Designing Internal Controls: Segregation of Duties (SoD) and Authorization Levels

Internal Control Procedures: A professional guide on how to design Internal Controls via Segregation of Duties (SoD), defining authorization levels, and linking them to document cycles to reduce fraud and error risks—Digital Salla.

First, establish the basics: Practical COSO Framework Application — To understand where these procedures fit within the overall 5-component COSO model.
Core Principle: Collusion is much harder than solo theft. By separating “Approval” from “Custody,” you create a system that checks itself in real-time.
What will you learn in this guide?
  • What is Segregation of Duties (SoD) and which roles must never overlap?
  • How to design an Authorization Matrix (Limits of Authority).
  • Linking controls to the Document Cycle (Purchase Order, Receipt, Invoice).
  • Practical examples: SoD in Cash, Inventory, and Payroll management.
  • Identifying “Conflict of Interest” points in digital accounting systems.
Practical Note: For small businesses with few staff, full SoD might be impossible. In such cases, Management Oversight and surprise spot-checks become the primary compensating controls.

1) The Concept of Segregation of Duties (SoD)

Segregation of Duties (SoD) is an internal control principle designed to prevent error and fraud by ensuring that no single individual is in a position to both perpetrate and conceal errors or fraud in the normal course of their duties.

Management Rule: A transaction should pass through at least two pairs of eyes before cash leaves the company bank account.

2) The Three Phases of a Transaction (The ARC Rule)

To achieve effective segregation, the following three responsibilities must be held by different people:

  1. Authorization (A): Approving the transaction (e.g., Department Head).
  2. Recording (R): Entry into the ledger (e.g., Accountant).
  3. Custody (C): Handling the physical asset (e.g., Cashier or Storekeeper).

3) The Security Triangle (Visual Logic)

Why does breaking the triangle give one person “Total Control”?

Figure: The SoD Security Triangle (Transaction Integrity Triangle), with Authorization (Who Approves?), Recording (Who Enters Data?) and Custody (Who Holds the Asset?) as its three separate corners.
If one person holds two corners (e.g., Recording + Custody), they can steal an asset and write it off in the books to hide the theft.

4) Designing the Authorization Matrix

An Authorization Matrix (Delegation of Authority) defines who can sign what and up to what amount.

Sample Limits of Authority

| Transaction Type            | Amount Range     | Authorized Person        |
|-----------------------------|------------------|--------------------------|
| Operating Expense           | Up to $1,000     | Department Manager       |
| Operating Expense           | $1,001 – $10,000 | Division Director / CFO  |
| Capital Expenditure (CapEx) | Over $10,000     | CEO / Board of Directors |
| New Vendor Creation         | Any              | Procurement Committee    |
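The ARC rule of sections 2–3 and the authorization matrix above can both be checked mechanically against an ERP's user-permission export. The following is an added example, not code from the article or from any ERP product; the permission names, phase mapping, user accounts and the “toxic pair” list are constructed assumptions, while the amount bands and roles are taken from the sample table. Each band lists only the roles the table names for it; whether a higher level may also sign smaller amounts is a policy choice the table does not state, so the code does not assume it.

```python
from __future__ import annotations

# Added example: SoD conflict scan (ARC rule) and authorization-matrix check.
# Permission names, phase mapping and user accounts are constructed sample data.

# The ARC rule: every permission belongs to exactly one phase.
PHASE_OF_PERMISSION = {
    "approve_purchase": "A",    # Authorization
    "approve_payment": "A",
    "create_vendor": "R",       # Recording (vendor master data)
    "post_journal": "R",
    "update_ar_ledger": "R",
    "receive_checks": "C",      # Custody
    "release_payment": "C",
}

# Combinations the article calls out by name; reported on top of the generic
# "holds two corners of the triangle" finding so the report is self-explanatory.
TOXIC_PAIRS = {
    frozenset({"receive_checks", "update_ar_ledger"}),   # cash: custody + recording
    frozenset({"create_vendor", "release_payment"}),     # create a vendor AND pay it
}


def sod_conflicts(user_permissions: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {user: [finding, ...]} for every user whose permissions breach SoD."""
    findings: dict[str, list[str]] = {}
    for user, perms in user_permissions.items():
        issues = []
        phases = sorted({PHASE_OF_PERMISSION[p] for p in perms if p in PHASE_OF_PERMISSION})
        if len(phases) > 1:
            issues.append("holds more than one ARC corner: " + "+".join(phases))
        for pair in sorted(TOXIC_PAIRS, key=sorted):
            if pair <= perms:
                issues.append("toxic pair: " + " + ".join(sorted(pair)))
        if issues:
            findings[user] = issues
    return findings


# The article's sample Limits of Authority as (type, lower bound exclusive or
# None, upper bound inclusive or None, roles named for that band).
AUTH_MATRIX = [
    ("Operating Expense", 0, 1_000, {"Department Manager"}),
    ("Operating Expense", 1_000, 10_000, {"Division Director", "CFO"}),
    ("Capital Expenditure (CapEx)", 10_000, None, {"CEO", "Board of Directors"}),
    ("New Vendor Creation", None, None, {"Procurement Committee"}),
]


def required_approvers(tx_type: str, amount: float) -> set[str] | None:
    """Roles allowed to authorize the transaction, or None when no band covers it
    (e.g. an operating expense above $10,000), which should force an escalation."""
    for band_type, low, high, roles in AUTH_MATRIX:
        if band_type != tx_type:
            continue
        if (low is None or amount > low) and (high is None or amount <= high):
            return roles
    return None


def is_authorized(tx_type: str, amount: float, approver_role: str) -> bool:
    """True only if the approver's role appears in the band that covers the amount."""
    roles = required_approvers(tx_type, amount)
    return roles is not None and approver_role in roles


# Constructed user-permission export, as an ERP role review would produce it.
SAMPLE_USERS = {
    "alice": {"approve_purchase", "approve_payment"},             # A only: clean
    "bob": {"post_journal"},                                       # R only: clean
    "carol": {"receive_checks", "update_ar_ledger"},               # section 6.1 breach
    "dave": {"create_vendor", "post_journal", "release_payment"},  # the Action Step case
}

if __name__ == "__main__":
    for user, issues in sod_conflicts(SAMPLE_USERS).items():
        print(user, issues)
    print(is_authorized("Operating Expense", 5_000, "Department Manager"))   # False
```

Run against a real permission export, the `sod_conflicts` report is the list of accounts to discuss with management; a conflict that cannot be removed for staffing reasons is where a documented compensating control (section 8, FAQ) belongs.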

5) Controls in the Document Cycle (Three-Way Match)

In the Purchase-to-Pay cycle, the primary control is the Three-Way Match. You only pay an invoice if it matches two other documents:

  1. Purchase Order (PO): What we Ordered.
  2. Receiving Report (GRN): What we Received.
  3. Vendor Invoice: What we are Billed.
Related topic: Tax Invoice Mandatory Data — To ensure the “Vendor Invoice” part of the match meets regulatory and tax standards.
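The three-way match above is the control an accounts-payable system runs before releasing an invoice for payment. The following is an added example, not the article's own material or any ERP's implementation; the document numbers, SKUs, quantities and prices are constructed, and the optional price tolerance is an assumption (real policies often allow a small variance, and the article itself does not state one).

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

# Added example: three-way match of invoice lines against PO and GRN lines.
# Document numbers, SKUs, quantities and prices are constructed sample data.


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price: Decimal | None = None   # a receiving report carries quantities only


@dataclass(frozen=True)
class Document:
    number: str
    lines: tuple[Line, ...]

    def by_sku(self) -> dict[str, Line]:
        return {line.sku: line for line in self.lines}


def three_way_match(po: Document, grn: Document, invoice: Document,
                    price_tolerance: Decimal = Decimal("0.00")) -> list[str]:
    """Return the list of exceptions; an empty list means the invoice may be paid.

    Every invoice line must (1) exist on the PO, (2) not exceed the quantity the
    GRN says was received, (3) not exceed the quantity ordered, and (4) carry the
    PO unit price within the tolerance. Lines that fail go to a human, not to 'Pay'."""
    exceptions: list[str] = []
    ordered, received = po.by_sku(), grn.by_sku()
    for line in invoice.lines:
        tag = f"{invoice.number} {line.sku}"
        if line.sku not in ordered:
            exceptions.append(f"{tag}: billed but not on {po.number}")
            continue
        po_line = ordered[line.sku]
        received_qty = received[line.sku].qty if line.sku in received else 0
        if line.qty > received_qty:
            exceptions.append(f"{tag}: billed {line.qty}, {grn.number} shows {received_qty} received")
        if line.qty > po_line.qty:
            exceptions.append(f"{tag}: billed {line.qty}, {po.number} ordered {po_line.qty}")
        if (line.unit_price is None or po_line.unit_price is None
                or abs(line.unit_price - po_line.unit_price) > price_tolerance):
            exceptions.append(f"{tag}: unit price {line.unit_price} vs PO price {po_line.unit_price}")
    return exceptions


# Constructed documents: what we ordered, what we received, what we are billed.
PO = Document("PO-1001", (
    Line("A100", 10, Decimal("25.00")),
    Line("B200", 5, Decimal("100.00")),
))
GRN = Document("GRN-5001", (
    Line("A100", 10),
    Line("B200", 4),            # short delivery: one unit still outstanding
))
INVOICE_OK = Document("INV-9001", (
    Line("A100", 10, Decimal("25.00")),
    Line("B200", 4, Decimal("100.00")),
))
INVOICE_BAD = Document("INV-9002", (
    Line("A100", 10, Decimal("27.50")),   # price crept up against the PO
    Line("B200", 5, Decimal("100.00")),   # bills the unit never received
    Line("C300", 1, Decimal("10.00")),    # never ordered at all
))

if __name__ == "__main__":
    print(three_way_match(PO, GRN, INVOICE_OK))     # []
    for e in three_way_match(PO, GRN, INVOICE_BAD):
        print(e)
```

The match is deliberately driven by the invoice: an over-delivery on the GRN that nobody bills is a receiving issue, not a payment risk, whereas every billed line must be justified by both the PO and the GRN before it can reach the payment step.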

6) SoD Examples by Department

6.1 Cash Management

The person who receives customer checks (Custody) must not be the same person who updates the Accounts Receivable ledger (Recording).

6.2 Inventory Control

The storekeeper (Custody) should never perform the Physical Year-end Count (Independent Verification). The count must be done by the finance team or internal audit.

6.3 Payroll

The HR manager who adds a “New Employee” to the system must not be the same person who “Approves the Bank Transfer” for monthly wages.

Deep dive: Payroll Reconciliation — To see how monthly matching acts as a “Detective Control” to find payroll SoD breaches.

7) Digital Controls in Accounting Systems

In modern ERP systems, segregation is handled via User Roles and Permissions:

  • Sequential Numbering: Ensuring no missing invoices or duplicate entries.
  • Audit Trail: A log that records every change, who made it, and when.
  • Forced Approval Workflows: The system prevents an accountant from clicking “Pay” until a manager has clicked “Approve.”
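The three digital controls above can be shown together in a few dozen lines: a workflow that refuses “Pay” until a different user has recorded “Approve”, an audit trail that logs every attempt (including refused ones) and cannot be edited through the workflow, and a gap check over sequentially numbered documents. This is an added example, not the article's code or any ERP's; the user names, the `INV-0001` numbering style and the state names are constructed assumptions. It also enforces that the same user cannot enter and approve, or approve and pay, which is the Dual Authorization the Action Step at the end asks you to verify.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example: forced approval workflow with an append-only audit trail, plus
# a sequence-gap check. Users and document numbers are constructed sample data.


@dataclass(frozen=True)
class AuditEvent:
    when: str     # UTC timestamp
    user: str     # who acted, or who was refused
    action: str   # ENTER / APPROVE / PAY / DENY
    detail: str   # document, and the reason for a refusal


class PaymentWorkflow:
    """An invoice moves ENTERED -> APPROVED -> PAID. 'Pay' cannot happen without a
    prior 'Approve' by a different user, and every attempt, refused or not, is
    written to an audit trail that callers can read but not modify."""

    def __init__(self) -> None:
        self._state: dict[str, str] = {}
        self._actor: dict[tuple[str, str], str] = {}   # (invoice, action) -> user
        self._trail: list[AuditEvent] = []

    @property
    def audit_trail(self) -> tuple[AuditEvent, ...]:
        return tuple(self._trail)                       # read-only copy

    def _log(self, user: str, action: str, detail: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self._trail.append(AuditEvent(stamp, user, action, detail))

    def _deny(self, user: str, invoice: str, reason: str) -> None:
        self._log(user, "DENY", f"{invoice}: {reason}")   # refusals are evidence too
        raise PermissionError(f"{invoice}: {reason}")

    def _advance(self, user: str, invoice: str, action: str, new_state: str) -> str:
        self._state[invoice] = new_state
        self._actor[(invoice, action)] = user
        self._log(user, action, invoice)
        return new_state

    def enter(self, user: str, invoice: str) -> str:
        if invoice in self._state:
            self._deny(user, invoice, "already entered")
        return self._advance(user, invoice, "ENTER", "ENTERED")

    def approve(self, user: str, invoice: str) -> str:
        if self._state.get(invoice) != "ENTERED":
            self._deny(user, invoice, "not awaiting approval")
        if self._actor[(invoice, "ENTER")] == user:
            self._deny(user, invoice, "cannot approve own entry")
        return self._advance(user, invoice, "APPROVE", "APPROVED")

    def pay(self, user: str, invoice: str) -> str:
        if self._state.get(invoice) != "APPROVED":
            self._deny(user, invoice, "no approval on file")
        if self._actor[(invoice, "APPROVE")] == user:
            self._deny(user, invoice, "approver cannot also release payment")
        return self._advance(user, invoice, "PAY", "PAID")


def find_sequence_gaps(numbers: list[str]) -> tuple[list[int], list[int]]:
    """Return (missing, duplicated) sequence numbers for documents like 'INV-0007'.
    A missing number means a document left the sequence unrecorded; a duplicate
    means two documents claim the same number."""
    seen: dict[int, int] = {}
    for number in numbers:
        match = re.fullmatch(r"[A-Z]+-(\d+)", number)
        if not match:
            raise ValueError(f"unrecognised document number: {number}")
        key = int(match.group(1))
        seen[key] = seen.get(key, 0) + 1
    if not seen:
        return [], []
    missing = [k for k in range(min(seen), max(seen) + 1) if k not in seen]
    duplicates = sorted(k for k, count in seen.items() if count > 1)
    return missing, duplicates
```

In a real system the trail would be written to storage the accounting users cannot alter; the point the class makes is only that the log is produced by the control itself, so a refused “Pay” leaves the same kind of evidence as a successful one.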

8) Operational Controls & Readiness Checklist

To evaluate your Control Procedures today:

SoD Quality Gate Checklist

  1. Are user passwords in the accounting system changed every 90 days?
  2. Is there a formal list of “Who can sign checks/authorize transfers”?
  3. Do we perform surprise Petty Cash counts?
  4. Are “New Vendors” verified for existence (Tax ID check) before payment?
  5. Is the Master Budget used to block over-spending automatically?
Deep dive: Master Budgeting — Because a “Budget vs. Actual” variance report is the ultimate monitoring control to find unauthorized activity.

9) Common Errors and How to Prevent Them

  • Sharing Passwords: Managers giving their credentials to accountants to “Speed up” work. This destroys the audit trail.
  • The Trusted Employee Trap: Bypassing controls because an employee has been with the company for 20 years. Controls are for systems, not for people.
  • Rubber Stamping: Approving transactions without actually looking at the supporting documents (PO/GRN).
  • Ignoring IT Superusers: Allowing the IT head to have “Write” access to the accounting database without oversight.

10) Frequently Asked Questions

What is Segregation of Duties (SoD)?

It is the practice of dividing critical transaction tasks among multiple employees to reduce the risk of errors and fraud.

How can a small company implement SoD with only 2 staff members?

By involving the Owner/Manager in the approval and bank reconciliation phases. If you can’t separate duties, you must increase Direct Supervision.

What is a Compensating Control?

It is an alternative procedure (like a higher-level review) used when a primary control (like SoD) cannot be implemented due to cost or staffing limits.

11) Conclusion

Designing Control Procedures is the art of building a “Self-Correcting System.” By strictly enforcing Segregation of Duties, utilizing a clear Authorization Matrix, and anchoring your transactions in the Document Cycle, you protect the entity’s wealth and the integrity of its data. These procedures don’t just prevent theft; they build Operational Excellence that attracts investors and ensures the long-term sustainability of your organization.

Action Step Now (30 minutes)

  1. Open your payment software (Bank portal or ERP).
  2. Check: Is it possible for One User to create a vendor AND pay them?
  3. If yes, call your IT department immediately to implement Dual Authorization.

© Digital Salla Articles — General educational content for audit, compliance, and internal control purposes.