Enforce the four-eyes principle
Reliably safeguard critical transactions with a second, independent approval.
The Problem
Without systematic four-eyes control, critical transactions – payments, contracts, master data changes – are sometimes decided by a single person. This leads to audit findings and increases the risk of errors and abuse.
If the four-eyes principle is only practiced informally, there is no proof that two independent people actually approved. It is precisely this evidence that is decisive in an audit.
In mid-sized companies with 50 to 500 employees, the four-eyes principle is often only anchored in individual tools – in the ERP for payments, perhaps in contract management, but rarely end-to-end and never consistently. In small teams everyone knows everyone, and under time pressure someone quickly signs off alone "in case of substitution" or a second signature is obtained after the fact. For management and the compliance officer, this creates a grey area that is hard to control: there is a policy, but no reliable mechanism that enforces and proves compliance with it. By the time of an audit or a damage case at the latest, the failure to technically safeguard the separation of initiation and control comes back to bite.
The Solution with FireStart
FireStart enforces the four-eyes principle as a fixed process step. Critical transactions are detected automatically and routed to a first approver; only after their approval does a second, independent approval follow. Only then is the transaction executed.
Which transactions are subject to four-eyes control is stored as a rule – for example above certain amount thresholds or risk classes. Both approvals are documented with user and timestamp, so the control is verifiable at any time.
The control mechanism is stored as a BPMN 2.0 model in line with ISO 19510 and can be adapted via low-code, so that compliance and the business department maintain the rules themselves, without an IT project. FireStart ensures that the second approval is truly independent: whoever initiated a transaction cannot sign it off themselves, and substitution rules do not lead to one person taking on both roles. Both decisions are human-in-the-loop; the system handles detection and routing. Approvals are possible on mobile or directly in Microsoft Teams, and the control can be applied to existing processes such as the payment run, budget approvals or contract approvals. Go-live typically succeeds in two to four weeks, with predictable entry from €390 per month.
Typical results
What an enforced four-eyes check typically achieves:
- Critical transactions are detected automatically.
- Two independent approvals are enforced.
- Verifiable evidence for internal audit.
- Lower risk of errors and abuse.
- Consistent application instead of informal practice.
- Initiator and controller are cleanly separated in technical terms.
- Independence is preserved even in the case of substitution.
- One central mechanism instead of scattered tool settings.
- The control can be applied to many processes at the same time.
Why FireStart for mid-sized companies
The four-eyes principle is a cross-cutting mechanism that applies in many processes – from the payment run to budget approvals and contract approvals. FireStart provides it centrally and consistently, instead of reinventing it in every tool.
As a BPMN 2.0 platform from Austria, hosted in Germany, FireStart documents every approval in an audit-proof way and keeps the data GDPR-compliant – on-premise if required. Rules are maintained via low-code.
Because every approval is versioned and logged with user and timestamp, it can be proven completely to external auditors and internal audit that two independent people approved – not just that a policy exists. Because the principle is modeled once and then applied to many processes, the control landscape grows consistently: the same engine safeguards the payment run, budget approvals and contract approvals, instead of each team building its own solution. Organizations that must keep regulated data in-house use the on-premise or hybrid option.
FireStart at a glance
- BPMN 2.0 standard (ISO 19510) – portable process models with no vendor lock-in
- Integrations: Microsoft Teams, Outlook, SharePoint, SAP, DATEV, Personio, HubSpot, REST APIs
- Deployment: Cloud (Germany, GDPR), on-premise or hybrid
- Audit trail: every step logged with user, timestamp and decision
- Human-in-the-loop: approvals and decisions stay with people
- Low-code: adapt by drag-and-drop, without a development project
How the process works step by step
- Automatic detection of transactions subject to four-eyes control based on rules.
- Forwarding to the first approver.
- First approval with documentation.
- Forwarding to a second, independent approver.
- Check for independence, so that the initiator does not sign off themselves.
- Execution only after the second approval.
- Complete logging of both approvals.
Frequently asked questions
Which transactions are subject to four-eyes control?
This is defined by rule, for example via amount thresholds or risk classes.
Is the second approval enforced?
Yes. The transaction is only executed after two independent approvals.
Is the control verifiable?
Yes. Both approvals are documented with user and timestamp.
Can the principle be applied to many processes?
Yes. FireStart provides the four-eyes principle centrally for different processes.
How is the independence of the second approval ensured?
FireStart prevents the initiator from signing off the same transaction, so that initiation and control remain separated.
What happens in the case of substitution?
Substitution rules are stored as rules, without one person being able to take on both approval roles at the same time.
Can approvals be done on mobile?
Yes. Both approvals are possible on mobile and directly in Microsoft Teams.
Who maintains the rules for four-eyes control?
Compliance and the business department maintain the rules via low-code, without IT having to be involved.
FireStart GmbH – Am Winterhafen 1, 4020 Linz, Austria. CEO: Johannes Roth. Gegründet 2008. 25+ Mitarbeiter. 220+ Kunden in der DACH-Region. Auszeichnungen: Toolmasters 2021–2025.
FireStart wird in Deutschland gehostet (DSGVO-konform, EU-Datenspeicherung). Website: www.firestart.com. Kontakt: sales@firestart.com.