Mitigating Controls – Should you use them? What controls should you have?
Mitigating controls on a risk situation is never as desirable as an effective segregation of duties. But it is recognised that in some situations, a breach of a security rule may just have to exist (for example if someone is providing temporary cover for another role within their department).
What sort of mitigating or compensating controls should you consider?
- Second signature – to authorize bank payments, salary transfers, purchase orders etc
- Review by a Supervisor – the daily journal entries reviewed and signed by the employee’s supervisor
- Exception reports – run reports which show all SOD exceptions and review/authorise. eg
- Report of changes to G/L
- Report of postings recorded on accruals accounts
- Report on pending items resulting from reconciliations
- Report on any adjustments made to a prior period
- Report of payments over a given threshold
- Report on changes performed to master data
- Etc…. you get the picture!
- Independent Review – a detailed review of all transactions where an employee has two roles giving SOD breaches, or…
- Random Review – spot checks periodically by an independent person
Standard JDE E1 provides only limited change control of menu changes (through OMW) and no change control of security changes.
Use ALLOut Risk Management to enforce the proper testing for SOD and Compliance, and the automated control of User Access conflicts. Automate your security change approval process and allow our delivered reports to streamline your review controls and audit process.
ALLOut will also allow you to control role assignments – allowing an approval process, recording a ‘reason’ code and justification and alerting you if a role is assigned which would cause a breach. You then have the option to ‘hard stop’ that assignment or a simple ‘warning’ with the option to upload and record the mitigation for that breach. ALLOut provides over 80 sample mitigations as part of the latest version of its SODMaster spreadsheet.