Exception vs Failure



  • For IT do you see auditors allowing an exception to a control instead of failing the control in testing?
    As a specific example, daily backup jobs. Once or twice a month a file may remain open, preventing the daily backup job from completing. But the job runs fine and completes successfully the next day. Is that documented as an allowable exception to a control of ‘have daily backups’, or does that qualify as a failure?



  • Our auditors would consider the control effective as long as it operated as intended at least 95% of the time. So if they picked a sample of 25 days and there was only one of those where the daily back-up didn’t run, then it is still an effective control. If it fails >5% of the time, then the control (as currently worded) would be ineffective and something may need to be done to address why the daily back-ups aren’t able to run.



  • Thanks NC_Sox for the response.



  • It depends. In your case, if the backup failed on day 1 and the backup was required the very next day, and such a case is identified by the auditor, they fail it. I would compare the backup logs with the restoration log (actual restoration and not test restoration) and see if such instances occurred and, if yes, how frequently.
    cheers

