Exception vs Failure

  • For IT, do you see auditors allowing an exception to a control instead of failing the control in testing?
    As a specific example, daily backup jobs. Once or twice a month a file may remain open, preventing the daily backup job from completing. But the job runs fine and completes successfully the next day. Is that documented as an allowable exception to a control of ‘have daily backups’, or does that qualify as a failure?

  • Our auditors would consider the control effective as long as it operated as intended at least 95% of the time. So if they picked a sample of 25 days and there was only one of those where the daily back-up didn’t run, then it is still an effective control. If it fails >5% of the time, then the control (as currently worded) would be ineffective and something may need to be done to address why the daily back-ups aren’t able to run.

  • It depends. In your case, if the backup failed on day 1 and the backup was required the very next day, and such a case is identified by the auditor, they fail it. I would compare the backup logs with the restoration log (actual restoration and not test restoration) and see if such instances occurred and, if yes, how frequently.

