Crypto Treasury Segregation of Duties: No One Signs Their Own Payment

The most common crypto treasury control mistake is believing the multisig is the control. A 3-of-5 where one person prepares, pressures three colleagues to sign, and books the result is fully signed and fully uncontrolled. Segregation of duties is the missing layer. This guide is that layer — and it completes the treasury pillar.

TL;DR

• A multisig threshold ≠ segregation of duties. The threshold is cryptographic; SoD is organisational; you need both.
• Separate initiator / approver / signer / recorder — no individual can initiate and complete, or execute and record.
• Dual control (two independent people for sensitive actions) + step-up approvals (more authority as amount/risk rises).
• Governance actions are in scope — signer changes, modules, policy controls are privileged and must be separated too.
• SoD without an audit trail is unverifiable — record who initiated/approved/signed/recorded.
• Completes the treasury control stack: key security + policy controls + SoD + accounting.

The threshold is not the control

A multisig threshold ensures multiple signatures approve a transaction. It does not ensure the requester, approver, signer, and recorder are different people. The same person can request, approve, and sign; several signers can be one team executing one person's instruction. A fully-signed transaction can be fully uncontrolled. Segregation of duties is the organisational control that the threshold cannot provide on its own — cryptographic and organisational controls are different layers.

The roles to separate

No individual should hold a combination that lets them both create and complete a payment, or both execute and record it. Observer roles (visibility, no authority) support oversight without expanding control.

Dual control and step-up

• Dual control: a sensitive action needs two independent people — it cannot be done unilaterally.
• Step-up approvals: more or higher-authority approvers as amount/risk rises — a small operational payment needs less than a large strategic transfer.

Together they make the control proportionate: routine activity is not over-gated, while high-risk actions face more independent eyes (the tiered-threshold principle as an SoD rule).

Governance is in scope too

The subtle gap: whoever can change the signer set can redefine who controls the treasury. SoD must cover governance actions — changing signers, enabling modules, altering policy controls are privileged changes needing separation between proposer and approver, identity verification, and an auditable record — not something a single signer can do alone.

SoD must be evidenced

Every controlled action should record who initiated, who approved, who signed, who recorded — so the segregation is evidenced, not just intended. An audit trail that cannot show role separation cannot demonstrate the control existed. SoD without an audit trail is an unverifiable claim; the trail is what turns the policy into something an auditor can test — the same principle that closes every cluster of this treasury pillar.

Practical guidance

1. Do not treat the multisig as the control — add organisational SoD.
2. Separate initiator / approver / signer / recorder — no toxic combinations.
3. Apply dual control to sensitive actions; step-up by amount/risk.
4. Cover governance actions (signer/module/policy changes) under SoD.
5. Record initiator/approver/signer/recorder for every action — evidence it.
6. Tie SoD to the audit trail — confirm the design with internal-control advisers.

How vendor tools support SoD

Cryptio and Bitwave record approval and reconciliation roles distinctly from signing. Confirm the tool can evidence initiator/approver/recorder separation in the audit trail and treats governance changes as recorded privileged events — a tool that only logs the signature cannot demonstrate segregation of duties.

How Wag3s helps

Wag3s Ledger records who initiated, approved, signed, and recorded each treasury action — and treats signer/module/policy changes as documented privileged events — so segregation of duties is evidenced in the audit trail, completing the control stack alongside key security, policy controls, and accounting. See the Ledger product page and the Wag3s for accountants page.

Further reading

• Crypto Treasury Board Reporting
• Crypto Treasury KPIs
• Crypto Treasury Accounting Policy
• Multisig Signer Policy and Recovery
• Multisig Treasury Policy Controls
• Safe Treasury Setup Best Practices

Sources

• Segregation-of-duties best practice: separate the requester (initiator), approver, signer, and recorder so no single individual has unilateral control; observer roles for oversight without authority
• Dual control for sensitive actions; step-up approvals as transaction amount/risk rises (proportionate control)
• Governance actions (signer/module/policy changes) are privileged and in SoD scope; SoD must be evidenced in the audit trail (a multisig threshold is cryptographic, not organisational SoD)