It depends upon the circumstances.
1) If a prior audit report contains a recommendation and management commits to implement corrective action, and management fails to do so, I would include the finding in the current audit report as a repeat criticism. If, subsequent to the prior audit, management changes their mind, conducts a risk assessment to reevaluate the issue, and decides to accept the risk, I would probably include the issue again but include their "revised" response (assuming I still feel the exposure is there and there are insufficient mitigating controls in place).
2) If a prior audit contains a recommendation and, in their response, management indicates that the risk is acceptable, I would generally consider the issue closed. I would, however, bring the issue up again if circumstances have changed and the bank's exposure has increased since the last audit.
3) Notwithstanding what I said in #2 above, if I strongly disagree with management's "acceptance" of a given risk, and feel that the bank has significant exposure, I would probably include a discussion of the issue in the comment section of the audit report.
_________________________
My opinions are just that...my opinions.