 
June 21, 2016

Stop assigning mitigations to all conflicts regardless of risk

Mitigating segregation of duties (SOD) conflicts is a basic building block of any good compliance strategy. However, low-risk SOD conflicts can sometimes cost you more to mitigate than is at risk were they to actually occur.

Manually monitoring assigned mitigations can be a tedious process even if you only focus on medium- and high-risk conflicts. Throw in low-risk conflicts that people recognize as immaterial and your follow-up voicemails and email messages will get ignored for all risks, whether high or low.

If you have an automated controls platform, then there is a pretty simple solution – stop assigning mitigations to low-risk conflicts.

That may seem reckless, but a risk-informed approach to conflict mitigation isn’t complicated and it can save your enterprise a lot of money.

Start by defining what constitutes high, medium, and low-risk SOD conflicts. If your enterprise has already done this, then you are already halfway there.

Your rankings may vary from other enterprises, but that’s expected given the uniqueness of every organization. The crucial thing isn’t how you define the different levels of risk, but rather that they are defined, the definition is accepted, and it is used across your enterprise.


Audit and IT will need to work together. No one group can adjust the rules without agreement from the other and no one group should arbitrarily decide how to best handle low-risk conflicts going forward without agreement from the other group.

A function-based rule set can simplify this collaboration between audit and IT. Using such a rule set allows auditors to analyze the rules based on business functions before having to look at the specific t-codes and authorization objects.

Once risks have been categorized, there are several ways to handle the low-risk tier: IT, business management, and auditors may agree to ignore low-risk conflicts altogether; the mitigation may be automated; or risks may be dynamically scored by your monitoring platform and only mitigated or reviewed if the conflict is actually exercised, data was changed, and a materiality threshold is met.
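As an added illustration that is not part of the original post or of the Separation Enforcer product, the following Python sketches the dynamic variant described above: medium- and high-risk conflicts always receive a mitigation, while a low-risk conflict is only raised for review when it was exercised, data was changed, and a materiality threshold is met. The risk tiers, field names, and sample conflicts are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass

# Constructed risk tiers; every enterprise defines and agrees its own.
RISK_TIERS = ("high", "medium", "low")


@dataclass
class Conflict:
    """One SOD rule violation for one user, as a monitoring platform might report it."""
    user: str
    rule: str               # conflicting business functions (constructed label)
    risk: str               # one of RISK_TIERS
    exercised: bool = False  # both conflicting functions were actually used
    data_changed: bool = False  # the exercised activity modified business data
    amount: float = 0.0      # value of the changed records, for materiality


def decide(c: Conflict, materiality_threshold: float) -> str:
    """Return 'mitigate', 'review', or 'ignore' for a single conflict."""
    if c.risk not in RISK_TIERS:
        raise ValueError(f"unknown risk tier: {c.risk!r}")
    if c.risk in ("high", "medium"):
        # Medium- and high-risk conflicts always get an assigned mitigation.
        return "mitigate"
    # Low-risk conflicts are only escalated when the conflict was exercised,
    # data was changed, and the value involved meets the materiality threshold.
    if c.exercised and c.data_changed and c.amount >= materiality_threshold:
        return "review"
    return "ignore"


def triage(conflicts, materiality_threshold: float) -> dict:
    """Map (user, rule) to the decision for each reported conflict."""
    return {(c.user, c.rule): decide(c, materiality_threshold) for c in conflicts}


# Constructed sample findings with a constructed materiality threshold of 10,000.
SAMPLE = [
    Conflict("alice", "create vendor + pay vendor", "high"),
    Conflict("bob", "maintain price list + post sales order", "low"),
    Conflict("carol", "maintain price list + post sales order", "low",
             exercised=True, data_changed=True, amount=25_000.0),
    Conflict("dave", "maintain price list + post sales order", "low",
             exercised=True, data_changed=True, amount=500.0),
]

if __name__ == "__main__":
    for key, decision in triage(SAMPLE, 10_000.0).items():
        print(key, "->", decision)
```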

Any enterprise running our Separation Enforcer module can easily implement a risk-tiered mitigation policy and if they are also running our Process Auditor module they can integrate an automated alerting and case management solution as part of their strategy. Separation Enforcer also enables automatic review of mitigations so management, IT, and auditors know if mitigations are being followed. Both solutions serve as auditor proven and secure repositories for documenting policies and mitigations and for customized SOD reporting that matches those policies and supports defined mitigations.

Want to learn how our Separation Enforcer module simplifies the process of moving to a risk-based approach to SOD conflict mitigation and helps monitor whether mitigations are taking place or not? Download the Separation Enforcer data sheet today.