2 Employee Thefts – Over 6 Figures – How to Prevent
Well it has been a weird few weeks here!
I am going to share some personal painful stories here…
Two businesses (not adbank) have both had issues of employee theft which is a first for my business! We are not talking hundreds of dollars but over 6 figures!
I won’t get into the exact details but one is solved and one is in the process of being solved.
The key anytime we have a major f-up in our business is to dig in and understand why it was allowed to occur, and whether the risk of it occurring again is worth putting in stronger systems.
This article will cover the 2 scenarios, the systems that were in place and why they failed, plus the 5 keys everyone should put in place if they have any team members with access that could hurt the business financially.
Swiss Cheese Model for Losses:
One of the ways I like to think about the risk mitigation systems inside my business is the Swiss cheese model: the path from hazards to losses runs through multiple layers of Swiss cheese. No system can be completely bulletproof, but the idea is that if all layers are in place and working, the probability of all the holes lining up is very low.
Failure 1: Speed vs Control Accepted Risk
An employee wired himself funds; oversight was not in place fast enough.
There were 3 layers of mitigation:
- Mitigation #1 – Trusted employee & controlled access
  - Never a sufficient mitigation on its own!
- Mitigation #2 – Accountant monitoring monthly numbers
  - The accountant was unfortunately months behind, so the problem was not revealed.
- Mitigation #3 – Bookkeeper/Controller onboarded
  - The controller for the business was not up to speed fast enough, leaving a window of time where things would go undetected.
In the end we were not pushing the pace fast enough on the 2 financial oversight systems, resulting in a window for theft to occur.
Although this was the far larger of the 2 thefts, it is one where no major systems upgrades are needed. There was some acceptance of risk due to prioritization, and the probability of someone repeating it is low now that the systems that were too slow to get in place are in place.
- Note – All funds from this theft have been recovered + consideration for time/fees.
Failure 2: Execution
Although the dollar amount is smaller than failure/theft #1, this one has me much more upset.
This was a known risk we had put many barriers against, but the systems all failed in the same way to allow this to occur.
- Mitigation #1 – Trusted long term team member & controlled access
  - Clearly this is not enough to rely on blindly! This employee has been with me for YEARS and involved on multiple projects.
- Mitigation #2 – Daily Revenue and Expense Monitoring – Temporarily Not Active
  - During this time we had taken a break from the daily expense tracking due to workload in other areas.
- Mitigation #3 – Weekly unit economics review – Didn’t Validate
  - This one is frustrating, as this practise was created with the intent of being able to quickly detect any issue. However, the theft was paired with forged numbers that were not validated. Human error in complying with the process for validating the numbers was the reason this mitigation failed.
- Mitigation #4 – Monthly PnL statements and review – Not set up on new system
  - We have been in the process of upgrading our proper monthly PnL and as a result were not in a position to review them. Getting these completed slipped down the priority list and as a result allowed this issue to continue.

Note – All funds have not been recovered; the length we will go to will be unreasonable 🙂
5 Steps to Take:
- Financial Risk & Access Control Matrix
  - There are a lot of potential attack vectors. Having an organized control list of all the places where someone could impact you financially, and then understanding who currently has access, is key. There are the obvious locations like bank accounts and PayPal, but you also need to think about revenue sources: your Amazon account, AdSense account etc. Plus, don’t forget places where funds could be improperly sent from, such as Fiverr, UpWork etc. And don’t forget the websites that make the money: swapping out an affiliate link on a few pages can be another source of theft that is harder to detect.
- Agreements Updated
  - Ensuring compensation agreements are in writing is key, so there can be no debate about the amount of funds received.
- Have Contact Information Handy
  - For anyone with access to money you should have accurate information on them, including name, ID, phone number, address etc.
- Proper Login & Password Management
  - Managing logins for a team is a daunting task! 1Password and LastPass are the tools we use for a couple of different projects. The key is to be able to quickly turn access on/off while controlling how access is provided: either as a user through the tool (with the login still in the password management system) or as shared access via a password management system. Strong, random, never-reused passwords and 2FA activated whenever possible go beyond just internal theft; they are among the most basic steps to avoiding theft from hackers.
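The following example is added here and is not part of the original article or the author's own system. It turns the control list from the first step into a who-has-access matrix and flags the grants that the login-management step says to fix, with money-moving systems listed first. The inventory rows, person names, categories and priority order are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Grant(NamedTuple):
    system: str       # place where someone could affect the business financially
    category: str     # "funds", "outbound", "revenue" or "site" (assumed labels)
    person: str
    on_team: bool     # still an active team member?
    in_manager: bool  # login held in the password manager (can be switched off fast)?
    two_factor: bool

# Assumed review order: where money sits or leaves first, then where it is earned.
PRIORITY = {"funds": 0, "outbound": 1, "revenue": 2, "site": 3}

# Constructed sample inventory; every name and value is illustrative only.
GRANTS = [
    Grant("Bank account", "funds",    "owner",      True,  True,  True),
    Grant("Bank account", "funds",    "bookkeeper", True,  True,  True),
    Grant("PayPal",       "funds",    "assistant",  True,  False, False),
    Grant("AdSense",      "revenue",  "owner",      True,  True,  True),
    Grant("Amazon",       "revenue",  "editor",     False, True,  True),
    Grant("UpWork",       "outbound", "assistant",  True,  True,  False),
    Grant("Website CMS",  "site",     "editor",     False, False, True),
]

def access_matrix(grants):
    """Map each person to the sorted list of systems they can reach."""
    matrix = defaultdict(set)
    for g in grants:
        matrix[g.person].add(g.system)
    return {person: sorted(systems) for person, systems in matrix.items()}

def findings(grants):
    """Return (system, person, action) tuples, highest-priority category first."""
    out = []
    for g in sorted(grants, key=lambda g: PRIORITY[g.category]):
        if not g.on_team:
            out.append((g.system, g.person, "revoke: no longer on the team"))
        if not g.in_manager:
            out.append((g.system, g.person, "rotate password, move login into the manager"))
        if not g.two_factor:
            out.append((g.system, g.person, "enable 2FA"))
    return out

if __name__ == "__main__":
    for person, systems in sorted(access_matrix(GRANTS).items()):
        print(f"{person:<11} {', '.join(systems)}")
    for system, person, action in findings(GRANTS):
        print(f"[!] {system} / {person}: {action}")
```
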
Conclusion:
I hope you haven’t experienced any issues like these. My hope is that sharing these unfortunate events and what I have learned will be helpful in preventing future problems for you or, if problems do occur, arming you with what you need to resolve them quickly.
Please share any other suggestions on how to help protect your business!
Nice case study, Jon. Thanks for sharing with us.
Thank you for sharing this. It would be great if you can share the “Weekly unit economics review” and “Monthly PnL statements and review” systems you use!
Thanks for letting me know you would be interested in something like that. I am sure I will provide you guys with more details on the systems I put into place!
Thx for sharing this with us. I know it can be hard to admit when bad stuff goes down.
As someone who’s worked in a bank, the lengths employees can go to in order to steal are absolutely mind-blowing. And catching them, whether it was physical cash or transferred out through the computer system, isn’t always easy.
I do have to say, that you may want to investigate further into the two people who have done this. In my experience, thieves don’t go for broke on their first attempt (in this case over 6 figures). They tend to start small, gain confidence and then increase the amounts and the risks they are willing to take.
Since you say your systems, checks and balances have been out of whack for a while, there are likely to be more incidents you are not aware of yet….
Thank you! Yes we have been going back into everything to make sure. I agree most people don’t just do it once, so I will be monitoring this and assessing further back to ensure there isn’t anything we are missing! Thanks for the tip!
Jon I feel for you and I am sorry to hear that people you thought you could trust have taken advantage of you.
My family owned a local restaurant and bar for over 20 years and let me tell you people will always find a way to get their piece of the cake. We had some of our closest friends and family members get bitter and start skimming money and products from the store to the point of almost driving us bankrupt.
I think you made a really good point about first identifying all the possible places people can take you to the cleaners. And then fortifying those vulnerabilities with AUTOMATED systems that will alert you the second something goes south.
Most financial systems allow for multiple forms of notification when money is sent or received.
I have been using lastpass for years and having the ability to share passwords without the user actually knowing the password is a great feature as well as the ability to cut all access with the flip of a switch.
Keep up the good work and thanks for sharing! I run a portfolio of niche sites and I think it’s time to audit all access and communication.
Cheers,
Andrew
Hi Andrew,
Sorry that happened to you and your parents’ business. It’s never pleasant when someone tries to take advantage of a situation or their role in a company! We also use a password managing tool as well which helped us once we identified who, changing things so they no longer had access.
Sorry to hear this happened to you, but hope it all gets resolved soon. Indeed, process changes everything! Look forward to hearing what processes/systems you will put in place to mitigate these occurrences. I would also suggest to check your current policies and your hiring process.
I’ve seen some posts like this over the years and none mention criminal charges / authorities. Once you have proof, shouldn’t these people be arrested? What am I missing?
Commenting (or not doing so) on any active criminal cases is likely what causes these posts to leave that out.
Wow. So sorry this happened to you. 🙁 Especially since one of the offenders was someone that had been with you for years. Reading this reinforces why I plan to be a one-woman shop.
I would be cautious of that… life and business is not without risk. Trying to risk manage yourself down to 0 risk is a recipe I think for disaster. We need to accept some risk and despite these problems I am glad I didn’t become obsessed with managing risk as it would have slowed my ability to pursue other opportunities.