Retail & POS · April 9, 2026 · 9 min read

POS audit trail: stop voids, refunds, drawer leaks

Industry data on retail shrinkage hovers around 1-3% of sales. For a $10 million chain that is $100,000-300,000 per year disappearing through voids, refunds, and drawer pulls. Most of it is invisible without an audit trail. Most of it is preventable with one.

The three leakage vectors.

Voids: a transaction is rung and then voided before payment. The cashier pockets the cash. Refunds: a transaction is processed and then refunded later. The cashier or accomplice receives the refund. Drawer pulls: the cashier removes cash mid-shift without recording the pull. All three look normal in summary reports.

Each vector has a different signature in the data. Voids cluster on cashier ID. Refund abuse clusters on payment method (refund-to-card). Drawer pull leakage shows up as variance with no recorded pulls. An audit trail that captures all three is the prerequisite for catching any of them.

Voids: ring → cash → void → pocket. Refunds: fake refund → own card. Drawer pulls: unrecorded cash-out.
Three attack vectors, three signatures in the data. Each visible only if you log every state change.

What an audit trail should record.

Every transaction state change: created, modified, voided, refunded, paid. Every override: discount, price, manager PIN. Every drawer event: open, pull, drop, close. Every login and logout. Every report generation (so you know who ran the audit). All immutable, all timestamped, all attributed to a user.

The trail is not just a log. It is a queryable audit feed. Asking "show me every void over $100 in the last 30 days by cashier" should be a 30-second query, not a 4-hour database export. If your POS does not support the query, you do not really have an audit trail.

  • Transaction lifecycle: create, modify, void, refund
  • Override events: discount, price, manager PIN approval
  • Drawer events: open, cash-in, cash-out, close
  • Authentication: login, logout, PIN entry, failed attempts
  • Report access: who ran what when
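A sketch of the queryable, immutable feed described above, added here as an example and not taken from any particular POS product. The table, column and event names are assumptions, and the sample events are constructed. SQLite triggers reject edits and deletes, and the "voids over $100 in the last 30 days by cashier" question becomes one query.

```python
import sqlite3

# Assumed schema for illustration; table, column and event names are hypothetical.
SCHEMA = """
CREATE TABLE audit_event (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    ts           TEXT NOT NULL,     -- ISO 8601 UTC, sorts chronologically as text
    user_id      TEXT NOT NULL,     -- every event is attributed to a user
    event_type   TEXT NOT NULL,     -- txn_void, txn_refund, drawer_cash_out, ...
    txn_id       TEXT,
    amount_cents INTEGER
);
-- Append-only: any UPDATE or DELETE is rejected at the database layer.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_event
BEGIN SELECT RAISE(ABORT, 'audit_event is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_event
BEGIN SELECT RAISE(ABORT, 'audit_event is append-only'); END;
"""

# Constructed sample events: (ts, user_id, event_type, txn_id, amount_cents).
SAMPLE = [
    ("2026-03-12T14:02:11Z", "c17", "txn_void", "T-2001", 12000),
    ("2026-03-20T18:40:03Z", "c17", "txn_void", "T-2044", 15000),
    ("2026-03-21T10:15:47Z", "c04", "txn_void", "T-2051", 11000),
    ("2026-03-22T11:30:00Z", "c04", "txn_void", "T-2060", 4000),    # under $100
    ("2026-02-01T09:00:00Z", "c09", "txn_void", "T-1800", 20000),   # outside window
    ("2026-03-25T16:00:00Z", "c04", "drawer_cash_out", None, 30000),
]

def open_store(events=SAMPLE):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO audit_event (ts, user_id, event_type, txn_id, "
                   "amount_cents) VALUES (?, ?, ?, ?, ?)", events)
    return db

def large_voids(db, since_ts, over_cents):
    """Per-cashier count and total of voids over a threshold since a timestamp."""
    return db.execute(
        "SELECT user_id, COUNT(*), SUM(amount_cents) FROM audit_event "
        "WHERE event_type = 'txn_void' AND amount_cents > ? AND ts >= ? "
        "GROUP BY user_id ORDER BY SUM(amount_cents) DESC",
        (over_cents, since_ts)).fetchall()

def tamper_rejected(db, sql):
    """True if the store refuses the given UPDATE/DELETE statement."""
    try:
        db.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False
```

Triggers stop edits made through the application; an account with schema privileges can still drop them, so database permissions need to be restricted as well.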

The void problem.

A cashier rings a customer's $120 purchase. The customer hands over $120 cash. The cashier voids the transaction (no payment recorded), pockets the $120, and gives the customer the goods. The customer leaves happy. The drawer balances because nothing was recorded. The owner notices a missing $120 only at month-end inventory count.

Defense: voids require a manager PIN, voids of completed-but-unpaid transactions are flagged for review, voids over $50 trigger an immediate alert, daily void report goes to the manager. Each layer makes the attack harder. Multiple layers make it impractical.

The refund-to-card scheme.

A cashier processes a fake refund to their personal card after closing time. The drawer balanced earlier (cash was correct). The card refund hits the cashier's personal account. No customer ever existed. The accountant sees a refund line in the next day's report and assumes a real customer.

Defense: refunds to card require the original transaction to be present, the last 4 digits of the card to match the original sale, and a manager PIN. Refunds after closing time are blocked. A weekly "refunds without matching original sale" report goes to the owner. This vector closes when those rules exist and are enforced.

The drawer-pull omission.

The cashier needs to pull cash to the safe (cash-out) at 4pm. Instead of entering the pull in the POS, they pull a slightly higher amount, walk to the safe, deposit the correct amount, and pocket the difference. The drawer is short by the difference at end of shift, but the variance falls under the alert threshold.

Defense: every cash event (in or out) must be entered in the POS in the moment, not later. Variance under $2 still gets logged, and a cumulative report flags any cashier whose under-threshold variance trends consistently negative. $1 short three times a week is a pattern.
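The cumulative report described above, as an added example rather than code from any POS product. The shift data is constructed, and `min_shifts` and `short_ratio` are assumed tuning values. It looks only at variances the per-shift alert ignores and flags cashiers whose small variances are almost always short.

```python
from collections import defaultdict

ALERT_THRESHOLD_CENTS = 200   # per-shift alert level used in the text ($2)

# Constructed sample: (cashier_id, shift_date, variance in cents; negative = short).
SHIFTS = [
    ("c04", "2026-03-02", -100), ("c04", "2026-03-04", -100),
    ("c04", "2026-03-06", -100), ("c04", "2026-03-09", -150),
    ("c04", "2026-03-11", -100),
    ("c11", "2026-03-02", 50), ("c11", "2026-03-03", -75),
    ("c11", "2026-03-05", 25), ("c11", "2026-03-09", -40),
    ("c11", "2026-03-10", 60),
    ("c20", "2026-03-03", -450),   # over threshold: the per-shift alert covers this
]

def quiet_drift(shifts, threshold=ALERT_THRESHOLD_CENTS,
                min_shifts=3, short_ratio=0.8):
    """Flag cashiers whose sub-threshold variances are consistently negative.

    min_shifts and short_ratio are assumptions for this example: at least
    three quiet shifts, of which 80% or more were short.
    """
    quiet = defaultdict(list)
    for cashier, _date, cents in shifts:
        if abs(cents) < threshold:        # only what the alert would never show
            quiet[cashier].append(cents)
    flagged = {}
    for cashier, values in quiet.items():
        shorts = sum(1 for v in values if v < 0)
        if len(values) >= min_shifts and shorts / len(values) >= short_ratio:
            flagged[cashier] = {"shifts": len(values),
                                "short_shifts": shorts,
                                "net_cents": sum(values)}
    return flagged
```

Random counting errors land on both sides of zero, as for `c11`; a cashier who is short on every quiet shift, as `c04` is, stands out even though no single shift ever alerted.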

Reading the audit reports.

Weekly: total voids by cashier, total refunds by cashier, total discount by cashier, drawer variance by cashier, manager-override count by cashier. Sort each report in descending order. Anyone who is at the top of three or more lists is your investigation candidate, not your top performer.
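The weekly cross-check above, as an added example that is not part of the original article. The events are constructed, the event-type names are hypothetical, and `top_n` (how many names count as "the top" of a list) is an assumed cut-off. It builds the five descending reports from raw audit events and returns whoever appears near the top of three or more.

```python
from collections import defaultdict

# Assumed mapping from audit event types to the weekly report each one feeds.
REPORT_FOR = {"txn_void": "voids", "txn_refund": "refunds",
              "discount": "discounts", "drawer_short": "drawer_variance",
              "manager_override": "overrides"}

# Constructed week of audit events: (cashier_id, event_type, amount in cents).
EVENTS = [
    ("c04", "txn_void", 12000), ("c04", "txn_void", 19000),
    ("c17", "txn_void", 29000), ("c01", "txn_void", 4000),
    ("c11", "txn_void", 5500),
    ("c11", "txn_refund", 41000), ("c01", "txn_refund", 12000),
    ("c04", "txn_refund", 9500),
    ("c04", "discount", 18000), ("c11", "discount", 6000),
    ("c17", "discount", 2500),
    ("c04", "drawer_short", 1400), ("c17", "drawer_short", 300),
    ("c01", "drawer_short", 200),
    ("c04", "manager_override", 0), ("c04", "manager_override", 0),
    ("c04", "manager_override", 0), ("c17", "manager_override", 0),
    ("c17", "manager_override", 0), ("c11", "manager_override", 0),
]

def weekly_reports(events):
    """One descending list per report: totals in cents, overrides by count."""
    totals = defaultdict(lambda: defaultdict(int))
    for cashier, event_type, cents in events:
        report = REPORT_FOR[event_type]
        totals[report][cashier] += 1 if report == "overrides" else cents
    return {report: sorted(t.items(), key=lambda kv: kv[1], reverse=True)
            for report, t in totals.items()}

def investigation_candidates(events, top_n=2, min_lists=3):
    """Cashiers in the top_n of at least min_lists of the weekly reports."""
    seen = defaultdict(list)
    for report, ranking in weekly_reports(events).items():
        for cashier, _total in ranking[:top_n]:
            seen[cashier].append(report)
    return {c: sorted(r) for c, r in seen.items() if len(r) >= min_lists}
```

On the sample week `c11` leads the refund list by a wide margin but appears near the top of only two lists, so a single high total does not make a cashier a candidate; the overlap across lists does.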

Monthly: voids over threshold detail, refunds over threshold detail, drawer variance over threshold detail. Read each row. Most are legitimate; the patterns will surface naturally. The cashier who shows up across all three reports for three months running is having a conversation, even if every individual transaction is small.

The investigation that does not destroy trust.

When the audit trail flags a pattern, do not confront. Investigate quietly first. Pull all transactions for the cashier in the suspect window, look for matching customer complaints (or absence thereof), check inventory count matches sales count, look for after-hours activity. Then have the conversation with evidence.

A confrontation without evidence destroys morale across the team and protects the actual fraudster (who knows you have nothing). A conversation with evidence is brief, factual, and resolved within 30 minutes. Either the cashier explains the pattern (sometimes legitimate) or admits and leaves. Both outcomes are clean.

The cultural piece.

Audit trails work best when the team knows they exist and trusts they are fair. Mention in onboarding that "every void, refund, and pull is logged and reviewed weekly — this protects you as much as us." Show the team a sample report so they know what is being watched. Predictability deters far more than surprise.

In Nonari the audit feed is built into the manager dashboard. Cashiers know reports run, and the conversation around shrinkage becomes a process discussion rather than a witch hunt. The number to focus on is the trend over time — a chain that goes from 2.5% shrinkage to 0.8% in six months is doing audit trails right.

Frequently asked

Common questions.

How long should I retain the audit trail?

Minimum seven years for tax purposes in most jurisdictions (the IRS requires three years minimum, HMRC and the CRA require six, the ATO requires five). Operationally, three years is enough for trend analysis. Modern cloud POS retains indefinitely at low cost — do not delete to save space, you will need the data eventually.

Can the cashier delete log entries?

Never. Audit logs are append-only by design. Cashiers (and managers) can read but not modify or delete. If your POS allows deletion, the audit trail is theater and you should switch systems. Immutability is the whole point of an audit trail.
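One way to make an edit or deletion detectable even when someone has direct access to the storage, shown as an added example: each entry carries a SHA-256 hash over its content and the previous entry's hash. Hash chaining is a technique chosen for this example and is not something the article attributes to any POS system; the entry fields and sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64   # assumed fixed starting value for the chain

def digest(prev_hash, body):
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(log, body):
    """Add an entry linked to the current tail of the log."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"body": body, "prev": prev, "hash": digest(prev, body)})
    return log

def first_bad_index(log):
    """Index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != digest(prev, entry["body"]):
            return i
        prev = entry["hash"]
    return None

def sample_log():
    """Constructed three-event log for demonstration."""
    log = []
    for body in (
        {"ts": "2026-03-12T14:02:11Z", "user": "c04",
         "event": "txn_create", "amount_cents": 12000},
        {"ts": "2026-03-12T14:03:40Z", "user": "c04",
         "event": "txn_void", "amount_cents": 12000},
        {"ts": "2026-03-12T16:00:05Z", "user": "c04",
         "event": "drawer_cash_out", "amount_cents": 30000},
    ):
        append(log, body)
    return log
```

Removing entries from the end of the log leaves a shorter but valid chain, so the latest hash has to be recorded somewhere the POS operator cannot rewrite, such as a daily report sent to the owner.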

What about pre-employment checks?

Useful but not sufficient. Most cashier theft is opportunistic, not premeditated — a clean record at hire does not prevent a slow drift into bad habits months later. The audit trail is the ongoing control. Hiring filters are a one-time control. Use both.

Is there a privacy issue with logging cashier activity?

In most jurisdictions, employer monitoring of work activity in the workplace is legal as long as it is disclosed in writing during onboarding. In the EU, GDPR requires explicit notice and a legitimate-interest basis. Best practice everywhere: tell employees in writing that work activity is logged. Transparency converts the audit trail from surveillance into an explicit policy, which is fairer to everyone.
