Mitigating controls are a great way to reduce SOD conflict risks. Still, if you are not careful, you can mitigate yourself out of compliance. It’s not enough to assign a compensating control to a risk and call it a day.


Mitigating controls need to be designed and executed to uncover potential fraud and support your SAP® GRC SOX compliance strategy. It doesn’t matter to an auditor whether you’ve said you are going to execute a potential process – you need to be able to prove your success to the auditor. Get “control happy,” and you could end up setting yourself up for failure.


Mitigating Controls Don’t Automatically Reduce SOD Conflict


In an SAP audit, you’ll have to answer two main questions about your controls:


  1. Are they valid?
  2. Are they actually doing what they’re supposed to do?


For your controls to be valid, they need to mitigate the entire risk and not just a piece of the risk. Over time, poorly chosen mitigating controls can be a way to patch over SOD risks that should be corrected in a more fundamental way. That complicates the security model, and may not adequately reduce SOD conflicts, threatening compliance.


To comply with the second condition, you need to execute the control on a periodic basis. For example, let’s say your organization needed to allow certain users to both create purchase orders and create vendors. To reduce SOD conflict, your organization might create a mitigating control stating that you review all Vendor Master Changes on a weekly basis for appropriateness.


It wouldn’t be enough to have someone skim the changes looking for potential problems. You’d need to have a process in place defining what you’re looking for and how to respond to suspicious activity. You’d also need to follow a procedure to document the workflow so that it’s reviewed and signed off by the appropriate party each week. And finally, you’d need to reaffirm the control, ensuring that it is really addressing all the SOD risks it’s supposed to address.
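As an added illustration of such a control (example code, not the author's or any product's), the Python sketch below runs the weekly Vendor Master Change review over constructed vendor-change and purchase-order records, flags the cases where the same user both changed a vendor and raised a PO against it within the review week, and produces the record the reviewer signs off. The record types, field names and sample values are this example's own assumptions, not SAP tables or real data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class VendorChange:
    user: str
    vendor: str
    changed_on: date
    what: str  # which vendor master attribute was created or changed

@dataclass(frozen=True)
class PurchaseOrder:
    user: str
    vendor: str
    created_on: date
    po_number: str

VENDOR_CHANGES = [  # constructed sample data, not real SAP records
    VendorChange("JDOE", "V1001", date(2024, 3, 4), "CREATED"),
    VendorChange("ASMITH", "V2002", date(2024, 3, 5), "BANK_ACCOUNT"),
    VendorChange("JDOE", "V1003", date(2024, 2, 20), "CREATED"),  # before this week
]
PURCHASE_ORDERS = [  # constructed sample data
    PurchaseOrder("JDOE", "V1001", date(2024, 3, 6), "PO-0001"),  # same user: flag
    PurchaseOrder("BLEE", "V2002", date(2024, 3, 6), "PO-0002"),  # different user
    PurchaseOrder("JDOE", "V1003", date(2024, 3, 7), "PO-0003"),  # change not in window
]
WEEK_ENDING = date(2024, 3, 8)

def review_window(week_ending: date):
    return week_ending - timedelta(days=6), week_ending  # inclusive 7-day range

def find_sod_hits(changes, orders, week_ending: date):
    """This week's changes that the same user followed with a PO on that vendor."""
    start, end = review_window(week_ending)
    return [(c, po) for c in changes if start <= c.changed_on <= end
            for po in orders
            if po.user == c.user and po.vendor == c.vendor
            and c.changed_on <= po.created_on <= end]

def build_signoff_record(changes, orders, week_ending: date, reviewer: str) -> dict:
    """Evidence an auditor can test: period, population reviewed, exceptions, owner."""
    start, end = review_window(week_ending)
    hits = find_sod_hits(changes, orders, week_ending)
    return {
        "period": (start.isoformat(), end.isoformat()),
        "changes_reviewed": sum(start <= c.changed_on <= end for c in changes),
        "flagged": [(c.user, c.vendor, po.po_number) for c, po in hits],
        "reviewer": reviewer,
        "status": "PENDING_SIGNOFF" if hits else "NO_EXCEPTIONS",
    }
```

A change made before the review week that is followed by a PO this week (V1003 above) is not flagged here; it belongs to the population of the earlier week's review, which is why each week's record must actually be produced and retained.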


Manual Processes Are Impractical for Reducing SOD Conflict


Without automation, it can be extremely difficult to use mitigating controls successfully — the process is just too time-consuming and complicated. Organizations using manual review often end up with a patchwork of controls that aren’t properly maintained, and which wouldn’t adequately reduce SOD conflicts or other obstacles to SOX compliance even if they were. Even where controls work, it can be difficult to maintain the review process, leaving compliance staff wasting time chasing after signatures and documentation.


Organizations should be using automated processes to continuously monitor their controls. GRC software can spot issues instantly, drill down to reduce SOD conflict more effectively, and save your workers a tremendous amount of time.


The Right SAP Access Control Solution is a Must


Most SAP GRC access control software allows you to document your compensating controls, but doesn’t incorporate true continuous control monitoring. That means you’ll require a full process control implementation in addition to access control.


With ControlPanelGRC Access Control, you’ll have this continuous control monitoring functionality in a single solution. Compensating control reporting is executed automatically on behalf of monitors and pushed to them in the self-documenting workflow, for them to review and sign off. This allows you to more effectively reduce SOD conflict, reducing the headache and uncertainty of SOX compliance.


To learn how we can support your compliance strategy, contact us for a free SAP GRC Risk Assessment.

About Ben Uher, Client Manager of Security & Controls

Ben Uher manages the SAP Security and Controls Practice at Symmetry, where he leads a team of permanent consultants in delivering SAP Security and GRC offerings to global organizations. His deep knowledge of everything related to SAP Security and GRC comes from working with over 150 organizations running SAP throughout various cycles of their implementations. Variation in industry, sector and size has provided a breadth of experience in almost every facet of SAP technology, spanning HANA, Fiori, ERP, BW/BI, HCM and SCM, amongst others. Most importantly, Ben is driven by results and continually strives to provide exceptional support for the organizations that rely on him and his team as trusted advisers for SAP Security and GRC support.