Too few staff, a shoestring budget, technology limitations, and a simple lack of internal controls: sound familiar? These challenges show up across industries — especially in organizations with lean teams, limited budgets, or outdated legacy systems. But they’re also major risk factors that stand in the way of proper segregation of duties (SOD). When SOD does break down, the risk isn’t just inefficiency — it’s accountability failure.
SOD, most simply, is a form of risk management. The key is requiring that separate people complete critical tasks to avoid “incompatible duties” like recording, authorizing, and processing cash disbursements. This allows for more oversight, which leads to fewer mistakes and a lower fraud risk. As the AICPA notes, failing to segregate duties is like handing just one person the keys, the code, and the launch button for a nuclear weapon system. The risk might not be nuclear, but the fallout can still be serious.
Here’s how failure to segregate duties hurts organizations
Lack of operational efficiency
SOD exists, in part, to prevent mistakes. Many accounting software options will require you to have one person prepare a journal entry and a separate person post it. But if your system doesn’t have these restrictions, it’s easy to disregard. We get it — you’ve got a small team, a limited budget, and a lot of work to do. But if you think you don’t have time to segregate duties, do you have time to fail an audit due to misstated financials? Do you want to spend time explaining to your auditors why you don’t have dual signatures on large wire payments or appropriate checks and balances in place? Restating financials isn’t just time- and labor-intensive; it’s costly, and it’s an embarrassment to your department.
Fraud and corruption
Organizations have a responsibility to safeguard the integrity of their operations. Without proper oversight, it’s not just reputation that’s at risk, but your ability to deliver on what others rely on you to do. For example, when the person who initiates wire transfers is the same person who approves them, there’s a significant risk of fraud. The same goes when one person oversees soliciting and approving bids, as well as setting up vendors and deciding who gets paid.
As one client of ours discovered before calling us in to help, a director of a department without proper SOD selected a “vendor” to whom they paid thousands. Turns out, the “vendor” was the director’s spouse, and the checks were going straight to their personal account. With no one double-checking the work, it’s easy to skim a little off the top. Even someone who might normally never think of committing such a crime might be tempted if they have the opportunity paired with enough financial pressure.
Loss of stakeholder trust
Segregation of duties is more than an internal control — it’s a method of accountability. Without it, stakeholders start to ask harder questions like: Who’s signing off on payments? Who’s reviewing the books? And who’s making sure the same staff member isn’t managing both?
Imagine a midsized company where one employee is responsible for issuing refunds and reconciling bank statements. Even without intent to defraud, the lack of oversight can raise red flags. For investors, auditors, and executive leadership, it suggests deeper control issues, and confidence is quickly questioned. Once trust is lost, it’s hard to recover.
The good news? You don’t need a bigger team or budget (although that would certainly make it easier) to reduce risk. When our team is engaged to improve segregation of duties — an issue that’s usually uncovered as part of a risk assessment (which you should be doing annually) — there are three steps we typically take:
1. Review your current staffing models to align staff to the correct responsibilities
Say you have a two-person team, but only one person knows how to make journal entries. Small teams often make it easy for one person to wear too many hats. That’s where segregation starts to break down. We recommend reviewing your ERP system to ensure it follows best practices, including role-based access control (RBAC) and the principle of least privilege (PoLP).
This allows you to assign responsibilities more intentionally — so no one person is responsible for initiating and approving transactions. We’ll also look for other ways to reduce risk, such as separating duties around cash handling, journal entries, and vendor setup.
2. Review your user access to analyze potential conflicts
Even strong systems create risk if too many users have unrestricted access in your ERP system. A client of ours once had a retiring staff member point out that their unrestricted access to the technology system meant they could have been stealing from the company for years, and that the company ought to fix it before they left. That client was lucky. Most aren’t. Conducting a user access review and limiting access based on job function, especially in your ERP system, reduces opportunity for error and fraud. A third-party review can help pinpoint where mitigating controls should be added, especially when there are limited personnel and segregating each incompatible duty is impractical.
3. Review your internal controls and current processes to recommend solutions
Internal controls only work if they can’t be bypassed. If they can be overridden — or ignored — they’re not really controls. Mapping out the current processes and who’s responsible for each step helps identify where duties overlap or go unchecked. A structured internal control audit can surface process gaps, recommend improvements, and uncover risks hiding in plain sight. Some organizations go further by implementing continuous monitoring to flag risks in real time — not just during annual reviews.
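The user access review in step 2 can be run as a repeatable check rather than a one-off exercise. The following is an added example, not code from this article or any ERP vendor: it scans a constructed role and user export for people who hold both sides of an incompatible duty pair and notes where a mitigating control is on record. All permission, role, and user names are hypothetical, and the "*" wildcard is assumed to mean unrestricted access.

```python
# Hypothetical permission names; the pairs are the duties the article calls incompatible.
INCOMPATIBLE = [
    ("wire.initiate", "wire.approve"),
    ("journal.prepare", "journal.post"),
    ("vendor.create", "payment.approve"),
    ("refund.issue", "bank.reconcile"),
]
# Constructed sample data: role -> permissions and user -> roles.
ROLE_PERMS = {
    "ap_clerk": {"vendor.create", "wire.initiate"},
    "ap_manager": {"payment.approve", "wire.approve"},
    "gl_accountant": {"journal.prepare"},
    "controller": {"journal.post", "bank.reconcile"},
    "cs_rep": {"refund.issue"},
    "sysadmin": {"*"},  # unrestricted access (assumed wildcard convention)
}
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],
    "carol": ["gl_accountant", "controller"],
    "dave": ["cs_rep", "controller"],
    "erin": ["sysadmin"],
}
# Documented mitigating controls for conflicts that cannot be staffed away.
COMPENSATING = {("dave", "refund.issue", "bank.reconcile"): "independent monthly review"}

def effective_perms(user):
    """Union of permissions across every role the user holds."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, [])))

def find_conflicts():
    """Map each user to the (duty_a, duty_b, mitigating_control) pairs they hold."""
    findings = {}
    for user in sorted(USER_ROLES):
        perms = effective_perms(user)
        for a, b in INCOMPATIBLE:
            if "*" in perms or {a, b} <= perms:
                findings.setdefault(user, []).append((a, b, COMPENSATING.get((user, a, b))))
    return findings

def unmitigated(findings):
    """Users with at least one conflict that has no documented mitigating control."""
    return sorted(u for u, hits in findings.items() if any(c is None for *_, c in hits))

if __name__ == "__main__":
    for user, hits in find_conflicts().items():
        print(user, [(a, b, c or "NO MITIGATING CONTROL") for a, b, c in hits])
```

Conflicts are evaluated on effective permissions, so a user who picks up a second role over time is flagged even when each role looks clean on its own.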
Of course, every organization is unique and will need different solutions when it comes to proper segregation of duties. But the point is that there are cost-effective ways to shield your organization from SOD risk. Your reputation and your organization’s ability to operate efficiently are at stake, so don’t ignore this issue. Next time you conduct your annual risk assessment, ask for a review of your segregation of duties. You might be surprised by what’s uncovered.