
Accounts payable segregation of duties: where do controls break down?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Segregation of duties in accounts payable splits invoice entry, approval, payment, and reconciliation so no single role can drive a payment end to end, reducing fraud, duplicate payments, and audit failures, according to SecurEnds. The control matters because trust shifts from one person to the process itself.

NHIMG editorial — based on content published by SecurEnds: Segregation of Duties in Accounts Payable

By the numbers:

Questions worth separating out

Q: What breaks when one identity can create, approve, and pay invoices?

A: When one identity controls the full AP path, segregation of duties disappears and the process becomes easy to game.

Q: Why do AP segregation controls matter for audit readiness?

A: Auditors look for evidence that no single person can both authorise and execute spend.

Q: How do you know if an AP SoD matrix is actually working?

A: The matrix is working only if it matches the permissions in the finance system and exceptions are rare, visible, and reviewed.

Practitioner guidance

  • Define incompatible AP roles: Document which identities may enter invoices, approve payments, release funds, and reconcile accounts.
  • Map real entitlements to the SoD matrix: Compare the AP segregation matrix with actual ERP permissions, not job titles, then close any entitlement gap that allows invoice creation and approval to sit in the same hands.
  • Add independent reconciliation checkpoints: Require a separate control owner to review payment batches, vendor changes, and duplicate invoice flags before closeout, so exceptions are caught outside the payment chain.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • A practical SoD matrix example showing how AP roles map to invoice entry, approval, payment, and reconciliation.
  • Workflow and ERP enforcement details for SAP, Oracle, and similar finance systems.
  • Automation features for access reviews, conflict alerts, and audit-ready reporting.
  • Compensating control patterns for small teams that cannot fully separate AP duties.

👉 Read SecurEnds' guide to segregation of duties in accounts payable →

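As an added example (not SecurEnds' or NHIMG's code), this implements the "map real entitlements to the SoD matrix" check from the post: it derives each identity's effective AP duties from the roles actually granted in the ERP, flags every incompatible pair, and suppresses only pairs covered by a documented exception so the rest stay visible for review. The duty names, ERP role names, role grants, entitlement export and exception register are all constructed assumptions.

```python
from itertools import combinations

# AP duties that must never sit in one pair of hands (constructed from the post's four-way split).
INCOMPATIBLE = {
    frozenset({"invoice_entry", "invoice_approval"}),
    frozenset({"invoice_entry", "payment_release"}),
    frozenset({"invoice_approval", "payment_release"}),
    frozenset({"payment_release", "reconciliation"}),
}

# What each ERP role actually grants (hypothetical role names and grants).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"invoice_entry"},
    "AP_MANAGER": {"invoice_approval"},
    "TREASURY": {"payment_release"},
    "GL_RECON": {"reconciliation"},
    "AP_SUPER": {"invoice_entry", "invoice_approval", "payment_release"},  # legacy catch-all
}

# Constructed identity -> roles export; it includes a service account, not only humans.
ENTITLEMENTS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER", "TREASURY"},        # approval + release via two separate roles
    "carol": {"GL_RECON"},
    "svc-erp-integration": {"AP_SUPER"},      # non-human identity holding the catch-all role
}

# Documented, reviewed exceptions: (identity, incompatible pair) with a compensating control.
EXCEPTIONS = {("bob", frozenset({"invoice_approval", "payment_release"}))}

def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of AP duties an identity holds through its assigned roles (not its job title)."""
    return set().union(*(role_functions.get(r, set()) for r in roles))

def sod_conflicts(entitlements, exceptions=frozenset()):
    """Map identity -> sorted incompatible duty pairs it holds, minus approved exceptions."""
    report = {}
    for identity, roles in entitlements.items():
        pairs = (frozenset(p) for p in combinations(effective_functions(roles), 2))
        hits = [tuple(sorted(p)) for p in pairs
                if p in INCOMPATIBLE and (identity, p) not in exceptions]
        if hits:
            report[identity] = sorted(hits)
    return report

if __name__ == "__main__":
    for who, pairs in sod_conflicts(ENTITLEMENTS, EXCEPTIONS).items():
        print(f"{who}: {pairs}")  # unapproved conflicts needing an entitlement fix or a review
```

Run it against a real role export and the identities it lists are the ones whose entitlements, not titles, let them drive a payment end to end.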
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Accounts payable segregation of duties is a governance pattern, not an accounting preference. The article shows that fraud risk falls when one identity cannot move from invoice entry to payment release without independent review. That is the same control logic that underpins identity governance in any high-risk workflow. The practitioner lesson is that end-to-end control is the vulnerability, regardless of whether the identity is human or non-human.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, which is why role concentration remains a governance problem across identity types.

A question worth separating out:

Q: What should teams do when staff constraints make perfect SoD impossible?

A: Use compensating controls such as supervisor sign-off, periodic independent review, and tighter monitoring of high-risk transactions. The goal is not to pretend overlap is safe. The goal is to reduce the chance that one person can create and conceal a payment error without detection.

👉 Read our full editorial: Segregation of duties in accounts payable reduces fraud risk
