Two-Person Control: What It Is And Why You Might Need It

A nonprofit in Daphne lost $38,000 when their bookkeeper created a fake vendor, generated invoices, approved them herself, and deposited the funds into her own account.

She was the only person with access to:

• Set up new vendors
• Create invoices
• Approve payments
• Process wire transfers

No one reviewed her work. She had sole control over the entire payment process.

If two people had been required — one to create the vendor, another to approve payment — this fraud would have been impossible. Not because the bookkeeper was dishonest (she wasn't, until she was), but because the control made the opportunity invisible.

This is two-person control.

What this solves (in real business terms)

Two-person control (also called dual authorization or segregation of duties) means critical actions require two people to approve, not one. No single person can complete a sensitive transaction alone.

The purpose isn't distrust. It's risk reduction:

• Prevents fraud by one person acting alone
• Catches errors made by tired or careless employees
• Creates accountability — someone else knows what's happening
• Meets compliance requirements for regulated industries

Most Gulf Coast small businesses have one person doing everything in key areas. The owner handles banking. The bookkeeper handles payables. The office manager handles payroll. That concentration of control is the vulnerability.

What can go wrong

Single person with unchecked power. The Daphne nonprofit. One person controlling the entire payment process = opportunity for fraud.

Owner doing everything. An owner who handles banking, vendor setup, and approvals because "it's faster." If the owner's credentials are compromised, there's no backup person to catch the fraudulent transaction.

No backup for critical roles. The only person who knows how to process payroll leaves. Or gets sick. Or goes on vacation. Business stops until they're back.

Informal two-person control. "I'll just call you before I do anything big." This isn't two-person control. It's a verbal agreement with no accountability, no documentation, and no enforcement.

Two-person control without defined procedures. You implement two-person control, but don't specify what requires it and what doesn't. Some things get checked, some don't. The gaps are where risk lives.

What it costs (honest ranges)

• Process redesign: Free — document your existing procedures and add dual-approval steps
• Banking dual control (many banks offer free): Free to $50/month for small business accounts
• Software with role-based access (QuickBooks Online, Xero): $25-$150/month
• Managed accounting/bookkeeping services: $500-$2,000/month (includes internal controls)
• IT configuration for role separation: $500-$1,500 one-time

Vendor questions (copy/paste)

Ask your bank:

1. "Do you offer dual control for wire transfers and bill pay? Is there an additional fee?"
2. "What's the limit before a transaction requires two people to approve?"
3. "Can we require two people to set up new vendors or change payment information?"

Ask your accounting software vendor:

1. "Can we set up role-based permissions so one person can't do everything?"
2. "Can we require two approvals for certain transactions?"
3. "Do you support audit logs so we can see who did what?"

Ask your IT vendor:

1. "Can we configure admin accounts so critical actions require two people?"
2. "Can we set up alerts when certain high-risk actions occur?"

Minimum viable implementation

Step 1: Identify your highest-risk processes

Look at your financial operations:

• Who can set up new vendors?
• Who can create invoices?
• Who can approve payments?
• Who can initiate wire transfers?
• Who can add new bank accounts or change payment information?
• Who can process payroll?

If the same person does all of these, you have risk.

Step 2: Map current controls

For each high-risk process, document:

• Who currently does it?
• Who could plausibly review or co-sign?
• Is there any current review (even informal)?

Step 3: Implement dual authorization for wires

Contact your bank:

• Enable dual approval for wire transfers
• Set a threshold: anything over $1,000 (or your comfort level) requires two people
• Some banks require both approvers to be present at the bank or use separate authentication

Step 4: Implement vendor verification

Before adding a new vendor:

• Require a second person to verify the vendor is legitimate
• For new vendors, require W-9, business license, or other documentation
• Change payment info (new bank account) requires a phone callback to the known vendor number

Step 5: Configure software role separation

In QuickBooks, Xero, or your accounting software:

• Create separate roles: data entry, approver, admin
• Don't give one person all three
• Require approver to be different from data entry

In Microsoft 365 or Google Workspace:

• Separate admin roles from regular accounts
• For critical actions (adding new admins, changing security settings), require a second approver

Step 6: Document and train

Write down your two-person control procedures:

• What requires two people?
• Who can serve as the second approver?
• How do approvers verify the request is legitimate?
• What do approvers do if something looks suspicious?

Train everyone on the procedures. Make sure backup approvers exist for when the primary is out.

Step 7: Review quarterly

Set a calendar reminder. Every quarter:

• Review transactions that required dual approval
• Check for any exceptions or workarounds
• Verify the controls are still functioning as designed

When to hire help

Do it yourself if:

• You have fewer than 10 employees
• Your financial processes are straightforward
• You're comfortable working with your bank to enable dual control
• You can implement role separation in your accounting software

Get help if:

• You have complex financial operations (multiple locations, many vendors, high transaction volume)
• You're in a regulated industry (healthcare, finance, government contracting) with specific control requirements
• You've had fraud or a near-miss
• You want help designing controls that fit your specific business processes
• Your accounting software is too complex to configure yourself