Fraud in general practice is an unpalatable business. Seeing money earmarked for patient services, staff wages or GP drawings disappearing into the pocket of an anonymous fraudster – or possibly even worse a practice insider – is hard to stomach. But the rate of fraud in medical practices is on the increase and GP partners need to understand the risks and take steps to protect their business.
Unfortunately, in most cases the fraud is only spotted when the money has been siphoned off into the fraudster’s bank account. The best defence against fraud is to be vigilant and prevention is key. This requires a proper system of financial checks and balances.
Here are 10 tips on how to protect your practice against the risk of fraud, including how to implement robust financial controls.
Start by answering the following five questions to help rate the financial controls in your practice:
If the answer to one or more of these questions is ‘no’, the practice is at risk of fraud.
Setting up specific financial controls will help reduce the risk of fraud. For example, when dealing with cheques, have a minimum of two cheque signatories, of which at least one should be a named partner. When cheques are presented for signature, supporting documentation should be reviewed to ensure payments are for bona fide expenses.
When payments are made online, supporting documentation should be presented to a partner for review. The BACS forms should be signed as approved to provide evidence that the authorisation stems from a partner.
Give only partners the power to authorise standing orders and direct debits. Decide on a level, say £750, above which orders for office supplies, drugs and medical supplies should be authorised (and evidenced as such) by a partner.
A partner should check the practice bank statements and seek supporting evidence for any unusual transactions. The partner should also examine the bank reconciliation each month to look for outstanding items.
Partners in GP practices often take little active part in the practice’s financial affairs. Even if there is a designated finance partner, their time is under pressure and they frequently rely on practice managers to look after most aspects of the practice’s finances.
But the burden of financial responsibility for GP practices should never rest solely with the practice manager. Given the role’s already wide-ranging remit, this is an unreasonable expectation and at least one GP partner must be involved.
Often insider frauds are only discovered when other staff members become involved in the finances. Consider appointing a deputy who can take over the role when the practice manager is away.
Also, split tasks so that, for example, the person writing out the cheques is different from the person recording the expenses on the accounts software. And the receptionist collecting cash from patients should be different from the person recording the amounts received.
From creating fictitious employees to running more than one payroll each month, there are many ways for a staff member to defraud the practice payroll. To guard against this, a critical review of payroll reports should be carried out by someone other than the person who processed the payroll. This is likely to be a GP partner who should make sure they recognise all the names on the list and look for warning signs such as unexplained increases in staff costs, or staff costs being higher than average.
Safeguards should be established for recording, accounting and receiving cash coming in. This is particularly relevant for dispensing practices because the increased amount of cash flowing through the practice makes it easier for someone to take unrecorded money out of the practice.
Where the practice receives money from patients over the counter, a carbonised receipt book with pre-numbered pages or a sheet counter-signed by the patient should enable a quick comparison between cash recorded and counted. Any discrepancies should be followed up immediately.
In dispensing practices, prescription cash collected from patients should equal the charges deducted by NHS Prescription Services. While it can be difficult to match this exactly because of the delay in getting statements from NHS Prescription Services, and because sometimes charges will be deducted if an exemption hasn’t been correctly claimed, large deficits should be investigated.
Large quantities of cash should never be kept on site. They should be banked regularly. Restrict access to petty cash to achieve tighter control over expenditure and aid reconciliation between petty cash records and money available.
This is vital to protect against invoice and CEO scams. Review processes for sending and receiving payments and ensure there are strong independent authentication measures. Confirm any requests to change payment details with suppliers by calling them on their verified switchboard number.
Never divulge online banking passwords or banking secure codes to anyone on the telephone, even if you think you are talking to the bank. Don’t rely on your phone’s caller display to identify a caller – fraudsters can make your phone’s incoming display show a genuine number.
Remember that a bank will never call you and tell you to transfer money to a ‘safe’ account. If you see unusual screens or pop-up boxes when using your online banking or unusual requests to enter bank passwords, log out immediately and call your bank.
Many GPs are receiving fake HMRC ‘refund’ emails. Do not follow the links or requests for bank details in these emails. If your accountant has not advised you of a tax refund it is highly likely to be a fraud. In in doubt, speak to your accountant.
If possible, set up the practice online banking arrangements so that two separate people are required to make any payments.
The practice fraud prevention policy should set levels of responsibility and accountability for staff making financial transactions in the practice. The policy should make clear the distinction between fraud and gross misconduct and should cover payroll, the signing of cheques, payment of invoices, petty cash, issue of invoices, income received via post and at the reception desk, bank reconciliation and the practice accounts.
If an NHS fraud takes place in the practice, for example false claims or money stolen that has been allocated for a service or building project, the practice is responsible for notifying the commissioners.
While accountants prepare the annual financial statements they do not audit the accounts and underlying records. The work they do is not specifically intended to spot a fraud. Accountants can advise on the quality of the records. If recording is poor there may be areas the practice should investigate so they understand the underlying reasons.
It will never be possible to remove all the opportunities for determined fraudsters. There are, however, some sensible housekeeping precautions to help you safeguard against financial loss caused by fraud or even simple human fallibility.
They include regularly changing passwords for accessing the accounts system, especially when personnel leave. Take at least two types of data backups regularly and store them securely. Make sure the finance partner has an overview of how to operate, back up and restore the accounting system. The practice agreement must outline how to share out expenses incurred if the worst happens.
Who commits fraud?
There are five main ways that GP practices can fall victim to fraud
• Insider fraud While the vast majority of staff carry out their roles with integrity, a small minority of insiders will commit fraud if the opportunity arises. Although these cases are thankfully rare, they can cause catastrophic loss. Examples include false payment requests, creating a fictitious supplier or intercepting payments to suppliers.
• Invoice fraud Fraudsters rely on practices failing to verify invoices against a list of known suppliers and simply paying them without checking. Or the fraudsters send a letter, seemingly from an authentic supplier of goods or services, advising the practice of a change in bank account. The ‘new’ account is controlled by the fraudster so when a practice makes a transfer into the account to settle the next invoice the money falls into the wrong hands. Losses are only discovered when the supplier chases for non-payment. There is minimal possibility of retrieving the money paid out.
• CEO fraud This is also known as ‘bogus boss’ fraud. An example would be a member of the practice staff responsible for making payments receiving an email that appears to come from a practice partner, instructing them to make a payment using online banking. The staff member making the payment does not realise that the partner’s email account has been hacked and the request is fraudulent.
• Online fraud Here the fraudster’s aim is to find ways of duping people into divulging online banking usernames, passwords and security information by clicking on links or attachments in so-called phishing emails. Phone and text message scams are another method. In a recent case a GP received a phone call and was persuaded that there was a problem with her bank security. Unfortunately, she ended up handing the fraudster control of her laptop and bank card reader and lost £34,000.
• Professional risk The use of locum doctors is commonplace but controls over their identity, qualifications and defence cover arrangements must be effective. Are they eligible to practise? Do they have indemnity insurance? Without this, if there is a claim or action by a patient, the partners could be liable for the cost of a legal case. Do locum invoices match up with sessions worked and the rate agreed?
Case study 1: CEO fraud
Two-partner practice in Hampshire
Finances managed by senior partner and practice manager
Amount lost to fraud – £20,000
The failure of this high-earning practice to segregate duties was the underlying reason why it became the victim of not one, but two incidents of ‘bogus-boss’ fraud. Only one of the two partners was involved in the practice finances. The practice manager was responsible for making payments but there was no bookkeeper.
When the practice manager received an email from the senior partner requesting an immediate payment of £10,000 to be made, she thought nothing of it as she was used to transferring large sums of money on request from the partner. But the email was fake and when the practice manager made the payment it went into the fraudster’s account. Fortunately, the practice was able recover the funds.
With a different practice manager in post, the fraud was repeated a year later, this time for three times as much money. The email was written in the senior partner’s style so his email account had clearly been monitored to pick up his usual language patterns.
Case study 2: Insider fraud
Seven-partner practice (three part-time) in the West Midlands
Finances Controlled by practice manager
Amount lost to fraud – £64,000
Poor internal controls exposed this practice to considerable financial loss. The practice manager had been working at the surgery for many years and was a trusted member of staff with immense control over finances.
Cheques for high-value personal items were signed unwittingly by GP partners who did not ask to see supporting documentation. Suppliers including HMRC and the NHS Pensions Authority were not paid on time, partly because the cash flow was in a poor state after the practice manager’s personal spending spree. The partners were unaware of the situation because the post was opened by the practice manager, who shredded statements and chasers for payments.
The practice payroll included additional payments over and above normal salary levels. There was no requirement to authorise or even show payroll reports to the GP partners prior to instructing the bank.
There were no financial reports and the partners did not review practice results. This left the practice manager free to defraud the practice over several months before the truth came to light.
Andrew Pow is a director at Hall Liddy Chartered Accountants and Lizzy Lloyd is a partner at Larking Gowen LLP. Both are board members of the Association of Independent Specialist Medical Accountants
This article was originally published in Pulse magazine in February 2019; last reviewed: July 2019
Or, please register for a free trial to access all of the guides and unlock all features.