In most small-practice embezzlement cases, one person handles the money. They post payments, make deposits, set up vendors, run payroll, reconcile the bank account and answer any questions about all of it. They have been there a long time, the physicians trust them, and they understand the systems better than anyone in the building.

When something looks odd, the answer is usually a quick explanation no one else has the context to challenge. That is how most small-practice fraud happens.

But the answer isn’t to look at every long-tenured employee as suspect. When access, recording and review all sit with one person, the practice has no way to detect a problem until something forces it into the open — a vacation, a software change, an external audit, a tip from another employee.

Internal controls exist so the practice does not have to wait for those moments. They protect the practice, the physicians, the administrator and the employees who handle money honestly every day. The principle is simple: no single person should be able to create, approve, process and conceal a financial transaction. COSO's internal control framework treats control activities, monitoring and information flow as the core elements of effective internal control, and the principles apply just as much in a six-provider practice as in a large health system.¹

The risk is also more common than most administrators want to think. The Association of Certified Fraud Examiners' 2024 occupational fraud report found that 43% of cases were detected by tips — more than three times any other method — and that more than half of frauds occurred because controls were missing or were overridden by someone with authority.² Controls for medical groups have to be designed around the actual flow of money in an office: accounts payable, vendor setup, payroll and bank activity.

Separation of duties

Perfect segregation of duties is not realistic in a small office. Breaking apart the riskiest combinations is. The person who collects payments should not also post adjustments and reconcile the bank account. The person who creates vendors should not also approve invoices and release payments. The person who changes pay rates or direct deposit information should not also be the only one reviewing the payroll register.

A useful way to think about this is four jobs that should not all live with the same person: