Secretary of State Audit Summary (sos.oregon.gov/audits/Documents/2017-09.pdf)


Secretary of State Audit Summary Dennis Richardson, Secretary of State

Kip Memmott, Director, Audits Division

Report Number 2017‐09  May 2017 MMIS/ONE IT Systems Review 

OHA: Automated Medicaid eligibility is processed appropriately, yet manual input accuracy and eligibility override monitoring needs improvement

KEY FINDINGS

Two critical automated computer programs appropriately determined eligibility, enrolled Medicaid clients in coordinated care organizations, and made appropriate payments to those organizations based on eligibility information received.

Automated computer processes appropriately validated the Social Security number and citizenship status of applicants over 99.7% of the time in our review of over 425,000 records.

We reviewed 30 eligibility determinations and found seven (23%) had manual input errors. While only one error resulted in a client being determined eligible when they were not, each of the errors related to application information that could have resulted in inappropriate eligibility determinations.

Although their volume has significantly decreased over time, overrides of eligibility are not sufficiently monitored, meaning unauthorized overrides of Medicaid eligibility could occur.

Our review of 72 overridden eligibility segments showed caseworkers did not take proper action to clear 25 (35%). Overridden segments are not subject to automated processes that redetermine eligibility for certain clients.

Our 2011 audit recommendations to OHA and DHS concerning access to the Medicaid Management Information System have not been fully implemented, increasing security risk.

RECOMMENDATIONS SUMMARY

OHA should continue efforts to improve caseworker manual input accuracy through additional training, and implement a review process for input where errors negatively affect eligibility determination.

OHA managers should monitor eligibility overrides to prevent unauthorized validation and ensure state resources are spent appropriately.

OHA and DHS should fully implement our 2011 audit logical access recommendations.

AUDIT PURPOSE

In Oregon, over one million individuals have Medicaid coverage. Medicaid expenditures totaled $9.3 billion in fiscal year 2016, including $1.2 billion in state general funds. We conducted this audit to determine if two critical automated computer programs managed by the Oregon Health Authority accurately verify Medicaid client eligibility and accurately issue payments to healthcare providers. If these programs do not function properly, clients may inappropriately receive, or be denied, Medicaid benefits.

FINDINGS IMPACT

Manual input errors and lack of monitoring of overrides can cause inappropriate eligibility determinations and payments to providers. If agency leadership implements more effective monitoring of caseworker eligibility overrides and improves manual input accuracy, the state will better comply with eligibility requirements and increase accuracy of payments. Inaction will allow overrides and manual input errors to continue causing inappropriate payments to providers.


Secretary of State Audit Report Dennis Richardson, Secretary of State

Kip Memmott, Director, Audits Division


OHA: Automated Medicaid eligibility is processed appropriately, yet manual input accuracy and eligibility override monitoring needs improvement

Introduction 

Audit Purpose 

The purpose of this information technology audit was to determine whether two critical computer systems managed by the Oregon Health Authority (OHA) accurately determine Medicaid client eligibility, appropriately enroll clients with Coordinated Care Organizations (CCO), and issue accurate payments to those organizations.

We chose these systems because the majority of Medicaid eligibility determinations and payments are processed through them. If they do not function correctly, Medicaid clients may be inappropriately approved or denied for Medicaid benefits, and payments to providers may be in error.

OHA and the Department of Human Services rely on several other systems for eligibility determinations and payments. We intend to include other systems and processes related to Medicaid eligibility and payments in future audits.

Agency Response 

The Oregon Health Authority generally agreed with our findings and recommendations. The full agency response can be found at the end of the report.

Background 

Medicaid is a government program that provides health care coverage to low-income individuals and families. It is financed through joint federal and state funding and is administered by each state. The Oregon Health Authority (OHA) administers the Medicaid program and sets guidelines regarding eligibility and services in Oregon. Department of Human Services (DHS) staff work in partnership with OHA to ensure qualified individuals receive Medicaid coverage.


Most Medicaid clients in Oregon are enrolled with one of Oregon’s 16 Coordinated Care Organizations (CCOs). CCOs deliver health care services under contracts with OHA for a prescribed monthly fee, known as a capitated payment. Medicaid clients not enrolled in a CCO receive health care services from doctors, pharmacies and other professionals who submit individual claims to OHA for the services they perform.

The federal Patient Protection and Affordable Care Act, commonly called the Affordable Care Act (ACA), was signed into law on March 23, 2010 and implemented in Oregon beginning in January 2014. The ACA allowed Oregon to expand its Medicaid program to cover individuals who were not previously eligible. As a result, Medicaid eligibility in Oregon has grown from approximately 650,000 individuals in 2013 to over 1 million by the end of 2014. Medicaid eligibility has remained at about 1 million individuals since then.

Total Medicaid expenditures have likewise increased. During Fiscal Year (FY) 2013, expenditures for Medicaid at DHS and OHA totaled about $5.5 billion; in FY 2016, this increased to about $9.3 billion. These expenditures, which consist of medical assistance payments as well as administrative expenses, are processed through several different computer systems at DHS and OHA.

The federal share of Medicaid expenditures varies by type of expenditure and by medical assistance program. For medical assistance payments made on behalf of clients, the federal share ranges from about 64% for most clients to 100% for clients deemed newly eligible for Medicaid because of the ACA. Beginning in calendar year 2017, the federal government started reducing its share of funding for these clients, which will result in an increase in the state’s share of funding for these expenditures. Overall, state general fund Medicaid expenditures for fiscal year 2016 totaled over $1.2 billion.

OHA primarily uses the Medicaid Management Information System (MMIS) to pay health care providers for services they render to individuals who qualify for Medicaid. During FY 2016, MMIS processed over $6.7 billion in payments to providers, including about $4.9 billion to CCOs as capitated payments based on Medicaid enrollments.

In December 2015, OHA implemented a new computer application, the Oregon Eligibility system (ONE), specifically designed to determine whether individuals qualify for Medicaid according to the new ACA requirements. This system provides the needed core functionality to process most Medicaid applications. DHS uses other computer systems to determine eligibility for other specific groups of Medicaid clients. As of March 2017, approximately 69% of all Medicaid clients had their eligibility determined through the ONE system.

Oregon Medicaid provides health care coverage to approximately one million Oregonians. 

OHA uses a newly implemented computer system called the Oregon Eligibility system (ONE) to determine client eligibility for certain Medicaid benefit programs.   

ONE subsequently transfers eligibility information to the Medicaid Management Information System (MMIS), which enrolls clients in coordinated care organizations and pays providers for Medicaid services. MMIS processed about $6.7 billion to providers in fiscal year 2016. 

If these systems do not function correctly, clients may be inappropriately approved or denied for Medicaid benefits and payments to providers may be inappropriate. 


Audit Results 

Our work showed that the Oregon Eligibility system (ONE) appropriately determines Medicaid client eligibility, although manual input accuracy and eligibility override monitoring need improvement. ONE also accurately transmits eligibility information to the Medicaid Management Information System (MMIS) for further processing. We also found that MMIS appropriately enrolls Medicaid clients in Coordinated Care Organizations (CCO) and ensures accurate payments are made based on information received from ONE and other eligibility systems.

The ONE computer system accurately determines Medicaid eligibility, but manual procedures need improvement

Generally accepted computer controls indicate that transaction data should be checked for accuracy, completeness and validity. In addition, processes should be in place to timely detect and correct potential errors that may occur during computer processing. Any overrides applied to transaction processing should be monitored.

The ONE system receives Medicaid applications from several sources. OHA staff manually input applications they receive on paper or through telephone interviews using the Worker Portal. Applications may also enter ONE through an automatic computer interface with the federal health insurance exchange or from manual inputs by community health partners using ONE’s Applicant Portal.

As part of processing, ONE queries external sources to validate the accuracy of specific information, including the applicant’s Social Security number, date of birth, citizenship status, and whether the applicant is incarcerated. It also compares the applicant’s reported income to external sources including federal computer systems and the state’s Unemployment Insurance records to verify the level of income reported. If data does not pass these tests, ONE automatically sends the applicant a Request for Information (RFI) to provide the needed supporting documentation by a certain date.

For applications submitted through the federal exchange or the Applicant Portal that are complete, error free, and not duplicates of prior received applications, ONE determines eligibility and passes the record to MMIS without manual intervention. Applications entered through the Worker Portal, or submitted through the other sources where problems were detected, require caseworkers to direct ONE to continue processing the application to determine the applicant’s Medicaid eligibility. If a caseworker accepts the eligibility determination made by ONE and identifies no other issues with the case, they authorize the determination and the record is sent to MMIS. To date, most applications have required manual work by caseworkers in order to complete processing.

We tested automated and manual processes associated with ONE eligibility determinations. We found that ONE automated processes accurately determined Medicaid eligibility based on the information provided and accurately transferred eligibility information to MMIS for further processing. We reviewed more than 425,000 individual records and found that ONE appropriately validated the Social Security number and citizenship status of applicants, or properly sent RFIs to obtain assurance the reported information was correct, over 99.7% of the time.

However, Medicaid eligibility determinations also depend on accurate input of data that are not externally verified and on manual procedures performed by caseworkers. For example, state and federal rules do not require external validation of household composition, so accurate input of household status and size is critical for accurately determining whether household income levels qualify individuals for Medicaid. Also, while reported income is validated against external data, it often requires manual review to ensure that it is accurate. Accuracy for these elements needs improvement. In addition, caseworkers may override the eligibility determination made by ONE. Contrary to best practices, these overrides are not sufficiently monitored to ensure they were performed for approved reasons and that required actions to clear the override are taken.

Input accuracy needs improvement

Best practices indicate that information should be validated and edited as close to the point of origination as possible when information is input into a computer system. This allows errors to be caught and resolved quickly.

Though ONE appropriately ensures input is in the proper format and that certain conditions are met, it cannot determine whether input matches what is included on the application. It also cannot determine actions that should be taken when there are multiple applications or cases for a single individual, or how to interpret supplemental information received on a case, such as wage stubs submitted by applicants to prove their reported income is accurate. These actions depend on decisions and manual procedures by caseworkers.

We reviewed Medicaid eligibility determinations for 30 randomly selected individuals out of 541,577 individuals in the population to evaluate accuracy of input and eligibility determination. Although we identified errors in seven cases, only one error resulted in a client being determined eligible when they were not. For this error, the client was initially deemed eligible on a case that included only the client. A second application was submitted that added members to the client’s household and reported a new income level that would have made the client no longer eligible for Medicaid benefits. OHA indicated that the first case should have been closed and the client should have been evaluated on the second case, but this did not occur. Based on our evaluation, inappropriate capitated payments of $1,778 have been made over four months through January 2017.

The other errors had no impact on capitated payments. Two errors resulted in clients being determined eligible for the wrong benefit program and were related to household size and income evaluations by caseworkers. In both cases, the clients were eligible for Medicaid and the capitated payments would have been the same if they had been placed in the correct program. The remaining four errors were minor and had no effect on the eligibility determination or subsequent capitated payments. However, for each of the seven errors, the data element involved had the potential to affect eligibility determination or the benefit start date.

Table 1: Types of Input Errors Found During Testing 

| Description | Effect |
|---|---|
| The income level on a new application would have made the client ineligible, but the caseworker did not close the existing case first. (1 error) | Medicaid benefits from the first case continued, resulting in inappropriate capitated payments that totaled $1,778 for four months. |
| Caseworker made errors evaluating the household size and income level. (2 errors) | Clients appropriately determined eligible for Medicaid but placed in the wrong benefit program. |
| Caseworker incorrectly determined household size, incorrect application date entered, income attributed to wrong household member. (4 errors) | No effect on Medicaid eligibility. Each of these could have affected eligibility given other circumstances. |

OHA has implemented a quality assurance process that includes reviewing weekly samples of cases to evaluate completeness and accuracy of input, and other procedures followed to enter and process Medicaid applications. This process has also identified errors in input accuracy, though not all of the data elements reviewed in the quality assurance process affect eligibility. One of the individual data elements with the highest level of errors detected is for input or validation of income. Out of 1,241 cases reviewed through December 2016, OHA detected 182 errors associated with income or income processing, or about 15%. OHA intends to develop additional training and procedures for caseworkers to improve these measures, but this work was still in process during our audit.

These errors are due in part to the complex nature of processing Medicaid applications and evaluating supporting documentation. OHA has developed multiple procedures to instruct workers on actions to take when evaluating supporting documents or clearing tasks. These procedures have been developed over the course of the first year of ONE operation and continue to undergo changes.


Inadequate monitoring of overrides 

For applications requiring manual work, a caseworker must authorize the eligibility determination made by ONE, which is then transmitted to MMIS. Depending on the characteristics of the case, this determination may consist of one or more eligibility segments covering particular time periods, including a final segment that defines ongoing eligibility. The caseworker may override the determination for individual eligibility segments, though they are expected to do so only under certain circumstances. Caseworkers may also prevent ONE from sending automated RFIs to clients, which is appropriate if information can be otherwise validated. Best practices dictate that these types of overrides should be monitored to ensure they are appropriate and, if needed, cleared to allow the system to resume automated functions.

OHA has developed procedures for caseworkers to follow when overriding eligibility, including defining the specific instances when overrides should occur, and has also provided instructions on documenting and performing the override. For example, for some segments that are overridden, workers are instructed to create a system task to review the override at a later date to ensure subsequent appropriate actions are taken on a case.

However, OHA has not implemented standard processes to review or monitor overrides or actions that prevent RFIs from being issued. Without this standardized review, unauthorized overrides of Medicaid eligibility could occur, which could lead to Medicaid clients being granted eligibility when they were not eligible, or being denied benefits when they were eligible. In addition, when the final segment that defines ongoing eligibility for an individual is in “override” status, certain automated processes performed by ONE are circumvented. For example, ONE has a process to identify clients who are aging out of one type of assistance to another, and redetermine their eligibility in the new category. This redetermination could result in the client being deemed ineligible for ongoing benefits. This process is not run for an individual whose final eligibility segment is in override status.

We evaluated overrides and subsequent actions to resolve cases in override status. We found that the volume of overrides is decreasing significantly, from a peak of 10% of all eligibility segments during May 2016, to 4% in June, to less than 1% of segments from July onward. This decrease was due largely to changes in procedures.

We also reviewed 72 overridden eligibility segments out of a population of 31,059 approved segments that were overridden. We found that while these overrides were performed for approved reasons, workers did not set up a task to review the override at a later date in nine of the segments reviewed. In addition, even when a caseworker initially entered the override using established procedures, proper action to later clear the override was not taken in 25 of the segments we reviewed. These segments remained in override status and were therefore not subject to further processing procedures. Two of these records were for individuals who should have had their eligibility redetermined due to aging out of one type of assistance to another. The overall effect of the lack of redetermination was an underpayment to CCOs of $1,809 over a period of seven months, ending January 2017.

Tests of other areas also revealed problems associated with the lack of appropriate action taken on overridden eligibility segments. For example, we tested RFIs to ensure they were appropriately resolved. We tested 75 RFIs from an overall population of 180,676. This included 14 RFIs from a population of 2,815 that we identified as high risk. We considered these to be high risk because they were still open more than one month past their expiration date and the individuals had been determined eligible. Of the RFIs we tested, 12 were not appropriately resolved for eligibility segments still in override status, including 9 from the high risk population. For these individuals, benefits should have ended after the expiration of the RFI based on an established cutoff date in ONE. However, automated processes to end benefits did not occur due to the override. In addition, no manual action had been taken to either authorize or end continuing benefits. Payments made to CCOs on behalf of these clients after the RFI expiration cutoff date totaled $18,902 from July 2016 through January 2017.

MMIS Properly Enrolls Medicaid Clients and Ensures Payments are Appropriate

ONE, along with several other eligibility source systems, sends Medicaid eligibility information to MMIS, which applies edits to these transactions and accepts or rejects the record. It creates or updates the individual’s record in MMIS with information from the source system and assigns the benefit plan and other coding needed for further processing.

If clients are in a population that requires CCO enrollment, but did not choose a CCO when applying for benefits, MMIS ensures they are enrolled through an auto-enrollment process. MMIS transmits the enrollment information to CCOs, which are expected to compare this information to their own records and report back to OHA if there are differences. OHA reviews these responses and generates corrections to MMIS records, or provides further information to the CCOs, as needed.

MMIS uses a combination of eligibility information, client demographics, and enrollment data to determine and process monthly capitated payments to CCOs. It also runs weekly adjustment jobs and can adjust prior payments up to one year in the past, based on changes that would have affected those payments.

Overall, we found that MMIS controls provide reasonable assurance that Medicaid clients are appropriately enrolled in CCOs and that payments to these organizations are appropriate, based on the information received from multiple eligibility source systems, including ONE. If this information were incorrect, it would affect the overall accuracy of MMIS processes and payments.

Specifically, we found:

Capitation payment rates for each CCO were appropriately loaded into MMIS.

Rates were appropriately used for payments, based on client demographics and capitation category.

Controls were sufficient to ensure clients were appropriately enrolled in CCOs.

OHA reconciles enrollment data with CCOs to ensure that records match, and this reconciliation shows a fairly low number of reported discrepancies.

Some prior audit findings remain unresolved

As required by audit standards, we evaluated the status of prior audit findings from an audit we completed in 2011. Specifically, our management letter made three recommendations to address MMIS logical access findings.

MMIS user roles are not well defined or documented

The prior audit found that MMIS roles granted to users appropriately restricted access to the system as a whole, but they were not sufficiently defined or designed to ensure users received only the access they needed to perform their duties. We recommended management review all MMIS user roles and make adjustments as needed to ensure they are appropriately designed to provide access based on least privilege principles.

During our current audit, MMIS security administrators indicated that reviews of roles have occurred since the prior audit, and that they are continuing to monitor them. They also reported that several roles have been modified to ensure more granular access. However, we found that MMIS roles remain generally defined. For example, a role may identify that it grants “update” access to a particular subsystem, without details regarding which pages or panels allow update and which do not. Currently, determining which users have access to which specific functions is not possible without a manual review of security subsystem settings. This lack of granularity in defining the roles increases the risk that users will have access to more functions than they need to perform their jobs.

Logical access is not reviewed

Our prior audit also identified that staff did not always remove user accounts from MMIS in a timely manner and managers were not periodically reviewing access granted to users. We recommended that management ensure managers perform effective review of access granted to their personnel.

A current DHS/OHA policy indicates access will be reviewed annually by managers. However, MMIS security administrators reported they have no practical way to identify which users work for which managers. As a result, there is no formal, enforced process for review of MMIS access, except for existing inactivity and employee termination reports. Without an effective review, current users may retain access that is no longer needed to perform their jobs.

Audit trails were insufficient 

During our prior audit, we found MMIS lacked complete audit trails to identify who granted users what access, and when. We recommended that management ensure appropriate audit trails exist to monitor changes to users’ access privileges.

Currently, a variety of tools are available to show when a user was granted access, and who granted it, but some of these tools rely on manual actions to capture the information. In addition, MMIS administrators indicated that they conduct periodic scans to identify users with excessive or contradictory roles.

After considering management’s current procedures, we concluded that if user access was being effectively reviewed, the risk associated with the lack of audit trails would be reduced, and therefore a potentially expensive technical modification of MMIS to develop this level of audit trail may not be justified. As a result, we consider this recommendation resolved.


Recommendations 

We recommend that OHA management:

Continue to develop strategies to evaluate and improve caseworker input accuracy. In particular, we recommend management consider implementing a review process for portions of input identified as having higher error rates and that negatively affect eligibility determination.

Develop procedures to monitor overrides to ensure they are performed only for approved reasons and that needed subsequent actions on these cases are timely.

To fully resolve prior audit findings for MMIS, we recommend OHA and DHS management:

Ensure system documentation is available to facilitate a granular review of permissions granted for each role.

Ensure managers perform effective periodic reviews of access granted to their personnel.


Objectives, Scope, and Methodology 

Our audit objectives were to:

Determine whether the Oregon Health Authority’s (OHA) Oregon Eligibility (ONE) system appropriately determines Medicaid client eligibility.

Determine whether OHA’s Medicaid Management Information System (MMIS) reasonably ensures that Medicaid clients are appropriately enrolled in coordinated care organizations and that payments to these organizations are accurate.

Our review of the ONE system focused on automated system processes designed to accurately process Medicaid applications and determine Medicaid eligibility. The review also evaluated the accuracy of data input by caseworkers into ONE and considered actions taken to resolve items that had been pending in the system.

Our review of MMIS primarily focused on capitated payments made to coordinated care organizations and on enrollment of clients into CCOs, regardless of the origination of the eligibility determination.

We conducted interviews with OHA and DHS personnel and observed operations and processes. We examined selected policies and procedures associated with processing of Medicaid applications through the ONE system. We also examined technical documentation relating to ONE and MMIS and their architecture.

We assessed the reliability of MMIS and ONE data by reviewing existing information about the data and the system that produced them, evaluating the queries used to download the data, and interviewing agency officials knowledgeable about the data. In addition, we traced a random sample of data to other data files, to available source documents, and to production screens. We determined that the data were sufficiently reliable for the purposes of this report.

ToevaluatewhetherONEappropriatelydeterminedMedicaideligibility,we:

obtaineddownloadsofONEdatathatincludedcase,eligibility,RFIandoverridedatafromDecember2015throughOctober2016; randomlyselected30individualsoutofapopulationof541,577individualswithatleastoneapprovedeligibilitysegmentandtestedwhetherselectedportionsoftheapplicationsuchashouseholdcompositionandreportedincomewereaccuratelyrecordedorverifiedintheONEsystem,andwhethertheeligibilitydeterminationmadebytheONEsystemfortheseindividualswasappropriate; randomlyselected75requestsforinformation(RFI)fromvaryingpopulations,including14fromahighriskpopulationof2,815,andevaluatedwhetherappropriateactionwastakentoresolvethem;

- examined whether individuals who had turned age 1 or 19 were appropriately redetermined by ONE to evaluate whether the individuals were still eligible for Medicaid under a new program;
- examined whether Social Security numbers and citizenship status had been verified from external sources, and whether appropriate RFIs were issued if they had not been verified, out of applicable populations of 445,907 individuals and 426,102 individuals, respectively;
- randomly selected 72 approved overridden eligibility segments from varying populations, out of a total summarized population of 31,059 individual, case, and type of assistance combinations and evaluated whether the override was performed for an approved reason and that appropriate action had been taken to resolve the override;
- conducted a limited review of ONE change management procedures; and
- conducted other data integrity tests to ensure basic logical conditions and eligibility requirements were met.

For the items tested through a sample, we performed the tests to evaluate the relative strength or weakness of particular controls. The sample selections and tests performed were not designed to project the results to the population.

We also tested whether eligibility determinations made in ONE were appropriately recorded in MMIS.

We obtained MMIS capitated payment data, and enrollment and eligibility records for the period of December 2015 through August 2016. We primarily evaluated the period of January 2016 through June 2016 for the tests described below. For this period, there were 6,467,147 individual capitated payment records, 5,125,876 records showing enrollment data, and 2,068,074 records for eligibility data.

To evaluate whether MMIS made proper enrollments and made appropriate capitation payments, we:

- evaluated whether the process to load capitation rates for CCOs into MMIS was appropriately controlled;
- evaluated whether capitated payments were made using the approved rates;
- evaluated whether duplicate payments to CCOs were made on behalf of individuals;
- evaluated whether payments were only made on behalf of enrolled and eligible recipients and only to recipients’ selected or assigned CCO;
- evaluated whether MMIS generated capitated payments for all properly enrolled and eligible recipients;
- evaluated whether recipients in MMIS were assigned appropriate coding based on their age;

- randomly selected 30 records and evaluated whether the clients were timely enrolled with a CCO, based on the date the eligibility records were recorded in MMIS;
- evaluated whether ineligible recipients in MMIS were inappropriately enrolled with a CCO; and
- conducted limited reviews of MMIS change management and logical access procedures.

We used the ISACA publication “Control Objectives for Information and Related Technology” (COBIT), and the United States Government Accountability Office’s publication “Federal Information System Controls Audit Manual” (FISCAM) to identify generally accepted control objectives and practices for information systems.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained and reported provides a reasonable basis to achieve our audit objective.

Auditors from our office, who were not involved with the audit, reviewed our report for accuracy, checking facts and conclusions against our supporting evidence.


 

About the Secretary of State Audits Division 

 

The Oregon Constitution provides that the Secretary of State shall be, by virtue of the office, Auditor of Public Accounts. The Audits Division exists to carry out this duty. The division reports to the elected Secretary of State and is independent of other agencies within the Executive, Legislative, and Judicial branches of Oregon government. The division is authorized to audit all state officers, agencies, boards, and commissions and oversees audits and financial reporting for local governments.

Audit Team

William Garber, CGFM, MPA, Deputy Director

Neal E. Weatherspoon, CPA, CISA, CISSP, Audit Manager

Teresa L. Furnish, CISA, Audit Manager

Erika A. Ungern, CISA, CISSP, Principal Auditor

Amy K. Mettler, CPA, CISA, Staff Auditor

Luis Sandoval, MPA, Staff Auditor

This report, a public record, is intended to promote the best possible management of public resources. Copies may be obtained from:

website: sos.oregon.gov/audits

phone: 503‐986‐2255

mail: Oregon Audits Division, 255 Capitol Street NE, Suite 500, Salem, Oregon 97310

The courtesies and cooperation extended by officials and employees of the Oregon Health Authority and the Oregon Department of Human Services during the course of this audit were commendable and sincerely appreciated.