Law firm embezzlement prevention isn't a topic most managing partners think about until it's too late. The American Bar Association estimates that law firms lose billions annually to internal theft, and the majority of perpetrators are the people trusted most: bookkeepers, office managers, and accounting staff. If your firm has a single person handling deposits, writing checks, and reconciling the bank statement, you have a problem — whether you know it yet or not.
At Steph's Books, we've onboarded law firms that discovered six-figure losses hidden behind years of sloppy bookkeeping. The patterns are remarkably consistent. This guide breaks down exactly how bookkeeper theft happens in law firms, the warning signs you're missing, and the internal controls that actually prevent it.
Bookkeeper theft at law firms doesn't look like a masked burglar cracking a safe. It's subtle, systematic, and exploits the trust that small and mid-size firms give to a single person who "handles the money." Here are the four schemes we see most often.
This is the most dangerous scheme because it involves client funds held in trust. The bookkeeper transfers small amounts from the IOLTA to the operating account (or directly to themselves), then juggles client balances to hide the shortfall. By the time a client demands their retainer balance, the money isn't there.
The reason this works: most managing partners don't personally review IOLTA reconciliations. They trust the bookkeeper's monthly summary, which the bookkeeper controls.
The bookkeeper writes checks to themselves, to a shell company, or to a family member. They record the payment in QuickBooks as a legitimate vendor expense — office supplies, IT services, or "legal research." A $2,000 check to "ABC Consulting" every month doesn't raise flags when nobody's reviewing the vendor list.
This one is embarrassingly simple. The bookkeeper submits personal expenses as firm expenses — gas, meals, Amazon purchases, subscriptions. They approve their own reimbursements. At a 10-attorney firm, an extra $500–$1,500 per month in fake reimbursements can go undetected for years.
Ghost employees, inflated hours, or unauthorized bonuses. The bookkeeper adds a phantom employee (often using a relative's Social Security number) and collects the extra paycheck. Or they simply increase their own salary by small increments, counting on the fact that no partner reviews the payroll register line by line.
Every embezzlement case we've seen had warning signs that were ignored. Not because the partners were careless — but because they were busy practicing law and trusted someone else to handle the finances. Watch for these red flags:
| Warning Sign | What It Really Means | Severity |
|---|---|---|
| Bookkeeper never takes vacation | They can't risk someone else seeing the books | High |
| Bank reconciliations are "pending" or late | Discrepancies are being hidden or juggled | Critical |
| Vendors you don't recognize on the check register | Possible shell company or unauthorized payee | High |
| Client complaints about trust balance discrepancies | Funds may have been diverted from IOLTA | Critical |
| Bookkeeper gets defensive about financial questions | They're protecting access to the scheme | Medium |
| Rising expenses without a clear business reason | Padded reimbursements or unauthorized spending | Medium |
| Bounced checks or unexpected overdrafts | Cash is leaving the account through unauthorized channels | High |
| Bookkeeper insists on handling all mail | Intercepting bank statements and vendor notices | High |
Critical: If your bookkeeper hasn't taken a single vacation day in over a year and insists they're the only one who can "handle the books," that's not dedication. It's a red flag. Require at least one week off annually where someone else reviews the accounts.
Prevention isn't complicated. It requires separation of duties — making sure no single person controls the entire financial chain. Here's the checklist every law firm should implement immediately.
The person who creates payments should never be the same person who reconciles the bank statement. This is the most fundamental internal control in accounting, and it's the one most small law firms violate. If your bookkeeper does both, you have no verification layer.
Set your bank account to require two signatures (or two online approvals) for any payment above a threshold. $500 is a good starting point for most firms. This prevents unauthorized checks and ACH transfers without adding friction to routine expenses like postage or coffee.
A managing partner should personally open and review bank statements every month. Not the bookkeeper's summary — the actual bank statement. Look at every payee. Flag anything you don't recognize. This takes 15 minutes and is the single most effective deterrent.
Your IOLTA reconciliation should be performed or verified by someone other than the person who deposits and disburses trust funds. This is where bank reconciliation discrepancies hide the most dangerous problems. Cross-reference the three-way reconciliation: bank balance, book balance, and individual client ledger balances.
Hire an outside CPA or bookkeeping firm to perform an unannounced review of your books twice a year. Not a full audit — just a spot check of bank reconciliations, vendor payments, payroll registers, and trust account balances. The cost is typically $1,500–$3,000 per review. Compare that to the average embezzlement loss of $150,000+.
Here's the uncomfortable truth: most small and mid-size law firms don't have enough staff to properly separate duties. You can't split the bookkeeping role across three people when you only have one office manager. That's exactly why outsourced bookkeeping exists.
When you outsource your bookkeeping to a firm like Steph's Books, you get built-in separation of duties by design:
This isn't just a nice theory. It's the reason the Association of Certified Fraud Examiners recommends third-party financial oversight as one of the top anti-fraud controls.
| Control | In-House Bookkeeper | Outsourced Bookkeeping |
|---|---|---|
| Separation of duties | Rarely possible with 1-2 staff | Built into the service model |
| Independent reconciliation | Self-reviewed (no verification) | Third-party verification every month |
| Check/payment authorization | Often single-signer | Firm retains payment authority |
| IOLTA oversight | Same person deposits and reconciles | Independent reconciliation by outside team |
| Surprise audit readiness | May resist or delay | Books always audit-ready |
| Cost of fraud prevention | Additional staff or CPA reviews | Included in monthly service fee |
If you're reading this because something already feels wrong, here's your action plan. Don't confront the suspected employee. Don't tip them off. Move deliberately.
Change online banking passwords. Remove the suspected person's access to QuickBooks, bill pay, and credit cards. Do this after hours or over a weekend. Contact your bank and request copies of all statements, canceled checks, and transaction records for the past 36 months.
Not your regular CPA. A forensic accountant specializes in tracing stolen funds and documenting losses for legal proceedings. They'll review bank records, vendor payments, payroll, and trust accounts. Expect to spend $5,000–$15,000 depending on the complexity and time period.
If client trust funds were affected, you have an ethical obligation to report the loss. Your malpractice insurer may cover some of the client losses. Contact them before you contact the bar — they can advise on the proper disclosure process.
File a police report. Embezzlement is a criminal offense. You'll need the forensic accountant's findings to support the case. Also check whether your firm has a fidelity bond or crime insurance policy — this is the insurance specifically designed to cover employee theft.
After the crisis, implement the 5-point checklist above. Engage an outsourced bookkeeping firm for ongoing oversight. Review your accounting method to ensure your financial reporting accurately reflects the firm's position going forward.
Let's put actual numbers on this. The Association of Certified Fraud Examiners reports that the median loss from occupational fraud is $117,000, and schemes last an average of 12 months before detection. For law firms specifically, the risk is compounded by trust account exposure — meaning the loss isn't just your money, it's your clients' money.
| Cost Category | Typical Range |
|---|---|
| Direct theft (median) | $50,000 – $200,000 |
| Forensic accounting investigation | $5,000 – $15,000 |
| Legal fees (prosecution/recovery) | $10,000 – $50,000 |
| Client trust fund replenishment | Varies (potentially unlimited) |
| Bar disciplinary costs | $5,000 – $25,000+ |
| Reputational damage | Incalculable |
| Outsourced bookkeeping (prevention) | $500 – $2,000/month |
Professional outsourced bookkeeping for a law firm typically runs $500–$2,000 per month. Even at the high end, that's $24,000 per year — a fraction of what a single embezzlement event costs. Prevention is always cheaper than recovery.
Ready to protect your firm? Steph's Books specializes in bookkeeping for law firms with built-in internal controls, independent IOLTA reconciliation, and monthly financial reporting. Get an instant quote to see what professional oversight costs for your firm.
Get a free quote and see how Steph's Books can save you 40-60% vs hiring in-house.
