How to Pass Every Audit - Exception Process

We’ve talked about scope and measurement for an audit. There is a nuanced component that lives across both of those worlds: the exception process. An exception process is not a way to move things out of scope. Exceptions are still in scope. An exception is a form of risk acceptance, and you need to account for it. There are a few things that should be true about exceptions:

  1. They must be transparent

  2. They must be included in the scope (exception ≠ out of scope)

  3. They must reference the formal risk register so that they are not managed on an island

  4. They must have an expiration date

If these things are true, then your audit is fine. So, what is an exception?

  1. The CEO of the recent acquisition refuses to use MFA

  2. That one board member expects to be treated differently

  3. There is an old system living in a closet that doesn’t support the current MFA technology

  4. There is a test account that a mobile development team needs, and their app breaks if that account uses MFA

These are all similar to situations I’ve seen. They are not something I’m OK with per se, but at least the last two make sense. I am going to document the risk of allowing this, make a recommendation that it doesn’t happen, and then get sign-off from someone above me. Once I have that, I will document the compensating controls and log the exception in some system of record. This is all you need to maintain your metrics and satisfy audit requirements.

M4 — MFA Exceptions Register

M4 — MFA enforced (program effectiveness; exec/risk committee metric)

  - 100% — 8,912 employees with MFA
  - 99.7% — 353 contractors with MFA (1 contractor with no MFA)
  - 100% — 12 third parties with MFA

M4.1 — Approved MFA exceptions: 4 active, all risk-register approved

| Account | Type | Reason / compensating control | Risk record |
|---|---|---|---|
| johnsmith.ceo | Employee | Acquisition CEO refuses MFA adoption. Compensating: dedicated device, geo-fencing. | RSK-2024-0041 approved · annual |
| bob.board | Board member | Board member expects policy exemption. Compensating: read-only access, no privileged systems. | RSK-2024-0055 approved · annual |
| exc.user-app1 | Legacy system account | Legacy system does not support MFA. Compensating: network isolation, access logging, remediation plan on file. | RSK-2024-0078 approved · 90-day |
| mob.test-user-exc | Dev test account | Mobile dev test: MFA breaks app under test. Compensating: isolated dev environment, no production access. | RSK-2024-0091 approved · 90-day |

All exceptions require: business justification, compensating control, named approver, and scheduled review date.
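As an added example (not the post’s own tooling), the Python below checks a constructed exception register against the four rules above and computes the M4 coverage metric both ways, showing how much the number inflates when exceptions are quietly treated as out of scope. Account names, risk record ids, approvers and dates are illustrative; the fifth "island" entry is constructed to show what the checks flag.

```python
"""Audit checks for an MFA exception register; all data below is constructed."""
from datetime import date

# Constructed register mirroring the M4.1 table; risk ids, approvers and dates are illustrative.
REGISTER = [
    {"account": "johnsmith.ceo", "reason": "Acquisition CEO refuses MFA adoption",
     "compensating": ["dedicated device", "geo-fencing"],
     "risk_record": "RSK-2024-0041", "approver": "CISO", "expires": date(2025, 6, 30)},
    {"account": "bob.board", "reason": "Board member expects policy exemption",
     "compensating": ["read-only access", "no privileged systems"],
     "risk_record": "RSK-2024-0055", "approver": "CISO", "expires": date(2025, 6, 30)},
    {"account": "exc.user-app1", "reason": "Legacy system does not support MFA",
     "compensating": ["network isolation", "access logging", "remediation plan on file"],
     "risk_record": "RSK-2024-0078", "approver": "CISO", "expires": date(2025, 3, 31)},
    {"account": "mob.test-user-exc", "reason": "Mobile dev test; MFA breaks app under test",
     "compensating": ["isolated dev environment", "no production access"],
     "risk_record": "RSK-2024-0091", "approver": "CISO", "expires": date(2025, 1, 31)},
    # Constructed "island" exception: nobody filed a risk record or signed off.
    {"account": "svc.legacy-print", "reason": "Printer service account",
     "compensating": [], "risk_record": None, "approver": None, "expires": None},
]
AUDIT_DATE = date(2025, 2, 15)  # constructed review date


def check_exception(exc, today):
    """Return the list of rule failures for one register entry (empty means clean)."""
    problems = []
    if not exc.get("risk_record"):
        problems.append("no risk-register reference")
    if not exc.get("compensating"):
        problems.append("no compensating control")
    if not exc.get("approver"):
        problems.append("no named approver")
    if exc.get("expires") is None:
        problems.append("no expiration date")
    elif exc["expires"] < today:
        problems.append(f"expired on {exc['expires'].isoformat()}")
    return problems


def register_report(register, today):
    """Map each account to its failures; any non-empty list needs fixing before the audit."""
    return {exc["account"]: check_exception(exc, today) for exc in register}


def mfa_coverage(total, exceptions, unenrolled, exceptions_in_scope=True):
    """Program-effectiveness percentage. Exceptions stay in the denominator and count as
    non-compliant; exceptions_in_scope=False reproduces the inflated out-of-scope number."""
    if exceptions_in_scope:
        return 100.0 * (total - exceptions - unenrolled) / total
    scope = total - exceptions
    return 100.0 * (scope - unenrolled) / scope
```

Run `register_report(REGISTER, AUDIT_DATE)` to get the per-account findings; the 90-day test-account exception shows up as expired and the island entry fails every rule.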