Accounts Payable Segregation of Duties Matrix: Free SAP AP SoD Template
2026-02-08

Accounts Payable Segregation of Duties Matrix: SAP AP SoD Guide

The accounts payable segregation of duties matrix is one of the most critical components of any SoD program. Accounts payable processes handle direct cash outflows, making them the primary target for procurement fraud, vendor fraud, and unauthorized payments.

This guide provides a complete AP SoD matrix with SAP transaction codes, common conflict patterns, and practical implementation guidance for accounting and finance teams.

Why AP segregation of duties matters

Accounts payable fraud accounts for a significant portion of occupational fraud. The Association of Certified Fraud Examiners reports that billing schemes (fake vendors, inflated invoices) are among the most common and costly fraud types.

Segregation of duties in accounting exists specifically to prevent scenarios in which one person can:

  • Create a vendor and pay that vendor
  • Order goods and confirm receipt of those goods
  • Post an invoice and approve the payment

Without proper AP segregation of duties, these single-person end-to-end capabilities create opportunities for fraud that may go undetected for years.

Accounts payable SoD matrix: core functions

An effective accounts payable segregation of duties matrix starts by defining the key functions in the procure-to-pay (P2P) cycle:

Function definitions

Function ID | Function                  | Key SAP Transactions                   | Description
AP-01       | Vendor Master Maintenance | BP, XK01, XK02, FK01, FK02, MK01, MK02 | Create and modify vendor records
AP-02       | Purchase Requisition      | ME51N, ME52N, ME53N                    | Create and modify purchase requests
AP-03       | Purchase Order Creation   | ME21N, ME22N, ME23N                    | Create and modify purchase orders
AP-04       | Purchase Order Approval   | ME28, ME29N                            | Release and approve purchase orders
AP-05       | Goods Receipt             | MIGO, MB01, MB0A                       | Confirm receipt of goods or services
AP-06       | Invoice Verification      | MIRO, MIR7, MIR4                       | Enter and process vendor invoices
AP-07       | Payment Processing        | F110, F-53, F-58                       | Execute vendor payments
AP-08       | Bank Master Maintenance   | FI01, FI02                             | Create and modify bank master records
AP-09       | GL Account Posting        | FB01, FB50, F-02                       | Post journal entries to general ledger
AP-10       | Account Reconciliation    | F-03, F.13, FBRA                       | Clear and reconcile vendor accounts

SAP S/4HANA note: In S/4HANA, vendor master transactions XK01, FK01, and MK01 are deprecated and replaced by Transaction BP (Business Partner). If you execute the old transactions, SAP automatically forwards to BP. Your SoD ruleset should include both the legacy transactions and BP to cover ECC and S/4HANA environments. Additionally, S/4HANA Fiori apps like "Manage Business Partner" and "Create Supplier Invoice" should be included alongside their classic equivalents.

The conflict matrix

This segregation of duties matrix for accounting shows which function combinations create SoD conflicts:

                  | AP-01 Vendor | AP-02 Req | AP-03 PO Create | AP-04 PO Approve | AP-05 GR | AP-06 Invoice | AP-07 Payment | AP-08 Bank | AP-09 GL
AP-01 Vendor      | -            | Low       | Medium          | -                | -        | Medium        | Critical      | High       | -
AP-02 Req         | Low          | -         | Medium          | High             | -        | -             | -             | -          | -
AP-03 PO Create   | Medium       | Medium    | -               | Critical         | High     | Medium        | High          | -          | -
AP-04 PO Approve  | -            | High      | Critical        | -                | Medium   | -             | -             | -          | -
AP-05 GR          | -            | -         | High            | Medium           | -        | Critical      | -             | -          | -
AP-06 Invoice     | Medium       | -         | Medium          | -                | Critical | -             | High          | -          | Medium
AP-07 Payment     | Critical     | -         | High            | -                | -        | High          | -             | Critical   | High
AP-08 Bank        | -            | -         | -               | -                | -        | -             | Critical      | -          | High
AP-09 GL          | -            | -         | -               | -                | -        | Medium        | High          | High       | -

Critical AP SoD conflicts explained

1. Vendor master + payment processing (Critical)

The risk: A user creates a fictitious vendor, submits an invoice, and processes payment to an account they control.

SAP transactions involved:

  • Side A: BP (Business Partner), XK01 (Create Vendor), XK02 (Change Vendor), FK01 (Create Vendor - Accounting)
  • Side B: F110 (Automatic Payment Program), F-53 (Post Vendor Payment)

Note: In S/4HANA, XK01/FK01 are deprecated and replaced by Transaction BP. Your ruleset must include BP to cover S/4HANA environments.

Key authorization objects:

  • F_LFA1_BUK (Vendor Master - Company Code)
  • B_BUPA_RLT (Business Partner - Relationship Category, relevant for S/4HANA BP)
  • F_REGU_BUK (Payment - Company Code)

Resolution: Vendor creation should always be separated from payment execution. This is non-negotiable for SOX compliance.

2. Purchase order create + approve (Critical)

The risk: A user creates a purchase order and approves it themselves, bypassing the approval workflow entirely.

SAP transactions involved:

  • Side A: ME21N (Create PO), ME22N (Change PO)
  • Side B: ME28 (Release PO), ME29N (Cancel Release)

Key authorization objects:

  • M_BEST_EKG (Purchasing Group)
  • M_BEST_EKO (Purchasing Organization)
  • M_BEST_WRK (Plant)

Resolution: Implement release strategies in SAP that require different users for creation and approval. Ensure release authorization objects are assigned to separate roles.

3. Goods receipt + invoice verification (Critical)

The risk: A user confirms receipt of goods that were never delivered and matches it with an invoice for payment.

SAP transactions involved:

  • Side A: MIGO (Goods Receipt), MB01 (Post Goods Receipt)
  • Side B: MIRO (Enter Invoice), MIR7 (Park Invoice)

Key authorization objects:

  • M_MSEG_BWA (Movement Type)
  • M_RECH_BUK (Invoice Verification - Company Code)

Resolution: Separate warehouse/receiving functions from AP invoice processing functions.

4. Payment processing + bank master (Critical)

The risk: A user modifies bank routing information and then processes payments, potentially redirecting funds.

SAP transactions involved:

  • Side A: F110 (Automatic Payment), F-53 (Vendor Payment)
  • Side B: FI01 (Create Bank), FI02 (Change Bank)

Resolution: Bank master maintenance should be restricted to a very small group of users, separate from anyone involved in payment processing.

Industry-specific AP SoD considerations

Manufacturing

Manufacturing companies face additional AP risks around:

  • Subcontracting: Users managing subcontractor orders and confirming deliveries
  • Inventory valuation: Users adjusting inventory values and processing related invoices
  • Consignment: Users managing consignment stock and settling consignment payables

Financial services

Financial services organizations need stricter controls around:

  • Intercompany transactions: Cross-entity AP postings
  • Regulatory reporting: Ensuring AP data integrity for regulatory submissions
  • Counterparty management: Vendor master overlapping with counterparty/client data

Retail

Retail-specific AP considerations:

  • High-volume vendor management: Thousands of vendors requiring automated controls
  • Returns and credits: Credit memo processing separated from payment processing
  • Rebate management: Rebate agreements separated from invoice processing

AP functions in SAP S/4HANA: Fiori app equivalents

If your organization runs S/4HANA, your AP SoD matrix must cover Fiori apps alongside classic transactions. A ruleset that only checks transaction codes will miss users who access AP functions exclusively through Fiori.

AP Function          | Classic Transactions | S/4HANA Fiori Apps
Vendor Master        | BP, XK01, FK01, MK01 | Manage Business Partner, Supplier Factsheet
Purchase Requisition | ME51N, ME52N         | Manage Purchase Requisitions
Purchase Order       | ME21N, ME22N         | Manage Purchase Orders, Create Purchase Order
PO Approval          | ME28, ME29N          | Approve Purchase Orders
Goods Receipt        | MIGO, MB01           | Post Goods Receipt for Purchase Order
Invoice Verification | MIRO, MIR7           | Create Supplier Invoice, Manage Supplier Invoices
Payment Processing   | F110, F-53           | Schedule Automatic Payments, Post Outgoing Payments
Bank Master          | FI01, FI02           | Manage Banks

MTC Skopos supports both classic transaction codes and Fiori apps in its rulesets. See our S/4HANA SoD ruleset guide for details on building a ruleset that covers both.

Building your AP SoD matrix in SAP

Step 1: Define your scope

Start with the highest-risk AP functions:

  1. Vendor master maintenance
  2. Payment processing
  3. Purchase order management
  4. Invoice verification

These four areas cover the most critical accounting segregation of duties requirements.

Step 2: Map SAP transactions to functions

For each function, document all relevant:

  • Transaction codes (including Fiori apps if on S/4HANA)
  • Authorization objects and values
  • Custom transactions specific to your environment

Step 3: Define risk levels

Apply consistent risk ratings:

  • Critical: Direct fraud risk with financial impact
  • High: Significant control bypass or compliance risk
  • Medium: Operational risk or policy violation
  • Low: Minor control weakness, monitoring recommended

Step 4: Automate detection

Manual monitoring of AP SoD conflicts is impractical at scale. Use a segregation of duties tool to:

  • Import your AP SoD matrix
  • Run analysis against current user access
  • Generate conflict reports with specific user/role details
  • Track remediation progress

MTC Skopos imports your SoD ruleset directly from Excel and runs full analysis in minutes. The tool supports custom AP-specific rules alongside standard SoD checks.
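The analysis Step 4 describes, as an added example written for this page (not code from the guide or from MTC Skopos): it encodes the function table and conflict matrix above, including the Fiori app names from the S/4HANA table, and evaluates a user/role/transaction export against them per user across all roles, so a conflict split over two roles is still reported. The export rows, user IDs and Z_ role names are constructed sample data.

```python
# Added example, not part of the original guide or MTC Skopos: checks an exported
# (user, role, transaction) list against this page's AP functions and conflict matrix.
from collections import defaultdict

# AP-01..AP-09 from the function table, with the page's Fiori app names added for S/4HANA.
FUNCTIONS = {
    "AP-01": {"BP", "XK01", "XK02", "FK01", "FK02", "MK01", "MK02", "Manage Business Partner"},
    "AP-02": {"ME51N", "ME52N", "ME53N", "Manage Purchase Requisitions"},
    "AP-03": {"ME21N", "ME22N", "ME23N", "Manage Purchase Orders", "Create Purchase Order"},
    "AP-04": {"ME28", "ME29N", "Approve Purchase Orders"},
    "AP-05": {"MIGO", "MB01", "MB0A", "Post Goods Receipt for Purchase Order"},
    "AP-06": {"MIRO", "MIR7", "MIR4", "Create Supplier Invoice", "Manage Supplier Invoices"},
    "AP-07": {"F110", "F-53", "F-58", "Schedule Automatic Payments", "Post Outgoing Payments"},
    "AP-08": {"FI01", "FI02", "Manage Banks"},
    "AP-09": {"FB01", "FB50", "F-02"},
}
# Conflict matrix from the page, one entry per unordered pair (lower ID first).
CONFLICTS = {
    ("AP-01", "AP-02"): "Low", ("AP-01", "AP-03"): "Medium", ("AP-01", "AP-06"): "Medium",
    ("AP-01", "AP-07"): "Critical", ("AP-01", "AP-08"): "High", ("AP-02", "AP-03"): "Medium",
    ("AP-02", "AP-04"): "High", ("AP-03", "AP-04"): "Critical", ("AP-03", "AP-05"): "High",
    ("AP-03", "AP-06"): "Medium", ("AP-03", "AP-07"): "High", ("AP-04", "AP-05"): "Medium",
    ("AP-05", "AP-06"): "Critical", ("AP-06", "AP-07"): "High", ("AP-06", "AP-09"): "Medium",
    ("AP-07", "AP-08"): "Critical", ("AP-07", "AP-09"): "High", ("AP-08", "AP-09"): "High",
}
SEVERITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def functions_for(tcodes):
    """Return the sorted AP function IDs that a set of transaction codes / Fiori apps grants."""
    return sorted(f for f, codes in FUNCTIONS.items() if codes & set(tcodes))

def find_conflicts(assignments):
    """assignments: iterable of (user, role, tcode) rows, evaluated per user across roles.
    Returns {user: [(function_a, function_b, risk), ...]} with Critical first."""
    per_user = defaultdict(set)
    for user, _role, tcode in assignments:
        per_user[user].add(tcode)
    report = {}
    for user, tcodes in per_user.items():
        funcs = functions_for(tcodes)
        hits = [(a, b, CONFLICTS[(a, b)]) for i, a in enumerate(funcs)
                for b in funcs[i + 1:] if (a, b) in CONFLICTS]
        if hits:
            report[user] = sorted(hits, key=lambda h: SEVERITY[h[2]])
    return report

# Constructed sample export: JSMITH holds vendor master and payment access via two roles.
SAMPLE = [("JSMITH", "Z_AP_VENDOR", "XK01"), ("JSMITH", "Z_AP_PAY", "F110"),
          ("ALEE", "Z_FIORI_BUYER", "Manage Purchase Orders"),
          ("ALEE", "Z_FIORI_BUYER", "Approve Purchase Orders"), ("MCHEN", "Z_WH_RECEIVE", "MIGO")]
```

Calling find_conflicts(SAMPLE) flags JSMITH (AP-01 + AP-07, Critical) and ALEE (AP-03 + AP-04 through Fiori apps only, Critical) and nothing for MCHEN; a transaction-code-only ruleset would have missed ALEE entirely.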

AP SoD compliance requirements

SOX (Sarbanes-Oxley)

SOX Section 404 requires management to assess the effectiveness of internal controls over financial reporting. AP segregation of duties is a fundamental control that auditors expect to see documented and tested.

Key requirements:

  • Documented SoD matrix covering all material financial processes
  • Evidence of regular SoD analysis (at least quarterly)
  • Remediation plans for identified conflicts
  • Compensating controls documented for accepted risks

COSO framework

The COSO Internal Control Framework specifically addresses segregation of duties as a control activity. For accounts payable:

  • Authorization: Only authorized personnel can approve purchases and payments
  • Custody: Physical or digital access to payment systems is restricted
  • Record-keeping: Financial recording is separated from asset custody

Industry regulations

Additional requirements may apply:

  • Basel III (Banking): Strict operational risk controls
  • FDA 21 CFR Part 11 (Pharma): Audit trail and access control requirements
  • PCI DSS (Payment Card): Controls around cardholder data processing

Monitoring and maintenance

Regular review cycle

Frequency | Activity
Weekly    | Review new user/role assignments for AP conflicts
Monthly   | Run full AP SoD analysis across all users
Quarterly | Review and update AP SoD matrix with business owners
Annually  | Comprehensive review aligned with audit cycle

Key metrics to track

  • Total AP SoD conflicts (trending over time)
  • Critical conflicts with no compensating controls
  • Time to remediate identified conflicts
  • New conflicts introduced per period
  • Percentage of conflicts with did-do violations (the user actually executed both conflicting functions, not just held access to them)

Frequently asked questions

What is an accounts payable segregation of duties matrix?

An accounts payable segregation of duties matrix maps all AP-related functions (vendor management, invoice processing, payment execution, etc.) against each other to identify combinations that create fraud or error risk when held by a single person.

What are the key SoD conflicts in accounts payable?

The most critical AP SoD conflicts include: vendor master maintenance combined with payment processing, purchase order creation combined with purchase order approval, goods receipt combined with invoice verification, and invoice posting combined with payment execution.

How do you implement segregation of duties in accounting?

Implementing segregation of duties in accounting requires separating authorization, custody, and record-keeping functions across different individuals. In SAP, this means assigning roles so that no single user can complete an end-to-end financial process like procure-to-pay or order-to-cash.



Need help building your accounts payable SoD matrix? Explore MTC Skopos features or contact our consulting team for expert guidance.