GBS Insider ClubField Guide Free
Pillar 2 — Operational Excellence
Cluster 4 of 6
Pillar 2 · Operational Excellence · Cluster 4

Operational Controls The guardrails that keep GBS honest — and audit-proof.

Controls are not bureaucracy. They are the evidence that your organization can be trusted to handle money, data, and decisions correctly — consistently and without supervision. Understanding them early in your career changes how you read every process you work in.

50%faster fraud detection in organizations with strong Segregation of Duties controls — Association of Certified Fraud Examiners
4 eyesThe minimum for any high-risk financial transaction — two people, one action, one review. Cannot be bypassed.
SOXSarbanes-Oxley Act — the regulation most GBS F&A teams operate under. Section 404 requires documented, tested internal controls.
Four-Eyes Maker-checker Two people, one decision SoD Segregation of duties No single point of control Audit Ready Every day Evidence-based compliance
Operational Control Framework
Topic 01

The four-eyes principleA control requiring that a second, independent person reviews and approves any significant action before it is executed. The most widely applied internal control in GBS finance processes. — why two people are better than one

TL;DR

Four-eyes means an independent second review before significant actions execute. It protects the process — and the person. The model is in THE FIX.

A second pair of eyes
is not about trust.

2 min read · full theory in the expandable
The Problem
R
Ravi
AP analyst · Month 8 · Pune

Ravi preps a payment run. Every batch waits for a reviewer.

It feels slow. It feels like being doubted.
Then a reviewer catches a duplicated line in his batch — before it paid out twice.

"That would have had my name on it."

He feels grateful for the control he resented.

The Trap

You read controls as distrust. They are the reason one mistake stays a mistake.

The Fix

Three words make the control real — or hollow.

INDEPENDENTThe reviewer had no hand in the work. Otherwise it is one pair of eyes, twice.
GENUINEReal review, not rubber-stamp. A signature without scrutiny is theater.
TRACEABLEBoth actions leave evidence. Who did, who checked, when.

Ravi stops resenting the wait — and starts reviewing others properly. The control is only as strong as the second pair of eyes.

The four-eyes principle in depthTHEORY · 3 MIN

The four-eyes principle is the simplest and most universal internal control in GBS. One person acts. A second person, independent of the first, reviews and approves. Neither can complete the transaction alone.

Preparer

Performs the action

Creates the payment, posts the entry, sets up the vendor, enters the data. Has full access to prepare but cannot approve their own work.

Reviewer
👁

Independent review

A second person — with no role in the preparation — checks the work against policy, supporting documentation, and approval thresholds. Not a rubber stamp: active scrutiny required.

Result

Approved or rejected

If the reviewer is satisfied: approved, with their ID logged in the system. If not: returned with a reason. Both actions are traceable.

Where four-eyes applies in GBS — common examples
  • Payment runs: processor releases invoices for payment → team lead or treasury approves the payment run
  • Vendor setup: new vendor created in the ERP → independent review confirms bank details, VAT number, and duplicate check before activation
  • Journal entries above threshold: journal posted by analyst → reviewed and approved by senior accountant or controller
  • Master data changes: change to payment terms, bank account, or address requires a second sign-off to prevent fraud
  • Credit note issuance: credit notes above a defined threshold require approval before release to avoid unauthorized revenue reversal
The rubber stamp problem

The most common failure mode for the four-eyes principle is not bypassing it — it is performing it without actually reviewing.

  • A reviewer who approves based on trust rather than scrutiny provides no protection.
  • Auditors test this by checking whether reviewers can explain what they approved and why.
  • A culture where second reviews are rushed or treated as a formality is a culture where controls exist on paper but not in practice.
FOUR-EYES PRINCIPLE MAKER Prepares / executes Person 1 CHECKER Reviews / approves Person 2 (independent) POSTED Approved & executed Audit trail complete NO SINGLE PERSON CONTROLS A TRANSACTION END-TO-END

Four-eyes principle — maker-checker control

Monday Move

Next time you are the second pair of eyes, review as if your name is on it. It is.

Four-eyes is the rule. SoD is the architecture behind it.

GBS Operational Controls Framework — quality management, four-eyes principle, audit readiness, escalation management, and control activities

GBS operational controls framework: quality management, four-eyes principle, audit readiness, and escalation tiers

Topic 02

Segregation of dutiesSoD — the principle that no single person should have end-to-end control over a critical financial process. Separating create, approve, and release roles prevents fraud and reduces error risk. — the architecture behind the four-eyes principle

TL;DR

Segregation of Duties: no single person controls a critical process end-to-end. Create, approve, release stay separated. The model is in THE FIX.

You cannot approve your own work.
That rule protects you.

2 min read · full theory in the expandable
The Problem
A
Amara
O2C analyst · Year 1 · Lagos

Amara requests system access to cover a colleague’s absence.

Denied: the role would let her both create and approve credit notes.

"But I would never misuse it."

The controls analyst is kind: the rule is not about her. It is about anyone, ever, in that seat. She feels at ease with the no.

The Trap

You take SoD personally. It is designed for the seat, not the person in it.

The Fix

Critical processes split into three hands, minimum.

CREATEEnter the transaction. The maker.
APPROVEAuthorize it. The checker — independent by design.
RELEASEExecute it. The final gate before money or data moves.

The coverage gap gets solved with a temporary approver instead. The control holds and the work still moves.

Segregation of duties in depth — toxic combinationsTHEORY · 4 MIN

If the four-eyes principle is the rule, Segregation of Duties (SoD) is the system design that makes it possible. SoD means that no single person controls a complete financial cycle from start to finish.

PERSON A PERSON B PERSON C Create Enter the invoice or payment request Approve Validate and authorize the transaction Release Execute payment or post to ledger TOXIC COMBINATION — SAME PERSON ACROSS ROLES = FRAUD RISK
Segregation of Duties — Create / Approve / Release
Segregation of duties — AP payment cycle example
ROLE A Create vendor AP Clerk ROLE B Approve invoice AP Team Lead ROLE C Release payment Treasury / Controller ROLE D Reconcile & audit Senior Accountant different people different people different people
Why SoD matters in GBS — and what breaks it
  • Why it exists: if one person can create a vendor, approve an invoice, and release the payment, there is no check. Fraudulent payments become easy. Errors go undetected for months.
  • SOX requirement: for publicly listed companies, Section 404 of SOX requires documented evidence that SoD is designed correctly and operating effectively — tested annually by internal and external auditors
  • The most common GBS SoD failure: insufficient headcount. When a small team covers too many roles, individuals end up with conflicting access rights — not by design, but by necessity. Auditors find these and flag them as control deficiencies.
  • Compensating controls: when true SoD is not possible (too small a team), a compensating control is required — typically a management review of all transactions performed by the conflicted individual
  • System enforcement: ERP access rights (SAP authorization profiles, Oracle role configuration) should enforce SoD at the system level — not rely on policy alone
Monday Move

Check your own access: could you create and approve the same transaction? If yes, flag it. Finding it first counts.

Controls in place daily. That is what audit-ready actually means.

Topic 03

Audit readiness — being "audit ready" every day, not just when auditors arrive

TL;DR

Audit readiness means operating so audits pass as a byproduct — documentation, evidence, and access clean every day. The model is in THE FIX.

Audit season panic
is a choice.

2 min read · full theory in the expandable
The Problem
K
Klaudia
Senior associate · Year 3 · Krakow

Two teams, same audit week.

Next door: late nights, reconstructed evidence, screenshots nobody wants to explain.
Klaudia’s team: folders complete, evidence attached at execution time, done by Thursday.

"What did you do differently?" — "Nothing. That is the point."

She feels calm in the one week nobody else is.

The Trap

You prepare for audits instead of operating audit-ready. The sprint is the failure.

The Fix

Audit-ready is a daily operating mode, not an annual project.

DOCUMENTControls written as performed. The SOP matches reality.
EVIDENCEAttached when the work happens. Never reconstructed later.
ACCESSReviewed on schedule. Leavers removed, roles current, exceptions logged.

Audit week costs her team nothing extra — the discipline already paid, in small daily installments.

Audit readiness in depth — the full checklistTHEORY · 4 MIN

The goal is not to pass audits. The goal is to operate in a way that makes passing audits a byproduct of how you normally work — not a sprint you do once a year.

What auditors look for in GBS — the checklist
  • Control documentation: every key control documented — what it is, who performs it, when, and what evidence it produces
  • Evidence of execution: system logs, approval records, review sign-offs — timestamped, traceable, and attached to the transaction or reconciliation they relate to
  • SoD compliance: access rights matrix showing who can do what, with no unmitigated conflicts
  • Current SOPs: process documentation that reflects how the process actually runs today — version-controlled and recently approved
  • Training records: evidence that staff have been trained on current controls — especially after any process or system change
  • Exception handling: documented process for what happens when a control fails or an exception occurs — and evidence that exceptions were handled correctly
  • Management review evidence: regular review of key reports, reconciliations, and metrics — signed off and dated
Control Docs Execution Evidence SoD Compliance Current SOPs Training Records Exception Handling
Auditors verify evidence, not intent.
The daily practice: Audit readiness is built through habits, not sprints.
  • Attach evidence at the time of execution — not six months later when auditors ask.
  • Maintain version-controlled documentation that reflects how the process actually runs today.
  • Flag exceptions immediately rather than hoping nobody notices.
QUALITY MANAGEMENT PREVENTSOPs · Training · Checklists DETECTQC checks · Error tracking CORRECTFix · Root cause · Improve IMPROVEStandardize · Scale Lowest cost Highest value PREVENTION IS ALWAYS CHEAPER THAN CORRECTION FIRST-TIME-RIGHT IS THE ULTIMATE QUALITY METRIC

Quality management — building audit readiness into daily work

Monday Move

Attach evidence to your next control step the moment you perform it. Make it the habit, not the exception.

Even controlled operations have bad Mondays. Here is how the good ones respond.

? CHALLENGE YOURSELF click to expand
  • Can you explain the four-eyes principle and where it applies in your daily work? Do you follow it consistently, or are there shortcuts?
  • Does your team have a documented escalation framework — or do people escalate based on instinct and relationships?
  • When was your last audit touchpoint? If auditors walked in tomorrow, how ready would your documentation be?
  • Do you know the segregation of duties requirements for your process? Where are the potential conflicts?
Topic 04

Handling escalations, volume spikes, and SLA breaches

TL;DR

Spikes, breaches, and escalations are normal operations. Maturity is a response pattern, not an absence of problems. The model is in THE FIX.

Monday: a spike, three escalations.
Your response is your reputation.

2 min read · full theory in the expandable
The Problem
M
Miguel
New team lead · Week 6 · Manila

8:05 AM. Volume is double normal. A system feed failed overnight.

Two stakeholders escalate before Miguel finishes his coffee.
His instinct: answer every email at once, apologize everywhere.

"Wait — who needs to know what, and when?"

He feels frazzled — and catches himself.

The Trap

You react to the loudest voice instead of running a response pattern.

The Fix

Mature teams run the same four moves every time.

ASSESSSize and cause first. Two facts before any communication.
COMMUNICATEProactive, once, right level. One status note beats ten apologies.
RECOVERCapacity plan and aging control. Oldest first, inflow managed.
REVIEWWhat broke, what holds next time. The spike becomes a stronger process.

By 9:00 one status note reaches every stakeholder. Nobody escalates twice. The spike clears — and his name gains weight, not damage.

Escalations, spikes, and breaches in depth — response levelsTHEORY · 5 MIN

In GBS, things go wrong. Systems fail, volumes spike unexpectedly, team members are absent at exactly the wrong time. How you respond to these events defines your operational maturity, and your professional reputation.

Level
Trigger
Who is involved
Response timeframe
L1
SLA at risk — KPI trending below target but not yet breached. Volume higher than planned for the day.
Processor flags to Team Lead. Team Lead monitors and reallocates capacity.
Flagged immediately, resolved within the same business day if possible.
L2
SLA breach confirmed. Backlog exceeding aging threshold. Stakeholder has raised a complaint.
Team Lead notifies Operations Manager. Stakeholder informed proactively. Recovery plan drafted.
Acknowledgment within 4 hours. Recovery plan within 24 hours.
L3
Sustained SLA breach (3+ consecutive periods). System failure impacting processing capacity. Executive-level complaint.
GBS Operations Director involved. Formal incident management process activated. Root cause analysis committed.
Leadership notified same day. Formal RCA delivered within 5 business days.
Volume spike response — the practical playbook
  • Declare it early: the moment volume is tracking 20%+ above plan, flag it. Do not wait for the backlog to form. Early warning is the single most valuable action.
  • Triage the backlog: not all items are equal. Aged items near payment deadlines, items with stakeholder escalations, and regulatory filings have priority over standard aging. Sort and prioritize explicitly.
  • Reallocate capacity temporarily: cross-trained team members from adjacent processes can provide surge support for standardized tasks. This is one reason cross-training is a governance requirement, not optional.
  • Communicate proactively: stakeholders who find out about a backlog before GBS tells them lose trust permanently. Stakeholders who are told early, with a plan, usually remain constructive.
  • Close the loop: after recovery, document what happened, what caused it, and what prevents recurrence. Volume spikes that are not analyzed become recurring surprises.
GBS Insider Club Insights
  • Controls are your professional protection, not just the organization's. When something goes wrong in GBS — a payment is made incorrectly, data is lost, a fraud occurs — the question is: was the control in place and was it followed? If yes, you are protected. If not, you are exposed. Following controls carefully, every time, is not compliance theater — it is career risk management.
  • The worst escalations are the ones that surprise leadership. An SLA breach that GBS discovered, reported, and had a plan for is manageable. An SLA breach that a business stakeholder raised before GBS leadership knew about it is a trust crisis. The discipline of flagging early — even when you are not certain — is a mark of operational maturity.
  • Being audit-ready every day is easier than you think — and harder than most teams manage. The daily habits that create audit readiness (attaching evidence at execution time, version-controlling documents, logging exceptions immediately) take about 5 minutes per transaction. The catch-up sprint to recreate evidence from six months ago takes weeks — and sometimes cannot be done at all.
ESCALATION FRAMEWORK LEVEL 3: LEADERSHIP Director/VP · Strategic decisions · SLA breach LEVEL 2: MANAGEMENT Manager · Cross-team issues · Resource conflicts LEVEL 1: TEAM LEAD Team Lead · Day-to-day exceptions · Priority calls LEVEL 0: SELF-RESOLVE SOP · FAQ · Knowledge base · Peer support ESCALATE UP · NEVER SKIP LEVELS

Escalation framework — structured issue resolution

Monday Move

Write your spike playbook in four lines: assess, communicate, recover, review. Before the next Monday needs it.

The process is protected. Your own day needs the same design.

? CAREER CHECK click to expand
  • Have you ever identified a control gap before an auditor did? How did you handle it, and what was the outcome?
  • Controls knowledge is a career accelerator in GBS, especially in finance processes. How would you rate your understanding compared to peers?
  • Could you explain your team's control environment to a new joiner in 10 minutes? What would you cover?
GBS Insider Club learning paths offer structured career frameworks, practical templates, and guided exercises tailored to your GBS role — from entry-level to leadership.
Glossary

Key terms in this cluster

Full glossary at the GBS Insider Club Field Guide.

Four-eyesControl principle requiring a second, independent reviewer to approve significant actions before execution. The reviewer must genuinely review — not rubber-stamp. Evidence of both actions must be traceable.
SoDSegregation of Duties — the design principle that no single person should control an entire financial cycle end-to-end. Separates creation, approval, release, and reconciliation into different roles.
SOX 404Section 404 of the Sarbanes-Oxley Act — requires management of publicly listed companies to assess and document the effectiveness of internal controls over financial reporting annually.
Control deficiencyAn audit finding indicating that a control is absent, poorly designed, or not operating effectively. A material weakness is a severe control deficiency that could result in a material misstatement of financial statements.
Compensating controlAn alternative control used when true SoD is not achievable — typically a management review of all transactions performed by a person with conflicting access rights.
RCARoot Cause Analysis — structured investigation to identify why a control failure, SLA breach, or operational incident occurred. Standard output after any L3 escalation.
What this cluster covers — and what comes next
  • Four-eyes principle — the most universal GBS control, with examples
  • Segregation of Duties — design principles, SOX requirements, ERP enforcement
  • Audit readiness — daily habits that make audit prep a formality
  • Escalation matrix — L1/L2/L3 escalation triggers and response frameworks
  • Personal Productivity — Eisenhower Matrix, time blocking, inbox zero — Cluster 5

Want the full breakdown on video?

GBS operational controls covered in depth on the GBS Insider Club YouTube channel.

▶   Subscribe on YouTube
Theory done. Now make it count.

Knowing the frameworks is the entry ticket. Applying them — visibly, at your actual job — is what gets you promoted.

The GBS Insider Club Career Playbooks turn this theory into a guided 90-day program for your role: self-assessment, practical exercises, templates, and Julian's unfiltered practitioner playbook.

Explore the Career Playbooks → Back to Operational Excellence
Leave a comment
← Previous Continuous Improvement Next → Personal Productivity