In a large organization, mitigation controls can be monitored, and owners assigned, by organizational elements such as plant, company code and sales organization combinations. An organizational mitigation control implementation by plant will consist of a global control owner for all the plants, regional control owners who each control a group of plants, and local control owners who each have access at the level of one plant. If the user has access to all the plants and is truly a global user, then the mitigation will happen at the global or corporate level. But if the user only has access to one plant location, the user can be mitigated at the local level. This lets the local plant manager control the mitigation controls.
Local mitigation controls will satisfy the majority of SAP business scenarios. In this case the mitigation is assigned at the individual plant location. The SAP GRC team needs to create organizational rules for plants at the global, regional and local levels. A sample entry for a mitigation control at the local level would be: Risk: P001; Organizational Level: WERKS (Plant) and/or EKORG (Purchase Org) = 1000. This entry gives mitigation at the local level.
Tip:
From the Informer tab, choose risk analysis and org level.
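The global, regional and local assignment described above, as an added Python example that is not part of the original post and is not SAP GRC code. The region names, the plant codes other than 1000, the owner names, the "*" wildcard, the rule that access spanning regions is mitigated globally, and the fallback to the next broader owner are all assumptions made for illustration.

```python
# Constructed sample data (hypothetical): WERKS plant codes grouped by region.
REGIONS = {"AMER": {"1000", "1100"}, "EMEA": {"2000", "2100"}}
ALL_PLANTS = set().union(*REGIONS.values())

# Constructed control owners keyed by (level, scope). Plant 2100 deliberately
# has no local owner so the fallback path is exercised.
OWNERS = {
    ("global", "ALL"): "corp_controller",
    ("regional", "AMER"): "amer_controller",
    ("regional", "EMEA"): "emea_controller",
    ("local", "1000"): "plant_mgr_1000",
    ("local", "1100"): "plant_mgr_1100",
    ("local", "2000"): "plant_mgr_2000",
}


def candidate_scopes(user_plants):
    """List the scopes that cover the user's plant access, narrowest first."""
    plants = set(ALL_PLANTS) if "*" in user_plants else set(user_plants)
    if not plants:
        raise ValueError("user has no plant access to mitigate")
    unknown = plants - ALL_PLANTS
    if unknown:
        raise ValueError(f"unknown plant codes: {sorted(unknown)}")
    scopes = []
    if len(plants) == 1:
        scopes.append(("local", next(iter(plants))))
    for region, members in sorted(REGIONS.items()):
        if plants <= members:  # every plant the user can reach is in this region
            scopes.append(("regional", region))
    scopes.append(("global", "ALL"))  # assumption: anything wider goes to corporate
    return scopes


def assign_mitigation(risk, user_plants):
    """Pick the narrowest scope that has an owner for this risk."""
    for level, scope in candidate_scopes(user_plants):
        owner = OWNERS.get((level, scope))
        if owner:
            return {"risk": risk, "level": level, "scope": scope, "owner": owner}
    raise LookupError("no control owner defined at any level")


if __name__ == "__main__":
    for access in (["1000"], ["1000", "1100"], ["1000", "2000"], ["*"], ["2100"]):
        print(access, "->", assign_mitigation("P001", access))
```
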
OneAccess-UserManager also helps you manage the complex documenting, testing, process control, and sign-off requirements mandated by Sarbanes-Oxley sections 302, 404, and 409.
Selva Kumar
Vice President- SAP Practice
OneAccess-UserManager for SAP
SAP Certified-Powered by Netweaver
http://www.softsquare.biz/oneaccess/
selva@softsquare.biz
Phone: 1 877 717 5487
Automate and Meditate