Auditors look for evidence that no single role can complete the transaction loop, that exceptions are approved, and that review happened before close. They also inspect role conflicts, admin privileges, and missing reconciliations. If evidence is fragmented or stale, the control is usually treated as ineffective.
Why This Matters for Security Teams
SOX segregation of duties is not judged by policy language alone. Auditors want to see that one person or one service account cannot create, approve, and post the same transaction without independent oversight. That means the control must work in the real operating model, across ERP roles, admin privileges, emergency access, and late-stage reconciliations. The evidence standard is practical, not theoretical, and it is closely aligned with the accountability and access governance ideas in the NIST Cybersecurity Framework 2.0.
This is where NHI governance becomes relevant even in a finance control discussion. Service accounts, API keys, and automated jobs often sit outside normal joiner-mover-leaver processes, yet they can execute the same transaction paths as human users. NHI Mgmt Group notes that 97% of NHIs carry excessive privileges, which makes hidden SoD conflicts harder to spot unless identity, entitlement, and activity evidence are reviewed together. See Ultimate Guide to NHIs — Regulatory and Audit Perspectives and Top 10 NHI Issues for the audit lens.
In practice, many teams discover SoD failures only after a close delay, a reconciliation exception, or a compensating control that never actually fired.
How It Works in Practice
Auditors usually evaluate SoD by tracing a sample transaction from initiation through approval, posting, reconciliation, and period close. They compare the system’s role design against the actual people and non-human identities that can touch each step. The question is not whether a conflicting role exists in theory, but whether an individual or automated actor can exercise conflicting powers in production without detection.
Typical evidence includes role matrices, access listings, exception approvals, logs showing review before close, and remediation records for known conflicts. Where NHI is involved, auditors may also inspect whether API keys, batch jobs, integrations, or robotic processes are effectively acting as privileged users. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because lifecycle control determines whether credentials are still valid long after the original business need has changed. On the standards side, current guidance in NIST CSF 2.0 reinforces continuous access management and monitoring rather than one-time attestation.
- Check whether conflicting access is technically possible, not just formally prohibited.
- Verify approvals for exceptions, temporary access, and emergency overrides.
- Confirm reviews happened before close, not after the fact.
- Test whether reconciliations are complete, timely, and independently reviewed.
- Include service accounts and automation in the same control test as human roles.
These controls tend to break down when finance, IT, and application owners maintain separate evidence silos because no one can prove the full transaction chain end to end.
Common Variations and Edge Cases
Tighter SoD enforcement often increases operational overhead, requiring organisations to balance clean role separation against close deadlines, emergency access, and system complexity. That tradeoff is especially sharp in environments with shared ERP roles, outsourced accounting, or high volumes of batch processing.
There is no universal standard for every exception path, so auditors usually focus on whether exceptions are approved, time-bounded, and reviewed after use. A standing conflict may still be acceptable if compensating controls are strong, but that claim must be supported by evidence. The same logic applies to NHIs: a scheduled job may need broad access to complete a finance workflow, yet the access should still be minimized, monitored, and removed when no longer needed. The NHI Lifecycle Management Guide is relevant when teams need to show how credentials are created, rotated, and retired over time.
One common blind spot is admin access. If a system administrator can both change configuration and approve or post transactions, the control is weakened even if the business role design looks clean. Another is stale evidence: screenshots, outdated role exports, or missing reconciliation sign-offs usually cause auditors to conclude the control is not operating effectively. Best practice is evolving, but current audit guidance still expects traceable evidence, timely review, and clear ownership for every exception.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SoD depends on access rights being limited and reviewed continuously. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI credentials can bypass human SoD controls if overprivileged or stale. |
| NIST AI RMF | Governance and accountability map to evidence-based control operation and review. |
Inventory service accounts and secrets, then remove conflicting privileges and rotate unused credentials.
Related resources from NHI Mgmt Group
- How do organisations know whether segregation of duties is actually working?
- How can organisations know whether their Azure AD governance is working?
- How can organisations tell whether credential management is actually working?
- How can teams tell whether identity controls are working in a remote workforce?
