45 pre-built SAP SoD rules for manufacturing — ready on day one.

Built for SAP ECC 6.0 and S/4HANA. Mapped to SOX, IFC, and COBIT control objectives. Covering FI, MM, SD, PP, CO, and QM — the six modules auditors test in manufacturing environments. No consultant required. No rule-building phase.

Mid-size and large manufacturing and distribution companies operate complex SAP ECC environments spanning procurement, sales, production, service operations, and financial management. In regulated industries — whether under SOX, IFC under the Companies Act 2013, or COBIT-aligned frameworks — the requirement is consistent across jurisdictions: management must demonstrate that access controls in SAP prevent any single individual from executing a complete financial transaction without independent authorization. That is the core principle of Segregation of Duties in SAP.

The challenge most organizations face when implementing SoD controls in SAP is the cold-start problem: they know they need SoD rules, but mapping the relevant SAP transaction codes, identifying which role combinations create genuine fraud risk, and connecting each rule to a specific control objective is a months-long exercise that requires deep SAP and audit expertise working in combination. 

The OpenIAM SoD Accelerator for SAP eliminates this cold-start entirely. Organizations receive a pre-built library of 45 SoD rules across six SAP modules — Financial Accounting, Sales & Distribution, Materials Management, Production Planning, Controlling, and Quality Management — ready to load into OpenIAM on day one. Each rule reflects the operational reality of manufacturing and distribution businesses and maps directly to the control objectives that internal and external auditors test. This is the Manufacturing Edition — focused on the six core operational modules. Separate rule sets are available for SAP Basis, HR/Payroll, and Plant Maintenance. 

Capability detail

Total rules in this edition: 45 rules across 6 SAP ECC modules — Manufacturing Edition
Critical risk rules: 15 rules — the role conflicts that appear most often in audit findings
High risk rules: 20 rules — significant financial reporting risk, actively tested in audit
Medium risk rules: 10 rules — best practice controls, important for a mature compliance program
SAP ECC version support: SAP ECC 6.0 — all transaction codes and authorization objects validated for ECC 6.0
S/4HANA compatibility: Yes — the rule set is compatible with SAP S/4HANA. See the S/4HANA compatibility section below for detail.
Time to first violation scan: Hours from connection — no consultant engagement, no rule-building phase required
Regulatory framework alignment: SOX Section 404 / PCAOB AS 2201 (US) · IFC under Companies Act 2013 / ICAI (India) · COBIT 2019 / DORA Article 9 (EU)
Other module rule sets: Three extension modules are available — each loads into OpenIAM alongside this Core Edition and runs in the same scan:
  • Basis Extension (30 rules) — user and role administration, transport management, security audit log, system configuration, and background processing.
  • HR/Payroll Extension (35 rules) — personnel administration, payroll processing, time management, organizational management, and cross-module HR/Finance conflicts. Includes ghost employee and payroll bank redirection controls.
  • Plant Maintenance Extension (30 rules) — work orders, equipment master data, maintenance planning, customer service, and PM/Finance conflicts. Covers both financial fraud risk and quality/compliance risk for OEM-certified environments.

Why SoD rules matter for manufacturing companies in regulated industries

SOX, IFC, and COBIT: the regulatory context

Manufacturing and distribution companies in regulated industries face the same core obligation regardless of jurisdiction: management must demonstrate that access controls in SAP prevent any single individual from executing a complete financial transaction without independent oversight. Under SOX Section 404 and PCAOB AS 2201, this is a tested ITGC control. Under the Companies Act 2013 and ICAI auditing standards, it is a mandatory IFC assessment. Under COBIT 2019 and DORA Article 9, it is an ICT access control requirement. The rule set maps to all three — the same 45 rules, the same T-codes, the same control objectives, applicable across jurisdictions. 

Auditors — whether from a Big 4 firm, a PCAOB-registered practice, or a leading regional firm — test SAP access controls as part of their assessment. SoD violations found during the audit become reportable deficiencies. Material weaknesses affect financial statements and the auditor's opinion.

The SAP access control challenge

SAP ECC's role-based authorization model is powerful but does not natively prevent SoD violations. Roles are assigned based on job function, and over time — through promotions, temporary access grants, and emergency access that is never revoked — users accumulate role assignments that individually are appropriate but in combination create dangerous conflicts. 

In a manufacturing and distribution context, the most common SoD risks arise in three areas: 

  • Procure-to-pay: a user who can create a vendor in SAP and also approve the payment run creates an opportunity to introduce a fictitious supplier and approve payment to that supplier without any independent check.
  • Order-to-cash: a user who can create a customer order and also issue a credit memo can manipulate revenue by issuing unauthorized credits to customers or related parties.
  • Financial reporting: a user who can both post and approve journal entries, or who can maintain general ledger master data and post transactions to it, can manipulate the company's financial statements without detection.

The cost of a missed SoD violation

An SoD violation found by an auditor is not merely a compliance finding — it requires remediation evidence, a management response in the audit report, and potential re-testing in subsequent audit cycles. For a group company of the profile described above, an IFC deficiency finding can have implications across the group's consolidated financial reporting. Identifying and remediating violations before the auditor finds them — using OpenIAM's pre-built rule set — is significantly less costly than responding to an audit finding after the fact.

The Rule Set Framework

Every rule in the OpenIAM SoD Accelerator is built to the same seven-field standard. This consistency means that the output of every violation scan is formatted as audit evidence — not an IT report that needs to be translated before an auditor can use it.

Rule field: purpose and content

Rule ID: A unique identifier following the convention [VERTICAL]-[MODULE]-[NNN] — e.g. MFG-FI-001, MFG-MM-001. The ID is the permanent reference used in remediation documentation and audit workpapers.
Rule name: Plain language description of the role conflict — e.g. "Create vendor master + Execute payment run". Written so a finance or audit professional can understand the risk without SAP technical knowledge.
Conflict detail: The specific SAP transaction codes (T-codes) on each side of the conflict, with the full SAP transaction name. This is the technical definition that OpenIAM uses to detect the conflict in the live SAP environment.
Risk level: Critical, High, or Medium. Critical rules map to conflicts that have appeared in actual audit findings at peer organizations. High rules represent significant financial reporting risk. Medium rules represent best practice controls.
Control objective: The financial control statement that this rule enforces — expressed in the language auditors use when documenting findings. Mapped to SOX ITGC, IFC, and COBIT frameworks. This is the evidence that management has addressed the control requirement that auditors test.
Fraud scenario: Plain language description of what could actually happen if this conflict exists and is exploited. Written for CFOs, audit committees, and non-technical stakeholders — not just SAP technical teams.
Remediation guidance: The recommended action when a violation is detected: the preferred role split approach, and the compensating control that can be applied where a role split is not operationally feasible.

Risk level definitions

Critical

A role conflict that could result in financial fraud or a material misstatement. These are the first conflicts IFC auditors test and will be reported as significant deficiencies or material weaknesses if found without compensating controls.

All 15 Critical rules must be addressed before the next audit cycle.

High

A role conflict that creates significant financial reporting risk. These are actively tested in IFC audits. Unmitigated High-level violations are typically reported as control deficiencies requiring management response.

Medium

A role conflict that represents best practice SoD control. Medium-level rules may not be tested in every audit cycle but are important for the organization's long-term compliance posture and for demonstrating a comprehensive approach to access governance.


For an explanation of why SAP doesn't natively prevent SoD conflicts and how the cold-start problem affects most programs before they begin, see how SAP SoD enforcement works.

SAP Module Coverage

The Manufacturing Edition rule set covers the six SAP ECC modules that matter most for manufacturing and distribution operations. It is one of several purpose-built OpenIAM SoD rule sets — each focused on a specific functional domain. This edition covers Financial Accounting, Sales & Distribution, Materials Management, Production Planning, Controlling, and Quality Management. The module coverage reflects the business processes where SoD violations most commonly arise and where auditors focus their testing in manufacturing environments.

Rule set scope — what this edition covers and what it does not

This is the Manufacturing Edition — purpose-built for the six SAP modules that auditors focus on in manufacturing and distribution environments.

Rule set and coverage

Manufacturing Edition (45 rules, this edition)
FI (Financial Accounting) • MM (Materials Management) • SD (Sales & Distribution) • PP (Production Planning) • CO (Controlling) • QM (Quality Management). The six modules auditors focus on in manufacturing and distribution environments.

SAP Basis Extension (30 rules)
User & role administration, transport management, security audit log, system configuration, and background processing. The highest-risk module in any SAP environment: Basis conflicts can bypass every other SoD control in the system.

HR/Payroll Extension (35 rules)
Personnel administration, payroll processing, time management, organisational management, and cross-module HR/Finance conflicts — including the ghost employee and payroll bank redirection patterns most SoD programmes miss.

Plant Maintenance Extension (30 rules)
Work orders, equipment master data, maintenance planning, customer service, and PM/Finance cross-module conflicts. Covers financial fraud risk and quality/compliance risk for OEM-certified and safety-regulated environments.

All three extensions activate in OpenIAM alongside this Core Edition and run in a single unified scan.

When comparing SoD rule set coverage across vendors, ensure the comparison is module-for-module. A vendor quoting 200+ rules across all SAP modules combined is not comparable to this edition. OpenIAM provides dedicated rule sets for Basis, HR/Payroll, and Plant Maintenance — each with the same depth and audit alignment as this edition.


If SAP SuccessFactors is your HR system of record, see how OpenIAM turns SuccessFactors HR events into automated access governance across SAP and every connected system: SuccessFactors Identity Governance.

FI (Financial Accounting): 10 rules
General ledger, accounts payable, accounts receivable, and payment processing. The highest-scrutiny module in every IFC audit.

PP (Production Planning): 7 rules
Production orders, bill of materials, and goods confirmation. Covers production cost reporting and work-in-progress valuation.

MM (Materials Management): 10 rules
Procurement, goods receipt, inventory management, and invoice verification. Covers the procure-to-pay cycle.

CO (Controlling): 6 rules
Cost center management, internal orders, and profitability analysis. Protects management accounting integrity.

SD (Sales & Distribution): 8 rules
Customer orders, pricing, billing, and credit management. Covers the order-to-cash cycle.

QM (Quality Management): 4 rules
Inspection lots and usage decisions. Protects quality certifications, inspection records, and product release decisions.


BC (Basis & System Administration) extension: 30 rules
Technical infrastructure and access administration — the highest-risk module in any SAP environment. User & role administration, transport management, security audit log, system configuration, and background processing.

HR (HR / Payroll) extension: 35 rules
Personnel data, payroll processing, and time management — including ghost employee and payroll bank redirection controls. Personnel administration, payroll processing, organisational management, and cross-module HR/Finance conflicts.

PM (Plant Maintenance) extension: 30 rules
Work orders, equipment records, and maintenance planning — financial and quality/compliance risk for asset-intensive operations. Covers OEM-certified and safety-regulated environments and PM/Finance cross-module conflicts.


Rule count by module and risk level

Module Module name Risk level Rules Key process area
FI Financial Accounting Critical 6 Payment processing, GL integrity
FI Financial Accounting High 3 AP and AR management
FI Financial Accounting Medium 1 Bank master data
MM Materials Management Critical 4 Procure-to-pay cycle
MM Materials Management High 4 Goods receipt, invoice verification
MM Materials Management Medium 2 Inventory adjustments
SD Sales & Distribution Critical 3 Order-to-cash cycle
SD Sales & Distribution High 3 Customer master, pricing
SD Sales & Distribution Medium 2 Returns and credits
PP Production Planning Critical 2 Production order integrity
PP Production Planning High 3 BOM and routing management
PP Production Planning Medium 2 Goods confirmation
CO Controlling High 4 Cost center and internal orders
CO Controlling Medium 2 Profitability analysis
QM Quality Management High 3 Inspection and usage decisions
QM Quality Management Medium 1 Quality notifications
Total: 45 rules (15 Critical / 20 High / 10 Medium)

The 15 Critical Rules - Full Detail

The following 15 rules represent the highest-priority SoD controls for SAP ECC and S/4HANA manufacturing environments. Each rule is presented with its complete technical definition and the specific business risk it addresses. These rules are the primary focus of the first OpenIAM violation scan and should be remediated before the next audit cycle.

Financial Accounting (FI) — 6 Critical Rules

MFG-FI-001: Create vendor master + Execute payment run

Conflict

A user with access to both create or modify vendor master records and execute the automatic payment run can introduce a fictitious or modified vendor and approve payment to that vendor without any independent authorization.

T-codes

FK01 / FK02 + F110

Auth objects

F_LFA1_BUK + F_LFA1_GRP + F_BKPF_BUK (payment run)

Control objective

SOX ITGC AC-3 / IFC Control AC-3 / COBIT DSS06.03: No individual should be able to both create the payee and authorize the payment.

Fraud scenario

A member of the accounts payable team who can add vendors to the system and run the payment programme can create a bank account in their own name or a related party's name as a new supplier, add it to SAP, and approve payment without any other person being involved. This is the most common procurement fraud pattern in SAP environments globally — it can run undetected for months or years and a single exploited instance can result in a material financial loss.

Business risk

Manufacturing companies process significant supplier payment volumes. A user with this conflict could create a fictitious vendor and divert payments. This is the most common procurement fraud vector in SAP environments and the first conflict tested by auditors.

Recommended remediation

Split roles: remove F110 access from users who have FK01/FK02. Compensating control: mandatory dual approval on all payment runs with documented second-person review retained as audit evidence.

MFG-FI-002: Post vendor invoice + Approve payment

Conflict

A user who can both post vendor invoices and approve manual vendor payments can create an invoice for a fictitious or inflated amount and approve its payment without independent review.

T-codes

FB60 / MIRO + F-53 / F-58

Auth objects

F_BKPF_BUK (posting + payment activity)

Control objective

SOX ITGC AC-3 / IFC Control AC-3 / COBIT DSS06.03: Invoice posting and payment approval must be performed by different individuals.

Fraud scenario

A user who can post a vendor invoice for any amount and then approve the resulting payment can create an invoice for a fictitious or inflated amount and pay it without independent review. In accounts payable teams that process hundreds of invoices per month, a systematic pattern of small inflations is very difficult to detect without independent approval at the payment stage.

Business risk

AP teams process invoices from hundreds of suppliers. Combining invoice posting with payment approval creates direct fraud exposure and is routinely flagged in financial controls assessments.

Recommended remediation

Split roles: separate invoice posting from payment approval. Compensating control: automated three-way match enforcement and monthly independent review of payment postings.

MFG-FI-003: Post journal entry + Approve journal entry

Conflict

A user who can both create and approve their own journal entries can manipulate financial statement balances without any independent review.

T-codes

FB50 / FB01 + FBS1 / FB08

Auth objects

F_BKPF_BUK + F_BKPF_KOA (create + approve)

Control objective

SOX ITGC AC-4 / IFC Control AC-4 / COBIT DSS06.03: Journal entry creation and approval must be performed by different individuals.

Fraud scenario

A finance team member who can post and approve their own journal entries can adjust any financial statement balance — revenue, expenses, liabilities, provisions — without a second person reviewing the entry. Month-end close processes involve hundreds of manual entries; a systematic pattern of small adjustments across many entries can cumulatively represent a material misstatement.

Business risk

Month-end close involves significant journal entry volumes for accruals, provisions, and inter-company adjustments. A single user posting and approving their own entries creates direct financial statement manipulation risk — a material weakness if found by auditors.

Recommended remediation

Split roles: implement a formal journal entry approval workflow where preparer and approver are always different individuals. Compensating control: monthly management review of all manually posted entries above a defined materiality threshold.

MFG-FI-004: Maintain GL account master + Post to GL account

Conflict

A user who can both maintain general ledger account master data and post transactions to those accounts can create fictitious GL accounts, route transactions through them, and mask financial misstatements.

T-codes

FS00 / FSP0 + FB50 / FB01

Auth objects

F_SKA1_BUK (maintain) + F_BKPF_BUK (post)

Control objective

SOX ITGC AC-4 / IFC Control AC-4 / COBIT DSS06.03: GL master data maintenance and transaction posting must be performed by different individuals.

Fraud scenario

A user who can create new GL accounts and post transactions to them can route transactions through newly created accounts — accounts that may not be included in standard management reports or audit testing — concealing the nature of those transactions from the normal review process. For group companies, this can affect consolidated reporting at the parent level.

Business risk

For group companies, the integrity of the chart of accounts is critical for consolidated reporting. Combining master data access with posting access could allow manipulation of account categorizations affecting segment reporting and group consolidation.

Recommended remediation

Split roles: restrict GL master data maintenance to finance administration roles with no posting access. Compensating control: independent quarterly review of all GL master data changes.

MFG-FI-005: Create customer master + Process billing

Conflict

A user who can create or modify customer master records and also process billing can create a fictitious customer, generate an inflated invoice, and record revenue that does not represent a genuine transaction.

T-codes

FD01 / FD02 + VF01 / VF04

Auth objects

F_KNA1_BUK (create/change) + V_VBRK_FKA (create)

Control objective

SOX ITGC AC-6 / IFC Control AC-6 / COBIT DSS06.03: Customer master management and revenue recognition must be performed by different individuals.

Fraud scenario

A user who can create customer records and generate billing against them can add a fictitious customer to the system, raise an invoice, and book revenue — inflating sales figures without any underlying transaction. This is a revenue recognition fraud risk relevant to companies with growth targets or earnings-based incentive structures.

Business risk

Revenue spans product sales, rental, spare parts, and services. Creating fictitious customer records and billing against them is a known revenue manipulation vector.

Recommended remediation

Split roles: restrict customer master creation to a master data team separate from billing. Compensating control: independent approval workflow for new customer creation with supporting documentation requirements.

MFG-FI-006: Maintain bank master data + Initiate bank transfer

Conflict

A user who can maintain bank account master data and also initiate bank transfers can redirect payment to a personal or fraudulent bank account and approve the transfer without independent review.

T-codes

FI12 / FB70 + F-53 / FBZP

Auth objects

F_BVTYP (maintain) + F_BKPF_BUK (payment initiation)

Control objective

SOX ITGC AC-3 / IFC Control AC-3 / COBIT DSS06.03: No individual should be able to both change bank account details and execute payments.

Fraud scenario

Bank redirection fraud — modifying the bank account of a vendor and then approving payment to the new account — is one of the most financially damaging fraud patterns in SAP globally. A single exploited instance can result in a material, unrecoverable loss. The combination of bank master maintenance and payment execution means one person can complete the entire fraud cycle without independent oversight at any step.

Business risk

Bank redirection fraud is one of the most financially damaging fraud vectors in SAP environments globally. A single exploited instance could result in a material loss.

Recommended remediation

Split roles: bank master data maintenance restricted to treasury roles with no payment execution access. Compensating control: mandatory dual approval for any bank master data change, with an automated alert to the CFO or finance controller.

Materials Management (MM) — 4 Critical Rules

MFG-MM-001: Create purchase order + Approve purchase order

Conflict

A user who can both create and approve their own purchase orders can commit company funds to unauthorized purchases without independent authorization.

T-codes

ME21N + ME28 / ME29N

Auth objects

M_BEST_BSA (create) + M_BEST_WFB (release)

Control objective

SOX ITGC AC-5 / IFC Control AC-5 / COBIT DSS06.03: Purchase order creation and approval must be performed by different individuals.

Fraud scenario

A buyer who can create and release their own purchase orders can commit company funds to any procurement without independent review — ordering anything at any price from any supplier without a second person confirming the purchase is necessary and appropriately priced. In manufacturing environments with high procurement volumes, this creates exposure to both fraud and procurement inefficiency that compounds with every unreviewed order.

Business risk

Manufacturing companies procure significant volumes of raw materials, equipment, and services. A user who can create and release their own purchase orders can commit the organization to unauthorized procurement.

Recommended remediation

Split roles: implement a formal PO approval hierarchy where the requisitioner cannot also be the release approver. OpenIAM enforces this at the provisioning level.

MFG-MM-002: Create purchase order + Post goods receipt

Conflict

A user who can both raise a purchase order and confirm its receipt can fictitiously procure goods, confirm receipt, and trigger payment — completing the entire procure-to-pay cycle without independent verification.

T-codes

ME21N + MIGO (GR type 101)

Auth objects

M_BEST_BSA (create) + M_MSEG_BWA (GR activity)

Control objective

SOX ITGC AC-5 / IFC Control AC-5 / COBIT DSS06.03: Order, receipt, and invoice must be performed by different individuals to prevent fictitious procurement.

Fraud scenario

The three-way match is the primary control over procurement payments. A user who can create the order and confirm its receipt has completed two of the three legs independently. This pattern supports fictitious procurement: order goods that never arrive, confirm receipt, and approve payment. In remote or distributed operations where the same team raises orders and processes goods receipts, this conflict is extremely common and difficult to detect.

Business risk

For spare parts and consumables at remote locations with limited staffing, combining order creation and GR posting creates significant fictitious procurement risk. Auditors routinely test this conflict.

Recommended remediation

Split roles: PO creators must not have GR posting access. Compensating control: GR postings above a defined value threshold require supervisory review before payment release.

MFG-MM-003: Create vendor master + Create purchase order

Conflict

A user who can create vendor master records and also raise purchase orders can introduce a fictitious or related-party vendor and direct procurement spend without independent verification.

T-codes

FK01 / MK01 + ME21N

Auth objects

F_LFA1_BUK / LFA1 (create) + M_BEST_BSA (create)

Control objective

SOX ITGC AC-5 / IFC Control AC-5 / COBIT DSS06.03: Vendor creation and purchase order raising must be performed by different individuals to prevent fictitious vendor fraud.

Fraud scenario

The ability to introduce a new vendor and immediately order from it in a single session removes independent verification of the supplier's legitimacy. A fraudster can onboard a personal or related-party business as a supplier and begin directing spend to it without any third party reviewing whether the vendor relationship is arm's-length. This is one of the most common fraud patterns in procurement functions globally.

Business risk

Manufacturing companies work with large supplier networks. The ability to create a new vendor and immediately raise a PO against it is a direct conflict that enables procurement fraud.

Recommended remediation

Split roles: vendor master creation restricted to a master data function separate from procurement. Compensating control: new vendor creation triggers an independent approval workflow before the vendor can receive purchase orders.

MFG-MM-004: Post goods receipt + Process invoice verification

Conflict

A user who can both confirm goods receipt and verify the supplier invoice can approve fictitious or inflated invoices by fabricating the goods receipt confirmation.

T-codes

MIGO (GR) + MIRO / MIR7

Auth objects

M_MSEG_BWA (GR) + M_RECH_BUK (IV create/verify)

Control objective

SOX ITGC AC-5 / IFC Control AC-5 / COBIT DSS06.03: GR and invoice verification must be performed by different individuals to ensure the three-way match is independently confirmed.

Fraud scenario

Combining goods receipt and invoice verification means the same person can confirm that goods arrived and then approve the invoice for payment — without any independent verification of either action. This creates a pathway for approving inflated invoices by fabricating the goods receipt, or for approving invoices for goods that were never received.

Business risk

In workshop operations where parts are received and immediately invoiced, combining GR posting and invoice verification eliminates the independent check the three-way match is designed to provide.

Recommended remediation

Split roles: GR posting and invoice verification must be held by different roles. Compensating control: supervisory countersignature for GR/IV transactions performed by the same user within a defined time window.
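
The compensating control above (a countersignature for GR and invoice verification postings by the same user within a defined time window) can be monitored at transaction level. The following Python is an added example, not OpenIAM's or SAP's code. It parses constructed sample events in a made-up key=value layout that stands in for an extract of goods receipt and invoice document headers, then reports the GR/IV pairs on one purchase order that the same user posted within the window and that therefore need supervisory countersignature. The transaction codes are those named in the rule card; the users, purchase order numbers and document numbers are constructed.

```python
"""Added example (not OpenIAM or SAP code): detection logic for the
MFG-MM-004 compensating control. Flags cases where the same user posted the
goods receipt and the invoice verification for one purchase order within a
defined time window. The log lines are constructed sample input in a
made-up key=value layout; a real run would read an extract of material
document and invoice document headers instead."""
from datetime import datetime, timedelta

# Constructed sample events: timestamp, transaction code, user, key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:12:00 MIGO jsmith po=4500001234 doc=5000000111
2024-03-04T09:40:00 MIRO jsmith po=4500001234 doc=5105600222
2024-03-04T10:05:00 MIGO alee po=4500001235 doc=5000000112
2024-03-05T14:30:00 MIRO bchen po=4500001235 doc=5105600223
2024-03-04T11:00:00 MIGO mpatel po=4500001236 doc=5000000113
2024-03-09T08:15:00 MIRO mpatel po=4500001236 doc=5105600224
"""

GR_TCODES = {"MIGO"}          # goods receipt postings (per the rule card)
IV_TCODES = {"MIRO", "MIR7"}  # invoice verification (per the rule card)


def parse_events(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tcode, user, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({"ts": datetime.fromisoformat(ts), "tcode": tcode,
                       "user": user, "po": fields["po"], "doc": fields["doc"]})
    return events


def same_user_gr_iv(events, window_hours=48):
    """Return (user, po, gr_doc, iv_doc) for every GR/IV pair on the same PO
    that the same user posted, where the IV follows the GR within the
    window. The window is the 'defined time window' of the compensating
    control; the 48-hour default is an assumption for this example."""
    window = timedelta(hours=window_hours)
    grs = [e for e in events if e["tcode"] in GR_TCODES]
    ivs = [e for e in events if e["tcode"] in IV_TCODES]
    hits = []
    for gr in grs:
        for iv in ivs:
            if (gr["user"] == iv["user"] and gr["po"] == iv["po"]
                    and timedelta(0) <= iv["ts"] - gr["ts"] <= window):
                hits.append((gr["user"], gr["po"], gr["doc"], iv["doc"]))
    return sorted(hits)


def main():
    events = parse_events(SAMPLE_LOG)
    for hit in same_user_gr_iv(events):
        print("countersignature required:", hit)


if __name__ == "__main__":
    main()
```

With the 48-hour default only jsmith's pair is reported: alee and bchen are different users, and mpatel's invoice came five days after the receipt. Widening the window to a week also catches mpatel, which is the trade-off the "defined time window" in the control represents: a short window keeps the countersignature queue small, a long one catches slower patterns at the cost of more reviews.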

Sales & Distribution (SD) — 3 Critical Rules

MFG-SD-001: Create sales order + Issue credit memo

Conflict

A user who can both create sales orders and issue credit memos can artificially inflate and reverse revenue, create fictitious credit notes, or manipulate customer account balances.

T-codes

VA01 / VA02 + FB75 / VF01 (credit)

Auth objects

V_VBAK_AAT (create) + F_BKPF_BUK (credit memo)

Control objective

SOX ITGC AC-6 / IFC Control AC-6 / COBIT DSS06.03: Sales order creation and credit memo issuance must be performed by different individuals.

Fraud scenario

A sales representative who can create orders and issue credits can manipulate revenue recognition, commission calculations, and customer account balances — raising orders to inflate sales figures and then issuing credits to remove the corresponding liability, or issuing credits to related parties that represent a direct cash transfer from the company.

Business risk

Capital goods sales involve large transaction values. A user with this conflict can manipulate commission calculations, issue unauthorized discounts post-sale, or reverse revenue to meet period-end targets.

Recommended remediation

Split roles: credit memo authority restricted to a credit management function separate from sales. Compensating control: all credit memos above a defined threshold require dual approval with documented justification.

MFG-SD-002: Create pricing condition + Process billing

Conflict

A user who can create or modify pricing conditions and process billing can set artificially low prices for related parties and bill at those prices without independent review.

T-codes

VK11 / VK12 + VF01 / VF04

Auth objects

V_KONH_VKO (create/change) + V_VBRK_FKA (create)

Control objective

SOX ITGC AC-6 / IFC Control AC-6 / COBIT DSS06.03: Pricing master data and billing execution must be performed by different individuals to prevent deliberate underpricing.

Fraud scenario

A user who can create pricing conditions and run billing can set prices below standard rates for selected customers — a related-party transaction risk specifically addressed by securities regulations and transfer pricing rules — and immediately bill at those manipulated rates without any independent review of the pricing.

Business risk

A user with pricing and billing access could manipulate prices below standard rates — a related-party transaction risk addressed by securities regulations and transfer pricing rules.

Recommended remediation

Split roles: pricing condition maintenance restricted to a pricing administration function separate from billing. All pricing changes should generate an automated notification to the sales manager and finance controller.

MFG-SD-003: Create customer order + Confirm delivery

Conflict

A user who can both create a customer order and confirm its delivery can record fictitious deliveries, triggering billing and revenue recognition for transactions that never occurred.

T-codes

VA01 + VL02N / VL01N

Auth objects

V_VBAK_AAT (create) + V_LIKP_VST (delivery confirm)

Control objective

SOX ITGC AC-6 / IFC Control AC-6 / COBIT DSS06.03: Sales order creation and delivery confirmation must be performed by different individuals.

Fraud scenario

Delivery confirmation triggers billing and revenue recognition. A salesperson who can create an order and confirm its delivery can record fictitious shipments — recognising revenue on goods that have never left the warehouse. In large equipment sales where a single delivery may represent a significant revenue amount, a single false delivery confirmation creates a material revenue overstatement.

Business risk

For large equipment deliveries, fictitious delivery confirmation creates direct and material revenue overstatement risk.

Recommended remediation

Split roles: delivery confirmation performed by logistics or warehouse operations independent of the sales team. Compensating control: physical delivery documentation must be attached to every delivery confirmation in SAP.

Production Planning (PP) — 2 Critical Rules

MFG-PP-001: Modify bill of materials + Release production order

Conflict

A user who can modify the bill of materials and also release the production order can substitute lower-quality or unauthorized components in work orders — creating quality control and warranty liability exposure.

T-codes

CS02 / CS12 + CO02 / CO01

Auth objects

C_STUE_BER (BOM change) + C_AFKO_AWK (release)

Control objective

SOX ITGC AC-8 / IFC Control AC-8 / COBIT DSS06.03: BOM master data and production order release must be performed by different individuals to prevent unauthorized component substitution.

Fraud scenario

A user who can modify the BOM and release production orders can substitute lower-quality, cheaper, or unauthorised components — releasing orders based on altered specifications without independent quality review. In OEM-certified and accredited service environments this is both a financial risk and a compliance risk: unauthorised component substitution can void warranties, fail inspections, and create product liability exposure.

Business risk

Unauthorized BOM modifications combined with production order release could result in non-compliant production, warranty claim rejections, and quality accreditation risk.

Recommended remediation

Split roles: BOM maintenance restricted to engineering roles separate from production planning. Compensating control: all BOM changes trigger an approval workflow requiring technical authority sign-off before the change takes effect.

MFG-PP-002: Create production order + Confirm production order

Conflict

A user who can both create and confirm their own production orders can record fictitious labor and material consumption, inflating work-in-progress values and distorting cost accounting.

T-codes

CO01 + CO11N / CO15

Auth objects

C_AFKO_AWK (create + confirm)

Control objective

SOX ITGC AC-8 / IFC Control AC-8 / COBIT DSS06.03: Order creation and completion confirmation must be performed by different individuals to ensure cost accuracy.

Fraud scenario

A production planner or workshop manager who can create and confirm their own production orders can record fictitious production runs — charging materials, labour, and overhead to cost centres without any corresponding manufacturing activity. In environments where production costs are allocated to customers on a cost-plus basis, this creates direct customer billing fraud in addition to the internal cost inflation risk.

Business risk

A planner who creates and confirms their own orders can inflate work-in-progress, distort margin reporting, and misstate costs allocated to specific products or contracts.

Recommended remediation

Split roles: production order creation and confirmation must be held by different roles. Compensating control: confirmations above a defined labor hours or cost threshold require countersignature from the workshop manager.



High and Medium Risk Rules - Summary

The following tables summarize the 20 High and 10 Medium risk rules in the Manufacturing Edition rule set. Full T-code and control objective detail for each rule is available in the OpenIAM platform and in the accompanying technical rule library document.

High Risk Rules (20)

Rule ID | Rule name | Module | Key process area
MFG-FI-007 | Maintain AP account + Post vendor invoice | FI | Accounts payable master data
MFG-FI-008 | Post AR invoice + Apply cash receipts | FI | Accounts receivable
MFG-FI-009 | Create fixed asset + Post asset acquisition | FI | Fixed asset management
MFG-MM-005 | Create purchase requisition + Convert to PO | MM | Requisition-to-order
MFG-MM-006 | Maintain material master + Post inventory | MM | Inventory management
MFG-MM-007 | Post goods issue + Process customer return | MM | Returns management
MFG-MM-008 | Maintain info record + Create purchase order | MM | Purchasing conditions
MFG-SD-004 | Maintain customer credit limit + Release blocked order | SD | Credit management
MFG-SD-005 | Create customer master + Maintain credit limit | SD | Customer master data
MFG-SD-006 | Create sales order + Approve sales order discount | SD | Discount authorization
MFG-PP-003 | Maintain routing + Confirm production operation | PP | Work center management
MFG-PP-004 | Maintain work center + Create production order | PP | Resource management
MFG-PP-005 | Post goods issue to order + Confirm production | PP | Material consumption
MFG-CO-001 | Create cost center + Post to cost center | CO | Cost center management
MFG-CO-002 | Create internal order + Post to internal order | CO | Internal order management
MFG-CO-003 | Maintain settlement rule + Execute settlement | CO | Order settlement
MFG-CO-004 | Maintain cost element + Post primary cost | CO | Cost element management
MFG-QM-001 | Create inspection lot + Record inspection results | QM | Quality inspection
MFG-QM-002 | Record inspection results + Post usage decision | QM | Quality decision
MFG-QM-003 | Create quality notification + Complete notification | QM | Quality notifications

Medium Risk Rules (10)

Rule ID | Rule name | Module | Key process area
MFG-FI-010 | Maintain bank account + View bank statement | FI | Treasury — best practice
MFG-MM-009 | Conduct physical inventory + Post count difference | MM | Inventory count
MFG-MM-010 | Create service entry sheet + Approve service entry | MM | Service procurement
MFG-SD-007 | Create returns order + Post goods return receipt | SD | Returns processing
MFG-SD-008 | Maintain output condition + Process billing | SD | Output management
MFG-PP-006 | Create capacity plan + Confirm production order | PP | Capacity management
MFG-PP-007 | Maintain production version + Create production order | PP | Production version
MFG-CO-005 | Maintain allocation cycle + Execute allocation | CO | Cost allocation
MFG-CO-006 | Maintain planning version + Post actual costs | CO | Plan vs actual
MFG-QM-004 | Create sampling procedure + Create inspection lot | QM | Sampling management


S/4HANA Compatibility & Additional Modules

S/4HANA compatibility 

The OpenIAM SoD Accelerator rule set is fully compatible with SAP S/4HANA. When an organization migrates from ECC 6.0 to S/4HANA — whether to on-premise S/4HANA or SAP S/4HANA Cloud Private Edition — the rule set migrates with it without requiring a rebuild. This protects the organization’s compliance investment across the migration. 

Compatibility detail | Explanation
T-code continuity | The vast majority of transaction codes in the rule set exist in S/4HANA with identical names and functions. SAP has preserved ECC T-codes for backwards compatibility, and FI, MM, SD, PP, CO, and QM T-codes have particularly high continuity.
SAP Fiori equivalent mapping | Where S/4HANA introduces Fiori apps that replace specific T-codes, OpenIAM's S/4HANA connector maps SoD rules to the equivalent Fiori app permissions and authorization objects. The compliance control remains intact regardless of the user interface used to execute the transaction.
Authorization object continuity | SAP authorization objects — the underlying technical basis for SoD detection — are highly stable across ECC and S/4HANA. Core financial and logistics authorization objects (F_BKPF_BUK, M_BEST_BSA, V_VBAK_AAT, etc.) are unchanged.
Migration path | When you upgrade to S/4HANA, the rule set is updated in OpenIAM to reflect any T-code changes — this is a configuration update, not a rule rebuild. Existing violation history, remediation records, and audit evidence are preserved across the migration.

Additional SAP module coverage — available as extensions

The following SAP modules are available as rule set extensions beyond the Manufacturing Edition core library. These modules may be relevant to specific operational areas and can be added as separate named extensions based on the organization’s SAP landscape.

Module | Relevance and available rule coverage
SAP PM — Plant Maintenance | Directly relevant to manufacturing maintenance and service operations. PM rules cover work order creation and completion, maintenance plan management, and equipment master data — the technical compliance controls for workshop and field service operations.
SAP CS — Customer Service | Relevant to after-sales service and warranty management. CS rules cover service order creation and completion, warranty processing, and service contract management. Particularly important for OEM warranty compliance and service accreditation.
SAP EWM — Extended Warehouse Management | Relevant for organizations operating dedicated warehouses with SAP EWM. EWM rules extend MM procure-to-pay SoD coverage into warehouse transfer orders, stock movements, and physical inventory.
SAP TM — Transportation Management | Relevant to logistics operations for equipment delivery and spare parts distribution. TM rules cover freight order creation, carrier assignment, and transportation cost settlement.
SAP HR / HCM — Human Resources | Relevant for payroll and personnel administration governance. HR rules cover payroll posting, personnel master data management, and the access segregation between HR administration and payroll execution — an area of increasing audit focus.
Microsoft Active Directory / Entra ID | Where the SAP access governance program is extended to cover the full IT landscape, OpenIAM governs Microsoft Active Directory and Entra ID using the same platform, connectors, and access certification workflow. Recommended as a follow-on phase once the SAP SoD program is established.

OpenIAM also replaces SAP IDM — the governance platform most mid-market SAP teams are being asked to migrate away from. See the SAP IDM replacement guide.



How OpenIAM Delivers the Rule Set

The OpenIAM SoD Accelerator is not a consulting deliverable or a spreadsheet — it is a product capability that ships with the OpenIAM platform and connects directly to the customer's SAP ECC or S/4HANA environment. This section describes what the experience looks like from the moment OpenIAM is connected to SAP.

Step | What happens
1 Connect | Connect to SAP ECC — OpenIAM connects to your SAP ECC 6.0 or S/4HANA environment using the native SAP connector. The connector reads role assignments, authorization objects, and user master data — read-only, no changes to SAP during connection.
2 Load | Load the manufacturing rule set — The 45-rule manufacturing SoD rule set is loaded into OpenIAM. Each rule is pre-mapped to the relevant SAP authorization objects and T-codes. No configuration is required for the standard rule set.
3 Scan | Run the first violation scan — OpenIAM analyses the full population of SAP user assignments against all 45 rules. For a typical mid-market environment, the first scan completes within hours of connection.
4 Review | Review the violation report — The report shows every detected conflict: rule ID, rule name, the specific user accounts affected, the conflicting roles, and the risk level. The report is formatted as audit evidence — it maps directly to the control objectives auditors test.
5 Prioritize | Prioritize remediation — Critical violations are highlighted first. For each violation, the report includes the recommended remediation — role split or compensating control — so the IT and compliance team can prioritize and assign remediation actions immediately.
6 Monitor | Ongoing monitoring — After initial remediation, OpenIAM continuously monitors for new SoD conflicts as role assignments change. Any new violation triggers an alert and is added to the audit evidence trail.
7 Certify | Access certification — OpenIAM's access certification module allows the organization to run regular (quarterly or annual) access reviews where business managers certify that their team members' SAP access is appropriate. The SoD rule set is applied during certification — any certifier who approves access that creates a SoD conflict is flagged.
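
To make the mechanics of the load, scan, monitor and certify steps concrete, the following Python is an added example and not OpenIAM's code. It expresses four of the Critical rule cards above as pairs of conflicting authorization-object sets (the object names are taken from the cards), evaluates constructed sample user-to-role assignments against them, and produces one record per violation with the fields the violation report lists (rule ID, rule name, affected user, conflicting roles, risk level). It also includes a preventive check of the kind the certification step describes: given a user and a role about to be approved, it returns the rules that approval would violate. The role names and user accounts are hypothetical.

```python
"""Added example (not OpenIAM code): a minimal static SoD scanner over SAP
role assignments, plus a preventive check for access requests and
certification decisions. Authorization object names are those given on the
page's rule cards; the role names and user assignments are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    name: str
    risk: str
    side_a: frozenset  # auth objects that grant the first conflicting function
    side_b: frozenset  # auth objects that grant the second conflicting function


# Four of the page's Critical rules as pairs of conflicting auth-object sets.
RULES = [
    SodRule("MFG-MM-003", "Create vendor master + Create purchase order",
            "Critical", frozenset({"F_LFA1_BUK"}), frozenset({"M_BEST_BSA"})),
    SodRule("MFG-MM-004", "Post goods receipt + Process invoice verification",
            "Critical", frozenset({"M_MSEG_BWA"}), frozenset({"M_RECH_BUK"})),
    SodRule("MFG-SD-001", "Create sales order + Issue credit memo",
            "Critical", frozenset({"V_VBAK_AAT"}), frozenset({"F_BKPF_BUK"})),
    SodRule("MFG-PP-001", "Modify bill of materials + Release production order",
            "Critical", frozenset({"C_STUE_BER"}), frozenset({"C_AFKO_AWK"})),
]

# Constructed sample data: hypothetical role names -> auth objects they grant.
ROLE_AUTHS = {
    "Z_MM_VENDOR_MAINT": {"F_LFA1_BUK"},
    "Z_MM_BUYER": {"M_BEST_BSA"},
    "Z_MM_GOODS_RECEIPT": {"M_MSEG_BWA"},
    "Z_MM_INVOICE_VERIFY": {"M_RECH_BUK"},
    "Z_SD_ORDER_ENTRY": {"V_VBAK_AAT"},
    "Z_FI_CREDIT_MEMO": {"F_BKPF_BUK"},
    "Z_PP_BOM_ENGINEER": {"C_STUE_BER"},
    "Z_PP_ORDER_RELEASE": {"C_AFKO_AWK"},
}

# Constructed sample data: user account -> assigned roles.
USER_ROLES = {
    "jsmith": {"Z_MM_VENDOR_MAINT", "Z_MM_BUYER"},                      # MM-003 conflict
    "alee": {"Z_MM_GOODS_RECEIPT"},                                     # clean
    "mpatel": {"Z_SD_ORDER_ENTRY", "Z_FI_CREDIT_MEMO", "Z_MM_BUYER"},   # SD-001 conflict
    "rkhan": {"Z_PP_BOM_ENGINEER"},                                     # clean
}


def scan(user_roles, role_auths, rules):
    """Evaluate every user against every rule over the union of the user's
    roles. A user violates a rule when at least one role grants side A and at
    least one role (possibly the same role) grants side B; this is what
    makes accumulated assignments dangerous even when each role is fine on
    its own. Each record carries the fields the violation report lists."""
    violations = []
    for user in sorted(user_roles):
        roles = user_roles[user]
        for rule in rules:
            roles_a = sorted(r for r in roles if role_auths.get(r, set()) & rule.side_a)
            roles_b = sorted(r for r in roles if role_auths.get(r, set()) & rule.side_b)
            if roles_a and roles_b:
                violations.append({
                    "rule_id": rule.rule_id, "rule_name": rule.name,
                    "risk": rule.risk, "user": user,
                    "roles_a": roles_a, "roles_b": roles_b,
                })
    return violations


def would_violate(user, new_role, user_roles, role_auths, rules):
    """Preventive check: the rule IDs the user would violate if new_role were
    granted. Run this before approving an access request or certifying an
    assignment, so the conflict is flagged before it exists in SAP."""
    proposed = {user: set(user_roles.get(user, set())) | {new_role}}
    return [v["rule_id"] for v in scan(proposed, role_auths, rules)]


def main():
    for v in scan(USER_ROLES, ROLE_AUTHS, RULES):
        print(f'{v["rule_id"]} {v["risk"]}: {v["user"]} holds '
              f'{v["roles_a"]} and {v["roles_b"]}')
    print("alee + Z_MM_INVOICE_VERIFY ->",
          would_violate("alee", "Z_MM_INVOICE_VERIFY", USER_ROLES, ROLE_AUTHS, RULES))


if __name__ == "__main__":
    main()
```

The scan reports jsmith under MFG-MM-003 and mpatel under MFG-SD-001; mpatel's third role (purchase order creation) is not flagged because no rule in this set pairs it with the other two. The preventive check shows why the certification step matters: alee currently holds only goods receipt access and is clean, but approving the invoice verification role would create an MFG-MM-004 conflict, and the check catches that before the role is assigned.
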
The Active Directory / Microsoft question

For organizations where Active Directory is also part of the access governance scope, OpenIAM governs Microsoft Active Directory and Microsoft Entra ID using the same platform that governs SAP — there is no separate tool required.

The recommended approach is to establish the SAP SoD program first, validate the rule set against your SAP environment, and then extend the governance scope to Active Directory in a follow-on phase. This allows the compliance team to demonstrate measurable SAP compliance improvement quickly, and then broaden the program with a proven operational model.


Next steps

Ready to run your first violation scan?

01

Review the 15 Critical rules

Review the Critical rules above with your SAP team and internal audit to confirm the rule set addresses the control objectives required for your IFC program.

02

Confirm the SAP ECC connection

OpenIAM's technical team will provide the connector configuration guide and the read-only authorization profile required for your SAP system.

03

Schedule a demonstration scan

OpenIAM connects to your SAP sandbox or test system, loads the manufacturing rule set, runs the first violation scan, and presents the output in the format your auditors will see.

04

Questions on specific rules?

For questions on any specific rule, the S/4HANA migration path, or the Active Directory extension, contact the OpenIAM team directly.




Common questions about SAP SoD compliance for manufacturing companies

What is Segregation of Duties (SoD) in SAP, and why does it matter for manufacturing companies?

Segregation of Duties (SoD) in SAP is the principle that no single user should be able to execute a complete financial transaction — from initiation to approval — without a second person's independent involvement. In an SAP environment, SoD violations occur when a user's role assignments allow them to perform two conflicting functions: creating a vendor master record and also approving the payment run, or posting a journal entry and also approving it.

For manufacturing companies, SAP SoD controls are a core requirement of internal financial controls frameworks globally — including SOX in the US, the Companies Act 2013 in India, and equivalent regulatory obligations in the EU and UK. External auditors test SAP access controls as part of their financial controls assessment. An SoD violation found during an audit becomes a reportable deficiency, and a material weakness can affect the company's financial statements and the auditor's opinion.

Why doesn't SAP's native role management prevent SoD violations?

SAP ECC's role-based authorization model is designed to control what a user can do — not to prevent combinations of access that individually are appropriate but together create a conflict. Roles are assigned based on job function, and over time — through promotions, temporary access grants, and emergency access that is never revoked — users accumulate role assignments that create dangerous conflicts SAP itself cannot detect.

SAP's native tooling has no mechanism to flag that a user holds both "create vendor" and "approve payment" access until the conflicting access has already been assigned. Preventing SoD violations requires a dedicated governance layer that continuously analyses role combinations against a library of conflict rules — which is what the OpenIAM SoD Accelerator provides.

What are the most common SoD violations in SAP manufacturing environments?

In SAP manufacturing and distribution environments, the highest-risk SoD violations cluster around three business processes. In the procure-to-pay cycle, the most dangerous conflict is a user who can both create a vendor master record (FK01/FK02) and execute the automatic payment run (F110) — enabling fictitious vendor fraud without independent authorization. In the order-to-cash cycle, the critical conflict is a user who can both create a customer order (VA01) and issue credit memos — enabling revenue manipulation. In financial reporting, the highest-risk conflict is a user who can both post and approve their own journal entries (FB50/FB01) — enabling direct financial statement manipulation.

These three conflict types are the first tested by financial controls auditors and are the source of the majority of significant deficiency and material weakness findings in mid-market SAP audits.

What is the OpenIAM SoD Accelerator for SAP — Manufacturing Edition?

The OpenIAM SoD Accelerator for SAP — Manufacturing Edition is a pre-built library of 45 SoD rules purpose-built for manufacturing and distribution companies running SAP ECC 6.0 or S/4HANA. It ships as a product capability — not a consulting deliverable — and is ready to load on day one of an OpenIAM deployment.

The rule set covers six SAP modules: Financial Accounting (FI), Materials Management (MM), Sales & Distribution (SD), Production Planning (PP), Controlling (CO), and Quality Management (QM). Each rule is structured to the same six-field audit standard — Rule ID, Rule name, Conflict detail (with specific T-codes), Risk level, Control objective, and Remediation guidance — so that the output of every violation scan is formatted as audit evidence.

How long does it take to run the first SoD violation scan after connecting to SAP?

For a typical mid-market SAP ECC 6.0 environment, the first violation scan completes within hours of connection — not days or weeks. The process involves three steps: connecting OpenIAM to the SAP environment using the native read-only SAP connector, loading the pre-built 45-rule manufacturing rule set, and running the scan against the full user population. No rule configuration is required for the standard rule set, and no changes are made to the SAP environment during connection. The connector reads role assignments, authorization objects, and user master data in read-only mode.

How are the SoD rules mapped to financial controls audit requirements?

Each rule in the Manufacturing Edition is mapped to a specific financial controls objective — expressed in the language that auditors use when documenting findings. The rules were curated from ISACA guidance, PCAOB AS 2201, and SAP authorization documentation. Each control objective statement is written so that the output of a violation scan can be handed directly to an auditor as evidence — without requiring an IT-to-audit translation step.

The 15 Critical rules map to conflicts that appear most frequently in audit findings at peer manufacturing and distribution organisations, regardless of the regulatory framework in place. The same rule set supports SOX compliance in the US, IFC requirements in India, and equivalent financial controls obligations in other jurisdictions.

Is the rule set compatible with SAP S/4HANA, or only SAP ECC 6.0?

The Manufacturing Edition rule set is fully compatible with both SAP ECC 6.0 and SAP S/4HANA, including on-premise S/4HANA and S/4HANA Cloud Private Edition. SAP has preserved ECC transaction codes in S/4HANA for backwards compatibility, and the core financial and logistics authorization objects used by the rule set (F_BKPF_BUK, M_BEST_BSA, V_VBAK_AAT, and others) are unchanged across both platforms.

Where S/4HANA introduces Fiori apps that replace specific T-codes, OpenIAM's S/4HANA connector maps the SoD rules to the equivalent Fiori app permissions and authorization objects. When migrating from ECC 6.0 to S/4HANA, the rule set is updated as a configuration change — not a rebuild — and existing violation history and audit evidence are preserved.

Can we build our own SoD rule set instead of using the pre-built one?

Building a complete SoD rule set for a mid-market SAP ECC environment typically takes internal teams 3–4 months — assuming they have both the SAP module expertise to map relevant transaction codes and authorization objects, and the audit framework knowledge to connect each rule to a specific control objective. Most teams have one or the other but not both.

The pre-built Manufacturing Edition rule set eliminates this cold-start entirely. The 45 rules are already mapped to SAP T-codes, authorization objects, and financial control objectives — ready to load on day one. The practical question is whether the next audit is in this cycle or the next one: building from scratch means the first complete scan happens months from now; loading the pre-built rule set means it happens today.

We already have SAP GRC Access Control. Do we still need this?

SAP GRC Access Control governs access within your SAP environment. OpenIAM's SoD Accelerator is designed to work alongside GRC — not replace it — and extends your compliance coverage in two specific ways.

First, GRC does not govern systems outside SAP. Every system beyond the SAP boundary — Microsoft 365, Salesforce, ServiceNow, your SaaS applications — remains ungoverned by GRC. A financial controls auditor does not stop at the SAP boundary, and audits increasingly include access controls across the full IT landscape. OpenIAM governs all connected systems from the same platform.

Second, OpenIAM's pre-built Manufacturing Edition rule set provides 45 audit-aligned rules with T-code level detection and audit-formatted violation reports. If your GRC implementation lacks this depth of rule coverage, the SoD Accelerator addresses that gap directly without requiring GRC to be replaced.

Does the Manufacturing Edition cover all SAP modules, or are some excluded?

The Manufacturing Edition covers the six SAP modules that financial controls auditors focus on most in manufacturing and distribution environments: FI, MM, SD, PP, CO, and QM. These 45 rules address the process areas where SoD violations most commonly arise and where audit findings are most frequently issued.

Three additional module areas are covered by separate OpenIAM SoD rule sets, available as extensions: SAP Basis (technical administration and privileged access), HR/Payroll (personnel master data, payroll processing, and time management), and Plant Maintenance/PM (work orders, maintenance planning, and equipment master data). When comparing rule set coverage across vendors, ensure the comparison is module-for-module — a vendor quoting 200+ rules across all SAP modules combined is not directly comparable to a 45-rule set covering a specific controls-focused scope.

Let’s Connect

Managing identity can be complex. Let OpenIAM simplify how you manage all of your identities from a converged modern platform hosted on-premises or in the cloud.

For 15 years, OpenIAM has been helping mid to large enterprises globally improve security and end user satisfaction while lowering operational costs.

Copyright © 2026 OpenIAM. All rights reserved.