Financial – Fraud Prevention and Detection

Service: Risk Management
Subject: Financial and Insurance
Type: Risk Profiles

Fraud in a healthcare organization can significantly impact finances, operations, employee morale, reputation, community relations, partnerships, and credibility with funders and other agencies. This risk relates to theft and/or misappropriation of assets resulting from various means such as employee dishonesty, external scams, cyber-attacks, cheque tampering, procurement fraud, benefits fraud, payroll fraud and vendor-related scams. 

This document contains information entered by HIROC Subscriber healthcare organizations in the Risk Register application to help you in your assessment of this risk.

In addition, review HIROC Employee Fraud Risk Reference Sheet (2023).

Key Controls / Mitigation Strategies

  • Internal Policies and Processes
    • Policies
      • Formal finance policies and processes such as procurement policy, employee expense policy, signing authority policy
      • Other formal policies such as privacy, information security, gift acceptance, whistle blower, procurement, employee benefits, code of conduct and conflict of interest policies 
    • Education and Training
      • Ongoing (annual) staff education and training on early identification and reporting of suspected, alleged, or actual fraud 
      • Social engineering and cyber security risks annual training for staff to identify phishing e-mails, website or invoice scams
    • Finance
      • Segregation of duties (e.g. between cheque preparation and cheque signing, cash/cheque depositing and accounting data entry, cash management and statement/ledger reconciliation, vendor setup, banking setup)
      • Signing authorities including limits and second signature requirements
      • Appropriate approval limits and processes for capital purchases 
      • Rotation of staff/tasks and mandatory minimum number of consecutive vacation days for staff handling financial transactions
      • Cheque Fraud Prevention Measures 
        • Electronic funds transfer (EFT) payments to staff, contractors and vendors (instead of cheques payments)
        • Adoption of various electronic safeguards to detect cheque tampering (e.g. Positive Pay, Safe Pay, Payee Match)
        • Limit access to blank cheque stock and passwords 
    • Human Resources
      • Proper background check on employees (e.g. vulnerable sector, criminal, credentials, references)
      • Appropriate notification and formal off-boarding procedure for terminated employees to the Human Resource and Finance department 
      • Continuous communication between Finance and Human Resources departments to share information about suspected or actual fraud-related activities
    • Processes 
      • Appropriate physical and technical safeguards implemented to monitor and restrict access to key financial information, signature stamps, cash and cheques (e.g. camera / video monitoring, locked doors, safe, panic buttons, access controls to Finance department folders, etc.)
      • Strong relationship with banking staff to understand and adopt additional security measures
      • Appropriate network security controls and password policy
      • Close monitoring of outsourced finance activities (e.g. payroll, accounts payable) 
      • Corporate credit cards have individual spending limits; supporting receipts are required for all credit card purchases
      • Strategies to detect procurement red flags and employee dishonesty red flags
      • Centralized contract and agreement storage
      • Collaboration with the organization’s benefit providers to improve early prevention and detection of benefit fraud (e.g., standardized mechanisms to confirm the billed and submitted health/dental were received, early investigation of questionable visits) 
      • Reporting of suspicious invoices, activities or account
    • Vendor Management 
      • Documented request for proposal (RFP) evaluation and approval process
      • New vendor verification and set-up process (Check for credentials, physical address, telephone and website, names similar to employees or other vendors and references)
      • Approved vendor list is reviewed and updated regularly
      • Vendor invoices include itemized cost breakdown of services and/or products 
      • Ensuring written contracts or Purchase Orders are in place for all invoices; Purchase Order numbers are included in the invoice, where appropriate
      • Fraud audits from benefits provider
    • Fraud Detection
      • Audits, Assessments, Checks and Reconciliations 
        • Adequate monitoring and controls in place ensure compliance with financial and other asset management (including disposal) policies 
        • Daily/weekly/monthly/quarterly financial review and reconciliation process 
        • Regular monitoring of invoices, payments and bank accounts for unusual activities
        • Monthly preparation and review of bank reconciliations
        • Regular review and reconciliation of payroll to identify fictitious employees
        • Internal audit function in place
        • Annual financial and internal controls audit, including audit of processes, by an external audit firm
        • Compliant with Payment Card Industry Data Security Standards (PCI DSS) if collecting, processing, transmitting or storing cardholder data
        • Fraud risk assessment is undertaken regularly to identify potential risk areas within the organization
        • Board level reporting of outcomes of internal and external reviews and audits
        • Bank confirmations

Monitoring / Indicators

  • Fraud or theft-related incidents and near misses
  • Fraud detection capabilities and their effectiveness
  • Employees, contractors and vendors set up on EFT
  • Staff education and training rates
  • Potential fraudulent behaviours or indicators (e.g. substance abuse, gambling, living beyond apparent means, reluctance to delegate work, limited or no vacation days, preferred vendor contact)
  • Comparisons of actuals to budgets (variance analysis)
  • Remediation plans based on the outliers identified during audits
  • Compliance rates of finance related and information security controls
  • Journal entry reviews
  • Financial statement reviews
  • Asset inventories (e.g. cheques, petty cash, major equipment) and asset tagging
  • Unplanned procurement activities
     
Date last reviewed:
This is a resource for quality assurance and risk management purposes only, and is not intended to provide or replace legal or medical advice or reflect standards of care and/or standards of practice of a regulatory body. The information contained in this resource was deemed accurate at the time of publication, however, practices may change without notice.