Financial internal controls in healthcare organizations

By Tom Ealey, MA, CPA and Tina Rolling, MBA, CPA, CMA

Tom Ealey (ealey@alma.edu) is a professor at Alma College in Michigan. Tom has decades of experience in fraud prevention and healthcare consulting, administration, compliance, and revenue cycle management. Tina Rolling (rollingtm@alma.edu) is an associate professor at Alma College in Michigan. Tina is an expert in accounting systems design, accounting technology, internal controls, and embezzlement investigations.

Internal controls are a critical performance duty in organizations of all sizes, any taxation format, and any type of ownership format. The creation, implementation, and operation of appropriate internal control policies and procedures is a primary duty of senior management and ownership, directed and monitored by the board.

Healthcare organizations must operate two distinct internal controls structures: the routine financial and reporting structure and the special internal controls required for a complex and highly regulated revenue management cycle.

Rationales for internal control

Internal controls are a foundational element of competent and diligent management.

There are multiple reasons for designing and implementing a sound regimen of internal controls. Failure to design, implement, operate, and monitor internal controls is a major management failure and can be costly to the organization.

There are three rationales for creating and operating an effective regimen of internal controls. They are:

  1. A need for accurate financial recording and reporting,

  2. A need to safeguard assets from theft and destruction, and

  3. A need for policy and procedure compliance in all phases of finance.

All these rationales are components of risk management, and the first principle of risk management is prevention. Prevention is always easier than cleaning up a mess.

Building internal controls

The heart of internal controls is the establishment of responsibility, documented by job title and job description.

Who authorizes a check to be written, who reviews and signs the checks, who reconciles the bank statement against the cash ledger account? Controls are established in detail by position.

Establishment of responsibility interacts with separation of duties, policies, and is then followed up with the development of documentation procedures, physical asset safeguards, verification procedures, review procedures, and human resources controls.

Interaction with compliance programs

Financial internal controls, compliance billing integrity efforts, and regulatory compliance efforts can and should interact. The entire revenue cycle should be subject to both financial and integrity controls.

Typical financial internal controls would not cover coding integrity or technical billing issues, which should be subject to specific compliance program efforts.

Collections and account posting should be conducted subject to detailed financial control policies and monitored with audits and reconciliation of the cash flow and balances.

Cost–benefit analysis of asset protection controls

Internal controls are subject to a cost–benefit analysis, guided by the question, “How desirable are the assets?”

Controls must be appropriate in design and effort as compared to the value of the assets involved, different assets requiring different controls.

Cash is always the most desirable and most portable asset—everybody can use it and it is easy to move out of the proper channels—thus requiring the tightest internal controls.

Many healthcare assets, inventory, and equipment are not immediately useful outside the facility, so these need minimal protection (narcotics being a notable exception and subject to special safeguards).

It is a game, or perhaps a war: the organization versus those who wants the company assets.

Reasonable assurance

Perfect controls would be too expensive even if possible, so do not strive for perfection. The goal is reasonable assurance the assets are protected, and other control objectives are met.

Reasonable is a term of judgment and a term of art; there is no equation for reasonableness. It is situation and context specific; however, the type of business and the specific assets involved are two large factors in determining what is reasonable.

Customize for ownership format and size

The controls, policies, and procedures of the organization must be customized for the organization: type of organization, product/service, ownership format, physical location, and workforce.

Medical, service, retail, professional, nonprofit—each has certain types of transactions generating higher volumes or large dollar amounts (e.g., purchasing, accounts receivable, payrolls), and those transactions need more controls.

Each type of health organization has unique transactions, unique transaction flows, and unique control challenges. Knowing the business model and matching up internal controls is critical.

Different providers have much different control scenarios. A nursing home, for example, may have a large revenue flow but fewer total billings and transactions than a multispecialty physician practice with ancillaries generating a high-volume billing and collections flow.

Controls must be fashioned to the type and size of provider and updated as billing practices or the size of the provider changes.

Ownership format and the size of the organization play a large role in controls design. Consider some ownership formats:

  • Physician groups, from sole practitioner to large multispecialty organizations;

  • Nursing homes, from sole facility to large chain organizations;

  • Home health agencies, from single office to large chain organizations;

  • Hospitals ranging from small rural to large network organizations; and

  • Nonprofit providers to massive for-profit companies.

There is a variety of ownership models, each individual provider organization is different, and each provider requires specific customized internal controls. Each provider format has different business characteristics, different transaction types, different transaction volumes, and different review needs.

If owners cannot be close to the operations or are too busy to be directly involved (e.g., surgeons in a large practice), they need to be certain that controls are adequate to protect the assets and operations and that the organization has appropriate management staff and external accounting services to assist with internal controls.

The most important control is a separation of duties

If one employee manages transactions from beginning to end, the odds of dishonesty are increased. This is compounded if there is no review function.

One important separation is the bank statement reconciliation. Allowing the person who writes the checks to do the bank reconciliation is asking for trouble.

Separation of duties applies to all types of transactions: expense accounts, purchasing, payroll, fixed asset purchases, inventory management (including medication inventories). At least two people should be involved in processing each transaction.

If the company is very small, then the owner(s) must provide the separation, even if the owners are crazy busy and prefer to depend on an employee. Management must not assume controls are being followed; monitoring and review are essential.

Accurate recording of transactions enables accurate reporting

Internal controls should be designed to ensure each transaction is properly authorized and accurately recorded.

This is crucial for financial accounting, the process of putting together comprehensive company financial statements and tax returns, and crucial at the component level to protect assets and conduct business in a timely manner. Some examples:

  • Purchases are authorized, then recorded and documented properly.

  • Payroll is recorded, collected, paid, and summarized timely and accurately.

  • Vendor payments are made on time and in the proper amounts.

  • Taxes are paid on time and in proper amounts.

  • Patient accounts are processed accurately and timely with accurate journal entries in a financial accounting system (depends on cash basis or accrual accounting basis).

This document is only available to members. Please log in or become a member.
Become a Member Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings