Safeguard Your Practice Assets with Strong Internal Controls
Jennifer Huneycutt, CPA, CMPE
Originally written for and published in RPA News – September 2014 Edition
Used with permission

You know when you roll up to the drive thru window at your favorite fast food restaurant and see the sign that says “if we don’t give you a receipt, your order is free” or “…we’ll pay you $5”?  Some of us sit there, fingers crossed, hoping it’s forgotten just waiting to get that free meal because we all know free food tastes better. Ever wonder why that sign is there? Does the restaurant think you’ll frequent their establishment on the chance that an order might be free? Not likely.  This sign is put in place to ensure that your order is placed in their computer system and the cash you pay is put in the cash drawer to be reconciled instead of the cashier’s pocket.  If you have a receipt in your hand, that whole transaction was captured in the computer.  The restaurant has made you, the customer, the supervisor and possible informant for any wrong doing and has incentivized you to do so with the temptation of some good, greasy, potentially free food.  They’ve put in preventative measures, or controls, to meet their goal of keeping the employees honest.
Medical practices are not immune to embezzlement, theft or fraud.  In fact, they can often be quite susceptible as many offices are family-like with long term relationships and a high degree of blind trust. Some practices have the financial responsibilities in the hands of a single individual and some lack physician owner engagement. All businesses have the potential to be victims of business identity theft, a threat both inside and outside of the organization.  While the prevention of all theft and fraud is impossible, here are several things that medical practices can do to significantly reduce their risk.

  1. Segregation of Duties. First and foremost, you need to ensure segregation of duties.  This means that you don’t have a single individual handling all (or the check and the balance) aspects of the practice’s financial transactions.  You don’t want the same person posting the payments, paying the bills, making the deposits and reconciling the bank statement.  How this separation occurs will vary by practice size and can be difficult to accomplish in smaller practices due to a limited staff.  The more limited the staffing, the more important it is that one or more of the physician owners is actively involved in the cash flow cycle as well as an external accountant or CPA to advise and perform the reconciliation function at a minimum.
  2. Reconcile Each Day’s Work Daily.
    1. Payments. All payments received each day should be batched and posted to patient accounts in your practice management system daily. There should be a practice management system report generated detailing all payment transactions for the day that matches to a specific bank deposit (or group of deposits) for the same day.
    2. Charges. Ideally, the practice should ensure that charges for all encounters are entered daily as well.  Most practice management systems have a canned report that show office encounters that occurred where no charges were entered.  In today’s environment with physicians completing charges electronically through the EMR or other charge capture tool, timing is sometimes outside of the control of the staff.
  3. Time of Service Payments. Ensure that all patients making a payment at the time of service receive a computer generated receipt. Maybe we can learn a lesson from our fast food friends and use signage to let patients know they are to expect a receipt.
  4. Consider check signers carefully.  It sure is convenient when every physician owner of the practice has check signing authority but it is best if this can be limited to a select few.  If every member of the practice is signing checks, how will you get a feel for what is the norm?  It would definitely be easier to slip in an extra check to the power company and get that home power bill paid by the practice.  The doc signing that second check to the power company won’t know you signed the real thing yesterday.
  5. Consider a Dual Signature Requirement. Make it policy that all checks over a certain threshold have two signatures.  Be careful to consider the impact of this decision when it comes to paying routinely high bills such as rents or insurances that have punitive consequences when not paid on time.
  6. Restrict Access to Signature Stamps and Electronic Signatures. Signature stamps can be convenient but pose a significant risk when it comes to safeguarding your financial assets if not properly controlled.
  7. Reconcile the Bank Statement Monthly. Don’t let this function be one that is allowed to get behind. Bank statement reconciliation should be done by someone that has no ability to record financial transactions in the practice management system or general accounting software.  If you use an external accountant, this is an ideal task for them to complete.  It is recommended that the bank statement be mailed directly to the accountant from the bank to ensure that no adjustments are made to the accounting records or bank statement itself prior to reconciliation.
  8. Pay Attention to Electronic Transactions. Today it’s easy to make a payment online and of course it can be convenient in a time crunch.  All you need is the bank routing number and checking account number.  Not only does the staff having access to your check stock have this information, but so does everyone you write a check to.  This is one of the easiest ways for identity thieves to obtain your banking information. Review your bank statement each month to ensure there are no unauthorized electronic transactions.  If the statement goes directly to the accountant, ask your bank to send duplicate statements as a matter of course.
  9. Seek Assistance from Your Bank.  Did you know that you generally only have 48 hours to identify and dispute fraudulent ACH activity and 30 days for fraudulent check activity to be covered on your business account?  Many banks have safeguards you can employ through their treasury management services that include solutions such as Positive Pay to verify that only the checks you authorize get processed by the bank or ACH blocking mechanisms to prevent unauthorized debiting of your account.  You also need to consider internal safeguards to your online banking authority.  Who in your practice has the ability to grant electronic rights to conduct things such as wire transfers, electronic funds transfer, ACH authorization, etc.? Does this person also conduct the bank statement reconciliation?  If so, there is a chink in your armor.

There is no way to create a foolproof system to prevent inadvertent or intentional errors in financial transaction handling. Properly instituting good, solid internal controls can go a long way to minimize the chance of these errors.  Physicians and practice managers should consider reviewing their internal controls to ensure that the systems in place are adequate to safeguard the assets of the practice. 

For more information on the Renal Physicians Association please visit