Total Pageviews

Thursday, 19 June 2014

Mitigating Control Life Cycle


A high amount of time during a SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles for getting a better understanding of the processes and who is taking over the responsibilty.

In this post I would like to clarify the lifecycle of Mitigating Controls. I have grouped them into four steps Create, Change, Delete and Review. Please see for each step expected Tasks and who is involved.

On request from Colleen I have additionally added the RACI matrix to see who is Responsible, Accountable,Consulted and Informed for each step. Please be aware that this is very much depending on the point of view and can be different in your organization. My considerations are commonsense and pretty much of thinking in smooth processes throughout a global enterprise.

Lifecycle_Mitigating_Control.png


Creation of Mitigating Controls


Tasks

Define the control including:
  • Control description
  • Control execution
  • Control approver and control monitor
  • Documentation of control execution
  • Reports used to monitor the risk

Involved functions

  • Control Owner
  • Internal Control responsible
  • SAP GRC responsible
RACI_Mitigation_Create.png

Changing of Mitigating Controls


Tasks

Change the control for example:
  • Control description
  • Control execution
  • Control approver and control monitor
  • Documentation of control execution
  • Reports used to monitor the risk

Involved functions

  • Control owner
  • Internal Control responsible
  • SAP GRC responsible
RACI_Mitigation_Change.png


Deletion of Mitigation Controls


Tasks

  • Delete the mitigating control within SAP GRC AC
  • Document the decision of deletion of the mitigating control

Involved functions

  • Control Owner
  • Internal Control responsible
  • SAP GRC responsible
RACI_Mitigation_Delete.png

Reviewing of Mitigating Controls


Tasks

  • Analyse if maintained controls within SAP GRC are still valid
  • Analyse if the mitigating controls are covering the risk fully
  • Test the effectiveness of the mitigating controls

Involved functions

  • Control owner
  • Internal Control responsible
  • SAP GRC responsible
RACI_Mitigation_Review.png

If you want to have further information or contribute in this blog post do not hesitate to contact me or reply to this post directly.
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)