Former Member

Sensitive Access risk vs. Segregation of Duties violations risk reports

I was wondering if anyone can provide me with some indications in this area.

I have an SA report and then an SOD report (with Access Risk IDs P003, S026 and Z098 accounting for 50% of violations). The reports are only on High Risk Level SA and SOD violations.

To confirm, SA results in an SOD violation, right? Because I believe the two are distinct (SAP produces 2 separate reports), and it's a violation of SA that results in users being able to actually 'post' transactions that count as SOD violations. Besides, the Access Risk IDs for SOD violations are quite different from those for SA as per the generated reports. Can anyone please shed more light on this?

I am not IT and am simply tackling this from the compliance point of view. I do the SA and SOD report analysis and am to advise on remediation or mitigation procedures. The users having these violations are saying that they simply have a 'view' of the transactions and that no actual transactions are taking place. I don't work from the same branch as the users.


0 Answers