Faisal,
When you run the invalid mitigation report, it is checking for four areas. If a mitigation matches any of these points, it will be reported as an invalid mitigation.
1. Mitigations that are no longer valid (the valid-to date has been exceeded).
2. Users or roles that have been completely deleted but that still are in the mitigation table.
3. Users or roles that have two mitigations for the same user/role and risk combination. For example, user GIBBONJ has risk F001*. In the mitigated users table, you mitigate GIBBONJ for risk F001* with MIT1 and you also mitigate GIBBONJ for risk F001* with MIT2. MIT2 will show up on the invalid mitigating control table because, in RAR, having only one user-to-risk mitigation makes sense: only one mitigation (the first one) will show whenever you run the risk analysis report. So in this example, MIT2 never shows in reports, so it is in effect an invalid mitigating control.
4. Users or roles that no longer have the segregation of duties risks at PERMISSION level that are in the mitigation table. Basically, when the invalid mitigation report is run, an ad hoc risk analysis is run for the variables in the report to see what segregation of duties risks the user/role has. This is hardcoded to run at the permission level. If the user does not have the permission-level risk that is shown in the mitigation table, then that mitigation is reported as an invalid mitigation.
Please note that critical action and critical permission type risks are not included in the ad hoc analysis when the invalid mitigating controls report is run. What this means is that ALL mitigations assigned to critical action or critical permission risks will show up as invalid, which is not accurate.
To prevent this, when you run the report, please exclude any critical action or critical permission risks from the variables so that it only runs for valid segregation of duties risks.
Regards,
Alessandro
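The four checks and the critical-risk caveat described above, as an added Python illustration that is not SAP's code and not part of the original post. The user SMITHX, the risk ids P002* and CA01, the dates and the table contents are constructed sample data; only GIBBONJ, F001*, MIT1 and MIT2 come from the reply.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Mitigation:
    obj: str        # user or role in the mitigation table
    risk: str       # risk id, e.g. "F001*"
    control: str    # mitigating control id
    valid_to: date  # end of the validity period

# Constructed sample data standing in for the RAR tables.
TODAY = date(2010, 6, 1)
EXISTING = {"GIBBONJ", "ROLE_AP"}   # users/roles that still exist
# Result of the ad hoc permission-level analysis per user/role. Critical
# action/permission risks (constructed id "CA01") are never in this set.
PERMISSION_RISKS = {"GIBBONJ": {"F001*"}, "ROLE_AP": {"P002*"}}
CRITICAL_RISKS = {"CA01"}           # critical action/permission type risks
MITIGATIONS = [
    Mitigation("GIBBONJ", "F001*", "MIT1", date(2011, 1, 1)),
    Mitigation("GIBBONJ", "F001*", "MIT2", date(2011, 1, 1)),    # duplicate
    Mitigation("ROLE_AP", "P002*", "MIT3", date(2009, 12, 31)),  # expired
    Mitigation("SMITHX", "F001*", "MIT4", date(2011, 1, 1)),     # user deleted
    Mitigation("GIBBONJ", "CA01", "MIT5", date(2011, 1, 1)),     # critical risk
]

def invalid_mitigations(mitigations, today=TODAY):
    """Apply the four checks in order and return [(mitigation, reason)]."""
    invalid, seen = [], set()
    for m in mitigations:
        if m.valid_to < today:                                  # check 1
            invalid.append((m, "valid-to date exceeded"))
        elif m.obj not in EXISTING:                             # check 2
            invalid.append((m, "user/role deleted"))
        elif (m.obj, m.risk) in seen:                           # check 3
            invalid.append((m, "second mitigation for same user/role and risk"))
        elif m.risk not in PERMISSION_RISKS.get(m.obj, set()):  # check 4
            invalid.append((m, "risk not found at permission level"))
        seen.add((m.obj, m.risk))
    return invalid

def sod_only(mitigations):
    """Exclude critical action/permission risks from the report variables,
    so check 4 cannot falsely flag their mitigations."""
    return [m for m in mitigations if m.risk not in CRITICAL_RISKS]

if __name__ == "__main__":
    for m, why in invalid_mitigations(MITIGATIONS):
        print(m.obj, m.risk, m.control, "->", why)
```

Running it unfiltered flags MIT5 as invalid only because CA01 is absent from the permission-level analysis; passing `sod_only(MITIGATIONS)` instead leaves the three genuinely invalid entries.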