{"id":6339,"date":"2023-01-04T08:43:36","date_gmt":"2023-01-04T06:43:36","guid":{"rendered":"http:\/\/inprosec.com\/mitigating-controls-for-finance-risks\/"},"modified":"2025-07-07T11:09:14","modified_gmt":"2025-07-07T09:09:14","slug":"mitigating-controls-for-finance-risks","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/mitigating-controls-for-finance-risks\/","title":{"rendered":"Mitigating Controls for Finance Risks (SAP Risk Matrix)"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In this article, we will review the concepts of Business Process, Risk, Control, and we will describe some of the best practices for defining Mitigation Controls.<\/span><\/p>\n\n<h2><b>Business Process<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Every company has its own business process, but from a high-level perspective, most of them are similar regardless of their activities. As an example, we can use the Purchase to Pay process. The image below shows a simple P2P process where the process begins with Purchase Requisition activities, then we move to Purchase Order activities, afterwards we receive the Delivery Note for the goods <\/span><span style=\"font-weight: 400;\">we acquired, on the other hand, we receive the Supplier Invoice and finally we make the payment for the goods received from the Supplier.<\/span><br \/>\n<img decoding=\"async\" class=\"aligncenter wp-image-8553\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/1.jpg\" alt=\"\" width=\"700\" height=\"209\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/1.jpg 1038w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/1-300x90.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/1-1024x306.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/1-600x179.jpg 600w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><br \/>\n<span style=\"font-weight: 400;\">Furthermore, based on the previous image we can 
detect that if someone is handling all these activities, it will be a High Risk for the Company. However, if someone is handling two activities that are adjacent within the process, this will also be a Risk for the Company, for example:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Purchase request versus RP approval.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Invoice reception and payment execution.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Therefore, <\/span><b>it is easy to find the Risk when the Business Process is already defined.<\/b><\/p>\n<h2><b>Risk<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The definition of risk could be:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Effect of uncertainty on objectives.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">(Exposure to) the possibility of loss, injury, or other adverse or undesirable circumstance; an opportunity or situation that involves such a possibility.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Combination of the consequences of an event (including changes in circumstances) and the associated probability of occurrence.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">In addition, there are two types of risk in SAP:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Segregation of Functions (SoD) Risk: when a person needs two or more activities to create a Risk within the Organization. 
For example, the ability to record an invoice and execute the payment is a segregation of functions risk.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Critical Action Risk: when a person needs only one activity to create a Risk within the Organization. As an example, the activity of Opening Closed Financial Period is a Critical Action.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Once we know the meaning behind the Concept of Risk, we can move forward and understand the aspect of Financial Risks within the SAP Risk Matrix. The SAP Matrix has different Business Processes, and the one most closely related to purely financial activities is called &#8220;Financial&#8221; Risks. In this article, we will focus on purely financial risks, but we will also cover other cross-process risks.<\/span><br \/>\n<img decoding=\"async\" class=\"aligncenter size-full wp-image-8555\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/2.png\" alt=\"\" width=\"260\" height=\"261\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/2.png 260w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/2-150x150.png 150w\" sizes=\"(max-width: 260px) 100vw, 260px\" \/><br \/>\n<b>Those indicated with a full circle are purely Financial Risks and those indicated with a dotted circle are related to Cross-Process Risks<\/b><span style=\"font-weight: 400;\"> (where one activity of the Risk is related to a Financial Activity and the other could be related to another Process). 
As an example, we can use the following SoD Risk to understand Cross-Process Risk:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">M013 \u2013 Compensate inventory differences (materials management process) and record the entry (financial process)<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The following activities are those we establish as pure Finance activities:<\/span><br \/>\n<img decoding=\"async\" class=\"aligncenter wp-image-8557\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/3.jpg\" alt=\"\" width=\"700\" height=\"400\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/3.jpg 759w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/3-300x172.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/3-600x343.jpg 600w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/p>\n<h2><b>Risk Response<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">There are different risk responses that can be applied:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Avoid: Eliminate the cause of the risk<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Mitigate: Reduce the probability or impact of the risk.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Accept: Contingency Plans for Risks.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Transfer: A third party assumes the responsibility of the risk.<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8559\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/4.png\" alt=\"\" width=\"412\" height=\"271\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/4.png 571w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/4-300x198.png 300w\" 
sizes=\"(max-width: 412px) 100vw, 412px\" \/><br \/>\n<b>The main Risk Response that we will focus on during this article is the activity of Mitigation.<\/b><span style=\"font-weight: 400;\"> Additionally, based on the definition we have previously described, to mitigate we need to define an activity that reduces the probability or impact of the Risk and for this, we use the concept of Mitigating Control. There are two types of mitigation control:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Preventive: Designed to be implemented before a threat event.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Detection: Designed to find errors after the execution of the activity.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">As an example, we will use a simple scenario where the lock on a door is a preventive control that prevents the entry of strangers to your house and the security alarm will be the detection control when an unauthorized person enters your house.<\/span><br \/>\n<img decoding=\"async\" class=\"aligncenter size-full wp-image-8561\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/5.jpg\" alt=\"\" width=\"320\" height=\"178\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/5.jpg 320w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/12\/5-300x167.jpg 300w\" sizes=\"(max-width: 320px) 100vw, 320px\" \/><\/p>\n<h2><b>Risk Mitigation Strategy<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Once we have understood the meaning and different types of Mitigation Controls we can move forward and describe a strategy to mitigate <\/span><b>the 32 SoD Financial Risks that exist within the SAP Risk Matrix<\/b><span style=\"font-weight: 400;\">. 
<\/span><br \/>\n<span style=\"font-weight: 400;\">Next, we will detail two examples, one for SoD risk F001 and another for F019.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The description of SoD Risk F001 says &#8220;Maintain a fictitious ledger account and conceal activity through postings&#8221;. Based on this, we can understand that the functions that generate this risk are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Update the ledger account<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">GL Posting<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Once we understand the activities behind the risk, we have to focus on them, but independently.<\/span><\/p>\n<p style=\"padding-left: 40px;\"><i><span style=\"font-weight: 400;\">Maintain the ledger account: This activity could be controlled by the following mitigation controls:<\/span><\/i><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Every creation of the ledger account must be approved based on the List of Authorities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Quarterly, all ledger accounts created during this period will be reviewed, based on the authorities&#8217; calendar.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\"><i><span style=\"font-weight: 400;\">GL Posting: This activity could be controlled by the following mitigation controls:<\/span><\/i><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Every manual posting to be included in the profit and loss statement must go through a workflow for approval based on the list of authorities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span 
style=\"font-weight: 400;\">Monthly, all manual postings created during this period will be reviewed based on the list of authorities.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The description of SoD Risk F019 says &#8220;Open closed periods and post payments after the end of the month.&#8221; Based on this, we can understand that the functions that generate this risk are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Update GL periods<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">AP Payment<\/span><\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\"><i><span style=\"font-weight: 400;\">Update GL periods: This activity could be controlled by the following mitigation controls:<\/span><\/i><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Any request to open a previously closed GL period must be approved by the List of Authorities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Once the activity is completed, all changes made must be sent to the corresponding approver based on the List of Authorities.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\"><i><span style=\"font-weight: 400;\">AP Payment: This activity could be controlled by the following mitigation controls<\/span><\/i><span style=\"font-weight: 400;\">:<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Each AP payment must be referenced to a supplier invoice that includes an approved purchase order number.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Urgent payments must be approved based on the list of authorities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The AP payment needs to have an authorized 
payment proposal.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">It is important to review each activity and understand the specific controls. By applying this best practice, we increased the Control Assignments (user assigned to a mitigating control) in the Client&#8217;s Access and Risk Control Matrix from a total of 548 to a total of 1,049. Therefore, when defining Mitigation Controls, it is really important to understand the activities behind the SoD Risk and review them individually to find the most relevant Mitigation Controls.<\/span><br \/>\n<span style=\"font-weight: 400;\">Finally, and focusing only on the 32 SoD Risks in Finance that appear within the SAP Matrix, <\/span><b>if you are able to mitigate 3 activities: &#8220;General Ledger Posting&#8221;, &#8220;Maintain General Ledger Period&#8221; and &#8220;Asset Master Maintenance&#8221;, you will be able to mitigate 60% of the SoD Risks in Finance.<\/b><\/p>\n<h2><b>Key points to consider<\/b><\/h2>\n<ul>\n<li aria-level=\"1\"><span style=\"font-weight: 400;\">Documenting all business processes will help you understand most of the risks in your organization.<\/span><\/li>\n<li aria-level=\"1\"><span style=\"font-weight: 400;\">Identify the activities behind your SoD Risk.<\/span><\/li>\n<li aria-level=\"1\"><span style=\"font-weight: 400;\">Assign activities to controls individually.<\/span><\/li>\n<li aria-level=\"1\"><span style=\"font-weight: 400;\">Don&#8217;t worry if you don&#8217;t have Mitigation Controls for all activities; once you map the controls to the SoD Risk, you will find out which of them have no Mitigation Control assigned.<\/span><\/li>\n<li aria-level=\"1\"><span style=\"font-weight: 400;\">Please prioritize Preventive Controls over Detection Controls: even if the implementation of a Preventive Control may have a higher cost, the effort to execute a Preventive Control is usually less than that of a Detection 
Control.<\/span><\/li>\n<\/ul>\n","protected":false},"author":6,"featured_media":5707,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[60,61,52],"tags":[165,151,164],"class_list":["post-6339","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sap-grc-en","category-sap-security-en-2","category-technical-article","tag-risk-management-en","tag-sap-grc-en","tag-sap-risk-matrix"],"acf":[],"yoast_head_json":{"title":"Mitigating Controls for Finance Risks (SAP Risk Matrix) - Inprosec","description":"During this article we are going to review the concepts for Business Process, Risk, Control and we are going to describe some best practices to define Mitigating Controls.\u00a0(SAP Risk Matrix)","canonical":"https:\/\/www.inprosec.com\/en\/mitigating-controls-for-finance-risks\/","og_site_name":"Inprosec","article_published_time":"2023-01-04T06:43:36+00:00","article_modified_time":"2025-07-07T09:09:14+00:00","author":"Fernando Mosquera"}}