Segregation of Duties in Financial Reporting: How SOD Prevents 
One person should never control everything.
Sounds obvious. But you would be surprised how many Nigerian organisations violate this basic rule every single day.
The same person who creates a vendor also approves the payment. The same person who processes payroll also reconciles the bank account. The same person who authorises a journal entry also records it.
This is not efficiency. This is a fraud waiting to happen.
Segregation of duties is the simple but powerful control that prevents this. Let me explain what it is, why it matters, and how to implement it properly.
The internal control crisis in Nigerian financial reporting

Financial reporting failures in Nigeria are not usually caused by complex accounting standards or sophisticated fraud schemes.
In most cases examined by forensic investigators, external auditors, and regulatory bodies, the root cause is strikingly simple. One person had too much access and too much unchecked authority over a financial process. Nobody was watching closely enough.
The EFCC, the Financial Reporting Council of Nigeria, and external auditors consistently identify weak internal controls as a primary enabler of financial fraud. Inadequate segregation of duties is at the top of that list.
Ghost workers on public sector payrolls. Fictitious vendor payments. Unauthorised journal entries that mask losses. Procurement fraud with inflated purchase orders.
All of these share a common thread. The absence of meaningful separation between the person who initiates a transaction, the person who approves it, and the person who records and reconciles it.
What is segregation of duties?
Segregation of duties is an internal control principle that requires the responsibilities for authorising transactions, recording and processing transactions, and maintaining custody of the resulting assets to be divided among at least two or more separate individuals.
The logic is simple. Requiring collusion between multiple people to commit or conceal fraud dramatically reduces the likelihood that fraud will occur. It also significantly increases the probability that fraud will be detected if attempted.
In financial reporting specifically, SOD ensures that the person who initiates a payment cannot also approve it. The person who records a journal entry cannot also reconcile the account it affects. The person who manages vendor relationships cannot also authorise vendor payments.
Why segregation of duties is critical to financial reporting in Nigeria
The theoretical case for SOD is well established globally. But the Nigerian context makes it urgent.
The scale of fraud enabled by SOD failures.
The Association of Certified Fraud Examiners consistently finds that a lack of internal controls, with inadequate segregation of duties specifically cited, is the most common factor enabling occupational fraud.
In Nigeria, where the ACFE estimates fraud losses run into billions of naira annually, the stakes are acute. When one employee can create a vendor, approve a purchase order, authorise a payment, and reconcile the bank account, the temptation and opportunity for fraud are almost irresistible.
Regulatory expectations in Nigeria.
Nigerian regulators have made it clear that adequate internal controls, including SOD, are a baseline expectation. The CBN’s guidelines on internal controls for banks expect SOD. The Financial Reporting Council’s corporate governance codes require it. The SEC’s rules for listed companies reference it.
Organisations that cannot demonstrate adequate separation of duties face regulatory censure, increased scrutiny during examinations, and in severe cases, sanctions.
The financial reporting integrity imperative.
For Nigerian companies listed on the NGX, seeking international capital, or reporting to international parent organisations, the integrity of financial statements is non-negotiable.
External auditors assess SOD as part of their evaluation of the internal control environment. Weak SOD raises the risk of material misstatement. It triggers expanded audit procedures. It increases audit fees. In worst cases, it leads to qualified or adverse audit opinions with severe market and regulatory consequences.
The ghost worker and payroll fraud connection.
Nigeria’s persistent ghost worker problem is almost universally enabled by a failure of segregation of duties in the HR and payroll process.
When the same team that onboards employees also processes payroll and reconciles payroll accounts, the segregation that would expose ghost workers simply does not exist. Proper SOD in the payroll process, separating HR administration, payroll processing, payment authorisation, and payroll reconciliation, is the most direct control against this fraud.
The four key duties that must be separated
Effective SOD requires clear thinking about which specific responsibilities need to be kept apart.
Authorisation.
The authority to approve a transaction must sit with a person who is independent of the person who initiated and will process the transaction. Authorisation is the gatekeeper function. When it is bundled with initiation or processing, the gate is effectively unmanned.
Recording.
The responsibility for recording transactions in the financial system must be separated from both the authorisation and custody functions. A person who can both authorise a transaction and record it has the ability to create fictitious transactions and conceal them without independent verification.
Custody.
Physical or electronic custody of assets including cash, inventory, securities, and access credentials must be managed by people who do not also have recording or authorisation responsibilities. In Nigerian organisations, this is particularly important for cash handling and inventory management.
Reconciliation.
The reconciliation function compares records to physical counts, bank statements, or system reports to verify accuracy. For reconciliation to work as a control, it must be performed by someone not involved in the underlying transactions. When the same person processes payments and reconciles the bank account, the reconciliation provides no real assurance.
SOD in an automated and ERP environment
As more Nigerian organisations move to ERP systems, the nature and implementation of SOD must evolve.
SOD in SAP, Oracle, and other ERP platforms.
ERP systems implement SOD through system-level access controls. They assign roles and authorisations that determine which transactions each user can initiate, approve, and record.
In theory, ERP systems make SOD enforcement more rigorous. In practice, many Nigerian organisations have implemented ERP systems with poorly designed access controls that replicate or worsen the SOD violations that existed in their manual processes.
Common ERP SOD violations include users assigned to multiple conflicting roles, excessive use of superuser or administrator access that bypasses all control restrictions, and inadequate periodic review of user access rights.
Compensating controls where full SOD is not possible.
In smaller Nigerian organisations, achieving full segregation of duties across all processes may not be practical due to limited staff numbers.
Compensating controls become essential. Examples include enhanced management review and approval of transactions, more frequent and independent reconciliation by owners or senior management, external bookkeeping or payroll processing by third parties, rotation of staff across financial roles, and increased frequency of internal and external audit procedures.
Compensating controls do not eliminate SOD risk. But they can reduce it to a manageable level when full separation is genuinely impractical.
What is changing in SOD management in 2025 and 2026
The way organisations design, monitor, and enforce segregation of duties is changing rapidly.
Automated SOD conflict detection is now standard practice.
In 2025, the expectation that organisations manually review SOD conflicts through periodic access rights audits has given way to continuous, automated SOD monitoring.
Leading GRC platforms now provide real-time SOD conflict detection engines that continuously scan user access rights, flag violations as they occur, and generate automated alerts for review and remediation. For Nigerian organisations with ERP systems, implementing automated SOD monitoring is becoming the baseline expectation.
The IIA’s 2025 standards place greater emphasis on control environment assessment.
The IIA’s revised International Standards, effective from January 2025, place significantly greater emphasis on the internal audit function’s responsibility to assess the adequacy of the internal control environment, including SOD.
Remote work has created new SOD vulnerabilities.
When financial processes that previously relied on physical separation move to digital environments, SOD controls must be redesigned for the digital context.
In 2025, Nigerian banks and financial institutions received specific CBN guidance noting that remote and digital operational models must maintain equivalent SOD standards to in-person processes, with system-enforced controls rather than manual workarounds.
Forensic audit findings are driving board-level SOD scrutiny.
High-profile forensic audit findings published in 2024 and 2025 have placed SOD directly in the boardroom spotlight. Audit committees across Nigeria are asking more pointed questions about SOD adequacy.
This heightened scrutiny is translating into increased internal audit mandates to assess and report on SOD, increased investment in access control reviews, and in some organisations, a formal SOD policy approved at the board level for the first time.
FRCN’s enhanced corporate governance code tightens SOD expectations.
The Financial Reporting Council of Nigeria’s enhanced corporate governance code, updated in 2025, includes strengthened provisions relating to internal control adequacy for listed and public interest entities.
The updated code places explicit responsibility on the board and audit committee to satisfy themselves that management has implemented adequate segregation of duties across all material financial reporting processes.
Designing an effective SOD framework for your Nigerian organisation
Building a practical, enforceable SOD framework requires a systematic approach.
Start with a comprehensive mapping of all financial processes and the roles involved in each step. This process map is then used to identify all actual or potential conflicts: points where the same person has access to two or more of the four key duties that should be separated.
Each conflict is assessed for its risk level. A remediation plan is developed that either eliminates the conflict through role redesign or addresses it through a formally documented and monitored compensating control.
The framework must be supported by a formal SOD policy approved by the board or audit committee, clear role definitions in both HR and IT systems, periodic access rights reviews (ideally automated and continuous), and a process for managing SOD exceptions where business necessity requires a temporary deviation.
Every exception must be formally documented, risk assessed, time limited, and subject to enhanced monitoring for the duration of the exception.
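The conflict check and exception handling described above can be sketched in code. This is an added example, not taken from any GRC product or from the original article; the role names, users, processes, exception records, and dates are constructed sample data, and the rule applied is the one stated above: two or more of the four key duties held by one person within the same process.

```python
from datetime import date

# Constructed sample data: hypothetical ERP role -> (process, duty it grants).
ROLE_DUTIES = {
    "AP_CLERK":        ("vendor_payments", "record"),
    "AP_APPROVER":     ("vendor_payments", "authorise"),
    "TREASURY_CASH":   ("vendor_payments", "custody"),
    "BANK_RECON":      ("vendor_payments", "reconcile"),
    "PAYROLL_PROC":    ("payroll", "record"),
    "PAYROLL_APPROVE": ("payroll", "authorise"),
    "PAYROLL_RECON":   ("payroll", "reconcile"),
}
# Constructed user-to-role assignments, as an access rights export might list them.
USER_ROLES = {
    "amaka": ["AP_CLERK"],
    "bola":  ["AP_CLERK", "AP_APPROVER"],
    "chidi": ["PAYROLL_PROC", "PAYROLL_RECON"],
    "dayo":  ["AP_APPROVER", "PAYROLL_APPROVE"],  # same duty, two processes
    "emeka": ["TREASURY_CASH", "BANK_RECON"],
}
# Documented exceptions: time limited and tied to a compensating control.
EXCEPTIONS = {
    ("chidi", "payroll"): {"expires": date(2025, 6, 30),
                           "control": "monthly review by finance director"},
    ("emeka", "vendor_payments"): {"expires": date(2025, 1, 31),
                                   "control": "third-party bank reconciliation"},
}

def find_conflicts(user_roles, role_duties, exceptions, today):
    """Return (user, process, duties, status) for every user holding
    two or more of the four key duties within a single process."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        held = {}  # process -> set of duties this user holds in it
        for role in roles:
            process, duty = role_duties[role]
            held.setdefault(process, set()).add(duty)
        for process, duties in sorted(held.items()):
            if len(duties) < 2:
                continue  # a single duty per process is not a conflict
            exc = exceptions.get((user, process))
            if exc is None:
                status = "VIOLATION"
            elif exc["expires"] < today:
                status = "EXCEPTION_EXPIRED"  # lapsed exceptions stop suppressing
            else:
                status = "EXCEPTION_ACTIVE"   # still needs enhanced monitoring
            findings.append((user, process, tuple(sorted(duties)), status))
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(USER_ROLES, ROLE_DUTIES, EXCEPTIONS, date(2025, 3, 1)):
        print(finding)
```

Running the check on every access change, rather than once a quarter, is what turns a periodic access review into continuous monitoring.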
Internal audit plays a critical role in ongoing assurance of the SOD framework, testing not just whether controls exist on paper, but whether they are functioning effectively in practice. SOD testing should be a standing component of every internal audit engagement that touches financial reporting processes.
Where to start tomorrow
Do not try to fix everything at once.
Start with your highest risk processes. Cash disbursements. Payroll. Vendor management. Journal entries.
Map who does what. Document every step. Identify who authorises, who records, who has custody, who reconciles.
Look for conflicts. The same person in multiple roles. Excessive system access. Weak approval processes.
Fix the easy wins first. Separate the most obvious conflicts. Implement compensating controls where full separation is impossible.
Automate where possible. ERP role reviews. Access certifications. SOD conflict monitoring.
Train your team. Make sure everyone understands why SOD matters. Not just the rules.
Final word
Segregation of duties is not complicated. But it is powerful.
One person controlling everything is a fraud waiting to happen. The evidence is overwhelming. Ghost workers, fictitious vendors, unauthorised journal entries. All enabled by weak SOD.
Regulators expect it. Auditors look for it. Fraudsters look for its absence.
Start with your highest risk processes. Separate authorisation, recording, custody, and reconciliation. Monitor continuously. Fix gaps quickly.
Your financial reporting depends on it.
REFERENCES
American Institute of Certified Public Accountants (AICPA). Understanding Internal Controls: The COSO Framework. https://www.aicpa-cima.com/resources/article/understanding-internal-controls
Committee of Sponsoring Organisations of the Treadway Commission (COSO). Internal Control – Integrated Framework (2013). https://www.coso.org/guidance-on-ic
Association of Certified Fraud Examiners (ACFE). Report to the Nations on Occupational Fraud and Abuse. https://www.acfe.com/report-to-the-nations
Financial Reporting Council of Nigeria (FRCN). Nigerian Code of Corporate Governance. https://www.financialreportingcouncil.gov.ng
Central Bank of Nigeria. Guidelines on Internal Controls for Banks and Other Financial Institutions. https://www.cbn.gov.ng
The Institute of Internal Auditors. International Standards for the Professional Practice of Internal Auditing. https://www.theiia.org/en/standards/
SAP. GRC Access Control and SOD Conflict Detection. https://www.sap.com/products/financial-management/grc.html
MetricStream. SOD and Access Risk Management. https://www.metricstream.com

