Combating Surgery Center Fraud With Effective Risk Assessment
Fraud losses in the healthcare sector continue to slice into the precious resources of ambulatory surgical centers. ASCs need to work hard to protect the dollars they earn, but, with the right controls and processes, an ASC can help protect the organization, its owners, and other stakeholders from fraud-related losses.
In a 2010 study of occupational fraud and abuse, the Association of Certified Fraud Examiners (ACFE) looked at 1,843 fraud cases investigated around the world, including 1,021 cases in the United States, over the past two years. The study notes that of the 22 industries affected by these cases, healthcare was fifth-highest on the list. In addition, the ACFE found the median loss per fraud case for a U.S. organization to be $105,000; for U.S. organizations with fewer than 100 employees, the median loss was $150,000. Twenty-eight percent of reported frauds in U.S. organizations occurred in the billing area. These reports also noted that 81 percent of all of the organizations implemented or changed internal controls — that is, the processes, policies and procedures that direct, monitor, and measure the data and other assets of the center — only after fraud was discovered.
The ACFE report further disclosed that frauds are most commonly discovered through the use of anonymous hotlines or whistleblowers — about 38 percent of the U.S. cases were detected by tips. Reviews of documentation by management, account reconciliations and related controls were responsible for detecting 29 percent of frauds. Fourteen percent of frauds were detected by an internal audit department or function. Nine percent of frauds were detected by accident, and financial statement audits identified only about 4 percent of frauds.
What is important to note about these fraud reports is that where the so-called fraud triangle (opportunity, rationalization, motivation) exists, fraud can occur. Moreover, it occurs on a regular basis. With employees under more financial pressure than ever due to reduced household incomes and increased demand on household resources, ASCs would be wise to spend more time "watching the store."
Fraud risk assessment
A financial statement audit provides some security from fraud risks but not enough — external audits uncovered fraud in only 4 percent of the U.S. cases in the ACFE study. But the financial statement audit and other audit processes can nonetheless identify areas or gaps in the current control structure that management should address in an effort to reduce fraud risk.
In audits of ASCs, one gap frequently encountered is the absence of a formal fraud risk assessment program. In the ACFE study, internal controls identified a fraud scheme in 30 percent of the cases investigated. The fraud risk assessment program can be one of the most important tools in a center's internal-control tool box to assist management in identifying areas of fraud risk and improving internal controls.
A comprehensive fraud risk assessment program comprises five stages, as follows.
The assessment should begin with a fraud risk brainstorming session to identify potential areas where fraud could occur at the ASC. This list might include some processes, policies, and procedures such as:
- inventory and drug purchasing and handling processes;
- cash collection and depositing processes; and
- receivable write-off policies and procedures.
2. Risk measurement
In stage two, management should quantify the magnitude of the risk for each of the identified processes, policies and procedures. This can be done using a rating system or scale (for example, a one-to-five scale, with one representing low risk and five representing high risk); each risk is rated by the effect a fraud could have on the ASC. Issues to consider include how material the process is to the organization, how easily a fraud could be committed, how the current processes and controls could deter fraud and how the area or process is currently monitored by some form of audit or similar procedure. If the outcome of the rating process yields a high number for a particular procedure or process, that process or procedure likely could easily be exploited due to poor or absent controls. Once the ratings are completed, the list should be prioritized from highest risk to lowest risk.
Management must gain support from the owners of the ASC for its efforts to combat fraud, as changes to processes and procedures are likely inevitable. Upper-level support will make it easier to achieve buy-in on the lower levels. Everyone must be aware of the process and the identified risks before significant changes are made.
Management should next outline and develop the appropriate controls to address or reduce the identified fraud risks, beginning with those that have the highest risk scores. It may be necessary to redesign or improve existing controls.
Finally, management should develop the implementation plan to roll out the new controls or processes for each area noted. It may be as easy as creating an anonymous phone line for employees to report fraud, adding a required-use vacation policy, or instituting cross-training and rotating work responsibilities.
Sooner is better than later
Once management has completed the process for the greatest fraud risks identified, it can proceed to the next fraud risk and follow the same process. The fraud risk assessment process might take a significant amount of time and effort, but the important thing is to start the process, maintain momentum, and address each area.
The best way to contain fraud-related losses is to implement effective internal control processes and procedures before fraud occurs. Going through the process described here will, on its own, serve as a fraud deterrent because everyone in the organization will know that someone is watching and that the owners care about what is happening on a day-to-day basis.
Ron Ralph, CPA, is a partner with Crowe Horwath LLP in the Chicago office. He can be reached at 312.899.7092 or firstname.lastname@example.org.
Jason Whitmer, CPA, is with Crowe Horwath LLP in the South Bend, Ind., office. He can be reached at 574.235.6857 or email@example.com.
Paul Smith, CPA, MSA, is with Crowe Horwath LLP in the Grand Rapids, Mich., office. He can be reached at 616.774.6701 or firstname.lastname@example.org.
© Copyright ASC COMMUNICATIONS 2015.