Why segregation of duties falls apart the moment someone goes on leave
May 1, 2026

To the Max

It’s August. Your accounts payable manager is on a two-week holiday in Portugal. The person covering for them has access to everything they need to keep the bills moving: they can receive invoices, code them, approve them, and schedule payments. For two weeks, one person controls the entire payment chain from end to end.

On paper, your business has segregation of duties. In practice, for those two weeks, it has none.

This scenario plays out in growing businesses far more often than most finance leaders realize, and the risk it creates goes well beyond those two weeks. Leave cover, sick days, and unexpected absences are the moments when carefully designed controls quietly collapse, because the controls were built around people rather than systems.

Key Takeaways

• Only 18% of finance professionals feel confident in their internal controls. The most common gaps are approval tracking, segregation of duties, and audit trails.

• Someone with 40 weeks of unused leave is a risk, not a reliable employee. Fraud often hides behind constant availability, because the person committing it can’t afford for anyone else to see the process.

• If your segregation of duties depends on specific people being available, it will break every summer, every Christmas, and every time someone calls in sick. The controls need to live in the system, with built-in delegation and escalation.

• A $9 million fraud at NAB went undetected for years because one trusted employee had a $20 million approval limit with no second reviewer. A multi-tier approval process would likely have caught it.

• Pressure-test your controls by trying to break them. Push a dummy invoice through and see if it gets caught. If it sails through, you know where the gap is.

The employee who never takes leave

One of the most reliable red flags in internal controls is an employee who never takes time off. Across multiple recent conversations with auditors and financial controllers, the same observation keeps surfacing: someone with 40 weeks of unused leave is a risk signal, because fraud often depends on constant access. The person committing it cannot afford for someone else to step in and see how things actually work.

This pattern appeared in a well-known case involving NAB, where a single employee with a personal relationship to a supplier had a $20 million approval limit. False and inflated invoices were submitted and approved by this one person over a period of years, eventually costing the bank $9 million. A multi-tier approval process, where a second person reviewed invoices above a certain threshold, would likely have surfaced the problem far earlier.

Mandatory leave rotation does two things: it gives another person visibility into the process, and it forces the business to discover whether the controls actually work when the usual person is absent. If the answer is no, you’ve identified the gap while you still have time to fix it.

Three ways leave exposes control gaps

The same person ends up handling every step. In a well-functioning AP process, one person receives the invoice, another codes and reviews it, and a third approves or pays it. When one of those people is away and their responsibilities get absorbed by whoever is available, that separation collapses. The person covering may not even realize they’re now controlling the full payment chain, because the handover focused on keeping things moving rather than maintaining controls.

Approvals get stuck and then bypassed. An approval sitting in an absent person’s inbox creates pressure to pay suppliers on time, and that pressure leads to workarounds. Someone with admin access pushes the payment through directly, or a manager verbally approves over a call with no record. Each workaround is individually understandable, but collectively they create a period where the approval process effectively does not exist.

Nobody notices because nobody is looking. The most dangerous aspect of leave-related control failures is that they often go undetected. The person returns, picks up where they left off, and the two weeks of weakened controls are never reviewed. If something went wrong during that period, it may only surface months later during an audit or a reconciliation, by which point the trail is cold and the damage is done.
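The review that never happens after a cover period can be run against an exported approval log. The following is an added example, not part of the original article and not ApprovalMax code: it flags invoices touched during the absence where one person performed more than one of the three separated duties, or where a payment has no logged approval. The CSV layout, action names, people, and dates are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export: one row per logged action on an invoice.
SAMPLE_LOG = """invoice,action,actor,date
INV-101,receive,alice,2026-08-03
INV-101,code,bob,2026-08-03
INV-101,approve,carol,2026-08-04
INV-101,pay,carol,2026-08-05
INV-102,receive,dave,2026-08-10
INV-102,code,dave,2026-08-10
INV-102,approve,dave,2026-08-11
INV-102,pay,dave,2026-08-11
INV-103,receive,alice,2026-08-12
INV-103,code,bob,2026-08-12
INV-103,pay,erin,2026-08-13
INV-104,receive,dave,2026-07-20
"""

# Assumed mapping of logged actions onto the three duties the article separates:
# one person receives, another codes and reviews, a third approves or pays.
DUTY = {"receive": "intake", "code": "review", "approve": "release", "pay": "release"}

def review_cover_period(log_text, start, end):
    """Return {invoice: [findings]} for invoices with any action between start and end."""
    actions = defaultdict(list)   # full history per invoice, so earlier approvals count
    in_scope = set()              # invoices touched during the cover period
    for row in csv.DictReader(io.StringIO(log_text)):
        actions[row["invoice"]].append((row["action"], row["actor"]))
        if start <= date.fromisoformat(row["date"]) <= end:
            in_scope.add(row["invoice"])
    findings = defaultdict(list)
    for invoice in sorted(in_scope):
        by_actor = defaultdict(set)
        for action, actor in actions[invoice]:
            by_actor[actor].add(DUTY[action])
        for actor, duties in sorted(by_actor.items()):
            if len(duties) > 1:   # same person crossed a duty boundary
                findings[invoice].append(f"{actor} performed {len(duties)} duties: {', '.join(sorted(duties))}")
        done = {action for action, _ in actions[invoice]}
        if "pay" in done and "approve" not in done:   # payment pushed through directly
            findings[invoice].append("paid with no logged approval")
    return dict(findings)

if __name__ == "__main__":
    print(review_cover_period(SAMPLE_LOG, date(2026, 8, 1), date(2026, 8, 14)))
```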

Controls that survive holidays, sick days, and resignations

The fix for leave-related control failures is moving the controls from people into systems. Tools like ApprovalMax allow approvers to set a delegate before they leave, so the approval chain continues with a designated substitute rather than defaulting to whoever happens to be around. Escalation rules ensure that if an approval sits untouched for a defined period, it automatically moves to the next person in the chain. And because every action is timestamped and logged, the audit trail remains intact regardless of who is handling the approvals that week.

This approach also solves for the scenario where someone leaves the business entirely. If the approval process is tied to a role rather than an individual, the transition is seamless. A new person steps into the role and inherits the approval rules, thresholds, and escalation paths. The process continues without interruption, and the history of every previous approval remains accessible.

Contrast that with a process where approvals happen over email: when the person leaves, their inbox becomes inaccessible, the approval history goes with them, and the new hire starts with no visibility into what was approved, by whom, or why.

How to find the gaps before they find you

The most practical advice from recent conversations with financial controllers is deceptively simple: try to break your own controls. Push a dummy invoice through the system and see what happens. Does it reach the right approver? Does anyone challenge it? If it sails through without scrutiny, you’ve found the gap.

The same approach applies to leave cover. Before someone goes on holiday, run a few test scenarios through the delegation setup. Confirm that the substitute actually receives the approvals, has the right permissions, and understands their role. It takes minutes, and it reveals problems that would otherwise only surface during the absence, when the pressure to keep things moving makes them much harder to fix.

Reviewing leave balances across the finance team at least quarterly is another straightforward measure. Long stretches of untaken leave, especially from someone who handles payments or approvals, should prompt a conversation and, ideally, a mandatory handover to a colleague for a defined period. The controls should work regardless of who is sitting in the chair that week. If they only work when one specific person is there, they are not controls. They are habits, and habits break under pressure.

This article draws on insights from recent ApprovalMax webinars covering financial controls, fraud prevention, and AP automation best practices.