Following the methodology of risk reviews, I believe that control reviews should follow the same methodology, or at least make a “Completed” attribute optional, to indicate that a completed audit cannot be edited in the future.
For example, for external audits, audits whose result of the previous year has been “Failed” cannot be edited to “Passed”.