Segregation of duties is an internal control that splits a process between people so no single person can both commit and conceal an error or fraud.
Segregation of duties (SoD, sometimes called separation of duties) is an internal control that splits the steps of a process between different people, so that no single person can both commit and conceal an error or fraud. The logic is simple: most losses require two acts - doing the thing and hiding the thing - and separating who can do each turns a one-person problem into a conspiracy, which is rarer, riskier, and easier to detect.
The four functions to keep apart
Auditors think of SoD as separating four roles within any process:
- Authorisation - approving the purchase, the checkout, the write-off.
- Custody - physically holding the asset, the stock, or the cash.
- Recording - maintaining the register or ledger the asset appears in.
- Reconciliation - checking that the records match reality.
A process is well segregated when no individual covers two of these for the same transaction. The person who approves a disposal should not be the person who held the asset; the person who keeps the register should not be the one counting against it.
What it looks like in asset management
Equipment is where SoD failures get tangible. The patterns worth enforcing: the employee who wants kit is never the one who approves the spend; the person receiving deliveries is not the person who placed the order; the register’s maintainer does not sign off write-offs; and the annual count is done by someone who neither holds the assets nor keeps their records. Even mundane shared kit - webcams, scanners, loan laptops - benefits from the request-approve-record split, because pooled equipment with no custodian is exactly where quiet attrition happens. Who may do what belongs written down in an asset management policy, not held as tribal knowledge.
Small teams and compensating controls
A three-person company cannot split four functions four ways, and pretending to is its own failure. The honest approach is to rank risks and apply compensating controls where separation is impossible: management review of the audit trail, mandatory documentation of every approval, money thresholds above which a second person must sign, and spot counts by whoever is furthest from the process. SoD also matters enough to security frameworks that ISO 27001 names it as a control in its own right - certification auditors will ask how conflicting duties are separated or, failing that, monitored.
Common mistakes
The control fails in predictable ways. Splitting duties on paper while everyone shares one login defeats the entire point - attribution is what makes separation enforceable. Applying SoD only to money and not to assets misses the easier theft. Ignoring administrator rights is the subtle one: a person who can edit any record can bypass every split, so admin access needs its own review. And rotating one overloaded person through all four functions sequentially is not segregation, it is scheduling.
Segregation of duties in practice
The control only operates if the everyday tools enforce it, because under deadline pressure people route around anything optional. In AMPthilly, the role model separates the functions by design - employees request assets, managers or admins approve them, and every decision is logged in the audit trail under the named approver. However it is implemented, the test is the same: pick any asset that left the building last year and ask whether one person could have made that happen alone, unrecorded.
Related terms
- ISO 27001 Asset Management - the security standard that names segregation of duties as a control
- Information Asset Register - the record-keeping function SoD says should sit apart from custody
- Asset Management Policy - where the who-may-do-what splits get written down
- Acceptable Use Policy - the companion rules for the people holding the assets
- Data Retention Policy - keeps the approval and audit evidence producible later