A common question in internal control questionnaires is whether the entity requires mandatory vacations. The reason for this is quite sound - perpetuating the fraud often requires the fraudster always be there. If someone else takes over their responsibilities even for the week, they may find something amiss and the fraudster is caught.
I enjoy reading case studies on fraud - what methods were used, how long it lasted, and how the fraud was detected. You often will see a quote in the case studies that goes something like this "Suzanne was the last person we expected to commit a fraud. She was so loyal - she worked here for seven years and never took a day off." Sadly, the entity by then has learned why Suzanne never took any time off.
I'm continuing to read the ACFE's 2008 Report To The Nation on Occupational Fraud & Abuse and was reminded of this while reading Chapter 4 on Victim Organizations. Mandatory vacation policies (and job rotation) were in place in 12.3% of the fraud cases covered by the report. The median loss when this policy was in place was $64,000. The median loss when this policy was not in place was $164,000.
If you do not have mandatory vacation policies, you should strongly consider implementing this policy.