Recurring Findings

Health Care: Recurring Significant Internal Control Deficiencies
Federal Program | Issue | First Year Reported | Department's Assertion | Page Number
Federal Program: Medicaid Cluster

Issue: During our audit for fiscal year 2011-12, we reported that Health Care Services did not have adequate policies and procedures in place to monitor subrecipients in accordance with federal requirements. In fiscal year 2012-13, we found Health Care Services implemented some corrective action but continues to lack adequate policies and procedures to monitor subrecipients.

Health Care Services provides services under the Medicaid program through various subrecipients. For example, monies are passed through to counties, or local government agencies, which are responsible for eligibility determination and other administrative activities. Funds are also passed through to local education consortiums and other nonprofit organizations for reimbursement of expenditures for Medicaid programs and administrative costs. Health Care Services disbursed $1.96 billion to subrecipients for county and school-based administrative activities in fiscal year 2012-13.

Health Care Services monitors its subrecipients through various mechanisms. For example, Health Care Services policy requires that a site visit be conducted for each county or local government agency once every four years and once every three years for school-based organizations. Our audit found the following:

• Health Care Services does not have policies and procedures in place to ensure that DUNS numbers are obtained from its subrecipients prior to awarding of federal funds. Failure to obtain DUNS numbers increases the risk that subrecipients may spend federal funds for unallowable purposes or incorrectly report subawards.
• In April 2011, Health Care Services implemented travel restrictions and analysts were unable to perform all planned site visits. When unable to travel, the school-based unit performs desk reviews, which are equivalent in scope to a site visit. However, we identified that 9 of the 28 local government agencies or local education consortiums that are part of the school-based program had no site visit or desk review performed within the last three years. Lack of adequate monitoring increases the risk that Medicaid funds may not be spent for an allowable purpose.
• Health Care Services does not have policies and procedures in place to obtain OMB Circular A-133 audit reports from local education consortiums and nonprofit organizations. As a result, Health Care Services does not determine whether appropriate and timely corrective action has been taken with respect to Medicaid findings.

First Year Reported: 2011-12

Department's Assertion:

1. Develop policies and procedures to obtain DUNS numbers prior to awarding federal funds.
DHCS Response: DHCS agrees with the recommendation. DHCS’ Medi-Cal Administrative Activities (MAA) program contract agreements do not currently contain relevant award language for obtaining contractors' data universal numbers (DUNS) prior to the awarding of federal funds. DHCS will add contract language in the Exhibit B, Budget Detail and Payment Provision section to require Local Governmental Agencies (LGAs) and Local Educational Consortiums (LECs) to submit the appropriate documentation to Health Care Services indicating their DUNS number prior to final execution of the contract agreement. The MAA program will forward a copy to DHCS accounting section prior to the payment of invoices. DHCS will also revise contract language to require LGAs and LECs to include this language in contracts with their subrecipients and/or vendors. LGA/LEC compliance with this directive will be monitored and verified during onsite visits.

2. Ensure that site visits are performed in accordance with department policy.
DHCS Response: DHCS agrees with the recommendation. In April 2011, DHCS imposed travel restrictions and all site visits were issued a directive to cease. During Fiscal Year 2011/12, the MAA programs instituted desk review processes that are equitable to the site visit process to ensure adherence to the requirement to conduct LGA/LEC reviews every four years. The School-Based MAA (SMAA) program has resumed conducting site visits and/or desk reviews in accordance with department policy during the 2012/13 Fiscal Year. However, due to the implementation of the current deferral on the SMAA program and the development of a new statewide claiming plan and time survey methodology to be in compliance with the Office of Management and Budget A-87, the SMAA program was not able to perform the nine counties' site visits and/or desk reviews (Sonoma, Orange, Fresno, Riverside, San Diego, San Luis Obispo, Santa Cruz, Solano, and City of Pasadena). The SMAA program anticipates completing site visits and/or desk reviews on all nine counties by June 30, 2014.

3. Develop policies and procedures to ensure OMB Circular A-133 audit reports for all subrecipients reporting federal funds of more than $500,000 are received and management decisions are issued as necessary.
DHCS Response: DHCS agrees with the recommendation. The Audits and Investigation Division (A&I) has procedures to track, monitor, and review the corrective action plan(s) to address the audit finding(s) contained in the A-133 Single Audit Report. The State Controller’s Office (SCO) has Single Audit oversight responsibility and prepares audit-finding reports in accordance with the A-133 Single Audit Report. A&I will establish procedures to ensure that it contacts the SCO in a timely manner to secure A-133 Single Audit Reports that are not received. Regarding the LEAs who receive Medi-Cal Billing Option Program funds (Medi-Cal Billing Option), the SCO is the single state oversight agency and conducts the annual LEA audits. Currently, SCO does not send the LEA reports to other state agencies. A&I will request Single Audit Reports of the LEA who received Medi-Cal Billing Option funds from the SCO starting with the fiscal year ended June 30, 2013, and include the reports in our tracking, monitoring, and follow-up system.

Page Number: 104

Federal Program: Medicaid Cluster

Issue: During our fiscal year 2011-12 audit, we reported that certain information security and change management controls over the California Medicaid Management System (CA-MMIS) were not operating effectively. Health Care Services utilizes a third-party fiscal intermediary (FI) to adjudicate fee-for-service claims and, effective October 1, 2011, a new FI was engaged. Health Care Services obtained a Service Organization Control (SOC1) report over logical security, change management, backup and restoration, and production job processing functions of CA-MMIS for the period from July 1, 2012 through June 30, 2013. The SOC1 contained a qualified opinion, as controls over job processing and system access were found to be not operating effectively for the period. Ineffective controls over job processing and system access could result in inappropriate claims being processed. Specifically, the SOC1 report identified the following:

• The FI does not maintain formal policy documentation to assure proper processing of jobs through documentation of job description, job dependencies, job escalation, and restart procedures.
• Controls related to handling deviations in job processing were not consistently followed.
• Management approvals prior to setting up access in mainframe and mid-range systems supporting CA-MMIS were not consistently obtained and documented.
• Controls related to removing/disabling of user access after the user is terminated were not consistently followed.
• Periodic reviews of access appropriateness of users with access to the mainframe and mid-range systems supporting CA-MMIS were not consistently performed.

First Year Reported: 2011-12

Department's Assertion: DHCS agrees with the Service Organization Control (SOC1) report referenced by KPMG in their finding. When the SOC1 report was released to CAMMIS, CAMMIS issued a request for a corrective action plan to Xerox on December 17, 2013. DHCS received a response from Xerox via FI Letter T4092 on February 18th, 2014. DHCS CAMMIS is currently reviewing FI Letter T4092, along with monitoring Xerox’s progress toward achieving security improvements. DHCS will complete its review and respond by March 21, 2014.

Page Number: 99

Federal Program: Medical Assistance Program

Issue: During our audit for fiscal year 2011-12, we reported that Health Care Services did not have adequate policies and procedures in place to monitor subrecipients in accordance with federal requirements. In fiscal year 2012-13, we found Health Care Services implemented some corrective action but continues to lack adequate policies and procedures to monitor subrecipients.

Health Care Services provides services under the Medicaid program through various subrecipients. For example, monies are passed through to counties, or local government agencies, which are responsible for eligibility determination and other administrative activities. Funds are also passed through to local education consortiums and other nonprofit organizations for reimbursement of expenditures for Medicaid programs and administrative costs. Health Care Services disbursed $1.96 billion to subrecipients for county and school-based administrative activities in fiscal year 2012-13.

Health Care Services monitors its subrecipients through various mechanisms. For example, Health Care Services policy requires that a site visit be conducted for each county or local government agency once every four years and once every three years for school-based organizations. Our audit found the following:

• Health Care Services does not have policies and procedures in place to ensure that DUNS numbers are obtained from its subrecipients prior to awarding of federal funds. Failure to obtain DUNS numbers increases the risk that subrecipients may spend federal funds for unallowable purposes or incorrectly report subawards.
• In April 2011, Health Care Services implemented travel restrictions and analysts were unable to perform all planned site visits. When unable to travel, the school-based unit performs desk reviews, which are equivalent in scope to a site visit. However, we identified that 9 of the 28 local government agencies or local education consortiums that are part of the school-based program had no site visit or desk review performed within the last three years. Lack of adequate monitoring increases the risk that Medicaid funds may not be spent for an allowable purpose.
• Health Care Services does not have policies and procedures in place to obtain OMB Circular A-133 audit reports from local education consortiums and nonprofit organizations. As a result, Health Care Services does not determine whether appropriate and timely corrective action has been taken with respect to Medicaid findings.

First Year Reported: 2011-12

Department's Assertion:

1. Develop policies and procedures to obtain DUNS numbers prior to awarding federal funds.
DHCS Response: DHCS agrees with the recommendation. DHCS’ Medi-Cal Administrative Activities (MAA) program contract agreements do not currently contain relevant award language for obtaining contractors' data universal numbers (DUNS) prior to the awarding of federal funds. DHCS will add contract language in the Exhibit B, Budget Detail and Payment Provision section to require Local Governmental Agencies (LGAs) and Local Educational Consortiums (LECs) to submit the appropriate documentation to Health Care Services indicating their DUNS number prior to final execution of the contract agreement. The MAA program will forward a copy to DHCS accounting section prior to the payment of invoices. DHCS will also revise contract language to require LGAs and LECs to include this language in contracts with their subrecipients and/or vendors. LGA/LEC compliance with this directive will be monitored and verified during onsite visits.

2. Ensure that site visits are performed in accordance with department policy.
DHCS Response: DHCS agrees with the recommendation. In April 2011, DHCS imposed travel restrictions and all site visits were issued a directive to cease. During Fiscal Year 2011/12, the MAA programs instituted desk review processes that are equitable to the site visit process to ensure adherence to the requirement to conduct LGA/LEC reviews every four years. The School-Based MAA (SMAA) program has resumed conducting site visits and/or desk reviews in accordance with department policy during the 2012/13 Fiscal Year. However, due to the implementation of the current deferral on the SMAA program and the development of a new statewide claiming plan and time survey methodology to be in compliance with the Office of Management and Budget A-87, the SMAA program was not able to perform the nine counties' site visits and/or desk reviews (Sonoma, Orange, Fresno, Riverside, San Diego, San Luis Obispo, Santa Cruz, Solano, and City of Pasadena). The SMAA program anticipates completing site visits and/or desk reviews on all nine counties by June 30, 2014.

3. Develop policies and procedures to ensure OMB Circular A-133 audit reports for all subrecipients reporting federal funds of more than $500,000 are received and management decisions are issued as necessary.
DHCS Response: DHCS agrees with the recommendation. The Audits and Investigation Division (A&I) has procedures to track, monitor, and review the corrective action plan(s) to address the audit finding(s) contained in the A-133 Single Audit Report. The State Controller’s Office (SCO) has Single Audit oversight responsibility and prepares audit-finding reports in accordance with the A-133 Single Audit Report. A&I will establish procedures to ensure that it contacts the SCO in a timely manner to secure A-133 Single Audit Reports that are not received. Regarding the LEAs who receive Medi-Cal Billing Option Program funds (Medi-Cal Billing Option), the SCO is the single state oversight agency and conducts the annual LEA audits. Currently, SCO does not send the LEA reports to other state agencies. A&I will request Single Audit Reports of the LEA who received Medi-Cal Billing Option funds from the SCO starting with the fiscal year ended June 30, 2013, and include the reports in our tracking, monitoring, and follow-up system.

Page Number: 104

Federal Program: Medical Assistance Program

Issue: During our fiscal year 2011-12 audit, we reported that certain information security and change management controls over the California Medicaid Management System (CA-MMIS) were not operating effectively. Health Care Services utilizes a third-party fiscal intermediary (FI) to adjudicate fee-for-service claims and, effective October 1, 2011, a new FI was engaged. Health Care Services obtained a Service Organization Control (SOC1) report over logical security, change management, backup and restoration, and production job processing functions of CA-MMIS for the period from July 1, 2012 through June 30, 2013. The SOC1 contained a qualified opinion, as controls over job processing and system access were found to be not operating effectively for the period. Ineffective controls over job processing and system access could result in inappropriate claims being processed. Specifically, the SOC1 report identified the following:

• The FI does not maintain formal policy documentation to assure proper processing of jobs through documentation of job description, job dependencies, job escalation, and restart procedures.
• Controls related to handling deviations in job processing were not consistently followed.
• Management approvals prior to setting up access in mainframe and mid-range systems supporting CA-MMIS were not consistently obtained and documented.
• Controls related to removing/disabling of user access after the user is terminated were not consistently followed.
• Periodic reviews of access appropriateness of users with access to the mainframe and mid-range systems supporting CA-MMIS were not consistently performed.

First Year Reported: 2011-12

Department's Assertion: DHCS agrees with the Service Organization Control (SOC1) report referenced by KPMG in their finding. When the SOC1 report was released to CAMMIS, CAMMIS issued a request for a corrective action plan to Xerox on December 17, 2013. DHCS received a response from Xerox via FI Letter T4092 on February 18th, 2014. DHCS CAMMIS is currently reviewing FI Letter T4092, along with monitoring Xerox’s progress toward achieving security improvements. DHCS will complete its review and respond by March 21, 2014.

Page Number: 99

Federal Program: SCHIP (State Children's Insurance Program)

Issue: During our fiscal year 2011-12 audit, we reported that certain information security and change management controls over the California Medicaid Management System (CA-MMIS) were not operating effectively. Health Care Services utilizes a third-party fiscal intermediary (FI) to adjudicate fee-for-service claims and, effective October 1, 2011, a new FI was engaged. Health Care Services obtained a Service Organization Control (SOC1) report over logical security, change management, backup and restoration, and production job processing functions of CA-MMIS for the period from July 1, 2012 through June 30, 2013. The SOC1 contained a qualified opinion, as controls over job processing and system access were found to be not operating effectively for the period. Ineffective controls over job processing and system access could result in inappropriate claims being processed. Specifically, the SOC1 report identified the following:

• The FI does not maintain formal policy documentation to assure proper processing of jobs through documentation of job description, job dependencies, job escalation, and restart procedures.
• Controls related to handling deviations in job processing were not consistently followed.
• Management approvals prior to setting up access in mainframe and mid-range systems supporting CA-MMIS were not consistently obtained and documented.
• Controls related to removing/disabling of user access after the user is terminated were not consistently followed.
• Periodic reviews of access appropriateness of users with access to the mainframe and mid-range systems supporting CA-MMIS were not consistently performed.

First Year Reported: 2011-12

Department's Assertion: DHCS agrees with the Service Organization Control (SOC1) report referenced by KPMG in their finding. When the SOC1 report was released to CAMMIS, CAMMIS issued a request for a corrective action plan to Xerox on December 17, 2013. DHCS received a response from Xerox via FI Letter T4092 on February 18th, 2014. DHCS CAMMIS is currently reviewing FI Letter T4092, along with monitoring Xerox’s progress toward achieving security improvements. DHCS will complete its review and respond by March 21, 2014.

Page Number: 99

Federal Program: State Survey and Certification of Health Care Providers and Suppliers

Issue: During our audit for fiscal year 2011-12, we reported that Health Care Services did not have adequate policies and procedures in place to monitor subrecipients in accordance with federal requirements. In fiscal year 2012-13, we found Health Care Services implemented some corrective action but continues to lack adequate policies and procedures to monitor subrecipients.

Health Care Services provides services under the Medicaid program through various subrecipients. For example, monies are passed through to counties, or local government agencies, which are responsible for eligibility determination and other administrative activities. Funds are also passed through to local education consortiums and other nonprofit organizations for reimbursement of expenditures for Medicaid programs and administrative costs. Health Care Services disbursed $1.96 billion to subrecipients for county and school-based administrative activities in fiscal year 2012-13.

Health Care Services monitors its subrecipients through various mechanisms. For example, Health Care Services policy requires that a site visit be conducted for each county or local government agency once every four years and once every three years for school-based organizations. Our audit found the following:

• Health Care Services does not have policies and procedures in place to ensure that DUNS numbers are obtained from its subrecipients prior to awarding of federal funds. Failure to obtain DUNS numbers increases the risk that subrecipients may spend federal funds for unallowable purposes or incorrectly report subawards.
• In April 2011, Health Care Services implemented travel restrictions and analysts were unable to perform all planned site visits. When unable to travel, the school-based unit performs desk reviews, which are equivalent in scope to a site visit. However, we identified that 9 of the 28 local government agencies or local education consortiums that are part of the school-based program had no site visit or desk review performed within the last three years. Lack of adequate monitoring increases the risk that Medicaid funds may not be spent for an allowable purpose.
• Health Care Services does not have policies and procedures in place to obtain OMB Circular A-133 audit reports from local education consortiums and nonprofit organizations. As a result, Health Care Services does not determine whether appropriate and timely corrective action has been taken with respect to Medicaid findings.

First Year Reported: 2011-12

Department's Assertion:

1. Develop policies and procedures to obtain DUNS numbers prior to awarding federal funds.
DHCS Response: DHCS agrees with the recommendation. DHCS’ Medi-Cal Administrative Activities (MAA) program contract agreements do not currently contain relevant award language for obtaining contractors' data universal numbers (DUNS) prior to the awarding of federal funds. DHCS will add contract language in the Exhibit B, Budget Detail and Payment Provision section to require Local Governmental Agencies (LGAs) and Local Educational Consortiums (LECs) to submit the appropriate documentation to Health Care Services indicating their DUNS number prior to final execution of the contract agreement. The MAA program will forward a copy to DHCS accounting section prior to the payment of invoices. DHCS will also revise contract language to require LGAs and LECs to include this language in contracts with their subrecipients and/or vendors. LGA/LEC compliance with this directive will be monitored and verified during onsite visits.

2. Ensure that site visits are performed in accordance with department policy.
DHCS Response: DHCS agrees with the recommendation. In April 2011, DHCS imposed travel restrictions and all site visits were issued a directive to cease. During Fiscal Year 2011/12, the MAA programs instituted desk review processes that are equitable to the site visit process to ensure adherence to the requirement to conduct LGA/LEC reviews every four years. The School-Based MAA (SMAA) program has resumed conducting site visits and/or desk reviews in accordance with department policy during the 2012/13 Fiscal Year. However, due to the implementation of the current deferral on the SMAA program and the development of a new statewide claiming plan and time survey methodology to be in compliance with the Office of Management and Budget A-87, the SMAA program was not able to perform the nine counties' site visits and/or desk reviews (Sonoma, Orange, Fresno, Riverside, San Diego, San Luis Obispo, Santa Cruz, Solano, and City of Pasadena). The SMAA program anticipates completing site visits and/or desk reviews on all nine counties by June 30, 2014.

3. Develop policies and procedures to ensure OMB Circular A-133 audit reports for all subrecipients reporting federal funds of more than $500,000 are received and management decisions are issued as necessary.
DHCS Response: DHCS agrees with the recommendation. The Audits and Investigation Division (A&I) has procedures to track, monitor, and review the corrective action plan(s) to address the audit finding(s) contained in the A-133 Single Audit Report. The State Controller’s Office (SCO) has Single Audit oversight responsibility and prepares audit-finding reports in accordance with the A-133 Single Audit Report. A&I will establish procedures to ensure that it contacts the SCO in a timely manner to secure A-133 Single Audit Reports that are not received. Regarding the LEAs who receive Medi-Cal Billing Option Program funds (Medi-Cal Billing Option), the SCO is the single state oversight agency and conducts the annual LEA audits. Currently, SCO does not send the LEA reports to other state agencies. A&I will request Single Audit Reports of the LEA who received Medi-Cal Billing Option funds from the SCO starting with the fiscal year ended June 30, 2013, and include the reports in our tracking, monitoring, and follow-up system.

Page Number: 104

Federal Program: State Survey and Certification of Health Care Providers and Suppliers

Issue: During our fiscal year 2011-12 audit, we reported that certain information security and change management controls over the California Medicaid Management System (CA-MMIS) were not operating effectively. Health Care Services utilizes a third-party fiscal intermediary (FI) to adjudicate fee-for-service claims and, effective October 1, 2011, a new FI was engaged. Health Care Services obtained a Service Organization Control (SOC1) report over logical security, change management, backup and restoration, and production job processing functions of CA-MMIS for the period from July 1, 2012 through June 30, 2013. The SOC1 contained a qualified opinion, as controls over job processing and system access were found to be not operating effectively for the period. Ineffective controls over job processing and system access could result in inappropriate claims being processed. Specifically, the SOC1 report identified the following:

• The FI does not maintain formal policy documentation to assure proper processing of jobs through documentation of job description, job dependencies, job escalation, and restart procedures.
• Controls related to handling deviations in job processing were not consistently followed.
• Management approvals prior to setting up access in mainframe and mid-range systems supporting CA-MMIS were not consistently obtained and documented.
• Controls related to removing/disabling of user access after the user is terminated were not consistently followed.
• Periodic reviews of access appropriateness of users with access to the mainframe and mid-range systems supporting CA-MMIS were not consistently performed.

First Year Reported: 2011-12

Department's Assertion: DHCS agrees with the Service Organization Control (SOC1) report referenced by KPMG in their finding. When the SOC1 report was released to CAMMIS, CAMMIS issued a request for a corrective action plan to Xerox on December 17, 2013. DHCS received a response from Xerox via FI Letter T4092 on February 18th, 2014. DHCS CAMMIS is currently reviewing FI Letter T4092, along with monitoring Xerox’s progress toward achieving security improvements. DHCS will complete its review and respond by March 21, 2014.

Page Number: 99

© 2013, California State Auditor