You're deep into an internal control assessment, working through your sample selections. You're on sample 5 of 45. So far, so good. Then you see it.
The approval signature doesn't match policy. Or maybe the transaction amount in the system doesn't tie to the source document. Or the segregation of duties you documented in the walkthrough? Yeah, that's not happening here.
Your stomach drops a little. This looks like an exception.
Now what? Do you keep testing the other 40 samples? Stop everything and call your manager? Email the client immediately?
If you're feeling uncertain right now, you're not alone. Finding your first exception is always a bit of an "oh crap" moment, even when you've been doing this for a while.
Let me walk you through exactly what to do next.
Here's What You Do Right Now
Step 1: Document what you see
Write down exactly what made you think this is an exception. What did you look at? What did you compare it to? Why doesn't it meet the control attribute you're testing?
This serves two purposes. First, you're going to need this for your workpapers anyway. Second, you're new to this (whether it's your first assessment, new client, or new industry), and there might be some nuance you're missing. Having it documented helps your senior or manager see exactly what you saw.
Step 2: Check with your senior or manager
Step 3: Confirm with the client
Once your team agrees this looks like an exception, go to the client. Keep it straightforward: "I was reviewing the sample you provided last week. Based on our walkthrough, this appears to not follow the policy. Can you help me understand what happened here?"
This isn't about catching anyone. It's about clarifying the facts. Maybe there's a legitimate explanation. Maybe there's an updated process you didn't capture. Or maybe it really is an exception, and now everyone knows early rather than being surprised later.
Why do we do this early communication? Because as an internal control assessor, you can easily end up in an adversarial relationship with your clients. We don't want that. We want to be teammates working together to identify and fix issues. No surprises. No gotchas. Just good communication.
Step 4: Now you can decide what to do next
Once you've confirmed it's a real exception, you have a choice to make: keep testing all 45 samples, or stop here?
The answer depends on a few factors. Let's talk about those.
Why One Exception Matters So Much
Before we get into the decision framework, let's talk about why finding one exception is such a big deal.
Most internal control assessments use zero deviation sampling. If you remember your statistics class, this involves setting a confidence level that determines how many samples you need to test. The methodology assumes you'll find zero exceptions.
So when you find one exception, it's enough to conclude the control failed. Yes, just one.
This is where you'll get pushback from clients. "It's just one mistake out of 45! That's only 2%! The control still works!" And look, I get why they'd say that. It feels harsh.
But the sample size calculation is based on finding zero deviations. If you wanted to allow for one or more exceptions and still pass the control, you'd need a different sampling approach with a significantly larger sample size. We're talking potentially doubling your testing effort.
If you really want to get into the statistical theory behind why this works, you'll need to involve a statistician. For our purposes, just know that one exception under zero deviation sampling means the control didn't operate as designed.
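To put numbers on that, here is an added example (not from the original article) that computes attribute sample sizes from the binomial distribution. The 90% confidence level and 5% tolerable deviation rate are assumptions, chosen because they reproduce the 45-sample plan used in this scenario; your methodology may set different parameters.

```python
from math import comb

# Assumed planning parameters (not stated in the article).
CONFIDENCE = 0.90
TOLERABLE_RATE = 0.05


def acceptance_probability(n, true_rate, allowed):
    """Chance of seeing <= `allowed` deviations in n samples at a given true rate."""
    return sum(
        comb(n, k) * true_rate**k * (1 - true_rate) ** (n - k)
        for k in range(allowed + 1)
    )


def min_sample_size(confidence, tolerable_rate, allowed=0, limit=5000):
    """Smallest n where a population at the tolerable rate would pass the test
    with probability no greater than 1 - confidence."""
    risk = 1 - confidence
    for n in range(allowed + 1, limit + 1):
        if acceptance_probability(n, tolerable_rate, allowed) <= risk:
            return n
    raise ValueError("no sample size found below limit")


def upper_deviation_bound(n, found, confidence):
    """Highest true deviation rate still consistent with `found` deviations
    in n samples at the given confidence (bisection on the binomial CDF)."""
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if acceptance_probability(n, mid, found) > risk:
            lo = mid  # rate still plausible, bound is higher
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    n0 = min_sample_size(CONFIDENCE, TOLERABLE_RATE, allowed=0)
    n1 = min_sample_size(CONFIDENCE, TOLERABLE_RATE, allowed=1)
    print(f"zero deviations allowed: {n0} samples")
    print(f"one deviation allowed:   {n1} samples")
    for found in (0, 1):
        bound = upper_deviation_bound(n0, found, CONFIDENCE)
        print(f"{found} found in {n0}: true rate could be up to {bound:.1%}")
```

Under these assumptions, one exception in 45 looks like a 2% error rate, but the rate you can rule out at 90% confidence rises above the 5% tolerable rate, which is why the plan cannot absorb it.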
Now that you understand why one exception is a failure, let's talk about what to do with your remaining 40 samples.
Should You Keep Testing or Stop Here?
You've confirmed it's a real exception. The control has failed. Now you need to decide: do you test the remaining 40 samples, or stop here?
The answer depends on three factors.
Factor 1: How far along are you?
You're on sample 5 of 45. That means you have 40 samples left to test. That's a lot of work remaining.
Here's my take: if you were on sample 43 of 45, I'd say just finish. You're so close, and having the complete picture is worth the extra effort. But at sample 5? You're barely getting started. The other factors matter more here.
Factor 2: What's your sample size and workload?
45 samples is a moderate size. It's not 10 samples where you'd probably just finish. It's not 200 samples where stopping would save you weeks.
Think about your workload. Do you have other controls to test? Other assessments running? If stopping here frees you up to test controls that might actually pass, that's valuable.
Remember, this is an internal control assessment, not an audit. It's a management tool. If management determines it's more cost-effective to redirect your time to other areas, that's a legitimate decision.
You've already identified the issue. Testing 40 more samples won't change the conclusion. The control failed.
Factor 3: How collaborative is your client?
This is where relationship dynamics come into play.
If you're working with a client who's receptive to feedback, who you communicate well with, and who's going to take this finding seriously, you probably don't need to keep testing. You've found the issue. They're going to work on root cause and remediation. Why create more work for them (gathering more samples) and you (testing them) when you're already aligned?
On the other hand, if you're working with a client who's been resistant to testing, who's insisted "this will never happen," or who's likely to push back hard on your findings, testing the full sample size gives you more data. It's not about being adversarial. It's about professional skepticism and having sufficient evidence to support your conclusion.
When you have a more skeptical or challenging client relationship, the data becomes your backup. You're not just saying "I found one exception." You're saying "I tested 45 samples using a statistically valid methodology, and here's what I found." That carries more weight.
My general guidance:
At sample 5 of 45, with a client who's collaborative? Stop testing and redirect your efforts.
At sample 5 of 45, with a client who's been difficult or dismissive? Consider testing the full sample to have comprehensive evidence.
Either way, communicate your findings and your plan clearly with both your team and the client.
The Bottom Line
Finding your first exception can feel unsettling. You're not sure if you're reading the situation right. You're not sure what comes next. That's normal.
The framework is straightforward: document what you see, confirm it with your team, clarify it with the client, then decide whether to continue or stop based on where you are in testing and how the client relationship is going.
This approach does two things. First, it keeps you professional and thorough. You're not jumping to conclusions or surprising anyone with findings they haven't heard about. Second, it builds trust with your clients. You're treating them as partners in identifying and fixing issues, not as adversaries.
Internal control assessment works best when everyone's on the same team. Following this framework helps you get there.
Whether you're pursuing CPA continuing education or learning through on-the-job internal auditor training, mastering this framework is essential for effective internal control assessment.
