Mitigating controls – is this a cure for “all evil” in excessive authorizations risks in SAP?

The implementation of additional mitigating controls is a frequent response from the company management in order to limit the risk of excessive (redundant or unnecessary) authorizations in ERP (SAP) systems. Is it a good way to eliminate the excessive authorization risks or are we are just dealing with its side effects? Let’s debate whether it is the right and well-thought approach. What are the negative consequences of doing so, are there any? Is there one answer that is right for all organizations, situations, and markets? During the SoD (Segregation of duties) project, there are many myths about excessive user rights in SAP. The desire to dispel doubts and debunk the myths about mitigating controls and SoD challenges was the main motivation and inspiration for us to write this series of 5 articles. Today we give you heads-up it is coming.

We encourage you to read our series of articles and let us know about your thoughts after.

A properly conducted project of building or rebuilding user authorizations in SAP should be based on the segregation of duties matrix in business processes designed during business workshops. It’s the matrix that is the ​key product of such project, often overlooked and forgotten during system implementation by vendor/implementation companies, who’s priorities are different and are concentrating on launching a new S\4 Hana (ERP) system. Within the last few years, GRC Advisory has carried out a number such workshops in wide range of private businesses as well as public organizations and administrative units. We had trainings in organizations of various sizes – medium companies led by small management team and large international corporations. Among many conclusions which came from these workshops and meetings, the topic of mitigating controls seems to be an interesting and a bit unfamiliar aspect. What are mitigating controls? When do they apply? In the case of many companies that we have had the opportunity to cooperate with by far, the mitigation control seems to be the most common

The mitigating controls are very wide subject, the material has been created and divided into 5 articles:

1. Challenges for mitigating controls.
2. When is it worth to create and when should we avoid mitigating controls?
3. Control examples and repository – Review building best practice.
4. How to implement mitigating controls in GRC systems?
5. Summary and conclusions.

My friend and busienss partner Andrzej Partyka was a great influencer to this series. We invite you to read the article and learn more on the subject of mitigating controls.

I encourage you to read it

Filip Nowak

GRC & Security Enthusiast