The migration from SAP ECC to S/4HANA does not automatically clean up your Segregation of Duties landscape. In fact, the simplified authorization concept in S/4HANA — combined with the introduction of Fiori apps and new authorization objects — often introduces new SOD risks that did not exist in ECC.
Why S/4HANA SOD Is More Complex
In ECC, SOD rulesets were keyed on transaction codes (T-codes, checked through S_TCODE) and the authorization objects behind them. In S/4HANA, Fiori apps sit in front of the T-codes: an app is started through an OData service (checked through S_SERVICE rather than S_TCODE), one app can bundle functions that were several separate T-codes in ECC, and a number of authorization objects changed in Logistics, Finance, and Procurement. A ruleset that still matches on S_TCODE values alone will therefore report a user as clean while the Fiori catalog assigned to that same user grants both halves of a conflict.
The 15 Conflict Pairs Auditors Flag First
- Create Vendor + Approve Payment — Classic procure-to-pay conflict
- Create Purchase Order + Approve Purchase Order
- Post Goods Receipt + Create Vendor Invoice
- Create Customer + Post Customer Invoice
- Create GL Account + Post Journal Entry
- Approve Journal Entry + Post Journal Entry
- Create User + Assign Authorization Roles — IT SOD, highest risk
- Execute Payment Run + Release Payment Run
- Create Asset + Depreciate Asset
- Create Material + Release Purchase Order for Material
- Maintain Bank Master Data + Initiate Wire Transfer
- Access Salary Data + Post Payroll
- Create Credit Memo + Release Credit Memo
- Change Contract + Approve Contract
- Debug with replace (authorization object S_DEVELOP, object type DEBUG, activity 02; the debugger is also reachable from the process overview SM50/SM51) + Any Financial Transaction — Highest risk ABAP developer conflict
Conflict #15 is critical: a user who can debug with variable replacement and also holds posting authority can change values at runtime, for example overriding the return code of an authority check or the content of a document just before it is posted, so the application-level controls never fire. The exposure comes from the S_DEVELOP DEBUG/02 authorization itself, not from SM50/SM51 as such; the process overview is only one entry point to the debugger, and the check must be on the authorization object, not the T-code. In production, debugging with replace should not be granted at all, and any grant should be treated as a finding even before it is combined with posting authority. This is the first thing a PCAOB-trained IT auditor will check in an SAP engagement.
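The two points above, that Fiori apps must be resolved to the business functions they convey before any conflict pair can be evaluated, and that a conflict can be clean at role level yet present at user level once roles are combined, can be made concrete with a small rule engine. The following is an added example written for this article; it is not NextGen GRC code and not SAP's. The T-codes and the S_DEVELOP DEBUG/02 authorization are standard SAP identifiers; the entitlements prefixed `FIORI:`, the role names, the rule IDs, the user list and the mitigation record are constructed test data chosen to exercise each case (a role-level conflict, two cross-role conflicts, a mitigated conflict and an entitlement nobody has mapped).

```python
"""Role-level and user-level SOD conflict detection over an entitlement map.

Added example for illustration; not NextGen GRC or SAP code. Entitlements
prefixed 'FIORI:' are hypothetical app labels; T-codes are standard SAP ones.
"""
from collections import defaultdict

# Every grantable entitlement (ECC T-code, S/4HANA Fiori app, or a specific
# authorization value) is resolved to the business function(s) it conveys.
# One Fiori app may convey several functions that were separate T-codes in ECC.
FUNCTION_OF = {
    "XK01": {"CREATE_VENDOR"},                       # ECC: create vendor master
    "MIRO": {"POST_VENDOR_INVOICE"},                 # ECC: enter incoming invoice
    "F110": {"EXECUTE_PAYMENT_RUN"},                 # ECC: automatic payment run
    "FB50": {"POST_JOURNAL_ENTRY"},                  # ECC: G/L document entry
    "SU01": {"CREATE_USER"},                         # user maintenance
    "PFCG": {"ASSIGN_ROLES"},                        # role maintenance / assignment
    "S_DEVELOP:DEBUG:02": {"DEBUG_REPLACE"},         # debug with variable replacement
    # Hypothetical composite app: supplier master incl. bank details (assumed).
    "FIORI:ManageSupplierMaster": {"CREATE_VENDOR", "MAINTAIN_BANK_MASTER"},
    "FIORI:ApprovePayments": {"APPROVE_PAYMENT"},    # hypothetical label
    "FIORI:InitiateTransfer": {"INITIATE_WIRE"},     # hypothetical label
}

# Conflict pairs from the list above, expressed on functions, not T-codes.
# Rule IDs are invented for this example.
RULES = [
    ("P2P-01", "HIGH", "CREATE_VENDOR", "APPROVE_PAYMENT"),
    ("P2P-03", "HIGH", "EXECUTE_PAYMENT_RUN", "RELEASE_PAYMENT_RUN"),
    ("IT-01", "CRITICAL", "CREATE_USER", "ASSIGN_ROLES"),
    ("TRE-01", "CRITICAL", "MAINTAIN_BANK_MASTER", "INITIATE_WIRE"),
    ("DEV-01", "CRITICAL", "DEBUG_REPLACE", "POST_JOURNAL_ENTRY"),
]
RISK_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

# Constructed roles and assignments (not real customer data).
ROLES = {
    "Z_AP_CLERK": {"XK01", "MIRO"},
    "Z_AP_MANAGER": {"F110", "FIORI:ApprovePayments"},
    "Z_SUPPLIER_MDM": {"FIORI:ManageSupplierMaster"},
    "Z_TREASURY": {"FIORI:InitiateTransfer"},
    "Z_BASIS_USERADMIN": {"SU01", "PFCG"},           # conflict inside one role
    "Z_DEVELOPER": {"S_DEVELOP:DEBUG:02"},
    "Z_GL_ACCOUNTANT": {"FB50", "ZCUSTOM_REPORT"},   # ZCUSTOM_REPORT is unmapped
}
USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_AP_MANAGER"},         # P2P-01 only across roles
    "BOB": {"Z_SUPPLIER_MDM", "Z_TREASURY"},         # TRE-01 via a Fiori app
    "CAROL": {"Z_BASIS_USERADMIN"},                  # IT-01 at role level
    "DAVE": {"Z_DEVELOPER", "Z_GL_ACCOUNTANT"},      # DEV-01, mitigated
    "ERIN": {"Z_GL_ACCOUNTANT"},                     # clean
}
# Documented compensating control: (user, rule). Must be re-reviewed periodically.
MITIGATIONS = {("DAVE", "DEV-01")}


def functions_of_role(role):
    """Union of the business functions conveyed by a role's entitlements."""
    funcs = set()
    for ent in ROLES[role]:
        funcs |= FUNCTION_OF.get(ent, set())
    return funcs


def unmapped_entitlements():
    """Entitlements with no function mapping: a blind spot, not a clean result."""
    return {e for ents in ROLES.values() for e in ents if e not in FUNCTION_OF}


def role_level_conflicts():
    """Rules violated inside a single role; the role itself must be split."""
    return [(role, rule_id) for role in ROLES
            for rule_id, _, a, b in RULES
            if {a, b} <= functions_of_role(role)]


def user_level_conflicts(user, include_mitigated=False):
    """Rules violated by the union of a user's roles, highest risk first.

    Each finding names the roles supplying each side so remediation (remove a
    role, or split one) is actionable. cross_role is True when no single role
    carries both sides, i.e. a per-role check alone would have missed it."""
    by_func = defaultdict(set)
    for role in USERS[user]:
        for f in functions_of_role(role):
            by_func[f].add(role)
    findings = []
    for rule_id, risk, a, b in RULES:
        if a in by_func and b in by_func:
            mitigated = (user, rule_id) in MITIGATIONS
            if mitigated and not include_mitigated:
                continue
            findings.append({
                "user": user, "rule": rule_id, "risk": risk,
                "cross_role": by_func[a].isdisjoint(by_func[b]),
                "roles": {a: sorted(by_func[a]), b: sorted(by_func[b])},
                "mitigated": mitigated,
            })
    findings.sort(key=lambda f: RISK_ORDER[f["risk"]])
    return findings


if __name__ == "__main__":
    print("unmapped:", unmapped_entitlements())
    print("role-level:", role_level_conflicts())
    for u in USERS:
        for f in user_level_conflicts(u):
            print(f["risk"], f["rule"], f["user"], "cross-role" if f["cross_role"] else "single-role", f["roles"])
```

Two things the output makes visible that a T-code based check does not: BOB's TRE-01 hit comes entirely from Fiori entitlements, and ALICE's P2P-01 hit does not show up in any single role. The unmapped-entitlement set is reported separately because an entitlement with no mapping contributes nothing to any rule and would otherwise silently pass; in a real run that set should be empty before the conflict report is trusted, and the mitigation record should be attached to the finding rather than used to hide it.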
Using NextGen GRC for SOD Analysis
NextGen GRC's SOD module maps these conflict pairs across SAP ECC, S/4HANA, and Oracle EBS — with role-level and user-level conflict detection, risk scoring, and compensating control documentation. The AI-powered risk assessment module generates a remediation roadmap prioritized by audit risk.