How Pre-Built SAPÂ SoDÂ Rules Eliminate the Cold-Start Problem for Manufacturing Companies
For manufacturing companies running SAP, Segregation of Duties compliance sits at the intersection of two uncomfortable realities. The first is that SAP S/4HANA and ECC compliance obligations — under SOX, IFC, or COBIT-aligned frameworks — require demonstrable access controls that prevent any single individual from completing a financial transaction without independent oversight. The second is that building those controls from scratch, in a live SAP environment, takes longer than most audit calendars allow.Â
This is the cold-start problem. And it's why so many manufacturing SoD programs produce their first meaningful results the quarter after the audit that found the violations — rather than the quarter before.Â
Why SAP Access Control Violations Stay Hidden Without a Governance LayerÂ
A common misconception is that SAP's role-based authorization model handles SoD. It doesn't — not in the way compliance programs require.Â
SAP ECC's authorization framework controls what a user can do. It does not analyze whether the combination of things a user can do creates a conflict. Roles are assigned based on job function, and over time — through promotions, temporary access, emergency grants that are never revoked, and role copies during upgrades — users accumulate access combinations that individually are appropriate but together create genuine fraud exposure.Â
SAP access control violations of this kind are invisible to SAP itself. There is no native mechanism that flags a user who holds both vendor creation and payment approval access, or both journal entry posting and approval. Detecting these conflicts requires a dedicated governance layer that continuously analyzes role assignments against a structured library of conflict rules — mapped to specific T-codes and authorization objects — and produces output that auditors can use directly.Â
Building that library is where most programs get stuck.Â
The Real Cost of Building Segregation of Duties in SAP From ScratchÂ
A complete SAP SoD rule set for manufacturing needs to cover the modules where financial fraud risk actually lives: Financial Accounting, Materials Management, Sales and Distribution, Production Planning, Controlling, and Quality Management at minimum. For each module, the relevant transaction codes need to be identified, the conflicting combinations mapped, and each rule connected to a specific control objective — expressed in the language that internal and external auditors use when documenting findings.Â
Done properly, this is a 3–4 month exercise. It requires SAP module expertise — the technical knowledge of which T-codes and authorization objects govern which functions — and audit framework knowledge — the understanding of which control objectives map to SOX Section 404, PCAOB AS 2201, IFC under the Companies Act 2013, or COBIT 2019. Most internal teams have one of these capabilities. Few have both. Fewer still have the bandwidth to apply them simultaneously while managing a live SAP environment.Â
The result is predictable: the program starts, stalls during the rule-building phase, and the audit arrives before the first scan runs.Â
What Pre-Built Rules Actually ChangeÂ
The cold-start problem is not a capability problem — it's a time-to-value problem. Pre-built, audit-aligned SAP SoD rules for manufacturing solve it directly.Â
When a SoD rule set ships as a product capability — ready to load the moment the platform connects to SAP — the sequence changes entirely. Connection, rule set load, first violation scan: hours, not months. Every rule already maps to the relevant SAP T-codes and authorization objects. Every control objective is already expressed in audit language. The output of the first scan is formatted as evidence — not as an IT report that requires translation before a compliance team can use it.Â
For a manufacturing company with a SOX audit scheduled in the next two quarters, this distinction is the difference between being ready and not being ready.Â
Risk Levels That Match Audit PriorityÂ
Not all SoD conflicts carry equal weight — and a well-structured rule set reflects this. The most useful frameworks organize rules into risk tiers that map directly to how auditors prioritize their testing.Â
Critical rules represent conflicts that appear most often in actual audit findings: a user who can create a vendor master and execute the payment run (MFG-FI-001), a user who can post and approve their own journal entries (MFG-FI-003), or a user who can create a purchase order and confirm goods receipt (MFG-MM-002). These are the conflicts that become significant deficiencies or material weaknesses when auditors find them. They require remediation before the next audit cycle — not after.Â
High-risk rules cover conflicts with significant financial reporting exposure that are actively tested in most audit engagements. Medium-risk rules represent best practice controls — important for a mature compliance program and increasingly relevant as audit scope expands.Â
Organizing remediation effort around this tiering means compliance teams address the highest-exposure conflicts first, produce demonstrable progress quickly, and build toward a comprehensive program over subsequent cycles.Â
S/4HANA Compatibility and Migration ProtectionÂ
A concern that comes up consistently in manufacturing SAP environments is SAP S/4HANA compliance continuity during migration. Organizations mid-journey from ECC 6.0 to S/4HANA need assurance that their SoD program doesn't need to be rebuilt when the platform changes.Â
The answer lies in how SAP has handled the transition. SAP has preserved ECC transaction codes in S/4HANA for backwards compatibility, and the core authorization objects used in financial and logistics SoD rules — F_BKPF_BUK, M_BEST_BSA, V_VBAK_AAT — are unchanged across both platforms. Where S/4HANA introduces Fiori apps that replace specific T-codes, the equivalent Fiori app permissions and authorization objects can be mapped to the same underlying control. The compliance investment survives the migration as a configuration update, not a rebuild.Â
Extending Beyond SAPÂ
One limitation worth addressing directly: SOX ITGC controls in SAP don't exist in isolation. A financial controls auditor doesn't stop at the SAP boundary. Access governance across Microsoft 365, Salesforce, ServiceNow, and other connected systems is increasingly part of the same audit scope — and a SoD program that covers SAP but leaves everything else ungoverned produces an incomplete picture.Â
The most effective approach treats SAP SoD as the foundation and extends governance to the full IT landscape from the same platform. One access certification campaign. One audit report. SAP and every connected system covered together.Â
The Practical Path ForwardÂ
For manufacturing companies facing a real audit deadline, the practical question isn't whether to build a SoD program — it's how to get one operational before the next engagement begins.Â
OpenIAM's SoD Accelerator for SAP — Manufacturing Edition delivers 140 pre-built rules across nine SAP module groups, mapped to SOX, IFC, and COBIT control objectives, compatible with SAP ECC 6.0 and S/4HANA, and ready to run on day one. The first violation scan completes within hours of connection. No rule-building phase. No consultant engagement required to get to value.Â
The cold-start problem is solved before the audit calendar forces the issue.Â
Explore the full SAP SoD rule set for manufacturing →Â













