Controls protect against employee theft

Question: Over the years I have heard horror stories about how medical practice staff members have slowly and methodically been able to embezzle funds without the physician owner's knowledge. When the physician does find out, it is often too late. What should my partners and I do to minimize this risk to our practice?

Answer: Medical practices are businesses. And all businesses, regardless of the size, should implement internal control procedures to protect against disasters and minimize the risk of internal theft and unfavorable external audits.

Internal controls are essentially checks and balances within a company. They are a system of procedures that segregate duties and limit any one person's control over an entire area, in particular the flow of cash.

One of the most important and often overlooked procedures is to screen employees carefully before they are hired. This can be accomplished via reference checks, credit checks and criminal record checks. This procedure might take time, but using this information to make a good hiring decision will cost the business less in the long run.

While there is no foolproof way to ensure that internal theft will not occur, you can create an environment where such behavior is discouraged.

The first step in implementing an internal control program in your office is to review every area where potential problems could arise. This not only includes the "traditional" financial areas of cash disbursements, cash receipts and bookkeeping but also inventory control, data processing, purchasing and receiving.

The next step includes developing and implementing policies and procedures to remove the temptations that could make an otherwise honest employee dishonest. It is preferred that companies separate financial responsibilities among two or more employees so no one person controls all aspects of a financial transaction. But some businesses are too small to accomplish this in all areas, so we recommend that you identify those functions at the greatest risk for theft.

Here are suggestions that should be incorporated into daily operations:

• Endorse checks received over the counter (for co-payments and payments on account) and checks sent via mail "for deposit only" to the business account immediately upon receipt.
• Make sure that the amount of funds in the cash drawer balances to the payment log every day.
• Maintain a receipt book for all cash payments.
• Allow only the physician owners to sign checks.
• Delegate the responsibility for receiving checks and cash to someone other than the person who records incoming funds into the general ledger.
• Make sure that employees responsible for ordering supplies are not the same ones responsible for receiving them or paying for them.
• Examine payroll records on a regular basis; ensure that someone is responsible for approving hourly employee timesheets every pay period.
• Make sure every employee with computer access, particularly to financial information, is assigned a password that changes regularly.
• Limit access to financial details to a "need-to-know" basis only.
• Develop a business disaster recovery and contingency plan.

Internal controls help physician practice owners better manage their business, gain greater control over cash flow and reduce risk of loss due to error and oversights. Even the smallest business can and should implement a basic internal control system.