← Back to knowledge base

Internal Theft & Employee Fraud

Internal Theft & Employee Fraud

Cannabis-specific employee theft patterns, background-check frameworks, exception-based reporting queries, investigation protocols, and prosecution decisions.

Extends: sops.md §Employee Background Checks and §Incident Reporting. That SOP is the index; this file is the operational LP playbook.

See also: hiring-retention.md for per-state background-check mechanics | licensing.md for cannabis-industry disqualifiers | cash-handling.md for variance-to-fraud escalation

Data current as of early 2026. Industry shrink benchmarks cited with source year; numbers are industry estimates unless otherwise noted.

Shrink Landscape & Why Internal Dominates

Internal theft -- employee fraud executed at the register, the receiving dock, the safe, or the waste bin -- is the dominant loss-prevention exposure facing every legal dispensary. In conventional retail, external theft (shoplifting, organized retail crime, smash-and-grab) typically runs a larger share of total shrink than internal. In cannabis retail, the ratio inverts.

The ~90% Figure (and Why to Caveat It)

Industry estimates widely cited across cannabis loss-prevention vendor publications -- Sapphire Risk Advisory Group, Cova, Meadow, Flowhub, DTIQ -- place internal theft at roughly 90% of total dispensary shrink (industry estimates, 2024-2025; no peer-reviewed academic source). The figure is directional, not precise: the exact split varies by format (delivery vs. storefront), by employee count, by cash-vs-cashless payment mix, and by the maturity of the operator's exception-reporting stack.

Treat the number as framing, not as fact. What matters operationally is that:

  • Budtenders, supervisors, receiving clerks, vault managers, and drivers all have legitimate access to high-value, mostly-cash, regulator-tracked product.
  • The industry's median employee tenure is short (cannabis budtender turnover runs 55-75% annually per Headset / MJBizDaily; see hiring-retention.md for turnover economics), which shortens the window in which trust is earned and lengthens the tail of employees who never fully internalize policy.
  • Cash-heavy operations produce small, daily, easily-concealed theft vectors ($20 skim on a $200 transaction) that traditional retail's card-dominant mix does not.
  • Regulator-visible inventory (Metrc) means every unit stolen creates a reconciliation problem that eventually surfaces -- but the lag between theft and detection can be weeks or months.

Phrasing guidance across this file: "industry estimates suggest" or "industry estimates place" is the correct framing for the 90% claim and the related void-rate benchmarks. Do not state shrink percentages as absolute fact.

Contrast With Conventional Retail

In general retail, per the National Retail Federation's annual Retail Security Survey, external theft typically accounts for ~35-40% of shrink and internal theft ~30-35%, with process failures and administrative errors making up the balance (NRF, 2023-2024 reporting; industry estimates). Cannabis inverts this for three structural reasons:

  1. High unit value density. A quarter-pound of premium flower at $1,400 wholesale fits in a coat pocket. The shoplifter-per-dollar-stolen calculus strongly favors the insider who can move ten times that volume through a buddy-pass transaction that looks like a normal ring.
  2. Cash concentration. Even as cashless-ATM, pinless-debit, and compliant ACH expand (see cash-handling.md and payment-processing.md for payment-mix trends), cash remains the dominant tender at most storefronts. Cash is the internal-theft fuel that modern card-dominated retail has largely eliminated.
  3. Access discipline asymmetry. Dispensaries have hardened the customer-facing perimeter (mantraps, ID scanners, armed guards in some markets, camera coverage regulated at the state level). The employee-facing perimeter -- who can void, who can issue store credit, who signs for receiving, who witnesses waste destruction -- is often much less hardened, especially at single-store and young-MSO operators.

The Cash-Compliance-Inventory Triangle

The cannabis-specific wrinkle that distinguishes this domain from general-retail LP: every internal-theft vector interacts with at least two of three regulator-visible surfaces.

            Cash (POS variance / drawer counts / deposit logs)
                    /                                    \
                   /                                      \
                  /                                        \
   Compliance  -------------------------------------  Inventory
   (Metrc, state tracking,                          (physical counts,
    reconciliation audits)                           cycle counts, COA chain)
  • A budtender who skims $200 creates a cash variance (triangle vertex 1).
  • If the budtender covers the skim by ringing one $200 eighth as a $20 pre-roll, the inventory is off by one eighth -- which surfaces at the next cycle count and ultimately in Metrc reconciliation (triangle vertex 2 and 3).
  • A receiving clerk who diverts a case at intake creates both a Metrc manifest-acceptance discrepancy (vertex 2 = compliance) and a physical count shortage (vertex 3 = inventory). There is no cash trail until the stolen product is resold, but the regulator trail is immediate.
  • A waste-room employee who pockets "rendered" product in lieu of destroying it creates a Metrc waste-entry discrepancy and a physical inventory gap that may not reconcile for weeks.

Operational implication: An effective internal-theft program does not sit inside the LP function alone. It is a joint exception-reporting exercise across cash ops, Metrc compliance, and inventory -- with HR as the termination and legal-review arm. Dispensaries that silo LP ("cameras and door codes") from compliance ("Metrc reconciliation") and inventory ("cycle counts") miss two-thirds of the signal.

How Modern Detection Has Changed (2022-2025)

The state of the art in internal-theft detection has shifted materially over the last three years:

  • POS-integrated video (Solink, Verkada AI analytics, Spot AI) replaces standalone DVR archives. Instead of pulling tape for a flagged transaction, an investigator pulls the timestamp-linked video clip tied to a transaction ID. Investigation time per flagged transaction drops from hours to minutes.
  • Exception-based reporting is now a first-class feature in tier-1 cannabis POS (Dutchie, Flowhub, Cova, Treez, Meadow) rather than a build-your-own SQL-query exercise. Weekly exception digests flagging top-5% void rate, discount-percentage outliers, and basket-size anomalies are the 2024-2025 baseline.
  • Metrc reconciliation cadence has tightened. Operators that previously reconciled monthly or quarterly are moving to weekly cycles, driven by regulators that increasingly audit reconciliation discipline (DCC, Illinois CCB, NJ CRC all noted for audit-forward posture per 2024-2025 industry reporting).
  • Video analytics -- license-plate recognition at delivery docks, facial recognition at vault entries, dwell-time analytics at register -- provide passive signal that historically required manual review. The technology is cannabis-agnostic but the cannabis industry has been a fast adopter because the loss per incident is high.

The implication for this playbook: the archetypes below describe theft patterns, but the investigation protocols assume operators are running modern POS-linked video and at least monthly Metrc reconciliation. Single-store operators without that stack are running at 2019 detection posture and should plan upgrades as the first LP investment, not cameras-for-cameras' sake.

Background Checks & Pre-Hire Screening

The first line of internal-theft defense is the hire you do not make. Cannabis-industry background checks differ from general-retail checks in three ways: they are state-mandated (not optional), they typically require fingerprint-based state-agency screens (not just a county-court search), and they interact with cannabis-specific disqualifier rules that vary from state to state.

Deep reference: For the per-state background-check mechanics -- which states require fingerprinting, which require state agent-issued badges, which disqualifiers apply, how fair-chance statutes intersect with cannabis hiring -- see hiring-retention.md. This section covers the LP-facing framing, not the taxonomic detail.

What a Cannabis Background Check Typically Covers

A compliant cannabis pre-hire background check in most legal states covers the following layers. Most legal states require cannabis-specific background checks; verify per-state in legality.md and hiring-retention.md.

| Layer | What It Screens | Typical Source | Cannabis-Specific Use | |-------|-----------------|----------------|-----------------------| | State agent/employee registration | Does the person have a disqualifying record per cannabis statute? | State cannabis agency (DCC / MED / CCB / CCB IL / NJ CRC) | Required before badge issuance | | Fingerprint-based criminal record | Felonies, misdemeanors, pending charges across state and FBI databases | State police + FBI via Live Scan / ink | Core disqualifier screen | | Federal court record | Federal convictions not captured in state systems | PACER / federal court records search | Controlled-substance trafficking at federal level | | Employment verification | Prior employer confirmation, reason-for-leaving notes | Direct contact with prior employers | Cannabis-industry tenure verification | | Education / license verification | Claimed certifications, transporter licenses, pharmacy tech | Credentialing bodies | Role-specific (delivery driver CDL, pharmacist-equivalent med roles) | | Drug screen | Historically non-cannabis drug panel; cannabis use is policy-specific | Third-party clinical labs | Federal illegality × employment exposure | | Social-equity inclusion screen | Prior cannabis conviction eligibility for equity programs | State-specific equity programs | Inverse disqualifier in IL, NY, MA, NJ programs |

Operators should not confuse a "cannabis background check" with "more thorough general-retail check." The material difference is that the state cannabis agency is one of the parties reviewing the record and issuing the badge -- the hire is not fully consummated until the state signs off.

Cannabis-Industry Disqualifiers Vary by State

Most legal states tie disqualifier criteria to either felony convictions involving controlled substances or felony convictions involving fraud / theft / violence within a recency window. The recency window and the offense categories vary.

General framing (verify per-state in licensing.md and hiring-retention.md):

  • California (DCC): Disqualifier list published in 16 CCR Division 42; prior cannabis-only convictions are in many cases explicitly excluded as disqualifiers under Prop 64 / AUMA implementation. Fair-chance statute (AB 1008) applies.
  • Colorado (MED): Felony controlled-substance convictions within specified recency window; felony theft / embezzlement / fraud within a longer window.
  • Illinois (CCB / IDFPR): Social Equity Justice Impacted (SEJI) framework explicitly inverts standard disqualifiers -- prior cannabis convictions can qualify applicants for license preference under SEJI; non-cannabis felony disqualifiers still apply.
  • Nevada (CCB): Felony within 10 years is typical baseline; cannabis-industry badge reviewed at state level.
  • New York (OCM) / New Jersey (CRC) / Massachusetts (CCC): Social equity programs with cannabis-conviction eligibility; standard fraud/theft felony disqualifiers retained.

Do not attempt to build a 50-state disqualifier matrix inside this file -- that belongs in licensing.md and hiring-retention.md. The LP-facing callout is: the disqualifier lists are not uniform, and the intersection with cannabis-conviction equity framing means the same prior record can be a disqualifier in one state and an eligibility factor in another.

Re-Screening Cadence

A pre-hire check is not a one-time event. Industry-standard re-screening cadence for loss-prevention-relevant roles (cash handlers, vault managers, receiving clerks, drivers) is:

  • Annual re-screen for badge renewal in most states.
  • For-cause re-screen triggered by any arrest, DUI, cash variance above the investigation threshold, or suspicion of theft. Consent paperwork should be in the employee handbook up front; surprising someone with a re-screen at investigation time is procedurally sloppy.
  • Role-change re-screen when an employee promotes into a cash-handling or vault role from a non-cash role. The original pre-hire screen may have been to the lower-trust standard.

Fair-Chance-Hiring Interaction

Most jurisdictions the operator will care about (CA, IL, MA, NJ, NY, Washington DC, Seattle, San Francisco, NYC) have fair-chance-hiring statutes that limit when and how an employer can ask about criminal history. The interaction with cannabis-specific disqualifiers creates a compliance knot: the state cannabis agency requires the background check, but local fair-chance rules constrain the hiring workflow.

Operational guidance:

  • Do not ask about criminal history on the initial application in fair-chance jurisdictions.
  • Make the conditional offer before running the cannabis-agent background check.
  • If the state-agency screen returns a disqualifier, document the specific statute-cited basis for rescinding the offer. Generic "failed background check" language is both fair-chance-noncompliant and creates wrongful-termination exposure.
  • Coordinate with employment counsel before templated offer-rescission letters go out.

This is a Phase-14 and Phase-20 (hiring-retention.md) depth topic; the LP-facing point is that pre-hire screening is a compliance gate that must be run within a carefully sequenced workflow, not a one-step fire-and-forget.

The Pre-Hire → Post-Hire LP Handoff

Background checks reduce hiring risk but do not prevent post-hire drift. The pre-hire screen tells you who the person was up to the hire date; it does not tell you what they will do in month four when rent is due and the vault has $80K in it. The rest of this file is about the post-hire surfaces that catch the drift.

Internal Theft Archetypes

Five archetypes cover the majority of observable cannabis internal theft. Each follows the same template -- Pattern, Detection Signals, Exception-Based Reporting Query, Investigation Protocol, Cannabis-Specific Wrinkle -- so the LP function can build a reproducible playbook across them. Archetypes are operational shorthand, not criminology; real incidents often combine two or three archetypes (e.g., a buddy pass executed via void-and-rering at a discount).

Internal Theft Archetype: The Buddy Pass

Pattern: A budtender rings a friend's or family member's $200 basket as $20 -- by discount abuse, by void-and-rering at a lower price, by SKU substitution (scanning a $12 pre-roll barcode while bagging a $200 eighth), or by outright under-scanning (bagging three items, scanning one). The friend pays the $20, walks out with the full basket, and splits the difference with the budtender after hours. This is the canonical internal-theft archetype in dispensaries and consistently the most-reported by LP consultants (Sapphire Risk, Cova, Meadow, 2024-2025 industry coverage).

Detection signals:

  • Basket-size anomaly by employee. Flagged budtender's average basket runs materially below store average for the same daypart and customer mix (e.g., 20-30% below store average for weekday afternoons).
  • Discount-percentage anomaly. Flagged budtender issues discounts at a rate 1.5-2x the store average, or uses manager-override discount codes disproportionately.
  • Void rate above benchmark. Industry void rate benchmarks suggest <2% of transactions is normal in general retail; cannabis may see a higher baseline (3-4%) because compliance-triggered voids (ID age-verify failure, purchase-limit hit, Metrc sync error) inflate the floor. A void rate above 5% for a specific employee is a red flag (general retail benchmark; cannabis operators may see higher baseline due to compliance-triggered voids -- verify store-level baseline before setting threshold).
  • Repeat-customer concentration with one employee. The same customer ID (or loyalty member, or walk-in demographic cluster via camera identification) appears 3+ times in the budtender's sales history within a 30-day window, especially if the customer avoids other budtenders.
  • Cash variance correlated to employee shift. Drawer variances (even small ones) cluster on the flagged budtender's shifts. This signal is weak in isolation but strong in combination with the prior four.
  • Refund / store-credit pattern. Flagged budtender issues store credits or refunds at rates above peer; the store credit is later spent when the same budtender is working.

Exception-based reporting query (generic pseudo-SQL):

-- Weekly buddy-pass exception report
-- Flag: employees in top-5% void rate AND top-5% discount-% AND
--       with any single customer appearing >=3 times in sales history
-- Escalation: manager review within 48h; LP review if pattern confirmed

with employee_stats as (
  select
    employee_id,
    count(*) as txn_count,
    count(*) filter (where is_void) * 1.0 / count(*) as void_rate,
    avg(discount_pct) as avg_discount_pct,
    avg(basket_total) as avg_basket
  from pos_transactions
  where txn_ts >= current_date - interval '30 days'
    and store_id = :store_id
  group by employee_id
),
percentile_thresholds as (
  select
    percentile_cont(0.95) within group (order by void_rate) as void_p95,
    percentile_cont(0.95) within group (order by avg_discount_pct) as disc_p95
  from employee_stats
),
customer_concentration as (
  select
    employee_id,
    customer_id,
    count(*) as customer_visit_count
  from pos_transactions
  where txn_ts >= current_date - interval '30 days'
  group by employee_id, customer_id
  having count(*) >= 3
)
select distinct
  es.employee_id,
  es.void_rate,
  es.avg_discount_pct,
  es.avg_basket
from employee_stats es
  cross join percentile_thresholds pt
  join customer_concentration cc on es.employee_id = cc.employee_id
where es.void_rate >= pt.void_p95
  and es.avg_discount_pct >= pt.disc_p95;

Investigation protocol:

  1. Transaction-detail pull. Pull the flagged employee's full transaction detail for the last 30 days. Focus on voids, refunds, discounts, and transactions involving any repeat-concentrated customer ID.
  2. POS-linked video review. Pull video for the flagged transactions (Solink or equivalent POS-linked video cuts investigation time from hours to minutes; standalone DVR archives require manual timestamp matching).
  3. Inventory reconciliation on affected SKUs. Cross-check Metrc package movement for the SKUs involved in flagged transactions. An undersold eighth appears as a physical-count shortfall that did not sell through the POS.
  4. Interview with HR witness -- do NOT accuse. The initial interview is informational, not accusatory. Ask open-ended questions ("Walk me through how you handle voids," "Tell me about your regular customers"). HR witness protects both sides against procedural challenge. Have a second manager or LP specialist observe if staffing allows.
  5. Legal / employment counsel review before termination. Cannabis operators are generally at-will, but wrongful-termination and fair-chance exposure is real in CA, IL, MA, NJ, NY. Counsel reviews the evidence package.
  6. Termination decision per progressive-discipline policy. If the employee handbook prescribes progressive discipline, skipping to termination requires documented cause. Most cannabis employee handbooks carve out theft as a summary-termination offense -- verify the handbook reflects this before relying on it.
  7. Prosecution decision. Depends on provable theft value, state felony threshold (typically $500-$1,500; varies by state), local LE willingness to pursue cannabis-linked cases, and Metrc-trail strength as corroborating evidence. See "Termination & Prosecution Decisions" below for the full decision framework.

Cannabis-specific wrinkle: Filing a police report about cannabis theft triggers Metrc and state regulator scrutiny of your inventory reconciliation. Some operators have historically under-reported cannabis theft to avoid this scrutiny -- which is itself a red flag regulators are increasingly aware of (DCC, Illinois CCB, and NJ CRC have all noted pattern-of-under-reporting as an enforcement factor per 2024-2025 industry reporting). Under-reporting to avoid Metrc heat creates audit exposure that exceeds the cost of the theft itself.

Internal Theft Archetype: Void Abuse

Pattern: A budtender rings a transaction, accepts cash or tender, then voids the transaction after the customer leaves and pockets the cash; or rings a transaction, voids it, re-rings at a lower total, and pockets the difference. Void abuse is closely adjacent to the buddy pass but does not require a colluding customer -- the theft is executed entirely at the register. Void abuse is often the "entry-level" theft archetype because it requires the least planning.

Detection signals:

  • Absolute void rate above threshold. >5% of transactions voided is the general-retail red-flag threshold; cannabis may run structurally higher (3-4%) because of compliance-triggered voids (ID failure, purchase-limit hit). Calibrate the threshold to the store's baseline, then flag outliers two standard deviations above baseline.
  • Time-between-void-and-rering pattern. Voids followed immediately by a re-ring at a lower total, within 30-120 seconds, are more suspicious than voids followed by no re-ring (the no-re-ring case may be a legitimate customer change-of-mind).
  • Same-customer void-and-rering. If the customer ID on the void matches the customer ID on the subsequent re-ring, the pattern is stronger than voids across different customers (which may just be a sloppy register flow).
  • End-of-shift void concentration. Voids clustered in the last 15-30 minutes of a shift are suspicious because the budtender has less time for a legitimate customer change-of-mind and more incentive to zero out the drawer before count.
  • No manager approval on voids above threshold. Most POS systems require manager override for voids above a dollar threshold (commonly $20-$50). A budtender consistently voiding just below the threshold is a known pattern.
  • Receipt-discarded voids. POS systems that do not require receipt-presentation for voids are easier to abuse; if the store's void policy does not include a physical-receipt step, assume void abuse is running hotter than peer stores.

Exception-based reporting query (generic): Employees with void rate above (store baseline + 2 standard deviations) AND with >20% of voids followed by same-customer re-ring within 120 seconds -- supervisor review weekly; LP review if threshold breached two consecutive weeks.

Investigation protocol:

  1. Pull void-log detail for the flagged employee for 60 days (longer window than buddy-pass because void abuse is lower-dollar and slower-accumulating).
  2. Match each void to a POS-linked video clip (Solink / Verkada / equivalent). Look for: (a) customer still present vs. gone; (b) cash still in drawer vs. removed; (c) budtender body language at the void (glancing at camera, turning away, etc.).
  3. Reconcile voided inventory against Metrc. A voided SKU should be returned to available inventory. If the Metrc package shows depleted count but the POS shows a void, the void was a cover for inventory removal -- this is the theft signature.
  4. HR-witnessed interview per the protocol in the buddy-pass section above.
  5. Legal review, termination, prosecution decision.

Cannabis-specific wrinkle: In most cannabis POS systems, voids rekey inventory back to available. That means a void executed without physical re-stocking of the product creates a POS-Metrc mismatch the moment the next cycle count runs. Metrc transfer and reconciliation logs are the paper trail that makes cannabis void abuse more detectable than general-retail void abuse -- the diversion leaves a fingerprint regulators can follow. An operator who runs weekly Metrc reconciliation catches this archetype in days; an operator on monthly reconciliation catches it in weeks; an operator with no reconciliation discipline catches it when the DCC asks for it during audit.

Internal Theft Archetype: Return Fraud

Pattern: An employee processes a no-receipt return by issuing store credit, then spends the store credit on their own purchase (or has a friend spend it). Variants include: issuing a cash refund for a fabricated return, processing a legitimate customer's return as store credit instead of cash and pocketing the cash equivalent, or returning sealed product from the vault to inventory while taking product home. Return fraud is operationally different from the buddy pass because it runs through the refund/return workflow, which many LP systems audit less rigorously than the sales workflow.

Detection signals:

  • Return rate by employee above peer. Flagged employee processes returns at 1.5-2x peer rate.
  • No-receipt return concentration. Industry good practice limits no-receipt returns to a small fraction (under 10-15%) of total returns. An employee above this threshold is working outside policy.
  • Store-credit issuance pattern. Store credit issued and redeemed by the same customer ID within a short window (days) is not inherently suspicious, but the store credit issued and redeemed when the same budtender is working both sides is.
  • Return without Metrc re-ingest. A legitimate cannabis return requires the product be quarantined and typically destroyed (see the wrinkle below). If Metrc shows no quarantine or destruction entry for returned units, the return was fictitious (product was never actually returned) or the destruction was skipped.
  • Refund to cash when policy requires store credit. Policy-vs-practice mismatch on refund tender is a red flag worth pulling video on.
  • Employee-as-customer loop. The flagged employee's own loyalty account shows frequent use of store credit that traces back to returns they processed on shift.

Exception-based reporting query (generic): Employees with return rate above (store baseline + 2 stdev) AND with >25% of returns issued as store credit that is redeemed within 14 days -- supervisor review weekly.

Investigation protocol:

  1. Pull 60-day return detail for the flagged employee. Segment by: returns with receipt, returns without receipt, returns to cash, returns to store credit.
  2. Match return events to Metrc. Legitimate returns should produce a quarantine entry (for sealed / unopened returns in most states) or a destruction entry. Missing Metrc entries for claimed returns = fictitious returns.
  3. Pull video for the return transactions. Look for: is there a physical product being returned? Is the customer present? Is the budtender's behavior consistent with a legitimate return?
  4. Cross-check the redemption of store credit issued. If store credit from a flagged return is redeemed later, capture video on the redemption transaction and identify who benefited.
  5. HR-witnessed interview, legal review, termination, prosecution decision per the framework.

Cannabis-specific wrinkle: Returned cannabis product must in most states be quarantined and ultimately destroyed, not returned to sellable inventory. (Cross-reference waste-management.md for rendering-unusable and destruction requirements per state.) Fake returns create a particularly dangerous inventory distortion: the POS shows the unit coming back into inventory, but the physical inventory never increased (because the return was fictitious). Over weeks, the store shows a Metrc-visible excess that eventually forces a correction entry, which attracts regulator attention. Real returns that skip the destruction step create the opposite problem: product that should be destroyed stays in quarantine indefinitely or silently returns to the shelf, a compliance violation regulators treat severely. Either failure mode ends at the regulator's door.

Internal Theft Archetype: Manifest Diversion

Pattern: A receiving clerk or vault manager accepts a delivery (cultivation-to-retail, distributor-to-retail, or internal store-transfer) that contains fewer units than the manifest lists, and either (a) signs for the full manifest and pockets the shortage, attributing the discrepancy to "vendor error" if ever questioned, or (b) removes units between the truck and the vault during the physical receipt, and signs for the adjusted count. A sophisticated version involves collusion with the delivery driver, who pre-adjusts the physical shipment to match the signed-short count so the manifest-vs-physical reconciliation looks clean from the distributor's side too.

Detection signals:

  • Per-vendor shortage-rate anomaly by receiving employee. Flagged clerk signs for shortages at a rate materially above peer receiving clerks for the same vendor and product mix.
  • Vendor-complaint absence. A true vendor-error shortage produces a back-and-forth with the distributor (credit memo, re-ship, reconciliation). A fictitious shortage has no such paper trail because the distributor thinks the manifest matched.
  • Receiving-employee concentration. Shortages cluster heavily on one or two clerks' shifts even when the vendor rotation is random.
  • Time-of-receipt pattern. Shortages cluster at shift changes, end-of-day receipts, or deliveries processed without dual-custody.
  • High-value SKU concentration. Shortages disproportionately affect high-potency flower, solventless concentrates, and limited-release drops -- the inventory with the highest street resale value. A clerk skimming shampoo in conventional retail takes $4; a clerk skimming a solventless jar takes $80.
  • Metrc transfer-acceptance delay. Clerk accepts Metrc transfer days after the physical receipt (which should be same-day), giving room to adjust the count before the state tracking system captures it.

Exception-based reporting query (generic): Receiving clerks with shortage rate >2x peer rate AND with >30% of shortages occurring outside dual-custody hours -- weekly review.

Investigation protocol:

  1. Pull 90-day receiving log for the flagged clerk. Segment by vendor, by shift, by SKU category, by dual-custody status.
  2. Match claimed shortages against distributor records. A clerk claiming vendor error on a manifest the distributor shows as shipped-full is the signature of this archetype. (Cross-reference receiving-qc.md dual-receipt protocol and manifest-verification standards.)
  3. Reconcile Metrc transfer-acceptance logs. Every accepted package in Metrc has a timestamp and an accepting agent ID -- that is your chain-of-custody paper trail.
  4. Video review of the receiving dock for flagged receipts. Look for units transferred between the truck and the vault.
  5. HR-witnessed interview, legal review, termination, prosecution decision. Manifest diversion is a higher-value theft archetype than buddy-pass and is more frequently prosecuted because the dollar amounts cross felony thresholds more often and because the distributor may be a co-victim.

Cannabis-specific wrinkle: Metrc transfer-acceptance creates the chain-of-custody paper trail that makes manifest diversion provable. The diverted packages don't have matching Metrc entries; either the clerk accepted fewer packages in Metrc than the manifest listed (visible discrepancy to the distributor's Metrc) or accepted all packages and then created fictitious "destruction" or "adjustment" entries (visible to the state during any audit). Either trail leads back to the clerk. This archetype is materially harder to execute in states with strict Metrc enforcement (CA, CO, IL) than in lighter-touch tracking states, but no legal state offers the clerk a clean exit.

Internal Theft Archetype: Discount Abuse

Pattern: An employee uses discount codes beyond policy -- typically the employee-self-discount, manager-override discount, or compliance discounts (medical-patient discount, veteran discount, senior discount) -- to enable buddy-pass transactions, self-purchases at unauthorized depth, or to mask other theft. Discount abuse is related to buddy-pass but distinct in that the primary mechanism is the discount engine rather than the void or SKU-substitution paths. Owner-discount abuse is a subtype: owners or partners with unlimited discount permissions use that access to move product at deep discount to family, friends, or personal side-sales -- a pattern that rarely gets caught because the person with authority to audit is the person doing it.

Detection signals:

  • Discount-percentage outlier by employee. Flagged employee's average discount percentage sits 1.5-2x above peer.
  • Discount-code usage concentration. A specific manager-override code or a specific employee-self-discount code sees usage clustered on one employee.
  • Discount-on-high-margin-SKU pattern. Discounts applied disproportionately to top-shelf flower, solventless concentrate, and limited drops (the highest-margin, highest-resale SKUs) rather than the sale-table items.
  • Compliance-discount misuse. Medical-patient or veteran discounts applied to customers who are not (verifiable via customer profile data) qualifying. This is a regulatory violation regardless of theft -- medical-patient discounts in many states come with reporting obligations and audit trails.
  • Self-discount above allowance. Most employee handbooks cap self-discount at 20-30% and a per-month dollar limit. Employees exceeding the cap or using self-discount for non-employee customers (friends, relatives) violate policy.
  • Owner/partner discount audit gap. If the operator has no audit cadence on owner-level discount usage, assume it is running hotter than policy.

Exception-based reporting query (generic): Employees whose 30-day discount dollar volume exceeds (peer median + 2 stdev) OR whose top-shelf discount rate exceeds (peer rate × 1.5) -- supervisor review weekly; special rule for owner/partner accounts: monthly dedicated audit regardless of threshold.

Investigation protocol:

  1. Pull 60-day discount log for the flagged employee. Segment by discount code, by SKU category, by customer ID.
  2. Cross-check compliance-discount usage against customer-profile data. Veteran discount applied to a customer who never provided verification = procedural violation that may rise to theft-with-fraud.
  3. Match owner/partner discount usage against documented policy (written discount authority in the shareholder agreement, board resolution, or employee handbook owner carve-out).
  4. Video review for the highest-dollar flagged discount transactions.
  5. HR-witnessed interview, legal review, termination, prosecution decision. Owner-level discount abuse may require board / investor escalation rather than standard HR flow and should be handled with outside counsel.

Cannabis-specific wrinkle: Compliance discounts -- medical-patient discounts, veteran discounts, senior discounts, equity-program discounts -- have regulatory reporting implications in many states. Medical-patient discount misuse is not just theft; in states where the medical-discount is tax-advantaged (e.g., lower excise or sales tax), the misuse is also a tax compliance violation, which compounds the exposure. CA, IL, NY, and MA all tie medical-patient discount eligibility to verified patient registration in state systems -- fictitious medical discounts are visible to the state when reconciliation runs.

Exception-Based Reporting Framework

Archetype-by-archetype detection only works if the data pipeline surfacing the exceptions is running reliably. Exception-based reporting is the LP-facing data product: weekly (or daily, for high-volume stores) digests of the outliers that warrant supervisor review.

Data Sources

An effective exception-reporting stack pulls from at least three sources:

  • POS transaction log. Every ring, void, refund, discount, store-credit issuance, and employee ID. Tier-1 cannabis POS (Dutchie, Flowhub, Cova, Treez, Meadow) expose this via reports or API.
  • Metrc transfer / waste / adjustment records. Every package accepted, transferred, destroyed, or adjusted. This is the regulator-visible chain of custody.
  • Cash variance log. Every drawer count, deposit, and variance event, tied to employee and shift. Small variances are noise; variance correlated with employee shift is signal.

Additional sources that mature programs incorporate:

  • Video analytics (Solink / Verkada / Spot AI / Eagle Eye Networks). Dwell time at register, employee presence at vault, POS-linked video clips.
  • Loyalty / CRM data. Repeat-customer concentration with an employee; store-credit issuance and redemption patterns. (Cross-reference tech-crm-loyalty.md for loyalty platform integration.)
  • HR roster. Shift schedules, role history, prior incidents.

Weekly Cadence and Threshold Logic

The recommended cadence for most mid-size operators (5-30 stores) is:

  • Daily: Automated drawer variance report. Variances above threshold auto-route to supervisor within 24h.
  • Weekly: Exception digest covering void rates, discount percentages, return rates, receiving shortage rates by employee. Top-5% flagged; supervisor review within 48h.
  • Monthly: Metrc reconciliation; SKU-level inventory variance; owner/partner discount audit.
  • Quarterly: Full LP health review; background-check re-screen cycle for cash-handling and vault roles.

Top-N flagging is the baseline logic. For each metric (void rate, discount %, return rate, shortage rate, basket size skew), identify the top 5% (or top 3 employees at smaller stores) and surface for review. Pattern-based flagging -- "same exception flagged 3+ consecutive weeks" -- escalates from supervisor review to LP review.

Escalation Path

Exception flags should follow a documented escalation path. A typical progression:

| Stage | Who Reviews | Trigger to Advance | Typical Timeline | |-------|-------------|---------------------|------------------| | 1. Auto-flag | POS / LP system surfaces the exception | Metric exceeds threshold | Automatic, within 24-48h of data arrival | | 2. Supervisor review | Store manager or shift lead | Flag appears once | Within 48-72h of flag | | 3. LP review | Loss-prevention specialist / regional LP | Flag appears 2+ weeks OR single high-severity event | Within 5 business days | | 4. HR + legal review | HR partner + outside employment counsel | Investigation indicates likely termination | Within 10 business days | | 5. Termination / prosecution decision | Executive / ownership | Legal clearance | Documented decision |

Avoid the anti-pattern of "flag goes to a shared inbox no one owns." Every stage of the escalation path should have a named owner, an SLA, and a documented outcome.

Common Exception-Report Metrics (Reference Set)

| Metric | How Calculated | Red-Flag Threshold (Starting Point) | |--------|----------------|--------------------------------------| | Void rate | Voids / total transactions, rolling 30d | >5% (calibrate to store baseline) | | Discount % | Total discount $ / total sales $, rolling 30d | >2x peer median | | Return rate | Returns / total transactions, rolling 30d | >2x peer median | | No-receipt return % | No-receipt returns / total returns, rolling 30d | >15% | | Basket-size skew | Employee avg basket vs. store avg, same-daypart adjusted | Employee <80% of store avg | | Receiving shortage rate | Shortage events / total receipts, rolling 90d | >2x peer receiving clerk | | Drawer-variance frequency | Non-zero variance counts / total shifts, rolling 60d | >25% of shifts | | Store-credit redemption loop | Store credit issued + redeemed with same employee | Any match warrants review | | Customer-employee concentration | Same customer appearing with same employee | >=3 times in 30 days |

These thresholds are starting points. Every store should calibrate to its own baseline during a 90-day tuning window before automated escalation kicks in. A store with a 4% baseline void rate should not escalate at 5%; it should escalate at 6% or whatever its p95 is.

The Modern Stack (2024-2025)

The reference architecture for a current exception-reporting stack:

  • POS as source of truth for transaction events. Cannabis tier-1 POS expose the needed data.
  • Solink, Verkada, or equivalent for POS-linked video, mapping transaction IDs to video timestamps automatically.
  • Metrc state tracking integration for inventory-movement cross-check.
  • Lightweight BI layer (Looker Studio, Metabase, or even a spreadsheet model for small operators) to synthesize the metrics and generate the weekly digest.
  • Named LP owner (internal specialist or outsourced consultant) who reads the digest, triages, and drives escalations.

Operators lacking this stack should treat its absence as the first LP investment, ahead of additional cameras, additional guards, or additional policy documents. Policy without data-driven enforcement is administrative theater.

Investigation Protocol

The archetype sections above each include a protocol stub. This section is the reference playbook for the mechanics that apply across archetypes.

Evidence Preservation

Before anything else, preserve the evidence. The moment a credible theft signal surfaces, the clock starts on: transactional data retention, video retention, digital access-log retention, and physical evidence chain-of-custody.

  • Video. Pull and archive (to separate media, not left on the DVR rolling buffer) the relevant clips. Cannabis-state camera retention ranges from 7 days (NV routine) to 90 days (CA DCC §5044) -- do not assume footage is safe on the DVR for the duration of the investigation.
  • POS transaction log. Export the flagged employee's full transaction history for the investigation window. Most POS retain indefinitely but exports protect against system changes mid-investigation.
  • Metrc records. Export package, transfer, adjustment, and destruction logs for the affected SKUs and time window.
  • Cash variance log. Pull all drawer counts, deposits, and variance events tied to the flagged employee.
  • Physical evidence. If physical product, cash, or documents need to be secured, do so with dual-custody and documented transfer. Chain of custody starts the moment evidence is identified.

Video Pull Procedures

Video is the single highest-leverage evidence type in a dispensary theft investigation because it turns ambiguous data patterns into direct observations. POS-linked video (Solink, Verkada) reduces pull time from hours to minutes by jumping to the transaction ID. Manual DVR archives require timestamp matching.

Best-practice video pull:

  • Identify the transactions or events of interest by ID and timestamp.
  • Pull a window around each event (60-120 seconds before, 60 seconds after) to capture customer entry and tender flow.
  • Export to a dedicated evidence drive, not a shared NAS. Label each clip with transaction ID, date, employee ID, and pull-date.
  • Hash the exported files (SHA-256) and record the hashes in the investigation log. Hashes protect against later tampering claims.
  • Keep the original DVR footage in place until the investigation closes and legal / regulator retention obligations are satisfied.

Chain of Custody for Evidence

For any physical evidence (recovered product, cash, notes, phones), chain of custody must be documented:

  • Who found it, when, where.
  • Who transferred it, to whom, when, why.
  • Where it is stored now.
  • Any access events (who reviewed it, when).

Template:

Evidence ID: EV-2026-001
Description: One-eighth pre-roll SKU 1234, sealed, recovered from employee locker
Discovered by: [Name], [Role], [Date/Time], [Location]
Custody chain:
  - 2026-04-01 14:32: Recovered by [Name] from locker 12
  - 2026-04-01 14:40: Secured in evidence vault by [Name + Witness]
  - 2026-04-03 09:15: Reviewed by LP specialist [Name], returned to vault
  - [...]

HR-Witness Interview Script

The initial interview is informational, not accusatory. Never accuse in the first interview -- it hardens positions, invites lawyer involvement, and closes off information flow.

Canonical script structure:

  1. Setting. Private room, door closed but unlocked. HR witness present (never solo). Water available. Recording only with consent and if state law permits.
  2. Opening. "We're reviewing some patterns in transaction data and wanted to ask a few questions. This is a standard procedure."
  3. Open-ended questions first. "Walk me through a typical shift." "How do you handle voids?" "Any regular customers you've gotten to know?"
  4. Specific questions later. "On [date], transaction [ID] shows [pattern]. Can you walk me through what happened there?"
  5. No accusations. Even when the employee lies or contradicts themselves, note it -- don't confront. Confrontation belongs in the second interview (if there is one) after legal review.
  6. Close. "Thank you, we'll follow up if we have further questions. This conversation is confidential."

Document everything: questions asked, answers given, body language notes, any admissions. HR witness signs the notes at the close.

Legal Review Before Termination

Even in at-will states, cannabis operators have meaningful wrongful-termination and fair-chance exposure:

  • California, Illinois, New York, Massachusetts, New Jersey: Fair-chance-hiring laws, anti-retaliation statutes, and worker protections create procedural landmines. Legal review before termination is operationally mandatory.
  • Federally-regulated contexts (e.g., employees in roles tied to federal grant-funded programs -- rare in cannabis but possible for ancillary businesses): Additional procedural requirements.
  • Union environments (a growing minority of cannabis operators -- UFCW, Teamsters): Collective bargaining agreements typically impose just-cause standards, grievance procedures, and progressive-discipline requirements that override at-will framing.

Legal review should touch:

  • Sufficiency of evidence.
  • Consistency with handbook policy.
  • Procedural compliance (interview process, documentation, evidence chain).
  • Termination letter language (avoid generic "failed background check" or "violation of policy" -- cite specific conduct with specific evidence references).
  • Severance / settlement considerations (particularly in jurisdictions with mandatory arbitration or release-agreement standards).

Compliance Implications of Mid-Shift Termination

Cannabis-specific wrinkle on termination mechanics: terminating a badged employee mid-shift may trigger:

  • Metrc credential revocation. The employee's POS and Metrc access should be disabled immediately on termination. Delays create a window for retaliatory theft or data tampering.
  • State regulator notification. Some states (CA, IL, NJ) require notification when a licensed cannabis worker is terminated for cause. Verify per licensing.md and legality.md.
  • Badge return. Many states require the physical state-issued badge to be returned or surrendered on termination. Document the return.
  • Final-pay rules. California, Nevada, and others require final pay within a specific window (CA: immediately on for-cause termination). Plan the termination logistics around payroll cutoff to avoid wage-and-hour violations compounding the HR action.

Termination & Prosecution Decisions

Termination Framework

Termination for theft is a higher bar than termination for policy violation or performance, because the evidentiary record has to withstand both internal morale scrutiny and external legal challenge. The baseline decision framework:

| Factor | Weight | Consideration | |--------|--------|---------------| | Strength of evidence | Highest | Video + POS + Metrc + witness statement = strong; POS pattern alone = weak | | Dollar value of provable theft | High | Felony threshold alignment, civil recovery potential | | Consistency with prior cases | High | Was a prior employee terminated for similar conduct? What was the outcome? | | Handbook policy | Medium | Summary-termination carve-out for theft vs. progressive discipline | | Fair-chance / labor law exposure | Medium | Jurisdiction-specific procedural requirements | | Union environment | High (when present) | Just-cause standard, grievance procedure | | State regulator visibility | Medium | If the state agency will see the case, posture accordingly |

Termination decisions should be documented in writing with cited evidence, reviewed by legal, approved at the appropriate executive level, and executed with attention to final-pay, badge-return, and credential-revocation mechanics.

Prosecution Decision Framework

Prosecution is distinct from termination. An operator can terminate for-cause without pursuing prosecution, and in many cases should. Factors in the prosecution decision:

  • Provable theft value. State felony thresholds typically range from $500 to $2,500 (varies by state; see licensing.md for disqualifier context). Below the threshold, prosecution is a misdemeanor at best and local LE willingness drops sharply.
  • Local LE willingness. Cannabis-related theft is treated differently across jurisdictions. Some DA offices decline cannabis cases as a policy matter; others treat them like any other retail theft. Talk to LE contacts before filing -- a declined case after filing creates a record without the enforcement benefit.
  • Metrc-trail strength. Metrc documentation often makes the theft provable in a way that a register-only investigation cannot. If the Metrc trail is clean and complete, prosecution is more viable.
  • Civil recovery posture. Many operators recover via civil process (wage withholding from final pay within state legal limits, small-claims, or civil litigation) rather than criminal prosecution.
  • Reputational calculus. Publicly prosecuted cases create recruiting-signal both positive (deterrent) and negative (hostile employer brand). Consider in context.
  • Insurance requirements. Some commercial insurance policies require a police report for coverage of theft losses. If insurance claim is anticipated, filing the report may be non-negotiable.

The Non-Obvious Case: When to Skip Prosecution

Prosecution is often the wrong choice even when termination is clearly right. Common scenarios:

  • Small-dollar theft. Below state felony threshold, prosecution is procedurally expensive and low-deterrent.
  • Single-event impulsive theft where the employee has admitted, apologized, and committed to restitution. Termination + civil restitution may be a better outcome than a criminal case that will likely be declined or pleaded down.
  • Cases with weak evidence despite strong suspicion. Filing a case that gets declined creates a record of LE involvement without the enforcement benefit.
  • Cases where the evidence path itself violates policy (e.g., warrantless search of employee locker in a jurisdiction that requires cause). Bad evidence produces bad outcomes.

Non-Cannabis General: Cross-State Felony Thresholds (Starting Framework)

A general framework -- the cannabis-specific disqualifier detail belongs in licensing.md, not here:

| Tier | Typical Threshold | Implication | |------|---------------------|-------------| | Petty theft | Under $500-$950 | Misdemeanor; prosecution rare for cannabis cases | | Grand theft (felony entry) | $500-$2,500 | State-dependent; prosecution viable if LE willing | | Felony high-value | Above $2,500-$5,000 | Strong prosecution candidate; insurance recovery typically requires filing | | Organized theft / ring | Varies | Higher-tier charges; federal interest possible for multi-state |

Verify state-specific thresholds before relying on this framework; do not build a 50-state grid inside this file (Phase 4 and Phase 14 own the state detail).

Progressive Discipline vs. Summary Termination

Most cannabis employee handbooks carve out theft (along with violence, sexual harassment, and willful safety violations) as a summary-termination offense -- meaning the progressive-discipline ladder (verbal warning → written warning → suspension → termination) does not apply. Before relying on the summary-termination carve-out:

  • Verify the handbook language clearly defines theft, and the investigation documentation matches the handbook definition.
  • Verify the employee has signed an acknowledgment of the handbook in the HR file.
  • Verify the summary-termination carve-out has been applied consistently across prior cases (selective application creates discrimination exposure).
  • Verify the jurisdiction does not impose statutory progressive-discipline requirements beyond the handbook (rare for private employers, but possible in union environments).

Post-Termination Mechanics

After the termination decision:

  • Immediate credential revocation. POS access, Metrc access, email, key cards, building codes -- all disabled before the exit interview ends.
  • Badge return. Physical state-issued badge surrendered; document the return.
  • Final pay per state law (CA: immediately for for-cause; others vary).
  • Benefits continuation (COBRA in US, mirror statutes).
  • Non-solicitation / non-disparagement review if applicable.
  • Knowledge transfer for any operational responsibilities (do not send a terminated employee back for training-on-the-way-out).
  • Insurance notification if a claim is anticipated.
  • State regulator notification per jurisdiction (CA, IL, NJ have specific requirements).
  • Internal communication -- inform remaining team of the change factually, without specifics. "[Name] is no longer with the company effective [date]. Please route [responsibilities] to [new owner]." No color commentary.

When the Thief Is the Owner

A structural blind spot in internal theft: the highest-access employee -- the owner, managing partner, or officer -- often has no independent check on their own behavior. Owner-level theft (discount abuse, unauthorized cash withdrawals, inventory self-pull) is harder to detect because the person running the audit is the person being audited.

Mitigations:

  • Board / investor-level audit cadence. Quarterly review of owner discount usage, cash withdrawals, and inventory adjustments by a party who does not report to the owner.
  • Outside audit. Annual outside audit (accounting firm + cannabis LP specialist) with a named non-owner partner overseeing.
  • Operating agreement terms. Clear definition of permissible owner-use, owner-discount, and owner-withdrawal, with enforcement teeth.
  • Investor reporting rights. Investors (especially debt holders) typically have audit rights they under-exercise. Exercise them.

Owner theft is operationally different from employee theft because termination is not an option; the intervention is typically investor action, board action, or partnership dissolution. Prosecution, if warranted, is typically handled by outside counsel with specialty in partnership disputes rather than general-retail LP.

Insurance and Civil Recovery

A parallel lane to prosecution is insurance recovery plus civil action. Commercial crime policies (employee-dishonesty coverage, often called "fidelity bonds") pay out on provable internal theft subject to policy limits and a police-report requirement. The claim process is documentation-heavy: the insurer typically wants the investigation file, the evidence chain, the termination documentation, and the police report. Operators that skipped the police report to avoid Metrc scrutiny later discover they have also forfeited insurance recovery -- the worst of both worlds.

Civil recovery options outside insurance:

  • Wage offset / final-pay withholding. Most states permit limited offset against final pay for documented theft, subject to state-specific caps and notice requirements. Never exceed the statutory cap; wage-and-hour violations compound the original loss.
  • Small-claims court. Viable for theft amounts under the state small-claims limit (typically $5,000-$10,000). Lower procedural burden than superior court; useful for recovering from former employees with reachable assets.
  • Civil litigation. For higher-dollar cases, particularly where collusion or ring-style theft is involved. Cost-benefit analysis should include attorney fees, collectability risk, and management time.
  • Restitution through criminal case. If criminal prosecution proceeds, restitution can be part of the sentencing order. Enforceable via standard collection processes.

Post-Incident Review and Systemic Fixes

Every confirmed internal-theft incident should trigger a post-mortem that asks not "who did it?" (already answered) but "what system gap let it run?" Common systemic fixes:

  • Policy gap -- the handbook lacked clear language prohibiting the conduct, or the summary-termination carve-out was ambiguous.
  • Detection gap -- the exception-reporting threshold was too loose, the data pipeline was incomplete, or the escalation path had no named owner.
  • Supervision gap -- the manager or shift lead missed signals that should have been obvious, or was not trained to recognize them.
  • Access gap -- the role had more system permissions than it needed; least-privilege principles were not enforced.
  • Culture gap -- peer reporting was disincentivized, or the team lacked a clear channel to surface suspicions without fear of retaliation.

Systemic fixes are where the post-termination ROI on an investigation comes from. Terminating one thief without closing the gap that let them operate means the next thief in the role will do the same thing. Document the systemic fix, assign an owner, and track completion.

Cross-Reference Index

| Topic | See | |-------|-----| | Employee Background Checks SOP (index) | sops.md §Employee Background Checks | | Incident Reporting SOP (index) | sops.md §Incident Reporting | | Per-state background-check mechanics | hiring-retention.md | | Cannabis-industry disqualifier detail | licensing.md | | Cash variance → fraud escalation | cash-handling.md | | Receiving dual-receipt protocol (manifest diversion backbone) | receiving-qc.md | | Returned-product destruction requirements (return fraud wrinkle) | waste-management.md | | External theft / armed robbery / smash-and-grab response | security.md (not covered here) | | Metrc mechanics (state-by-state) | tech-compliance.md | | POS exception reporting feature detail | tech-pos.md | | Loyalty / CRM integration for customer-employee concentration detection | tech-crm-loyalty.md | | Union-environment termination constraints | labor-relations.md | | State legality baseline | legality.md |

Data current as of early 2026. Industry shrink benchmarks and behavioral patterns cited with source year. See also: sops.md | hiring-retention.md | cash-handling.md | receiving-qc.md | security.md