What is Segregation of Duties?
The internal control principle requiring different people to handle different parts of a transaction to prevent fraud and errors.
Quick Definition
Segregation of duties (SoD) is an internal control mechanism that requires different individuals to be responsible for different parts of a transaction or process—preventing any single person from having complete control and reducing the risk of fraud, errors, and unauthorized activities.
- Requires collusion for fraud to occur (multiple bad actors)
- Catches errors through multiple review points
- Essential for SOX compliance and audit readiness
Understanding Segregation of Duties
Segregation of duties (SoD), also known as separation of duties, is one of the most fundamental internal controls in finance and accounting. The principle is simple: no single person should have control over all aspects of any critical transaction.
In accounts payable, this means the person who creates a vendor in your system shouldn't be the same person who approves invoices from that vendor. The person who enters an invoice shouldn't be able to approve it for payment. And the person who initiates a payment shouldn't be the one who releases the funds.
This separation creates natural checkpoints where fraud or errors can be detected. It also means that for fraud to succeed, multiple people must collude—dramatically reducing the likelihood of successful theft or manipulation.
The Three Core Duties to Separate
Authorization
The power to approve and authorize:
- Approving new vendors
- Authorizing invoices
- Approving payments
- Setting approval limits
Custody
Physical or system access to assets:
- Releasing payments
- Signing checks
- Bank account access
- Handling cash/cards
Recordkeeping
Ability to modify financial records:
- Entering invoices
- Creating vendor records
- Modifying GL entries
- Adjusting balances
Segregation of Duties in Accounts Payable
Key Separations Required
- Vendor setup separated from invoice approval
- Invoice entry separated from invoice approval
- Payment initiation separated from payment release
- AP processing separated from bank reconciliation
Why It Matters
- Prevents fictitious vendor fraud schemes
- Blocks unauthorized payment modifications
- Catches data entry errors before payment
- Creates clear accountability and audit trail
Why Segregation of Duties Matters
Of occupational fraud involves asset misappropriation
Median loss from billing fraud schemes
Months average duration before fraud detection
When proper segregation of duties is in place, fraudsters must convince or coerce multiple employees to participate. This dramatically reduces successful fraud attempts and shortens detection time when violations do occur.
Common SoD Violations in AP
| Violation | Risk | Proper Control |
|---|---|---|
| Same person creates & approves vendors | Fictitious vendor fraud | Separate vendor admin from AP approval |
| Same person enters & approves invoices | Unauthorized payments | Require independent approval |
| Approver can modify bank details | Payment redirection fraud | Lock bank data from approvers |
| AP staff does bank reconciliation | Hidden discrepancies | Assign reconciliation to treasury |
| Self-approval of expenses | Personal expense fraud | Require manager approval for all |
How to Implement Segregation of Duties
Map All Critical Processes
Document every step in vendor management, invoice processing, and payment execution. Identify who performs each step.
Identify Conflicting Duties
Find where the same person has authorization, custody, or recordkeeping roles that should be separated.
Reassign Responsibilities
Redistribute duties so no person controls multiple critical functions. Document the new assignments clearly.
Configure System Controls
Set up role-based access controls in your AP system that enforce separation. Block conflicting permissions.
Implement Compensating Controls
Where full separation isn't possible (small teams), add extra oversight like detailed management review.
Monitor and Audit Regularly
Run periodic access reviews and SoD violation reports. Address conflicts promptly and document exceptions.
Segregation of Duties Best Practices
Use Role-Based Access Controls
Configure your AP system with predefined roles that have mutually exclusive permissions. Don't assign conflicting roles to the same user.
Implement Dual Control for High-Risk Actions
Require two people for critical actions like changing bank account details, releasing large payments, or modifying master data.
Run Regular SoD Violation Reports
Generate automated reports showing users with conflicting access rights. Review and remediate violations promptly.
Document Compensating Controls
When full separation isn't possible, document what compensating controls exist (reviews, audits, monitoring) and ensure they're actually performed.
Prevent Self-Approval
The system should automatically prevent users from approving their own expenses, invoices they entered, or vendors they created.
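The SoD violation report and the self-approval block described above, as an added example that is not from this page or from any AP product. Permission names, roles, and users are hypothetical; the conflict pairs mirror the separations and risks listed in the violations table.

```python
# Added example: SoD conflict report plus a self-approval guard.
# Permission names, roles and users below are hypothetical.

# Conflicting permission pairs, following the separations the page lists.
CONFLICTS = {
    frozenset({"vendor.create", "invoice.approve"}): "Fictitious vendor fraud",
    frozenset({"invoice.enter", "invoice.approve"}): "Unauthorized payments",
    frozenset({"invoice.approve", "vendor.bank.edit"}): "Payment redirection fraud",
    frozenset({"payment.initiate", "payment.release"}): "Initiation not separated from release",
    frozenset({"invoice.enter", "bank.reconcile"}): "Hidden discrepancies",
}

# Role -> permissions. Each role on its own is conflict-free.
ROLES = {
    "vendor_admin": {"vendor.create", "vendor.bank.edit"},
    "ap_clerk": {"invoice.enter", "payment.initiate"},
    "ap_approver": {"invoice.approve"},
    "treasury": {"payment.release", "bank.reconcile"},
}

def effective_permissions(role_names):
    """Union of permissions across every role a user holds."""
    perms = set()
    for role in role_names:
        perms |= ROLES[role]
    return perms

def sod_report(assignments):
    """Return sorted (user, perm_a, perm_b, risk) for each conflicting pair held."""
    findings = []
    for user, role_names in assignments.items():
        perms = effective_permissions(role_names)
        for pair, risk in CONFLICTS.items():
            if pair <= perms:  # user holds both sides of the conflict
                a, b = sorted(pair)
                findings.append((user, a, b, risk))
    return sorted(findings)

def can_approve(invoice, approver, assignments):
    """Approval needs the permission and a different person than the enterer."""
    perms = effective_permissions(assignments.get(approver, ()))
    return "invoice.approve" in perms and approver != invoice["entered_by"]

# Constructed sample: carol changed jobs but kept her old ap_clerk role.
ASSIGNMENTS = {"alice": ["ap_clerk"], "bob": ["ap_approver"],
               "carol": ["ap_clerk", "ap_approver"], "dave": ["treasury"]}

if __name__ == "__main__":
    for row in sod_report(ASSIGNMENTS):
        print(row)
```

The report works on effective permissions rather than role names, so conflicts that only appear when roles accumulate on one user are still caught.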
Common Segregation of Duties Mistakes
- Over-provisioning access — Giving users more system access than they need "just in case" creates SoD violations
- Ignoring emergency access — Temporary elevated access that never gets revoked leads to permanent conflicts
- Shared accounts or credentials — Multiple people using one login destroys accountability and SoD controls
- Compensating controls that aren't performed — Documented reviews that don't actually happen provide false assurance
- Not updating access after role changes — People change jobs but keep old access, accumulating conflicts