Home / Insights / Signs of Internal Theft

Signs of Internal Theft Every South African Employer Should Know

Back to Insights
Internal theft chart showing tips at 43 percent, other detection methods at 57 percent, revenue loss at 5 percent and 12 median months before detection.

Most internal theft isn't caught by a camera. It's noticed by a person who felt that something was off, long before anyone could prove it. By the time the numbers confirm the suspicion, the loss has usually been running for months. So how do you spot it sooner?

That gap between "something feels wrong" and "we can prove it" is where South African employers lose the most money. Occupational fraud costs a typical organisation about 5% of revenue every year, and a scheme runs a median of 12 months before it is detected (ACFE Report to the Nations 2024). The signs that surface first are rarely the ones your controls are built to catch, which is a big part of why they get missed. Below: what to watch for, and how to act on it lawfully once you do.

Further reading: what an undercover audit is and how it works.

TL;DR: Internal theft costs organisations roughly 5% of revenue a year and typically runs about 12 months before detection (ACFE 2024). The earliest signs are behavioural and procedural, not caught on CCTV. Tips remain the single most common way fraud is discovered. Acting on suspicion the wrong way can hand the employee a labour-law victory, so evidence discipline matters as much as detection.

What does internal theft actually cost a South African business?

Internal theft costs far more than the value of what leaves the building. Organisations lose about 5% of annual revenue to occupational fraud, and the median case runs 12 months before it is caught (ACFE 2024). In Southern Africa specifically, one study of more than 400 regional cases put the average loss at roughly R2 million per case (BusinessTech, 2023).

The real cost compounds with time. The longer a scheme runs undetected, the deeper the loss, and the maths gets ugly fast.

How long the fraud ran before detectionRelative median loss per case
Caught within 6 monthsBaseline
Ran for 25 to 36 monthsRoughly 8x larger
A scheme left to run two to three years cost roughly eight times more than one caught within six months. Source: ACFE Report to the Nations 2024 (1,921 cases across 138 countries).

The pattern in that table is the case for early detection. A loss caught in the first six months is a fraction of the same scheme left to run for two years. And the direct theft is only part of it. Add the management time, the disciplinary process, the possible CCMA or Labour Court proceedings, and the damage to workforce trust, and the total exposure is far larger than the missing stock or cash.

The scale is easy to underestimate. In the healthcare sector alone, fraud, waste and abuse are estimated to drain about R30 billion a year, close to 15% of medical-scheme spend (Business Day, 2026). Concealment is the point of these schemes, which is why the total is always larger than what anyone first suspects.

Sick-leave abuse shows how these invisible losses add up. Absence from work is estimated to cost the South African economy between R12 billion and R16 billion a year (BusinessTech, 2023).

Further reading: how an undercover audit works.

What are the warning signs of internal theft?

The clearest signs of internal theft are behavioural and procedural, not the act itself. Most schemes surface through a tip rather than a control: tips account for 43% of fraud detections, the single largest category, ahead of internal audit and management review combined (ACFE 2024). People sense it before any system does.

How occupational fraud is first detected Tips account for 43 percent of fraud detections, the single largest category. All other methods combined account for 57 percent. Source: ACFE Report to the Nations 2024. A tip finds more fraud than any control 43% from a tip Tips: 43% All other methods: 57%
How occupational fraud is first detected, global data. Source: ACFE Report to the Nations, 2024.

The signs below rarely prove anything on their own. A single red flag isn't evidence of theft. A cluster of them, especially around the same person or process, is a reason to look more closely. Part of why they go unread is that most companies never map their own exposure: only 59% of South African firms ran an enterprise-wide fraud-risk assessment in the past year (PwC Global Economic Crime Survey, 2024).

Behavioural red flags

Watch for the employee who never takes leave, refuses to hand over duties, or insists on personally handling a task that should rotate. Fraud often depends on one person controlling a process from start to finish, so time away risks someone else noticing. Living visibly beyond a known salary, bristling at routine questions, or resisting an audit are all worth a note.

Operational and financial red flags

Look at the process, not just the person. Recurring stock variances that never quite reconcile, write-offs that cluster around one department, suppliers nobody can place, and credits or refunds processed outside normal patterns are common markers. Missing or altered documentation, round-number adjustments, and transactions timed to quiet shifts or month-end all deserve a second look.

Relationship and access red flags

Some of the most damaging schemes involve collusion, where two or more people cover for each other. A buyer who is unusually close to a single supplier, a receiving clerk who always works the same shift as a particular driver, or staff who resist separation of duties can all signal a relationship being used to move value out of the business. Forensic specialists call collusion between insiders and outsiders a real problem in South African organisations (Daily Maverick, 2026). Access that quietly expands beyond a role, and credentials shared "to save time," widen the opening.

Next step: request the free Loss-Risk Assessment.

Why do cameras, guards, and controls miss employee theft?

Cameras, guards, and audits miss employee theft because the costliest schemes stay inside the rules those controls check. South Africa has over 2.6 million registered security officers and 12,059 security businesses, yet insider schemes still slip past them (PSIRA 2023/24). A camera records what happens; it can't tell you the clerk and the driver have an arrangement.

As Fidelity Services Group CEO Wahl Bartmann put it, "cameras and guards alone do not reduce loss. What reduces loss is visibility supported by processes" (Business Explainer, 2026).

Two blind spots matter most. The first is collusion: when people work together, each can pass the checks that assume a single dishonest actor. The second is the planted or recruited insider, and that is where South African employers are most exposed.

Criminal networks don't always break in from outside. They recruit from within. In the logistics sector, syndicates recruit insiders across the transport chain, often low-paid staff, who leak schedules, routes, and cargo details so thefts can be timed to the most vulnerable points in a journey (DigitFMS, 2026). The same pattern reaches into financial services. Forensic expert Albert van Zyl of the North West University Business School has said that "criminal syndicates target and deploy people to infiltrate" organisations, and that collusion between insiders and outsiders is a definite issue (Daily Maverick, 2026).

There's a third reason the costliest schemes run so long: few companies have a yardstick to measure against. Most never run an enterprise-wide fraud-risk assessment, so the anomaly that should stand out has nothing to stand out from.

Enterprise-wide fraud risk assessment in South Africa 59 percent of companies ran an enterprise-wide fraud risk assessment in the past year, 12 percent plan to, and 29 percent did neither. Source: PwC Global Economic Crime Survey 2024. Most companies never measure their own exposure 59% 12% 29% Ran an assessment Plan to Did neither
Enterprise-wide fraud risk assessment, South African respondents. Source: PwC Global Economic Crime Survey, 2024.

The mismatch is the point. A periodic audit and a fixed camera both assume the threat is an outsider or a lone opportunist. A recruited insider is neither. They know the audit schedule, the camera angles, and the reconciliation rhythm, because reading those controls is part of the job they were placed to do. The warning signs are usually there; they just aren't spotted in time, which is how businesses get blindsided by behaviour they could have caught earlier (KYC Africa, 2025), an account that matches forensic descriptions of insider facilitation in South African banks (Daily Maverick, 2026). Catching that kind of threat takes human intelligence inside the same workforce, not another device pointed at the door.

Related: how covert human intelligence differs from cameras.

What should you do when you spot the signs of internal theft?

When you spot the signs, resist the urge to confront the person or act on suspicion alone. How you investigate decides whether the case holds, and a rushed response is costly: a POPIA breach carries an administrative fine of up to R10 million (Bowmans, 2023), on top of the original loss.

The first move matters, and it is rarely the one instinct reaches for.

1. Contain, do not confront

Keep the suspicion tight. Tipping off the subject destroys evidence and, if you're wrong, exposes you to a defamation or unfair-labour-practice claim. Discretion protects the case and the workforce.

2. Preserve and document

Secure the relevant records, system logs, and physical evidence with a clear chain of custody. Evidence that withstands legal scrutiny is corroborated, properly documented, and gathered through a sound procedure, not a single test or a hunch. Weak or hearsay evidence is a leading reason employer cases are overturned on review (Labour Guide). In one reported matter, two warehouse workers dismissed over missing cigarette stock were reinstated because a failed polygraph stood alone, with nothing to corroborate it (SAFLII, 2014).

3. Investigate lawfully

Any investigation must stay within POPIA and RICA. Consent must be informed and specific, monitoring must be proportional and serve a genuine business need, and private spaces such as changing rooms remain off limits (Polity, 2025). RICA adds real teeth: unlawful interception of communications is a criminal offence carrying a fine of up to R2 million or ten years in prison (Michalsons). Get this wrong and you've created a second legal problem on top of the theft.

4. Use the right method for the risk

Where you suspect collusion or a planted insider, covert human intelligence inside the workforce sees what a device cannot. A properly run undercover audit gathers corroborated, defensible evidence while the scheme is still active, which is when it's easiest to prove. Used correctly, a polygraph can support that evidence, but only ever as corroboration, never as the sole basis for action (Consolidated Employers Organisation; the courts confirmed as much in Goldplat Recovery v CCMA, De Rebus, 2021).

Related: how an undercover audit gathers defensible evidence.

Frequently asked questions

What is the most common sign of internal theft?

There's no single tell, but the most reliable early signal is a tip. Tips account for 43% of fraud detections, ahead of any control (ACFE 2024). In practice, unexplained stock variances and an employee who refuses to take leave or hand over duties are among the operational signs seen most often.

How long does internal theft usually go undetected?

A typical occupational-fraud scheme runs a median of 12 months before it's caught (ACFE 2024). The longer it runs, the larger the loss: a scheme left to run two to three years costs roughly eight times more than one caught within six months.

Can I dismiss an employee based on a polygraph test?

No. A dismissal can't rest on a polygraph result alone, because it lacks the corroborating evidence needed to discharge the employer's onus under the Labour Relations Act (Consolidated Employers Organisation). A polygraph can support other evidence, but it can't stand as the sole basis for disciplinary action. Why polygraph-only dismissals fail at the CCMA.

Is it legal to investigate an employee covertly in South Africa?

It can be, when done within POPIA and RICA. Monitoring must be proportional, serve a genuine business need, and avoid areas with a reasonable expectation of privacy (Polity, 2025). A lawful, purpose-limited method is what separates a defensible investigation from one that creates fresh legal exposure. How to investigate within POPIA and RICA.

Why do cameras and guards not stop internal theft?

Because the costliest schemes are built to pass the checks those controls run. Collusion and recruited insiders operate inside the rules a camera or audit assumes an outsider will break. As Fidelity Services Group CEO Wahl Bartmann put it, "cameras and guards alone do not reduce loss" without the visibility and processes behind them (Business Explainer, 2026).

Key takeaways

  • The signs that show up first are human, not technical. Behavioural and procedural red flags surface before any system does, and a tip is still the most common way fraud gets found (ACFE 2024).
  • Time is the multiplier. A scheme caught early costs a fraction of one left to run for years, so acting on the first cluster of signs pays for itself.
  • Standard controls miss collusion and planted insiders, because cameras and periodic audits are built for a lone outsider, and a recruited insider knows exactly what they check.
  • How you investigate decides whether the case holds. Corroborated, properly documented evidence gathered lawfully within POPIA and RICA is what withstands legal scrutiny.

If the signs in this guide feel familiar, the safest next step is a quiet, expert look before the loss compounds further. Trio Data offers a free, confidential Loss-Risk Assessment that helps you gauge your exposure without committing to a full investigation. To understand how covert evidence is gathered lawfully and defensibly, see our undercover audits explained, or start a confidential enquiry to speak with our team in confidence.

Take a quiet look before the loss compounds

Trio Data offers a free, confidential Loss-Risk Assessment that helps you gauge your exposure without committing to a full investigation, and shows you how covert evidence is gathered lawfully and defensibly.

Enquire Confidentially