Retail Point of Sale Fraud Prevention and Detection Using Internal Audit and Data Analytics


Retail point of sale fraud prevention and detection using internal audit and
data analytics

Article in EDPACS the EDP audit, control and security newsletter · May 2019
DOI: 10.1080/07366981.2019.1603834


1 author:

Christopher C Kelly
Kelly Partners LLP

All content following this page was uploaded by Christopher C Kelly on 30 May 2020.



Kelly & Yang Academy © 2019 Christopher C Kelly

Experiential methods for identifying and reducing point of sale retail fraud
DR CHRISTOPHER C KELLY
Director, Kelly & Yang (London, England & Melbourne, Australia)

Abstract

This paper is aimed at management, accountants, auditors and loss prevention officers
responsible for assuring the existence and effectiveness of internal controls to
minimise fraud in retail business environments.

Retail is defined to include the wide array of retailers serving consumers across
shopping malls and on the high street as well as organisations that have retail
operations supporting their main non-retail business activities, such as book stores in
universities and souvenir shops in museums.

Whether cash or cashless, retail point-of-sale (POS) transactions present multiple
fraud opportunities despite the existence of internal controls. Based on experiential
observations at clients in the UK, US and Australia, approximately 3% of staff
entrusted to process customer payments at the POS create inventive ways to steal
cash, credit card data and stock during routine POS till operation.

This paper summarises how an array of technological and behavioural controls can
work together to reduce, if not entirely eliminate, potential fraud scenarios by POS
operators. Anonymised fraud scheme case studies from real client situations are
provided.

The article is a pre-print. The final published article can be downloaded at the
publisher's website:

https://www.tandfonline.com/eprint/Y7eCTd3CXI6EHITEUHGp/full?target=10.1080/07366981.2019.1603834

POS TRANSACTION FRAUD RISKS

Ever competitive retailers are under unprecedented pressure from Amazon and other
online sellers.[1] Since every dollar collected in the till finances not only the cost
of goods but also the cost of wages, overheads such as rent and the retailer’s gross
profit margin, for every dollar lost through fraud the retailer must generate several
dollars in new sales just to get back to break-even. In an already cut-throat
marketplace, retail fraud can be crippling.

[1] The competitive pressure on brick and mortar retailers from online retailers is
widely reported in the press. One example:
https://www.floship.com/amazon-killing-traditional-retail/.


PRE-PRINT ● Accepted for publication in EDPACS the EDP audit, control and security
newsletter ● May 2019 ● Vol 59(5) pp1-8 ● DOI: 10.1080/07366981.2019.1603834

Based on our client experiences, point-of-sale (POS) till operators are mostly honest
and hard-working, but about 3%[2] of them devise devious ways to exploit systematic
weaknesses to steal cash, credit card data and stock either single-handedly or in
collusion with buddies. In our experience, these fraud tactics continue until detected
at which point historic recoveries are infrequent.

Before considering the layers of internal control and data analytics designed to
prevent or detect retail POS fraud, we will outline various schemes by which fraud
can be perpetrated by POS operators and their collaborators.

Cash and Card Fraud Risks
Due to customers requiring small change for their cash purchases, each POS till
requires a starting cash float. The difference between the end-of-day cash and the
starting float should agree to the end-of-day sales summary automatically generated
by the cash till, usually called the Z-total.[3]

Cash and card purchases are Z-totalled separately. In this way, sales transactions
can be reconciled to the penny by matching Z-totals to actual cash in the till and
card receipt bank notifications. Mandatory operator logons should ensure cash
discrepancies are traceable back to individual operators. While occasional gains or
losses of less than 0.2%[4] between the Z-total and physical cash can be expected,
material or persistent losses by the same operator or location would be a cause for
concern. However, if operators do not routinely check their opening float, then
removing cash from the float before trading commences could give the appearance that
the missing cash was an end-of-day reconciling item thereby obscuring the true source
of the cash loss.

Since the Z-total of each POS till summarises the day’s sales, cash collected in tills
should not be used as if they were bottomless petty cash tins to meet minor
expenditures. If the cash tills are used in this way, cash control procedures will
become necessarily more complex and thereby create scope for error and concealment of
theft because cash in the till will never agree to the end of day Z-total.

Card purchases will have no cash effect and will be processed through a PED (“PIN
entry device”) terminal linked to a bank intermediary for authorised deduction from
the end customer’s bank account. Due to the vulnerability of these card transactions
transmitted in cyberspace between the retailer and the bank, PEDs need to comply with
Payment Card Industry Data Security Standards (PCI-DSS)[5] which include a number of
controls such as non-capture of credit card security data in the retailer’s own POS
system, encryption during transmission to the bank intermediary and regular PED
terminal checks for possible substituting or tampering.

Card data and security characters are also vulnerable to being stolen or copied for
later fraudulent use. This could be done through till operator sleight of hand or
where a customer has inadvertently forgotten their credit card at the POS.

Gift Voucher Fraud Risks
In addition to cash and credit cards, sometimes gift or promotional vouchers may also
be accepted at the POS. Vouchers are a dream ticket for would-be Frank Abagnale
counterfeiters of ‘Catch me if you can’ fame as they are unlikely to include
sophisticated security features and therefore may be reproducible with today’s quality
printers and papers. Besides counterfeiting, vouchers also present risks of
mis-accounting and erroneous duplication. If the marketing department persuades the
chief executive to accept vouchers to stimulate sales, then management will need to
control the unique risks they create. Vouchers should be Z-totalled separately from
cash and card transactions. At least daily, vouchers need to be removed from the till
and cancelled to prevent fraudulent re-use. Of course unused mint-condition vouchers
should be stored securely to eliminate the risk of theft.

Refund Fraud Risks
POS operators are often empowered to process cash or card refunds to customers which
potentially could be non-legitimate. Ideally refunds will be separately controlled
through a customer service desk rather than through the normal POS till operators.
But if refunds must be made through the POS tills, they ought to require management
authorisation and separate totalling at the end of the day. In this way refunds by
individual operators should be traceable against the operator logon code to
discourage concealment of cash theft.

Discount Fraud Risks
Discounting provides several inventive ways to perpetrate POS fraud including:
• Unauthorised discounts, such as staff discounts, given to non-eligible customers;
  perhaps a “sweetheart” acting in collusion with the till operator.
• Over-riding the product’s stock keeping unit (SKU) code[6] and ringing up the sale
  at a discounted price instead, collecting the full price from the customer while
  not providing the customer with a docket, and pocketing the difference.
• Sale of high-value goods to a “sweetheart” masquerading as a customer rung up as a
  void sale allowing the customer to walk out of the store with goods which were not
  paid for.
• Sale of goods at a discount which are subsequently refunded at full price.
As some of these discounting frauds can result in excess cash being collected in the
till, the operator will then need to do till subtotalling, known as X-reads in the
POS system, during the course of the shift so that any excess cash collected from
customers, in error or as part of deliberately voided or miscoded sales, can be
pocketed by the operator without ever being noticed by end of day Z-totalling
checks.[7]

[2] Three percent is an approximation based on Kelly & Yang’s observations over
several years of client work across different geographies.
[3] The POS system processes and terminology as described in this article have been
observed by us as consistent across different retail client systems.
[4] 0.2% is based on a $10 difference from $5,000 average daily takings from a single
POS till. In most cases, differences should be smaller than this. But differences
more than 0.2% should concern management.
[5] Payment card industry data security standards are promulgated by the PCI Security
Standards Council https://www.pcisecuritystandards.org/.
[6] Stock keeping unit (SKU) or sometimes inventory product number (IPN) is the unique
code assigned by an organisation to each product in its catalogue. These are
developed in-house for inventory management purposes and are therefore non-standard
from retailer to retailer.
[7] The technique of pocketing surplus cash after X-reads was recently reported in the
Daily Telegraph (Sydney, Australia) “Manager stole $50k from bar” (19 April 2019,
page 8).


Human Behavioural Controls
Having summarised above the various fraud schemes observed in our retail client work,
we now consider an array of behavioural and system controls to detect and mitigate
the above kinds of fraud scenarios.

Before considering the controls built into typical POS systems, the following
overarching human behavioural controls can help to reduce incentives to commit fraud:
1. An unambiguous zero tolerance anti-fraud policy which articulates consequences for
   non-compliance so that any staff later caught defrauding the organisation will not
   have a defence that relies on ignorance.
2. Mandatory login to the POS till at the start of each shift and logout at the end,
   with zero tolerance of operator logon code sharing, to ensure personal
   accountability for all transactions.
3. Operator training on correct procedures for sales, cancellations and refunds.
4. POS tills and cash safes physically positioned such that operator activity is
   always visible and within CCTV range.
5. Operators not permitted to have bags, purses or wallets with them when operating
   POS tills.
6. Management spot-checks on operator lockers.
7. Visibility of the POS transaction display to the customer as it is rung up whether
   it is a sale, refund or cancellation.
8. Printed dockets with the till operator’s ID routinely provided to the customer so
   that individual transactions can be traced back to the operator.
9. Segregation of duties between till operation, start-of-day float, refunds,
   end-of-day totalling and banking.
10. POS operator awareness that there is a mystery shopper regime in place by which
    the above controls are randomly checked by anonymous members of management and
    audit.
11. Knowledge of safe codes limited only to necessary personnel.
If any of these controls are not in place or are evaluated to be ineffective such as
when tested in mystery shopper activities, then those deficiencies would point
towards specific process improvements or audit findings in need of rectification.

POS TILL SYSTEM CONFIGURATION CONTROLS
POS till systems typically allow real-time tracking of sales, cash receipts, stock
movements and individual operator activity. Each retailer will have configured its
POS and stock management system differently, hence the need for management and
auditors to research the system configuration and inbuilt system controls at the
outset. When assessing configuration suitability, findings might include non-use of
inbuilt POS system features due to lack of management awareness or deficiencies in
operator training.

Errors or theft can occur where goods are processed at other than their correct
retail price. To counter this, in most POS till systems the operator scans or enters
the SKU stock code rather than keying in the price. SKU codes will cross reference to
a master file containing data about each stock item such as its description, pack
size, colour and price. In this way, SKU codes reduce the likelihood of operator
pricing errors. Management and audit should consider testing the accuracy of the SKU
master file, and procedures to ensure it is kept up to date with ever-changing
products, dimensions such as pack sizes and prices.

Sometimes the POS system configuration may permit operators the freedom to override
the SKU code price with fixed or discretionary discounts. Default discount settings
should be either restricted or switched off.

Besides ensuring all sales are processed at the correct price or discount, a further
benefit of processing sales using SKU codes is that stock quantities will
simultaneously be tracked. By inputting the opening stock quantities, the use of SKU
codes at the point of sale will ensure stock is updated real-time as sales are
processed.

POS DATA ANALYTICS
As most fraudulent behaviour leaves a trail of data footprints, POS data can be
analysed to isolate individual operators with unusually high cash variances, sales
discounts, void sales, cancellations, refunds and X-read subtotalling during the
shift. An example POS performance operator report displaying these occurrences is
shown in Table 1. Each field can be sorted and analysed for unusual data patterns
which may point towards fraudulent operator behaviour. Drilling down from the
performance operator report into the individual time-stamped suspicious transactions
can then be cross-checked to CCTV images to produce evidence for disciplinary
purposes.

the opening stock quantities, the use of
UserName TransCount SalesValue SalesIncTax XreadCount VoidSaleCount ReturnCount ReturnValue CancItemCount CancItemValue CancSaleCount CancSaleValue DiscCount DiscValue PromoDiscCount PromoDiscValue
Debbie Lacey 791 6,368.65 6,999.77 0 27 1 10.91 109 337.50 7 0.00 2 6.95 12 15.99
Michelle Jolly 29 295.56 323.46 0 0 0 0.00 1 9.09 0 0.00 0 0.00 1 0.90
Carmel Jeavons 285 2,147.74 2,351.82 3 33 1 36.27 48 230.51 32 0.00 0 0.00 3 4.74
Sophie Vyse 264 2,276.35 2,489.12 0 9 0 0.00 12 84.18 2 0.00 3 7.95 34 107.57
Noriko Kurihara 1,372 10,517.17 11,337.73 0 9 2 8.63 55 527.78 3 0.00 28 96.76 398 784.97
Qing Yang 449 4,577.45 4,788.94 5 0 1 20.42 44 438.20 5 0.00 8 25.09 105 175.41
Ahmed Haryanto 20 263.80 288.01 0 1 0 0.00 0 0.00 1 0.00 0 0.00 4 3.79
Akanksha Cronel 773 10,771.19 11,720.42 2 26 0 0.00 26 196.34 24 0.00 24 45.11 315 932.79
Alexander Moh 913 9,083.42 9,894.21 2 23 3 56.18 33 267.41 5 0.00 19 74.76 184 506.54
Alix Bhatt 160 1,224.04 1,338.12 0 6 1 7.25 11 38.73 3 0.00 2 6.95 6 9.48
Allison Bachel 227 2,081.19 2,285.07 0 8 0 0.00 26 90.55 2 0.00 1 1.00 2 3.16
Amandeep Shooper 178 1,991.73 2,175.97 2 6 1 27.27 34 309.09 0 0.00 1 11.40 31 84.13
Amel Copeland 347 2,614.70 2,832.26 9 23 0 0.00 10 36.18 2 0.00 1 2.30 131 344.41
Amelia Singh 579 9,602.67 10,475.65 0 21 3 22.59 22 367.82 33 0.00 1 1.35 208 664.92
Amit Shah 319 4,548.44 4,721.88 1 17 1 5.00 9 152.35 2 0.00 0 0.00 44 75.08
Amy McScottish 56 1,940.77 2,134.82 0 0 0 0.00 0 0.00 0 0.00 0 0.00 17 195.07
Andrew Shresh 686 10,298.80 10,764.23 32 70 8 117.72 20 289.38 3 0.00 8 33.35 54 168.37
Angela Mac 257 2,372.23 2,601.97 0 12 1 4.55 33 168.08 0 0.00 0 0.00 1 0.90
Amy Malcolm 81 1,253.60 1,373.11 0 2 0 0.00 1 36.35 0 0.00 0 0.00 24 84.02
Anita Li 779 6,767.31 7,351.80 3 23 1 206.44 62 631.24 2 0.00 11 36.83 102 278.27
Annette Tai 0 0.00 0.00 0 0 0 27.23 0 0.00 0 0.00 0 0.00 0 0.00
Anna Kacinariovski 263 3,877.97 4,203.12 0 3 0 0.00 15 125.33 2 0.00 8 39.30 140 461.95
Annette Hobdash 139 1,369.14 1,503.98 1 4 0 0.00 5 8.45 0 0.00 0 0.00 0 0.00
Annika Lacey 586 5,262.13 5,764.59 0 24 1 5.45 41 179.92 5 0.00 0 0.00 16 25.50
Anthea Kelly 455 6,492.61 7,077.58 2 2 1 47.18 31 446.13 14 0.00 0 0.00 179 634.41

Table 1 EXAMPLE OPERATOR PERFORMANCE REPORT.
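
The sort-and-compare analysis described for Table 1 can be scripted. The following is an added example, not part of the original article: it parses the Table 1 rows and flags operators whose X-read, void-sale or cancelled-sale counts per 100 transactions are high outliers among their peers. The robust z-score method, the 3.5 cutoff, the 100-transaction minimum and all function names are assumptions of this example.

```python
import statistics

COLUMNS = ("TransCount SalesValue SalesIncTax XreadCount VoidSaleCount ReturnCount "
           "ReturnValue CancItemCount CancItemValue CancSaleCount CancSaleValue "
           "DiscCount DiscValue PromoDiscCount PromoDiscValue").split()

# Rows copied from Table 1 of the article (operator name, then 15 figures).
TABLE_1 = """\
Debbie Lacey 791 6,368.65 6,999.77 0 27 1 10.91 109 337.50 7 0.00 2 6.95 12 15.99
Michelle Jolly 29 295.56 323.46 0 0 0 0.00 1 9.09 0 0.00 0 0.00 1 0.90
Carmel Jeavons 285 2,147.74 2,351.82 3 33 1 36.27 48 230.51 32 0.00 0 0.00 3 4.74
Sophie Vyse 264 2,276.35 2,489.12 0 9 0 0.00 12 84.18 2 0.00 3 7.95 34 107.57
Noriko Kurihara 1,372 10,517.17 11,337.73 0 9 2 8.63 55 527.78 3 0.00 28 96.76 398 784.97
Qing Yang 449 4,577.45 4,788.94 5 0 1 20.42 44 438.20 5 0.00 8 25.09 105 175.41
Ahmed Haryanto 20 263.80 288.01 0 1 0 0.00 0 0.00 1 0.00 0 0.00 4 3.79
Akanksha Cronel 773 10,771.19 11,720.42 2 26 0 0.00 26 196.34 24 0.00 24 45.11 315 932.79
Alexander Moh 913 9,083.42 9,894.21 2 23 3 56.18 33 267.41 5 0.00 19 74.76 184 506.54
Alix Bhatt 160 1,224.04 1,338.12 0 6 1 7.25 11 38.73 3 0.00 2 6.95 6 9.48
Allison Bachel 227 2,081.19 2,285.07 0 8 0 0.00 26 90.55 2 0.00 1 1.00 2 3.16
Amandeep Shooper 178 1,991.73 2,175.97 2 6 1 27.27 34 309.09 0 0.00 1 11.40 31 84.13
Amel Copeland 347 2,614.70 2,832.26 9 23 0 0.00 10 36.18 2 0.00 1 2.30 131 344.41
Amelia Singh 579 9,602.67 10,475.65 0 21 3 22.59 22 367.82 33 0.00 1 1.35 208 664.92
Amit Shah 319 4,548.44 4,721.88 1 17 1 5.00 9 152.35 2 0.00 0 0.00 44 75.08
Amy McScottish 56 1,940.77 2,134.82 0 0 0 0.00 0 0.00 0 0.00 0 0.00 17 195.07
Andrew Shresh 686 10,298.80 10,764.23 32 70 8 117.72 20 289.38 3 0.00 8 33.35 54 168.37
Angela Mac 257 2,372.23 2,601.97 0 12 1 4.55 33 168.08 0 0.00 0 0.00 1 0.90
Amy Malcolm 81 1,253.60 1,373.11 0 2 0 0.00 1 36.35 0 0.00 0 0.00 24 84.02
Anita Li 779 6,767.31 7,351.80 3 23 1 206.44 62 631.24 2 0.00 11 36.83 102 278.27
Annette Tai 0 0.00 0.00 0 0 0 27.23 0 0.00 0 0.00 0 0.00 0 0.00
Anna Kacinariovski 263 3,877.97 4,203.12 0 3 0 0.00 15 125.33 2 0.00 8 39.30 140 461.95
Annette Hobdash 139 1,369.14 1,503.98 1 4 0 0.00 5 8.45 0 0.00 0 0.00 0 0.00
Annika Lacey 586 5,262.13 5,764.59 0 24 1 5.45 41 179.92 5 0.00 0 0.00 16 25.50
Anthea Kelly 455 6,492.61 7,077.58 2 2 1 47.18 31 446.13 14 0.00 0 0.00 179 634.41
"""

def parse_report(text):
    """Return {operator: {column: number}}; the last 15 tokens of a row are figures."""
    report = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        name = " ".join(tokens[:-len(COLUMNS)])
        figures = [float(t.replace(",", "")) for t in tokens[-len(COLUMNS):]]
        report[name] = dict(zip(COLUMNS, figures))
    return report

def flag_outliers(report, metric, min_trans=100, cutoff=3.5):
    """Operators whose `metric` per 100 transactions is a high robust-z outlier."""
    rates = {n: 100 * r[metric] / r["TransCount"]
             for n, r in report.items() if r["TransCount"] >= min_trans}
    med = statistics.median(rates.values())
    mad = statistics.median(abs(x - med) for x in rates.values())
    if mad == 0:  # at least half the peers share one rate: flag anything above it
        return {n: round(x, 2) for n, x in rates.items() if x > med}
    return {n: round(x, 2) for n, x in rates.items()
            if 0.6745 * (x - med) / mad > cutoff}

def inconsistent_rows(report):
    """Operators showing a monetary value against a zero count (data-quality check)."""
    pairs = [("ReturnCount", "ReturnValue"), ("CancItemCount", "CancItemValue"),
             ("DiscCount", "DiscValue"), ("PromoDiscCount", "PromoDiscValue")]
    return [n for n, r in report.items()
            if any(r[c] == 0 and r[v] > 0 for c, v in pairs)]

if __name__ == "__main__":
    report = parse_report(TABLE_1)
    for metric in ("XreadCount", "VoidSaleCount", "CancSaleCount"):
        print(metric, flag_outliers(report, metric))
    print("value without count:", inconsistent_rows(report))
```

On the Table 1 data the consistency check surfaces the Annette Tai row, which carries a return value against zero transactions.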


END-OF-DAY CASHING-UP ROUTINE
A typical end-of-shift control entails the Z-total cashing-up summaries for each till
being matched to the cash in the till; unders/overs being logged for each till and
operator; and traceability of till cash to end-of-day bank deposits. Cash takings are
transferred to a safe which can range from a key or combination-controlled strongbox
to a smart safe requiring individual user logon and automated cash counting. Cash in
the safe is then transported intact for deposit into the retailer’s bank account.
Understanding the till and safe configuration and how cash handling duties are
segregated will help to determine the strong and weak points in the cash cycle.

The end-of-day cashing-up routine should be performed assiduously so that anomalies
are followed up quickly. Any delay or failure of this control should concern
management.
Periodic attendance at the end-of-day cashing-up routine by accounting and audit
personnel can be a way of discovering new and previously unknown risks. On doing this
for various retail clients, we have discovered unexpected localised procedures such
as daily cash variances being hidden with previously unknown till slush funds; and
tills that contained mint condition promotional vouchers, postage stamps and prepaid
telephone cards for sale to customers which had been expensed rather than
inventoried. In such scenarios, untraceable fraud could have been perpetrated (and
probably was) without management’s knowledge.

PROMPT BANKING
End-of-day till cash will comprise (1) the cash with which the tills will be
re-floated the next day and (2) the day’s cash sales to be banked. Management need to
ensure that the physical cash collected from the tills is locked away securely for
the next day’s transit to the bank.
Cash remains vulnerable while sitting in the safe, at time of collection, during
transit and upon arrival at the bank. At each stage cash can be mis-accounted, stolen
or delayed. Theft of cash can be masked by overlapping bank deposits from later
takings (known as “lapping”) resulting in serial delayed banking giving the false
appearance that cash is flowing normally albeit with delays. This kind of fraud may
come to light when the perpetrator is absent due to illness or holiday.

For the above reasons management and auditors should ensure POS end-of-day totalling
is done diligently each day, the results forwarded to head office, and the net cash
and card banking reconciled to the penny against the bank statement. Any deviations
or delays could suggest money going missing at store level or during transit. For
these reasons delays or discrepancies need to be followed up as soon as they come to
light. Otherwise, staff learn to exploit the loopholes. If unaddressed, experience
shows problems will likely get worse over time.
Management and auditors should recommend changes to the cash cycle if:
• Cash is not kept securely overnight.
• Cash is not banked promptly the next working day.
• Cash goes missing while in transit to the bank.
• Banking is delayed resulting in excessive amounts held in safes which may present a
  tempting theft opportunity.
• Cash handling staff do not take holidays.
• There is not a traceable link between the aggregate till totals and the amount
  banked. In our client work we have seen poorly designed spreadsheets used for
  aggregating cash collections across multiple tills which served to conceal fraud
  due to deliberate totalling errors in the spreadsheet’s formulas giving the false
  appearance of reconciliation to the amount banked.
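
The reconciliation called for above (each till's counted cash to its Z-total within the 0.2% tolerance discussed under Cash and Card Fraud Risks, and till totals to the amount banked by the next working day) is sketched here as an added example that is not part of the original article. All figures are constructed, and the data layout, the one-deposit-per-trading-day assumption and the function names are assumptions of this example; the aggregate is recomputed from till-level figures rather than taken from a store spreadsheet.

```python
from datetime import date, timedelta
from decimal import Decimal

TOLERANCE = Decimal("0.002")  # 0.2% of the Z-total, the article's threshold for concern

# Constructed sample data: trading date -> till -> (cash Z-total, cash counted net of float).
TILLS = {
    date(2019, 5, 13): {"T1": ("5000.00", "4995.00"), "T2": ("3200.00", "3200.00")},
    date(2019, 5, 14): {"T1": ("4800.00", "4770.00"), "T2": ("3100.00", "3100.00")},
    date(2019, 5, 17): {"T1": ("5100.00", "5100.00"), "T2": ("2900.00", "2900.00")},
}
# Constructed sample data: trading date -> (date banked, amount per bank statement).
BANKED = {
    date(2019, 5, 13): (date(2019, 5, 14), "8195.00"),
    date(2019, 5, 14): (date(2019, 5, 15), "7670.00"),
    date(2019, 5, 17): (date(2019, 5, 22), "8000.00"),
}

def next_working_day(day):
    """Next Monday-to-Friday date; public holidays are not modelled."""
    day += timedelta(days=1)
    while day.weekday() >= 5:
        day += timedelta(days=1)
    return day

def reconcile(tills, banked):
    """Return (trading date, till, issue, amount or days) exceptions in date order."""
    exceptions = []
    for day in sorted(tills):
        counted_total = Decimal("0")
        for till, (z_total, counted) in sorted(tills[day].items()):
            z, cash = Decimal(z_total), Decimal(counted)
            counted_total += cash
            if abs(cash - z) > TOLERANCE * z:          # over or under beyond 0.2%
                exceptions.append((day, till, "variance", cash - z))
        if day not in banked:
            exceptions.append((day, "ALL", "not banked", -counted_total))
            continue
        banked_on, amount = banked[day]
        if Decimal(amount) != counted_total:           # must agree to the penny
            exceptions.append((day, "ALL", "banking mismatch",
                               Decimal(amount) - counted_total))
        if banked_on > next_working_day(day):          # serial delays can mask lapping
            exceptions.append((day, "ALL", "late banking", (banked_on - day).days))
    return exceptions

if __name__ == "__main__":
    for row in reconcile(TILLS, BANKED):
        print(*row)
```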


CONCLUSION
As is often the case, the devil lurks in the
details. This article has sought to outline
concisely the detailed risks around POS
retail fraud and the detailed internal
controls to eliminate or at least mitigate
those fraud risks. Since most transactions
leave a trail of time-stamped data, the
organisation’s chief information officer
and POS system administrator will be the
gatekeepers who can assist management
and auditors in critically reviewing the
POS system configuration and the inbuilt
controls which may not have been switched
on, and in obtaining the data needed for the
analytics suggested above. Controls around POS
tills and safes, with spot checks by
management and auditors, can help to
create a positive POS culture encouraging
operator integrity over takings and stock
with immediate and sustainable dollar
savings for the organisation.

Author information
Christopher C Kelly. After 11 years as a tax
consultant and auditor with Ernst & Young
in the UK and Middle East, Chris switched
into industry as head of internal audit for
several UK and Australian companies.
While in industry he pioneered audit and
risk management techniques utilizing
mathematical data analytics resulting in
numerous fraud discoveries, material
treasury savings and process efficiencies.
Since the 1990s Chris progressively
disseminated the intellectual property
arising from these achievements in US and
UK professional journals and went on to
do a finance doctorate at Middlesex
University in London, UK. This career-
long build-up of experience and
intellectual property allowed him to found
Kelly & Yang which today provides risk
management, internal audit and data
analytics services to corporate and
government clients.
