A trusted bookkeeper with 16 years on the job. A signature stamp left in her desk drawer. One hundred fifty-four checks written to herself over a decade. By the time the owner caught on, more than $200,000 was gone — and so was any realistic chance of recovery.
That story is not an outlier. The Association of Certified Fraud Examiners' 2024 Report to the Nations found that organizations with fewer than 100 employees suffer a median loss of $141,000 per fraud case — the highest of any company-size category. The typical scheme runs for 12 months before anyone notices, bleeding roughly $9,900 every month that passes. And the single most common reason small businesses get hit harder than large ones? A lack of internal controls — most pointedly, one person doing all the financial work because "we're too small to split it up."
You are not too small. You just need a different blueprint than the one a Fortune 500 controller would draw. This is that blueprint.
What Segregation of Duties Actually Means
Strip away the audit jargon and segregation of duties (SoD) is a single, stubborn idea: no one person should be able to commit a financial wrong and then hide it. That is the entire point. Every other rule, control, and procedure flows from this one principle.
Auditors break the financial work of any business into four functions. To keep fraud and material errors hard to pull off, these four should be split across different people whenever possible:
| Function | What it covers | Example |
|---|---|---|
| Authorization | Approving that a transaction should happen | Signing off on a vendor invoice, approving payroll, approving a refund |
| Custody | Physical or digital control of the asset itself | Holding the checkbook, having signature authority, possessing the company credit card |
| Recording | Entering the transaction into the books | Posting bills to the accounting system, recording deposits, running payroll |
| Reconciliation | Verifying that records match independent evidence | Reconciling the bank statement to the general ledger, matching the credit card statement to receipts |
The bookkeeper who recorded the transaction should not also reconcile it. The person who holds the checkbook should not also approve the bills. The owner who signs checks should not also reconcile the bank account in a vacuum. Each function gets a different set of eyes.
In a 50-person company, separating these four functions is straightforward. In a three-person company, it feels impossible — and that is where most owners give up and just hand everything to "the bookkeeper they trust." Which is exactly the setup nearly every embezzlement case study starts with.
Why "I Trust Them" Is Not a Control
Almost every reported bookkeeper-embezzlement case shares the same opening line: the owner trusted the perpetrator completely. The Ohio contractor trusted Deborah Hall — for 16 years. The construction company trusted its bookkeeper through 18 fraudulent checks totaling more than $44,000. Angela Cooper, the office manager at a heating-and-cooling company, was trusted enough to be handed the owner's signature stamp; she used it to forge more than 100 checks and pocket $158,658.
Trust is not a control. Trust is what creates the opportunity — the conditions in which fraud can happen and go undetected. Controls are what remove that opportunity. The point of building internal controls in your small business is not to accuse your employees; it is to make sure that even a perfectly honest bookkeeper has a structural safety net catching honest mistakes, and that any bad actor would need to recruit a co-conspirator before they could steal a dime.
Said another way: if your only protection from a six-figure loss is your read of someone's character, you don't have a protection. You have a hope.
The Three-Person Reality
Let's get concrete. Suppose your business has:
- You (the owner)
- A bookkeeper (full-time or part-time, in-house or remote)
- An operations or office manager (one general-utility employee)
You cannot afford a controller. You cannot afford a separate AP clerk and AR clerk and treasurer. Here's what you can do — and it's enough to dramatically reduce fraud risk.
Step 1: Sketch your transaction flows
Pull out a piece of paper and write down the lifecycle of each major money flow:
- Cash receipts — How does money come in? Who opens the mail / processes payments / posts deposits / reconciles?
- Disbursements — How does money go out? Who approves bills / signs checks or initiates ACH / records the payment / reconciles?
- Payroll — Who adds and removes employees / approves hours / runs payroll / reconciles to the GL?
- Inventory or other assets — Who has physical access / records movements / counts and reconciles?
For each step, write the name of the person doing it. If the same name appears across authorization, custody, recording, and reconciliation in any one row, you have an SoD red flag.
Step 2: Make every reasonable split you can
Even with three people, you can usually pull off the most important splits:
- The owner signs all checks above a low threshold (say, $500). The bookkeeper prepares the checks, but never signs them, and never has signature authority. The bookkeeper should never be allowed to sign checks. Ever.
- The owner — not the bookkeeper — approves new vendors before any payment can be issued to them. Fictitious-vendor fraud is the easiest scheme in the world to run, and this single control kills it.
- The office manager opens the mail and stamps every incoming check "For Deposit Only" before handing it off. The bookkeeper records the receipts but never has physical custody before they're restrictively endorsed.
- The bookkeeper records transactions; the owner reconciles the bank account (more on how to do this properly in a minute).
- The owner approves payroll every cycle — name by name, dollar by dollar — before it's transmitted. Phantom-employee schemes are stopped cold by an owner who can look at the payroll register and recognize every face.
That's not perfect segregation. But it is enough to require collusion for most fraud schemes to succeed — and the moment two people need to conspire, your risk drops dramatically.
Step 3: Use compensating controls everywhere else
A compensating control is what auditors call any review step you bolt on when full separation isn't realistic. They're not as strong as true segregation, but stacked together they're surprisingly effective. The big ones for a small business:
- Owner review of the bank statement before the reconciliation is done. This is the single highest-leverage control on this entire list. Have the bank mail (or email a PDF directly to) the owner each month. The owner opens it, scans for unfamiliar payees, unusual transfers, or amounts that don't fit the pattern, then hands it off for reconciliation. Initials and date on the statement = done.
- Monthly bank reconciliation reviewed and signed off by the owner. Even if the bookkeeper performs it, the owner reviews the completed recon and signs the bottom. Look at outstanding checks: anything stale? Look at deposits in transit: do they actually clear next month?
- Mandatory annual vacations of at least one consecutive week for anyone touching the books, during which someone else covers their work. The vast majority of long-running embezzlement schemes unravel the moment a second person opens the books. Many bookkeeper frauds have been discovered specifically because the perpetrator was forced to take time off.
- Surprise spot checks. Periodically pull a random week's worth of disbursements and trace each one back to an invoice, an approval, and a recorded entry. You don't need to do this often — even quarterly is plenty — but the fact that it might happen is a deterrent.
- A whistleblower / tip channel. This sounds corporate, but it doesn't have to be. Tell your employees in writing that they can report concerns directly to you (or your CPA) without retaliation. Tips are how 43% of all occupational fraud gets caught — more than three times any other detection method. Your employees see things you don't.
Step 4: Lock down the system, not just the people
Even with limited staff, your accounting software, banking portal, and payroll system give you huge leverage if you configure them well:
- Separate user logins for every person. No shared credentials. Ever. If something goes wrong, you need to know which user did it.
- Role-based permissions in the accounting system. Your bookkeeper does not need permission to delete transactions, void checks after they've cleared, change vendor bank account details, or alter the chart of accounts. Most modern systems let you turn each of these off.
- Audit logs turned on and reviewed. If your software keeps a change log, learn how to read it. Periodically glance at deletions, edits to historical periods, and changes to vendor master data.
- Bank-level dual authorization for ACH and wires above a threshold. Most business banking portals support this. Use it. The bookkeeper initiates; the owner releases.
- Positive pay (or whatever your bank calls it) on the checking account. You upload the list of checks you issued; the bank refuses to clear anything not on the list. This kills check-tampering fraud almost entirely and is often free with a business account.
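How the positive-pay match in the last bullet actually works, as an added example that is not the page's code or any bank's implementation: presented items are matched to the uploaded issue file on check number and exact amount, and this version also assumes the optional "payee positive pay" variant (name matching after normalization) plus duplicate-presentment detection. All check numbers, payees and amounts are constructed samples.

```python
import re
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    payee: str
    amount: Decimal

def normalize_payee(name):
    """Upper-case, drop punctuation, collapse spaces: 'Acme Supply Co.' -> 'ACME SUPPLY CO'."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split())

def positive_pay_exceptions(issued, presented, match_payee=True):
    """Return (check_number, reason) for each presented item the bank should hold
    for the owner's decision.  Core positive pay matches on number and amount;
    payee matching (an assumption here) is the 'payee positive pay' variant."""
    issued_by_number = {c.number: c for c in issued}
    seen = set()
    exceptions = []
    for item in presented:
        ref = issued_by_number.get(item.number)
        if ref is None:
            exceptions.append((item.number, "not in issue file"))
        elif item.number in seen:
            exceptions.append((item.number, "duplicate presentment"))
        elif item.amount != ref.amount:
            exceptions.append((item.number, f"amount {item.amount} differs from issued {ref.amount}"))
        elif match_payee and normalize_payee(item.payee) != normalize_payee(ref.payee):
            exceptions.append((item.number, f"payee {item.payee!r} differs from issued {ref.payee!r}"))
        seen.add(item.number)
    return exceptions

# Constructed sample: the issue file uploaded after this week's payment run.
ISSUED = [
    Check("1041", "Acme Supply Co.", Decimal("1250.00")),
    Check("1042", "City Water Utility", Decimal("312.45")),
    Check("1043", "J Smith Consulting", Decimal("800.00")),
]

# Constructed sample: items the bank is about to clear against that file.
PRESENTED = [
    Check("1041", "ACME SUPPLY CO", Decimal("1250.00")),      # matches
    Check("1042", "CITY WATER UTILITY", Decimal("3124.50")),  # amount changed
    Check("1043", "J SMITH", Decimal("800.00")),              # payee changed
    Check("1045", "CASH", Decimal("500.00")),                 # never issued
    Check("1041", "ACME SUPPLY CO", Decimal("1250.00")),      # presented twice
]
```

Every tuple returned is an item the owner, not the bookkeeper, should decide to pay or return, which is exactly the split the rest of this section is building.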
Step 5: Bring in a part-time outsider
If you can't split duties fully in-house, borrow segregation from outside the company. Options that are usually affordable even for small businesses:
- A part-time bookkeeping firm that handles the work, while you do approvals and reconciliation review.
- A fractional CFO or outside accountant who reviews monthly financials, sample-tests transactions, and quietly serves as a second set of eyes.
- An annual review (one step lighter than an audit) by a CPA, which often surfaces control weaknesses long before they turn into losses.
Outsourcing one of the four functions is often cheaper than hiring another employee and provides a much stronger control than anything you could build internally with three people.
A Worked Example: Tightening Cash Disbursements
Let's run through one full process — paying bills — to make this concrete in a three-person shop.
Before tightening:
The bookkeeper receives invoices, enters them into the accounting system, prints checks, signs them with the owner's signature stamp, mails them, and reconciles the bank account at month-end.
That's all four functions in one pair of hands, plus custody of the signature stamp. This is the textbook fraud setup.
After tightening:
- The office manager (or the bookkeeper) receives invoices and enters them as bills in the system, but cannot pay them.
- The owner pulls up the unpaid bills weekly, reviews each one against the supporting documentation, and marks the ones approved for payment.
- The bookkeeper generates the payment run for approved bills only (checks and/or ACH).
- The owner physically signs every check. The signature stamp is shredded.
- ACH payments require the owner to log into the bank portal and release the file the bookkeeper prepared.
- The bank statement is mailed (or emailed) directly to the owner, who opens it, reviews it, initials it, and then hands it to the bookkeeper for reconciliation.
- The completed reconciliation comes back to the owner, who reviews and signs the cover sheet.
You went from one person controlling every step to a process where stealing a dollar would require either (a) forging the owner's signature on a check (positive pay catches this) or (b) getting the owner to actively approve a fraudulent invoice (the supporting-document review catches this) or (c) recruiting a co-conspirator. The fraud risk doesn't go to zero — nothing does — but it goes from "trivially easy" to "actually hard and likely to get caught."
How Good Bookkeeping Makes All of This Possible
Every control above depends on one quiet prerequisite: your books have to be clean enough that anomalies stand out. If your general ledger is a mess of miscoded transactions, lumped-together categories, and uncategorized "Ask My Accountant" entries, then the owner reviewing the bank statement has no baseline to compare against. Strange payments hide in noise.
Solid, well-organized bookkeeping is what turns these controls from theater into protection. Reconciliations only catch fraud when they actually reconcile to the dollar. Vendor reviews only work when vendors are entered consistently. Pattern-spotting only works when there's a real pattern in the data.
Plain-text, version-controlled accounting is especially powerful here, because every change is logged in the underlying file history. You can see exactly what changed, when, and by whom — built-in audit trail without buying an enterprise GRC platform. That's a structural advantage for small businesses that genuinely cannot afford a controller or an audit department.
A Quarterly Internal Controls Checklist
Print this. Tape it inside a filing cabinet. Work through it every three months.
- Walk through one full transaction in each major cycle (receipts, disbursements, payroll) and verify it followed your documented process.
- Pull the most recent month's bank reconciliation and confirm the bank statement matches the GL ending balance with no unexplained reconciling items older than 60 days.
- Review the vendor master list. Investigate any vendors added in the last quarter that you don't recognize. Compare vendor addresses to employee addresses.
- Review the payroll register for one cycle. Recognize every name. Investigate any new employee or rate change.
- Check the accounting system audit log for deleted or voided transactions. Investigate any in closed periods.
- Confirm everyone on the books took at least their required vacation days in the last quarter.
- Confirm signature authority on bank accounts still matches who you intend.
- Pull credit card statements and verify each charge has a documented business purpose and a receipt.
Twenty to thirty minutes, four times a year. The bookkeeper at Plant Nutrition Services ran her scheme until the owner died. Don't let the timing of the catch be a function of luck.
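Two of the checklist items above can be scripted, as an added example that is not from the page or from Beancount: the stale-reconciling-item test (anything still outstanding more than 60 days before the reconciliation date) and the vendor-address-to-employee-address comparison, which normalizes punctuation and street suffixes so a slightly different spelling of the same address still collides. All dates, vendors, employees and addresses are constructed.

```python
import re
from datetime import date

# Constructed sample: outstanding items carried on a hypothetical June reconciliation.
RECON_DATE = date(2024, 6, 30)
OUTSTANDING = [
    {"ref": "1007", "date": date(2024, 3, 2), "amount": 420.00},       # 120 days old
    {"ref": "1051", "date": date(2024, 6, 27), "amount": 95.10},
    {"ref": "DEP-0614", "date": date(2024, 6, 14), "amount": 1800.00},
]

# Constructed sample vendor master and employee records (fictional names/addresses).
VENDORS = [
    {"name": "Acme Supply Co.", "address": "12 Industrial Way, Springfield, IL 62701"},
    {"name": "JS Consulting LLC", "address": "44 Maple St. Apt 2, Springfield IL 62704"},
]
EMPLOYEES = [
    {"name": "J. Smith", "address": "44 Maple Street, Apt. 2, Springfield, IL 62704"},
]

def stale_reconciling_items(outstanding, as_of, max_age_days=60):
    """Refs of outstanding checks / deposits in transit older than max_age_days at
    the reconciliation date.  A check uncleared that long deserves a call to the
    payee; a deposit 'in transit' that long usually never reached the bank."""
    return [i["ref"] for i in outstanding if (as_of - i["date"]).days > max_age_days]

# Suffix abbreviations collapsed before comparing addresses.
_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
           "APARTMENT": "APT", "SUITE": "STE"}

def normalize_address(addr):
    """Upper-case, drop punctuation and collapse suffixes so that
    '44 Maple Street, Apt. 2' and '44 MAPLE ST APT 2' compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", addr.upper()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)

def vendor_employee_address_matches(vendors, employees):
    """(vendor_name, employee_name) pairs whose normalized addresses collide:
    the fictitious-vendor tell the checklist asks you to look for."""
    by_address = {}
    for emp in employees:
        by_address.setdefault(normalize_address(emp["address"]), []).append(emp["name"])
    return [(v["name"], e) for v in vendors
            for e in by_address.get(normalize_address(v["address"]), [])]
```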
When to Loosen Up — and When to Tighten Further
Internal controls are not about paranoia; they're about matching the control to the risk. Some calibration tips:
- Tighten when cash volume rises, when you hire a new bookkeeper, after any near-miss, when you take on outside investors, when you start handling third-party trust funds (e.g., customer deposits, retainers), or when you discover you can't actually explain a line item on the bank statement.
- Loosen (slightly) when controls are causing genuine operational pain and you have a robust compensating control elsewhere. Every control has a cost; the goal is the minimum set that gives you adequate coverage.
- Never loosen check-signing authority, vendor approval, or bank-statement-first review. These three are the load-bearing walls of the whole structure.
Keep Your Finances Organized From Day One
Strong internal controls only work on top of a clean, well-organized set of books. If you can't trust the numbers, you can't trust the reconciliations — and the whole control system collapses. Beancount.io provides plain-text accounting that gives you complete transparency and a full version history of every change to your ledger, the kind of built-in audit trail that small businesses normally have to buy expensive software for. Get started for free and see why developers and finance professionals are switching to plain-text accounting — and check out our hosted Fava dashboards for instant visualizations on top of your books.
The cheapest internal control you will ever build is the discipline of clean books reviewed by a second pair of eyes. The most expensive one is the lawsuit you file three years later, hoping to recover ten cents on the dollar.