Business · April 16, 2026 · 9 min read

SMB fraud prevention without a finance team

Big-company fraud prevention relies on segregation of duties. SMBs do not have that luxury — one person often does AP and bank rec and payroll. So the question is not "how do we segregate?" but "how do we get fraud-resistant without segregation?" Here is the practical playbook.

How SMB fraud actually happens.

Three patterns dominate. Pattern 1: phantom vendors. A trusted bookkeeper sets up a fake vendor, pushes payments to it, and pockets the money. Discoverable through vendor master review and bank-account-name checks. Pattern 2: payroll ghosts. An ex-employee stays on payroll for six months after leaving, with payments routed to a personal account. Discoverable through payroll-to-active-employee reconciliation. Pattern 3: customer collections diverted. A salesperson collects cash directly and underreports, or invoices customers off-system.

These patterns share a feature: they exploit the absence of independent verification. The SMB owner is busy and trusting; the bookkeeper is hard to replace and seemingly indispensable. A control framework that does not require a second person can still prevent most of these — if it is set up deliberately. The ACFE's annual Report to the Nations consistently finds that small businesses suffer the largest median fraud losses precisely because of this gap.

Figure labels: Phantom vendor (fake supplier setup); Payroll ghost (ex-employee still paid); Cash diversion (off-system invoicing).
Three dominant SMB fraud patterns. All three exploit absence of independent verification — fixable without segregation of duties.

The 5-control minimum.

Control 1: bank statement review by the owner directly, monthly. Not the reconciliation report — the actual statements from the bank. 30 minutes per account per month catches phantom vendor patterns. Control 2: vendor onboarding requires owner approval for any vendor with payments expected to exceed A$10,000 cumulative. Control 3: payroll register reviewed by the owner monthly, with active-employee count verified against operations. Control 4: customer collections reconciled to invoices weekly, with any cash collections requiring two signatures (owner plus collector). Control 5: every change in the accounting system logged with user, timestamp, and old/new values.

These five together prevent most SMB fraud patterns without requiring segregation. The total time cost is 2-3 hours per month from the owner. Compared to the ACFE median SMB fraud loss of around A$200,000 per incident, the math is overwhelming.

Five controls. 2–3 hours/month from the owner. Median saved: A$200k.
  • Owner reviews bank statements monthly
  • Vendor onboarding requires owner approval over A$10,000
  • Owner reviews payroll register monthly
  • Cash collections require two signatures
  • Audit log on every system change

AI anomaly detection as a force multiplier.

Modern accounting systems with AI anomaly detection catch patterns humans miss. Examples: a vendor that suddenly receives much larger payments than usual, a duplicate invoice number across vendors, a payroll entry to an account that does not match the employee's historical bank account, a customer payment that does not match any open invoice. Each of these is a fraud-pattern signal.

Nonari's anomaly detector runs against AP/AR transactions and flags off-pattern items. The owner reviews the queue weekly. The false positive rate is around 8-12 percent (acceptable, because the cost of investigating a flag is low) and the detection rate of real fraud patterns is high. The AI does not replace the 5 controls; it complements them by catching patterns that visual review misses.

Figure labels: Vendor spike (sudden large payment); Duplicate invoice # (across vendors); Off-pattern bank (new account, same employee); Orphan payment (no matching invoice).
Four anomaly patterns the AI catches that humans miss in routine review. 8-12% false positive — cheap to investigate, costly to ignore.

Worked example: a phantom vendor caught.

Consider a Melbourne-based wholesale distributor with A$7M annual revenue. The bookkeeper of 4 years had set up a vendor "ABC Trading" with a personal-looking bank account. Over 6 months he routed A$28,000 of small-amount payments through it. The fraud was caught when Nonari's anomaly detector flagged "ABC Trading" because: the vendor received only round-amount payments (A$1,000, A$1,500, A$2,000), all on Wednesdays, and the bank account name was a personal name, not a business name.

The owner investigated. ABC Trading had no invoices, no ABN, no business registration. The bookkeeper resigned within 48 hours. Funds were recovered through legal proceedings (partial recovery, ~60 percent). The control that mattered most: the vendor onboarding approval rule had been bypassed because the vendor had been "grandfathered in" from before the rule. The lesson: review your existing vendor master too, not just new vendors.
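The signals from the anomaly-detection section and the ABC Trading case (round amounts only, a single weekday, a personal-name receiving account, and the same invoice number under two vendors), as an added example in Python that is not Nonari's code. The payment rows, the business-word list and the personal-name heuristic are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date
# Constructed sample AP payments (not real data): vendor, invoice number,
# payment date, amount in A$, and the name on the receiving bank account.
PAYMENTS = [
    ("ABC Trading", "INV-101", date(2025, 3, 5), 1000.0, "John Smith"),
    ("ABC Trading", "INV-102", date(2025, 3, 12), 1500.0, "John Smith"),
    ("ABC Trading", "INV-103", date(2025, 3, 19), 2000.0, "John Smith"),
    ("ABC Trading", "INV-104", date(2025, 3, 26), 1000.0, "John Smith"),
    ("Acme Packaging Pty Ltd", "INV-7781", date(2025, 3, 3), 2347.15, "Acme Packaging Pty Ltd"),
    ("Freight Co", "INV-7781", date(2025, 3, 14), 910.00, "Freight Co Pty Ltd"),
]
# Assumed word list: tokens that mark an account name as a business, not a person.
BUSINESS_TOKENS = {"PTY", "LTD", "LIMITED", "INC", "CO", "TRADING", "GROUP", "SERVICES", "PACKAGING"}

def looks_personal_name(account_name: str) -> bool:
    """Heuristic (an assumption, not a legal test): 2-3 words, none a business token."""
    words = account_name.replace(".", "").split()
    if not 2 <= len(words) <= 3:
        return False
    return not any(w.upper() in BUSINESS_TOKENS for w in words)

def phantom_vendor_signals(payments, min_payments=3):
    """{vendor: [signals]} for vendors matching the article's phantom-vendor pattern:
    only round amounts, a single weekday, a personal-name receiving account."""
    by_vendor = defaultdict(list)
    for vendor, _inv, when, amount, acct in payments:
        by_vendor[vendor].append((when, amount, acct))
    flagged = {}
    for vendor, rows in by_vendor.items():
        if len(rows) < min_payments:  # too few payments to call a pattern
            continue
        signals = []
        if all(amount % 500 == 0 for _, amount, _ in rows):
            signals.append("all round amounts")
        if len({when.weekday() for when, _, _ in rows}) == 1:
            signals.append("single weekday")
        if all(looks_personal_name(acct) for _, _, acct in rows):
            signals.append("personal-name bank account")
        if signals:
            flagged[vendor] = signals
    return flagged

def duplicate_invoice_numbers(payments):
    """Invoice numbers that appear under more than one vendor."""
    vendors_by_inv = defaultdict(set)
    for vendor, inv, *_ in payments:
        vendors_by_inv[inv].add(vendor)
    return {inv: sorted(v) for inv, v in vendors_by_inv.items() if len(v) > 1}
```

Run both functions over the vendor master and payment history already in the system, not only over new vendors, which is the grandfathering lesson above.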

Cash businesses: the harder problem.

Retail and food SMBs with significant cash sales face a harder fraud problem because cash is harder to track. Two effective controls: per-shift cash reconciliation by the manager (count cash, compare to system, document variance), and weekly bank deposit reconciliation by the owner (cash collected versus cash deposited). Variance investigation is mandatory, not optional.

A more powerful control: shift-by-shift POS reports compared across staff, looking for outliers. Staff member A consistently has 3-5 percent more "voids" than staff B and C. Staff member D has more cash refunds than the team average. These are not proof of fraud but they are signals worth investigating. The pattern matters more than any single transaction.
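The per-staff POS comparison described above, as an added example in Python that is not Nonari's code: a staff member is flagged only when their void or cash-refund rate beats the rest of the team by at least 3 percentage points across several shifts. The shift data, the 3-point gap and the shift count are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean
from typing import NamedTuple

class Shift(NamedTuple):
    staff: str
    transactions: int
    voids: int
    cash_refunds: int

# Constructed POS shift summaries (not real data), four shifts per staff member.
SHIFTS = [
    Shift("A", 200, 14, 3), Shift("A", 180, 12, 2), Shift("A", 210, 15, 4), Shift("A", 190, 13, 2),
    Shift("B", 205, 5, 2), Shift("B", 195, 4, 3), Shift("B", 200, 6, 2), Shift("B", 210, 5, 1),
    Shift("C", 190, 5, 2), Shift("C", 200, 4, 2), Shift("C", 185, 6, 3), Shift("C", 205, 4, 2),
    Shift("D", 200, 5, 9), Shift("D", 198, 4, 9), Shift("D", 202, 6, 10), Shift("D", 195, 5, 9),
]

def per_shift_rates(shifts, field):
    """{staff: [field / transactions for each shift]}; field is 'voids' or 'cash_refunds'."""
    rates = defaultdict(list)
    for s in shifts:
        rates[s.staff].append(getattr(s, field) / s.transactions)
    return rates

def consistent_outliers(shifts, field, min_gap=0.03, min_shifts=3):
    """Staff whose rate beats the mean of everyone else's shifts by at least
    min_gap (3 percentage points, the article's lower bound) in min_shifts or
    more shifts. Comparing shift by shift means one bad night is not a flag.
    Returns {staff: average gap above the others' baseline}."""
    rates = per_shift_rates(shifts, field)
    flagged = {}
    for staff, own in rates.items():
        others = [r for s, rs in rates.items() if s != staff for r in rs]
        baseline = mean(others)
        high_shifts = sum(1 for r in own if r - baseline >= min_gap)
        if high_shifts >= min_shifts:
            flagged[staff] = round(mean(own) - baseline, 4)
    return flagged
```

On this data staff A stands out on voids and staff D on cash refunds; as the article says, that is a signal to investigate, not proof.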

When to insure versus prevent.

Crime / fidelity insurance (often called Employee Dishonesty cover, or part of a Business Crime policy) costs roughly A$500-A$2,000 annually per A$100,000 of cover for SMBs. For businesses with weak segregation and significant cash handling, this is cheap risk transfer. It does not replace controls — insurers require basic controls before paying claims — but it backstops the gaps.

A reasonable mix: implement the 5-control minimum, layer on AI anomaly detection, add fidelity cover for residual risk. Most SMBs do none of the three and rely on trust. Trust works until it does not, and the cost of failure is large enough to justify the modest investment in this stack.

How Nonari supports SMB fraud prevention.

Five built-in features. One: complete audit log on every transaction with user, timestamp, and old-vs-new values. Two: anomaly detection on AP and AR (duplicate payments, off-pattern vendors, unusual amounts). Three: maker-checker enforcement on payments above configurable thresholds. Four: vendor master with tax-ID and bank-account-name fields, plus warnings when adding vendors with personal-name bank accounts. Five: branch-level segregation of access via the permissions matrix, so a branch manager cannot see or modify another branch's payments.

These features do not eliminate the need for the owner to be engaged. They make engagement more efficient — the owner reviews flagged items rather than scanning everything. For an SMB without a finance team, that efficiency is the difference between actually doing the controls and skipping them.

Frequently asked questions.

I have always trusted my bookkeeper. Should I really do these controls?

Trust is good but not a control. Most SMB fraud cases involve a long-tenured trusted employee. The controls protect both you and the bookkeeper — clean controls mean an honest bookkeeper has nothing to fear, and a dishonest one is detected before the loss compounds. Do not frame this as a trust issue.

How often should the owner actually do the bank statement review?

Monthly for routine review, ideally within 5 business days of statement availability. The discipline of "I will see this within a week" by itself deters opportunistic fraud because the bookkeeper knows the review is coming.

What is the right threshold for vendor onboarding approval?

A$10,000 cumulative is a reasonable starting point for SMBs. Below that, many small vendors flow through without approval. Above that, owner approval is required. Adjust based on your specific business — a high-volume retailer might use A$5,000, a low-volume B2B might use A$20,000.

How do I implement maker-checker without a second person?

Use yourself as the checker for payments above a threshold. The maker (bookkeeper) prepares; the checker (you) approves before the payment goes out. Modern systems implement this digitally — Nonari has it as a permission rule. Below the threshold, the maker can execute alone for efficiency.
