(This post originally appeared on Entrepreneur)
A Microsoft employee was charged this week with stealing $10 million from the company over the course of two years. How did he do it? Believe it or not, it wasn’t that hard.
According to court documents, the employee, a 26-year-old Ukrainian named Volodymyr Kvashuk, worked as an engineer for the technology giant. His main job was to test Microsoft products, specifically by placing mock online orders to make sure the system was running as designed.
Of course, Kvashuk was unable to receive any of the fake orders he placed for testing purposes. But he noticed a flaw: He could place a real order for a virtual gift card and that gift card would then be sent to his test account. Ka-ching! He could then use the gift card as real money to purchase Microsoft products.
And purchase he did. He used his store credit to buy software subscriptions and other Microsoft items, including hardware. But that’s kind of boring, right? So naturally, the intrepid Kvashuk grew bolder. He figured out how to cash out his store credit into Bitcoin — which Microsoft’s online store accepts — and then convert the digital currency into hard cash using online exchange service Coinbase. This is not rocket science.
Oh, then he bought a Tesla and waterfront property, and that’s not so boring at all!
So how was the scheme uncovered? Court documents don’t say specifically, but it appears that as the need to cover his tracks became more urgent, Kvashuk started using the credentials of fellow employees that he was able to access from a shared worksheet to move money out and around to his own account. And of course, I’m surmising that people noticed the Tesla, as well as other signs of him living beyond the means of a typical engineer. People probably got suspicious, and those suspicions turned into an investigation. In the end, he was sentenced to nine years and ordered to make restitution.
Now, you may be wondering how this could happen to one of the world’s biggest technology companies, one that employs thousands of the best and the brightest and can well afford to implement the tools and internal controls necessary to avoid being embezzled. That’s a good question, and I’m pretty certain there are more than a few internal auditors at Microsoft who are being flogged. But enough about them. What’s even more important is this: if Microsoft can so easily get embezzled out of $10 million by one guy working out of a cubicle in Washington state, what about your little business?
Maybe it’s time for you to review your company’s internal controls. Like making sure that key duties over your money — receiving, paying and recording — are not concentrated with just one person. Or closely reading your financials and ledgers each month and keeping a lookout for any anomalies. Or having an outside person do your bank reconciliations, and believing your eyes if you see an employee — particularly someone in finance or IT — who appears to be living beyond their means, like Kvashuk.
Most importantly, you should require (yes, require) that all employees take mandatory vacations twice a year and train other people to cover their jobs. Don’t take no for an answer, and don’t be fooled by the “hard working” employee who never takes a day off. Problems, oftentimes theft, get discovered when someone is doing someone else’s job. It’s a basic, yet powerful internal control.
In case you’re worried, Microsoft will be just fine. Ten million to them is like petty cash to you. By the way … who’s looking after your petty cash?