Here is a number that should make every small business owner uncomfortable: the typical fraud at a company with fewer than 100 employees costs $141,000. That is not a worst-case outlier. It is the median — half of small-business fraud cases cost more. And the people committing it are rarely strangers. They are the trusted bookkeeper who has been with you for years, the office manager who "handles all that stuff," the one employee who knows where everything is.
The textbook answer to this risk is segregation of duties: never let one person control a transaction from start to finish. The textbook also assumes you have a finance department. You have three employees. Maybe two. Maybe it is you, a part-time bookkeeper, and a kid who answers the phone.
So here is the real question. How do you build controls that actually prevent theft when you genuinely cannot give every task to a different person? The answer is not "give up." It is "be deliberate." This guide shows you how.
Why Small Businesses Are the Easiest Targets
Fraud researchers consistently find that smaller organizations suffer disproportionately. They get hit with the same median loss as much larger companies, but they have a fraction of the revenue to absorb it. A $141,000 loss might be a rounding error for a corporation. For a business doing $2 million a year, it can be the difference between making payroll and closing.
The reason is not that small-business employees are more dishonest. It is opportunity. Small companies have fewer anti-fraud controls, smaller budgets to invest in them, and a culture of trust that makes oversight feel insulting. The schemes that thrive in this environment are mundane: billing fraud (paying fake or inflated invoices), check and payment tampering, padded expense reimbursements, and skimming cash before it ever hits the books. None of these require sophistication. They require only that one person can do a task and also hide it.
That last phrase is the entire concept. Fraud needs both the act and the concealment. Segregation of duties works by making sure the person who could commit the act is not the same person who could hide it.
The Four Functions You Are Trying to Separate
Before you can divide duties, you need to know what you are dividing. Accountants break every financial transaction into four functions, and the goal is to keep them in different hands.
Authorization is approving that a transaction should happen — signing off on a purchase order, approving a new vendor, okaying a refund.
Custody is physical or digital control of the asset itself — handling cash, holding signed checks, having the password to the bank account, controlling inventory.
Recordkeeping is entering the transaction into the books — posting the invoice, recording the payment, making the journal entry.
Reconciliation is comparing the records against an independent source — matching the accounting ledger to the bank statement at month-end.
The principle is simple: no one person should control more than one of these for the same transaction. When functions are split, an error or theft created in one function gets caught by a different person performing a cross-checking function. The bookkeeper who records a fake payment cannot also be the person who reconciles the bank statement, because the reconciliation would expose the payment.
The danger combinations are predictable. Anyone who has both custody and recordkeeping can steal an asset and erase the evidence. Anyone with authorization and custody can approve a payment to themselves and then collect it. Anyone with authorization and recordkeeping can approve a fictitious transaction and bury it in the books. If your one bookkeeper writes checks, enters them, and reconciles the account, that person holds all four functions. That is not a control weakness. That is no control at all.
What "Segregation" Actually Looks Like With Three People
The classic textbook split needs four or five people. You do not have them. So you separate the functions you can and accept that the rest will need a different kind of control. The good news is that even one clean split closes the most dangerous doors.
The single most important separation in a small business is custody versus recordkeeping. If the person who touches the money is not the person who records the money, you have eliminated the most common asset-misappropriation scheme in one move. In practice:
- The bookkeeper records transactions but does not have signing authority on the bank account and does not handle cash deposits.
- The owner (or a second employee) signs checks, approves the payment run, and has custody of the bank login.
- Whoever opens the mail and logs incoming checks is not the person who posts customer payments to the ledger.
The second priority is keeping reconciliation independent. The bank reconciliation is the master check on everything. If it is done honestly by someone who did not create the records, almost no scheme survives a month. So the owner — not the bookkeeper — should receive the bank statement and either perform the reconciliation or review it line by line. This single habit, which costs an hour a month, catches check tampering, ghost payments, and unexplained transfers.
A workable three-person model often looks like this. The owner holds authorization (approving vendors, payments, and payroll changes) and reconciliation. The bookkeeper holds recordkeeping. A second employee — or the owner again — holds custody of cash and checks. Notice the owner appears twice. That is fine. The owner appearing in authorization and reconciliation is far less dangerous than the bookkeeper appearing in custody and recordkeeping, because authorization plus reconciliation does not let you both steal and conceal in the normal course of work.
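The duty mapping described above can be checked mechanically. The following is an added example, not code from the original article: it flags the danger combinations the article names, plus a bookkeeper reconciling their own records and any function nobody holds. The staffing tables and role names are constructed for illustration.

```python
from itertools import combinations

FUNCTIONS = ("authorization", "custody", "recordkeeping", "reconciliation")

# Pairings the article calls out, with the reason it gives for each.
RISKY_PAIRS = {
    frozenset({"custody", "recordkeeping"}): "can take an asset and erase the evidence",
    frozenset({"authorization", "custody"}): "can approve a payment to themselves and collect it",
    frozenset({"authorization", "recordkeeping"}): "can approve a fictitious transaction and bury it",
    frozenset({"recordkeeping", "reconciliation"}): "reconciles records they created",
}

def audit_duties(matrix):
    """matrix: {person: set of functions} for one process. Returns sorted findings."""
    findings = []
    for person, held in matrix.items():
        held = set(held)
        unknown = held - set(FUNCTIONS)
        if unknown:
            raise ValueError(f"{person}: unknown function(s) {sorted(unknown)}")
        if held == set(FUNCTIONS):
            findings.append((person, "all four functions", "no control at all"))
            continue
        for pair in combinations(sorted(held), 2):
            reason = RISKY_PAIRS.get(frozenset(pair))
            if reason:
                findings.append((person, "+".join(pair), reason))
    # A function nobody performs is a gap too (for example, no reconciliation).
    covered = set().union(*matrix.values())
    for missing in sorted(set(FUNCTIONS) - covered):
        findings.append(("(nobody)", missing, "function is not assigned to anyone"))
    return sorted(findings)

# Constructed staffing tables; roles follow the article, names are placeholders.
ONE_BOOKKEEPER = {"bookkeeper": set(FUNCTIONS), "owner": set()}
THREE_PERSON = {
    "owner": {"authorization", "reconciliation"},
    "bookkeeper": {"recordkeeping"},
    "second_employee": {"custody"},
}
# The "or the owner again" variant: trips the authorization+custody pairing.
OWNER_HOLDS_CUSTODY = {
    "owner": {"authorization", "custody", "reconciliation"},
    "bookkeeper": {"recordkeeping"},
}
```

Run `audit_duties` once per process (payables, receivables, payroll), since the same person can be clean in one and conflicted in another.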
Compensating Controls: The Real Toolkit
When you cannot separate a function, you compensate. Compensating controls do not prevent one person from doing a task — they make it overwhelmingly likely that wrongdoing gets noticed. For small businesses, these are not a fallback. They are the main event.
Owner review of the bank statement, unopened. Have the bank statement mailed to your home, or log in yourself before anyone else does. Spend twenty minutes scanning every check image and every electronic payment. You are looking for payees you do not recognize, round numbers, payments to employees, and anything just under an approval threshold. Fraud surveys repeatedly find that owner-level oversight is one of the few controls that consistently shrinks losses at small companies.
Dual approval above a threshold. Require two people to approve any payment over a set amount. Pick a threshold based on your cash flow: many small businesses use $1,000, and startups often go lower. Most accounting and bill-pay software lets you enforce this automatically so it cannot be skipped.
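The owner's statement review and the approval threshold can be turned into a first-pass filter over a bank export. This is an added example, not code from the original article. The CSV layout, the sample rows, the "divisible by 100" reading of a round number and the 5% "just under" margin are all assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed sample export (not real data).
STATEMENT_CSV = """date,payee,amount
2024-03-01,Acme Paper Supply,412.37
2024-03-04,J. Rivera,500.00
2024-03-07,Northside Consulting LLC,995.00
2024-03-12,City Utilities,238.14
2024-03-15,Acme Paper Supply,2000.00
"""

def review_statement(csv_text, known_payees, employees, threshold,
                     margin=Decimal("0.05")):
    """Return {row_number: [flags]} for payments the owner should look at."""
    known = {p.casefold() for p in known_payees}
    staff = {e.casefold() for e in employees}
    floor = threshold * (1 - margin)  # lower edge of the "just under" band
    flagged = {}
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        payee = row["payee"].strip().casefold()
        amount = Decimal(row["amount"])  # Decimal avoids float rounding on money
        flags = []
        if payee in staff:
            flags.append("payment to employee")
        elif payee not in known:
            flags.append("unrecognized payee")
        if amount % 100 == 0:
            flags.append("round amount")
        if floor <= amount < threshold:
            flags.append("just under approval threshold")
        if flags:
            flagged[n] = flags
    return flagged

def sample_review():
    return review_statement(
        STATEMENT_CSV,
        known_payees=["Acme Paper Supply", "City Utilities"],
        employees=["J. Rivera"],
        threshold=Decimal("1000"),
    )
```

A flag is a prompt to pull the check image or invoice, not a finding; the known-payee list should come from the owner, not from the vendor file the bookkeeper maintains.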
Outside accountant review. A monthly or quarterly review by an external accountant or fractional controller is a powerful compensating control precisely because that person has no stake in hiding anything. They can review the reconciliation, scan the vendor list for additions, and sample a few transactions. This is often the best dollar a small business spends on fraud prevention.
Mandatory vacations and cross-training. Many frauds unravel when the perpetrator is out and someone else touches their work. Require your bookkeeper to take an uninterrupted week off, and have someone else cover the role. Frauds depend on continuous control; a forced gap breaks it.
Restricted master data. The ability to add a new vendor, change a vendor's bank details, or set up a new employee is its own form of authorization. Lock it down. A surprising amount of billing fraud is just a real-looking vendor that the fraudster created. Adding a vendor should require sign-off from someone who is not the person who pays vendors.
System-enforced audit trails. Use software that logs who entered, edited, or deleted every transaction, and make that log unalterable. When everyone knows their actions are permanently recorded under their name, the calculus of fraud changes. Concealment becomes much harder, and that is half the equation.
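One way to make such a log tamper-evident is to chain each entry to the hash of the one before it and have the owner or outside accountant keep a copy of the latest hash. This is an added example, not code from the original article or from any accounting product. The record fields and sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry
FIELDS = ("seq", "user", "action", "txn", "detail")

def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, user, action, txn_id, detail):
    """Append one event; each entry commits to the hash of the one before it."""
    if action not in {"enter", "edit", "delete"}:
        raise ValueError(f"unsupported action: {action}")
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "user": user, "action": action,
              "txn": txn_id, "detail": detail}
    log.append({**record, "prev": prev, "hash": _digest(prev, record)})
    return log[-1]["hash"]

def verify(log, trusted_head=None):
    """Return None if intact, else the index of the first bad entry.

    len(log) is returned when the chain is internally consistent but does
    not end at the head hash the reviewer kept (rewritten or truncated log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in FIELDS}
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != _digest(prev, record)):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)
    return None

def sample_log():
    """Constructed events, not real data."""
    log = []
    append(log, "bookkeeper", "enter", "INV-1001", "vendor=Acme Paper Supply amount=412.37")
    append(log, "bookkeeper", "edit", "INV-1001", "amount 412.37 -> 4120.37")
    append(log, "bookkeeper", "delete", "INV-1002", "duplicate entry")
    return log
```

The chain only proves integrity to someone holding a head hash the log's writer cannot change, which is why the copy belongs with the person doing the independent review.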
A Practical Starting Checklist
You do not need to redesign your whole operation this week. Start here:
- List who does what. Write down every person and which of the four functions they touch. Circle anyone holding custody and recordkeeping together — that is your fire to put out first.
- Take the bank login away from your bookkeeper if they also enter transactions. The owner keeps custody of banking credentials.
- Claim the bank statement. Starting next month, you see it first and review it before anyone reconciles.
- Set a dual-approval threshold and turn it on in your software.
- Lock vendor and payroll setup behind owner approval.
- Schedule an outside review — even quarterly is meaningful.
- Put a real vacation on the calendar for whoever holds the books.
None of these require hiring. They require deciding that trust and verification are not opposites — and that verifying your most trusted employee is a courtesy to them, because it protects them from suspicion as much as it protects you from loss.
Keep Your Finances Organized From Day One
Strong internal controls depend on records that are complete, timestamped, and hard to quietly alter. That is exactly where your bookkeeping system matters: if your books are a black box only one person understands, no compensating control can see inside it. Beancount.io provides plain-text accounting that is transparent and version-controlled — every change is tracked, every entry is readable, and the full history is auditable by anyone you trust to look. That makes independent review, reconciliation, and audit trails dramatically easier to enforce in a small team. Get started for free and see why developers and finance professionals are switching to plain-text accounting.
Sources: ACFE Occupational Fraud 2024: A Report to the Nations; Improving Internal Controls in Departments with Limited Segregation of Duties — Lutz; Segregation of Duties — Hyperproof.