AppFolio Permissions Audit: A Practical Role Matrix to Reduce Risk (Without Slowing Your Team)

Most property management teams do not have a “fraud problem.” They have a permissions problem.
When too many people can edit sensitive fields, override controls, or post manual adjustments, you end up with:
- Accidental errors that are hard to unwind
- Unclear accountability (“who changed that?”)
- Bottlenecks when the wrong person is the gatekeeper
- Month-end stress and audit anxiety
Balanced Asset Solutions (BAS) provides AppFolio consulting that includes setup, optimization, and system-level support across accounting and operations. This post shows you how to run a permissions audit that keeps work moving while reducing risk.
Why Permissions Audits Matter in Property Management Accounting
Property management is high volume and high velocity. Teams process rent, deposits, owner funds, vendor payments, fees, credits, and adjustments every day. In that environment, the biggest risks are rarely “hackers.” They are:
- Too many people with all-access permissions “just in case”
- Approval steps that exist only in theory
- Offboarding gaps (former team members still active)
- Workarounds that bypass controls because the official process is slow
BAS’s compliance guidance likewise notes that access controls and user permissions help protect sensitive financial information. The goal here is practical: reduce unnecessary risk without turning your team into a ticketing system where nothing gets done.
What This Post Covers (And What It Does Not)
This guide is a hands-on audit framework:
- How to identify high-risk actions
- How to map those actions to roles
- How to remove excess access without creating bottlenecks
- How to build a monthly controls cadence that prevents relapse
What it is not:
- A list of AppFolio security features
- A generic “best cybersecurity practices” article
For that broader overview, see BAS’s “Is AppFolio secure?” post.
Step 0: Prep the audit (30 minutes that saves days later)
Before you touch roles, get clarity on four basics:
1) Define your operating model
- How many properties and units are you managing?
- Are leasing and accounting separate teams, or blended?
- Do property managers enter bills, or does AP handle it centrally?
- Who is the final approver for money leaving the building?
Your role design should match reality. If your model is centralized AP, do not give payment-release rights to site teams “for convenience.”
2) Pick a single “audit owner”
One person should run the audit and collect decisions. That does not mean they approve everything forever. It just prevents chaos.
3) Decide what “fast” means for approvals
If the team is over-granting permissions because approvals are slow, define a service level up front:
- AP approvals within 24 business hours
- Credit/write-off approvals within 1 business day
- After-hours exceptions only for true emergencies
This prevents the common failure mode: “We gave them admin access because approvals took too long.”
4) Timebox the first pass
Your first pass is about removing obvious risks. You can refine later. A good goal is:
- Week 1: inventory + quick wins
- Week 2: role matrix + changes
- Week 3: workflow fixes + documentation
- Week 4: monthly controls routine goes live
Step 1: List your “sensitive actions” first (not your job titles)
Start by naming the actions that should be controlled. In property management, these usually fall into two buckets: financial risk and operational risk.
Financial risk actions
These actions can directly cause losses, misstatements, or compliance issues:
- Add or modify bank accounts
- Post or approve payments
- Create or modify vendors
- Edit GL structure or chart of accounts
- Post manual journal entries
- Edit closed periods
BAS’s cleanup guidance emphasizes internal controls, including user permissions, as part of keeping books from becoming messy again.
Operational risk actions
These actions impact revenue and resident outcomes:
- Override screening decisions
- Edit lease terms after approval
- Waive fees or issue credits without approval
- Change renewal terms or pricing
Key principle: You are not restricting people because you distrust them. You are restricting actions because systems work better when duties are separated and exceptions are documented.
Step 2: Apply a simple segregation-of-duties rule (works even for small teams)
You do not need perfect separation. You need to avoid one person controlling the full chain for high-risk transactions.
Use this model:
- Entry (create bill, input data, start a transaction)
- Approval (review and approve)
- Release (pay, publish, finalize, or lock)
For high-risk items, one person should not own all three.
What if you are a small team?
Small teams can still separate duties by:
- Using approval thresholds (low-dollar items are approved locally; high-dollar items require a manager)
- Separating entry vs release (even if one person approves)
- Running monthly spot checks by leadership
Step 3: Build a role matrix you can actually live with
Below is a practical starting point. Adjust to your portfolio size and staffing.
Suggested role matrix (high level)
Leasing Agent
- Leasing actions only
- No financial overrides
- No ability to waive fees without documented approval
Property Manager
- Operational approvals
- Limited fee adjustments (under a threshold)
- No payment release
- No closed-period edits
AP Specialist
- Bill entry + coding
- Limited vendor creation (with review)
- No payment release
- No bank changes
Accounting Manager or Controller
- Approvals + journal entries (limited users)
- Period close controls
- Limited vendor/bank changes (documented)
Admin or Executive
- Critical settings access
- Very limited user count
- Access reviewed monthly
Rule: Admin-level access should be rare and documented. Treat admin as a temporary tool, not a permanent job perk.
Step 3A: Add thresholds so you do not slow the team down
The best way to preserve speed without granting blanket access is threshold-based controls.
Examples:
- Credits or write-offs under $100 can be approved by a property manager; above $100, controller approval is required
- Vendor changes require approval if bank details change (high risk), but not for address updates (low risk)
- Journal entries under a set amount require documentation; above that amount, they require review and sign-off
This approach reduces bottlenecks while preventing the worst-case scenarios.
Step 3B: Design for your unit count (simple scaling rules)
BAS’s own intake forms segment by unit count, which is a useful way to think about complexity.
0 to 199 units
- Keep roles simple
- Separate entry from release
- Monthly spot checks by owner or controller
200 to 500 units
- Separate AP entry from payment release
- Formal approval SLAs
- Standardized close checklist ownership
500 plus units
- Role matrix by department
- Dedicated admin role (still limited users)
- Monthly audit trail review cadence is non-negotiable
Step 4: Audit your current state (what you actually have today)
Run the audit like this:
- Export or list users (active + inactive)
- Confirm each person’s job responsibilities (today, not last year)
- Compare responsibilities to permissions granted
- Remove or adjust mismatches
- Document exceptions and why they exist
Quick wins that almost always apply
- Remove access for former employees immediately
- Eliminate duplicate accounts and generic shared logins
- Require approvals for credits and write-offs above a threshold
- Reduce admin-level users to the minimum possible
A practical exception rule
If someone “needs admin sometimes,” do not leave them with admin permanently. Use:
- temporary elevation
- documented reason
- expiration date
- review in the monthly controls check
This single change prevents a huge portion of long-term risk.
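As an added example (not BAS’s or AppFolio’s code), the following Python script expresses the Step 2 entry/approval/release rule, the Step 3A $100 credit threshold, and the Step 4 user review as checks that run over a user export. The role, action and login names, the `User` fields, and the export layout are assumptions; AppFolio’s real export format is not modeled.

```python
from dataclasses import dataclass, field
HIGH_RISK = {"payment", "vendor_bank_change", "journal_entry"}  # Step 1 actions (assumed names)
FULL_CHAIN = {"entry", "approval", "release"}                   # Step 2 stages
CREDIT_THRESHOLD = 100  # Step 3A; treating exactly $100 as controller-level is an assumption
@dataclass
class User:
    login: str
    active: bool          # account enabled in the system
    still_employed: bool  # per the current HR roster (constructed input)
    role: str
    shared: bool = False  # generic login used by several people
    grants: dict = field(default_factory=dict)  # action -> stages actually granted
# Step 3 role matrix: the stages each role should hold per action
ROLE_MATRIX = {
    "Leasing Agent": {},
    "Property Manager": {"credit": {"entry", "approval"}},
    "AP Specialist": {"payment": {"entry"}, "vendor_bank_change": {"entry"}},
    "Controller": {"payment": {"approval", "release"}, "journal_entry": {"entry", "approval"},
                   "vendor_bank_change": {"approval", "release"}},
}

def credit_approver(amount):  # Step 3A threshold: which role must approve this credit
    return "Property Manager" if amount < CREDIT_THRESHOLD else "Controller"

def sod_violations(user):  # Step 2 rule: one person holding the full chain of a high-risk action
    return sorted(a for a, s in user.grants.items() if a in HIGH_RISK and FULL_CHAIN <= set(s))

def audit_users(users):  # Step 4 checks over a user export; returns (login, finding) pairs
    findings = []
    for u in users:
        if u.active and not u.still_employed:
            findings.append((u.login, "former employee still active"))
        if u.shared:
            findings.append((u.login, "generic shared login"))
        for action in sod_violations(u):
            findings.append((u.login, f"holds full entry/approval/release chain for {action}"))
        for action, stages in u.grants.items():  # drift beyond what the role matrix grants
            extra = set(stages) - ROLE_MATRIX.get(u.role, {}).get(action, set())
            if extra:
                findings.append((u.login, f"{action}: stages beyond role matrix {sorted(extra)}"))
    return findings
# Constructed user export (not real accounts)
SAMPLE_USERS = [
    User("maria.ap", True, True, "AP Specialist", grants={"payment": {"entry"}}),
    User("dan.ctrl", True, True, "Controller",
         grants={"payment": {"entry", "approval", "release"}}),  # entry added "for convenience"
    User("frontdesk", True, True, "Leasing Agent", shared=True),
    User("old.consultant", True, False, "Controller"),
]
```

Running `audit_users(SAMPLE_USERS)` flags the controller who was handed payment entry “for convenience” (both as a full-chain violation and as drift from the matrix), the shared front-desk login, and the former consultant whose account is still active.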
Step 4A: Do not forget third-party access and integrations
Many teams lock down internal users but forget external vectors:
- Vendor portals
- Integration accounts
- Outsourced bookkeeping logins
- “Former consultant” access that never got removed
Create an “external access list” with:
- who owns the relationship
- what permissions exist
- why they need access
- how you will revoke access if the relationship ends
This keeps your access surface area intentional.
Step 5: Protect speed with approved workflows, not blanket access
Teams often over-grant access because approvals feel slow. Fix that by designing workflows that are fast enough to follow.
1) Create approval SLAs
Examples:
- AP approvals within 24 business hours
- Urgent owner disbursements same day when requested before noon
- Credit/write-off approvals by end of next business day
2) Use a standard exception process
Avoid “just give them access” decisions. Use:
- Request
- Reason
- Threshold
- Approval
- Time limit
3) Train managers on the new approval path
Most bypass behavior is not malicious. Training plus predictable turnaround time eliminates the motivation to bypass.
BAS positions AppFolio consulting as improving operations across accounting and workflows, which includes setting up processes that teams can follow without constant workarounds.
Step 5A: Write down the rules (a one-page controls policy)
A permissions audit fails when nothing is documented.
Create a one-page document that answers:
- Who can approve payments, and at what thresholds?
- Who can create vendors, and what requires review?
- Who can post journal entries, and what documentation is required?
- Who can edit closed periods, and under what conditions?
- What is the emergency process?
Keep it simple enough that a new hire could follow it.
Step 6: Add a monthly controls check (15 minutes)
Controls are not “set and forget.” They degrade quietly as teams change.
Once a month:
- Review who has high-level access
- Review recent changes to vendors and bank-related fields
- Spot-check manual journal entries for documentation
- Confirm offboarding happened correctly
- Confirm any temporary elevated access was removed
This is how you prevent the “we cleaned it up once” cycle that BAS warns about in its cleanup guidance.
Make it stick: put it on the close calendar
If the control check is not scheduled, it will not happen. Tie it to the month-end close.
Red flags that your permissions structure is hurting you
If any of these are true, your current setup is likely creating risk or inefficiency:
- More than a small handful of admin-level users exist “because we might need it”
- People ask for access instead of following a workflow
- The same issues appear every month (reclasses, reversals, mysterious adjustments)
- Offboarding is inconsistent
- Approvals are delayed and people bypass them
When to bring in AppFolio consulting
If you are unsure how to structure roles without breaking workflows, this is a high ROI place for a consultant.
BAS’s AppFolio consulting includes setup, optimization, and training support across accounting and operational use cases. A CPA-led consultant can help you:
- Design roles based on your portfolio size and team structure
- Build an approval framework that is fast enough to follow
- Align permissions with your month-end close controls
- Reduce workarounds that lead to messy books
FAQ
How often should we review AppFolio permissions?
Monthly for high-level access and critical actions, plus immediately after staffing changes.
Will tighter permissions slow down operations?
Not if you pair them with approval SLAs and a standard exception process. Tight permissions without workflow design create bottlenecks. Tight permissions with a fast approval path create consistency.
What is the biggest mistake teams make?
Leaving admin access in place “just in case,” and skipping offboarding cleanup.

