866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Management of Exceptions and How to Manage Them Blog Feature
RYAN MEEHAN

By: RYAN MEEHAN

Print/Save as PDF

Management of Exceptions and How to Manage Them

SOC Examinations

During SOC 1 Type 2 examinations, which analyze both the design and operating effectiveness of your controls, deviations from the stated control process must be disclosed within the service auditor’s testing results, often referred to as testing “exceptions” or “deviations” as they are exceptions from the stated control activity.  The identification of at least one testing exception is a common occurrence, whether it is due to an outage, failure to document a manual process, or a simple oversight.  There are a few questions, however, that you can ask both your auditors and yourselves to help manage the exceptions.

One of the first questions you should ask when a testing exception is identified is two-fold:

Is this an exception related to the design of the control

 Or

Is this an exception related to the operating effectiveness of the control?

 

Design

Testing exceptions related to the design of a control activity could result in a qualification of the entire control objective area if this issue is significant and pervasive, so it is worth having a discussion with your auditor about the given control to confirm that it properly reflects your environment.  For example, a control might state that a financial processing job is configured to run on a daily basis to support a control objective for timely data processing.  Let’s assume that your auditor inspected your job configurations and notes that the processing job is actually configured to be performed on a weekly basis.  In this instance, the control may be poorly designed for the stated objective of timely transaction processing.  Additionally, the auditor may also inspect the transaction processing policy and procedure documentation to determine whether the processing job was intended to be performed daily or weekly.  If the policy states that processing jobs occur daily, then this would be a design flaw.  However, if the policy states that processing job is intended to be performed on a weekly basis, then your auditor would likely need to discuss the discrepancy between the policy and the stated control with your management to ensure the controls are accurately stated, and if additional procedures are necessary to determine if effectively designed controls are in place to achieve the stated objective. 

Operating Effectiveness

Testing exceptions related to the operating effectiveness of a control activity could also result in a qualification of the entire control objective, if they are found to be pervasive and significant to the achievement of the objective.  A key consideration when determining the impact of the testing exception is the criticality of the failed control to the achievement of the objective, and the breadth of the exception (e.g. did it fail for 15 of 25 job processing runs or was it only one of 25).  Each of these can be discussed with your auditor, but ultimately the service auditor would need to determine if the control alone or in combination with the other effectively designed controls operated effectively to achieve the control objective.

If we revisit our example above, assume that the processing job was configured to run on a daily basis consistent with the stated control activity and the policy, however the job failed to complete for several days in a sample of days.  This breakdown in the operation of the control would result in operating testing exceptions.

After potential exceptions are uncovered by the auditors, a vetting process should take place to determine if any further information could provide sufficient evidence for the sample in question.  If the exceptions are confirmed, the next stage involves the exception wording that will appear in the report.  Exception wording appears in the section reserved for information provided by the service auditor (this is typically in matrix format in a dedicated section of the SOC 1 report) and would disclose the nature and extent of the testing deviations.

Two great questions that can be asked of your auditor at this point are:

1. Q: Can any additional testing be done to show that the exceptions noted were not pervasive?

A: In some instances where testing identifies a single exception in the original sample, auditors can increase their sample size to determine if additional deviations in operation are present.  If the additional sample size finds no further exceptions, the disclosure about the one exception will remain, however, the control activity may be deemed to have been operating effectively.

2. Q: Can any subsequent testing be performed to show that a given exception was resolved after it was noted during the audit?

A: Continuing with our example above, consider if the auditor performed additional testing and found that the job was in fact, manually re-run within hours after the initial failure and the computer operator noted the successful completion in a system log for each date previously noted.  This subsequent testing essentially shows resolution of the previously noted exception.

The last question that should be asked after exception wording has been decided upon is whether or not you’d like to insert a management response to the exception (typically found in a dedicated section of the report).  Management responses to testing exceptions are not covered by the service auditor’s opinion, but often times provide useful information regarding the causative factors of the noted exception to the users of the report. 

In regards to inserting a management response to an exception there are often two schools of thought:

  1. Some organizations feel that by responding to testing exceptions, they only draw further attention to the exception that occurred.
  1. Some organizations feel that an explanation is warranted in the circumstances, which may include a description of the causative factors and/or corrective plans for remediation

As noted, there are quite a few things to consider when determining if a response should be made.  Understanding the users of your report and their informational needs will largely determine your selected course of action. 

After an exception is noted by your auditor and confirmed, regardless of the way in which it is represented in the SOC 1 report, it is important to reflect upon the root cause of the exception.  Oftentimes exceptions can be useful in improving business operations or information technology practices; or at the very least, help to reduce the chances of future exceptions.

About RYAN MEEHAN

Ryan is a Senior Manager at Schellman. He has worked in public accounting since 2007 specializing in compliance auditing, including SOC examinations, ISO certifications, and healthcare audits such as HIPAA and HITRUST. Ryan has serviced clients in a multitude of industries including business process outsourcing, financial services, information technology, and healthcare. Ryan holds certifications including the CISSP, CISA, ISO 27001 Lead Auditor, CIPP/US, CCSFP, and the Advanced SOC certification.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.