Pulse February 2019 issue - Page 37

Case study 1: CEO fraud

Practice profile: Two-partner practice in Hampshire
Finances: Managed by senior partner and practice manager
Amount lost to fraud: £20,000

The failure of this high-earning practice to segregate duties was the underlying reason why it became the victim of not one, but two incidents of ‘bogus-boss’ fraud. Only one of the two partners was involved in the practice finances. The practice manager was responsible for making payments but there was no bookkeeper.

When the practice manager received an email from the senior partner requesting an immediate payment of £10,000, she thought nothing of it as she was used to transferring large sums of money on request from the partner. But the email was fake and when the practice manager made the payment it went into the fraudster’s account. Fortunately, the practice was able to recover the funds.

With a different practice manager in post, the fraud was repeated a year later, this time for three times as much money. The email was written in the senior partner’s style, so his email account had clearly been monitored to pick up his usual language patterns. While some of the money has been recovered, the practice stands to lose £20,000.

Case study 2: Insider fraud

Practice profile: Seven-partner practice (three part-time) in the West Midlands
Finances: Controlled by practice manager
Amount lost to fraud: £64,000

Poor internal controls exposed this practice to considerable financial loss. The practice manager had been working at the surgery for many years and was a trusted member of staff with immense control over finances. Cheques for high-value personal items were signed unwittingly by GP partners who did not ask to see supporting documentation. Suppliers including HMRC and the NHS Pensions Authority were not paid on time, partly because the cash flow was in a poor state after the practice manager’s personal spending spree.
The partners were unaware of the situation because the post was opened by the practice manager, who shredded statements and chasers for payments. The practice payroll included additional payments over and above normal salary levels. There was no requirement to authorise or even show payroll reports to the GP partners prior to instructing the bank. There were no financial reports and the partners did not review practice results. This left the practice manager free to defraud the practice over several months before the truth came to light.

a carbonised receipt book with pre-numbered pages or a sheet countersigned by the patient should enable a quick comparison between cash recorded and counted. Any discrepancies should be followed up immediately.

In dispensing practices, prescription cash collected from patients should equal the charges deducted by NHS Prescription Services. While it can be difficult to match this exactly because of the delay in getting statements from NHS Prescription Services, and because sometimes charges will be deducted if an exemption hasn’t been correctly claimed, large deficits should be investigated.

Large quantities of cash should never be kept on site. They should be banked regularly. Restrict access to petty cash to achieve tighter control over expenditure and aid reconciliation between petty cash records and money available.

Ensure payment details are authenticated

This is vital to protect against invoice and CEO scams. Review processes for sending and receiving payments and ensure there are strong independent authentication measures. Confirm any requests to change payment details with suppliers by calling them on their verified switchboard number.

7 Beat the online fraudsters

Never divulge online banking passwords or banking secure codes to anyone on the telephone, even if you think you are talking to the bank.
Don’t rely on your phone’s caller display to identify a caller – fraudsters can make your phone’s incoming display show a genuine number. Remember that a bank will never call you and tell you to transfer money to a ‘safe’ account.

If you see unusual screens or pop-up boxes when using your online banking or unusual requests to enter bank passwords, log out immediately and call your bank.

Many GPs are receiving fake HMRC ‘refund’ emails. Do not follow the links or requests for bank details in these emails. If your accountant has not advised you of a tax refund it is highly likely to be a fraud. If in doubt, speak to your accountant.

If possible, set up the practice online banking arrangements so that two separate people are required to make any payments.

8 Know your responsibilities

The practice fraud prevention policy should set levels of responsibility and accountability for staff making financial transactions in the practice. The policy should make clear the distinction between fraud and gross misconduct and should cover payroll, the signing of cheques, payment of invoices, petty cash, issue of invoices, income received via post and at the reception desk, bank reconciliation and the practice accounts.

If an NHS fraud takes place in the practice, for example false claims or money stolen that has been allocated for a service or building project, the practice is responsible for notifying the commissioners.

10 Don’t leave it to your accountant

While accountants prepare the annual financial statements they do not audit the accounts and underlying records. The work they do is not specifically intended to spot a fraud. Accountants can advise on the quality of the records. If recording is poor there may be areas the practice should investigate so they understand the underlying reasons.

Finally… be prepared

It will never be possible to remove all the opportunities for determined fraudsters.
There are, however, some sensible housekeeping precautions to help you safeguard against financial loss caused by fraud or even simple human fallibility. They include regularly changing passwords for accessing the accounts system, especially when personnel leave. Take at least two types of data backups regularly and store them securely. Make sure the finance partner has an overview of how to operate, back up and restore the accounting system. The practice agreement must outline how to share out expenses incurred if the worst happens.

Andrew Pow is a director at Hall Liddy Chartered Accountants and Lizzy Lloyd is a partner at Larking Gowen LLP. Both are board members of the Association of Independent Specialist Medical Accountants.

For your appraisal folder

Key points
• Don’t delegate financial responsibility for your practice entirely to your practice manager
• Split tasks where possible
• Critically review payroll reports
• Change passwords regularly

Audit ideas
• Look at the year’s income/expenditure and compare with last year’s. Can you explain any significant discrepancies?

1 CPD HOUR
Go to pulse-learning.co.uk to test your learning and download your certificate