You are the CFO, finance coordinator, or program director of an NGO, and a donor audit is approaching. The auditor asks you to demonstrate that the people who authorize an expense are not the same as those who execute or record it. Your org chart is clear — but are your actual processes, on the ground, equally so? In many international solidarity organizations, operational pressure pushes several critical roles onto a single individual, creating risk zones that donors identify immediately.
Segregation of duties (SoD), also called task segregation, is one of the fundamental principles of internal control. This guide walks you step by step through understanding the principle, assessing your current situation, and implementing robust segregation of duties adapted to field realities. We will also see how an ERP like Abvius can automate and secure this segregation at every stage of the financial cycle.
NGO Segregation of Duties: the foundation of internal control
- What is segregation of duties and why donors require it
- The four incompatible functions to separate
- Concrete risks when segregation is lacking
- Mapping your processes: the SoD matrix
- Implementing segregation of duties in 5 steps
- How Abvius structures task segregation
- Best practices for small field teams
- Mini FAQ
1. What is segregation of duties and why donors require it
Segregation of duties is an organizational principle that consists of distributing the responsibilities linked to a financial or operational process among several distinct people. The objective is simple: prevent a single individual from being able to initiate, authorize, execute, and record a transaction without cross-checks.
This principle originates in international audit standards (ISA 315, COSO) and has been progressively integrated into the contractual requirements of most major donors: European Union (ECHO, INTPA), USAID, AFD, FCDO, UN agencies. During an audit, the first thing checked is often the expense authorization matrix and the proof that incompatible functions are effectively separated.
Why donors insist on this point
Donors fund projects with public money or trust funds. They have an accountability obligation toward their own stakeholders — taxpayers, parliaments, boards of directors. Segregation of duties is for them the first line of defense against three major risks: internal fraud, undetected errors, and misappropriation of funds. Without this structural guarantee, fiduciary risk is judged too high, which can lead to expense ineligibility, payment suspensions, or even contract termination.
2. The four incompatible functions to separate
Internal control theory identifies four fundamental functions that should never be combined by the same person within a transaction cycle:
| Function | Role | Example in an NGO |
|---|---|---|
| Authorization | Approve the transaction | The project manager validates the purchase request |
| Execution | Carry out the operation | The logistician places the order with the supplier |
| Recording | Record the transaction | The accountant enters the invoice and the journal entry |
| Control / Custody | Hold or protect the assets | The cashier manages cash, the storekeeper manages inventory |
The principle is that each of these functions constitutes a security lock. If two or three locks are in the same hands, the control system is compromised. For example, if the accountant is also the one who authorizes payments and holds the checkbook, they can theoretically issue a fictitious payment, record it in the accounts, and conceal it — without any third party being involved.
The most critical incompatibilities
Some combinations are particularly monitored by auditors:
- Authorization + Execution: a person who approves their own purchases can easily inflate amounts or choose an accomplice supplier.
- Execution + Recording: whoever places the order and records it can mask discrepancies between what was ordered and what was received.
- Custody + Recording: the cashier who also keeps the cash journal can conceal shortfalls.
- Authorization + Control: a manager who self-approves and controls the entire process eliminates any counterbalance.
3. Concrete risks when segregation is lacking
The consequences of insufficient segregation of duties are not theoretical. Here are situations we regularly observe in NGOs and CSOs:
Undetected internal fraud
When the same staff member combines cash management and accounting entry in the field, misappropriations can go unnoticed for months. The cash reconciliation is then carried out by the very person who holds the funds — a worthless control. The amounts involved, often individually modest, can accumulate and represent significant sums over the duration of a project.
Expense ineligibility during audits
During a donor audit (ECHO, EU, USAID), the absence of documented segregation of duties almost systematically leads to qualified observations. If the auditor finds that the same person authorized and executed a purchase without third-party control, the expense can be declared ineligible — even if it is perfectly legitimate on the merits. The cost of reimbursing the donor then far exceeds that of compliance.
Reputational damage and loss of trust
A negative audit report on internal control is shared among donors. In a sector where trust is the main capital, a recurring observation on segregation of duties can limit access to new funding and weaken existing relationships with institutional partners.
Cascading operational errors
Beyond fraud, the absence of cross-checks increases the risk of errors: duplicate payments, incorrect budget allocation, invoices recorded without effective receipt of goods. These errors, when they accumulate, distort financial reporting and can lead to flawed management decisions.
4. Mapping your processes: the SoD matrix
Before correcting anything, you must first understand the real situation. The reference tool is the segregation of duties matrix (SoD matrix), which crosses key processes with organizational roles to identify risky combinations.
How to build your matrix
Start by listing your critical financial and operational processes: purchase-to-pay cycle, payroll cycle, cash management, inventory management, bank reconciliations, donor reporting. For each process, identify the key steps and the role that performs them in practice — not on paper, but in the daily reality of the field.
Here is a simplified example for the purchase cycle:
| Process step | Project manager | Logistician | Accountant | CFO / Finance Coord. |
|---|---|---|---|---|
| Expression of need | ✔ | |||
| Purchase authorization | ✔ | |||
| Supplier consultation | ✔ | |||
| Selection and order | ✔ | |||
| Receipt of goods | ✔ | |||
| Accounting entry | ✔ | |||
| Payment validation | ✔ | |||
| Payment execution | ✔ | |||
| Bank reconciliation | ✔ |
The ticked cells show a healthy distribution: no column concentrates more than two consecutive steps, and the authorization, execution, and recording functions are carried by distinct people.
Identify risky combinations
Color in red the situations where one person combines two incompatible functions. In the field, the most frequent combinations are: the accountant who also manages the cash, the logistician who authorizes their own purchases for lack of an available project manager, or the finance coordinator who records journal entries in addition to validating payments. Each red cell represents a risk to address through a corrective measure: role reassignment, addition of a compensating control, or automation via a tool.
5. Implementing segregation of duties in 5 steps
Step 1: Conduct a field diagnostic
Do not rely on existing procedure manuals. Go observe the operational reality: who actually signs purchase orders? Who has access to the safe? Who validates timesheets? Interview field teams, examine a sample of recent transactions, and verify consistency between written procedures and actual practices. This diagnostic must cover headquarters and each field base separately, as configurations often differ.
Step 2: Formalize the roles and responsibilities matrix
Based on the diagnostic, build the SoD matrix for each critical process. Document the identified combinations and classify them by risk level (critical, high, moderate). This matrix must be validated by management and annexed to the internal procedures manual. It constitutes a key deliverable during donor audits.
Step 3: Implement compensating controls
In small structures or in field bases with reduced staff, total separation is not always possible. Compensating controls must then be put in place: mandatory dual signature, monthly verification by headquarters, enhanced supervision by a hierarchical manager, unannounced physical counts, cross reconciliations. The essential point is that no combination of functions remains without a documented mitigation measure.
Step 4: Configure your information system
A properly configured ERP is the best ally of segregation of duties. Access rights must reflect exactly the SoD matrix: an accountant must not have the technical ability to approve a payment, a logistician must not be able to modify an accounting entry. Validation workflows must impose sequential steps with distinct approvers. This is where the tool makes the difference between a declarative policy and an effective control.
Step 5: Plan a periodic review
Segregation of duties is not a one-time exercise. Teams change, projects evolve, new bases open. Plan a quarterly review of the SoD matrix, integrated into the internal control process. Verify that access rights in the information system are still aligned with actual roles. Document each review — this traceability demonstrates a continuous improvement approach to auditors.
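The periodic review in steps 3 to 5 can be run as a script over an access-rights export. The following is an added example, not code from Abvius or from this guide: it maps each permission to one of the four functions, flags the critical combinations listed in section 2, and marks each one as mitigated only when the risk register documents a compensating control. The permission names, user names, bases, and sample rows are hypothetical and constructed for illustration.

```python
from itertools import combinations

# Hypothetical permission names mapped to the guide's four functions.
# An unmapped permission raises KeyError, so the review fails closed.
PERMISSION_FUNCTION = {
    "purchase.approve": "authorization",
    "payment.approve": "authorization",
    "order.place": "execution",
    "payment.execute": "execution",
    "journal.post": "recording",
    "cash.hold": "control_custody",
}
# The critical combinations listed in the guide.
INCOMPATIBLE = {
    frozenset({"authorization", "execution"}),
    frozenset({"execution", "recording"}),
    frozenset({"control_custody", "recording"}),
    frozenset({"authorization", "control_custody"}),
}

def review_access(grants, register):
    """Flag users whose permissions combine incompatible functions.

    grants: (base, user, permission) rows from an access-rights export.
    register: {(base, user, frozenset_pair): compensating control text}.
    """
    held = {}
    for base, user, perm in grants:
        held.setdefault((base, user), set()).add(PERMISSION_FUNCTION[perm])
    findings = []
    for (base, user), funcs in sorted(held.items()):
        for pair in combinations(sorted(funcs), 2):
            if frozenset(pair) not in INCOMPATIBLE:
                continue
            control = register.get((base, user, frozenset(pair)))
            findings.append({"base": base, "user": user, "conflict": pair,
                             "status": "mitigated" if control else "unmitigated",
                             "control": control})
    return findings

# Constructed sample: headquarters is separated, a small field base is not.
SAMPLE_GRANTS = [
    ("HQ", "pm_hq", "purchase.approve"), ("HQ", "log_hq", "order.place"),
    ("HQ", "acct_hq", "journal.post"),
    ("FieldA", "acct_a", "journal.post"), ("FieldA", "acct_a", "cash.hold"),
    ("FieldA", "log_a", "order.place"), ("FieldA", "log_a", "purchase.approve"),
]
SAMPLE_REGISTER = {("FieldA", "acct_a", frozenset({"control_custody", "recording"})):
                   "unannounced cash count by headquarters"}
```

Calling `review_access(SAMPLE_GRANTS, SAMPLE_REGISTER)` returns two findings for the field base: the accountant's custody and recording combination as mitigated, and the logistician's authorization and execution combination as unmitigated.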
6. How Abvius structures task segregation
Segregation of duties can only be fully effective if it is anchored in the tools teams use daily. This is precisely the logic of Abvius, the first Finance, Operations, and MEAL ERP designed for NGOs and CSOs.
Multi-level validation workflows
Each transaction in Abvius follows a configurable validation circuit. A purchase request cannot be approved by the person who initiated it. The transition from one step to the next is conditioned by the validation of a distinct role, in accordance with the organization's SoD matrix. These workflows are configurable by transaction type, amount threshold, and field base.
Granular access rights management
Abvius allows you to define access profiles that exactly reflect the responsibilities of each collaborator. A field accountant has access only to entry functions, not to approval functions. A project manager can validate requests but cannot execute a payment. This granularity eliminates the risks of combined functions at the information system level.
Automatic and timestamped audit trail
Every action in Abvius is traced: who initiated, who validated, who executed, on what date, and from which workstation. This audit trail is generated automatically and cannot be modified. During a donor audit, the NGO can provide a complete and tamper-proof history of each transaction, proving the effective segregation of duties at every step.
Integrated electronic signature
The electronic signature integrated into Abvius replaces paper circuits that are often bypassed in the field. Each validation is authenticated and timestamped, which strengthens the reliability of approval circuits and facilitates the work of auditors who no longer need to reconstruct signature chains across scattered documents.
Real-time headquarters-field centralization
Thanks to real-time budget monitoring and automatic donor reporting, headquarters has permanent visibility over field transactions. This continuous supervision constitutes a structural compensating control for bases with reduced staff where total segregation of duties is difficult to achieve.
| Criterion | Paper process | Excel / shared files | Abvius (NGO ERP) |
|---|---|---|---|
| Role separation enforced by the system | No | No | Yes |
| Automatic audit trail | No | Partial | Yes, timestamped |
| Multi-level workflows | Manual | No | Yes, configurable |
| Granular access rights | Not applicable | Limited | Yes, by role and base |
| Electronic signature | No | No | Yes, integrated |
| Real-time headquarters-field visibility | No | Delayed | Yes |
| Risk of circumvention | High | High | Low |
7. Best practices for small field teams
The reality of humanitarian fieldwork often imposes compromises: a base with three or four people cannot fully separate all functions. Here are the best practices to apply in these contexts:
Apply the "four eyes" principle
Even when full separation is impossible, no significant transaction should be processed by a single person. Systematically establish a second pair of eyes: dual signature on payments, cross-verification of cash reconciliations, remote validation by headquarters for amounts above a certain threshold.
Practice rotation of sensitive tasks
Regularly alternate the people in charge of the most exposed functions: cash management, inventory, bank reconciliation. Rotation limits the entrenchment of opaque practices and helps detect anomalies that the usual holder might conceal.
Conduct unannounced controls
Schedule cash counts and stock verifications without prior notice, carried out by a person different from the one in charge. These surprise controls complement segregation of duties by adding a deterrent element and detecting discrepancies in real time.
Strengthen remote supervision by headquarters
Headquarters can compensate for the limits of separation in the field by instituting monthly reviews of supporting documents, cross-reconciliations between field data and bank statements, and remote validations for transactions above defined thresholds. A centralized tool like Abvius makes this supervision smooth and documented.
Document systematically
Every unresolved combination of functions must be documented in a risk register, accompanied by the compensating controls put in place. This proactive documentation is valued by auditors: it demonstrates that the NGO is aware of its limitations and acts responsibly to mitigate them.
8. Mini FAQ
Is segregation of duties possible in a small NGO of 5 people?
Yes, even if it cannot be total. The essential thing is to identify the most critical combinations and put in place compensating controls: dual signature, supervision by the board of directors, unannounced verifications, or use of a tool that imposes validation workflows. Donors understand the constraints of small structures — what they expect is a documented and sincere risk management approach.
What happens if an auditor identifies a segregation of duties weakness?
The auditor will issue an observation or recommendation in the report. The severity depends on the context: a combination identified but offset by documented controls will be classified as a minor observation. A combination without any compensating control, especially if it concerns high amounts, can lead to expense disqualification and reimbursement to the donor. The existence of a corrective action plan is always a mitigating factor.
How often should the segregation of duties matrix be reviewed?
At least once a quarter, and systematically during any organizational change: staff departure or arrival, base opening or closure, new project with specific procedures. The review must include a verification of access rights in the information system to ensure they still reflect the distribution of roles.
What is the difference between segregation of duties and internal control?
Segregation of duties is a component of internal control, not a synonym. Internal control encompasses all policies, procedures, and mechanisms put in place to protect assets, ensure the reliability of financial information, and ensure compliance. Segregation of duties is one of its pillars, alongside authorization procedures, physical asset security, periodic reconciliations, and hierarchical supervision.
Summary
Segregation of duties is not a luxury reserved for large organizations: it is an essential protection mechanism that every NGO, regardless of size, can and must adapt to its reality. By formalizing your SoD matrix, instituting compensating controls where total separation is impossible, and anchoring these principles in a suitable tool, you transform an audit requirement into a true lever of governance and transparency.
To go further on complementary topics, see our articles on NGO internal control in 7 steps, the fight against NGO fraud, the digital audit trail, and donor audit preparation. To discover how Abvius can structure task segregation in your organization, visit abvius.org.