Why segregation of duties still catches finance teams off guard
Financial fraud rarely begins with a dramatic breach. More often, it starts with a single employee who has just a little too much access inside an ERP system. When one person can create a vendor, approve an invoice, and release a payment without anyone else intervening, the conditions for misuse are already in place.
Segregation of duties, commonly abbreviated as SoD, is one of the oldest principles in internal control. Yet in practice, organisations running enterprise software like Microsoft Dynamics 365 Business Central frequently struggle to implement it properly. The reason is not a lack of awareness but a gap between what compliance frameworks demand and what IT teams can realistically configure.
Breda-based software company 2-Controlware has spent over 17 years developing authorisation tools specifically for Microsoft Dynamics environments. For organisations looking to understand how authorisation management in Business Central works in practice, the company offers a free whitepaper on the subject.
The gap between policy and practice
Most finance directors understand that segregation of duties matters. SOx compliance, the access-control obligations in GDPR, and internal audit standards all point in the same direction. The challenge appears when those high-level policies need to be translated into specific user permissions inside an ERP system.
Business Central grants access through permission sets, each a list of object-level permissions, and a user's effective rights are the union of every set assigned to them, directly or through a group. That model grows complex quickly: an organisation with 50 users, each holding a handful of sets, can easily have hundreds of distinct combinations, and the rights that matter for SoD are the union, not any single set. Without dedicated tooling, keeping track of who can do what becomes a manual task that nobody truly owns.
This is where conflicts slip through. A warehouse manager who was temporarily granted purchasing rights to cover a colleague's holiday may still hold those rights six months later. Nobody checked, and nobody was alerted, because once it is in place a temporary grant looks exactly like a permanent one.
Where authorisation controls tend to break down
The most common failure point is not the initial setup but the ongoing management. Organisations often invest time in configuring roles correctly during an ERP implementation. Then staff changes happen, new modules are added, and the original structure erodes.
Conflict detection is particularly tricky. Two permissions that seem harmless individually can create a serious control weakness when combined: the ability to create a vendor is routine, and so is the ability to release payments, but one person holding both can pay a vendor nobody else has verified. The conflict is a property of the combination, so it has to be evaluated against a user's effective rights across all their permission sets, not set by set. Identifying these combinations requires either deep system knowledge or software that maps and flags them automatically, such as the Authorization Box tool developed by 2-Controlware for Business Central environments.
Without that kind of detection, finance teams rely on periodic audits to catch problems. By then, a control gap may have existed for months or longer. The shift from periodic to continuous monitoring represents one of the more significant improvements available to compliance-conscious organisations today.
Continuous monitoring changes the equation
Traditional authorisation reviews happen once or twice a year. An auditor pulls a report, reviews user access, and flags anomalies. This cycle leaves long windows during which inappropriate access goes entirely undetected.
Continuous monitoring flips this model. Instead of reviewing permissions after the fact, the system alerts administrators in real time when a change introduces a conflict or when a user’s access deviates from their assigned role template. For organisations subject to SOx or similar regulatory frameworks, this approach significantly reduces the window of risk exposure.
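The two checks described above, the conflict arising from a combination of individually harmless permission sets and the alert when a user's access deviates from their role template, as an added example. This is illustrative code written for this page, not 2-Controlware's product or Business Central's own permission catalogue: the permission set names, the action labels, the SoD matrix, the role templates and the three users are all constructed for the example. The grant expiry date is likewise an assumption added to show how stale holiday cover can be caught; it is not a field of Business Central's permission assignment.

```python
"""SoD conflict detection and role-template drift over a constructed
permission-set assignment (added example; all names hypothetical)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical permission sets, each mapped to the business actions it grants.
# Illustrative names only, not Business Central's shipped permission sets.
PERMISSION_SETS: Dict[str, Set[str]] = {
    "VENDOR-EDIT": {"vendor.create", "vendor.modify"},
    "PURCH-INVOICE": {"invoice.create", "invoice.post"},
    "AP-APPROVE": {"invoice.approve"},
    "PAYMENT-RELEASE": {"payment.release"},
    "WHSE-MANAGE": {"warehouse.receive"},
    "GL-VIEW": {"gl.read"},
}

# Hypothetical SoD matrix: pairs of actions one person must not hold together.
CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}): "create a vendor and pay it",
    frozenset({"invoice.create", "invoice.approve"}): "enter and approve the same invoice",
    frozenset({"invoice.approve", "payment.release"}): "approve an invoice and release its payment",
}

# Hypothetical role templates: the permission sets each role is expected to hold.
ROLE_TEMPLATES: Dict[str, Set[str]] = {
    "AP clerk": {"VENDOR-EDIT", "PURCH-INVOICE", "GL-VIEW"},
    "Warehouse manager": {"WHSE-MANAGE", "GL-VIEW"},
    "Finance manager": {"AP-APPROVE", "GL-VIEW"},
    "Treasury": {"PAYMENT-RELEASE", "GL-VIEW"},
}


@dataclass
class Grant:
    permission_set: str
    expires: Optional[date] = None  # None means a permanent assignment (assumed field)


@dataclass
class User:
    name: str
    role: str
    grants: List[Grant] = field(default_factory=list)


def effective_actions(sets: Set[str]) -> Set[str]:
    """Union of the actions granted by a collection of permission sets (additive model)."""
    return set().union(*(PERMISSION_SETS[s] for s in sets))


def sod_conflicts(sets: Set[str]) -> List[str]:
    """SoD rules violated by holding these sets together. A rule fires only when
    both actions are present, so sets that are clean on their own can still combine
    into a finding; that is why the check runs on the union, not per set."""
    actions = effective_actions(sets)
    return sorted(desc for pair, desc in CONFLICTS.items() if pair <= actions)


def template_drift(user: User) -> Tuple[List[str], List[str]]:
    """Permission sets the user holds beyond, or lacks from, their role template."""
    held = {g.permission_set for g in user.grants}
    expected = ROLE_TEMPLATES[user.role]
    return sorted(held - expected), sorted(expected - held)


def expired_grants(user: User, today: date) -> List[str]:
    """Temporary grants whose expiry date has passed but which are still assigned."""
    return sorted(g.permission_set for g in user.grants if g.expires and g.expires < today)


def check_change(user: User, new_set: str) -> List[str]:
    """Pre-change check: rules a proposed grant would violate. Run this when the
    change is made, so the alert is raised immediately rather than at the next audit."""
    return sod_conflicts({g.permission_set for g in user.grants} | {new_set})


def review(users: List[User], today: date) -> Dict[str, dict]:
    """Run every check; users with no findings are left out of the report."""
    report = {}
    for u in users:
        extra, missing = template_drift(u)
        findings = {
            "sod": sod_conflicts({g.permission_set for g in u.grants}),
            "extra": extra,
            "missing": missing,
            "expired": expired_grants(u, today),
        }
        if any(findings.values()):
            report[u.name] = findings
    return report


# Constructed sample: one clean user, one with stale holiday cover, and one
# holding a conflict spread across two individually harmless permission sets.
USERS = [
    User("anna", "AP clerk", [Grant("VENDOR-EDIT"), Grant("PURCH-INVOICE"), Grant("GL-VIEW")]),
    User("bram", "Warehouse manager", [Grant("WHSE-MANAGE"), Grant("GL-VIEW"),
                                       Grant("PURCH-INVOICE", expires=date(2023, 8, 31))]),
    User("carla", "Finance manager", [Grant("AP-APPROVE"), Grant("GL-VIEW"), Grant("PAYMENT-RELEASE")]),
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for name, findings in review(USERS, TODAY).items():
        print(name, findings)
    print("anna + PAYMENT-RELEASE would violate:", check_change(USERS[0], "PAYMENT-RELEASE"))
```

Running the review reports bram's expired PURCH-INVOICE grant as both stale and outside his template, and carla's PAYMENT-RELEASE as a template deviation that also completes the approve-and-release conflict, while anna produces no findings. The pre-change check shows the continuous-monitoring point: granting anna PAYMENT-RELEASE would be rejected at assignment time because, combined with her vendor-creation rights, it matches the first rule.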
The practical benefit extends beyond compliance alone. IT managers spend less time on manual access reviews, and finance directors gain more confidence that the controls described in policy documents actually exist in the live system. It turns authorisation management from a dreaded audit exercise into a routine operational process.
Making access control scalable for mid-sized organisations
Smaller organisations sometimes assume that structured authorisation management is only relevant for large enterprises with dedicated compliance teams. That assumption is increasingly outdated. As more mid-sized companies adopt Business Central and face tightening regulatory expectations across the EU, the need for proper access control grows regardless of company size.
User templates and centralised management features allow administrators to define role-based access once and apply it consistently. When a new employee joins the finance department, their permissions mirror those of their colleagues automatically. When someone leaves, their access is revoked in a single action rather than across dozens of individual permission sets.
Organisations that handle authorisation management well tend to share one trait: they treat it as an ongoing operational process rather than a one-time project during implementation. Access rights are living configurations that need regular attention, appropriate tooling, and clear ownership within the business.

