Control Exception
A documented instance where an established control did not operate as designed or a policy deviation was authorized under specified conditions.
Full definition
Control exceptions arise either through control failures (operating deficiencies) or through authorized deviations, where management grants temporary relief from standard requirements for business reasons. Both types require formal documentation, risk assessment, compensating controls where applicable, and defined resolution timelines. Tracking exceptions reveals control environment weaknesses, training needs, or impractical policies requiring revision. Persistent exceptions may indicate systematic issues rather than isolated incidents. Exception management processes include approval workflows, periodic review, and reporting to governance committees. For example, a financial institution might grant a control exception allowing a large corporate client transaction to proceed despite incomplete due diligence documentation because of timing constraints, with enhanced monitoring, expedited completion of standard checks, and senior management approval required as compensating measures.