The uncomfortable truth about business theft
Founders picture the threat to their business as an outsider: a burglar, a hacker, a con artist. The reality is harder to accept. Most losses come from inside, from the people who have a login, hold the keys and enjoy your trust. They know where the controls are weak because they work inside them every day.
This is not a reason to become paranoid or to treat good employees as suspects. It is a reason to build controls that do not depend on trust. Trust is a feeling; controls are structure. Honest people are protected by good controls too, because a clean system means no one can be wrongly blamed when money goes missing. Good controls are a kindness to everyone, not an accusation.
Segregation of duties: the control that matters most
The most powerful anti-fraud principle is simple: no single person should control a transaction from beginning to end. The one who authorises a purchase should not also be the one who pays for it and records it in the books.
When these roles are split, fraud stops being something one person can do quietly. It now requires two or more people to collude, agree and trust each other to keep a secret, which is dramatically rarer and riskier for them. A clerk who can raise a supplier, approve the invoice, pay it and reconcile the account holds every lever needed to steal. Take away even one of those levers and the whole scheme falls apart.
Give everyone their own login
Shared logins are one of the most common and most damaging weaknesses in small businesses. When five people use the same account, or everyone knows the till password, no action can ever be pinned to a person. Accountability disappears, and with it both detection and deterrence.
Individual logins fix this at the root. Every entry, edit, discount, refund and payment is tied to a named person. You are not doing this to spy on staff, you are doing it so that responsibility is real and so honest people are never caught in a fog of anonymous mistakes. Access should also be scoped: each person can reach only what their role needs. A stock clerk has no business inside the payroll or the bank reconciliation.
Control the money with approvals and limits
Cash and payments are where fraud does its real damage, so this is where controls must be strongest. The goal is that money never moves on a single person's unchecked say-so.
- Require approval for payments above a sensible threshold, so a second person signs off.
- Set spending and discount limits per role, enforced by the system, not by memory.
- Match every payment to an approved purchase order and a received delivery.
- Separate the person who approves a payment from the one who releases it.
- Reconcile M-Pesa and bank statements against your records independently and often.
Reconcile relentlessly, because the gap is the fraud
Fraud lives in the gap between what is recorded and what is real: cash that is short, stock that is missing, a supplier that does not exist, a customer payment that never reached the account. Reconciliation is the discipline of closing that gap on a regular schedule so it can never grow large enough to hide.
Count the cash against the till record. Count the stock against the system. Match the bank and M-Pesa statements against the books, line by line. Crucially, the person who reconciles should not be the person who handled the money, or they can simply reconcile their own theft to zero. Regular, independent reconciliation is how a small discrepancy gets caught in week one instead of discovered as a large hole a year later.
The audit trail: your quiet, permanent witness
An audit trail is a record of who did what and when, kept automatically and, ideally, impossible to quietly alter or delete. It is both a detective and a deterrent.
As a detective, it lets you answer the exact questions fraud raises: who changed this price, who approved that payment, who deleted this record, and when. As a deterrent, its mere existence changes behaviour, because people do not steal when they know every action leaves a permanent, attributable mark they cannot erase. Paper records and spreadsheets fail here, because they can be edited without a trace. A real audit trail sits inside a proper system of record and cannot be talked away.
Build the controls into the system, not the person
The weakness of controls that rely on people remembering to follow them is that people, under pressure or temptation, forget or bend them. The strongest controls are the ones the system enforces automatically, so the right behaviour is the only behaviour available.
When segregation of duties, approval limits, per-role access and the audit trail are built into your business software, fraud controls stop depending on vigilance and start being structural. A payment above the limit simply cannot go through without a second approval. A clerk simply cannot open the payroll. An edited record simply leaves a trace. This is the difference between hoping people follow the rules and building a system where the rules follow themselves.
How Upeosoft helps
Upeosoft implements ERPNext and Frappe for Kenyan businesses with these controls built in, so anti-fraud protection is part of how the system works rather than a policy you have to police. We configure segregation of duties into your workflows, give each person an individual login with role-based access, enforce approval limits on payments, and rely on a complete audit trail that records who did what and when.
Reconciliation against M-Pesa and bank statements becomes routine, and discrepancies surface early instead of festering. If you have ever felt uneasy about how much any single person can do unchecked in your business, that unease is worth acting on. Talk to us about building controls that protect your business and your honest staff alike.
