
Segregation of Duties Checker

Import your user access export and a conflict-rules matrix, automatically flag every person who can perform two duties that should never sit with one human (like creating a vendor and paying it), rank the conflicts by risk, and let the control owner approve either a remediation or a documented mitigating control — with a full audit trail and a clean SoD violations report.

Level: Intermediate. Time: a weekend. Builds on: Next.js (App Router) on Vercel; Supabase (Postgres + Auth + Storage, RLS on); Resend (email notifications & digests); CSV import / export (no-API fallback included).
What you'll build

A private, login-protected web tool that imports your access export and conflict rules, automatically flags users who hold conflicting capabilities, ranks each violation by risk, routes it to the control owner to approve a remediation or a time-limited mitigating control, and exports an auditor-ready SoD violations report plus a mitigation log — with duplicate guards and a complete audit trail.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A CSV (or export) of user-to-role/permission assignments: at least a user id and the roles or permissions each user holds
  • A conflict-rules matrix: which pairs of functions must be kept separate (e.g., vendor setup vs. vendor payment)
  • Free accounts on Vercel, Supabase, and Resend (all have generous free tiers)
  • No coding experience required — you'll paste the plan into an AI coding agent and answer its questions

The problem this kills

Your access policy is clear: the person who can set up a new vendor should never be the same person who can pay that vendor. The person who records cash receipts shouldn't also reconcile the bank. The person who prepares a journal entry shouldn't approve it. These are the classic segregation-of-duties (SoD) rules — and a single human holding both sides of one of those pairs is exactly how fraud and costly errors slip through.

But proving nobody has a toxic combination is brutal by hand. Access lives in a sprawling export: users mapped to roles, roles mapped to permissions, and the permissions only imply a business function. To find a violation you'd have to expand every user's full set of capabilities, then check every pair against a conflict matrix — for hundreds or thousands of users. Spreadsheets buckle, and a missed combination is the one the auditor finds first.

Controllers and internal audit need complete coverage, ranked by how dangerous each conflict is, plus a defensible record of how every flagged conflict was handled — remediated, or accepted with a documented mitigating control that actually has an expiry date. That's what this builds.

What you'll build

A small, private web app that does the exhausting cross-referencing for you and then puts a human in charge of the judgment calls:

  • Import a user access export (users → roles/permissions) and your conflict-rules matrix (which function pairs must be separated, and how risky each pairing is).
  • Expand each user to the full set of business functions they can perform, through their roles and permissions.
  • Flag every user who holds both sides of a conflicting pair — vendor setup + payment, cash receipt + bank rec, JE prepare + approve, and whatever else your matrix defines.
  • Rank the violations by risk so the control owner works the worst first.
  • Disposition each flagged conflict through the control owner: approve a remediation (remove access) or accept a documented mitigating control with a required expiry date.
  • Export an auditor-ready SoD violations report and a mitigation log.

This is detective review — it confirms who currently holds conflicting access. It never writes back to your ERP or identity system, so it can't break anyone's access; it reads exports and produces reports.
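The expansion, pair-matching, ranking and duplicate-guard steps from the list above (and from the "engine" step in the plan outline) in one runnable form. This is an added illustration, not code from the runbookify plan; the users, roles, permissions, function names and rule ids are constructed sample data, and the permission-to-function map is an assumption about how the import would be shaped.

```python
from collections import defaultdict

# Constructed sample inputs standing in for the two CSV imports.
# Access export rows: (user, role). Note alice's duplicated row and
# dave's two roles that both resolve to VENDOR_SETUP.
ACCESS_EXPORT = [
    ("alice", "AP_CLERK"), ("alice", "VENDOR_ADMIN"), ("alice", "VENDOR_ADMIN"),
    ("bob", "AP_CLERK"),
    ("carol", "GL_PREPARER"), ("carol", "GL_APPROVER"),
    ("dave", "VENDOR_ADMIN"), ("dave", "VENDOR_EDITOR"), ("dave", "AP_CLERK"),
]
ROLE_PERMISSIONS = {
    "AP_CLERK": {"pay_invoice"},
    "VENDOR_ADMIN": {"create_vendor", "edit_vendor"},
    "VENDOR_EDITOR": {"edit_vendor"},
    "GL_PREPARER": {"create_je"},
    "GL_APPROVER": {"post_je"},
}
# Permissions only imply a business function; this map (assumed) makes it explicit.
PERMISSION_FUNCTION = {
    "pay_invoice": "VENDOR_PAYMENT", "create_vendor": "VENDOR_SETUP",
    "edit_vendor": "VENDOR_SETUP", "create_je": "JE_PREPARE", "post_je": "JE_APPROVE",
}
# Conflict-rules matrix: (rule id, function A, function B, risk weight).
CONFLICT_RULES = [
    ("SOD-01", "VENDOR_SETUP", "VENDOR_PAYMENT", 9),
    ("SOD-02", "CASH_RECEIPT", "BANK_REC", 8),
    ("SOD-03", "JE_PREPARE", "JE_APPROVE", 6),
]

def expand_functions(access_rows, role_perms, perm_function):
    """Map each user to {function: set of roles granting it}; sets absorb duplicate rows."""
    user_funcs = defaultdict(lambda: defaultdict(set))
    for user, role in access_rows:
        for perm in role_perms.get(role, ()):
            func = perm_function.get(perm)
            if func:
                user_funcs[user][func].add(role)
    return user_funcs

def find_violations(access_rows, role_perms, perm_function, rules):
    """One record per (user, rule id), ranked by risk descending, then by user.
    The (user, rule) key is the duplicate guard: it is what a unique constraint
    on the violations table should enforce so a conflict is never counted twice."""
    found = {}
    for user, funcs in expand_functions(access_rows, role_perms, perm_function).items():
        for rule_id, fa, fb, risk in rules:
            if fa in funcs and fb in funcs:
                found[(user, rule_id)] = {"user": user, "rule": rule_id, "risk": risk,
                                          "via": {fa: sorted(funcs[fa]), fb: sorted(funcs[fb])}}
    return sorted(found.values(), key=lambda v: (-v["risk"], v["user"]))
```

The "via" field records which roles grant each side of the pair, which is exactly the evidence a control owner needs to choose between removing a role and documenting a mitigating control.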

What's inside the Implementation Plan

The plan is a complete, paste-and-go runbook for an AI coding agent. The very first thing it does is interview you about your business — which systems the access export comes from, exactly how your roles and permissions are named, which business functions matter, the precise conflict pairs you enforce, how you weight risk, and how you record an accepted mitigation. It reflects a short tailored spec back to you and waits for your thumbs-up before it builds anything, so the tool fits your real access model and rules — not a generic template.

From there it walks you, step by step, through:

  • Standing up the Next.js app, Supabase database, and login.
  • Designing the data model around your roles, permissions, and conflict pairs.
  • Building the import screens for the access export and the conflict matrix (with duplicate guards).
  • Writing the engine that expands each user's capabilities and detects conflicting pairs.
  • Ranking violations by risk and presenting the control owner's disposition queue.
  • The mitigation log with expiry tracking, and the SoD violations CSV export.

Every build step ends with a ready-to-copy prompt you paste into your agent.

The governance it includes (this is the point)

This isn't a throwaway script — it's an access-risk control, so it's built like one:

  • Login so only your finance and audit team can open it.
  • Row-level security so each organization only ever sees its own access data and rules.
  • A complete audit trail — who imported what, who dispositioned which conflict, and when.
  • A human-in-the-loop gate: the tool flags and ranks, but nothing is finalized as "remediated" or "mitigated" until the control owner reviews and approves it.
  • Duplicate guards so the same user-plus-conflict can't be flagged or counted twice.

Who it's for

Controllers, internal auditors, and IT-risk / finance-ops leads who own access risk and are tired of hand-expanding role exports. If you can pull a CSV of who has which roles and you can describe the conflict pairs you care about, you can build this — no developer required.

You've got this. Open the Implementation Plan, paste the first prompt, and let the agent interview you.
