Prevent Theft in Your Practice with Internal Controls

By implementing some simple internal controls, such as ensuring that no one person on your staff is responsible for opening the mail, you can protect your medical practice from theft.

Many healthcare practices focus on seeing as many patients and performing as many procedures as they can logically and ethically perform in order to bolster the shrinking pool that is their reimbursement and revenue. This is obviously an important goal, but it's just as important for practices to protect the revenue cycle through strong checks and balances to safeguard cash flow.

Internal controls, simply put, are the series of procedures established to assure that the revenue generated by the practice is protected from the time an appointment is made through the deposit of the funds in the appropriate bank account. This is called the revenue cycle. Likewise, cash assets must be protected while in the bank until they can be used to pay for practice expenses and obligations. This is known as the disbursement cycle.

One of the cornerstones of internal controls is the concept of segregation of duties. In practice, this means that no one employee controls most or all of the steps within a transaction cycle. For example, on the revenue side, no one employee should be responsible for opening the mail, making bank deposits and reconciling bank statements to affirm the actual cash balance in accounts. In the disbursement cycle, no one person should have the ability to log payables (bills due) into the system, prepare the list of bills to be paid, approve the list and have signature authority to disburse funds.

Segregation of duties has always been difficult for healthcare practices, because most are small and lack sufficient qualified personnel to divide these tasks.

Many physicians don’t want to be involved in the internal “accounting” for their business. But acts as simple as opening the mail before giving it to staff, or having the business bank statements (including the merchant statements from the credit-card processing agent) mailed to the practice owner’s residence and opened prior to being given to the person responsible for reconciling the data, are compensating controls. In this way, employees don't know whether the owner is making note of what comes in through the mail, or what transactions are flowing through the bank account.

An employee who believes someone is “looking over their shoulder” is much less likely to engage in dishonest behavior. One who is determined to steal from an employer can do so, even from the best-designed system. However, reasonable internal controls make dishonest behavior more difficult to accomplish. Should an employee steal in a good internal-control environment, the transactions are easier to identify because they do not follow the normal pattern associated with “clean” transactions.

Believing that a trusted employee would never steal is the lament of most embezzlement victims. Honest employees will not be hurt or offended by the establishment or bolstering of internal controls within the practice. Adding or upgrading internal control procedures is almost like having an insurance policy. Internal control procedures are a road map for how transactions are supposed to flow. Each transaction leaves “markers” as it flows through the system. For example, if a patient pays at the point of service, there should be a superbill to document the services performed and a cash receipt that will be included on a bank-deposit slip. If theft takes place somewhere in this transaction, at least some markers in the transaction sequence will be missing.
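The marker trail described above can be checked mechanically. The following is an added example, not part of the original article: it reconciles superbills, cash receipts and deposit-slip lines for point-of-service payments and reports every break in the chain. The record layouts, field names and sample data are assumptions constructed for illustration; amounts are in cents.

```python
from collections import namedtuple

# Hypothetical record layouts (assumed, not from any real practice system).
Superbill = namedtuple("Superbill", "visit_id collected_cents")
Receipt = namedtuple("Receipt", "receipt_no visit_id cents")
DepositLine = namedtuple("DepositLine", "slip_no receipt_no cents")

# Constructed sample data for one day of point-of-service payments.
SUPERBILLS = [Superbill("V100", 4000), Superbill("V101", 2500),
              Superbill("V102", 6000), Superbill("V103", 3000)]
RECEIPTS = [Receipt("R1", "V100", 4000), Receipt("R2", "V101", 2500),
            Receipt("R3", "V103", 3000)]
DEPOSITS = [DepositLine("D1", "R1", 4000), DepositLine("D1", "R3", 2000)]


def find_missing_markers(superbills, receipts, deposits):
    """Return (reference, problem) pairs for each break in the marker chain."""
    findings = []
    receipt_by_visit = {r.visit_id: r for r in receipts}
    deposit_by_receipt = {d.receipt_no: d for d in deposits}
    billed_visits = {s.visit_id for s in superbills}

    # Every superbill with a point-of-service payment needs a matching receipt.
    for s in superbills:
        r = receipt_by_visit.get(s.visit_id)
        if r is None:
            findings.append((s.visit_id, "superbill without cash receipt"))
        elif r.cents != s.collected_cents:
            findings.append((s.visit_id, "receipt amount differs from superbill"))

    # Every receipt needs a superbill behind it and a deposit-slip line after it.
    for r in receipts:
        if r.visit_id not in billed_visits:
            findings.append((r.receipt_no, "receipt without superbill"))
        d = deposit_by_receipt.get(r.receipt_no)
        if d is None:
            findings.append((r.receipt_no, "receipt not on any deposit slip"))
        elif d.cents != r.cents:
            findings.append((r.receipt_no, "deposit amount differs from receipt"))
    return findings


if __name__ == "__main__":
    for ref, problem in find_missing_markers(SUPERBILLS, RECEIPTS, DEPOSITS):
        print(f"{ref}: {problem}")
```

A reconciliation like this only has value when it is run by someone other than the person who collects payments and prepares the deposit.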

Many business owners believe their computer software will keep them safe from theft. This is a misconception. The “point and click” ease of use of such systems has a cost, and it is usually at the expense of internal controls, such as allowing a transaction to be deleted once posted, rather than requiring a correcting entry that shows both the incorrect posting and the correction. The ability to simply delete is a dangerous function in the world of internal controls.

There are many books and entire fields of study dedicated to internal controls. However, a few simple procedures included in your practice’s daily routine can make a big difference in your control environment.

Thomas P. McGuinness, CPA, CVA is a shareholder and founding partner with Reimer, McGuinness & Associates, P.C. Tom has worked with doctors and doctor groups in many ways, from helping with their tax and accounting issues to providing assistance in the management of their offices. Tom reviews cost reimbursements, provides valuations of medical practices, and delivers many other consultative services. Tom can be reached at

Reimer, McGuinness & Associates, P.C. is also a proud member of the National CPA Health Care Advisors Association. HCAA is a nationwide network of CPA firms devoted to serving the healthcare industry. Members provide proactive solutions to the accounting needs of physicians and physician groups. For more information contact the HCAA at