Wipfli logo
Back to Articles

How to perform fraud-based due diligence in healthcare transactions

Marc Courey
Marc W. Courey
May 12, 2020
5 min read

In part I of this two-part series, we covered why compliance- and fraud-based due diligence is so important to healthcare organizations involved in an M&A transaction and where the greatest areas of risk are. But just as important to know is how to perform fraud-based due diligence.

There are seven critical steps to follow when looking for fraud or other inappropriate activities during the due diligence process.

1. Engage a third party

In part I, we discussed the value of engaging a third party to perform a risk assessment, so it’s no surprise step #1 to implementing fraud-based due diligence is involving a veteran third party. They bring highly valuable experience in what to look for when it comes to fraud and other compliance risks.

They also bring an independent and objective perspective, which can be invaluable when considering what should be included in the due diligence process, as well as evaluating the potential impact the discoveries may have on the acquirer and target organization. This helps reduce the potential for risks to be overlooked to “make the deal happen” or that unfounded risks will be used to scuttle a deal.

Furthermore, M&A deals can move at a fast pace, and making sure the due diligence process is comprehensive and addresses all aspects in a timely manner likely requires outside assistance.

2. Go beyond standard due diligence

There are many steps to compliance- and fraud-based due diligence that fall outside standard due diligence. Make sure to:

  • Conduct background checks on and interviews with key executives and employees.
  • Fully identify the target’s jurisdictions and regulatory environment.
  • Adequately review the target’s business practices.
  • Use technical skills such as data analytics to identify red flags and uncover issues.
  • Identify and review the target’s third-party relationships.
  • Examine relevant key policies and procedures.
  • Identify and analyze areas that may require including representations or warranties in the final agreement.
  • Monitor the target’s business activities until the transaction is finalized.

3. Conduct a risk assessment

We already discussed in part I what a fraud and compliance risk assessment is and why it’s so valuable, but it’s vital to ensuring a comprehensive due diligence process. It’s significantly more in-depth than a general due diligence report and is tailored to the specific type, industry, geographic coverage, services/products and practices of each organization.

The fraud and compliance risk assessment may discover red flags. Examples include data privacy and cybersecurity issues, changes in reimbursement, and relationships between physicians, hospitals, vendors and clinics. An assessment can also highlight employee-based issues or deficiencies in internal control procedures that would not otherwise be evident in traditional financial due diligence.

4. Review the target company’s relevant fraud and compliance-related programs

A good sign is if the target organization has a robust fraud and compliance program and department, as well as an anti-corruption program. However, you should review these programs so that you can understand the intended scope, the intended and actual controls, whether they were adequately funded and staffed for the target’s size and risk, and their effectiveness and then identify any gaps. Review the results of prior fraud or compliance issues, if there are any, plus the target organization’s response(s) and the residual risks to the organization.

5. Review prior internal audit findings (and other self-assessments)

Does the target organization’s internal audit department perform in-depth analyses of anti-fraud and compliance-related business processes? If so, you can use them as key sources of information, highlighting past risks to the organization and potential future issues that may impact the value of the target.

The failure of the target organization to have a robust internal audit department may signify previously unidentified issues. If that’s the case, you would need an even more robust due diligence plan.

6. Evaluate corrective measures for previously identified issues

What did the organization do to correct previous issues? Did they bolster policies and procedures and provide training for staff? Did they monitor the ongoing effectiveness of remedial measures?

Understanding the organization’s response to previously identified issues can indicate potential future issues. It also helps you understand their past approach to fraud and compliance-related issues, which can have a significant impact on the value of the proposed transaction.

7. Begin to develop plans for implementing additional compliance measures

Unidentified or under-appreciated issues can happen no matter the organization. Developing and implementing a robust anti-fraud and compliance program can prevent future missteps. The results and findings identified during due diligence will help you develop plans that close the gaps post-transaction with appropriate anti-fraud and compliance programs.

What to do when you discover issues post-M&A

Now you know what to do for your next M&A, but what about past transactions? Is it too late to take action? Could you experience an unwelcome financial or regulatory hit?

Not necessarily. Here are three actions to take when fraud or other compliance-based issues are discovered after the M&A transaction is complete.

1. Implement an improved compliance program

What matters most is how the organization addresses previously unidentified issues. Implement an improved compliance program immediately, and make improvements to policies, procedures, training and monitoring activity. If your organization self-discloses or the issue is revealed another way, showing a robust response will help mitigate the potential impact.

2. Consider the risks and benefits to self-disclosure

There may be a benefit to self-disclosing any self-identified misconduct to the appropriate regulatory body. But disclosure brings its own risks, including increased scrutiny and the potential for litigation from relevant stakeholders. 

To disclose, or not disclose, is something that must be carefully weighed. It all depends on what the particular inappropriate behavior was, what the actual impact was and what the potential impact is going forward.

3. Cooperate in an investigation

If an investigation is launched, cooperation is key. By having your legal counsel cooperate with any government investigation, you can help lessen both the severity of the regulator’s response as well as any impact to your organization from third parties.

Learn more about fraud and compliance-based due diligence

To learn more about how to detect fraud, contact Wipfli. Our seasoned CPAs, fraud examiners, auditors and compliance specialists can help your healthcare entity uncover fraud and mitigate risks before a merger or acquisition is completed.

Related reading:

How to respond to fraud

Using data analytics to identify errors, waste and abuse

How to protect your medical practice from employee financial fraud

Author(s)

Marc Courey
Marc W. Courey
CPA/CFF, JD, LLM, CFE, CICA, CCEP, CIA, Director, Wipfli Advisory LLC
View Profile
Dru Carney
Dru D. Carney
MBA, CFE, CFCI, Senior Consultant, Wipfli Advisory LLC
View Profile

Discover how we can help you succeed in the modern healthcare landscape

2025 state of rural healthcare

Explore insights and stats in our third annual research report.

Download report

TOP PICKS

Stephanie Smith
Stephanie M. Smith 01/22/2026
AI in healthcare finance: Practicality over hype, strategy over speculation
Read full story
Paul Ouweneel
Paul D. Ouweneel 01/20/2026
Understanding your startup’s 409A valuation and the backsolve method
Read full story
Marc Courey
Marc W. Courey 05/11/2020
Why fraud-based due diligence is critical in healthcare M&A transactions
Read full story