Skip to content
Latch
Request Demo
← Back to blog
Latch Journal

Four-Eyes Principle, Maker-Checker, and Segregation of Duties: What Actually Differs

Four-eyes principle, maker-checker, dual control, and segregation of duties are related but not identical. Here is what changes in workflow design and auditabil

March 19, 2026 6 min read Latch Editorial Team
finance-controls auditability maker-checker segregation-of-duties

Finance, risk, and operations teams often use the same cluster of words when they talk about sensitive workflows:

  • four-eyes principle
  • maker-checker
  • dual control
  • segregation of duties

They point in the same direction, but they are not identical. That distinction matters because the design of the workflow changes depending on which problem you are actually trying to solve.

If the terms stay fuzzy, the implementation usually gets fuzzy too. A team says it wants four-eyes control, but what it really builds is a spreadsheet sign-off. Another team says it wants segregation of duties, but what it actually needs is a visible execution boundary for one class of high-risk actions. By the time internal audit asks for evidence, everyone is arguing about vocabulary instead of reviewing the workflow.

The better approach is to separate the ideas clearly.

Four-Eyes Principle: Independent Review Before Sensitive Action

The four-eyes principle is the control idea most people mean when they describe a sensitive workflow that should not move on one person's judgment alone.

The core point is simple:

  1. one person prepares or advances the case
  2. another independent person reviews or validates it
  3. the action moves only once that boundary is respected

This concept is about decision quality and independence.

It matters most when the impact is meaningful:

  • payment reversals
  • write-offs
  • high-value adjustments
  • retries that can affect balances or reporting
  • sensitive customer or account corrections

The phrase is useful because it tells control owners what they are trying to preserve: more than one set of eyes on the decision.

Maker-Checker: The Operational Finance Version

Maker-checker is the language many finance teams use for the same underlying control.

The maker prepares the request. The checker validates it. In practice, this wording is especially common where people care about financial exceptions, posted transactions, ledger impact, or other actions that are hard to explain later if the record is weak.

Maker-checker is therefore less abstract than four-eyes. It usually implies a concrete workflow question:

  • who prepared the request
  • who checked it
  • what evidence was attached
  • what happened after the check

That is why maker-checker discussions quickly turn into auditability discussions. Once the workflow is named that explicitly, people immediately ask what proof survives after the action runs.

Dual Control: The Broader Umbrella

Dual control is a broader phrase. Sometimes it refers to two people sharing responsibility over one action. Sometimes it refers to more general control layering around sensitive operations.

The important point is that dual control does not always imply the same operating pattern as maker-checker.

For example, a team may use dual control language when:

  • one role can prepare but another role can execute
  • one system enforces policy and another system executes the action
  • two people must validate different parts of the same decision path

That makes dual control a useful umbrella term, but a weaker implementation term. If a project only says "we need dual control," the engineering team still has to ask: what exact action, what exact boundary, and what exact evidence?

Segregation of Duties: Structural Boundary, Not Just One Workflow

Segregation of duties is the structural concept in the group.

It is less about one action and more about how responsibilities are distributed so incompatible powers do not collapse into one role.

Examples:

  • the same user should not both create and approve a financial exception
  • the same role should not both manage policy and bypass it
  • the same operator should not both prepare a sensitive case and execute every downstream action without an independent boundary

Segregation of duties is therefore the design foundation. Four-eyes and maker-checker are specific workflow expressions of that foundation.

If the team gets this wrong, the workflow may look controlled while still concentrating too much authority in one role.

Why the Difference Matters in Workflow Design

Precise terminology changes what the product needs to do.

If you are solving for segregation of duties, you need role boundaries.

If you are solving for maker-checker, you need case visibility and evidence at the point of review.

If you are solving for four-eyes control, you need a workflow that makes independent review meaningful instead of ceremonial.

If you are solving for dual control, you still need to name the exact boundary or the phrase stays too broad to implement well.

That is why weak systems fail in predictable ways:

  • the action can still be executed from a side channel
  • only the final outcome is logged, not the control path
  • denial and retry paths are invisible
  • evidence lives in email rather than with the case
  • policy exists on paper but not at the point of execution

The vocabulary problem becomes a design problem very quickly.

What Good Control Looks Like Operationally

A strong workflow usually has a few shared traits no matter which term the team prefers:

  • one case or work item that holds the context
  • clear role boundaries around sensitive actions
  • permission checks at the point of use
  • visible denials or blocked actions
  • durable execution history after the action runs
  • notes and attachments that stay with the case

Those are the ingredients that turn a control principle into something a reviewer can actually inspect.

Without them, the organization may still have policy text. It just will not have reliable operational proof.

Where Latch Fits

Latch is best understood as the workflow layer around this control problem.

It does not claim to be a magic maker-checker inbox or a generic approval engine for every enterprise scenario. What it does provide is the operational surface teams need when they want four-eyes-ready workflows to stay visible and auditable:

  • one case record for notes, attachments, and issue context
  • Action Providers for high-risk downstream actions
  • approved roles plus permission policy before execution
  • denied-attempt visibility when an action is blocked
  • execution history when the action runs
  • ticket audit logs that keep the action story attached to the case

That matters because a control is only as credible as the record it leaves behind.

If the team wants to bring four-eyes discipline into a finance exception path, Latch can hold the case, expose the action in context, keep execution boundaries explicit, and preserve the result in one place.

If you want to see that pattern mapped to finance-specific workflows, start with the finance controls page.

Continue Reading

If this article answered the vocabulary question, the next useful articles are:

Continue exploring
Approval Workflows See how sensitive actions run with reviewer checkpoints, policy checks, and execution history. Finance Controls Explore four-eyes control, exception handling, and governed recovery paths for finance teams. Audit Trails See how case-linked evidence, denied paths, and execution logs stay attached to one record.
Related reads
How to Run Four-Eyes Control Without Inbox Approvals Four-eyes control breaks down when approval depends on forwarded emails and memory. Here is a case-centric model that keeps role boundaries, denied attempts, an Finance Exception Handling Needs Four-Eyes Control Why finance exception handling needs four-eyes control, evidence, and audit-ready review before unauthorized actions slip through. Turn Reprocessing from Tribal Knowledge into a Governed Action Make reprocessing explicit, permissioned, and auditable so finance teams can retry failed work without relying on tribal knowledge or weak controls.