State auditors issue findings. Agencies write corrective action plans. Years later, the same findings reappear. We examined why the CAP process breaks down and what structural changes could make compliance follow-through more effective.
The Recurring Finding Problem
One of the most frustrating patterns in state-level audit oversight is the recurring finding. An auditor identifies a control weakness, the agency submits a corrective action plan (CAP), and two or three years later the same or a closely related finding appears in a subsequent audit.
This isn't a rare phenomenon. Across the five states we monitor, approximately 30% of significant findings in a given audit cycle are substantively similar to findings from the prior cycle. The agencies aren't ignoring the problem. They're failing to fully implement the corrective actions they committed to.
Root Causes
Three structural factors explain most CAP failures:
Corrective actions are too vague. A common CAP response to an invoice overpayment finding reads: "The agency will implement additional controls to ensure invoices are properly reviewed before payment." This is an intention, not a plan. It doesn't specify what controls, who is responsible, what timeline, or how success will be measured. Auditors frequently note that CAPs lack sufficient specificity, but agencies often lack the expertise or bandwidth to develop detailed implementation plans.
Ownership is diffuse. A procurement finding may implicate the finance office (which processes payments), the program office (which manages the contract), and the procurement office (which awarded it). When the CAP doesn't assign specific actions to specific individuals with clear deadlines, everyone assumes someone else is handling it. Twelve months later, nobody has.
No intermediate verification. The typical cadence is: finding issued, CAP submitted, next audit cycle (18-24 months later) checks whether corrective actions were implemented. There is no systematic mechanism for intermediate verification. By the time anyone checks, the staff who wrote the CAP may have turned over, the institutional memory of what was supposed to change has faded, and the agency is essentially starting from scratch.
What Works
The agencies that successfully resolve findings share common characteristics:
They write CAPs with **specific, measurable actions and deadlines.** Instead of "implement additional controls," they specify: "By March 1, the contract management team will implement a three-way match requirement for all invoices over $10,000, verified by the accounts payable supervisor before payment release."
They assign **a single named individual** as the CAP owner for each finding, with quarterly reporting to agency leadership on implementation status.
They conduct **interim self-assessments** at the 6-month and 12-month marks, using the same criteria the auditor will apply. Agencies that do this catch implementation gaps early enough to correct course.
The Technology Dimension
Contract management systems and compliance platforms can support better CAP execution in two ways. First, by encoding the specific checks that triggered the finding into automated workflows. If the finding was about rate discrepancies, the system can be configured to automatically verify invoice rates against the current contract amendment schedule. The check that the auditor performed manually becomes a standing automated control.
Second, by providing the intermediate monitoring that the audit cycle doesn't. Dashboard visibility into which CAP items are on track, which are overdue, and which contract categories still show the patterns that triggered the original finding gives leadership the information to intervene before the next audit cycle.
Implications
For agencies responding to audit findings, the message is: specificity in your corrective action plan is the single highest-leverage investment you can make. A well-written CAP with clear owners and measurable milestones dramatically increases the probability that the finding won't recur.
For the broader ecosystem - auditors, oversight bodies, and technology providers - the message is that the gap between finding and resolution is where the most value is left on the table. Tools and processes that support CAP execution, not just CAP writing, are where the next generation of compliance improvement will come from.