Embezzlement and Fraud: Using basic Internal Controls to Protect a Company

Whether your company is on the cutting edge being decentralized with remote employees that accepts cryptocurrency, or a mom and pop shop that sells retro gaming collectables. Employee theft is always a major concern. With the wonderful community here at Steemit having small business owners, or those looking into starting their own company. I wanted to bring this topic that is near and dear to my heart --internal controls. Even multibillion dollar companies have failed these rather simple and basic multilayer approaches to stopping, and detecting embezzlement, or fraud from occurring inside of the workplace.

Background Checks and Drug Testing


While these two things are not legal to do everywhere in the world if your company operates in an area that it is you should take advantage of these front line tools. I am still shocked to this day when I find out a local, or global company never ran a background check on an accountant, or person for critical areas of business. With that in mind, yes, drug test can be beaten, and lack of a criminal history does not mean crimes have not been committed. Oftentimes, companies will even drop, or never file charges for partial or full return of stolen goods, and cash since it is not worth the court cost to pursue charges. Then there are areas like consultants in computer security that could have a criminal past for gaining those skills in the first place. More often than not companies trust employees with a troubled past as much as a two year old with a flame thrower (never give a two year old a flamethrower!).

Surveillance and Monitoring


When it comes to internal controls I consider this a necessary evil. Most owners do not want to have hundreds of motion tracking cameras, and keylogging every key entered into a computer system. However, if it’s legal to do so some deterrents in form of cameras and monitoring computer systems is enough to keep the average employee honest when a random thought slips into their mind of helping themselves.

While some countries flat out make it illegal to record anyone in a public or private areas most do allow with certain restrictions in place. It is generally considered illegal to record in areas where an employee expects privacy which is normally in a dressing locker room or bathroom area. So, where should you set up surveillance then? In areas where employees are dealing with cash, customer payment, small and high value items in storage and high traffic areas. One of the most common areas companies forget to put a camera is the employee only entrance, and exit door that is usually right in the back where inventory is stored.

While it can get annoying having to use an employee card to enter into areas, or use for using a device such as a printer this gives the company the ability to not only keep track of who was in the area at the time, but also what they were doing . So why is this important information to have? If during a shift a $1200 item goes missing, and only one employee was logged as being in the back room where it was stored. You now have an idea where to start the investigation on the missing item. As far as having printing system lock down it just helps prevent information from walking out, and allows you to find out if someone printed sensitive information that could been anything. From customer credit card too internal documents that where leak to the press. While there are still other ways of achieving this it at least controls one of many avenues.

The Bring Your Own Device policy. Ah it is so nice to save money and just allow your employees to bring in their personal devices: cellphones, laptops, and tablets to use in a work setting. If you’re a small company, have remote employees, or just have an employee who happens to work as much out of the office as in; then, this is just something you have to deal with. These kinds of policies however can be a nightmare for IT staff, put your network at risk for virus, worms, and other nasty stuff. Finally, gives an employee the ability to negate any safe measures you have in place preventing them from gathering sensitive data, and leaving the building with it. In general if you can avoid using such a police it is best.

For computer systems themselves a company should look into having software that allows the manager to not only see what is going on for a specific computer; but, also have the ability to take control of it if they need to say lock a user out. Most of these types of monitoring systems also take snapshots of the monitor incase a review, or investigation needs to be taken place. Most accounting software and programs like Microsoft Excel provide similar functions such as snapshot or lookback periods on what is being worked on.

Separation of Duties and Powers


The entire point of this is keeping a single person from gaming the system in their favor. It can be rather complex. Often times companies struggle the most with separation of duties and powers. Even more so for small company where an owner whose been working eighty hours a week just hired on a part time accountant or manager, and they offload a large chunk of duties to a single person.

Example 1: handling cash and payments
Cash drawer > closing out the drawer > storing money in safe place > transportation of money to a bank > bank reconciliation

This is the basic cycle of accepting payment from a customer all the way down to confirming banking records and general ledger are correct in the accounting system. In an ideal world, you could just have one person to take care of all of this. In the real world however this just leaves too many opportunities for someone to help themselves. Ideally the person who closes out a drawer, and courts it should not be the person who has access to the record of how much cash there is supposed to be. This prevents the employee who counts the cash from just saying “yep it’s correct”; while, they withhold some for themselves. Next, money needs to be stored in a safe place till I can be transferred to the bank. Some companies do nightly deposits while others do weekly depending on sales. Finally, the person who deposits the money should not be the person who audits the banking and general ledger. This is done by running bank reconciliation, and resolving difference if the two figures do not match. This is important as the person who is taking the money out of the building has the greatest risk of gaming the system. It is also very important to check the deposited dates when the employee was sent to the bank to make a deposit. While even if no money was found missing after running a bank reconciliation. It would not be the first time an employee was found out spending the deposit; then, using their paycheck to pay it back in a day or two. This can also be a red flag that an employee is suffering from: alcohol, drug, or gambling addiction. They are putting the deposit at risk to cover their own personal shortfall in funds till they get paid. Sooner or later the employee’s paycheck no longer covers how much of the deposit they spent, and then too late to recover lost funds.

Example 2: Ordering, and receives supply from a supplier
Order is place to vender> good(s) are confirmed to match order from scouse document, and accounting records > entered into the inventory system

This is a much shorter example but still shows how easy it is for a company to assume only one employee is needed, but it should really be two. When it comes to dishonest individuals they have an assumption that other people are dishonest as well. As such they usually don’t need to know cool secret word like it is betrayed in the movies, or even in main stream media. They can simply call up a supplier and say “hey, I’d like to place an order for $1800 worth of X but only send us $1000, 40% sound ok?” Now in perfect world the employee on other end of the line is an honest person who calls his or her manager, and they contact your company to inform you of what just happened. In an in-perfect world this person was already know to be “on the take” and therefore was just found on a list on the internet, or known by industry experts. This is why having a second employee to confirm delivery with what the company has paid for is important.

In the end, this list could go on for a while about separation of duties and powers to help give examples for better understanding of why it is needed. Since I have an accounting background these two examples are just ones I know well enough. This kind of thinking can be applied to other departments as well such as: IT, sales, consumer service, and so on.

Mandatory Two Weeks off Vacation


Do you have that employee that is overly helpful, and will not only show up during their vacation, or days off, but on holidays, or even when they are really sick? Do they act like their life is going to end if they are unable to show up to work? Well there could be good reason for that. Mandatory two week off vacation is often your last line of defense when it comes to protecting your company. This is often times when a company finds there internal controls were in fact missing something in: surveillance and monitoring; and separation of duties and powers. When a dishonest employee finds loopholes, and breaks in your layers of internal control they usually need to be around to keep maintaining their involvement. Furthermore, they need to prevent another employee from finding out about it.

Even when an employee who is in a mission critical role is given mandatory two weeks off vacation you need to be firm on the mandatory part. Do not call them. Do not let them come in and help. This is often the best time to have an internal audit of that employee’s work, or even your books if they are your accountant. Without them around they cannot intervene with any investigation into anomaly(s) found in the books, missing inventory, cash, equipment, and so on.



A lot of small business owners to even multibillion dollar companies need to up their game in internal controls. Failure to do so have resulted in companies filing for bankruptcy, or shutting down for good. While ten or twenty dollars going missing here or there does not sound like a lot. Over time this can be a lot. There even have been large companies that where the victims of embezzlement resulting in millions of dollars are lost over a ten or fifteen year span.

Since it has been recommended, I have included the following information as an edit to my original blog post.

I have spoken with many business owners over the years online who have been the victims of embezzlement, and fraud well after the fact. I also earned an A.S in Accounting Technology back in 2013. When I was younger I watch shows like American Greed. As a gamer I have also dealt with scammers in games like Eve Online. While I do not hold a degree in things like: forensic accounting, internal controls, or auditing. I have a lot of passion for topics like this. This is my own work.

