It Can Happen to You – Implement Fraud, Internal Controls in Your Medical Practice
It can’t possibly happen in our medical practice” — and then it does. A check is written to a mysterious vendor. An improper patient refund is issued to a friend. Or $20 is taken out of the petty-cash fund to pay for a personal lunch. These are all types of fraud that can occur in a medical practice, which are oftentimes just the tip of the iceberg when they are discovered.
Unfortunately, when these events occur, it is commonly one of the most trusted employees within the practice. While the owners want to focus on seeing patients, they do not always spend enough time watching the goings-on within their front and back offices. The result is that holes within internal control can develop and are then exploited.
While this topic has been discussed in the past, it continues to be overlooked in many practices. This article will focus on why internal controls are so important, where fraud could be most likely to occur, and some best practices for how to prevent it. With a deeper understanding of how fraud can occur, as well as be prevented, a culture can be created within your practice of mutual trust and teamwork, which is your best defense.
Internal Controls
In order for fraud to occur, three factors generally must be in place: opportunity, motivation, and rationalization. Opportunity exists when there has been a breakdown in the internal control structure, allowing the employee the ability to perform a theft. Motivation occurs when the employee has a desire or need to perform the theft, such as financial hardship or personality disorders. Rationalization is as simple as the employee convincing themselves that the money is not needed, won’t be missed, or that they will repay it. When all three of these factors come together, it can be a recipe for disaster.
In response to these factors, it is difficult to stop an employee’s motivation or rationalization. Therefore, it is critical that efforts are taken to mitigate their opportunity to commit fraud. Every medical practice, large or small, should have a set of policies and procedures over internal control. As these are being evaluated and developed, it is important that the risk of fraud be considered. Proper training of those who will be carrying out the controls is an important aspect of a properly designed internal-control plan. However, the most important, and oftentimes overlooked, step is that of oversight and follow-through by the owners.
While it can generally be more difficult to perform, fraud or embezzlement can still occur even if all three factors mentioned above are not present. In these cases, the damages can still be as significant. As such, consideration and monitoring of internal controls are necessary in any practice environment — large or small.
Common Forms of Fraud
When designing your internal-control plan, there are certain areas within a medical practice that are generally more susceptible to fraud. It is important to keep these in mind while the plan is being developed. The first place to start is your cash receipts and your petty-cash fund.
Not reconciling or keeping this locked up can lead to a slow, but oftentimes large, drain of cash over time. With some more sophistication, along with access to your checking account, checks can start to be generated to false vendors, or worse, the signature can be forged. This issue can become more prevalent in practices that use electronic or stamped signatures on checks. Finally, there can be the improper use of a company credit card. Many times there are no controls in place to limit the use of these cards for personal purposes, and invoices are not reviewed by owners.
What is important to note is that fraudulent schemes don’t always stop with those employees having direct access to your cash or other means of payment. Monitoring your billing department, where payments can be deleted, not posted or adjusted out of patient accounts, is critical. The same can be said for watching the transaction history of your credit-card machine to ensure that payments aren’t being credited out of the account. As it relates to the payroll department, fictitious or overpaid employees, including unauthorized bonuses, are another area of concern for practices of any size.
Best Practices
Since fraud can occur in so many types and sizes, as well as the fact that it is impossible for an owner to verify every transaction that occurs within the practice, it is important that certain controls are established. While not an all-inclusive list, this section will provide some of the most basic controls that should be in place in every medical practice, regardless of size.
First, for those employees who will handle the financial aspects of your business, ensure that proper due diligence, including background checks, are performed before they are hired. Once hired, share with them a copy of your employee manual, which should include sections on expected ethical behavior and your zero-tolerance policy regarding these matters. Additionally, requiring all employees to take a one-week continuous vacation, where another cross-trained employee is able to perform their duties, is a must. History shows that this is where many fraudulent schemes have been exposed.
From a production standpoint, cash deposits should be reconciled to billing-system reports on a daily basis. Additionally, one of the owners should be reviewing writeoffs of accounts receivable and non-contractual adjustments on a regular basis. Third-party-billing fraud is beyond the scope of this article, but can create personal liability for the business owners.
At the highest level of the practice, financial results, including budget to actuals, should be reviewed regularly. As part of these reviews, the practice’s bank statements should be received and opened directly by someone other than the individual who handles the receipt, payment, and posting of financial transactions. Additionally, payments to new vendors should require the express approval of the owners or senior management. Finally, detailed payroll reports, including master change reports, should be sampled and reviewed for reasonableness on a regular basis.
Daily Vigilance
Your medical practice is something that you have worked hard to develop and make as strong as possible. Therefore, it is crucial that you remain vigilant in protecting it from harm at all times. In addition to the controls and best practices noted above, you should be on the lookout for warning signs at all times.
These signs include employees that become defensive when asked about certain transactions, as well as those who are going through difficult times at home or have shown evidence of a recent lifestyle change. Additionally, any employee who holds all of their duties extremely close to the vest and is unwilling to cross-train other employees to perform those duties would also be a concern.
As it relates to your trusted advisors, it is OK to seek their advice on these matters, but they should not be relied upon to protect your practice from these events. As accountants, even those procedures performed annually for your financial-statement audit, let alone compilation and review engagements, are not designed, or intended, to identify those instances of fraud that may be occurring. However, at the first sign of trouble, your accountant and other advisors should be consulted to help identify the impact on your practice and what next steps should be taken, up to and including contacting law enforcement.
In today’s world, it is important that fraud is considered on a daily basis as it relates to your medical practice. However, by treating the concept of fraud and your employees with proper respect, not only can instances of fraud be prevented, but a culture can be created within your practice of mutual trust and teamwork.
Comments are closed.