Findings
Findings is Matproof’s unified view of every gap, non-conformity, vulnerability, and remediation item across your compliance program. Whether a finding originates from an internal audit, an external auditor, a penetration test, the device agent, a vendor questionnaire, or a manual entry — it ends up in one place with consistent structure and lifecycle.
Why Findings Are Centralized
Compliance programs typically scatter gaps across spreadsheets, audit reports, ticket systems, and email threads. Matproof’s Findings module solves that with:
- One status taxonomy — open, in-progress, resolved, accepted-risk, closed-no-action — applied to all sources
- One owner model — every finding has an owner and (optionally) a due date
- One remediation flow — convert findings into corrective actions or tasks; track evidence on close-out
- Cross-framework scope — a single finding can be linked to multiple controls and frameworks at once
Sources of Findings
| Source | Example |
|---|---|
| Internal audits | Auditor flags missing access review evidence on ISO 27001 A.5.15 |
| External audits | SOC 2 audit firm raises a non-conformity on CC6.6 |
| Penetration tests | AI pen-test finds an exposed admin endpoint on a target URL |
| Device agent | A laptop reports FileVault disabled or a vulnerable installed app |
| Vendor questionnaires | A supplier’s response indicates non-compliance with your DPA |
| Cloud tests | Automated cloud configuration check fails (e.g. S3 bucket public) |
| Manual entry | Compliance team logs an issue surfaced in a meeting |
Finding Structure
Every finding carries:
- Title and description — what was found
- Source — origin module (audit, pentest, device agent, manual, etc.)
- Severity — informational / low / medium / high / critical
- Status — open / in-progress / resolved / accepted-risk / closed
- Scope — which controls, frameworks, requirements, vendors, or assets it relates to
- Owner — the person responsible for remediation
- Due date — when remediation is expected
- Evidence — attached documents or links proving remediation
Lifecycle
Detection
A finding is created automatically (by an integration, scan, or audit module) or manually.
Triage
The compliance team reviews the finding, sets severity, assigns an owner, and links the finding to relevant controls and frameworks.
Remediation
The owner addresses the underlying issue and can optionally create a corrective action for tracked, multi-step work.
Verification
The owner attaches evidence of remediation. The compliance team verifies it and closes the finding.
Finding Templates
For recurring finding types (e.g. “missing access review evidence”, “expired security training”), Matproof ships Finding Templates so audit teams don’t rewrite the same description and remediation steps every time. Templates pre-fill title, description, severity, and recommended remediation; the user fills in scope and owner. You can also create your own finding templates for organization-specific patterns.
Reporting
The Findings overview supports:
- Filtering by status, severity, source, owner, framework, control, or due date
- Aggregations by framework — instant view of how many open findings affect each framework
- Aggregations by owner — accountability dashboards
- Export to CSV / PDF for auditor handover
Integrations
Findings tie into the rest of the platform:
- A finding linked to a control surfaces directly on that control’s page
- A finding linked to a framework counts against that framework’s compliance score
- Closing a finding can satisfy task completion (if the finding was raised against a task)
- A finding’s remediation can be tracked as a corrective action for ISO 9001 / ISO 27001 audit programs
Getting Started
- Audit Management: Internal audits and corrective actions
- Penetration Tests: Auto-generate findings from pen-test reports
- Device Agent: Endpoint findings from compliance checks
- Vendor Management: Findings from supplier questionnaires