The URL can be used to link to this page

Home My WebLink About2007 Island Group Admin - Internal Controlsi 1 I t I I I 1 l ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT REPORT ON INTERNAL CONTROLS PLACED IN OPERATION AND TESTS OF OPERATING EFFECTIVENESS 2007 i 1 1 i ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT REPORT ON INTERNAL CONTROLS PLACED IN OPERATION AND TESTS OF OPERATING EFFECTIVENESS PAGE I. REPORT OF INDEPENDENT AUDITORS ................................................... ....... 1-2 II. INTRODUCTION .................................................................................. ........ 3 III. CONTROL ENVIItONMENT POLICIES AND PROCEDURES 1. CUSTOMER ACCEPTANCE ................................................................ ........ 4 2. PLAN SET-UP/CHANGES ................................................................... ........ 4 3. ELIGIBILITY AND ENROLLMENT ....................................................... ........ 5 4. CLAIMS RECENING ........................................................................ ......... 6 5. CLAIMS PROCESSING ...................................................................... ......... 6 6. CLAIMS PAYMENT, REPORTING AND AUDIT ...................................... ......... 11 7. PARTICIPATING PROVIDER ACCEPTANCE AND MAINTENANCE ............ ........ 13 8. BILLING ......................................................................................... ....... 14 9. DATA PROCESSING ......................................................................... ........ 14 IV. INTERNAL CONTROL OBJECTNES AND CONTROL TECHNIQUES .............. ........ 15 V. TESTS OF SPECIFIC POLICIES AND PROCEDURES .................................... ........ 21 1 Nawrocki Smith LLP CERTIFIED PUBLIC ACCOUNTANTS 1 REPORT OF INDEPENDENT AUDITORS To Island Group Administration, Inc.: I We have examined the accompanying description of controls of Island Group Administration, Inc.'s Self-Funded Employee Benefits Plan Department (the "Administrator"). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of the Administrator's controls that maybe relevant to a user organization's internal control as it relates to an audit of the financial statements, (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and (3) such controls had been placed in operation as of December 31, 2007. The control objectives were specified by the management of Island Group Administration, Inc. Our examination was performed in accordance with standazds established by the American Institute of Certified Public Accountants and included those procedures considered necessary in [he circumstances to obtain a reasonable basis for rendering our opinion. 1 In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material respects, the relevant aspects of the Island Group Administration, Inc.'s ' Self-Funded Employee Benefits Plan Department controls that had been placed in operation as of December 31, 2007. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily. In addition to the procedures we considered necessary to render our opinion as expressed I in the previous paragraph, we applied tests to specific controls, listed in the accompanying report, to obtain evidence about their effectiveness in meeting the control objectives, described in the accompanying report, during the period from January I, 2007 to December 31, 2007. The specific controls and the nature, timing, extent and results of the tests aze listed in the accompanying report. This information has been provided to user organizations of the ' Administrator and to their auditors to be taken into consideration, along with information about the intemal control at user organizations, when making assessments of control risk for user organizations. In our opinion, the controls that were tested, as described in the accompanying I report, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in the accompanying report were achieved during the period from January 1, 2007 to December 31, 2007. However, the scope of our engagement ' did not include tests to determine whether control objectives not listed in the accompanying report were achieved and, accordingly, we express no opinion on the achievement of control objectives not included in the accompanying report. -1- 1 The relative effectiveness and significance of specific controls of the Administrator and their effect on assessments of control risk at user organizations are dependent on their interaction I with the controls, and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations. I The description of controls at the Island Group Administration, Inc.'s Self-Funded Employee Benefits Plan Department is as of December 31, 2007, and information about tests of the operating effectiveness of specified controls covers the period from January I, 2007 to December 31, 2007. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specified controls at the Island Group Administration, Inc.'s Self-Funded Employee Benefits Plan Department is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on 1 our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions. I This report is intended solely for use by the management of Island Group Administration, Inc., its user organizations and the independent auditors of its user organizations. May 15, 2008 ' Melville, New York 1 I 1 1 1 1 I _2_ ' The following narrative documents Island Group Administration, Inc.'s (the "Administrator") Self-Funded Employee Benefits Plan Department's policies and procedures in 1 order to: ' - Ensure that procedures and internal controls are documented and properly communicated to appropriate personnel; and 1 - Provide a basis for the preparation of timely and accurate financial reports. These procedures are reviewed and updated on a periodic basis to reflect current I procedures and support management's belief that Island Group Administration, Inc.'s Self- Funded Employee Benefits Plan Department is operating within a sound internal control structure. The following policies and procedures have been presented by functional area for ease of review, evaluation and update. 1 1 t 1 1 1 -3 CONTROL ENVIRONMENT POLICIES AND PROCEDURES 1. CUSTOMER ACCEPTANCE Customer acceptance is conducted by the executive division (President). Once a company chooses to consider self-funded employee benefits, the president begins his analysis to determine whether the company would be a good candidate. Information is gathered for at least the prior three years: loss runs, total claims, large claims, status of people, ongoing conditions, catastrophic illness, premiums paid, prior insurance company discounts and certified financial statements. Previous claims can usually be no more than 80% of previous premiums paid to be a ' self-funded employee benefits candidate. Once a decision is made that a company is an acceptable candidate based on evaluation of the aforementioned criteria, a proposal is presented to a reinsurance company for validation. The proposal is then presented to the potential customer. The proposal includes the benefits and the risks to the customer including a description of the plan, best and worst case examples, services and savings. At this point, a customer may or may not accept the proposal. 2. PLAN SET-UP/CHANGES ' The plans offered by the Administrator include medical, hospital, dental, vision and prescription drugs (the "Plan(s)"). Where applicable, we will discuss particular attributes of a ' specific Plan. Plan set-up is conducted by the executive division (Executive Vice-President). An initial 1 meeting is conducted with the customer to set up the Plan. A "Plan Spreadsheet" is prepared based on the customer's previous plan. The prior plan is the key link to ensure that current benefits are properly identified and included in the new Plan. Additional precautionary coverages (i.e. 100% mammography benefits) maybe suggested which will benefit the customer and employees if diagnosed early. Once this information is gathered, the Plan's parameters are entered into the Administrator's data processing system by the plan management division. These ' parameters include such variables as limits, deductibles and coordination of benefits. Participating providers are part of the network and are linked to all Plans. The customer is given a copy of the Plan Agreement and the Plan Spreadsheet to read and approve. Once signed by the customer, the Plan is sent to the reinsurer for acceptance. If the prior plan has not been changed significantly, the reinsurer accepts the Plan. Changes and updates to a Plan usually occur when customers desire adjustments to the type of coverage offered to the participants. Any changes to a Plan must be documented on the Plan Spreadsheet, approved and signed by the customer. The changes then have to be approved I by the reinsurer who has the option not to accept them since such additions are usually not part of the prior plan. Some customers may use another insurance company for additional coverage ' instead of the reinsurance company. ' -4- Once the Plan is set-up, the plan management division takes over. Each Plan Manager is given various reference materials (i.e. a copy of the Plan, the Plan Spreadsheet, enrollment forms, etc.) in order to supplement the data processing system. 3. ELIGIBILITY AND ENROLLMENT Once the Plan is set-up, the executive division meets with all employees of the customer ' and present a package including the final Plan Spreadsheet. Insurance cards, enrollment forms and website address to access preferred provider listings provided by the Administrator. All participants in the Plans administered by the Administrator, whether they are active, on leave of absence, surviving family, COBRA or retired employees of their applicable employer, aze required to complete standazd enrollment forms in order to initiate their eligibility into a Plan. If a participant requests the release of confidential information, each participant and spouse must submit a HIPAA form stating any individuals that maybe given information on their behalf. (i.e. John Smith must submit authorization for wife Mazy Smith to receive any information regarding his information from Island Group.) When all the enrollment forms are received from the customer, the plan management division reviews them for completeness and eligibility prior to systems input. Eligibility is evaluated based upon pre-established criteria as identified by the applicable customer. After the standard enrollment forms are reviewed, the pertinent information is entered into the data processing system. Following input of this information, a census is produced and sent to I the customer for approval. Once approved, permanent insurance cazds aze issued. When there is a change in the status of a Plan participant, it has to be in writing. Anew participant must fill out an enrollment form which is reviewed and entered into the data processing system within 24 hours. The customer is responsible to notify the Administrator in writing if an employee is terminated. The Administrator is then responsible to ensure that claims incurred subsequent to termination are properly handled. The Administrator enters the termination date into the ' computer which flags the computer file as "terminated", and the specific person is reported in the monthly termination report. The data processing system is set up to automatically terminate all dependents at nineteen years of age. If the dependent becomes nineteen and is a fulltime student, coverage can be extended. For each college-aged dependent, the Plan participant has to provide the Administrator with a "Student Verification Form" filled out by the Plan participant and the school registrar for each semester. Enrollment is extended for six months when the form is 1 received. The Administrator maintains a separate file by customer for all college students to ensure that applicable tuition forms are up-to-date. Semi-annually a reminder letter is sent out to all participants who have eligible full time students that a current verification of student status 1 must be submitted in order to continue coverage. ' -5- 4. CLAIMS RECEIVING All claims for benefits are submitted on standard claim forms which have been specifically prepared for each Plan. Each day a customer service representative receives the mail and performs the following tasks: - Checks the return address for possible COBRA considerations and coordination of ' benefit issues - Stamps date received - Sorts claim forms by account 1 - Seazches for participant in data processing system - Routes claim forms to respective accounts ' The Plan Managers maintain a log of how many claims aze received and processed each day for productivity evaluation purposes. 5. CLAIMS PROCESSING The claims supervisor coordinates the claims processing by plan managers. Plan benefit processing procedures have been communicated to all applicable personnel. These procedures are periodically reviewed by management of the Administrator and updated accordingly. Each Plan Manager is stationed at a computer terminal which is linked to a central processor. A customized softwaze program has been developed to process claims. Plan Managers aze also provided with customer reference material as to the nature and extent of available benefits and participating provider fee schedules. ' Before entering a claim, it is checked for completeness by the Plan Manager. All claims ' for benefits must be properly completed to be processed. If a claim is not complete, the available information is entered into the claims processing system and the claim is coded "pended". The Explanation of Benefits form is then sent back to the claimant/provider with the reasons for ' returning the claim. To access the claims processing system, each Plan Manager uses their assigned user name ' and password. When processing a claim, the Plan Manager will enter or select the applicable data or perform requisite functions as follows: - Choose customer - Choose claims program and processing - Entec initials to record who is processing the claim - Enter date the weekly report will be run - Enter claimants name and ID number - Review enrollment information for eligibility - Enter Plan type (i.e. medical, dental etc.) - Check for term dates and flags on claimants file - Enter assignment of payment - Enter provider using Federal tax identification number -6- - Note system generated claim number - Enter stamped received date - Enter claim information - Enter internal codes based on CPT code (standard medical code which identifies the nature of a medical service) - Enter coordination of benefits payment, if applicable - Determine deductible, based on comment section ' - Enter comments, if applicable The Plan Manager will check the reasonableness of the CPT codes indicated by the provider based on a description of the claim and their knowledge of CPT codes. Benefits are paid in accordance with the applicable Plan's guidelines as to deductible satisfaction and co- payment provisions. In obtaining required health services, a participant in a Plan has one of two options: - Utilizing the services of a participating provider; or - Utilizing services of the provider of the participant's choice To the extent that a Plan participant chooses the "participating provider" option, he or she will utilize the services of a medical provider included in the "Participating Providers Network". ' Utilization of the services of a participating provider does not require the satisfaction of a deductible, and is such that the claimant is only required to pay the medical provider a co- payment amount. The Administrator will then be billed for the appropriate charges by the ' participating provider for services rendered, and will pay the provider directly for allowable charges, less consideration of any co-payment made by a Plan participant. Payment to the participating provider for services rendered is based on the participating provider fee schedules. To the extent a Plan participant decides to utilize a provider which is not a participating provider, a claim form is submitted for services received. All information on the claim form is ' then reviewed in detail by the plan manager and compared to the Ingenix table, which establishes reasonableness of medical charges. Providers will only be paid in accordance with these prevailing charges, based on a percentile level agreed to by customer. The individual claimant is ' responsible for any costs in excess of what is reimbursable under the terms of a Plan. Once the Plan Manager is satisfied that the specific claim has been processed in accordance with the aforementioned guidelines, the claim is finalized for payment. To the extent that a Plan Manager may note that an error has been made, or changes have to be made to a given claim, such changes may be made through normal system processing until the checks have ' been processed. If an error or item requiring follow-up on a specific claim is noted after a claim is processed, the check must be returned and voided. Supervisors are the only individuals who can make reversals. Adjustments to claims can be accomplished by processing a new claim for ' the adjustment amount. 7 I J r Another area of benefit coverage responsibility is the area of Medicare. In essence, if an individual is over 65 years of age but is still working, the applicable Plan is considered to provide primary coverage. If the covered participant is over 65 years of age and retired, Medicare is considered to provide primary coverage. It is the customer's responsibility to notify the Administrator of any individuals eligible for Medicaze. Coordination of benefits is addressed directly through the data processing system. Based on the standard enrollment forms and other information required on the standard claim forms, information with respect to primary coverage for the claimant as well as coverage by other carriers is tracked by the data processing system. In this manner, reimbursements are only made for charges for which a Plan is responsible. Participants in certain Plans also receive benefits for prescription related claims. CVS / Caremark sends a bill package to the Administrator covering atwo-week period. The claims supervisor reviews the package, which lists detailed information on claims paid. Confirmation is made that it is a bill for the two weeks subsequent to the last bill. Comparison of the explanation of benefits sheet amount with the amount on the bill, and comparison on the current amount with previous amounts for overall reasonableness is made. The plan managers convey census updates to CVS / Caremark so that they know who is eligible for the prescription plan. All enrolled employees receive a prescription card. CVS / Caremark provides a package to all employees describing its services. A 90-day supply is the maximum order. If mail order is used, CVS / Caremark sends the drugs via UPS, Federal Express or other carrier. The following are procedures pertaining to the Medicare Part D Drug Plan: 1. Satisfying Creditable Coverage Notice Requirements under Medicare Part D. 2. Preparing Medicare Part D subsidy application(s), including: - Assessing drug coverage funding and relevant "benefit options". - Assisting in selecting an individual within the organization who will be the Authorized Representative. - Assisting the Authorized Representative to register at the Retiree Drug Subsidy web page maintained by CMS, obtain a logon ID, and establish an electronic signature. - Serving as the Account Manager for the Subsidy Application, performing the following tasks within the Retiree Drug Subsidy ("RDS") secure web site maintained by CMS: - Obtain unique Plan Sponsor ID number for each GHP - Obtain unique application ID number for each GHP - Identify the Authorized Representative for each GHP ' - Provide secure, dedicated e-mail address for CMS communications 8 1 - Live-time assistance for the Authorized Representative in signing onto the RDS web site. - Complete all portions of the Application Form, including General Contact Information, Qualified Basic Plan Information, Actuary Assignment, Electronic Fund Transfer, Payment Frequency ' arrangements, Retiree List Submission with 12 fields of formatted demographic and other information for each Medicare Eligible ' Individual. - Providing electronic actuarial attestation via PDA's Actuary (or the Plan Sponsor's Actuary, with the consent of PDA). - Assisting the Authorized Representative with electronic signature of the Subsidy ' Application. 3. Receiving and electronically responding to any CMS partial or complete rejections of the Subsidy Application within the required 15-day period. 4. Electronically updating the Retiree file on an ongoing basis (monthly. in order to maximize cash flow), including during Subsidy Payment process, using the RDS Medicare format. ' S. Preparing and filing quarterly Subsidy Payment Requests, which entail the following tasks: ' - Collecting prior months' eligibility file and claim file from the pharmacy benefit manger(s). ' - Identifying and adjusting for non-Part D drugs. - Calculating the subsidy amount for each MEI. ' - Aggregating the individual MEI subsidy calculations. ' - Electronically submitting cost data for all of the qualifying MEI's in each BO (multiple submissions if multiple BO's), including: - Aggregate gross retiree costs (drug only) for the previous month - Aggregate threshold ($250) reduction ' - Aggregate limit ($5,000) reduction - Estimated cost adjustments (e.g., drug rebate payments from manufacturers) ' - Reconciling any changes for the previous months' payment requests. 1 t -9- 1 r - Providing electronic confirmation to CMS that cost data is to be included in the subsidy payment request. - Reviewing any and all subsidy payment rejections and making any appropriate appeals. - Electronically submitting payment request on behalf of the Plan Sponsor. - Confirming receipt of EFT deposit in the Plan Sponsor's bank account. - Responding to any questions, demands or denials issued by CMS, which may, in PDS's sole judgment, include: - Filing a 15-day appeal of a denied subsidy payment - Requesting a hearing within 15 days of a denied appeal - Requesting a reopening of a denial 6. Performing annual subsidy reconciliation as required by CMS with 15 months after the end of the plan year. This task includes the electronic filing of the following data for each MEI for each month: (Note: There is no alternative annual reconciliation reporting mechanism for insured group health plans.) - Subsidy application number - Unique benefit option identifier applicable to that MEI for that month - MEI Social Security number - Amount of drug costs incurred each month during the plan year - MEI's name, date of birth, and gender - 12 months' gross retiree costs, threshold reduction, limit reduction, and actual cost adjustments - Date and time of data file creation 1 7. Responding to any questions, demands or denials issued by CMS in connection with annual subsidy reconciliation. These responses may, in PDS's sole judgment, include: - Filing a 15-day Appeal of a denied payment - Requesting a hearing within 15 days of a denied Appeal Providing Plan Sponsor with data and information necessary to assist in the event the Plan Sponsor is selected by CMS for audit during the six-year period following receipt of a subsidy payment. In order to monitor and control the cost of health care, the Administrator reviews and assesses prospective claims for significant treatment. For significant prospective treatment, a Plan participant is required to contact the Administrator in order to receive the necessary precertification. In the case of a medical emergency, a Plan participant is required to contact the Administrator within 48 hours of the emergency as to the nature of the medical attention. The ] 0- ' Plan Manager logs the required information on [he "Precertification Form". The Plan Manager will verify the information with the doctor and notify the hospital of the approved number of days. All pre-certifications are subject to the approval of the Administrator based upon an overview of necessary provider and hospital records and subject to the Plan's pazameters and ' limitations. Pre-certifications aze reviewed and filed, and when the corresponding claim is received, it is attached to the claim form. Precertifications are not necessary for childbirth but it is critical that the Administrator be noti&ed as soon as the baby is born so that the baby is ' covered immediately. All Hospital Admissions require pre-certification. Pre-certifications and elective surgical ' authorizations are received and reviewed by the Case Management Department. Any necessary information for screening and approval of an admission is tracked. if additional information is required, it is obtained from the patient or practitioner at this time. All admissions are followed ' by concurrent review of clinical information during the hospitalization and subsequent discharge to the appropriate level of care (acute and/ or sub-acute rehabilitation, home care, intravenous therapy etc.) ' When a hospital bill is received by the claims department, it is separated and copied for case management. The bills are matched to the pre-certification information, length of stay, quality ' control and other concurrent medical review information. Large Case Management is initiated based on information that is obtained. They aze priced in the Case Management Department according to the contracted rates and fee arrangements for the specific facility. Al] bills are ' reviewed by the Nurse Case Manager and the Executive Vice President. The bills are returned to the claims area for processing. t 6. CLAIMS PAYMENT, REPORTING AND AUDIT Once a week for each customer, an Operations Department Representative will run the ' required reports and prepare the appropriate documentation. The following information is generated by the data processing system: - Benefit claim checks - Explanation of benefits statements ' - Claims check register - Claim Summary Report ' Upon obtaining these reports and documentation, a Plan Manager along with Operations Manger will review the various reports to ensure that data is consistent with the corresponding claims production and processing, and that the information on the check register agrees with the ' actual checks. Once all reports and documentation are noted to be in order, the original checks and explanation of benefits forms are mailed to the medical provider or claimant. Copies of the explanation of benefits forms, check registers and claim summaries for a given day are then filed ' with other customer information for reference purposes. Customer checks (with the Administrator as agent) are maintained in a locked closet. When checks are processed, the beginning and ending check number is entered into a log to -11- 1 1 control the correct sequence of checks being used. On every check run, the first check is always voided. Any breaks in the sequence are investigated immediately. The Administrator notifies the customer of how much to deposit when checks are ready to be mailed. Benefit checks are not released until approval is received from the customer. A control list of checks printed is prepared for review by management of the Administrator. Each customer receives their applicable cancelled checks and maintains and reconciles their own cash account which is independent of the Administrator's claims processing. The check signing machine has many safeguards. The signature plate is kept under lock and key in the executive division and only released to authorized personnel at the time of check signing and is returned upon completion. The signature plate is placed into the machine only to process checks. The machine keeps track of how many checks were run, and it cannot be reset. Each day, a daily log is prepared to track the number of incoming claims and claims processed in a given day. At the end of the week, a report is produced to analyze production. This provides management of the Administrator with a mechanism for ensuring that incoming claims are processed in accordance with the underlying Plan Agreements. The following reports are prepazed and sent to the customers each month for review and evaluation: - Claims summary - to summarize various claims paid throughout the month - Lag reports - to show customer productivity - Stop loss reports - to keep customer up-to-date as to how close they are to the limit - Current census - to provide customer with a list of currently insured individuals to review and approve - Changes in enrollment - to flag enrollment updates - Terminating dependents - to flag terminations Separate reports are produced for each type of Plan offered by the customer. The Administrator hires employees primarily by word of mouth, and prefers individuals who have customer service and computer experience. When a person starts at the Administrator, he or she will go through an extensive training process. New hires will work with another person until they are confident to work alone. Everyone works in close proximity, creating an atmosphere where it is easy to ask questions. Trainees are familiarized with the data processing keyboard and given a trainee's handbook, which includes the following: - A checklist to ensure that a claim is complete - A list of where to file data - A customer list with necessary numbers - Lists of all codes - All fee schedules - Co-payment rules - Hospital bill procedures 12- ' - "How to" order medical prescription cards ' - "How to" handle coordination of benefits claims - List of zip codes - List of various comments to use in the comment section All processed claims are subject to audit. All claims processed by a "Plan Manager In Training" are audited prior to check release. For a trainee's first three months at work, all claims t processed are audited. During the next three months, most claims are audited depending on an individual's "audit grades". The supervisors perform the audits. The claims selected for audit are reviewed for completeness and accuracy. A record of what was incorrect is maintained and ' discussed with the employee being audited so correction can be made. The trainee's "audit grade" is based on the total claims reviewed and incorrect amounts noted. These audits are maintained in the individual employee files. The grades are tracked to provide a basis for ' employee evaluation. All claims over certain dollar limitations are also subject to review and audit prior to check release. Periodically, an audit of the processing of claim forms is performed for all Plan Managers. 7. PARTICIPATING PROVIDER ACCEPTANCE AND MAINTENANCE The Administrator has a participating provider network. There are two ways that the ' provider acceptance process can be initiated; an insured individual can request a specific doctor to join the network or, a doctor could request to become a participating provider. ' The Administrator initiates the acceptance process by completing a "Participating Provider Inquiry Form" which includes date of inquiry, name, address, telephone, referred by, date ' application letter sent, date completed application received, date confirmation letter mailed, dates entered into participating provider file, alpha list and any comments. The Administrator then sends out an introduction letter and two applications that must be completed by the provider applicant. Along with the completed applications, the Administrator requires copies of current licenses, malpractice insurance and accreditation. The Administrator also checks the New York State Medical Guide. The executive vice president tries to meet the doctor if possible. If the provider is accepted, then a Participating Provider Agreement is completed and signed by the provider and the Administrator. Management then enters new participating providers into the data processing system. The Administrator maintains a national website which is updated daily with a listing of all participating providers. ' Review of the participating provider files is done periodically to ensure that the files are up-to-date. Requests for updated licenses and insurance are sent out, if needed. A doctor who does not respond will be removed from the network. ' -13- 8. BILLING At the end of each month, the finance manager prepazes billings that include administration fees and reinsurance fees for all applicable participants. Billings are generated from the census reports. Rates per insured individual are negotiated with each customer for administration fees ' and reinsurance fees. Therefore, based on the rates and current census, bills are produced. ' All bills are reviewed by the finance manager before they are sent out. The monthly billing includes a current census report. This report provides the customer with a basis to confirm that only eligible Plan participants are listed and they are being billed for the correct ' amount. Sepazate files that include administration fee summaries and dates that payments were received are maintained in finance division. 9. DATA PROCESSING The data processing system utilizes security level codes for user's names and passwords. The related data processing system utilizes these passwords to limit what functions can be seen and accessed by the user. The data processing system also posts the passwords in the input screen for control and review purposes in the case of error tracing and/or correction. ' All changes and updates to the data processing system are processed through CD-ROM discs received from our Management Information Systems (MIS) division. On an emergency ' basis, a modem can be activated and utilized if required. Modem is only on during this process and is password protected. Data is downloaded to a test account to make certain programming works correctly and then is installed for usage by our staff. The Administrator utilizes on-site and off-site data processing back-up procedures. Daily back-ups are kept on site with four days kept in reserve. Weekly backups are kept off-site. The Operations Department is the only department that has access to print reports. These individuals were never Plan Managers and have no knowledge of claims processing to ensure a proper segregation of duties. i 1 -14- 1 ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT ' INTERNAL CONTROL OBJECTIVES AND CONTROL TECHNIQUES 2007 iNTD /1D7 i!`Til1N ' In order to determine whether Island Group Administration, Inc.'s Self-Funded Employee Benefits Plan Department is operating within a satisfactory internal control structure, it is first necessary to identify the specific internal control objectives to be achieved by policies and procedures in effect at the Administrator. In this regard, we have identified pertinent internal control objectives, which maybe characterized in the following areas: Organization obiectives -These objectives address controls in place to ensure organizational structure is such that a proper segregation of duties is in effect throughout the processing areas of responsibilities. Authorization obiectives -These objectives address controls for securing compliance with policies and criteria established by management as part of overall financial planning and control. Transaction processing obiectives -These objectives address the controls over the recognition, processing and reporting of transactions and adjustments. Classification obiectives -These objectives address the controls over the source, timeliness and propriety of resulting reports. Substantiation obiectives -These objectives address periodic substantiation of reported data and the integrity of processing systems. Physical safeguard obiectives -These objectives address access to assets, records, critical forms, processing areas and processing procedures. The accompanying matrix is presented by area of internal control and identifies the key internal control objectives to be achieved, as well as a description of the control techniques that have been established in order to achieve those objectives. -15- ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT INTERNAL CONTROL EVALUATION 2007 INTERNAL CONTROL OBJECTIVES CONTROL TECHNIQUES ll I Orsanization 1. The Administrator should be organized to provide adequate internal segregation of duties and functions. II Authorization 1. Self-insured employee benefits should be authorized in accordance with management's criteria and the terms of the Plan. I 2 . Adjustments to a Plan should be authorized in accordance with management's criteria. 3. Plan benefit processing procedures should be established and maintained in accordance with management's criteria. la. Persons involved in a Plan's acceptance and set-up are independent of the individuals responsible or processing claims. lb. Persons independent of claims processing receives, dates and batches all claim forms for control purposes. 1. The customer is given a copy of the Plan Agreement and the Plan Spreadsheet to read and approve. 2. Any changes to a Plan must be documented on the Plan Spreadsheet, approved and signed by the customer. 3a. Plan benefit processing procedures have been communicated to all applicable personnel. 3b. Procedures are periodically reviewed by management of the Administrator and updated accordingly. -16- ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT INTERNAL CONTROL EVALUATION 2007 i ~~ i INTERNAL CONTROL OBJECTIVES II Authorization (continued) CONTROL TECHNIQUES 3c. New employees will go through an extensive training process. III Transaction Processine Only those requests for benefits that meet management's criteria and are properly supported with the requisite documentation and authorization should be approved. 1 a. All claims for benefits must be properly completed to be processed. lb. Benefits are paid in accordance with the applicable Plan's guidelines. 1 c. The Plan Manager will check the reasonableness of the CPT codes indicated by the provider. 1 d. Each Plan Manager is given various reference materials (i.e. a copy of the Plan, Plan Spreadsheet, enrollment forms, etc.) in order to supplement the data processing system. le. For significant prospective treatment, a Plan participant is required to contact the Administrator in order to receive the necessary precertification. lf. When appropriate, coordination of benefits is addressed directly through the data processing system. 1 g. When appropriate, for each college-aged dependent, the Plan participant has to provide the Administrator with a "Student Verification Form" filled out by the Plan participant and the school registrar for each semester. 17 ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT INTERNAL CONTROL EVALUATION 2007 INTERNAL CONTROL OBJECTIVES CONTROL TECHNIQUES I i ~~ III Transaction Processine (continued) 2. Requests for benefits should be accurately and promptly processed. 2a. All claims for benefits are submitted on standard claim forms which have been specifically prepazed for each Plan. 2b. The Plan Managers maintain a log of how many claims are received and processed each day for productivity evaluation purposes. 2c. The Administrator ensures that incoming claims are processed in accordance with the underlying Plan Agreements. 2d. Claim forms aze sorted by Plan Manager for their respective customers. 3. Each disbursement of funds should be 3a. Each customer maintains and reconciles based upon a recognized contractual their own cash account which is obligation, be accurately prepazed and be independent of the Administrator's promptly and accurately reported. claims processing. 3b. Customer checks are maintained in a locked closet. 4. Transaction adjustments and special considerations should be accurately and promptly classified, summarized and reported. 3c. Benefit checks are not released until approval is received from the customer. 4. The Administrator reviews and assesses prospective claims for significant treatment. -18- ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT INTERNAL CONTROL EVALUATION 2007 INTERNAL CONTROL OBJECTIVES CONTROL TECHNIQUES III Transaction ProcessinE (continued) 5. All members within the Participating Provider Network should be properly validated and credentialed. Sa. Providers must complete the applicable application and provide the requisite information. Sb. Providers must provide current information (i.e. licenses, malpractice insurance, etc.) on an ongoing basis. IV Classification 1. Reports on a Plan should be prepared on a timely basis and should classify and summarize financial activities in accordance with management's plan. 1 a. A control list of checks printed is prepared for review by management of the Administrator. lb. Monthly reports ofbenefits paid to Plan participants are prepared for review and evaluation purposes. V Substantiation ' 1. Detailed Plan data which is entered in the data processing system should be periodically substantiated and evaluated. ' 2. Recorded Plan benefit transactions I activity should be periodically substantiated and evaluated. 1 a. Upon initial Plan set-up, a Plan Spreadsheet is sent to the respective customer for review and validation. lb. When all the enrollment forms are received from the customer the plan management division reviews them for completeness and eligibility prior to systems input. 2a. Periodically, an audit of the processing of claim forms is performed for all Plan Managers. -19- ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT INTERNAL CONTROL EVALUATION 2007 INTERNAL CONTROL OBJECTIVES CONTROL TECHNIQUES V Substantiation (continued) 2b. Al] claims processed by a "Plan Manager In Training" are audited prior to check release. VI Physical Safeguards 1. Access to the transaction processing system should be permitted only in accordance with management's criteria. 2. Data files, programs and equipment aze organized, maintained and adequately protected from loss, destruction or misuse. 1. The data processing system utilizes security level codes for user's names and passwords. 2a. The Administrator utilizes on-site and off-site data processing back-up procedures. Daily back-ups are kept on site with four days kept in reserve. Weekly backups are kept off-site. 2b. All changes and updates to the data processing system are processed through CD-ROM discs received from Management Information Systems (MIS) division. On an emergency basis, a modem can be activated and utilized if required. Modem is only on during this process and is password protected. -20- ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT 1 TESTS OF SPECIFIC POLICIES AND PROCEDURES 2007 ' Introduction 1 As indicated in the Report of Independent Auditors, tests of specific controls were performed to obtain evidence about their effectiveness in meeting control objectives. The specific controls and the nature, timing, extent and results of the tests are presented below. I Oreanization 1. Policy and procedure tested: Persons involved in a Plan's acceptance and set-up are independent of the individuals ' responsible for processing claims. Control objective: ' The Administrator should be organized to provide adequate internal segregation of duties and functions. Test applied: We interviewed the Vice President as to the procedures of the Administrator. We observed personnel at work to substantiate their responsibilities as outlined during the ' interview. Results of test: Based upon the test performed, we noted persons involved in a Plan's acceptance and set-up to be independent of the processing personnel. I 2. Policy and procedure tested: Persons independent of the claims processing function are responsible for eligibility and enrollment of Plan participants. Control objective: The Administrator should be organized to provide adequate internal segregation of duties and functions. Test applied: We interviewed the Vice President as to the procedures of the Administrator. We observed personnel at work to substantiate their responsibilities as outlined during the interview. 1 -Zl_ ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT 1 TESTS OF SPECIFIC POLICIES AND PROCEDURES 2007 1 Results of test: Based upon the test performed, we noted persons responsible for eligibility and ' enrollment to be independent of the processing personnel. 3. Policy and procedure tested: ' Persons independent of claims processing receives, dates and batches all claim forms for control purposes. ' Control objective: The Administrator should be organized to provide adequate internal segregation of duties and functions. Test applied: We interviewed the Vice President as to the procedures of the Administrator. We observed personnel at work to substantiate their responsibilities as outlined during the interview. Results of test: Based upon the test performed, we noted persons involved in receiving, dating and batching incoming claim forms to be independent of the processing personnel. II Authorization I. Policy and procedure tested: Any changes to a Plan must be documented on the Plan Spreadsheet, approved and signed by the customer. Control objective: ' Adjustments to a Plan should be authorized in accordance with management's criteria. ' Test applied: A sample of enrollment forms fifty-seven (57) was chosen and the enrollment and eligibility of Plan participants was verified. Results of test: Based upon the test performed, we noted that enrollment forms were properly completed and signed by the insured. 1 -22- ISLAND GROUP ADMINISTRATION. INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT 1 TESTS OF SPECIFIC POLICIES AND PROCEDURES 2007 I III Transaction Processing 1. Policy and procedure tested: All claims for benefits must be properly completed to be processed. ' Control objective: Only those requests for benefits that meet management's criteria and are properly supported with the requisite documentation and authorization should be approved. ' Test applied: A sample of claim forms fifty-seven (57) were chosen and reviewed for proper 1 completion, including signature by claimant and medical provider (where there was no signature of claimant we noted "signature on file" reference), claimant' address, employer, social security number, etc. Results of test: Based upon the test performed, we noted claim forms were fully and properly ' completed. 2. Policy and procedure tested: Benefits are paid in accordance with the applicable Plan's guidelines. Control objective: ' Only those requests for benefits that meet management's criteria and are properly supported with the requisite documentation and authorization should be approved. Test applied: A sample of claim forms fifty-seven (57) were chosen and reviewed for propriety of benefit payments based on the participating provider fee schedules or standards established for choice providers. Results of test: ' Based upon the test performed, we noted that the most appropriate fee schedule was applied to claims processed. ' -23- 1 ISLAND GROUP ADMINISTRATION. INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT TESTS OF SPECIFIC POLICIES AND PROCEDURES 2007 3. Policy and procedure tested: When appropriate, coordination ofbenefits is addressed directly through the data processing system. I Control objective: Only those requests for benefits that meet management's criteria and are properly supported with the requisite documentation and authorization should be approved. Test applied: A sample of claim forms fifty-seven (57) were chosen and reviewed for proper. treatment of coordination ofbenefits. Results of test: Based upon the test performed, we noted coordination ofbenefits considerations, ' where applicable, were properly addressed. 4. Policy and procedure tested: ' When appropriate, for each college-aged dependent, the Plan participant has to provide the Administrator with a "Student Verification Form" filled out by the Plan participant and the school registrar for each semester. Control objective: Only those requests for benefits that meet management's criteria and are properly ' supported with the requisite documentation and authorization should be approved. Test applied: L A sample of Student Verification Forms two (2) were chosen and college-age claimants were tested for proper documentation of eligibility. Results of test: Based upon the test performed, we noted college status was properly addressed by the Plan managers. ' S. Policy and procedure tested: Al] claims for benefits are submitted on standard claim forms, which have been ' specifically prepared for each Plan. Control objective: Requests for benefits should be accurately and promptly processed. ' -24- ISLAND GROUP ADMINISTRATION. INC. ' SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT TESTS OF SPECIFIC POLICIES AND PROCEDURES ' 2007 Test applied ' A sample of claim forms fifty-seven (57) were chosen and reviewed to ensure proper standazdized claim forms were utilized. Results of test: Based upon the test performed, we noted standard claim forms were utilized by both the participating providers and choice providers. 6. Policy and procedure tested: The Plan Managers maintain a log of how many claims are received and processed each day for productivity evaluation purposes. Control objective: Requests for benefits should be accurately and promptly processed. Test applied: 1 A sample of claim forms fifty-seven (57) were chosen and reviewed to ensure that they were properly completed and promptly processed. ' Results of test: Based upon the test performed, we noted incoming claims were promptly processed and properly completed. 7. Policy and procedure tested: The Administrator reviews and assesses the correct administration fees according to specific plan agreements. Control objective: ' Billing was correctly calculated according to the number of members along with plan provisions. Test applied: A sample often (10) bills were chosen and reviewed for proper approval along with the attachment of the invoices and plan agreements with clients indicating administration fees and number of members. Results of test: Based upon the test performed, we noted all members were documented, administration fees were correctly calculated and they agree with each of the client's specific plan agreements. ' -25- ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT TESTS OF SPECIFIC POLICIES AND PROCEDURES 2007 S. Policy and procedure tested: Providers must complete the applicable application and provide the requisite information. Control objective: All members within the Participating Provider Network should be properly validated and credentialed. Test applied: A sample of medical providers ten (10) were chosen and reviewed for proper documentation. Results of test: Based upon the test performed, we noted proper documentation was obtained and maintained for medical providers. IV Substantiation 1. Policy and procedure tested: Participant enrollment forms are reviewed for completeness and eligibility prior to systems input. Control objective: Detailed Plan data which is entered in the data processing system should be periodically substantiated and evaluated. Test applied: A sample of enrollment forms fifty-seven (57) was chosen and reviewed to ensure proper enrollment and eligibility of the claimant in the Plan. Results of test: Based upon the test performed, emollment and eligibility was properly established. -26- ISLAND GROUP ADMINISTRATION, INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT TESTS OF SPECIFIC POLICIES AND PROCEDURES ' 2007 ' 2. Policy and procedure tested: Periodically, an audit of the processing of claim forms is performed for all Plan ' Managers. Coutrol objective: Recorded Plan benefit transactions activity should be periodically substantiated and evaluated. Test applied: We interviewed the Vice President as to the procedures of an audit. We observed personnel at work to substantiate their responsibilities as outlined during the ' interview. Results of test: Based upon the test performed, we noted that audits are performed to ensure Plan Managers are following proper procedures. V Physical Safeeuard 1. Policy and procedure tested: The data processing system utilizes security level codes for user's names and passwords. Coutrol objective: Access to the transaction processing system should be permitted only in accordance ' with management's criteria. Test applied: ' We interviewed the Vice President as to the procedures of the Administrator. We observed personnel at work to substantiate their responsibilities as outlined during the interview. ' Results of test: Based upon the test performed, we noted that users of the Administrator's data processing system are assigned unique user names and passwords for access. -27- ISLAND GROUP ADMINISTRATION. INC. SELF-FUNDED EMPLOYEE BENEFITS PLAN DEPARTMENT TESTS OF SPECIFIC POLICIES AND PROCEDURES 2007 2. Policy and procedure tested: Data processing operators perform a daily back-up of systems data. Control objective: Data files, programs and equipment are organized, maintained and adequately protected from loss, destruction or misuse. Test applied: We interviewed the Vice President as to the procedures of the Administrator. We observed personnel at work to substantiate their responsibilities as outlined during the interview. Results of test: Based upon the test performed, we noted a daily back-up of systems data was performed. -28-