Segregation of Duties examples: Roles, responsibilities, and risks

Published November 2025
What you will learn
Explore examples of SoD across roles, functions, and industries to reinforce its importance in all organizations. View easy-to-understand, visual examples.

As employees change roles or take on temporary projects, their access needs evolve—creating complexity and risk within business applications.

Without a proper Application Access Governance (AAG) approach in place, excess privilege can accumulate, leading to fraud and loss of data.

When an employee first joins an organization, they’re assigned certain roles within business applications that grant the permissions and entitlements needed to perform their job, such as processing vendor payments. Often-used business applications, such as Enterprise Resource Planning (ERP) systems, contain intricate role and privilege structures in their security models.

As an employee's role evolves, permissions and entitlements may change, requiring updates to their access rights. With a robust AAG approach, organizations can avoid security risks and misalignment between an employee's role and access privileges.

Segregation of Duties (SoD) is an internal control that helps organizations prevent mistakes and fraud within their sensitive business processes. In this blog, we will explore examples of SoD across roles, functions, and industries to reinforce the importance of this internal control as part of your application access governance strategy.

Accounting SoD examples: data integrity for accurate financial reporting

In accounting, ‘business cycles’ are the recurring, process-oriented workflows that initiate, record, and process a company’s financial transactions. To reduce the risk of errors and fraud, SoD ensures no single person controls more than one critical stage of a business cycle. Effective SoD is applied to the tasks within each business cycle to protect financial integrity.

Business cycles represent the fundamental operations of a business and serve as the framework for where strong internal controls must reside. Key accounting and operations business cycles include:

  • Order-to-Cash (O2C) cycle: The process of selling goods and services and collecting payments. This begins with sales orders and ends with the collection and posting of cash.
  • Procure-to-Pay (P2P) cycle: The process of acquiring goods and services. This begins with placing purchase orders and creating vendor master data and ends with paying vendors.
  • Record-to-Report (R2R) cycle: The process of consolidating all financial transactions from other business cycles to prepare and report on financial statements. Key activities include journal entry posting and reconciliations.
  • Hire-to-Retire (H2R) cycle: The process of compensating employees. Key activities include hiring, recording hours, processing payroll, distributing paychecks, and the setup and maintenance of benefits.
  • Inventory cycle: The processes related to managing a company’s inventory. This starts with purchasing raw materials, moves to work-in-progress, and ends with the sale of finished goods.

Segregation of Duties works by dividing important tasks in the business cycle across different individuals to create a system of checks and balances. Within each business cycle, a single transaction can involve four incompatible functions that must be separated:

  • Authorization: approving a transaction
  • Record-keeping: recording the transactions in the ERP or accounting system
  • Custody: handling or having control over an asset, such as cash or inventory
  • Reconciliation: verifying that transactions are valid and accurately recorded

A properly segregated process for selling goods and services, known as Order-to-Cash (O2C), separates the tasks of authorization, record-keeping, custody, and reconciliation:

[Figure: Segregation of Duties Example: Order to Cash Business Cycle]

A properly segregated process for acquiring goods and services, known as Procure-to-Pay (P2P), separates the tasks for authorization, record-keeping, custody, and reconciliation:

[Figure: Segregation of Duties Example: Procure to Pay Business Cycle]

Creating a Segregation of Duties checklist provides a framework to systematically review business cycles and identify the high-risk processes and duties that need to be segregated. An SoD matrix provides a central place for you to document responsibilities and tasks that are part of sensitive business processes, as well as the level of access and entitlements granted to execute each specific task or job function.

Examples of industries where Segregation of Duties is critical

Manufacturing: Inventory Control vs. Inventory Audit

In the manufacturing industry, without adequate SoD in the inventory cycle, a single employee could conceal fraud or errors. For example, a warehouse clerk who has custody of inventory should not also be responsible for record-keeping, such as cycle counts, because that combination provides an opportunity for theft of raw materials or finished goods.

[Figure: Segregation of Duties Example: Manufacturing Inventory Control]

Banking: Loan Origination vs. Loan Approval

In the banking industry, SoD in the loan approval cycle protects financial institutions by ensuring that no single employee can originate, approve, and disburse a loan without independent oversight. For example, a loan officer who has the ability to originate loans should not also be able to approve them, because that combination provides an opportunity for unauthorized lending.

[Figure: Segregation of Duties Example: Banking Loan Designation and Approval]

Pharmaceutical: Quality Control (QC) Labs

In the pharmaceutical industry, data integrity is important for safety and quality control. In pharmaceutical quality control (QC) laboratories, SoD guarantees that no single user can complete, review, and approve the same set of data or documents. This separation strengthens oversight, maintains audit trails, and supports regulatory compliance with HIPAA and FDA requirements.

Below are examples of points in the QC process where inadequate SoD could lead to errors or non-compliance risks:

  • Can users modify or delete data directly from analytical instruments?
  • Can the same person collect, test, and approve the sample?
  • Are sampling and testing responsibilities clearly separated?
  • Is there independent second-person verification for calculations and raw data?
  • Are audit trails independently reviewed?

[Figure: Segregation of Duties Example: Pharmaceuticals Quality Control Lab]

Automated SoD risk analysis and predefined risk rulesets accelerate risk mitigation

Once SoD conflicts are identified, organizations must correct access or implement mitigating controls to manage the risk. Not every conflict requires full remediation; some risks can be accepted when proper safeguards are in place. Effective mitigation balances control with practicality; it wouldn’t make sense to apply a $100 control to protect a $5 asset, for example.

By automating SoD risk analysis and leveraging a predefined risk ruleset, organizations can detect SoD conflicts quickly, and gain visibility into role, duty, and privilege combinations down to the lowest securable object within and across applications. This precision allows teams to identify conflicts, prioritize them based on risk ranking (high, medium, or low), and apply controls and remediations that are both targeted and cost-effective, accelerating audit-readiness and strengthening application access governance.
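As an added illustration (not Delinea or Fastpath code), the sketch below checks user role assignments against a small ruleset built on the four incompatible functions listed earlier and sorts the findings by risk rank. The role names, the "INV" shorthand for the inventory cycle, the user assignments, and the risk ranks given to each function pair are all constructed assumptions.

```python
from itertools import combinations

# Constructed sample data: role names are hypothetical, not from any real ERP.
# Each role grants duties expressed as (business cycle, function).
ROLE_DUTIES = {
    "AP_INVOICE_ENTRY":   {("P2P", "record-keeping")},
    "AP_PAYMENT_APPROVE": {("P2P", "authorization")},
    "AP_PAYMENT_RELEASE": {("P2P", "custody")},
    "BANK_RECONCILE":     {("P2P", "reconciliation")},
    "SALES_ORDER_ENTRY":  {("O2C", "record-keeping")},
    "INV_CLERK_LEGACY":   {("INV", "custody"), ("INV", "record-keeping")},
}
# Assumed ruleset: conflicting function pairs within one cycle, with a risk rank.
RULESET = {
    frozenset({"authorization", "custody"}): "high",
    frozenset({"custody", "record-keeping"}): "high",
    frozenset({"authorization", "record-keeping"}): "medium",
    frozenset({"reconciliation", "record-keeping"}): "medium",
    frozenset({"custody", "reconciliation"}): "medium",
    frozenset({"authorization", "reconciliation"}): "low",
}
USER_ROLES = {
    "alice": ["AP_INVOICE_ENTRY"],
    "bob":   ["AP_PAYMENT_APPROVE", "AP_PAYMENT_RELEASE"],
    "carol": ["SALES_ORDER_ENTRY", "AP_PAYMENT_RELEASE"],   # different cycles
    "dave":  ["AP_INVOICE_ENTRY", "BANK_RECONCILE", "AP_PAYMENT_APPROVE"],
    "erin":  ["INV_CLERK_LEGACY"],                           # conflict inside one role
}
RANK_ORDER = {"high": 0, "medium": 1, "low": 2}

def find_conflicts(user_roles, role_duties, ruleset):
    """Return SoD findings sorted by risk rank, then user, then function pair."""
    findings = []
    for user, roles in user_roles.items():
        held = {}  # cycle -> function -> roles that grant it
        for role in roles:
            for cycle, function in role_duties.get(role, ()):
                held.setdefault(cycle, {}).setdefault(function, set()).add(role)
        for cycle, funcs in held.items():
            for f1, f2 in combinations(sorted(funcs), 2):
                risk = ruleset.get(frozenset({f1, f2}))
                if risk:
                    findings.append({"user": user, "cycle": cycle, "risk": risk,
                                     "functions": (f1, f2),
                                     "roles": sorted(funcs[f1] | funcs[f2])})
    findings.sort(key=lambda f: (RANK_ORDER[f["risk"]], f["user"], f["functions"]))
    return findings

if __name__ == "__main__":
    for f in find_conflicts(USER_ROLES, ROLE_DUTIES, RULESET):
        print(f["risk"], f["user"], f["cycle"], f["functions"], f["roles"])
```

Because duties are resolved per role before pairing, the check catches both access accumulated across several roles (dave) and a single role that bundles conflicting functions (erin), while duties held in different business cycles (carol) are not flagged.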

The Application Access Governance solutions from Fastpath, now part of Delinea, help automate and streamline security, audit, and compliance workflows, including SoD and sensitive access risk analysis. Fastpath Access Control provides prebuilt SoD rulesets based on industry standards and mapped to the unique security models of popular business applications, so you can analyze SoD risk down to the lowest securable object, and across applications.

To learn more, check out our interactive Fastpath Access Control Demo, and take a look at my blog: Assumption-busting strategies for SoD and user access management.
