Findings
A finding is a documented gap — something an assessment showed isn't fully in place. Findings are how you track what needs fixing and prove to an auditor that you're managing it.
Where findings come from
- Generated automatically when you complete an assessment: every question answered No or Partial becomes an open finding, carrying its risk level and the requirement it relates to.
- Created manually for gaps you discover outside an assessment (use **Create finding**).
A generated finding links back to its source assessment — open it to see the exact question and your answer.
Working a finding
- Risk level (critical → informational) drives prioritization.
- Status: open → in progress → resolved (or accepted as risk / false positive). Set a risk treatment (mitigate / accept / transfer / avoid) to record your decision.
- Assign a finding to a teammate; they're notified.
- Evidence: attach the artifacts that prove the gap is closed.
- Remediation tasks: break the fix into tracked tasks — see the Remediation tasks panel on the finding. Sherpa can draft them for you.
Tips
- Resolve a finding only when you have evidence the control is implemented and operating — that's what an auditor checks.
- The compliance score weights open findings heavily, so closing them is the fastest way to improve your posture.