Too bad for Simon Marketing. It raises an interesting question from a business's point of view: who can you trust in a situation like this? Personally I would only trust a security expert to provide expert guidance but not have them do any execution. They would seem to me to be the least trustworthy, simply because they have had a professional lifetime of temptation and rumination.
Also, you force people to take a break. It's pretty common in finance to require a 2-week consecutive holiday every so often, one justification being that if someone was cooking the books, the person taking over their role would probably stumble across it.
Or for the Sarbanes-Oxley rules. We often run into headaches at my office because our second check signer is a general manager based in Canada 75% of the time, which ends up holding up any checks over $1k.
The complete lack of internal audits was something that struck me about this story. Million dollar game pieces constantly disappearing, and no one in the company was in a position to notice anything was wrong.
They were not security pros. Everything was left to trusted people. They didn't have people witness the opening of envelopes and installation of game pieces. So nobody saw that he was stealing. Today we know better.
This is correct. Power corrupts, absolute power corrupts absolutely. Simple fact. It's actually one of the most basic aspects of security. This is why you need to split up responsibilities, and in some cases even obfuscate an end-goal to someone in the middle. That helps them not to see opportunities to corrupt. You can be very ethical, and say you wouldn't go for those millions. But probably in that case, you already have millions (perhaps gathered similarly) or no opportunity ever presents itself to you in such fashion because your employers take good care to prevent that.
Simple example:
What if you are the person to take, process and finalize orders at a company? You can take all their money. If you split these into 3 separate tasks, none of them can do anything. (Because social factors will have more chance to keep the 3 in normal working order, where only 1 is easy to corrupt without the 2 others holding them steady.)
It's unbelievable such large corporations still have these kinds of issues. Overcomplicated structures in my opinion, where people stop seeing the forest through the trees so to speak, and lose sight of these important matters.
Yes! The really serious organizations are very diligent about dividing the responsibilities/opportunities.
While working at IBM, there was a bit of fanfare for someone in my dept who got a very big promotion (iirc, he skipped a couple levels up at once). The promotion was because he'd noticed a flaw in the system that could have allowed four people to collectively conspire and get away with maybe $6 million. He reported it and the managers were all suitably impressed. I never managed to get enough details to understand the potential scam, or the solution implemented.
Contrast this with the much larger amounts at stake with this sweepstakes & fast food org, and they aren't putting in any such multi-party controls. No surprise they were scammed.
This seems very dependent indeed on the top of the organization being absolutely trustworthy. And, uh, to say that's not the case is an understatement.
True about that org top being untrustworthy, but I think it is more about the specifically designed structure of the org. Design the org so that power is separated, so no one has the opportunity to steal at scale.
Power corrupts, absolute power corrupts absolutely. Divide the power and you remove the impetus for corruption. I don't think that cop would have done anything but an ordinary good job, had that multi-million dollar temptation not just shown up in his lap...