Fraud cannot be eliminated. No system is completely fraud-proof, as any system can be bypassed or manipulated. However, fraud can be detected early by paying greater attention to common fraud indicators. This article follows a road less traveled by discussing the potential for audit managers to knowingly skew audit results, causing unintended consequences within what appears to be a well-functioning compliance program.
Defining Terms
The Office of Inspector General (OIG) provides compliance guidance documents for healthcare provider use. There are also self-reporting mechanisms in place to report overpayments on the OIG website (Self-Disclosure) and Self-Referral Disclosure for voluntary self-reporting of overpayments on the Centers for Medicare and Medicaid Services (CMS) website. Detecting errors that result in potential overpayments is typically accomplished through efficient auditing and monitoring programs coordinated under the direction of the organization's compliance officer or compliance department. But is the oversight of the audits manipulated to achieve particular performance goals? Could it result in the "cobra effect" (explained below)? Is anyone monitoring the integrity of the audit managers?
Tons of information can be found on the internet, in books and articles, etc. on fraud detection and prevention in healthcare. Typical publications and investigative reports illustrate involvement of providers, executives, and even lower-level employees.
But there is nowhere near the same focus on mid-level managers, those who are the go-betweens of the C-suites and internal auditors and their immediate supervisors. Because the monetary variance between them and the executives/owners is so great, they are left out.
In my experience, it appears that the mid-level fraud aspect is recognized primarily by two government entities, one federal and one state, which will be referenced throughout this article.
The terms and definitions referenced throughout are the following:
- Cobra Effect: A situation where an attempted solution to a problem inadvertently makes the problem worse due to unintended consequences.
- Conspiracy: Britannica defines conspiracy as, "in common law, an agreement between two or more persons to commit an unlawful act or to accomplish a lawful end by unlawful means." The Law Dictionary defines criminal conspiracy as "a combination or confederacy between two or more persons formed for the purpose of committing, by their joint efforts, some unlawful or criminal act, or some act which is innocent in itself, but becomes unlawful when done by the concerted action of the conspirators, or for the purpose of using criminal or unlawful means to the commission of an act not in itself unlawful."
- Indicators and Red Flags: For the purpose of this article, the two terms are used synonymously: Signs of deception or suspicious aspects of behavior or misrepresentations that can lead to illegal payments or claims.
- Perverse Incentive(s): An incentive (reward or motivation) that unintentionally leads to negative or undesirable outcomes.
- Plausible Deniability: Although this can be found in dictionaries, there is no official, or even strictly legal definition. An explanation is far more effective. The best by far is in the updated article, "Plausible Deniability Definition, Examples, and Laws," in The Law Dictionary (July 17, 2022). It is not nearly as neat as one would expect, but the article displays how fraudsters who game the system apply this in their daily activities.
The article explains, "Plausible deniability is defined by the dictionary. But it's not technically a legal term or defined in any legal documents. Which makes it a much looser term than it sounds. On top of that, plausible doesn't mean trustworthy, possible, or even likely. Plausible means you could conclude that something might or might not be possible. But usually theoretically, superficially, or suspiciously. It doesn't necessarily have to be a ‘reasonable' conclusion, either. In its broadest sense, the term usually points to a lack of proof. After all, innocent until proven guilty is the backbone of our legal system. So, if there's no proof, it's plausible they could deny it."
The definition continues to state, "Essentially, anything illegal or unethical that can be explained away under an innocent and probable guise—true or otherwise—falls under plausible deniability. Even if the plausibility of the denial is suspicious. However, in the ‘60s, the CIA took the term and expanded on what plausible deniability means to them. And the CIA's version is the one that became popularized. To the CIA, it's the act of withholding information from senior officials to protect their higher-ups in the event the information becomes public. Whether the information was actually withheld or not matters little in court if there's no proof to the contrary."
The Law Dictionary article goes further and indirectly shows us the dangers posed by managers who use it: "While it might seem like a minor tweak, the CIA's definition puts blame on subordinates. This blame swap alleviates pressure on more senior officials. Which you may or may not frown upon. And I get that. Most people expect superiors to be held accountable for the actions of their subordinates. But if they have plausible deniability, the senior officials can't be held accountable. This is true even if the actions clearly only benefit the superior who ‘wasn't' in the know. It also applies if an implication was made that spurred on illegal or unethical actions. An example would be a sinister comment in a suspicious tone followed by an equally suspicious exaggerated wink. That is, providing the superior can write it off as a misunderstanding. However, in cases where someone genuinely didn't know something was happening, they can't reasonably be held accountable for the other person's actions. Regardless of management practices and chains of command, if someone really doesn't want you to know something, they're really just not going to tell you. Famously, Ollie North (Lt. Col. Oliver L. North from the Iran-Contra scandal) called this situation ‘absolute deniability.' Ollie's argument was if you're genuinely not aware of or did not do something, that's not plausibility—it's just not a thing."
The article concludes that "This seemingly convenient loophole is meant to uphold the burden of proof. And—before you cry outrage—the burden of proof is for your benefit as well. So, it's kind of important if you care about your rights. However, that's not typically how we think of plausible deniability. And that's certainly not how we've seen it pan out in the political or corporate arena. Real-world plausible deniability can (and does!) encompass things like thinly veiled threats, false advertisements, sexual harassment, stalking, discrimination against legally protected characteristics like race, age, gender, and sexual orientation, as well as a slew of other instances."
Why Focus on Mid-Level Audit Managers?
The Data Speaks for Itself!
The Association of Certified Fraud Examiners (ACFE) conducts biannual surveys of its members, and one of the questions is what effect the perpetrator's position has on fraud. ACFE has graciously given me permission to use their surveys and data for this publication.
Since the surveys began in 1996, questions on the survey focused on fraud committed by position. Three positions were given by respondents: (1) Executives/Owners; (2) Employees; and (3) Managers.
A recurring trend emerged:
- Executives/owners account for the fewest cases but the largest monetary losses.
- Employees account for the greatest number of cases but the smallest monetary losses.
- Managers account for fewer cases than employees but 250%-300% of the monetary losses caused by employees.
The Data Speaks
Data gathered in 2018 was a sign of things to come. The ACFE survey found that most perpetrators were either employees (41.2%/median loss of $50,000) or managers (39.5%). But the median loss due to managers was $150,000—three times that caused by employee fraud.
In the ACFE's 2020 survey, employees accounted for a median loss of $60,000 and managers for $150,000 or 2.5 times that of lower-level employees. In 2022, employees accounted for a median loss of $50,000, and managers again took a far larger proportion of median losses, totaling $125,000 or 2.5 times that of employees.
In the 2022 survey, the ACFE also stated "Frauds committed by higher-level perpetrators also typically take longer to detect… One of the challenges of dealing with fraud committed by high-level perpetrators is that these individuals often have the ability to evade or override controls that would otherwise detect fraud. Additionally, fraudsters in positions of authority might bully or intimidate employees below them, which can deter those employees from reporting or investigating suspected wrongdoing. Both of these factors might contribute to the longer duration of frauds committed by high-level employees."
The ACFE completed its 2024 survey, with the following results:
- Employee fraud caused a median $60,000 loss; whereas
- Managers caused a massive $184,000 median loss.
In addition, the ACFE reported that, based on the surveys and monitoring over time, "Similarly, fraud cases perpetrated by individuals at higher levels of authority took longer to detect. The median duration of frauds perpetrated by employees was only 8 months…while frauds committed by mid-level managers had a median duration of 18 months…." (All figures and quotes used with permission of the Association of Certified Fraud Examiners).
Note: There are two reasons to go back to 2018. One is to show the timespan and consistency of results. The second is to show that the data was consistent even during the pandemic and afterward. This opens an area gaining scrutiny: fraud committed in the remote workplace.
In the case of healthcare coding and documentation auditors, the primary directive is to ensure documentation is true and accurate, and that claims submitted reflect the work that was in fact accomplished, using specific and correct codes for encounters. When claims become involved, there will always be a financial element. However, performance and upward mobility within the organization become a component of dishonesty within mid-level audit management. Although most motivation to commit fraud is financial, coding and documentation audit manager performance is often based on coordinating information down for improved accuracy and upward to demonstrate the audit program is working.
A bigger issue is that red flags were unreported or intentionally misrepresented at a level beyond the auditors. This is where the mid-level leadership can be most dangerous as they form the "solid floor" to the corporate officers for upward transmission of information, and ostensibly a "communications ceiling" for the auditors and their supervisors, ensuring information goes down to the respective components.
Guidance From the Department of Defense Inspector General (DoD IG)
In its current guidance, "Fraud Detection Resources for Auditors," there is a subsection titled, "Management Related Fraud Indicators." This is interesting because there is a mass of available information singling out executives and employees but little that recognizes mid-level involvement.
The DoD IG opens the subsection with a key statement:
"Management sets the tone of an organization through its control environment. An organization's control environment is the foundation of all other internal control components. An organization's control environment includes integrity and ethical values, management philosophy, organizational structure, and self-governance. For a DoD contractor, active participation in a compliance program, integrity reporting, and the DoD Voluntary Disclosure Program are key parts of its control environment. The control environment provides both discipline and structure to the organization; therefore, auditors must consider management characteristics and influence over the control environment not only as fraud risk factors but also as fraud indicators along with the general and audit specific fraud indicators."
Several of the sixteen indicators are reviewed below.
Fraud indicators listed by the DoD IG:
- Failure to display and communicate an appropriate attitude regarding the importance of internal control, including a lack of internal control policies and procedures; ethics program; codes of conduct; self-governance activities; and oversight of significant controls.
Be aware of an inappropriate or unreasonable argumentative attitude.
- Displaying through words or actions that senior management is subject to less stringent rules, regulations, or internal controls than other employees.
Managers have oversight and execution authority of internal controls. They have the ability to withhold and interpret the controls to their benefit at the cost or suppression of the auditors they are tasked to oversee. They may withhold compliance training, guidance, manuals, or conferences on the controls and reporting processes, or proliferate "training" of their own to such an extent that the auditors become separated from compliance knowledge or reporting routes.
At meetings, managers will not mention who they answer to, or how. They stay silent on their responsibilities for compliance.
- Hostile relationship between management and internal and/or external auditors. This would include domineering behavior toward the auditor, failure to provide information, and limiting access to employees of the organization.
In some ways, this is a continuation of the indicator above but is an escalation as now the manager is forcing an adversarial relationship, hoping to bring it to a confrontational level, and the manager will feel justified in disciplining the auditor for insubordination or drive the auditor out of the organization completely.
- Failure to establish procedures to ensure compliance with laws and regulations and prevention of illegal acts.
One of two things, or both, will occur: Managers will make themselves the only contact to raise concerns or even ideas. The DoD IG, DHHS OIG, and government contractors have complaint and whistleblower processes in place, but if they are not enforced, investigated, and confidentiality strictly adhered to, the auditor's chances of a peaceful resolution are slim to none. Fraudulent managers know and exploit this; it is another tool in their scheme to silence a problematic voice in their environment.
- Indications that key personnel are not competent in the performance of their assigned responsibilities.
This is one of the more common non-financially driven fraud motives; an audit manager will not have the training, experience, or credentials of auditors they oversee. The manager cannot ask the right questions but feels their position is threatened by superior knowledge, which can result in closing lines and compliance avenues of communication.
When the manager is incompetent to fill the role, every red flag is fair game.
In addition, they justify their actions by telling themselves that only they deserve the position—not even necessarily that they earned it. In one of the cases below, two managers are conspiring against the audit team. The two managers involved did not even have certified auditing credentials, such as the Certified Healthcare Auditor (CHA) offered by AIHC.
In one case, the company had been in trouble with CMS several times. A current manager with no auditing credentials was emplaced to oversee random audits of Medicare claims. However, audits quickly discovered that the same manager was responsible for 84% of the continuing errors, and retrospective audits showed the same manager was responsible for much of the trouble uncovered by CMS auditors previously.
In this manager fraud case:
- The manager attempted to redirect the audits, but the audit supervisor did have auditing training, defended the auditor, and had already hammered out a solid audit plan and methodology, which the company's compliance director and CMS approved, and she checked every item audited as a check-and-balance.
- Soon, the auditor and supervisor learned that the company had begun receiving serious inquiries from CMS about the managers' lag time submitting the compliance audits, and they eventually "had to downsize" right when another sanction appeared looming. In total, nine people were downsized in the space of a week; in the middle of the "pack" or team were the auditor and supervisor.
This experience exposes two glaring problems with manager fraud:
- The manager was untrained, did not know how the audit was built, and demanded items with a certain ID (her own) be left out of all audits. Random means random; you cannot pick and choose which items you audit or report. It skews results and becomes a targeted audit—a type no recognized auditing organization allows when a statistically representative general sample is demanded.
- The manager did not understand what a universe or statistically significant sample was, or simple formulas for calculating them. The manager also did not understand the old axiom "numbers don't lie." The manager constantly attempted to reword, reinterpret, or omit facts of the audits when the audits had to be reported to the executives. During a meeting, the supervisor and auditor attempted to explain how CMS and the DHHS OIG used their statistical auditing system, called RAT-STATS. The outcome was no response and orders to continue with targeted audits.
Just as widespread, but carrying much higher risk, a manager can never be allowed to oversee and influence an audit where they have a direct stake in the audit outcome. No audit will be trusted. This goes back to the indicator about managers creating a hostile environment; they will have results altered by bullying, threatening, or confounding the auditor, or do it themselves and through use of plausible deniability draw suspicion on the auditor.
If there is conspiracy between the manager and the reporting executive or body, the damage goes from probable/possibly mitigated to unacceptably high risk. In this company, there was a conspiracy, but CMS uncovered it later. I do not know what happened to the two collaborators, but I do know that the compliance officer, who saved the company multiple times from CMS prosecution, was let go not long after the auditor and the supervisor.
Related fraud indicators listed by the DoD IG include:
- Undue interest and micromanagement.
We live in the information age, where information travels almost as fast as thought (or at least as fast as typing skills). Managers who demand inclusion on all emails, regardless of topic, are suspect, especially when a seemingly unrelated email is sent only to a coworker and a harsh email from the manager is the result. The danger signs are clear. The email never went to the manager; how did he or she intercept it? The email was unrelated to any sensible matter that the manager would be involved in. For example, if I asked a teammate for a copy of a pdf document because I couldn't find it in my thousands of emails and e-files, why would I be criticized?
- A manager that claims disinterest or having no knowledge about a sensitive or high-profile issue in which you would expect management involvement.
An auditor informs the manager that the electronic system that pulls visits for audits has been only pulling specific dates or codes (remember, depending on the data, the system may be running its own targeted audit). The manager tells you offhandedly to "just do the audit." Or you tell the manager that coders are assigning codes specifically prohibited (e.g., CMS-only codes) on commercial claims. The manager does not show appreciation and simply responds, "I'll look into it if I have time."
- Failure to effectively follow-up on recommendations resulting from external reviews or questions about financial results.
Failure to follow up on any serious concerns or recommendations from the audit team couples with the hostile work environment; rather than follow up professionally, the managers criticize the auditors.
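Both the demand described earlier that items with one ID be left out of a random audit and the pull system that returns only specific dates or codes leave the same trace: the audited sample stops resembling the universe it was supposedly drawn from. The added example below (not from the article, and not RAT-STATS) tests every value of a chosen attribute with an exact hypergeometric tail probability; the claim records, the provider IDs such as MGR-7, and all function names are constructed for illustration.

```python
# Added example, not from the article: does an audited sample look like a
# random draw from the claim universe? All records and IDs are constructed.
from collections import Counter
from math import comb

PATTERN = ["MGR-7"] * 3 + ["P-A"] * 5 + ["P-B"] * 5 + ["P-C"] * 4 + ["P-D"] * 3
MONTHS = ["2024-01", "2024-02", "2024-03", "2024-04"]


def constructed_universe(blocks=100):
    """Blocks of 20 claims repeat PATTERN; the service month rotates per block,
    so providers and months are both spread evenly through the universe."""
    return [{"claim_id": f"C{i:05d}",
             "provider_id": PATTERN[i % 20],
             "service_month": MONTHS[(i // 20) % 4]}
            for i in range(blocks * 20)]


def hypergeom_prob(lo, hi, N, K, n):
    """P(lo <= X <= hi), X = how many of the K marked items land in a sample of
    n drawn without replacement from N. Exact integer arithmetic."""
    lo, hi = max(lo, 0, n - (N - K)), min(hi, K, n)
    ways = sum(comb(K, i) * comb(N - K, n - i) for i in range(lo, hi + 1))
    return ways / comb(N, n)


def sampling_anomalies(universe, sample_ids, attribute, alpha=0.001):
    """Flag attribute values (provider, code, month ...) whose count in the
    sample is implausibly low or high for simple random sampling. alpha is a
    per-value tail threshold, not corrected for the number of values tested."""
    by_id = {row["claim_id"]: row for row in universe}
    sampled = set(sample_ids)
    unknown = [cid for cid in sampled if cid not in by_id]
    if unknown:
        raise ValueError(f"{len(unknown)} sampled claims are not in the universe")
    N, n = len(by_id), len(sampled)
    in_universe = Counter(row[attribute] for row in by_id.values())
    in_sample = Counter(by_id[cid][attribute] for cid in sampled)
    findings = []
    for value, K in sorted(in_universe.items()):
        k = in_sample.get(value, 0)
        p_low = hypergeom_prob(0, k, N, K, n)   # chance of k or fewer
        p_high = hypergeom_prob(k, n, N, K, n)  # chance of k or more
        if p_low < alpha:
            direction, p = "under", p_low
        elif p_high < alpha:
            direction, p = "over", p_high
        else:
            continue
        findings.append({"value": value, "direction": direction,
                         "in_universe": K, "in_sample": k, "p": p})
    return findings


def first_ids(universe, size, keep=lambda row: True):
    """First `size` claim_ids passing `keep`; stands in for the pull system."""
    return [row["claim_id"] for row in universe if keep(row)][:size]


if __name__ == "__main__":
    universe = constructed_universe()
    pulls = {
        "control": first_ids(universe, 160),
        "one ID left out": first_ids(
            universe, 160, lambda r: r["provider_id"] != "MGR-7"),
        "one month only": first_ids(
            universe, 160, lambda r: r["service_month"] == "2024-01"),
    }
    for name, ids in pulls.items():
        for attribute in ("provider_id", "service_month"):
            for f in sampling_anomalies(universe, ids, attribute):
                print(f"{name}: {attribute}={f['value']} {f['direction']}-"
                      f"represented ({f['in_sample']} sampled of "
                      f"{f['in_universe']}), p={f['p']:.2e}")
```

Run against a real audit, the universe is the full claims extract for the period and the sample is the list of items the audit report says were reviewed; a flagged value is a prompt to ask how the sample was pulled.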
Thomas P. DiNapoli, State of New York Comptroller Red Flags for Fraud
Several of these management level indicators were further detailed in a guidance recently released by the State of New York Comptroller in his fraud guidance, "Red Flags for Fraud," under "Management Red Flags."
Mr. DiNapoli's red flags for fraud include the following:
- Managers engage in frequent disputes with auditors.
This can be read differently than the DoD IG's indicator in that, here, the manager instigates and maintains irritating, false, or adversarial confrontations to bait the auditor into a situation in which the manager can accuse the auditor of being insubordinate or keep the auditor confused or confounded about what the manager "wants." This can flow into appeals if the manager oversees challenges to the auditor's findings. The manager will overturn the auditor's error and use such a vague or meaningless rationale that the auditor is forced to contact the manager and is sharply rebuked (again, the manager has avoided dealing with the auditor and supervisor). This tends to make the auditor continue contact, attempting to get a clear answer. Each time, the manager increases the inflammatory rhetoric or vague verbiage—and a cycle has begun. This is the entrance of a behavior/methodology addressed below: plausible deniability.
- Management decisions are dominated by an individual or small group.
Managers who are willing to retaliate without cause yet staunchly refuse to discuss their perceived "problems" with the auditor and supervisor and never forward concerns through the chain of command are dangerous; they keep vital information from the executives and compliance/fraud investigators above or laterally, while oppressing their subordinates and keeping them uninformed. In scenarios presented later, managers are in conspiracy; if concerns or perceived negative information is communicated, the managers meet with each other and no one else.
- Manager reluctance or refusal to provide information to auditors and their supervisors.
This links directly to multiple red flags in several ways. As mentioned, appeal results will be intentionally confounding to the auditor, which puts the entire power of the outcome in the hands of the manager. The problem escalates when the manager is the first and highest reporting entity who receives audit reports. I have seen cases where information and/or data in an audit report was manipulated or deleted, and conspiring managers made claims that the auditor was remiss, which went into their records for future "disciplinary actions." In one example, even if the auditor keeps the reports in his/her e-files, after a short amount of time, the reports are deleted. The file is there in name, but can neither be opened nor retrieved. This can tie in to the hostile work environment; the manager chastises an auditor for "errors," but either never provides specific, official guidance or provides "guidance" of the manager's making (guidance was talked about at a meeting but never entered in an official manual).
- Inconsistent, vague, or implausible responses arising from inquiries or analytical procedures.
Mr. DiNapoli's red flag above shows us that officials do recognize the use of plausible deniability. In the manager's sphere of influence, this needs to be closely scrutinized by the executives and auditors—but especially compliance.
This gives fraudulent managers two key openings:
- First, when not monitored consistently, managers can manipulate almost anything—documents, conversation records, even information that goes up and/or down the leadership structure. Many boards and even civil courts will not allow mobile phone records because they can easily be manipulated.
- Second, they can target any perceived threat or opposition without question or investigation. This is where auditors who attempted to resolve problems locally become whistleblowers. They attempt to use the reporting systems in place, but because the managers failed to forward concerns to the reporting body above them, the concerns never go up. In addition, with decentralization, the higher authority often incorrectly trusts the manager because the "information" sent to them never covered complaints. Even worse, if the higher authority was part of the hiring process, they have motivation to hide a potential hiring error.
Last in this group is a red flag usually associated with embezzlement, and often with employees, but it can happen in any setting, at any level where an individual wants absolute restricted control of information. This red flag is:
- Refusing vacations or promotions for fear of detection.
Expanding an example from above, the manager who demands inclusion on all emails and intercepts irrelevant emails, as well as rebukes the auditor, goes on vacation, and the emails are still being intercepted whether relevant or not. The outcome is the same—criticism of the auditor for asking a question. Is the manager embezzling?
As auditors, we cannot know that. So how is this a red flag? Because the manager still has a chokehold on information flow. Let's extend this: The manager is on vacation and your team is informed to contact her or his peer—another manager in the same position. You do as instructed, and either the manager on vacation answers your email, or the other manager answers your email but states that he or she will meet with the other "to discuss"—and no one else. Or worse, the manager on vacation calls you and the conversation becomes adversarial.
To read the rest of the story, see “Fraud Indicators and Red Flags: Part 2 - When Criminal Behavior Infiltrates Your Audit Program” at billing-coding.com, in which you'll learn how to detect what you don't see, including withheld or altered information, as well as learn actions to mitigate risk and how to create a culture of compliance.
Carl J. Byron, CCS, CHA, CIFHA, CMDP, CPC, CRAS, ICDCTCM/PCS, OHCC, and CPT/03, USAR FA (retd.)
Carl is a coding and documentation auditor for the Defense Health Agency (DHA), a government agency that provides healthcare to the military. His background includes HCC auditing for CMS, coding and auditing for a large global healthcare network, and as a compliance educator and speaker for AIHC. He currently volunteers as a subject matter expert for AIHC, a non-profit licensing/certification partner with CMS.
www.aihc-assn.org