Just like our bodies or our cars, organizations need check-ups, too. Unfortunately, unlike us, organizations do not receive reminder postcards in the mail to make sure they come in for an annual check-up, nor does a handy check engine light switch on brightly and chime from their dashboard.
Instead, it is up to an organization’s leadership to ensure that regular check-ups are performed to prevent unnecessary wear, tear and breakdown. In the current climate where fraud is all too common, a fraud check-up is one that organizations cannot afford to skip.
The healthcare industry is particularly susceptible to fraud due to its complexity, size, reliance on personal and confidential information, and highly regulated nature. According to the Association for Certified Fraud Examiners (ACFE), estimates of fraud, both public and private, run between 3% and 10% of total healthcare expenditures.
Similarly, the FBI leans towards the high end of the ACFE’s figures with an estimate of 10% of total healthcare expenditures being fraudulent. Given that in 2015 the United States spent approximately $3.2 trillion on healthcare, healthcare fraud is a significant problem with an estimated $320 billion price tag.
For any organization that receives government funds, a fraud, waste and abuse (FWA) program is a requirement. For all other organizations, a FWA program is an important best practice that is in the organization’s best interest. Within most organizations the responsibility for fraud deterrence and prevention is delegated to the compliance function regardless of its size and resources.
While addressing fraud is part of an organization’s overall compliance function, it is important that attention is paid to the effectiveness of the FWA program in particular. Not only are there enormous financial costs associated with FWA, organizations can suffer significant reputational costs and face disruptions to operations as a result of FWA. In light of these associated risks, organizational leadership cannot afford to assume their FWA program is effective and must insist upon the regular performance of a fraud check-up.
A fraud check-up involves a series of steps to identify issues and to ensure continued healthy performance:
1. Consider organizational culture
When considering fraud risks, it is imperative to assess an organization’s culture. According to the Society for Human Resource Management, “organizational culture consists of shared beliefs and values established by leaders and then communicated and reinforced through various methods, ultimately shaping employee perceptions, behaviors and understanding. Organizational culture sets the context for everything an enterprise does.”2 Organizational culture creates the environment within which employees work and is frequently cited as a significant contributing factor to fraud.
Organizational culture can contribute to fraud by failing to prevent it, failing to detect it, or failing to deter fraud through effective enforcement actions. Additionally, the overall tone at the top can contribute to a fraudster’s justification of their deeds. Fraudsters may justify fraud by citing the executive team’s lack of appreciation of employees, focus on unrealistic performance goals, or by comparing their own actions to executives’ own unethical behavior.
For example, an organizational culture that focuses on productivity goals above all else faces a greater fraud risk, especially when financial incentives are attached. Similarly, an organizational culture that overemphasizes “trusting its people” may inadvertently contribute to an environment where fraud can thrive.
2. Review internal controls
The evaluation of internal controls serves a crucial function for organizations – not only can it identify fraud risks, but it can often also identify opportunities to increase efficiency and effectiveness in processes and operations. For example, executive management may be reassured about the security of a software system because of the elaborate functionality it offers, but without the implementation of appropriate user access controls, the security of even the most sophisticated system can be nullified.
Maintaining good controls across all functions, not just financial processes, in an organization is vital. Effective controls can establish compliance with applicable laws and regulations, reduce redundant or duplicative steps, and prevent loss of resources, including assets, cash, and proprietary information. However, to assess the effectiveness of controls, periodic audits or reviews should be conducted.
A review of internal controls provides organizations with a unique perspective into their operations – specifically, which processes are performed manually, where segregation of duties is lacking, which units face operational risks due to current staffing issues and where risky work-arounds have been adopted to overcome system, staffing, or other barriers. Internal controls reviews provide valuable information about which fraud risks are most significant, as well as their likelihood and likely severity of occurrence.
3. Ongoing monitoring and periodic auditing
Ongoing monitoring is essential in order to establish a baseline against which future performance can be compared. Without monitoring performance, neither trends nor significant variances can be easily identified. For example, if an organization is not regularly monitoring its per member per month claims costs, a sudden spike in costs could go unnoticed for months. Similarly, if ongoing monitoring of the incurred but not reported (IBNR) liability is not performed, changes go undetected.
In addition to monitoring, organizations should perform more in-depth auditing to identify root cause issues. In-depth audits should be performed on a routine basis, as well as based on identified risk factors such as recent unexplained variances. Risk-based approaches are particularly useful to organizations with limited internal auditing resources.
If monitoring has not historically been performed for a certain activity or operation, organizations should consider performing in-depth audits first to understand current practices and identify and address any significant operational issues prior to implementing ongoing monitoring. Moreover, the targets for in-depth audits should be selected using a risk-based approach.
While ongoing monitoring and periodic auditing are easily recognized as a means to detect FWA, the awareness among organizational staff that operational activity is regularly monitored and audited can also have a deterrent or preventative effect. The performance of monitoring and auditing can also provide organizations with valuable information to improve other aspects of their operations and identify other types of issues.
4. Evaluate your FWA program
A FWA program is an important, and often required, element of an organization’s compliance program. The Department of Health and Human Services Office of the Inspector General has identified seven elements of an effective compliance program. Like a compliance program, there are also seven general elements of an effective FWA plan.
Not only is it important to institute these elements when establishing a FWA program, but it is important to evaluate your FWA program periodically to determine its effectiveness. For example, establishing a FWA hotline will not be effective if information about the hotline is not well-distributed or if the hotline does not allow confidential and anonymous reporting. The following are key elements to developing and maintaining an effective FWA program:
- A written FWA plan with detailed policies and procedures. The plan should ensure compliance with state and federal laws with particular attention to applicable laws that pertain to government programs, such as HIPAA, Federal False Claims Act, and the Social Security Act. Written documentation should include a code of conduct and ethics as well as a requirement for conflict of interest disclosure statements.
- Disciplinary standards should be described within the FWA plan and associated policies and procedures. These standards should clearly state that FWA violations may result in corrective action including suspension or termination of employment or contracts.
- Establish roles and responsibilities for implementing the FWA plan including designated positions such as the Compliance Officer and Compliance Committee to administer the program as well as oversee enforcement action and the effectiveness of the program. To ensure efficacy, the implementation of the FWA plan should be allocated adequate resources for successful execution. Moreover, the Compliance Officer should regularly report activities to the Board of Directors and relevant committees.
- Establish training and education programs for employees, Board and Committee members, and other relevant parties such as providers and vendors. Fraud awareness training should be provided initially upon hiring or commencing duties and refresher training should be performed annually. Additionally, targeted training should be provided for individuals associated with activities with heightened fraud risks. All trainings should be provided by qualified trainers and the trainings should be updated to include ongoing improvements as well as reflect any changes to state or federal requirements.
- Create lines of communication to allow anonymous and confidential reporting of FWA issues or concerns from both internal and external sources. After establishing these lines of communication, such as a phone hotline or an online site, it is important to disseminate information about these reporting options on a regular basis. Moreover, to engender trust in the reporting process, it may be helpful to provide accompanying information about the organization’s investigative and enforcement process, reiterate the organization’s anti-retaliation policy, and outline the process for reporting call volume and call outcome to the Board of Directors or relevant governing body. Periodically, as a part of other survey activities, employees, providers, and vendors should be asked about their awareness of this hotline to gauge information dissemination. Also, the organization should monitor call volume to the hotline as well as monitor patterns in the calls.
- Perform ongoing monitoring and periodic auditing to identify trends and variances as well as determine root causes to issues identified and ensure ongoing compliance. Monitoring and auditing are necessary to ensure ongoing compliance with established practices as well as to help identify unusual trends. Not only is it important that these efforts are supported by organizational values and appropriate allocation of resources, but that an internal audit department or other designee is empowered to perform unscheduled reviews and granted unfettered access to records.
- Perform prompt and thorough investigation and corrective action. Upon the identification of a potential FWA issue, the organization should thoroughly investigate the issue. Depending on the result of the investigation, disciplinary action should promptly be sought for the involved parties. Any weaknesses in operations or processes identified through the investigation should be addressed formally in a remediation or corrective action plan to ensure that they are resolved and will not persist. As part of an organization’s overall compliance program, these issues should be tracked, and implementation of the remediation plans should be validated to ensure resolution.
Just as a routine maintenance check for your car can reveal a lurking problem before it occurs, performing a fraud check-up can help organizations reduce the occurrence and impact of fraud through prevention, deterrence, detection and correction.
While check-ups or preventative maintenance are easy to postpone, it is far less costly for organizations to address fraud risks proactively. Moreover, the steps involved in a fraud check-up can yield valuable information that offers other benefits to your organization – such as identifying opportunities to improve organizational culture, increase efficiency, or strengthen an overall compliance program.
If you need assistance performing a fraud check-up, please do not hesitate to contact the Healthcare Consultants at Mazars USA LLP or visit www.mazarsusa.com/hc for assistance.
ACFE, “Fraud against Government Health Care Programs” Training, 3/29/2017