While evaluating an entity that is out of compliance with a subcontrol, you can request an exception. Submitting the exception request form starts the exception workflow. Exceptions affect the assessment that you are working on and any other program that evaluates the same entity-subcontrol pair.
Stage | Options | Next stage | Status | Description |
---|---|---|---|---|
Requested | Request | Review | Requested | Start of the workflow. The exception automatically transitions to the Executive owner of the entity for Review. |
Requested | Close | Closed | Expired | When stakeholders reject the request in the Review or Sign off stage, the requestor can add more information and request again, or close the ticket as rejected. Note: Exception permissions are required. |
Review | Sign off | Sign off | -- | Transitions the request to the Security owner of the entity for Sign off. |
Review | Reject | Requested | Rejected | Returns the request to the Exception Requestor and transitions it back to the Requested stage. |
Review | Delegate | -- | Delegated | Assigns the request to another user, who can sign off or reject the exception as the temporary stakeholder of the Review stage. Note: If the delegate rejects the request, it moves back to the requestor. |
Sign off | Accept | Closed | Accepted | Closes the request with an Accepted status and removes the compliance results from related reports and assessments. |
Sign off | Reject | Requested | Rejected | Returns the request to the Exception Requestor and transitions it back to the Requested stage. |
Closed | -- | -- | -- | End of the workflow. |
Exceptions affect programs and reports as follows:

- An approved exception in the Closed state (100% progress) allows the entity to be out of compliance with the control for a specified period without affecting the risk and compliance scores. The exception applies to all programs with assessments of the entity-subcontrol pair.
- An expired exception in the Closed state displays in all programs and assessments with the entity-subcontrol pair, but the results (the questionnaire responders' answers) are included in the risk and compliance scores.
- An open exception request (a request in any stage other than Closed) is flagged in programs and assessments, but the questionnaire answers are still used when calculating risk and compliance scores.

The exception request menu item is an optional questionnaire preference configured by the Program Owner. Exceptions apply to controls, subcontrols, and findings.
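The workflow table and the scoring rules above, modeled in Python as an added example (this is not the product's own code). It assumes that a `--` next stage means the stage is unchanged, and the permission check on Close is a constructed stand-in for the product's Exception permission.

```python
from dataclasses import dataclass, field

# (current stage, option) -> (next stage, new status), taken from the workflow table.
# None means "unchanged" (the table's "--").
TRANSITIONS = {
    ("Requested", "Request"):  ("Review", "Requested"),
    ("Requested", "Close"):    ("Closed", "Expired"),
    ("Review", "Sign off"):    ("Sign off", None),
    ("Review", "Reject"):      ("Requested", "Rejected"),
    ("Review", "Delegate"):    (None, "Delegated"),
    ("Sign off", "Accept"):    ("Closed", "Accepted"),
    ("Sign off", "Reject"):    ("Requested", "Rejected"),
}


@dataclass
class ExceptionRequest:
    """One exception request for an entity-subcontrol pair."""
    stage: str = "Requested"
    status: str = "Requested"
    history: list = field(default_factory=list)

    def apply(self, option, has_exception_permission=False):
        key = (self.stage, option)
        if key not in TRANSITIONS:
            raise ValueError(f"'{option}' is not available in stage '{self.stage}'")
        # Constructed assumption: closing a rejected ticket needs Exception permissions.
        if option == "Close" and not has_exception_permission:
            raise PermissionError("Close requires Exception permissions")
        next_stage, new_status = TRANSITIONS[key]
        self.stage = next_stage or self.stage
        self.status = new_status or self.status
        self.history.append((option, self.stage, self.status))
        return self


def counts_against_score(req):
    """Only a closed, accepted exception removes the result from the risk and
    compliance scores. Open requests (any stage but Closed) and expired
    exceptions are flagged, but the questionnaire answers still count."""
    return not (req.stage == "Closed" and req.status == "Accepted")
```

The point to take away is that filing a request does not, by itself, change a score: until the Security owner accepts it, the non-compliant answer still counts.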
To request an exception:
1. Open the questionnaire by clicking it in My Assessments, or navigate to Home > Questionnaires and select Work on this Questionnaire or Resume Questionnaire from the action menu in the questionnaire's row.
2. In the navigation pane, go to the question and select the control. If the control has more than one subcontrol, a table displays; select the subcontrol title to open the question. The question displays.
3. Click Request Exception. The Exception Request wizard appears.
4. Enter the exception's general details, optionally add an attachment, and then click OK.
5. If you chose to add an attachment, the selection window displays after you click OK. To complete the attachment, enter a description, select a file, and click OK. Canceling the attachment appears to cancel the entire exception request, but the request displays after a short delay without an attachment.

An exception icon displays in the actions column next to the question in the control tables, on the control in the Questionnaire navigation pane, and in the Questionnaires table. The exception request automatically transitions to the Review stage, and the stage stakeholder is notified according to the workflow settings.