Segregation of duties sounds like enterprise compliance language. In practice, it is one of the most important fraud prevention concepts for small businesses, and arguably more urgent at small scale than at large scale.
In a large company, multiple people handle financial processes by default. The accounts payable team, the treasury team, and the CFO's office provide separation through sheer organizational structure. In a small company with five or ten or twenty people, one trusted employee might handle vendor setup, payment processing, and the bank reconciliation. That combination is exactly the condition that enables undetected fraud to continue for years.
Most small-business financial fraud is committed by long-tenured, trusted employees. Not outsiders, not new hires. The person who has been there longest, who everyone relies on, who "knows everything" about the financial systems. Trust is not a control. SoD is.
What Segregation of Duties Actually Means
The core principle is simple: no single person should control all three phases of a financial transaction.
Authorization is the decision that a transaction should happen: approving a payment, authorizing a new vendor, signing off on payroll.
Custody is handling the assets involved: receiving payments, releasing funds, processing transactions.
Recording is documenting what happened: entering transactions into the accounting system, reconciling accounts, maintaining the books.
When one person authorizes, executes, and records a transaction, they have complete control with no check on their actions. An error goes undetected because there is no second set of eyes. Fraud goes undetected because the person committing it is also the person recording it.
Splitting these functions across different people (or, where that is not possible, using system controls and owner review as compensating controls) is the foundation of financial controls in any organization.
Practical SoD by Function
Cash Receipts
The ideal: one person receives payments, another records them, and the owner reviews deposits against the bank feed.
When you only have one person handling this function: use direct deposit or a lockbox to remove manual cash handling, enable daily bank feed reviews by the owner, and outsource monthly reconciliations to someone outside the transaction chain.
Accounts Payable
The ideal: one employee enters bills, the owner (or another authorized person) approves payments, and someone else releases them.
Small-company workaround: require dual approval for ACH transfers and wire payments, limit check signing authority to the owner, and have the owner review a payment summary weekly rather than approving each transaction individually.
Payroll
The ideal: HR inputs hours, accounting processes the payroll run, and the owner approves the final register before funds are released.
Small-company workaround: use a payroll service to remove internal processing from a single employee's hands, have the owner review the payroll register every pay period, and enforce a hard rule that no employee can modify their own pay records.
Vendor Management
The ideal: one person sets up new vendors, another approves the additions and any changes.
Minimum control: the owner approves all new vendor additions, and someone reviews the vendor master quarterly for entries that should not be there.
Bank Reconciliations
The ideal: the person reconciling bank accounts has no payment authority.
Minimum control: the owner reviews reconciliations monthly, and bank statements are sent directly to the owner's email rather than passing through anyone else first.
The Owner as the Control
In a small business, the owner is not just a stakeholder in financial controls. The owner is often the control itself.
No SoD framework works if the owner is not actively reviewing. At minimum, owners should review bank and credit card statements monthly, approve all payments above a defined threshold, review financial statements monthly, and ask questions when numbers do not make sense.
The specific controls matter less than the consistent habit of review. An owner who looks at the bank statements every month will catch anomalies. An owner who delegates this review entirely has removed the last check in the system.
When You Cannot Fully Separate Duties
Small teams cannot always achieve perfect separation. A company with two people in finance cannot create four distinct roles. The practical answer is compensating controls: additional oversight or system controls that reduce the risk created by the inability to fully separate.
Compensating controls in practice:
- Owner review of transactions above a threshold when the same person approves and processes below it
- Read-only access for reviewers who check work but cannot modify records
- Outsourced bookkeeping that brings an independent party into the recording function
- System-enforced approval workflows that require a second party's action before a transaction can be completed
- Bank alerts for large or unusual transactions that notify the owner directly
The goal is not perfect separation. It is enough visibility and independent review to catch errors and deter fraud.
How Systems Replace Headcount in SoD
The most practical insight for small businesses is that system controls can do much of what additional headcount would otherwise provide.
Accounting software with approval workflows requires a second person to approve before a payment releases, regardless of whether that person is sitting nearby or reviewing from home. Read-only access ensures that reviewers can see everything but change nothing. Bank feed integration brings the owner into the recording function without requiring the owner to manually enter transactions.
The same logic applies at the identity and access layer. Who has permission to create vendors in your accounting system? Who can approve payments? Who can run payroll? If the same user account has all three permissions in your financial software, you have a system-level SoD failure regardless of what your policies say.
SoD at the System Permission Level
The access control layer of financial software is where SoD controls are either enforced or broken. Most organizations define SoD policies in documents but do not verify whether those policies are reflected in actual system permissions.
The specific conflicts that matter most:
- Vendor creation and payment approval held by the same user
- Purchase order creation and purchase order approval held by the same user
- Expense submission and expense authorization held by the same user
- Payroll record modification and payroll execution held by the same user
- Employee record management and termination authority held by the same user
Each of these combinations allows a single person to initiate and complete a financial workflow without independent review. The combination is the control failure, not any individual permission on its own.
For organizations using enterprise financial applications (QuickBooks, NetSuite, SAP, or similar), Zluri's SoD module includes pre-built toxic rule sets for these specific conflict patterns. Rather than manually auditing who has which permissions in each application, the platform continuously monitors for conflicting permission combinations and flags them as they occur, with configurable remediation: alert the policy owner, route for review, or automatically revoke the conflicting access.
For organizations where full separation is not possible because of team size, each rule can be assigned a risk level and routed to a compensating control review rather than triggering automatic revocation. The policy owner is notified in real time when a conflict exists, making the owner review function that your manual process relies on continuous rather than monthly.
Red Flags That Signal Weak SoD
Any of these conditions indicate a control gap worth addressing:
- One person handles cash receipts and books them
- No owner review of bank statements
- The same person sets up vendors and processes payments to them
- Payroll changes happen without independent review
- No bank reconciliations, or reconciliations done by someone with payment authority
These are not hypothetical risks. They are the conditions present in most small-business fraud cases that are discovered years after the fact.
Compliance and Audit Implications
SoD is not just a fraud prevention tool. It is a control requirement under most compliance frameworks:
SOX Section 404 specifically requires SoD as a tested control activity for public companies and their significant subsidiaries. SOC 2 Trust Services Criteria, ISO 27001 Access Control requirements (A.9 and Annex A.5.3), and PCI DSS all reference SoD as part of the control environment.
For small businesses seeking financing, going through acquisition diligence, or preparing for an audit, documented SoD controls improve credibility. An auditor or potential investor who sees evidence of consistent owner review, approval workflows, and access controls in financial systems has more confidence in the accuracy of the financial statements than one who finds that a single trusted employee handled all financial functions without oversight.
















