You may need to re-evaluate your internal controls.
We’ve all read about it in the newspaper: someone has stolen funds from his employer, his partner, his pension fund, his shareholders. Maybe we know them and maybe we don’t, but there’s one thing we’re sure of: we don’t ever want it to be our practice that people are reading about.
Consider the following:
The bookkeeper, “Ann Smith”, knows that a lot of medical supplies are ordered from several different companies. Seeking to capitalize on this, she sets up a new vendor called ALS Medical Supplies. She makes up a realistic-looking invoice for supplies in an amount that is fairly average for a supply purchase. She makes a check out to “A L S” and submits it along with all the other checks being signed. Once the signature has been obtained, she adds the letters “mith” to the end of the company name on her typewriter, takes it to the bank and cashes it.
Sam is a bookkeeper who works for an office that purchases all its medical supplies from one company. Using the regular accounting software, he sets up a second vendor with the same name. Each time he receives a bill for supplies, he makes a copy of the bill. He pays the legitimate vendor, then a few days later writes a check based on the photocopy. Instead of mailing the duplicate payment, he cashes it or perhaps deposits it into an account in that name but under his own control which he can draw from at will.
Josie is responsible for payroll. In order to save the expense of a payroll service, Josie likes to prepare the payroll manually, then follow through and take care of all the related payroll tax returns and payments. However, instead of transferring the payroll taxes to the government, she transfers them to her own account. So she doesn’t get caught, she prepares the regular payroll tax returns, has them signed, but doesn’t file them. She types out W-2 forms for the employees at the end of the year but never mails the government copy. If any notices do arrive from the government, she intercepts and destroys them. By the time this is discovered, she plans to be long gone.
John greets patients at the front desk and collects their co-pays or private pays. When someone writes him a check, he marks it on the day sheet and puts it in the cash box. When someone gives him cash, he leaves them off the day sheet or crosses them off as a no-show and pockets the money. When the file comes back to him for patient check-out, he re-files it instead of sending it on to the billing clerk. It’s a busy office and no one really notices that the names are missing.
Sue is a long-time employee who is indispensable in the back office. Her primary job is to find all the insurance checks that come in the mail, record the receipts in the billing system, make the deposit, and hand over the Explanation of Benefit (EOB) forms to the filing clerk. Each week she leaves a check or two off the regular deposit, and puts them on a separate deposit to her private account in the company name. When she needs funds, she uses this account to write herself a check. To hide her theft, she records the checks she’s taken as write-downs from the insurance company, uncollectible bad debt write-offs or charity care.
As these examples demonstrate, people can be pretty creative when they’re trying to hide something. In its simplest form, money can be stolen at only two times: when it’s coming in, and when it’s going out.
Several national studies indicate that white collar crime is more prevalent than most of us would like to believe. A recent estimate by the Association of Certified Fraud Examiners indicates that a typical organization loses 7% of its annual revenues to some form of fraud. Their 2008 study* showed that the healthcare industry was the 3rd highest on the list of the number of reported cases of fraud and that the median loss in the industry was $150,000 per case. This isn’t just an isolated disease; it’s an epidemic.
Can we prevent theft? Unfortunately, no one can promise this. However, there are some simple, low-cost procedures that can limit your exposure; they make fraud harder to accomplish and more likely to be detected early.
It all comes down to controls. The ultimate goal is for there to be a way to check up on everyone and have everyone know you’re doing it. Once you’re sure the system is working, you don’t have to actually check up on everyone every day, but you do need for there to be a way to do it if you need to. Most important, you need to know when it’s critical to be checking up.
What controls do you need? Unfortunately, there’s no master list because it’s not “one size fits all.” Since every practice is different (different physicians, different procedures, different payers, accounting software, employees, office size, hierarchies), every control system will be different. A practice that has a strong office manager needs a different set of procedures than a practice that relies on a receptionist/bookkeeper. An office with multiple physicians and locations needs different controls than a sole physician with one office.
That being said, there are some controls that are universal. One control that works for everyone is called “segregation of duties.” The idea here is to have more than one person involved in any transaction. That way it is far less likely that someone can take money and also be able to hide that they took it. This is THE primary way to prevent fraud. Let’s look at an example from the first scenario above with Ann Smith.
Loss of control over this transaction actually begins before the checks are signed. The first place a second person should be involved is when goods are received. The payables clerk should never check in supplies when they are received. Someone else should receive goods and sign or initial the receiving slip, noting any corrections. When the invoice comes in, the receiving slip should be matched to the invoice and the two should be presented together to the check signer. That way the check signer can see from the receiver’s initials on the receiving slip that the invoice is for supplies that were actually received.
But this isn’t the only problem with Ann’s office procedures. Where else do the controls break down? Here are the shortcomings:
- The payables clerk should not receive or check in supplies.
- Vendor invoices should all be matched to a signed receiving slip.
- Vendor addresses should be verified against an outside source when they are set up (being especially suspicious of any PO boxes), and any changes to the vendor record should be restricted.
- Physicians should review vendor invoices and related receiving slips when signing checks.
- Check writers should never abbreviate vendor names on checks.
- Check writers should use a pen or printer with unalterable ink.
- Signed checks should not be returned to the payables clerk. Someone else should mail them.
- Vendor addresses should occasionally be compared to employee addresses.
- Someone other than the accounts payable clerk should be assigned to receive the unopened bank statements and review the copies of checks for any abnormalities.
- The ratio of medical supplies expense to the number of patients seen for the month should be computed and compared to a budget and the prior period ratio.
- Track vendor activity by getting a monthly report of new set-ups and changes to vendor records.
Some of these procedures are preventative (the first seven) and some serve to detect frauds after they occur (the last four).
Since the next example also deals with problems in the disbursement cycle, let’s see if this theft could also be prevented or detected by the controls we’ve already mentioned. In Sam’s case having a second person check the receiving slip, verifying and comparing vendor addresses, and not returning the signed checks to Sam are the same controls we needed above. In addition, we should add two more controls:
- Never pay from a duplicated invoice or a vendor’s statement, only from an original invoice.
- Occasionally read the vendor register to scan for unusual, repetitive, or other suspicious vendors.
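The vendor-register checks from the two lists above (vendor addresses compared to employee addresses, PO box addresses, and a second vendor set up under the same name) can be run over an export of the vendor and employee files. This is an added example, not part of the original article; the records, field names and normalization rules are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a real export format.
VENDORS = [
    {"id": "V001", "name": "Acme Medical Supply, Inc.", "address": "100 Main Street, Suite 4"},
    {"id": "V002", "name": "ACME Medical Supply Inc", "address": "P.O. Box 812"},
    {"id": "V003", "name": "ALS Medical Supplies", "address": "27 Oak St."},
    {"id": "V004", "name": "City Linen Service", "address": "9 Harbor Road"},
]
EMPLOYEES = [
    {"name": "Ann Smith", "address": "27 Oak Street"},
    {"name": "Sam Jones", "address": "455 Pine Avenue"},
]
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}  # assumed rules
SUFFIXES = {"inc", "llc", "co", "corp", "ltd"}

def tokens(text):
    """Lower-case, drop punctuation, split into words."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).split()

def norm_address(addr):
    return " ".join(ABBREV.get(t, t) for t in tokens(addr))

def norm_name(name):
    return " ".join(t for t in tokens(name) if t not in SUFFIXES)

def review_vendor_register(vendors, employees):
    """Return (vendor_id, reason) pairs that a second person should look into."""
    findings = []
    emp_by_addr = {norm_address(e["address"]): e["name"] for e in employees}
    by_name = defaultdict(list)
    for v in vendors:
        addr = norm_address(v["address"])
        by_name[norm_name(v["name"])].append(v["id"])
        if addr in emp_by_addr:
            findings.append((v["id"], "address matches employee " + emp_by_addr[addr]))
        if addr.startswith("po box"):
            findings.append((v["id"], "PO box address"))
    for ids in by_name.values():
        for vid in ids if len(ids) > 1 else []:
            others = ", ".join(i for i in ids if i != vid)
            findings.append((vid, "same name as " + others))
    return findings
```

A finding is a prompt to look at the vendor, not proof of theft; legitimate vendors do use PO boxes.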
Since payroll is often the largest expense in any medical practice, controls over the process are critical. However, since there are no receiving slips to verify and confidentiality is so important, this is sometimes a difficult process to assign to a second person. In Josie’s office the following controls could have detected her theft quickly:
- Verify the written documentation of the payroll tax transfer. Transfers to taxing authorities are fairly clearly distinguishable from inter-account transfers on the transfer receipt and on the bank statement.
- Signed payroll tax returns should not be returned to the payroll clerk. Someone else should mail them. This goes for W-2 forms as well.
- Have someone other than the payroll clerk open and distribute the mail. Notices should go to management, not the payroll clerk.
- Require that all employees take a mandatory vacation of at least five consecutive work days. Be vigilant during their absences for any procedures, activities or practices that don’t make sense or are questionable.
A special note: using a payroll service rather than preparing payroll by hand can simplify the payroll process and make it more accurate, but it doesn’t necessarily add a lot of control. In addition, it’s also important to be aware that fraud could possibly happen at the payroll service, so your controls over the entire payroll process are critical regardless of how payroll is prepared.
In John’s office, controls break down over cash receipts. First, the check-in personnel should be segregated from the check-out personnel. Then there needs to be a way to check that all patients are recorded and improve the probability that all co-pays and private pays are deposited. Here are some recommendations for his office:
- Patient check-in and patient check-out functions should not be staffed by the same employees.
- Patient check-in should keep a log of patients scheduled to arrive. It should be matched to the day sheet and any no-shows should be noted. Have the check-out staff verify the completeness of the list and send files or records to the billing staff to complete the billing process.
- Have the billing staff report patients who did not remit their co-pays to management on a daily or weekly basis to spot any problems or trends.
- Have someone other than check-in staff make the daily deposit.
- Restrict check-in staff from further access to patient billing records.
- Patient check-in staff should not answer calls about patient collection issues.
- Track collections for each check-in employee and compare them regularly, both for collections per patient and the percentage of cash, check and credit card collections.
Although co-pays in cash may be easy to steal, Sue is the one making off with the really big money: insurance company payments. And because of the way insurance companies pay, generally with substantial write-downs or disapproved transactions, there is an opportunity to conceal theft in the unwary office. Sue’s office needs to add the following controls:
- Have someone other than the billing or collections clerk open and distribute the mail. Checks should be listed (this can be as informal as making an adding machine tape, then initialing and dating the tape) and prepared for deposit. Some backup (either an EOB or a copy of the check) should be retained for each payment. EOB forms and any other first- or third-party payments should then be given to the billing clerk for analyzing and recording.
- Have the billing clerk maintain a monthly spreadsheet of the total write-down associated with each check received. When the month is closed, the items on the spreadsheet can be spot-checked to the actual EOBs to verify the accuracy of the write-down.
- Have management approve any write-offs of bad debt or charity care that are being recorded.
- Trace the accounts receivable at the beginning of the month to the accounts receivable at the end of the month by verifying the new charges to the monthly day sheet totals, the co-pays to the day sheet totals, and the first and third party payments, write-downs and write-offs to the monthly EOB spreadsheet and approved bad debt write-offs. Any discrepancy should be reported to management, since it may indicate that a theft has occurred.
- Track collections by insurance company and compare them regularly, both for collections per patient and the expected percentage write-down according to the approved contract.
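The month-end check described in this list can be done by comparing what the billing clerk posted against two records the clerk does not control: the EOB backup kept by whoever opens the mail, and the write-offs management approved. This is an added example, not part of the original article; the claim numbers, amounts and field names are constructed assumptions.

```python
from decimal import Decimal as D

# Constructed sample data. EOB_LOG comes from the backup kept by the mail opener;
# POSTINGS is what the billing clerk recorded in the billing system.
EOB_LOG = {
    "C-101": {"paid": D("120.00"), "write_down": D("80.00")},
    "C-102": {"paid": D("90.00"), "write_down": D("60.00")},
    "C-103": {"paid": D("45.00"), "write_down": D("15.00")},
}
POSTINGS = [
    {"claim": "C-101", "payment": D("120.00"), "write_down": D("80.00"), "write_off": D("0")},
    {"claim": "C-102", "payment": D("0"), "write_down": D("150.00"), "write_off": D("0")},
    {"claim": "C-103", "payment": D("45.00"), "write_down": D("15.00"), "write_off": D("0")},
    {"claim": "C-104", "payment": D("0"), "write_down": D("0"), "write_off": D("75.00")},
    {"claim": "C-105", "payment": D("0"), "write_down": D("0"), "write_off": D("210.00")},
]
APPROVED_WRITE_OFFS = {"C-104"}  # claims management signed off on (assumed list)

def reconcile(eob_log, postings, approved):
    """Return (exceptions, unsupported_total) for the month's credits to A/R."""
    exceptions, unsupported = [], D("0")
    none = {"paid": D("0"), "write_down": D("0")}
    for p in postings:
        eob = eob_log.get(p["claim"], none)
        short = eob["paid"] - p["payment"]           # cash on the EOB never posted
        extra = p["write_down"] - eob["write_down"]  # write-down the EOB does not show
        if short > 0 or extra > 0:
            amount = max(short, extra)
            exceptions.append((p["claim"], "posting disagrees with EOB", amount))
            unsupported += amount
        if p["write_off"] > 0 and p["claim"] not in approved:
            exceptions.append((p["claim"], "write-off not approved", p["write_off"]))
            unsupported += p["write_off"]
    return exceptions, unsupported
```

In the sample, claim C-102 shows the pattern from Sue’s scenario: the EOB reports a $90 payment, but the posting records no payment and a write-down $90 larger than the EOB supports.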
Although segregation of duties is an important control, some of these controls require involvement of the managing physicians. Examining invoice/receiving documents when signing checks, reviewing and questioning variances in monthly reporting packages, making spot checks, and approving bad debt write-offs are all important in letting employees know that you care enough about the importance of controls to do your part. And when employees know that you care, they are more likely to report suspicious activities to you when they find them. According to the Association of Certified Fraud Examiners, the most common method of detecting fraud (over 34%) is by getting tips of known or suspicious behavior, and nearly two out of three tips come from employees.*
Are these controls enough? Although all the controls discussed here may have found the thefts in the examples given, there are still many other ways to steal money. Other controls are likely to be needed to complete your system. And your last line of defense? Make sure employee fidelity coverage is included in your insurance policy.
To find all the controls in a system that will work best for you, you should get what amounts to a “wellness visit” in the form of an examination of the cash-in and cash-out functions of your practice. Your internal processes and controls will be studied to find any weak points, and improvements will be recommended. Benchmarks will be developed to help the managing physicians flag any suspicious circumstances as they develop. A great candidate for performing this internal control study is your independent CPA since many CPAs are trained in fraud detection and internal controls and know the issues unique to a medical practice.
The more strongly an employee feels that he or she will be caught, the less likely he or she is to steal. From the exam room to the board room, physicians should heed the advice they give their patients: “an ounce of prevention is worth a pound of cure,” and re-evaluate their internal controls.