but have not committed to deploying them.
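The two passages above make a quantitative claim: a review tied to the audit calendar misses exposure created by a role change in March, and privileged grants that outlive their purpose accumulate between reviews. The following added example, not code from the article or from any tool it mentions, puts numbers on that. The grant records, review dates and "as of" date are constructed assumptions. It lists the grants still active past the date they were needed (what a continuous, event-driven check would flag immediately) and computes how many days each would sit undetected under a quarterly and an annual review cycle.

```python
"""Added example: exposure from stale privileged access under periodic vs
continuous review. Not from the article; all records and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class PrivilegedGrant:
    user: str
    role: str
    granted: date
    needed_until: date       # task end or role-change date from HR/project data
    revoked: Optional[date]  # None = still active


# Constructed review calendars and grants (not real data).
REVIEW_QUARTERLY = [date(2025, 3, 31), date(2025, 6, 30), date(2025, 9, 30), date(2025, 12, 31)]
REVIEW_ANNUAL = [date(2025, 12, 31)]
AS_OF = date(2025, 12, 1)

GRANTS = [
    # role changed in March, old admin access never removed
    PrivilegedGrant("a.lee", "db_admin", date(2025, 1, 10), date(2025, 3, 15), None),
    # short-term grant revoked the day after the task ended
    PrivilegedGrant("b.khan", "cloud_root", date(2025, 5, 1), date(2025, 5, 20), date(2025, 5, 21)),
    # project access left in place after the project closed
    PrivilegedGrant("c.diaz", "payments_release", date(2025, 7, 1), date(2025, 7, 31), None),
    # recent grant, already past its need date
    PrivilegedGrant("d.ng", "hr_admin", date(2025, 11, 1), date(2025, 11, 15), None),
]


def stale_grants(grants: List[PrivilegedGrant], as_of: date) -> List[PrivilegedGrant]:
    """Continuous check: every grant still active after it stopped being needed.
    This is what an event-driven feed (HR role change, project close, JIT expiry)
    would surface on the day it happened."""
    return [g for g in grants if g.revoked is None and g.needed_until < as_of]


def detection_lag_days(event: date, review_dates: List[date], as_of: date) -> int:
    """Days between the event and the first scheduled review that could catch it.
    If no review falls before as_of, the exposure is still open and runs to as_of."""
    for r in sorted(review_dates):
        if event <= r <= as_of:
            return (r - event).days
    return (as_of - event).days


def total_lag(grants: List[PrivilegedGrant], review_dates: List[date], as_of: date) -> int:
    """Sum of undetected stale days across all still-active grants for one review cycle."""
    return sum(detection_lag_days(g.needed_until, review_dates, as_of)
               for g in stale_grants(grants, as_of))


if __name__ == "__main__":
    for g in stale_grants(GRANTS, AS_OF):
        print(f"{g.user:8} {g.role:17} stale since {g.needed_until} "
              f"quarterly lag {detection_lag_days(g.needed_until, REVIEW_QUARTERLY, AS_OF):4}d "
              f"annual lag {detection_lag_days(g.needed_until, REVIEW_ANNUAL, AS_OF):4}d")
    print("total undetected days, quarterly:", total_lag(GRANTS, REVIEW_QUARTERLY, AS_OF))
    print("total undetected days, annual:   ", total_lag(GRANTS, REVIEW_ANNUAL, AS_OF))
```

On the constructed data the March role change sits undetected for 16 days under a quarterly cycle and 261 days under an annual one; across the three stale grants the totals are 93 and 400 days respectively, while the event-driven check flags each grant on the day its need date passes. The same calculation on an organization's own grant and review history turns "periodic reviews are not fit for purpose" from an opinion into a number the audit committee can act on.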

Vendor vetting sits in the same design-flaw category. Vendors are assessed at onboarding and rarely reassessed. Their circumstances change. Their subcontractors change. Their security posture changes. None of this is visible to the organization because no one has designed a process to look again. Vendor vetting is also frequently inconsistent across regions in the same company. Different standards, different rigor, no one enforcing a baseline.

SOC reports are requested, received, and filed. Exceptions are rarely followed up. Complementary user entity controls that the organization itself must implement are rarely reviewed. When asked why, the answer is almost always the same: this is a well-known provider, their reputation speaks for itself. Reputation is not a control.

Root Cause – Control Design and Accountability: Shadow AI and Vendor AI Risk

Shadow artificial intelligence (AI) is now a finding I have seen consistently across several organizations in technology-related audits. IBM’s 2025 Cost of a Data Breach Report found that 63 percent of organizations have no AI governance policies in place. IBM associates shadow AI incidents with an average cost uplift of approximately $670,000 per breach. Deloitte’s State of AI in the Enterprise 2026, based on a survey of 3,235 senior leaders across 24 countries, found that only one in five organizations has a mature governance model for autonomous agents. Adoption is accelerating but oversight is not keeping pace.

Employees across finance, HR, operations and customer service are using AI tools, some free and some embedded in platforms already in use, that IT has no inventory of and that governance teams have never assessed. The tools to monitor AI usage exist. Most organizations have not deployed them. AI governance policies exist in draft. They have not been approved, have no named owner, and have never been communicated to the business units actually making decisions about AI adoption.

The vendor AI risk dimension is equally significant. According to Cleary Gottlieb’s January 2026 analysis, 88 percent of businesses now use AI in at least one function. Many organizations continue to rely on traditional vendor risk management frameworks that were not designed for AI-specific risks.

As internal auditors are finding, existing SOC 2 reports and standard risk questionnaires often lack the specificity needed to assess how a vendor is actually using AI, what data it relies on, and whether adequate controls exist.

Platforms purchased three to five years ago now include AI decision-making that was never in the original contract. There are no clauses covering model transparency, data use, audit rights, or liability when an AI output is wrong. IBM’s 2025 Cost of a Data Breach Report found that supply chain and third-party vendor compromise was the second costliest attack vector at an average of $4.91 million per incident. Organizations may be carrying AI-related risks that were never contemplated in the original vendor agreement.

Root Cause – Broken Enterprise Governance Framework: The Governance Gap

What links all of these findings is something that sits above each individual control weakness. Enterprise policies are not being updated to reflect how the organization actually operates. Strategy documents for cybersecurity, cloud, and AI either do not exist or are so high-level that they provide no practical guidance. Where they do exist, they are not linked to corporate objectives or business priorities.

When policies are disconnected from strategy, and strategy is disconnected from operations, every control sits in a vacuum. The finding gets documented. Management agrees to remediate. But the remediation targets the symptom, not the system that generated it. Six months later the system generates the same symptom again.

The IIA’s Global Internal Audit Standards, effective January 2025, make this explicit. The new standards strongly emphasize outcomes and impact, not just findings. They call for enhanced communication between internal audit, the board, and executive management specifically around implementing remediation plans. The profession has set the expectation. Now it needs to be met.

What Actually Drives Remediation

In my experience, three things separate the organizations that close findings from those that cycle through them year after year.

The first is consequences. Not punishment for its own sake, but a clear and consistently applied link between control failures and outcomes for the individuals responsible. When the audit committee asks management to explain why a finding has recurred, and when that explanation is scrutinized rather than accepted, behavior changes.

The second is moving from periodic to continuous. Most of the design-flaw findings described above persist because the controls were designed for a slower, more stable environment. Access reviews, SOD monitoring, vendor assessments, and AI usage monitoring all benefit from real-time visibility. The tools exist. The decision to deploy them is a governance decision, not a technical one.

The third is connecting findings to business objectives. A finding described in technical terms gets a technical response. A finding framed in terms of business risk, regulatory exposure, or financial consequence gets heard differently. Internal audit’s job is not just to identify the weakness. It is to explain why the business should care about closing it permanently.

Moving on from Groundhog Day

Recurring findings are not evidence that internal audit is failing. They are evidence that something in the governance structure is not working. The audit report documents the symptom. The harder conversation, the one worth having with the audit committee, is about the system that keeps producing it.

I believe the greatest value internal audit can bring is not just identifying repeated findings but uncovering the deeper reasons they reappear and helping the organization implement lasting solutions. That keeps the focus on the purpose behind the audit.


Nirpendra Ajmera, CIA, CISA, CFE, CA(I), is a Chief Audit Executive at an Electrical Utility Company focused on modernizing audit, controls, and AI‑related risk oversight.

Editor’s Note: The views expressed in this article are solely the author’s own and do not represent, reflect, or purport to represent the views, policies, or positions of any current or former employer, client, or affiliated organization. No confidential, proprietary, or organization-specific information has been disclosed.
