The word "fraud" sends a chill down the spine of CFOs, CIOs, and CISOs alike. No organization wants to end up on the front page of The Wall Street Journal tied to a fraud scandal.
When fraud is discussed, the focus is often on external threats: bad actors who access company resources by exploiting cybersecurity vulnerabilities. These external threats are real and costly, but they only represent half of the story.
The other half is insider risk: fraud committed by trusted employees who already have access to critical systems and data. In this blog, we’ll explore real-life examples of fraud—and more importantly—best practices and approaches your company can take today to reduce this risk.
Fraud by the numbers
Let's start with the facts.
Each year, the Association of Certified Fraud Examiners (ACFE) analyzes around 2,000 fraud cases from 130+ different countries for its global study on occupational fraud. Consistently, their research shows that companies lose approximately 5% of annual revenue to insider risk fraud, with a $1.7M average loss per case.
Those are not small numbers, and more concerning, insider risk-related fraud is on the rise.
Across these cases, two common themes appear again and again:
-
Organizations rely too heavily on implicit trust in their employees.
-
Strong internal controls are missing, ineffective, or easily circumvented.
In fact, the ACFE reports that more than half of occupational fraud cases involve a lack of internal controls or override of existing controls. Let’s look at how this plays out in the real world.
Fraud example #1: A leading global retailer’s story
Even large, global enterprises can fall victim to fraud when internal controls fail.
A global retailer experienced fraud totaling $151 million. While the company could absorb the financial impact, the root cause was straightforward and preventable. An accounting employee took advantage of weak internal controls to defraud the company over a period of several years.
This fraud, ironically, possibly began as a mistake, but then turned into a cover-up. Small-parcel delivery expenses were posted incorrectly. Instead of correcting the mistake, the accountant attempted to conceal it by posting improper accrual entries. While the individual did not personally profit, this still constituted fraud as the financial statements no longer reflected reality.
The ripple effects were significant. Due to this cover-up, EBITDA was overstated by $81 million, resulting in executive bonuses that were later clawed back by more than $600,000. The organization found itself facing not one, but two fraud-related headlines.
What went wrong?
Bottom line: if they had an Application Access Governance (AAG) approach with strong internal controls in place, these reconciliation entries would have been reviewed, and the questions would have prompted further investigation into the incorrect entries or errors.
Strong controls help lower the risk of fraud by insiders, whether intentional or accidental; those controls were missing and have since been strengthened by the retailer.
Fraud example #2: A midwestern U.S. municipality’s story
Insider risk is not limited to large enterprises.
In this case, a midwestern U.S. city lost over $53 million over a period of 22 years. The employee was a trusted comptroller who circumvented weak internal controls in financial systems. What’s even more remarkable about this story is that over time, the employee’s lifestyle changed dramatically—luxury assets, horses, and travel—yet no one questioned it. Why? Because she was trusted. Let’s dive into the scary details.
The scheme was methodical. First, the comptroller opened a secret bank account in the municipality’s name. Then, she began creating fake invoices from the State, issuing checks from the town payable to the Treasurer, and depositing the checks into the secret bank account. The accounting department lacked strong Segregation of Duties (SoD) controls, allowing the fraud to continue for over 22 years.
The fraud was finally discovered only when the comptroller went on vacation, and a colleague noticed an unfamiliar bank account with many deposits to it over the years. This led to a deeper investigation and fraud was uncovered. But by then, the damage was irreversible. The municipality was effectively bankrupt.
What went wrong?
Trust without controls creates opportunity. In this case, lack of strong IT General Controls (ITGCs), like SoD and user access reviews, led to serious fraud, and no systems were in place to detect it.
Fraud example #3: A U.S. professional sports team’s story
Our final example shows how insider risk can emerge even in high-profile organizations.
An employee at a U.S. professional sports team exploited weak controls around a virtual credit card program, stealing $22 million over 3 years. If you think this cannot happen to your company, think again.
Unchecked trust in employees is dangerous. In this case, a gambling addiction drove the employee to commit fraud, and nearly all of the $22 million was lost to gambling. As with the previous case, warning signs were visible: luxury cars, country club memberships, chartered flights, and expensive watches—none of which aligned with the employee’s salary.
The fraud persisted because strong ITGCs were not in place, and no one realized the fraud was happening. The same individual responsible for administering the virtual credit card program was also responsible for the financial statements and for reconciling budgets tied to the credit card spend, allowing fraudulent credit card expenses to be easily concealed.
What went wrong?
Strong Segregation of Duties controls would have prevented this fraud. Instead, unchecked trust allowed it to grow.
How to reduce insider risk:
By now, a clear pattern has emerged. Insider risk flourishes when trust replaces strong internal controls. Most employees are honest, but trust is not a control. What happens when an employee falls on hard times or needs a little more money, with the intention of paying it back? Unfortunately, once fraud starts, it often escalates under the belief that “no one will notice”.
What can be done to reduce fraud? To mitigate this risk, organizations must focus on two areas working together.
1. Strengthen IT General Controls (ITGCs)
Insider risk often occurs because fraudsters understand which internal controls are in place and which are not, and how to exploit those weaknesses. Key controls include:
-
Segregation of Duties (SoD)
-
User Access Reviews (UARs)
-
Compliant user provisioning
These controls should be enforced across core business applications like ERP, CRM, and HCM systems where sensitive data lives and fraudulent transactions can occur.
2. Limit access with Least Privilege and Zero Trust
Insider risk is most damaging when access is excessive. Applying Least Privilege access and Zero Trust principles limits the blast radius of fraud, even if other controls are missing or not functioning as designed.
When employees have only the access required to do their jobs, opportunities for abuse shrink dramatically.
Final thoughts: trust is not a control
Insider risk is on the rise. Too many organizations rely on trust while underestimating the need for strong internal controls to mitigate fraud. In today’s world of interconnected systems, remote work, and economic uncertainty, fraud is a risk no organization can ignore.
The good news? With the right controls in place, insider risk is both detectable and preventable.
Fastpath Application Access Governance solutions help organizations automate controls, improve efficiency, and maintain clear accountability via audit trails.
For more fraud stories, check out our webinar. Or download the whitepaper Automating Your Control Environment to dive into best practices for preventing insider risk.
