Accounts Payable Segregation of Duties Matrix: SAP AP SoD Guide
The accounts payable segregation of duties matrix is one of the most critical components of any SoD program. Accounts payable processes handle direct cash outflows, making them the primary target for procurement fraud, vendor fraud, and unauthorized payments.
This guide provides a complete AP SoD matrix with SAP transaction codes, common conflict patterns, and practical implementation guidance for accounting and finance teams.
Why AP segregation of duties matters
Accounts payable fraud accounts for a significant portion of occupational fraud. The Association of Certified Fraud Examiners reports that billing schemes (fake vendors, inflated invoices) are among the most common and costly fraud types.
Segregation of duties in accounting exists specifically to prevent scenarios where one person can:
- Create a vendor and pay that vendor
- Order goods and confirm receipt of those goods
- Post an invoice and approve the payment
Without proper AP segregation of duties, these single-person end-to-end capabilities create opportunities for fraud that may go undetected for years.
Accounts payable SoD matrix: core functions
An effective accounts payable segregation of duties matrix starts by defining the key functions in the procure-to-pay (P2P) cycle:
Function definitions
| Function ID | Function | Key SAP Transactions | Description |
|---|---|---|---|
| AP-01 | Vendor Master Maintenance | BP, XK01, XK02, FK01, FK02, MK01, MK02 | Create and modify vendor records |
| AP-02 | Purchase Requisition | ME51N, ME52N, ME53N | Create and modify purchase requests |
| AP-03 | Purchase Order Creation | ME21N, ME22N, ME23N | Create and modify purchase orders |
| AP-04 | Purchase Order Approval | ME28, ME29N | Release and approve purchase orders |
| AP-05 | Goods Receipt | MIGO, MB01, MB0A | Confirm receipt of goods or services |
| AP-06 | Invoice Verification | MIRO, MIR7, MIR4 | Enter and process vendor invoices |
| AP-07 | Payment Processing | F110, F-53, F-58 | Execute vendor payments |
| AP-08 | Bank Master Maintenance | FI01, FI02 | Create and modify bank master records |
| AP-09 | GL Account Posting | FB01, FB50, F-02 | Post journal entries to general ledger |
| AP-10 | Account Reconciliation | F-03, F.13, FBRA | Clear and reconcile vendor accounts |
SAP S/4HANA note: In S/4HANA, vendor master transactions XK01, FK01, and MK01 are deprecated and replaced by Transaction BP (Business Partner). If you execute the old transactions, SAP automatically forwards to BP. Your SoD ruleset should include both the legacy transactions and BP to cover ECC and S/4HANA environments. Additionally, S/4HANA Fiori apps like "Manage Business Partner" and "Create Supplier Invoice" should be included alongside their classic equivalents.
The conflict matrix
This segregation of duties matrix for accounting shows which function combinations create SoD conflicts:
| | AP-01 Vendor | AP-02 Req | AP-03 PO Create | AP-04 PO Approve | AP-05 GR | AP-06 Invoice | AP-07 Payment | AP-08 Bank | AP-09 GL |
|---|---|---|---|---|---|---|---|---|---|
| AP-01 Vendor | - | Low | Medium | - | - | Medium | Critical | High | - |
| AP-02 Req | Low | - | Medium | High | - | - | - | - | - |
| AP-03 PO Create | Medium | Medium | - | Critical | High | Medium | High | - | - |
| AP-04 PO Approve | - | High | Critical | - | Medium | - | - | - | - |
| AP-05 GR | - | - | High | Medium | - | Critical | - | - | - |
| AP-06 Invoice | Medium | - | Medium | - | Critical | - | High | - | Medium |
| AP-07 Payment | Critical | - | High | - | - | High | - | Critical | High |
| AP-08 Bank | - | - | - | - | - | - | Critical | - | High |
| AP-09 GL | - | - | - | - | - | Medium | High | High | - |
Critical AP SoD conflicts explained
1. Vendor master + payment processing (Critical)
The risk: A user creates a fictitious vendor, submits an invoice, and processes payment to an account they control.
SAP transactions involved:
- Side A: BP (Business Partner), XK01 (Create Vendor), XK02 (Change Vendor), FK01 (Create Vendor - Accounting)
- Side B: F110 (Automatic Payment Program), F-53 (Post Vendor Payment)
Note: In S/4HANA, XK01/FK01 are deprecated and replaced by Transaction BP. Your ruleset must include BP to cover S/4HANA environments.
Key authorization objects:
- F_LFA1_BUK (Vendor Master - Company Code)
- B_BUPA_RLT (Business Partner - Relationship Category, relevant for S/4HANA BP)
- F_REGU_BUK (Payment - Company Code)
Resolution: Vendor creation should always be separated from payment execution. This is non-negotiable for SOX compliance.
2. Purchase order create + approve (Critical)
The risk: A user creates a purchase order and approves it themselves, bypassing the approval workflow entirely.
SAP transactions involved:
- Side A: ME21N (Create PO), ME22N (Change PO)
- Side B: ME28 (Release PO), ME29N (Cancel Release)
Key authorization objects:
- M_BEST_EKG (Purchasing Group)
- M_BEST_EKO (Purchasing Organization)
- M_BEST_WRK (Plant)
Resolution: Implement release strategies in SAP that require different users for creation and approval. Ensure release authorization objects are assigned to separate roles.
3. Goods receipt + invoice verification (Critical)
The risk: A user confirms receipt of goods that were never delivered and matches it with an invoice for payment.
SAP transactions involved:
- Side A: MIGO (Goods Receipt), MB01 (Post Goods Receipt)
- Side B: MIRO (Enter Invoice), MIR7 (Park Invoice)
Key authorization objects:
- M_MSEG_BWA (Movement Type)
- M_RECH_BUK (Invoice Verification - Company Code)
Resolution: Separate warehouse/receiving functions from AP invoice processing functions.
4. Payment processing + bank master (Critical)
The risk: A user modifies bank routing information and then processes payments, potentially redirecting funds.
SAP transactions involved:
- Side A: F110 (Automatic Payment), F-53 (Vendor Payment)
- Side B: FI01 (Create Bank), FI02 (Change Bank)
Resolution: Bank master maintenance should be restricted to a very small group of users, separate from anyone involved in payment processing.
Industry-specific AP SoD considerations
Manufacturing
Manufacturing companies face additional AP risks around:
- Subcontracting: Users managing subcontractor orders and confirming deliveries
- Inventory valuation: Users adjusting inventory values and processing related invoices
- Consignment: Users managing consignment stock and settling consignment payables
Financial services
Financial services organizations need stricter controls around:
- Intercompany transactions: Cross-entity AP postings
- Regulatory reporting: Ensuring AP data integrity for regulatory submissions
- Counterparty management: Vendor master overlapping with counterparty/client data
Retail
Retail-specific AP considerations:
- High-volume vendor management: Thousands of vendors requiring automated controls
- Returns and credits: Credit memo processing separated from payment processing
- Rebate management: Rebate agreements separated from invoice processing
AP functions in SAP S/4HANA: Fiori app equivalents
If your organization runs S/4HANA, your AP SoD matrix must cover Fiori apps alongside classic transactions. A ruleset that only checks transaction codes will miss users who access AP functions exclusively through Fiori.
| AP Function | Classic Transactions | S/4HANA Fiori Apps |
|---|---|---|
| Vendor Master | BP, XK01, FK01, MK01 | Manage Business Partner, Supplier Factsheet |
| Purchase Requisition | ME51N, ME52N | Manage Purchase Requisitions |
| Purchase Order | ME21N, ME22N | Manage Purchase Orders, Create Purchase Order |
| PO Approval | ME28, ME29N | Approve Purchase Orders |
| Goods Receipt | MIGO, MB01 | Post Goods Receipt for Purchase Order |
| Invoice Verification | MIRO, MIR7 | Create Supplier Invoice, Manage Supplier Invoices |
| Payment Processing | F110, F-53 | Schedule Automatic Payments, Post Outgoing Payments |
| Bank Master | FI01, FI02 | Manage Banks |
MTC Skopos supports both classic transaction codes and Fiori apps in its rulesets. See our S/4HANA SoD ruleset guide for details on building a ruleset that covers both.
Building your AP SoD matrix in SAP
Step 1: Define your scope
Start with the highest-risk AP functions:
- Vendor master maintenance
- Payment processing
- Purchase order management
- Invoice verification
These four areas cover the most critical accounting segregation of duties requirements.
Step 2: Map SAP transactions to functions
For each function, document all relevant:
- Transaction codes (including Fiori apps if on S/4HANA)
- Authorization objects and values
- Custom transactions specific to your environment
Step 3: Define risk levels
Apply consistent risk ratings:
- Critical: Direct fraud risk with financial impact
- High: Significant control bypass or compliance risk
- Medium: Operational risk or policy violation
- Low: Minor control weakness, monitoring recommended
Step 4: Automate detection
Manual monitoring of AP SoD conflicts is impractical at scale. Use a segregation of duties tool to:
- Import your AP SoD matrix
- Run analysis against current user access
- Generate conflict reports with specific user/role details
- Track remediation progress
MTC Skopos imports your SoD ruleset directly from Excel and runs full analysis in minutes. The tool supports custom AP-specific rules alongside standard SoD checks.
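One way to run the analysis described in Step 4, including the earlier point that a ruleset checking only transaction codes misses Fiori-only users. This is an added example, not MTC Skopos code or part of the original guide; the user IDs and access lists are constructed, and it works at the transaction/app level only, ignoring authorization objects.

```python
from itertools import combinations

# Function -> (classic transactions, Fiori apps), copied from the page's Fiori table.
FUNCTIONS = {
    "AP-01": ({"BP", "XK01", "FK01", "MK01"}, {"Manage Business Partner", "Supplier Factsheet"}),
    "AP-02": ({"ME51N", "ME52N"}, {"Manage Purchase Requisitions"}),
    "AP-03": ({"ME21N", "ME22N"}, {"Manage Purchase Orders", "Create Purchase Order"}),
    "AP-04": ({"ME28", "ME29N"}, {"Approve Purchase Orders"}),
    "AP-05": ({"MIGO", "MB01"}, {"Post Goods Receipt for Purchase Order"}),
    "AP-06": ({"MIRO", "MIR7"}, {"Create Supplier Invoice", "Manage Supplier Invoices"}),
    "AP-07": ({"F110", "F-53"}, {"Schedule Automatic Payments", "Post Outgoing Payments"}),
    "AP-08": ({"FI01", "FI02"}, {"Manage Banks"}),
}
# Conflict matrix cells between those functions, one entry per unordered pair,
# read from the row of the lower-numbered function.
RISK = {
    ("AP-01", "AP-02"): "Low", ("AP-01", "AP-03"): "Medium", ("AP-01", "AP-06"): "Medium",
    ("AP-01", "AP-07"): "Critical", ("AP-01", "AP-08"): "High", ("AP-02", "AP-03"): "Medium",
    ("AP-02", "AP-04"): "High", ("AP-03", "AP-04"): "Critical", ("AP-03", "AP-05"): "High",
    ("AP-03", "AP-06"): "Medium", ("AP-03", "AP-07"): "High", ("AP-04", "AP-05"): "Medium",
    ("AP-05", "AP-06"): "Critical", ("AP-06", "AP-07"): "High", ("AP-07", "AP-08"): "Critical",
}
SEVERITY = ["Critical", "High", "Medium", "Low"]

def functions_held(access, include_fiori=True):
    """Resolve a user's transactions/apps to the AP function IDs they can perform."""
    access = set(access)
    return sorted(fid for fid, (tcodes, apps) in FUNCTIONS.items()
                  if access & (tcodes | apps if include_fiori else tcodes))

def find_conflicts(user_access, include_fiori=True):
    """Return (user, func_a, func_b, risk) rows, most severe first."""
    rows = []
    for user, access in user_access.items():
        held = functions_held(access, include_fiori)
        for pair in combinations(held, 2):  # held is sorted, so pair matches RISK keys
            if pair in RISK:
                rows.append((user, *pair, RISK[pair]))
    return sorted(rows, key=lambda r: (SEVERITY.index(r[3]), r[0]))

# Constructed sample access (hypothetical users, not from the page).
SAMPLE_ACCESS = {
    "JDOE": ["XK01", "F110"],                                              # classic only
    "ASMITH": ["Manage Business Partner", "Schedule Automatic Payments"],  # Fiori only
    "CKIM": ["ME21N", "Approve Purchase Orders", "MIRO"],                  # mixed
    "BLEE": ["MIGO"],                                                      # single function
}

if __name__ == "__main__":
    for row in find_conflicts(SAMPLE_ACCESS):
        print(*row, sep="\t")
```

Calling `find_conflicts(SAMPLE_ACCESS, include_fiori=False)` drops ASMITH entirely and misses CKIM's Critical create/approve conflict, which is the coverage gap a transaction-code-only ruleset leaves.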
AP SoD compliance requirements
SOX (Sarbanes-Oxley)
SOX Section 404 requires management to assess the effectiveness of internal controls over financial reporting. AP segregation of duties is a fundamental control that auditors expect to see documented and tested.
Key requirements:
- Documented SoD matrix covering all material financial processes
- Evidence of regular SoD analysis (at least quarterly)
- Remediation plans for identified conflicts
- Compensating controls documented for accepted risks
COSO framework
The COSO Internal Control Framework specifically addresses segregation of duties as a control activity. For accounts payable:
- Authorization: Only authorized personnel can approve purchases and payments
- Custody: Physical or digital access to payment systems is restricted
- Record-keeping: Financial recording is separated from asset custody
Industry regulations
Additional requirements may apply:
- Basel III (Banking): Strict operational risk controls
- FDA 21 CFR Part 11 (Pharma): Audit trail and access control requirements
- PCI DSS (Payment Card): Controls around cardholder data processing
Monitoring and maintenance
Regular review cycle
| Frequency | Activity |
|---|---|
| Weekly | Review new user/role assignments for AP conflicts |
| Monthly | Run full AP SoD analysis across all users |
| Quarterly | Review and update AP SoD matrix with business owners |
| Annually | Comprehensive review aligned with audit cycle |
Key metrics to track
- Total AP SoD conflicts (trending over time)
- Critical conflicts with no compensating controls
- Time to remediate identified conflicts
- New conflicts introduced per period
- Percentage of conflicts with did-do violations (conflicting access that was actually exercised, not just held)
Frequently asked questions
What is an accounts payable segregation of duties matrix?
An accounts payable segregation of duties matrix maps all AP-related functions (vendor management, invoice processing, payment execution, etc.) against each other to identify combinations that create fraud or error risk when held by a single person.
What are the key SoD conflicts in accounts payable?
The most critical AP SoD conflicts include: vendor master maintenance combined with payment processing, purchase order creation combined with purchase order approval, goods receipt combined with invoice verification, and invoice posting combined with payment execution.
How do you implement segregation of duties in accounting?
Implementing segregation of duties in accounting requires separating authorization, custody, and record-keeping functions across different individuals. In SAP, this means assigning roles so that no single user can complete an end-to-end financial process like procure-to-pay or order-to-cash.
