Segregation of duties (SoD) remains a core element of a sound internal control environment. At its foundation, it is designed to keep any one individual from being able to initiate, approve, carry out, and conceal a transaction without detection. While the concept itself has stayed the same, the surrounding business environment has changed considerably. For internal audit leaders, that means segregation of duties can no longer be treated as a narrow access matter or a routine compliance task. SoD should be considered within the wider context of business and information technology (IT) risk management.
A Broader, Modern View of Segregation of Duties
In the past, segregation of duties reviews often centered on conflicts within a single ERP platform. That approach aligned with environments built around more centralized technology, stable job responsibilities, and manual approval steps. Today, many business processes extend across multiple applications, cloud-based platforms, and digital workflows. A user may not appear to have a conflict within one system yet may still influence several stages of a process across different systems. Because of this, internal audit leaders need to evaluate segregation of duties through an end-to-end process lens rather than a single-application lens.
This broader view also extends the review beyond finance. Current risk can arise in operational processes, workflow administration, privileged access, and automation tools. For instance, the ability to configure workflows, change approval paths, modify tolerance settings, or build and trigger bots can create the same kind of control weakness as a traditional access conflict. Even when these activities do not align neatly with classic segregation of duties definitions, they can still create openings for fraud, error, or unauthorized activity. Internal audit teams therefore need to understand not only system roles, but also the wider control structure that shapes how work is approved, processed, and monitored.
A Risk-Based Approach
A current approach should also be risk-based. Not every conflict carries the same level of exposure, and organizations should not devote the same level of attention to every exception. More effective programs rank conflicts based on materiality, fraud exposure, transaction volume, and operational effect. This is particularly relevant in organizations where full separation is not always practical. In those situations, compensating controls such as independent review, exception monitoring, supervisory approval, and reconciliation are essential. The central question is not simply whether a conflict exists, but whether it is understood, consciously accepted, and supported by effective mitigation.
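The end-to-end view and the risk ranking described above can be shown in a short added example, which is not part of the original article or of any product. It joins entitlements from several systems by identity, maps them to process stages, flags combinations a single-system review would miss, and sorts unmitigated, higher-risk conflicts first; every user, system, entitlement, rule, and score in it is a constructed assumption.

```python
from collections import defaultdict

# Constructed sample data: (identity, system, entitlement). All names are hypothetical.
ENTITLEMENTS = [
    ("alice", "erp", "create_vendor"),
    ("alice", "payments_portal", "release_payment"),
    ("bob", "erp", "create_vendor"),
    ("bob", "erp", "enter_invoice"),
    ("carol", "workflow_admin", "edit_approval_path"),
    ("carol", "erp", "enter_invoice"),
    ("dave", "erp", "enter_invoice"),
]

# Assumed mapping of entitlement to process stage (procure-to-pay).
STAGE = {
    "create_vendor": "initiate",
    "enter_invoice": "record",
    "release_payment": "execute",
    "edit_approval_path": "approve",  # rerouting approvals is treated as approval power
}

# Assumed conflict rules: stage pairs one person should not hold, with an illustrative score.
RULES = {
    frozenset({"initiate", "execute"}): 9,
    frozenset({"record", "approve"}): 7,
    frozenset({"initiate", "record"}): 4,
}

# Assumed register of conflicts accepted with a compensating control in place.
MITIGATED = {("bob", frozenset({"initiate", "record"}))}

def find_conflicts(entitlements):
    held = defaultdict(lambda: defaultdict(set))  # identity -> stage -> systems granting it
    for user, system, ent in entitlements:
        held[user][STAGE[ent]].add(system)
    findings = []
    for user, stages in held.items():
        for pair, score in RULES.items():
            if not pair <= set(stages):
                continue
            a, b = sorted(pair)
            findings.append({
                "user": user, "stages": (a, b), "risk": score,
                # True when no single system grants both stages (invisible per system).
                "cross_system": not (stages[a] & stages[b]),
                "mitigated": (user, pair) in MITIGATED,
            })
    # Unmitigated conflicts first, then by descending risk score.
    return sorted(findings, key=lambda f: (f["mitigated"], -f["risk"]))
```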
Internal Audit’s Role in Connecting the Dots
Internal audit has an important part in that assessment. Audit should not own segregation of duties, but it can help connect business owners, finance, compliance, and IT to support sound decision-making. That calls for more than identifying technical violations. Internal auditors need to translate conflicts into business consequences, describe what could go wrong, and assess whether management’s response aligns with the level of risk. This calls for stronger capabilities in access governance, process knowledge, analytics, and stakeholder communication.
Identify, Rank and Manage to Support Control Integrity and Business Operations
Maintaining an effective segregation of duties program also calls for ongoing governance. Annual reviews remain important, but they are not enough on their own. Role changes, reorganizations, system updates, and temporary access can all create new conflicts between review cycles. Organizations that are more advanced in this area often combine periodic assessments with targeted monitoring and clearer accountability for remediation. The aim is not perfection. The aim is a control environment in which segregation of duties risks are identified early, ranked appropriately, and managed in a way that supports both control integrity and business operations.
Access the recording of this webcast here:
Modernizing Segregation of Duties: Implications for Internal Audit Leaders
April 21, 2026 | 3-4 PM ET