Segregation of duties in IAM: where do access conflicts still slip through?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Segregation of duties checklists help organisations map critical processes, identify toxic access combinations, and move from detective review to preventive controls across ERP, HCM, and CRM systems, according to Delinea and the Association of Certified Fraud Examiners. The governance gap is not awareness but repeatability: access conflicts keep reappearing unless review, escalation, and provisioning are tied together.

NHIMG editorial — based on content published by Delinea: Segregation of Duties checklist for robust internal controls

Questions worth separating out

Q: How should teams build an effective segregation of duties checklist?

A: Start with the business processes that create the most fraud or control risk, then map the duties, approvals, and entitlements involved in each process.

Q: Why do segregation of duties conflicts still appear after periodic reviews?

A: Because periodic reviews only see the access state that exists at the moment of review.

Q: What do security and compliance teams get wrong about segregation of duties?

A: They often treat SoD as a policy document instead of a control that must be operationalised across business applications and identity processes.

Practitioner guidance

  • Define the SoD ruleset by process first: map high-risk workflows such as accounts payable, purchasing, and inventory handling before you write entitlement rules.
  • Embed SoD checks in access requests: move SoD validation into identity management and provisioning flows so conflicting access is stopped before it is granted.
  • Assign clear remediation ownership: name the business application owner, compliance lead, or security team member who will resolve or document each conflict.

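To make the three points above concrete, here is an added example of a provisioning-time SoD check (illustrative code written for this post, not Delinea's or NHIMG's tooling). The rule ids, entitlement names and owners are constructed sample data; the check evaluates the access an identity would hold after a grant, flags toxic combinations, marks those that already existed, and routes each finding to a named owner with the change / mitigate / accept options.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SodRule:
    """A toxic combination: one person holding both entitlements can run a
    fraud-relevant process end to end (constructed sample data throughout)."""
    rule_id: str
    process: str                  # high-risk business process the rule protects
    entitlements: frozenset       # the conflicting entitlement pair
    owner: str                    # who resolves or documents each conflict
    mitigating_control: str = ""  # detective control, if one exists

# Constructed ruleset: mapped by process first, then by entitlement.
SOD_RULES = (
    SodRule("AP-01", "accounts payable",
            frozenset({"ap.vendor.create", "ap.payment.approve"}),
            "ap-application-owner", "weekly vendor-change report reviewed by finance"),
    SodRule("PUR-01", "purchasing",
            frozenset({"po.create", "po.approve"}), "procurement-lead"),
    SodRule("INV-01", "inventory",
            frozenset({"inv.adjust", "inv.count.approve"}), "warehouse-controller"),
)

def evaluate_request(current, requested, rules=SOD_RULES):
    """Evaluate the access the identity will hold *after* the grant, so a
    conflict between the request and a long-standing entitlement is caught."""
    current, after_grant = set(current), set(current) | set(requested)
    findings = []
    for rule in rules:
        if not rule.entitlements <= after_grant:
            continue
        options = ["change the request", "accept documented risk"]
        if rule.mitigating_control:
            options.append("apply mitigating control: " + rule.mitigating_control)
        findings.append({
            "rule": rule.rule_id,
            "process": rule.process,
            "conflict": sorted(rule.entitlements),
            "owner": rule.owner,
            # already violated before this request: a periodic review missed it
            "pre_existing": rule.entitlements <= current,
            "options": options,
        })
    return findings

def provisioning_decision(current, requested):
    """Preventive control: block the grant and route each conflict to its owner."""
    findings = evaluate_request(current, requested)
    return ("block" if findings else "grant", findings)
```

Wiring `provisioning_decision` into the access-request flow is what turns the ruleset from a detective review artefact into a preventive control.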
What's in the full article

Delinea's full blog post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step SoD checklist sequence for business applications, high-risk processes, and duty mapping.
  • Practical guidance on building an SoD matrix and ruleset with application owners and audit.
  • Decision paths for changing access, applying mitigating controls, or accepting documented risk.
  • How to shift SoD from detective review into provisioning-time enforcement.

👉 Read Delinea's segregation of duties checklist for internal controls →
