Duplication in Processes

I was given an assignment a few years back to find leakage of revenue in a disco outlet of a five star hotel in Mumbai. I was quite excited about the place. Mind you!! It is still one of the most happening places in Mumbai.

I remember I had met the outlet manager and discussed about the processes. He said there are good controls like continuous vigilance by CCTV, proper segregation of duties, strict control over cash handling, accurate and well documented revenue reconciliations, coupon stationery controls and so on.

Those days while searching on Google, I came across an interesting web page saying 101 ways to cheat in a Restaurant and Bar. I was amazed to see such a material on the net. I am not sure if controllers in hospitality industry know this. These were tricks of the trade. I thought, like an ethical hacker, some day I will be working as an ethical control breaker to see if controls can be broken or overridden. I had started to do abstract thinking and visualizing immediately.

To enter that disco outlet, you had to pass through bumpers, the men who see if you are an eligible character to enter the disco. Then you have to purchase coupons either by credit card or cash from the cash counter to be able to enter the disco. Sales of coupons were recorded in the POS system immediately.

The bar tender were required to take correct amount of coupons for drinks served. These coupons were minced or shredded before putting in a locked box; the keys of which were with the food & beverage controllers.

Room guests of the hotel were also required to purchase coupons to enter the disco. They could settle coupons purchased directly in their room folio from the POS.

Room guest were also given a facility inside the disc to run a tab, a facility by which one can have drinks without paying every time. Idea was to settle all the drinks at the end on the basis of tab recorded by the bar tender. These tab consumptions too were charged to folio of room guests by the cashier in presence of the bar tender.

Once amount was settled no one could change anything in the system and there were proper revenue reconciliations happening.

Although controllers and outlet manager told me that the controls are effective and current monitoring system is able to mitigate the possibility of any substantial mischief, I had approached with a mind-set to challenge the existing processes like an ethical hacker.

Clear evidence of duplication of the process was revealed to me. Dues of room guests could be settled directly to room folio when running a tab and for the purchase of coupons.

I could see if I were a cashier, I would have beaten the system to earn some extra money every night. The job remained was to see if cashiers were thinking like me or not and to gather the evidence of such a possibility.

It was then simple. To do a mischief it was required to show some drinks sold against running tab as sale of coupons to room guests and then to remove that much coupons for a personal gain without getting accounted for those.

On close scrutiny it was revealed that for some of the room guests there were two checks prepared for every tab in addition to a check prepared for purchase of coupons at the time of entry into the disco.

Out of those two checks, one was charged directly to the room folio for a part of the tab consumption and remaining was charged to room as sale of coupons. Although the correct amount was charged to the room folio, the cashiers could embezzle the coupons without getting noticed in the reconciliation process.

All evidences were present of effectiveness of controls. However, there was a trick. Although it looked so simple, no body thought of it initially. It was both a control effectiveness and efficiency issue. Once problem identified solution was simple.

The case study presented here is for intentional mischief where duplication of process was involved. However, duplications can also lead to unintentional leakages. Also, this is just one of the aspects to be kept in mind while testing effectiveness and efficiency of controls.

Duplication can cause problems in higher level processes too. I am aware of a case wherein a Business Head of an Advertising Agency was involved in manipulating his Sales KPI (Key Performance Indicator).

My next case study is devoted to Ethical Shoplifting at a Food Retail Chain. This is again an interesting mischief happened in one of the Retail Chain in Mumbai despite of having all of so called good controls. This will be followed by one case study on Risk of incorrect benchmarking and incorrect process improvement initiative and failure of Just in Time Inventory Method.

Till then, I want you to live with following thoughts.

One needs to challenge the existing in an ethical way. Some of the ethical hackers who hack into technological systems with due permission of the corporate were just below 15 years of age. It does not require experience but the power of abstract and radical thinking and knowledge of the tricks.

Dont you think you need some one who can beat your systems, of course ethically? Its about efficiency of controls. One of our services is to increase efficiency of your controls.

Note: I thought a story like case study will be more appropriate than a structured one. However, I will look forward to your comments.