There’s a lot of noise right now about people using ChatGPT to fake receipts and commit expense fraud. But here’s the thing: blaming AI is a distraction, writes Sam Spencer.
There’s a lot of noise right now about people using ChatGPT to fake receipts and commit expense fraud. But here’s the thing: blaming AI is a distraction. ChatGPT isn’t the problem. As a business owner, this is one of the easiest things to fix. You don’t need cutting-edge tech. You need common sense and clear systems.
1. Just give people a per diem
Want to eliminate fake expenses? Make it boring. If someone is travelling for work, give them a daily allowance. Done. You instantly remove the incentive to invent meals or doctor Uber receipts, because what you pay no longer depends on what a receipt says. If they eat Macca’s and pocket the difference? That’s fine. You’ve saved the verification and admin cost. Even better, the Australian Taxation Office publishes reasonable travel allowance amounts each year, so you have a ready-made benchmark for setting the rate instead of arguing over individual receipts.
2. No receipt, no reimbursement
For reimbursements that fall outside of travel, adopt a “no receipt, no reimbursement” policy, and insist on the original, itemised receipt rather than a screenshot or a summary. Simple. Clear. Defensible. Where practical, match the receipt to the statement line on the card it was paid with: a fabricated receipt, AI-generated or otherwise, rarely has a real transaction behind it.
3. Require approvals – clearly
Then go one step further. Write down which purchases require approval, above what amount, and from whom. Most businesses I talk to don’t even have this documented, which opens up a whole world of ambiguity and opportunity for misuse.
The real risk is human: Understanding the fraud triangle
Let’s be blunt: If someone is going to defraud your business, that’s not a technology problem; it’s a people problem, because you have someone who thinks it’s OK to steal from you. Expense fraud comes down to human behaviour, spurred on by three factors known collectively as the fraud triangle. The model was formulated by criminologist Donald Cressey, building on Edwin Sutherland’s work, and later popularised by fraud examiner Steve Albrecht. It’s something I am writing about in my upcoming book, Mostly Quadrants:
- Pressure: People have an external pressure that requires them to defraud the company. It could be financial stress, mounting debts, a gambling problem, or even personal blackmail. The pressure might be real, or just perceived – but it’s powerful enough to push someone towards risky behaviour.
- Opportunity: People have the opportunity to perform a bad action. The person has the access and ability to commit fraud. Maybe they can submit reimbursements without oversight or make payments without approval. Lack of checks and balances is what creates opportunity.
- Rationalisation: People feel they deserve what they will steal from the company. This is the internal story someone tells themselves to justify fraud. “I’m underpaid.” “They owe me.” “Everyone does it.” This is often the hardest factor to detect, and the most dangerous.
A good finance and HR team should review expenses anyway and look for things that are out of the ordinary – not just from a finance perspective, but also from a people perspective.
Want a great example of the fraud triangle in action? Look no further than Jurassic Park. Spoiler alert for those who haven’t read the book or seen the movie. The park’s IT systems were designed and controlled by Dennis Nedry, an overworked and underpaid systems engineer. As a result, there were:
- Opportunity: Nedry had full, unrestricted control over Jurassic Park’s digital infrastructure. He built the security systems, managed user access, and was the only one who truly understood how everything was wired. No oversight. No backup. No redundancy. Just one guy with the keys to the kingdom.
- Pressure: Despite CEO John Hammond’s catchphrase, “Spare no expense”, he actually spared quite a lot when it came to IT. Nedry wasn’t paid properly and still had to fund his offshore development team. This financial pressure made him vulnerable to an outside offer: a shady biotech firm promising a big payday in exchange for stealing dinosaur embryos.
- Rationalisation: From his perspective, Nedry felt he was being taken advantage of. Underpaid, underappreciated, and left to carry the weight of the park’s infrastructure. So he decided to get what he “deserved” by installing a secret backdoor into the system, disabling security, and smuggling out stolen embryos.
And the result? A theme park full of escaped dinos and ensuing chaos and carnage. The entire park collapsed, all because one guy had too much access, too little support, and no reason to stay loyal.
Mitigating fraud risk
The good news is that breaking the fraud triangle is possible. Remove any one of the three pillars, and fraud risk plummets.
Limit opportunity
Opportunity is where your business has the most control – and where most organisations drop the ball. Implement two-person approvals for key financial actions, and never let anyone approve their own claim. Keep clear documentation about who has access to what, when, and why, and grant no more access than the role needs. Implement audit trails and version control so every action can be traced, and revoke access promptly when someone changes roles or leaves the business. Good governance isn’t just bureaucracy. It’s protection.
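The controls above (a documented approval matrix, no self-approval, two distinct approvers above a threshold, receipts required outside travel, a flat per diem for travel, prompt revocation and an append-only audit trail) are easy to encode as rules, which is the point: a system that refuses a self-approved or unreceipted claim removes the opportunity regardless of how convincing the receipt looks. The following is an added example, not code from the article or from Aristotle Metadata; the names, roles and dollar figures are hypothetical, and the per diem is an assumed value rather than the ATO’s published rate.

```python
"""Added example (not from the article or Aristotle Metadata): a minimal
expense-approval workflow enforcing separation of duties, two-person
approval above a threshold, no receipt / no reimbursement for non-travel
claims, a flat per diem for travel, access revocation and an append-only
audit trail. All names, roles and dollar figures are hypothetical."""

from dataclasses import dataclass, field

# Hypothetical policy values (assumed; not the ATO's published rates).
PER_DIEM_AUD = 120.0               # flat daily travel allowance
DUAL_APPROVAL_THRESHOLD = 500.0    # above this, two distinct approvers
APPROVAL_LIMITS = {"manager": 1000.0, "finance": float("inf")}  # role -> max


@dataclass
class Claim:
    claimant: str
    category: str            # "travel" or "other"
    amount: float
    receipt: bool = False
    days: int = 0
    approvals: list = field(default_factory=list)
    status: str = "new"


class Workflow:
    def __init__(self, roles):
        self.roles = dict(roles)   # user -> role: who may approve what
        self.audit = []            # append-only trail of every decision

    def _log(self, actor, action, subject, amount, outcome):
        self.audit.append({"actor": actor, "action": action,
                           "subject": subject, "amount": amount,
                           "outcome": outcome})
        return outcome

    def submit(self, claim):
        if claim.category == "travel":
            # Per diem: pay the flat rate, ignore the claimed figure, no receipt.
            claim.amount = PER_DIEM_AUD * claim.days
            claim.status = "pending"
            return self._log(claim.claimant, "submit", claim.claimant,
                             claim.amount, "per-diem")
        if not claim.receipt:
            claim.status = "rejected"
            return self._log(claim.claimant, "submit", claim.claimant,
                             claim.amount, "rejected: no receipt")
        claim.status = "pending"
        return self._log(claim.claimant, "submit", claim.claimant,
                         claim.amount, "pending")

    def approve(self, approver, claim):
        log = lambda outcome: self._log(approver, "approve", claim.claimant,
                                        claim.amount, outcome)
        if claim.status != "pending":
            return log("rejected: not pending")
        if approver == claim.claimant:               # separation of duties
            return log("rejected: self-approval")
        role = self.roles.get(approver)              # revoked users have no role
        if role not in APPROVAL_LIMITS:
            return log("rejected: not an approver")
        if claim.amount > APPROVAL_LIMITS[role]:     # documented approval matrix
            return log("rejected: over role limit")
        if approver in claim.approvals:              # second approver must differ
            return log("rejected: duplicate approver")
        claim.approvals.append(approver)
        needed = 2 if claim.amount > DUAL_APPROVAL_THRESHOLD else 1
        if len(claim.approvals) >= needed:
            claim.status = "approved"
        return log(claim.status)

    def revoke(self, user):
        # Role change or departure: remove approval rights immediately.
        self.roles.pop(user, None)
        self._log("admin", "revoke", user, 0.0, "revoked")


def demo():
    """Walk a few constructed claims through the controls; returns outcomes."""
    wf = Workflow({"alice": "manager", "bob": "manager", "carol": "finance"})
    travel = Claim("dave", "travel", 999.0, days=3)        # inflated figure ignored
    no_receipt = Claim("dave", "other", 45.0, receipt=False)
    big = Claim("alice", "other", 800.0, receipt=True)     # needs two approvers
    results = {
        "travel": wf.submit(travel),
        "travel_amount": travel.amount,
        "no_receipt": wf.submit(no_receipt),
        "big_submit": wf.submit(big),
        "self_approve": wf.approve("alice", big),
        "first": wf.approve("bob", big),
        "repeat": wf.approve("bob", big),
        "second": wf.approve("carol", big),
    }
    wf.revoke("bob")
    late = Claim("eve", "other", 100.0, receipt=True)
    wf.submit(late)
    results["revoked"] = wf.approve("bob", late)
    results["audit_entries"] = len(wf.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every refusal is logged alongside every approval, so a finance or HR reviewer can see not only what was paid but who tried to approve their own claim or kept approving after losing the role, which is exactly the out-of-the-ordinary behaviour the next sections ask you to watch for.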
Mitigate pressure
Keep an eye on your people. Have they recently bought a house? Gone through a messy breakup? Are rising interest rates making things tight? These aren’t just personal problems; they’re potential business risks if left unaddressed. That doesn’t mean you should snoop. But it does mean creating a culture where people feel safe enough to say, “I’m struggling.” Offer support, make sure salaries are fair, and provide access to mental health resources.
Disrupt rationalisation
Rationalisation is the trickiest to spot because it lives inside people’s heads. You can’t control how someone feels, but you can shape the culture. Review salaries against market benchmarks to make sure your team isn’t quietly simmering with resentment. Be transparent about bonuses and promotions, and make sure people feel their work is seen and valued. People need to feel that their workplace is fair, or they’ll stop playing fair themselves.
For some organisations, it may even be necessary to have a trusted fraud prevention team to which personnel can confidentially report conflicts of interest or approaches from outsiders, so that these can’t later be used as external pressure. The key here is that disclosure is received positively, without judgement and, wherever possible, without punishment.
It’s not about catching bad people
Fraud is easiest stopped before it starts – which means we’re often dealing with people who haven’t, and may never, do anything wrong. Most people are decent. They want to do the right thing. But sometimes, life pushes them towards decisions they’ll later regret. As a business leader, your job isn’t just to catch fraud when it happens. It’s to build a system that helps people avoid temptation in the first place.
That means creating policies that are clear, fair and easy to follow. It means being kind without being naïve. It means remembering that technology like ChatGPT isn’t the villain, but your own lack of governance might be.
Sam Spencer is the chief executive and chief information security officer at Aristotle Metadata.