Insights & Press — Ironside Risk Advisors
How a Loss Prevention Investigation Actually Works: From First Signal to Case Closed 
A practitioner’s guide to the investigative process — evidence, interviews, documentation, and the decisions that determine whether a case holds up

By Mitchell Hamm  |  Founder & Principal Advisor, Ironside Risk Advisors  |  Dallas, TX

Most people outside of loss prevention think an investigation begins when someone is caught on camera. In reality, the camera is usually the middle of the story, not the beginning. A well-run LP investigation begins the moment a signal appears — an anomaly in the data, a complaint from a coworker, a discrepancy that does not resolve — and it ends not when you know what happened, but when you can prove what happened with documentation that will hold up in a termination hearing, a criminal referral, or a civil proceeding.

That distinction matters more than most people appreciate. Knowing and proving are different standards. An LP professional who skips from suspicion to confrontation without building the evidentiary record in between creates legal exposure for the business, produces outcomes that get reversed on appeal, and frequently lets the actual subject of the investigation walk while someone else is held accountable.

This post covers the investigative process from first signal to case closed — the phases, the decisions, the evidence standards, and the interview methodology that determines whether a case produces a defensible outcome or falls apart under scrutiny.

The Six Phases of a Loss Prevention Investigation

Every investigation, whether it involves a $200 cashier shortage or a $200,000 cargo diversion scheme, moves through the same six phases. The complexity of each phase scales with the severity of the case, but the structure does not change. Skipping phases — particularly in the rush to confront a subject — is the most common reason investigations fail.

01. Signal & Case Opening
02. Preliminary Review
03. Evidence Development
04. Corroboration
05. Interview
06. Resolution & Closure

Phase 1: The Signal and Case Opening

Investigations do not begin with decisions — they begin with signals. A signal is any data point, observation, or report that suggests a loss event may have occurred or may be occurring. Signals come from many sources, and the quality of the signal determines the starting point of the investigation.

Signal Source: Example

  • POS Exception Report: A cashier’s void rate is 3.4x the location average. A refund pattern clusters at shift end across twelve transactions in a six-week window.
  • Cycle Count Variance: A specific SKU in a specific location is short by 14 units in two consecutive monthly counts. The variance does not appear in adjacent locations.
  • Inventory Adjustment Review: A series of write-downs in a product category totaling $4,300 over 90 days, all authorized by the same manager, none with documented root cause.
  • Anonymous Tip: A tip line submission states that a receiving associate is accepting deliveries and pocketing vendor credit memos without filing discrepancy reports.
  • Coworker or Management Report: A shift supervisor reports observing a team member place merchandise inside a personal bag in the stockroom and exit without purchasing.
  • Vendor or Carrier Complaint: A carrier reports that a driver claims a seal was intact on delivery, but the receiving log shows the load was accepted at full manifest count despite a broken seal on arrival.
  • Financial or Audit Flag: An internal audit identifies a pattern of split transactions at or just below the manager-approval threshold across a single register over 60 days.

When a signal is received, the LP investigator opens a case in the case management system immediately. Every investigation — regardless of how preliminary — gets a case number, a date, a signal source, and an assigned investigator. This is not bureaucracy. It is the chain of custody for the investigation itself. An investigation that is not documented from the moment the signal is received is an investigation that will have unexplained gaps when it is scrutinized.

CASE OPENING RULE: Open a case at first signal, not at first certainty. The case file documents the investigation from its beginning. If a case is opened only after guilt is established, the documentation will always look like a post-hoc rationalization — because it is.

Phase 2: Preliminary Review

Before any active investigation begins — before pulling CCTV, before requesting records, before any conversation with anyone who might be connected to the case — the investigator conducts a preliminary review. The purpose of this phase is to determine whether the signal has enough substance to warrant a full investigation, and to scope the case before touching any evidence that could be contaminated by early action.

What Preliminary Review Covers

  • Signal validation: Is the anomaly real? Run the POS exception data independently. Recount the variance location before assuming the cycle count was accurate. Pull the inventory adjustment history directly from the ERP rather than relying on a printed report.
  • Scope assessment: How wide is the potential loss window? When is the earliest transaction or event that could be related to this signal? Who had access to the relevant product, system, or physical area during that window?
  • Subject identification: Who are the potential subjects at this stage? Do not narrow too quickly — investigations that begin with a predetermined subject frequently miss the actual actor or miss a wider scheme because the investigator stops looking once they confirm the expected answer.
  • Legal and HR notification: In most employment contexts, HR should be notified that an investigation has been initiated at this stage. The specific subject should not be disclosed unless necessary, but the existence of an active investigation should be on record. Legal counsel should be briefed for any investigation involving a manager, a potential criminal referral, or significant dollar amounts.

The preliminary review phase ends with one of three decisions: proceed to full investigation, close the case as unfounded, or escalate immediately to law enforcement if an active crime is ongoing. Most signals that reach the LP function proceed to full investigation.

Phase 3: Evidence Development

Evidence development is the core of the investigation. This is where the case is built — the documentation that will ultimately support or fail to support a finding. The quality of this phase determines everything that follows. A strong evidence file produces a clean interview and a defensible outcome. A weak evidence file produces a contested termination, a reversed unemployment claim, and an employee who walks because the case was not built properly before the confrontation.

The Evidence Hierarchy

Not all evidence is equal. LP investigations work with four categories of evidence, in descending order of evidentiary weight:

  • Direct evidence: Evidence that directly proves an act without requiring inference. A CCTV recording showing an employee removing product and placing it in a personal vehicle is direct evidence. A transaction record showing a refund was processed with no corresponding merchandise return, confirmed by CCTV showing the register interaction, is direct evidence.
  • Circumstantial evidence: Evidence that requires inference to connect it to a conclusion. A cashier with a void rate four times the average is circumstantial. An employee who works the shift during which shrink consistently occurs is circumstantial. Circumstantial evidence alone can support a finding, but it requires corroboration — multiple independent circumstantial data points pointing to the same conclusion.
  • Documentary evidence: Written or electronic records. Transaction logs, access control records, inventory adjustment histories, receiving logs, vendor invoices, email or messaging records, policy acknowledgment forms. Documentary evidence is objective and reproducible, which makes it among the most defensible evidence categories.
  • Testimonial evidence: Statements from witnesses, subjects, or related parties. This is the least reliable evidence category in isolation because it is subject to recollection error, bias, and fabrication. Testimonial evidence that corroborates physical or documentary evidence is powerful. Testimonial evidence standing alone, without corroboration, is almost never sufficient to support a significant adverse employment action.

“Build the evidence file before you schedule the interview. The interview is not where you find out what happened — it is where you give the subject the opportunity to explain what you already know happened.” — Mitchell Hamm, Ironside Risk Advisors

CCTV Review

In most retail and distribution investigations, CCTV review is the first evidence development action. The investigator identifies the relevant cameras for the time window in question, downloads the footage, preserves it according to the chain of custody procedure, and reviews it systematically — not just for the specific act suspected, but for the full behavioral context around it.

A common error in CCTV review is watching for what you expect to see rather than watching the full recording. An investigator looking for a specific theft event who fast-forwards through surrounding footage may miss the coordination pattern — the coworker acting as a lookout, the manager who turned away at a consistent moment, the supervisor who reviewed the register at the same time the void was processed. Watch the full window.

Downloaded footage must be preserved with a documented chain of custody: who downloaded it, when, from which system, to which storage medium, and where it is being held. A recording that cannot be authenticated as unaltered is substantially weaker as evidence. Some jurisdictions require specific chain of custody documentation for CCTV evidence to be admissible in criminal proceedings.
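
One way to make the custody record described above checkable later, as an added example that is not part of the original post: it records who, when, source system, storage medium and holding location alongside a SHA-256 digest of the export, then detects a later alteration. The digest, the field names and all sample values are assumptions; the post does not prescribe a hashing method.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large video exports never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def custody_entry(path, case_id, downloaded_by, source_system,
                  storage_medium, held_at, when=None):
    """Capture the custody facts plus a digest taken at download time."""
    when = when or datetime.now(timezone.utc)
    return {
        "case_id": case_id,
        "file_name": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "downloaded_by": downloaded_by,
        "downloaded_at_utc": when.isoformat(),
        "source_system": source_system,
        "storage_medium": storage_medium,
        "held_at": held_at,
    }


def verify(path, entry):
    """Compare the file as it exists now against the custody record."""
    if not os.path.exists(path):
        return False, "file missing"
    if os.path.getsize(path) != entry["size_bytes"]:
        return False, "size changed"
    if sha256_file(path) != entry["sha256"]:
        return False, "digest mismatch"
    return True, "matches custody record"


def demo():
    """Constructed stand-in for an exported clip; every value is illustrative."""
    with tempfile.TemporaryDirectory() as tmp:
        clip = os.path.join(tmp, "cam07_export.bin")
        with open(clip, "wb") as fh:
            fh.write(b"constructed stand-in for exported footage" * 1000)
        entry = custody_entry(clip, "CASE-PLACEHOLDER-001", "investigator_a",
                              "NVR (constructed)", "evidence USB 1 (constructed)",
                              "LP evidence locker (constructed)")
        before = verify(clip, entry)
        with open(clip, "r+b") as fh:  # same-size edit: only the digest catches it
            fh.seek(100)
            fh.write(b"X")
        after = verify(clip, entry)
        return entry, before, after


if __name__ == "__main__":
    entry, before, after = demo()
    print(entry["sha256"], before, after)
```

The record itself should be stored separately from the footage, since a digest kept beside the file it describes can be replaced along with it.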

Transaction and System Record Review

Most internal theft in retail involves a transaction manipulation component — a refund that was not a refund, a void that was not authorized, a discount applied outside of policy, a receiving variance that was written off without documentation. The ERP and POS transaction logs are the paper trail.

Pull the complete transaction history for the subject’s register, department, or receiving dock for the full scope window — not just the transactions that appear suspicious. Reviewing only the transactions that already look like theft produces an evidence file that looks cherry-picked. Reviewing the full history and demonstrating that the anomalous transactions appear against a background of otherwise normal activity is more credible and harder to challenge.

Document the methodology: what query was run, on what date, by whom, what the parameters were, and what the output showed. A system record that cannot be explained by the investigator who pulled it, or that cannot be reproduced using the same methodology, will be challenged in any proceeding.
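
A sketch of the full-window review and methodology record described above, as an added example that is not part of the original post: it computes every cashier's void rate against the location rate across the whole scope window and records the query, parameters, analyst, run date and a digest of the output so a rerun can be compared. The transaction layout, cashier names, dates and field names are constructed assumptions.

```python
import hashlib
import json
from datetime import date, timedelta


def build_sample():
    """Constructed POS history as (day, cashier, type) rows; not real data."""
    rows, start = [], date(2024, 1, 1)
    for cashier, n_void in {"cashier_a": 3, "cashier_b": 3, "cashier_c": 18}.items():
        for i in range(200):
            kind = "void" if i < n_void else "sale"
            rows.append((start + timedelta(days=i % 42), cashier, kind))
    rows.append((date(2024, 3, 1), "cashier_a", "void"))  # outside the scope window
    return rows


def void_review(rows, window_start, window_end, run_by, run_on):
    """Review ALL transactions in the window, not only the suspicious ones."""
    in_scope = [r for r in rows if window_start <= r[0] <= window_end]
    totals, voids = {}, {}
    for _, cashier, kind in in_scope:
        totals[cashier] = totals.get(cashier, 0) + 1
        voids[cashier] = voids.get(cashier, 0) + (kind == "void")
    all_txn, all_void = sum(totals.values()), sum(voids.values())
    results = []
    for cashier in sorted(totals):
        # (cashier void rate) / (location void rate), rearranged to one division
        ratio = (voids[cashier] * all_txn) / (totals[cashier] * all_void) if all_void else 0.0
        results.append({"cashier": cashier, "transactions": totals[cashier],
                        "voids": voids[cashier], "ratio_to_location": ratio})
    canonical = json.dumps(results, sort_keys=True).encode()
    methodology = {
        "query": "voids / transactions per cashier, all transaction types",
        "parameters": {"window_start": window_start.isoformat(),
                       "window_end": window_end.isoformat()},
        "run_by": run_by,
        "run_on": run_on.isoformat(),
        "rows_reviewed": len(in_scope),
        "output_sha256": hashlib.sha256(canonical).hexdigest(),
    }
    return results, methodology


def demo():
    rows = build_sample()
    window = (date(2024, 1, 1), date(2024, 2, 11))
    first = void_review(rows, *window, "investigator_a", date(2024, 2, 15))
    rerun = void_review(rows, *window, "investigator_b", date(2024, 2, 20))
    wider = void_review(rows, window[0], date(2024, 3, 1), "investigator_a", date(2024, 2, 15))
    return first, rerun, wider


if __name__ == "__main__":
    (results, method), (_, rerun_method), _ = demo()
    for row in results:
        print(row)
    print(json.dumps(method, indent=2))
    print("reproduced:", method["output_sha256"] == rerun_method["output_sha256"])
```

A rerun by a different analyst on a different date yields the same output digest when the parameters match, and a different one when the window changes, which is what lets the record answer a challenge to how the figures were produced.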

Phase 4: Corroboration

No finding should rest on a single evidence source. Corroboration is the process of independently verifying each piece of evidence through a separate source. A transaction anomaly corroborated by CCTV confirming the behavior is substantially stronger than a transaction anomaly alone. A CCTV recording of a product removal corroborated by an inventory variance in the relevant product category and a transaction log showing no corresponding sale is a case. A CCTV recording of a product removal without supporting inventory or transaction data is substantially harder to act on.

The corroboration standard also applies to scope. Before concluding the evidence phase and scheduling the interview, the investigator should be confident that the evidence addresses three questions: what happened, when it happened over the full scope window, and what the dollar value or material impact of the loss is. A case that cannot answer all three questions cleanly is not ready for interview.

SCOPE COMPLETENESS: Before scheduling an interview, calculate the total loss figure. This is not optional. A subject who is confronted about a $300 incident, and then admits to a pattern that the investigator had not quantified, creates a situation where the documented loss figure in the case file does not match the actual loss — which creates problems in civil recovery and criminal referral.

Phase 5: The Investigative Interview

The investigative interview is the most technically demanding phase of the process, and the one most likely to be conducted incorrectly. The interview has a specific purpose: to give the subject an opportunity to explain or provide context for the evidence that has been developed. It is not a confession-extraction process. It is not a confrontation. It is a structured conversation with defined objectives, a prepared methodology, and strict legal and ethical constraints.

Wicklander-Zulawski and the Non-Confrontational Method

The standard interview methodology for LP investigations in retail and corporate environments is the Wicklander-Zulawski (WZ) method — a non-confrontational interview approach developed specifically for the employment investigation context. Unlike confrontational interrogation techniques, the WZ method does not rely on accusation, deception, or psychological pressure to produce admissions. It relies on a structured conversation that minimizes the subject’s resistance, allows them to explain their behavior in their own words, and creates a documented record of their account that can be compared against the physical evidence.

The non-confrontational approach matters for two reasons that go beyond ethics. First, coerced or pressured admissions are unreliable and legally vulnerable — they are challenged successfully in wrongful termination litigation and frequently fail to support criminal prosecution. Second, an interview that causes the subject to shut down or become defensive produces no information at all, which means a case that could have been resolved with a full accounting of the facts instead closes with an incomplete record.

Interview Logistics

  • Location: Private, neutral, and accessible. Never a manager’s office where the power dynamic is amplified by the environment. A neutral conference room with two exits — the subject should never feel physically trapped.
  • Participants: The investigator and one witness from HR. Never the subject’s direct supervisor — the supervisory relationship contaminates the dynamic. Never more than two interviewers — it becomes an interrogation rather than a conversation.
  • Voluntary participation: In most US employment contexts, participation in an investigative interview is a condition of employment — but this must be communicated clearly and the specific requirements of state law must be followed. In some jurisdictions, Weingarten rights or other protections apply. Know the jurisdiction before the interview.
  • Documentation: Every interview is documented. The investigator takes contemporaneous notes. A summary statement is prepared immediately after the interview and reviewed for accuracy. In some contexts, a recorded interview with advance consent is appropriate — consult with legal before recording in any jurisdiction with two-party consent requirements.

What to Do if the Subject Admits

When a subject makes an admission, the investigator’s first obligation is to listen — not to react, celebrate, or pivot immediately to the next question. Let the subject complete their account without interruption. Then probe: ask clarifying questions that help establish the scope, the method, the timeframe, and whether anyone else was involved. An admission that accounts for $400 when the evidence suggests $4,000 in loss is an incomplete admission that needs to be addressed in the same interview, with the evidence available to support the inquiry.

Document the admission verbatim as closely as possible — the specific words used, not a paraphrase. A paraphrased admission is a weaker document than a direct quote, and a direct quote that is demonstrably inaccurate — because the investigator recorded their interpretation rather than the actual statement — can be challenged to undermine the entire case record.

What to Do if the Subject Denies

A denial is not a dead end. When a subject denies, present the evidence — methodically, one piece at a time, giving the subject the opportunity to explain each piece before presenting the next. This process serves two purposes: it gives the subject a genuine opportunity to provide an exculpatory explanation, and it documents that the subject was presented with specific evidence and provided a specific response. If the denial is a lie, the evidence will make that clear in the record. If the denial is truthful, the evidence review will surface the inconsistency in the investigator’s theory.

Phase 6: Resolution and Case Closure

The investigation closes with a finding and a documented outcome. There are four possible findings: substantiated, unsubstantiated, inconclusive, and exonerated. Each requires different action and different documentation.

Finding: Required Action

  • Substantiated: The evidence supports the finding that a policy violation, loss event, or criminal act occurred. Document the finding, the evidence that supports it, the admission or denial by the subject, and the recommended disciplinary or legal action. Provide the complete case file to HR for the employment action. Prepare criminal referral documentation for law enforcement if appropriate.
  • Unsubstantiated: The investigation found no credible evidence to support the original signal. Document the finding and the investigative steps taken to reach it. Close the case with a clear notation that the subject was not implicated. This documentation matters — it protects the business in any subsequent legal action by the subject.
  • Inconclusive: Evidence exists that is consistent with a violation but is insufficient to meet the standard for a finding. Document what evidence exists, what was not found, and the decision not to act based on the evidentiary threshold. Inconclusive cases should be flagged for review if new signals emerge from the same subject or location.
  • Exonerated: The investigation affirmatively demonstrates that the subject did not commit the act under investigation. Document the finding and the exculpatory evidence. Communicate the finding to HR and, where appropriate, to the subject.

After the finding, the case file is closed and archived. Every case, regardless of outcome, must have: the original signal documentation, a complete evidence log, all CCTV and system records, the interview notes and summary, the finding, and the outcome action. The case file is the business’s legal record of the investigation. It will be reviewed in employment litigation, unemployment appeals, and criminal prosecution. Build it as if it will be.

CLOSING STANDARD: A case is not closed when the employment action is complete. It is closed when the documentation is complete, the evidence is archived with chain of custody intact, and the case management system reflects the final disposition. Incomplete case closure is the most common audit finding in LP program reviews.

What Separates Investigations That Hold From Ones That Don’t

In 3,000-plus investigations across retail and supply chain environments, the cases that held up under scrutiny shared the same characteristics: they were documented from the first signal, the evidence was developed before the interview, the interview methodology was consistent with WZ non-confrontational standards, and the case file was complete before the employment action was taken.

The cases that did not hold up shared a different set of characteristics: the investigation began at the confrontation, the evidence was assembled after the fact to support a predetermined conclusion, the interview was confrontational and the admission was obtained under conditions that could be challenged, and the case file had gaps that the subject’s attorney found and exploited.

For PE-backed portfolio companies, this distinction has a financial dimension that goes beyond the individual case. A wrongful termination judgment in a poorly documented LP investigation is a six-figure liability. An unemployment appeal that reverses a termination because the case file could not support the finding means the subject walks, the business pays, and the deterrent effect of the program is undermined for every employee who hears about it.

The investigative process is not complicated. It is disciplined — and discipline in LP investigations means documentation, evidence standards, and interview methodology that hold up when they are challenged. Build the case before the confrontation. Document from the first signal. Follow the process even when it is inconvenient. That is what separates LP programs that produce defensible outcomes from those that produce expensive reversals.

About Ironside Risk Advisors
Ironside Risk Advisors provides fractional loss prevention and cargo security advisory to private equity firms with retail and supply chain portfolio companies. Founded by Mitchell Hamm — 10+ years across a PE-backed multi-site retail operator and corporate security — the firm specializes in pre-acquisition risk assessment, post-close LP buildout, fractional LP director engagements, and supply chain cargo security audits.