The Trusted Employee Problem: Why Internal Fraud is Still Finance's Costliest Blind Spot
Why the people you trust most represent your greatest financial control risk, and what to do about it
Your controls passed the last audit. Your approval workflows are clean. Your finance team is experienced and trusted. And yet, in a decade-long study of Australian workplace fraud, the average scheme ran for more than five years before anyone noticed. The greatest financial risk inside your organisation is not the fraudster you would recognise. It is the colleague you would not.
The Fraud No One Saw Coming Until It Was Too Late
In a decade-long study of Australian workplace fraud, forensic accounting firm Warfield & Associates analysed 102 cases involving losses exceeding $350 million.[1] The largest single theft amounted to $27.4 million. Six cases involved losses of at least $10 million each. Across all 102 cases, one finding stands out above all others: the median time before the fraud was discovered was more than five years.
These were not opportunistic petty theft incidents. They were systematic, sustained schemes including false invoicing, electronic funds transfer manipulation, and payment tampering, executed by trusted employees, often in finance functions, over long periods. And in the overwhelming majority of cases, the organisations involved had controls in place. The controls simply were not working.
The ACFE Data: A Problem That Isn't Shrinking
The Association of Certified Fraud Examiners' 2024 Report to the Nations, the largest occupational fraud study in the world, based on 1,921 cases across 138 countries, paints a consistent picture. The typical organisation loses 5% of its annual revenue to fraud.[2] The median loss per case has now reached $145,000, a 24% increase from the 2022 study.[2] When owners or executives are the perpetrators, the median loss climbs to $500,000.[2] And a typical fraud scheme runs for 12 months before it is detected, often much longer.[2]
The most prevalent fraud type is not the exotic cyberattack or elaborate financial statement manipulation. It is asset misappropriation, the deliberate theft or misuse of an organisation's own resources, accounting for 89% of all cases.[2] Billing fraud, payment tampering, and expense reimbursement schemes dominate. These are, in almost every case, enabled by one thing: insufficient or overridden internal controls.
More than 50% of occupational frauds in the study occurred due to a lack of internal controls or the active override of controls that existed.[2] In the Australian context, Warfield & Associates found that of the employees who committed fraud against organisations other than banks, 43 were employed directly in their victim organisation's finance function.[1] The people with the most access, trust, and technical knowledge of how payments are processed are, statistically, also the most likely to exploit that position.
The greatest financial risk inside your organisation is not the person you would suspect. It is the one you would not.
The Psychology Behind the Numbers
Understanding why internal fraud is so persistent requires looking beyond malice. The ACFE's research shows that 84% of fraudsters displayed at least one behavioural red flag prior to detection, including living beyond their means (39%), experiencing financial difficulties, or demonstrating unusually close relationships with specific vendors.[2] In 87% of cases, the perpetrator had no prior criminal record.[2] These were trusted, often long-tenured employees, not identifiable bad actors.
The motivating factors in Australian cases were equally human: lifestyle aspiration drove 44 cases; gambling addiction was the primary motivator in 39.[1] The funds were spent on property, vehicles, travel, and other expenses indistinguishable from legitimate personal wealth.
This is the trusted employee problem in its most difficult form. The perpetrators are not people the organisation identified as high-risk. They are often the opposite: dependable, familiar, rarely on anyone's radar. And the longer they go undetected, the more expensive the outcome. In the Warfield study, the longest scheme ran for 17 years.[1]
Why Existing Controls Fall Short
Finance leaders are not oblivious to this risk. Most organisations have some form of delegated authority framework, vendor management process, and invoice approval workflow. The gap is not typically in the design of controls. It is in their consistent enforcement and real-time visibility.
Manual approval processes rely on human review of payment batches, often under time pressure and at volume. Segregation of duties is a principle that many organisations honour on paper but find difficult to enforce consistently, particularly in smaller finance teams or when senior staff have broad system access. Vendor master data, the source of where payments ultimately land, is frequently managed with insufficient controls, leaving it vulnerable to manipulation through account number changes that bypass normal review.
The ACFE study found that more than half of victim organisations modified their anti-fraud controls only after a fraud was discovered.[2] That is the reactive posture that organisations can no longer afford.
The regulatory environment is also tightening. Australia's expanded Anti-Money Laundering and Counter-Terrorism Financing framework, which came into effect in 2024 and extends Tranche 2 obligations to lawyers, accountants, and real estate agents from 2026, places explicit responsibility on boards and senior management to maintain active oversight of compliance programs.[3] ASIC commenced 132 new investigations in the first six months of 2025, more than double the same period the previous year.[4] The era of consequence-free control failures is closing.
Governance that validates process compliance, while leaving financial accuracy unverified, is not governance of what matters most. It is governance of the form, not the substance.
From Periodic Review to Continuous Control
The fundamental shift required is one of timing. Traditional anti-fraud frameworks are built around periodic review, including monthly reconciliations, quarterly audits, and annual external reviews. The fraud, by contrast, is continuous.
What effective internal fraud prevention requires is the same characteristic: continuous, automated monitoring at the transaction level. Controls that validate every payment against vendor master records, flag anomalies in payment patterns, identify duplicate invoices, and surface exceptions before funds are released, not after month-end when the trail has gone cold.
When 43% of occupational frauds are detected by a tip, more than three times any other detection method, it is a signal that organisations are relying on luck and conscience more than systems.[2] The CFOs who are changing this are embedding governance directly into the payment workflow: automating the enforcement of rules that currently depend on human attention, removing the gaps that prolonged schemes exploit.
The goal is not to suspect every employee. It is to ensure that no single employee, regardless of their seniority, tenure, or trust level, is able to move money outside the bounds of enforced policy, and that any attempt to do so is surfaced immediately rather than years later.
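As an added illustration (not code from this article or from any product it mentions), the pre-release checks described above can be expressed as one pass over a payment batch that holds exceptions before funds move. The field names, the 30-day cooling-off window, and all vendor and payment data are assumptions constructed for the example.

```python
from collections import namedtuple
from datetime import date

Payment = namedtuple("Payment", "payment_id vendor_id invoice_no amount_cents "
                                "bank_account created_by approved_by")

# Constructed vendor master: vendor_id -> (bank account, last changed, changed by)
VENDOR_MASTER = {
    "V001": ("062-000 11112222", date(2021, 3, 1), "mdata.admin"),
    "V002": ("033-111 99998888", date(2025, 6, 10), "ap.clerk1"),
}
COOLING_OFF_DAYS = 30  # assumed policy: hold payments after a bank-detail change

def review_batch(batch, vendor_master, today):
    """Return {payment_id: [reasons]} for payments to hold before release."""
    holds, seen = {}, {}
    for p in batch:
        reasons = []
        rec = vendor_master.get(p.vendor_id)
        if rec is None:
            reasons.append("vendor not in master file")
        else:
            account, changed_on, changed_by = rec
            if p.bank_account != account:
                reasons.append("bank account differs from vendor master")
            if (today - changed_on).days < COOLING_OFF_DAYS:
                reasons.append("vendor bank details changed recently")
            if changed_by in (p.created_by, p.approved_by):
                reasons.append("payer also changed vendor bank details")
        if p.created_by == p.approved_by:
            reasons.append("creator approved own payment")
        # Normalise invoice numbers so 'INV-1001' and 'inv 1001' collide
        inv = "".join(c for c in p.invoice_no.upper() if c.isalnum()).lstrip("0")
        first = seen.setdefault((p.vendor_id, inv, p.amount_cents), p.payment_id)
        if first != p.payment_id:
            reasons.append(f"duplicate invoice, first seen on {first}")
        if reasons:
            holds[p.payment_id] = reasons
    return holds

# Constructed sample batch: P1 is clean, the others each break a control
BATCH = [
    Payment("P1", "V001", "INV-1001", 125000, "062-000 11112222", "ap.clerk1", "fin.manager"),
    Payment("P2", "V001", "inv 1001", 125000, "062-000 11112222", "ap.clerk2", "fin.manager"),
    Payment("P3", "V002", "7731", 480000, "033-111 99998888", "ap.clerk1", "ap.clerk1"),
    Payment("P4", "V001", "INV-1002", 90000, "084-222 55556666", "ap.clerk2", "fin.manager"),
]
```

Calling `review_batch(BATCH, VENDOR_MASTER, date(2025, 6, 20))` releases P1 and holds P2 through P4 with the reasons attached, so each exception can be reviewed by someone other than the people named on the payment.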
The data tells us clearly: internal fraud is not a rare event. It is a common one that most organisations simply discover too late.
References
1. Warfield & Associates. (2022). Employee Fraud in Australia: A Decade in Review. As reported in SmartCompany. Retrieved from https://www.smartcompany.com.au/finance/fraud/aussie-employers-350-million-stolen-employees-research/
2. Association of Certified Fraud Examiners (ACFE). (2024). Occupational Fraud 2024: A Report to the Nations. Retrieved from https://www.acfe.com/report-to-the-nations/2024/
3. Norton Rose Fulbright. (2025). Australia's AML/CTF Reforms: A New Era in Financial Crime Prevention. Retrieved from https://www.nortonrosefulbright.com/en/knowledge/publications/4bdd08b3/australia-amlctf-reforms-a-new-era-in-financial-crime-prevention
4. A&O Shearman. (2025). Australian Regulators Intensify Enforcement of Bribery, Money Laundering and AI-Driven Fraud. Retrieved from https://www.aoshearman.com/en/insights/cross-border-white-collar-crime-and-investigations-review-2026/australian-regulators-intensify-enforcement-of-bribery-money-laundering-and-ai-driven-fraud
5. Commonwealth Fraud Prevention Centre. (2024). Commonwealth Fraud and Corruption Control Framework. Attorney-General's Department. Retrieved from https://www.counterfraud.gov.au/library/framework-2024
This article is intended as a thought leadership piece for finance, risk, and governance professionals. Statistics and figures cited are sourced from publicly available third-party research and regulatory publications.

