This scam involves the server ringing in a menu item, billing the guest, and then transferring the menu item to another ticket. They'll pocket the difference as additional gratuity on a credit card payment, or as cash. This can be repeated multiple times during a shift with a single menu item. It can be explained away and voided as a single mistake, despite having been present on multiple billed checks.
These suggestions depend upon your operating needs and POS capabilities.
As with all preventative measures, it helps to have a baseline for what "normal" is. Zeroing in on the important metrics in your reports will help you notice odd behavior. Start with your system reports and if you notice an anomaly, dig deeper into specific employee reports. You may find actual malicious intent, or you may find opportunities for re-training your employees. Either way it is a good practice.
Void controls in the POS.
Require manager authorization for voids of items that have been service totaled (i.e. "sent" to the kitchen/bar)
Ensure that Void counts (and amounts if possible) are reported on employee checkout reports
Enable a nightly Void report that shows employee voids and who authorized the voids
Check and Transfer Controls
Do not allow checks to print without service totaling the order (i.e. "sent" to the kitchen/bar)
Disallow clockout with open checks
Require authorization for item or ticket transfers
Monitor transfer and split check trends over time and between employees. If one of your employees has a significantly different number of transfers or split checks, you should dig deeper
The other thing you need to watch for is the dancing bottle of wine, soft drink or coffee. Server rings in a coffee, pop, bottle of wine depending on the establishment and then just transfer it to table to table as they bill people. So ring in one item then collect cash for that same one item 10 or 20 times over. http://www.tek-tips.com/viewthread.cfm?qid=1709806