SOD mitigation ownership
jason_hopkins last edited by
I have a question for the group. For those companies that had to develop a mitigation for an unresolvable SOD conflict, who owned the mitigation process? Second to that, did you centralize the mitigation process or disburse it to the business area that had the SOD conflict to begin with? Your feedback is much appreciated.
kymike last edited by
We generally look to the process owner to identify mitigating controls. Absent any controls identified by them, we take a top-down view of the SOD issue to see what other controls we might have at a higher level (possibly unknown to the process owner) to mitigate the SOD deficiency.
This is one area where there could be many ways to approach resolution and where management judgment is necessary.
NC last edited by
who owned the mitigation process?
Control owner/process owner
Second to that, did you centralize the mitigation process or disburse it to the business area that had the SOD conflict to begin with? Your feedback is much appreciated.
Depends on how the organization is structured, and I second kymike’s views on any existing controls (though unlikely for that not to be documented as a secondary control in the first place).
Denis last edited by
Mitigation of SOD conflicts needed to be identified and monitored by the process owner. In our case, SOD mitigations require approval from the Internal Control Manager.