
AP Segregation of Duties Matrix for Small Finance Teams

15 May 2026, 10 min read

Tags: internal controls, fraud prevention, accounts payable, segregation of duties, Xero

Every fraud prevention guide gives the same advice: separate the person who approves payments from the person who processes them and the person who reconciles the bank.

Good advice. Hard to follow when your finance team has three people.

That is why small businesses need an accounts payable segregation of duties matrix that matches reality. Not a Big Four diagram for a listed company. A working split of duties for a finance manager, a bookkeeper, a part-time AP clerk, and an owner who can review the risky points.

The risk is not theoretical. The ACFE Report to the Nations continues to point to weak or missing internal controls as a common factor in occupational fraud. ACCC and Scamwatch reporting also shows that payment redirection and false billing remain live risks for Australian businesses.

For small finance teams, segregation of duties is now both an accounting control and a cyber fraud control.


What accounts payable segregation of duties means

Segregation of duties means no one person controls a payment from start to finish.

In accounts payable, the risky path is simple. Someone can create or change a supplier, enter an invoice, approve it, release the payment, then reconcile the bank account. If one person can do all of that, they can make a bad payment and hide it.

A strong AP process separates four jobs:

  1. Who maintains supplier records.
  2. Who enters bills and prepares payments.
  3. Who approves invoices and payment batches.
  4. Who reviews the bank and supplier activity afterward.

Xero can support parts of this through roles, permissions, and history logs. It does not replace management review, bank controls, or independent verification of supplier changes. For that, you need a clear matrix.


Why small teams need a practical matrix

Large finance teams can split AP across procurement, AP processing, treasury, and accounting. A small Australian business usually cannot.

That does not mean you ignore the control. It means you pick the highest risk conflicts and design around them.

The strongest small team controls usually protect these moments:

  • A new supplier is created.
  • A supplier bank account is changed.
  • A first payment is made to a new or changed supplier.
  • A payment batch is released.
  • A bank reconciliation is signed off.
  • A duplicate, round number, weekend, or urgent payment appears.

If you only have time to fix one thing this month, fix supplier bank detail changes. That is where ordinary AP work, business email compromise, and payment redirection scams overlap.

Accounts payable segregation of duties matrix

Use this matrix as a starting point. Adjust names and thresholds to fit your business, but keep the conflict rules intact.

| AP activity | Preparer | Approver | Reviewer | Should not also perform |
|---|---|---|---|---|
| Create a new supplier | AP clerk or bookkeeper | Finance manager or owner | Monthly vendor report reviewer | Approve the first invoice or release payment |
| Change supplier bank details | AP clerk or finance admin | Owner or CFO after call back verification | Finance manager monthly | Create the payment batch or release funds |
| Enter a supplier invoice | AP clerk or bookkeeper | Department owner or finance manager | AP exception reviewer | Approve the same invoice |
| Approve an invoice | Department owner or finance manager | Owner for high value items | Finance manager or external reviewer | Enter or edit the invoice |
| Prepare a payment batch | Bookkeeper | Finance manager or owner | Bank reconciliation reviewer | Add suppliers or approve own batch |
| Release payment from bank | Owner, CFO, or dual approvers | Bank dual authorisation | Director or finance manager | Prepare the bank reconciliation |
| Reconcile the bank | Accountant, finance manager, or external bookkeeper | Owner or CFO | External accountant periodically | Release payments for the same period |
| Review AP exceptions | Finance manager | Owner for serious issues | Board, adviser, or external accountant | Own the underlying supplier changes |

The important part is not the job title. It is the separation.

If the same person prepares and approves a payment, add a second review before funds leave the bank. If the same person enters bills and reconciles the bank, have the owner review a payment exception report each month.

High risk AP duties that should not sit together

Some role combinations are worse than others. These are the ones to remove first.

| Risky combination | Why it matters | Compensating control |
|---|---|---|
| Create suppliers and approve invoices | Fake supplier risk | Owner approval for every new supplier |
| Change bank details and release payments | Payment redirection risk | Call back verification and dual bank approval |
| Enter invoices and approve invoices | False invoice risk | Department approval outside AP |
| Prepare payment batches and release funds | Unauthorised payment risk | Bank dual authorisation |
| Release payments and reconcile the bank | Concealment risk | Independent reconciliation |
| Maintain vendor master and review vendor reports | Self review risk | Monthly review by owner or external adviser |
| Approve own expenses and process reimbursements | Expense fraud risk | Manager or owner approval |

These conflicts also make Xero permissions easier to review. If a user can both maintain supplier records and approve payments, that access needs a business reason and a compensating control.

For a deeper access review, use our Xero user permissions security guide.

How to split AP duties with a small team

A perfect split is rare. A workable split is enough to reduce the chance that one mistake or one compromised inbox turns into a loss.

One person in finance

This is common in founder led businesses.

The bookkeeper can enter invoices and prepare payment files, but the owner should approve new suppliers, approve supplier bank detail changes, release payments from the bank, and review bank statements monthly.

Use an external accountant for periodic bank reconciliation review if the owner is not finance literate.

Two people in finance

Person A can manage the AP inbox, enter bills, and prepare payment batches.

Person B can reconcile the bank, review supplier changes, and run exception reports.

The owner or CFO should still approve new suppliers, bank detail changes, first payments to changed suppliers, and payments above the threshold.

Three people in finance

This is the most common small team pattern.

The AP clerk captures invoices and maintains supplier records. The bookkeeper prepares payment batches and reconciles supplier statements. The finance manager approves invoices, reviews exceptions, and signs off reconciliations.

The owner or CFO releases payments from the bank and reviews supplier bank changes.

Four or more people in finance

You can separate duties more cleanly.

AP enters invoices. Department managers approve them. The controller reviews payment batches. The CFO or owner releases funds. A separate accountant completes bank reconciliation.

If your team has this much depth, add a quarterly access review and document the sign off.


Compensating controls when separation is not possible

Compensating controls are not second rate controls. They are how small teams make segregation of duties practical.

Use these first:

  • Dual authorisation for bank payments above a threshold.
  • Owner approval for new suppliers.
  • Call back verification for supplier bank detail changes using a known number.
  • Monthly vendor master change report.
  • First payment review after a new supplier or changed bank account.
  • Weekly bank reconciliation during high volume periods.
  • Quarterly Xero user access review.
  • Mandatory leave for finance roles where practical.
  • Surprise checks on the last 20 payments.
  • Automated alerts for duplicate invoices, round number payments, weekend payments, and unusual supplier activity.
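The alert rules in the last bullet, run over a few constructed payment records. This is an added example, not code from the article or from OutflowGuard; the field names, the $1,000 round-number step, and the sample suppliers and dates are assumptions, not Xero report fields.

```python
# Added example, not from the article or OutflowGuard. Field names, the round
# number step and the sample records are constructed for this example.
from datetime import date

def is_round_number(amount, step=1000):
    """True for positive amounts that are whole multiples of `step`."""
    return amount > 0 and amount % step == 0

def flag_payments(payments, bank_changes):
    """Return {payment_id: [reasons]} for payments that need a second look.

    payments: dicts with id, supplier, invoice_no, amount, paid_on (date)
    bank_changes: {supplier: date its bank details last changed}
    """
    pending_change = dict(bank_changes)  # copy: each change is flagged once
    seen = {}  # (supplier, invoice_no) -> id of the first payment seen
    flags = {}
    for p in sorted(payments, key=lambda x: x["paid_on"]):
        reasons = []
        key = (p["supplier"], p["invoice_no"])
        if key in seen:
            reasons.append(f"duplicate of {seen[key]}")
        else:
            seen[key] = p["id"]
        if is_round_number(p["amount"]):
            reasons.append("round number amount")
        if p["paid_on"].weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            reasons.append("weekend payment")
        changed = pending_change.get(p["supplier"])
        if changed is not None and changed <= p["paid_on"]:
            reasons.append("first payment after bank detail change")
            del pending_change[p["supplier"]]
        if reasons:
            flags[p["id"]] = reasons
    return flags

# Constructed sample: May 2026 dates (4 May is a Monday, 9 May a Saturday).
PAYMENTS = [
    {"id": "P1", "supplier": "Acme", "invoice_no": "INV-100", "amount": 2450.00, "paid_on": date(2026, 5, 4)},
    {"id": "P2", "supplier": "Acme", "invoice_no": "INV-100", "amount": 2450.00, "paid_on": date(2026, 5, 6)},
    {"id": "P3", "supplier": "Beta", "invoice_no": "INV-7", "amount": 10000.00, "paid_on": date(2026, 5, 9)},
    {"id": "P4", "supplier": "Beta", "invoice_no": "INV-8", "amount": 1234.50, "paid_on": date(2026, 5, 11)},
]
BANK_CHANGES = {"Beta": date(2026, 5, 7)}

if __name__ == "__main__":
    for pid, reasons in flag_payments(PAYMENTS, BANK_CHANGES).items():
        print(pid, "->", "; ".join(reasons))
```

The same function runs over a bills-paid export if you map its columns onto the five fields; only the first payment after a bank change is flagged, so later ordinary payments to that supplier stay quiet.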

Our finance manager fraud detection checklist gives you a monthly review pattern if you need a starting point.

Vendor bank detail changes need extra control

Supplier bank detail changes deserve their own rule because they are the easiest AP control point to abuse.

Do not rely on email approval alone. A compromised supplier inbox can send a believable bank change request. A compromised staff inbox can forward it with the right tone. The payment will still reconcile cleanly after it leaves the bank, which is why normal bookkeeping checks may not catch it.

A safer process looks like this:

  1. The change request comes in through the usual AP channel.
  2. AP records the request but cannot approve it.
  3. A second person calls the supplier using a known number from the existing vendor record or website, not the number in the email.
  4. The approver records the verification evidence.
  5. The next payment to that supplier is flagged for review before release.

If your team uses Xero, pair this with bank detail monitoring. Our guide to detecting unauthorised supplier bank detail changes in Xero explains the warning signs.

Australian businesses should also watch the broader scam environment. The Scams Prevention Framework guide explains why payment controls are moving from nice to have to board level risk management.

Audit evidence to retain

Controls only help if you can prove they happened.

Keep evidence for:

  • Xero user access lists.
  • New supplier approvals.
  • Supplier bank detail change approvals.
  • Call back verification notes.
  • Invoice approval history.
  • Payment batch review and release approvals.
  • Bank reconciliation sign offs.
  • Monthly vendor change reports.
  • Exception reports for unusual payments.
  • Quarterly access reviews.
  • External accountant or director review notes.

This does not need to become a paperwork project. A shared folder with dated PDFs or exported reports is enough for many SMBs. The point is to show that reviews happened before and after money moved.


Make the matrix real

A segregation of duties matrix is only useful if someone uses it.

Start with your next payment run. Ask who created the supplier, who entered the invoice, who approved it, who released the payment, and who will reconcile the bank afterward. If the same name appears too many times, you have found the first control to fix.
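The check just described, and the conflict rules from the "risky combination" table above, as a small script. It is an added example, not code from the article or from OutflowGuard; the duty names, the people, and the sample payment trail are constructed and are not Xero role or permission names. The same function also works over a (user, permission) list exported from Xero once the permissions are mapped onto these duty names.

```python
# Added example, not from the article or OutflowGuard: duty names and the
# sample trail are constructed; they are not Xero role or permission names.
from collections import defaultdict

# Conflict pairs and their compensating controls, from the table above.
CONFLICTS = {
    frozenset({"create_supplier", "approve_invoice"}):
        "Owner approval for every new supplier",
    frozenset({"change_bank_details", "release_payment"}):
        "Call back verification and dual bank approval",
    frozenset({"enter_invoice", "approve_invoice"}):
        "Department approval outside AP",
    frozenset({"prepare_batch", "release_payment"}):
        "Bank dual authorisation",
    frozenset({"release_payment", "reconcile_bank"}):
        "Independent reconciliation",
    frozenset({"maintain_vendor_master", "review_vendor_report"}):
        "Monthly review by owner or external adviser",
}

def duties_by_person(events):
    """Group (person, duty) pairs into {person: set(duties)}."""
    grouped = defaultdict(set)
    for person, duty in events:
        grouped[person].add(duty)
    return grouped

def find_conflicts(events):
    """Sorted (person, duty_a, duty_b, compensating_control) for each pair held in full."""
    found = []
    for person, duties in duties_by_person(events).items():
        for pair, control in CONFLICTS.items():
            if pair <= duties:
                a, b = sorted(pair)
                found.append((person, a, b, control))
    return sorted(found)

# Constructed trail of one payment run: who did each step.
PAYMENT_TRAIL = [
    ("Dana", "create_supplier"),
    ("Dana", "enter_invoice"),
    ("Dana", "approve_invoice"),
    ("Owner", "release_payment"),
    ("Owner", "reconcile_bank"),
]

if __name__ == "__main__":
    for person, a, b, control in find_conflicts(PAYMENT_TRAIL):
        print(f"{person}: {a} + {b} -> fix: {control}")
```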

OutflowGuard helps Xero based finance teams monitor the gaps that small teams struggle to review manually: supplier bank changes, duplicate bills, ghost suppliers, round number payments, and suspicious payment patterns.

The aim is not perfect separation. It is making bad payments harder to make and easier to spot before the money is gone.
