While a Segregation of Duties (SoD) tool is a big and important step toward maturing your risk management processes in SAP, it will not be able to handle all risk in the organization. Some SoD risks and critical accesses will be accepted. To maintain full control of risks, organizations need to implement mitigating controls. While the SoD tool concentrates on determining your access permissions and whether they can be approved, the mitigating control functions as an audit mechanism to detect and avert errors after privileged access has been approved.
How do mitigating controls fit into the SoD process?
When you introduce SoD in an SAP landscape, you have taken a huge step in maturing your risk management level. The organization has now advanced beyond being covered only by the ordinary access management in SAP. Based on the SAP-dedicated risk library, the organization has gained transparency into who in the organization carries a risk, and as the risks are now known, they can be managed. The organization can reject accesses that result in SoD risks if they are not needed and/or the employee is not to be trusted with the access. While the SoD tool is not a complete safety net that catches every possible risk in the organization, it does enable the organization to know who has a risk, and in addition someone has taken an active decision on whether the employee should have the risk-containing access. With transparency we can manage risks, as we now know who has them – but there are still risks.
So, even though you have taken a big step in maturing the risk management and preventing risks in the organization, you are still left with accepted risks. What is the logical next step then? How do we make sure that we still have full control of the organization’s risk landscape when we know we have to accept a certain level of risk in order to keep the organization operational and effective? We need a process/tool that takes over where the SoD tool leaves off.
Establishing mitigating controls is the next natural step. Mitigating controls take over exactly where the SoD tool leaves off, so that the organization maintains full control over its risk exposure. Mitigating controls are a necessary process if you wish to avoid risk stemming from critical accesses, which cannot be segregated away via an SoD tool, as well as from accepted SoD risks deemed necessary for employees to perform their functions. Where the SoD tool acts as a restriction on access that prevents risks, mitigating controls act as an audit process that investigates accepted risks and prevents potential oversights in the SoD process.
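To make the hand-over between the two steps concrete, here is an added example (not ComplianceNow's code; every user, risk ID, control ID and date is constructed) that runs a minimal SoD conflict check and then classifies each surviving conflict by whether its accepted risk is covered by a mitigating control that has actually been executed within the review period.

```python
from datetime import date

# Constructed risk library: pairs of SAP functions that conflict when held by one user
RISK_LIBRARY = {
    "P001": ("CREATE_VENDOR", "POST_VENDOR_INVOICE"),
    "P002": ("MAINTAIN_BANK_DETAILS", "RUN_PAYMENT"),
}

# Constructed user-to-function assignments (in practice derived from SAP role analysis)
ASSIGNMENTS = {
    "jdoe": {"CREATE_VENDOR", "POST_VENDOR_INVOICE", "DISPLAY_PO"},
    "asmith": {"MAINTAIN_BANK_DETAILS", "RUN_PAYMENT"},
    "cbrown": {"MAINTAIN_BANK_DETAILS", "RUN_PAYMENT"},
    "bwong": {"CREATE_VENDOR"},
}

# Constructed register of accepted risks: (user, risk id) -> assigned mitigating control
ACCEPTED = {("jdoe", "P001"): "MC-VEN-01", ("asmith", "P002"): "MC-PAY-07"}

# Constructed control execution log: control id -> date the control was last executed
CONTROL_LOG = {"MC-VEN-01": date(2024, 3, 1), "MC-PAY-07": date(2023, 11, 15)}


def detect_sod_conflicts(assignments, library):
    """Step 1 (the SoD tool's job): users holding both halves of a conflicting pair."""
    return sorted((user, risk_id) for user, funcs in assignments.items()
                  for risk_id, pair in library.items() if set(pair) <= funcs)


def classify_risks(conflicts, accepted, control_log, today, max_age_days=90):
    """Step 2 (the mitigating-control process): every conflict that survives the SoD
    review must be formally accepted AND covered by a control executed recently."""
    findings = {"unaccepted": [], "no_control": [], "control_overdue": [], "mitigated": []}
    for user, risk_id in conflicts:
        control = accepted.get((user, risk_id))
        if control is None:                       # risk never went through acceptance
            findings["unaccepted"].append((user, risk_id))
        elif control not in control_log:          # control assigned but never executed
            findings["no_control"].append((user, risk_id, control))
        elif (today - control_log[control]).days > max_age_days:
            findings["control_overdue"].append((user, risk_id, control))
        else:
            findings["mitigated"].append((user, risk_id, control))
    return findings


if __name__ == "__main__":
    report = classify_risks(detect_sod_conflicts(ASSIGNMENTS, RISK_LIBRARY),
                            ACCEPTED, CONTROL_LOG, date(2024, 3, 15))
    for status, items in report.items():
        print(f"{status}: {items}")
```

Everything except the "mitigated" bucket is a finding for the compliance manager: an unaccepted conflict is a gap in the SoD process itself, while a missing or overdue control execution is a gap in the mitigating-control process.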
ComplianceNow can help your organization mature its risk management processes with CN Internal Control.
What is Internal Control from ComplianceNow?
Internal Control is an SAP-integrated framework supporting the documentation and execution of your company’s controls. Controls related to your SAP processes as well as controls relevant to other applications or even non-IT controls can be included in the scope.
Internal Control digitalizes and optimizes your internal control process:
- Delegates the responsibility of the control process – a central framework with individual workplaces for Control Administrator, Executer, Compliance Manager and Approver
- Prepares you for the audit – IC standardizes the control process and ensures efficient audits by providing the audit trace, logs and control documents all in one system
- The Enterprise Risk Management and Risk Map not only link your controls to the company’s enterprise risks but also provide an effective overview based on the currently active controls
Interested in hearing more about CN Internal Control?
Follow us on LinkedIn and get instant access to our latest articles and posts on SAP and compliance.