Asset Misappropriation and Skimming

The most common category of occupational fraud: employees stealing cash, diverting payments, and misappropriating non-cash assets, and the internal controls that stop or detect each scheme.

Last updated: 10 Jun 2026

Asset misappropriation is by far the most common form of occupational fraud, appearing in roughly 86% of all cases the ACFE records in its biennial Report to the Nations. It is also, median loss by median loss, the least costly of the three ACFE fraud categories: most asset-misappropriation schemes involve a single employee exploiting a local control weakness rather than an executive-level conspiracy to overstate earnings. But small individual losses aggregate; the ACFE estimates that the typical organisation loses 5% of its annual revenue to fraud, and asset misappropriation schemes are responsible for most of that drain.

The ACFE Fraud Tree divides asset misappropriation into cash schemes and non-cash schemes. Cash schemes divide further into skimming (taking cash before it is recorded), cash larceny (taking cash after it is recorded), and fraudulent disbursements (manipulating the payments process to divert money outward). Non-cash schemes involve stealing inventory, equipment, and proprietary information. Each branch of the tree has its own mechanics and its own control countermeasures.

This topic maps each major scheme type, explains the control environment that enables it, and identifies the detection signals that appear in accounting records, payroll data, and physical observations. The emphasis throughout is on the investigative perspective: what does the scheme look like in the data, and what is the minimum evidence set needed to support a conclusion.

Key terms

Skimming: Taking cash or other payments before they are entered into the accounting records. Leaves no direct accounting discrepancy, making detection dependent on external evidence such as customer receipts, till surveillance, or comparison to expected revenue.
Cash larceny: Taking cash that has already been recorded in the accounting system. The record exists, so the theft creates a provable discrepancy between the book entry and the physical cash, making detection more straightforward than skimming.
Fraudulent disbursement: A scheme in which the perpetrator manipulates the organisation's outbound payment process to divert money to themselves or an accomplice. The main sub-types are billing schemes, payroll fraud, expense reimbursement fraud, and register disbursements.
Ghost employee: A fictitious or departed person on the payroll whose wages are diverted to the perpetrator. Detection relies on headcount reconciliation, supervisor attestation of active personnel, and physical sign-in verification.
Lapping: A scheme to conceal the theft of cash from customer receipts by applying a later customer's payment to the earlier customer's account. Creates a running gap between customer accounts and cash receipts that grows unless the lapper catches up or is discovered.
Segregation of duties: The principle that the authorisation, custody, and recording of any transaction should be performed by different people. Its absence is the single most common control weakness enabling asset misappropriation.

Skimming: taking cash before the books see it

The perfect scheme leaves nothing in the ledger to find.

Skimming is often described as an off-books fraud because the cash intercepted never appears in the accounting records at all. A cashier who accepts payment from a customer but does not ring the sale, a billing clerk who accepts a customer's cash payment and deposits only a portion while pocketing the rest, and an accounts-receivable employee who intercepts a cheque and destroys the remittance advice are all running skimming schemes.

Because the entry is never made, a standard ledger reconciliation will not reveal the theft. The detection methods must come from outside the books: comparing register tapes to cash counts, comparing expected revenue (from customer count data, transaction volumes, or industry benchmarks) to recorded revenue, or relying on customer complaints about payments that were not credited to their accounts.

Sales skimming: intercepting cash at the point of sale before recording. Detected by surprise cash counts, surveillance, or comparison of physical transaction count to registered sales.
Receivables skimming: intercepting customer payments before posting to the accounts. Detected by lapping patterns, customer statements, and direct customer confirmation.
Mail skimming: intercepting cheques or cash from incoming mail before they reach the cashier. Requires access to incoming mail and is usually associated with small organisations lacking mailroom controls.

Fraudulent disbursements: billing and payroll fraud

The money leaves through the front door, properly signed off on paper.

Fraudulent disbursement schemes use the organisation's own payment machinery to send money to the perpetrator or an accomplice. Because the payment is processed through normal channels, it appears in the books as a legitimate expense. The fraud is in the substance, not the form, of the payment.

Billing schemes are the most common fraudulent disbursement type. The simplest version creates a shell company in the perpetrator's name, registers it in the vendor master file, submits invoices for goods or services never provided, and approves and processes the payment. More sophisticated versions involve real vendors whose invoices are inflated, with the perpetrator receiving a kickback from the vendor.

Payroll fraud takes several forms. Ghost employees are the most studied: a fictitious person or a departed employee whose payroll entry was not terminated continues receiving wages that are diverted to the perpetrator. Commission fraud involves inflating sales figures to generate excess commission payments. Timesheet fraud involves claiming hours not worked. The ACFE data consistently shows payroll schemes have a longer average duration before detection than billing schemes, often running for several years.

Billing scheme: shell company added to vendor master, invoices submitted and paid.

Scheme type	Median duration (ACFE 2022)	Primary detection method
Billing fraud (shell company)	24 months	Vendor master analysis: address/phone/bank matches to employees
Ghost employee	30 months	Headcount reconciliation; supervisor attestation of active staff
Expense reimbursement fraud	18 months	Duplicate receipt testing; policy-limit analysis
Commission fraud	24 months	Sales record comparison to commission claims
Register disbursement	12 months	Void and refund transaction analysis

Non-cash misappropriation

Inventory, equipment, and data are assets too.

Non-cash misappropriation covers any theft of organisational assets other than cash and monetary instruments. The most common forms are inventory theft and the misuse of equipment, vehicles, and other physical property. Less visible but increasingly significant is the theft of proprietary information and intellectual property.

Inventory theft is often detected through periodic physical counts compared against book inventory records. The investigation task is distinguishing genuine theft from breakage, shrinkage, and recording errors, all of which also produce discrepancies. Consistent discrepancies in specific locations, specific product categories, or specific shifts point toward theft rather than systemic error.

Internal controls: the prevention and detection framework

Every asset misappropriation scheme exploits a specific control gap.

Internal controls against asset misappropriation fall into two categories: preventive controls that make the scheme harder to execute, and detective controls that surface it after it has begun. Both are necessary: preventive controls can be overridden by colluding employees or management, and detective controls that are only applied annually may allow a scheme to run for a year before detection.

Segregation of duties: split the authorise, record, and custody functions. No single person should be able to approve a payment, record it, and reconcile the bank account.
Physical controls: locked cash drawers, access-controlled inventory areas, fixed-asset tagging, and vehicle tracking.
Surprise cash counts: unannounced counts compare physical cash to the register balance at random intervals. Predictable counting schedules allow perpetrators to replace stolen cash for the count.
Independent bank reconciliation: reconciliation performed by someone who did not process payments, with review of original cancelled cheques or bank images rather than the company's own records.
Vendor master controls: approval process for adding new vendors; periodic comparison of vendor addresses, telephone numbers, and bank accounts against employee data.
Payroll controls: independent headcount verification; mandatory holiday policies (many payment schemes require the perpetrator to be present to maintain the fraud); direct deposit to verified employee accounts.

The ACFE data consistently shows that organisations with fewer controls have higher median fraud losses and longer fraud durations. The cost of basic preventive controls, particularly segregation of duties in small finance teams, is frequently cited as a barrier in small and medium organisations, but the cost of a single undetected fraud typically exceeds the annual cost of the control many times over.

Data analytics for detection

The scheme leaves a pattern in the data even when the documents look clean.

Data analytics has become the primary tool for asset-misappropriation detection in large organisations. The central advantage is coverage: manual review of a representative sample of transactions can miss a scheme that affects only a small percentage of payments. Analytics can examine the entire population.

Duplicate payment testing: matching invoice number, vendor, and amount across all payment records to find duplicate submissions.
Round-number testing: filtering for payments ending in .00 or .50, which human-created fictitious invoices favour over the irregular amounts of genuine commerce.
Vendor-employee match: comparing vendor master addresses, phone numbers, tax IDs, and bank accounts against employee records to find shell companies in employees' names.
Benford's Law on expense claims: first-digit analysis of expense claim amounts. Human-chosen numbers below a reimbursement threshold (such as $25) cluster unnaturally because the perpetrator chooses amounts to stay under approval limits.
Sequence gaps and duplicates: invoice sequence gaps suggest missing invoices; duplicate sequences suggest fabricated ones.

Worked example

Identifying a ghost-employee scheme through payroll analytics

The pattern in the data was visible from three angles before the first interview.

An investigator is retained after an anonymous tip line message claims that a payroll manager at a mid-sized logistics company has added a family member to the payroll. The company employs 340 people across three sites.

Payroll data pull. All employee records active over the past 36 months are extracted: name, address, bank account, national insurance or tax ID, hire date, termination date, and gross payments. Three records have the same address as the payroll manager. One of them, listed as a warehouse operative at a site 200 km away, has never claimed an expense, never had a sick day recorded, and has been paid consistently for 28 months.
Supervisor verification. The site manager at the relevant warehouse is asked to confirm headcount in the warehouse operative category. The name does not appear on any site attendance record or uniform allocation list for the past 28 months.
Bank account analysis. The bank account receiving the wages is in a different name but linked to the same sort code as the payroll manager's salary account. A subpoena for bank records reveals the two accounts are held at the same branch and the name on the ghost account is the payroll manager's spouse.
HR record review. The employee was added to the system by the payroll manager using an administrator override, bypassing the normal new-hire approval workflow. No offer letter, contract, or line-manager approval exists in the HR system.
Quantification. 28 months of wages plus employer contributions totals the loss. The investigation then extends the analytics to all payroll additions made by the same administrator account over the same period to assess whether additional ghost employees exist.

The case illustrates how a ghost-employee scheme survives because the payroll manager controls both entry and reconciliation. Segregation of duties, specifically requiring a separate manager to approve new payroll additions, is the single control that would have prevented this scheme from running for over two years.

Check your understanding

Question 1 of 4· 0 answered

Why is skimming harder to detect from accounting records alone than cash larceny?

Key Takeaways

Skimming takes cash before it enters the books, leaving no ledger discrepancy; detection requires external evidence such as customer confirmations, surveillance, or expected-versus-actual revenue analysis.
Fraudulent disbursements, particularly billing fraud and ghost-employee payroll schemes, exploit organisations where the same person can add vendors or employees, initiate payments, and reconcile accounts.
Segregation of duties is the foundational preventive control; when it cannot be fully implemented in a small team, compensating detective controls such as surprise counts and independent reconciliation become essential.
Data analytics applied to the full population of payroll and vendor-payment records routinely detects schemes that sample-based testing misses: duplicate payments, round-number clustering, and vendor-employee address matches.
Asset misappropriation is the most common occupational fraud category by frequency and the one most directly controlled by basic preventive measures, making the cost-benefit case for those controls straightforward.

What is the difference between skimming and cash larceny?

Skimming occurs before cash is recorded in the accounting system: an employee intercepts a payment before it enters the books, so there is no accounting entry to detect. Cash larceny takes cash that has already been recorded, which leaves a traceable discrepancy between the book balance and the physical count. Skimming is harder to detect precisely because it leaves no entry.

What is a ghost employee?

A payroll scheme where an employee adds a fictitious person to the payroll and diverts the wages. The ghost may be a completely fabricated identity, a former employee whose departure was not processed, or a real person who is no longer performing work. Detection relies on headcount reconciliation and physical verification that every person on the payroll is a genuine, active employee.

What is the most common type of occupational fraud by frequency?

Asset misappropriation accounts for approximately 86% of fraud cases in the ACFE Report to the Nations. Cash schemes, billing fraud, and expense reimbursement fraud are the most common sub-types.

How does billing fraud work?

An employee submits or approves payments to fictitious vendors they control, to real vendors for goods or services never received, or inflates invoices from genuine vendors and pockets the difference. Detection relies on vendor master file scrutiny, matching of goods received records to invoices, and separation of the approval and payment functions.

What internal control most effectively prevents asset misappropriation?

Segregation of duties is the foundational control: separating the authorisation, custody, and recording functions so that no single employee can complete and conceal a theft. Physical controls, surprise cash counts, and independent bank reconciliation each add additional layers, but segregation is the structure that makes all other controls meaningful.

Test yourself on Forensic Accounting and Financial Forensics with free, timed mocks.

Practice Forensic Accounting and Financial Forensics questions

Found this useful? Pass it along.

Spotted an error in this page? Report a correction or read our editorial standards.

Scheme type

Median duration (ACFE 2022)

Primary detection method

Billing fraud (shell company)

24 months

Vendor master analysis: address/phone/bank matches to employees

Ghost employee

30 months

Headcount reconciliation; supervisor attestation of active staff

Expense reimbursement fraud

18 months

Duplicate receipt testing; policy-limit analysis

Commission fraud

24 months

Sales record comparison to commission claims

12 months

Void and refund transaction analysis

Key Takeaways

Skimming takes cash before it enters the books, leaving no ledger discrepancy; detection requires external evidence such as customer confirmations, surveillance, or expected-versus-actual revenue analysis.

Fraudulent disbursements, particularly billing fraud and ghost-employee payroll schemes, exploit organisations where the same person can add vendors or employees, initiate payments, and reconcile accounts.

Segregation of duties is the foundational preventive control; when it cannot be fully implemented in a small team, compensating detective controls such as surprise counts and independent reconciliation become essential.

Data analytics applied to the full population of payroll and vendor-payment records routinely detects schemes that sample-based testing misses: duplicate payments, round-number clustering, and vendor-employee address matches.

Asset misappropriation is the most common occupational fraud category by frequency and the one most directly controlled by basic preventive measures, making the cost-benefit case for those controls straightforward.

What is the difference between skimming and cash larceny?

What is a ghost employee?

What is the most common type of occupational fraud by frequency?

Asset misappropriation accounts for approximately 86% of fraud cases in the ACFE Report to the Nations. Cash schemes, billing fraud, and expense reimbursement fraud are the most common sub-types.

How does billing fraud work?

What internal control most effectively prevents asset misappropriation?

Your journey to becoming a forensic professional starts here.

Key Takeaways

Key Takeaways