History

2008

Agencies varying from a control with a should' or should not’ compliance requirement are required to document: a. reasons for the variation b. an assessment of the residual risk resulting from the variation c. the ITSA’s involvement in the decision d. a date by which to review the decision e. management’s approval f. the acceptance of risk by the agency head (or delegate).