Fighting Fraud Losses with Internal Controls

July 27, 2018

Most medical practitioners would describe the focus of their practice as providing quality medical care to their patients. For many small office practices, patient care is the main focus of the physician’s activities, relying on the office staff to handle all the details of day-to-day business operations. The small office environment may have a close family atmosphere, where the physician has delegated care of valuable business assets to one or two trusted individuals. This could leave the practice vulnerable to fraud and financial losses that may be costly to untangle and take years to overcome.

Recent statistics on occupational fraud from the Association of Certified Fraud Examiners reveal:

  • Businesses worldwide lost more than $7 billion from 2016 – 2017 due to fraud
  • The median fraud loss to small businesses was $200K
  • 42% of small business frauds are attributed to a lack of controls
  • 53% of fraud losses are never recovered
  • Perpetrators are not strangers — fraudsters who had been with their company longer stole twice as much

The first line of defense against fraud for any business is instituting a strong set of internal control policies. Internal controls also serve to reduce significant errors or other risks to the practice. Effective internal controls can help management spot problems in the development phase, where they can be easily corrected and resolved. Other practice objectives such as operational efficiency, reliable financial reporting, and compliance with laws, regulations, and policies are also supported through the internal control process. Some key elements of internal controls are:

  • Segregation of Duties
    • Prevents one person from having access to all parts of an accounting transaction
  • Documentation and Approval
    • System of approvals and authorization for clear trail of who was involved
    • Policies established for document retention and backup
  • Accountability/Reconciliation
    • Accounts are reconciled by an independent party
  • Physical Controls/Safeguarding of Assets
    • Safeguard assets from theft or destruction
    • Control access to assets, including cash, bank accounts, and inventory
  • Performance/Management Review
    • Review financial statements or account statements

According to the ACFE’s 2018 Report to the Nations, asset misappropriation schemes account for 89% of fraud cases. Asset misappropriation includes larceny of cash, larceny, and misuse of inventory or business assets, cash skimming, and fraudulent disbursements. When it comes to cash, the most important internal control is the segregation of cash-handling duties among employees. With proper segregation of duties, no single person will have control over a cash transaction from beginning to end. In a small office with two to three people, this may seem impossible to achieve. However, it is possible by implementing some best practices to safeguard cash and other assets, including:

At the front desk:

  • Generate numbered receipts from the billing system for all patient payments received.
  • Require daily receipts and cash drawer reconciliation prior to close.
  • Close out the credit card machine daily; require manager oversight to approve refunds or voids.
  • Keep cash boxes in a fireproof safe overnight.
  • Establish co-pay collection procedures.
  • Require access controls and passwords on billing and collection systems.

In the back office:

  • Involve more than one employee in the accounting process. Physicians in small practices should be prepared to get involved.
  • Perform timely reconciliations of bank and credit card statements. Require an independent review by an outside accountant or other qualified staff not involved in payment processing or approval.
  • Implement a review and approval process for all disbursements, including payroll, operating expenses, and reimbursements.
  • Perform randomly timed surprise audits.
  • Have your CPA evaluate the books on a regular basis, preferably more than once a year

Other best practices:

  • Conduct thorough employment and criminal background checks as part of the hiring process.
  • Cross-train staff and require mandatory vacations, especially bookkeepers and all cash handlers.
  • Deliver all bank and credit card statements to the owner’s home address.
  • Store medical inventory in a locked cabinet and limit access to staff.
  • Take an interest in the books. For example:
    • Establish income and expense budgets
    • Learn what financial reports to ask for and how to read them
    • Regularly ask for financial reports
    • Review variances with the bookkeeper
  • Act ethically at all times. Employees cannot be expected to conduct themselves better than you. Set the tone at the top.

No system of internal control is 100% foolproof, but when thoughtfully designed and periodically reviewed for effectiveness, internal controls will safeguard a small practice’s most valuable assets.

If you have additional questions about implementing an internal control system to prevent fraud and mitigate risks in your medical practice, contact Susan Goncalves or one of our tax advisors at 301.231.6200.