Cash Theft and Skimming Schemes

Skimming is an off-book crime. The perpetrator intercepts cash at the point where it enters the organisation but before any record is made. A retail cashier who accepts payment, does not ring the sale, and pockets the money has skimmed the transaction. A front-desk employee at a medical practice who collects a co-payment in cash, does not post it to the patient account, and keeps the cash has done the same. In both cases, the organisation's books show no record of the receipt, so the accounts balance perfectly without the stolen amount.

The main skimming sub-schemes are: unrecorded sales (the entire transaction is suppressed), understated sales (the transaction is recorded at a lower amount than collected), and receivables skimming (a payment from a customer is intercepted before it is posted to the accounts receivable ledger). In receivables skimming, the perpetrator typically conceals the theft by writing off the customer balance as a bad debt, applying a credit memo, or using a subsequent payment from another customer to cover the gap, a technique called lapping.

Lapping deserves specific attention because it can persist for years. The scheme requires the perpetrator to apply each incoming payment to the oldest open account rather than the correct one, keeping the receivables ledger approximately clean while perpetually owing the current victim. Lapping collapses if the perpetrator leaves, if a surprise reconciliation is done on customer accounts, or if customers are contacted directly and asked to confirm their account balances.

Cash larceny is theft after recording. The cash has entered the accounting records as received, but before it reaches the bank it is diverted. The most direct form is register theft: the cashier records the sale, the drawer opens, and the cashier removes more cash than the change requires or takes from the drawer at an unobserved moment. Deposit theft is a related variant: the employee responsible for preparing the daily bank deposit removes some or all of the cash before depositing, then alters the deposit slip or records a false entry to conceal the shortage.

Because cash larceny is an on-book crime, it always creates a reconciling difference. The accounts receivable or cash receipts journal shows an amount; the bank statement shows less. A competent bookkeeper or auditor doing a deposit reconciliation will find this gap. The perpetrator must therefore either alter records to cover the shortage or hope that reconciliation is not performed. In organisations with weak internal controls, reconciliation may happen infrequently or be performed by the same person who handles cash, allowing the gap to persist.

A surprise cash count is conducted without prior notice to the employee responsible for the cash. The auditor arrives at the location at an unannounced time, ideally at opening before any transactions have been processed, and counts all cash on hand: bills by denomination, coins, and any negotiable instruments such as cheques. The physical total is compared against the accounting balance at the same moment.

A single shortage is not conclusive. Shortages can result from arithmetic errors, incorrect change given, or timing differences in recording. The forensic auditor looks for a pattern: multiple counts over time showing consistent shortages, shortages concentrated on particular shifts or particular employees, or shortages that increase over time. A single large shortage on a day following several accurate counts is also meaningful, as it may represent a one-time theft of an accumulated amount.

Documentation of a surprise count must be contemporaneous and signed by the auditor and, where possible, by a witness. The auditor records the time of count, the denominations counted, the accounting balance at that time, the source of that balance, and the difference. Any explanation offered by the responsible employee is recorded verbatim. This documentation forms part of the evidentiary file if the matter proceeds to a legal or disciplinary process.

Modern point-of-sale systems generate a transaction log for each register: every sale, void, refund, no-sale drawer opening, and discount. At the end of a shift, the system produces a z-report showing the total receipts expected. The auditor counts the physical cash in the drawer and compares it to the z-report total, accounting for the opening float. A persistent shortage is the primary indicator. A surplus is also informative: it can indicate that the employee is accumulating cash for a later, larger theft.

Register reconciliation analysis goes beyond a single-shift count. The auditor analyses register data across a time series to identify patterns. Relevant patterns include: shortages occurring only on specific shifts, voids or no-sale openings clustered immediately before a shortage, refunds processed to cash on transactions that were originally card payments (a red flag for skimming disguised as a refund), and transaction volumes lower than expected during certain hours.

In large retail environments with many registers and many employees, data analytics tools are used to compare shortage rates by employee, time of day, and register location. An employee whose shortage rate is three standard deviations above the mean is a priority investigation target. This statistical approach is consistent with the data-analytics framework described in Evidence Gathering Methods in Fraud Examinations and is well established in retail loss-prevention practice globally.

The foundational control for cash is segregation of duties: the person who handles cash should not be the same person who records transactions or reconciles accounts. When one employee does all three, the opportunity to steal and conceal without detection is open. Small organisations frequently cannot achieve full segregation because of limited staffing, but partial segregation, such as having a manager review and sign off on the daily reconciliation, reduces risk materially.

Specific controls for cash receipt environments include: mandatory receipts for every transaction, pre-numbered receipt books with gap checks, locked point-of-sale systems requiring supervisor authorisation for voids and refunds, daily cash counts by someone other than the cashier, daily bank deposits with the deposit slip verified against the receipts journal, and physical surveillance over cash-handling areas. In jurisdictions with specific legal requirements for cash handling, such as India's Income Tax Act provisions on cash transactions above certain thresholds, compliance controls overlap with fraud controls.

The UK's Bribery Act 2010 and the US Foreign Corrupt Practices Act 1977 both require organisations with international operations to maintain adequate internal controls over financial records. While these statutes target bribery specifically, their internal-control requirements encompass cash handling. Australia's Corporations Act 2001 and equivalent statutes in other common-law jurisdictions impose similar obligations on directors to ensure adequate financial controls. Forensic auditors working cross-border should know which statutory framework governs the entity under review.

When cash-theft indicators are confirmed, the forensic auditor moves from detection to investigation. The first step is evidence preservation: securing register tapes, point-of-sale logs, deposit records, and bank statements before the subject has an opportunity to alter or destroy them. In many cases, this means obtaining the data directly from the system administrator or bank rather than through the employee who handles it day-to-day.

Quantifying the loss requires reconstructing what the receipts should have been. For skimming cases, this often means computing expected revenue from independent operational data: for a restaurant, covers times average spend; for a parking facility, vehicles logged times the posted rate; for a pharmacy, prescriptions dispensed times the applicable co-payment. The gap between expected revenue and recorded revenue, adjusted for known legitimate variances, is the estimated loss. This estimate becomes the foundation for the claim in civil recovery proceedings or for the prosecution's case.

Interviews are conducted after documentary evidence is secured, not before. Confronting a suspect before their records are preserved gives them the opportunity to destroy evidence. The interview sequence moves from peripheral witnesses first, then supervisors, then the subject. In the United Kingdom, a suspect interview in a criminal context is governed by the Police and Criminal Evidence Act 1984 (PACE) and must include a caution. In India, the Bharatiya Nagarik Suraksha Sanhita 2023 governs the admissibility of statements taken from suspects. In the United States, the Fifth Amendment right against self-incrimination shapes the approach to compelled interviews. Forensic auditors who are not law enforcement officers must understand the evidentiary limits of their own interview authority in each jurisdiction.

The final output of a cash-theft investigation is a written report that sets out the evidence, the methodology for loss quantification, and the findings. The report must be written to withstand cross-examination: every figure traced to a source document, every assumption disclosed, every limitation of the methodology stated. Standards for forensic audit reporting vary by jurisdiction. In civil proceedings in England and Wales, expert witness reports follow the requirements of Practice Direction 35. In Indian courts, the Bharatiya Sakshya Adhiniyam 2023 governs what constitutes admissible expert opinion. US federal courts apply Daubert standards for expert testimony.