Fraud and Your Practice – It Can and Does Happen, So Review Your Internal Controls

“It can’t possibly happen in our medical practice” — and then it does.

A check is written to a mysterious vendor. An improper patient refund is issued to a friend. Or $20 is taken out of the petty-cash fund to pay for a personal lunch. These are all types of fraud that can occur in a medical practice, which are oftentimes just the tip of the iceberg when they are discovered.

Unfortunately, when these events occur, it often involves one of the most trusted employees within the practice. While the owners want to focus on seeing patients, they do not always spend enough time watching the goings-on in their front and back offices. The result is that holes within internal control can develop and then be exploited.

With a deeper understanding of how fraud can occur, as well as be prevented, a culture of mutual trust and teamwork can be created or further developed within your practice, as it relates to fraud prevention. This article will focus on why internal controls are so important, where fraud could be most likely to occur, and some best practices as to how it can be prevented.

In order for fraud to occur, three factors must be in place — opportunity, motivation, and rationalization. Opportunity exists when there has been a breakdown in the internal-control structure, allowing the employee the ability to perform a theft. Motivation occurs when the employee has a desire or need to perform the theft, such as financial hardship or personality disorder.

Meanwhile, rationalization is as simple as the employee convincing themselves that the money is not needed, won’t be missed, or that they will repay it. When all three of these factors come together, it can be a recipe for disaster.

In response to these factors, it is difficult to stop an employees’ motivation or rationalization. Therefore, it is critical that efforts are taken to mitigate their opportunity to commit fraud. Every medical practice, large or small, should have a set of policies and procedures covering internal control. As these are being evaluated and developed, it is important that the risk of fraud be considered. Proper training of those who will carry out the controls is an important aspect of a properly designed internal-control plan. However, the most important, yet often-overlooked, step is that of oversight and follow-through by the owners.

When designing your internal-control plan, there are certain areas within a medical practice that are generally more susceptible to fraud. As such, it is important to keep these in mind as the plan is being developed. The first place to start is your petty-cash fund. Not keeping this locked up or reconciled can lead to a slow drain of cash over time. With more sophistication, along with access to your checking account, checks can start to be generated to false vendors, or worse, the signature can be forged. This issue can become more prevalent in practices that use electronic or stamped signatures on checks. Similar to improper checks is the improper use of a company credit card. Many times, there are no controls in place to limit the use of these cards for personal purposes, and invoices are not reviewed by the owners.

What is important to note is that fraudulent schemes don’t always stop with those employees having direct access to your cash or other means of payment. Monitoring your billing department, where payments can be deleted, or not posted, is critical. The same can be said for watching the transaction history of your credit-card machine to ensure that payments aren’t being credited out of the account. As it relates to the payroll department, fictitious or overpaid employees are another area of concern for practices of any size.

Since fraud can occur in so many types and sizes, as well as the fact that it is impossible for an owner to verify every transaction that occurs within the practice, it is important that certain controls are established. While not an all-inclusive list, this section will provide some of the most basic controls that should be in place in every medical practice, regardless of size.

First, for those employees who will handle the financial aspects of your business, ensure that proper due diligence, including background checks, are performed before they are hired. Once they are hired, share with them a copy of your employee manual, which should include sections on expected ethical behavior and your zero-tolerance policy regarding these matters. Additionally, requiring all employees to take a one-week continuous vacation, where another cross-trained employee is able to perform their duties, is where many fraudulent schemes have been exposed in the past.

From a production standpoint, cash deposits should be reconciled to billing-system reports on a daily basis. Additionally, one of the owners should be reviewing writeoffs of accounts receivable and non-contractual adjustments on a regular basis. Third-party-billing fraud is beyond the scope of this article, but can create personal liability for the business owners.

At the highest level of the practice, financial results, including budget to actuals, should be reviewed regularly. As part of these reviews, the practice’s bank statements should be received and opened directly by someone other than the individual who handles the receipt, payment, and posting of financial transactions.

Additionally, payments to new vendors should require the express approval of the owners or senior management. Finally, detailed payroll reports, including master change reports, should be sampled and reviewed for reasonableness on a regular basis.

Your medical practice is something that you have worked hard to develop and make as strong as possible. Therefore, it is crucial that you remain vigilant in protecting it from harm. In addition to the controls and best practices noted above, you should be on the lookout for warning signs at all times.

These signs include employees who become defensive when asked about certain transactions, as well as those who are going through difficult times at home or have shown evidence of a recent lifestyle change. Additionally, any employee who holds all of their duties extremely close to the vest and is unwilling to cross-train other employees to perform those duties would be a concern.

As it relates to your trusted advisors, it is OK to seek their advice on these matters, but they should not be relied upon to protect your practice from these events. As accountants, even those procedures performed annually for your financial-statement audit, let alone compilation and review engagements, are not designed, or intended, to identify those instances of fraud that may be occurring. However, at the first sign of trouble, your accountant and other advisors should be consulted to help identify the impact on your practice and what next steps should be taken, up to and including contacting law enforcement.

In today’s world, it is important that fraud is considered on a daily basis as it relates to your medical practice. However, by treating the issue and your employees with proper respect, not only can fraud be prevented, but a culture can be created within your practice of mutual trust and teamwork. v