A former employee walks back into a business where he no longer works. He steps behind the counter, uses the register, processes 800 transactions, and routes $80,000 in refunds to his own personal credit cards. Nobody stops him. The system lets him in.

This is not a technology failure. The Grapevine, Texas Chick-fil-A case that made national headlines in April 2026 is a back office failure. And the specific failure is one of the most overlooked in growing businesses: employee access controls after termination were never closed.

What Actually Happened in Grapevine

Keyshun Jones was terminated from a Chick-fil-A franchise in Grapevine, Texas in October 2025. The following month, surveillance footage recorded him standing behind the counter at the same restaurant, using the register as if he still worked there. He rang up 800 orders of macaroni and cheese trays and refunded each one to his personal credit cards. The total: just over $80,000. He was arrested in April 2026 after evading authorities for several months and now faces charges of property theft, money laundering, and evading arrest.

The question that belongs in every business owner's mind right now is not "how did someone steal $80,000 in mac and cheese refunds?" The question is: could a terminated employee access my systems today?

The Access Gap Most Businesses Don't Know They Have

Here is what typically happens when an employee is let go from a growing business. HR or the owner handles the conversation. Maybe they collect a key card or a set of keys. There is paperwork. The employee leaves the building. That feels like the offboarding is complete.

What does not happen in most businesses is a structured sweep of every system that employee could still access. Point-of-sale systems. Scheduling software. Inventory platforms. Vendor portals. Email accounts. Refund and return authorization tools. Each one is a potential open door, and in businesses with 10 to 100 employees, those doors are almost never all confirmed closed on the day someone is let go.

In my experience across different industries, the condition that makes this kind of fraud possible is rarely a sophisticated scheme. It is the absence of a process. The fraud did not require skill. It required only that no one had closed the door.

In the Grapevine case, the former employee did not hack anything. He walked in and used a system that had never removed him.

Why Refund Fraud Is a Back Office Problem, Not a Security Problem

There is a tendency to look at a story like this and reach for a technology solution. Better cameras. A smarter POS system. Access badges with stricter permissions. Those things matter, and they are not the root of the problem.

The root of the problem is that no process existed to ensure termination triggered a complete access review. That is a back office design issue. It lives in the offboarding workflow, or more precisely, in the absence of one.

Refund authority is one of the highest-risk permissions in any retail or service business. It allows a user to move money out of the business without a corresponding sale. When that permission is attached to an employee account that was never deactivated after termination, the exposure does not disappear when the person walks out the door. It stays open, silently, until someone uses it or someone thinks to check.

The Association of Certified Fraud Examiners also reports that the typical occupational fraud scheme runs for 12 months before it is detected. Twelve months of transactions running through an account that should have been closed on day one of termination.

Employee Access Controls After Termination: What the Gaps Look Like

This pattern shows up across industries. The particulars change. The underlying gap is almost always the same: offboarding is treated as a conversation and a handshake, not a structured process with a completion checklist.

In businesses without a formal termination protocol, these are the gaps that remain open longest:

• POS and register credentials tied to an employee ID that was never deactivated

• Refund, void, or discount authorization levels still active in the system

• Vendor portal logins associated with a personal email the business no longer monitors

• Scheduling or operations software where the employee still has manager-level permissions

• Shared passwords that were never changed after the employee's last day

• Physical access through a key code or fob that was never disabled or rotated

Each of these is a control gap. None of them requires sophisticated effort to exploit. They require only that someone with prior knowledge of the system decide to use it.

Revenue comes from the front office. Profit is protected in the back office. And when the back office has no structured process for closing access after termination, profit is exposed to anyone who ever had a login.

Revenue Comes from the Front Office. Profit Is Protected in the Back Office.

The Grapevine case looks like a crime story. It is also a financial story, and the financial story is the more instructive one for any business owner reading this.

An $80,000 loss is visible. It shows up eventually, whether in reconciliation, in an audit, or in a police report. What does not show up as easily is the cumulative, smaller version of this happening inside businesses that have no idea it is occurring. A former employee with refund access processing a few hundred dollars a week. A terminated manager still logging into a vendor portal and redirecting payments. A part-time worker whose discount authorization was never removed.

The Before You Hire Your Next Employee post on this blog covers what needs to be in place before a person joins your business. The less-discussed side of that question is what needs to happen when they leave. Hiring has a process in most businesses, even an informal one. Offboarding, in most businesses with under 100 employees, does not.

That asymmetry is where the exposure lives. Across different industries, I have seen businesses invest significantly in hiring, onboarding, and training, and then end employment with a handshake and a wish of good luck. The systems that person touched during their tenure stay exactly as they left them.

The financial risk of that is not hypothetical. It is documented, and in Grapevine, it was caught on surveillance footage.

Why Outside Perspective Helps

When you are running a business with 15, 30, or 60 employees, the operational details are everywhere. You are inside the work every day. The things that feel complete to you, including who has access to what, often feel complete because nothing has gone wrong yet. That is a proximity issue, not a competence issue.

The business owner in Grapevine was not negligent by intent. No owner terminates someone and thinks: I should leave their POS credentials active and their refund access open. The oversight happens because offboarding is not mapped as a process with a checklist, a responsible party, and a confirmation step. It is handled person by person, each time, from memory.

A business process improvement engagement looks at exactly this kind of gap, not just the fraud exposure, but the dozens of other handoff points where the absence of a structured process is quietly costing money. AI can document a process once you describe it. It cannot see the controls you forgot to mention because you did not know they were missing. That requires someone who has seen enough broken back offices to recognize what is absent, not just what is present.

Free Resource: System Leak Audit

The access control gap described in this post is one of five categories covered in the System Leak Audit. It is a free, self-scoring diagnostic built for business owners who want to see where their back office has exposure before that exposure shows up in a loss, a reconciliation gap, or a police report.

The audit takes about 15 minutes and covers the five most common areas where growing businesses leak profit without knowing it.

Get the System Leak Audit and see where your business stands.

Ready to Talk About What Is Open in Your Business?

If this post raised questions about what is actually closed in your back office, that is worth a conversation. The gaps described here are not unusual. They are common in growing businesses, and they are fixable with the right structure in place.

Frequently Asked Questions

What are employee access controls after termination, and why do they matter?

Employee access controls after termination are the steps a business takes to revoke a former employee's ability to access company systems, tools, accounts, and physical spaces once their employment ends. They matter because most businesses use multiple platforms, including POS systems, scheduling software, vendor portals, and communication tools, and each one represents a potential point of exposure if access is not explicitly removed. The Grapevine Chick-fil-A case illustrates what happens when those controls are not in place: a terminated employee used an active register login to process $80,000 in fraudulent refunds.

How long after termination do access risks typically exist?

As long as the access exists. There is no automatic expiration on most system credentials. If an employee's login was never deactivated, it remains active indefinitely. The ACFE's 2024 Report to the Nations found that the typical occupational fraud scheme runs for about 12 months before detection. In many cases, the fraud was enabled by access that had simply never been revoked.

What systems should be included in a termination access review?

The review should cover every system the employee touched during their tenure. This includes point-of-sale and payment systems, refund and void authorization tools, inventory platforms, scheduling software, vendor and supplier portals, company email accounts, shared drives, communication tools, and any physical access credentials such as key codes, fobs, or alarm codes. The specific list will vary by business, which is why a documented offboarding checklist tailored to each role is more reliable than a general policy.

Is this only a risk for retail businesses?

No. The retail setting in the Grapevine case makes the fraud visible, but the underlying vulnerability exists in any business where employees have system access tied to financial transactions. Service businesses, professional firms, healthcare practices, logistics operations, and any company using digital platforms with authorization levels are all exposed to the same category of risk when offboarding does not include a structured access review.

How does a business process improvement engagement address this type of risk?

A business process improvement engagement maps the actual workflows in a business, including how employees are onboarded, what access they receive, and what happens operationally when employment ends. Most businesses discover during this process that their offboarding has no formal owner, no checklist, and no confirmation step. The engagement identifies those gaps and builds the structure to close them, so that termination triggers a consistent, documented process rather than a case-by-case memory exercise.

The Back Office Brief

Get a weekly insight connecting back office operations to profit. Delivered every week, free.