When most business owners picture fraud, they imagine some mysterious hacker in a hoodie, sitting in a dark room overseas, trying to break into their bank account.
But sometimes the real risk is much closer.
Sometimes it is the person who already has the password.
A recent case out of Colorado is a painful reminder that fraud does not always come from the outside. According to federal prosecutors, a Texas accountant who worked remotely as an accounting manager and financial controller allegedly stole more than $3 million from two Colorado companies over several years.
The accusations are the kind that make business owners sick to their stomach.
Unauthorized financial transactions. Altered bank statements. Company credit cards used for personal spending. Misleading financial information. Fabricated documents. Money allegedly moved into personal accounts and used for luxury purchases.
Now let’s be clear. These are allegations, and the court process still has to play out.
But from a fraud prevention standpoint, this case gives us a big red flashing warning light:
Trust is not an internal control.
The person handling the money should not be the only person watching the money
Here is where businesses get themselves in trouble.
They hire someone who seems competent. That person takes over the books, the bank logins, the credit cards, the vendor payments, the loan payments, and the financial reporting. At first, this feels amazing.
Finally, someone else is handling it.
The owner can stop worrying about the numbers. The reports show up. Bills get paid. Payroll happens. Credit card statements are “handled.”
But what happens when the person doing the work is also the person controlling the proof?
That is where the fraud door cracks open.
If one person can initiate payments, access bank accounts, reconcile the books, manage credit card statements, prepare reports, and explain away questions, you do not have a finance department.
You have a single point of failure.
And fraud loves a single point of failure.
The clue was not the luxury spending. The clue was the control.
In stories like this, people often focus on what the stolen money was allegedly used for. Cars. Trips. Watches. Retail purchases.
That makes for a flashy headline, but it is not the most important part for a business owner.
The real issue is not what happened after the money left.
The real issue is how the money was able to leave in the first place.
Fraud usually does not start with a giant neon sign. It starts quietly.
A bank statement looks slightly different than expected.
A credit card login is only controlled by one person.
A payment is made, but the backup does not quite match.
A loan payment is requested, but nobody independently verifies where the money went.
A financial report looks polished, but nobody compares it to the actual bank activity.
That is the detective work.
Not paranoia. Not micromanaging. Just basic verification.
“But I trust my bookkeeper.”
Good. You should be able to trust the people you hire.
But good controls are not an insult to good people.
They protect everyone.
They protect the owner from theft. They protect honest employees from suspicion. They protect the business from mistakes. They protect the financial person from being put in a position where one bad decision becomes a million-dollar disaster.
Think of it like locking your office door at night.
You are not accusing your staff of stealing because you lock the door. You are creating a normal business habit that protects the company.
Financial controls work the same way.
The fraud risk checklist every business owner needs
If you own a business, especially a small or growing one, here is where to start.
1. Separate access from approval
The person entering bills or preparing payments should not be the same person approving the final money movement.
That does not mean you need a huge accounting department. It means you need a second set of eyes before money leaves the account.
For example:
The bookkeeper can prepare the bill payment list.
The owner approves it.
The bank requires approval from someone other than the person who created the transaction.
Simple. Clear. Effective.
2. Review bank activity directly from the bank
Do not rely only on reports that are handed to you.
Once a week, log into the bank yourself and scan the transactions. Look for transfers, ACH payments, wires, debit card charges, loan payments, and unfamiliar vendors.
You are not trying to do a full reconciliation. You are looking for anything that makes you say, “Wait, what is that?”
That one question can stop a lot of damage.
3. Require backup for every payment
Every payment should answer three questions:
Who are we paying?
Why are we paying them?
Who approved it?
If the backup is missing, vague, altered, or stored somewhere only one person can access, that is a problem.
Fraud gets easier when documentation gets messy.
4. Lock down credit card access
Company credit cards are one of the easiest places for fraud to hide because the charges can feel small, routine, and annoying to review.
But small charges add up fast.
Every card should have a named cardholder, a clear business purpose, spending limits, and monthly review by someone outside the cardholder’s control.
And no, “I’m the only admin on the account” should not be accepted as a permanent answer.
5. Watch for financial gatekeeping
This is one of the biggest red flags.
If your accounting person resists sharing access, discourages outside review, gets defensive about questions, controls every statement, or says certain reports are “too complicated” for anyone else to see, pay attention.
A good financial professional explains.
A risky one hides.
6. Have your books reviewed by someone independent
At least quarterly, have someone outside the day-to-day accounting process look at the books, bank activity, reconciliations, credit card statements, payroll, and vendor payments.
This does not have to be a full audit.
It can be a fraud-focused review.
The goal is simple: make sure what the books say matches what actually happened.
Remote work is not the problem. Blind access is.
This case involved remote accounting work, but remote work itself is not the villain.
Plenty of excellent bookkeepers, accountants, controllers, and CFOs work remotely.
The problem is not where someone sits.
The problem is whether the business owner still has visibility.
If your accounting person works remotely, you need even cleaner systems. Shared document storage. Bank-level approvals. Read-only access for oversight. Clear monthly closing procedures. Separate approval workflows. Regular review meetings.
Remote work can absolutely be safe.
But “she handles all of that” is not a system.
The owner’s job is not to do the bookkeeping. It is to own the oversight.
I know most business owners do not want to spend their time digging through bank statements.
You did not start a business so you could play detective with every ACH payment.
But here is the truth: you cannot fully outsource responsibility for your money.
You can outsource the work.
You can outsource the reconciliation.
You can outsource the reporting.
But oversight still belongs to the owner.
That does not mean hovering. It means having a rhythm.
Once a week: review bank activity.
Once a month: review financials and credit card statements.
Once a quarter: have an independent review.
Once a year: tighten access and update controls.
That is not overkill. That is business hygiene.
The bottom line
Fraud does not usually happen because a business owner is careless.
It happens because they are busy, trusting, and focused on running the company.
That is exactly why controls matter.
The lesson from this case is not “never trust accountants.”
The lesson is this:
Never give one person unchecked control over your company’s money, records, and reporting.
Your financial systems should make fraud harder, mistakes easier to catch, and honest people easier to trust.
Start with one step today.
Log into your bank account. Look at the last 30 days of activity. Ask yourself, “Do I recognize every transaction, and can someone prove why each one happened?”
If the answer is no, that is your first clue.