Background
The application has been extended to support additional processes, such as a Control Request process and Control Review process, next to the existing Control Testing Process.
General
The reference to Control Testing has been adjusted to refer to Control Cycles (which can now be of type Request, Review or Testing).
The Work Item executors capability has been extended: next to the existing Employees or Employee Groups, the assigned Owners of the various objects can now be selected.
The application will resolve and assign the executor, based on the object being routed in the Process Cycle.
Control Request - SoD Conflict Mitigation (new)
The Control Request (SoD Conflict Mitigation) is a Process in which a User can request Mitigation for one or more SoD Conflicts. The main process steps are expected to be the following:
- User Reviews Conflicts
- User Selects one or more Conflicts and Initiates the Process
- User selects the Template (Master Control) which is to mitigate the SoD Conflicts
- User enters detailed data for the Mitigation Request
- When saving the Conflict Mitigation Request
  - A Control is created as a derivative of the Master Control
  - A Control Schedule entry is created for the current date/time and the Process as configured on the Master Control is associated to this entry
- Mitigation Request is routed for Approval per the Process Configuration
- Upon Approval of the Mitigation Request
  - Control is Approved
  - Resolution Rule is created and linked to the Control
- Upon Decline of the Mitigation Request
  - Control is Canceled
Control Review (new)
The Control Review Process is a Process that, on a periodic basis, validates that the Control is still effective and applicable.
- System initiates the Review Process per the Control Configuration
- Control is routed through the Process
- Upon Decline / Not Effective conclusion of the Process
  - Control is expired
  - Associated Resolution Rule(s) is/are expired
Control Testing (existing)
The Control Testing Process is a Process that, on a periodic basis, executes the Control Activity and collects (where applicable) the evidence.
- System initiates the Testing Process per the Control Configuration
Notifications (enhanced)
These processes are supported by an enhanced notification framework. Default messages are available, and the recipients can now be configured per message instead of being predetermined.
Each message can also be linked to a process, which allows custom messages per process. These custom messages will be sent instead of the default messages. If no custom messages are defined, the default messages will be sent.
Master Data (Client)
Employees
In the Permissions tab, 2 permissions were added:
- Can request Conflict Resolution from My Components
If checked the selected Employee will be able to initiate a SoD Mitigation Request from the reports in the menu section My Components / My Conflicts / As Employee/SoD Owner/Rule Owner/Company Owner.
- Can request Conflict Resolution from All reports
If checked the selected Employee will be able to initiate a SoD Mitigation Request from all the conflict reports.
Employee Groups
A new attribute is added, Category. This attribute is used to identify one or more Employee Groups as belonging to the same Category. This attribute can be used in the SoD Conflict Resolution Request, to identify the Conflicts for all Employees of the Employee Group Category.
The ability to configure one or more owners for each Employee Group is added. These owners can be used to assign work items in the Process execution.
Via the contextual Menu (right click on a specific Employee Group Record) and the option View/Edit Relationships in the menu, the Owners can be Edited and Viewed.
In the Employee Group Grid itself, a column with the number of assigned owners is added.
Divisions
Added the ability to document which Companies are part of a Division. This information is maintained from the Companies Dialog, where the Division is an attribute of the Company. This attribute can be used in the SoD Conflict Resolution Request, to identify the Conflicts for all Employees of the Division (through the Company).
Added the ability to document one or more owners for a Division. Via the contextual Menu (right click on a specific Division Record) and the option View/Edit Relationships in the menu, the Owners can be Edited and Viewed.
Companies
A new attribute is added, Division. A Division groups a set of Companies.
Enterprise Risk Management (Client)
Business Controls
The existing Testing Tab is re-purposed to hold only those attributes that are used for the Control Testing Process. The Testing Process and Schedule are also added to this tab.
Testing Process: This indicates the Process which is to be used to test this Control.
Testing Schedule: This indicates the testing schedule. Testing Cycles are initiated based on this schedule. Existing functionality (the Testing Calendar, where pre-defined entries can be created) also remains fully functional.
The Control tab “Review” is added. In the Review Tab, similar to the Testing Tab, the Review Process for this Control and the Review Schedule can be defined. The purpose of the Review process is to validate that the Control is still effective.
The Control Tab “Notifications” is added. In the Notifications Tab, the events are indicated which should result in sending a notification.
If checked, a notification is sent for the indicated event. The message number is indicated between brackets:
- This Business Control Expires (001)
- A Cycle Starts (016)
- The Last Cycle Starts (034)
- A Cycle is skipped (032)
- A Cycle is Completed / Approved (047)
- A Cycle is Completed / Declined (040)
Processes
The menu option Business Control Testing Processes has been renamed to Processes.
Properties
In the Tab Properties, a new attribute is introduced, Process Type
A Process can be of the Type
- Business Control Testing (existing functionality)
- Business Control Review (new process type added)
- SoD Conflict Mitigation Request (new process type added)
Notification Settings
In the notification settings it is indicated at which Process event a message is to be sent. The message recipients are defined in the message itself (see Administration / Notifications). The Completion notification can now be Completed / Approved or Completed / Declined.

Events Messages:
Standard Notifications:
- Send Notification on Cycle Start (016)
- Send Notification when Cycle is Overdue (019)
- Send Notification on Completion / Approved (049)
- Send Notification on Completion / Declined (042)
- Send Notification on Cancellation (due to inactivity)
- Send Notification on Cancellation (by Executors) (020)
- Send Notification Progress (25%, 50% and 75%)(018)
FYI Notification
- Send FYI Notification when Cycle is Overdue
- Send FYI Notification on Completion / Approved (031)
- Send FYI Notification on Completion / Declined (031)
- Send FYI Notification on Cancellation (due to inactivity)
- Send FYI Notification on Cancellation (by Executors) (039)
- Send FYI Notification Progress (029)
Notification Messages
In Administration / Notifications the default notification messages are defined. In the context of the Process, these default messages can be adjusted. This enables the client to define process-specific messages to be sent at the defined moments.
Through the contextual menu (right click in the dialog), select the option Add. This will bring up the list of standard messages. A message can be selected and be associated to the Process.
When such a message is associated, the message content and recipients can be edited. If a message is directly associated with the process, that message will be sent at the indicated moment. If no message is directly associated for that event, the default message will be sent. For details on how to edit a message, please see Administration / Notifications.
Conflict Mitigation Request
For a Process of the Type “SoD Conflict Mitigation Request” an additional Tab is present to configure the required behavior of this process. The SoD Conflict Mitigation Request Process is used to request a control which will mitigate one or more conflicts. If the Request is approved, this will result in a Control and Resolution Rule, with the scope as requested.

Attributes
In the process configuration the Conflict Scope Attributes are to be selected which are to be used during the request process. The listing of the attributes references the attributes of the Conflicts for which the mitigating control is requested.
Display Sequence
The display Sequence determines in which sequence the selected attributes are presented during the request. (see also SoD Mitigation Request in the Portal)
Parameters
Allow/Display Urgent Cycles
This parameter controls if the requestor is allowed to set the Request Cycle to Urgent. If not checked, this attribute will not be visible in the Request Dialog.
Allow/Display Expiration Date
This parameter controls if the requestor is allowed to define an Expiration Date for the Control which is requested. If not checked this attribute will not be visible in the Request Dialog.
Allow/Display Schedule
This parameter controls if the requestor is allowed to define/edit the Testing and Review Schedule of the Requested Control. If not checked this attribute will not be visible in the Request Dialog.
Allow Conflicts Across Multiple
These parameters control whether the Request can be raised for more than one SoD Conflict. If not checked, the SoD Conflicts for which the request is raised should only have one value in the indicated attribute. This validation is done upon issuing the request. If the validation determines that the SoD Conflicts do not meet the defined configuration, the requestor will be notified and will need to adjust the selected conflicts to meet the requirements.
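The validation described above, sketched as an added example (not the product's own code). The attribute names `company`, `employee` and `conflict_rule` are assumptions, since the page does not list the attributes these parameters cover, and the conflict records are constructed sample data.

```python
# Added example: scope validation for an SoD Mitigation Request.
# Attribute names and conflict records are hypothetical, constructed for illustration.

MISSING = "<missing>"  # placeholder for a conflict that lacks the attribute


def validate_request_scope(conflicts, allow_multiple):
    """Return {attribute: distinct values} for every attribute whose
    'Allow Conflicts Across Multiple' parameter is unchecked but which has
    more than one value among the selected conflicts. Empty dict = valid."""
    violations = {}
    for attribute, allowed in allow_multiple.items():
        if allowed:
            continue
        values = {c.get(attribute, MISSING) for c in conflicts}
        if len(values) > 1:
            violations[attribute] = sorted(values)
    return violations


def split_into_valid_requests(conflicts, allow_multiple):
    """Group the selected conflicts so that each group has exactly one value
    in every restricted attribute, i.e. each group would pass validation."""
    restricted = [a for a, allowed in allow_multiple.items() if not allowed]
    groups = {}
    for c in conflicts:
        key = tuple(c.get(a, MISSING) for a in restricted)
        groups.setdefault(key, []).append(c["id"])
    return list(groups.values())


# Constructed sample selection and process configuration.
SELECTED = [
    {"id": "CF-1", "company": "C100", "employee": "erin", "conflict_rule": "SOD-01"},
    {"id": "CF-2", "company": "C100", "employee": "frank", "conflict_rule": "SOD-01"},
    {"id": "CF-3", "company": "C200", "employee": "erin", "conflict_rule": "SOD-01"},
]
CONFIG = {"company": False, "employee": True, "conflict_rule": False}

if __name__ == "__main__":
    problems = validate_request_scope(SELECTED, CONFIG)
    for attribute, values in problems.items():
        print(f"Request rejected: multiple values for {attribute}: {values}")
    print("Selections that would pass:", split_into_valid_requests(SELECTED, CONFIG))
```

Leaving a parameter unchecked keeps each approved Control and Resolution Rule scoped to a single value of that attribute, so one approval cannot silently cover conflicts in another Company or under another Conflict Rule.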
Process Activities
The Process Activities have been enhanced, so that Owners of various Objects can now also be configured as Executors.
Execution
In the Execution tab these “Owners” can be configured.
The Work Item executors capability has been extended: next to the existing Employees or Employee Groups, the assigned Owners of the following objects can be selected:
- Company Owner
The Owner(s) of the Company associated to the Control for which the Cycle is executed
(Cycle / Control / Company / Owner)
The Owners of the Companies of the Conflicts associated to this Control for which the cycle is executed
(Cycle / Control / Conflict / Company / Owner)
SoD Owner of the Employees of the Conflicts associated to this Control for which the Cycle is executed.
For process of Type Request
(Selected Conflicts / Conflict Employees / SoD Owner Employee)
For Process of Type Testing and Review
(Control / Resolution Rule / Conflicts in Scope of Resolution Rule/ Conflict Employees / SoD Owner Employee)
Control Owner(s) of the Control for which the Cycle is executed
(Cycle / Control / Owner)
Business Function Owner(s) of the Access Points of the Conflicts associated to this Control for which the Cycle is executed
(Cycle / Control / Conflict / Access Point / Business Function / Owner)
- Role
Role Owner(s) (per Company) of the Role(s) of the Conflicts associated to this Control for which the Cycle is executed
(Cycle / Control / Conflict / Role / Owner)
- Supervisor
Supervisor(s) of the Employees of the Conflicts associated to this Control for which the Cycle is executed
(Cycle / Control / Conflict / Employee / Supervisor)
Resolution Rule Owner(s) of the Resolution Rules which are associated to the Conflicts associated to this Control for which the Cycle is executed
(Cycle / Control / Conflict / Resolution Rule / Owner)
Authorization Employee Group or Employee Group??
Employee Group Owner of the Employee Group associated to the Employee of the Conflicts associated to this Control for which the Cycle is executed
(Cycle / Control / Conflict / Employee / Employee Group/Owner)
The Owner(s) of the Division associated to the Company associated to the Control for which the Cycle is executed
(Cycle / Control / Conflict / Company / Division / Owner)
The application will resolve and assign the executor, based on the object being routed in the Process Cycle
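How such an owner path resolves to concrete executors, as an added example (not the application's own code). The object graph, identifiers and function names are constructed for illustration; the paths are the ones listed above.

```python
# Added example: resolving Work Item executors by walking an owner path.
# GRAPH is constructed sample data, not the product's schema.
# Keys are (object type, id); values map a relationship name to related ids.
GRAPH = {
    ("Cycle", "CY-1"): {"Control": ["CTL-1"]},
    ("Control", "CTL-1"): {"Owner": ["alice"], "Company": ["C100"],
                           "Conflict": ["CF-1", "CF-2"]},
    ("Conflict", "CF-1"): {"Company": ["C100"], "Employee": ["erin"], "Role": ["R-AP"]},
    ("Conflict", "CF-2"): {"Company": ["C200"], "Employee": ["frank"], "Role": ["R-AP"]},
    ("Company", "C100"): {"Owner": ["bob"], "Division": ["EMEA"]},
    ("Company", "C200"): {"Owner": ["carol"], "Division": ["EMEA"]},
    ("Division", "EMEA"): {"Owner": ["dave"]},
    ("Employee", "erin"): {"Supervisor": ["bob"]},
    ("Employee", "frank"): {"Supervisor": []},   # no supervisor maintained
    ("Role", "R-AP"): {"Owner": []},             # no role owner maintained
}


def resolve_path(graph, cycle_id, path):
    """Walk one path such as 'Cycle / Control / Conflict / Company / Owner'
    and return the employees reached at its end, without duplicates."""
    steps = [s.strip() for s in path.split("/")]
    if len(steps) < 2 or steps[0] != "Cycle":
        raise ValueError(f"path must start at the Cycle: {path!r}")
    frontier = [("Cycle", cycle_id)]
    for step in steps[1:]:
        reached = [(step, target)
                   for node in frontier
                   for target in graph.get(node, {}).get(step, [])]
        frontier = list(dict.fromkeys(reached))  # de-duplicate, keep order
    return [ident for _, ident in frontier]


def assign_executors(graph, cycle_id, paths):
    """Combine the executors of all configured paths and report the paths
    that resolved to nobody, so an unassignable Work Item is noticed."""
    executors, unresolved = [], []
    for path in paths:
        found = resolve_path(graph, cycle_id, path)
        if not found:
            unresolved.append(path)
        executors.extend(found)
    return list(dict.fromkeys(executors)), unresolved


if __name__ == "__main__":
    configured = [
        "Cycle / Control / Conflict / Company / Owner",
        "Cycle / Control / Conflict / Employee / Supervisor",
        "Cycle / Control / Conflict / Role / Owner",
    ]
    people, gaps = assign_executors(GRAPH, "CY-1", configured)
    print("Executors:", people)
    print("Paths without an owner:", gaps)
```

Paths that run through the Conflicts fan out, so one Cycle can resolve to several owners, while a path whose owner data is not maintained resolves to no one; checking for that before a Process goes live avoids Work Items that nobody can act on.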
Additionally, some new permissions are added:
- Ability to Edit Details (new); This permission controls whether the executor is allowed to edit the Work Item – Mitigation Request Tab.
- Ability to Edit Schedule; This permission controls whether or not the Mitigation Request Schedule can be edited by the Executor, while in the Work Item.
- Ability to Control Code, Title and Description; This permission controls whether or not the Control Code, Title and Description can be edited by the Executor, while in the Work Item.
Processing
In the Tab Processing various new parameters are added, which could impact the behavior of the Cycles.

Activity is Auto-Completed unless Reverted Back to
If checked, the Work Item will be auto-completed and the next work item(s) will be initiated. If this work item is reverted back to, it will not be auto-completed and will behave like a normal work item.
Cycle Can be Canceled from this Work Item
If checked, the “cancel” option is activated (and visible) on the work item. Using the Cancel option in the Work Item will result in the cancelation of the Cycle.
Complete & Decline will Complete Cycle
If checked, and the Executor completes with Decline/Ineffective/Fail, then this will complete the Cycle and any Activities that have not resulted in a Work Item will be skipped.
Show Conclusion Tab
If checked, the Conclusion Tab is available to the Executor. If not checked, this tab is not visible.
Conclusion Information must be filled
If Conclusion Tab is checked, this parameter controls if the Conclusion information is to be filled. If checked and the Conclusion information is not filled, the Executor cannot complete the Work Item.
Processes and Activities
The menu option Business Control Testing Processes and Activities has been renamed to Processes and Activities.
Business Control Schedule
The menu option Business Control Testing Schedule has been renamed to Business Control Schedule.
Business Control Cycles
The menu option Business Control Testing Cycles has been renamed to Business Control Cycles.
Cycle Work Items (via Contextual menu). From the Work Item select the Actions. The actions will be displayed in the context of the process:
| Request | Testing | Review |
|---|---|---|
| Approve | Pass | Effective |
| Decline | Fail | Ineffective |
| Escalate | Escalate | Escalate |
| Revert | Revert | Revert |
| Cancel | Cancel | Cancel |
Business Control Request (SoD)
This dialog lists the SoD Mitigation Requests which have been raised through the Web Portal.
Dialog Attributes:
- Control; Control Code of the Requested Control.
- Title; Title of the Requested Control
- Description; Description of the Requested Control
- Urgent; If the Request Cycle is set to Urgent
- Status; Status of the Business Control Request. Status can be:
  - In Progress; request is still in progress
  - Completed; request has been approved and is completed
  - Cancelled; Request is either Canceled or Declined
- Created On; Date the request was raised
- Expiration Date; Expiration date of the Control, if defined
- Master Business Control; The Master Business Control from which the requested control was derived.
- Created by; Employee who raised the request.
Contextual Menu
Delete
Will delete the request. Only Canceled and Completed Requests can be deleted. To delete an ongoing request, first the Request Cycle is to be canceled (or completed) after which the Request can be deleted.
View/Edit Relationships / View Associated SoD Conflicts
Shows the SoD Conflicts which, per the scope of the request, will be mitigated by this requested Control.
Master Business Controls
Definition
This dialog is used to create/maintain Master Business Controls. These are used to create "Normal" Business Controls using the Create Business Controls from Organization Units AND are the basis for the SoD Conflict Mitigation Request. When a user initiates a SoD Mitigation Request, the user is to select the Master Control as a Template from which the Requested Control is to be derived.

Properties
Expired – If expired, this Master Control can no longer be selected as the basis for requesting an SoD Mitigation Control.
The attributes
- Type
- Division
- Department
- Segment
are added to the Master Control. If a Control is created with a Master Control as Template, these attributes are carried forward to the Control.
Execution
The default values for the Control Testing Process and Schedule and the Control Review Process and Schedule are defined. The Requested Control which will be derived from the Master Control will have these values populated.
Notifications
The default values for the Control Notifications are defined here. (See Control Notification for a detailed description of the attributes.)
View Events History
Shows a log of all the changes done to the Master Control
Administration (Client)
Custom Labels
The following menu options
- EZ-Compliance Custom Labels
- EZ-Publisher Custom Labels
- Access Point Custom Labels
are merged into one new option, Custom Labels. This option / dialog now has 4 tabs:
- Global (old EZ-Compliance Custom Labels)
- Business Control Testing (new)
- Access Points (old Access Points Custom Labels)
- EZ-Publisher (old EZ-Publisher Custom Labels)
Global
Added custom label for the Division Owner and Division Substitute
Business Control Testing
This dialog shows the labels which are used for the various Process Types in the Work Item Actions. These can be adjusted by the Client.

Notifications
Custom Texts has been changed to Notifications
There are 4 categories of notifications:
- Activity/Work Items
- Business Control
- Periodic Employee Access Review
- Process/Cycle
The default notifications are listed here and can be adjusted here, if required.
For each notification of the following types, the Recipients, Subject and Body text can be edited:
- Activity/Work Items
- Business Control
- Process/Cycle
For notifications of type Periodic Employee Access Review, only the Subject and Body text can be edited.

For the recipients the following options are available:
- Employees; specific employees
- Control Owner; Owner of the Control for which the Cycle is executed
- Control Owner Supervisor; Supervisor of the Owner of the Control for which the Cycle is executed
- Process Owner; Owner of the Process
- Process Owner Supervisor; Supervisor of the Owner of the Process
- Process Manager; Manager of the Process
- Process Manager Supervisor; Supervisor of the Manager of the Process
- FYI Process; List of Employees or Members of the Employee Group as defined in the FYI notification section of the Process
- Work Item Executor; Assigned Executor to the Work Item
- Work Item Executor Supervisor; Supervisor of the Assigned Executor to the Work Item
- FYI Work Item; List of Employees or Members of the Employee Group as defined in the FYI notification section of the Process Activity
- Company Owner; Owner of the Company associated to the Control
- Company Owner Supervisor; Supervisor of the Owner of the Company associated to the Control
- Employee Group; as specified
- Cycle Executors; every employee who did work on any of the work items of the cycle.
- Division Owner; Owner of the Division to which the Company associated to the Control belongs
Enterprise Risk Management - Web Portal
Business Control Management
In the menu option Business Control Management, the menu items have been renamed and the reference to Testing has been removed.

Business Control Report
Control Status
The Control Status “In Testing” has been changed to “Active Cycles Ongoing”, reflecting the situation that Cycles of type Request, Testing and/or Review can be ongoing.
The Status “Canceled” has been added, reflecting the situation that a Control has been Requested via the SoD Mitigation Request, but the request was Canceled.
Business Control Schedule
Column with Process Type is added to the report. The following types are available
- Request
- Testing
- Review
Column with the Last Work Item is added
Indicates the last action of the last work item that is registered, providing insight if the cycle was approved/passed or declined/failed.
Segregation of Duties Mgmt (SoD) - Web Portal
SoD Conflict Report
Conflict Mitigation Status
A new column, Mitigation, is added to the report
This column shows the Control Mitigation status of the Conflict
- Unmitigated; no control is associated to the conflict
- Requested; mitigating control is requested for this conflict
- In Testing; control(s) are associated to the conflict, active testing cycle(s) are ongoing
- In Review ; control(s) are associated to the conflict, active review cycle(s) are ongoing
- In Review and Testing; control(s) are associated to the conflict, active testing and review cycles are ongoing
- Mitigated; active control(s) are associated to the conflict
In the contextual menu, 2 new options have been added:

View associated Business Control - This report shows the Associated Control(s) to this SoD Conflict
View related Business Control Requests (SoD) - This report shows the Requested Control(s) for this Conflict.
A new button has been added to the bottom of the report, “Request Conflict Resolution”. This button is only available if the user has been granted the permission in the Employee Permissions. After selecting one or more conflicts, this button can be clicked to request a mitigation for the selected conflicts. This will bring up a dialog, where initially the Master Control (Template) is to be selected from which the Mitigating Control is being derived.

After selecting the Master Control, the form is further populated, based on the Master Control Configuration.

Control Title – Default populated with the Title of the selected Master Control. If permissions allow the Control Title can be edited.
Description – Default populated with the Description of the selected Master Control. If permissions allow the Description can be edited.
Attributes 1/2 – Based on these attributes the scope of the Mitigating Control can be configured. Only those attributes are shown in the order as configured on the Request Process.
Preview Conflicts – This button will result in a report with the conflicts in scope, per the configured conflict scope in the attributes.
Urgent – Yes/No; If permissions allow the requestor can set the request to Urgent.
Conflict Resolution Status – The status which is assigned to the conflicts after the Request has been approved and the Resolution Scan has been executed.
Comment – Additional Comment which can be entered by the Requestor. The comment is shown in the Work Item – Mitigation Request Tab.
Expiration Date – If permissions allow, the requestor can indicate an Expiration Date for the Requested Control.
Schedule – This button will bring up a pop-up dialog in which the Testing and Review Schedule can be edited or defined. By default this will show the Testing and Review schedule as configured on the Master Control.

Resolution Link – This button will bring up a pop-up dialog in which a URL or document can be linked to the requested control.
SoD Mitigation Request (new)
A new menu option is added, showing the initiated SoD Mitigation Requests.
An SoD Mitigation Request can also be initiated from this menu option, without selecting any conflicts. As when conflicts are selected, first a Master Control (Template) is to be selected, after which the entry form is populated based on the configuration of the Request Process as configured on the Master Control.
The processing is similar to that described for clicking the Request Conflict Resolution button in the Conflicts Report.
My Components (Web Portal)
My Business Controls
My Business Controls as Company Owner
A new report is added, showing the Controls that are associated to the Company(ies) for which the user is the Company Owner. This report has the same contextual menu options as the Controls report.
My Work Items
In the Work Item tab, in the section Business Control, related information can now be viewed. Clicking on one of these sections will expand it and show the related information.

Expected Completion Date
The completion date has been renamed to Expected Completion Date, given that the date is calculated based on the norm times.
The Complete Action Button at the bottom of the dialog has been split into two buttons, Complete / Positive and Complete / Negative. The Labels shown in the Buttons can be configured per Process type in the Custom Labels section in the Environment Settings.
Event Log
Cycle History Tab has been renamed Event Log
Control Cycles Tab
A new Tab has been added to the Work Item Dialog, Control Cycles.
My Conflicts as Company Owner (Consolidated)
This report shows the Controls for which I am the Company owner. The report shows the data consolidated per Company / Conflict Rule.
Attributes
- Company Code
- Company Description
- SoD Conflict Rule Code
- SoD Conflict Rule Description
- Number of Conflicts (open); Shows the number of Conflicts for the Company / SoD Conflict Rule combination that are not mitigated and for which no mitigation request is in progress.
- Number of Conflicts (requested); Shows the number of Conflicts for the Company / SoD Conflict Rule combination for which a mitigation request is in progress and which are not closed.
- Number of Conflicts (closed); Shows the number of Conflicts for the Company / SoD Conflict Rule combination that are mitigated by a control.
- View Conflicts – open; Shows the detailed conflicts that are open
- View Conflicts – resolution requested; Show the detailed conflicts for which a mitigation is requested
- View Conflicts – closed; Shows the detailed conflicts that are mitigated.
- View Company Information; Shows the detailed company information
- View SoD Conflict Rule Information; Shows the detailed SoD Conflicts Rule information
Object Statuses
In the attached / below matrix, the statuses of the various objects are shown, based on the particular events that are executed.