The Case of the CFO’s Family Photo
I was recruited to a thirty-store startup retailer to launch their first loss prevention program. My supervisor, the CFO, was a seasoned, no-nonsense retailer. Our very first meeting started with typical small talk when I noticed a picture placed prominently on his desk. The picture was of a thin, short-haired person bending over to pet a dog. Mistakenly, I asked, “Is that your son?” The CFO replied in a stern tone, “No, that’s my wife,” adjusting the framed photo slightly.
Despite the poor start to the meeting, I recovered due to diligent preparation and a simple theme of accountability based on my past access control technology experience. I presented a PowerPoint deck outlining my critical path for the next 30/60/90 days with milestones and specific objectives. With only a few changes, he approved my plan. Wanting to make an immediate impact, I scheduled meetings with the other department heads to listen to their loss prevention concerns and solicit ways to assist.
My first meeting was with the assistant controller (let’s call him John). He was the older brother of a longtime friend who lobbied senior leadership to start a loss prevention program. John happened to be the person managing alarm installations, false-alarm fines, and cash loss. He asked if I could work with him to research and resolve the associated issues. I agreed and began with false-alarm fines.
I obtained an Excel data dump of alarm reports covering the past three months. While researching false-alarm activations, I noticed odd activity in a store that was literally a hundred yards from the corporate office. The alarm information showed that the store was frequently opened and closed after store hours in the middle of the night. I brought this information to John’s attention. He thought it might be related to preparation for taking inventory. The store was a high-shrink store and was scheduled for quarterly cycle count inventories. The overnight entries occurred several times every week and sometimes for periods of fewer than thirty minutes.
I requested additional alarm information and point-of-sale (POS) returns and voids going back a year and dug into the data. What I found changed the way the company approached access control technology.
The POS data indicated that two credit cards had been credited more than $30,000 over the past six months. The credits were no-receipt returns and exchanges completed by thirty different user IDs. One of the credit cards belonged to the assistant manager, and the other card belonged to his wife. (Coincidence? I think not.) A review of the transaction dates and times revealed that most returns were completed with the user IDs of employees on their days off or by employees who had left the company. The assistant manager was on vacation, so I conducted a review of the store POS and alarm controls.
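The analysis above came down to three joins that are easy to automate: returns completed under a user ID whose owner was terminated or off duty, credits concentrated on a single tender card across many user IDs, and alarm open/close pairs outside store hours that last only minutes. The script below is an added illustration, not code from the original article or the retailer's systems; the roster, POS export and alarm export are constructed sample records, and field names such as `RETURN_NO_RCPT` and the store-hours window are assumptions.

```python
"""Correlate POS no-receipt returns with employee status and alarm events.

Added illustration, not code from the original article. All records below
are constructed sample data; the column names and store hours are assumptions.
"""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

FMT = "%Y-%m-%d %H:%M"
# Assumed window in which an alarm OPEN is unremarkable (staff arrive early, leave late).
STORE_OPEN, STORE_CLOSE = time(7, 0), time(23, 0)

# Constructed roster: term_date is None for active staff; shifts are dates actually worked.
ROSTER = {
    "u101": {"term_date": None, "shifts": {"2017-03-04", "2017-03-05"}},
    "u102": {"term_date": "2017-01-15", "shifts": set()},   # left the company in January
    "u103": {"term_date": None, "shifts": {"2017-03-05"}},  # off on 2017-03-04
}

# Constructed POS export: no-receipt returns credited back to a tender card.
POS_CSV = """ts,user_id,txn_type,amount,card
2017-03-04 10:12,u101,RETURN_NO_RCPT,240.00,card_A
2017-03-04 11:02,u102,RETURN_NO_RCPT,610.00,card_A
2017-03-04 11:40,u103,RETURN_NO_RCPT,380.00,card_B
2017-03-05 09:15,u103,SALE,59.99,card_C
2017-03-05 14:30,u101,RETURN_NO_RCPT,120.00,card_D
"""

# Constructed alarm export: system open/close events with the disarm code used.
ALARM_CSV = """ts,event,code
2017-03-04 07:30,OPEN,mgr2
2017-03-04 22:10,CLOSE,mgr2
2017-03-05 02:14,OPEN,mgr2
2017-03-05 02:39,CLOSE,mgr2
"""


def parse(csv_text):
    """Read a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(csv_text)))


def flag_returns(rows, roster):
    """Return (row, reason) for credits completed under IDs that should not have been in use."""
    flagged = []
    for row in rows:
        if row["txn_type"] != "RETURN_NO_RCPT":
            continue
        ts = datetime.strptime(row["ts"], FMT)
        emp = roster.get(row["user_id"])
        if emp is None:
            flagged.append((row, "unknown_user"))          # ID not in HR at all
        elif emp["term_date"] and datetime.strptime(emp["term_date"], "%Y-%m-%d") < ts:
            flagged.append((row, "terminated_user"))       # ID outlived the employee
        elif ts.strftime("%Y-%m-%d") not in emp["shifts"]:
            flagged.append((row, "user_off_duty"))         # owner was not in the store
    return flagged


def card_credit_totals(rows, threshold):
    """Sum no-receipt credits per tender card; keep cards at or above threshold.

    Returns {card: (total, distinct_user_ids)} so a single card fed by many IDs stands out.
    """
    totals, users = defaultdict(float), defaultdict(set)
    for row in rows:
        if row["txn_type"] == "RETURN_NO_RCPT":
            totals[row["card"]] += float(row["amount"])
            users[row["card"]].add(row["user_id"])
    return {c: (round(t, 2), len(users[c])) for c, t in totals.items() if t >= threshold}


def after_hours_sessions(rows, max_minutes=30):
    """Pair OPEN/CLOSE events that begin outside store hours; mark short visits."""
    sessions, opened = [], None
    for row in rows:
        ts = datetime.strptime(row["ts"], FMT)
        if row["event"] == "OPEN":
            opened = ts
        elif row["event"] == "CLOSE" and opened is not None:
            if not (STORE_OPEN <= opened.time() <= STORE_CLOSE):
                minutes = (ts - opened).total_seconds() / 60
                sessions.append({"open": opened.strftime(FMT), "code": row["code"],
                                 "minutes": minutes, "short": minutes < max_minutes})
            opened = None
    return sessions


if __name__ == "__main__":
    pos = parse(POS_CSV)
    for row, reason in flag_returns(pos, ROSTER):
        print(reason, row["ts"], row["user_id"], row["amount"], row["card"])
    print(card_credit_totals(pos, threshold=500))
    print(after_hours_sessions(parse(ALARM_CSV)))
```

Against the constructed data this flags the return under the terminated ID and the one under an off-duty ID, reports card_A as the only card over the threshold (fed by two different user IDs), and isolates the 02:14 entry as a 25-minute night visit. In practice the shifts set would come from the time clock rather than a hand-built dictionary, and the card field should be a token or hash, never the PAN.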
My Findings. The access control procedures for the POS system were ineffective.
- Managers, assistant managers, and supervisors could create and delete user IDs.
- Terminated employees’ user IDs remained active and were being used.
- The assistant manager’s user ID had been deleted, and employee user IDs had been recreated that credited his credit card.
Next Steps. I partnered with human resources to conduct an interview with the assistant manager that resulted in his theft admission. He admitted that he had:
- Deleted employees’ original user IDs and created new IDs and passwords.
- Used the new user IDs and passwords to complete the returns.
- Reset the password himself, or had another manager reset it, when employees complained that their user ID and password no longer worked.
- Re-entered the store at night to pull return-to-vendor merchandise, staged it near the register, and completed the returns while alone the next day.
- Stolen merchandise through the receiving dock, both at night and during the day.
The Results. This incident led to a strengthening of access controls for the POS system:
- POS user IDs could only be created by the system, automatically, after all new-employee paperwork was received and entered into payroll.
- POS user IDs could only be deleted by the system, automatically, upon termination in payroll.
- A POS exception-monitoring system was purchased and implemented.
The incident also led to changing access control technology for entering the building:
- Updated alarm pads were installed that required two codes to be entered before the alarms deactivated.
- An alarm pad was installed at the receiving door, which had to remain armed except while product was actively being received.
- Alarm monitoring software was installed that provided exception reports.
Check out “Access Control and the Case of the Missing Camera” to read more whodunit cases dealing with access control technology. The original article was published in 2017, and this excerpt was updated January 3, 2018.