Finance Department
May 12, 2026 · 9 minutes

Fraud Prevention in the Digital Age: 3 Internal Controls Every SME Must Have (Plus 5 Red Flags)

Fraud doesn’t just happen at Enron, Wirecard, or FTX. According to the Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations, the typical organization loses 5% of its annual revenue to fraud. For a small-to-medium enterprise (SME) with $10 million in revenue, that’s $500,000—often enough to wipe out net profit for the year. Smaller organizations suffer disproportionately because they lack the internal audit departments of large corporations. The median fraud loss for companies with fewer than 100 employees is $200,000, but the emotional and reputational damage is far greater.

The Fraud Triangle: Why Good People Do Bad Things

Before we discuss controls, understand why fraud occurs. Criminologist Donald Cressey’s Fraud Triangle has three components:

  • Pressure – Financial strain (personal debt, gambling, medical bills, or even pressure to meet unrealistic company targets).
  • Opportunity – Weak controls (the same person writes checks and reconciles the bank).
  • Rationalization – “I’m just borrowing it.” “The company owes me.” “Everyone does it.”

Effective controls attack Opportunity. Since you can’t control employees’ personal pressures (and cannot read their minds), you must remove the chance to commit fraud without detection.

The Three Foundational Controls (Non-Negotiable)

1. Segregation of Duties (Even with a Tiny Team)

The classic rule: No single person should have custody of an asset, authorization for that asset, and recordkeeping for that asset.

But what if you have only 3 finance staff? Use compensating controls:

  • Management review: The owner or GM reviews the bank reconciliation and signs off on every check over $1,000.
  • Random vacation mandate: As described below.
  • Surprise audits: Once a quarter, have an external bookkeeper spend 2 hours spot-checking expense reports and vendor files.

2. The “Two-Week Vacation” Mandate

One of the oldest and most effective fraud detection methods is forcing every employee who handles money or records to take two consecutive weeks off every year. Why? Fraudsters must constantly “cover their tracks” by altering records, delaying bank reconciliations, or intercepting vendor statements. If they are absent for 10 straight business days, someone else will inevitably notice the anomalies. The ACFE found that 42% of fraud cases were detected by a tip—and many of those tips came from vacation coverage.

Implementation: Write it into your employee handbook. No exceptions for “too busy” or “mission critical.” If they can’t be away for two weeks, that is itself a red flag.

3. Automated Alerts (Your Digital Watchdog)

Set your accounting system, bank, and credit card processors to send real-time alerts for specific, unusual events. Most modern ERPs and even QuickBooks Online can do this.

Essential alerts to configure today:

  • Bank transfers over $5,000 (or any amount above your normal threshold)
  • Vendor changes – any modification to a vendor’s bank account or address
  • Payroll – adding a new employee or changing salary information
  • After-hours logins – 11:00 PM to 5:00 AM (common for fraudsters)
  • Multiple failed login attempts (could indicate password cracking)
  • Aged payable reports – if an invoice remains unapproved for more than 30 days, it might be a ghost vendor

Real-world example: A non-profit treasurer was adding a fake vendor (his own shell company) and approving invoices for “IT consulting.” The controller received an alert the moment the vendor’s bank account was added. Within 24 hours, they terminated the relationship and recovered $27,000.
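
The alert list above, expressed as rule checks over a batch of audit events. This is an added example, not code from the original post or from any accounting product; the event fields, user names, vendor and invoice ids, and the failed-login threshold of 3 are assumptions.

```python
from collections import Counter
from datetime import date, datetime

# Thresholds from the article's alert list; FAILED_LOGIN_LIMIT is an assumed value.
TRANSFER_LIMIT = 5000            # bank transfers over $5,000
QUIET_START, QUIET_END = 23, 5   # after-hours logins, 11:00 PM to 5:00 AM
INVOICE_MAX_AGE_DAYS = 30        # unapproved invoices older than 30 days
FAILED_LOGIN_LIMIT = 3           # assumption: the article only says "multiple"

def evaluate(events, today):
    """Return (rule, user, detail) alerts for one batch of audit events."""
    alerts, failed = [], Counter()
    for e in events:
        kind, user = e["type"], e["user"]
        hour = datetime.fromisoformat(e["ts"]).hour
        if kind == "bank_transfer" and e["amount"] > TRANSFER_LIMIT:
            alerts.append(("large_transfer", user, f"{e['amount']:.2f}"))
        elif kind == "vendor_update" and e["field"] in ("bank_account", "address"):
            alerts.append(("vendor_change", user, f"{e['vendor']}:{e['field']}"))
        elif kind in ("employee_added", "salary_changed"):
            alerts.append(("payroll_change", user, e["employee"]))
        elif kind == "login_ok" and (hour >= QUIET_START or hour < QUIET_END):
            alerts.append(("after_hours_login", user, e["ts"]))
        elif kind == "login_failed":
            failed[user] += 1    # counted per batch; a real rule would use a time window
            if failed[user] == FAILED_LOGIN_LIMIT:   # fire once per user
                alerts.append(("repeated_failed_login", user, e["ts"]))
        elif kind == "invoice_open":
            age = (today - date.fromisoformat(e["received"])).days
            if age > INVOICE_MAX_AGE_DAYS:
                alerts.append(("stale_invoice", user, f"{e['invoice']} open {age}d"))
    return alerts

# Constructed sample events in a hypothetical export format (not a real product's schema).
SAMPLE = [
    {"ts": "2026-05-11T10:15:00", "user": "ap_clerk", "type": "bank_transfer", "amount": 4200.0},
    {"ts": "2026-05-11T14:02:00", "user": "treasurer", "type": "vendor_update",
     "vendor": "V-0192", "field": "bank_account"},
    {"ts": "2026-05-11T14:30:00", "user": "ap_clerk", "type": "vendor_update",
     "vendor": "V-0040", "field": "contact_name"},
    {"ts": "2026-05-11T23:47:00", "user": "treasurer", "type": "login_ok"},
    *[{"ts": f"2026-05-12T02:1{i}:00", "user": "payroll", "type": "login_failed"} for i in range(4)],
    {"ts": "2026-05-12T09:00:00", "user": "treasurer", "type": "bank_transfer", "amount": 27000.0},
    {"ts": "2026-05-12T09:05:00", "user": "ap_clerk", "type": "invoice_open",
     "invoice": "INV-881", "received": "2026-04-01"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE, today=date(2026, 5, 12)):
        print(alert)
```

The same user appearing under several rules in a short span (here the vendor bank change, the late login and the large transfer) is the pattern worth routing to a reviewer who is not that user.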

5 Additional Red Flags to Watch For

Even with the three core controls, you must stay vigilant. These behavioral and procedural red flags often precede fraud:

Blog post illustration

What to Do If You Suspect Fraud

Do NOT confront the person immediately. Do not fire them on the spot without evidence. Follow this protocol:

  • Gather evidence quietly – Run reports, save emails, copy files.
  • Preserve digital evidence – Inform IT not to let the suspect access the system (without alerting them).
  • Consult legal/HR – Know your local laws about termination and potential prosecution.
  • Interview with a witness – Have a calm, factual discussion. Do not accuse; ask for explanation.
  • Decide on action – Termination? Repayment plan? Police involvement? Each has different pros and cons.

Trust is not a control. Love your employees, but verify their work. The three controls above—segregation of duties, mandatory vacation, and automated alerts—can prevent 80% of common fraud schemes. The remaining 20% require vigilance and culture. Create an environment where reporting concerns is safe (an anonymous hotline), and where ethics are modeled from the top down.
