
Dear HBoF: Is There Internal Theft at My Medspa?

I am a former aesthetic nurse injector who opened my first medspa in 2014. I now own three self-pay medspas across the metro area, doing laser, injectables, and body contouring. Last month my bookkeeper sent me the July P&L and something felt off. When I pulled up my practice management dashboard, appointment volume was up 14% from June, but revenue was down 6%.

When I asked my office manager at one of my locations to walk me through it, she came back with reasons that did not connect for me. Two clients had received partial refunds during a slow week, a few staff had comped sessions for VIP clients before a launch event, and one package was reclassified to a different service category mid-month. Each answer sounded reasonable when I read it back to her. Strung together, the explanations sounded rehearsed.

So I drove to that location and watched the building from a coffee shop across the street over two afternoons that week. I recognized several clients pulling in as regulars. They walked in, stayed around 45 minutes, walked back out to their cars. Everything I could see from the street looked like routine treatment visits. Each night I pulled the daily transaction report. By the second night I had four appointments showing no payment posted at all, and two more with partial payments and manual adjustments attached, all signed off by my office manager.

Cross-checking the booking records for the clients I had watched pointed me to a second concern. One of them had paid a $200 deposit at the time of booking. Our system should have applied that deposit to her service balance when she checked in. The deposit was not showing applied to her account. Every client at our medspas puts $200 down at booking once they are past their first visit, which then applies to their service total at check-in or is forfeited if they cancel inside our 24-hour window. I have no idea whether other forfeited deposits ever made it into revenue, or whether deposits for cancelled appointments got refunded to clients who should not have qualified for a refund under the policy I wrote.

I cannot tell whether I am looking at sloppy front desk work, internal theft, or both. My office manager has been with me for seven years. I gave her a bonus when we opened locations two and three. She came to my daughter’s bat mitzvah last spring. The thought of accusing her of something keeps me up at night, and the thought of doing nothing keeps me up at night too.

Here is where I need your help. Are there checks I can run this weekend, without involving anyone at the front desk, that would tell me whether my gut read is right?


What you described is one of the most common patterns I see when I review self-pay medspa books for signs of employee theft. Everything in your letter supports your gut read, and you noticed the discrepancy before your bookkeeper did. The question you are really asking is how to check whether an employee is stealing from your medspa without involving anyone yet.

The three explanations your office manager gave you (refunds during a slow week, comps for VIP clients, package reclassification) are three of the most common categories of revenue manipulation I investigate first in any multi-location self-pay practice. Each one is a legitimate business activity that can be misused by anyone with PMS access. The question is whether her version of events matches what your data has been recording the whole time.

Run all three checks before drawing any conclusions about what you are seeing.


The first check is appointment-to-payment matching, and it is the one to run first when you suspect front desk or back office skimming. You are confirming that every completed appointment on your schedule produced a matching payment in your bank account or your card processor settlement.

Pull a 90-day appointment report from your practice management system showing every appointment marked as completed. Export the report into Excel for sorting. Then pull a matching 90-day transaction report showing every payment collected by date, by amount, by client name, and by staff member who processed the transaction. Lay the two reports side by side and match each appointment to its payment.

Appointments will fall into three buckets: matched to a payment, unmatched with a legitimate explanation (prepaid package usage, documented complimentary follow-ups, prior credit on file, third-party financing platforms like Cherry or CareCredit, gift card redemption), and unmatched with no explanation. Most appointments should not have a missing payment match. The pattern that signals a problem is when unmatched appointments cluster around one staff member, one time of day, or one service type. In my professional experience reviewing self-pay practices, a healthy match rate runs at 95% or higher, and anything below 90% is a signal that money is moving outside the system.

The second check is refund analysis, which is where refund manipulation patterns show up. Your goal is to verify that every refund processed has a documented reason, a client request, and a refund destination that matches the original payment method.


Pull a 90-day refund report from your PMS showing every refund processed, by date, by amount, by client, by staff member who processed it, and by destination (cash, check, credit card return). Then run a 90-day new sales report for the same window. Calculate your refund-to-sales ratio overall and by staff member. In my experience, a healthy aesthetic practice runs a refund-to-sales ratio under 3%, and anything higher needs a documented business explanation.

Signs of manipulation include refund spikes from one staff member, refunds processed outside the manager’s documented working hours, refunds without a documented client request or signature, and refunds where the destination does not match the original payment method. A common example is the client who paid by credit card but received the refund in cash. In a healthy refund pattern, every entry has a corresponding client communication, a documented reason, and a destination that matches the original payment.

Deposit-to-appointment matching is where the question you raised becomes a test. The point is to track whether every $200 booking deposit your medspa collected was either applied to a completed service, forfeited under your 24-hour cancellation policy, or refunded for a documented in-window cancellation.

Generate a 90-day deposit collected report from your PMS showing every deposit taken in. Pull three separate reports for the same window: deposits applied to services, deposits forfeited as revenue, and deposits refunded back to clients. Add up the three outcome categories. The total should equal the deposits collected. If the numbers do not match, the difference is money that should be in your bank account but is not, or money that left your bank account without authorization.

Warning signs in this report include deposits collected that do not appear in any of the three outcome categories, forfeited deposits that never posted as revenue to your books, and refunded deposits that went to clients who cancelled outside your 24-hour window. The healthy result is the three outcome categories summing exactly to the deposits collected, with zero unexplained difference.
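The three reconciliations above, as an added worked example that is not the column's own tool: a small Python script that runs them over constructed sample rows standing in for the 90-day PMS exports, reporting the match rate and payment gaps per staff member, the refund-to-sales ratio with destination mismatches, and the unexplained deposit difference. The field names, staff labels and amounts are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample rows standing in for the three 90-day PMS exports.
APPOINTMENTS = [  # id, client, staff who checked the client out, status, service price
    {"id": "A1", "client": "Jane", "staff": "mgr", "status": "completed", "price": 400.0},
    {"id": "A2", "client": "Kim", "staff": "rn1", "status": "completed", "price": 450.0},
    {"id": "A3", "client": "Lee", "staff": "mgr", "status": "completed", "price": 350.0},
    {"id": "A4", "client": "Pat", "staff": "mgr", "status": "completed", "price": 300.0},
    {"id": "A5", "client": "Sam", "staff": "rn1", "status": "completed", "price": 300.0},
    {"id": "A6", "client": "Ann", "staff": "rn1", "status": "cancelled", "price": 300.0},
]
PAYMENTS = [  # appointment id, amount collected, tender
    {"appt": "A2", "amount": 450.0, "method": "card"},
    {"appt": "A4", "amount": 150.0, "method": "card"},  # partial payment with a manual adjustment
    {"appt": "A5", "amount": 300.0, "method": "card"},
]
REFUNDS = [  # amount, how the client paid, how the refund went out, who processed it
    {"amount": 200.0, "paid_by": "card", "refund_to": "cash", "staff": "mgr"},
    {"amount": 50.0, "paid_by": "card", "refund_to": "card", "staff": "rn1"},
]
SALES_TOTAL = 2500.0  # new sales over the same 90 days
DEPOSITS = {"collected": 2000.0, "applied": 1000.0, "forfeited": 200.0, "refunded": 400.0}

def appointment_payment_check(appointments, payments):
    """Check 1: match every completed appointment to a full payment.
    Returns (match rate, count of unpaid or underpaid visits per staff member)."""
    paid = defaultdict(float)
    for p in payments:
        paid[p["appt"]] += p["amount"]
    completed = [a for a in appointments if a["status"] == "completed"]
    gaps = Counter(a["staff"] for a in completed if paid[a["id"]] < a["price"])
    return 1 - sum(gaps.values()) / len(completed), gaps

def refund_check(refunds, sales_total):
    """Check 2: refund-to-sales ratio, plus refunds whose destination differs from
    the original payment method, counted by the staff member who processed them."""
    ratio = sum(r["amount"] for r in refunds) / sales_total
    mismatched = Counter(r["staff"] for r in refunds if r["paid_by"] != r["refund_to"])
    return ratio, mismatched

def deposit_check(d):
    """Check 3: deposits collected minus (applied + forfeited + refunded); non-zero is unexplained."""
    return d["collected"] - (d["applied"] + d["forfeited"] + d["refunded"])

if __name__ == "__main__":
    print("check 1 (match rate, gaps by staff):", appointment_payment_check(APPOINTMENTS, PAYMENTS))
    print("check 2 (refund ratio, destination mismatches):", refund_check(REFUNDS, SALES_TOTAL))
    print("check 3 (unexplained deposit difference):", deposit_check(DEPOSITS))
```

On the sample rows every payment gap and the one cash refund of a card payment sit with the same staff label, which is the clustering the column says to look for; on a real export the rows come from the PMS reports named above.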

Once you have run all three, here is how to read the results.

Clean results across all three checks mean the volume-versus-revenue mismatch has an innocent explanation, like service mix shift, heavy prepaid package usage, or promotional pricing during the month. Run the same three checks monthly from here as your operational guardrail.

Irregularities in one check signal a process problem that needs operational fixing, along with a closer look at any staff member whose actions cluster in that check. The middle ground is uncomfortable, but it does not require immediate confrontation.

Two or three checks showing irregularities clustering around any one staff member means you are looking at potential occupational fraud. You need to bring in a Certified Fraud Examiner and your employment attorney before any conversation. Confrontation before evidence collection is a common mistake I see medspa owners make in these situations. The conversation, when it happens, needs to be planned, witnessed, and documented.

The sleepless nights are not a sign that something is wrong with you. They are a sign that your moral compass is working. This does not mean your office manager is stealing. It does mean your instinct to investigate before accusing is the correct one.

Run all three this weekend if you can. The data will tell you what to do next. You are not accusing anyone by reviewing your own books.







This article is designed to provide information only and should not be considered legal or tax advice. Because of the complexity of the law and the variables in your own personal tax and accounting situation, you can’t rely on our advice specifically related to your unique circumstances. In order to get the best tax savings and legal advice available to you, you should consult with your own accountant, attorney or advisor regarding your particular facts and circumstances. Healthy Bodies of Finance is an accounting firm that specializes in working with health and wellness providers. We provide monthly accounting & bookkeeping services and financial education. For more information on our specialized services for health and wellness providers please contact us at info@healthybodiesoffinance.com