Segregation of Duties in Accounts Payable: A Guide

Jul 11, 2026

Try it now, capture a real invoice

Free plan · No credit card · Your data stays yours

Segregation of duties means no single person controls a transaction from start to finish. In accounts payable, that means the person who can add a vendor cannot also approve invoices or release payments. Split the process into five duties, vendor master maintenance, invoice entry, invoice approval, payment release, and reconciliation, and make sure no one holds a combination that would let them both create a payee and pay it. Almost every large AP fraud in the record traces back to one person holding two of those duties.

You will see it written as both segregation of duties and separation of duties. They mean the same thing, and auditors use both. The acronym is SoD.

Why it exists: the fraud it is designed to stop

The classic accounts payable fraud is not complicated. Someone with access to the vendor master file adds a vendor that does not exist, using a bank account they control. Then they enter an invoice from that vendor, approve it, and release the payment. The invoice is modest enough that it never draws attention, and it repeats monthly. Nothing about any single step looks unusual. The fraud is only possible because one person could do all four steps.

Segregation of duties makes that impossible by design rather than by vigilance. It does not depend on anyone noticing anything. It requires a second person to collude, which is a far higher barrier than a single individual acting alone. That is the entire value of the control, and it is why auditors and SOX testers go after it first.

The five duties in accounts payable

DutyWhat it coversThe risk if combined
1. Vendor master maintenanceCreating vendors, editing names, addresses, and bank detailsThe ability to create or redirect a payee
2. Invoice entry and codingRecording the invoice and assigning the GL accountThe ability to create the obligation
3. Invoice approvalAuthorizing that the spend is legitimate and should be paidThe ability to authorize the obligation
4. Payment releaseBuilding the payment run and executing it at the bankThe ability to move the cash
5. Reconciliation and reviewComparing the AP subledger, the bank, and the general ledgerThe ability to conceal the other four

Read that table as five keys. Fraud requires holding more than one of them, and the most dangerous combinations are specific.

The combinations that actually matter

Not every pairing is equally dangerous. If you can only fix a few things, fix these, in this order.

Vendor creation plus invoice approval. This is the fictitious vendor scheme in one person's hands. Whoever can add a payee must never be able to approve what that payee bills. If you enforce only one rule, enforce this one.

Vendor creation plus payment release. Same problem, one step further along. The person who controls where the money is sent should not also be the person who sends it.

Invoice entry plus invoice approval. Self-approval. The person who keys an invoice can key one for anything, at any amount, and wave it through. This is depressingly common in small teams where the AP clerk has an approval limit.

Payment creation plus payment release. Unilateral movement of cash. Building a payment file and releasing it to the bank should always be two people, and most banks support dual authorization on the release itself.

Any processing duty plus reconciliation. The reviewer must not be reviewing their own work. Someone who both processes payments and reconciles the bank can hide a fraudulent payment indefinitely, because they are the only one who would ever see it.

Vendor master file: the duty everyone underestimates

Most companies guard invoice approval carefully and leave vendor master access wide open. That is exactly backwards. Approval limits control how much can be paid. Vendor master access controls who gets paid, and a bank detail change takes seconds and leaves no visible trace on any invoice.

The specific attack to defend against is the bank detail change. A request arrives, apparently from a real supplier you have paid for years, saying their banking has changed. If the person who receives that email can update the vendor record themselves, the next legitimate invoice for that supplier pays a criminal, and everything about the invoice will look perfectly normal, because it is a perfectly normal invoice.

Controls that work:

  • Bank detail changes require verification by callback to a phone number already on file, never a number in the change request itself.
  • The person who makes the change in the system is not the person who verified it.
  • Every vendor master change produces an audit log entry that somebody outside AP reviews.
  • Vendor setup requires documentation on file: a W-9, verified banking, and where the vendor works on your property, a valid certificate of insurance.
  • Dormant vendors are deactivated after 12 to 18 months without activity, because a dormant record is an unwatched door.

What to do when your team is too small to segregate

This is the real question for most US businesses, and most guidance dodges it. If your finance team is three people, you cannot split five duties cleanly. The PCAOB and every audit standard acknowledge this. The answer is not to pretend, it is to implement compensating controls: a different control that addresses the same risk the separation would have.

A compensating control only counts if it is genuinely independent, specific, and evidenced. Owner review is the workhorse here:

  • Owner or CEO reviews the payment run before release. Not a summary total, the actual payee list. New payees since the last run should be highlighted. This one control breaks the fictitious vendor scheme even with zero segregation, because the fraudster cannot get their fake vendor past someone who knows every real supplier.
  • Bank statements go somewhere AP cannot touch. Have the bank mail or email statements directly to the owner, who opens them first. If the person who processes payments is also the person who receives the statement, reconciliation is theater.
  • Dual authorization at the bank. Your bank already supports requiring a second approver on ACH and wire release. It is free and it is enforced outside your accounting system, so it survives even if someone has admin rights internally.
  • Monthly review of the vendor master change log. Short, boring, and it catches the change that mattered.
  • Mandatory vacation for AP staff. Ongoing frauds usually require constant maintenance. Two consecutive weeks with someone else in the seat is how a lot of them surface.

Write these down. An undocumented compensating control does not exist as far as an auditor is concerned, and more importantly, it will not survive the next staff change.

How automation enforces SoD without more headcount

The reason segregation of duties fails in practice is that it is enforced by convention. Everyone knows the AP clerk should not approve their own invoices, and then it is quarter end, the approver is on a plane, and someone says just push it through. The control quietly stops existing, and nobody is quite sure when.

Software enforces it structurally instead. Role-based permissions mean the person who enters an invoice is technically incapable of approving it: the button is not there. Approval routing sends the invoice to the budget owner by rule, not by whoever is nearby. Vendor master changes require a second approval before they take effect. Payment release requires a role that the invoice processor does not hold. And every action is timestamped and attributed, so the audit trail is a byproduct rather than a reconstruction project.

This is also the only way small teams get real segregation. You cannot hire three more people to satisfy an audit, but you can make the system refuse to let one person do two incompatible things, and route the second approval to the owner on their phone. The control stops depending on discipline.

What auditors will ask for

Expect these requests, and notice that every one of them is about evidence, not intent:

  • A current user access listing showing who holds which AP permissions.
  • Proof that the invoice approver is not the invoice preparer, sampled across real transactions.
  • The vendor master change log for the period, with evidence of independent review.
  • Evidence that bank detail changes were verified out of band.
  • Documentation of compensating controls where duties could not be split, and evidence they were actually performed.

The gap auditors find most often is not a missing policy. It is a policy that exists on paper while one person's user account quietly holds permissions that violate it, usually because they covered for someone two years ago and the access was never removed. Review access rights on a schedule, and remove them the day someone changes role.

Frequently asked questions

What is segregation of duties in accounts payable?

Segregation of duties in accounts payable is an internal control that splits the AP process so no one person can complete a payment alone. The five duties are vendor master maintenance, invoice entry, invoice approval, payment release, and reconciliation. Separating them means committing fraud would require collusion between at least two people rather than one person acting alone.

What are the three types of segregation of duties?

Controls are usually grouped as authorization (approving that a transaction should happen), custody (having access to the asset, which in AP means the ability to move cash), and record keeping (entering and reconciling the transaction). No one person should hold more than one of the three. The five AP duties map onto these three categories.

Is segregation of duties required by SOX?

Yes, in effect. SOX Section 404 requires public companies to maintain and assess effective internal control over financial reporting, and segregation of duties is one of the primary controls auditors test. Private companies are not bound by SOX, but insurers, lenders, and acquirers frequently expect the same controls, and the fraud risk exists regardless of who is asking.

What if we are too small to segregate duties?

Use documented compensating controls. The most effective for a small business is owner review of the actual payee list before every payment run, combined with bank statements delivered directly to the owner and dual authorization on payment release at the bank. These address the same risk that separation would, and audit standards explicitly accept them when segregation is impractical.

Who should approve invoices in accounts payable?

The budget owner for the spend, meaning the manager accountable for the cost center or department being charged, and never the person who entered the invoice. Approval should be routed automatically by amount and department rather than chosen ad hoc, and the approver must have no ability to create or edit vendors.

Make the system enforce it

Segregation of duties is not a policy document, it is a set of permissions. If your controls depend on people remembering the rule during a busy week, you do not have a control, you have an aspiration.

AutoPayables enforces the split in the software: role-based access separates entry, approval, and payment, vendor master changes require independent approval, approvals route by policy to the right budget owner, and every action is logged with a name and a timestamp. Read more in our guide to accounts payable internal controls, or see how AP audit software produces the trail your auditors will ask for. If bad actors are the concern, our notes on AP fraud prevention cover the schemes in detail.