Why Most Audits Don't Actually Find Anything

I've sat through a lot of audits over the years — conducted them, been present during them, inherited the results of ones that missed things they really shouldn't have. And the pattern I keep seeing is this: the audit was thorough on paper, covered every box on the standard form, and produced a clean score. Then three months later, someone found a significant issue that the audit had walked right past.

Usually it's not that the auditor was careless. It's that the audit was checking for compliance — was the safe locked, was the camera pointing the right direction, was the return policy posted — rather than looking for whether the actual processes behind those things were working as intended. A locked safe with an incorrect count inside it passes an audit. A camera pointing at the register doesn't matter if no one ever reviews the footage.

A good LP audit checks the systems behind the controls, not just whether the controls exist. That's the distinction this guide is built around.

What a Loss Prevention Audit Actually Is

A loss prevention audit is a structured, documented review of the processes, physical environment, and data that a business uses to protect its assets. It's not the same as an inventory count — though a count is usually part of it. And it's not the same as a financial audit, which focuses on books and statements. An LP audit is asking a more operational question: do the controls this business has in place actually work, and are they being followed consistently?

The areas a thorough LP audit covers tend to include: cash handling and register procedures, receiving and inventory processes, physical security, transaction data review, staff behavior and policy compliance, and vendor controls. In smaller businesses, one person can cover all of these in a few hours. In larger or multi-location operations, it's typically a structured program with regular schedules and documented scoring.

📌 The key distinction

An LP audit checks whether your controls are working. A compliance audit checks whether they exist. A financial audit checks your books. You need all three — but they're not the same exercise, and treating an LP audit like a compliance checklist is one of the most common reasons audits miss things.

The Audit Process: 7 Steps

A loss prevention audit isn't something you should improvise on the day. The value is in the structure — knowing what you're looking for before you get there, and having a way to compare results across time and locations. Here's the process that works.

01
Pull the Data Before You Walk In
Before visiting a location, pull the available data for that site: shrinkage rate and trend, exception reports (returns, voids, discounts by employee), cash discrepancy history, cycle count results, and any previous audit findings. This isn't about confirming what you already suspect — it's about knowing what to pay extra attention to when you arrive. A site with a high refund rate and an unexplained stock discrepancy in one category needs a different focus than a clean data set.
02
Don't Announce It — Or Announce It Strategically
Announced audits have their place: they're useful for training, for compliance reviews, and for making sure staff are aware of standards. But they don't catch behavior — because behavior changes when people know they're being watched. Unannounced audits are where you find out what's actually happening day to day. At a minimum, the timing should be variable enough that staff can't predict when an audit will happen based on past patterns.
03
Start Outside and Work In
Arrive early enough to observe the location before anyone inside knows you're there. Look at the exterior: lighting, access points, CCTV coverage of the entrance, signage. Then walk in as a customer would — what's the first thing you see? Is the entrance visible from the register? Are high-value items near the door? Your first five minutes should be observation, not conversation.
04
Work Through the Checklist Area by Area
Move systematically through the six audit areas covered in the checklist section below: cash and register, receiving and inventory, physical security, transaction data, policy compliance, and vendor controls. Don't jump between areas — covering one completely before moving to the next means fewer things get missed. Use your written checklist as you go, not from memory afterward.
05
Ask "Show Me" — Not "Do You"
When reviewing processes with staff or managers, the difference between "Do you reconcile the till at shift change?" and "Can you walk me through the last till reconciliation?" is enormous. The first gets a "yes." The second tells you how it actually works — or whether the records exist to show it happens at all. Ask for evidence, not assurances. This isn't accusatory; it's just how audits that find things are run differently from audits that don't.
06
Score, Document, and Flag Immediately
Record findings on the day, not from memory later. Photographs where appropriate. Flag items as Pass, Fail, or Requires Follow-Up — not just a final score. A location that scores 85% can have its critical failures hidden in the average. A cash reconciliation failure is more significant than a missing sign, regardless of what the total score says.
07
Debrief, Assign Actions, and Set a Follow-Up Date
An audit that produces a report nobody acts on is a wasted exercise. Before you leave — or within 48 hours if a full debrief isn't possible on the day — every failure should have an owner, an action, and a deadline. Follow-up isn't optional. Unresolved audit findings from six months ago that are still "in progress" tell a location that the audit process has no teeth.

The Loss Prevention Audit Checklist

This checklist is organized into six areas. Work through each one in order. Items marked with a red note are high-priority flags — findings here should be escalated immediately, not deferred to the next audit cycle.

💵

Area 1: Cash Handling & Register

12 items
  • Till is counted and reconciled at the start of every shift, with a signed recordAsk to see the reconciliation log for the last 7 days
  • Till is counted and reconciled at the end of every shift, not just end of dayAny discrepancy over threshold should trigger a manager review — check whether this is happening
  • Two people are present for till counts on opening and closing⚠️ Flag: Single-person cash handling is high risk — prioritize correction
  • Cash discrepancy log exists and is currentReview the last 30 days — look for a pattern of small, recurring shortfalls on specific shifts
  • Safe is secured at appropriate times and combination is known only to authorized staff
  • Safe combination has been changed in the last 6 months and when any staff with access has left⚠️ Flag: Default or unchanged combinations are a critical exposure
  • Bank deposits are made on schedule and recorded with receipts
  • Cash is not left in unlocked drawers or on countertops during non-trading hours
  • POS terminal is secured and requires individual login per cashier — no shared PIN
  • Each cashier's transaction data is trackable individually in the POS systemVerify by pulling a report — if all transactions show as one generic "cashier" login, the system needs reconfiguring
  • No-sale transactions are logged and require supervisor approval above a defined threshold
  • Voids, refunds, and discounts require manager approval above the defined threshold⚠️ Flag: Self-approved refunds are the most common pathway for cash theft — this must be enforced
📦

Area 2: Receiving & Inventory

11 items
  • Deliveries are physically counted against the purchase order before being signed forDon't just ask — ask them to show you the last three delivery records and the corresponding POs
  • The person who orders stock is not the same person who receives and signs for it⚠️ Flag: This separation of duties is fundamental — if one person controls both sides, all other receiving controls are weakened
  • Delivery discrepancies are documented and disputed with the supplier on the day of receipt
  • Stock is entered into the inventory system on the same day it's received
  • A full physical inventory count has been completed within the last 6 monthsAsk for the result and the shrink rate calculated from it — if they can't produce it, that's a finding
  • Cycle counts are being conducted on the highest-risk SKUs at least monthly
  • Damaged and expired items are logged at the time they're removed from sale — not during the count
  • Stock transfers between locations are documented with signed paperwork at both ends
  • In-transit stock is reconciled regularly — items logged as "in transit" for more than 2 weeks should be investigated
  • High-value or high-risk SKUs are stored in a secure area with restricted access
  • Stockroom access is limited to authorized staff only — access log or key sign-out is in place
📷

Area 3: Physical Security

10 items
  • CCTV cameras are operational and recording — test by reviewing live feed and confirming timestamp is correct
  • Camera coverage includes: register area, stockroom entrance, delivery area, and main floor⚠️ Flag: Any of these four areas without camera coverage is a priority gap
  • Footage is being actively reviewed at set intervals — not only when an incident is reported
  • Footage retention is at least 30 days (90 days recommended for high-risk locations)
  • No obvious blind spots on the main trading floor — walk the floor from a customer's perspective
  • High-value items are positioned near the register, not near the entrance or in blind-spot zones
  • All external entry points are secure when not in use — check rear and side doors specifically
  • Alarm system is functional and tested within the last 30 days — ask for test log
  • Staff entrance/exit is separate from customer entrance where possible
  • Lighting is adequate in all areas — both interior (floor, fitting rooms, stock area) and exterior (entrance, car park if applicable)
📊

Area 4: Transaction Data Review

10 items
  • Exception report for returns, voids, and discounts has been reviewed in the last 30 days⚠️ Flag: If this report has never been run, run it during the audit — this is where most employee-related theft patterns surface
  • Return volume per cashier has been compared across the team — any significant outliers investigated
  • Void transaction frequency is within expected range — pull 30 days of void data and check for patterns
  • Discount frequency is consistent with what's authorized — no single employee applying discounts at unusually high rates
  • Refunds without item present require specific manager approval and are tracked separately
  • Price overrides are logged, require approval, and reviewed monthly
  • Transaction data by shift is available and reviewed to identify patterns tied to specific staffing combinations
  • POS system flags are being actively monitored — not just available but actually being reviewed
  • Average transaction value by cashier is tracked and compared — significant differences from the team average are explained
  • End-of-day reports are reconciled and filed, not just printed and ignored
👥

Area 5: Policy Compliance & Staff

10 items
  • All staff have completed LP training within the last 12 months — ask to see training records
  • New staff receive LP process overview during onboarding, not just a policy document to signAsk the most recently hired staff member to describe the returns procedure — their answer reveals how effective onboarding actually is
  • Staff are aware of the anonymous reporting channel and how to use it⚠️ Flag: If staff don't know how to report concerns, the channel exists in name only
  • Bag check policy is in place and applied consistently — not selectively
  • Staff purchase discounts are applied through the correct process and documented
  • No staff member has access to both cash and the ability to self-approve their own returns or voids
  • Staff locker and personal storage is in a designated area, not the stockroom or near inventory
  • Uniform or dress code compliance makes it possible to identify who is staff vs customer at a glance
  • Previous audit action items have been completed — check the last audit report against current state
  • Manager is able to explain current shrinkage rate and what's driving it — or what's being investigated
🤝

Area 6: Vendor & Procurement Controls

8 items
  • Purchase orders are always raised before goods are received — no verbal orders without documentation
  • Invoice approval requires three-way matching: PO, delivery receipt, and invoice must agree before payment⚠️ Flag: Invoices approved without three-way matching create significant vendor fraud exposure
  • Vendor delivery accuracy is tracked over time — shortfalls are documented and disputed
  • No single employee controls vendor selection, ordering, and invoice approval for the same supplier
  • Competitive quotes have been obtained for major vendor relationships within the last 12 months
  • Vendor contact details are on file and verified — delivery personnel are cross-checked against known contacts
  • All vendor payments are processed through an approved accounts payable process — no cash payments to suppliers
  • Refund or credit notes from vendors are tracked and applied correctly against outstanding balances

How Often Should You Audit?

This depends on your business size, how many locations you have, and your current shrink rate — but here's a practical framework that works for most operations:

Business Type Recommended Schedule Announced vs Unannounced Who Conducts
Single small store Monthly self-audit by owner/manager N/A — owner doing it Owner or senior manager
Small chain (2–10 stores) Quarterly full audit per location + random spot checks monthly 50/50 mix Ops manager or LP lead
Mid-size chain (10–50 stores) Full audit every 6 weeks per location, spot checks biweekly Mostly unannounced Dedicated LP manager
High-risk location (any size) Monthly full audit, weekly spot checks on specific areas Unannounced LP manager + regional oversight

One thing I always recommend regardless of size: vary your timing. If your audits happen on the same day of the month, at the same time of day, staff figure it out quickly — and the audit only captures a prepared environment. Mix morning visits with afternoon ones. Audit a Tuesday the month after auditing a Thursday. Keep it genuinely unpredictable.

Best Practices That Separate a Useful Audit from a Wasted One

The checklist tells you what to check. The best practices tell you how to check in a way that actually finds things.

Test the system, don't just verify it exists

If a policy says the till is reconciled at every shift change, don't just read the policy — look at the reconciliation logs from the last 30 days. If the logs show it's being done five out of six shifts, that's a finding. A policy that's followed 80% of the time is only 80% protection.

Pay attention to what's not documented

Missing records are findings just as much as wrong records are. If someone can't produce a delivery receipt for a shipment that arrived two weeks ago, that's not a minor admin issue. That's a gap in the chain of custody for that stock.

Talk to floor staff, not just managers

A manager knows what the policy says. Staff know what actually happens on a Tuesday afternoon when the manager's on their break. Asking a cashier how they handle returns — not in an interrogation, just a casual "walk me through it" — often tells you more about real-world compliance than anything in the manager's office.

"The most useful thing an audit can produce isn't a score. It's a specific, actionable finding with an owner and a deadline. Everything else is just paperwork."

— PreventLoss.org

Score critical items separately from general compliance

Don't let a good overall score mask a critical failure. A location that scores 92% on an audit where one of the failures is "no manager approval required for refunds" is not a well-controlled location — the 92% is misleading. Flag-level findings should be tracked separately, with mandatory resolution timelines that are shorter than the next scheduled audit.

Follow up faster on serious findings

If an audit uncovers something serious — a cash discrepancy pattern, missing receiving records, a camera that hasn't been recording — the clock starts immediately, not at the next audit cycle. Serious findings need a follow-up verification within two weeks, not six.

Keep records long enough to see trends

A single audit score tells you where a location stands today. A year's worth of audit scores tells you whether it's improving, plateauing, or sliding — and whether your LP program is actually working. Archive audit results and review trends at least quarterly.

Frequently Asked Questions

A loss prevention audit is a structured review of a business's processes, physical environment, and data to identify gaps that create risk of theft, fraud, or financial loss. It covers cash handling, receiving, inventory controls, physical security, transaction data, and policy compliance — and checks whether the controls in place are actually working, not just whether they exist.
It depends on size and risk level, but a practical minimum is quarterly full audits per location with monthly spot checks on specific high-risk areas. High-risk locations or those with elevated shrinkage should be audited more frequently. Varying the timing is as important as the frequency — predictable audits are easy to prepare for.
For single-location businesses, the owner or a senior manager can run LP audits. For multi-location operations, it should be someone who doesn't directly manage the location being audited — a loss prevention manager, regional manager, or third-party auditor. Objectivity matters, and a manager auditing their own location tends to find what they expect rather than what's there.
A thorough LP audit checklist covers six main areas: cash handling and reconciliation, receiving and inventory verification, physical security (cameras, access, lighting), transaction data (returns, voids, discounts by employee), policy compliance and staff behavior, and vendor controls. The checklist in this article covers all six with 60+ specific items.