Abstract. I examine how an internal auditor, called the firm, designs a control system for a strategic employee who conditions his thefts on the amount and types of controls. Society sets minimum testing amounts and fines for detected theft, whereas the firm determines the employee's wages and the amount of monitoring above the minimum. The results fall into three separate cases. When society's minimum testing standards and fines are sufficiently high, the employee never steals in any period. In this case, the firm performs the minimum amount of testing and pays the lowest feasible wage. In the remaining two cases, the testing standard and fines are too low to prevent theft by themselves. In these two cases the firm's control system determines whether there will be theft in the first period. I show that if the firm chooses to prevent all first-period theft, then it uses only one type of control. The firm offers a wage premium and monitors the minimum amount. The wage premium substitutes for a fine large enough to prevent all theft. If the firm designs controls that do not prevent all theft, then the firm also uses only one control. In contrast to the no-theft case, the firm pays the lowest feasible wage and monitors above the minimum. This choice reflects the increasing returns to scale of monitoring in preventing theft.