Tom Ealey (ealey@alma.edu) is a professor at Alma College in Michigan. Tom has decades of experience in fraud prevention and healthcare consulting, administration, compliance, and revenue cycle management. Tina Rolling (rollingtm@alma.edu) is an associate professor at Alma College in Michigan. Tina is an expert in accounting systems design, accounting technology, internal controls, and embezzlement investigations.
Internal controls are a critical performance duty in organizations of all sizes, any taxation format, and any type of ownership format. The creation, implementation, and operation of appropriate internal control policies and procedures is a primary duty of senior management and ownership, directed and monitored by the board.
Healthcare organizations must operate two distinct internal controls structures: the routine financial and reporting structure and the special internal controls required for a complex and highly regulated revenue management cycle.
Rationales for internal control
Internal controls are a foundational element of competent and diligent management.
There are multiple reasons for designing and implementing a sound regimen of internal controls. Failure to design, implement, operate, and monitor internal controls is a major management failure and can be costly to the organization.
There are three rationales for creating and operating an effective regimen of internal controls. They are:
-
A need for accurate financial recording and reporting,
-
A need to safeguard assets from theft and destruction, and
-
A need for policy and procedure compliance in all phases of finance.
All these rationales are components of risk management, and the first principle of risk management is prevention. Prevention is always easier than cleaning up a mess.
Building internal controls
The heart of internal controls is the establishment of responsibility, documented by job title and job description.
Who authorizes a check to be written, who reviews and signs the checks, who reconciles the bank statement against the cash ledger account? Controls are established in detail by position.
Establishment of responsibility interacts with separation of duties, policies, and is then followed up with the development of documentation procedures, physical asset safeguards, verification procedures, review procedures, and human resources controls.
Interaction with compliance programs
Financial internal controls, compliance billing integrity efforts, and regulatory compliance efforts can and should interact. The entire revenue cycle should be subject to both financial and integrity controls.
Typical financial internal controls would not cover coding integrity or technical billing issues, which should be subject to specific compliance program efforts.
Collections and account posting should be conducted subject to detailed financial control policies and monitored with audits and reconciliation of the cash flow and balances.
Cost–benefit analysis of asset protection controls
Internal controls are subject to a cost–benefit analysis, guided by the question, “How desirable are the assets?”
Controls must be appropriate in design and effort as compared to the value of the assets involved, different assets requiring different controls.
Cash is always the most desirable and most portable asset—everybody can use it and it is easy to move out of the proper channels—thus requiring the tightest internal controls.
Many healthcare assets, inventory, and equipment are not immediately useful outside the facility, so these need minimal protection (narcotics being a notable exception and subject to special safeguards).
It is a game, or perhaps a war: the organization versus those who wants the company assets.
Reasonable assurance
Perfect controls would be too expensive even if possible, so do not strive for perfection. The goal is reasonable assurance the assets are protected, and other control objectives are met.
Reasonable is a term of judgment and a term of art; there is no equation for reasonableness. It is situation and context specific; however, the type of business and the specific assets involved are two large factors in determining what is reasonable.
Customize for ownership format and size
The controls, policies, and procedures of the organization must be customized for the organization: type of organization, product/service, ownership format, physical location, and workforce.
Medical, service, retail, professional, nonprofit—each has certain types of transactions generating higher volumes or large dollar amounts (e.g., purchasing, accounts receivable, payrolls), and those transactions need more controls.
Each type of health organization has unique transactions, unique transaction flows, and unique control challenges. Knowing the business model and matching up internal controls is critical.
Different providers have much different control scenarios. A nursing home, for example, may have a large revenue flow but fewer total billings and transactions than a multispecialty physician practice with ancillaries generating a high-volume billing and collections flow.
Controls must be fashioned to the type and size of provider and updated as billing practices or the size of the provider changes.
Ownership format and the size of the organization play a large role in controls design. Consider some ownership formats:
-
Physician groups, from sole practitioner to large multispecialty organizations;
-
Nursing homes, from sole facility to large chain organizations;
-
Home health agencies, from single office to large chain organizations;
-
Hospitals ranging from small rural to large network organizations; and
-
Nonprofit providers to massive for-profit companies.
There is a variety of ownership models, each individual provider organization is different, and each provider requires specific customized internal controls. Each provider format has different business characteristics, different transaction types, different transaction volumes, and different review needs.
If owners cannot be close to the operations or are too busy to be directly involved (e.g., surgeons in a large practice), they need to be certain that controls are adequate to protect the assets and operations and that the organization has appropriate management staff and external accounting services to assist with internal controls.
The most important control is a separation of duties
If one employee manages transactions from beginning to end, the odds of dishonesty are increased. This is compounded if there is no review function.
One important separation is the bank statement reconciliation. Allowing the person who writes the checks to do the bank reconciliation is asking for trouble.
Separation of duties applies to all types of transactions: expense accounts, purchasing, payroll, fixed asset purchases, inventory management (including medication inventories). At least two people should be involved in processing each transaction.
If the company is very small, then the owner(s) must provide the separation, even if the owners are crazy busy and prefer to depend on an employee. Management must not assume controls are being followed; monitoring and review are essential.
Accurate recording of transactions enables accurate reporting
Internal controls should be designed to ensure each transaction is properly authorized and accurately recorded.
This is crucial for financial accounting, the process of putting together comprehensive company financial statements and tax returns, and crucial at the component level to protect assets and conduct business in a timely manner. Some examples:
-
Purchases are authorized, then recorded and documented properly.
-
Payroll is recorded, collected, paid, and summarized timely and accurately.
-
Vendor payments are made on time and in the proper amounts.
-
Taxes are paid on time and in proper amounts.
-
Patient accounts are processed accurately and timely with accurate journal entries in a financial accounting system (depends on cash basis or accrual accounting basis).
Internal audit and review procedures
No matter how duties are separated, a person not involved in processing the transaction should do a periodic review. Looking at the monthly bank statement(s) is the most critical, but both scheduled and random review of records are important sources of control. Areas for regular review:
-
Accounts receivable processing;
-
Accounts payable processing;
-
Payroll (needs regular scrutiny);
-
Bank transfers, wire transfers, electronic payments;
-
Checks written and cashed;
-
Inventory records; and
-
Regular review (look for trends).
So, what is a typical review? Matching paperwork, cash movements, and accounting entries, looking for discrepancies.
Errors and anomalies
Seemingly routine errors and glitches may be red flags. Every business has them, but patterns may add up to something more than routine.
Voided checks, merchandise returns, bank overdrafts, complaints about payroll errors—each may be an occasional accident, but each may also be a part of a pattern, a means of covering something else.
One shocking indicator is when a profitable business with abundant cash flow (seemingly) gets a call from the bank that checks are bouncing. Do not be that company!
The healthcare revenue cycle
The healthcare revenue cycle is incredibly complicated.
Those of us who have worked in coding, billing, collections, and account maintenance know just how complicated the tasks are.
The large volume of transactions and the complexity of those transaction make the cash collection and accounts receivable functions very labor and technology intensive, which makes monitoring the system difficult.
Compared with other merchant and service businesses, the healthcare revenue cycle is a frustrating tsunami of transactions and information. It is difficult for the billing and financial people to keep track of the workflow, let alone clinicians and executives.
Internal and financial controls, policies, and procedures must strive to maintain control of the tsunami within a cost-beneficial staffing and IT plan, while maintaining timely and accurate records and controlling cash inflows. Tough work!
Complex systems require sophisticated controls, which requires sophisticated monitoring and compliance review, and the crushing workload makes this more difficult.
Monitoring is difficult because the sheer volume of transactions and the time spent on nonfinancial workloads are tremendous, distracting from financial management.
Clinician/executives/owners are swamped with work and have little time for a detailed monitoring of the revenue cycle.
Executives and administrators have plenty of work also and depend on the revenue cycle staff to keep the lights on.
Keep in mind the first role is to insure timeliness and accuracy of financial accounting and treasury functions. A close second is the prevention of theft and misuse of assets.
Revenue cycle: Designing controls
There are several areas where managerial and financial internal controls are required:
-
Coding and billing;
-
Patient accounts follow-up;
-
Piecemeal payments from multiple payers;
-
Rebilling after partial payments or insurance issues;
-
Posting payments versus depositing payments;
-
Working the credit balance accounts;
-
Determining collection and write-off policies, implementing same; and
-
Day-to-day workflow management.
Cash handling controls must be carefully customized to the organization, both with cash inbound and cash outbound (e.g., cash defined as currency, checks, debit and credit charges, money orders, electronic payments).
Fraud and the embezzlement epidemic
Persons inside and outside the organization may have designs on converting assets (i.e., stealing).
From an insider stealing cash to a vendor overbilling on an invoice, there are innumerable ways for people to get unauthorized custody of organizational assets—that is, stealing.
Many assets are safe by nature: few people are going to steal exam tables or medical beds. Some of the assets are more volatile, such as cash and medications. These assets receive stricter financial physical controls because the assets are highly desirable.
We monitor embezzlement cases on a routine basis, and the number and scope of cases are startling.
We see the cases where someone has been caught, and we can only guess at the number of cases never discovered. Our professional estimate is many more cases occur than are ever discovered.
Embezzlement victims often respond with, “How could this happen here?” The answer is easy: People like and need money, and inadequate controls provide the pathway.
Human resources
Internal controls are dependent on quality staff with adequate training and supervision. This is particularly true in revenue cycle management, due to the complexity of the tasks.
Screening is important: many serial embezzlers find finance jobs easy to come by, sometimes even with a criminal record. Legal counsel and an insurance agent should be consulted about the advisability of bonding for some or all employees. Quality hires can pay for themselves by providing quality work.
Detailed job descriptions should sync with finance operational policies and procedures to clarify work assignments, facilitate orientation and training, facilitate supervision, and improve the odds of functional control procedures.
Technology controls and safeguards
This is a discussion for another article, but an awareness of IT internal controls and cybersecurity ranks high on managements’ work list. HIPAA alone should scare everyone into thinking about data security.
Make use of vendors and consultants when necessary, and remember that prevention is better than cleanup.
As change occurs
A common scenario is to find an organization that has grown and evolved over a period of years. A growing organization, a more diverse organization, more diverse locations, or different technology should trigger a review and update of internal controls.
Perhaps existing controls fit the new business model, or perhaps they do not. Worst event: nobody bothers to look. Best event: a review is conducted, and controls are updated, and employees are given training on the new control.
List of key internal control issues
-
Accounting and control policies and procedures are custom designed for the organization.
-
Accounting system design fitted to the organization and updated as required.
-
Employee screening, training, and retraining activities are adequate.
-
Constant and supportive supervision of revenue and accounting personnel.
-
Procedural details designed, implemented, and monitored:
-
Approval and authorization of transactions
-
Document movement trails
-
Document storage and preservation protocols
-
Physical control of varied assets
-
Verifications processes
-
Reconciliations of transactions/documentation/cash
-
Monthly revenue cycle analytics (must be customized for your specific provider type)
Trace-and-tie accounts receivable total activity:
Beginning + Charges - Collections +/- Adjustments = Ending
Run and review reports:
-
A/R aging
-
A/R credit balance accounts
-
Top 20 or 50 CPT codes
-
Charges by provider
-
Charges by department (if applicable)
-
Collections by provider
-
Top 20 (non-governmental) insurers charges and collections
-
Medicare and Medicaid charges and collections
Other related reconciliations:
-
Reconcile checking accounts against bank statements (check deposits against receipts from revenue reports)
-
Reconcile petty cash account against dedicated balance
Takeaways
-
Financial internal controls must be implemented and updated.
-
Adequate controls improve financial reporting.
-
Controls must be customized for your organization.
-
A complex revenue cycle requires special controls.
-
Countering fraud is a must for each organization.