Internal Controls Could Improve Your Practice’s Bottom Line

By Kimberley Briones and Christopher Davis, CPA
Tuesday, September 4, 2018

In the medical practice setting, theft is often perpetrated by the same individuals who are typically given access to both financial assets and your trust: your own employees.

The most common type of fraud risk in today’s practice environment is employee fraud. The Association of Certified Fraud Examiners studied the effect of employee fraud on practice performance and showed that organizations typically lose 5 percent of annual revenues due to employee mishandling of assets. This percentage of loss could potentially add up quickly.

It is easy to become complacent and operate under the belief that your employees are loyal and you are immune to the statistics, yet the Medical Group Management Association has reported that three out of four physician practices will experience some type of losses due to employee dishonesty.

Internal Controls as a Solution

An integral method to safeguard hard-earned practice dollars from employee fraud is to develop and establish internal controls. Internal controls are processes unique to your practice that are put in to place to help avoid risk. Controls can not only assist in safeguarding assets but also will optimize efficiency, ensure accurate financial records, and facilitate compliance with legal requirements.

Maintaining a Control Environment Using Skepticism

Implementation of internal controls within your practice begins with a working environment that establishes, communicates and monitors clear rules to employees. There are several broad areas to focus on in establishing clear rules, including current hiring practices that are consistent and include appropriate employee vetting. This is done by performing employee background checks, particularly for those employees who have financial duties within the practice.

Once employees are hired, getting to know them is an important way to mitigate fraud risk. One of the easiest and most effective approaches to preventing employee theft is to become an astute observer of employee behavior. Changing employee attitudes can serve as a red flag for practice management. It is important to always maintain a skeptical, intuitive approach to viewing employee behaviors. Note specific pressures that employees individually face to drive them to act unethically, as well as opportunities that employees may have to act in inappropriate ways. The mix of employee malicious intent and opportunity is a perfect storm for fraud to happen in any organization. Fraudsters will often exhibit signs that point to wrongful intentions so it is important to maintain skepticism regarding even the most loyal employees. Implement a system of rotated job responsibilities or scheduled time off to help in monitoring for fraud, as the mishandling of assets will become evident.

Separation of Duties

Another important policy is to make certain that clearly defined duties are established for each employee to ensure that no one individual has control of a process from inception to resolution. This deters would-be fraudsters by avoiding collusion between two perpetrators.

Segregation of cash handling transactions from record-keeping transactions is a preferred practice. These specific suggestions can assist with maintaining controls within this area in your practice:

  • Assign separate individuals to receive payments from patients and third-party payers from those individuals responsible for posting receipts to the accounting system general ledger.
  • Ensure employees accepting cash payments always issue a receipt as a means of tracking cash inflows.
  • Deposit receipts from co-pays on a regular basis.
  • Close out practice credit card machines daily.
  • Limit petty cash amounts on hand, physically secure petty cash in a lock box and have only one individual assigned to track petty cash disbursements.
  • Institute electronic safeguards to limit access within accounting systems based on job duties of that employee.

It is also considered standard practice to maintain separation of purchase authorization activities from payable functions. Some suggestions in this area include:

  • Blank check stock should be in a secure physical location and only assigned employees should have access.
  • Checks written to vendors should be matched with corresponding invoices and signed off by a separate authorized signer.
  • If possible, maintain an approved vendor list to reduce the possibility of an employee writing checks to fictitious vendors.

The chance that fraud will exist increases when a firm is smaller because a checks and balances system is not as easy to implement. Small practices may require owner participation or third party oversight to perform this type of separation of duty.

Communication Is Key

Once the rules are set, communicate the established controls to employees. Emoloyee awareness that controls are being established and monitored can aide in preventing employees from acting even if there is the opportunity to commit fraud. Making employees aware of what should (and should not) occur can help them act as stewards for your organization. If employees are aware that monitoring activities are undertaken, the risk of malfeasance will be reduced.

Ongoing Monitoring

Continued management review is a key piece of establishing effective internal controls. Always keep in mind that the potential exists to override the existing controls. Don’t assume that the controls are working as planned. Instead, put on-going effort in monitoring any established rules. Potential areas to monitor include the following:

  • Review monthly bank statements for any unusual activity and/or unauthorized withdrawals.
  • Reconcile bank statements on a regular, timely basis to verify if deposits actually hit the bank account as expected.
  • Analyze any credit of patient account balances to confirm discounts are in line with practice policy.
  • Sample receipts and test if payments are posted to patient accounts.
  • Conduct an annual audit with an outside expert to pinpoint weaknesses.

Focus must be placed on guarding practice revenue from slipping out the back door. If you have any specific questions regarding internal controls within your organization, it is advisable that you engage an outside CPA to perform a review of practice internal controls. Ask that individual to recommend best practices and opportunities for improvement within your practice. Don’t remain susceptible to fraudulent behavior.


Kimberley Briones is currently a Tax Associate with Sol Schwartz & Associates PC. Briones enjoys helping individuals, corporations, partnerships, trusts and nonprofit organizations with tax compliance and planning issues. She earned a Master of Healthcare Administration degree from Texas Woman’s University and has several years of experience in the medical field providing payroll, accounts receivable and medical billing services. You can contact Briones via email at ktb@ssacpa.com or 210-384-8000, ext. 157.

Christopher Davis, CPA, is a Manager with Sol Schwartz & Associates PC and has been practicing public accounting since 2008. Davis practices in various areas of public accounting, including tax compliance and consulting for individual, corporate, S corporation and partnership taxation. He is a member of the firm’s Healthcare niche that specializes in identifying and implementing solutions to achieve the goals of the physician clientele we serve. You can contact Davis via email at cbd@ssacpa.com or 210-384-8000, ext. 118.