# Findings

> Track gaps, non-conformities, and remediation across every framework, control, and audit in one unified view.

Findings is Matproof's unified view of every gap, non-conformity, vulnerability, and remediation item across your compliance program. Whether a finding originates from an internal audit, an external auditor, a penetration test, the device agent, a vendor questionnaire, or a manual entry — it ends up in one place with consistent structure and lifecycle.

## Why Findings Are Centralized

Compliance programs typically scatter gaps across spreadsheets, audit reports, ticket systems, and email threads. Matproof's Findings module replaces that with:

* **One status taxonomy** — open, in-progress, resolved, accepted-risk, closed-no-action — applied to all sources
* **One owner model** — every finding has an owner and (optionally) a due date
* **One remediation flow** — convert findings into corrective actions or tasks; track evidence on close-out
* **Cross-framework scope** — a single finding can be linked to multiple controls and frameworks at once

## Sources of Findings

| Source                    | Example                                                           |
| ------------------------- | ----------------------------------------------------------------- |
| **Internal audits**       | Auditor flags missing access review evidence on ISO 27001 A.5.15  |
| **External audits**       | SOC 2 audit firm raises a non-conformity on CC6.6                 |
| **Penetration tests**     | AI pen-test finds an exposed admin endpoint on a target URL       |
| **Device agent**          | A laptop reports FileVault disabled or a vulnerable installed app |
| **Vendor questionnaires** | A supplier's response indicates non-compliance with your DPA      |
| **Cloud tests**           | Automated cloud configuration check fails (e.g. S3 bucket public) |
| **Manual entry**          | Compliance team logs an issue surfaced in a meeting               |

## Finding Structure

Every finding carries:

* **Title and description** — what was found
* **Source** — origin module (audit, pentest, device agent, manual, etc.)
* **Severity** — informational / low / medium / high / critical
* **Status** — open / in-progress / resolved / accepted-risk / closed
* **Scope** — which controls, frameworks, requirements, vendors, or assets it relates to
* **Owner** — the person responsible for remediation
* **Due date** — when remediation is expected
* **Evidence** — attached documents or links proving remediation

## Lifecycle

<Steps>
  <Step title="Detection">
    A finding is created automatically (by an integration, scan, or audit module) or manually.
  </Step>

  <Step title="Triage">
    The compliance team reviews the finding, sets severity, assigns an owner, and links it to relevant controls and frameworks.
  </Step>

  <Step title="Remediation">
    The owner addresses the underlying issue and can optionally create a [corrective action](/features/audit-programs) for tracked, multi-step work.
  </Step>

  <Step title="Verification">
    The owner attaches evidence of remediation. The compliance team verifies it and closes the finding.
  </Step>

  <Step title="Audit trail">
    Closed findings remain in the system with full history, which is useful for the next audit cycle or for auditor questions.
  </Step>
</Steps>

## Finding Templates

For recurring finding types (e.g. "missing access review evidence", "expired security training"), Matproof ships **Finding Templates** so audit teams don't rewrite the same description and remediation steps every time. Templates pre-fill title, description, severity, and recommended remediation; the user fills in scope and owner.

You can also create your own finding templates for organization-specific patterns.

## Reporting

The Findings overview supports:

* Filtering by status, severity, source, owner, framework, control, or due date
* Aggregations by framework — instant view of how many open findings affect each framework
* Aggregations by owner — accountability dashboards
* Export to CSV / PDF for auditor handover

## Integrations

Findings tie into the rest of the platform:

* A finding linked to a control surfaces directly on that control's page
* A finding linked to a framework counts against that framework's compliance score
* Closing a finding can satisfy task completion (if the finding was raised against a task)
* A finding's remediation can be tracked as a [corrective action](/features/audit-programs) for ISO 9001 / ISO 27001 audit programs

## Getting Started

<CardGroup cols={2}>
  <Card title="Audit Management" href="/features/audit-programs">
    Internal audits and corrective actions
  </Card>

  <Card title="Penetration Tests" href="/features/penetration-tests">
    Auto-generate findings from pen-test reports
  </Card>

  <Card title="Device Agent" href="/features/device-agent">
    Endpoint findings from compliance checks
  </Card>

  <Card title="Vendor Management" href="/features/vendor-risk">
    Findings from supplier questionnaires
  </Card>
</CardGroup>
