How to Uncover and End Billing Fraud
Joel Herman, CPA
Most attorneys are adamant that their firm bills clients appropriately — no padding time records, exaggerating expenses or performing unnecessary work to bill a client more. Yet, it occurs regularly, perhaps while partners ignore the questionable billing habits from either a lone attorney or a larger subgroup at the firm.
This could open the doors to disciplinary action and litigation, not to mention public injury to a firm’s reputation. So, it is critical to uncover and end any billing fraud that might be occurring in your firm.
Who is responsible?
While anyone at your firm, including partners, associates and paralegals, can falsify timesheets, your billing partners and administrators ultimately are responsible for ensuring that bills are accurate and fair. If your billing partner regularly “rubber stamps” time records, you should evaluate and change that process.
Create — or update — a bill preparation checklist and require that everyone who is responsible for billing clients adhere to it. While your firm’s practice type and fee methodology will determine specific areas of vulnerability to billing fraud, billing partners and administrators should be on the lookout for the following:
- Incomplete Descriptions
Cryptic or incomplete summaries of services are not unethical, but they may be suspicious. If an attorney billing big hours appears to cut and paste a handful of non-specific descriptions such as “e-mail client,” or “phone conference with associate,” ask him or her to provide brief, yet more explicit topics or descriptions that can be verified as actual client work.
- Math Mistakes and Rounding Errors
Everyone makes an occasional math mistake. Review bills from lawyers who regularly submit invoices with hourly totals unsupported by line item descriptions. Also, flag attorneys who bill only full or half hours (as opposed to quarter-hour increments) or who bill close to the same number of hours every day.
- Extra Hours
It is not unusual for lawyers to regularly work long days or to put in extra hours as a case nears trial or a deal approaches closing. However, if an attorney routinely bills 12 to 15 hours a day, particularly if other lawyers on the team are not working those same hours, something could be amiss.
- Expense Padding
One of the most common ways that professionals defraud clients is by padding their expenses. Often, firm administrators review expense reimbursement requests that are absorbed as operating costs of the firm with greater scrutiny than expense reimbursements for which the cost will be passed on to a client. Train your accounting staff and billing partners to spot inflated amounts, falsified receipts and personal charges marked as client-related expenses.
What about firm culture?
Scrutinizing time and expense reports for inaccuracies is only one element of preventing billing fraud. Falsified bills may arise from deeper cultural problems, including unrealistic performance expectations and tolerance for unethical behavior.
How many hours do you require of associates? Setting the bar too high may induce an attorney to falsify billing records to meet the target hours. Some critics assert that the billable hour (and compensation models that reward top billers) encourages exaggeration. Others claim that some professionals will cheat regardless of billing methodology, particularly in times of economic insecurity or when under personal financial pressure.
What can you do?
The most important step a firm can take is to set the proper tone. Firm leaders need to foster an ethical environment. To start, provide and require ethics training for new employees. Then set reasonable expectations for both workloads and performance. Be sure to compensate partners and employees for quality as well as quantity.
It is important to encourage both employees and clients to report potential billing fraud, and to protect whistleblowers from reprisal. Finally, managing and senior partners need to lead by example and ensure that their own words and conduct — whether with clients, colleagues or employees — are above reproach.
What you can do next
While some bill padding incidents are open-and-shut cases of fraud and need to be handled as such, other incidents are murkier. When questions arise, do not automatically assume fraud is occurring. For example, sometimes legitimate services may be billed for more hours than is expected or customary. The issue might not be fraud, but rather, time management or organizational skills. In that case, the solution could be providing the attorney with appropriate resources and training.
Cyber Security for Law Firms
Rob Swenson, CPA, MST
The leak of the so-called Panama Papers—11.5 million documents with financial and legal information stolen from an international law firm—made headlines around the globe in 2016. While the well-known names included in the papers were the focus of many news stories, the hacking incident also highlighted the cyber risks confronting law firms of all sizes. Yet many firms continue to lag behind other businesses when it comes to taking the measures necessary to prevent and mitigate attacks.
The current landscape
One reason many firms are behind the curve on their cyber security is the cost. The minimum defense — security-focused software — can be expensive. But cost justifications fall in the face of the risks.
As the American Bar Association (ABA) has pointed out, law firms are cyber criminal targets for two reasons:
- They gather, store and use highly sensitive client information, while at times using safeguards inferior to those of their clients.
- This information is more likely to be of interest to a hacker and likely represents a smaller amount of information than the client has.
The ABA categorizes hacking and data loss in terms of “when,” not “if.” Clients seem to be coming to the same conclusion. They have begun to demand certain levels of data security and include such specifications in their retainer agreements (sometimes unbeknownst to their law firms until too late).
Others are taking more drastic steps to protect themselves. In 2016, for example, a class action lawsuit was filed against a Chicago firm based on its “practice of systematically exposing confidential client information and storing client data without adequate security.” Notably, the firm had not actually been hacked and had suffered no known data breaches.
Firms that have been attacked have incurred a range of damage. In addition to the loss of confidential files and information, cyber attacks can lead to downtime and loss of billable hours, costly mitigation and recovery efforts, higher insurance rates and long-lasting reputational injury.
Despite these risks, a 2017 ABA survey found that only 26% of respondent law firms had a data breach incident response plan in place. Of firms with two to nine attorneys, 14% had the plans and only 10% of solo practitioners had them.
Protect yourself and your clients
At a minimum, law firms should incorporate the following security measures into their way of doing business:
- Employee Training
The Ponemon Institute, an independent researcher on privacy, data protection and information security policy, has found that negligent insiders are the root cause of most data breaches. One unthinking click on a link in a phishing email, for example, could unleash malware that paralyzes the entire firm. Additionally, the risks are exponentially higher when employees work remotely via multiple, easily misplaced or stolen devices, often over vulnerable public Wi-Fi networks. Employees must receive regular training on the risks and how they should handle them.
- Encryption
Encryption is nothing new, but many law firms have not adopted it on the widespread basis that they should. Perhaps the lapse is due to the time and expense previously involved in establishing encryption, but the process is quite simple and cost-efficient these days. Firms should require whole-disk encryption of every desktop or laptop computer, mobile device, USB flash drive and hard drive used to store data.
- Patches & Updates
Yes, it can be a pain to keep up on updates to the operating system or software. But it is important to remember that such updates and patches usually are released in response to the discovery of security vulnerabilities.
- Incident Response Plans
The 2017 ABA survey showed an improvement in the number of firms with plans, but many remain without a road map for how to respond to an attack. Your plan should clearly describe the individual roles (and name the respective attorneys and other employees), processes and procedures to be implemented. It should be concise and immediately actionable when needed.
The time is now
Law firms that relegate cyber security to the IT department or think of it as a one-time project make a serious mistake. The risk — and the steps to mitigate that risk and recover when disaster strikes — calls for an ongoing, firm-wide effort.
Sidebar: The ethics element
Effective cyber security is more than just a smart business practice — it is also a matter of ethics. Bar associations have recognized the cyber risks that attorneys bear and increasingly are moving to address the issue with rules and opinions.
For example, the New York County Lawyers Association issued an ethics opinion in 2017 that says the New York Rules of Professional Conduct require lawyers to stay current with technological developments. Moreover, the opinion states that a lawyer’s “duty of technological competence may include having the requisite technological knowledge to reduce the risk of disclosure of client information through hacking or errors in technology.”
The American Bar Association also tackled cyber security in 2017, in its Standing Committee on Ethics and Professional Responsibility Formal Opinion 477, Securing Communication of Protected Client Information. It adopts a “fact-specific approach to business security obligations that requires a process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented and ensure that they are continually updated in response to new developments.”