Marketing is Not Exempt From Casino Fraud
Business development functions are not commonly known for fraudulent activity, but these typically low-risk areas should not be overlooked.
ROBERT W. RUDLOFF JR., CIA, CFE
VICE PRESIDENT OF INTERNAL AUDIT
Gaming industry fraud comes in all shapes and sizes, from theft in the cage and cashier areas to well-thought-out schemes designed to exploit weaknesses in established controls. Gaming auditors who are aware of industry-specific risks can help head off fraud by ensuring both preventive and detective controls are in place. Although marketing and business development functions are low risk-profile areas, they should not be overlooked.
PLAYER POINT FRAUD
During the past decade, most casinos have implemented a loyalty-based reward system. Similar in structure to a frequent-flyer program, casino players earn points based on their play volume. These points are traded in for complimentary services, such as meals, hotel stays, and merchandise. Like a frequent-flyer program, customer accounts may go dormant after a period of nonuse and earned points may be deemed abandoned by unscrupulous employees. Unlike frequent-flyer programs, customers generally don't receive account statements listing earned point activity and balances, so unauthorized activity on dormant accounts presents a significant opportunity for employee fraud if controls are not maintained.
Common account administrative tasks, such as account name changes, combining accounts, or making point adjustments, are part of any loyalty-based reward system, and data-file changes are not uncommon. Because the marketing function generally “owns” these accounts, it often controls the database that accumulates and tracks player points. To optimize customer service, many casinos empower their marketing employees with access authority to set up new accounts and perform maintenance on existing accounts. But when account controls are weak, an employee with authorized access can make unauthorized changes to players’ accounts for personal gain.
Frauds are often perpetrated when the opportunity exists, such as when an employee learns that a mistake was never caught or when the employee is aware of poorly designed control processes. Internal auditors need to validate the effectiveness of player loyalty account controls, both those performed manually and those performed within the system.
Name changes. At a player’s request, an administrator may change the name on an existing account, often due to a change in marital status. Generally, a driver’s license or photo identification is all that is necessary to validate the change. To perpetrate a fraud, an employee might change the name on a dormant account from its rightful owner to the name of a friend or family member. Some casinos make finding dormant accounts easy by generating reports listing accounts within set dormant parameters, while other employees target accounts with last activity dates more than a year old.
Combining accounts. Combining same-named accounts into a single account is not uncommon, and is often requested by customers who want to consolidate the points in two or more accounts. Players who forget their account card or account number may open a new account to continue play, or a husband and wife with separate accounts later may want the accounts combined. With fraudulent intent, an employee can create a new account for an accomplice — the friend or family member involved in the name change scam — for which a player card and number card is generated so the accomplice can begin using the account. The accomplice takes his or her newly issued account card to an unsuspecting marketing representative and requests an account combination with the same-named dormant account.
Point adjustments. On occasion, player accounts need adjusting because of slot machine or system malfunctions. Supervisor intervention is generally required. While the points accumulated in an active account are earned through play, account adjustments may be made to both active and dormant accounts. Supervisory authorization, independent of input authority, is required, with close attention paid to adjustments to dormant accounts.
In evaluating the control environment, preventive controls should include sound segregation of duties, in which changes to player accounts — name changes, account combinations, and point adjustments — are processed only upon written authorization by an authorized supervisor, and input by an employee who is independent of the approval process. Supporting documentation should be reviewed and maintained for all change requests.
Detective controls — on the back end — should also be in place. Internal auditors should ensure a system report is generated listing changes to player accounts — detailing from/to changes. The auditor should ensure a person independent of input reviews the report for unauthorized and inappropriate changes and validates each change against authorized documentation. Changes that should be researched and further validated include name changes or account combinations from different named accounts and changes that lack supporting documentation (e.g., customer identification). In addition, the internal auditor may consider generating a report listing accounts with no point activity for a certain period — a year or two — that have had administrative changes or point adjustments to the account. Appropriately placed access controls can make the difference between securing the system and leaving the door open to fraud.
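The back-end review described above can be run as a script over an export of the account-change report. This is an added example, not part of the original article; the record layout, field names, sample rows, and the 365-day dormancy threshold are all assumptions made for illustration.

```python
from datetime import date

DORMANT_DAYS = 365  # assumed threshold; the article suggests "a year or two"

# Constructed sample data: date of last point-earning play per account.
LAST_PLAY = {"A100": date(2006, 1, 15), "A200": date(2008, 5, 30), "A300": date(2008, 6, 2)}

# Constructed change-log rows in a hypothetical from/to report layout.
CHANGES = [
    {"id": 1, "account": "A100", "type": "NAME_CHANGE", "date": date(2008, 6, 1),
     "from": "J. Smith", "to": "R. Jones", "input_by": "emp17", "approved_by": "emp17", "doc": None},
    {"id": 2, "account": "A200", "type": "POINT_ADJUST", "date": date(2008, 6, 3),
     "from": "1200", "to": "1450", "input_by": "emp22", "approved_by": "sup04", "doc": "MALF-0031"},
    {"id": 3, "account": "A100", "type": "COMBINE", "date": date(2008, 6, 9),
     "from": "R. Jones", "to": "R. Jones", "input_by": "emp31", "approved_by": "sup04", "doc": "ID-7781"},
    {"id": 4, "account": "A300", "type": "COMBINE", "date": date(2008, 6, 10),
     "from": "M. Lee", "to": "T. Park", "input_by": "emp22", "approved_by": None, "doc": "ID-7790"},
]

def review_change(chg, last_play):
    """Return the exception flags an independent reviewer should research."""
    flags = []
    idle_days = (chg["date"] - last_play[chg["account"]]).days
    if idle_days >= DORMANT_DAYS:
        flags.append("DORMANT_ACCOUNT")          # admin activity with no recent play
    if not chg["approved_by"] or chg["approved_by"] == chg["input_by"]:
        flags.append("NO_INDEPENDENT_APPROVAL")  # segregation of duties not evidenced
    if not chg["doc"]:
        flags.append("NO_SUPPORTING_DOC")        # e.g., no customer identification on file
    if chg["type"] == "COMBINE" and chg["from"].casefold() != chg["to"].casefold():
        flags.append("DIFFERENT_NAMES_COMBINED")
    return flags

def exception_report(changes, last_play):
    """Map change id -> flags, omitting changes with nothing to research."""
    report = {c["id"]: review_change(c, last_play) for c in changes}
    return {cid: flags for cid, flags in report.items() if flags}

if __name__ == "__main__":
    for cid, flags in exception_report(CHANGES, LAST_PLAY).items():
        print(cid, ", ".join(flags))
```

Change 3 in the sample is a same-named combination that passes approval and documentation checks, and is surfaced only because the target account is dormant, which is the pattern the name-change and combination scheme relies on.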
Marketing and business development employees also have been guilty of using their positions to fraudulently use the company’s complimentary benefits (i.e., comps) for personal gain. Usual practice is for the customer to be present when comps are tendered, such as signing for a meal, checking into the hotel, or making a purchase in a retail store. The customer’s presence is part of the control over comp fraud or abuse. However, in a recent case of retail fraud, the customer was not present and a senior vice president of marketing was found to be the culprit.
To perpetrate the fraud, the marketing executive selected a leased retail store with pricey merchandise and picked out gifts for his “customer.” He signed the sales slips with his comp number — similar to an authorized signature — and the store billed the casino at the end of the month. Although company policy required customers to be present for all comp transactions, it was a challenge to enforce this policy on retail tenants, especially when an executive approved the policy override.
Several thousands of dollars later, the fraud was uncovered when the recipient of the merchandise — the executive’s girlfriend, who was unaware of the fraud — tried to exchange one of the items for a smaller size. The store manager became suspicious of the transaction, seeing that the store’s retail system flagged the item as a comp, and contacted the casino’s internal auditor to investigate. After a short examination, the pattern was obvious. The marketing executive had authorized 24 retail comps at various stores over several months, charging the goods to a player’s account even though the player was not at the casino at the time of the charge. Follow-up calls to the customer confirmed that he had never received complimentary merchandise from this executive. When confronted, the executive reluctantly confessed and both his job and gaming license were subsequently terminated. Greed, which emanated from his perception of his privileges of position, created the basis for fraud.
However, the root of the problem comes from two critical control failures. The retail store did not follow policy — which was also a condition of their lease — as the store cashiers were supposed to get the customer’s signature, not the employee’s signature, on the sales slip. The breakdown in the preventive control, resulting from the retail store’s failure to enforce the casino’s policy, allowed the executive to perpetrate the fraud. Furthermore, the detective control was not working as intended. The accounting department, which was responsible for reviewing all comp charges from the retail store, did not question the employee signature and comp number. Lack of consistently applied review procedures allowed the fraud to go undetected.
Too often, employees with control responsibilities don’t know the reasons behind policy requirements, so they are not conscientious about compliance. Had the retail clerks and the accounting department employees been aware of the risk and had their managers monitored compliance, the fraud could have been prevented or detected immediately.
Given the right set of circumstances, some employees will exploit weaknesses in the system for their own benefit. Internal auditors need to assess risk at all potential points of control failure. Most of the controls working most of the time simply is not good enough. Internal auditors need to remain diligent in their analysis of the control design, as well as review the adequacy of control implementation, considering questions such as: Are the right controls in the right places? Do the employees who are responsible for executing the controls understand the purpose of the controls? Are the controls consistently enforced? Only through diligent assessment of risk and execution of focused review and testing processes will internal auditors be in a position to detect fraud, or even better, prevent it before it occurs.
Robert W. Rudloff Jr., CIA, CFE, is vice president of internal audit for MGM MIRAGE in Las Vegas. He has more than 28 years of internal audit experience, 23 of which are in the gaming industry. Rudloff is a member of the Gaming Audit Group Committee.