The Department of Defense (DoD) has been under some level of financial statement audit for the last several years. The majority of information technology (IT) Notification of Findings and Recommendations (NFRs) are coming from areas that could have been detected and corrected during the Risk Management Framework (RMF) process. As a result, auditors are finding significant control deficiencies and material weaknesses for systems authorized under RMF. With the scope of the audit expanded to full financial statements, additional IT systems will be audited leading to more findings. RMF can be used as a tool to enforce compliance with audit requirements and decrease the volume of IT NFRs.