TL;DR: Segregation of duties checklists help organisations map critical processes, identify toxic access combinations, and move from detective review to preventive controls across ERP, HCM, and CRM systems, according to Delinea and the Association of Certified Fraud Examiners. The governance gap is not awareness but repeatability: access conflicts keep reappearing unless review, escalation, and provisioning are tied together.
NHIMG editorial — based on content published by Delinea: Segregation of Duties checklist for robust internal controls
By the numbers:
Questions worth separating out
Q: How should teams build an effective segregation of duties checklist?
A: Start with the business processes that create the most fraud or control risk, then map the duties, approvals, and entitlements involved in each process.
Q: Why do segregation of duties conflicts still appear after periodic reviews?
A: Because periodic reviews only see the access state that exists at the moment of review.
Q: What do security and compliance teams get wrong about segregation of duties?
A: They often treat SoD as a policy document instead of a control that must be operationalised across business applications and identity processes.
Practitioner guidance
- Define the SoD ruleset by process first Map high-risk workflows such as accounts payable, purchasing, and inventory handling before you write entitlement rules.
- Embed SoD checks in access requests Move SoD validation into identity management and provisioning flows so conflicting access is stopped before it is granted.
- Assign clear remediation ownership Name the business application owner, compliance lead, or security team member who will resolve or document each conflict.
What's in the full article
Delinea's full blog post covers the operational detail this post intentionally leaves for the source:
- A step-by-step SoD checklist sequence for business applications, high-risk processes, and duty mapping.
- Practical guidance on building an SoD matrix and ruleset with application owners and audit.
- Decision paths for changing access, applying mitigating controls, or accepting documented risk.
- How to shift SoD from detective review into provisioning-time enforcement.
👉 Read Delinea's segregation of duties checklist for internal controls →
Segregation of duties in IAM: where do access conflicts still slip through?
Explore further
SoD is an access governance control, not just a finance control: the article shows how toxic combinations emerge when business processes span multiple applications and no one owns the full entitlement picture. That is an identity problem because the risk sits in who can both initiate and complete a sensitive transaction. Practitioners should treat SoD as part of broader identity governance, not as a standalone audit checklist.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should own remediation when an SoD conflict is found?
A: Ownership should sit with the business application owner, supported by compliance, security, or IT as needed. The key is that someone must be accountable for either changing access, applying a mitigating control, or documenting accepted risk, and that decision must be retained as evidence.
👉 Read our full editorial: Segregation of duties in identity governance: closing access conflict gaps