Lessons in internal control lapses from major fraud cases

Tammy Thomas, CPA/CFF, CGMA, is a co-author of the most recent FVS Eye on Fraud report, focused on the importance of internal controls preventing employee embezzlement.

In this episode, Thomas breaks down how failures in segregation of duties allowed two major embezzlement schemes to persist for years. She explains how small control gaps and role consolidation can quietly erode an organization’s defenses.

Thomas also outlines how deadline pressure and resource constraints can unintentionally weaken internal control environments.

Also, hear the previous Eye on Fraud podcast discussion, about the role of company culture, from July 2025.

What you’ll learn from this episode:

• A definition of internal controls and why they function best as a dynamic, ongoing process.
• How weak internal controls and poor segregation of duties can create openings for employee embezzlement.
• Why deadline pressure around the month‑end or year‑end close can weaken internal control effectiveness.
• Practical steps organizations can take to strengthen internal controls, improve oversight, and reduce fraud risk.
• Why Thomas said it was important to remember that “internal control is not a checklist.”

Play the episode below or read the edited transcript:

— To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.

Transcript

Neil Amato: Welcome back to the Journal of Accountancy podcast. This is Neil Amato with the JofA. This February 2026 episode is about fraud, specifically on the topic of internal controls. The focus of the first winter edition of the Eye on Fraud report. That regular report is from the AICPA’s Forensic and Valuation Services, or FVS, Section. You’ll hear the conversation right after this brief sponsor message.

[sponsor message]

Amato: Welcome back. My guest on this episode is Tammy Thomas. Tammy is director in the Forensic Consulting Group at CBIZ, and she is a co-author of this winter edition of the Eye on Fraud report. Tammy, thanks for being on the Journal of Accountancy podcast.

Tammy Thomas: Thanks so much for having me, Neil.

Amato: The title of the most recent Eye on Fraud report is “How Internal Controls Help Prevent, Deter, and Detect Employee Embezzlement.” I want you to dig into the very first part of that phrase, internal controls. Can you define “internal controls”?

Thomas: Sure. In our accounting landscape, we often go to one of the governing bodies, COSO, the Committee of Sponsoring Organizations, who years ago defined internal control. It’s a very formal definition, so I’ll just tell you some of it, but basically, it’s a process that entities — a board, management — design to help provide assurance regarding the achievement of their objectives regarding the operations, reporting, and compliance. It’s very accurate, but it also can be very structured.

One of the co-authors of this article, actually, Jonathan Marks, I think, did a great job of expanding on that, saying it’s more of a process of interlocking activities designed to support policies and procedures to prevent, detect, correct, direct, and corroborate actions. It’s more of a living, breathing process versus [the COSO definition], which is an accurate description of internal control, it more makes it a living process.

Amato: I think that’s a really good explanation. Thank you for that. In our previous Eye on Fraud podcast episode, the discussion with Carey Miller focused on company culture’s role in mitigating or exacerbating fraud risk. We touched on internal controls and about that, she said, “Weak internal controls can create gaps that fraudsters exploit.” Can you expand on that a little bit, maybe your thoughts on it?

Thomas: No problem. I thought this was a brilliant statement by Carey because it is absolutely true. Fraudsters are very keen observers, and they can spot weaknesses and weak internal controls. For example, when a CFO is on vacation, this is their chance to subvert or go around internal controls because they’ve been loosened or someone else is in charge, now signing checks if, for example, the CFO had been in charge.

Sometimes the gap wasn’t considered when they set up these controls, and vacations or other absences give the fraudster an ability to bridge that gap and exploit it.

Amato: Two recent U.S. fraud cases addressed in the Eye on Fraud winter edition, again, the one I mentioned — “How Internal Controls Help Prevent, Deter, and Detect Employee Embezzlement” — they are prime examples of those weak internal controls, specifically, a lack of segregation of duties. Much of our audience knows that phrase, but could you detail it and how segregation of duties would have prevented these examples of fraud?

Thomas: I’ll go through the two examples that we mentioned. We actually mentioned more than that, but there’s two that I think are a good example. The first one, beginning with the State Department fraud where Levita Ferrer — she embezzled more than $650,000. She had the ability to create and approve and sign checks. There was no oversight into who or what was being paid.

In this example, if there had been another set of eyes who, one person created the check, another person gave approval, i.e., segregation of duties, this embezzlement may have been avoided. Unfortunately, that’s not always the case, depending on budgets, and sometimes people try to consolidate roles, which on the surface is a good idea, but when it comes down to controls and who has the authority to issue funds, there really does need to be a separation.

For example, the CEO or president needs to sign checks with the proof of the vendor invoice, and a different person creates the check, so that way you can have at least some checks and balances. This other one that we discussed related to Promise Community Homes, which was formerly known as Rainbow Village, which was an entity that provided housing and resources for adults with intellectual and developmental disabilities. The fraudster in this case, Joelle Fouse, perpetrated this fraud over 10 years, embezzling almost $700,000.

Amato: Wow.

Thomas: Yeah, so she wore many hats. She was responsible for payroll, expense reimbursements, and maintaining the books and records. The way she perpetrated the fraud, she took over 71 transactions and she authorized $140,000 in payroll deposits to her account. She took $407,000 in expense reimbursements, also over 10 years, false expense reimbursements, and then she also charged $133,000 in unauthorized credit card purchases and ran them through the company.

Keep in mind, she already had a generous salary with benefits. She, as an aside, also lied about graduating a college with an accounting degree. The sad thing is the executive director — so this was prosecuted by the Department of Justice — wrote a letter to the judge and said, “As it was, we’re already stretching every dollar and deciding which projects to fund” — and here she is buying Louis Vuitton purses.

She had the ability to approve and distribute payroll checks. She created false financial reports, doctored receipts, and prevented the board from looking at the records. If she had been able to not do all of this and the duties had been divided, this would have been avoided.

Amato: You can see how one person who’s a bad actor maybe gets a little too much authority can take advantage. But, overall, how in your mind do internal controls, the process, unravel?

Thomas: That’s a very good question. It often takes time. It’s usually not one day the person’s hired or by the next month, they’ve stolen a million dollars. This last example I gave happened over 10 years, and that’s often what we find is that it’s someone testing the waters, doing it little bit by little bit, getting more confident as time goes on. It’s gradual departures from established process, like skipping reconciliations or allowing a journal entry to be posted with, “Doesn’t really make sense, but we need to close the books, so let’s just get it done.”

Some controls start to be slowly bypassed, and over time, it just builds on itself. There’s research we cite in our article that says that nearly one in five internal fraud cases involve management override controls, which is a high amount, but more than half traced back to weak internal controls itself. Someone said in the article, which I thought was a great quote, “Embezzlement doesn’t arrive by storm; it arrives through cracks formed by familiar neglect. A trusted employee who never leaves their desk or takes a vacation, a pressured manager who bypasses approval or an unmonitored ledger account.” That’s how it starts to happen.

Amato: You mentioned that “We just gotta close the books. We just have to do it.” How is speed or pressure to meet deadlines sometimes an enemy of good internal control processes?

Thomas: Part of what can happen is month-end close, quarter-end close, year-end close, companies feel, and in the accounting department especially, feel pressure to get things done, get the reports to their higher-ups. As I mentioned before, maybe people that would have checked journal entries that don’t have support or don’t make sense, they overlook it because they don’t have time. We’ll look at it next week, and then weeks later, they realize they need to figure it out, and it becomes a really long investigation.

Also, in terms of not just closing the books, but a desire to make any internal goal, whether it’s let’s be the first one in the company that closes the books or the first one that reaches this accounts payable payment level, it becomes this goal that really is not needed for the entity but somehow incentivizes the fraudster to take advantage of maybe people that are focused on other metrics, other things that are happening in the company in order to perpetrate, for example, a vendor fraud and create a vendor that really is themselves, but formed a fake LLC, and all of a sudden they’re getting paid and the boss doesn’t have time to approve this new vendor but approves the payment to it. Lo and behold, the employee is getting paid under a false entity.

Amato: What would you say overall are some tips for maintaining strong internal controls?

Thomas: We talked in our article about the idea of strategizing, and what that really means is having everyone involved, from the board of directors or whatever the governance of the company is, constantly reassessing their fraud risk and what their internal controls are doing and are not doing. What that usually involves is getting the board involved, other levels of management, and down to the accounts payable clerk to discuss what things are we doing that are good, what things are we doing that really aren’t working? They’re just a check the box.

Looking at the policy and procedures for oversight and reporting and monitoring of those controls. Seeing if management is communicating the point of the internal controls and how they’re supposed to work. It’s one thing to make employees sign that they understand and they’ll be a whistleblower if needed. But they don’t fully understand why and what it’s intended to catch, then they may just be getting check-the-box employees and not people that are really aware and cognizant of the point of these controls.

Then also, especially nowadays, checking the technology and how things have changed and whether or not there are changes that pose a threat to their processes, to their payments. Honestly, to sum it up, just to sort of evaluate where they are, evaluate what is going on in their industry in terms of fraud, evaluate recent cases to see what has the Department of Justice been pursuing? What kind of things are being found in fraudulent activities.

Just checking where they are and then also checking, and I know this is also a term that can be overused, but tone at the top, which really represents what is management’s position? What do the employees at a company feel like management is saying to them? Is it a check-the-box internal control process, or is it we really care? We really do want real vendors. We don’t want fake vendors to be created. We don’t want ghost employees. This is important to us, and it’s important to you as well.

Amato: I think that is important because it shouldn’t just be, “Oh, these are the things you have to do. These are the boxes you have to check.” It should be emphasized that it’s important. Carey Miller did use that phrase as well, and it is important.

We will link to this winter edition of the Eye on Fraud report in the show notes for this episode, along with any other related Eye on Fraud resources. Tammy, this has been an excellent conversation. There’s always more we can say on these topics, but anything short you’d like to share as a closing thought for the audience?

Thomas: Thanks, Neil. I would just reiterate something you just said that internal control is not a checklist. You need to be vigilant. While a thought is to quote Disney that it’s “a tale as old as time,” the methods are continually evolving, and you need to try to be on top of the internal control threats and just stay alert.

As you said, check out [the resources]. There’s a lot of good guidance out there, not just the COSO fraud risk management guide that came out in 2023. The AICPA has some great risk management information as well. Thank you again for having me on this podcast. I really appreciate it.

Amato: Again, that was Tammy Thomas with CBIZ. We appreciate her time and insights on the Journal of Accountancy podcast. This is Neil Amato. Thanks for listening.