AP Process and Operations

Segregation of Duties

Why segregation of duties is the most fundamental AP control, how to implement it in a small business where staff numbers are limited, and what happens when it is absent.

Segregation of duties (SoD) is a financial control principle that requires different people to be responsible for different steps in a process that involves financial transactions. In accounts payable, the principle means that the person who enters an invoice should not be the same person who approves it, and neither of those people should be the same person who releases the payment.

The reason for this separation is straightforward: if one person controls the entire process from invoice entry to payment, they can pay fraudulent invoices to themselves or to a collaborator without anyone else being able to detect the fraud. With multiple people involved, each acting as a check on the others, the risk of undetected fraud is significantly reduced.

How segregation of duties applies in AP

In a well-controlled AP process, at least three distinct functions should be performed by different people or roles. The first function is vendor management: adding new suppliers to the vendor master and maintaining their payment details. The second function is invoice processing: receiving invoices, entering them into the system, and coding them. The third function is approval and payment authorisation: approving coded invoices and releasing payments.

When one person controls vendor management and invoice processing, they can create a phantom vendor and submit invoices from that vendor for payment. When one person controls invoice processing and payment approval, they can approve their own submissions without independent review. When one person controls vendor management and payment approval, they can change a legitimate supplier's bank details to their own and then approve payments to the fraudulent account.
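The three conflicting combinations described above can be checked against a system audit trail. The following is an added example, not part of the original article or of any AP product; the event fields, action names, users and invoice ids are constructed assumptions, and the check ignores the order in which events occurred.

```python
from collections import defaultdict
from itertools import combinations

# The three AP functions named above, keyed by audit action (action names are assumed).
FUNCTION_OF = {
    "vendor_created": "vendor_management",
    "bank_details_changed": "vendor_management",
    "invoice_entered": "invoice_processing",
    "invoice_approved": "approval_payment",
    "payment_released": "approval_payment",
}

# Constructed sample audit trail: (user, action, vendor, invoice)
EVENTS = [
    ("alice", "vendor_created", "V100", None),
    ("bob", "invoice_entered", "V100", "INV-1"),
    ("carol", "invoice_approved", "V100", "INV-1"),
    ("carol", "payment_released", "V100", "INV-1"),
    ("dave", "vendor_created", "V200", None),
    ("dave", "invoice_entered", "V200", "INV-2"),
    ("carol", "invoice_approved", "V200", "INV-2"),
    ("bob", "invoice_entered", "V100", "INV-3"),
    ("bob", "invoice_approved", "V100", "INV-3"),
    ("erin", "bank_details_changed", "V300", None),
    ("bob", "invoice_entered", "V300", "INV-4"),
    ("erin", "payment_released", "V300", "INV-4"),
]

def sod_conflicts(events):
    """Return (invoice, user, function_a, function_b) for each user who
    performed two different AP functions on the same invoice or its vendor."""
    vendor_actors = defaultdict(set)                         # vendor -> users
    invoice_actors = defaultdict(lambda: defaultdict(set))   # invoice -> function -> users
    invoice_vendor = {}
    for user, action, vendor, invoice in events:
        function = FUNCTION_OF[action]
        if function == "vendor_management":
            vendor_actors[vendor].add(user)
        else:
            invoice_actors[invoice][function].add(user)
            invoice_vendor[invoice] = vendor
    findings = []
    for invoice in sorted(invoice_actors):
        roles = dict(invoice_actors[invoice])
        roles["vendor_management"] = vendor_actors[invoice_vendor[invoice]]
        for a, b in combinations(sorted(roles), 2):
            for user in sorted(roles[a] & roles[b]):
                findings.append((invoice, user, a, b))
    return findings
```

On the sample data, INV-1 passes cleanly and INV-2, INV-3 and INV-4 each reproduce one of the three conflicts: phantom-vendor risk, self-approval, and bank-detail change plus payment release.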

Implementing SoD in small businesses

Segregation of duties is straightforward in large organisations with dedicated AP teams. In small Australian businesses with two or three finance staff, strict SoD is harder to achieve without involving senior management or the business owner in the approval process. This is a common gap in small business financial controls, and one that fraudsters targeting small businesses specifically exploit.

Practical approaches for small businesses include: requiring the business owner or director to approve all payments above a defined threshold, using AP automation software that enforces workflow rules and creates a system-generated audit trail (making fraud harder to conceal even if one person touches multiple steps), and involving the accountant or bookkeeper in periodic reviews of vendor master changes and payment history as an independent oversight mechanism.

Segregation of duties and the ATO

The ATO expects businesses to have reasonable internal controls in place, including controls over payment processes. While there is no specific regulation requiring segregation of duties by name, a business that suffers fraud losses due to the absence of basic controls may find the ATO less sympathetic in matters related to GST credits claimed on fraudulent invoices, or in seeking tax deductions for the losses.

More practically, businesses that have been the subject of internal fraud and seek to claim losses or insurance often find that the absence of SoD controls reduces the claim value, since the insurer or legal process may find that the business contributed to the loss through inadequate controls. Implementing SoD is not just a best practice; it is a risk management decision with direct financial consequences when things go wrong.
