The Accounting Errors That Enable Embezzlement

Employee theft doesn't happen because employees are inherently dishonest—it happens because weak controls create opportunity. Most embezzlement schemes exploit specific, fixable gaps in accounting processes. Here's how to close them.

Last Updated: January 2026 | 15 min read

Key Takeaways

  • Most embezzlement involves small amounts over long periods—the median scheme runs 18 months before detection
  • The 'fraud triangle' (pressure, opportunity, rationalization) explains why trusted employees steal
  • Segregation of duties is the most effective control—no one person should control a complete transaction cycle
  • Small businesses are disproportionately victimized because they lack formal controls

According to the Association of Certified Fraud Examiners, organizations lose approximately 5% of revenue to fraud annually. Small businesses suffer disproportionately—they experience both higher frequency and higher impact from employee theft because they lack the internal controls that larger organizations implement.

The uncomfortable truth: embezzlement is usually committed by trusted employees. They have access because you trusted them. They exploit that trust because controls didn't prevent it. The solution isn't to stop trusting people—it's to implement controls that make theft difficult even for trusted people.

The Fraud Triangle

Criminologists explain occupational fraud through three factors: Pressure (financial need), Opportunity (weak controls), and Rationalization (mental justification). You can't control pressure or rationalization—but you can eliminate opportunity through proper controls.

Common Embezzlement Schemes (and the Gaps That Enable Them)

1. Billing Schemes

How it works: Employee creates fake vendor, submits invoices, approves payments to themselves.

Control gap: Same person can create vendors, submit invoices, and approve payments. No verification that vendors are legitimate.

2. Check Tampering

How it works: Employee forges signatures, alters payees, or creates unauthorized checks.

Control gap: Blank checks accessible, signature stamps available, bank statements not reviewed by someone independent.

3. Expense Reimbursement Fraud

How it works: Employee submits fictitious expenses, inflates amounts, or submits personal expenses as business.

Control gap: No receipt verification, no review of expense patterns, same person submits and approves.

4. Payroll Schemes

How it works: Ghost employees added to payroll, unauthorized raises, excess hours recorded.

Control gap: No verification of employee existence, payroll changes not reviewed, no comparison of payroll to budget.

5. Skimming

How it works: Employee pockets cash receipts before they're recorded.

Control gap: Cash handling without oversight, no reconciliation of receipts to deposits, no independent verification of sales.

6. Lapping

How it works: Employee steals Customer A's payment, then covers it with Customer B's payment, creating a rotating scheme.

Control gap: Same person opens mail, records receipts, and applies payments. No customer statement verification.

The Most Important Control: Segregation of Duties

The single most effective fraud prevention control is segregation of duties—ensuring no one person controls all steps in a financial process. When duties are segregated, theft requires collusion between multiple people, dramatically reducing risk.

Process: Duties to Segregate

  • Accounts Payable: Vendor creation | Invoice approval | Check signing | Bank reconciliation
  • Accounts Receivable: Invoicing | Cash receipt | Payment application | Statement reconciliation
  • Payroll: Employee setup | Time entry | Payroll processing | Payroll review
  • Purchasing: Purchase request | Approval | Receiving | Invoice matching

The Small Business Challenge

"We don't have enough people to segregate duties" is the most common objection. The solution: involve the owner or a trusted manager in key controls. The owner should review bank statements, sign checks, and approve vendor additions. These tasks take minutes daily but provide critical oversight.
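The duty table and the owner-oversight advice above can be checked against an accounting system's audit trail. The following Python sketch is an added example, not part of the original article: the event layout, user names, and the `reviewers` exemption for the owner are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Segregated duties per process, taken from the table above.
SOD_MATRIX = {
    "accounts_payable": {"vendor_creation", "invoice_approval",
                         "check_signing", "bank_reconciliation"},
    "accounts_receivable": {"invoicing", "cash_receipt",
                            "payment_application", "statement_reconciliation"},
    "payroll": {"employee_setup", "time_entry",
                "payroll_processing", "payroll_review"},
    "purchasing": {"purchase_request", "approval",
                   "receiving", "invoice_matching"},
}

# Constructed audit-trail rows: (transaction id, process, duty, user).
SAMPLE_EVENTS = [
    ("AP-1001", "accounts_payable", "vendor_creation", "dana"),
    ("AP-1001", "accounts_payable", "invoice_approval", "lee"),
    ("AP-1001", "accounts_payable", "check_signing", "owner"),
    ("AP-1001", "accounts_payable", "bank_reconciliation", "owner"),
    ("AP-1002", "accounts_payable", "vendor_creation", "dana"),
    ("AP-1002", "accounts_payable", "invoice_approval", "dana"),
    ("AP-1002", "accounts_payable", "check_signing", "dana"),
    ("AP-1002", "accounts_payable", "bank_reconciliation", "dana"),
    ("PR-2001", "payroll", "employee_setup", "sam"),
    ("PR-2001", "payroll", "payroll_processing", "sam"),
    ("PR-2001", "payroll", "payroll_review", "owner"),
]

def sod_violations(events, matrix=SOD_MATRIX, reviewers=frozenset({"owner"})):
    """Return findings for users who performed 2+ segregated duties on one
    transaction. Users in `reviewers` (assumed here to be the owner acting
    as the oversight control for a small business) are exempt."""
    held = defaultdict(set)
    for txn, process, duty, user in events:
        if duty not in matrix.get(process, ()):
            raise ValueError(f"unknown duty {process}/{duty}")
        held[(txn, process, user)].add(duty)
    findings = []
    for (txn, process, user), duties in sorted(held.items()):
        if user in reviewers or len(duties) < 2:
            continue
        severity = "full_cycle" if duties == matrix[process] else "partial"
        findings.append((txn, user, severity, sorted(duties)))
    return findings
```

A `full_cycle` finding means one person controlled every segregated step of that transaction; a `partial` finding still warrants review of who approved what.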

Essential Controls Every Business Needs

Bank Account Controls

  • Owner reviews bank statements: Unopened statements go directly to owner monthly
  • Dual signature requirements: All checks above a threshold require two signatures
  • Positive pay: Bank verifies checks against an issued check file before clearing
  • Online banking alerts: Notifications for large transactions, wire transfers, ACH changes

Vendor Controls

  • Vendor approval process: New vendors require approval from someone other than AP
  • W-9 requirement: All vendors provide tax identification before first payment
  • Address verification: Check that vendor addresses aren't employee addresses or PO boxes
  • Periodic vendor review: Review vendor list annually for legitimacy
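The address, PO box, and W-9 checks in this list can be run over the vendor master file during the periodic review. This Python sketch is an added example, not part of the original article: the record fields, names, addresses, and tax IDs are constructed, and the abbreviation list is a minimal assumption rather than a full postal normalizer.

```python
import re

# Constructed sample records; field names are assumptions, not a real schema.
EMPLOYEES = [
    {"name": "Dana Cruz", "address": "412 Maple Street, Apt. 3, Springfield"},
    {"name": "Lee Park", "address": "88 Harbor Avenue, Springfield"},
]
VENDORS = [
    {"name": "Acme Paper", "address": "1500 Industrial Road, Springfield",
     "tax_id": "00-0000001"},
    {"name": "DC Consulting", "address": "412 MAPLE ST APT 3 Springfield",
     "tax_id": "00-0000002"},
    {"name": "Quick Supplies", "address": "P.O. Box 771, Springfield",
     "tax_id": ""},
]

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd",
                 "apartment": "apt", "suite": "ste", "drive": "dr"}
PO_BOX = re.compile(r"\bp\s*o\s*box\b")

def normalize(address):
    """Lowercase, drop punctuation, and abbreviate common street words so
    trivially different spellings of one address compare equal."""
    words = re.sub(r"[^a-z0-9\s]", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

def review_vendors(vendors, employees):
    """Return {vendor name: [reasons]} for vendors needing manual review."""
    by_address = {normalize(e["address"]): e["name"] for e in employees}
    flagged = {}
    for v in vendors:
        reasons = []
        addr = normalize(v["address"])
        if addr in by_address:
            reasons.append(f"address matches employee {by_address[addr]}")
        if PO_BOX.search(addr):
            reasons.append("PO box address")
        if not v.get("tax_id", "").strip():
            reasons.append("no W-9 tax ID on file")
        if reasons:
            flagged[v["name"]] = reasons
    return flagged
```

A flag is a prompt for someone outside AP to verify the vendor, since legitimate vendors do sometimes use PO boxes.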

Payroll Controls

  • Ghost employee checks: Periodically verify all employees exist (visit sites, check IDs)
  • Payroll register review: Owner/manager reviews payroll before processing
  • Direct deposit verification: Bank account changes require employee confirmation
  • Payroll-to-budget comparison: Investigate unexplained variances

Cash Receipt Controls

  • Immediate recording: Receipts logged before any other handling
  • Deposit verification: Compare receipts log to bank deposits
  • Lock box for check payments: Checks go directly to bank, not through employees
  • Customer statement review: Customers receive statements and are encouraged to report discrepancies

General Controls

  • Mandatory vacation: Require employees to take consecutive time off (exposes schemes that require daily manipulation)
  • Surprise audits: Unannounced cash counts, inventory checks, reconciliation reviews
  • Hotline/reporting channel: Anonymous way for employees to report suspicious activity
  • Background checks: Screen employees with financial responsibilities

Warning Signs of Embezzlement in Progress

Most schemes are eventually detected. These red flags often appear:

Behavioral Red Flags

  • Employee never takes vacation
  • Works unusual hours (alone)
  • Lifestyle exceeds known income
  • Unusually protective of duties
  • Resists process changes or audits

Financial Red Flags

  • Unexplained budget variances
  • Missing documentation
  • Unusual vendor activity
  • Customer complaints about billing
  • Bank reconciliation problems

The Trusted Employee Problem

In most embezzlement cases, the perpetrator was a trusted, long-term employee with no prior record. They often started small—covering a personal emergency—and escalated over time. Trust is important, but it's not a control. The best protection is controls that prevent theft by anyone, regardless of trust level.

Implementing Controls Without Creating Bureaucracy

Controls shouldn't slow down operations. Focus on high-risk areas with lightweight, automated controls:

Priority Controls (Implement First)

  • Owner reviews bank statements and canceled checks monthly
  • Dual approval for vendor additions
  • Payroll register review before processing
  • Positive pay with your bank

Secondary Controls (Add as Resources Allow)

  • Formal vendor approval workflow
  • Expense report audit sampling
  • Customer statement mailing
  • Periodic vendor list review

Technology Enablers

  • Accounting software with approval workflows
  • Bank alerts for specified transaction types
  • Expense management software with receipt capture
  • Automated three-way matching for payables

The ROI of Controls

The median loss in an occupational fraud case is over $100,000. Basic controls cost a few hours monthly to maintain. The math overwhelmingly favors prevention. And controls have a side benefit: they improve accuracy and efficiency even in the absence of fraud.

Need Help Strengthening Controls?

Eagle Rock CFO helps businesses assess internal controls and implement cost-effective safeguards. We identify gaps in your processes and design controls that protect your assets without creating bureaucracy.
