I used to think the controls were stupid. Then I started working with our comptrollers and auditors. I had an auditor come into the office and he showed me all of the ways the front line people were “ripping us off.”
For example, the cash drawers were sometimes off in multiples of the cost of a soda from the company soda machine. Sometimes the work orders were for houses right next to each other...and the tech took “travel time” from one place to the other.
I embraced controls, not because I wanted to be a jerk, but because it meant I could trust my numbers and my people. And after that, we never had a “recurring” theft.
Then I went to work at a bank. Talk about a place with controls. And the security guys wouldn’t even talk to me about what they would catch. It took years for them to start telling me stories.
In short, if you give anyone around money the opportunity—sooner or later someone is going to try to steal from you. But they don’t realize that there is nothing new under the sun. And most of the time you will get caught.
These “internet” hacks are almost ALL inside jobs.
Interesting; I remember the audit classes from college, and then saw the controls in action in the workplace. Much easier to enact with larger staffs; as companies reduce staff levels so many positions are “one-deep”, it becomes harder. You’re right that most things have been done before (maybe with slight variations); competent people should be able to detect theft fairly quickly. I’ve seen things where collusion was necessary (and even then the thefts should have been detected by a third party fairly quickly as well). Simple basic controls (like timely bank reconciliations) go a long way in sniffing things out, but too often overworked staff delay that process.