Designing Effective Mitigating Control

  • by Jayne Gibbon, Director of Customer Care, SAP
  • July 6, 2011
Because mitigations are normally detective controls, it’s very important that they are designed to maximize their effectiveness. Learn the key concepts for designing, documenting, implementing, testing, and monitoring an effective mitigating control. In addition, examples show how you can use SAP BusinessObjects Access Control risk analysis and remediation to help document and monitor these mitigating controls.
Key Concept
Mitigating controls are normally detective controls designed to ensure any exploitation of a segregation of duties (SoD) risk is caught in a timely manner and can be addressed before significant loss or financial misstatement occurs.

In today’s economy, resources are limited and people are wearing multiple hats. Consequently, many organizations do not have the people available to facilitate proper segregation of duties (SoD) of system access. Although it’s always better to remove SoD risks (a preventive control), many companies today must rely on mitigating controls to remediate SoD risks (a detective control).

The key to designing an effective mitigating control is in understanding the risk that occurs if the SoD issue is exploited. Thus, you really have to think like a criminal when evaluating the risk to determine what could happen if someone executed both conflicting actions.

The SoD example I use in this article is a conflict between maintaining vendor master data and generating accounts payable payments (cut checks). It’s very important that all possibilities that could occur if the SoD risk were exploited are identified and documented to ensure that the mitigating controls address all use cases. In this case, the main risk is that someone could create a fictitious vendor and subsequently cut a check to that vendor, defrauding the company of money. A secondary risk is that the person could change the bank routing information on an existing vendor to redirect payments to his or her own account.
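A detective control for this vendor-master/payments conflict, as an added illustration that is not code from the article or from SAP Access Control: it reviews constructed vendor-master change and payment records and flags every payment where the same user created the vendor or changed its bank details within a review window before paying it, which covers both the fictitious-vendor and the redirected-payment cases described above. The record layout, field names, sample values and 30-day window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real SAP data).
# Vendor master changes: (timestamp, user, vendor, action)
VENDOR_CHANGES = [
    ("2011-06-01 09:10", "jsmith", "V1001", "create"),       # new vendor
    ("2011-06-03 14:02", "jsmith", "V2002", "change_bank"),  # bank details edited
    ("2011-06-10 11:30", "akim",   "V3003", "change_bank"),
]
# AP payments: (timestamp, user, vendor, amount)
PAYMENTS = [
    ("2011-06-02 16:45", "jsmith", "V1001", 4800.00),
    ("2011-06-04 10:00", "jsmith", "V2002", 12500.00),
    ("2011-06-12 09:00", "lchen",  "V3003", 900.00),   # different user: SoD intact
]

RISKY_ACTIONS = {"create", "change_bank"}  # actions that enable the two risks

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def find_exploited_sod(changes, payments, window_days=30):
    """Return payments issued by the same user who created the vendor or
    changed its bank data within window_days before the payment.
    The reviewer of this report should be someone who holds neither access."""
    by_vendor = defaultdict(list)
    for ts, user, vendor, action in changes:
        if action in RISKY_ACTIONS:
            by_vendor[vendor].append((parse(ts), user, action))
    window = timedelta(days=window_days)
    findings = []
    for ts, user, vendor, amount in payments:
        paid_at = parse(ts)
        for changed_at, chg_user, action in by_vendor.get(vendor, []):
            gap = paid_at - changed_at
            if chg_user == user and timedelta(0) <= gap <= window:
                findings.append({"user": user, "vendor": vendor, "action": action,
                                 "amount": amount, "days_between": gap.days})
    return findings

if __name__ == "__main__":
    for f in find_exploited_sod(VENDOR_CHANGES, PAYMENTS):
        print(f)  # two findings, both for user jsmith
```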

Jayne Gibbon

Jayne Gibbon, CPA, has been implementing SAP applications since 1996 and is currently a director in the Chief Customer Office at SAP. Jayne’s focus is making customers successful with their SAP HANA deployments. She has helped more than 100 customers drive business value with SAP HANA. Prior to joining SAP in 2007, Jayne worked for two multinational manufacturing companies based in Wisconsin. While an SAP customer, Jayne led the very first implementation of Virsa’s Compliance Calibrator, which is now part of SAP Access Control. Jayne’s experience includes internal audit; computer security; governance, risk, and compliance; SAP HANA; and SAP analytics.
