Every fraud prevention guide says the same thing: separate who authorises payments from who processes them from who reconciles the books. Three distinct roles, three distinct people.
That's great advice — if you have the headcount for it.
But what happens when your entire finance function is a finance manager, a bookkeeper, and a part-time accounts payable clerk? According to the ACFE's 2024 Report to the Nations, the median fraud loss for organisations with fewer than 100 employees was $141,000 — and a lack of internal controls was a contributing factor in 32% of all fraud cases studied. Small teams aren't just inconvenienced by segregation of duties challenges. They're disproportionately exposed.
This guide is for the finance managers and CFOs at Australian SMBs who know they should separate duties but can't simply hire their way to compliance. Here's how to make it work with the team you've got.
In this article:
- What Segregation of Duties Actually Means
- Why Small Teams Face a Structural Disadvantage
- The Three Functions You Must Separate
- Compensating Controls That Actually Work
- Technology as Your Fourth Team Member
- A Practical SoD Matrix for a 3-Person Team
- Related Reading
What Segregation of Duties Actually Means
Segregation of duties (SoD) is one of the oldest internal controls in accounting. The Australian Auditing and Assurance Standards Board defines it as assigning different people the responsibilities of authorising transactions, recording transactions, and maintaining custody of assets.
The logic is simple: if no single person controls an entire process from start to finish, fraud requires collusion between two or more people. That makes it harder to commit and easier to detect.
In practice, SoD applies across your entire finance function — not just payments. It covers payroll, bank reconciliations, supplier onboarding, expense approvals, and journal entries. Any process where one person could create, approve, and hide a transaction is a process that needs separation.

Why Small Teams Face a Structural Disadvantage
The textbook model assumes you have enough people to assign one person per function. Enterprise finance teams with 15 or 20 staff can do this easily. A three-person team cannot.
This isn't hypothetical. Research shows that only 53% of small businesses have formal controls like external audits and codes of conduct in place, compared to 90% of larger organisations. And in Australia, the problem is compounded by the scale of the threat: the ACCC's 2025 Targeting Scams Report recorded $2.18 billion in combined scam losses nationally, with payment redirection scams alone accounting for $166.8 million.
Small finance teams typically face three specific SoD challenges.
Limited headcount means overlapping roles. When the bookkeeper also processes payments and reconciles the bank, you have zero separation across the most critical financial functions. One person controls the entire accounts payable cycle.
Trust replaces controls. In small teams, people know each other well. The finance manager trusts the bookkeeper who has been there for years. That trust is natural — and it's exactly what fraudsters exploit. The ACFE consistently finds that the longest-tenured employees cause the largest losses.
Budget constraints delay solutions. Hiring a fourth person or engaging an external auditor feels like a luxury when you're running a $5M business. The cost of controls is visible; the cost of fraud is hidden until it happens.
The Three Functions You Must Separate
At a minimum, your finance team needs separation across three core functions. Even with three people, you can distribute these — it just requires deliberate planning.
1. Authorisation — Who approves transactions?
This is the gatekeeper role. The person who authorises a payment, approves a new supplier, or signs off on a payroll run. Ideally, this sits with your most senior finance person or a director outside the finance team entirely.
2. Processing — Who executes transactions?
This is the hands-on role. The person who enters invoices, runs the payment batch, creates supplier records, or processes payroll. They do the work but shouldn't be able to approve their own work.
3. Reconciliation — Who verifies the records?
This is the detective role. The person who reconciles bank statements, reviews accounts, and confirms that what was approved matches what was processed. They should be independent of both authorisation and processing for the transactions they're reviewing.
The critical principle: no single person should perform more than one of these functions for the same transaction. Your bookkeeper can process invoices and reconcile other accounts — but they should not reconcile the accounts they process.

Compensating Controls That Actually Work
When you can't achieve full separation, compensating controls fill the gap. These aren't compromises — they're recognised by auditors and the Commonwealth Fraud Prevention Centre as legitimate alternatives. The key is choosing controls that genuinely reduce risk, not just tick a box.
Mandatory management review. Have a director or business owner review bank statements, payment runs, and supplier changes monthly. This doesn't need to take hours — a 30-minute review of payment summaries and new supplier additions can catch anomalies that automated systems miss. The review must be documented.
Rotation of duties. Swap responsibilities periodically so no one person owns the same process indefinitely. Even rotating quarterly between who processes payments and who reconciles the bank creates natural detection opportunities. When Person B takes over Person A's work, discrepancies surface.
Surprise audits. Unannounced spot-checks on petty cash, supplier records, or payment approvals. These don't need to be formal audits — even an informal "let me pull up the last 20 payments and check the approval chain" once a month creates accountability. As our finance manager's fraud detection checklist details, a structured monthly review catches most common issues.
Mandatory leave. Require employees to take at least one week of consecutive leave, with someone else covering their duties while they're away. Fraud schemes that require ongoing concealment often unravel when the perpetrator is away, because the person covering sees the unexplained entries. This is a standard control in banking and increasingly recommended for all finance roles.
Independent reconciliation. Bank reconciliations should be performed by someone who didn't process the payments. If your bookkeeper processes AP, have your finance manager reconcile the bank — or vice versa. The person checking the work must be different from the person who did it.
Exception reporting. Set up automated alerts for transactions that fall outside normal parameters: payments above a threshold, payments to new suppliers, payments outside business hours, or round-number invoices. Our guide to suspicious payment patterns covers what to monitor.
Technology as Your Fourth Team Member
When headcount is limited, technology becomes your most important compensating control. The right tools can enforce separation that people alone cannot.
Xero user permissions. Start with the basics: Xero lets you assign different access levels to different users. Your bookkeeper doesn't need the ability to modify supplier bank details if that's the finance manager's responsibility. Review your Xero user roles and apply least-privilege access — give each person only the access they need for their specific duties.
Approval workflows. Use tools that enforce dual approval for critical changes. If a supplier's bank details change, that should require sign-off from two people before the next payment goes out, not just an email notification that gets buried. Bank detail change monitoring is the control for this gap; duplicate payment detection covers the related case of the same invoice being paid twice.
Automated monitoring. Manual spreadsheet monitoring fails because it depends on the same overworked team remembering to check. Automated tools continuously scan for anomalies — ghost suppliers, round-number invoices, duplicate bills — without adding to anyone's workload. Think of it as a control that doesn't take annual leave.
Audit trails. Every change to financial records should be logged automatically. Xero's History & Notes feature tracks modifications, but it requires someone to actively review it. Pairing Xero with monitoring tools that flag changes in real time turns a passive log into an active control.
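The exception reporting and automated monitoring controls above are easier to reason about as concrete rules. The following is an added example, not code from the original article or from OutflowGuard: a small rule engine run over constructed sample payments. It flags payments above a threshold, payments to recently created or unknown suppliers, payments shortly after a bank detail change, payments outside business hours, round-number totals, and duplicates. The thresholds, field names, supplier and payment records are all assumptions for illustration, not Xero data structures.

```python
"""Exception report over a payment run. Added example with constructed data;
thresholds and field names are assumptions, not Xero's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters; tune them to the business.
HIGH_VALUE_THRESHOLD = 5000.00      # a single payment above this needs a second look
NEW_SUPPLIER_WINDOW = timedelta(days=30)
BANK_CHANGE_WINDOW = timedelta(days=14)
BUSINESS_HOURS = (8, 18)            # 08:00-18:00 local time, Monday to Friday
ROUND_NUMBER_UNIT = 100             # flag totals that are an exact multiple of $100


def is_outside_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def is_round_number(amount: float) -> bool:
    # Work in integer cents so float noise cannot mask or fake a round total.
    return round(amount * 100) % (ROUND_NUMBER_UNIT * 100) == 0


def exception_report(payments: list, suppliers: dict) -> list:
    """Return one finding per rule hit: {'payment_id', 'rule', 'detail'}."""
    findings = []
    seen = defaultdict(list)  # (supplier, amount, invoice) -> payment ids already seen
    for p in payments:
        sup = suppliers.get(p["supplier"])
        paid_at = p["paid_at"]
        hits = []
        if sup is None:  # paid to a name that is not in the supplier master file
            hits.append(("unknown_supplier", p["supplier"]))
            sup = {}
        if p["amount"] > HIGH_VALUE_THRESHOLD:
            hits.append(("high_value", f"{p['amount']:.2f} exceeds {HIGH_VALUE_THRESHOLD:.2f}"))
        created = sup.get("created_at")
        if created and paid_at - created <= NEW_SUPPLIER_WINDOW:
            hits.append(("new_supplier", f"supplier created {(paid_at - created).days} days before payment"))
        changed = sup.get("bank_changed_at")
        if changed and timedelta(0) <= paid_at - changed <= BANK_CHANGE_WINDOW:
            hits.append(("recent_bank_change", f"bank details changed {(paid_at - changed).days} days before payment"))
        if is_outside_business_hours(paid_at):
            hits.append(("outside_hours", paid_at.strftime("%a %H:%M")))
        if is_round_number(p["amount"]):
            hits.append(("round_number", f"{p['amount']:.2f}"))
        key = (p["supplier"], round(p["amount"], 2), p["invoice"])
        if seen[key]:
            hits.append(("duplicate", f"same supplier, amount and invoice as {seen[key][0]}"))
        seen[key].append(p["id"])
        findings.extend({"payment_id": p["id"], "rule": r, "detail": d} for r, d in hits)
    return findings


def rules_by_payment(findings: list) -> dict:
    """Collapse findings to {payment_id: sorted rule names} for a summary."""
    out = defaultdict(list)
    for f in findings:
        out[f["payment_id"]].append(f["rule"])
    return {pid: sorted(rules) for pid, rules in out.items()}


# Constructed sample data (not real suppliers or payments).
SUPPLIERS = {
    "Acme Stationery":   {"created_at": datetime(2023, 3, 1),   "bank_changed_at": None},
    "Harbour Logistics": {"created_at": datetime(2023, 6, 12),  "bank_changed_at": datetime(2025, 2, 3)},
    "Nova Consulting":   {"created_at": datetime(2025, 2, 10),  "bank_changed_at": None},
}
PAYMENTS = [
    {"id": "P-1001", "supplier": "Acme Stationery",   "amount": 412.85,
     "invoice": "INV-7781", "paid_at": datetime(2025, 2, 12, 10, 15)},
    {"id": "P-1002", "supplier": "Harbour Logistics", "amount": 8200.00,
     "invoice": "HL-2291",  "paid_at": datetime(2025, 2, 14, 11, 30)},
    {"id": "P-1003", "supplier": "Nova Consulting",   "amount": 9500.00,
     "invoice": "NC-0001",  "paid_at": datetime(2025, 2, 15, 22, 40)},
    {"id": "P-1004", "supplier": "Acme Stationery",   "amount": 412.85,
     "invoice": "INV-7781", "paid_at": datetime(2025, 2, 19, 9, 5)},
]

if __name__ == "__main__":
    for pid, rules in rules_by_payment(exception_report(PAYMENTS, SUPPLIERS)).items():
        print(pid, ", ".join(rules))
```

On the sample run, P-1001 is clean, P-1002 trips the high-value, recent bank change and round-number rules together, P-1003 (a new supplier paid $9,500 on a Saturday night) trips four rules, and P-1004 is flagged as a duplicate of P-1001. The point of stacking rules per payment rather than alerting on each one separately is that a single rule hit is common and mostly benign, while three or four on one payment is what the monthly management review should open with.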

Outsourced functions. Consider outsourcing specific tasks to create natural separation. Having an external bookkeeper handle day-to-day processing while your internal finance manager approves and reconciles creates genuine independence. As Grant Thornton Australia notes, outsourcing can provide a level of segregation that small teams cannot achieve internally.
A Practical SoD Matrix for a 3-Person Team
Here's how a typical three-person finance team can distribute duties effectively. This isn't perfect separation — it's realistic separation with compensating controls plugged into the gaps.
Finance Manager (Person A):
- Approves every payment batch before it is released, and individually authorises any single payment above $5,000
- Approves new supplier setups and bank detail changes
- Reviews monthly bank reconciliation (prepared by Person C)
- Conducts surprise audits on AP and payroll
- Cannot process payments or enter invoices
Bookkeeper (Person B):
- Processes invoices and enters bills into Xero
- Runs payment batches (pre-approved by Person A)
- Manages accounts receivable and collections
- Cannot approve their own invoices or modify supplier bank details
- Cannot reconcile the bank accounts they process against
AP Clerk / Part-Time Admin (Person C):
- Performs bank reconciliations
- Reconciles supplier statements against Xero records
- Maintains the supplier master file (additions require Person A's approval)
- Cannot authorise payments or process payment runs
Compensating controls layered on top:
- Director reviews bank statements monthly (independent of all three)
- Automated monitoring flags supplier bank detail changes, duplicate invoices, and unusual payment patterns
- Duties rotate quarterly between Person B and Person C (swap their full bundles of duties, not just the payment run; a partial swap that leaves one person maintaining the supplier file while also running payments reintroduces the concentration the matrix removes)
- All three take at least one week of consecutive leave annually
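The rule in the matrix, that no one holds more than one of authorise, process and reconcile for the same process, is mechanical enough to check in code, and doing so makes the quarterly rotation safe to reason about. The following is an added example, not code from the original article or from OutflowGuard: it encodes the three-person matrix above as data, flags within-process conflicts, adds one cross-process rule (whoever maintains the supplier file must not also run payments, because that pairing can create and pay a ghost supplier alone), and shows that a full swap of Person B and Person C stays clean while a payments-only swap does not. The process and function labels, and the treatment of the director's monthly review as the reconcile step for supplier changes, are this example's own.

```python
"""Segregation-of-duties conflict check. Added example; the matrix below is
the article's three-person split expressed as data. Labels are this
example's own."""
from itertools import combinations

FUNCTIONS = ("authorise", "process", "reconcile")

# Holding both sides of one of these pairs is a conflict even though the
# duties sit in different processes: whoever maintains supplier records and
# also runs payments can create and pay a ghost supplier alone.
CROSS_PROCESS_RULES = [
    (("supplier_master", "process"), ("accounts_payable", "process")),
]

# The article's matrix: A = finance manager, B = bookkeeper, C = AP clerk.
# The director's monthly review of supplier changes is treated as the
# reconcile step for the supplier master; C's bank reconciliation covers
# both payments and receipts.
MATRIX = {
    "accounts_payable":    {"authorise": {"A"}, "process": {"B"}, "reconcile": {"C"}},
    "accounts_receivable": {"authorise": {"A"}, "process": {"B"}, "reconcile": {"C"}},
    "supplier_master":     {"authorise": {"A"}, "process": {"C"}, "reconcile": {"Director"}},
}

# The starting point the article warns about: the bookkeeper both runs
# payments and reconciles the bank.
BEFORE = {
    "accounts_payable": {"authorise": {"A"}, "process": {"B"}, "reconcile": {"B"}},
}


def find_conflicts(assignment: dict, cross_rules=CROSS_PROCESS_RULES) -> list:
    """Return (person, duty, duty) triples for every SoD violation."""
    conflicts = []
    for proc, funcs in assignment.items():
        for f1, f2 in combinations(FUNCTIONS, 2):
            for person in sorted(funcs.get(f1, set()) & funcs.get(f2, set())):
                conflicts.append((person, f"{proc}:{f1}", f"{proc}:{f2}"))
    for (p1, f1), (p2, f2) in cross_rules:
        held1 = assignment.get(p1, {}).get(f1, set())
        held2 = assignment.get(p2, {}).get(f2, set())
        for person in sorted(held1 & held2):
            conflicts.append((person, f"{p1}:{f1}", f"{p2}:{f2}"))
    return conflicts


def _swap(people: set, x: str, y: str) -> set:
    return {y if p == x else x if p == y else p for p in people}


def rotate_all(assignment: dict, x: str, y: str) -> dict:
    """Full rotation: every duty of x goes to y and vice versa."""
    return {proc: {f: _swap(s, x, y) for f, s in funcs.items()}
            for proc, funcs in assignment.items()}


def rotate_process(assignment: dict, proc: str, x: str, y: str) -> dict:
    """Partial rotation: swap x and y inside one process only."""
    out = {p: {f: set(s) for f, s in funcs.items()} for p, funcs in assignment.items()}
    out[proc] = {f: _swap(s, x, y) for f, s in out[proc].items()}
    return out


if __name__ == "__main__":
    print("before:", find_conflicts(BEFORE))
    print("matrix:", find_conflicts(MATRIX))
    print("full rotation:", find_conflicts(rotate_all(MATRIX, "B", "C")))
    print("AP-only rotation:", find_conflicts(rotate_process(MATRIX, "accounts_payable", "B", "C")))
```

The "before" state reports the bookkeeper holding both process and reconcile on accounts payable, the matrix reports nothing, the full B/C rotation still reports nothing, and the payments-only rotation reports Person C now both maintaining the supplier file and running payments. Re-run the check against the real role assignment after every staffing change or rotation, and keep the output with the documented management review.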
This matrix won't satisfy a Big Four audit for a publicly listed company. But for an Australian SMB with $2M–$50M in revenue, it dramatically reduces the risk of undetected fraud while remaining operationally practical.
The critical question isn't whether your controls are perfect. It's whether they're sufficient to make fraud detectable before losses compound. As the ROI of AP automation demonstrates, even modest controls deliver outsized returns when they catch a single fraudulent payment.
Related Reading
- The Finance Manager's Monthly Fraud Detection Checklist — A structured review process that complements your SoD controls.
- Vendor Fraud in Australian Small Businesses: The Silent $2.6B Problem — Common fraud schemes that exploit weak segregation.
- The ROI of Accounts Payable Automation for Xero Users — How technology-based controls pay for themselves.
Making It Work With What You've Got
Segregation of duties isn't all-or-nothing. The worst outcome isn't imperfect controls — it's no controls at all.
Start by mapping who currently does what across your finance function. Identify the single biggest concentration of risk — usually, one person who can both process and approve payments — and address that first. Layer in compensating controls where full separation isn't feasible. Use technology to enforce what policies alone cannot.
If your organisation uses Xero, OutflowGuard's free audit tools can identify existing gaps in your controls — ghost suppliers, duplicate bills, and round-number anomalies — without requiring any changes to your current workflow. It's a practical first step toward understanding where your risks actually sit.
The finance teams that avoid fraud aren't the ones with the biggest headcount. They're the ones that design controls around the team they have.