Segregation of Duties (SOD): Complete Guide with Examples
Segregation of Duties Across All Cycles: Complete 2026 Guide
Master the four-function framework that appears on every AA exam—and understand exactly how to spot and fix SOD deficiencies in any business cycle.
Let me share something I've noticed after teaching hundreds of CIA and AA candidates across India and Asia: segregation of duties (SOD) is one of those topics that sounds simple in definition but trips up even strong students when they face real exam scenarios. The candidates who ace these questions don't just memorize the concept—they develop a framework for analyzing any SOD scenario. That's exactly what we're building today. By the end of this guide, you'll understand the four functions that matter, how to apply them across any business cycle, and most importantly, what examiners are actually looking for in your answers. This isn't just theory; it's a practical system you can use immediately on exams and in audit practice.
Segregation of Duties in 60 Seconds
Before we dive deep, here's what you need to know in a nutshell:
| Question | Answer |
|---|---|
| What is SOD? | Splitting critical responsibilities between different people so no one person controls an entire transaction. |
| Why is it important? | Prevents fraud, errors, and concealment. Reduces the opportunity for anyone to commit and hide misconduct. |
| Four functions? | Authorization (approval), Custody (asset control), Recording (documentation), Reconciliation (independent review). |
| Biggest risk? | One person controlling an entire transaction from start to finish without oversight. |
| Does it stop all fraud? | No. Collusion between two or more employees remains possible—that's why reconciliation is critical. |
What Segregation of Duties Really Means (Beyond the Definition)
I see this mistake constantly: candidates memorize "SOD divides tasks among different people" and think they understand it. But here's the reality—that definition is just the starting point. True segregation of duties is about breaking up the dangerous combinations. It's about asking: What could one person do alone that would be harmful? Then you systematically prevent that person from doing all the pieces.
The core principle: No single person should have unchecked control over a complete transaction—from authorization to custody to recording to reconciliation.
When we talk about SOD, we're talking about separating four critical functions. These aren't random—they're the four points where fraud or error is most likely if one person controls them all. Understanding these four functions is your master key to analyzing any SOD scenario. This framework is used across CIA, ACCA AA, internal audit roles, and SOX compliance programs. Once you learn it, you can apply it anywhere.
The Four Functions Framework: Your Master Key
Here's the framework I teach to every candidate in my audit class. When you encounter any SOD scenario, immediately think about these four functions and which person (or role) should own each one:
Function 1: Authorization
Who approves or initiates a transaction? The person who approves a transaction must be different from the person who initiates it. Think of this as the gatekeeper. Their job is to check: Should this happen? Is it authorized? Is it legitimate? In a purchase cycle, the purchasing manager might initiate a purchase order, but someone else—perhaps a director or senior manager—must formally approve it, especially if it exceeds a threshold.
Function 2: Custody
Who handles or controls the related assets? This is physical control over money, inventory, or assets. If one person is responsible for holding inventory in the warehouse, that person should not be the same person recording the sale in the system. Why? Because if they do both, they could quietly remove inventory and record it as a sale at an inflated price, pocketing the difference.
Function 3: Recording
Who documents or reports the transaction in the accounting system? This goes to the heart of where many candidates struggle. If the person who receives cash is also the person who records it, they can receive $10,000 and record $8,000, keeping the $2,000 undisclosed. Recording must be separated from both authorization and custody.
Function 4: Reconciliation
Who performs periodic independent review? This is the detective function—comparing what was recorded against what actually exists. Someone independent, someone who doesn't handle the custody or recording, should perform this check monthly or quarterly. In my experience, reconciliation is often overlooked but is actually the most critical control because it catches fraud regardless of how carefully the perpetrator planned it.
I've trained candidates across audit firms in India and Southeast Asia, and the students who master this four-function framework can apply SOD confidently to any business cycle or exam scenario. It also links to CIA Part 1 control concepts, which give you the foundational framework before you ever tackle AA exam scenarios. When you're ready to deepen your control knowledge, explore our CIA curriculum, which covers control design principles in detail.
Which Duties Should Never Be Combined?
Here's a practical reference table. Students ask this constantly, and examiners test it frequently:
| Dangerous Combination | What Can Go Wrong | Real Example |
|---|---|---|
| Authorization + Custody | Theft: Person can approve a transaction and then take the asset without proper oversight. | Manager approves purchase and diverts goods to personal use without recording. |
| Custody + Recording | Concealment: Person can misappropriate assets and hide the theft in the records. | Warehouse worker removes inventory and adjusts the system records to match the theft. |
| Recording + Reconciliation | Cover-up: Person can falsify records and then reconcile them to their false version. | Accounts payable clerk records fake invoices and reconciles the supplier statement to match. |
| Authorization + Reconciliation | Override: Person can override controls and then hide it in the review process. | Finance director approves unauthorized payments and then signs off on the reconciliation. |
| All Four Combined | Complete fraud: Person has total control with zero oversight. | One employee can order, approve, receive, record, and reconcile—completely unchecked. |
Segregation of Duties Across the Five Critical Business Cycles
This is where the framework gets real. Let me show you how SOD applies to the five cycles you'll see repeatedly on AA exams. Understanding the specific combinations that are dangerous in each cycle is what separates candidates who score 14/20 on control questions from those who score 18/20.
Purchase Cycle: The Procurement Pipeline
The prohibited combination: One person should NOT initiate a purchase order, approve it, receive the goods, AND record the invoice. The risky scenario: An employee orders goods for themselves, approves their own order, receives them (diverting them for personal use), and records it as a legitimate business purchase.
Here's what good segregation looks like: The purchasing manager initiates the PO; a senior manager approves it; the warehouse manager receives and inspects the goods; the accounts payable clerk records the invoice; and someone independent reconciles purchase orders to goods received notes to supplier invoices monthly. In my experience with audit teams in India, this is especially critical in organizations with high procurement volumes. I've seen manufacturing companies with dozens of purchasing points where poor SOD resulted in unauthorized purchases running into hundreds of thousands.
Sales Cycle: From Order to Cash
The sales cycle is tricky because there's tension between efficiency and control. Here's what should happen: The salesperson initiates the sale (takes the customer order); a credit manager approves it (checking credit limits); the warehouse staff ship the goods; the billing clerk records the invoice; and a collections manager follows up on payment. An independent function—reconciliation—compares sales invoices to goods delivery notes to cash received. Without this segregation, a salesperson could override a customer's credit limit, skip the formal billing process, collect cash, and pocket it.
Payroll Cycle: The Employee Pay Pipeline
Payroll is where I see candidates really struggle because the functions are less obvious. The prohibited combinations: one person approving salary changes AND running the payroll; one person handling timesheets AND calculating pay; one person disbursing payroll AND reconciling it. The right structure: HR initiates personnel changes; management approves changes; the payroll administrator calculates pay based on approved rates and recorded hours; someone else disburses it (ideally through the bank); and a completely independent person reconciles total payroll against the approved headcount and rates each month. This is especially important in organizations across Asia where informal arrangements and unvetted workers are common risks.
Revenue/Cash Cycle: The Collection Function
One of the trickiest cycles because cash can disappear easily and is difficult to trace. The dangerous combination: one person collecting cash, recording it, AND reconciling the bank account. The right approach: Collection staff receive cash and maintain a cash log; a cashier or administrator records it in the system (after verifying it against the log); the bank makes a deposit; and someone independent—who hasn't touched the cash at any point—reconciles the bank deposit to the recorded cash receipts.
Inventory/Assets Cycle: Protecting Physical Resources
Here's what candidates often miss: the person counting inventory during stocktakes should not be the same person recording inventory transactions daily. Also, someone completely separate should review inventory adjustments. The proper segregation: warehouse staff maintain physical custody and handle counting; the inventory clerk records daily transactions; someone separate reconciles recorded inventory to physical count and investigates differences; and a senior manager approves any adjustments over a certain threshold.
What We See on Exams
From years of reviewing examiner feedback and student performance data, I can tell you that segregation of duties appears in some form on nearly every ACCA AA exam session. But here's what examiners repeatedly observe: candidates identify that SOD is missing, but they can't explain what the actual risk is or how to fix it. They might write, "One person should not do everything"—which is technically correct but vague and costs marks. The examiners want to see that you understand the specific functions at risk and the specific consequences if they're not separated.
— Based on ACCA AA Examiner Reports & eduyush Student Performance Data
Common Mistakes We See
❌ Mistake 1: Missing the Specific Risk
What happens: Candidates write "Lack of segregation of duties" as if that's enough. They don't connect it to what could actually go wrong.
How to fix it: Always ask: "If one person does both, what's the harm?" Then write that explicitly. Example: "This creates a risk that the person could order goods for personal use and have them delivered to their home, while recording them as legitimate business inventory."
❌ Mistake 2: Generic Recommendations That Don't Fix Anything
What happens: Candidates recommend "implement segregation of duties" as if that's a control. Examiners hate this because it's not actionable.
How to fix it: Be specific. "The purchasing manager (not the accounts payable clerk) should approve all purchases over $5,000. A separate receiving department should verify goods match the purchase order before the AP clerk records the invoice."
❌ Mistake 3: Assuming Segregation Means Hiring More Staff
What happens: In smaller organizations, candidates recommend hiring two more people. Examiners understand that cost matters and value recommendations that are practical.
How to fix it: Consider rotation, compensating controls, or technology. "Implement a quarterly independent review where the finance director reviews all purchase orders over $10,000 against goods received notes and supplier invoices."
Testing for Segregation of Duties Deficiencies: The Audit Approach
Now that you understand the principle and framework, here's how auditors actually test for SOD deficiencies. This is the practical application you need for AA exam scenarios:
Step 1: Understand the Transaction Flow
The auditor starts by asking: Who can create a transaction? Who can approve it? Who has custody? Who records it? Who reviews it? If one person appears in multiple roles, you've found a potential gap.
Step 2: Sample and Trace Transactions
Auditors select a sample of transactions (say, 20 purchase orders over $50,000) and trace them through the entire cycle. Did the PO get authorized by someone other than the requester? Does the goods receipt note match the PO? Does the invoice match both? This is where actual control gaps are discovered.
Step 3: Test for Manual Overrides
Even if the system enforces segregation, auditors check for exceptions or bypass capabilities. Is there a legitimate exception process, or are people just circumventing controls?
Step 4: Assess Compensating Controls
If segregation isn't perfect, the auditor assesses whether compensating controls—especially reconciliation and independent review—are effective. Are reconciliations actually being performed by someone independent? Are discrepancies investigated? This is where understanding control deficiency frameworks becomes essential in your audit practice.
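The four audit steps above can be run mechanically over a sample of purchase transactions. The following is an added example, not part of the original guide; the record fields (`requester`, `override_by`, `exception_ref`, the amount columns) and the sample data are constructed assumptions, and the risk labels come from the guide's dangerous-combination table.

```python
from itertools import combinations

# The guide's four functions, in the order it presents them.
FUNCTIONS = ("authorization", "custody", "recording", "reconciliation")

# Risk labels taken from the guide's "dangerous combination" table.
RISK = {
    frozenset({"authorization", "custody"}): "theft",
    frozenset({"custody", "recording"}): "concealment",
    frozenset({"recording", "reconciliation"}): "cover-up",
    frozenset({"authorization", "reconciliation"}): "override",
}

# Constructed sample of traced purchase orders (hypothetical names and amounts).
SAMPLE = [
    {"po": "PO-1001", "requester": "asha", "authorization": "ravi",
     "custody": "meena", "recording": "john", "reconciliation": "li",
     "po_amt": 62000, "grn_amt": 62000, "inv_amt": 62000,
     "override_by": None, "exception_ref": None},
    {"po": "PO-1002", "requester": "asha", "authorization": "asha",
     "custody": "meena", "recording": "john", "reconciliation": "li",
     "po_amt": 51000, "grn_amt": 51000, "inv_amt": 51000,
     "override_by": None, "exception_ref": None},
    {"po": "PO-1003", "requester": "dev", "authorization": "ravi",
     "custody": "meena", "recording": "meena", "reconciliation": None,
     "po_amt": 75000, "grn_amt": 75000, "inv_amt": 81000,
     "override_by": "ravi", "exception_ref": None},
]


def trace(txn):
    """Return the findings for one sampled transaction, in step order."""
    findings = []
    # Step 2: the PO must be authorized by someone other than the requester.
    if txn["requester"] == txn["authorization"]:
        findings.append("self-approval")
    # Step 1: the same person appearing in two of the four functions.
    for a, b in combinations(FUNCTIONS, 2):
        if txn[a] is not None and txn[a] == txn[b]:
            label = RISK.get(frozenset({a, b}), "unsegregated")
            findings.append(f"{a}+{b}: {label} ({txn[a]})")
    # Step 2: PO, goods receipt note and invoice must agree.
    if not (txn["po_amt"] == txn["grn_amt"] == txn["inv_amt"]):
        findings.append("three-way mismatch")
    # Step 3: an override without a documented exception is a bypass.
    if txn["override_by"] and not txn["exception_ref"]:
        findings.append("undocumented override")
    # Step 4: the compensating control only counts if the reconciler
    # exists and did not handle custody or recording.
    reconciler = txn["reconciliation"]
    if reconciler is None or reconciler in (txn["custody"], txn["recording"]):
        findings.append("no independent reconciliation")
    return findings


def audit(sample):
    """Map each PO with at least one finding to its list of findings."""
    return {t["po"]: f for t in sample if (f := trace(t))}


if __name__ == "__main__":
    for po, findings in audit(SAMPLE).items():
        print(po, "->", "; ".join(findings))
```
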
How to Score Full Marks on SOD Questions: The Three-Step Template
Here's my template for answering any SOD question effectively. I teach this to every candidate because it works:
Step 1: Identify the Missing Segregation (½ mark)
State clearly which functions are not segregated. Don't just say "lack of segregation"—specify which functions. Example: "The inventory warehouse manager both records inventory adjustments AND performs the physical count. These functions should be segregated."
Step 2: Explain the Implication (½ mark)
This is where most candidates lose marks. Explain what could go wrong. Example: "Because the warehouse manager performs both functions, they could physically remove inventory and adjust the records to conceal the theft. An independent count would show a discrepancy, but only if someone else reviews it."
Step 3: Recommend a Specific Control (1 mark)
Be really specific. Example: "Implement a control where the finance director performs a quarterly surprise physical count of high-value inventory items and compares results to recorded amounts. Any discrepancies must be investigated and documented." For more detailed examples of how to structure control recommendations, review ACCA AA reference materials that cover real exam scenarios with annotated answers.
Why Segregation of Duties Appears Across CIA, AA, and Internal Audit Roles
Here's something important: SOD isn't just an exam topic. It's a foundational concept that appears across multiple audit and assurance roles. This is why understanding it deeply now pays dividends throughout your career.
For CIA candidates: SOD is part of Section 1372 (Control Activities) in CIA Part 1. Understanding this means you're building knowledge that internal auditors use every day to assess and recommend controls across an organization.
For AA candidates: SOD deficiencies are a critical component of ISA 330 (Audit Procedures) and ISA 260 (Communication of Audit Matters). You'll be identifying and reporting SOD gaps in client organizations. For deeper preparation, ACCA AA course materials provide extensive worked examples of control deficiency identification.
For internal auditors: SOD is a core competency. Internal auditors assess whether organizations have properly segregated duties, and they're often the ones recommending improvements. This is career-building knowledge, not just exam knowledge.
In regulated industries across India and Asia—banking (RBI requirements), insurance (IRDA requirements), healthcare—SOD is mandated by regulators. When you understand SOD deeply, you're understanding a governance framework that's recognized globally.
Common Segregation of Duties Interview Questions (For Audit Careers)
If you're pursuing audit roles, here are the questions you'll likely face. Practicing these now prepares you for both exams and real interviews:
Question 1: What are the four functions in segregation of duties?
What they're testing: Do you understand the framework? Your answer: "The four functions are Authorization (who approves), Custody (who controls the asset), Recording (who documents it), and Reconciliation (who reviews it independently). Each should be performed by a different person or role to prevent one person from having unchecked control."
Question 2: Why is reconciliation the most important segregation of duties control?
What they're testing: Do you understand that segregation has limits? Your answer: "Reconciliation is the detective control that catches fraud regardless of who committed it or whether people are colluding. Even if segregation is imperfect or two employees work together, an independent person reconciling actual assets to recorded amounts will find discrepancies."
Question 3: Can segregation of duties prevent all fraud?
What they're testing: Do you understand the limitations of controls? Your answer: "No. Segregation of duties cannot prevent fraud if two or more employees collude. However, combined with reconciliation and management review, it significantly reduces the opportunity for fraud and makes it easier to detect."
Question 4: How would you test whether segregation of duties controls are actually working?
What they're testing: Can you apply the framework in practice? Your answer: "I would: (1) Understand the intended transaction flow and who should perform each function; (2) Sample actual transactions and trace them to verify that different people performed each function; (3) Check for any exceptions or bypasses of the system controls; and (4) Assess whether compensating controls like reconciliation are effective if segregation isn't perfect."
Question 5: What's the difference between segregation of duties and authorization controls?
What they're testing: Can you distinguish between related concepts? Your answer: "Authorization is one function within segregation of duties. Authorization control ensures that transactions are approved by someone with appropriate authority. Segregation of duties goes further by ensuring that authorization is separated from custody, recording, and reconciliation—so the person approving a transaction isn't also the one executing it, recording it, or reviewing it."
Segregation of Duties in 2026: AI, Automation, and ERP Systems
Here's something I want to share because it's the future of audit and it's already showing up in updated exam guidance. As organizations increasingly automate—using AI to match invoices, robotic process automation to disburse payroll, chatbots to process orders—the traditional four-function segregation is evolving.
With ERP Systems (SAP, Oracle, NetSuite)
ERP systems can enforce segregation through role-based access controls. For example, an ERP can prevent the same user from both approving and executing a payment. However, this only works if access is properly configured. I've seen cases where one admin account has override access to everything. So the principle remains: ensure no single person has unchecked control, whether that's through manual segregation or system controls.
With AI and Automation
The new challenge: Who's responsible for approving the algorithm? Who monitors the system outputs? Who reviews exceptions? In a highly automated environment, the "functions" change, but the principle remains identical. I'm seeing this trend especially in larger organizations across India and Asia that are rapidly digitizing their finance functions. The examiner isn't looking for you to know AI in depth—they're looking for you to apply the principle of segregation to these new environments.
What This Means for Exams
When you see a scenario involving automated systems, apply the same principle. Ask: What are the key decision points? Who controls each one? Could one person bypass controls? That's your segregation analysis, even in an automated environment. The framework doesn't change; only the mechanics.
Frequently Asked Questions
Q1: Can segregation of duties ever be completely achieved in a small company with only 5-10 employees?
Absolutely, but it requires thinking creatively. You can achieve segregation through rotation (one person does task A one month, task B the next), compensating controls (monthly independent review by the owner or an external accountant), or technology (allowing the system to enforce separations automatically). The key is that you're thinking about the principle—separating conflicting functions—even if the perfect structure isn't possible. Many smaller organizations in India and across Asia successfully implement SOD through these methods. The examiner isn't looking for a sprawling organizational chart; they're looking for evidence that you understand why segregation matters and what alternatives exist when perfect segregation isn't feasible.
Q2: What happens if a company uses Enterprise Resource Planning (ERP) systems like SAP or Oracle?
Great question because ERP systems are the reality in larger organizations. ERP systems can enforce segregation through role-based access controls (RBAC). For example, an ERP can prevent the same user from both approving and executing a payment. However, system-enforced segregation only works if the access is properly configured, monitored, and regularly reviewed. A critical gap I see constantly: companies implement ERP but don't properly segregate user access, so one powerful admin account can do everything. Additionally, system controls don't eliminate the need for human review and reconciliation. Someone still needs to independently review transactions and reconcile the system records to actual assets. So yes, technology helps, but it's not a complete substitute for operational segregation and detective controls.
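Both this answer and the earlier ERP section turn on whether role-based access is configured so that no user's combined roles span conflicting functions. The following added example (not from the original guide, and not any ERP vendor's API) reviews a constructed role export for that condition, including the all-powerful admin account, and shows the same check used preventively at role-assignment time. The permission names, role names and users are hypothetical, and treating payment execution as custody of cash is an assumption.

```python
from itertools import combinations

FUNCTIONS = ("authorization", "custody", "recording", "reconciliation")

# Hypothetical mapping of ERP permissions to the guide's four functions.
PERMISSION_FUNCTION = {
    "po.approve": "authorization",
    "payment.approve": "authorization",
    "goods.receive": "custody",
    "payment.execute": "custody",      # assumption: executing a payment = custody of cash
    "invoice.post": "recording",
    "bank.reconcile": "reconciliation",
}

# Constructed role definitions; "*" models an admin override role.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"invoice.post"},
    "TREASURY": {"payment.execute"},
    "APPROVER": {"po.approve", "payment.approve"},
    "RECON": {"bank.reconcile"},
    "SYS_ADMIN": {"*"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "asha": {"AP_CLERK"},
    "ravi": {"APPROVER", "TREASURY"},   # can approve and execute a payment
    "li": {"RECON"},
    "john": {"AP_CLERK", "RECON"},      # can post and reconcile
    "erp_admin": {"SYS_ADMIN"},
}


def functions_held(roles):
    """Functions reachable through a set of roles, in framework order."""
    perms = set()
    for role in roles:
        granted = ROLE_PERMISSIONS[role]
        # A wildcard grant expands to every known permission.
        perms |= set(PERMISSION_FUNCTION) if "*" in granted else granted
    held = {PERMISSION_FUNCTION[p] for p in perms}
    return [f for f in FUNCTIONS if f in held]


def conflicts(roles):
    """Every pair of functions one holder of these roles could perform alone."""
    return list(combinations(functions_held(roles), 2))


def review(user_roles=USER_ROLES):
    """Detective check: users whose effective access spans two or more functions."""
    return {u: c for u, r in user_roles.items() if (c := conflicts(r))}


def can_assign(user, new_role, user_roles=USER_ROLES):
    """Preventive check: refuse a role grant that would create a conflict."""
    return not conflicts(user_roles.get(user, set()) | {new_role})


if __name__ == "__main__":
    for user, pairs in review().items():
        print(user, "->", ", ".join(f"{a}+{b}" for a, b in pairs))
```
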
Q3: How does the segregation of duties requirement change if there's a risk of employee collusion?
This is something examiners absolutely love to test. If two employees could collude, segregation alone isn't enough. You need an additional detective control—someone completely independent must review transactions or reconcile periodically. This is why reconciliation is so critical. A manager reconciling actual inventory to recorded amounts will catch it whether one person or ten people were involved in the scheme, as long as someone independent is looking. In my experience with audit firms, the organizations that catch fraud effectively aren't just those with perfect segregation (which doesn't exist) but those with effective reconciliation and periodic independent review controls.
Q4: How do you identify SOD deficiencies in an exam scenario when the deficiency isn't explicitly stated?
This is a practical exam technique question. When you read a scenario, mentally trace the flow of a transaction. Take a sample transaction—a purchase or a cash receipt—and ask: Who initiated it? Who approved it? Who has custody? Who recorded it? Who will review it? If the same person appears twice in that sequence, you've found a potential SOD deficiency. For example, if the scenario says "the accounts payable clerk processes supplier invoices" but doesn't explicitly state who approves them, and later mentions "the manager trusts the AP clerk with most processing," you can reasonably identify that the approval function may not be properly segregated. The examiner is testing whether you can read between the lines and apply the four-function framework.
Q5: Should control recommendations for SOD deficiencies always suggest hiring more people?
Other solutions are often preferred and show better thinking. Recommending that a company hire additional staff is the least creative recommendation. Examiners specifically value recommendations that show you understand practical constraints. Better alternatives include: (1) Implementing technology or system controls that enforce segregation automatically; (2) Introducing rotation so one person doesn't perform the same function indefinitely; (3) Implementing compensating controls like monthly independent review; (4) Changing approval thresholds; or (5) Outsourcing to an external provider. For example, instead of hiring an additional person to reconcile inventory, recommend that the external auditor perform a quarterly surprise count and reconciliation. This achieves the independent review objective without hiring overhead. The candidates who score highest on control recommendations show this practical thinking.
Your Next Step: From Theory to Exam Success
Segregation of duties isn't just a control concept—it's a framework that examiners expect you to apply with precision and practical understanding. You now have the foundation and the framework. The next level is practicing with real exam scenarios until identifying and addressing SOD deficiencies becomes second nature.