There is a great article in the USA today on how criminals target hotels and steal their guest’s credit card info.  You can read the entire article on the USA Today website by clicking here. 

The article says that hotels are considered hacker’s number one target and mentions how Wyndham was breached 3 times in the last 12 months. 

Our favorite post from the comment section:  Ladies Man writes “A bigger and far more serious crime is coming down to breakfast and discovering it consists of bagels, honey buns, and those weird chewy off-brand fruit bars. If my credit card info must be stolen, I’d rather find out after I’ve had a large and proper breakfast.”

Internal Control:  Positioning a Point of Sale (POS) Terminal

Goal:  Allow guests to see transactions as they are rung to prevent internal theft

The key to proper placement of a point of sale terminal is visibility.  You want to set up your terminal so that customers can see every transaction as it is rung up.  Many POS systems do a great job of displaying the transaction total in large numbers on the screen or display ‘no sale’ when the cashier hits the no sale key.  It makes it very easy to have a manager or supervisor monitor the transactions from accross the restaurant.  If your terminal is in a position below a counter, add a display arm or ‘goose neck’ to your POS.

The Wall Street Journal posted a great article on the rise of employee theft as a result of the recession.  You can read the entire article on MSN’s Money page here.  The article reports that ‘New research shows that employers are seeing an increase in internal crimes, ranging from fictitious sales transactions and illegal kickbacks to the theft of office equipment and retail products meant for sale to customers.’  The article also mentions that ‘To many employers’ chagrin, the workers guilty of the most grandiose theft frequently turn out to be those deemed to be highly trustworthy’.   

We have seen a dramatic increase in internal theft while in the field and expect to see a continued increase in 2009, especially in employees who rely on tips for a large part of their salary.  Many hotels have been forced to dramatically reduce the number of hours as occupancy declines and many of the hotel restaurants have slowed down.  Many employees are now really struggling to make what they made in the past and most cannot afford to take a pay cut and still pay their monthly expenses.     (more…)

It is a common question, how often should your hotel have an internal audit done?  The answer:  well, it depends.  Here is why:

First, how often do most hotels actually conduct an internal audit?  Most hotels will say they are audited once per year.  However, most hotels have the goal of being audited once per year.  In reality, they are audited only every 2 or 3 years in most cases.

Having a goal of once per year is a good start.  But we recommend that you set your goal based on the results of the last audit.  If the hotel scored 90 percent or better on the last audit, conducting one audit per year is fine.  However, if the hotel scored less than 90 percent, we recommend that the hotel creates a 90 day action plan to improve their results and then the hotel is audited again after 90 days.

We understand the expense of conducting an audit, however, the amount of money that could be lost by a hotel with improper controls could easily be far more than the cost of an audit.

A few additional audit tips:

First, the audits should always be completely unannounced.  We usually recommend that the Controller and other key managers who are needed for the audit submit a schedule of any vacation days so the auditor does not show up during their vacation.

Second, the follow up on the audit is just as important as the audit itself.  Many hotels will score poorly year after year.  Passing the internal audit should be on every Controller’s list of goals and yearly review.

Conducting random audits of your cashier banks is one of the most important actions you can perform to keep theft out of a hotel.  Even though it is so pertinent, almost no hotels actually conduct the random bank audits as part of their normal operations routines. 

Why is conducting a random bank audit so important?  If you have an employee who is stealing cash during their shift, they need a place to store the cash they are going to steal.  They typically store the cash in the drawer and then pocket it at the end of their shift when they are closing out their paperwork.  This often applies to guest service agents, bartenders, gift shop cashiers, and coffee shop baristas.  A good program of random bank audits can be one of the most important tools to help you keep theft out. 

(more…)

Credit card chargebacks probably cost your hotel thousands and thousands of dollars each year. With changing privacy policies, hotels are finding it harder and harder to protect themselves against chargebacks. In the old days, guests would check in, present a credit card and an ID. The guest service agent would imprint the credit card on the back of a registration card and have the guest sign. Now, check ins are often paperless and many hotel chains such as Marriott do not allow hotels to imprint credit cards.

Here are some suggestions to protect your money:

1. Make sure every credit card presented at the front desk is swiped. Have accounting periodically run reports from the PMS and audit to make sure that all cards are swiped. Conduct further training with the front desk on the importance of swiping every card. Swiping the cards will also save you money on your transaction fees. We will get to third party credit card authorization forms in a section below.
2. Set a credit limit for in house guests of one to two thousand dollars. Post a payment every time their account gets to that level and deliver a copy of the folio to their room. Then make sure that a new authorization is taken after each payment is posted.
3. Monitor guests for unusual purchasing. Guests staying on stolen credit cards are usually the guest who go wild with room service, in-room movies, telephone, etc.
4. Make sure the front desk gets a current address and phone number from every guest, especially walk in guests. This is one area that is most neglected, especially when the front desk is busy. Also, in many counties in the US, it is the law.

What to do when a credit card is not present:

1. Have a strict policy on the use of third party credit card authorization forms. Have all requests processed through the accounting department rather than the front desk.
2. Make sure that your authorization form requires the cardholder to fill in their name, credit card billing address, and signature.
3. Require the cardholder to fax over a copy of the card and their photo ID if possible. However, many hotel chains no longer allow this. If you cannot do this, use step 4 below.
4. Use an ‘Address Verification System’ to verify every authorization form received. Most major credit card processors such as Chase have an automated system available and it takes just a minute or two. Do not accept a credit card if you can not verify the billing address.
5. Require a payment in advance or a deposit when using a credit card authorization form. This is especially important if you accept an authorization form for large amounts like a group block, meeting room, or catering function.

As privacy policies continue to become more strict, it will be difficult to prevent chargebacks unless you stay on top of the tools you have on your side. Of course, we will continue to keep you updated in any way we can.

We have all heard stories of hotels that have had accounting employees commit serious fraud. Maybe it has happened at your hotel. Maybe it is happening at your hotel right now and you don’t know it. Even if you have a perfect record, it is always a good idea to review your internal controls and prevent fraud from happening.

There are some simple controls that every hotel should have, yet many hotels fail in these areas when internal audit comes around. Here are some highlights:

1. Make sure that the General Cashier does not perform any accounts payable or accounts receivable functions. This is especially tough in small hotels that may only have one employee in their accounting office. In a small hotel, we recommend having the Sales Admin or Front Desk Manager be the General Cashier… anyone who does not do A/P or A/R. If a General Cashier has access to A/P or A/R, it makes it incredibly easy to steal cash.

2. Require the General Cashier to take a vacation each year and have their job functions assumed by another associate. Quite often, a cashier will not want someone else to handle their job duties or to take a vacation at all. This is often a red flag that the cashier is committing fraud and afraid of someone looking closely at his/her work.

3. Make sure that every bank in the hotel (including the main safe) is audited on a surprise basis at least once per month. This one is the most basic of basic controls yet many hotels do not do this. They typically find out of a cash shortage when an employee with a bank is terminated. This is especially important when it comes to the main safe. If it is not audited frequently on a surprise basis, it makes it so much easier for the cashier to steal or borrow money.

4. The drop safe should require two people to open. We like the drop safes that need a key and a combination. The combination should be kept by the General Cashier and the key should be kept by a separate person.

5. All deposits should be removed with a witness present and immediately logged. The deposits should be logged with a witnessed in case an envelope is missing.

6. Bank deposits should be made every day via armored car service. Do not allow your General Cashier to skip days and keep cash on hand. This makes it easier to commit fraud. Also, make sure that your deposit is picked up by armored car and not taken to the bank by the General Cashier.

7. Accounts Payable or Accounts Receivable employees should never handle cash or checks. Do not allow the A/P employee to receive checks in the mail. The checks should be received and logged by someone other than the General Cashier or A/R employee. We prefer an Administrative Assistant to handle this or have the checks sent directly to your bank lock box. Also, the A/P or A/R employee should not handle cash, including petty cash.

Again, these are just the basics of control. There is more information available in the HFTP Study Guide for the CHAE Exam. More information is available at http://www.hftp.org/ or your local HFTP Chapter.

If you would like an Internal Audit performed by Five Diamond Hospitality, please call or email us by clicking on contact us.