One of the most common SoD disputes in audit work is whether a detective compensating control resolves an underlying preventive control failure. The journal entry scenario is a textbook example of exactly this debate, and the answer has important implications for how auditors classify control deficiencies.
The short answer: your colleague is correct. Here is the precise reasoning.
The Scenario and the SoD Conflict
The setup: a CFO who can post journal entries to the general ledger, who also serves as the approver for all large entries posted by others. When the CFO personally posts an entry, CEO and Board approval is required, but that approval happens at a subsequent meeting, after the entry is already live in the system.
Mapping this to SoD functions:
The CFO can initiate (create and post journal entries directly). The CFO can authorize (approve other users' entries). And the CFO can post their own entries before any independent approval is recorded in the system.
This is the textbook "create plus approve" toxic combination. The specific conflict in journal entry processing is well-documented in audit literature: the person who creates a journal entry should not have the system-level ability to post it without an independent approver acting first. Combining journal preparation and posting capability enables unauthorized adjustments to financial results, particularly during period close when oversight pressure is highest.
Why CEO and Board Approval Does Not Resolve the Conflict
The argument that there is no SoD issue rests on the existence of the CEO and Board approval requirement. This argument misunderstands the distinction between preventive and detective controls.
Preventive controls block an error or fraudulent act before it happens. A system that requires an independent approver to record approval before a journal entry can be posted is a preventive control. The transaction cannot complete until the control is satisfied.
Detective controls identify an error or violation after it has occurred. CEO and Board review of CFO-posted entries at a subsequent meeting is a detective control. The entry is already in the general ledger, affecting financial statements, during the gap between posting and review.
The CEO and Board requirement does not change the underlying SoD conflict. The CFO can still post an entry without any independent person seeing it first. Whether the approval eventually comes later is a separate question from whether the SoD structure is sound.
The Critical Distinction: Policy Versus System Enforcement
The most important question an auditor should ask in this scenario is whether the CEO and Board approval is built into the system as a required prerequisite for posting, or whether it is a policy that depends on the CFO self-reporting entries for review.
If the system structurally blocks the CFO's entries until a CEO or Board member records approval in the GL, the SoD conflict may be resolved (though the CEO's own system access and permissions would also need evaluation).
If the system allows the CFO to post freely and the policy simply says the CFO must subsequently obtain approval, the SoD conflict exists regardless of whether the policy is generally followed.
The distinction matters because policies can be circumvented and a system control cannot. An entry that is posted before the required approval arrives is live in the financial statements. In a genuine fraud scenario, an entry could be posted, used to distort financial reporting or conceal a fraud, and then reversed before the next Board meeting makes it invisible to the after-the-fact review.
The Timing Gap and What It Enables
The timing gap between a CFO posting an entry and the next Board meeting, which could be days or weeks, creates specific risks that the compensating control does not address:
Financial decisions may be made based on financial statements that contain the unreviewed entry. External reports or debt covenants that reference those statements could be affected. The entry could be reversed before the Board meeting, making it invisible to the review that was supposed to provide oversight. During period-end close, when pressure to post quickly is highest, entries go into the system with the least scrutiny.
None of these risks are eliminated by the existence of a subsequent approval requirement. They are the risks that exist in the gap between posting and review.
How Auditors Classify This
When evaluating whether a control deficiency exists and how severe it is, auditors ask whether one person can initiate and approve the same transaction, whether there is a system-level block preventing this, and whether any compensating control is timely, documented, and consistently evidenced.
In this scenario: the CFO can initiate and authorize the same journal entry. There is no system block. The CEO and Board review is a compensating control, but its effectiveness depends on whether it is actually performed and documented, how frequently it occurs, whether it covers all CFO-posted entries or only a subset, and whether the review happens before financial statements are finalized or after.
An auditor would test the operating effectiveness of the compensating control by selecting a sample of CFO-posted entries and verifying that documented CEO or Board approval exists for each one, with timestamps that predate any significant use of the financial statements. If the approval documentation is missing, inconsistent, or consists only of informal references in Board minutes rather than entry-level sign-off, the compensating control has significant weaknesses.
The classification of the deficiency, whether a control deficiency, significant deficiency, or material weakness, depends on the dollar thresholds involved, the frequency of CFO-posted entries, the frequency of Board meetings, and the quality of the compensating control documentation.
What Proper SoD Looks Like for Journal Entries
The correct design for this control environment:
A controller or accountant prepares and posts journal entries. The CFO approves entries posted by the controller, not their own entries. For entries the CFO needs to initiate, a CEO or designated Board member approves in the system before posting completes. System permissions reflect these roles: the CFO does not have the system-level ability to both post and serve as the sole approver.
This structure means no entry can be live in the general ledger without an independent person having approved it in the system first. The approval is not after-the-fact. The system does not permit the transaction to complete without it.
The SoD Question Versus the Authorization Question
SoD analysis asks a different question from authorization analysis. Authorization asks whether an action was approved by someone with the right to approve it. SoD asks whether the person who took the action also holds the ability to approve, record, or reconcile it.
The CFO in this scenario passes the authorization test if the CEO or Board eventually approves. But they fail the SoD test because they hold the system-level ability to both initiate and authorize journal entries, and the independent approval comes after the fact rather than as a prerequisite.
This distinction is the core of the disagreement in this audit file and the reason your colleague is correct. The CEO and Board approval is a valid compensating control that should be acknowledged and tested, but it does not eliminate the underlying SoD conflict.
What to Tell Your Manager
The framing for your manager conversation:
The CEO and Board approval is a valid compensating control that reduces risk from the underlying SoD conflict. But it does not eliminate the conflict itself. The CFO still holds the system-level ability to both initiate and authorize journal entries. The proper SoD design would require the system to block CFO-posted entries until independent approval is recorded before posting, not a policy requiring post-hoc review at the next meeting. This is a control deficiency at minimum, with the CEO and Board review as the documented compensating control. Testing should include a sample of CFO-posted entries to verify the compensating control is consistently operated and documented.
How System-Level SoD Enforcement Works
The difference between the current control environment and sound SoD design is the difference between a policy and a system control. A policy says the CFO must obtain approval. A system control means the CFO cannot post without approval being recorded.
Zluri's SoD module applies this same logic at the application access layer. Rather than relying on policies about which users should not hold certain permission combinations, the platform monitors for toxic combinations in real time and enforces remediation before conflicts persist. When a user holds the ability to both create and approve journal entries, that conflict is flagged as it forms, not when someone thinks to check during an audit.
The underlying principle is the same whether the context is journal entries or access provisioning: the mechanism of control matters as much as the existence of a requirement. A requirement that depends on human compliance provides weaker assurance than a control that structurally prevents the problematic action.
















