Tom Ealey (email@example.com) is a professor at Alma College in Michigan. Tom has decades of experience in fraud prevention and healthcare consulting, administration, compliance, and revenue cycle management. Tina Rolling (firstname.lastname@example.org) is an associate professor at Alma College in Michigan. Tina is an expert in accounting systems design, accounting technology, internal controls, and embezzlement investigations.
Internal controls are a critical performance duty in organizations of all sizes, any taxation format, and any type of ownership format. The creation, implementation, and operation of appropriate internal control policies and procedures is a primary duty of senior management and ownership, directed and monitored by the board.
Healthcare organizations must operate two distinct internal controls structures: the routine financial and reporting structure and the special internal controls required for a complex and highly regulated revenue management cycle.
Rationales for internal control
Internal controls are a foundational element of competent and diligent management.
There are multiple reasons for designing and implementing a sound regimen of internal controls. Failure to design, implement, operate, and monitor internal controls is a major management failure and can be costly to the organization.
There are three rationales for creating and operating an effective regimen of internal controls. They are:
A need for accurate financial recording and reporting,
A need to safeguard assets from theft and destruction, and
A need for policy and procedure compliance in all phases of finance.
All these rationales are components of risk management, and the first principle of risk management is prevention. Prevention is always easier than cleaning up a mess.
Building internal controls
The heart of internal controls is the establishment of responsibility, documented by job title and job description.
Who authorizes a check to be written, who reviews and signs the checks, who reconciles the bank statement against the cash ledger account? Controls are established in detail by position.
Establishment of responsibility interacts with separation of duties, policies, and is then followed up with the development of documentation procedures, physical asset safeguards, verification procedures, review procedures, and human resources controls.
Interaction with compliance programs
Financial internal controls, compliance billing integrity efforts, and regulatory compliance efforts can and should interact. The entire revenue cycle should be subject to both financial and integrity controls.
Typical financial internal controls would not cover coding integrity or technical billing issues, which should be subject to specific compliance program efforts.
Collections and account posting should be conducted subject to detailed financial control policies and monitored with audits and reconciliation of the cash flow and balances.
Cost–benefit analysis of asset protection controls
Internal controls are subject to a cost–benefit analysis, guided by the question, “How desirable are the assets?”
Controls must be appropriate in design and effort as compared to the value of the assets involved, different assets requiring different controls.
Cash is always the most desirable and most portable asset—everybody can use it and it is easy to move out of the proper channels—thus requiring the tightest internal controls.
Many healthcare assets, inventory, and equipment are not immediately useful outside the facility, so these need minimal protection (narcotics being a notable exception and subject to special safeguards).
It is a game, or perhaps a war: the organization versus those who wants the company assets.
Perfect controls would be too expensive even if possible, so do not strive for perfection. The goal is reasonable assurance the assets are protected, and other control objectives are met.
Reasonable is a term of judgment and a term of art; there is no equation for reasonableness. It is situation and context specific; however, the type of business and the specific assets involved are two large factors in determining what is reasonable.
Customize for ownership format and size
The controls, policies, and procedures of the organization must be customized for the organization: type of organization, product/service, ownership format, physical location, and workforce.
Medical, service, retail, professional, nonprofit—each has certain types of transactions generating higher volumes or large dollar amounts (e.g., purchasing, accounts receivable, payrolls), and those transactions need more controls.
Each type of health organization has unique transactions, unique transaction flows, and unique control challenges. Knowing the business model and matching up internal controls is critical.
Different providers have much different control scenarios. A nursing home, for example, may have a large revenue flow but fewer total billings and transactions than a multispecialty physician practice with ancillaries generating a high-volume billing and collections flow.
Controls must be fashioned to the type and size of provider and updated as billing practices or the size of the provider changes.
Ownership format and the size of the organization play a large role in controls design. Consider some ownership formats:
Physician groups, from sole practitioner to large multispecialty organizations;
Nursing homes, from sole facility to large chain organizations;
Home health agencies, from single office to large chain organizations;
Hospitals ranging from small rural to large network organizations; and
Nonprofit providers to massive for-profit companies.
There is a variety of ownership models, each individual provider organization is different, and each provider requires specific customized internal controls. Each provider format has different business characteristics, different transaction types, different transaction volumes, and different review needs.
If owners cannot be close to the operations or are too busy to be directly involved (e.g., surgeons in a large practice), they need to be certain that controls are adequate to protect the assets and operations and that the organization has appropriate management staff and external accounting services to assist with internal controls.
The most important control is a separation of duties
If one employee manages transactions from beginning to end, the odds of dishonesty are increased. This is compounded if there is no review function.
One important separation is the bank statement reconciliation. Allowing the person who writes the checks to do the bank reconciliation is asking for trouble.
Separation of duties applies to all types of transactions: expense accounts, purchasing, payroll, fixed asset purchases, inventory management (including medication inventories). At least two people should be involved in processing each transaction.
If the company is very small, then the owner(s) must provide the separation, even if the owners are crazy busy and prefer to depend on an employee. Management must not assume controls are being followed; monitoring and review are essential.
Accurate recording of transactions enables accurate reporting
Internal controls should be designed to ensure each transaction is properly authorized and accurately recorded.
This is crucial for financial accounting, the process of putting together comprehensive company financial statements and tax returns, and crucial at the component level to protect assets and conduct business in a timely manner. Some examples:
Purchases are authorized, then recorded and documented properly.
Payroll is recorded, collected, paid, and summarized timely and accurately.
Vendor payments are made on time and in the proper amounts.
Taxes are paid on time and in proper amounts.
Patient accounts are processed accurately and timely with accurate journal entries in a financial accounting system (depends on cash basis or accrual accounting basis).