Finance & Enjoyment Blog

A Not-So-Fun, but Critical Post: Protecting Your Practice from Embezzlement

A Not-So-Fun, but Critical Post: Protecting Your Practice from Embezzlement

I had a brand new client referred to me by a fellow CPA for an internal control review. That CPA had expressed some concerns to the five physician-owners about their controller and the ability to get certain pieces of information from him in the tax return preparation process.

After putting the engagement letter together and reviewing the timeline for the review to be done, the interviews with the staff were ready to begin. A list of pertinent items (financial reports, job descriptions, organizational chart, etc.) were requested from the controller the Monday before staff interviews began. These began on a Monday and were finished on Friday. All owners were interviewed in addition to the staff that had any financial responsibility.

There are a few portions of the physician interviews that stand out not just because I was conducting the internal control review, but stand out as examples of what to be aware of in your own practices.

The interviews are designed to find out what is actually happening from an internal control standpoint. While the organizational chart and job descriptions may indicate how these should work, reality does not always imitate those documents. All of the physician owners indicated that they would be shocked if anyone was stealing from them. The staff was one big happy family and something like that could not happen. Here are some of questions that I asked of all the physicians:

“Do you know with which bank your corporation works?”
“Have you ever seen a bank statement or bank reconciliation?”

This practice had a number of corporate credit cards issued to various individuals, so I asked “Have you ever seen the credit card statements?” The answer to all these questions was no. In fact, one quote that I wrote down in my notes about the credit cards was “they just get paid.”

In the interview with the controller, we did get the organizational chart and the employee handbook, but no financial reports. He had known for two weeks that we needed those. On the Friday of the interviews, I did get a Peachtree backup that was about one year old. Not very helpful by itself, let alone with no other financial reports.

On that following Monday, I got my answer as to why no financial reports had been given to us. The controller had confessed Monday morning to stealing over the last two and a half years. That amount was in the $300,000 range. In a meeting that night with two of the physicians, we talked about passwords, cancelling credit cards and getting corporate laptops back from the controller. I also told them that typically the actual amount of theft is a multiple of what they confessed to and goes back much further than the length of time they indicate.

Our internal control review turned into an agreed upon procedures engagement to ascertain an amount of theft. The amount found did turn out to be about twice of the confession. The actual amount would be higher as the theft started well before the first month of our agreed upon procedures. We found over $500,000 was taken in the three year period. If we had gone back further, I think the amount would have been in excess of $750,000.

The lessons/things to think about are numerous.

Always ask questions. Some of the owners expressed to me in the interviews that the last few years had not been as good. They had concerns over billing, rent, etc. If you have those concerns, ask for further information. If you do not feel you have the ability to analyze that properly, get a second opinion.

I would strongly recommend at least having a quarterly compilation performed by a CPA. While a compilation is no guarantee that embezzlement is not occurring, having an independent CPA looking at the financials can be a deterrent. At a minimum have an independent third party prepare your bank reconciliations.

In this example, I believe the theft would have been caught very early on. He knew that no one was looking at the bank statements or PeachTree, so he would show a check in PeachTree as being paid to McKesson, when he actually wrote the check to himself. There were checks that cleared that were never entered in PeachTree. A CPA preparing the back reconciliation would be expected to catch this quickly. There were other areas in which the theft occurred that would not be detected by a bank reconciliation, but having proper internal controls in place (and followed) will go a long way towards reducing the likelihood of your practice being hit in a similar manner.

Posted in Successful Practice Management »

0 Responses to "A Not-So-Fun, but Critical Post: Protecting Your Practice from Embezzlement"

Leave a Reply

Fields marked with  * are required.

Name *
Email Address *
(will not be published)