Mitigating controls are a great way to reduce SOD conflict risks. Still, if you are not careful, you can mitigate yourself out of compliance. It’s not enough to assign a compensating control to a risk and call it a day.
Mitigating controls need to be designed and executed to uncover potential fraud and support your SAP® GRC SOX compliance strategy. It doesn’t matter to an auditor that you’ve said you are going to execute a process – you need to be able to prove to the auditor that it actually ran and what it found. Get “control happy,” and you could end up setting yourself up for failure.
Mitigating Controls Don’t Automatically Reduce SOD Conflict
In an SAP audit, you’ll have to answer two main questions about your controls:
- Are they valid?
- Are they actually doing what they’re supposed to do?
For your controls to be valid, they need to mitigate the entire risk and not just a piece of the risk. Over time, poorly chosen mitigating controls can be a way to patch over SOD risks that should be corrected in a more fundamental way. That complicates the security model, and may not adequately reduce SOD conflicts, threatening compliance.
To comply with the second condition, you need to execute the control on a periodic basis. For example, let’s say your organization needed to allow certain users to both create purchase orders and create vendors. To reduce SOD conflict, your organization might create a mitigating control stating that you review all Vendor Master Changes on a weekly basis for appropriateness.
It wouldn’t be enough to have someone skim the changes looking for potential problems. You’d need to have a process in place defining what you’re looking for and how to respond to suspicious activity. You’d also need to follow a procedure to document the workflow so that it’s reviewed and signed off by the appropriate party each week. And finally, you’d need to reaffirm the control, ensuring that it is really addressing all the SOD risks it’s supposed to address.
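As an added illustration of what a defined review criterion and its evidence record can look like for the vendor-master control above (example code written for this page, not ControlPanelGRC or SAP code; the record layouts, field labels and sample rows are constructed), the check below flags purchase orders raised by the same user who created or changed sensitive vendor data within the review window, and packages the week's review for sign-off:

```python
from collections import namedtuple
from datetime import date, timedelta

# One row of a vendor master change log and one purchase order header.
VendorChange = namedtuple("VendorChange", "user vendor field changed_on")
PurchaseOrder = namedtuple("PurchaseOrder", "user vendor amount created_on")

# Vendor fields whose creation/change by the PO creator is the red flag
# (constructed labels, not SAP field names).
SENSITIVE_FIELDS = {"CREATED", "BANK_ACCOUNT", "PAYMENT_TERMS"}

def find_self_dealing(changes, orders, window_days=7):
    """Return POs raised by the same user who created or changed sensitive
    data on that vendor within window_days before the PO, one entry per PO."""
    findings = []
    for po in orders:
        hits = [c.field for c in changes
                if c.user == po.user and c.vendor == po.vendor
                and c.field in SENSITIVE_FIELDS
                and 0 <= (po.created_on - c.changed_on).days <= window_days]
        if hits:
            findings.append({"user": po.user, "vendor": po.vendor,
                             "po_date": po.created_on, "amount": po.amount,
                             "changes": hits})
    return findings

def weekly_review(changes, orders, week_start, reviewer):
    """Build the evidence record for one review week: what was examined,
    what was flagged, and who must sign off (sign-off date left empty)."""
    week_end = week_start + timedelta(days=6)
    in_week = [c for c in changes if week_start <= c.changed_on <= week_end]
    findings = find_self_dealing(in_week, orders)
    return {"week_start": week_start, "reviewer": reviewer,
            "changes_reviewed": len(in_week), "findings": findings,
            "escalate": bool(findings), "signed_off_on": None}

# Constructed sample data, not taken from any real SAP system.
CHANGES = [
    VendorChange("jdoe", "V100", "CREATED", date(2024, 3, 4)),
    VendorChange("jdoe", "V100", "BANK_ACCOUNT", date(2024, 3, 5)),
    VendorChange("asmith", "V200", "ADDRESS", date(2024, 3, 5)),
    VendorChange("asmith", "V300", "CREATED", date(2024, 3, 6)),
]
ORDERS = [
    PurchaseOrder("jdoe", "V100", 4800.0, date(2024, 3, 6)),   # same user: flag
    PurchaseOrder("bwong", "V300", 1200.0, date(2024, 3, 7)),  # different user
    PurchaseOrder("asmith", "V200", 900.0, date(2024, 3, 8)),  # non-sensitive field
    PurchaseOrder("jdoe", "V100", 200.0, date(2024, 4, 1)),    # outside window
]
```

Running `weekly_review(CHANGES, ORDERS, date(2024, 3, 4), "ap.manager")` reviews all four changes and flags only jdoe's 6 March order, which followed that user's own creation and bank-account change on vendor V100; the returned record is the artefact the weekly reviewer signs off and the auditor can inspect.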
Manual Processes Are Impractical for Reducing SOD Conflict
Without automation, it can be extremely difficult to use mitigating controls successfully — the process is just too time-consuming and complicated. Organizations using manual review often end up with a patchwork of controls that aren’t properly maintained, and which wouldn’t adequately reduce SOD conflicts or other obstacles to SOX compliance even if they were. Even where controls work, it can be difficult to maintain the review process, leaving compliance staff wasting time chasing after signatures and documentation.
Organizations should be using automated processes to continuously monitor their controls. GRC software can spot issues instantly, drill down to reduce SOD conflict more effectively, and save your workers a tremendous amount of time.
The Right SAP Access Control Solution is a Must
Most SAP GRC access control software allows you to document your compensating controls, but doesn’t incorporate true continuous control monitoring. That means you’ll require a full process control implementation in addition to access control.
With ControlPanelGRC Access Control, you’ll have this continuous control monitoring functionality in a single solution. Compensating control reporting is executed automatically on behalf of monitors and pushed to them in the self-documenting workflow for review and sign-off. This allows you to more effectively reduce SOD conflict, reducing the headache and uncertainty of SOX compliance.
To learn how we can support your compliance strategy, contact us for a free SAP GRC Risk Assessment.