Exception List

The Exception List module provides a centralized view of all exceptions recorded across compliance frameworks. It enables compliance managers, auditors, and control owners to:

  • Track non-compliance cases formally accepted by management.

  • Review the context, justification, and evidence behind each exception.

  • Monitor exception timelines to ensure they are periodically reviewed or remediated.

This module functions as the “single source of truth” for all active exceptions, supporting audit readiness and risk governance.


Core Concepts

  • Exception – A formally logged record that a control/check cannot be fully met. Example: “Password rotation is not enforced on all legacy systems due to compatibility issues; compensating monitoring is in place.”

  • Sub-control – The framework requirement to which the exception applies (e.g., CC1.0 Control Environment → CC1.3 COSO Principle 3).

  • Check – The specific check (policy or automated) impacted by the exception.

  • Evidence/Documentation – Files or notes uploaded to justify and support the exception (e.g., risk acceptance memo, approvals, compensating controls).


Users can locate specific exceptions using the available filters:

  • Search by Content – Filter exceptions by their entered title or description.

  • Search by Sub-control – Narrow results to a specific SOC 2 sub-control.

  • Search by Check – Filter by the impacted policy or automated check.

  • Date Filter – View exceptions logged within a specific date range.

  • Clear Filters – Reset all applied filters.


Exception List Table — Column Details

  • Sr No – Auto-generated serial number of the exception entry.

  • Content – Exception title or short description entered during logging.

  • Sub-control – The specific requirement under the control (e.g., CC1.3 COSO Principle 3: Management establishes...).

  • Check – The impacted check name (policy or automated check linked).

  • Uploaded At – Timestamp showing when the exception was logged. Useful for audit tracking and periodic review schedules.

  • Actions – Quick actions available for each exception:

    • 🗑️ Delete → Permanently removes the exception (permissions required).

    • ⬇️ Download → Downloads attached exception documentation/evidence for offline use.


Action Buttons

1. Downloading Exception Evidence

Click the Download (⬇️) icon to export supporting files for offline audit packs or management review.

2. Deleting an Exception

  • Use the Delete (🗑️) icon if the exception is no longer valid.

  • Deletions should be rare and typically require approval (depending on your governance model).


Summary

The Exception List module provides a structured, transparent mechanism to track risk acceptance across the organization. By centralizing exceptions, linking them to controls/checks, and maintaining supporting evidence, it enables strong governance, audit readiness, and continuous risk oversight.