Financial Operations
Segregation of Duties: Fraud-Proof Your Business
Implement segregation of duties to prevent fraud & pass audits. Covers internal controls for SMBs, examples, & hiring outsourced controllers.
ByJumpstart Partners, CPA, QuickBooks ProAdvisor
··20 min readYour company is growing. Cash is moving faster, payroll is larger, more vendors are billing you, and your founder approvals still live in Slack, email, and memory. One trusted person is probably holding the whole process together.
That works until it doesn't.
A common version looks like this: your bookkeeper sets up vendors, enters bills, pushes payments, and reconciles the bank account at month end. Nobody designed it that way because it was ideal. You designed it that way because you needed the work done. Then one issue surfaces. A duplicate payment. A vendor that no one remembers approving. A payroll change that doesn't match the offer letter. The problem usually isn't a criminal mastermind. It's a system that lets one person make a mistake and then record over the evidence.
For founders in the $500K to $20M range, segregation of duties is one of the clearest lines between a finance function that is merely operating and one that is protecting the business. If you're still deciding whether you need a bookkeeper or a real control layer above one, this breakdown of bookkeeper vs controller responsibilities is usually where the conversation starts.
Table of Contents
- The Six-Figure Mistake Hiding in Your Finance Team
- What Is Segregation of Duties and Why It Is Not Optional
- Real World SoD Failures in AP AR and Payroll
- The Small Team Dilemma Common SoD Red Flags
- Pragmatic Compensating Controls for Lean Teams
- How to Build Your Audit Ready SoD Matrix
- The Tipping Point When to Outsource Your Controller Function
The Six-Figure Mistake Hiding in Your Finance Team
A founder reviews year-end financials and notices margins are softer than expected. Revenue looked fine all year. Headcount stayed controlled. Nothing felt obviously wrong. Then the cleanup starts.
The finance manager had been doing too much alone. They onboarded vendors, approved routine invoices when the founder was traveling, released ACH payments, and reconciled the bank account after the fact. No one was stealing in plain sight. But no one was independently checking the full transaction path either. Duplicate bills slipped through. Old vendors stayed active. Credits weren't chased. Expenses landed in the wrong periods. Cash leaked because one person controlled too much of the workflow.
Why this gets expensive fast
At a growing SaaS company or agency, small misses stack up:
- A duplicated vendor bill gets paid because the same person entered it and paid it.
- A stale subscription keeps renewing because nobody outside accounting reviews recurring disbursements.
- A payroll change goes through without independent review because the person processing payroll also maintains the employee data.
- A bank reconciliation clears the issue instead of exposing it because the same person who made the error is also verifying the account.
None of that looks dramatic in isolation. Together, it turns into margin erosion, bad reporting, and weak cash visibility.
Founder-level takeaway: if one employee can create, approve, pay, and reconcile the same transaction stream, your business is relying on trust instead of control.
The real cost isn't just fraud
Founders hear "segregation of duties" and think audit jargon. In practice, the first hit is usually operational. You lose confidence in the numbers. Close takes longer because questions get answered from memory. Due diligence gets painful because approvals aren't documented. Team members spend time untangling avoidable issues instead of improving forecasting or collections.
The strongest finance teams make your business harder to exploit and easier to run. That's why segregation of duties belongs in the same conversation as cash forecasting, AP workflow, and board reporting. It's not red tape. It's the structure that keeps a fast-moving company from paying for avoidable mistakes twice. First in cash, then in cleanup time.
What Is Segregation of Duties and Why It Is Not Optional
A founder approves a payment on Friday, closes the laptop, and assumes the process is under control. What often gets missed is who set up the vendor, who entered the bill, who released the payment, and who later reconciled the bank account. If one employee can handle all four steps, the company has a control gap, not an accounting process.
Segregation of duties means splitting key parts of a transaction so one person cannot initiate, approve, execute, and clean up the same activity without independent review. In a larger company, that split may sit across several roles. In a lean team, it may sit across a bookkeeper, a founder, an operations lead, and system approval rules. The principle stays the same. No single person should control both the money and the story told about that money.
The four functions that create risk when combined
The risk usually sits in four functions. Problems start when one person holds more than one high risk combination, especially authorization plus recordkeeping, or custody plus reconciliation.
| Function | What it means in practice | Why combining it creates exposure |
|---|---|---|
| Authorization | Approving a bill, expense report, refund, write-off, or journal entry | The approver can push through a transaction that no one else reviews |
| Custody | Holding checks, cards, bank access, payment platform access, or payroll cash movement rights | The person with access to the asset can move it |
| Recordkeeping | Setting up vendors, posting bills, entering credits, updating employee records, or booking journals | The same person can shape the accounting trail to match the activity |
| Reconciliation | Reviewing bank activity, subledgers, payroll reports, or exception reports | The reviewer can hide the error or misuse after it happens |
ISACA describes authorization, custody, recordkeeping, and reconciliation as incompatible duties because the same person can both cause and conceal the problem if those responsibilities are combined (ISACA's practical guidance on implementing segregation of duties).
This matters even more in small companies because software creates a false sense of separation. Two people may touch a workflow, but permissions inside QuickBooks Online, Bill.com, Ramp, Gusto, or the bank can still leave one person with end to end control. I see this often with founders who believe approval is covered because they sign off on payments, while the same employee still controls vendor setup, invoice entry, and account reconciliation.
That is why segregation of duties is a design decision, not just a staffing decision. You need to assign who can initiate, who can approve, who can release cash, and who can verify after the fact. If your process map does not show those handoffs clearly, use a written control framework such as this overview of financial controls for growing businesses.
Lean teams will not get perfect separation on day one. That is normal. The mistake is pretending partial coverage is enough when the transaction volume, payroll count, and cash movement have already outgrown the team. If you are also tightening policy controls outside finance, this guide to compliance and risk management from LeaveWizard gives a useful broader lens on how operational controls support governance.
Segregation of duties is required because trust does not scale. Once one employee can create, approve, pay, and reconcile the same stream of transactions, the company is one missed review away from an expensive mistake.
Real World SoD Failures in AP AR and Payroll
The easiest way to understand segregation of duties is to watch what happens when it's missing. The risk isn't abstract. It shows up in routine workflows that founders assume are under control.
Accounts payable and the ghost vendor problem
Accounts payable breaks fast when one person can create a vendor, enter the bill, approve the payment, and release the cash. That's an end-to-end path with no independent checkpoint.
Worked example:
- 5 fake invoices
- $3,500 per invoice
- Total paid = $17,500
That money can leave the bank before quarter close if nobody outside the process reviews vendor setup, approval, and payment release.
A founder usually discovers this one in reverse. They notice an unfamiliar vendor name, or a vendor address that matches an employee, or payments that don't match a purchase order history. By then, the transaction trail is already "clean" in the accounting system because the same person built the vendor record and posted the bills.
A simple control would have broken the chain: split vendor creation from payment approval, or require founder review of new vendor setups before the first payment.
Accounts receivable and the lapping pattern
AR fraud often gets less attention because founders focus on money going out, not money coming in. But if one person receives customer payments, posts them to the ledger, and adjusts receivables, they can steal a payment and cover the gap by misapplying later customer cash.
The warning signs aren't dramatic at first:
- Old AR balances that never fully clear
- Customer complaints about payment application
- Frequent credits or write-offs without a clear approval trail
- Messy month-end cleanups in receivables
If you want a reminder of how easily accounting records can be manipulated when controls are weak, this article on what cooking the books means in practice is a useful companion read.
Payroll and the ghost employee setup
Payroll risk shows up when the same person can add an employee, change pay details, and process payroll. That's enough control to create a fake employee, reroute funds, or alter compensation without a true second review.
| Workflow | High-risk combination | Control that breaks the chain |
|---|---|---|
| AP | Create vendor + approve invoice + release payment | Separate vendor master control from payment approval |
| AR | Receive payment + post receipt + adjust AR | Independent review of adjustments and customer account activity |
| Payroll | Add employee + edit pay data + run payroll | HR-approved employee setup and manager review before payroll submission |
Practical rule: if one user can complete the transaction lifecycle inside the same process, you don't have segregation of duties. You have a single point of failure.
This is why the control objective isn't merely splitting roles on paper. The objective is making sure one person cannot complete the full transaction cycle and then verify their own work.
The Small Team Dilemma Common SoD Red Flags
Founders push back on segregation of duties for one understandable reason. They don't have a ten-person accounting department. They have a bookkeeper, an operations lead, and maybe a founder who approves payments from a phone between meetings.
That objection is real. Perfect segregation isn't possible in a lean team.
The mistake is assuming that because you can't get to the ideal model, you should ignore the issue entirely. The better question is simpler: where do you have unreviewed combinations of duties right now?
Red flags founders should check this week
A CPA source focused on small-business controls recommends compensating measures such as having a second person receive and review bank statements before the bookkeeper, using read-only bank access for that reviewer, and performing surprise audits one or twice a year when full separation isn't practical (CPA Hall Talk on segregation of duties and compensating controls).
Use that logic to scan for these red flags:
- Your bookkeeper receives bank statements first. If the same person books transactions and sees the bank statement before anyone else, they control both the records and the first layer of review.
- One person can add vendors and pay them. That combination is too much power in AP.
- The same employee runs payroll and updates employee pay details. Errors and intentional changes are harder to catch.
- Expense reimbursements approve themselves in practice. A manager may not formally approve every payment, especially in a fast-moving team.
- Bank reconciliations happen late and without follow-up. Reconciliation that exists only to "get the month closed" doesn't function as a control.
What does and doesn't matter
Some founders obsess over tiny process imperfections and miss the actual risk. It doesn't matter whether your process looks elegant in a policy manual. It matters whether an independent person reviews the dangerous handoffs.
What works is documented oversight.
What doesn't work is saying, "I trust my team."
You should trust your team. You should also design controls that don't require blind trust to keep cash safe.
Pragmatic Compensating Controls for Lean Teams
Friday at 4:30 p.m., your bookkeeper queues a payment batch, updates a vendor record, and finishes the bank reconciliation before heading out. If one person can do all three without a second set of eyes, a bad vendor setup or a duplicate payment can clear the bank before anyone notices. That is a fundamental small-team SoD problem. Too few people, too many permissions, and review happens after the money is gone.
When headcount is tight, the answer is not a long policy manual. It is a short control stack aimed at the points where cash leaves the business or records can be changed without review. For lean teams, the rule is simple: separate what you can, document the rest, and make sure the highest-risk steps have independent review.
A practical control stack for small finance teams
| Risk area | Low-cost control | Owner |
|---|---|---|
| Bank activity | Founder or manager receives bank statements first and scans unusual items before bookkeeping starts | Founder or operator |
| Vendor payments | New vendors require separate approval before first payment | Founder, ops lead, or manager |
| Bill pay | Payment runs are reviewed against supporting invoices before release | Approver outside bookkeeping |
| Payroll | Employee changes are tied to approved hiring or compensation records | Founder, HR, or department lead |
| Reconciliations | Bank and credit card reconciliations are reviewed, not just prepared | Controller, founder, or outside reviewer |
| Surprise review | Periodic spot checks on vendors, payroll changes, and journal entries | Founder or outside accountant |
What to put in place immediately
Start with disbursements. That is where small companies lose money fastest.
- Send bank statements to a reviewer before the bookkeeper. The reviewer can be the founder, ops lead, or outside accountant. The key is that this person sees cleared transactions before the person posting entries does.
- Use read-only bank access for oversight. Review does not require payment authority.
- Require two steps for vendor setup and payment release. One person can enter the vendor or prepare the payment batch. A different person approves the vendor and releases the money.
- Match payroll changes to written support. Pay rate changes, bonuses, and new hires should tie back to an approved offer letter, compensation memo, or HR record.
- Review reconciliations within days, not weeks. A late reconciliation is mostly a reporting task. A prompt review can still catch an unauthorized transfer or duplicate withdrawal.
- Use software to force approvals into the workflow. If approvals still happen in Slack or by verbal okay, you do not have a control. Approval routing in AP software creates evidence and cuts down on skipped review. If you are cleaning up bill pay, this guide on how to automate accounts payable walks through the setup.
A control only counts if someone can prove it happened.
“I usually look at the account” is not a control. “Founder reviews every payment batch over the set threshold in Bill.com, checks supporting invoices, and approves inside the system before release” is a control.
Where lean teams usually over-patch
Founders often add one more approval and assume the problem is solved. Sometimes it is. Often it is not.
If the same person can create a vendor, change banking details, and prepare the payment, adding a casual final approval does not fix the core exposure unless the approver reviews the change log and supporting documents. The same logic applies to payroll. If payroll changes are approved only after payroll runs, the review is too late to prevent the error or fraud.
This is the trade-off. Patching works for a while, especially below a modest transaction volume. It starts to break when the founder becomes the approval bottleneck, reconciliations slip, or review turns into a rubber stamp because there are too many items to check carefully.
What doesn't work
Controls fail when they live in memory instead of in the process.
Write the rule down. Assign the owner. Set the approval threshold. Keep the evidence in the system or close file. Once your team cannot do that consistently, you are near the point where a dedicated controller function costs less than the mistakes it is supposed to catch.
How to Build Your Audit Ready SoD Matrix
Once the urgent holes are patched, document your process in a simple segregation of duties matrix. With this, many companies level up. They stop talking about duties in vague job-title language and start mapping actual tasks to actual system permissions.
That shift matters because modern segregation of duties is also an access design issue. SailPoint makes the point clearly: in cloud-based finance systems, the key question is not only who does what, but which access rights, workflows, and permissions create hidden conflicts across the finance stack (SailPoint on segregation of duties and identity access).
Sample Segregation of Duties Matrix
| Financial Task | AP Clerk | Controller | CEO/Founder |
|---|---|---|---|
| Create Vendor | Yes | Review | No |
| Approve New Vendor | No | Yes | Review for sensitive vendors |
| Enter Invoice | Yes | Review exception items | No |
| Approve Invoice | No | Yes | Yes for selected spend categories |
| Initiate Payment | Yes | Review batch | No |
| Release Payment | No | Yes | Yes for high-risk or high-value disbursements |
| Post Journal Entry | Prepare support | Yes | No |
| Approve Journal Entry | No | Yes | Review material entries |
| Reconcile Bank | Prepare | Review and sign off | Review summary |
| Add User Permissions | No | Request only | Approve access changes |
How to use the matrix in real systems
In QuickBooks Online, NetSuite, Bill.com, Gusto, and similar tools, don't stop at assigning roles by title. Check the exact permissions attached to each role:
- Can the same user create and approve? That's the first conflict to remove.
- Can the same user change master data and move money? That's the second.
- Can the same user post entries and clear the account? That's where close integrity breaks down.
- Can anyone grant themselves more access? If yes, your access model is already compromised.
Keep the matrix useful
A good matrix is short enough to maintain. Start with your most sensitive workflows:
- Procure to pay
- Order to cash
- Payroll
- Record to report
- User access administration
Review it whenever you change systems, onboard a new finance employee, or shift responsibilities during growth. The matrix doesn't need to impress an auditor on day one. It needs to tell you where one person still has too much control.
If your finance process lives in software, your segregation of duties policy has to live there too.
The Tipping Point When to Outsource Your Controller Function
There comes a stage where patching controls around a thin team stops being efficient. The founder is still reviewing payment batches. The bookkeeper is still carrying too much of the close. The ops lead is helping with approvals but doesn't really own accounting judgment. Controls exist, but only because a few people are working around the process every week.
That setup becomes fragile as the business scales.
The tipping point usually hits when revenue, transaction volume, and reporting expectations all rise at the same time. For many growing companies, that shows up somewhere in the $2M to $5M revenue range. At that stage, the issue isn't just workload. It's the cost of continuing with a finance design where one absence, one rushed approval, or one permissions mistake can undermine the entire control environment.
Signs you've outgrown patchwork controls
| Signal | What it usually means |
|---|---|
| Close drags on and key reconciliations feel reactive | Review is happening late instead of as a control point |
| Founder approves too many financial details personally | The business lacks an intermediate control layer |
| Bank, AP, payroll, and reporting all rely on the same person | Role concentration is too high |
| You're preparing for diligence, lending, or an audit | Informal controls won't hold up under scrutiny |
| Access rights in finance tools haven't been reviewed recently | Software permissions no longer match actual responsibilities |
Why outsourcing fixes the real problem
Hiring a full-time controller isn't always the right first move. Early on, many companies need stronger design and review before they need another internal manager. An outsourced controller function can create separation between preparation, review, approval, and close management without forcing you to build a complete in-house department immediately.
That isn't giving up control. It's formalizing it.
You get someone who can redesign workflows, review reconciliations, challenge unusual entries, structure approvals, and keep the control environment consistent even when internal staff are stretched. If you're weighing the trade-off, this comparison of in-house vs outsourced controller options is the right place to pressure-test the decision.
The founder's job is not to personally catch every duplicate bill or payroll anomaly. The founder's job is to make sure the business has a finance structure that catches them without heroic effort.
If your finance team is still relying on trust, memory, and founder inbox approvals, it's time to tighten the structure. Jumpstart Partners helps growing SaaS, agency, and service businesses build controller-level processes that improve segregation of duties, clean up approvals, and create audit-ready financial operations without the overhead of a full in-house team.