Business Fraud Through Trusted Access: When Openness Becomes a Liability
- Maria Mor, CFE, MBA, PMP

- Jul 3
- 10 min read
Property management companies operate on relationships. The management company handles the money. The individual properties handle the operations. Trust is baked into the structure.
That trust is appropriate. It is also incomplete without a structural counterpart: access discipline.
Table of Contents
The Structure That Made This Fraud Possible
When a business confuses trusting someone with giving that person unrestricted visibility into how the back office works, it creates a fraud window that most financial controls are not built to catch. The relationship looks clean. The financials look clean. And the loss accumulates quietly, sometimes for a year or more, before anyone notices something is wrong.
This is not a property management problem. It is a back office architecture problem that shows up with particular frequency in property management, because the industry is structured around distributed locations, shared financial systems, and cultures of operational familiarity. Revenue comes from the front office. Profit is protected in the back office. When the back office has no access boundary, that protection disappears.
The accounting team at this property management company was not small. A controller, an assistant controller, two accounts payable clerks, and several staff accountants handled the books for properties across the country. A CPA partner came in quarterly to review the financials and sign off. For a mid-sized operation, this is a reasonable structure.
The controller had come up through the ranks of that company. She understood the mechanics of what needed to happen. She knew which reports to run, which accounts to reconcile, and how money moved through the system. She had learned the job by doing it, not by designing it. That distinction matters more than it looks.
One of the managed properties was based in Texas. The person running that property was well-known to the corporate team. She visited the corporate office, spent time with the accounting staff, and was walked through how things worked: which files they reviewed, how deposits were processed, what the approval workflow looked like, and where the receipts were supposed to go.
She was part of the family. So the team was open with her.
What they did not realize is that they had just handed her a map.

Why the Quarterly Financial Review Missed It
This is the part of the story that tends to surprise business owners, and it should not.
A CPA partner reviewing financials on a quarterly basis is looking at the accuracy of financial statements. The numbers are checked, the accounts are reconciled, and the reporting is confirmed to reflect what was recorded. That kind of review is designed to catch errors, misclassifications, and reporting gaps. It is also exactly what this company had.
What it is not designed to catch is someone who already knows exactly what the statements show and what they do not show.
The fraud in this case operated below the line the CPA was watching. Deposits were being manipulated at the transaction level, moving money between accounts before it ever reached the financial statements in a form that would raise a flag. The statements were clean. The reconciliations held. The CPA signed off.
That is not a failure of the audit. It is a demonstration of the audit's natural ceiling. A financial review confirms what the numbers say. It cannot tell you whether the underlying transactions that produced those numbers were legitimate, unless the review goes deeper than the statement level.
This is a distinction that most business owners have never been told.
The Two Operational Gaps That Created the Exposure
Business fraud through trusted access rarely happens because of one failure. It happens because two or three gaps operate at the same time and none of them is large enough to trigger an alert on its own. In this case, both gaps were structural. The 2026 ACFE Report to the Nations found that more than half of all occupational fraud cases involved either a lack of internal controls or an override of existing controls. That pattern held here.

Gap One: No Boundary on Operational Visibility
When the Texas property manager visited the corporate office, the team shared how they worked because she was a known, trusted contact within the network. That openness was a reflection of the company's culture.
What the team did not have was a framework for what operational information was relevant to a managed property versus what was internal to corporate. There is no reason a property manager needs to know which specific files the accounting team reviews, how deposits are routed through the system, or which line items get checked on a reconciliation. That knowledge is operational intelligence. In the wrong hands, it is a fraud playbook.
Transparency inside a business relationship should be scoped to what the other party needs to do their job. Everything beyond that scope is exposure, not generosity.
Gap Two: No Transaction-Level Verification
The second gap was the absence of any mechanism to verify transactions against source documents. There were no receipts stored in a shared location. There was no process for matching deposits to documentation before the money moved.
The fraud ran for approximately twelve to eighteen months before it was caught. That window existed because the only review in place, the quarterly audit, was working from summary-level data. By the time the numbers reached that level, the manipulation had already been absorbed into the figures.
Transaction-level verification is not an advanced control. It is a basic one. When every deposit has a corresponding receipt accessible to more than one person, the window for manipulation narrows significantly. When it does not, a person who knows the system can operate inside the gaps indefinitely.
These two gaps rarely exist in isolation. In businesses where one is present, the other usually is as well. The signs are recognizable:
External contacts, affiliates, or managed parties are walked through internal workflows as a matter of courtesy
Financial reviews happen at the statement level with no corresponding check at the transaction level
Receipts, deposit records, or payment confirmations are held by one person with no shared repository
Access to internal processes is granted based on relationship rather than functional need
No one has formally mapped what information each external party actually requires to do their job
In each of these situations, the gap is not visible until it is used. That is what makes this category of fraud particularly costly: the control that would have prevented it is also the control that would have told you the risk existed.
What the Business Put in Place After the Loss
After the fraud was discovered and the matter was referred to law enforcement, the company implemented a control that should have existed from the start: a shared folder where every receipt was required to be deposited, creating a paper trail that multiple people could access and verify.
This is a straightforward control. It requires no special technology. It requires a defined process, a clear ownership rule, and the discipline to enforce it.
The lesson is not that the company was negligent. The lesson is that the absence of this control was invisible until it was exploited. Nobody knew it was missing because the system had been working without it. That is how operational gaps survive in otherwise functional businesses. They do not announce themselves. They wait.

What a Properly Structured Back Office Would Have Caught Earlier
The question worth sitting with is not how the fraud was eventually discovered. It is what a different back office structure would have made possible from the beginning.
Transaction-level documentation accessible to more than one person compresses the fraud window. When a deposit cannot be moved without a corresponding receipt visible in a shared system, the manipulation that ran for eighteen months becomes much harder to sustain for eighteen weeks.
Access discipline, the practice of scoping what any external party or affiliate learns about internal processes, eliminates the informational advantage that makes this category of fraud possible in the first place. A property manager who does not know how corporate processes deposits cannot exploit that knowledge.
Neither of these controls is expensive. Both require something harder than money: a structured review of what the back office actually does, who has access to what, and where the verification gaps sit. That review is difficult to conduct from inside the organization. The people closest to the system are the least equipped to see what it is missing, not because they lack capability, but because proximity is a structural limitation. They built it. They live inside it. They cannot audit their own blind spots.
Access vulnerability does not end when someone leaves either. The same structural gaps that allow excess access going in are often the ones that leave access open on the way out. The pattern is consistent enough that it has its own post: employee access controls after termination.
AI cannot fill that gap either. An AI tool will document exactly what the owner describes. It will produce a clean, organized output. What it will miss is the approval step that creates a fraud exposure, the access boundary that was never defined, the receipt process that everyone assumed existed because nobody had ever needed it before.
The gaps that cost businesses the most are almost never the ones that show up on a checklist. They are the ones nobody thought to put on the checklist.
The Pattern Repeats
What made this situation particularly instructive is the detail that emerged after prosecution began: this was not the first time this had happened. The same person had done this before, at a previous organization, and had not been pursued.
Serial fraud of this type survives because businesses absorb the loss, move on, and do not pursue legal remedies. The reasons vary: embarrassment, legal cost, uncertainty about whether prosecution would succeed. The result is consistent. The person moves to the next organization and finds the same gaps, because the gaps are structural and the gaps are common.
Property management is not uniquely vulnerable to this. Any business with distributed locations, trusted affiliates, and informal information sharing carries this exposure. The industry is simply a clear illustration of how the conditions align.
The answer is not less trust. Trust is a reasonable starting point in business relationships. The answer is an operational structure that does not require trust to function correctly. Controls that work regardless of the relationship are the ones that actually protect profit.
According to the Association of Certified Fraud Examiners 2026 Report to the Nations, the median duration of occupational fraud before detection is twelve months. Fraud that exploits trusted relationships, where the perpetrator's presence suppresses suspicion, tends to run longer.
Free Resource: System Leak Audit
The System Leak Audit is a free, 15-minute diagnostic that identifies the five categories of back office gaps most likely to create financial exposure in businesses with 10 or more employees. If this post raised questions about what your current controls actually cover, this is the right place to start.
Frequently Asked Questions
What is business fraud through trusted access and how does it differ from other fraud types?
Business fraud through trusted access occurs when someone with legitimate access to an organization, whether an employee, affiliate, or managed property representative, uses operational knowledge gained through that relationship to manipulate financial processes. It differs from external fraud because the perpetrator already understands the system's internal structure, which processes are watched and which are not. This makes it harder to detect with standard financial controls, because those controls were designed to catch external intrusion, not internal exploitation.
Why does a quarterly financial review by a CPA not catch this type of fraud?
A quarterly review by a CPA partner confirms that the financial statements are accurate and that the recorded transactions reconcile correctly. It is not designed to verify whether the underlying transactions were legitimate, particularly when those transactions have been manipulated before they reach the statement level. Fraud that operates below the financial summary, moving money between accounts before any reports are generated, does not typically leave a visible signature on a well-prepared income statement or balance sheet.
What does access discipline mean in practice for a property management company?
Access discipline means defining a boundary between what information is operationally relevant for a managed property and what is internal to corporate. A property manager needs to know how to submit deposits, how to request approvals, and what documentation is required. A property manager does not need to know which specific files the accounting team reviews, how the corporate system routes transactions, or what the reconciliation workflow looks like. Scoping information sharing to functional need removes the informational advantage that enables this category of fraud.
How long does this type of fraud typically go undetected?
According to the Association of Certified Fraud Examiners 2026 Report to the Nations, the median duration before detection across all fraud categories is approximately twelve months. Fraud that exploits trusted access tends to run longer than fraud committed by unknown parties, because the relationship itself suppresses suspicion. When a known and trusted contact is involved, discrepancies that might prompt a question are more likely to be attributed to error or system issues rather than deliberate manipulation.
What is the minimum control structure that prevents this type of exposure?
Two controls address the majority of the exposure. First, transaction-level documentation accessible to more than one person: every deposit, payment, or fund transfer has a corresponding source document stored in a location where at least two people can view and verify it. Second, defined access boundaries for external parties and affiliates: what operational information is shared is determined by function, not by relationship. Neither requires advanced technology. Both require a structured review of how the back office currently operates and where the verification gaps exist.
Is Your Back Office Built to Catch What Your Financials Miss?
The fraud described in this post ran for over a year inside a company with a full accounting team, a quarterly CPA review, and no obvious red flags. The controls in place were real. They were just watching the wrong level of the process.
This pattern shows up across industries, not just in property management. The structure that creates the exposure, trusted relationships without scoped access and financial reviews without transaction-level verification, is common. It is also correctable.
The starting point is understanding what your back office currently covers and where the gaps sit. That is the conversation Praxis Hub's Business Process Improvement service is built around.
The Back Office Brief
Get a weekly insight connecting back office operations to profit. Delivered every week, free.





Comments