
Separation of duties vs internal controls: where teams go wrong


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: According to Zluri, separation of duties (SoD) is a specific control pattern that stops one identity from initiating, approving, and recording the same sensitive action, while internal controls are the broader set of governance mechanisms covering accountability, fraud prevention, and compliance. The distinction matters because teams often treat SoD as a cure-all when the real requirement is a control framework that matches both the process and the identity type.

NHIMG editorial — based on content published by Zluri: Security & Compliance Separation Of Duties & Internal Controls: What’s The Difference?

Questions worth separating out

Q: How should organisations implement separation of duties in access governance?

A: Start by identifying the specific processes where one identity should never be able to initiate, approve, and finalise the same action.

Q: Why do internal controls need more than separation of duties?

A: SoD limits role concentration, but internal controls also need monitoring, reconciliation, training, and corrective action.

Q: What do teams get wrong about SoD in identity programmes?

A: They often treat it as a single permission rule instead of a control design problem.

Practitioner guidance

  • Define SoD at workflow level: Break sensitive processes into discrete initiation, approval, execution, and reconciliation steps, then assign each step to different identities where the risk justifies it.
  • Test for role concentration: Review where one user, service account, or admin role can still influence multiple steps in the same process, especially in finance, procurement, and privileged access paths.
  • Tie SoD to access reviews: Use periodic access recertification to verify that role assignments still preserve independence and that inherited permissions have not recreated end-to-end control.
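The three guidance points above describe one check: resolve each identity's effective entitlements (direct roles plus anything inherited), map them onto the steps of a process, and flag any identity that can perform two steps the workflow requires to stay independent. The script below is an added example written for this post, not code from Zluri or the NHIMG course. The process, its conflicting step pairs, the roles, the inheritance links and the identities (including the service account) are all constructed; a real run would load them from the IdP or IGA export instead.

```python
"""Separation-of-duties check over effective (direct plus inherited) role grants.

Constructed example for this post, not code from Zluri or the NHIMG course.
Process names, roles, identities and conflict pairs below are made up.
"""
from collections import defaultdict

# Sensitive process broken into discrete steps, with the step pairs that must
# never land on the same identity (hypothetical definition).
PROCESSES = {
    "vendor_payment": {
        "steps": ["initiate", "approve", "execute", "reconcile"],
        "conflicts": [
            ("initiate", "approve"),
            ("approve", "execute"),
            ("initiate", "execute"),
            ("execute", "reconcile"),
        ],
    },
}

# Role -> (process, step) entitlements granted directly by that role.
ROLE_GRANTS = {
    "ap_clerk": {("vendor_payment", "initiate")},
    "ap_manager": {("vendor_payment", "approve")},
    "treasury_ops": {("vendor_payment", "execute")},
    "gl_accountant": {("vendor_payment", "reconcile")},
    "finance_admin": set(),  # grants nothing directly ...
}

# Role -> parent roles whose grants it inherits.
ROLE_PARENTS = {
    "finance_admin": ["ap_manager", "treasury_ops"],  # ... but inherits two steps
}

# Identity -> directly assigned roles (users and a service account).
ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["finance_admin"],
    "dave": ["gl_accountant"],
    "svc-payments-bot": ["ap_clerk", "treasury_ops"],
}


def effective_roles(role, parents=ROLE_PARENTS):
    """Return the role and every ancestor reached through inheritance (cycle-safe)."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(parents.get(current, []))
    return seen


def steps_held(identity, assignments=ASSIGNMENTS, grants=ROLE_GRANTS, parents=ROLE_PARENTS):
    """Map process -> {step: roles that grant it} for an identity's effective rights."""
    held = defaultdict(lambda: defaultdict(set))
    for role in assignments.get(identity, []):
        for resolved in effective_roles(role, parents):
            for process, step in grants.get(resolved, set()):
                held[process][step].add(resolved)
    return held


def sod_violations(identity, processes=PROCESSES, **kwargs):
    """List (process, step_a, step_b, roles_for_a, roles_for_b) for each conflict
    pair the identity can perform end to end; the role lists explain the finding."""
    held = steps_held(identity, **kwargs)
    violations = []
    for process, spec in processes.items():
        for step_a, step_b in spec["conflicts"]:
            if step_a in held[process] and step_b in held[process]:
                violations.append((process, step_a, step_b,
                                   sorted(held[process][step_a]),
                                   sorted(held[process][step_b])))
    return violations


def recertification_sweep(assignments=ASSIGNMENTS, **kwargs):
    """Run the check for every identity (the periodic review); keep only findings."""
    findings = {}
    for identity in assignments:
        hits = sod_violations(identity, assignments=assignments, **kwargs)
        if hits:
            findings[identity] = hits
    return findings


if __name__ == "__main__":
    for identity, hits in recertification_sweep().items():
        for process, a, b, via_a, via_b in hits:
            print(f"{identity}: {process} {a} (via {','.join(via_a)}) "
                  f"+ {b} (via {','.join(via_b)})")
```

Two of the constructed identities trip the check, and neither would be caught by a rule that only looks at directly assigned roles: the service account holds two roles that are individually fine but together cover initiate and execute, and carol holds a single role that grants nothing itself yet inherits approve and execute from its parents. The role lists in each finding are what a reviewer needs to decide whether to split the role, remove the assignment, or document a compensating control.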

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Detailed explanations of preventative, detective, and corrective controls in business and finance processes
  • Expanded examples showing how SoD reduces fraud, error, and conflict of interest in day-to-day operations
  • FAQ material on implementing SoD policies, training staff, and supporting SOX compliance
  • Product-context guidance on how Zluri positions automated access workflows for governance teams

👉 Read Zluri's article on separation of duties and internal controls →
