Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

A Jackpot Win

A vulnerable lottery ticket system allows a store manager to steal tickets and create make-believe winnings.

Comments Views

​When Jenny Smith, a store manager for Australian retail chain Kangaroo Konvenience, realized she could easily defraud her employer by exploiting its point-of-sale (POS) system, she seized the opportunity. Her unsegregated sale and reconciliation duties allowed her to validate lottery tickets for herself without logging the sale in the system, leading to sizeable losses for the chain.

As in many countries, lotteries in Australia are state-run as a way of raising state revenues. Typically, about half of ticket sales are spent on marketing, administration, and gaming taxes, while the remainder is returned to the prize pool. While low-value prizes are mathematically frequent, the possibility of winning millions, despite its low probability, engenders player loyalty. On average, players win 30% to 40% of their ticket spend, leading players to believe that a jackpot win is imminent. Acting as a lottery agent can be profitable for retailers that benefit from lottery customer foot traffic, as well as earning a commission of about 10% on each ticket sold. 

Lottery tickets have several controls to prevent cheating the state, including electronic codes that guard against counterfeiting, alteration, or duplication. In Australia, each ticket sold by the retailer must be validated and time stamped in the state government's independent POS system to participate in the game. After game validation, the retailer must enter the sale into its own POS system and collect payment. 

Although the two systems should record identical lottery transactions, the risk falls to the retailer if they do not. The retailer sells the ticket at 100% of its face value, retains approximately 10% as commission income, and remits the remaining 90% of the ticket price back to the state. So, the theft of a single lottery ticket costs the retailer nine times the amount of the earned commission. Under The IIA's Three Lines Model, Kangaroo's first-line function includes a daily reconciliation of all lottery transactions between the two systems to ensure that every ticket activated in the state's POS system is also paid for in full in Kangaroo's POS system. 

Second-line head office monitoring controls provide additional assurance that in-store controls log all ticket sales. Monitoring by the head office was slightly complicated by the different lottery games across Kangaroo's store portfolio, occasional keying errors by staff when entering transactions, low-value cash payouts to in-store customers, and the sale of syndicated tickets to groups of customers that required unsold portions to be charged back to the retailer by the state. Second-line controls were difficult for new head office staff to grasp unless they had in-store experience or were adequately briefed during induction. 

By not logging the sale in Kangaroo's POS system, Smith knew the absent ticket sales would not appear on Kangaroo's end-of-day cash till, so an end-of-day cash variance would not arise. This first-line failure meant Kangaroo was charged by the state for the validated tickets even though the tickets had not been paid for. 

It was second-line control lapses at Kangaroo's head office during a finance supervisor's maternity leave that enabled Smith's fraud to go unnoticed. A replacement staff member spotted the control failure, but she also went on leave before it could be remedied. Against earlier advice from Kangaroo's internal auditors, job handover during staff changeovers remained poor and controls undocumented, so new staff members did not understand the in-store risk or the absence of second-line controls.

Even worse, Smith figured she could outsmart the head office by entering fake lottery winnings into Kangaroo's POS system to steal cash from the till, which she fraudulently logged as genuine prize payouts. Her stolen lottery tickets and the 30% to 40% average winnings per fake player were further supplemented by direct cash thefts from the till masked as genuine prize payouts, which allowed her to pocket more than AU$100,000 (US$77,000) over a two-year period. 

The declining lottery commission margin was finally noticed after another staff change at Kangaroo's head office, which led to the discovery that the lottery control account was not oscillating around zero as expected. An after-hours visit to the store by management revealed the first-line store controls had lapsed under Smith. When interviewed, she confessed to what she was doing. 

Smith first realized the opportunity when she erroneously processed a ticket sale that was never investigated by the head office. A gambling addiction and the intent to repay the money after she won the jackpot was how she rationalized her actions, which grew in intensity when she realized she could win 30% to 40% of the payouts built into the lottery system on tickets she obtained free of charge. 

Management engaged internal audit to research and explain the control failures to it and the audit committee. The auditors used data mining to identify specific theft occurrences by matching state government lottery transactions to the retailer's sales and payouts. They also used the technology to cross match staff time sheets to check whether other store staff may have been involved and determine if similar frauds occurred at other stores. This enabled internal audit to piece together the make-believe lottery cash payouts and ticket theft fraud.

Smith was immediately fired and forfeited all accrued employment benefits, but she was not prosecuted as police and lawyers determined Kangaroo was at fault through failing to exercise first-line and second-line controls. 

Matt Knight, the financial controller, was fired because he failed to spot second-line control lapses by the finance supervisors in his charge. Plus, Knight had several actions from unrelated internal audits that were overdue. The area manager also was dismissed for failing to oversee in-store reconciliations, along with the dubiously titled loss prevention manager.

​Lessons Learned

  • As Kangaroo Konvenience's smallest out-of-town store, duties were not segregated and visits by management and internal audit were infrequent. Staff members were reminded of the importance of segregating duties and carrying out supervisory visits, or otherwise repurposing small stores if their risks cannot be controlled. 

  • Control accounts are designed to oscillate around zero as reversing transactions self-cancel, or otherwise show a growing imbalance. In this case, the financial controller's team had ignored the control account imbalance warning.

  • Staff turnover in head office second-line oversight, combined with undocumented controls, was a red flag. Updated controls should be recorded in process playbooks that can help sustain control continuity when someone is filling in for another employee on leave or when training new staff members. 

  • Head office staff members with no in-store experience should be required to visit stores at least twice per year to participate in, and better understand, first-line controls.

  • The fraud prompted management to improve controls and make staff changes resulting in reduced salary costs and promotion of capable juniors into the newly vacant roles. These enhancements recouped Kangaroo's losses by refreshing and strengthening the head office finance and loss prevention teams.

Christopher Kelly
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author

 

 

Christopher KellyChristopher Kelly<p>​​Christopher Kelly, DProf, FCA​, PFIIA, is a partner at internal audit consulting firm Kelly & Yang in Melbourne, Australia.</p>https://iaonline.theiia.org/authors/Pages/Christopher-Kelly.aspx

 

Comment on this article

comments powered by Disqus
  • AuditBoard-November-2021-Premium-1
  • OnRisk-2022-November-2021-Premium-2
  • 2021-All-Star-Conference-November-2021-Premium-3

 

 

Stopwatch Auditinghttps://iaonline.theiia.org/blogs/jacka/2021/Pages/Stopwatch-Auditing.aspxStopwatch Auditing
Thanks, We Already Know Thathttps://iaonline.theiia.org/blogs/jacka/2020/Pages/Thanks-We-Already-Know-That.aspxThanks, We Already Know That
Hidden Goalshttps://iaonline.theiia.org/blogs/jacka/2021/Pages/Hidden-Goals.aspxHidden Goals
Building a Better Auditor: Which Way Should I Go?https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Which-Way-Should-I-Go.aspxBuilding a Better Auditor: Which Way Should I Go?