Ethical Shoplifting - Retail Story

If you think risk of shrinkage in a retail outlet can be reduced completely with latest technological controls like bar codes, smart tags, RFID, Scanners, and CCTV together with tight physical security then you may probably need to rethink.

Ethical shoplifting is a fraud story of a food retail chain in Mumbai. The story has dramatic scenes of shop lifting and shop un-lifting and inventory leakage without physical goods moving out of the store. If you wonder how it is possible to have inventory leakage without physical goods moving out unethically and voids. Read more.

A year back, I was on an assignment for a retail giant at their Lower Parel Office in Mumbai; one gentleman approached me and asked me if I am again on a hunt? I was surprised to hear the words and I felt that I have seen him earlier before.

I had managed to break traps of this Mr. Fraud when he was working with a renowned retail chain in Mumbai as a supervisor. Although he had changed his job since then to work with this biggest retail giant in Mumbai; he remembered me distinctly and how I had caught him and his tricks in the past. He was looking humble but cunning still.

This smart man has seen various store situations, peak time footfalls, power failures in stores, consumer disputes, and night times of cash counting etc. He had discovered around 10-12 tricks to earn Rs. 4000-5000 every day i.e. around 1% of the revenue of the store.

I am sharing one of his tricks here which is about ethical shoplifting/ un-lifting.

People leave articles at the cash counters before they settle their bills. They dont want to purchase may be. Even some times people return articles immediately after the same gets billed. People have disputed because they have been told to pay first and then return it at the sales return counter to get the money back. Many people paid less and left the articles at the counter. This is all about billing errors and mood changes of the customers. You cannot think what all happens at peak hour at a food retail hypermarket in crowded urban city like Mumbai and when customer service is your motto.

Duplicate bills. If you are a Retailer, I am 150% sure that use of duplicate invoices are not getting tracked properly in your store. I bet, just check back.

Mr. Fraud with his one favorite cashier had done the trick. They were managed to print duplicate bills on basis of which they picked up articles from the racks inside the store to send to the sales return counter as if articles were left behind by the customers after they have been billed but for which no collection could have been made.

The sales return counter had seen such situations and disputes with customers earlier. So, he could easily believe the circumstances. He could not perceive a risk because it never involved GIVING as no cash refund involved at the outset. Moreover he received the article which needed to go back on the racks after the due procedures. Mr Fraud, who was a supervisor un-lifted the lifted material at the sale return counter with the duplicate bill which had the sale of the article.

The cashier removed that much cash from the sales. At time of final cash reconciliation short cash got adjusted for the sales return. No one ever questioned the inter-counter cash adjustments between cash counter and sales return counter as there was a physical material present in view which got un-lifted at the counter some hours back in the good spirits. At night every body wants to go home. In morning, all controls are paper works and you will never know what had happened last day.

If you doubt that with strong physical control no cashiers can take cash out of the store, then mind your thought as it is the easiest of all. You can have hundreds of secret pockets and baskets in which cash can go out. NO POCKET policy is a flop. I could catch this trick of his and his other 12 tricks because I had an idea of some thing called THREADS. THREADS are always there.

My next study is on Just in Time (JIT) Inventory Method Blunder. This is not a fraud story but incorrect application of JIT.

After this, I want to write on ENRON & BOW-FORCE. I know you will like to know in brief how SOX had taken birth to take away millions of dollars from the corporate world and it is unfortunate that the situation is still the same and chances of corporate frauds have never reduced at all.

Nowadays many want to look SOX as a process improvement tool rather than Fraud Prevention Assurance Tool. I bet; all big minds have again missed it completely and ethically justifying higher controlling costs.

Bye for now.

Duplication in Processes

I was given an assignment a few years back to find leakage of revenue in a disco outlet of a five star hotel in Mumbai. I was quite excited about the place. Mind you!! It is still one of the most happening places in Mumbai.

I remember I had met the outlet manager and discussed about the processes. He said there are good controls like continuous vigilance by CCTV, proper segregation of duties, strict control over cash handling, accurate and well documented revenue reconciliations, coupon stationery controls and so on.

Those days while searching on Google, I came across an interesting web page saying 101 ways to cheat in a Restaurant and Bar. I was amazed to see such a material on the net. I am not sure if controllers in hospitality industry know this. These were tricks of the trade. I thought, like an ethical hacker, some day I will be working as an ethical control breaker to see if controls can be broken or overridden. I had started to do abstract thinking and visualizing immediately.

To enter that disco outlet, you had to pass through bumpers, the men who see if you are an eligible character to enter the disco. Then you have to purchase coupons either by credit card or cash from the cash counter to be able to enter the disco. Sales of coupons were recorded in the POS system immediately.

The bar tender were required to take correct amount of coupons for drinks served. These coupons were minced or shredded before putting in a locked box; the keys of which were with the food & beverage controllers.

Room guests of the hotel were also required to purchase coupons to enter the disco. They could settle coupons purchased directly in their room folio from the POS.

Room guest were also given a facility inside the disc to run a tab, a facility by which one can have drinks without paying every time. Idea was to settle all the drinks at the end on the basis of tab recorded by the bar tender. These tab consumptions too were charged to folio of room guests by the cashier in presence of the bar tender.

Once amount was settled no one could change anything in the system and there were proper revenue reconciliations happening.

Although controllers and outlet manager told me that the controls are effective and current monitoring system is able to mitigate the possibility of any substantial mischief, I had approached with a mind-set to challenge the existing processes like an ethical hacker.

Clear evidence of duplication of the process was revealed to me. Dues of room guests could be settled directly to room folio when running a tab and for the purchase of coupons.

I could see if I were a cashier, I would have beaten the system to earn some extra money every night. The job remained was to see if cashiers were thinking like me or not and to gather the evidence of such a possibility.

It was then simple. To do a mischief it was required to show some drinks sold against running tab as sale of coupons to room guests and then to remove that much coupons for a personal gain without getting accounted for those.

On close scrutiny it was revealed that for some of the room guests there were two checks prepared for every tab in addition to a check prepared for purchase of coupons at the time of entry into the disco.

Out of those two checks, one was charged directly to the room folio for a part of the tab consumption and remaining was charged to room as sale of coupons. Although the correct amount was charged to the room folio, the cashiers could embezzle the coupons without getting noticed in the reconciliation process.

All evidences were present of effectiveness of controls. However, there was a trick. Although it looked so simple, no body thought of it initially. It was both a control effectiveness and efficiency issue. Once problem identified solution was simple.

The case study presented here is for intentional mischief where duplication of process was involved. However, duplications can also lead to unintentional leakages. Also, this is just one of the aspects to be kept in mind while testing effectiveness and efficiency of controls.

Duplication can cause problems in higher level processes too. I am aware of a case wherein a Business Head of an Advertising Agency was involved in manipulating his Sales KPI (Key Performance Indicator).

My next case study is devoted to Ethical Shoplifting at a Food Retail Chain. This is again an interesting mischief happened in one of the Retail Chain in Mumbai despite of having all of so called good controls. This will be followed by one case study on Risk of incorrect benchmarking and incorrect process improvement initiative and failure of Just in Time Inventory Method.

Till then, I want you to live with following thoughts.

One needs to challenge the existing in an ethical way. Some of the ethical hackers who hack into technological systems with due permission of the corporate were just below 15 years of age. It does not require experience but the power of abstract and radical thinking and knowledge of the tricks.

Dont you think you need some one who can beat your systems, of course ethically? Its about efficiency of controls. One of our services is to increase efficiency of your controls.

Note: I thought a story like case study will be more appropriate than a structured one. However, I will look forward to your comments.

Challenge The Existing

For our risk management efforts, we are relying on high-end technologies, the latest frameworks and the latest process ideas like Just in Time Inventory system. We believe that they will make our businesses better and improved. Better processes, technology and people. What is missing? Let us call it knowledge or Intelligence. Combination is Super processes, technology and people.

I would like to call it the trick of the trade. Dynamic and not linear!!!

Businesses are paying huge money for mapping processes, documenting risks & controls on some technological platform to increase visibility. At first a risk assessment exercise is carried out at a reasonably high cost by the people who are either less experienced or less talented in the area (Actually they are getting leveraged). This is a mammoth task as one needs to feed a huge amount of intelligent data into some technological system with quality consistent throughout. And, if a team of highly experienced business people were do such manual work, the cost could be much much more. Copy paste is not a bad idea at all if one has already done it before for some other companies irrespective of the industry or country differences. Branded consulting companies call it knowledge bank and cost is reduced to some extent as well (Theirs or yours.. Think!!). I am not sure about the worth but in presence of such a knowledge bank it is natural to not to apply ones minds for actual situation at hand.

Enterprise wide risk management is not just about risk assessment and finding mitigating controls but understanding a broader perspective of business controls. Not just the plain knowledge of business but learning the trick of the trade. Think about the Strength, Weakness, and Opportunity Cost, Cost Benefit, Simplicity and Endurance of a control too.

The serious question is why effectiveness of controls is given more weightage over efficiency of controls now-a-days? Is some body making a business out of it?

Business people also talks about KPI, KRAs, roles and responsibilities. Good idea! but till now it is a subjective aspect of controls and it is subjective because tricks can differ from business to business and management style.

My next case study is mainly targeted to Hospitality & Retail Industry named Duplication in Processes. These industries are more prone to have duplication in processes resulting into intentional or unintentional leakages in revenue by the people involved. However, the knowledge can be applied to other businesses as well.

Duplication in Processes is one of the aspects to bring a perspective on efficiency of control. I will also be writing about other industry scenarios in coming case studies.

There are 44 subscribers by email to this knowledge station and I am sure I will be having mix readers who are Business Heads, Business Managers, Consultants or Auditors looking for answers to both high-end controls as well as nitty-gritty.

The idea is to have an interesting case study and story line to refresh and challenge your mind every week. And, to have a perspective of dynamic relationships rather than linear relationships with respects to business controls.

Thanks for allowing your mind to get challenged.

My Plans

Yes, I will be posting case studies on a weekly basis. I dont know if this blog will going to completely change your thoughts on risk management.

You might want to hear from me soon. May be you'll be excited about my secret innovative ideas. You will soon realise that you have made a right decision to join this knowledge sharing effort. I wouldn't tell you that innovation is a must but you'll realise it reading case studies from here.

You know that knowledge is very important. Knowledge sharing is need of the hour. And you will agree that for this we should be using advance technology at our disposal. So lets talk on this as I will make an honest attempt to give you the best. Please visit frequently or simply subscribe because there is nothing to lose but everything to gain.

Our New Venture: Risk Consultancy

Our new venture Proteus Advisors; we would like it to be very Unique, Simple but a Powerful consulting outfit. That's the USP. The proteus brand will have strong focus on Innovation, Implementation and Value Creation closely working with its clients' teams. We are positioned to serve the fast growing innovative companies. We are currently based out of Mumbai.

Proteus Advisors may not compete directly with any of Big 4 or companies like Protiviti Consulting or Axis Risk Consulting in India.

We will have boutique consulting firms' approach to provide business risk consultancy and Internal Audit solutions to all kinds of enterprises and not just Small Scale and Medium Scale Enterprises ( SME ). Thus our SME solutions will also be best in class.

We would like to be part of your Internal Value Adding Team and compliment it with our skills and innovations. Our aim is to increase ROI on your Risk Consulting or Operational Consulting Projects, Internal Audits and Special Assignments.

We have always driven by our independence and passion for our work. And, key to our success so far is our commitment to build trust, willingness to share valuable and workable ideas with passion.

To establish ourselves as a Knowledge Leader in Internal Auditing & Business Risk Consulting arena, We would like to share our ideas and techniques with you. Thus this blog is a step to build a win-win partnership with you where you can also be a part of our knowledge sharing effort.

So do provide us with your valuable comments or visit our site to know more about us.

Thanks,

Mumbai, India.