What type of controls should be sought when segregation of duties is not feasible?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

When segregation of duties is not feasible, the implementation of compensating controls is essential. Compensating controls are alternative measures that provide a level of risk mitigation similar to that of segregation of duties. They are put in place to mitigate the increased risk that arises when duties are not separated. For instance, if an employee is responsible for both processing and approving transactions, other controls (such as detailed audits, transaction logging, or supervisory reviews) can be introduced to help detect and prevent potential errors or fraud that could occur due to this lack of separation.

This approach is particularly useful because it acknowledges the practical limitations of an organization, which may not always be able to segregate duties due to size, resource constraints, or specific operational needs. By implementing compensating controls, organizations can still achieve an essential level of assurance and support their overall risk management strategy effectively.
