Fighting fraud with internal controls
When it comes to protecting a business against fraud, internal controls are often the best line of defense.
For many business leaders, fraud prevention is front-of-mind. With business email compromise and other types of payment fraud on the rise, it’s more important than ever for companies to take proactive measures to detect and protect against potential sources of fraud – including internal sources.
Business leaders often underestimate the likelihood that internal fraud might impact their business. However, not only is it relatively common, but it may also come from long-tenured and trusted employees. A report from the Association of Certified Fraud Examiners (ACFE) found that the longer a fraudster has worked for an organization, the more costly their fraud is likely to be. The median loss is $250,000 from an employee with a tenure of ten years or more, compared to $50,000 from an employee with one year or less with an organization.
Internal fraud controls: What to ask
For many companies, the process of implementing internal controls will be a reverse engineering process. It begins by asking the 5 W's about potential risk to company assets:
- What assets (money, digital assets, etc.) are at risk?
- Where are these assets at risk?
- Who are these assets at risk with?
- When are these assets at risk?
- Why are these assets at risk?
- How are these assets at risk?
Once these questions are answered, here are further questions to ask to help guide planning:
- How might internal and external fraud occur?
- What are some potential access points?
- Who oversees the assets at risk?
- Why do they manage it?
- What checkpoints can we establish to better protect these assets?
Implementing controls
Once these questions have been thoroughly answered, a good place to begin is by implementing controls that everyone in the organization understands and is committed to following. While each company is unique and will require different internal controls to prevent fraud, consider implementing:
- Authorization: In which a manager signs off on a transaction before an employee enacts it
- Dual controls: In which authorization, recording, and custody are overseen by different people
- Increased oversight: Which might include independent account reconciliation and periodic audits
- Take the time to confirm: If encountering a request that doesn’t seem right, whether a change in payment information or a request for payment via email, use STOP-CALL-CONFIRM to validate the request. If an employee receives a request, STOP the process, pick up the phone and CALL the requestor at a known number (not the number in the email or text message), and CONFIRM the request is legitimate.
Once internal controls are established, it’s important to ensure those controls are actually effective. Testing a control process can be as simple as creating a test transaction to see if it goes through, such as an expense report that falls outside defined parameters or a wire transfer request bearing all of the markings of a business email compromise scam. If it does, where did the failure occur? Was the control simply ignored or actively overridden? Did the technology in place fail to raise a red flag? Did it notify the wrong person?
Trustworthiness as a corporate value
While it would be imprudent to place complete trust in any member of an organization — even those with significant tenure — treating employees as if they are under suspicion may harm morale and reduce the incentive to embrace proper controls. A more effective approach may be to communicate the importance of trustworthiness as a corporate value while conducting anti-fraud training for employees on a periodic basis. Doing so may earn employee buy-in, which can increase adherence to safeguarding processes.
If fraud is detected, taking a collaborative rather than punitive approach can yield better results. Unless it involves malfeasance, use the incident as an occasion to uncover and repair weaknesses in processes. An example might be a control that was overridden to resolve a customer service issue. Is there a way to avoid such a conflict in the first place?
Remember, above all, to keep it simple. Internal controls don’t have to be complex to function well. Instead, take common sense steps to prevent and detect fraud while providing employees with the resources needed to act as a first line of defense.
Ready to help
For more resources to help protect businesses from unnecessary loss, visit regions.com/fraudprevention.