https://www.sikich.com

Why segregation of duties is a key internal control and how to implement it


WRITTEN BY

Veronika Fritz

Segregation of duties (SoD) is a key internal control that involves splitting critical activities so no single individual can initiate, approve, record, and reconcile the same transaction end‑to‑end. At its core, effective SoD comes down to a simple control principle: at least two sets of eyes should be on critical transactions. 

This article dives into common error and fraud scenarios, and the potential consequences of inadequate SoD. Additionally, it covers SoD implementation approaches tailored to small, large private, and public companies.

What can happen without adequate SoD?

To apply SoD in practice, organizations typically segregate transaction responsibilities into four key functions, often referred to as the “four Rs”:

  • Request/initiate: originate a transaction
  • Review/approve: authorize the transaction
  • Record: post the transaction to the general ledger
  • Reconcile/report: independently review the results

When duties are not segregated, individuals may have the ability to control a transaction from start to finish. Errors and fraud become more probable without at least one other set of eyes on critical transactions. Common examples include:

  • Unauthorized payments: One individual creates a vendor ID, enters an invoice for that vendor, approves the payment for that invoice, and pays it (self-dealing or shell vendors).
    • Procure-to-Pay (P2P): A conflict exists when the same person:
      • maintains vendor master data and releases payments 
      • enters invoices and approves invoices 
      • creates payments and administers banking transactions.
  • Payroll conflicts: SoD conflicts exist when the same person sets up new hires, processes payroll, approves payroll, and uploads the bank file.
  • Treasury conflicts: SoD conflicts exist when the same person is in charge of bank administration and payment release, or forecasts cash and reconciles bank statements.
  • Skimming and concealment: Someone receives cash, records it, and reconciles the bank statements, allowing stolen funds to be concealed with little chance of detection.
  • Fictitious refunds or credits: A single individual issues customer credits and posts them to the ledger without independent approval or documentation.
  • Inventory misuse: A warehouse manager records inventory receipts, makes inventory adjustments, and performs physical counts, making it possible to conceal inventory shrinkage or theft.
  • Financial misstatements: A preparer posts journal entries and also performs the related account reconciliations, so that material errors or intentional misstatements go undetected.
  • Information Technology (IT): SoD conflicts in an IT environment exist when the same person provisions user access and performs access reviews, or when developers can deploy changes into production without independent approval.

These examples often occur in the real world but are solvable.

Without adequate SoD, the ability to control the transaction end-to-end can lead to significant consequences, including financial loss, regulatory fines, reputational damage, adverse auditor conclusions, and, for public companies, reported material weaknesses that may negatively affect valuation and access to capital. 

Material weakness consequences

If SoD deficiencies aren’t appropriately identified or mitigated, they can become a material weakness in the company’s internal control over financial reporting (ICFR) processes. A material weakness exists when a control deficiency, or combination of deficiencies, creates a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected on a timely basis.

When a SoD-related issue is determined to be a material weakness, the impacts can be significant and far-reaching:

  • Adverse ICFR opinion: For a public company, an auditor issues an adverse opinion on the effectiveness of ICFR in the annual Form 10-K. This can raise concerns about the reliability of financial reporting. For non-public companies, auditors communicate material weaknesses in writing to management and the audit committee.
  • Disclosure obligations: Management must disclose any material weakness in Item 9A of Form 10-K, which often leads to increased scrutiny from investors, lenders, and regulators.
  • Financial and valuation impacts: Investors and lenders may react to a material weakness with a higher cost of capital or a lower valuation.
  • Remediation effort and cost: Management must design, implement and evidence effective controls. For SoD issues, this often involves redesigning processes, reassigning responsibilities, retesting controls and, in some cases, restatement if misstatements occurred.

Implementation advice by company size

Effective SoD presents different challenges depending on an organization’s size, complexity and resources. While the underlying control principles are the same, the approach to achieving SoD might vary. The sections below outline practical approaches for small companies, large private organizations, and public companies subject to SOX requirements:

Small companies

Challenge: Smaller organizations often have limited staff, making it difficult to segregate responsibilities.

Approach: When segregation isn’t feasible, management should implement compensating controls for independent review and increased oversight: 

  • Increase leadership oversight: This often takes the form of additional management reviews. For example, owners, CEOs or CFOs review documents – such as bank statements, vendor change reports, payroll registers, journal entry listings and account reconciliations – to provide a second set of eyes on critical transactions.
  • Enforce dual authorization: Require dual authorization for payments above pre-set thresholds in both AP systems and banking portals, with approvals routed to the owner, CEO or a board member when there is only one finance staffer. 
  • Rotate responsibilities: Periodic rotation or temporary reassignment of duties and mandatory vacations can surface issues and reduce fraud risk. 
  • Seek external support when needed: If necessary, hire outside resources such as a part-time controller, a CPA firm, or outsourced accounts payable services. 
  • Enable system monitoring: Turn on system logging and configure alerts for vendor master changes, user access modifications, and off-cycle payments, to provide immediate notification and allow for timely reviews.

Large private companies

Challenge: Large companies often operate multiple systems with more users, higher transaction volumes, and broader categories – potentially requiring finely tuned SoD.

Approach: Formalize SoD across processes and systems with a centralized framework that clearly defines roles, responsibilities, and oversight: 

  • Define roles with a RACI framework: Explicitly define who can request, approve, record, and reconcile each process using a RACI chart. 
  • Implement role-based access controls (RBAC): Create job-based roles with approved RBAC combinations to systematically control SoD, especially restricting and closely monitoring “power users.”
  • Establish a formal SoD ruleset: Develop and implement a formal SoD ruleset or matrix (e.g., prohibiting users from both creating vendors and releasing payments) to prevent end-to-end access to and control over a single transaction. The ruleset requires periodic conflict scans to reflect changes in processes or resources and to ensure that SoD stays up to date.
  • Review access for personnel changes: Ensure that organizational or employee changes trigger access reviews so that permissions align with updated roles or terminations.
  • Conduct regular access recertifications: Require quarterly manager reviews and re-approval of user access to reinforce accountability and control integrity.
  • Strengthen governance and audit oversight: Leverage governance or internal audit functions to test compliance, review risk mitigating controls, and identify exceptions – supporting a strong internal control environment where SoD plays a key role.

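As an added example (not code from the article or from Sikich), the script below runs the kind of conflict scan the ruleset bullet describes: a constructed SoD matrix of prohibited capability pairs is checked against each user's effective permissions, so a toxic combination split across two individually clean roles is still caught. All roles, capabilities, rules and users are assumed sample data.

```python
# Added example (not from the article): scan role assignments against a SoD
# ruleset. Roles, capabilities, rules and users below are constructed sample data.
from itertools import combinations

# role -> capabilities it grants (constructed, loosely following the "four Rs")
ROLES = {
    "AP_CLERK": {"invoice.enter", "vendor.create"},
    "AP_MANAGER": {"invoice.approve", "payment.release"},
    "TREASURY": {"bank.admin", "cash.forecast"},
    "GL_ACCOUNTANT": {"journal.post"},
    "RECONCILER": {"account.reconcile", "bank.reconcile"},
}

# SoD matrix: capability pairs one person must never hold together
SOD_RULES = {
    ("vendor.create", "payment.release"): "P2P: vendor master + payment release",
    ("invoice.enter", "invoice.approve"): "P2P: enter + approve invoices",
    ("payment.release", "bank.admin"): "Treasury: bank admin + payment release",
    ("cash.forecast", "bank.reconcile"): "Treasury: forecast cash + reconcile bank",
    ("journal.post", "account.reconcile"): "GL: post entries + reconcile accounts",
}

def effective_permissions(assigned_roles, roles=ROLES):
    """Union of everything the user's roles grant."""
    return set().union(*(roles.get(r, set()) for r in assigned_roles))

def violated_rules(perms, rules=SOD_RULES):
    return [desc for (a, b), desc in rules.items() if a in perms and b in perms]

def find_conflicts(user_roles, roles=ROLES, rules=SOD_RULES):
    """{user: [rule descriptions]} for users whose *combined* roles break a rule.
    Checking effective permissions catches combinations spanning two roles."""
    findings = {}
    for user, assigned in user_roles.items():
        hits = violated_rules(effective_permissions(assigned, roles), rules)
        if hits:
            findings[user] = hits
    return findings

def conflicting_role_pairs(roles=ROLES, rules=SOD_RULES):
    """Design-time check: role pairs that must never be granted together."""
    return [(r1, r2) for r1, r2 in combinations(sorted(roles), 2)
            if violated_rules(roles[r1] | roles[r2], rules)]

USERS = {  # constructed sample assignments for the scan
    "alice": ["AP_CLERK", "AP_MANAGER"],
    "bob": ["AP_CLERK"],
    "carol": ["TREASURY", "AP_MANAGER"],
    "dave": ["GL_ACCOUNTANT", "RECONCILER"],
}
```

Running `find_conflicts(USERS)` flags alice, carol and dave; `conflicting_role_pairs()` lists the role combinations an access request should never be approved for, which is the same matrix applied before access is granted rather than after.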
Public companies

Challenge: Public companies must maintain evidence-documented controls, with SoD as a key internal control to support management and external audit assessments (e.g., SOX compliance).

Approach:

  • Maintain a documented control framework: Develop and maintain a control matrix that documents key controls to financial statement assertions, with clearly defined SoD logic, defensible evidence, and timely issue remediation.
  • Support SoD with IT general controls (ITGCs): Ensure that user provisioning, change management, and logging controls are in place to support the SoD environment.
  • Perform structured testing and monitoring: Establish a formal testing cadence for design and operating effectiveness testing, supported by GRC or IAM tools to identify SoD conflicts and manage exceptions through compensating controls.
  • Maintain audit-ready documentation: Create clear, timestamped evidence – such as approval records, system logs, and reconciliation signoffs – with preparer and reviewer identification to support both management’s ICFR assessments and external audit requirements.

Final thought

Errors and fraud destroy confidence in companies of any size. Small companies can achieve SoD with targeted compensating controls, while larger private and public companies can institutionalize it through RBAC, monitoring, and evidence‑driven processes. SoD is foundational in a SOX environment and to the long-term future of your business. Our team of experts is available to discuss SoD assessments, implementation and sustainable governance models tailored to your needs.

Author

Veronika Fritz is a Principal at Sikich, providing leadership and innovation to organizations in governance, risk, and control optimization. With a career spanning over two decades in internal audit, she brings expertise from the details of internal audits, data analytics, ERP configuration optimization and licensing/royalty reviews to reporting results to the Audit Committee.