No one wants to think that their employees would try to steal money or defraud their company in some way. But it happens. Unlike in very large companies where employee fraud might result in prosecution or newspaper headlines, employee theft in small or medium-sized businesses is largely unreported and often just a loss for owners.

The number of fraud cases and the amount of fraud losses is growing in the United States and around the world. The biggest factor that puts smaller or mid-sized companies at risk is that because of fewer employees, too many financial-related duties are in the hands of one person, making it easier to steal money without anyone noticing.

Most of the frauds we see in smaller businesses are pretty basic.

For example, someone who processes accounts payable checks will make a check out to themselves but record it in the accounting system as going to a company vendor. That person may forge the owner’s signature on the check, or simply have a signature stamp, making it even easier. If this person is also the one who reviews the monthly bank statements of canceled checks, no one ever notices the discrepancy.

Studies have shown that most frauds have a duration of about 18 months before being discovered. Typically, an insurance company might cover a loss from employee theft, but insurance might require you to prosecute the employee first. Or you may have a high deductible. The best way to stop loss is to prevent it.

Do You Know the Three Factors Needed to Commit Fraud?

  1. Something is occurring in someone’s life that makes them feel they need to get their hands on more money than they are making now. MOTIVATION
  2. They have rationalized that it is okay to engage in a fraudulent scheme. RATIONALIZATION
  3. There must be an opportunity to commit fraud. The only factor that a company can control is an opportunity to commit fraud, which is reduced through strong internal controls. OPPORTUNITY

How does a company improve internal controls and reduce the opportunity for theft?

Segregation of Duties (SoD)

The best internal control is to have adequate segregation of duties in all significant accounting processes to ensure multiple employees are involved in the responsibility of authorizing transactions, recording transactions, reconciling transactions, and having access to cash or other assets. If only one person is responsible for all four of these functions, committing fraud is simply too easy.

Risk Assessment

A risk assessment can identify where a company is vulnerable and what controls are needed to prevent fraud and detect it. Once the controls are in place, top managers should regularly monitor compliance to ensure they are being followed. Designing good internal controls is only half the battle; you must make sure controls are not being circumvented.

Financial Oversight

Good financial oversight by owners and management is one of the best measures for detecting a significant fraud. If you are an owner, you should actively and regularly review financial statements, following up on any unusual amounts or relationships. This review should include the balance sheet and the profit and loss statement. Too often, management will only focus on the profit and loss statement and the bottom line income without reviewing the balance sheet where many fraudulent transactions can be buried.

Owners can also work with their outside CPA for guidance. If your company currently has an annual audit by an independent CPA, they will already be assessing your internal controls and providing you with a report with suggested improvements. If you do not currently have an annual audit, you can engage an independent CPA to perform an internal control assessment consultation to identify weaknesses and potential improvements.

Sample Internal Controls by Accounting Function to Detect Fraud and Errors in a Small Organization


  • Invoices are approved by department heads prior to entry into the general ledger by the accountant.
  • Checks are approved and signed by the executive director prior to payment.
  • Payroll disbursements are approved by the executive director prior to payment.
  • Unopened bank statements are reviewed by the executive director or treasurer before passing them on to the accountant.
  • Expense reimbursements are approved by the employee’s supervisor and the executive director’s expense reimbursement is approved by a member of the board.


  • Cash is received and logged into a deposit sheet by the receptionist.
  • Deposits are made by the accountant.
  • Checks are kept in a locked location and only prepared by the accountant who is not a signer on the account.

Record Keeping

  • Only the accountant has write access to the general ledger, the executive director only has read access.
  • Deposits are entered into the general ledger by the accountant.
  • The executive director or treasurer reviews manual journal entries on a monthly basis.


Bank reconciliations, including the deposit sheet, bank statement and general ledger detail are prepared by the accountant and reviewed by either the executive director or the treasurer.

Monthly financial statements are reviewed by the executive director, department heads who approve invoices and the finance committee.

In addition to segregation of duties, an organization must also implement organization-wide policies and procedures. These policies and procedures provide additional oversight. For smaller organizations these are, at times, more easily implemented as they do not require significant staffing to accomplish.

Organization-wide Policies and Procedures


  • Require all employees to take at least 2 weeks of vacation per year.
  • Perform evaluations for all staff
  • Conduct background checks on all employees
  • Have separate passwords and usernames for all employees and require passwords to be changed at least annually.
  • Prepare an accounting policies and procedures manual
  • Implement a whistle-blower policy
  • Have an annual audit
  • Require all employees and board members to sign a code of ethics policy and provide ethics training on an annual basis.


  • Send thank-you letters for all contributions.  Ensure the letters are sent by someone outside of accounting.
  • Review monthly financial statements compared to budget and actual for the statement of activities and regularly review a statement of financial position.  Update budgets for expenses in proportion to actual decreases in revenues.
  • Establish a strong “tone at the top” so it is the rule that all employees act ethically, not the exception.
  • Be quick to prosecute fraud or unethical behavior when it occurs and let employees know about the consequences.

One might think that once the above segregation of duties, policies and procedures are implemented, the organization is surely protected from fraud and errors. It is important to remember that internal control is an ongoing process, not just segregation of duties. There are other factors the organization must consider.

A small organization can create an environment that deters and detects fraud and abuse by taking into consideration the concepts above. However, it is important to remember that there is not a one-size-fits-all approach, and the above concepts must be customized based on the facts and circumstances of the organization.

Content provided by LBMC audit professional, Steve Thomason, CPA.