By NHI Mgmt Group Editorial Team
Published 2025-09-15
Domain: Governance & Risk
Source: SecurEnds

TL;DR: Segregation of duties in accounts payable splits invoice entry, approval, payment, and reconciliation so no single role can drive a payment end to end, reducing fraud, duplicate payments, and audit failures, according to SecurEnds. The control matters because trust shifts from one person to the process itself.


At a glance

What this is: This is an analysis of segregation of duties in accounts payable, with the key finding that splitting AP tasks reduces fraud and oversight failures.

Why it matters: It matters to IAM practitioners because the same governance logic applies when one identity can create, approve, and reconcile access or payments without independent checks.



Context

Segregation of duties is a control design principle that prevents one identity from controlling a process from start to finish. In accounts payable, that means invoice entry, approval, payment, and reconciliation stay separated so errors and fraud need collusion instead of opportunity. The same control logic shows up across identity governance when a single human or non-human identity can accumulate too much authority.

For IAM teams, the interesting part is not the accounting workflow itself but the governance pattern. AP is a clean example of how role boundaries, review points, and compensating controls reduce blast radius. That pattern maps directly to service accounts, privileged workflows, and other non-human identities where standing authority creates the same concentration risk.


Key questions

Q: What breaks when one identity can create, approve, and pay invoices?

A: When one identity controls the full AP path, segregation of duties disappears and the process becomes easy to game. Fraud, duplicate payments, and hidden errors become much more likely because there is no independent checkpoint before money leaves the business. The control fails at the design level, not just the staffing level.

Q: Why do AP segregation controls matter for audit readiness?

A: Auditors look for evidence that no single person can both authorise and execute spend. When AP duties are split and documented, the organisation can show that payments are independently reviewed and reconciled. That reduces findings, makes exceptions easier to explain, and demonstrates that the payment process cannot be controlled by one role alone.

Q: How do you know if an AP SoD matrix is actually working?

A: The matrix is working only if it matches the permissions in the finance system and exceptions are rare, visible, and reviewed. If users can still perform conflicting tasks in the ERP or if the matrix is updated only on paper, the control is not functioning. Operational evidence matters more than policy language.

Q: What should teams do when staff constraints make perfect SoD impossible?

A: Use compensating controls such as supervisor sign-off, periodic independent review, and tighter monitoring of high-risk transactions. The goal is not to pretend overlap is safe. The goal is to reduce the chance that one person can create and conceal a payment error without detection.


Technical breakdown

Role separation in accounts payable controls payment authority

Segregation of duties works by splitting a financial workflow into discrete checkpoints. Invoice capture creates the record, approval validates legitimacy, payment execution releases funds, and reconciliation independently verifies the ledger afterward. Each step should be performed by a different role so that one person cannot both initiate and complete a payment path. This is a control architecture, not just a staffing choice. The control fails when role overlap collapses the review boundary and the same identity can both authorise and execute spend.

Practical implication: define which roles can initiate, approve, pay, and reconcile, then remove any overlap that lets one identity close the loop.

SoD matrices expose conflicting permissions before they become fraud

A segregation of duties matrix is a control map that shows which identities can perform which tasks. It helps teams see incompatible permissions, such as invoice entry combined with payment release or approval combined with reconciliation. In governance terms, the matrix is a pre-control assessment tool: it identifies where a role design creates an implicit trust chain that auditors will flag and attackers can exploit. The matrix only works when it is maintained against actual system entitlements, not just job titles.

Practical implication: reconcile the AP SoD matrix with real ERP entitlements and recertify it whenever roles, vendors, or payment workflows change.

Automation enforces compensating controls when manual review falls behind

Manual segregation of duties checks often degrade as transaction volume rises. Automation can enforce access rules, flag conflicts, and generate evidence for audits, but only if the underlying role model is already sound. In practice, automation is a control multiplier, not a substitute for design. If the process allows the same identity to create and approve records, automation will simply accelerate a broken workflow. The governance question is whether controls are encoded at the workflow layer or left to human memory.

Practical implication: use automation to enforce role boundaries and detect exceptions, but do not treat it as a fix for flawed process design.
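The two passages above describe the check in prose: reconcile the SoD matrix against the entitlements users actually hold, and let automation flag the conflicts and separate documented exceptions from open ones. The script below is an added example written for this page, not code from SecurEnds or from any ERP vendor. The task names, the incompatible pairs, the role-to-task export, the user assignments and the exception register are all constructed sample data; a real run would replace them with the entitlement export from the finance system.

```python
"""Flag segregation-of-duties conflicts from live entitlements, not job titles.

Added example for this page. All data below is constructed: the task names,
the incompatible pairs, the role export and the exception register are
assumptions standing in for a real ERP entitlement export.
"""

# Constructed AP task pairs that must never sit with one identity (assumed names).
INCOMPATIBLE_TASKS = {
    frozenset({"invoice_entry", "invoice_approval"}),
    frozenset({"invoice_entry", "payment_release"}),
    frozenset({"invoice_approval", "payment_release"}),
    frozenset({"invoice_approval", "reconciliation"}),
    frozenset({"payment_release", "reconciliation"}),
    frozenset({"vendor_master_edit", "invoice_entry"}),
    frozenset({"vendor_master_edit", "payment_release"}),
}

# Constructed role -> task export from a hypothetical ERP. AP_SUPER is a legacy
# catch-all role that bundles conflicting tasks inside a single role.
ROLE_TASKS = {
    "AP_CLERK": {"invoice_entry"},
    "AP_APPROVER": {"invoice_approval"},
    "TREASURY_PAYER": {"payment_release"},
    "GL_RECONCILER": {"reconciliation"},
    "VENDOR_ADMIN": {"vendor_master_edit"},
    "AP_SUPER": {"invoice_entry", "invoice_approval", "payment_release"},
}

# Constructed identity -> role assignments; svc-erp-batch is a non-human identity.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_APPROVER", "GL_RECONCILER"},
    "carol": {"TREASURY_PAYER"},
    "svc-erp-batch": {"AP_SUPER"},
    "dave": {"AP_CLERK", "VENDOR_ADMIN"},
}

# Constructed exception register: (identity, conflicting pair) -> compensating control.
EXCEPTIONS = {
    ("bob", frozenset({"invoice_approval", "reconciliation"})): "CC-17 monthly independent review",
}


def effective_tasks(user, user_roles, role_tasks):
    """Return {task: sorted roles granting it} for one identity, derived from entitlements."""
    granted = {}
    for role in user_roles.get(user, ()):
        for task in role_tasks.get(role, ()):
            granted.setdefault(task, set()).add(role)
    return {task: sorted(roles) for task, roles in granted.items()}


def toxic_roles(role_tasks, incompatible):
    """Roles that contain a conflicting pair on their own: a design failure, not a staffing one."""
    return {role for role, tasks in role_tasks.items()
            if any(pair <= tasks for pair in incompatible)}


def find_conflicts(user_roles, role_tasks, incompatible):
    """List every identity holding an incompatible pair, with the roles that grant each task."""
    conflicts = []
    for user in sorted(user_roles):
        tasks = effective_tasks(user, user_roles, role_tasks)
        for pair in sorted(incompatible, key=sorted):
            if pair.issubset(tasks):
                a, b = sorted(pair)
                conflicts.append({"user": user, "pair": pair, "via": {a: tasks[a], b: tasks[b]}})
    return conflicts


def triage(conflicts, exceptions):
    """Split conflicts into (open, approved); approved ones carry a documented compensating control."""
    open_, approved = [], []
    for c in conflicts:
        control = exceptions.get((c["user"], c["pair"]))
        (approved if control else open_).append({**c, "control": control})
    return open_, approved


if __name__ == "__main__":
    print("toxic roles:", sorted(toxic_roles(ROLE_TASKS, INCOMPATIBLE_TASKS)))
    open_, approved = triage(find_conflicts(USER_ROLES, ROLE_TASKS, INCOMPATIBLE_TASKS), EXCEPTIONS)
    for c in open_:
        a, b = sorted(c["pair"])
        print(f"OPEN     {c['user']}: {a} via {c['via'][a]} + {b} via {c['via'][b]}")
    for c in approved:
        print(f"APPROVED {c['user']}: {sorted(c['pair'])} ({c['control']})")
```

Two design choices carry the governance point. Conflicts are computed from the roles an identity actually holds, so a user with a harmless job title but two roles that together close the payment loop (dave, with invoice entry plus vendor master edits) is caught; and the role-level check runs separately, because a role such as AP_SUPER that bundles entry, approval and release is broken before anyone is assigned to it. The exception register is what makes the output audit evidence rather than noise: bob's approval-plus-reconciliation overlap is reported, but as an approved exception with its compensating control, while the service account holding AP_SUPER shows up as three open findings.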


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Accounts payable segregation of duties is a governance pattern, not an accounting preference. The article shows that fraud risk falls when one identity cannot move from invoice entry to payment release without independent review. That is the same control logic that underpins identity governance in any high-risk workflow. The practitioner lesson is that end-to-end control is the vulnerability, regardless of whether the identity is human or non-human.

Standing authority is the real failure mode. The dangerous condition is not simply that a role can touch invoices, but that it can keep enough authority to complete the payment chain without interruption. Once that happens, review becomes ceremonial because the same identity can shape the evidence being reviewed. The implication is that governance must treat role overlap as a structural risk, not a procedural annoyance.

SoD matrices make privilege concentration visible before it becomes loss. A matrix is only useful when it is tied to live entitlements, because job descriptions rarely match what users can actually do. That disconnect is where audit findings and insider abuse begin. The practitioner conclusion is simple: if the matrix does not match the system, the control does not exist.

Automation does not correct weak control design unless the workflow is already separated. The article’s automation examples matter because they show how enforcement, monitoring, and reporting can scale. But automation can also scale a bad model if the same identity still controls multiple AP steps. The implication is to encode segregation into the process first, then use tools to sustain it.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, which is why role concentration remains a governance problem across identity types.
  • That same control logic shows up in the Ultimate Guide to NHIs, where lifecycle, visibility, and least-privilege discipline determine whether authority can be safely split.

What this signals

Segregation of duties is the same control idea that breaks many NHI programmes when one service account can both create and execute a privileged action. The AP example shows why role separation must be enforced at the workflow level, not left to policy language. For identity teams, the lesson is to look for any process where one principal can authorise, execute, and conceal its own action path.

Standing privilege is the hidden cost of convenience. Once a role can keep enough authority to move across multiple checkpoints, review becomes reactive instead of preventative. That is true in finance and in identity governance, which is why access reviews and entitlement clean-up need to focus on conflicting permissions rather than raw role counts.

Privilege blast radius is a more useful concept than breadth of access. When a process allows one actor to own multiple control points, the issue is not volume alone but the ability to shape the evidence trail. Teams should treat SoD mapping as a way to surface where accountability disappears before an audit or incident does.


For practitioners

  • Define incompatible AP roles: Document which identities may enter invoices, approve payments, release funds, and reconcile accounts. Remove any role combination that lets one person complete the transaction loop.
  • Map real entitlements to the SoD matrix: Compare the AP segregation matrix with actual ERP permissions, not job titles, then close any entitlement gap that allows invoice creation and approval to sit in the same hands.
  • Add independent reconciliation checkpoints: Require a separate control owner to review payment batches, vendor changes, and duplicate invoice flags before closeout, so exceptions are caught outside the payment chain.
  • Automate exception detection without replacing design: Use access reviews and conflict alerts to surface overlaps continuously, but treat every alert as evidence that the underlying workflow still needs role separation.

Key takeaways

  • Accounts payable segregation of duties reduces fraud by preventing one identity from controlling invoice entry, approval, payment, and reconciliation end to end.
  • The control only works when the live system permissions match the SoD matrix, because paper-based separation does not stop conflicting access.
  • Automation helps sustain AP controls, but it cannot fix a workflow that still allows one person to authorise and execute the same payment path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 | AP segregation depends on least-privilege permissions and incompatible role separation; this CSF 2.0 subcategory (the successor to PR.AC-4 in CSF 1.1) names least privilege and separation of duties explicitly.
NIST CSF 2.0 | GV.RM-01 | SoD is a governance control for reducing financial and fraud risk in payment workflows.
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | The same separation logic applies to non-human identities with standing privilege in financial workflows.

Use the NHI5 (Overprivileged NHI) guidance to eliminate persistent privileges that allow a single principal to both initiate and complete actions.


Key terms

  • Segregation of Duties: Segregation of duties is a control design that splits a process into separate responsibilities so no single identity can create, approve, execute, and conceal the same action. In identity governance, it reduces fraud and errors by forcing independent review before high-risk activity is completed.
  • SoD Matrix: A SoD matrix is a role-to-task map that shows which identities can perform which actions and where conflicts exist. It turns abstract policy into an operational view of incompatible access, helping teams compare intended separation with the permissions that actually exist in systems.
  • Compensating Control: A compensating control is an alternative safeguard used when ideal separation is not practical. It does not remove the underlying risk, but it lowers exposure through independent review, approval, monitoring, or restricted thresholds until the workflow can be redesigned more cleanly.
  • Privilege Concentration: Privilege concentration occurs when one identity holds enough authority to move through multiple control points without meaningful interruption. It is a structural governance problem because it reduces oversight, increases fraud opportunity, and makes later review less effective at detecting misuse.

Deepen your knowledge

Segregation of duties, access review design, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building control separation into service accounts or privileged workflows, it is worth exploring.

This post draws on content published by SecurEnds: Segregation of Duties in Accounts Payable. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org