TL;DR: Segregation of duties in modern ERP environments fails less because policies are missing than because privilege creep, role-level review, and cross-application conflicts let a single identity accumulate end-to-end transaction power, according to SafePaaS. The control problem is structural: finance and access governance break when review models cannot follow transaction paths across systems.
NHIMG editorial — based on content published by SafePaaS: Segregation of duties and ERP financial control breakdowns
Questions worth separating out
Q: What breaks when segregation of duties is only checked at the role level?
A: Role-level checks miss the way separate permissions combine into a harmful transaction path.
Q: Why do cross-application SoD conflicts create more risk than single-system conflicts?
A: Cross-application conflicts are harder to detect because each platform sees only part of the workflow.
Q: How do organisations know whether SoD controls are actually working?
A: SoD is working when no identity can complete a financially material transaction chain without independent oversight, and when entitlement reviews catch conflicts before they reach production use.
Practitioner guidance
- Map SoD at the transaction level: Trace the full procure-to-pay, order-to-cash, and record-to-report paths so you can identify combinations that let one identity originate, approve, and complete the same financial flow.
- Correlate entitlements across systems: Join access data from ERP, procurement, finance, and admin tools so cross-application conflicts such as vendor creation plus payment approval are visible in one review cycle.
- Remove access as part of SoD enforcement: Treat offboarding and temporary access expiry as control actions, not hygiene tasks, so one-time exceptions do not become permanent financial authority.
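The first two guidance points can be sketched as a single check that joins entitlement exports by identity and tests them against transaction-path rules. This is an added example, not code from SafePaaS or its article; the system names, permission strings, identities, dates, and rule set are constructed, and it assumes each export carries an optional expiry date that the source system enforces.

```python
from datetime import date

# Constructed entitlement exports: (identity, system, permission, expiry or None)
ENTITLEMENTS = [
    ("alice", "erp", "vendor.create", None),
    ("alice", "procurement", "payment.approve", None),
    ("bob", "erp", "vendor.create", None),
    ("bob", "procurement", "po.create", None),
    ("carol", "erp", "journal.post", None),
    ("carol", "finance", "journal.approve", date(2024, 1, 31)),  # temporary grant
    ("svc-batch", "erp", "invoice.enter", None),
    ("svc-batch", "erp", "payment.approve", None),
]

# Hypothetical rules: the steps of one transaction path that no single
# identity may hold together, whichever system grants each step.
RULES = {
    "P2P: create vendor + approve payment": {"vendor.create", "payment.approve"},
    "P2P: enter invoice + approve payment": {"invoice.enter", "payment.approve"},
    "R2R: post journal + approve journal": {"journal.post", "journal.approve"},
}

def active_permissions(entitlements, as_of):
    """Merge all exports into identity -> {permission: systems}, skipping expired grants."""
    merged = {}
    for identity, system, perm, expires in entitlements:
        if expires is not None and expires < as_of:
            continue  # grant has lapsed as of the review date
        merged.setdefault(identity, {}).setdefault(perm, set()).add(system)
    return merged

def find_conflicts(entitlements, rules, as_of):
    """Return sorted (identity, rule, is_cross_application) for each fully held rule."""
    findings = []
    for identity, perms in active_permissions(entitlements, as_of).items():
        for name, steps in rules.items():
            if steps.issubset(perms):  # identity holds every step of the path
                systems = set().union(*(perms[s] for s in steps))
                findings.append((identity, name, len(systems) > 1))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_conflicts(ENTITLEMENTS, RULES, date(2024, 1, 15)):
        print(finding)
```

The third field marks conflicts that span more than one system, which are the ones a per-platform review would not surface on its own.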
What's in the full article
SafePaaS's full article covers the operational detail this post intentionally leaves for the source:
- Specific procure-to-pay and record-to-report conflict examples that map directly to ERP control design.
- The automation approach for detecting SoD conflicts across SAP, Coupa, and other finance platforms.
- A downloadable process guide for teams that need to operationalise segregation checks in daily workflows.