By Monte Fisher, CPA (Ret.), CFE  ·  Find your business's blind spots — take the free assessment →
Forensic Files · Internal Fraud

9 Ways Employees Quietly Steal From a Small Business — and the Two Questions That Stop Them

Monte Fisher

The typical business loses 5% of its revenue every year to fraud committed by its own people — and it runs a median 12 months before anyone notices. Here is the part that should stop a business owner cold: a financial-statement audit is not designed to catch it. Fraud routinely runs right past audited books, quietly, disguised as ordinary cost — until a sale, a succession, or a disaster finally forces someone to look.

It almost never looks like theft. It looks like a slightly-too-loyal bookkeeper, an invoice that's always just under the limit, a name on payroll you don't quite recognize. Internal fraud is quiet, patient, and — according to the people who investigate it for a living — running inside far more businesses than their owners would ever guess.

The Association of Certified Fraud Examiners studies this for a living. Their finding, consistent across nearly three decades: the typical organization loses about 5% of its revenue every year to occupational fraud. The median case costs $145,000—and small businesses, those under 100 employees, get hit hardest relative to their size, because they have the fewest controls and the most trust.

Worst of all, it runs a long time before anyone notices. The median fraud goes 12 months undetected. Twelve months of a quiet leak that looks like ordinary cost, ordinary competition, ordinary bad luck—until someone finally reads the exceptions.

5%
of revenue lost to fraud annually (ACFE)
12 mo
median time a fraud runs before it's caught
50%+
of cases tied to missing or overridden controls
The uncomfortable part: over half of all fraud cases trace to one of two failures — a control that was never there, or a control that existed on paper but nobody actually performed. That distinction is the whole article, so hold onto it: a control can be perfectly designed and completely ineffective in operation. Most fraud lives in that gap.

The nine schemes — and the flag that gives each away

Nearly 90% of occupational fraud is "asset misappropriation" — the plain theft of company resources. It sorts into a handful of schemes that show up again and again in small businesses. None are sophisticated. All are catchable. Here they are, with the tell for each.

Scheme 01 · The Ghost Employee

A paycheck with no person behind it

A fake name added to payroll, the checks cashed by whoever created it. It survives when one person sets up AND approves payroll with no second look.

The tell: a name on payroll nobody can put a face to. The fix isn't suspicion — it's separating who-adds-employees from who-approves-payroll.

Scheme 02 · The Billing Scheme

Invoices always just under the limit

A shell vendor the fraudster controls, or a real one kicking back — with invoices sized to slip just beneath the amount that would trigger a second signature.

The tell: a vendor whose invoices cluster suspiciously just under your approval threshold. A threshold everyone knows becomes a number to hide beneath.

Scheme 03 · Check & Payment Tampering

Altered or redirected payments

Payments diverted, altered, or issued to the wrong hands — one of the highest-risk schemes for small businesses specifically, where one person often controls the whole payment cycle.

The tell: no one other than the person cutting payments ever reconciles the bank statement. Separate paying from reconciling.

Scheme 04 · Expense Reimbursement Fraud

The receipts that repeat

Padded, duplicated, or fictional expense claims — small each time, large over months, and a clean signal of how someone treats your money when no one is watching.

The tell: the same receipt appearing twice, or claims always just reasonable enough to wave through. A light spot-check closes it.

Scheme 05 · Skimming

Cash taken before it's recorded

Sales diverted before they ever hit the books — the hardest to detect, because the money is stolen before any record of it exists.

The tell: deposits that don't track sales, or revenue softness in one area with no market explanation. Reconcile what was sold against what was banked.

Scheme 06 · Collusion & Bid-Leaking

Losing deals to the same rival, by a hair

An insider feeding a competitor — leaking bids, steering deals — so your losses read as ordinary competition instead of betrayal. This is the one that hides as poor performance.

The tell: consistent near-miss losses to one competitor, tied to one employee with a back-channel to them. Preserve the evidence before you confront anyone.

Scheme 07 · No Segregation of Duties

One person, the whole money cycle

Not a scheme itself — the structure that enables most of the others. When one person creates the vendor, approves the invoice, cuts the payment, and reconciles the account, no one else ever sees a problem.

The tell: any process where a single pair of hands runs end-to-end. Split it, whether or not anyone is stealing today.

Scheme 08 · The Rubber-Stamped Control

Signed every month, read by no one

The control that exists on paper — a monthly reconciliation, dutifully signed — but that nobody actually performs. The same discrepancies sit there, unremarked, month after month.

The tell: identical, tidy sign-offs with obvious anomalies ignored beneath them. "Signed" is not "performed." This is the design-vs-operating gap in its purest form.

Scheme 09 · The AI Nobody Reads

"The software watches it for us"

The modern version of the rubber stamp: an anomaly-detection tool that flags everything perfectly — into a report nobody opens. Automation designed to catch fraud, operationally catching nothing.

The tell: "set it and forget it." A flag no human reviews is a control that's designed but not operating. AI makes the exceptions visible; someone still has to look.

The two seats where it happens most

Ask who's highest-risk and most owners picture a shifty new hire. The data says otherwise, and so does experience. By sheer number of cases, rank-and-file employees commit the most fraud — but their median hit is smallest, around $60,000. Managers run higher, near $184,000. And owners or executives commit the fewest cases but cause the largest losses by far — a median around $500,000 — for one reason: authority scales damage. The higher the access, the more controls that person can quietly override.

But the real risk isn't a job title. It's an access pattern: anyone who can both move money and review their own movement of it. Two seats produce this again and again in small businesses, and both are worth picturing concretely.

The clerk who was her own favorite vendor. An accounts-payable clerk controlled the vendor master file — she could add new vendors — and she also processed payments. So she added a vendor: herself, lightly disguised. Then she approved and paid it, month after month. No one else ever reviewed a new vendor, and no one reconciled vendors against real ones. Here is the part most owners miss: the vendor master is the master key, and most small businesses never lock it. If one person can both create a vendor and pay it, you don't have a weak control — you have none. It was a design gap (no separation between creating and paying) sitting on an operating gap (nobody reviewed additions to the master). Two failures, stacked, running for months.
The assistant who reconciled the card she carried. A trusted executive assistant held the owner's company card — normal enough — but also reconciled the statement each month and submitted it on his behalf. The one control that should have caught anything, the owner reviewing his own card, never actually happened; he trusted her completely and signed off without looking. So personal charges — a tank of gas here, a dinner there, an online order — went on the card and were quietly reconciled away by the same hand that made them. The trust that made her indispensable is exactly what removed the check.

That same failure scales the moment a business hands out procurement cards. P-cards feel small and convenient, so owners issue them and stop looking — "it's just a few hundred dollars here and there." But recall the median fraud runs twelve months at about $9,900 a month. "A few hundred here and there" is the median fraud; small-and-convenient is the camouflage. The classic P-card patterns are all versions of the same unchecked-holder problem: personal charges blended into legitimate ones on a statement the holder codes for themselves; split purchases (a $4,000 buy rung up as two $2,000 charges to slip under the single-transaction limit); buying on the card, returning the item, and pocketing the refund; and coding anything questionable to a vague "miscellaneous" bucket precisely because those get the least scrutiny. Whether it's one assistant reconciling the boss's card or a stack of P-cards nobody independently reviews, the failure is identical: the person spending the money is the person reviewing the spending. Borrowed authority plus the review function in one pair of hands, with the real reviewer asleep at the switch — which is why "I'd trust her with my life" is the sentence fraud examiners hear most.

Neither person was a criminal mastermind. Both simply sat in a seat where they controlled a process end to end, and no one above them was looking. That is the whole risk profile — not a personality, a structure.

Why "do you have controls?" is the wrong question

Here is where most fraud-prevention advice stops short, and where an assurance background changes the read. The question isn't whether you have a control. It's whether that control is both designed to catch the problem and actually operating as intended. Those are two separate tests, and a control has to pass both.

A reconciliation that's required monthly but rubber-stamped is designed and not operating. An approval limit everyone games by staying just under it is operating but poorly designed. An AI tool that flags every anomaly into a report no one reads is beautifully designed and operationally worthless. In each case there is technically "a control" — and in each case the money still leaves. This is exactly why the ACFE finds more than half of frauds tied not just to missing controls but to controls that were overridden or ignored. The paperwork existed. The performance didn't.

The AI angle, honestly: a lot of vendors will sell you automated anomaly detection as the answer. It can genuinely help — it makes the exceptions visible at a scale no owner could match. But automation without a human who reads the exceptions is theater. A flag nobody opens is a smoke alarm with the battery removed: installed, certified, silent when it matters. AI doesn't change the two questions. It just makes "is anyone actually performing this control?" the difference between protection and the appearance of it.

The two questions that catch most of it

You don't need to become an auditor. Across all nine schemes, the same two questions surface nearly everything:

1. Is there a control here to catch this? If any one person can run a whole money process alone — create, approve, pay, reconcile — there isn't. That's a design gap, and it's fixed by splitting the steps so no single person controls a transaction end to end.

2. Is someone actually performing it? If the control exists but the reconciliation is rubber-stamped, the exception report goes unread, or the approval is automatic — it's a control in name only. That's an operating gap, and it's fixed by testing that the work is really done, not just signed.

One more thing worth knowing, because it's the cheapest control there is: 43% of frauds are caught by tips — more than audits, reviews, and every other method combined — and most tips come from employees. An owner who makes it safe to say "something felt off" has built the single best detection system money can't buy.

Why this is governance, not just bookkeeping: internal fraud is a controls failure, and controls are what governance is. The owner who asks "is there a control, and is it operating?" is doing governance — the same discipline that separates a business that holds its value from one quietly bleeding it. You don't need to suspect your people. You need to know your process would catch a problem regardless of who's involved.

This discipline has a name — and you're probably not doing it

What we've been describing — checking not just that a control exists but that someone actually performs it, with evidence — isn't a hunch. It's a formal discipline. After the Enron and WorldCom accounting frauds collapsed public trust in the early 2000s, the Sarbanes-Oxley Act (SOX) forced public companies to document, test, and attest that their financial controls actually operate — not merely that they exist on paper. A signed-off control with no evidence anyone reviewed it has a technical name in that world: an ineffective control. That is the entire game.

This is the work I did for years — designing controls and testing whether they truly operated. And here's the thing: the frameworks never expired. They're as valid for a fifteen-person company today as they were for the Fortune 500 that got dragged into them. It's a pattern that repeats: it takes a crisis to force the discipline — accounting scandals brought SOX, the 2008 mortgage collapse brought its own wave of financial-accountability regulation — and each time the lesson is identical. A control nobody performs is no control. Big companies only adopted the rigor at gunpoint. A smaller owner can adopt it voluntarily, and cheaply, before their own disaster.

It's the same rigor I brought as a Lean Six Sigma practitioner, just pointed at a different target: Six Sigma asks whether an operational process actually runs as designed, consistently, with the evidence to prove it — and kills the variation when it doesn't. Controls testing asks the same question of your financial safeguards. Two lenses, one discipline: designed isn't enough — prove it operates.

An assurance review is not an audit — and that's the point. A financial-statement audit opines on whether your numbers are fairly stated; it is not built to hunt fraud, which is exactly why fraud runs a median twelve months past audited books. What a mature owner actually needs before a transition is an independent assurance review — an experienced set of eyes that checks whether the business truly runs the way you think it does, finds the blind spots, and tells you where you're exposed. If it turns up something serious, that's when you escalate to a formal audit or investigation. The review finds the questions; it doesn't replace the formal tools.

The blind spots surface at the worst possible time — unless you look first

If you're a mature owner thinking about the next chapter — selling, handing the business to family, or just stepping back — this is exactly when hidden control gaps and fraud exposure matter most. They're what due diligence uncovers, what a successor inherits, what discounts a sale price. Most owners don't know the right questions to ask their staff anymore, or whether they even need AI and who would govern it. That's the work: a virtual assurance manager — an independent, experienced set of eyes that reviews whether your business actually runs the way you believe it does, finds the blind spots, and hands you the questions you didn't know to ask — while there's still time to fix them, before a buyer, a successor, or an auditor finds them for you.

Related from Fisher Governance Labs

Disclaimer: This article is for educational and informational purposes only and represents the independent professional opinion of Monte Fisher, CPA (Retired), CFE. Statistics are drawn from the ACFE's Occupational Fraud 2024: A Report to the Nations. It is not legal, audit, or financial advice for any specific business. Implementing anti-fraud controls for your circumstances should be done with a qualified professional.