Casino fraud – prevention through internal audit

Casino fraud – prevention through internal audit

Robert W. Rudloff

Despite an internal auditor’s best intentions, some types of casino fraud, such as table game cheating, simply aren’t 100-percent preventable. However, with the potential for deception, abuse, and corruption extending far beyond gaming tables and slot machines, internal auditors can stack the deck in the organization’s favor.

When it comes to duplicity at gaming tables, the highly skilled and specially trained surveillance and security employees may be better equipped for fraud detection than internal auditors. To detect table game cheating, an observer needs both a detailed knowledge of game rules and highly specialized observational skills that help distinguish between normal and abnormal behaviors.

The internal auditor’s fraud detection capabilities, therefore, are best utilized in other areas of the casino. The potential for “loading the dice” and stealing from the company is even greater away from the tables and slot machines. Controls governing game play are quite detailed, and fraud detection training is extensive; but controls may not be as stringent in areas such as casino marketing, food and beverage operations, hotel operations, and financial and operations accounting. These functions may offer the best opportunities for internal auditors who want to use their skills to fight casino fraud.

One of the most fraud-ridden areas of the casino is its promotions and marketing program. Casinos spend significant sums to lure customers into their facilities. Coupons for two-for-one meals in the restaurants, discounted hotel room rates, and match play at the casino’s tables are often mailed to prospective customers or offered in the newspapers. First-time customers may receive special bonuses for opening an account. These and many more programs are in place every day, and they are fraught with pitfalls that most marketing people never seem to see.

During my 18 years as an internal auditor for major gaming companies, I participated in as many as five fraud investigations each year, many of them involving our marketing and promotions programs. These frauds, some of which are discussed here, were of varying complexity and involved a multitude of participants, including current and prospective employees, managers, executives, vendors, suppliers, and customers. Some fraud perpetrators worked alone, while others teamed together to beat our systems of internal control. Some schemes were elaborate, yet others simply relied on exploiting a weakness in the internal control environment. Hopefully, the lessons from my experiences will provide insights into the types of marketing and promotion frauds that occur and will shed light on steps internal auditors can take to detect and prevent such crimes.


Casinos rely heavily on complimentary services, or “comps,” to attract and retain their best customers. Gaming customers earn comp credits the same way that American shoppers earned Green Stamps many years ago. The more customers play, the more credits they earn. Credits can be redeemed for gifts, complimentary goods and services, and sometimes cash.

Casinos use a variety of methods to award credits; but the most common method is based on theoretical win, which is the amount the casino expects to win from a particular customer. It is calculated using four factors:

* The theoretical house advantage of the game. Roulette, for example, has a 5.26 percent house advantage.

* The number of expected hands or spins per hour.

* The gambler’s average bet.

* The length of time the gambler plays.

The latter two factors, which make up the “player rating,” are monitored, recorded by a casino supervisor on a player rating card, and entered into a computer tracking system. When multiplied together, these four factors produce the theoretical win for the casino. Comps are then granted based on a percentage of the theoretical win. For example, if a player’s theoretical win is calculated at $100 and the comp rate is 40 percent, then the player will receive complimentary services valued at $40.

Prevention or detection of complimentary abuse provides internal auditors with one of the single largest opportunities to save costs through fraud prevention. Casinos primarily rely on the integrity of many different employees to ensure that complimentary services are issued correctly. Nonetheless, complimentary abuses abound.


One of the most common areas of comp abuse involves player ratings. A casino supervisor can miscalculate the theoretical win by overstating a customer’s length of play or average bet.

Since an overstated theoretical win will inflate the value and number of comps to be awarded, players may offer cash gratuities to entice casino supervisors into embellishing their rated play. Or, the supervisor may just want to “take care of” a good customer. Casino supervisors can also be persuaded by coworkers to overstate rated play, since certain marketing employees often receive commissions based on the amount of theoretical win their customers produce.

Internal auditors can help management design automated and manual controls to prevent or detect inflated ratings and theoretical win. For example, players frequently change tables during play and open a new rating card at each table. Embedded audit routines can be designed into computer systems to prevent overlapping times from being entered – a method commonly used to overstate play.

Procedures also can be designed that require all cards to be input immediately at the conclusion of play. A supporting “manual” policy would require a pit boss to examine all open rating cards every few hours and match them to the actual players sitting at the table, decreasing the opportunity for supervisors to inflate the play time.

Occasional observations of gaming activity can also be employed to detect overstated ratings. For example, during my tenure as casino audit director, I would often send a team of internal auditors into the surveillance department to observe and record player rating activity. The auditors’ player ratings would later be compared to the play recorded by the casino supervisor. On many occasions we detected either time or average bet information that was overstated.

Many gamblers use special account rating cards from their favorite casinos. Since these cards are similar to credit cards, card readers can be installed in the gaming pits to log the player’s start and stop times, automatically eliminating the need to record the information manually. Such player cards are often used to record slot machine play. Players insert the card into a card reader at the slot machine, and the more they play the more credits they earn.

Such cards present a different set of comp exposures, however. For example, customers can ask for duplicate player cards, claiming the first card was lost; or they can attempt to redeem account credits without providing proper identification. Employees can transfer credits from dormant accounts to accounts of family or friends; steal credits and redeem them for cash vouchers for themselves; or change the balance of credits in an account. Finally, transactions can be voided without leaving a trail.

All of these situations – and more – occurred at casinos where I worked. Controls were well-designed in theory, but they were either overlooked, ignored, or simply didn’t work.

For example, while some customers really did lose their cards, the computer at one casino did not prevent anyone from using more than one card at a time. Some people found others’ cards, inquired about the balances, then emptied the accounts for anything they could get. Employees properly requested identification, but sometimes relented – without first contacting a supervisor – and completed the transactions without seeing proper identification.

As with player ratings, controls can be strengthened to prevent card fraud. Simple audit routines can prevent multiple cards from being used at the same time. In addition, employees should not be allowed to change information on customer accounts. Rather, changes should be recorded and forwarded to others to approve and enter into the system. This is particularly important if the casino uses customer identification information for other purposes, such as casino currency transaction reporting. Finally, employees should never be able to void a transaction without the assistance of a supervisor.


Restaurants are often the site of weak controls and rampant comp abuse. One common scam involves food servers switching low-dollar comp sale tickets with higher-dollar cash tickets. For example, a customer might possess a coupon valued at $100, yet spend only $50. If another customer later pays a $100 check with cash, the server will attach the $100 coupon to that dinner check, use the cash to cover the $50 bill of the previous customer who paid with the $100 coupon, and then pocket the $50 remaining in cash.

To uncover this scam, our audit team would visit the restaurant, order a minimum amount of food, then pay with a high-dollar value comp. On the following day, the auditors would look for their guest check in the restaurant’s records to find how much was charged to the comp. In just one weeklong investigation, we discovered three comp thieves. Each was interrogated and arrested; and, in the months that followed, the percentage of sales attributable to complimentaries decreased measurably.

Simple controls can be put in place to minimize opportunities for comp switching in restaurants:

* Comp slips should be prenumbered. The comp number should be written on the guest check, and the check number written on the comp slip. Better yet, the comp slip should be printed on a form with an adhesive backing that can be attached to the guest check.

* Guests should be asked to sign both the comp slip and guest check as soon as they are seated.

* Since servers need time to switch comps, the restaurant manager should print an open check report periodically, and follow up on any checks open for more than an hour.

Complimentary programs must be designed with strict controls to protect both the customer and the casino. To ensure success, such control systems must be consistently followed and monitored by supervisory employees.


With their heightened level of promotional activity, casinos are particularly susceptible to event or promotion fraud by external and internal perpetrators. In one case I investigated, fraud perpetrators turned the casino’s effort to build new business into a customer relations nightmare and a potential boon to its competitors.

The casino sponsored a legitimate sweepstakes drawing in an effort to attract new customers. One lucky winner, the sweepstakes promo promised, would receive a valuable grand prize. Hundreds of potential customers entered the contest.

Unfortunately, once the names were keyed into the computer database, the entry forms were haphazardly discarded and fell into the wrong hands. Fraud perpetrators entered the names of the entrants into their own database and sent letters to hundreds of potential customers, notifying them that they all had won the grand prize in the sweepstakes contest. The letters were prepared on casino letterhead and were “signed” by the company president.

The potential loss represented by the scam was significant. First, the listing of potential new customers could have fallen into a competitor’s hands, who would have benefited greatly at our casino’s expense.

Secondly, and perhaps most importantly, such scams cause customers to question the legitimacy and integrity of the casino. When the gamblers who received the bogus award letters learned that the fraud perpetrators had acquired their names because their entry forms had been discarded, they lost faith in the casino itself. Many decided that they had never actually been entered into the contest and that the sweepstakes was a scam from the beginning. Simple controls, such as securing sweepstakes entries every day, effectively controlling data entry, and shredding entry tickets, could have saved the company significant embarrassment.


Casinos often employ a field sales force to persuade both new and established customers to visit their casino. Some sales force members are direct employees of the casino, but most are commissioned agents who are compensated based on the amount of casino play they generate. Often, they also have broad comping authority for their customers.

Again, the level of agent activity and the corresponding incentives make field agent fraud quite common. In one case, a casino executive was extorting payments from commissioned field representatives from South America. The executive opened U.S. bank accounts in the names of the South American agents. He personally picked up the agents’ checks, forged the agents’ signatures, and deposited the checks into their U.S. accounts. The executive then initiated a wire transfer, moving half the commission to his own account and the other half to the agents’ accounts in South America.

Fearful of losing the opportunity to conduct business with the casino, the South American agents never formally complained. Nonetheless, news of the scam circulated around the marketing network and eventually made its way to internal auditing.

With the assistance of a translator, our internal auditors acquired verbal statements from the South American agents. We then followed up with reviews of available documents, including accounts payable records and cancelled checks. The fraud was confirmed, and the executive was arrested. From that point forward, checks were mailed to the payee by the accounts payable department, instead of being given to those requesting the check or approving the disbursement.

In another scheme, a field agent “sold” tour packages that included casino lodging and transportation. Although the agent collected payment from the customer, he never remitted any portion of it to the casino. Instead, the agent listed his buyers as “preferred” casino customers who should receive all transportation and accommodations on a complimentary basis.

The fraud unraveled only when a customer requested a refund from the casino for a trip she had to cancel. As part of the investigation, some of our auditors posed as cash-paying customers and purchased the agent’s tour package. When they later found their names on the listing of guests to be “comped,” they had all the proof they needed, and the fraud came to a close.

Again, the simplest of controls could have ended the fraud soon after its start. Although a large number of the agent’s preferred customers failed to gamble in the casino, he was never questioned. The casino should have queried every comped customer who did not play in the casino – or who played, but not at a level worthy of the complimentaries received.


Like other businesses, casinos protect themselves against fraud through a sound system of internal controls. Unfortunately, no system is foolproof. Those who want to get around the controls will seek out every opportunity, particularly those that offer the least chance of detection.

While the types of frauds our audit team encountered were well concealed, internal auditors do not need the eagle-eyed training of surveillance employees or a state-of-the-art closed circuit TV system to tip the odds of discovery in their favor. Internal auditors do require, however, a thorough understanding of gaming and nongaming internal controls; an awareness of the indicators of fraud in the casino business; a level of skepticism that rejects overly simplistic or unusually complex answers to important business problems; and an understanding of the process of a fraud investigation in a highly regulated environment and the related obligation to report the existence of fraud to regulatory authorities.

It’s also important to work closely with management, creating a climate where internal auditing is the first place an executive, manager, or employee feels comfortable reporting suspected fraud. In addition, talking to other gaming internal auditors, particularly through industry groups such as the IIA’s new gaming internal audit section, is essential for staying one step ahead of fraud perpetrators.

As internal auditors, we need to work to our strengths, and allow those who are more qualified than we to do the rest. We want to be infallible, and admitting to our own weaknesses can be difficult. But the internal auditor who can focus on what he or she can realistically accomplish will have the greater opportunity to contribute significantly to a strong, casino-wide control and fraud prevention and detection program.

RELATED ARTICLE: Fraud in Restaurant Operations

Not all casino frauds are related to marketing efforts. Some result from typical operational weaknesses. For example, while comp abuse is common in restaurants, the operations side of the business presents many additional opportunities for fraud.

Food products can be ordered and served without being recorded on a guest check. Guest checks can be reused when similar orders are placed, and the cash proceeds misdirected. Legitimate orders can be voided after the food is served. In a buffet restaurant, customers can be seated without the sale being recorded.

To prevent such scams, internal auditors should dine in the casino’s restaurants to evaluate the quality of the service and the related controls, remaining alert to potential weaknesses. How are guests greeted and seated? How are guest checks controlled? How are customers’ orders recorded? How does the food server coordinate the order with the kitchen staff? How are alcoholic beverages, particularly wines, controlled? Who handles the check at the end of the meal? All of these issues represent potential weaknesses that could expose the casino to losses.

While controls may appear to be sound in theory, they may not work well in practice. Internal auditing can provide significant assistance by evaluating the controls, not just as they should exist, but as they actually exist in the operating environment. Wherever practical, the number of opportunities for abuse should be reduced. In financial areas, duties are usually well-segregated. But this is not necessarily the case in operations. Food servers often control guest checks, customer orders, food delivery, and customer payment.

Many strategies exist for strengthening the operational control environment:

* Guest checks should be controlled by a restaurant manager or hostess and individually assigned to a server when the guest is seated. The number in the party and the payment type, whether it is room charge, cash, or complimentary, should be recorded immediately.

* Coupons or comp slips should be immediately attached to the check and cross-referenced with the check.

* Food and beverage orders should be entered on the check electronically, with a duplicate order going directly to the kitchen. Orders should be prepared based solely on the information entered through the computer.

* Some restaurants use “red liners,” employees who check to see that all food removed from the kitchen is first recorded on a guest check. This could be an expensive control; but it is very effective, particularly in restaurants with a history of control problems.

* Finally, cashiers should be periodically rotated among the casino’s restaurants. Too often, as the cashiers become friendly with the servers, they become more lax and allow “small matters” to slide. These small matters can quickly become big matters. Periodic rotation of cashiering duties reduces such opportunities.

ROBERT W. RUDLOFF, CIA, is Director of Internal Audit Services for PricewaterhouseCoopers in Las Vegas, Nevada. You may reach him via e-mail at

COPYRIGHT 1999 Institute of Internal Auditors, Inc.

COPYRIGHT 2004 Gale Group