In addition to the operational process to identify conflicts, it is necessary to periodically review the underlying elements. This is mainly about the roles and the controls. A role review can take place on two levels.
- Assess whether the role only provides access to the necessary application components.
- Assess whether the employees are linked to the right role(s).
The first review is a role content review, which is conducted by a domain or process expert. This person can assess whether the correct application components are linked to the responsibilities associated with the role. Any deviations are reported and adjusted.
The second review is usually performed by the supervisor or manager, who determines whether his employees, given their respective responsibilities, are linked to the appropriate roles. The roles must of course be sufficiently described to provide this supervisor with the information necessary for this assessment.
When a role has been modified, the conflict scan must be run again before the modified role goes into use, to prevent new conflicts from being introduced through it. Once the role is in use, any conflict it carries is multiplied by the number of employees linked to the role, so a single defective role can introduce a large number of new conflicts at once.
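A conflict scan of a proposed role change, as an added illustration that is not part of the original text: the roles, application components, SoD rules and employee assignments below are constructed sample data, and the functions are hypothetical. It shows the two findings the scan should raise before the role goes live: conflicts inside the role itself, and the per-employee conflicts the change would create for every current holder of the role (the multiplier effect).

```python
# Constructed sample data: SoD rules (component pairs one person must not hold),
# roles mapped to application components, and employees mapped to roles.
CONFLICT_RULES = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"po.create", "po.approve"}),
}
ROLES = {
    "AP_CLERK": {"invoice.enter", "vendor.create"},
    "TREASURY": {"payment.release"},
    "BUYER": {"po.create"},
}
ASSIGNMENTS = {  # employee -> roles held
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK"},
    "carol": {"TREASURY"},
    "dave": {"BUYER"},
}


def granted_components(employee, roles, assignments):
    """Union of application components an employee receives through all assigned roles."""
    return set().union(*(roles[r] for r in assignments[employee]))


def conflicts_in(components):
    """SoD rules fully covered by a set of components (works for a role or an employee)."""
    return {rule for rule in CONFLICT_RULES if rule <= components}


def employee_conflicts(employee, roles=ROLES, assignments=ASSIGNMENTS):
    """Conflicts an employee has across all held roles (catches cross-role combinations)."""
    return conflicts_in(granted_components(employee, roles, assignments))


def scan_role_change(role, new_components, roles=ROLES, assignments=ASSIGNMENTS):
    """Re-scan a modified role before it goes live: conflicts inside the role itself,
    plus the new conflicts each current holder of the role would inherit from it."""
    proposed = {**roles, role: set(new_components)}
    new_per_employee = {}
    for emp, held in assignments.items():
        if role not in held:
            continue
        added = (employee_conflicts(emp, proposed, assignments)
                 - employee_conflicts(emp, roles, assignments))
        if added:
            new_per_employee[emp] = added
    return {
        "intra_role": conflicts_in(set(new_components)),
        "new_per_employee": new_per_employee,
        "new_conflict_count": sum(len(c) for c in new_per_employee.values()),
    }


if __name__ == "__main__":
    # Proposed change: AP_CLERK additionally gets payment.release.
    print(scan_role_change("AP_CLERK", {"invoice.enter", "vendor.create", "payment.release"}))
```

With the sample data the change creates one conflict inside AP_CLERK, which immediately becomes two employee-level conflicts because two employees hold the role.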
The mitigating controls must also be assessed periodically. This review checks whether each control is still effective and whether it is applied in the right situations. It may also be necessary to make a control more specific, for example by giving it a different scope: a particular control may have to be performed monthly for legal entity A, but only once per quarter for legal entity B.
By periodically reviewing the roles and controls, these elements that are important for conflict identification and mitigation remain up-to-date. This way the company optimizes its ‘control environment’.