Module 25: Issue, Finding & Exception Management
Every organization has control failures. What matters is what happens next. This module focuses on what happens when:
- Controls don’t operate as intended
- Audit identifies deficiencies
- Risk exceeds tolerance
- Policy cannot be fully complied with
CRISC expects structured tracking, ownership, and escalation.
What the exam is really testing
When issues, findings, or exceptions appear, CRISC is asking:
- Is the issue documented?
- Is ownership assigned?
- Is remediation tracked?
- Is the exception formally approved?
- Is escalation triggered when required?
- Is root cause addressed?
CRISC prefers structured governance response — not informal resolution.
Definitions you must separate
Issue
A problem requiring corrective action.
Examples:
- Control failure
- Policy non-compliance
- Process breakdown
Issues are operational and must be tracked.
Finding
A formal observation — often from audit or assessment.
Examples:
- Audit finding
- Regulatory observation
- Security assessment result
Findings may lead to issues.
Not all issues originate from audit — but findings often trigger issues.
Exception
A formal, approved deviation from policy or control requirements.
Examples:
- Temporary policy waiver
- Accepted deviation from standard
- Compensating control approval
Exceptions must be documented and time-bound.
CRISC frequently tests uncontrolled exceptions.
Issue management lifecycle
Mature issue management includes:
- Identification
- Documentation
- Ownership assignment
- Root cause analysis
- Remediation plan
- Target remediation date
- Status tracking
- Validation of closure
If closure is not validated, residual risk may remain.
Root cause vs symptom
CRISC expects structural correction.
Example:
Finding: Access review not performed.
Superficial fix: Perform review once.
Root cause fix: Redesign access governance process and accountability.
Recurring findings signal root cause failure.
Exception management discipline
Exceptions must:
- Be documented
- Have business owner approval
- Define compensating controls
- Be time-limited
- Be periodically reviewed
- Be recorded in the risk register
Untracked exceptions = hidden residual risk.
The most common exam mistakes
A common wrong-answer pattern: choosing “close the issue” as soon as remediation starts. CRISC will not accept that. Issues stay open until validated. Also watch for answers that treat exceptions as the same thing as risk acceptance, or that put audit in charge of remediation. Informal approvals are never sufficient in the CRISC world.
Example scenario (walk through it)
Scenario:
An audit identifies that privileged access reviews are not consistently performed. Management agrees to fix the issue but does not assign a remediation owner.
What is the PRIMARY governance weakness?
A. Lack of issue ownership
B. High inherent risk
C. Weak threat modeling
D. Excessive appetite
Correct answer:
A. Lack of issue ownership
Without ownership, remediation accountability fails.
Second scenario
A business unit requests an exception to bypass encryption requirements for operational efficiency. No expiration date is defined.
What is the MOST significant governance concern?
A. Excessive mitigation
B. Weak inherent risk
C. Uncontrolled exception duration
D. Poor BIA
Correct answer:
C. Uncontrolled exception duration
Exceptions must be time-bound and reviewed.
Findings vs issues
Important nuance:
- A finding identifies a condition.
- An issue requires remediation.
- An exception allows controlled deviation.
If these are confused, governance clarity fails.
Escalation discipline
If remediation deadlines are repeatedly missed:
- Escalation is required.
- Risk profile may change.
- Residual risk may increase.
- Governance oversight must intervene.
CRISC often tests failure to escalate recurring delays.
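As an added illustration (not part of the CRISC module itself), the issue lifecycle, exception discipline and escalation rules above expressed as a minimal register model in Python: closure is refused without an owner, a root cause and validation; exceptions are refused without approval, compensating controls, an expiration date and a risk-register entry; repeated missed deadlines flip an escalation flag. Class and field names, the two-miss escalation threshold and the 365-day review cycle are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

class GovernanceViolation(Exception):
    """Raised when a record would break the tracking discipline described above."""

def _require(condition: object, message: str) -> None:
    if not condition:
        raise GovernanceViolation(message)

@dataclass
class Issue:
    title: str
    owner: str = ""             # business process owner, never audit (assumed field)
    root_cause: str = ""        # structural cause, not the symptom
    validated: bool = False     # closure validation (effectiveness test) performed?
    missed_deadlines: int = 0
    escalated: bool = False
    status: str = "open"

    def record_missed_deadline(self, escalate_after: int = 2) -> bool:
        """Count a missed target date; escalate once misses reach the threshold (assumed: 2)."""
        self.missed_deadlines += 1
        self.escalated = self.escalated or self.missed_deadlines >= escalate_after
        return self.escalated

    def close(self) -> None:
        """Closure needs an owner, a documented root cause and validated remediation."""
        _require(self.owner, "no remediation owner assigned")
        _require(self.root_cause, "root cause not documented")
        _require(self.validated, "remediation not validated; residual risk may remain")
        self.status = "closed"

@dataclass
class PolicyException:
    control: str
    approver: str = ""          # accountable business owner
    compensating_controls: list[str] = field(default_factory=list)
    expires: date | None = None
    in_risk_register: bool = False

    def approve(self, today: date, max_days: int = 365) -> None:
        """Reject informal, open-ended or uncompensated exceptions (review cycle assumed: 365 days)."""
        _require(self.approver, "business owner approval missing")
        _require(self.compensating_controls, "no compensating controls defined")
        _require(self.expires and self.expires > today, "exception must have a future expiration")
        _require(self.expires - today <= timedelta(days=max_days), "duration exceeds review cycle")
        _require(self.in_risk_register, "exception not recorded in risk register")
```

Each refused action raises GovernanceViolation with the governance gap named, which maps directly onto the wrong-answer patterns the exam scenarios test.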
Here’s where it gets tricky
An issue is marked “closed” once remediation controls are implemented, but no validation testing is performed.
What governance gap exists?
A. Weak inherent risk
B. Poor BIA
C. Excessive appetite
D. Lack of closure validation
Correct answer:
D. Lack of closure validation
Control effectiveness must be validated before closure.
Exception vs acceptance
Exception:
A temporary deviation from a control requirement.
Risk Acceptance:
A formal acknowledgment of residual risk within tolerance.
They are related — but not identical.
An exception may increase residual risk and require acceptance documentation.
Quick knowledge check
1) Who owns remediation of an identified issue?
A. Internal audit
B. Business process owner
C. Risk management
D. External regulator
Answer & reasoning
Correct: B
The business owns remediation accountability.
2) What is MOST critical when granting a policy exception?
A. Informal approval
B. Defined expiration and review
C. Permanent waiver
D. Immediate mitigation
Answer & reasoning
Correct: B
Exceptions must be time-bound and reviewed.
3) What is required before closing an issue?
A. Mitigation initiated
B. Owner reassigned
C. Audit approval
D. Control effectiveness validation
Answer & reasoning
Correct: D
Closure requires validation of remediation effectiveness.
Final takeaway
Issue management requires:
- Documentation
- Ownership
- Root cause correction
- Escalation discipline
- Closure validation
Exception management requires:
- Formal approval
- Defined scope
- Time limits
- Review cycles
- Risk register documentation
This is what separates passing answers from close-but-wrong ones: governance discipline holds even when operational pressure pushes back.