Who’s Minding the Store? Managing Retail Risk From the Inside Out



After decades of dire predictions for the future of retail stores, the disruptive innovation of e-commerce has only managed to carve off a little more than 7 percent from sales at brick-and-mortar outlets.[1] The surprising resilience of bricks versus clicks extends across gender and age ranges and applies to most retail categories.


Shopping isn’t just a transaction; it’s an experience. Consumers like to shop, and they want to be able to do it on their terms. Sometimes that means browsing online at work, or at home. And sometimes they want to touch the merchandise. Pundits call this “any way I want it, when I want it” reality “omni-channel.”

Retailers, who have spent the past decade investing in user-friendly online platforms, are now looking for ways to extend that hyper-personalized experience to their bricks-and-mortar stores. It’s a complex challenge, with execution risks ranging from training customer service personnel to implementing IT to upgrading payment systems.

Consistency is key, not only across platforms, but also from store to store. This increases the need for internal controls and governance to ensure that store-level priorities, controls and procedures comply with organizational and regulatory standards and are aligned with corporate goals and objectives.

Store-level controls are important, not only for governing the guest experience, but also for more traditional reasons, such as inventory loss control and regulatory compliance. Internal inventory control audits differ from traditional loss prevention audits, which are conducted by external auditors and tend to focus on theft. Internal inventory control audits are more procedurally focused to address losses due to improper inventory control and inventory handling errors.

A majority of publicly traded retailers perform store audits to verify store-level internal controls, as required by the Sarbanes-Oxley Act.[2] An optimized store audit, however, can be expanded to identify operational improvements that can add shareholder value.

Mismanaging store-level risks can be costly. On the other hand, auditing every store, every year, is impractical from a cost perspective. A typical large retailer audits only a small fraction of its stores in a year, which raises the need for some kind of interim control.

Store-level control self-assessments (CSAs) can bridge the gap, but credibility is key, so validation is critical. We recommend a two-tiered approach combining annual self-assessments for all stores, with rotating audits and data analytics to benchmark and validate store-generated reports.

How a two-tiered approach works

Traditional audits

A typical store audit involves an internal auditor from corporate headquarters traveling to store locations (often over great distances) and conducting a battery of tests according to a formal work plan that includes conducting interviews and collecting operational and observational data.

Store self-audits

Also known as CSAs, self-audits provide a structured means for stores to evaluate their own operations, then submit the results to corporate headquarters where they are analyzed for anomalies.


Although self-assessments alone are not a complete or effective store-level audit program, they do serve as a benchmarking tool and help to identify stores that may warrant heightened scrutiny. Advances in data analytics are making it more difficult for individual store managers to “game” the system. And the very exercise of putting store managers through the self-assessment process raises risk awareness and fosters a culture of governance and control.

Challenges and concerns

Store self-assessment works best in a high-trust environment. It may not be as effective in times of crisis or high turnover, or in a culture that doesn’t support and value communication and openness.

Getting started

As with any audit process, the first step is to determine the scope. A good place to start is with the annual risk assessment. Prioritize the objectives, risks and controls the organization wants to address at the store level. These should be consistent with the organization’s overall objectives.

Areas within the scope of store self-assessments typically include cash handling, inventory management, security, regulatory issues, human resources (HR), and compliance with company policies and procedures, as well as other special considerations, such as perishables, pharmacy and lottery.

Once the scope has been determined, it is important to establish a system to validate store manager responses, remediate problem areas, and address inconsistencies between reported results and audited or observed performance. Noncompliance with established policies and procedures also should be addressed. Internal audit and district managers are typically responsible for validation and follow-up.

Self-assessment results should be compiled by personnel other than those responsible for completing the assessments and reported up to executive management for analysis and corrective action, as needed. Data analytics tools can be used to help validate quantitative results by benchmarking against self-reported data from other stores and audited results.

Qualitative information and recommendations should be included to facilitate upward communication and store-level feedback on inconsistencies between policies and practices. Not all breakdowns occur at the store level. For example, store managers might discover through the self-assessment process that certain HR policies are not being properly communicated down to the store level.

Questions to ask before establishing a CSA program

  • Is the audit committee satisfied with store-level internal controls, and will those controls still be effective as the company grows?
  • Does the proposed self-assessment process provide for reporting on the effects of process and system changes on store-level controls?
  • How, specifically, will management establish and maintain a “tone at the top” that supports and encourages store self-assessment?
  • Who will own the store-level control self-assessment: internal audit, loss prevention or store operations?
  • How will the initial audit content be developed, and what departments need to be involved?
  • How frequently will assessments be conducted?
  • Who will monitor remediation?
  • What are the follow-up procedures?
  • Is there overlap between the store self-assessment and testing requirements for Sarbanes-Oxley Section 404? If not, how could these separate processes be integrated or aligned?


With regulatory pressures mounting, we think the time has come for retailers to give serious consideration to store-level CSAs. Carefully designed, with proper oversight and validation, these bottom-up checkups not only can help build a healthy compliance culture, but also provide a vehicle for verifying that corporate policies are being applied and are effective in the field.

[1] U.S. Census Bureau, Q4 2015 E-Commerce Report.
[2] Creating Value From Your Compliance Efforts: Retail Sarbanes-Oxley Optimization Survey Results, 2007, Protiviti.


Rick Childs
Managing Director