Internal fraud within organizations is common and results in loss of revenue and, at times, of reputation. If not handled in a timely manner, it can lead to future occurrences and sets a bad precedent. The case at HH involved an employee who was employed for a relatively short period, and the fraud he perpetrated led to the loss of $80,000. He was able to take advantage of the internal organizational weaknesses of the hospital. To prevent such a fraud from being repeated in the future, an information audit plan is recommended, which will seek to remedy the institutional gaps currently manifest at the institution.
Technical- The technical reason that contributed to the prospect of fraud was the information system used at HH. The system has the weakness of lacking incremental security checks to ensure that security protocols are not broken (Seago 2016). The ideal process should have started with the accounts payable clerks feeding the system with data about vendors. The data should then have been directed to one senior clerk who is tasked with counter-checking. The assistant manager should have counter-checked it for accuracy, and the process should have ended with the approval of the manager. The incremental security protocols of checking and counter-checking would have reduced the prospect of fraud.
Organizational- The hospital shows the weakness of having little or no linkage between the different departments that deal with accounts and finances (Mercuri & Neumann 2016). Transactions from the accounts payable department should have been made available to the general accounting desk that is tasked with analysis. Their analysis of monthly revenue and expenditure should have raised a red flag when they noticed there was an increase in expenses. The high turnover at the accounts payable department creates the possibility of an employee committing fraud and leaving the organization. This should have raised a red flag and been investigated to find the root cause.
People- Sharon Harris should not have suggested that her son come and work in the same department, as this was against the company regulations. The accounts manager should also not have agreed to hire Harris, for the same reason, and additionally failed to undertake a background check when she confirmed his employment as permanent. The accounts payable manager also broke organizational requirements by not interviewing other candidates and hiring Harris at her discretion (Van Vugt 2017). There was a breach of organizational protocols by the chief financial officer due to sentimental reasons, even after the matter was brought to his attention.
The first step that needs to be taken by the auditor is to notify the legal counsel department (Bayuk 2009). This department will give advice on how to protect the reputation of the hospital. Further counsel will be given so as to safeguard against lawsuits that may be instituted by the party concerned. The counsel is also important in preparing the charges that may be instituted against the employee who has committed the fraud. In the event that the employee involves their private legal representative, the company counsel will represent it. The employee may also decide to confess and write a confession which needs to be recorded according to the stipulations set out by the law.
The second step is to inform the board and senior management of the hospital. The board and senior management are the ones with authority to take disciplinary action or suspend employees. The manager and her assistant could be asked to go on temporary leave as further investigations are undertaken in the accounts payable department. They are also tasked with authorizing an exhaustive internal inquiry of the departments involved. Releasing the information involving the fraud to the public is also at their discretion. The internal auditor should also inform the internal security officer so that steps can be taken to protect the evidence gathered.
Information governance within a hospital helps to control and manage the information that supports the organization's activities and ensures compliance within it. It helps to establish the hospital policy and prioritizes values and investments (American Health Information Management Association 2014). Information is protected and insulated from organizational or individual bias, and this ensures that the hospital operates within the legal requirements set out by the law. This leads to reduced organizational risks and costs, and increases quality of care and efficiency at the hospital (Glandon, Slovensky & Smaltz 2014). It is the foundational framework that guides the strategy and operational outlook adopted by the hospital.
It is guided by eight principles: disposition, availability, accountability, compliance, protection, retention, transparency and integrity (Lazer & Mayer-Schonberger 2007). The principle of disposition states that an organization should dispose of information no longer required to be maintained by law in a manner that is appropriate and secure (American Health Information Management Association 2014). The availability principle requires that information be maintained in a manner that ensures it can be retrieved efficiently, accurately and in a timely way. Accountability requires that a person of seniority in leadership should oversee the information governance program or delegate that authority appropriately. The principle of compliance states that the program on governance of information should comply with applicable laws as well as organizational policies (Tallon, Ramirez & Short 2013).
Protection ensures that there are appropriate levels of protection from breaches, loss and corruption. It also ensures that information is kept confidential and classified. The principle of retention posits that information shall be stored or maintained for an appropriate time according to the regulatory and legal requirements (American Health Information Management Association 2014). Transparency requires that an organization shall document its activities and processes in a verifiable and open manner. The last principle, integrity, states that information about an organization has reasonable reliability and authenticity. This concerns how the information is generated and managed.
1. Step one - Establish the plan using the control objectives, which will form the basis of testing the audit as well as acting as the checklist. Cascarino (2007) states that this is defined by the management and provides resources for the audit plan.
2. Fieldwork - This step involves the identification of the persons, process and technology that will be audited. In this situation, the following will be involved in the audit plan: accounts payable personnel, the financial systems manager, the controller and the chief financial officer.
3. Findings - If no evidence is found that corresponds to a given control objective, this will be labeled as a finding. The finding should include the condition, criteria, cause and effect, and conclude with the recommendation.
4. The report giving assessment - The audit should conclude with a formal report which gives the opinion of the auditor. It should also include the objective, methodology used and opinion of the auditor (Bayuk 2009). It may also include recommendations to the management.
The plan should emphasize the audit trail within the accounts payable department, because this is the primary area where the fraud took place (Harvard University 2017). The sequence of events should be reconstructed, examined and reviewed. The computer records showing system activity, such as log-ins, should be analyzed. This will reveal security violations and breaches. It will also reveal who had access and what operations were performed.
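The audit-trail review described above can be automated against the checking and counter-checking chain set out in the technical findings. The following is an added example, not part of the original essay or of HH's systems; the action names, role names, user names and log rows are all constructed assumptions.

```python
from collections import defaultdict

# Control chain from the essay: clerk entry, senior-clerk counter-check,
# assistant-manager accuracy check, manager approval. Action names are assumed.
CHAIN = [("enter_vendor", "ap_clerk"), ("counter_check", "senior_clerk"),
         ("accuracy_check", "assistant_manager"), ("approve", "manager")]

# Constructed audit-trail rows: (timestamp, user, role, action, vendor_id).
SAMPLE_TRAIL = [
    ("2017-03-01T09:00", "clerk_a", "ap_clerk", "enter_vendor", "V100"),
    ("2017-03-01T10:00", "senior_b", "senior_clerk", "counter_check", "V100"),
    ("2017-03-01T11:00", "asst_c", "assistant_manager", "accuracy_check", "V100"),
    ("2017-03-01T12:00", "mgr_d", "manager", "approve", "V100"),
    ("2017-03-02T09:00", "clerk_a", "ap_clerk", "pay", "V100"),
    ("2017-03-05T09:00", "clerk_e", "ap_clerk", "enter_vendor", "V200"),
    ("2017-03-05T09:05", "clerk_e", "ap_clerk", "pay", "V200"),
    ("2017-03-06T09:00", "clerk_a", "ap_clerk", "enter_vendor", "V300"),
    ("2017-03-06T10:00", "clerk_a", "senior_clerk", "counter_check", "V300"),
    ("2017-03-06T11:00", "asst_c", "assistant_manager", "accuracy_check", "V300"),
    ("2017-03-06T12:00", "mgr_d", "manager", "approve", "V300"),
]

def audit_vendor_trail(trail):
    """Return {vendor_id: [finding, ...]} for vendors that break the chain."""
    by_vendor = defaultdict(list)
    for row in sorted(trail):            # ISO timestamps sort chronologically
        by_vendor[row[4]].append(row)
    findings = {}
    for vendor, rows in by_vendor.items():
        issues, done, actors = [], 0, {}
        for _ts, user, role, action, _v in rows:
            if action == "pay":          # payment is only valid after approval
                if done < len(CHAIN):
                    issues.append(f"paid before step '{CHAIN[done][0]}'")
                continue
            if done < len(CHAIN) and action == CHAIN[done][0]:
                if role != CHAIN[done][1]:
                    issues.append(f"'{action}' performed by role {role}")
                if user in actors:       # one person acting at two control points
                    issues.append(f"{user} did both '{actors[user]}' and '{action}'")
                actors[user] = action
                done += 1
            else:
                issues.append(f"unexpected or out-of-order action '{action}'")
        if done < len(CHAIN) and not any(i.startswith("paid before") for i in issues):
            issues.append(f"chain stopped before '{CHAIN[done][0]}'")
        if issues:
            findings[vendor] = issues
    return findings
```

Each entry returned maps directly onto a finding in step 3 of the audit plan: the condition is the logged sequence, and the criterion is the four-step chain.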
The focus on the accounts payable department will help improve data governance and ensure that data quality within HH is improved upon. The focus should be placed within the context of analyzing the information lifecycle that captures vendor information, from gathering to disposing, and how it can be improved (Bayuk 2009). The interoperability of different systems between departments will reveal whether or not the hospital should upgrade its current information systems.
The ethical dilemma in this case involves the action to be taken against Harris. Any action taken will yield negative outcomes. If the hospital decides to sue Harris, there is a dilemma of what moral reasoning will justify instituting legal action against him (Lo 2013). It was the duty of the hospital, according to the theory of rights and duties, to exercise due diligence before employing him. Despite knowing of his family link with his mother, the hospital still proceeded to hire him. Figar & Dordevic (2016) assert that, under the theory of consequentialism, the question is whether his dismissal will result in minimizing harm and maximizing benefit to the hospital or not.
His dismissal and subsequent legal actions against Harris do not yield any tangible benefits to the hospital. On the other hand, they may create unnecessary friction between the accounts payable manager and the mother of Harris, who will work while harboring a grudge against the hospital. Chaplais, Mard & Marsat (2016) assert that the best course of action would be to dismiss him without instituting legal action against him in light of his medical status. On the other hand, the CFO and the accounts payable manager should be held liable to pay the loss of $80,000. This will serve as an example that will ensure managers act in compliance with hospital regulations.
Internal fraud within organizations is common and results in loss of revenue and, at times, of reputation. To avoid cases of fraud being repeated, an internal audit plan is important in leading to proper recommendations for future action. The audit plan should be guided by the information governance adopted by an organization. The information governance structure will ensure that certain principles, such as accountability and availability of information, are adhered to. In cases where fraud leads to an ethical dilemma, using organizational ethics will assist the management in making an ethical decision.
American Health Information Management Association, 2014, Information governance principles for healthcare, viewed 22 September, <www.ahima.org/~/media/AHIMA/Files/HIM-Trends/IG_Principles.ashx>
Bayuk, J, 2009, Information systems audit: the basics, viewed 22 September,
Cascarino, R, 2007, Auditor's guide to information systems auditing, Hoboken, N.J., John Wiley & Sons.
Chaplais, C, Mard, Y, & Marsat, S, 2016, 'The auditor facing ethical dilemmas: the impact of ethical training on compliance with a code of conduct', [L'auditeur face aux dilemmes éthiques : l'impact d'une formation à l'éthique sur la conformité au code de déontologie], Comptabilité Contrôle Audit (English Edition), vol. 22, no. 1, pp. I-XXX.
Figar, N, & Đorđević, B, 2016, 'MANAGING AN ETHICAL DILEMMA', [UPRAVLJANJE ETIČKOM DILEMOM], Economic Themes, vol. 54, no. 3, pp. 345-362.
Glandon, GL, Slovensky, DJ, & Smaltz, DH, 2014, Information Systems for Healthcare Management, Eighth edition, Health Administration Press, Chicago, IL.
Harvard University, 2017, Information systems audit, viewed 22 September, <https://rmas.fad.harvard.edu/pages/information-systems-audit>
Lazer, D, & Mayer-Schönberger, V, 2007, Governance and Information Technology: From Electronic Government to Information Government, The MIT Press, Cambridge, Mass.
Lo, B, 2013, Resolving ethical dilemmas: a guide for clinicians, Philadelphia, Pa, Lippincott Williams & Wilkins. <https://meded.lwwhealthlibrary.com/book.aspx?bookid=823>
Mercuri, RT, & Neumann, PG, 2016, 'The Risks of Self-Auditing Systems', Communications of the ACM, vol. 59, no. 6, pp. 22-25. Available from: 10.1145/2909877. [22 September 2017].
Seago, J, 2016, 'A Unified Approach to Compliance: Businesses benefit from a proactive partnership between internal audit and the compliance function', Internal Auditor, vol. 73, no. 5, pp. 49-53.
Tallon, PP, Ramirez, RV, & Short, JE, 2013, 'The Information Artifact in IT Governance: Toward a Theory of Information Governance', Journal of Management Information Systems, vol. 30, no. 3, pp. 141-178. Available from: 10.2753/MIS0742-1222300306. [22 September 2017].
Van Vugt, M, 2017, 'Evolutionary psychology: theoretical foundations for the study of organizations', Journal of Organization Design, vol. 6, no. 1, pp. 1-16. Available from: 10.1186/s41469-017-0019-9. [22 September 2017].