Part 2: When Criminal Behavior Infiltrates Your Audit Program
Written by Carl J Byron, CCS, CHA, CIFHA, CMDP, CPC, CRAS, ICDCTCM/PCS, OHCC and CPT/03 USAR FA (Ret)
We recommend reading Part 1, “Fraud Indicators and Red Flags – When Audit Managers Knowingly Skew Audit Results,” as this article is Part 2, “the rest of the story.”
Subsequent to Part 1 - Fraud Indicators and Red Flags, this article stresses the need for early detection of that rare, but dangerous potential fraud committed by the Lead Auditor or Audit Manager. Members of the audit team realize that detecting a non-conformance often means there is likely much that has gone undetected. If you see something, say something, right? But what if it is your boss managing the audit?
Introduction
In this article, the terms Audit Manager and Lead Auditor are used interchangeably, even though there may be variances between these two titles. Audits are conducted as part of the organization’s compliance program for the purpose of detecting non-conformances in order to take corrective action to improve compliance with applicable rules and regulations.
The assumption is made that most organizations have internal controls, checks and balances and accountability built into their compliance program. When those controls fail, the audit process can be jeopardized, skewing audit results with a potentially devastating impact on the risk management process.
Organizations, regardless of size, should require the following elements within an audit: Plan, Execute, Report, Corrective action (P-E-R-C). Smaller healthcare organizations may only have one internal auditor, while mid-size and larger organizations have a team of auditors. Someone needs to manage or lead the audit, even if it is a team of only one auditor. If your organization doesn’t engage with an independent third-party contractor to periodically inspect the management of the audit team, you should. Typically, your Lead Auditor is the most skillful within your organization. For an effective program, engaging an unbiased audit expert to review and “audit” the management of how audits are conducted is a sound risk management decision.
Let’s review why auditing your audit program is so important.
Below the Surface: Detecting What You Don’t See
If your organization detects a problem, it is likely just the tip of the iceberg. What you don’t or can’t see is likely to be a much bigger risk factor than what you do see.
The assumption is made that most organizations have internal controls, checks and balances and accountability built into their compliance program. Hopefully, this article describes several ways to detect areas of potential fraud within your audit processes.
It is not uncommon for C-suite Executives to delegate the responsibility of establishing and maintaining an effective internal compliance control system to mid-level management, such as the Lead Auditor, who must implement such controls at a reasonable cost. This could conflict with the Lead Auditor’s goals of improving coding, documentation, billing accuracy and other business systems.
It is the Lead Auditor’s primary responsibility to provide assurance that reviews are conducted to detect compliance non-conformance and to lead the audit team through the P-E-R-C process. For an audit program to be effective, audits must be conducted and reported in a manner free from material bias, conflict of interest and performed in an objective manner. We must admit, auditing is not guaranteed to catch every instance of fraud, waste and/or abuse. If a problem goes undetected, does this reflect poorly on the audit team? It could, and it could result in tarnishing the team’s reputation.
But what happens when audit results are consistently exceptional? Repeated scores of, let’s say 96%, 97%, 98% accuracy where the target performance goal is at least 95% accuracy? Are these results “real” or should they be questioned? Can Audit Managers and Lead Auditors sway audit results to improve their own performance? Is it possible that the compliance infrastructure is unintentionally designed to encourage willful misrepresentation resulting in false positive outcomes?
These are important questions to ask to ensure the appropriate checks and balances are in place. In other words, who is auditing the Lead Auditor?
When Information is Withheld or Altered
Most organizations have effective audit programs led by experienced certified healthcare auditors. Audit Managers and Lead Auditors are skilled at giving leaders independent, objective assurance that something is true. And auditors are experts when it comes to internal controls expected during an audit, unless that information is withheld or altered. Lead auditors, through training and experience, should be able to detect fraud indicators, and when these indicators involve claims, financial fraud may also be considered, triggering an internal investigation. But can having this much power open an opportunity for willful misrepresentation?
Let’s look at the government auditing standards for a moment. In the 2018 Revision of Government Auditing Standards, the US Government Accountability Office states (page 175, Section 8.73): “Fraud involves obtaining something of value through willful misrepresentation. Whether an act is, in fact, fraud is determined through the judicial or other adjudicative system and is beyond auditors’ professional responsibility.”
Section 8.74 states: “Auditors may obtain information through discussion with officials of the audited entity or through other means to determine the susceptibility of a program to fraud, the extent to which the audited entity has implemented leading practices to manage fraud risks, the status of internal controls the audited entity has established to prevent and detect fraud, or the risk that officials of the audited entity could override internal control. An attitude of professional skepticism in assessing the risk of fraud assists auditors in assessing which factors or risks could significantly affect the audit objectives.”
Is Manipulating the Audit Environment a Sign of Malicious Activity?
Manipulating any part of the audit process requires investigation. This can involve acts of self-preservation on the Lead Auditor’s part, perhaps to the extent they want to drive out the more experienced auditors on the team who can uncover and report true findings and irregularities.
It is likely that experienced auditors on the team they manage may observe and question “why” something has navigated away from protocol. A red flag is when the Audit Manager’s motivations are questioned and the question is deflected or goes unanswered.
In my experience, opportunities exploited and behavior often found in those who are committing fraud, waste or abuse are those listed below, in addition to the typical collusion and conspiracy which are better known:
Weak Internal Controls – The manager is not monitored
The manager knows if concerns are voiced, the controls are so weak that little will come of complaint(s); the manager also already has a script in place based on plausible deniability. Hyper-compartmentalization is exploited: departments are territorial and do not share information, i.e. Compliance does not oversee or meet with the auditing department. This causes a black hole between critical control components. There is no guarantee of confidentiality or protection. This too is exploited.
Moral hazard
A moral hazard occurs when one party in a transaction has the opportunity to assume additional risks that negatively affect the other party. The decision is based not on what is considered right but on what provides the highest level of benefit, hence the reference to morality. In my experience, one of the more common is the moral hazard of rationalization.
Rationalizations are the excuses people give themselves for failing to live up to their own ethical standards. "Moral hazard of rationalization" refers to the psychological phenomenon where individuals use reasoning and justifications to convince themselves that their unethical behavior is acceptable, essentially allowing them to engage in immoral actions while maintaining a positive self-image, thus creating a "moral hazard" by reducing the perceived negative consequences of their actions; it's essentially using logic to excuse morally questionable behavior. [1]
Thorough knowledge of the systems and/or programs/Information Asymmetry
This is a serious element because the fraudster will have superior knowledge and/or access to electronic programs and processes. When the Lead Auditor or Audit Manager has unlimited power through technology to manipulate data, routine monitoring is recommended of how this power is employed. This is all part of strengthening internal controls through an objective expert.
The Payoff Matrix
According to an article in the National Library of Medicine published September 2023, in the context of healthcare fraud: "The Payoff Matrix refers to a conceptual framework that analyzes the potential outcomes (rewards and penalties) for different actors involved in fraudulent activities within the healthcare system, considering the choices they make between committing fraud or acting honestly, essentially illustrating the potential gains or losses depending on their decision and the actions of other parties involved, like patients, providers, and insurers; it helps visualize the incentives and disincentives that could influence their behavior towards fraudulent practices." [2]
This is difficult for the vast number of honest managers to understand because they care deeply for their processes, employers, and, most importantly, people. To the fraudster it is a game; there are winners, there are losers; there are moves and counter-moves. They see the auditors as expendable players rather than victims: and they see superiors and leaders as opposing players who will be beaten and outmaneuvered. In the context of this article, they secure their positions and remain champions of the game, to continue with little thought to their own possible loss.

Actions to Mitigate Risk
The compliance department must be active, in place and independent in authority and action. If the reader will indulge a few analogies, I will show how critical this section of any organization is. About the iceberg analogy used in this article – the Titanic, the mighty, “unsinkable” ship, cutting edge in every way in its time. We know on April 14, 1912 the Titanic hit an iceberg and sank igniting one of the most remembered tragedies in history.
Experts disagree on why the ship struck the iceberg but there are recurring theories: poor watch crew alertness and/or training; no binoculars; and they just didn’t see it in time. Things they do agree on: the ship was sailing too fast in known iceberg waters and there were not enough lifeboats.
Your compliance department is like the watch crew. They must look for hazards (watch), search for hazards in the future (binoculars), and have the authority to order the captain to alter course no matter how inconvenient. A compliance department that has become complacent or does not monitor internal controls is ignoring speed: things in healthcare move quickly. Having an ineffective compliance department is like having these lookouts not just make the ship hit the iceberg; they back the ship up and make it hit the iceberg again. Compliance must also be the lifeboats. They need to listen to and address every concern raised and treat all parties equally: no one stands alone because of title or position and, as the corollary, no one is above scrutiny for the same reasons. And compliance must be trusted to maintain strictest confidentiality. Every individual who reports concerns must feel they will be protected and safe.

In this image, note the long flat tabletop just below the surface. Managers who commit fraud, especially for their benefit at the cost of everyone else’s, will form some sort of escape route.
They are willing to “take some heat” as long as their fraudulent enterprise survives. The compliance department has to destroy this STAT. If the managers are spoken to but nothing substantial really is done, then they have taken the ship, backed it up, repaired it (so they think) and sent the ship right back into the iceberg.
Invest in Infrastructure & Developing a Culture of Compliance
Your workforce must feel “safe” to report concerns and observations of potential fraud, waste and/or abuse. This only happens when a top-down culture of compliance has been instilled within the organization and demonstrated by the items listed below.
Responding to complaints must be rapid and effective - Compliance must be several critical things, just like the military: it must be forward yet visible (Air Force). We know they are active and they are watching beyond their office desks. We see them. They also must be agile: able to respond to indications or complaints quickly. Employees at every level must know these people are there, always gathering information even when unseen and are there to defend them if necessary.
Compliance must also be the Army and Marines - Employees (relators) must know how to report concerns to the compliance department in a safe manner and undetected by the Lead Auditor when the Lead Auditor is of concern. Confidentiality must be the operative philosophy. Like all the major services, they must be able to act independently with the backing of the highest levels of authority. Above all, compliance must dedicate itself to an overarching creed: never let the relator feel scared, threatened, harassed or intimidated. Any form of retaliation will not be tolerated.
Establish a Confidential Network - The Audit Team needs to find an avenue to escalate complaints, confidentially, to those tasked with compliance and especially whistleblower protections. This should be between each auditor and the compliance officer or someone within the Compliance Committee. There really is power in numbers and just like plausible deniability, there will be force in consistency of fact. Because the auditors are external to the auditees, and in the remote environment external to the Audit Managers, information and concerns can be shared and options discussed without fear of harassment, reprisal or retaliation. Facts can be shared and supported by other auditors’ experiences.
This element differs from strengthening internal controls in that the point of contact for concerns need not absolutely be someone tasked with receiving them by policy.
Strengthen Internal Controls - There is no cookie-cutter template for succeeding in this. Whether through complacency, old school ways of thinking or the bureaucracy-wide need for self-preservation and avoidance of “bad news,” weak internal controls have devolved into weakness for a reason. Following right on the heels of getting these people to listen may be getting the auditors to trust them. Our attempts at reporting have failed: why should we trust you now? This is a legitimate question which must be answered before real progress can be made.
Documentation – Over time facts and details can become unclear. Documenting observations, gathering “evidence” and making record in a timely manner can help determine if the person altering data has made a material falsification requiring a more formal internal (or external) investigation.
Conclusion
The vast majority of healthcare managers are ethical, hard-working people who care about their organization both downward and upward. They are as outraged by fraud or someone on their team manipulating information. In my experience, the majority of published reporting of mid-level fraud regards financial motivation. If any healthcare organization takes firm and consistent steps to maintain strong internal controls, the type of fraud in this article will never see light and be mitigated before any significant damage can be realized.
Although we have covered quite a number of subjects, the solution will be driven by the establishment of a superstructure founded on ferreting out truth from plausible deniability and weak internal controls. Without these, other efforts will yield little.
About the Author
Carl J Byron, CCS, CHA, CIFHA, CMDP, CPC, CRAS, ICDCTCM/PCS, OHCC and CPT/03 USAR FA (Ret)
Carl is a coding and documentation auditor for the Defense Health Agency (DHA), a government agency that provides health care to the military. His previous background includes HCC auditing for CMS, coding and auditing for a large global healthcare network, and work as a compliance educator and speaker for AIHC. He currently volunteers as a subject matter expert for AIHC, a non-profit licensing/certification partner with CMS.
References
1. McCombs School of Business – Ethics Unwrapped. https://ethicsunwrapped.utexas.edu/glossary/rationalizations
2. National Library of Medicine – Study on the Path of Governance in Health Insurance Fraud Considering Moral Hazard
Copyright © 2025 American Institute of Healthcare Compliance All Rights Reserved