Is Your Business Office at Risk for Fraud?

Is your business office at risk for fraud?
A business office can be a hotbed of opportunity for theft and misappropriation of assets, especially in long-term care
In the nursing home industry, theft and misappropriation of assets are all too common occurrences. Over the past two years as controller for Medical Rehabilitation Centers/Exceptional Living Centers, I have analyzed nursing home policies and operating practices and have identified five key risks of fraud in industry business offices and the mitigating controls that are critical to preventing these abuses. The situations described in this article are derived from industry observations as opposed to specific company experience. By identifying these risks and implementing controls to mitigate fraud and illegal acts, facilities and resident assets can be protected. The key risks of fraud are theft of resident payments, theft of miscellaneous contributions, misappropriation of resident funds, fictitious payroll, and fictitious accounts payable.

To examine fraud risks, it is necessary to establish a working definition for fraud. In its broadest sense, fraud is any deception made for personal gain. This definition spans a wide spectrum of fraudulent acts ranging anywhere from petty theft (stolen office and medical supplies, etc.) to outright fraud and illegal acts (personally cashing resident payments, etc). This article specifically focuses on identifying risks for fraudulent and illegal acts and implementing controls to prevent them.

Risk #1: Theft of resident payments. A facility’s business office receives cash (including checks and currency) each day as families, donors, and government agencies settle debts and extend contributions. In the absence of preventive controls, accounts receivable (AR) personnel could easily conceal theft by manipulating residents’ financial information, including the primary payer source. For example, the AR clerk could steal private payments and change the resident’s payer source from “private pay” to “Medicaid pending.” In this scenario, the facility administrator and corporate personnel would not expect payment from Medicaid until approval of the resident’s application. This process often takes from six to eight weeks, and the approval may not be 100% retroactive. Therefore, uncollectible balances during the transition from private pay to Medicaid are common, which creates a ripe situation for theft.

The primary mitigating control to prevent theft of resident payments is segregation of duties (i.e., separating access to interrelated operations). This is a key preventive measure in all business office practices. Specific to this fraud risk, separating cash access and resident financial records will reduce the opportunity for theft. To illustrate, the AR clerk should not have access to live cash. Instead, an employee without access to resident financial information should receive and open private payments, make copies for the AR clerk, and then physically make the bank deposit.

Another process that assists in reducing the risk of theft involves administrator oversight of private-pay statements and the review of the Accounts Receivable Aging Schedule. Administrators should oversee monthly distribution of private-pay statements to ensure that only system-generated charges are listed. Fraud could be perpetrated by adding additional charges to private-pay statements through either typed or handwritten notes on the system-generated statement. (Handwritten charges are outside the accounting system and are not traceable.)

Furthermore, administrators should participate in a monthly review of the Accounts Receivable Aging Schedule. The AR clerk and administrator should participate in a conference call with a corporate officer to review all outstanding balances older than 90 days. This helps to identify issues and situations as they occur.

Risk #2: Theft of miscellaneous contributions. Donations are not anticipated and cannot be recorded until received. To mitigate the risk of theft, a standard facility policy of donor awareness is recommended. Signs posted in the facility and written correspondence should notify donors that contributions should be sent directly to an established local bank account. Furthermore, all donors should be notified that the administrator will contact them personally to express appreciation. Creating a standard operating policy and donor expectation improves the level of control and reduces the possibility of contributions theft.

Risk #3: Misappropriation of resident funds. The nursing home often serves as the overseer of residents’ personal funds. Income (such as Social Security checks) is directly deposited into the resident’s bank account, and expenditures are paid out by the nursing home’s business office. Fraud occurs when resident funds are misappropriated through reimbursement of unauthorized expenses. For example, without oversight, the designated resident funds manager could submit reimbursement requests for purchase of gift cards, lunch, or supplies for a resident and then personally use the items. To guard against this, administrators should review all reimbursed expenses. The administrator should also ensure that statements of deposits and withdrawals are distributed to each resident or power of attorney (POA) in a timely manner. (Monthly statements are hand-delivered or mailed to the POA if the resident has dementia.)

Risk #4: Fictitious payroll. To mitigate the risk of fictitious or terminated employees being carried on the payroll, administrators should review the final detail payroll register that accompanies payroll checks. Financial analytics comparing budget with actual (as well as current with prior year actual) should be examined each month.

Risk #5: Fictitious accounts payable.To mitigate the risk of fraudulent activity, fictitious vendors and invoices are created for payment processing. Administrators should authorize all accounts payable check requests and keep an eye out for unfamiliar and fictitious vendors. Specific red flags include vendor addresses with a post office box and invoices that omit details of services performed.

Professional Skepticism
The controls presented with each of these five risks will lay the groundwork for internal control and oversight. They are important and can reduce the opportunity for fraud and illegal acts to occur. However, they are not foolproof. It is important to note that mitigating controls such as those identified here may not prevent collusion (two or more employees conspiring to commit fraud). Thus, it is essential for administrators to adopt an attitude of professional skepticism (or neutral evaluation) by remaining objective and unbiased. Professional skepticism assumes that employees are neither honest nor dishonest. Important qualities in the manager-to-staff relationship are trust and the ability to delegate. However, it is equally as important for managers to practice professional skepticism in an ongoing evaluation of the actions and motives of business office employees.

These techniques are an effective start to fraud prevention. They should serve as a reminder to evaluate your facility and the controls in place to prevent fraud in the business office.

Kylie Waters Whipple, CPA, is Controller for Medical Rehabilitation Centers/Exceptional Living Centers, an independent living and long-term care management company. For more information, call (859) 255-0075, ext. 316, or visit To send your comments to the author and editors, e-mail

Topics: Articles , Finance , Risk Management