Failing checks now become finished work: findings, remediation, and sealed exceptions
Scorifya Controls v1.6 turns a failing check into a tracked finding with an owner and a due date, verifies it on the next passing run, and lets you accept a risk on the record with an approver, an expiry, and an RFC 3161 seal that cannot be backdated.
The question a pass/fail list cannot answer
Twenty of your checks are failing. Your auditor's first question is not "which ones", it is "what did you do about them?" Who owned each failure, when was it due, when was it actually fixed, and where a risk was accepted instead, who approved that and until when. A dashboard that stops at pass and fail has no answer, so the answer ends up living in a spreadsheet, or worse, in someone's head.
Scorifya Controls v1.6 closes that gap. There is a 75 second walkthrough on [YouTube](https://youtu.be/mjEDRvGYGfk) if you would rather watch than read.
Findings open themselves
When a check fails in a run, Controls opens a **finding** for it automatically: one per check, deduplicated across runs, with a due date computed from your remediation targets. You assign an owner, paste a ticket link, add notes. The status machine is deliberately small: Open, Assigned, In progress, Ready for retest, Verified, Closed.
The automated half of the loop is the point. When the next run passes, the finding moves to Verified on its own. If you marked it Ready for retest and the run still fails, it flips back to In progress with the retest date recorded. And if a check that was verified fails again later, the finding reopens instead of spawning a duplicate. Manual controls attested non-compliant can open a finding with one click too.
Accepting a risk, on the record
Sometimes the right decision is to accept a risk: the failing check covers a read-only archive repo scheduled for deletion, or a compensating control genuinely covers the gap. Auditors do not object to that decision. They object to it being undocumented.
In v1.6 an exception carries a written rationale, a named approver, and a hard expiry of at most one year, because auditors expect risk acceptances to be re-approved, not immortal. The whole decision is then sealed with an **RFC 3161 trusted timestamp** over its canonical content, the same mechanism Controls already uses for attestations and policy adoptions. That means the rationale, the approver, and above all the date are independently verifiable with standard OpenSSL. An exception written the week before your audit looks exactly like what it is.
Two deliberate limits. There is no delete: exceptions expire, and an exception you regret is resolved by fixing the finding. And an exception never silences the check. It keeps running, the finding keeps its badge, and your evidence stays honest.
Your targets, your policy
New findings get due dates from remediation targets: 7 days for critical, 30 for high, 60 for medium, 90 for low by default, editable in Settings. No framework mandates those numbers, and Controls does not pretend otherwise. They are your organization's own policy, which matters because the question an auditor actually asks is whether you met the targets you set for yourself. Pick numbers you can keep.
In the audit package
The one-click audit package now includes the full remediation trail. **findings.csv** lists every finding including closed ones, so time-to-remediate is visible rather than asserted. **exceptions.csv** carries each risk acceptance with its content hash and timestamp authority, and the package ships the raw `.tsr` token for every exception so your auditor can verify the seal offline, with no Scorifya account and no trust in your server's clock.
Getting it
Pull the current image and run your checks; failing ones will open findings on the first run. The [live demo](https://controls-demo.scorifya.com/findings) shows the workflow with fictional data, including a sealed exception, no signup needed. Everything here is included in every tier, alongside SOC 2, PCI DSS 4.0.1, ISO/IEC 27001:2022, HIPAA Security Rule, and CMMC Level 1 coverage. Details and common questions live on the Controls help page.
Try a scan on scorifya.com, read how we score, or see Pro for unlimited scans and exports.
Get a weekly digest
New KEV CVE notices and (later) score changes on the domains you watch. One email a week, easy unsubscribe. We don't share or sell your address.
By subscribing you confirm you can receive transactional security updates from Scorifya at this email.