
10 High-Risk Segregation of Duties Conflicts Auditors Always Flag in D365 Finance


Segregation of duties (SoD) is one of the most important internal controls in any ERP.
But in D365 Finance, it’s also one of the most misunderstood — and the source of the most frequent audit findings.

Here are the 10 SoD conflicts auditors always flag, why they matter, and how to fix them before they become findings in your next review.


1. Vendor Creation / Modification vs Vendor Payments

This is the classic high-risk conflict.

A user who can create vendors and process payments can bypass every financial control in the system.

Why auditors care:
Fake vendors + self-approved payments = fraud risk.

Minimum expectation:
– Vendor master handled by a limited, independent group
– Payment processing handled by AP or treasury
– Database logging active on vendor changes
– Workflow on vendor creation


2. Vendor Master Data vs AP Invoice Posting

Most companies underestimate this one.

If the same person can:

  1. modify vendor banking or payment terms, and
  2. post invoices,
    …they can reroute payments or manipulate liability timing.

Controls:
– Vendor master team separated from AP operations
– Review of vendor changes (weekly or bi-weekly)
– AP invoice workflows enforced


3. AP Invoice Entry vs AP Invoice Approval

Self-approved invoices are an instant audit issue.

Risk:
An employee submits an invoice, approves it, and processes it without oversight.

Controls:
– Multi-step invoice workflows
– Mandatory approval limits
– Daily review of open delegations


4. Purchase Order Creation vs Purchase Order Approval

This is the heart of procurement governance.

If one user can both create and approve a PO, they can initiate spending without authorization.

Controls:
– Distinct requester vs approver roles
– Clear approval hierarchy
– Workflow with monetary thresholds
– Logged changes on vendor accounts


5. PO Receiving vs AP Invoice Approval

When the same person can receive goods and approve invoices, the three-way matching process loses integrity.

Risk:
They can “receive” goods that never arrived and approve the invoice anyway.

Controls:
– Separate warehouse/receiving and AP approval roles
– Receiving logs reviewed periodically
– Tighter monitoring during year-end


6. GL Journal Creation vs GL Journal Posting

No auditor will accept “one person creates and posts their own entries.”

Risk:
Hidden adjustments, manipulation of reserves, period cut-off issues.

Controls:
– Mandatory journal workflows
– Journal categories by team
– Periodic review of posted entries by user


7. Bank Reconciliation vs Cash Disbursements

If the person reconciling the bank can also issue payments, they can hide fraudulent transactions within the reconciliation.

Controls:
– Separate treasury vs AP duties
– Restrict payment processing authorization
– Automated alerts when reconciliation exceptions occur


8. Delegation Management vs Approvals

This is one of the most overlooked — and dangerous — conflicts.

A user who can modify delegations can temporarily give themselves (or someone else) approval power.

Risk:
Bypassing workflows, approving their own transactions, hiding activity during vacations or month-end.

Controls:
– Delegations must be time-bound
– Weekly review of active delegations
– Alerts when delegations are created or modified


9. Fixed Asset Creation vs Disposal / Transfer

Having full control over the asset lifecycle is a major risk, especially in asset-heavy organizations.

Risks:
– Unauthorized disposals
– Hidden write-offs
– Manipulation of net book value

Controls:
– Separate asset accountant vs approver roles
– Audit trail on FA changes
– Monthly FA subledger-to-GL reconciliation


10. Security Admin (Role Assignment) vs Any Financial Posting Access

This is the highest-risk conflict in all of D365 Finance.
It deserves special emphasis.

A user with security admin access can:
– Assign themselves any role
– Elevate their privileges
– Bypass workflows
– Override SoD controls
– Grant posting access to others

Core principle:

A security admin should have no operational access to AP, AR, GL, FA, procurement, inventory, or reporting.

Controls:
– Limit full admin privileges to 1–2 non-operational users
– Strong monitoring on role changes
– Periodic review of system admin activity
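As an added example (not code from the original article), the 10 conflicts above expressed as duty-pair rules and evaluated against each user's effective access on a given date, where effective access includes duties gained through active workflow delegations (conflict 8); the duty labels, users and delegations are constructed for illustration and do not correspond to D365's actual duty identifiers:

```python
# Duty labels are illustrative, not D365's real duty identifiers; the users
# and delegations below are constructed sample data.
POSTING_DUTIES = {"Post AP invoices", "Post GL journals", "Process vendor payments"}

SOD_RULES = [
    ("Maintain vendor master", "Process vendor payments"),        # conflict 1
    ("Maintain vendor master", "Post AP invoices"),               # conflict 2
    ("Enter AP invoices", "Approve AP invoices"),                 # conflict 3
    ("Create purchase orders", "Approve purchase orders"),        # conflict 4
    ("Receive purchase orders", "Approve AP invoices"),           # conflict 5
    ("Create GL journals", "Post GL journals"),                   # conflict 6
    ("Reconcile bank accounts", "Process vendor payments"),       # conflict 7
    ("Maintain workflow delegations", "Approve AP invoices"),     # conflict 8
    ("Create fixed assets", "Dispose or transfer fixed assets"),  # conflict 9
] + [("Maintain security roles", d) for d in sorted(POSTING_DUTIES)]  # conflict 10

DIRECT_DUTIES = {
    "alice": {"Maintain vendor master", "Create purchase orders"},
    "bob": {"Reconcile bank accounts", "Process vendor payments"},
    "carol": {"Enter AP invoices"},
    "dan": {"Maintain security roles", "Post GL journals"},
}
# Workflow delegations with ISO dates (they compare correctly as strings);
# "end" None means the delegation is open-ended, i.e. not time-bound.
DELEGATIONS = [
    {"to": "carol", "duty": "Approve AP invoices", "start": "2024-06-01", "end": "2024-06-14"},
    {"to": "alice", "duty": "Approve purchase orders", "start": "2024-01-01", "end": None},
]

def effective_duties(user, day):
    """Direct duties plus every duty delegated to `user` that is active on `day`."""
    held = set(DIRECT_DUTIES.get(user, ()))
    for d in DELEGATIONS:
        if d["to"] == user and d["start"] <= day and (d["end"] is None or day <= d["end"]):
            held.add(d["duty"])
    return held

def find_conflicts(day):
    """(user, duty_a, duty_b) for each rule whose two duties one user holds on `day`."""
    users = sorted(set(DIRECT_DUTIES) | {d["to"] for d in DELEGATIONS})
    hits = []
    for user in users:
        held = effective_duties(user, day)
        hits.extend((user, a, b) for a, b in SOD_RULES if a in held and b in held)
    return hits

def open_ended_delegations():
    """Delegations with no end date; the article requires delegations to be time-bound."""
    return [d for d in DELEGATIONS if d["end"] is None]
```

With this data, find_conflicts("2024-06-05") reports carol's invoice entry/approval conflict only while her delegation is active, alice's PO conflict persists on every date because her delegation has no end, and open_ended_delegations() flags that delegation separately.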


⭐ Bonus Section: Why “System Administrator” Access Is a Governance Issue

The System Administrator (sysadmin) role is not a technical detail.
It is a financial governance risk.

Sysadmin can do everything in the system:
– Modify security
– Modify system parameters
– Override posting setup
– Create users
– Modify workflows
– Change bank accounts
– Post journals
– Manage batch jobs
– Access all master data

This role requires:
– Strong restriction (1–2 people maximum)
– Clear justification
– Monitoring of activities
– Separation from finance and operations


⭐ Bonus Section: Security Roles Alone Are Not Enough

Segregation of duties is only one layer of control.
Auditors expect three layers working together:


1. Security Roles

The foundation.
But roles alone do not prevent fraud or errors.


2. Workflows

Workflows are mandatory in a mature D365 environment:
– Vendor creation
– Purchase orders
– Invoices
– Journals
– Payments
– Asset disposals
– Expense approvals

Workflows provide independent authorization — the backbone of internal control.


3. Automated & Ad-Hoc Controls

Automated controls:
– Alerts when vendor bank accounts change
– Alerts on failed batch jobs
– Database logging
– Reconciliation exceptions
– Delegation activity reports

Ad-hoc controls:
– Bi-weekly review of vendor changes
– Quarterly review of security roles
– Review of posting profiles and parameters
– Spot checks of workflow bypasses

This is the full governance picture auditors expect.


Related Governance & Finance Articles

Strengthen your D365 governance model with these resources:

Real-life ERP implementation lessons:
https://www.fitgapfinance.com/real-life-erp-implementation-lessons/

Human side of ERP projects:
https://www.fitgapfinance.com/human-side-erp-projects/

D365 Finance licensing governance:
https://www.fitgapfinance.com/d365-finance-new-licensing-approach-10-things-to-know/
