TL;DR: Segregation of duties reduces fraud and audit risk by splitting authorization, custody, and recordkeeping, and an ACFE survey cited by SecurEnds found organisations with strong SoD controls detected fraud 50% faster than those without. The governance lesson is that control design only works when access, approvals, and evidence are separated and reviewed continuously.
NHIMG editorial — based on content published by SecurEnds: segregation of duties in internal controls
By the numbers:
- One survey by the Association of Certified Fraud Examiners found companies with strong SoD controls detected fraud 50% faster than those without.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams implement segregation of duties in high-risk workflows?
A: Start by identifying every workflow where one identity could request, approve, execute, and record the same action.
Q: Why does weak segregation of duties increase fraud and compliance risk?
A: Because it removes the checkpoints that expose misuse and error.
Q: What do teams get wrong when they rely on roles to prove SoD?
A: They assume a role name proves separation, but effective privilege is what matters.
Practitioner guidance
- Map conflicting entitlements across critical workflows: List the identities that can initiate, approve, record, and release each high-risk process, then flag any overlap that lets one actor complete the flow end to end.
- Test effective access, not just role names: Review ERP, IT, and payroll permissions at the entitlement level so you can find bundled rights such as vendor creation plus payment approval or deploy plus approve.
- Treat compensating controls as exceptions: Where staffing forces overlap, require named supervisor review, independent reconciliation, and evidence retention so the exception is visible and auditable.
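The first two guidance points can be turned into a repeatable check. The script below is an added example, not code from SecurEnds or NHIMG: it expands nested roles and direct grants into effective entitlements for each identity (human or NHI), then flags anyone holding a toxic combination such as vendor creation plus payment approval. All role, identity, and rule data are constructed for illustration.

```python
"""SoD conflict check on effective entitlements (constructed example, not the article's tooling)."""
from collections import deque

# Constructed sample data: roles may nest other roles; identities hold roles plus direct grants.
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "ap_clerk"},  # nests ap_clerk
    "deployer": {"deploy.execute"},
    "release_mgr": {"change.approve", "deployer"},  # nests deployer
}
IDENTITIES = {
    "alice": {"roles": {"ap_clerk"}, "direct": set()},
    "bob": {"roles": {"ap_manager"}, "direct": set()},  # conflict hidden by role nesting
    "ci-bot": {"roles": {"deployer"}, "direct": {"change.approve"}},  # NHI with a direct grant
    "carol": {"roles": {"release_mgr"}, "direct": set()},
}
# Toxic combinations: entitlement sets that let one actor complete a flow end to end.
CONFLICT_RULES = {
    "AP: vendor creation + payment approval": {"vendor.create", "payment.approve"},
    "Change: deploy + approve": {"deploy.execute", "change.approve"},
}

def effective_entitlements(identity, roles=ROLES, identities=IDENTITIES):
    """Expand nested roles and direct grants into the leaf entitlements an identity can use."""
    ent = set(identities[identity]["direct"])
    queue = deque(identities[identity]["roles"])
    seen = set()
    while queue:
        role = queue.popleft()
        if role in seen:  # guards against role cycles
            continue
        seen.add(role)
        for member in roles.get(role, ()):
            if member in roles:  # nested role: keep expanding
                queue.append(member)
            else:
                ent.add(member)
    return ent

def sod_conflicts(rules=CONFLICT_RULES, roles=ROLES, identities=IDENTITIES):
    """Map each identity to the conflict rules it satisfies on effective access, not role names."""
    findings = {}
    for identity in identities:
        eff = effective_entitlements(identity, roles, identities)
        hits = [name for name, toxic in rules.items() if toxic <= eff]
        if hits:
            findings[identity] = hits
    return findings
```

Note that "bob" holds only the ap_manager role by name; the conflict only appears once the nested ap_clerk role is expanded, which is the point of reviewing effective access rather than role names.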
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- Role-by-role examples for accounts payable, payroll, and IT change workflows that show how duties are split in practice.
- Examples of compensating controls for small teams that cannot fully separate every function.
- Audit-oriented documentation patterns that help prove SoD effectiveness during review.
- Practical access review prompts for identifying overlapping authority in ERP and admin systems.
👉 Read SecurEnds' article on segregation of duties in internal controls: Segregation of duties in internal controls - what are teams missing? →
Explore further
SoD is an identity control pattern, not just an accounting safeguard. The article frames the issue in finance language, but the underlying problem is broader: one identity should not be able to create, approve, and release a critical action. That principle maps directly to IAM, PAM, and NHI governance, where conflicting entitlements create the same loss of oversight. The practitioner takeaway is that SoD should be measured as an access conflict problem across all high-risk workflows, not only in ledger processes.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means SoD reviews often start from incomplete access data.
A question worth separating out:
Q: Who is accountable when compensating controls are used instead of full separation?
A: Accountability stays with the control owner and the business process owner, because compensating controls are an exception to design, not a replacement for it. The organisation must be able to show why the overlap exists, who reviews it, and what evidence proves the control is working.
👉 Read our full editorial: Segregation of duties in internal controls is still a live IAM issue