By Thomas Buckhoff and James Clifton

For obvious reasons, cash is the asset most often stolen by dishonest employees. Fraudsters typically target cash as it enters or leaves the business. Thoroughly understanding the controls and procedures in place for processing cash flowing through a business is of primary importance when conducting a fraud examination. Inadequate cash flow controls, especially over substantial amounts, allow dishonest employees to divert cash into their own pockets. Understanding these controls allows investigators to generate ideas, known as fraud theories, that describe how someone could steal cash from the organization without getting caught. These ideas can be categorized as either on-book or off-book fraud schemes.

Historically, law enforcement and financial investigators are reluctant to investigate off-book fraud schemes due to their lack of direct, documentary evidence. The case study below illustrates various methods effectively used to detect and investigate off-book fraud schemes. Such indirect methods include financial statement analysis, undercover surveillance, invigilation, and admission-seeking interviews.

On-Book and Off-Book Fraud Schemes

Cash larceny involves the theft of cash after it has appeared on a company’s books. Such schemes are called on-book frauds because an examination of the victim company’s records can easily reveal the cash shortage. Here, the company typically knows that a theft has occurred. On-book frauds can be categorized as billing, payroll, expense reimbursement, check tampering, or register disbursement schemes.

Skimming is an example of an off-book fraud, which involves theft of incoming cash before it enters the accounting records. Thus, no record of the fraud exists on the company’s books. Skimming typically entails selling goods or services to a customer, collecting the customer’s cash payment, and making no record of the sale. The victim generally does not know that a theft has occurred. Off-book frauds cannot be detected by examining the company’s books and records and generally are categorized as skimming, unrecorded sales, understated sales and receivables, or theft of checks through the mail.

Case Study: Northern Exposure

Northern Exposure (all names in this case study have been changed) was a gentleman’s club featuring exotic dancers. Its primary revenue sources were cover charges and food, beer, and liquor sales. A recent local ordinance outlawed the type of entertainment offered by Northern Exposure. The club’s manager, however, successfully petitioned the city council to obtain an exemption, and Northern Exposure was allowed to continue operations in a competition-free environment. The substantial effort by the manager on the club’s behalf earned her the owner’s trust and loyalty. In the initial fraud investigation interview, the owner said that anyone could be a suspect—except the manager.

Because of the exemption, the club’s profit potential was enormous. Northern Exposure generated huge amounts of incoming cash, because no credit cards or checks were accepted. However, a huge risk existed that employees would figure out a way to divert incoming cash into their own pockets.

Larry Swenson, Northern Exposure’s owner, was not satisfied with the 10% margins being realized. He engaged two certified fraud examiners to determine why the club was not generating the 35% margins he had expected. They embarked upon a typical fraud examination, whose steps include understanding cash controls, generating fraud theories, collecting and evaluating evidence, estimating losses, assisting in filing claims or bringing charges, and making recommendations.

Understanding Cash Flows

By interviewing Swenson and other personnel, the fraud investigators learned that cash flowed into the business as follows:
Customers paid a $6 cover charge to enter the club. No receipt was given, nor was a head count made. Customers placed orders for food or beverages with the servers. The servers started out with $40 in a cash pouch. They paid the bartenders for their orders from this, then collected payment from the customer. At their shift’s end, the server gave the initial $40 back to the manager and kept the difference as tips. At the end of the night, the manager counted the cash and closed out the cash registers; the cash was deposited by the manager the next morning. Changes in beer and liquor inventory were not reconciled to the drinks rung into the cash register, nor were the register tapes reconciled to deposits listed on the bank statements.

Generating Fraud Theories

The fraud examiners determined that it would be relatively easy for employees to steal and not be caught, based on the control levels they discovered. They developed the following fraud theories:

Off-book frauds such as the first two theories are called skimming and are essentially unrecorded sales. The second two would be considered on-book frauds. Because there was a transaction record, the fraud could be detected by reconciling the cash register tapes to the deposits. In Northern Exposure’s case, however, cash register printing ribbons were not replaced on a timely basis, resulting in illegible tapes.

Collecting and Evaluating Evidence

Indirect investigative methods were used to test the fraud theories. Financial statement analysis is one such method that can be used to test all four fraud theories presented. If employees are indeed stealing cash from the club, then the actual sales markup-over-cost ratios are expected to be less than the budgeted ratios. Accordingly, the fraud investigators determined the actual markup-cost ratios for beer and food sales. Beer was purchased for $.60 per bottle, then sold to customers for $3 each, a markup of 500%. Food items costing $5 were sold to customers for $12.50, a 250% markup. One year’s budgeted revenue was calculated, based on cost of sales and expected markup ratios, then compared to one year’s actual revenue (see Exhibit 1). The significant differences in ratios clearly supported the fraud theories—in fact, food sales were less than their cost of sales! Using this indirect investigative method, the total estimated annual fraud loss due to skimming or cash larceny was $379,974.

The investigators knew that the club had a big problem with fraud; determining which employees were responsible came next. Undercover surveillance can be used effectively for identifying dishonest employees. Posing as customers, a team of six trained fraud investigators (with experience as bartenders and servers) spent a collective 40-hour week at the club observing the employees’ activities and behavior. This surveillance revealed that 90% of them, including the manager, regularly stole cash from the club, with little regard to subtlety. The reason that employees never complained about salary levels, despite low base wages and a lack of raises, became clear. In fact, several servers and bartenders had been there for years, which is highly unusual for this type of club. The lead investigators communicated their findings to Swenson, who, though concerned, was reluctant to take action without more substantive evidence of employee theft.

Estimating Losses Incurred

To more firmly establish the fraud losses and estimate their amount, the fraud investigators conduced a week-long invigilation. Invigilation creates a strict internal control environment so that opportunities to commit fraud are virtually eliminated and a fraud-free profile can be established. The cash received and deposited during the invigilation is then compared to the periods before and after. As an indirect investigative method, invigilation can be very effective in estimating fraud losses. The key to an invigilation’s success is making the employees think that any theft during that period will be detected. Instilling the perception of detection in this case was accomplished by sending in the same team of six investigators to watch the employees for one week. The club’s employees and manager were informed that the investigators were there to make sure that every dollar collected from customers made it into the bank at the end of the day and that changes in consumable inventories were properly accounted for. During the invigilation, the investigators conspicuously watched employees handling cash, conducted surprise cash counts, reconciled changes in inventory to cash register tapes, monitored end-of-night cash counts, and witnessed the daily cash deposits.

The first day brought an incident that greatly heightened the perception of detection. Meals were served downstairs, away from the live entertainment area. Suspecting the single server working downstairs of skimming money from food sales, one of the investigators conducted a surprise cash count and reconciled cash rung into the register to meals prepared by the cooks. The server had skimmed $25 in the first hour she worked. When confronted with the evidence, the server confessed and was immediately terminated. News quickly spread to the other employees, who realized that their activities were indeed under close surveillance. No other employees were caught skimming during the remainder of the invigilation.

During the invigilation’s first night, a Friday, $8,300 in cash was deposited into the bank—the largest sum for one night in the entire 15-year history of the club. This occurred on what was considered a “slow” night—unlike the previous week, which had seen near-record attendance. The manager and employees all soon realized that setting such a record on a slow night reflected poorly on them. This convinced Swenson that his employees were stealing from him, and he wanted to fire everyone on the spot. The investigators persuaded him to allow the invigilation to continue for the entire week as planned. The results of the week-long invigilation are summarized as follows:

Gross cash receipts during the invigilation were $30,960, compared with $25,775 the previous week and $22,006 for the annual weekly average (see Exhibit 2). The revenue during the week of invigilation exceeded the average weekly revenue by $8,954 and the previous week’s revenue by $5,185, despite being a slow week. The above differences implied that at least $259,250 and as much as $447,700 was skimmed per year. (After changes were implemented following the investigation, the remaining nine months’ sales were $300,000 higher than for the same period in the prior year.)

Swenson no longer doubted that his employees were stealing from him. As noted earlier, Swenson had had difficulty believing his manager was stealing because of her efforts to exempt the club from the city ordinance. It became apparent that these efforts were motivated by a desire to protect her illicit cash flow.

Employee interviews were held during the week of the invigilation. Their purpose was twofold: to further enhance the perception of detection during the invigilation period, and to provide employees with an opportunity to report any fraudulent activities. Very specific questions were asked during the interviews, based upon information from the prior undercover surveillance and the ongoing invigilation. While no one admitted to stealing, they did implicate fellow employees; many claimed that manager Betsy Smith was the primary thief.

Filing Claims and Pressing Charges

During her interview, Betsy Smith was confronted with the evidence from the undercover surveillance, invigilation, and employee interviews. After 2 Qs hours, she admitted to stealing almost $100,000 over three years. Her admission was converted to a written statement, which she ultimately signed. The statement detailed the amounts she had skimmed, when she had done so, and the various techniques (skimming from liquor sales, bank deposits, video sales, and food deliveries) she had used. An attached summary totaled the funds skimmed by source. Since evidence collected in resolving off-book fraud schemes is mostly indirect and circumstantial, obtaining a signed admission statement greatly facilitates the filing of employee dishonesty insurance claims or criminal charges. In this case, such a claim was filed by the fraud investigators on behalf of Northern Exposure.

The insurance company restituted Northern Exposure for the maximum coverage amount provided by their policy, $50,000. Clearly, the coverage amount was inadequate given the exposure to risk for such a cash-intensive business. As required by the insurance provider, evidence collected during the fraud examination was turned over to local law enforcement for prosecution.

Making Fraud Prevention Recommendations

Cash-intensive businesses (e.g., bars, restaurants, casinos, convenience stores, movie theaters) are vulnerable to off-book fraud schemes. Few people will steal if they think they will be caught and suffer serious negative consequences. Accordingly, the most effective deterrent is to instill this perception of detection in employees’ minds. In Northern Exposure’s case, the two assets most susceptible to theft were cash and inventory, especially the beer and liquor inventories. Consequently, better internal controls were needed to safeguard those assets.

The following internal controls were implemented:

Companies will always be susceptible to fraud at the points where cash enters or leaves the business. But even cash-intensive businesses can take measures to ensure that fraud is minimized or eradicated. Despite a lack of direct evidence, off-book fraud schemes, such as the skimming that occurred at Northern Exposure, can be detected and thwarted through indirect investigation techniques and careful control over the cash flow a business generates.