What are testing exceptions and what is their role in the SAS 70/SSAE 16 audit?
Testing exceptions are simply deviations from the expected result when testing one or more control activities. Consider the following example:
Control Objective: Controls provide reasonable assurance that statement processing is appropriately scheduled and that deviations in processing are identified and resolved.
Control Activity: Statement batch totals are used in order to identify and resolve deviations in processing.
Testing Performed: Inspected a sample of batches used to process statements and noted that batch control totals were used to help maintain the integrity of the statements processed.
Using the example above, if one or more of the samples selected did not use batch control totals as expected and indicated by the service organization, that deviation would be a testing exception.
So what does this exception mean to the SAS 70/SSAE 16 examination?
Testing exceptions generally fall into one of four categories: clearly inconsequential, relevant to the user auditor, control failure, and precluding the achievement of the control objective. Testing exceptions that are clearly inconsequential should not be noted in the report. The others should.
Referring again to the example above, a testing exception for the batch control totals should be described in the report, though it would not necessarily preclude the achievement of the control objective. Additional tests and considerations would have to be made before that conclusion could be reached.
Most reports have testing exceptions. It is normal. What is abnormal is a perfectly clean report that shows no exceptions. In such cases, user organizations and user auditors have to wonder how robust the service auditor’s procedures actually were.