Segregation of Duties
Segregation of duties (SoD), also called separation of duties, is an internal control that divides key tasks and responsibilities among different people. The goal is to prevent any single person from being able to commit and conceal fraud or errors.
The Core Principle
No single person should control all aspects of any critical transaction:
❌ Wrong: One person creates vendor, enters invoice, approves, and pays
✓ Right: Different people handle each step
The Three Key Functions
Segregation of duties separates three incompatible functions:
| Function | Description | Example |
|---|---|---|
| Authorization | Approving transactions | Approving vendor invoices |
| Custody | Physical control of assets | Handling checks, cash |
| Record-keeping | Recording transactions | Entering invoices in system |
Rule: The person who authorizes should not have custody. The person with custody should not record. The person who records should not authorize.
SoD in Accounts Payable
Vendor Setup
| Task | Should Be Done By |
|---|---|
| Request new vendor | Requester (operations) |
| Verify vendor legitimacy | AP or procurement |
| Create vendor in system | Master data team |
| Approve vendor | Manager/controller |
Risk without SoD: Someone creates a fake vendor and pays themselves.
Invoice Processing
| Task | Should Be Done By |
|---|---|
| Receive invoice | AP clerk A |
| Enter invoice | AP clerk A |
| Approve invoice | Manager (not clerk A) |
| Schedule payment | AP clerk B |
| Release payment | Controller/CFO |
Risk without SoD: Someone enters fraudulent invoices and approves their own payments.
Payment Execution
| Task | Should Be Done By |
|---|---|
| Prepare payment batch | AP staff |
| Review payment batch | AP supervisor |
| Sign checks (below threshold) | One authorized signer |
| Sign checks (at or above threshold) | Two authorized signers |
| Mail checks | Someone without signing authority |
Risk without SoD: Someone writes checks to themselves.
Common SoD Violations
Dangerous Combinations
| If Same Person Does Both… | Risk |
|---|---|
| Creates vendors + Approves invoices | Fake vendor fraud |
| Enters invoices + Approves payments | Invoice fraud |
| Signs checks + Reconciles bank | Theft concealment |
| Has system admin + AP access | Can override controls |
| Receives goods + Records receipt | Inventory theft |
Warning Signs
- One person “owns” entire AP process
- Resistance to cross-training
- Never takes vacation
- Defensive about their area
- Close vendor relationships
Implementing SoD
Step 1: Map Your Process
Document who does what in your current process:
Invoice received → [Person] → Invoice entered → [Person] → Approved → [Person] → Payment scheduled → [Person] → Payment released → [Person]
Step 2: Identify Conflicts
Look for one person controlling multiple incompatible functions.
Step 3: Reassign Duties
Separate incompatible functions among different people.
Step 4: Configure System Access
Align system permissions with duty assignments.
Step 5: Document and Train
Create written procedures and train all staff.
SoD for Small Teams
Challenge: Small AP teams may not have enough people to fully segregate duties.
Compensating Controls
When you can’t fully segregate:
| Compensating Control | How It Helps |
|---|---|
| Management review | Owner/CFO reviews all transactions |
| Bank reconciliation by owner | Independent check on payments |
| Dual signatures | Two people must approve payments |
| Exception reports | Flag unusual activity |
| External audit | Independent verification |
Minimum Controls for Small Teams
Even with just 1-2 AP people:
- Owner/manager approves all invoices over threshold
- Owner/manager signs all checks
- Owner receives bank statements directly
- Owner performs bank reconciliation (or reviews it)
- Annual external review
System Access Controls
Your accounting system should enforce SoD:
| Access Level | Typical Permissions |
|---|---|
| AP Clerk | Enter invoices, create vendor records (pending approval) |
| AP Supervisor | Approve invoices, approve new vendors (not create them) |
| Controller | Release payments, approve vendor changes (not create them) |
| System Admin | Technical access only, no transactions |
Common System Issues
- Shared login credentials
- Admin access given too broadly
- No approval workflows
- Override capabilities not monitored
SoD Matrix
Create a matrix showing who can do what:
| Function | AP Clerk | AP Manager | Controller | CFO |
|---|---|---|---|---|
| Create vendor | ✓ | Approve | | |
| Enter invoice | ✓ | | | |
| Approve invoice < $1K | | ✓ | | |
| Approve invoice $1K to $10K | | | ✓ | |
| Approve invoice > $10K | | | | ✓ |
| Sign checks | | | ✓ | ✓ |
| Bank reconciliation | | ✓ | | |

Note that the person who signs checks does not also reconcile the bank account, and the person who enters invoices approves none of them.
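Step 4 above ("align system permissions with duty assignments"), the System Access Controls table, and this matrix all describe the same check: take the role-to-permission mapping, take the dangerous combinations, and verify that no person ends up holding both halves of a pair, even when roles are stacked. The following is an added example written for this page, not code from the page or from BillerPlus; the role names, permission identifiers and the user list are assumptions constructed for the example, and amount thresholds are left to the approval workflow rather than modelled here.

```python
# Role -> permissions, following the SoD matrix above (role names and
# permission identifiers are assumptions made for this example).
ROLE_PERMISSIONS = {
    "AP Clerk":     {"create_vendor", "enter_invoice"},
    "AP Manager":   {"approve_vendor", "approve_invoice", "bank_reconciliation"},
    "Controller":   {"approve_invoice", "sign_checks"},
    "CFO":          {"approve_invoice", "sign_checks"},
    "System Admin": {"system_admin"},   # technical access only, no transactions
}

# Every transactional permission; system admin must not combine with any of them.
AP_PERMISSIONS = set().union(
    *(perms for role, perms in ROLE_PERMISSIONS.items() if role != "System Admin")
)

# Permission pairs no single person may hold (the "Dangerous Combinations" table).
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_invoice"}),    # fake-vendor fraud
    frozenset({"create_vendor", "sign_checks"}),        # vendor setup + payment
    frozenset({"enter_invoice", "approve_invoice"}),    # approving own entries
    frozenset({"enter_invoice", "sign_checks"}),        # invoice fraud
    frozenset({"sign_checks", "bank_reconciliation"}),  # theft concealment
    frozenset({"receive_goods", "record_receipt"}),     # inventory theft
} | {frozenset({"system_admin", p}) for p in AP_PERMISSIONS}


def effective_permissions(roles):
    """Union of permissions across every role a user holds (unknown roles raise)."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def find_conflicts(perms):
    """Toxic pairs fully contained in a permission set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= perms)


def roles_are_clean():
    """Each role on its own must be conflict-free; otherwise the matrix itself is wrong."""
    return all(not find_conflicts(perms) for perms in ROLE_PERMISSIONS.values())


def review_access(user_roles):
    """Access review: map each user holding a toxic combination to the pairs they hold.

    If roles_are_clean(), single-role users never appear; findings come from
    stacked roles (cross-training grants, 'temporary' access, admin + AP).
    """
    return {
        user: conflicts
        for user, roles in user_roles.items()
        if (conflicts := find_conflicts(effective_permissions(roles)))
    }


# Constructed access report (not real data), as exported from an accounting system.
USER_ROLES = {
    "alice": ["AP Clerk"],
    "bob":   ["AP Manager"],
    "carol": ["Controller"],
    "dave":  ["AP Clerk", "AP Manager"],     # cross-training grant never removed
    "erin":  ["System Admin", "AP Clerk"],   # admin doing data entry "to help out"
    "frank": ["Controller", "AP Manager"],   # signs checks and reconciles the bank
}

if __name__ == "__main__":
    assert roles_are_clean()
    for user, conflicts in review_access(USER_ROLES).items():
        print(user, "->", "; ".join(" + ".join(pair) for pair in conflicts))
```

Run against a real export, the report is the "inappropriate access" list from the Access Review step below; the roles_are_clean check is worth keeping as a standing test so that a change to a role definition cannot quietly reintroduce a conflict.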
Testing SoD
Regular testing ensures SoD is working:
Access Review
- Pull system access reports
- Compare to authorized duties
- Remove inappropriate access
Transaction Testing
- Sample invoices and payments
- Verify different people performed each step
- Investigate exceptions
Conflict Analysis
- Run reports showing who approved their own entries
- Check for vendor setup/payment by same person
- Review overrides and exceptions
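Transaction testing and conflict analysis look at what actually happened rather than what access allows: for each invoice, who entered it, who approved it, who created the vendor and who released the payment. The following is an added example written for this page, not code from the page or from BillerPlus. It runs the three checks listed above (self-approval, vendor setup and payment by the same person, overrides) plus the two-signer rule for payments at or above a threshold over a constructed audit-trail export; the event names, the CSV layout and the assumption that each signer's release is logged as its own payment_released row are all assumptions made for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed AP event log for this example (not real data): one row per step,
# as exported from the accounting system's audit trail. Each check signer's
# release is assumed to be logged as its own payment_released row.
EVENT_LOG = """\
ts,event,actor,invoice_id,vendor_id,amount
2024-05-01T09:00,vendor_created,alice,,V100,
2024-05-01T09:05,vendor_created,dave,,V300,
2024-05-02T10:00,invoice_entered,alice,INV-1,V100,800
2024-05-02T10:30,invoice_approved,bob,INV-1,V100,800
2024-05-03T11:00,payment_released,carol,INV-1,V100,800
2024-05-02T10:10,invoice_entered,alice,INV-2,V100,2500
2024-05-02T10:12,invoice_approved,alice,INV-2,V100,2500
2024-05-03T11:05,payment_released,carol,INV-2,V100,2500
2024-05-04T09:00,invoice_entered,alice,INV-3,V300,4200
2024-05-04T09:40,invoice_approved,bob,INV-3,V300,4200
2024-05-05T13:55,approval_override,dave,INV-3,V300,4200
2024-05-05T14:00,payment_released,dave,INV-3,V300,4200
2024-05-06T09:00,invoice_entered,alice,INV-4,V100,15000
2024-05-06T09:30,invoice_approved,bob,INV-4,V100,15000
2024-05-07T10:00,payment_released,carol,INV-4,V100,15000
2024-05-06T09:10,invoice_entered,alice,INV-5,V100,25000
2024-05-06T09:45,invoice_approved,frank,INV-5,V100,25000
2024-05-07T10:05,payment_released,carol,INV-5,V100,25000
2024-05-07T10:06,payment_released,frank,INV-5,V100,25000
"""

DUAL_SIGNATURE_THRESHOLD = 10_000  # assumed policy: two signers at or above this amount


def parse_log(text):
    """Group events by invoice; remember who created each vendor record."""
    vendor_creator = {}
    steps = defaultdict(lambda: defaultdict(set))   # invoice -> event -> {actors}
    vendor_of, amount_of = {}, {}
    for row in csv.DictReader(StringIO(text)):
        if row["event"] == "vendor_created":
            vendor_creator[row["vendor_id"]] = row["actor"]
            continue
        inv = row["invoice_id"]
        steps[inv][row["event"]].add(row["actor"])
        vendor_of[inv] = row["vendor_id"]
        amount_of[inv] = float(row["amount"])
    return vendor_creator, steps, vendor_of, amount_of


def find_conflicts(text, dual_threshold=DUAL_SIGNATURE_THRESHOLD):
    """Return sorted (invoice_id, rule, actor) findings for the conflict analysis."""
    vendor_creator, steps, vendor_of, amount_of = parse_log(text)
    findings = []
    for inv, events in steps.items():
        entered, approved = events["invoice_entered"], events["invoice_approved"]
        released = events["payment_released"]
        # Rule 1: someone approved an invoice they entered themselves.
        for actor in sorted(entered & approved):
            findings.append((inv, "self_approval", actor))
        # Rule 2: vendor record created and payment released by the same person.
        creator = vendor_creator.get(vendor_of[inv])
        if creator in released:
            findings.append((inv, "vendor_setup_and_payment", creator))
        # Rule 3: paid invoices at or above the threshold need two distinct releasers.
        # Unpaid invoices are skipped; they are not yet a dual-control failure.
        if released and amount_of[inv] >= dual_threshold and len(released) < 2:
            findings.append((inv, "missing_dual_control", ",".join(sorted(released))))
        # Rule 4: every override is an exception to review, whoever used it.
        for actor in sorted(events["approval_override"]):
            findings.append((inv, "override_used", actor))
    return sorted(findings)


if __name__ == "__main__":
    for inv, rule, actor in find_conflicts(EVENT_LOG):
        print(f"{inv}: {rule} by {actor}")
```

The same four rules apply unchanged to a sampled set of invoices or to the full period; sampling only changes which rows are fed in. Each finding is a starting point for the "investigate exceptions" step, not a conclusion, since a legitimate override still needs a documented reason.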
Related Terms
- AP Internal Controls - Complete controls framework
- Positive Pay - Check fraud prevention
- Three-Way Matching - Invoice verification
Want to establish a single front door for invoices that anyone can access but no one can manipulate? See how BillerPlus creates an independent intake audit trail →