AWRA OpsHub Search

Segregation of Duties: The Control Behind Every Clean Audit

The oldest control in the book and the one most quietly abandoned in small teams — what segregation of duties means, the four functions it splits, and how to keep it when you cannot hire more people.

Security & Compliance Washingtone Aura 7 min read

Segregation of duties (SoD) is the principle that no single person should control every step of a transaction that moves money or goods. Split the steps across different people and fraud requires collusion — several people conspiring — while honest error gets caught by the next pair of eyes. Concentrate the steps in one person and you have built a single point of failure with signing authority. Nearly every clean audit rests on this control, and nearly every "trusted employee" fraud story is its absence.

The four functions that must not overlap

Classic SoD separates four responsibilities. The same person should never hold two adjacent ones for the same transaction:

Function What it is Example
Authorisation Approving that a transaction should happen Approving a purchase requisition or payment
Custody Physical control of the asset Holding stock, cash, or cheque books
Recording Booking the transaction into the records Posting the invoice, updating the ledger
Reconciliation Independently checking records against reality Matching bank statement to cash book

The dangerous combinations, in one line each

Authorise + custody = approve a payment to yourself. Custody + recording = take the stock and adjust the record to hide it. Recording + reconciliation = post an error, then "verify" your own posting. The whole discipline is keeping these pairs in different hands.

Why "we trust her" is not a control

The most common objection is that the person concerned is trusted completely. But SoD is not an accusation — it is a structure that protects the honest as much as it catches the dishonest. When one person owns a whole cycle, they carry sole blame for any error, they cannot take leave without the process stopping, and they are exposed to suspicion the moment anything looks odd. Separating duties removes the temptation, distributes the knowledge, and means a single mistake is caught rather than compounded. Trust is a feeling; segregation is a system.

SoD in procurement — the worked case

Procurement is where SoD earns its keep, because it touches authorisation, custody, and recording in quick succession. The person who requests a purchase should not be the one who approves it; the one who approves should not be the one who receives the goods (which is why the goods received note is created independently); and the one who receives should not solely release the payment. Split this way, no individual can invent a supplier, approve the order, sign for a delivery that never came, and pay themselves. It is also the reason three-way matching is a genuine control rather than theatre — the three documents come from different hands.

The small-team problem — and compensating controls

Real objection: a five-person organisation cannot put four people on every transaction. True — so SoD gives way to compensating controls that achieve the same protection without the same headcount:

  • Owner/manager review. The person who cannot be separated out is watched by an approval from above — every payment over a threshold sees a second signature.
  • System-enforced approval routing. Software can require a different user to approve than the one who raised the request, even in a tiny team — the approval workflow makes "someone else clicks approve" structural, not optional.
  • Mandatory leave and rotation. A fraud that requires daily maintenance surfaces when the person is forced to take leave and someone else runs the cycle.
  • Independent reconciliation. Even if one person records, a monthly reconciliation done by someone else — or reviewed by the owner — closes the loop.
  • An immutable audit trail. When the system logs who did what and when, and the log cannot be edited, concentration of duties becomes far less dangerous because nothing is invisible.

This is exactly the terrain of an audit-ready operation: auditors do not expect a small team to have four people per transaction, but they do expect to see that the risk was recognised and a compensating control put in its place. "We are small" is a reason to design the controls deliberately, not a reason to have none.

Make separation structural, not aspirational

AWRA OpsHub enforces approval routing, independent receiving, and an immutable audit trail — so duties stay separated even in a lean team.

See approval controls

Frequently asked questions

What is segregation of duties in simple terms?

It is splitting the steps of a transaction — approving it, holding the asset, recording it, and checking it — across different people so no single person controls the whole thing. That way fraud would require collusion, and honest mistakes get caught by the next person in the chain.

What are the four duties that should be separated?

Authorisation (approving the transaction), custody (physical control of the asset), recording (booking it into the records), and reconciliation (independently checking records against reality). The risk lies in one person holding two adjacent functions — for example both custody of stock and the ability to adjust its record.

How can a small business apply segregation of duties with few staff?

Through compensating controls: owner or manager review of transactions above a threshold, system-enforced approval routing so a different user approves than requests, mandatory leave that forces a handover, independent monthly reconciliation, and an immutable audit trail. These achieve the protection of separation without needing four people per transaction.

Why is trusting a reliable employee not enough?

Because the control protects the honest employee as much as it constrains a dishonest one — it removes sole blame, allows them to take leave without stopping the process, and shields them from suspicion. Trust cannot catch an honest mistake or survive the person leaving; a structural separation does both.

Help Center

Need a quick answer while you read?

Run inventory, procurement, assets, sales, and field work with approved AWRA guidance for setup, migration, integrations, security, pricing, and support.

Search all approved AWRA public help articles.

Open Help Center