Financial Management Blogs by Members
Dive into a treasure trove of SAP financial management wisdom shared by a vibrant community of bloggers. Submit a blog post of your own to share knowledge.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Mitigating controls - is this a cure for "all evil" in excessive authorizations risks in SAP?

FilipGRC
Contributor
‎11-18-2022 1:38 PM

The implementation of additional mitigating controls is a frequent response from the company management in order to limit the risk of excessive (redundant or unnecessary) authorizations in ERP (SAP) systems. Is it a good way to eliminate the excessive authorization risks or are we are just dealing with its side effects? Let’s debate whether it is the right and well-thought approach. What are the negative consequences of doing so, are there any? Is there one answer that is right for all organizations, situations, and markets? During the SoD (Segregation of duties) project, there are many myths about excessive user rights in SAP. The desire to dispel doubts and debunk the myths about mitigating controls and SoD challenges was the main motivation and inspiration for us to write this series of 5 articles. Today we give you heads-up it is coming.


We encourage you to read our series of articles and let us know about your thoughts after.

A properly conducted project of building or rebuilding user authorizations in SAP should be based on the segregation of duties matrix in business processes designed during business workshops. It’s the matrix that is the ​key product of such project, often overlooked and forgotten during system implementation by vendor/implementation companies, who’s priorities are different and are concentrating on launching a new S\4 Hana (ERP) system. Within the last few years, GRC Advisory has carried out a number such workshops in wide range of private businesses as well as public organizations and administrative units. We had trainings in organizations of various sizes – medium companies led by small management team and large international corporations. Among many conclusions which came from these workshops and meetings, the topic of mitigating controls seems to be an interesting and a bit unfamiliar aspect. What are mitigating controls? When do they apply? In the case of many companies that we have had the opportunity to cooperate with by far, the mitigation control seems to be the most common

The mitigating controls are very wide subject, the material has been created and divided into 5 articles:

  1. Challenges for mitigating controls.

  2. When is it worth to create and when should we avoid mitigating controls?

  3. Control examples and repository – Review building best practice.

  4. How to implement mitigating controls in GRC systems?

  5. Summary and conclusions.


My friend and busienss partner andrzejpartyka was a great influencer to this series. We invite you to read the article and learn more on the subject of mitigating controls.

I encourage you to read it

Filip Nowak

GRC & Security Enthusiast
3 Comments
Popular Blog Posts
Top kudoed authors
View all