Part #2/5 – When is it worth creating and when should mitigating controls be avoided?

In the previous part of our series, we concluded that managers responsible for business operations must decide when and in what situations the system access risk should be remediated by access removal, and when it should be remediated by assigning compensating controls. Mitigating controls are a […]
Mitigating controls are control mechanisms implemented in business processes to limit the access risk arising from excessive user authorizations granted in ERP systems. In most cases these are activities performed outside the ERP system (SAP) and carried out manually, usually based on SAP reports or other statements generated from the IT systems. Mitigating controls are a common management response to the access risk arising from conflicting authorizations assigned to users in SAP. Removing user access rights or modifying access through the role change management process is a difficult, time-consuming and very often underappreciated response to the problem.