Why fraud-based due diligence is critical in healthcare M&A transactions

Fraud can take many forms — and have just as many consequences. This is especially clear but often overlooked in M&A transactions.

Whether it’s stealing from the company or inflating earnings, fraud can have a major impact on an entity’s value and price. Finding fraud before a transaction is in the buyer and seller’s best interest.

For the seller, finding and dealing with fraud may increase the value or price a buyer is willing to pay. For the buyer, if the fraud is something that would decrease earnings in the future, they would want to estimate the impact prior to the purchase.

That’s why the focus of transaction due diligence should be on more than just financial performance and the ability for the transaction to fulfill promises to both sides. It must also include steps specifically developed to uncover fraud.

The consequences of not performing fraud-based due diligence

Sellers should consider performing due diligence in advance of a sale. This proactive approach: 1) allows the seller to identify and address fraud and compliance issues in a timely and early manner, 2) allows the seller to better position itself to potential buyers, making it more likely to garner its desired price and set the transaction up to have a smoother and faster close, and 3) prevent the buyer from identifying the fraud during their due diligence and therefore either decreasing the price or derailing the transaction altogether. 

For buyers, the consequences of not performing fraud-based due diligence are even greater. Fraud can bring future fines, penalties, criminal sanctions and other consequences, so discovering it prior to a transaction can save the buyer from major hardship. They may even want to withdraw from the transaction if the fraud would bring significant enough consequences.

Areas of risk

The National Health Care Anti-Fraud Association (NHCAA) estimates that, in 2018, $3.6 trillion was spent on healthcare in the U.S. and that at least 3% of it was lost to fraud (aka $108 billion).

There are many different types of fraud that can be perpetrated in a company. These include:

• Noncompliance with regulations
• Corruption
• Financial statement misstatement
• Tax return misstatements
• Asset misappropriation
• Theft of intellectual property and trade secrets
• Stealing of company resources
• Illegal use of company assets

We’ll go through some quick examples.

Noncompliance with regulations could be services provided by or billed for unlicensed personnel.

Corruption includes things like payment to physicians to prescribe certain drugs or perform additional or unnecessary procedures.

Stealing of company resources includes examples like stealing pharmaceuticals, pocketing cash payments from patients, using company assets for personal gain, and stealing employee or patient information. With strict privacy laws in the healthcare industry, this latter example has the potential to also result in significant regulatory fines. 

If any of these types of fraud are discovered during an M&A transaction’s due diligence process, that could dramatically change the value of the entity and/or cause the buyer to walk away. If they aren’t discovered, then the buyer is left with potentially steep consequences. For example, if the Anti-Kickback Statute and Stark Law violations are uncovered afterward, then the organization may be prevented from billing Medicare in the future.

Fraud and compliance risk assessments

So how exactly do you identify fraud in higher-risk areas? You rely on an experienced third party to perform a risk assessment.

This third party knows what to look for and where to look for it. Plus, by having a third party assist, the acquirer benefits from the third party’s independence and objectivity, the increased confidence in the transaction that results from this type of due diligence, and the better understanding of the target’s value.

The risk assessment asks things like: Does the organization have adequate controls? Do they monitor employee compliance with policies and procedures? If there were past compliance failures or fraud, did they perform remedial measures, were those measures adequate and is there monitoring in place to help ensure those measures are being followed?

If the acquirer does decide to go through with the transaction, then the risk gaps can be closed as much as possible.

Regulatory compliance should be included within the fraud risk assessment for healthcare organizations. For example, the risk assessment should verify that the facility has conducted a community health needs assessment in the previous three years, or that written emergency care policies exist. While these are not directly fraud related, the lack of either may increase the potential for fraud to occur or go undetected.

Four signs of potential trouble

In a healthcare M&A transaction, there are certain things that could indicate fraud or compliance risks. Here are four of the bigger signs:

1. High turnover in key roles

This can indicate that certain key employees were aware of inappropriate activities and disagreed with them. If the targeted organization has an anonymous reporting mechanism and has received whistleblower complaints, you should review those complaints and how the target acted on them.

2. Spikes in inventory, receivables or other key accounts

Unexpected spikes in financial accounts such as inventory or receivables can indicate that someone is trying to bump up the value of the targeted organization. Unexpected spikes in key performance metrics can indicate intentional manipulation of results or actual but unsustainable performance. Fraud-based due diligence can identify not only whether the results are sustainable but also whether it was the result of intentional manipulation.

3. Extraordinary results

Buyers want to acquire a great performer, but they should always be skeptical of a target with extraordinary results.

Fraud-based due diligence should include performing data analytics on financials and looking at how the targeted entity compares to similar entities. Where do they stand out? Can their management provide reasonable explanations for extraordinary performance? Are there subjective components or methodologies that could be affecting the results?

Due diligence can help buyers discover whether extraordinary results are because of 1) a truly outstanding organization, 2) poorly designed or implemented processes or 3) intentional actions to bolster the seller’s current position and fetch a higher price.

4. Comparable organizations experience certain risks

Pay attention to what fraud or compliance failures similar organizations have had. That can shed light on where risks may be. Not all organizations are susceptible to the same risks, but similar organizations operating in a similar environment can face the same pressures and risks that lead to inadvertent or intentional missteps.

International business risks

The healthcare industry also includes entities providing healthcare goods and products. Entities such as pharmaceutical companies and equipment or consumable manufacturers can be deeply involved in business in other countries.

In this case, the buyer must consider the potential for prior Foreign Corrupt Practices Act (FCPA) violations, such as bribery. They could inherit liability from those violations and be responsible for paying fines and even undergoing court-ordered monitoring to ensure future compliance.

If there haven’t been FCPA violations, a risk assessment can identify the risks of the environment(s) the target operates in and evaluate the adequacy of their compliance program. Don’t overlook third-party relationships (e.g., joint ventures, business partners and sales relationships), either, because buyers can bear responsibility for their FCPA failures as well.

Learn more about fraud and compliance-based due diligence

We covered the consequences of fraud, business areas most at risk, and signs of trouble, but what should you include in your fraud-based due diligence process? And what should you do if you discover issues after an acquisition is complete? Find out in part II.