When talking about Segregation of Duties, it is important to understand the risk areas within the application and understand what security roles compromise the access to those areas. When conflicts are identified, users’ access must be adjusted where possible to remove offending roles. When this is not possible due to resource constraints, mitigating controls must be put into place. These can be Log reviews, rotating personnel, reconciliations, etc. that occur to monitor the data and transactions for any potential fraud or misuse. Reports can be run to validate the data or transactions, or some review of audit records where applicable. Compensating controls can be preventative, detective, or monitoring controls that are executed by an independent supervisory-level employee. There MUST be an audit trail for each compensating control.