The reason most SAP SoD programs never produce a single violation report. And it is not what the aud

Author : Tushar Pansare | Published On : 13 Jul 2026

A consistent pattern surfaces when talking to IT Audit Managers at mid-market manufacturing and financial services companies about their SAP SoD programs. 

They know they need SoD detection. They understand the control objective. They can describe exactly what the conflict looks like — one person with the ability to create a vendor and approve payment to that vendor, one person with access to both sides of a transaction that should require independent oversight. 

They do not have a running SoD program. 

The reason is almost never what the audit finding eventually says it is. 

The cold-start problem 

Building a SAP SoD rule set from scratch means mapping transaction codes to authorization objects, assigning risk levels, connecting each rule to a specific control objective, and writing audit-ready remediation guidance for every conflict. In a mid-size SAP environment, the realistic estimate for a team with genuine SAP authorization expertise is three to four months. 

Most mid-market IT audit teams do not have that expertise in-house. Most do not have three to four months of capacity to allocate to rule-building before the next audit cycle. So the program gets deferred. Not cancelled. Deferred. 

The tool may be selected. The intention to implement remains. But because the rule set does not exist, the first scan cannot run. And because the first scan cannot run, the violations that already exist in the SAP environment continue to accumulate undetected. 

By the time the program is actually implemented, the remediation effort is significantly larger than it would have been eighteen months earlier. By the time the auditor finds the conflict, the question of why the program was never started has been replaced by the more immediate question of what to do about the finding. 

Why SAP cannot solve this 

SAP's authorization framework validates individual role assignments. It does not evaluate whether a user's combination of roles creates a conflict — whether two roles held by the same person together create the ability to execute both sides of a financially material transaction without independent oversight. 

This is not a flaw in SAP. It is a design boundary. SAP is an ERP system. SoD enforcement is a governance control that sits above the ERP. It requires three things SAP does not provide: a rule set that defines which T-code combinations constitute a conflict, cross-role analysis that evaluates a user's full role portfolio rather than each role in isolation, and audit-ready output that names the specific T-codes in conflict, maps to a control objective, and includes remediation guidance. 

Without all three, there is no SoD program. There is only awareness that one is needed. 

What the T-code level actually means 

SOX audit findings reference specific SAP transaction codes. IFC management assertions reference T-codes. PCAOB audit workpapers reference T-codes. 

A detection tool that works above the T-code level produces output that needs to be translated before an auditor can use it. That translation step is where audit cycles are lost and where the conversation between the IT audit team and the external auditor becomes unnecessarily difficult. 

Detection at the T-code level means the scan output is directly usable by the auditor without transformation. The violation names the specific T-codes in conflict. The control objective is mapped. The remediation guidance is written. The auditor receives a document that matches the format of the finding they would write themselves. 

For mid-market teams without dedicated audit support, the difference between output that requires transformation and output that does not is frequently the difference between a SoD program that produces audit value and one that produces reports nobody fully acts on. 

What eliminating the cold-start actually changes 

The most direct way to eliminate a three-to-four month rule-building phase is to not require one. 

A pre-built rule set curated from ISACA, PCAOB, and SAP authorization documentation — mapped to SOX, IFC, and COBIT control objectives, validated against the conflict patterns that appear most consistently in real audit findings — means the first scan runs on the day the tool connects to SAP. The violation report is formatted for audit review from the moment it is generated. 

The IT Audit Manager who connects a pre-built manufacturing rule set to a SAP ECC environment on Monday has a violation report by Wednesday. The conflicts that have been accumulating for two years are surfaced before the auditor finds them rather than after. 

The accounts payable lead with vendor creation and payment execution access. The 26-month accumulation window. The audit finding that could have been a remediation ticket. 

That gap exists because the detection program was never implemented. The detection program was never implemented because the rule set was never built. That is the problem the cold-start solution solves.