Protect Your ASC From Embezzlement

Digital Debut

Protect Your ASC From Embezzlement

Establish internal controls, use an external accountant and conduct regular audits

BY ROBERT KURTZ | JUNE 2019

Scrubs. Gloves. Scalpels. Drapes. A rowboat. Which of these is not like the others?

Margaret Acker, RN, CASC, wishes she did not need to answer this question. She was the chief executive officer (CEO) of an ASC when she saw an unauthorized purchase of a rowboat on her ASC's credit card statement.

"When I became CEO, I assumed everyone at the ASC would do their job the right way," says Acker, a project specialist with Compliance One Group in Kalamazoo, Michigan. "Like most people, I put a lot of trust in others. As this experience taught me, I was naïve to think that everyone would act the way they should and the way I expected them to."

Acker says she was fortunate to detect the embezzlement not long after it occurred. Other ASCs, says Denise McClure, president of Averti Solutions in Boise, Idaho, are not so lucky. As examples, she cites cases from the Department of Justice’s website of a Pennsylvania ASC business manager embezzling more than $4 million over 14 years and a practice manager for an ophthalmologist with a laser center embezzling more than $500,000 over four years.

"As these and many other cases illustrate, surgery centers are at risk for theft and embezzlement," McClure says.

Understanding Vulnerabilities

The manner in which many ASCs operate can increase the likelihood for embezzlement, says John Fanburg, chair of the health law practice at Brach Eichler in Roseland, New Jersey. "We have found that ASC physician owners typically delegate a lot of independence to their administrators because they are busy practicing medicine and do not want to be involved in the oversight required of a multi-million-dollar business. But without proper oversight, embezzlement can go undetected."

Further complicating matters, Acker says, is that staff members in ASCs often wear multiple hats. "Your business manager might handle bank deposits, oversee billing and place orders on a company credit card. In a lot of ASCs, the person ordering supplies is also the person receiving those supplies. Both scenarios can increase an ASC's vulnerability."

McClure says that operating on a "trust model" for internal control is risky. Even if internal controls exist, the business manager can usually override or ignore them. “In a small organization, the best and sometimes only internal control is oversight, but physicians often do not have time to review bank records and drill down into the details to catch possible embezzlement."

While bigger surgery centers might have more individuals in management and oversight positions, McClure says, this does not necessarily serve as an embezzlement deterrent. "Fairly large surgery centers may only have a few people involved in accounting processes. This makes it difficult to segregate duties."

Another factor that Fanburg says increases embezzlement risk: cash payments. "ASCs often accept co-pays and even deductibles in cash. Cash is difficult to track and easy to conceal."

Strengthening Your Defenses

Segregating duties is the preferred method of internal control, McClure says. "Not only is it proactive, but it can be enforced with software access security. If an ASC's accounting department is too small to effectively segregate duties, use oversight retroactively for early detection of errors and irregularities."

Another worthwhile step for reducing vulnerabilities is calling on the expertise of an accountant, Acker says. "Have this individual set up your accounting system and help your ASC implement generally acceptable accounting principles.” This would include requiring receipts for all purchases, balancing petty cash, matching purchase orders to packing slips and performing stronger inventory management. “With solid accounting practices, you are more likely to spot a problem."

Conduct routine receipt, bank statement and merchant card reconciliations, McClure says. "Reconciliations should be performed by someone who does not and cannot process transactions like payroll and paying vendors. If this is not possible, an external accountant should review the reconciliations and trace or otherwise validate some of the reconciling items."

An external accountant also can help by performing surprise audits, McClure says. "This is one of the most effective internal controls for a small accounting department.” Employees should be aware that a certified public accountant (CPA) will review and conduct on-site inspections of their work. “The best internal controls are the ones employees know about because they reduce the perception of opportunity to 'borrow' from the owners."

Regular audits by a CPA are worthwhile for reasons beyond identifying and discouraging embezzlement, Fanburg says. "The accounting firm will typically provide management with a letter outlining best practices. These are recommendations ASCs should implement to ensure there are appropriate checks and balances."

ASC owners, Fanburg says, are sometimes hesitant to bring in expertise to help with accounting and oversight. Physicians may feel these services are more than the ASC requires, in part because they have confidence in their administrator. “You bring a CPA in not because you doubt your administrator; you do so because there are many different areas of potential vulnerability and you want to make sure those holes are plugged. A good administrator will welcome the checks and balances as well as the opportunity to further strengthen the ASC's safeguards against risk."

McClure advises ASCs to follow the guidance of a Russian proverb. Trust but verify. Internal controls are not about mistrust; they are about accountability and transparency, he says. “An ASC administrator who pushes back against internal controls is a red flag."

Your goal, Acker says, should be to make embezzlement as difficult as possible. If you lack effective safeguards, staff may be more tempted to make a small, unauthorized purchase for themselves. If they get away with this, they may keep pushing their luck on bigger purchases. “Opportunity can entice good people to do bad things," she says.

Responding to Incidents

If you suspect your ASC is the victim of embezzlement, conduct careful research into the situation, McClure says. Obtain the original source documents needed to verify whether your suspicions are valid, he advises. Secure copies of cancelled checks directly from the bank, obtain invoices directly from vendors, research unknown vendors to determine if they are valid or fictitious and get bank reports of direct deposit activity if suspicions include payroll. “It is easy to create valid-looking invoices and alter cancelled checks, bank statements and bank reports, so you first need to confirm your suspicions are valid by obtaining records from original sources."

Contact your attorney if your suspicions are confirmed and you identify inappropriate transactions, McClure says. Consider whether to file a criminal report with law enforcement, file a civil suit or both. An attorney can assist with these decisions and employment law issues, such as whether and how to terminate the suspected employee. “Involving law enforcement early in the process may also be advantageous as they can subpoena records needed to prove the case," he says.

Some organizations that fall victim to embezzlement choose not to involve the authorities because owners are embarrassed that the crime occurred under their watch, Fanburg says. "Do not let embarrassment stand in the way of doing what is right. If you fire the employee without reporting what happened, this increases the likelihood that the next facility the employee goes to will be subject to the same type of experience."