TL;DR: Accounts receivable segregation of duties splits credit approval, invoicing, collections, and reconciliation so that one person cannot control the full revenue cycle, reducing fraud risk and improving auditability, according to SecurEnds. The control matters because revenue integrity fails when a single role can create, move, and verify the same transaction.
NHIMG editorial — based on content published by SecurEnds: Segregation of duties in accounts receivable and revenue control
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should organisations implement segregation of duties in accounts receivable?
A: Start by separating credit approval, invoicing, collections, and reconciliation into different roles or accounts.
Q: Why does role overlap create fraud risk in accounts receivable?
A: Role overlap removes independent verification.
Q: How do organisations know if AR segregation of duties is actually working?
A: Look for evidence that no single user can approve credit, create invoices, collect cash, and reconcile accounts.
Practitioner guidance
- Split AR permissions by control step: assign credit approval, invoice creation, payment collection, and reconciliation to different roles, and remove any shared access that lets one person complete the full cycle.
- Introduce independent review for exceptions: require a second person to approve large write-offs, unusual credit terms, and manual payment adjustments so exceptions cannot be self-authorised.
- Use access reviews to find role overlap: review ERP and finance system entitlements for conflicting combinations, then remove overlaps that let the same identity create and verify transactions.
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- A practical accounts receivable SoD matrix showing which roles can approve credit, issue invoices, collect payments, and reconcile records.
- Automation examples for ERP-linked access reviews and conflict detection across finance workflows.
- Audit-oriented evidence patterns that show when SoD is enforced continuously rather than checked manually.
- Compensating control options for smaller teams that cannot fully separate every AR task.
Read SecurEnds' guidance on segregation of duties in accounts receivable.
Accounts receivable segregation of duties: where the control breaks?
Explore further
Privilege concentration is the real governance failure behind weak AR controls. The article describes a finance control, but the identity lesson is broader: one actor should not be able to initiate, execute, and verify the same business outcome. That same concentration problem is what breaks NHI governance when a service account, API key, or workflow identity is allowed to both act and validate its own activity. Practitioners should recognise this as a control-design problem, not just an operating issue.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- A separate NHIMG finding shows that only 5.7% of organisations have full visibility into their service accounts, which is why ownership separation must be paired with discovery.
A question worth separating out:
Q: Who is accountable when segregation of duties fails in accounts receivable?
A: Accountability usually sits with the process owner and the control owner, not just the person who exploited the overlap. Finance leadership must define the roles, and internal control or audit teams must verify that the separation is real in the system, not only on paper.
Read our full editorial: Segregation of duties in accounts receivable and revenue control.