ORIGINAL CONTRIBUTIONS
Protecting your practice ABSTRACT
Joseph Kerr, MBA
Y
ou have much invested in your dental practice. How protected are you from fraud or noncompliance? How do you know? In this article, I explore ways to create an internal control environment that will reduce the risk of loss and inaccurate financial information, improve your knowledge of the practice’s financial performance, and balance the costs and benefits of putting controls in place as a natural part of running a practice. In accounting, internal controls are policies and procedures put into place to direct, monitor, and measure processes so as to reduce the risk of fraud and loss of organizational resources, both tangible (that is, property, equipment, cash) and intangible (that is, reputation). The Committee of Sponsoring Organizations of the Treadway Commission, an internationally recognized group that creates standards, defines an internal control framework with 5 components: control environment, risk assessment, information and communication, control activities, and monitoring activities.1 While the definition and its components may sound overwhelming, implementation of internal controls does not need to be. The intent is to integrate monitoring and control into normal ongoing activities so they are a natural part of what you do. Below I provide a brief review of 4 of the 5 internal control framework components and practical examples for consideration. CONTROL ENVIRONMENT
Leading by example is so important that without it, monitoring and control activities are generally a waste of time. Simply put, if integrity, accuracy, attention to detail, compliance, confidentiality, and completeness are a priority for you, then they will be for others. The proper amount of monitoring and number of controls help set expectations, encourage proper behavior and attitudes, and discourage fraud by making it difficult to Mr. Kerr is the associate dean for administration, School of Dental Medicine, State University of New York University at Buffalo, 325 Squire Hall, Buffalo, NY 14214, e-mail [email protected]. Address correspondence to Mr. Kerr. Copyright ª 2015 American Dental Association. All rights reserved.
50 JADA 146(1) http://jada.ada.org
January 2015
Background and Overview. Dentists have much invested in their practices. They need to protect their practices from fraud and noncompliance. The author provides practical suggestions for how to significantly reduce the risk of fraud and theft in the practice without disrupting day-to-day operations. Conclusions. By adhering to nonintrusive policy and procedure changes, dental practice owners can reduce inherent risks of fraud and theft, while increasing financial and human resource knowledge regarding their practice. Practical Implications. Practice owners with the appropriate policies and procedures benefit from significantly lower risk of loss from fraud and theft. Furthermore, they have a better understanding of their practice’s finances and human resources. Key Words. Confidentiality; dental offices; dental records; practice management; documentation; employee performance appraisal; fraud; general practice. JADA 2015:146(1):50-51 http://dx.doi.org/10.1016/j.adaj.2014.10.005
accomplish. The greatest risk of theft of practice assets comes from those working for the practice. RISK ASSESSMENT
Risk assessment is part of the cost-benefit evaluation that helps decide the extent of monitoring and control activities required. Rubber gloves, for example, have a relatively low value (benefit) and do not invite theft, so limited effort (cost) would be invested in monitoring them. In contrast, cash, billing, confidentiality, proper patient charting, instrumentation, and high-value materials are high-value, high-risk items that warrant more monitoring and controls. Adverse events take many forms, including loss of resources, inaccurate information, failure to comply with regulations, and loss of patients and reputation that all will negatively affect your practice. CONTROLS AND MONITORING ACTIVITIES
Controls are the policies and procedures put into place to increase the probability of achieving organizational goals and objectives. Examples of controls that can be effective and reasonably implemented are as follows:
ORIGINAL CONTRIBUTIONS
Create position descriptions defining responsibilities, evaluation criteria, and required skill sets, experience and education; share the information with staff, and use the criteria in hiring and evaluating staff. - Check references, including candidates’ last place of employment even if you personally know the candidate. - Require taking 1 full week of vacation annually (fraudulent activity is more difficult to sustain the longer a person is away from the office). - Segregate duties so no single person has sole access to assets, creates or records transactions, authorizes activity, and reconciles the information. For example, n The business manager enters payment transactions into the accounting system and performs bank reconciliation. The owner prints and signs all checks, reviews transactions, and conducts bank statement reconciliation with supporting documentation. n The business manager does patient billing. The owner reviews accounts receivable weekly and talks with patients when they come in about their accounts if they are overdue. Statements should be mailed to patients. Asking patients about overdue balances increases collections and confirms that the business manager posted all payments to their accounts in a timely fashion. Similarly, mailing statements reduces the risk of improper adjustments or charges being posted to the patient account. - Each day, review accounting transactions in the accounting system for reasonableness and periodically check supporting documentation. -
Review patient bills for accuracy, completeness, and consistency with patient chart. - Make sure systems are backed up nightly, backups are stored off-site, and data restoration systems are periodically checked in a test environment to verify that backups are working. Note that a contingency plan, data backup plan, disaster recovery plan, and emergency mode plan are mandated under the Health Insurance Portability and Accountability Act.2 -
CONCLUSIONS
Consideration of internal controls and their components will help protect your organization’s resources, increase your knowledge of practice activities and performance, and increase compliance. Assistance with designing and implementing internal controls in your practice can be obtained from a public accounting firm or consultant. Engaging a public accounting firm for a systems and financial review provides an independent professional opinion of your practice’s financial condition and internal control policies, procedures, and systems. n Disclosure. Mr. Kerr did not report any disclosures. 1. Committee of Sponsoring Organizations of the Treadway Commission. Internal control–integrated framework: executive summary. Available at: http://coso.org/documents/990025P_Executive_Summary_ final_may20_e.pdf. Published May 2013. Accessed June 2013. 2. Health Insurance Portability and Accountability Act (HIPAA), 45 USC §164 (2007). Available at: http://www.hhs.gov/ocr/privacy/hipaa/ administrative/privacyrule/index.html. Accessed June 2013.
JADA 146(1) http://jada.ada.org
January 2015 51
Protecting your practice ABSTRACT
Joseph Kerr, MBA
Y
ou have much invested in your dental practice. How protected are you from fraud or noncompliance? How do you know? In this article, I explore ways to create an internal control environment that will reduce the risk of loss and inaccurate financial information, improve your knowledge of the practice’s financial performance, and balance the costs and benefits of putting controls in place as a natural part of running a practice. In accounting, internal controls are policies and procedures put into place to direct, monitor, and measure processes so as to reduce the risk of fraud and loss of organizational resources, both tangible (that is, property, equipment, cash) and intangible (that is, reputation). The Committee of Sponsoring Organizations of the Treadway Commission, an internationally recognized group that creates standards, defines an internal control framework with 5 components: control environment, risk assessment, information and communication, control activities, and monitoring activities.1 While the definition and its components may sound overwhelming, implementation of internal controls does not need to be. The intent is to integrate monitoring and control into normal ongoing activities so they are a natural part of what you do. Below I provide a brief review of 4 of the 5 internal control framework components and practical examples for consideration. CONTROL ENVIRONMENT
Leading by example is so important that without it, monitoring and control activities are generally a waste of time. Simply put, if integrity, accuracy, attention to detail, compliance, confidentiality, and completeness are a priority for you, then they will be for others. The proper amount of monitoring and number of controls help set expectations, encourage proper behavior and attitudes, and discourage fraud by making it difficult to Mr. Kerr is the associate dean for administration, School of Dental Medicine, State University of New York University at Buffalo, 325 Squire Hall, Buffalo, NY 14214, e-mail [email protected]. Address correspondence to Mr. Kerr. Copyright ª 2015 American Dental Association. All rights reserved.
50 JADA 146(1) http://jada.ada.org
January 2015
Background and Overview. Dentists have much invested in their practices. They need to protect their practices from fraud and noncompliance. The author provides practical suggestions for how to significantly reduce the risk of fraud and theft in the practice without disrupting day-to-day operations. Conclusions. By adhering to nonintrusive policy and procedure changes, dental practice owners can reduce inherent risks of fraud and theft, while increasing financial and human resource knowledge regarding their practice. Practical Implications. Practice owners with the appropriate policies and procedures benefit from significantly lower risk of loss from fraud and theft. Furthermore, they have a better understanding of their practice’s finances and human resources. Key Words. Confidentiality; dental offices; dental records; practice management; documentation; employee performance appraisal; fraud; general practice. JADA 2015:146(1):50-51 http://dx.doi.org/10.1016/j.adaj.2014.10.005
accomplish. The greatest risk of theft of practice assets comes from those working for the practice. RISK ASSESSMENT
Risk assessment is part of the cost-benefit evaluation that helps decide the extent of monitoring and control activities required. Rubber gloves, for example, have a relatively low value (benefit) and do not invite theft, so limited effort (cost) would be invested in monitoring them. In contrast, cash, billing, confidentiality, proper patient charting, instrumentation, and high-value materials are high-value, high-risk items that warrant more monitoring and controls. Adverse events take many forms, including loss of resources, inaccurate information, failure to comply with regulations, and loss of patients and reputation that all will negatively affect your practice. CONTROLS AND MONITORING ACTIVITIES
Controls are the policies and procedures put into place to increase the probability of achieving organizational goals and objectives. Examples of controls that can be effective and reasonably implemented are as follows:
ORIGINAL CONTRIBUTIONS
Create position descriptions defining responsibilities, evaluation criteria, and required skill sets, experience and education; share the information with staff, and use the criteria in hiring and evaluating staff. - Check references, including candidates’ last place of employment even if you personally know the candidate. - Require taking 1 full week of vacation annually (fraudulent activity is more difficult to sustain the longer a person is away from the office). - Segregate duties so no single person has sole access to assets, creates or records transactions, authorizes activity, and reconciles the information. For example, n The business manager enters payment transactions into the accounting system and performs bank reconciliation. The owner prints and signs all checks, reviews transactions, and conducts bank statement reconciliation with supporting documentation. n The business manager does patient billing. The owner reviews accounts receivable weekly and talks with patients when they come in about their accounts if they are overdue. Statements should be mailed to patients. Asking patients about overdue balances increases collections and confirms that the business manager posted all payments to their accounts in a timely fashion. Similarly, mailing statements reduces the risk of improper adjustments or charges being posted to the patient account. - Each day, review accounting transactions in the accounting system for reasonableness and periodically check supporting documentation. -
Review patient bills for accuracy, completeness, and consistency with patient chart. - Make sure systems are backed up nightly, backups are stored off-site, and data restoration systems are periodically checked in a test environment to verify that backups are working. Note that a contingency plan, data backup plan, disaster recovery plan, and emergency mode plan are mandated under the Health Insurance Portability and Accountability Act.2 -
CONCLUSIONS
Consideration of internal controls and their components will help protect your organization’s resources, increase your knowledge of practice activities and performance, and increase compliance. Assistance with designing and implementing internal controls in your practice can be obtained from a public accounting firm or consultant. Engaging a public accounting firm for a systems and financial review provides an independent professional opinion of your practice’s financial condition and internal control policies, procedures, and systems. n Disclosure. Mr. Kerr did not report any disclosures. 1. Committee of Sponsoring Organizations of the Treadway Commission. Internal control–integrated framework: executive summary. Available at: http://coso.org/documents/990025P_Executive_Summary_ final_may20_e.pdf. Published May 2013. Accessed June 2013. 2. Health Insurance Portability and Accountability Act (HIPAA), 45 USC §164 (2007). Available at: http://www.hhs.gov/ocr/privacy/hipaa/ administrative/privacyrule/index.html. Accessed June 2013.
JADA 146(1) http://jada.ada.org
January 2015 51
