Let's Talk

Internal Controls Made Easy: Two Things You Can Do Today to Thwart Would-Be Embezzlers

March 20, 2025
Medical Money Matters Podcast

Episode 118: Internal Controls Made Easy: Two Things You Can Do Today to Thwart Would-Be Embezzlers

Welcome to today’s episode, where we’re going to talk about something that isn’t fun to think about but is absolutely essential if you own or manage a medical practice: internal controls to prevent embezzlement.

Now, before you think, “Oh, that’s not something I need to worry about,” let me hit you with some numbers. The Medical Group Management Association (MGMA) estimates that **83% of medical practices will experience employee theft at some point**. Eighty-three percent. That means if you own or manage a practice, the odds are not in your favor. The Association of Certified Fraud Examiners reports that the **median loss in healthcare fraud cases is $100,000**, and many of these thefts go unnoticed for years—sometimes a decade or more.

Let’s put that in perspective. Imagine working hard every day, treating patients, managing staff, and keeping your practice running, only to find out that over the years, a trusted employee has been skimming money right out from under you. It happens all the time. And it happens to smart, successful, well-run practices.

Here’s a real example. A family medicine practice in the Midwest had a long-time office manager who had been with them for over 15 years. She was beloved by the staff and trusted completely. One day, a newly hired billing coordinator noticed a discrepancy in an insurance payment. It led to a deeper look, and eventually, they discovered that over the course of **six years, the office manager had stolen over $300,000** by diverting insurance overpayments into a personal account she controlled. No one suspected a thing because she was the one reconciling the books, making deposits, and handling payroll.

The good news? You don’t have to overhaul your entire financial structure to protect your practice. There are **two simple things you can do today** that will significantly reduce your risk. These are small, manageable changes, but they pack a huge punch when it comes to keeping would-be embezzlers at bay.

The first one is that **a physician-owner must have full admin access to the practice’s accounting system and online banking website and conduct a monthly financial review.**

Too often, doctors completely delegate financial matters. They trust their office managers or accountants, and while trust is important, blind trust is dangerous. Having **full administrative access** to your accounting system—whether you use QuickBooks, Sage, or another software— and your online banking portal is critical. You don’t have to be a financial expert, and you don’t have to analyze every transaction. But you should be able to log in at any time and take a look around.

Here’s why this works: **The mere knowledge that the owner checks financials is enough to deter many would-be thieves.** If no one is watching, it’s tempting to steal. But if everyone in the office knows that Dr. Smith logs in every month to review financial transactions, it becomes much riskier to attempt fraud.

The process is simple. Once a month, log in. Look at bank transactions, vendor payments, and payroll. You don’t need to go line by line—just do a spot check. Scan for unusual vendors. Look at recent payments. See if anything feels off.

Here’s a real example. A dermatologist in California made it a habit to log into QuickBooks and their bank website every month and check transactions. One month, he noticed a recurring payment to a vendor he didn’t recognize. It turned out that his office manager had created **a fake vendor account and was paying herself a little extra each month**. Because she kept the amounts small—$500 here, $800 there—it went unnoticed for **over two years**, costing the practice nearly **$50,000** before he caught it. And the only reason he found out? He **logged in and looked around.**

Another case: A small orthopedic practice had a front desk supervisor who was in charge of handling petty cash. She would take out small amounts, mark them as “office supplies,” and no one questioned it. One day, the physician-owner was doing his routine monthly check and noticed a series of cash withdrawals that didn’t quite add up. Turns out, over two years, she had **pocketed nearly $20,000 in cash withdrawals**—just a little at a time.

Think about this: These thefts weren’t caught by forensic accountants. They weren’t uncovered in big, dramatic audits. They were found by **a doctor taking 15 minutes once a month to log in and look around.**

If you do nothing else, set up admin access and make sure that **everyone in your office knows you’re checking.** You’re not micromanaging. You’re protecting your business.

The second internal control we want to discuss today is **segregation of duties**—making sure no single person controls an entire financial process.

This is a fundamental accounting principle, but many medical practices don’t follow it. When one person **has too much control**, fraud becomes easy. Segregation of duties means that no individual should handle an entire financial transaction from start to finish.

Here’s an example: Let’s say you have a staff member who opens the mail and logs incoming payments. If that same person also **deposits checks** and **reconciles bank statements**, they can easily steal money without being caught. Instead, one person should **log payments**, another should **deposit the checks**, and a third—maybe the physician or an outside CPA—should **review the reconciliation.**

Payroll is another big area of risk. If the same person who **processes payroll** is also **the one reconciling payroll reports**, they can easily add fake employees or pad their own paycheck without detection. The solution? Have a **different person review payroll reports** each month, or better yet, have the physician-owner sign off on payroll summaries.

These issues are not unusual – it’s typical for us to see practices that have evolved from smaller groups to larger businesses, and the office manager has retained a lot of these functions as the business grows. Now you find yourself with a multi-million dollar business and one person in charge of too many functions to be safe.

Here’s a case study: A pediatric practice in Florida had a trusted office manager who was in charge of processing payroll. Over five years, she quietly gave herself **extra bonuses, padded her hours, and even issued checks to fake employees.** She got away with it for so long because **no one else was reviewing payroll reports.** When the doctors finally caught it, she had embezzled **over $200,000.**

Another case: A cardiology practice had an employee responsible for paying invoices. She created **a fake medical supply company**, submitted invoices for payment, and **cut herself checks totaling over $80,000** before she was caught. How did she get away with it? She was also the person reconciling the bank accounts. If someone else had been reviewing the bank statements, the fraud would have been caught much sooner.

Even if your practice is small, you can still implement segregation of duties. If you don’t have enough staff, consider outsourcing some financial functions—like having an outside bookkeeper, CPA or consultant do your bank reconciliations. Even something as simple as **reviewing payroll reports and vendor payments once a month** can make a huge difference.

So let’s recap. The two simple things you can do today to protect your practice from embezzlement are:

  1. **Have full admin access to your accounting system and conduct monthly financial reviews.** Let your staff know that you check. Even a quick glance each month can deter fraud.
  2. **Implement segregation of duties.** No single employee should control an entire financial process. Separate responsibilities so that fraud is harder to commit.

These aren’t complicated changes. They don’t require expensive consultants or massive overhauls. But they can **save your practice thousands—if not hundreds of thousands—of dollars.**

If you’re a physician-owner, take 15 minutes this week to log into your accounting system. Look around. Spot check payroll. Review vendor payments. It’s a small step that can make a huge difference.  And, if you’d like some external eyes and ears to do routine, brief reviews for you, please reach out to us at Health e Practices. We’re happy to help.

Your practice is your business. Protect it.

Leave a Reply

Your email address will not be published. Required fields are marked *

Join our Medical Money Matters Podcast

LEARN MORE
The podcast is our commitment to increasing financial and business literacy for physicians and clinical leaders. All of this is in service to physician wellness and reducing stress by increasing knowledge and understanding. And, it’s free, with our gratitude to a community that’s been good to us for more than 30 years.
Screenshot of a podcast page titled "Medical Money Matters with Jill Arena"

Why HePS?

money

People

Strategy

Products & Courses

Subscribe to our newsletter
Linkedin Youtube Facebook-f

© 2023 All rights reserved

EULA, Privacy Policy, Terms & Conditions