It's time for risk consultants to be players with the team on the line. Learn how to achieve innovative advantage using the case studies.
Saturday, November 29, 2008
Terrorist Attack on Taj & Trident
Before I give an account of the topic I have selected today, I would like to brief you on 'where I am coming from'. I am among the fortunate ones who have done Internal Audit of five star hotels like Taj & JW Marriott in Mumbai and have spent a considerable time of my career doing these Internal Audits. My first Internal Auditing lesson had come from doing Internal Auditing at Taj. My Internal Auditing style resembles my work at these five star hotels, i.e. systems audit. When I say Systems Audit, I do not mean IT systems audit but Business Systems Audit. All who have done Taj Internal Audit before TPAM audit started there will understand what I am saying.
Now, I would like to share a specific Internal Control which I think has never been paid attention to, and which I think is important not only from a Revenue Assurance point of view but also from a security point of view.
Like every business, these hospitality giants are required to reconcile and physically verify their inventory. There are two kinds of perishable inventory which a hospitality unit like Taj might carry. One is connected to their F&B business and the other is connected to their Room Revenue business. We will talk about their Room Revenue business inventory, called Room Nights: inventory made of Time & Space which is sold to guests.
How do you physically verify an inventory which is made up of Time & Space? Historical records will not serve the purpose, as one cannot go back in time to do a physical verification once one has moved ahead in time. I am sorry, but we have still not invented something called a Time Machine.
Thus, concurrent physical stock taking is the only solution available. Nowadays most hotels have software to manage their room inventory. One can tell if a room is occupied or not. The Front Office keeps track of room folios opened with formal check-in and check-out procedures. More often than not, the housekeeping department in the hotel performs a check to physically verify the status of each room once or twice a day. They update the system with the room status independently verified by them.
When we have two sets of inventory data, we reconcile them, and if there are discrepancies or variances, we go and find out the cause. If a room is occupied as per the Front Desk record but vacant as per housekeeping, then we have a situation called a 'Skipper', and when a room is vacant as per the Front Office but occupied as per housekeeping, it is called a 'Sleeper'.
Both cases involve a possible leakage of revenue for the hospitality unit. Along with this room status control, a few hotels also resort to something called baggage control, a check on the number of patrons staying in a room, etc., to make this control complete. More often than not, I have found serious lacunae in the said control. In spite of my reporting it several times to various hotel unit managements, this control has never been taken seriously by anyone and has always ranked as a low risk area.
It's important that the managements of these hotels understand the risk of having inventory that is made up of Space & Time and its possible abuse by any unscrupulous person.
The housekeeping department, although independent from the front desk personnel in verifying the room stock, is not properly trained to verify the physical status of a room when they visit it for cleaning or otherwise. The second issue is that the housekeeping department in most hotels submits this room status discrepancy report only to the Front Office Manager, instead of to the Security Manager or Loss Prevention Manager along with the Front Office Manager. Moreover, the luggage brought by guests is not tracked and controlled to ensure an effective status control activity. Currently, the control is too mechanical, is adhered to half-heartedly, and has no subsequent procedure to ensure that there is no leakage of revenue or security threat. In simple words, hotel management should know intelligently what is happening in every room without disturbing the privacy of the guest.
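The room status reconciliation described above can be run as a daily check. The following is an added example, not part of the original post; the record layout, the headcount field and the recipient list are assumptions made for illustration.

```python
# Constructed sample data (not real hotel records); field layout is assumed.
FRONT_OFFICE = {          # room -> (status per folio, registered guests)
    "101": ("occupied", 2),
    "102": ("vacant", 0),
    "103": ("occupied", 1),
    "104": ("occupied", 2),
    "105": ("vacant", 0),
    "106": ("occupied", 1),
}
HOUSEKEEPING = {          # room -> (status seen on the round, persons evident)
    "101": ("occupied", 2),
    "102": ("occupied", 1),
    "103": ("vacant", 0),
    "104": ("occupied", 4),
    "105": ("vacant", 0),
    # room 106 was not visited on this round
}
# The post argues the report should not go to the Front Office Manager alone.
RECIPIENTS = ("Front Office Manager", "Security Manager")


def reconcile(front_office, housekeeping):
    """Compare the two independent room-status records and list variances."""
    report = []
    for room in sorted(set(front_office) | set(housekeeping)):
        fo = front_office.get(room)
        hk = housekeeping.get(room)
        if fo is None or hk is None:
            finding = "Unverified"        # one side has no record at all
        elif fo[0] == "occupied" and hk[0] == "vacant":
            finding = "Skipper"
        elif fo[0] == "vacant" and hk[0] == "occupied":
            finding = "Sleeper"
        elif fo[0] == "occupied" and hk[1] > fo[1]:
            finding = "Extra occupants"   # more people than registered
        else:
            continue                      # records agree
        report.append({"room": room, "finding": finding,
                       "send_to": RECIPIENTS})
    return report


if __name__ == "__main__":
    for row in reconcile(FRONT_OFFICE, HOUSEKEEPING):
        print(row["room"], row["finding"], "->", ", ".join(row["send_to"]))
```

A room missing from either record is reported rather than skipped, since an unvisited room is itself a gap in the control.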
I am sure the recent attacks on Taj & Trident will ensure strengthening of this control further in light of this new risk lurking on the hospitality industry. I also see improvement possibility in gate security and guest room key control procedures.
I also feel strongly that there is something wrong with the procedures where the hoteliers have to submit details of the foreign nationals staying in their hotels to the local police station on an everyday basis. It's possible that the police station takes these reports, stamps them and sits back without doing much scrutiny of these records.
My heartfelt condolences to the families of those who have been affected by the recent inhuman act of terror at Taj, Trident and Nariman House.
When cheaters are invisible, there is surge in crime levels. When victims are invisible; result is the same.
It was almost an hour after midnight. You could hardly hear your own voice due to the loud, heart-beating music in the pub. The auditor on a surprise visit, who was not known to the bartender, was trying to give cash to buy a drink. The bartender shouted that he needed coupons, as taking cash was not allowed. The auditor shouted back, "Don't you know me? I come here every month; I have always paid cash here and nobody denied it earlier." The bartender smiled, came closer and whispered, "Sorry sir, but we are being watched today."
Let's ponder the above phenomenon by way of a short story. A student named Vishnu Prasad Singh puts on a magical bracelet and finds that it makes him invisible. With no one able to monitor his behavior, he proceeds to do woeful things: seduce a girl, murder her boyfriend, and so on. This story poses a moral question: could any man resist the temptation of evil if he knew his acts could not be witnessed?
Paul Feldman's research says that although there is no economic benefit in living a moral life, there are evidently some principles in man's nature which interest him to do so. The research goes on to conclude that 87% of the time people are honest and do not cheat. His research explains that cheating activities change with weather conditions and with economic and political scenarios, and that they even differ on different days of the year. Paul's estimate of 87% is subject to the presence of a reasonable level of internal controls and safeguarding of the assets as appropriate.
Working environment, size of office and nature of boss are also among the factors which affect the level of cheating by white collars. His research also found that employees up the corporate ladder cheat more than those down below. Possibly this is because they are not being monitored as much as the people down below. (Alarm for Audit Committee!!!)
Although we are aware of and have read about many white collar crimes, we know very little about the practicalities of white collar crime at the various levels. The reason is that very few cases have been reported and have come to light, and most of the embezzlers lead quiet and theoretically happy lives as they have not been detected.
When you don't know who the victims of white collar crimes were, you also don't know with what frequency or in what magnitude it happened. Now there is a question - from whom, exactly, did the master of Enron steal? These cheaters had remained invisible to the victims and vice versa.
Amazingly, the silent theft of our shared wealth has gone largely unnoticed because we have lost our ability to see the commons. What to say about the white collars who are amongst us.
Mr. Rao, the Chief Internal Auditor of a five star hotel chain, was stunned to hear Anil, a young audit executive, who wanted to expose various incorrect practices that were being carried out by the chef-in-charge of one of the hotel properties of the chain. The Chief Internal Auditor and General Manager of the property told him to shun the findings, as the chef had been selected as best chef of the year for achieving a record favorable food cost percentage. The chef-in-charge's performance was evaluated based on food cost percentage, a relative measure of Food & Beverage (F&B) cost and F&B revenue.
A disappointed Anil, from the co-sourcing IA firm, finally decided to make a note of these findings in the permanent audit file for future reference when he found out that there was no way he could blow the whistle.
The inventory system of the chain provided for outlet-wise ordering and food costing. The chef-in-charge ordered the high food cost items in the name of the outlet where sales margins were higher. In such cases no accounting had been done for inter-outlet transfers, and thus the benefit of incorrect indenting was transferred to the inefficient outlet so as to meet the targeted outlet-wise food cost percentage.
Many times the chef-in-charge had been issued high value raw materials by the storekeeper on the basis of post-dated requisitions, to be charged in subsequent periods, to avoid reporting an adverse food cost percentage during the current appraisal period.
Calculation of food cost was being done after adjusting the cost of hospitality checks, i.e. checks raised for free food served. Thus, the food cost percentage, which measures the efficiency of the operations of the outlet, was calculated incorrectly. Evidence was found of incorrect adjustment of wastage, spoilage and leakage in food cost through hospitality checks. This was done to keep these costs out of the books to achieve a better food cost percentage.
Thus, a non-deserving chef had been selected for the award based on a KPI which was manipulated and miscalculated.
Many hospitality players nowadays are implementing the latest POS and material management systems, but they lack proper management accounting practices. With increased empowerment they have achieved innovation, but gaps exist in their understanding of the evolution of control systems. It is not enough that the management just sees, touches, smells, tastes and hears the relationship between input and output or oversees the behavior of various personnel. Structured monitoring, end-to-end analysis of completeness and activity based management are a must to add value.
When an opportunity to commit fraud exists, someone has likely already exploited it. Then, the role of fraud investigators is just to determine the extent of the losses. What do fraud perpetrators do? They don't play by the rules. They ignore internal controls or compromise them. Circle represents your 'As Is' internal controls and Square represents what employees really do. There is no proof in the audit books that segregation of duties is generally effective or worth its often significant cost. It depends on the case. To my knowledge, segregation of duties is the most overemphasized and often least cost-effective control design option available.
A breakdown in segregation of duties is mostly a symptom of bad control design. On the face of it, segregation of duties seems to improve controls. However, the laws of human psychology and the realities of the workplace prevent segregation of duties from being an effective control.
Segregation of duties is expected to prevent fraud and error and to safeguard assets. However, reality is different. Let us take a couple of examples from the hospitality business. The chef picks up the phone and orders material directly from the supplier, and purchasing prepares the paperwork after the fact, often when the invoice arrives. What happened to the requisition, purchase order approvals, etc.? It is to be noted that the chef has done nothing wrong as far as business objectives are concerned. Does it mean control objectives are not in sync with business objectives?
In a restaurant, check voids are supposed to be approved by the Restaurant Manager and the Chef to serve as a dual control. However, repeated voids of the same menu item due to its bad taste never get attention so that appropriate action can be taken. What really happens? The manager and chef sign all void checks just to serve a control. Actually, responsibility is not fixed in this case. When we find everything approved, we say controls are effective. What about the purpose?
Such ineffective practices are bad for the business, as they block innovation and learning. The need is to analyze risk and control within a specific process or work group and to coach the work groups about the control practices and their effectiveness. This will help us form a reliable opinion about the effectiveness of the controls. Companies should expect occasional error, fraud, or abuse and deal with it. The organization will be healthier as a result. Trust but verify can be a powerful, cost-effective strategy.
Some companies are using ongoing surveys to seek inputs from employees on sensitive soft control issues. Tools can be simple, like an automated Excel sheet or a web based tool, to increase awareness and reflect real business needs for the controls. Risk perception determines your risk management process. So let us get innovative and meaningful in our approach.
I was given an assignment a few years back to find leakage of revenue in a disco outlet of a five star hotel in Mumbai. I was quite excited about the place. Mind you!! It is still one of the most happening places in Mumbai.
I remember I had met the outlet manager and discussed about the processes. He said there are good controls like continuous vigilance by CCTV, proper segregation of duties, strict control over cash handling, accurate and well documented revenue reconciliations, coupon stationery controls and so on.
Those days while searching on Google, I came across an interesting web page saying 101 ways to cheat in a Restaurant and Bar. I was amazed to see such a material on the net. I am not sure if controllers in hospitality industry know this. These were tricks of the trade. I thought, like an ethical hacker, some day I will be working as an ethical control breaker to see if controls can be broken or overridden. I had started to do abstract thinking and visualizing immediately.
To enter that disco outlet, you had to pass the bouncers, the men who see if you are an eligible character to enter the disco. Then you had to purchase coupons, either by credit card or cash, from the cash counter to be able to enter the disco. Sales of coupons were recorded in the POS system immediately.
The bartenders were required to take the correct amount of coupons for drinks served. These coupons were minced or shredded before being put in a locked box, the keys of which were with the food & beverage controllers.
Room guests of the hotel were also required to purchase coupons to enter the disco. They could settle coupons purchased directly to their room folio from the POS.
Room guests were also given a facility inside the disco to run a tab, a facility by which one can have drinks without paying every time. The idea was to settle all the drinks at the end on the basis of the tab recorded by the bartender. This tab consumption too was charged to the folio of the room guest by the cashier in the presence of the bartender.
Once the amount was settled, no one could change anything in the system, and there were proper revenue reconciliations happening.
Although controllers and outlet manager told me that the controls are effective and current monitoring system is able to mitigate the possibility of any substantial mischief, I had approached with a mind-set to challenge the existing processes like an ethical hacker.
Clear evidence of duplication of the process was revealed to me. Dues of room guests could be settled directly to room folio when running a tab and for the purchase of coupons.
I could see that if I were a cashier, I would have beaten the system to earn some extra money every night. The job that remained was to see if cashiers were thinking like me or not and to gather evidence of such a possibility.
It was then simple. To commit the mischief, one had to show some drinks sold against a running tab as a sale of coupons to room guests and then remove that many coupons for personal gain without their being accounted for.
On close scrutiny it was revealed that for some of the room guests there were two checks prepared for every tab, in addition to a check prepared for the purchase of coupons at the time of entry into the disco.
Out of those two checks, one was charged directly to the room folio for a part of the tab consumption and the remainder was charged to the room as a sale of coupons. Although the correct amount was charged to the room folio, the cashiers could embezzle the coupons without getting noticed in the reconciliation process.
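The check pattern found in this case study can be tested for on every night's POS data. The following is an added example, not part of the original post: it flags room folios where a coupon sale is posted by the same cashier within minutes of a tab settlement. The record layout, the five-minute window and all sample checks are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of POS checks charged to room folios (not real data).
# Assumed columns: check no, room, cashier, kind, amount, posting time.
CHECKS = [
    (1001, "412", "C1", "COUPON", 1000, "2008-01-12 22:05"),  # entry purchase
    (1002, "305", "C2", "COUPON", 1000, "2008-01-12 22:30"),  # entry purchase
    (1003, "207", "C2", "COUPON", 1000, "2008-01-12 22:15"),  # entry purchase
    (1004, "518", "C1", "COUPON",  500, "2008-01-12 23:00"),  # entry purchase
    (1005, "207", "C2", "COUPON",  500, "2008-01-12 23:40"),  # top-up, no tab
    (1006, "305", "C2", "TAB",    2500, "2008-01-13 00:45"),  # one tab check
    (1007, "412", "C1", "TAB",    1800, "2008-01-13 01:10"),
    (1008, "412", "C1", "COUPON", 1200, "2008-01-13 01:11"),
    (1009, "518", "C1", "TAB",     900, "2008-01-13 01:30"),
    (1010, "518", "C1", "COUPON",  600, "2008-01-13 01:32"),
]


def flag_split_settlements(checks, window=timedelta(minutes=5)):
    """Pair every tab check with coupon sales charged to the same room by
    the same cashier within `window` of the tab settlement."""
    by_room = defaultdict(list)
    for no, room, cashier, kind, amount, ts in checks:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_room[room].append((when, no, cashier, kind, amount))
    findings = []
    for room, rows in sorted(by_room.items()):
        tabs = [r for r in rows if r[3] == "TAB"]
        coupons = [r for r in rows if r[3] == "COUPON"]
        for t_when, t_no, t_cashier, _, _ in tabs:
            for c_when, c_no, c_cashier, _, c_amount in coupons:
                # An entry purchase is hours earlier, so it is outside the window.
                if c_cashier == t_cashier and abs(c_when - t_when) <= window:
                    findings.append({"room": room, "cashier": t_cashier,
                                     "tab_check": t_no, "coupon_check": c_no,
                                     "coupon_amount": c_amount})
    return findings


def exposure_by_cashier(findings):
    """Total flagged coupon value per cashier, for follow-up."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["cashier"]] += f["coupon_amount"]
    return dict(totals)


if __name__ == "__main__":
    hits = flag_split_settlements(CHECKS)
    for h in hits:
        print(h)
    print(exposure_by_cashier(hits))
```

A flagged pair is a lead for review, not proof: the folio total is correct in both the honest and the dishonest case, so the follow-up is to ask why a guest already running a tab needed coupons at settlement time.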
All the evidence of effective controls was present. However, there was a trick. Although it looked so simple, nobody thought of it initially. It was both a control effectiveness and an efficiency issue. Once the problem was identified, the solution was simple.
The case study presented here is for intentional mischief where duplication of process was involved. However, duplications can also lead to unintentional leakages. Also, this is just one of the aspects to be kept in mind while testing effectiveness and efficiency of controls.
Duplication can cause problems in higher level processes too. I am aware of a case wherein a Business Head of an Advertising Agency was involved in manipulating his Sales KPI (Key Performance Indicator).
My next case study is devoted to Ethical Shoplifting at a Food Retail Chain. This is again an interesting mischief that happened in one of the retail chains in Mumbai despite its having all of the so-called good controls. This will be followed by a case study on the risk of incorrect benchmarking, an incorrect process improvement initiative and the failure of the Just in Time inventory method.
Till then, I want you to live with the following thoughts.
One needs to challenge the existing in an ethical way. Some of the ethical hackers who hack into technological systems with due permission of the corporate were just below 15 years of age. It does not require experience but the power of abstract and radical thinking and knowledge of the tricks.
Don't you think you need someone who can beat your systems, of course ethically? It's about efficiency of controls. One of our services is to increase the efficiency of your controls.
Note: I thought a story-like case study would be more appropriate than a structured one. However, I will look forward to your comments.