Skip to content

Protecting Your Business From Internal Fraud and Theft

The person stealing from your business usually has keys, a login and your trust. Here are the controls that make internal fraud hard to commit and easy to catch.

By Karani Geoffrey, Founder & CEO, Upeosoft
In short

You protect a business from internal fraud with controls, not trust alone. Separate who authorises, who handles money and who records it, so no one person controls a whole transaction. Give each person their own login, restrict access to what their role needs, require approvals for payments, reconcile regularly, and keep an audit trail that makes every action traceable.

Key takeaways
  • Most business fraud is committed by trusted insiders, not outside criminals.
  • Segregation of duties means no single person controls a transaction end to end.
  • Shared logins destroy accountability, individual accounts create it.
  • Approvals and spending limits stop money moving on one person's say-so.
  • Regular reconciliation catches the gap between what is recorded and what is real.
  • An audit trail turns fraud from a mystery into a traceable, deterred act.

The uncomfortable truth about business theft

Founders picture the threat to their business as an outsider: a burglar, a hacker, a con artist. The reality is harder to accept. Most losses come from inside, from the people who have a login, hold the keys and enjoy your trust. They know where the controls are weak because they work inside them every day.

This is not a reason to become paranoid or to treat good employees as suspects. It is a reason to build controls that do not depend on trust. Trust is a feeling; controls are structure. Honest people are protected by good controls too, because a clean system means no one can be wrongly blamed when money goes missing. Good controls are a kindness to everyone, not an accusation.

Segregation of duties: the control that matters most

The most powerful anti-fraud principle is simple: no single person should control a transaction from beginning to end. The one who authorises a purchase should not also be the one who pays for it and records it in the books.

When these roles are split, fraud stops being something one person can do quietly. It now requires two or more people to collude, agree and trust each other to keep a secret, which is dramatically rarer and riskier for them. A clerk who can raise a supplier, approve the invoice, pay it and reconcile the account holds every lever needed to steal. Take away even one of those levers and the whole scheme falls apart.

Give everyone their own login

Shared logins are one of the most common and most damaging weaknesses in small businesses. When five people use the same account, or everyone knows the till password, no action can ever be pinned to a person. Accountability disappears, and with it both detection and deterrence.

Individual logins fix this at the root. Every entry, edit, discount, refund and payment is tied to a named person. You are not doing this to spy on staff, you are doing it so that responsibility is real and so honest people are never caught in a fog of anonymous mistakes. Access should also be scoped: each person can reach only what their role needs. A stock clerk has no business inside the payroll or the bank reconciliation.

Control the money with approvals and limits

Cash and payments are where fraud does its real damage, so this is where controls must be strongest. The goal is that money never moves on a single person's unchecked say-so.

  • Require approval for payments above a sensible threshold, so a second person signs off.
  • Set spending and discount limits per role, enforced by the system, not by memory.
  • Match every payment to an approved purchase order and a received delivery.
  • Separate the person who approves a payment from the one who releases it.
  • Reconcile M-Pesa and bank statements against your records independently and often.

Reconcile relentlessly, because the gap is the fraud

Fraud lives in the gap between what is recorded and what is real: cash that is short, stock that is missing, a supplier that does not exist, a customer payment that never reached the account. Reconciliation is the discipline of closing that gap on a regular schedule so it can never grow large enough to hide.

Count the cash against the till record. Count the stock against the system. Match the bank and M-Pesa statements against the books, line by line. Crucially, the person who reconciles should not be the person who handled the money, or they can simply reconcile their own theft to zero. Regular, independent reconciliation is how a small discrepancy gets caught in week one instead of discovered as a large hole a year later.

The audit trail: your quiet, permanent witness

An audit trail is a record of who did what and when, kept automatically and, ideally, impossible to quietly alter or delete. It is both a detective and a deterrent.

As a detective, it lets you answer the exact questions fraud raises: who changed this price, who approved that payment, who deleted this record, and when. As a deterrent, its mere existence changes behaviour, because people do not steal when they know every action leaves a permanent, attributable mark they cannot erase. Paper records and spreadsheets fail here, because they can be edited without a trace. A real audit trail sits inside a proper system of record and cannot be talked away.

Build the controls into the system, not the person

The weakness of controls that rely on people remembering to follow them is that people, under pressure or temptation, forget or bend them. The strongest controls are the ones the system enforces automatically, so the right behaviour is the only behaviour available.

When segregation of duties, approval limits, per-role access and the audit trail are built into your business software, fraud controls stop depending on vigilance and start being structural. A payment above the limit simply cannot go through without a second approval. A clerk simply cannot open the payroll. An edited record simply leaves a trace. This is the difference between hoping people follow the rules and building a system where the rules follow themselves.

How Upeosoft helps

Upeosoft implements ERPNext and Frappe for Kenyan businesses with these controls built in, so anti-fraud protection is part of how the system works rather than a policy you have to police. We configure segregation of duties into your workflows, give each person an individual login with role-based access, enforce approval limits on payments, and rely on a complete audit trail that records who did what and when.

Reconciliation against M-Pesa and bank statements becomes routine, and discrepancies surface early instead of festering. If you have ever felt uneasy about how much any single person can do unchecked in your business, that unease is worth acting on. Talk to us about building controls that protect your business and your honest staff alike.

Frequently asked questions

Who usually commits fraud against a small business?

Overwhelmingly, trusted insiders: employees, sometimes long-serving ones, who have access, know the gaps and are not suspected. Outsiders get the attention, but the person best placed to steal is someone with a login, keys and your confidence. This is uncomfortable but important, because it means the answer is not more trust, it is better controls that apply to everyone.

What is segregation of duties?

It is the principle that no single person should control a whole transaction from start to finish. The person who approves a payment should not also be the one who makes it and records it. Splitting these roles means fraud requires collusion between people, which is far harder and rarer than one person acting alone. It is the single most powerful anti-fraud control.

We are a small team, how can we separate duties?

You rarely have enough people to split every role cleanly, so you compensate with other controls. The owner reviews and approves rather than doing, someone reconciles independently, spending limits force a second signature above a threshold, and the system logs everything. Even a two-person business can have the owner approve what a staff member records, which already breaks the dangerous concentration.

Why are shared logins such a problem?

When several people use one login, no action can be traced to a person, so nobody is accountable and fraud becomes deniable. Individual logins reverse this: every entry, edit and payment is tied to a name. That accountability both catches wrongdoing and deters it, because people behave differently when they know their actions are attributable to them personally.

How does an audit trail deter fraud?

An audit trail records who did what and when, and ideally cannot be quietly altered. Its power is partly detection and partly deterrence. People are far less likely to steal when they know every action leaves a permanent, attributable record they cannot erase. The mere existence of a real audit trail changes behaviour, which is why a proper system of record matters.

Karani Geoffrey
Karani Geoffrey
Founder & CEO, Upeosoft

Karani Geoffrey is the Founder & CEO of Upeosoft, a software and automation company rooted in Kenya. He builds custom software, AI systems, and production-grade ERPNext for businesses across East Africa, and writes about the Kenyan realities - eTIMS, M-Pesa, SHIF, unreliable internet and power - that make or break real systems.

Next step

Want this working in your business?

Upeosoft builds and hardens the systems behind this article - for real Kenyan operations, with eTIMS, M-Pesa and offline realities handled.

Keep reading

Risk, Continuity and Governance

Do You Really Own Your Business? A Guide to Records and Structure

You built it, so you own it, but could you prove it? Ownership lives in registration, records and structure, and founders who never formalise these can find their claim is weaker than they thought.

8 min readRead article →
Risk, Continuity and Governance

Cybersecurity Basics Every Kenyan Business Leader Should Know

Cybersecurity is not an IT problem you can delegate away, it is a business risk you own. Here are the basics every Kenyan business leader can understand and act on without being technical.

8 min readRead article →
Risk, Continuity and Governance

Insuring Your Business: What Founders Often Overlook

Insurance is only as good as the fit of your cover and the strength of your records. Here is what founders routinely overlook, and why a claim so often turns on the paperwork you kept before disaster struck.

8 min readRead article →