A subsidiary lost a material share of its annual turnover for eight straight years to a fraud scheme that never tripped a single control, because the controls were watching the wrong things.
The Fintech Times this month walked through the mechanics of an invoice and expense fraud that ran for eight financial years inside a corporate subsidiary before anyone caught it. The setup was almost embarrassingly simple. A chief accountant in a small finance team held two privileges he should not have held together: the ability to authorise bank payments and the ability to approve his own expense reports through a lightly supervised external provider.
Customer payments arrived in the bank but were never booked to the ledger. The accountant then filed fictitious expense claims for the same amounts and reimbursed himself from the unbooked cash. Each month-end, manual adjusting entries were posted to make the books tie, then reversed on the first of the following month.
The fraud was invisible because the only person with a full view of the flows was the person running it. According to The Fintech Times, the cumulative loss represented a meaningful percentage of the subsidiary's annual turnover.
For a CFO or fraud lead in financial services, the discomfort here is not the scheme itself. It is that the scheme is structurally indistinguishable from how a lot of subsidiary, branch, and back-office finance functions actually operate today.
Segregation of duties exists on paper. The general ledger reconciles to the bank at month-end. The external expense provider returns a clean approval log. Every individual control passes. The fraud lives in the seam between them, in the recurring pattern of first-of-the-month reversals that no human reviewer reads as a signal and no rules-based system is configured to flag.
In a regulated FS environment, the consequences extend past the embezzled amount. A finding of this shape draws scrutiny on Sarbanes-Oxley attestation, on the integrity of management certifications, and on the firm's broader AML control narrative, because the same weakness that hides an internal fraud will hide a structuring pattern or a sanctions evasion attempt.
The exposure compounds with duration. Eight years of undetected loss is not a control failure that gets written off quietly; it is a restatement risk, an audit committee event, and in some jurisdictions a regulatory notification.
The capability that closes this gap is real-time, cross-system reconciliation with anomaly detection that reads patterns, not thresholds. Bank feeds, ledger entries, expense system approvals, and vendor master changes flow into a governed data layer where reversal cadence, beneficiary recurrence, and unbooked cash receipts are continuously scored against the firm's own baseline.
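As an added illustration (not code from the article or from any vendor it describes), the three checks below run the cross-system logic the paragraph calls for over constructed sample feeds: bank receipts never booked to the ledger, self-approved expense claims that equal those unbooked amounts, and the month-end adjust / first-of-month reverse cadence. All data, field layouts and thresholds are assumptions made for the example.

```python
from collections import Counter
from datetime import date as D, timedelta

# Constructed sample feeds for one subsidiary (not real data).
BANK = [(D(2023, 1, 10), 4200.0, "CUST-A"), (D(2023, 1, 17), 1850.0, "CUST-B"),
        (D(2023, 2, 8), 4200.0, "CUST-A"), (D(2023, 2, 21), 990.0, "CUST-C")]
LEDGER = [(D(2023, 1, 10), 4200.0, "CUST-A"), (D(2023, 2, 8), 4200.0, "CUST-A")]
CLAIMS = [(D(2023, 1, 20), 1850.0, "chief_acct", "chief_acct"),   # (date, amt, claimant, approver)
          (D(2023, 2, 24), 990.0, "chief_acct", "chief_acct"),
          (D(2023, 2, 3), 120.0, "analyst", "chief_acct")]
JOURNALS = [(D(2023, 1, 31), 1850.0), (D(2023, 2, 1), -1850.0),  # manual entries: (date, signed amt)
            (D(2023, 2, 28), 2840.0), (D(2023, 3, 1), -2840.0),
            (D(2023, 3, 31), 2840.0), (D(2023, 4, 1), -2840.0)]

def unbooked_receipts(bank, ledger):
    """Bank receipts with no ledger booking of the same amount and reference (multiset match)."""
    booked = Counter((amt, ref) for _, amt, ref in ledger)
    missing = []
    for d, amt, ref in bank:
        if booked[(amt, ref)] > 0:
            booked[(amt, ref)] -= 1
        else:
            missing.append((d, amt, ref))
    return missing

def self_approved_matches(claims, unbooked):
    """Expense claims approved by the claimant whose amount equals an unbooked receipt."""
    open_amounts = Counter(amt for _, amt, _ in unbooked)
    hits = []
    for d, amt, claimant, approver in claims:
        if claimant == approver and open_amounts[amt] > 0:
            open_amounts[amt] -= 1
            hits.append((d, amt, claimant))
    return hits

def reversal_cadence(journals):
    """Months whose last-day manual entry is reversed (same amount, opposite sign) on the 1st."""
    by_date = {}
    for d, amt in journals:
        by_date.setdefault(d, []).append(amt)
    months = set()
    for d, amts in by_date.items():
        nxt = d + timedelta(days=1)
        if nxt.day == 1 and any(-a in by_date.get(nxt, []) for a in amts):
            months.add((d.year, d.month))
    return sorted(months)

def findings(bank, ledger, claims, journals, cadence_threshold=3):
    """Pattern-level findings that no single-system control would raise on its own."""
    missing = unbooked_receipts(bank, ledger)
    hits = self_approved_matches(claims, missing)
    months = reversal_cadence(journals)
    out = [f"{len(missing)} bank receipt(s) never booked"] if missing else []
    out += [f"{len(hits)} self-approved claim(s) equal unbooked cash"] if hits else []
    out += [f"adjust/reverse cadence in {len(months)} months"] if len(months) >= cadence_threshold else []
    return out
```

Each check alone is weak evidence; the signal the article describes is their co-occurrence against the firm's own baseline, which is why `findings` reports them together.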
This is no longer a frontier capability. The firms that build the data foundation for this in the next eighteen months will move concentrated-access risk from a topic auditors raise to a topic the CFO can answer in one slide.