Segregation of Duties in Accounts Payable
When an AP fraud case is finally uncovered, the post-mortem is almost always the same: one person could do the whole thing. They could set up a vendor, approve its invoices, and release its payments — three steps that should never sit with one set of hands. That concentration is the vulnerability. Segregation of duties is the control that closes it.
Segregation of duties (SoD) is the deliberate splitting of an AP process so that no single person can both create and approve the same transaction. It does not assume anyone is dishonest. It assumes that if completing a fraud requires collusion between two people, most fraud simply will not happen — and honest mistakes get a second set of eyes for free. This guide covers the conflicts that matter, how small teams can still apply it, and how to enforce it without paralyzing AP.
Not every separation is equally important. A handful of role combinations account for the large majority of AP fraud risk, and those are the ones to separate first.
The AP duty conflicts to separate first
- Vendor setup vs. payment approval — the person who can create a vendor must not be able to approve payments to it (this enables fictitious-vendor schemes)
- Invoice approval vs. payment release — the person who approves an invoice should not be the one who executes the payment
- Vendor bank-detail changes vs. payment approval — whoever can change a vendor's bank account must not approve the next payment to it
- Purchasing vs. invoice approval — the person who commits the spend should not be the sole approver of the resulting invoice
- Approval vs. bank reconciliation — whoever approves payments should not be the one reconciling the bank statement that would reveal an anomaly
The vendor-setup-plus-approval combination is the most dangerous in AP. A fictitious-vendor scheme requires exactly those two abilities in one person. If you separate only one conflict, separate that one.
The standard objection is real: 'We have three people in accounting — we cannot separate five duties.' True. But small teams are not exempt from the risk; they are exposed to more of it, because concentration is unavoidable. The answer for small teams is not full separation — it is compensating controls.
If the same person must set up vendors and approve invoices, then a second person — an owner, a controller, a CFO — reviews a report of all new vendors and all bank-detail changes every month. The duties are not separated, but the second look reintroduces the missing eyes. The control is preserved even when the headcount is not there to split it cleanly.
~0%
Estimated share of annual revenue lost to occupational fraud, with smaller organizations hit hardest (ACFE Report to the Nations)
Even when a company designs segregation of duties correctly, it erodes in practice. An approver is on vacation, so someone steps in 'just this once.' A clerk gets temporary access to clear a backlog and it is never revoked. The org chart says the duties are separate; the day-to-day reality drifts. Manual SoD depends on everyone remembering the rules under deadline pressure — and that is exactly when it fails.
“Our segregation of duties was perfect on paper. Then year-end pressure hit, the controller was out, and for three weeks one person was setting up vendors and releasing payments. Nothing went wrong — that time. We realized the policy meant nothing if the system did not enforce it.”
— CFO, regional construction firm
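The drift described above can be caught by auditing the access people actually hold instead of the org chart. The following is an added example, not code from the original article or from any product; the duty labels, user names and grant records are constructed for illustration, and the five pairs mirror the conflict list earlier in this guide.

```python
from datetime import date

# The five conflicting duty pairs from the list above (labels are this example's own).
CONFLICTS = [
    ("vendor_setup", "payment_approval"),
    ("invoice_approval", "payment_release"),
    ("vendor_bank_change", "payment_approval"),
    ("purchasing", "invoice_approval"),
    ("payment_approval", "bank_reconciliation"),
]

# Constructed sample of grants still present in the system: (user, duty, expires).
# expires=None is a permanent grant; a date marks a grant meant to be temporary.
GRANTS = [
    ("alice", "vendor_setup", None),
    ("alice", "payment_approval", date(2024, 1, 15)),  # vacation cover, never revoked
    ("bob", "invoice_approval", None),
    ("bob", "purchasing", None),
    ("carol", "payment_release", None),
    ("carol", "bank_reconciliation", None),
]

def audit(grants, today):
    """Return sorted findings (user, duty_a, duty_b, cause) for each conflict held."""
    held = {}
    for user, duty, expires in grants:
        held.setdefault(user, {})[duty] = expires
    findings = []
    for user, duties in held.items():
        for a, b in CONFLICTS:
            if a in duties and b in duties:
                # A temporary grant past its end date is the drift case.
                stale = [d for d in (a, b) if duties[d] and duties[d] < today]
                cause = ("stale temporary grant: " + ", ".join(stale)
                         if stale else "active assignment")
                findings.append((user, a, b, cause))
    return sorted(findings)
```

Findings with an "active assignment" cause are the ones a small team would cover with the monthly compensating review; stale grants should simply be revoked.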
The fear with segregation of duties is that it adds friction — more handoffs, more waiting. Designed well, it does not. The key is that enforcement should be automatic and invisible until it is needed: the system simply will not let the person who created a vendor approve its first payment, and routes it to someone else. There is no policy to remember, and no extra step for the 99% of transactions where one person was never going to do all the jobs anyway.
Good SoD enforcement is conditional, not blanket. It should intervene only on genuine conflicts — the same person trying to both create and approve — and stay out of the way otherwise. Blanket extra approvals on every invoice train people to rubber-stamp.
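A conditional check of this kind can be sketched as follows. This is an added example, not code from the original article or from any product; the event names, users, vendor and invoice IDs are constructed, and the rules assumed are the ones this guide names: the vendor's creator, the invoice's uploader, and whoever changed bank details since the vendor's last approved payment are blocked, and the payment is routed to someone else.

```python
# Constructed audit-trail events, oldest first: (action, actor, vendor, invoice)
EVENTS = [
    ("vendor_created", "dana", "V-100", None),
    ("invoice_uploaded", "erin", "V-100", "INV-1"),
    ("payment_approved", "frank", "V-100", "INV-1"),
    ("bank_details_changed", "frank", "V-100", None),
    ("invoice_uploaded", "erin", "V-100", "INV-2"),
]

def conflict_reason(events, user, vendor, invoice):
    """Return why `user` may not approve this payment, or None if no conflict."""
    bank_changer = None  # who changed bank details since the last approved payment
    for action, actor, v, inv in events:
        if v != vendor:
            continue
        if action == "vendor_created" and actor == user:
            return f"{user} created vendor {vendor}"
        if action == "invoice_uploaded" and inv == invoice and actor == user:
            return f"{user} uploaded invoice {invoice}"
        if action == "bank_details_changed":
            bank_changer = actor
        elif action == "payment_approved":
            bank_changer = None  # a later approval has already covered the change
    if bank_changer == user:
        return f"{user} changed bank details for {vendor} since its last payment"
    return None

def route(events, requested, pool, vendor, invoice):
    """Use `requested` unless conflicted, else reroute. Returns (approver, trail)."""
    trail = []  # block reasons, to be written to the audit trail
    for user in [requested] + [p for p in pool if p != requested]:
        reason = conflict_reason(events, user, vendor, invoice)
        if reason is None:
            return user, trail
        trail.append("blocked: " + reason)
    return None, trail  # nobody eligible: escalate rather than allow
```

An approver with no conflict passes through with an empty trail, which is the "invisible until needed" property: the check costs nothing on ordinary transactions.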
Covinly enforces segregation of duties as a built-in rule of the workflow rather than a policy people have to honor. A user who created a vendor or uploaded an invoice cannot also approve it; bank-detail changes route the next payment to a different approver; conflicts are blocked automatically, with the reason recorded in the audit trail. The control holds during year-end crunch and vacations — the moments when manual SoD always slipped before.
Separate the conflicts that matter most, use compensating reviews where the team is too small to split duties, and make enforcement automatic so the control survives pressure. Segregation of duties is not about distrust — it is about making sure no single mistake, or single bad actor, can run all the way to a payment.
Written by
Sarah Blake
Head of Product
Former AP Manager at a $200M construction firm, now leads product at Covinly. Writes about what AP teams actually need from automation — beyond the marketing promises.