[Video] Best Practice Tips For Designing Compensating Controls In ERP Systems
Organizations use Segregation of Duties (SoD) to reduce the risk of fraud, operational errors, misuse of information, and other security concerns. However, resource limitations, such as technical or staffing constraints, mean that it’s not always possible to achieve perfect SoD. When that happens, organizations turn to compensating controls to mitigate those risks.
In this edition of the Appsian Insights video series, we’re going to talk about compensating controls, when you’ll need to use them, and some best practice tips for designing, documenting, implementing, and reviewing them.
What Are Compensating Controls And When Do You Need Them?
If your organization cannot meet an audit requirement, you must sufficiently mitigate the risk associated with that requirement. This is done using compensating controls to mitigate the risk incurred when a user needs to have many duties. This control can be a list of instructions, procedures, or agreements that support the existence of a rule violation and provide “reasonable assurance.”
Compensating controls should:
- Meet the intent of the original control requirement
- Provide a similar level of assurance had you segregated the duties.
- Ideally, go above and beyond the original requirement
4 Tips For Designing Compensating Controls
When designing compensating controls, consider these tips:
- Documentation – create a formal document that can be reviewed by management. The document should clearly outline the steps necessary to execute the control.
- Approval – ensure documentation is reviewed on a regular basis and approved by management. Systems, access, people, and functionality change constantly, so it’s important to ensure that your control is relevant and serves the purpose it was designed for.
- Training – ensure appropriate staff is trained. They need to understand the risk, review the procedure documentation and be clear on such things as execution method and timing.
- Review – periodically review the control to ensure that it’s effective, especially in the first six to 12 months of a new control being in place.
The Importance Of Reviewing Compensating Controls
It is highly recommended that compensating controls are reviewed and checked for evidence periodically by an independent person to ensure that controls are working properly. You can inquire about it, observe someone doing it, inspect the documentation, or re-perform the control to confirm that if similar steps are taken, was the re-performance successful.
Contact Pathlock to learn how our auditing solution can help flag conflicts and violations, provide the ability to note mitigations, and report on the associated compensating controls.