If businesses don’t impose controls, policies and procedures over credit card processing and they don’t perform daily and monthly reconciliations, employees with access to the credit card systems could process fictitious or fraudulent refund or credit transactions to their personal credit cards. Learn how to avoid this fraud.
This article is excerpted and adapted with permission from the publisher, John Wiley & Sons, from “Preventing and Detecting Employee Theft and Embezzlement: A Practical Guide,” by Stephen Pedneault, CFE, CPA/CFF © 2010 John Wiley & Sons. See the online ACFE Bookstore.
A small medical practice with two physicians and a staff of five found out the importance of regularly reviewing its refund activity when it lost more than $10,000 in unauthorized refunds processed over five years through the practice’s credit card system.
The medical practice hadn’t always accepted credit card payments, so it had to constantly send statements to patients to collect fees. At some point, the physician owners realized that if they offered the ability to pay by credit card, their collections would increase, and the outstanding balance from private-paying patients would decrease – especially if payment was collected up front before treatments were provided.
The practice manager (we’ll call her Meg) implemented a merchant system with swipe terminals and posted signs informing patients that the practice now accepted credit card payments. (A practice manager is similar to an office manager of a non-medical entity.) Many patients began paying their copayments and balances with their credit cards, and collections increased for the owners.
Initially, the practice received a monthly automated merchant bank statement, available for downloading, which identified the activity processed during the month. The practice had no procedures in place to independently review the daily credit card activity or reconcile the monthly activity to the merchant statement, so the practice grew more dependent on the individuals who processed the charges, recorded the payments within the medical billing system and generated the daily close-out reports. The practice stopped generating the merchant statement image and simply relied on the deposits that posted into the practice’s bank account.One day Meg found a close-out report inadvertently left on a computer printer. She reviewed the day’s activity and saw an odd refund processed for $125. Meg couldn’t independently trace the $125 credit transaction because the office had no process in place to support refunds or credits.
Early the next morning, Meg asked the employee who typically handled the charges to explain the refund. At first, the employee (we’ll call her Liz) explained that a patient had been in earlier in the week and paid by credit card. The patient had returned to pay by check instead, and a refund needed to be made to the patient’s card so the patient wouldn’t pay twice, Liz explained. Meg asked Liz to retrieve the underlying credit card slips for both transactions and to deliver them to her office with any other information about the patient and the charges.
Liz later went to Meg’s office but had no slips to support either transaction. Liz closed the door and explained that the slips were gone and that she had processed the refund to her own credit card to avoid being late on her credit card payment, which would caused the interest rate to skyrocket because of the default terms on the card. Liz explained that it was only $125 and that she fully intended to put the funds back into the practice to cover the refund. She didn’t realize that the processed refund wouldn’t constitute a payment on the account and the account would fall into the default terms.