Hi @ChuanYanF 

The OOTB process would allow the reviewer to evaluate the responses and if they are not happy, to then move the control to draft and re-trigger the assessment by moving the control to Attest.

Compliance is a black and white scenario.  You are either compliant or you are not; reflected in the 2 statuses - Compliant / Non-compliant.  

If the Attestation has questions that could be interpreted differently (ambiguity), then it is clear that the control or the Attestation Type used to evaluate the control is not properly defined.

The reviewer must not be able to interpret the state of the control differently to the assessor.  if you had to ask the question to 100 different people they should be able to arrive at the same response.

Example: 

OHS Control:  Emergency exits must be kept clear at all times.

                         Additional info: Check the emergency exit weekly for obstructions

Attestation:   Weekly.  Is the emergency exit clear? Yes / No

                                       Attach evidence

                                       Comment

If the assessor found the emergency exit to be blocked by boxes, then the control fails.

When the reviewer checks the emergency exit the boxes have been cleared away.

The Reviewer cannot ask the assessor to change the response, as it was the truth at that point in time.  the control failed. 

The control did not ensure that the Emergency Exit was clear.  Something needs to be enhanced / fixed / improved. As this failure could result again, you want these to follow the process so that the audit trail records the actual.

This is exactly why it is important that these failure be highlighted.  Continuous improvement.

Issue is raised -> issue is resolved by strengthening the control -> issue is closed -> retrigger attestation.  Now it passes.

Maintain the integrity of the governance and control process.   Maintain the segregation of duties.