Internal Control Checklist

Practice Management & Consulting

INTRODUCTION As operating margins tighten, the need to optimize controls over assets and cost management increases. The need for enhanced internal control is a natural part of managing costs and revenues in a medical practice. The chief aim of internal controls within a medical practice setting is to provide managers and physicians with measurable assurances of their facilitys effective and efficient operation. Internal control over cash and other crucial operating assets ultimately promotes efficiency. In addition, internal control seeks to minimize the risks of unauthorized acquisition, use, or disposition of assets. In other words, internal control also seeks to prevent fraud or at the very least, identify and detect fraud in a timely manner. INTERNAL CONTROL STRUCTURE Creating an effective internal control structure is a primary concern of most health care organizations seeking to improve their operations. Specifically, the internal control structure refers to the policies and procedures established to provide reasonable assurance that the organizations objectives will be achieved. The following five components are key to establishing an effective internal control structure. 1. Creating an organization that promotes an environment of control. Managements attitude has a significant influence on the effectiveness of an organizations internal control structure. A management team with a cavalier attitude regarding its fiduciary responsibilities is likely to have difficulty establishing a working system of internal control. Likewise, managers who fail to give written policies to employees whom it holds responsible for control are offering a less than optimal environment. In an optimal environment, management should, for example, encourage and support efforts among employees to control the management of cash. 2. Assessing and prioritizing risk and minimizing the possibility of losses. For example, management should identify those areas of cash management that pose the greatest risk of fraud or calculation errors. 3. Establishing activities and procedures intended to maintain internal control. For example, management should institute appropriate measures to document user fee cash transactions. In addition, establishing methods that identify the status of actual versus expected performance is useful for identifying high-risk areas that are not yet under control. 4. Promoting information and communication among all managers within the organization. For example, management should encourage people at all levels of the organization to support and promote internal control mechanisms. In addition, those responsible for certain aspects of the control process need to be thoroughly trained in the control task and have a clear understanding of their responsibilities. Written job descriptions are useful in promoting this understanding. 5. Monitoring the internal control process in a methodical manner, making corrections and improvements as required. For example, management should periodically audit the control

processes to ensure that they are functioning as intended. In addition, the management of a health care organization should consider the size, complexity, and diversity of its services and applicable legal requirements when designing internal controls. Generally, the larger and more complex an organization, the more elaborate the internal control structure needed. OBJECTIVES FOR INTERNAL CONTROL It is managements responsibility to establish and maintain an adequate internal control structure. In establishing an effective control structure, management can consider a number of specific objectives, including the following: Ensure that all transactions are captured: For example, the collection and management of all patient charges is essential. Tracking systems for office encounters using pre-numbered encounter forms and built in redundancies for tracking out of office services is an essential internal control procedure. Ensure documentation and accountability for assets: The internal control system should prevent unauthorized access to assets such as drugs and medications. In addition, items such as computer hardware/software, office and medical equipment must be properly labeled for inventory and disposal purposes. Ensuring cash and receivables are properly managed. These assets should be monitored continuously and periodically audited for accuracy. In addition, the internal control system should ensure the timely and accurate posting of transactions. CONTROL PROCEDURES When establishing internal controls, management should follow five main procedures: 1. Establish a system for authorizing transactions and activities. This is normally accomplished through a written policy with the approval of senior management. 2. Segregate duties in order to reduce the opportunity for any one person to be in a position to perpetrate and/or conceal errors or irregularities in the normal course of his or her duties. This can be done by assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. 3. Design and require the use of documents and records that help ensure the proper recording of transactions and events. 4. Institute adequate safeguards for accessing and using records and assets such as cash or medicine inventories. Such safeguards should also cover access to records, documentation, and record-keeping files. 5. Perform independent checks of the internal control process and periodic validation via auditing to ensure that records reflect assets, and that a reconciliation of assets and records is accurate and balanced. The independent checks should first attempt to identify the types of errors or irregularities that could occur, and then determine the risk of these errors or irregularities actually occurring. Finally, the checks should provide relevant tests and audit procedures to evaluate the possibility that errors have occurred. Those performing the periodic

audits should be familiar with the internal control process but not be a part of it. In other words, the auditor should be somewhat independent of those involved in the process. . The Checklist The checklist is simply a tool similar to what most auditors might use if they were performing a review of your Medical Practices internal controls. The measures and questionnaires provided are meant to serve as a guide, not a mandate, and as such portray a rather complete picture of internal control. Managers are encouraged to use their judgment as to the cost of adopting internal controls versus the risks associated with foregoing them. It is difficult to make a statement regarding a particular control based on the response to just one question. Most internal control procedures are simply based on common sense, i.e. the person having custody of the asset, such as cash, should not be solely responsible for accounting for it; no one person should be able to complete a requisition/payment transaction or personnel/payroll transaction from beginning to end without an appropriate monitoring or oversight. Incompatible duties should be segregated for a check and balance; laws, policies and directives are expected to be followed. Despite the fact that many internal controls are a simple matter of common sense, taking the time to periodically use this checklist to review the control processes can be a valuable tool in the process and help document due diligence.

Roles & Responsibilities Who receives cash, checks or credit card payments? _______________________ Who posts charges? ___________________________________________________ Who posts payments? __________________________________________________ Who is authorized to post charge adjustments? ____________________________ Who opens the mail? ___________________________________________________ Who prepares the deposit? ______________________________________________ Who is authorized to make adjustments for cash and A/R? ___________________ Who is authorized to write off for bad debt? ______________________________ Who reconciles charges? _______________________________________________ Who reconciles receipts posted to actual bank records? _____________________ Who reconciles A/R? ___________________________________________________ Who reconciles cash? __________________________________________________ Who issues patient statements? _________________________________________ Who prepares checks for payables? ______________________________________ Who are the authorized signers for payables? ______________________________ Who authorizes payroll? ________________________________________________ Who is authorized to sign payroll checks? _________________________________ Who is authorized to make purchases? ____________________________________ Who is authorized to receive purchases? __________________________________ Who authorizes refunds? ________________________________________________ Who is authorized to sign refund checks? __________________________________

ORGANIZATIONAL DYNAMICS
YES NO *NS *N/A CHECKLIST QUESTION

1. 2. 3. 4. 5.

Are staff members familiar with policies, procedures and other relevant operating and compliance requirements and guidelines? Does management demonstrate the importance of integrity and ethical values including the statement of core values to staff. Is good communication, collaboration, and team effort stressed? Is management open to employee suggestions to improve productivity, service, and quality? Do supervisors and employees have the knowledge, training, and skills necessary to perform their jobs adequately and continue to take advantage of ongoing training opportunities? Has management established a mission statement, set goals, and developed plans to meet its objectives? Are plans and performance periodically assessed? Are the practices performance targets realistic and attainable? Does integrity of financial and operational results take priority over reporting acceptable performance targets? Is the practices organizational structure and lines of authority clearly understood by employees? Are employee job descriptions, and other internal operating procedures current? Has the practice maintained an acceptable employee turnover rate? Does employee morale appear to be at an acceptable level? Does the practice have the time, tools, and resources to effectively accomplish its mission and objectives? Has the practice established any benchmarks with peers to measure its resource use and outcomes? Are records maintained in accordance with policies and guidelines? Does the practice have a business continuation plan that addresses the absence of key employees and backup procedures for key business processes? Does the practice use signature stamps for any purpose? Secured?

6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.

18.

COLLECTIONS, DEPOSITS AND CASH FUNDS

5 YES NO *NS *N/A CHECKLIST QUESTION

1.

Are all staff members responsible for cash handling and deposits bonded and have they been trained on practice policies and procedures regarding cash handling and deposits? Are the collections and deposit preparation functions segregated from the accounting functions, including general ledger and accounts receivable maintenance? i.e. do the same persons that open the mail have ability to write off patient charges and/post payments directly into the patients account? Has a custodian been appointed for each cash collection point where there are petty cash funds and are fund reimbursements made directly to the custodian? Is the mail opened by at least two people? Are receipts recorded (logged) immediately for all forms of collections received at the earliest point of collection? Are electronic receipts or three-part receipt forms issued each time a cash collection (including collection by check or credit card) is received over the counter? Are pre-numbered receipts and/or mail logs independently controlled, accounted for, and compared to validated deposit documentation by an individual with no cash handling responsibilities? Are all copies of voided receipt forms retained, accounted for, approved and documented? Are all checks required to be made payable to the practice? Are checks required to be restrictively endorsed upon receipt? Are responsibilities for monies fixed at all times? (This would include prohibiting cash handlers from working out of the same cash drawer and requiring documentation of transfers of collections among employees.) Are cash drawers or cash boxes secured when the cash custodian leaves his/her workstation? Are overages and shortages properly documented and appropriately explained? Are deposits made daily? Are receipts and deposits reconciled at least monthly with ledgers? Are funds physically stored in a safe or equally secure place?

2.

3.

4.

5.

6.

7. 8. 9. 10.

11. 12. 13. 14. 15.

YES NO *NS *N/A

CHECKLIST QUESTION

16.

Is knowledge of safe combinations or access to keys restricted to employees with a need-to-know or need-to-access, and is the combination/keys to the safe changed when there are changes to the taff that have knowledge of the safe combination or who have had access to the safe keys? Is the petty cash fund periodically counted by surprise? Are deposits transmitted in locked bank bags? Is staff prohibited from making loans from cash funds and from cashing personal checks from cash funds? Are duties related to accounts receivable delegated so that no one individual can collect funds, update receivable records, and reconcile accounts receivable details? Are accounts receivable billings issued at least monthly? Are accounts receivable aged regularly with older accounts receiving appropriate follow-up? Is the write-off of delinquent accounts in compliance with policy? Does management periodically review data showing trends regarding the status of receivable balances and take appropriate action if needed? Are sales taxes collected and properly remitted when appropriate? If the practice accepts credit cards for payment, has the practice established policies and procedures for credit cards? ASSET MANAGEMENT

17. 18. 19. 20.

21. 22. 23. 24. 25. 26.

YES NO *NS *N/A

CHECKLIST QUESTION

1. 2. 3. 4. 5.

Are Property Identification numbers placed in an easily viewed spot to make taking of inventory easier? Are all work areas and storerooms appropriately secured to deter unauthorized entry? Are adequate procedures in place to facilitate the annual inventory, including procedures to resolve discrepancies in a timely manner? Are only appropriate employees allocated keys to the office and building? Is the building secure and after hours access limited to appropriate employees?

PAYROLL
YES NO *NS *N/A CHECKLIST QUESTION

YES NO *NS *N/A

1. 2. 3.

Are staff members with responsibility for payroll familiar with the policies and procedures related to payroll Have employees charged with payroll and distribution responsibilities been appropriately trained? Does management review, sign, and date the final authorization-to-pay document to ensure that staff is paid according to wage agreements and terminated employees are not paid? Are payroll distributions properly approved and made timely and accurately? Are bonus payments and other types of additional pay properly documented? For employees required to maintain time cards for time worked, do the time records reflect the actual hours/minutes worked rather than the hours scheduled to work? Have procedures been implemented to ensure that overtime and compensatory time hours worked are appropriate and approved in advance by an employees supervisor? Are payroll checks properly secured prior to delivery? HUMAN RESOURCE MANAGEMENT
CHECKLIST QUESTION

4. 5. 6.

7.

8.

1. 2. 3. 4. 5. 6. 7.

Have employees with HR administrative responsibilities attended training programs that are specific to their roles in the organization? Are hiring practices reflective of the Practices non-discrimination policy? Are the education and/or verification(s) for past work experience of the new employee(s) verified and documented? Are the appropriate criminal background checks being performed when required by position? Are I-9 forms being processed within three days of date of hire? Do new employees attend new employee orientation? Do new employees complete sexual harassment training within six months of date of hire?

YES NO *NS *N/A

CHECKLIST QUESTION

8. 9. 10. 11. 12.

Are personnel records maintained in accordance with retention guidelines and access to confidential records limited to those with a need to know? Are performance evaluations performed on a timely basis? Are employees who are covered by the Fair Labor Standards Act (nonexempt/hourly employees) compensated for overtime worked? Are practice procedures in place to ensure that leave taken is properly approved and recorded? Have supervisors and other staff members responsible for HR been properly trained on the Family and Medical Leave Act (FMLA)? PURCHASING AND DISBURSEMENTS

YES NO *NS *N/A

CHECKLIST QUESTION

1. 2.

Are staff members responsible for purchasing, vendor payments and travel reimbursement familiar with policies and procedures? Are the duties for initiating requisitions, receiving purchased items, processing of invoices for payment, and reconciliation of the practices bank statement separated between two or more employees? Are contracts and leases approved by all appropriate parties prior to the effective date of the contract? Does management review charges recorded on the Practices ledger and inquire about unfamiliar charges? Is managements review of the departmental ledger, reconciliation, and supporting documentation appropriately documented? Do practice procedures ensure that the best combination of quality, total price, and delivery are evaluated when acquiring goods or services? Are purchases initiated and approved by employees specifically authorized to perform this task? Are vendor invoices processed timely? Is there a periodic audit of the vendor list? Are all invoices independently reviewed for completeness, accuracy, compliance with directives, and matched with supporting documentation before approval for payment? Are invoices attached to checks for authorized signer review? Do invoices receive appropriate supervisory approval before payment? Are appropriate discounts being taken?

3. 4. 5. 6. 7. 8. 9.

10. 11.

YES NO *NS *N/A

CHECKLIST QUESTION

12. 13. 14. 15. 16. 17. 18. 19. 20. 21.

Are encumbrances and disbursements reconciled with the general ledger? Are returned purchases controlled in such a manner to ensure that the practice receives the credit or refund due? Are vendor invoices and travel reimbursements controlled in such a manner as to prevent duplicate payment? Are credit card transactions authorized by an Approver, reconciled timely, and signed by the cardholder? Does management periodically review a list of cardholders and their limits to determine if changes need to be made? Are originators adequately trained to ensure proper posting of travel related data? Are telephone bills reviewed and appropriately certified as to business use only? Is a periodic review made of telephone lines and equipment to ensure that such telephone lines and equipment is needed? Is the use of copy machines limited to official business use only? Are maintenance agreements reviewed periodically, especially before they are renewed, to ensure that the equipment the maintenance agreement is intended to cover is still owned and used by the unit and that it is still in the units best interest to continue to carry the maintenance coverage? Are the purchase, storage, and issuance of supplies properly controlled to prevent over-purchasing, pilferage, deterioration, and damage? INFORMATION TECHNOLOGY

5 YES NO *NS *N/A

22.

CHECKLIST QUESTION

1. 2. 3. 4. 5.

Has an IT risk assessment been conducted within the past three years? Does a business continuation plan exists which identifies critical activities, backup files, programs, and alternative processing sites? Are system security and application access logs enabled and reviewed periodically? Are backups of operating systems, critical data, and key software programs made on a regular basis and stored at an off-site location? Are procedures in place for removing access to all systems when an employee leaves the practice?

YES NO *NS *N/A

CHECKLIST QUESTION

5 YES NO *NS *N/A

6.

Is sensitive and restricted data managed by the practice (on networks, personal computers, and back up media), classified and protected by restricted access, encryption, or other controls? Do policies require all personnel with a need to access critical applications to have individual accounts and passwords and are they prohibited from sharing those passwords? Are records of all software licensing agreements properly maintained? Has the Practice policy on acceptable use of computer resources been effectively communicated to all employees, including new hires? Are antivirus software installed, operating and being updated for all computing resources (laptops, desktops, servers, etc)?

7.

8. 9. 10.

BUDGETING, ACCOUNTING, AND FINANCIAL REPORTING

CHECKLIST QUESTION

1. 2. 3. 4.

Are practice ledgers reviewed and reconciled to supporting documentation at least monthly? Is the staff performing the reconciliation separate from the staff initiating and finalizing transactions? Are reconciling differences, negative balances, and/or unsupported transactions investigated and corrected timely? Does higher level management review the reconciled ledgers and appropriate supporting documentation and appropriately document its review in a timely manner? Are funds for large purchases, travel, etc. encumbered and set aside ahead of time to ensure that funds will be available when payment is due? Are financial reports comparing budgeted balances with actual financial activity generated and reviewed by appropriate management? Charges/Adjustments

5.

6.

YES NO *NS *N/A

CHECKLIST QUESTION

1. 2.

Are Superbills, charge tickets or encounter forms pre-numbered and accounted for daily (weekly)? Is there a daily reconciliation of charges posted in the practice management system to the appointment system?

YES NO *NS *N/A

CHECKLIST QUESTION

3.

Are adequate procedures in place to facilitate review of contractual adjustments? Are specific write-off codes used to track different classes of adjustments? Are policies and procedures in place to ensure an account cannot be written off to bad debt without authorization? Are there effective procedures is place, including built in redundancies, to ensure charge capture of all out-of-office services. Are procedures is place to ensure all charges generated are posted in the practice management system.

4. 5. 6.