Segregation of Duties Matrix – Excel File

42.29 $

Segregation of Duties (SoD) Matrix: Identifies sensitive access conflicts in ERP (e.g., create vendor + approve payment, change IBAN + execute transfer). Delivers a conflict log and mitigating controls for internal audit and finance governance.

SKU: DIS026
Description

Segregation of Duties (SoD) Matrix

Segregation of Duties (SoD) + ERP Conflict of Authority + Access Review Pack (Matrix + Rules + Exceptions + Sign-off)

Value Proposition: Segregation of Duties (SoD) is not a “general policy,” but a working document that closes one specific gap: the same user within the ERP holding conflicting authorities (creates/edits + approves + executes). This matrix gives you ERP Conflict of Authority in a testable format: a rulebook of conflicts, a mapping of roles to authorities, a user-level conflict report, and a remediation plan (remove authority/modify role/compensating control) with an exception register and a periodic authority review.

In 20 Seconds: What Will You Get?

  • Library of Segregation of Duties Rules: Definition of conflicts by process (Vendor/PO/GRN/Invoice/Payment/JE).
  • Clear Conflict Matrix: “Authority A + Authority B = Conflict” with risk classification (High/Medium/Low).
  • Financial User Authorities Report: Users ↔ Roles ↔ Conflicts (Who has the conflict? In which process?).
  • SoD for Procurement and Payments: Separation of Prepare/Approve/Release + Separation of Master Data from execution.
  • Practical Remediation Plan: Remove/Replace role + Split duties + Compensating control (with application guide).
  • Exception Register: Temporarily accepted conflicts with reason, duration, approver, and compensating control.
  • Access Review Pack: Access Review Checklist + Sign-off + Evidence Index (ready for audit).

Receive the Conflict Matrix + User Conflict Report + Remediation Plan as a single deliverable package.

Suitable For

  • Financial Controller: Wants to adjust ERP authorities before Month-End/Year-End and reduce untraceable journal entries/payments.
  • AP/Treasury Lead: Wants to separate payment preparation from approval and execution (Bank release).
  • Internal Audit: Needs to test access controls with evidence (Reports + Sign-off + Exceptions).

Not Suitable For

  • A company that cannot extract a report of Users/Roles/Permissions from the ERP or does not have an owner for the authorities (conflict analysis will be incomplete).
  • Anyone wanting “automatic application within the system” without involving the ERP/IT team in modifying roles and authorities.

Without SoD / With SoD (Brief Comparison)

  • Conflicting Authorities
    • Without Matrix: No visibility: who has Create/Approve/Release together?
    • With Matrix: User Conflict Report identifies conflicts for each user and process.
  • Procurement and Payments
    • Without Matrix: The same person may create a Vendor, then pass an Invoice, then initiate a Payment.
    • With Matrix: SoD for Procurement and Payments separates Master Data/Processing/Release.
  • Exceptions
    • Without Matrix: Unrecorded exceptions (no reason/duration/approver).
    • With Matrix: Exception Register + Compensating Controls + Expiration Date.
  • Audit
    • Without Matrix: Authority review relies on a “verbal question”.
    • With Matrix: Access Review Pack: Evidence + Sign-off + Version.

Before Use: 5 Symptoms That Access Within ERP Is Not Controlled

  • Users have “broad” Roles (Super user) under the pretext of rapid operation without a reduction plan.
  • AP has the ability to modify Vendor master + enter Invoice + approve or execute Payment.
  • Month-end closing relies on Manual JEs without separating “Prepared/Approved” or without mandatory attachments.
  • No authority review record (who was added/removed? And why?) and no periodic Sign-off.
  • Any exception (Urgent/Override) is done without documenting the reason or a compensating control.

Segregation of Duties (SoD): Implementation Method (3 Steps Without Gaps)

Step 1: Preparation and Collection of Authority Data and Workflows

  • Extract a report from the ERP: Users + Roles + Permissions (or Role-to-Transaction).
  • Identify financially critical workflows: Vendor/PO/GRN/Invoice/Payment + Bank release + Manual JEs.
  • Identify Owners: Who has the authority to approve Roles? (Finance owner / IT security owner).

Step 2: Build Conflict Rules and Analyze ERP Authority Conflicts

  • Apply Rulebook: Define conflicts (A+B) for each process (e.g., Create Vendor + Release Payment).
  • Output Conflict Matrix + Risk Classification + Identify “SoD for Procurement and Payments” cases.
  • Produce User Conflict Report: For each user, what are the conflicts and where do they occur within the cycle.

Step 3: Remediation Plan + Authority Review + Audit Pack

  • Remediation: Remove authority/modify role/split duties + identify compensating control when immediate separation is not possible.
  • Activate Access Review: Quarterly Checklist + Sign-off + Follow-up on remediation execution.
  • Issue an approved version: Version + Sign-off + Exception register + Evidence index.
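The three steps above, as an added worked example (written for this page; it is not the product's Excel workbook): a small Python script takes a constructed Users/Roles/Permissions export, applies an A+B rulebook with H/M/L risk classification, produces the user-level conflict report, and honours the exception register only while an exception is unexpired, so a lapsed exception resurfaces as an open conflict. It also flags roles that embed a conflict on their own, the case where remediation is role redesign rather than removing a role from a user. Every role, permission, user, rule and exception name below is hypothetical sample data.

```python
"""SoD conflict analysis: users x roles x permissions evaluated against an A+B rulebook."""
from dataclasses import dataclass
from datetime import date

# Constructed sample ERP export (hypothetical role and permission names, not a real system).
ROLE_PERMISSIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_SUPERVISOR": {"APPROVE_INVOICE", "RUN_PAYMENT"},
    "TREASURY": {"RELEASE_PAYMENT"},
    "GL_ACCOUNTANT": {"POST_JE"},
    "GL_REVIEWER": {"APPROVE_JE"},
    "FINANCE_SUPER": {"CREATE_VENDOR", "ENTER_INVOICE", "APPROVE_INVOICE", "RUN_PAYMENT", "RELEASE_PAYMENT", "POST_JE", "APPROVE_JE"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_SUPERVISOR"},
    "carol": {"GL_ACCOUNTANT", "GL_REVIEWER"},
    "dave": {"FINANCE_SUPER"},  # the "broad" super-user role
    "erin": {"AP_SUPERVISOR", "TREASURY"},
}

@dataclass(frozen=True)
class Rule:  # rulebook entry: holding perm_a together with perm_b is a conflict
    rule_id: str
    perm_a: str
    perm_b: str
    process: str
    risk: str  # H / M / L

RULEBOOK = [  # hypothetical rules, one per financial process
    Rule("SOD-01", "CREATE_VENDOR", "RELEASE_PAYMENT", "Procure-to-Pay", "H"),
    Rule("SOD-02", "CREATE_VENDOR", "ENTER_INVOICE", "Procure-to-Pay", "M"),
    Rule("SOD-03", "ENTER_INVOICE", "APPROVE_INVOICE", "Procure-to-Pay", "H"),
    Rule("SOD-04", "RUN_PAYMENT", "RELEASE_PAYMENT", "Payments", "H"),
    Rule("SOD-05", "POST_JE", "APPROVE_JE", "Record-to-Report", "H"),
]

@dataclass(frozen=True)
class ExceptionEntry:  # exception register row: accepted conflict with a compensating control
    user: str
    rule_id: str
    reason: str
    compensating_control: str
    approver: str
    expires: date

EXCEPTIONS = [  # constructed register: one live exception, one that has lapsed
    ExceptionEntry("carol", "SOD-05", "two-person GL team",
                   "monthly independent JE review by controller", "cfo", date(2025, 12, 31)),
    ExceptionEntry("bob", "SOD-03", "AP supervisor on leave",
                   "weekly invoice exception report", "controller", date(2024, 6, 30)),
]

def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Map each permission the user holds to the set of roles that grant it."""
    granted = {}
    for role in user_roles.get(user, ()):
        for perm in role_permissions.get(role, ()):
            granted.setdefault(perm, set()).add(role)
    return granted

def user_conflicts(user, as_of, rulebook=RULEBOOK, exceptions=EXCEPTIONS,
                   user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Evaluate every rule for one user; an exception only mitigates while it is unexpired."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    perms = effective_permissions(user, user_roles, role_permissions)
    register = {(e.user, e.rule_id): e for e in exceptions}
    found = []
    for rule in rulebook:
        if rule.perm_a not in perms or rule.perm_b not in perms:
            continue
        exc = register.get((user, rule.rule_id))
        if exc is None:
            status = "OPEN"
        elif exc.expires >= as_of:
            status = f"MITIGATED (exception until {exc.expires.isoformat()})"
        else:
            status = f"OPEN (exception expired {exc.expires.isoformat()})"
        found.append({"user": user, "rule_id": rule.rule_id, "process": rule.process, "risk": rule.risk,
                      "via": (sorted(perms[rule.perm_a]), sorted(perms[rule.perm_b])), "status": status})
    return found

def conflict_report(as_of, user_roles=USER_ROLES):  # user-level report, highest risk first
    order = {"H": 0, "M": 1, "L": 2}
    rows = [c for u in sorted(user_roles) for c in user_conflicts(u, as_of, user_roles=user_roles)]
    return sorted(rows, key=lambda c: (order[c["risk"]], c["user"], c["rule_id"]))

def intra_role_conflicts(rulebook=RULEBOOK, role_permissions=ROLE_PERMISSIONS):
    # Roles that embed a conflict by themselves: remediation is role redesign, not user removal.
    return [(role, r.rule_id) for role, perms in role_permissions.items()
            for r in rulebook if r.perm_a in perms and r.perm_b in perms]

def summary(report):
    """Cover-sheet counts: total conflicts, open high-risk, mitigated by an unexpired exception."""
    return {"total": len(report),
            "open_high": sum(1 for c in report if c["risk"] == "H" and c["status"].startswith("OPEN")),
            "mitigated": sum(1 for c in report if c["status"].startswith("MITIGATED"))}

if __name__ == "__main__":
    print(*conflict_report("2025-03-01"), summary(conflict_report("2025-03-01")), intra_role_conflicts(), sep="\n")
```

The "via" field records which roles grant each side of the conflict, which is what the remediation plan needs: when both sides come from a single role (here AP_CLERK for SOD-02), removing a role from the user cannot fix it and the role itself has to be split. Exceptions are keyed by (user, rule) and carry an expiry, so rerunning the report at a later date is enough to make lapsed exceptions reappear in the open list.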

Components of the Matrix (Clear Inventory)

  1. SoD Rulebook (Segregation of Duties Rules)

    • Practical Purpose: Define “what is a conflict” in an applicable manner (A+B) according to financial processes.
    • When Used: When establishing authorities or resetting Roles.
    • Resulting Guide: List of conflict rules with examples (Use cases) and risk classification.
  2. Conflict Matrix (ERP Conflict of Authority)

    • Practical Purpose: Transform rules into a clear matrix: Permission/Role A × Permission/Role B = Conflict.
    • When Used: During analysis + as a reference when creating a new Role.
    • Resulting Guide: Conflict matrix with Risk rating (H/M/L) and affected process path.
  3. Role Catalog & Role-to-Process Mapping

    • Practical Purpose: Link each Role within the ERP to the process it serves (Procurement/AP/Treasury/GL) to facilitate processing.
    • When Used: When interpreting conflicts and redesigning roles.
    • Resulting Guide: Role catalog + mapping sheet clarifying the function of each Role and its scope.
  4. User Access Review Template (Authority Review)

    • Practical Purpose: Template for reviewing financial user authorities: Who has what? Do they still need it? Who approved?
    • When Used: Quarterly/Annually or during job changes (Joiner/Mover/Leaver).
    • Resulting Guide: Access review sheets + Sign-off by owners.
  5. SoD for Procurement and Payments (Control Design Sheet)

    • Practical Purpose: Separate the critical control points: Vendor master ≠ Invoice processing ≠ Payment run ≠ Bank release.
    • When Used: When adjusting the AP/Payments cycle or auditing payments.
    • Resulting Guide: Design of task separation (Prepare/Review/Approve/Release) + list of responsible roles.
  6. Remediation Plan (Conflict Remediation Plan)

    • Practical Purpose: Convert the conflict report into actions: Remove permission / Split role / Replace role / Tighten approval.
    • When Used: After issuing the User conflict report and until closure (Closed).
    • Resulting Guide: Remediation plan with Open/Closed cases + execution date + responsible person.
  7. Exception Register + Compensating Controls

    • Practical Purpose: If separation is not possible (due to operational circumstances), document the exception with a testable compensating control (independent review/exception report/dual signature).
    • When Used: Emergency cases or small teams or transitional periods.
    • Resulting Guide: Exception register + evidence of the compensating control + expiration date.
  8. Access Control Evidence Pack (Fraud Prevention Controls)

    • Practical Purpose: Evidence pack to demonstrate that access controls are functioning (Rulebook + Conflicts + Reviews + Exceptions + Sign-off).
    • When Used: For internal/external audits or when testing controls (SOX/ICFR if applicable).
    • Resulting Guide: Pack index + evidence index + approved copy for the period.

Final delivery: Conflict Matrix + User Conflict Report + Remediation Plan + Exception Register with Pack Index and Sign-off.

What Should Be Included in the Delivery?

  • 01-Inputs: Export from the ERP (Users/Roles/Permissions) + Org roles/owners + Simplified description of the procurement and payments cycle and closing.
  • 02-Rulebook: Library of Segregation of Duties rules (A+B conflicts) + Risk classification.
  • 03-Conflict Matrix: ERP conflict matrix + Linking each conflict to the affected process.
  • 04-Role Catalog: List of roles + Role function + Linking to processes + Any high-sensitivity Roles.
  • 05-User Conflict Report: User-level conflict report (User/Role/Conflict/Risk/Process).
  • 06-Remediation Plan: Plan for removing/modifying authorities with status (Open/Closed) and responsible person and execution date.
  • 07-Exceptions: Exception register + Compensating controls + Expiration date + Approvals.
  • 08-Access Review: Access review templates + Sign-off by owners + Change log (Joiner/Mover/Leaver).
  • 09-Evidence Index: Evidence index showing where ERP reports/attachments/approvals are stored (for archiving).
  • 10-Version & Sign-off: Version number + Entity/branch scope + Approval date + Approvers + Next review date.

After Implementation (Two Key Points)

  • Operational Outcome for the Team: Roles become linked to the process (Procurement/AP/Treasury/GL) with clear approval and execution paths, reducing the need to grant “broad” authorities to facilitate work.
  • Control/Audit Outcome: You have a testing guide: Conflict report + remediation + exceptions + access review sign-off, and can trace any conflict and why it was accepted or closed.

FAQ — Questions Before Purchase

Is SoD the same as DOA (Delegation of Authority Matrix)?

No. DOA defines “who approves an amount/type of transaction.” SoD ensures that the same user does not have conflicting authorities (Create + Approve + Release) within the ERP even if there is a DOA.

Is the matrix suitable for any ERP?

Yes, provided that Users/Roles/Permissions can be extracted. Authority names differ between systems, but the logic of conflict (Master data + Processing + Release) is consistent.

Does SoD practically cover Procurement and Payments?

Yes: Separating Vendor master from AP processing from Payment run from Bank release, with identification of high-risk conflicts and a clear remediation plan.

What if our team is small and cannot separate all tasks?

Temporary exceptions are documented in the Exception register with testable compensating controls and expiration dates.

Does it include GL entries (Manual JEs)?

Yes: Conflict of “Post JE” with “Approve JE” or “Maintain COA” with “Post” as allowed by your system, with mandatory attachments and independent review when necessary.

What is the minimum data required to get started?

Export user authorities from the ERP + List of Roles + Identify Owners + Identify critical workflows (AP/Payments/GL/Procurement).

How often should authority reviews be conducted?

Practically: Quarterly or semi-annually for financial users + Immediate review upon (Joiner/Mover/Leaver) or when granting sensitive authority.

Is there a delivery template for reviewers?

Yes: Evidence Pack includes Rulebook + Conflict matrix + User conflict report + remediation + exceptions + access review sign-off + version.

Ready to Show Conflicts of Authority as a Closeable List?

Outputs: Conflict Matrix + User Conflict Report + Remediation Plan + Exception Register with Pack Index and Sign-off.
