You may want to take into consideration additional factors (i.e. in addition to impact on patient safety, data integrity, regulatory compliance, etc.,) when assessing the severity of an audit finding. The frequency of occurrence of the non-compliance, as well as the level of control / processes that govern the non-compliance, both can have an impact on the grading.
For example, an isolated incidence of non-compliance within an otherwise well-controlled process is likely to have a lower grading. Whereas, the same non-compliance issue that occurred frequently with little or no evidence of control, is likely to have a higher grading.