Audit Exceptions 101

Shannon (Vanta Team Member)
 
As organizations grow and aim to improve their security postures, it becomes necessary to have a robust risk management process. Even with the proper procedures and controls in place, there are often items in the audit report known as Risk Exceptions.
 
What is risk management?
  • Risk management describes the process of proactively identifying potential risks, analyzing those risks, and taking precautions to minimize them. Because compliance risk management looks different for different companies, each company should develop an appropriate compliance risk management program designed to suit its specific business processes and regulatory compliance concerns.
 
What are security policies?
  • An information technology (IT) security policy establishes rules and procedures for the individuals who interact with an organization’s IT assets and resources to protect information and IT systems from any unauthorized access, use, alteration, or destruction and to provide guidance as to the actions an organization should take if any IT systems are compromised.
 
What is a risk exception? 
  • A risk exception is implemented when a security policy, standard, program requirement, or security best practice cannot be fully implemented.
 
Does a report with risk exceptions mean we failed the audit?
  • It does not; most audit reports will have a few exceptions depending on the scope of the audit. Discussing exceptions with your auditor is always beneficial, as it can help you understand where additional work needs to be done to improve your security posture. Additionally, speaking with the auditor to better understand the exceptions reported could lead to a better understanding of the process, additional evidence being provided, and the exception being removed from the report.
 
What are the types of audit exceptions? 
  • Misstatements: a misstatement is used to reference an error or omission in the description of a company’s system or services
  • Deficiency in the Design of a Control: a design deficiency is used when a necessary security control is missing or was not designed correctly
  • Deficiency in Operating Effectiveness of a Control: an operating deficiency is used when a properly designed control does not operate as designed or when the person performing the control does not have the appropriate permissions or knowledge to perform the control correctly
 
Qualified Opinions & Unqualified Opinions
  • Qualified Opinion: one or more controls were not designed correctly and/or were not operating effectively
  • Unqualified Opinion: the controls were designed correctly and were operating effectively
 
Common risk exceptions to look out for
  • Team members did not complete the required security training
  • Terminated employees were not off-boarded from systems and platforms 
  • MFA is not enabled company-wide
 
What is risk acceptance, and when is it appropriate? 
  • Accepting risk is a formal and documented choice by the security policy owner or stakeholder not to remediate or patch a particular risk. It is appropriate to accept a risk when other controls already provide protection, or when remediation would be more harmful than helpful.
    • To gain a better understanding, let’s say you have a deadbolt on your front door to block entry from unwanted intruders. You drive to work one day but realize you have left the door unlocked. You feel this is a risk worth accepting because your house has an alarm system that will mitigate unwanted entry. 

 

Comments


  • Sarah Wilkey (Community Founding Member)

    I wish I had this article when I started with compliance and our SOC 2 audit process! Understanding that "unqualified" was a good thing was a mental hurdle for me. I will definitely share this with any compliance newcomers!

