
Segregation of duties mitigation controls: what audit teams need now


(@nhi-mgmt-group)
Member Moderator

TL;DR: When segregation of duties conflicts cannot be removed without disrupting operations, mitigation controls let organisations document, monitor, and re-test accepted risk instead of leaving violations unresolved, according to SafePaaS. The governance issue is not whether SoD matters, but whether teams can prove that accepted conflict risk remains time-bound, justified, and continuously reviewed.

NHIMG editorial — based on content published by SafePaaS: Managing Segregation of Duties risk with mitigation controls

Questions worth separating out

Q: How should security teams handle SoD violations that cannot be remediated?

A: They should treat them as formal risk acceptances with documented mitigation, not as unresolved exceptions.

Q: Why do SoD conflicts remain risky even when no fraud has occurred?

A: Because the risk lies in the access path as much as in the transaction outcome: a user who can execute both sides of a conflicting process (can-do) is already a control failure, whether or not they have done so (did-do).

Q: What do auditors expect to see for accepted SoD risk?

A: Auditors expect a complete treatment trail: the detected conflict, the documented justification and named owner for accepting it, the expiry date, the monitoring evidence collected while it was accepted, and the re-test when it comes up for review.

Practitioner guidance

  • Build a current SoD conflict matrix: Define the business function pairs that create real control conflicts, map them to roles and users, and refresh the matrix whenever finance, procurement, or approval workflows change.
  • Use mitigation only for justified exceptions: Require a documented reason, named owner, and expiry date for every accepted conflict so mitigation stays time-bound and reviewable.
  • Link SoD exceptions to transaction monitors: Connect accepted conflicts to activity monitoring so reviewers can see whether the user actually executed both sides of the conflicting process.
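The three guidance items above are one procedure, and the following is an added example that implements it end to end (this is NHIMG example code, not SafePaaS's product or the article's own material). It applies a conflict matrix to role and user assignments to find can-do conflicts, checks each conflict against mitigation records that carry an owner, reason and expiry date, and correlates the conflict with a transaction log to produce did-do evidence. Every function name, role, user, document ID and date in it is a constructed assumption for illustration.

```python
"""Added example (not SafePaaS code): a minimal SoD review that combines a
conflict matrix, time-bound mitigation records, and did-do correlation
against a transaction log. All data below is constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Conflict matrix: pairs of business functions one person must not hold together.
CONFLICT_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"create_po", "receive_goods"}),
}

# Constructed role -> functions and user -> roles assignments.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice", "create_vendor"},
    "AP_MANAGER": {"approve_payment"},
    "BUYER": {"create_po"},
    "WAREHOUSE": {"receive_goods"},
}
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"BUYER"},
    "carol": {"BUYER", "WAREHOUSE"},
}


@dataclass(frozen=True)
class Mitigation:
    """An accepted conflict: who owns it, why, and when it must be re-reviewed."""
    user: str
    conflict: frozenset
    owner: str
    reason: str
    expires: date


# Constructed mitigation records; carol's has lapsed and must be re-tested.
MITIGATIONS = [
    Mitigation("alice", frozenset({"create_vendor", "approve_payment"}),
               "cfo", "single AP clerk at site; monthly vendor-master review", date(2025, 12, 31)),
    Mitigation("carol", frozenset({"create_po", "receive_goods"}),
               "ops-director", "temporary warehouse backfill", date(2024, 1, 31)),
]

# Constructed transaction log as (user, function, document id): the did-do evidence.
TRANSACTIONS = [
    ("alice", "enter_invoice", "INV-100"),
    ("alice", "approve_payment", "INV-100"),  # both sides of one conflict on one document
    ("alice", "create_vendor", "V-9"),
    ("carol", "create_po", "PO-7"),
    ("bob", "create_po", "PO-8"),
]

REVIEW_DATE = date(2025, 6, 1)  # assumed date of the periodic SoD survey


def user_functions(user: str) -> set[str]:
    """Effective functions a user can execute through all assigned roles (can-do)."""
    funcs: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_conflicts(user: str) -> set[frozenset]:
    """Conflict-matrix pairs fully contained in the user's effective functions."""
    funcs = user_functions(user)
    return {pair for pair in CONFLICT_MATRIX if pair <= funcs}


def mitigation_status(user: str, conflict: frozenset, as_of: date = REVIEW_DATE) -> str:
    """'active' if an unexpired mitigation exists, 'expired' if only lapsed ones, else 'missing'."""
    matches = [m for m in MITIGATIONS if m.user == user and m.conflict == conflict]
    if not matches:
        return "missing"
    return "active" if any(m.expires >= as_of for m in matches) else "expired"


def did_do(user: str, conflict: frozenset, transactions=TRANSACTIONS) -> list[str]:
    """Documents on which the user executed both sides of the conflicting pair."""
    docs_by_function: dict[str, set[str]] = defaultdict(set)
    for who, function, doc in transactions:
        if who == user and function in conflict:
            docs_by_function[function].add(doc)
    a, b = sorted(conflict)
    return sorted(docs_by_function[a] & docs_by_function[b])


def review(as_of: date = REVIEW_DATE, transactions=TRANSACTIONS) -> list[tuple]:
    """One finding per (user, conflict): mitigation status plus did-do evidence."""
    findings = []
    for user in sorted(USER_ROLES):
        for conflict in sorted(find_conflicts(user), key=sorted):
            findings.append((
                user,
                tuple(sorted(conflict)),
                mitigation_status(user, conflict, as_of),
                did_do(user, conflict, transactions),
            ))
    return findings


if __name__ == "__main__":
    for finding in review():
        print(finding)
```

Run against the constructed data, the review returns one finding per user/conflict pair: alice's vendor/payment conflict has an active mitigation and no did-do evidence, her invoice/payment conflict has no mitigation at all and was actually exercised on INV-100 (the case that should escalate from monitoring to remediation), and carol's purchase/receipt conflict has a mitigation that expired and is due for re-test. A mitigation without an expiry date cannot be represented here at all, which is the point of making `expires` a required field.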

What's in the full article

SafePaaS's full article covers the operational detail this post intentionally leaves for the source:

  • The article explains the seven-phase SoD review lifecycle in implementation terms, including how violations move from detection to certification.
  • It describes how mitigation controls are configured with validity periods, owners, and supporting documentation.
  • It shows how transaction monitors are linked to accepted conflicts so teams can compare can-do and did-do evidence.
  • It outlines how reviewers decide between remediation and mitigation during periodic SoD surveys.

👉 Read SafePaaS's full article on mitigation controls for segregation of duties →
