
Review of Internal Controls over Reporting (ICOR) for CMS

Statement of Work

5/20/2020

CMS A-123 Technical Team

THE CENTERS FOR MEDICARE & MEDICAID SERVICES

STATEMENT OF WORK

Review of Internal Controls over Reporting of the

Centers for Medicare & Medicaid Services (CMS)

Table of Contents

I. Scope
   A. Background
   B. Description of CMS
   C. General Requirements
   D. Key Personnel
Part One - ICOFR
   A. Purpose
   Step A: Plan and Scope the Evaluation
      1. Establish the Assessment Process
      2. Identify Significant Financial Reports
      3. Define Materiality
      4. Identify Significant Accounts
      5. Identify Significant Components and Locations
      6. Identify the Relevant Financial Statement Assertions and Risks
      7. Identify the Major Transaction Cycles
      8. Link Accounts and Transaction Cycles
      9. Crosswalk of Applications to Cycle Memos
      10. Work Products and Documentation (Deliverables)
   Step B: Document Controls and Evaluate Design of the Controls
      1. Identify Related Laws and Regulations
      2. Document Key Controls at the Entity Level
      3. Identify and Document Key Controls at the Major Transaction Cycle, Sub-Cycle or Account Level
      4. Obtain and Document the Business Owner's Concurrence
      5. Evaluate the Design of Key Controls
      6. Work Products and Documentation (Deliverables)
   Step C: Test Operating Effectiveness
      1. Define and Document the Testing Approach
      2. Test of the Key Controls
      3. Test Compliance with Related Laws and Regulations
      4. Evaluate the Operation of the Controls
      5. Work Products and Documentation (Deliverables)
   Step D: Identify and Address Deficiencies in the Current Review; Validate Prior A-123, CFO, and Other CAPs for CMS Contractors, SSMs, DCs, and Baltimore Applications; and CMS Locations
      1. Interpret the Results
      2. Categorize the Types of Control Deficiencies
      3. Assist in Creating Current Year Corrective Action Plans to Remedy Deficiencies and Test Remediated Controls
      4. Requirements for a CAP Follow Up Review at CMS Contractors, SSMs, DCs, and Baltimore Applications
      5. Validation of Prior A-123 CAPs and Selected CMS CAPs
      6. Work Products and Documentation (Deliverables)
   Step E: Report on Internal Controls over Financial Reporting
      1. Submit Required Reports to HHS
      2. Initial Assurance Statement
      3. Interim Supporting Narrative
      4. Updated Assurance Statement
      5. Work Products and Documentation (Deliverables)
   CMS Required Report Guidelines and Deliverable Task
      1. Contractor and CMS Initial Meeting
      2. Entrance Conferences with CMS Locations, Contractors, Baltimore Applications, DCs, and SSMs
      3. A-123 Weekly Status Meetings
      4. Monthly Status Reporting
      5. Project Work Plan (PWP)
      6. Planning/Scoping Document and Assessment Process Documentation
      7. On-Site Activities
      8. A-123 Internal Control over Financial Reporting Education
      9. Documentation on Internal Control over Financial Reporting
      10. Evaluation of Design and Test of Operating Effectiveness
      11. Conduct A-123 Presentations, as Required, to the Risk Management and Financial Oversight Committee (RMFOC); CFO Audit Support; and Other Needed Support
      12. Final Exit Conference for CMS Selected Locations, Baltimore Applications, Contractors, DCs, and SSMs
      13. Draft Report Issuance for CMS Locations, Baltimore Applications, Contractors, DCs, and SSMs
      14. Final Report Issuance for CMS Locations, Baltimore Applications, Contractors, DCs, and SSMs
      15. Results of Testing and Interim Assurance Statement
      16. Report on Validation of Previous CMS A-123, CFO, and Selected CMS CAPs
      17. CAP Follow Up Reports
      18. Updated Assurance Statement and Supporting Information
      19. Documentation
      20. Required Reports
      21. Deliverable Instructions
Part Two - ICOR
   A. Objectives
   B. Purpose
   C. Work Products and Documentation (Deliverables)
Attachment A: Sample of Mapping of Controls
Attachment B: Crosswalk of Baltimore Office Applications to Cycle Memos Template
Attachment C: Schedule of Deliverables
Attachment D: HHS Appendixes

Table 1: List of Commonly Used Acronyms

A-123: OMB Circular No. A-123, Appendix A
ACA: Affordable Care Act
AFR: CMS Agency Financial Report
AHBE: American Health Benefit Exchange
ARS: CMS Acceptable Risk Safeguards
ATT: CMS A-123 Technical Team
BHP: Basic Health Program
BPSSM: Business Partners Systems Security Manual
CAATS: CMS Assessment/Audit Tracking Sheet
CAP: Corrective Action Plan
CCIIO: Center for Consumer Information and Insurance Oversight
CDL: Control Deficiency Log
CFACTS: CMS FISMA Controls Tracking System
CFO: Chief Financial Officer
CHIP: Children's Health Insurance Program
CISA: Certified Information Systems Auditor
CLIA: Clinical Laboratory Improvement Amendments of 1988
CMMI: Center for Medicare & Medicaid Innovation
CMS: The Centers for Medicare & Medicaid Services
CMSRs: CMS Minimum Security Requirements
COOP: Consumer Operated and Oriented Plan Program
COR: Contracting Officer's Representative
CPA: Certified Public Accountant / Accounting Firm
CPARS: Contractor Performance Assessment Reporting System
CPIC: CMS Certification Package of Internal Controls
CS: Contract Specialist
CUEC: Complementary User Entity Control
DC: Data Center
DD: Denotes the 2 digits of a day within a month (e.g. 01 through 31)
DME: Durable Medical Equipment
DOC: The Department of Commerce
EBDP: Entitlement Benefits Due & Payable
EIT: Electronic and Information Technology
FAR: Federal Acquisition Regulation
FBWT: Fund Balance with Treasury
FedRAMP: Federal Risk and Authorization Management Program
FFMIA: Federal Financial Management Improvement Act
FFS: Fee for Service
FIPS: Federal Information Processing Standards
FISCAM: Federal Information System Controls Audit Manual
FISMA: Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014
FMFIA: Federal Managers' Financial Integrity Act of 1982
FSTARS: CMS FMFIA Self-Assessment Questionnaire
FY: Fiscal Year
GAO: Government Accountability Office
HHS: The Department of Health and Human Services
HHSAR: Health & Human Services Acquisition Regulation
HI: Medicare Hospital Insurance
HIRR: Health Insurance Rate Review
HITECH Act: Health Information Technology for Economic and Clinical Health Act
HR: Human Resources
ICOFR: Internal Controls Over Financial Reporting
ICOR: Internal Controls Over Reporting
IOM: Internet Only Manual
IRS: Internal Revenue Service
IT: Information Technology
MAC: Medicare Administrative Contractor
MM: Denotes the 2 digits of a month (e.g. June = 06, July = 07, etc.)
MMA: Medicare Prescription Drug, Improvement and Modernization Act of 2003
MSPRC: Medicare Secondary Payer Recovery Contractor(s)
N/A: Not Applicable
NIST: National Institute of Standards and Technology
OFM: Office of Financial Management
OFPP: Office of Federal Procurement Policy
OIG: Office of Inspector General
OMB: Office of Management and Budget
OPDIV: Operating Division
PCIE: President's Council on Integrity and Efficiency
PP&E: Property, Plant, and Equipment
PUBS: Publications
PWP: Project Work Plan
RA: Risk Adjustment
RC: Risk Corridor
RDS: Retiree Drug Subsidy
RI: Reinsurance
RMFOC: Risk Management and Financial Oversight Committee
SCA: Security Controls Assessment
SCSIA: Statement of Changes in Social Insurance Amounts
SF: Standard Form
SIWGP: State Innovation Waivers Grant Program
SMI: Medicare Supplementary Medical Insurance
SOP: Standard Operating Procedure
SOSI: Statement of Social Insurance
SOW: Statement of Work
SP: Special Publication
SREW: State Relief & Empowerment Waivers
SSAE: Statement on Standards for Attestation Engagements
SSAE 18: Statement on Standards for Attestation Engagements Number 18
TBD: To Be Determined
TMTF: Treasury-Managed Trust Funds
US: United States
USCFOC: United States Chief Financial Officers Council
YY: Denotes the last 2 digits of a year (e.g. 20YY could be 2018, etc.)


*Note that this sample has been revised from the source document on the Government Point of Entry as necessary to align formatting and applicable FAR procedures.*

I. Scope

The contractor shall provide services in support of the Office of Management and Budget's (OMB) revised Circular No. A-123, Appendix A (A-123), Management of Reporting and Data Integrity Risk, review of internal controls over reporting (ICOR) within the Centers for Medicare & Medicaid Services (CMS) using a maturity model approach. This Statement of Work describes the general requirements; however, it is not meant to be all-inclusive. The Department of Health and Human Services (HHS) may provide additional A-123 guidance to CMS. If HHS provides additional guidance to CMS, CMS will distribute it to the CPA firm, and the CPA firm will be required to comply with it.

A. Background

The CMS management is responsible for developing and maintaining effective internal control to achieve effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. CMS is the nation’s largest health insurer and has a fiduciary responsibility to ensure that each dollar spent for benefits and/or administration of its programs is spent in the best interest of beneficiaries and the American taxpayers.

OMB issued a revised Circular No. A-123, Management's Responsibility for Internal Control, dated December 21, 2004, which was effective beginning in fiscal year (FY) 2006. OMB Circular A-123 was revised again in July 2016, and its title was changed to Management's Responsibility for Enterprise Risk Management and Internal Control. Appendix A of OMB Circular A-123 requires the heads of certain Federal agencies to annually document and assess internal controls over financial reporting (ICOFR) and to report the results in a management assurance statement similar to that required of publicly traded companies by the Sarbanes-Oxley Act of 2002. Appendix A provides a framework for management's use in documenting, assessing, and reporting on conclusions reached in evaluating an agency's ICOFR. Historically, HHS provided every operating division (OPDIV) with A-123 implementation guidance each year; the last implementation guidance received was in FY 2015.

Appendix A of OMB Circular A-123 was revised in June 2018, and the title was changed to Management of Reporting and Data Integrity Risk. It expands beyond ICOFR to internal control over reporting (ICOR). This update gives agencies the flexibility to determine which control activities are necessary to achieve reasonable assurances over internal controls and processes that support overall data quality contained in agency reports. Historically, CMS has primarily focused on ICOFR given the magnitude of CMS outlays. CMS will continue to focus on ensuring management has effective internal controls over financial reporting alongside implementing the objectives of the new Appendix. The revised circular encourages agencies to take a maturity model approach towards its implementation. This statement of work (SOW) considers the importance of this maturity level approach by allocation of labor hours between Parts One and Two of the SOW over the contract period.

B. Description of CMS

CMS, an OPDIV under HHS, administers Medicare, Medicaid, Prescription Drugs, the Children's Health Insurance Program (CHIP), the Clinical Laboratory Improvement Amendments of 1988 (CLIA), and provisions of the Patient Protection and Affordable Care Act (ACA) [0], and is one of the largest purchasers of health care in the world. Based on recent projections, Medicare and Medicaid (including state funding) represent 37 cents of every dollar spent on health care in the United States (US).

[0] On March 23, 2010, the Patient Protection and Affordable Care Act was signed into law. On March 30, 2010, the Health Care and Education Reconciliation Act of 2010 was also signed into law. The two laws are collectively referred to as the ACA.

CMS net outlays totaled approximately $1,080.7 billion in FY 2019. In FY 2019, the total net cost of operations was $1,087.3 billion, encompassing total benefit/program costs of $1,195.8 billion and operating costs of $6.5 billion. CMS establishes policies for program eligibility and benefit coverage, processes over one billion Medicare claims annually, provides prescription drug coverage, provides states with matching funds for Medicaid benefits, and monitors the quality of health care for beneficiaries.

CMS employs over 6,000 Federal employees in Baltimore, Maryland; Bethesda, Maryland; Washington, D.C.; and other offices throughout the continental US. CMS employees provide direct services to CMS contractors, State agencies, health care providers, beneficiaries, and the general public. CMS provides funds to CMS contractors; writes policies and regulations; sets payment rates; safeguards the fiscal integrity of the Medicare, Medicaid, and other health programs to ensure that benefit payments for medically necessary services are paid correctly the first time; recovers improper payments; assists law enforcement agencies in the prosecution of fraudulent activities; monitors contractor performance; develops and implements customer service improvements; provides education and outreach activities to beneficiaries and Medicare providers; surveys hospitals, nursing homes, labs, home health agencies and other health care facilities for compliance with Medicare health and safety standards; and assists the states and territories with Medicaid and CHIP.

CMS administers its programs through the use of third parties. The Medicare Advantage and Prescription Drug programs are administered through the use of Medicare Advantage Organizations, Prescription Drug Plans, and the Retiree Drug Subsidy (RDS) contractor. The Medicaid program and CHIP are administered through the states and territories. The Medicare Administrative Contractors (MACs)/Durable Medical Equipment (DME) MACs process Medicare fee-for-service claims, provide technical assistance to providers and service beneficiaries’ needs, and respond to inquiries. Additionally, Quality Improvement Organizations conduct a wide variety of quality improvement programs to ensure quality of care provided to Medicare beneficiaries.

In each fiscal year CMS may contract with a Certified Public Accountant (CPA) firm to conduct A-123 Appendix A internal control reviews. Separately, Statement on Standards for Attestation Engagements (SSAE) Number 18 (SSAE 18) examinations are conducted on the CMS Parts A/B and DME MACs. The results of those examinations will be considered when issuing the management assurance statement for A-123.

C. General Requirements:

1. The contractor shall perform work in accordance with this SOW and the following requirements at a minimum:

· The CPA firm and CMS's A-123 Technical Team (ATT) shall agree on a deliverable format if one is not specifically identified in the Deliverable Schedule (Attachment C);

· The Federal Managers' Financial Integrity Act of 1982 (FMFIA);

· OMB Bulletin No. 07-04, Audit Requirements for Federal Financial Statements;

· The most current HHS Guidance to Implement Appendix A of OMB Circular A-123;

· OMB Circular A-123, Appendix A guidance;

· GAO Framework for Assessing the Acquisition Function at Federal Agencies, September 2005;

· Federal Acquisition Regulation (FAR);

· HHS Acquisition Regulation (HHSAR);

· CMS Acceptable Risk Safeguards (ARS);

· CMS Business Partners Systems Security Manual (BPSSM) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-115 (Technical Guide to Information Security Testing and Assessment);

· Applicable Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM);

· NIST Federal Information Processing Standards (FIPS) Publications (PUBS);

· Federal Risk and Authorization Management Program (FedRAMP);

· Federal Information Security Modernization Act (FISMA);

· NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations);

· NIST SP 800-53A (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans); and

· NIST SP 800-30 (Guide for Conducting Risk Assessments).

2. Independently and not as an agent of the government, the Contractor shall furnish all the necessary services, qualified personnel, material, equipment, and facilities, not otherwise provided by the government, as needed to perform the requirements of this SOW.

Note: Comprehensive workpapers (including cycle memos, test plans, reports, etc.) from the prior fiscal year will be provided to the CPA firm.

3. The CPA firm shall provide a database that will house the A-123 workpapers, reports, cycle memos, and other supporting documentation. Workpapers shall contain sufficient information to enable an experienced auditor/accountant having no previous connection with this review to ascertain from them the evidence that supports the CPA firm's significant conclusions and judgments. The CPA firm shall store this information in such a way that it can be accessed by CMS immediately upon request. Final copies of the CPA firm's workpapers, reports, cycle memos, and documentation supporting the review shall be provided each year in a format agreeable to CMS. The contract will require the CPA firm to meet CMS information security requirements (see CMS Information Security Contract Clause / Provision).

D. Key Personnel:

Partner: Must be a CPA and have credentials relevant to this SOW, which include at least five years of experience in Medicare and Medicaid/CHIP operations, ten years of experience in American Institute of Certified Public Accountants (AICPA) consulting standards, and proficiency in internal controls and financial reporting for Medicare and Medicaid/CHIP. Experience at HHS OPDIVs or other Federal entities similar in size, magnitude, and complexity to CMS is required.

Project Director: Must have credentials relevant to this SOW, which include at least five years of experience in Medicare and Medicaid/CHIP operations, eight years of experience in AICPA consulting standards, and proficiency in internal controls and financial reporting for Medicare and Medicaid/CHIP.

Financial Manager: Must have a bachelor's degree in Accounting or another related business field, a minimum of five years of experience in Medicare and Medicaid/CHIP operations, five years of experience in AICPA consulting standards, and proficiency in internal controls and financial reporting for Medicare and Medicaid/CHIP.

Information Technology (IT) Manager: Must be a Certified Information Systems Auditor (CISA) with at least five years of experience at HHS OPDIVs or other Federal entities similar in size, magnitude, and complexity to CMS. The IT Manager shall demonstrate direct working knowledge of, at a minimum, FISMA, FISCAM, FedRAMP, and NIST guidance.

Part One - ICOFR

Financial reporting, as referred to in this SOW, includes CMS and CMS contractors’ basic financial statements, all required supplementary information, and all related schedules and disclosures, as included in the CMS Financial Report. The areas included under the financial reporting umbrella include the same areas audited during the CMS annual financial statement audit. For example,

1. Medicaid and CHIP grant award and expense reporting process,

2. Medicare Advantage (Part C) and Prescription Drug (Part D) payment calculation and review,

3. Estimates, projections and statements (e.g. Statement of Social Insurance (SOSI)) developed by the CMS Office of the Actuary,

4. Applicable Baltimore IT Applications,

5. Medicare contractors’ fee-for-service claims and financial operations (including Medicare contractors, Data Centers (DCs), Shared System Maintainers (SSMs), and/or business partners), and

6. Financial statement preparation by Office of Financial Management (OFM).

A. Purpose

The CPA firm shall:

· Prepare and/or enhance the agency-wide documentation of CMS including major transaction cycles; CMS contractors such as the Financial Services Support Contractor for Exchange Financial Activities, Retiree Drug Subsidy (RDS), and the Medicare Secondary Payer Recovery Contractor(s) (MSPRC); and financial and IT internal control processes used in financial reporting, including documentation of the financial reporting process and process level controls over financial reporting.

· Identify the key controls at CMS, CMS contractors, Baltimore applications, SSMs, and DCs that need to be evaluated and develop detailed review protocols for each area.

· Perform testing of the design and operating effectiveness of internal controls over financial reporting at CMS, CMS contractors, Baltimore applications, SSMs, and DCs, and identify any deficiencies in accordance with Appendix A of OMB Circular A-123.

· Develop Control Deficiency Logs (CDLs) and assist business owners in developing Corrective Action Plans (CAPs) for all identified issues.

· Develop work papers that provide sufficient detail to enable an experienced reviewer having no previous connection to the review to understand from the review documentation the nature, timing, extent, and results of the review procedures performed; the review evidence obtained and its source; and the conclusions reached.

· Provide support to the CMS financial statement audit in order to minimize duplication of efforts, and create a more efficient review and audit process. Activities will include, but not be limited to, coordinating on-site activities to include CFO auditor participation/observation (i.e., activities such as planning, scoping, testing approach, walkthroughs of processes, documentation, and testing), making A-123 workpapers and copies available, responding to audit questions, and attending meetings to discuss A-123 and CFO topics.

· For the Exchange and Other Related Programs, the Premium Stabilization Program, Basic Health Program (BHP), the State Innovation Waivers Grant Program (SIWGP)/State Relief & Empowerment Waivers (SREW) (Section 1332), as well as other ACA Programs, in addition to providing support to the CFO audit, it will be necessary to provide support to various reviews and audits which could involve an array of stakeholders such as the Internal Revenue Service (IRS), Government Accountability Office (GAO), Office of Inspector General (OIG) and others. Activities will include, but not be limited to, coordinating activities to include stakeholder participation/observation (i.e., activities pertaining to the 5 step A-123 process), making A-123 workpapers and copies available, responding to audit and other questions, and conducting/attending meetings and presentations as needed.

This SOW relating to ICOFR includes the following Steps:

A. Plan and Scope the Evaluation;

B. Document Controls and Evaluate Design of the Controls;

C. Test Operating Effectiveness;

D. Identify and Address Deficiencies in the Current Review; Validate Prior A-123, CFO, and other CAPs for CMS Contractors, SSMs, DCs, and Baltimore applications; and all CMS locations; and

E. Report on Internal Controls over Financial Reporting.

Step A: Plan and Scope the Evaluation

1. Establish the Assessment Process

To ensure timely completion of its work, the CPA firm shall develop a Project Work Plan (PWP) of its technical approach of how it shall accomplish each task. The CPA firm shall create a calendar that reflects significant deadlines and establishes a status reporting process. The schedule (including deliverables) shall be aligned with the milestones established by HHS and CMS’s A-123 Technical Team (ATT). The CPA firm shall also ensure that any significant issues are brought to the attention of the Contracting Officer’s Representative (COR)/ATT.

2. Identify Significant Financial Reports

OMB Circular A-123 Appendix A mandates assurance on internal control related to the annual financial statements, as well as other significant internal or external financial reports. Other significant financial reports are those reports with a significant impact on decisions related to spending, budget, or other financial areas or reports used to determine CMS’ compliance with laws and regulations. Significant financial reports for the A-123 assessment will include reports submitted to CMS by the Medicare contractors. The assessment of internal controls over financial reporting will also include CMS quarterly and annual principal financial statements listed below.

Table 2: Listing of CMS Quarterly / Annual Principal Financial Statements

Quarterly/Annual Financial Statements

Balance Sheet

Statement of Net Cost

Statement of Changes in Net Position

Statement of Budgetary Resources

Notes to the Financial Statements (June and September Quarters)

Statement of Social Insurance (SOSI) (Annual)

Statement of Changes in Social Insurance Amounts (SCSIA)

The CPA firm and CMS shall consider including additional financial reports in the assessment of ICOFR and should integrate the ICOFR assessment with FMFIA and other control related activities already in place.

3. Define Materiality

When performing the assessment of ICOFR, A-123 requires the establishment of materiality levels that ensure the detection of significant misstatements.

The risk of material misstatement has four components:

1. Inherent Risk: The susceptibility of one or more financial statement assertions to a material misstatement;

2. Control Risk: The risk that misstatements will not be prevented or detected by the agency’s internal control (assessed separately for each significant financial statement assertion in each significant cycle or accounting application);

3. Combined Risk: The likelihood that a material misstatement would occur (inherent risk) and not be prevented or detected on a timely basis by the agency’s internal control (control risk); and

4. Fraud Risk: The risk of material misstatement due to fraudulent financial reporting or misappropriation of assets.

Internal control exists to address the risk of a material misstatement due to error (unintentional) or fraud (intentional). The CPA firm shall assess and document these risks at the overall financial statement level and at the financial statement assertion level for financial statement line items, classes of transactions and disclosures. Materiality for financial reporting is the magnitude of an error or misstatement in a financial report at which it would impact management's or users' decisions or conclusions based on that report.

Establishment of materiality levels will also take into consideration guidance from HHS.

HHS will use an overall (or planning) materiality level to assess the aggregated misstatements and deficiencies in internal control, while other materiality levels (design and disclosure) will be used to assess individual line items or components. These other levels of materiality will always be less than planning materiality.

When considering materiality from a quantitative aspect, internal assessment levels should be set lower than what is considered by external auditors. The GAO Financial Audit Manual provides a framework for auditors to use in determining materiality. A similar framework has been applied when determining materiality in testing for compliance with Appendix A. The following paragraphs describe each materiality level anticipated to be employed by HHS.

Materiality Base

The materiality base is the element of the financial statements that is considered to be most significant. Typically, total assets or expenses (net of adjustments for intragovernmental and offsetting balances) are used as the base. However, revenues, appropriations, or liabilities may also be used. HHS guidance references gross costs with the public as its materiality base for basic financial statements other than SOSI.

Planning Materiality

Planning materiality is the preliminary estimate of materiality in relation to the financial statements taken as a whole. It is also used to determine whether aggregated misstatements and deficiencies in internal control are material to the consolidated financial statements.

Design Materiality

Design materiality is the materiality level allocated to individual line items and disclosures. Design materiality is used to identify significant accounts and disclosures, and to determine the nature, timing and extent of testing. This type of materiality is a percentage of planning materiality.

Disclosure Materiality

Disclosure materiality is the threshold for determining whether an item should be reported or presented separately.

The CPA firm shall also evaluate the line items on its significant financial reports against these quantitative materiality levels. This could bring to the surface other line items to be considered for inclusion in the assessment process and might increase the scope of the ICOFR implementation.

Qualitative factors (those affected by seasonal or situational issues) must also be considered in determining materiality. Certain accounts or elements of a financial report may be significant due to the interest of Congress, OMB, or the public.

4. Identify Significant Accounts

Both qualitative and quantitative materiality concepts must be considered in determining the significant accounts. The significant financial statement accounts identified shall be mapped to major transaction cycles. At a minimum, the scope must include the significant financial statement accounts and transaction cycles per HHS guidance.
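The screening described in steps 3 and 4 above (derive planning, design and disclosure materiality from a base; flag line items that exceed design materiality or carry a qualitative interest; map the significant accounts to transaction cycles) can be made mechanical so the workpapers show why each account entered scope. The following is an added example, not part of the CMS SOW or HHS guidance. The SOW gives no percentages, so the 3%, 30% and 10% factors, the line items, balances and cycle names below are all constructed assumptions for illustration; the only rule taken from the SOW is that design and disclosure materiality must be lower than planning materiality.

```python
"""Materiality-based screening of significant accounts (added example).

Percentages, line items and balances are assumptions constructed for this
illustration; they are not CMS or HHS figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MaterialityLevels:
    base: float        # materiality base, e.g. gross costs with the public ($ millions)
    planning: float    # planning materiality: threshold for the statements as a whole
    design: float      # design materiality: threshold for individual line items
    disclosure: float  # disclosure materiality: threshold for separate presentation


def compute_materiality(base: float, planning_pct: float = 0.03,
                        design_pct: float = 0.30,
                        disclosure_pct: float = 0.10) -> MaterialityLevels:
    """Derive the three materiality levels from the base.

    All three percentages are assumptions. Design and disclosure materiality
    are expressed as fractions of planning materiality so that, as the SOW
    requires, they are always lower than planning materiality.
    """
    if base <= 0:
        raise ValueError("materiality base must be positive")
    if not (0 < design_pct < 1 and 0 < disclosure_pct < 1):
        raise ValueError("design/disclosure materiality must be below planning materiality")
    planning = base * planning_pct
    return MaterialityLevels(base=base, planning=planning,
                             design=planning * design_pct,
                             disclosure=planning * disclosure_pct)


@dataclass
class LineItem:
    name: str
    balance: float                # balance in $ millions (sign ignored for screening)
    cycle: str                    # major transaction cycle the account maps to
    qualitative_flags: tuple = () # e.g. ("Congressional interest",), per step 3's qualitative factors


@dataclass
class ScreeningResult:
    name: str
    cycle: str
    quantitatively_significant: bool  # |balance| >= design materiality
    qualitatively_significant: bool   # any qualitative flag present
    separate_disclosure: bool         # |balance| >= disclosure materiality

    @property
    def significant(self) -> bool:
        # Either criterion brings the account into the ICOFR scope.
        return self.quantitatively_significant or self.qualitatively_significant


def screen_accounts(items, levels: MaterialityLevels):
    """Evaluate every line item against design and disclosure materiality.

    Both criteria are recorded separately so the workpapers show whether an
    account is in scope because of its size, because of outside interest, or both.
    """
    results = []
    for item in items:
        bal = abs(item.balance)
        results.append(ScreeningResult(
            name=item.name, cycle=item.cycle,
            quantitatively_significant=bal >= levels.design,
            qualitatively_significant=bool(item.qualitative_flags),
            separate_disclosure=bal >= levels.disclosure))
    return results


def map_to_cycles(results):
    """Group the significant accounts by transaction cycle (step 4's account-to-cycle link)."""
    cycles = {}
    for r in results:
        if r.significant:
            cycles.setdefault(r.cycle, []).append(r.name)
    return cycles


def example_screening():
    """Run the screening on a constructed sample (hypothetical figures, not CMS data)."""
    levels = compute_materiality(base=1_000_000.0)  # planning 30,000; design 9,000; disclosure 3,000
    items = [
        LineItem("Medicare benefits payable", 45_000.0, "Medicare FFS"),
        LineItem("Medicaid grants payable", 12_500.0, "Medicaid/CHIP grants"),
        LineItem("Accounts receivable, net", 4_200.0, "Receivables"),
        LineItem("Property, plant and equipment", 450.0, "PP&E"),
        # Small balance, but flagged for outside interest: in scope on qualitative grounds.
        LineItem("Exchange user fees", 2_100.0, "ACA programs", ("Congressional interest",)),
    ]
    results = screen_accounts(items, levels)
    return levels, results, map_to_cycles(results)


if __name__ == "__main__":
    lv, res, cyc = example_screening()
    for r in res:
        print(f"{r.name:32s} significant={r.significant!s:5} "
              f"quant={r.quantitatively_significant!s:5} qual={r.qualitatively_significant!s:5} "
              f"disclose={r.separate_disclosure}")
    print(cyc)
```

In the sample run, "Accounts receivable, net" exceeds disclosure materiality but not design materiality, so it must be presented separately without being a significant account, while "Exchange user fees" is below both thresholds and enters scope only because of the qualitative flag. The separate quantitative and qualitative fields are what let a reviewer with no prior connection to the work see which rule pulled each account in.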

5. Identify Significant Components and Locations

The planning/scoping documentation shall include a strategy for performing work related to CMS's locations (including CCIIO programs located in Bethesda, Maryland), other selected CMS locations, selected CMS contractors, SSMs, and DCs. The CPA firm shall consider any available SSAE 18 and CFO audits in planning and scoping the evaluation, and shall review CMS contractors on-site as selected by CMS, in addition to on-site reviews at selected CMS locations, SSMs, and selected DCs. The scope of CMS contractors, SSMs, and DCs is subject to future adjustment. In addition, the planning/scoping document shall document the strategy for identifying and evaluating 1) IT systems related to major transaction cycles, and 2) IT security.

6. Identify the Relevant Financial Statement Assertions and Risks

Identify the Relevant Financial Statement Assertions

The following are the types of financial statement assertions that may be inherent in the significant accounts:

· Existence and Occurrence: All reported transactions actually occurred during the reporting period and all assets and liabilities exist as of the reporting date;

· Rights and Obligations: All assets are legally owned by the agency and all liabilities are legal obligations of the agency;

· Completeness: All assets, liabilities and transactions that should be reported have been included, and no unauthorized transactions or balances are included;

· Valuation: Assets, liabilities, revenue and expenses have been included in the financial statements at appropriate amounts. Where applicable, all costs have been properly allocated;

· Presentation and Disclosure: The financial report is presented in the proper form and any required disclosures are present; and

· Other Assertions: Such as compliance (transactions are in compliance with applicable laws and regulations), safeguards (all assets have been reasonably safeguarded against fraud and abuse), or documentation (documentation of internal control testing and all transactions and other significant events are readily available for examination).

Not all assertions will be significant to all accounts. However, each assertion is applicable to every major transaction cycle and all associated assertions must be covered to avoid any control gaps. These assertions shall be documented in the Control Matrix (Appendix II of HHS Guidance).

Risk Assessment

Tools used to identify conditions or “red flags” that may signal a risk of material misstatements shall include, but not be limited to the following:

· Self-assessment questionnaires, evaluations, or surveys;

· Surveys or self-assessments by external providers, such as the CMS Certification Package of Internal Controls (CPIC) submitted by CMS contractors;

· Automated tracking of assessments, such as the CMS FMFIA Self-Assessment Questionnaire (FSTARS) program;

· GAO Internal Control Management and Evaluation Tool;

· Capital Planning and Investment Control reviews that examine a system’s lifecycle;

· CMS Financial Report, including the prior year(s) “Report of Independent Auditors on Internal Control”, and HHS Agency Financial Report (AFR);

· Relevant SSAE 18 audits (e.g. MACs, Medicare Contractors, etc.);

· Medicare Prescription Drug, Improvement and Modernization Act of 2003 (MMA) Section 912 Reviews and GAO/Office of Inspector General (OIG) reports/audits/reviews; and

· FISMA audits.

The CPA firm shall prepare and submit a graph that depicts an overall view of CMS’s risk in accordance with the HHS Guidance for OMB Circular A-123 Assessments.

Risks shall be recorded in the Control Matrix (Appendix II of HHS Guidance). Next, the conditions should be rated as to the likelihood of occurrence (high, medium, or low) and the possible magnitude of the misstatement (high, medium, or low) and the risk of fraud (yes or no). The CPA firm may customize the risk assessment process to meet CMS’s needs and integrate it into the overall management/internal controls process as long as it accomplishes the overall intent of this paragraph.

Since risks are associated with each type of assertion, the CPA firm must review each significant account and determine the type of material error or misstatement that may occur for each assertion. The results of the evaluation of these assertions and identification of risks will help determine the types of controls that shall be assessed and the tests that will need to be performed during the subsequent steps in the ICOFR assessment (i.e., Document Controls and Evaluate Design, and Test Operating Effectiveness).

The Control Matrix (Appendix II of HHS Guidance) lists the risks for an account or line item and the key controls that cover the assertions and cross-references the controls to the risks they address. The key controls should be numbered and listed. This information enables reviewers to quickly determine if there is an identified risk for which there is no key control to mitigate the risk. A determination will need to be made to ensure the risk is valid and, if so, that either a related control exists or the gap in the ICOFR is listed and remedied.
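A gap check over the Control Matrix structure described above (risks per account and assertion, numbered key controls cross-referenced to the risks they address, each risk rated for likelihood, magnitude, and fraud). This is example code added here, not part of the SOW or any HHS/CMS tool; the cycles, risks, and ratings are constructed, and the priority score is this example's own convention rather than a rule from the guidance.

```python
from dataclasses import dataclass

# The five core assertions listed in the SOW. The "Other Assertions" category
# (compliance, safeguards, documentation) is cycle-specific and omitted here.
ASSERTIONS = (
    "Existence and Occurrence",
    "Rights and Obligations",
    "Completeness",
    "Valuation",
    "Presentation and Disclosure",
)
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    cycle: str          # major transaction cycle
    account: str        # significant account / line item
    assertion: str      # one of ASSERTIONS
    description: str
    likelihood: str     # high / medium / low
    magnitude: str      # high / medium / low
    fraud: bool         # risk of fraud: yes / no


@dataclass(frozen=True)
class KeyControl:
    control_id: str     # control number as it appears on the Control Matrix
    description: str
    kind: str           # "preventive" or "detective"
    mode: str           # "automated" or "manual"
    frequency: str      # e.g. per transaction, monthly, annual
    risks_addressed: tuple  # risk ids cross-referenced on the matrix


def validate(risks, controls):
    """Return textual problems: unknown assertions or ratings, and control
    cross-references pointing at risk ids that are not on the matrix."""
    problems = []
    known = {r.risk_id for r in risks}
    for r in risks:
        if r.assertion not in ASSERTIONS:
            problems.append(f"{r.risk_id}: unknown assertion {r.assertion!r}")
        for lvl in (r.likelihood, r.magnitude):
            if lvl not in LEVEL:
                problems.append(f"{r.risk_id}: rating must be high/medium/low, got {lvl!r}")
    for c in controls:
        for rid in c.risks_addressed:
            if rid not in known:
                problems.append(f"{c.control_id}: references unknown risk {rid}")
    return problems


def unmitigated_risks(risks, controls):
    """Identified risks for which no key control is cross-referenced."""
    covered = {rid for c in controls for rid in c.risks_addressed}
    return [r.risk_id for r in risks if r.risk_id not in covered]


def assertion_gaps(risks, controls):
    """(cycle, assertion) pairs with no mitigated risk. Every assertion applies
    to every major transaction cycle, so each pair needs at least one risk that
    is covered by a key control."""
    covered = {rid for c in controls for rid in c.risks_addressed}
    have = {(r.cycle, r.assertion) for r in risks if r.risk_id in covered}
    cycles = sorted({r.cycle for r in risks})
    return [(cy, a) for cy in cycles for a in ASSERTIONS if (cy, a) not in have]


def prioritize(risks):
    """Order risk ids for follow-up: fraud risks first, then likelihood x
    magnitude. This scoring is an assumption of the example, not SOW guidance."""
    return [r.risk_id for r in
            sorted(risks, key=lambda r: (r.fraud, LEVEL[r.likelihood] * LEVEL[r.magnitude]),
                   reverse=True)]


# Constructed sample matrix (not real CMS data).
RISKS = (
    Risk("R1", "Medicare FFS", "Benefit Payments", "Existence and Occurrence",
         "Claims paid for services not rendered", "medium", "high", True),
    Risk("R2", "Medicare FFS", "Benefit Payments", "Completeness",
         "Adjudicated claims not recorded in the period", "low", "high", False),
    Risk("R3", "Medicare FFS", "Benefit Payments", "Valuation",
         "Fee schedule applied incorrectly", "medium", "medium", False),
    Risk("R4", "Medicare FFS", "Benefit Payments", "Rights and Obligations",
         "Payments issued to a party other than the obligee", "low", "medium", True),
    Risk("R5", "Medicare FFS", "Benefit Payments", "Presentation and Disclosure",
         "Payments misclassified in footnote disclosures", "low", "low", False),
    Risk("R6", "FBWT", "Fund Balance with Treasury", "Completeness",
         "Treasury activity not reconciled to the general ledger", "medium", "high", False),
    Risk("R7", "FBWT", "Fund Balance with Treasury", "Existence and Occurrence",
         "Disbursements recorded that Treasury did not process", "low", "high", False),
)
CONTROLS = (
    KeyControl("C-01", "Automated claim edits reject ineligible and duplicate claims",
               "preventive", "automated", "per transaction", ("R1",)),
    KeyControl("C-02", "Monthly reconciliation of claims adjudicated to claims recorded",
               "detective", "manual", "monthly", ("R2",)),
    KeyControl("C-03", "Quarterly validation of pricing tables against published fee schedules",
               "preventive", "manual", "quarterly", ("R3",)),
    KeyControl("C-04", "Monthly FBWT reconciliation to Treasury statements",
               "detective", "manual", "monthly", ("R6", "R7")),
)

if __name__ == "__main__":
    print("problems:", validate(RISKS, CONTROLS))
    print("risks without a key control:", unmitigated_risks(RISKS, CONTROLS))
    for cycle, assertion in assertion_gaps(RISKS, CONTROLS):
        print(f"gap: {cycle} / {assertion}")
    print("follow-up order:", prioritize(RISKS))
```

Each reported gap is a candidate entry for the Control Deficiency Log once the reviewer confirms the risk is valid and no mitigating control exists elsewhere in the cycle.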

In addition, a Complementary User Entity Controls (CUECs) analysis shall be performed to assess appropriateness of CUECs and to develop a mapping of MAC SSAE 18 reports' CUECs to CMS internal controls to ensure they are tested in A-123.

7. Identify the Major Transaction Cycles

A major transaction cycle is a business process for which the quantity and dollar volume of transactions is so great that if a material error occurred in the process, it would affect financial decisions. The major transaction cycles associated with significant financial statement line items must include those that HHS and CMS ATT have identified for the internal control over financial reporting evaluation. The CPA firm, using a risk-based approach, will recommend which transaction cycles should be included in scope in each fiscal year for the assessment of internal control over financial reporting. The CPA firm shall provide the supporting documentation used for the risk assessment determination. Historically, cycles that have been considered under ICOFR include, but are not limited to, the following:

· Basic Health Program (BHP)

· Budget (including Government Charge Card)

· Children’s Health Insurance Program (including processes and locations outside of Baltimore)

· Center for Medicare and Medicaid Innovation (CMMI)

· Contingent Liabilities

· Financial Reporting

· Fund Balance with Treasury (FBWT)

· Health Information and Technology for Economic and Clinical Health Act (HITECH Act), Medicaid only.

· Human Resources (HR)

· Travel

· Innovation Payment Contractor (IPC)

· Medicaid (Including processes and locations outside of Baltimore)

· Medicaid and Entitlement Benefits Due & Payable (EBDP)

· Medicare Hospital Insurance (HI)/Supplementary Medical Insurance (SMI) Fee for Service (FFS) (including processes and locations outside of Baltimore)

· Medicare Advantage (Part C) (including processes and locations outside of Baltimore)

· Medicare EBDP

· Property, Plant, and Equipment (PP&E)

· Prescription Drug Program (Part D) (including processes and locations outside of Baltimore)

· Statement of Social Insurance (SOSI)

· Treasury Managed-Trust Funds (TMTF)

· Consumer Operated and Oriented Plan Program (COOP)

· Health Insurance Rate Review (HIRR) Grant Program

· Exchange (Note: The A-123 review and cycle memo will also encompass financial activities performed by third party contractor(s))

· Premium Stabilization Program (Note: CMS anticipates that the CPA firm will review Risk Adjustment (RA), including several functions related to the EDGE server, using the 5 step A-123 process.)

· 1332 State Innovation Waiver Grant Program

The CPA firm shall ensure that all significant financial statement accounts are covered and all significant financial key controls are considered and identified. In addition, it is anticipated that new processes or cycles may be identified as part of the scope in any given year. For any new processes or cycles, the CPA firm shall document (i.e., develop cycle memos) and test, accordingly.

8. Link Accounts and Transaction Cycles

The significant financial statement accounts identified must be linked to the transaction cycles that provide the source data. This step ensures that a transaction cycle has been associated with all significant accounts.

9. Crosswalk of Applications to Cycle Memos

The CPA firm shall create a separate Attachment (see Attachment B) to the IT test plan to identify and crosswalk all applications (all systems and their related sub-systems) to each of the cycle memos and highlight which applications will be tested under A-123 based on: (1) materiality, (2) prior year findings, and (3) risk level (high to medium). Additionally, the CPA firm shall complete the FFMIA System Inventory (Appendix XVIII).

10. Work Products and Documentation (Deliverables)

As a result of the aforementioned steps, the scope of the fiscal year review will be determined. The following is a list of work products that shall be prepared as a result of completing this step of the assessment:

· Project Work Plan

· Planning/Scoping Document

· Assessment Process Documentation

· Risk Assessment Chart (Appendix XVII of HHS Guidance)

· Control Matrix (Appendix II of HHS Guidance)

· Crosswalk of Applications to Cycle Memos (Attachment B)

· FFMIA System Inventory (Appendix XVIII of HHS Guidance).

Step B: Document Controls and Evaluate Design of the Controls

The CPA firm shall review and update the documentation of ICOFR at the process (or transaction) level for CMS locations, Baltimore Applications, Contractors, DCs, and SSMs in scope. The CPA firm shall also leverage existing available documentation, including, but not limited to, documentation from other audits or reviews such as external financial statement auditors (including the prior year(s) “Report of Independent Auditors on Internal Control”), SSAE 18 audits, CPIC, FFMIA, FISMA, 912 evaluations, Security Control Assessments (SCAs), GAO/OIG audits, and existing A-123 compliance efforts. As a result of previous A-123 efforts, cycle memos were developed that document internal controls at the transaction level. CMS contractor cycle memos and other control documentation should be available upon the CPA firm’s arrival on-site at CMS contractor locations. The CPA firm shall review and update these cycle memos/documentation.

1. Identify Related Laws and Regulations

The first step in documenting internal controls is to identify significant provisions of laws and regulations that could have a direct and material effect on the financial statements. In addition, the GAO/President’s Council on Integrity and Efficiency (PCIE) Financial Audit Manual recommends considering any other general or entity-specific laws.

2. Document Key Controls at the Entity Level

The CPA firm shall review and update CMS entity-level controls using current HHS methodology. Evaluation at the entity-wide level provides information that aids in determining the nature and extent of internal control testing that may be required at the transaction cycle level. Consideration must be given to the five internal control components that are described in the HHS Guidance.

3. Identify and Document Key Controls at the Major Transaction Cycle, Sub-Cycle or Account Level

Documentation shall be prepared in the form of a cycle memo that reflects an understanding, from beginning to end, of the underlying processes and document flows involved in each major transaction cycle. These would be the processes for initiating, authorizing, recording, processing and reporting accounts and transactions that affect the financial reports. Major transaction cycle narratives and flowcharts shall identify the major IT system involved; the IT controls shall be documented separately.

Because some transaction cycles flow from one OPDIV to another, the CPA firm shall coordinate the documentation of affected transaction cycles and identification of key controls, e.g., the Payment Management System.

Documenting Key Controls over Major Transaction Cycles

Cycle memos shall be used to document the understanding of major transaction cycles, and they shall include narratives, flowcharts, and control matrices.

A major transaction cycle narrative is a written summary of the transaction process. For each major transaction cycle, the narrative describes:

· The initiation point;

· The processing type (e.g., automated versus manual, preventative versus detective);

· The completion point;

· Other data characteristics such as source; receipt; processing; and transmission;

· Key activities/class of transactions within the process;

· Controls in place to mitigate the risk of financial statement errors;

· Supervisor/manager review; process and calculations performed in preparation of financial reporting; and process outputs;

· Use of computer application controls and general IT controls over spreadsheets/data used in the preparation of financial reporting;

· Identification of errors; types of errors found; reporting errors; and resolving errors; and

· Ability of personnel to override the process or controls.

The CPA firm shall review, validate, and/or update the key controls within the major transaction cycle. Controls are the specific policies, procedures, and activities that are established to manage or mitigate risks identified in the risk assessment process. Key controls are those controls designed to meet the control objectives and cover management’s financial statement assertions. In other words, they are the controls that management relies upon to prevent and detect material errors and misstatements. In addition, as part of the control identification process, the CPA firm shall identify redundant controls or controls that are ineffective and recommend eliminating them.

The Control Matrix (Appendix II of HHS Guidance) lists management’s assertions, control characteristics such as frequency, preventive/detective or automated/manual, and the significance of controls.

IT Controls

For each major transaction cycle, the CPA firm shall identify and document all applications and systems processing environments (see Attachment B) and recommend, based on risk, materiality, and prior audit/review findings (including findings in the prior year(s) “Report of Independent Auditors on Internal Control”), which major Baltimore Office applications and/or systems shall be reviewed. The evaluation of the control structure with respect to systems should be included in the assessment. The control structure will include processes such as access controls, computer operations, and change management. IT controls that relate directly to transaction cycles shall be documented separately to aid in the evaluation. In addition, ICOFR are frequently embedded within software applications. These should be reflected on the previously discussed Control Matrix (Appendix II of HHS Guidance).

Technology-based (automated) controls shall be assessed and key controls in the IT applications and system designs shall be identified, as CMS significantly relies on IT systems to process financial transactions and report the associated financial information. To support its assessment of ICOFR, the CPA firm shall ensure that applicable IT system components, such as automated calculations, accumulations, interfaces and reports are operating effectively.

The CPA firm shall make sure the entire major transaction cycle process is documented. The CPA firm shall integrate other review processes in the evaluation of the IT controls over ICOFR. Processes used to comply with FFMIA and FISMA serve as a foundation for documenting and evaluating IT controls.

Computerized operations can introduce additional risk factors not present in manual systems. The CPA firm shall consider the following factors and assess the overall impact of computer processing on inherent risk.

· Uniform processing of transactions;

· Automatic processing;

· Increased potential for undetected misstatements;

· Existence and completeness of the audit trail;

· Nature of the hardware and software used; and

· Unusual or non-routine transactions.

Assessing IT Risk

The general methodology that shall be used to assess computer-related controls involves evaluating:

· General controls at the entity-wide and installation levels;

· General controls as they are applied to the application being examined; and

· Application controls, which are the controls over input, processing, and the output of data associated with individual applications.

As part of assessing control risk, the CPA firm shall make a preliminary assessment of whether computer-related controls are likely to be effective using NIST Special Publication 800-30, Risk Management Guide for IT Systems. This assessment may be based on discussions with personnel throughout the entity (program managers, system administrators, information resource managers, and system security managers). Preliminary assessments may also take the form of observations of computer-related operations or reviews of written policies and procedures. Regardless of the method, the protocols must be in compliance with guidelines set forth in the ARS or CMS’ Minimum Security Requirements (CMSRs). Controls that are not properly designated or would not be effective may indicate weaknesses that are required to be reported.

Based on the assessment of inherent and control risks, including the preliminary evaluation of computer-based controls, the CPA firm should identify the general controls that are properly designed and should be tested to determine if they are operating effectively.

General Controls

There are five major categories of general controls that shall be considered:

· Security management;

· Access controls;

· Configuration Management;

· Segregation of duties; and

· Contingency Planning.

Application Controls

There are four major categories of business process application controls that should be considered:

· Application security;

· Business Process Controls;

· Interface Controls; and

· Data management System Controls.

The objective of application level general controls is to help management assure the confidentiality, integrity, and availability of information assets, and provide reasonable assurance that application resources and data are protected against unauthorized:

· Modification;

· Disclosure;

· Loss; and

· Impairment.

Mapping of Current IT Audits and Reviews

The CPA firm shall create a mapping of current year IT audits, reviews, and/or independent FISMA evaluations to the appropriate ARSs or CMSRs for each of the selected sites and applications. This mapping shall be the basis for each of the sites and application test plans. The CPA firm shall create an ongoing database which would map new reports and findings as received along with the controls tested.

The mapping of IT controls (see Attachment A) shall include at a minimum:

· Control Family (e.g., access controls);

· Applicable CMSR or ARS number;

· FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (high, medium, or low);

· IT audit or review leveraged (with identifying date of report used);

· Whether the audit or review leveraged control passed or failed;

· Recommendation if control shall be tested under A-123 (yes or no).

Documenting IT Controls

Workpapers shall contain documentation such as copies of written policies and procedures, written memoranda, flowcharts of system configurations and significant processes identifying key internal controls, etc. The documentation shall identify the control objectives and related control points designed to achieve those objectives. The CPA firm shall assist with the completion of, and have CMS Business Owners (Major Applications and General Support System), CMS Contractors, SSMs, and DCs sign the HHS A-123 Appendix D FFMIA System Compliance Evaluation Tool (Appendix IX of HHS Guidance). Workpapers shall be maintained in accordance with guidelines set forth in CMS Information Security Testing Approach. Reports shall be prepared for each entity or system using CMS Reporting Standard for Information System Testing.

4. Obtain and Document the Business Owner’s Concurrence

Before finalizing the documentation of a major transaction cycle, the CPA firm shall review the documentation with the business owners to ensure that key controls are identified and appropriately address the identified risks. Because the accuracy of the documentation and the identification of key controls are so critical, sign off from business owners shall be obtained on each document, attesting to its accuracy.

5. Evaluate the Design of Key Controls

After documenting key controls, the CPA firm shall evaluate the design of the controls. A control gap may be identified. A control gap exists when a control for a given financial assertion does not exist, or does not adequately address a relevant assertion. If the transaction cycle documentation reveals the lack of an adequate control at a certain point in the cycle, the CPA firm shall determine if a secondary or mitigating control that would detect problems exists elsewhere in the cycle. Identifying such controls may enable the team to provide assurance on the ICOFR despite the lack of a primary control. The lack of a control shall be documented on the Control Deficiency Log (Appendix V of HHS Guidance).

The CPA firm shall also assess the existing key controls to determine whether they are suitably designed to prevent or detect material errors or misstatements. This can be accomplished by performing a “walk-through.” A transaction cycle walk-through can be thought of as a “mini-test” that traces the transaction or process from beginning to completion. The walk-through should include selecting transactions and assessing whether the design of the control, assuming the control is properly executed, would detect errors or misstatements. Tests of design may include interviews, observations, inspection of documents (e.g., reports, completed forms), or inspection of screen prompts such as errors or warnings. During the walk-through, the CPA firm shall ensure that the major transaction cycle documentation and key controls identified are accurate and complete. If any deviations or omissions are detected, the process documentation shall be updated accordingly.

The results of the walk-through assessment of design shall be documented in a memorandum that includes the:

· Name and contact number of any person interviewed;

· Specific items selected for assessment;

· Control gaps identified;

· Results of the assessment; and

· Conclusion regarding whether the design of a control is effective or not.

The determination whether the design of a control is effective or not is a subjective judgment. Guidelines for the characterization are:

· Effective: The control is suitably designed to prevent or detect material errors or misstatements on a timely basis.

· Not Effective: The design of the control would not prevent or detect material errors or misstatements on a timely basis.

The documentation memorandum shall note an identifying number, amount, and date for each transaction reviewed. The control number shall be the same as it appears on the Control Matrix (Appendix II of HHS Guidance). The documentation shall be written in sufficient detail to enable another professional with similar experience and knowledge to re-perform the assessment using the same items. Summary documentation and conclusions will be recorded using the Design Matrix (Appendix III of HHS Guidance).

6. Work Products and Documentation (Deliverables)

The following is a list of work products that shall be prepared as a result of completing this step of the assessment:

· Process-level flowcharts, narratives (cycle memos) and Cycle Memo and Flowchart Checklist (Appendix X of HHS Guidance)

· Updated GAO Internal Control Management and Evaluation Tool (Appendix XI of HHS Guidance)

· Assessment of entity-level controls

· Mapping of Current IT Audits and Reviews (Attachment A)

· Control Matrix (Appendix II of HHS Guidance)

· Design Matrix (Appendix III of HHS Guidance)

· Control Deficiency Log (Appendix V of HHS Guidance)

· CMS’s FFMIA System Inventory

· Walk-through memoranda and supporting documentation

Note: The CPA firm will be provided the work products listed above resulting from the prior year assessment.

Step C: Test Operating Effectiveness

This phase requires testing the operation of the key controls that were identified in the major transaction cycle documentation and making a determination of whether the control is operating effectively or not effectively. The testing shall address both manual and IT controls.

1. Define and Document the Testing Approach

The CPA firm shall develop an overall testing strategy and a detailed test plan for each major transaction cycle for CMS, including selected locations and CMS contractors. In developing the overall testing strategy, the CPA firm shall describe, in a narrative form with supporting schedules, its detailed approach for conducting testing, including a description of the approach to test various financial statements and related footnotes as well as a description of sampling techniques to be used when conducting testing. In developing the detailed test plan, the CPA firm shall define a testing procedure for each key control. Steps included in the detailed test plan shall address relevant financial statement assertions. The test plan shall document the following: (a) relevant financial statement assertion; (b) detailed testing procedure performed; (c) source of the documents reviewed; (d) detailed description and number of samples selected; (e) date tested; (f) results; and (g) reference to the documentation for any test failures.

The CPA firm shall develop an IT test plan for each of the selected sites and applications tested (CMS contractors, DCs, SSMs, and Baltimore applications) subject to the task requirements that shall include the applicable CMS ARSs or CMSRs (which include the integration of such requirements as NIST, FISCAM, FedRAMP, FIPS, and other directives). Additionally, the CPA firm shall cross-walk the applicable CMSRs to the Internet Only Manual, Publication 100-6, Chapter 7, Medicare Financial Management Manual, Internal Control Requirements, Control Objective A, Information Systems control objectives and ensure each control objective is tested accordingly.

In addition, Attachment A, Mapping of the Controls, shall be completed for each selected site or application subject to the task requirements (e.g., CMS contractors, DCs, SSMs, and Baltimore applications) in order to document the leveraging of relevant reviews/audits.

During the testing of controls, if the CPA firm identifies an A-123 deficiency as a repeat finding the CPA firm shall reference the existing CAP number in the A-123 site report.

The CPA firm shall test all prior year(s) A-123 and CFO findings, and other findings provided by the ATT, to determine if the status of the finding has been corrected or not and document as part of the test plan.

Timing of Testing

Testing should occur throughout the year. The results of testing completed prior to and as of June 30th in any given fiscal year will form the basis of the June 30th assurance statement. As testing continues into the fourth quarter, the results of that testing, along with any items corrected since the June 30th assurance statement will be considered in the September 30th assurance statement update.

Extent of Testing

CMS and the CPA firm shall agree on the test plans prior to testing. The sampling methods and the minimum sample size for testing shall be based on the HHS Guidance for OMB Circular A-123 Assessments (provides testing sample sizes based on the operational frequency of controls: annual, quarterly, etc.) and are subject to approval by CMS. The CPA firm shall test IT controls by appropriate standards (CMS policies and procedures, e.g., ARSs and CMSRs) to complete task requirements. The CPA firm shall submit recommended sample sizes for manual and automated Financial and IT control activities for each site location (i.e., CMS Applications, Contractors, DCs, and SSMs) before testing commences. The extent of testing shall be documented in the test plan and signed off by the business owners as deemed necessary by the ATT.

2. Test of the Key Controls

The Internal Control Review shall address at a minimum the quarter beginning July 1 through the quarter ending June 30 of the current fiscal year. Draft results shall be submitted to the ATT no later than June 15 of the current fiscal year.

Once the test plan for each major transaction cycle has been developed, the CPA firm shall test controls to ensure that they are operating effectively and may be relied upon to ensure that the financial statement assertions are valid. Results of completed test plans shall be summarized and recorded in the Test Documentation Matrix (Appendix IV of HHS Guidance). The tests shall be documented in such a manner that they can be re-created, if necessary. Testing approach (including sample sizes) should follow the HHS Guidance. Workpapers shall meet requirements described later in this SOW under CMS Required Report Guidelines and Deliverable Tasks – Final Documentation.

The IT testing shall be documented in accordance with CMS Reporting Standards for Information System Testing (Note: CMS Reporting Standards for Information Systems Testing referenced throughout this document may be superseded by updated guidance). The review shall be conducted in accordance with, but not limited to, applicable FedRAMP, FISCAM, FISMA and NIST standards/guidance.

The CPA firm shall provide a database that will house the A-123 workpapers, reports, cycle memos, and other supporting documentation. Workpapers shall contain sufficient information to enable an experienced auditor/accountant having no previous connection with this review to ascertain from them the evidence that supports the CPA firm’s significant conclusions and judgments reached. The CPA firm shall store this information in such a way that it can be accessed by CMS immediately upon request. Final copies of the CPA firm’s workpapers, reports, cycle memos, and documentation supporting the review shall be provided each year in a format agreeable to CMS. The contract will require the CPA firm to meet CMS information security requirements (see CMS Information Security Contract Clause / Provision).

For each area reviewed, the CPA firm shall maintain an ongoing dialogue with the business owner(s)/stakeholder(s) regarding any findings and/or issues noted during the assessment. The CPA firm shall obtain business owner(s)/stakeholder(s) concurrence regarding A-123 deficiencies and work with the entity to develop the related CAPs.

If testing results in a finding, the CPA firm shall document the instance in the Control Deficiency Log (Appendix V of HHS Guidance). Findings will be discussed between the CPA firm and the ATT to determine the severity level (i.e., Control Deficiency, Significant Deficiency, or Material Weakness).

The CPA firm shall be involved in the coordination with the CFO Act auditors while on-site at the various locations. This shall include, but not be limited to, such activities as planning, scoping, testing approach, walkthroughs of processes, documentation, and testing.

The CPA firm shall conduct an Internal Control Review and CAP Follow-Up Review for all applicable CMS locations, Baltimore Applications, Contractors, DCs, and SSMs.

Requirements for the Internal Control Review at CMS Baltimore Applications, Contractors, DCs, and SSMs

1. The assessment shall include the following control objective areas as outlined in Internet Only Manual (IOM) Publication 100-6, Chapter 7 – Internal Control Requirements:

1. Control Objective A – Information Systems and the associated CMSRs

2. Control Objective B – Claims Processing

3. Control Objective F – Medical Review

4. Control Objective G – Medicare Secondary Payer (MSP)

5. Control Objective I – Provider Audit

6. Control Objective J – Financial

7. Control Objective K – Debt Referral

8. Control Objective L – Non MSP Debt Collection

2. The CPA firm shall provide a written report which includes an executive summary and the following listed sections:

Section 1: Introduction and Purpose;

Section 2: Summary Description (history, background, function, etc.);

Section 3: Planning and Scoping the Review;

Section 4: Test Results; and

Appendix 1: Details of Test Results.

The CPA firm shall conduct an entrance conference, a weekly status meeting, and an exit conference for CMS contractors, Baltimore Applications, selected CMS locations, SSM, and DCs. For each engagement, the CPA firm shall provide a written list of deficiencies at the exit conference.

3. The CPA firm shall assist with the completion of the HHS A-123 FFMIA System Compliance Evaluation Tool and Certification(s) (Appendix IX of HHS Guidance) for each Baltimore Application, DC, and SSM. Additionally, the CPA firm shall assist with the completion of CMS Assessment/Audit Tracking Sheet (CAATS) Template which is used to upload findings into CMS FISMA Controls Tracking System (CFACTS).

4. CMS Information Security Policies, Standards, and Procedures available on the CMS website, including, but not limited to:

1. CMS Information Security Policy

2. CMS Policy for the Information Security Program

3. CMS Information Systems Security and Privacy Policy (IS2P2) [Final 04/26/2016, Document #: CMS-CIO-POL-SEC-2016-0001]

4. CMS Standard/ ARS - Acceptable Risk Safeguards (ARS) [Final 11/21/2017, Document #: CMS_CIO-STD-SEC01-3.1]

5. CMS/Business Partner System Security Manual (BPSSM), Rev. 12 [Issued 11/15/2013, eCHIMP CR#: 8460]

3. Test Compliance with Related Laws and Regulations

The CPA firm shall consider the related laws and regulations that were identified in the documentation phase when formulating and executing test plans.

4. Evaluate the Operation of the Controls

Test results shall be summarized using the Test Documentation Matrix (Appendix IV of HHS Guidance) and for the IT testing the contractor shall use CMS Reporting Standards for Information System Testing. Based upon the results of testing, the CPA firm shall determine whether the operation of the control was effective or not effective and document this conclusion in the Test Documentation Matrix (Appendix IV of HHS Guidance).

5. Work Products and Documentation (Deliverables)

The following is a list of work products that shall be prepared as a result of completing this step of the assessment:

1. Test Approach and Detailed Test Plans (IT and Non-IT);

2. Test Documentation Matrix (Appendix IV of HHS Guidance) and documentation in accordance with CMS Reporting Standards for Information System Testing. Please refer to CMS website(s):

· HHS/CMS: CMS Information Security and Privacy Overview

· Information Security and Privacy Library

3. Attachment A: Mapping of the Controls;

4. CAATS Template;

5. Control Deficiency Log (Appendix V of HHS Guidance);

6. Internal Control Review Report for each selected CMS location, Baltimore Application, Contractor, DC, and SSM in scope;

7. CMS Information Security Testing Approach. Please refer to the following CMS website(s):

· HHS/CMS: CMS Information Security and Privacy Overview

· Information Security and Privacy Library

8. HHS A-123 FFMIA System Compliance Evaluation Tool and Certification(s) (Appendix IX of HHS Guidance); and

9. Supporting Workpapers.

Step D: Identify and Address Deficiencies in the Current Review; Validate Prior A-123, CFO, and Other CAPs for CMS Contractors, SSMs, DCs, and Baltimore Applications; and CMS locations.

The CPA firm shall test the operating effectiveness of the key controls and identify and provide assistance to correct any deficiencies in ICOFR.

1. Interpret the Results

The CPA firm shall evaluate the results of documentation and testing. As a result of the evaluation of the design and operating effectiveness of the key controls, the CPA firm shall conclude if:

· There are control gaps;

· The design of the controls is effective or not effective; and/or

· The operating effectiveness of the controls is effective or not effective.

The CPA firm shall consider whether an ineffective key control would allow a material error or significant deficiency to occur and go undetected. The ICOFR is subject to cost-benefit constraints, and no system is designed to provide absolute assurance that errors or misstatements will not occur. Therefore, the CPA firm and CMS management shall use judgment to decide whether the deficiencies resulting from ineffective key controls would allow material errors or misstatements to occur and not be detected.

If design or operating effectiveness deficiencies are noted, the CPA firm shall discuss the deficiency with CMS management and business owner to determine the validity of the deficiency, and if compensating controls exist to mitigate the deficiency. If compensating controls are identified, testing of the compensating controls is required to provide evidence that the compensating controls are operating effectively to prevent or detect a material error or significant deficiency.

2. Categorize the Types of Control Deficiencies

The CPA firm shall discuss the potential impact of any control gaps or deficiencies on financial reporting with CMS management and business owners. The magnitude or significance of the consequence of the deficiency will determine the category, which will be recorded on the Control Deficiency Log (Appendix V of HHS Guidance). The CPA firm shall recommend to CMS the category for each deficiency according to its impact on CMS’s financial statements. The CPA firm and CMS shall agree on the categorization of each deficiency as a control deficiency, a significant deficiency, or a material weakness, and the CPA firm shall obtain concurrence from the business owner regarding the deficiency. The CPA firm shall be responsible for assisting CMS in reporting all control deficiencies, significant deficiencies, and material weaknesses to HHS. To evaluate deficiencies, the CPA firm may use the guiding principles outlined in A Framework for Evaluating Control Exceptions released on December 20, 2004.

Control Deficiency

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Significant Deficiency

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Material Weakness

A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented, or detected and corrected, on a timely basis.

3. Assist in Creating Current Year Corrective Action Plans to Remedy Deficiencies and Test Remediated Controls

The CPA firm shall assist CMS in creating current year CAPs using the template in the HHS Guidance, Appendix VI, and shall obtain concurrence from the business owners. The CPA firm shall allow sufficient time for the retest of the control to determine whether the CAP has been successful. The CPA firm shall assist in creating a CAP that will consist of revising or enhancing an already existing control, or implementing a new control. The CPA firm shall test these enhanced or new controls between June 30th and September 30th to determine that the design and operation of the controls are effective and ensure that the CAPs are adequate to address the deficiency(s) so that the deficiency(s) may be corrected in a timely manner. The CAP (Appendix VI of HHS Guidance) shall be used as a tool by the CPA firm and CMS to monitor CAPs.

4. Requirements for a CAP Follow Up Review at CMS Contractors, SSMs, DCs, and Baltimore Applications.

a. The CPA firm shall develop review procedures and methodologies that shall be used to validate that prior year CAPs submitted for review by CMS have been implemented and are operating effectively. CMS shall provide the list of prior year CAPs to be reviewed for each selected CMS Baltimore Application, Contractor, DC, and SSM.

b. The CPA firm shall:

1) review the CAPs to determine whether CMS Contractors, DCs, and SSMs have implemented corrective actions and the CAPs are operating effectively;

2) address whether or not the original finding has been corrected; and

3) make a recommendation to CMS as to whether the CAP should be closed or remain open. If testing is needed in addition to the current year test plan, it shall be completed.

c. The CPA firm shall submit a CAP Follow Up Report for each CMS Contractor, SSM, DC, and Baltimore Application reviewed. The format of the CAP Follow Up Report shall be approved by the ATT.

5. Validation of Prior A-123 CAPs and Selected CMS CAPs

The CPA firm shall examine all of CMS’s prior A-123 CAPs, CFO CAPs, and other CAPs and make recommendations to CMS management as to which CAPs shall remain open or be closed. In addition, the CPA firm shall provide CMS with explanation and documentation to support its recommendations regarding the previous A-123 CAPs and other selected CMS CAPs. It should be noted that for CMS locations not in scope, the review shall be conducted via desk review. The status of CAPs shall be reported quarterly.

6. Work Products and Documentation (Deliverables)

The CPA firm shall provide CMS the following list of work products that shall be prepared as a result of completing this step of assessment:

· Control Deficiency Log (Appendix V of HHS Guidance);

· Corrective Action Plan (Appendix VI of HHS Guidance);

· Remediated Deficiencies Documentation;

· CAP Follow Up Reports for selected CMS locations and Baltimore Applications, Contractors, DCs, and SSMs; and

· Quarterly CAP Follow Up Report for CMS locations.

Step E: Report on Internal Controls over Financial Reporting

Reporting on the A-123 review of internal controls over financial reporting occurs throughout the process. The CPA firm shall assist CMS by preparing drafts of the required reports per the guidelines below.

1. Submit Required Reports to HHS

CMS is required to submit various reports to HHS. Due dates for drafts from the CPA firm will be determined by the ATT.

2. Initial Assurance Statement

CMS shall issue an assurance statement on ICOFR as of June 30th. This assurance is a subset of the FMFIA assurance. The CPA firm will assist the ATT in preparing the assurance statement and shall also prepare the related supporting narrative. CMS will submit the assurance statement to HHS by approximately August 8th of the current fiscal year.

The assurance statement will be stated in one of the following forms:

· Unmodified Statement of Assurance: no material weaknesses or lack of compliance reported;

· Modified Statement of Assurance: considering the exceptions explicitly noted (one or more material weaknesses or lack of compliance reported); or

· Statement of No Assurance: no processes in place or pervasive material weaknesses.

The assurance statement states that the ICOFR are operating effectively with the exception of material weaknesses found in the design or operation of internal controls (if any). For modified statements of assurance, all material weaknesses must be listed. For the statement format, the CPA firm shall follow guidance from the ATT. The CPA firm shall also assist the ATT in completing the Integrity Act Assurance Checklist (Appendix XIV of HHS Guidance).

3. Interim Supporting Narrative

In addition to the initial assurance statement, the CPA firm shall submit to CMS the CDLs and CAPs, and a supporting narrative paper. The supporting narrative paper shall include the rationale for the type of assurance statement issued based on the results of the A-123 review, including IT and Non-IT CDLs and open CAPs, and any other factors used in the A-123 assessment.

The supporting narrative paper shall include separate sections for both the IT perspective and Non-IT perspective and shall include information such as the following:

a) Overview

b) IT Scope and non-IT scope

c) Summary of results

d) Observations/deficiencies noted

e) Status of Deficiencies and CAPs reviewed

f) Evaluation of findings identified during other audits or reviews, such as CPIC reviews and SSAE 18 audits

g) Discussion of current year results relative to prior audits or reviews, including results from prior CFO audits

h) Other Factors

i) Conclusion for IT perspective

j) Conclusion for Non-IT Perspective

k) Discussion of work performed, and evaluation of results regarding compliance with laws and regulations

l) Conclusion for compliance with laws and regulations

m) Overall conclusion

4. Updated Assurance Statement

As testing continues into the fourth quarter, the results of that testing, along with any items corrected since third quarter reporting, must be considered in the September 30th assurance statement update. In addition, the CPA firm shall prepare the Final Supporting Narrative and Appendix IXs to include changes from June 30th to September 30th. The CPA firm shall assist CMS with the completion of the updated assurance statement, and Integrity Act Assurance Checklist as of September 30th, of the current fiscal year. For the current FY assessment, the update is due to HHS by approximately October 14. The CPA firm shall prepare an updated CDL and an updated CAP.

Based on the fourth quarter findings (after June 30th but before September 30th), there may be changes in the status of the ICOFR assurance statement delivered to HHS. These changes could include:

· A material weakness discovered as of June 30th but corrected as of September 30th. The assurance statement should identify the material weakness and corrective action taken and state that the material weakness has been resolved by September 30, 20YY.

· A material weakness discovered after June 30th but prior to September 30th. The assurance statement should be updated to include the subsequently identified material weakness.

In addition, if activities or programs experience significant modification after June 30th and before September 30th, the controls within that major transaction cycle shall be reevaluated to ensure that no material weaknesses exist that should be reported to HHS. Examples of significant modifications include: significant changes in the mission, programs, or systems; updated CPIC Assurance Statements received from CMS contractors; SSAE 18 Bridge Letters; results of the financial statement or FISMA audit performed by an independent public accounting firm or the OIG; or results of program audits performed by OIG or GAO.

5. Work Products and Documentation (Deliverables)

The following is a list of work products that shall be produced as a result of completing this step of the assessment:

1. Required HHS Reports;

2. Interim and Final Integrity Act Assurance Checklist (Appendix XIV of HHS Guidance);

3. Initial and Final CDLs (Appendix V of HHS Guidance);

4. Initial and Final CAPs (Appendix VI of HHS Guidance);

5. Initial Statement of Assurance as of June 30th, of the current fiscal year, accompanied by a Supporting Narrative Paper;

6. Final Statement of Assurance updated through September 30th, of the current fiscal year; and

7. Final Supporting Narrative Paper and Appendix IXs of HHS Guidance updated through September 30th, 20YY.

CMS Required Report Guidelines and Deliverable Task

The CPA firm shall submit all reports to the CMS COR/ATT by e-mail. The CPA firm and the ATT shall agree on a report format if not specifically identified below and the format shall adhere to current CMS software standards (for example, Microsoft Office 20YY). Deliverables include the following (see also the Schedule of Deliverables (Attachment C)):

1. Contractor and CMS Initial Meeting

The CPA firm shall participate in an initial meeting with the ATT. The purpose of the initial meeting is for CMS and the CPA firm to discuss the following:

a. The objectives of the review to be performed;

b. Introduction of the CPA firm, COR, and the ATT for the contract; and

c. Questions and answers regarding the engagement.

Other kickoff meetings shall be held as appropriate with various groups of business owner(s)/stakeholder(s) to discuss the objectives, logistics, and other aspects of the review.

2. Entrance Conferences with CMS locations, Contractors, Baltimore Applications, DCs, and SSMs

The CPA firm shall provide the ATT, CMS locations, Contractors, Baltimore Applications, DCs, SSMs, and designated CMS business owner(s)/stakeholder(s) with the following:

a. Entrance Conference Appointment: Five business days’ notice of the time and place for all entrance conferences.

b. Entrance Conference Agenda: Including an attendee list, the estimated fieldwork start and finish dates, and the scope of work to be performed.

3. A-123 Weekly Status Meetings

The CPA firm shall conduct weekly status meetings with ATT staff beginning one week after the initial meeting. The COR shall determine the meeting frequency (generally weekly) and attendees. The CPA firm shall provide the ATT and the designated CMS business owner(s)/stakeholder(s) with the following:

a. Two business days’ notice of the time and place for all status meetings;

b. A status meeting agenda, including a comprehensive status by component, a list of significant findings/potential issues, and upcoming activities/deliverables; and

c. The CPA firm shall notify the COR/ATT of any major concerns or issues identified during the field work that require immediate attention or correction.

4. Monthly Status Reporting

The CPA firm shall submit a Monthly Status Report containing status information on the assessment. At a minimum, each status report shall contain the following:

a. Start, estimated completion, and completion dates for the assessment;

b. Status of the assessment (percent completed); and

c. A narrative of specific activities (broken down by IT and non-IT) performed during the month; significant findings/potential issues identified thus far; concerns that may affect the completion of the work; and planned activities.

The first report is due thirty days after the initial meeting with CMS and on the 28th of each month thereafter until the end of the contract.

5. Project Work Plan (PWP)

The CPA firm shall submit a detailed PWP describing its technical approach to accomplishing the assessment. The PWP shall include an assessment schedule and a detailed description of the CPA firm’s project plan for performing the necessary documentation and assessment activities using the procedures and methodologies that it shall develop. The CPA firm’s PWP shall be structured to ensure that the assessment is conducted and completed on a flow basis. The PWP shall follow the steps below:

a. The PWP shall show all tasks scheduled with major milestone and target dates.

b. The CPA firm shall submit its PWP to CMS; target date is within three weeks of the initial meeting/teleconference.

c. The PWP is subject to CMS approval. The CPA firm shall periodically amend this PWP as appropriate based on comments received from the COR and/or as work changes/developments necessitate a modification, which is subject to the COR approval.

6. Planning/Scoping Document and Assessment Process Documentation

The CPA firm shall submit a planning/scoping document that includes the following:

a. The recommended materiality levels to be used in planning the overall assessment of internal control over financial reporting at CMS.

b. A risk assessment at the financial statement line item, account (or groups of accounts), and disclosure levels that also includes which of these fall within the materiality threshold previously defined. This assessment should also identify the business processes, application systems, and systems processing environments that relate to each significant account or group of accounts; and determine the relevance of each management assertion (existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure) for each significant item identified as in scope.

c. The methodology that shall be used to assess IT risk, including which documentation, audits, and/or reviews shall be leveraged for the engagement and which gaps or risks the CPA firm shall recommend for testing.

d. Central Office Applications Identification - The CPA firm shall create a separate Attachment (see Attachment B) to identify and crosswalk all applications to each of the cycle memos and highlight which applications are material and in scope, as well as which applications are high to moderate risk, for the A-123 assessment.

The Assessment Process Documentation (including a Risk Assessment Chart) shall be prepared in accordance with the HHS Guidance.

The target date for these reports is four weeks after the initial meeting/teleconference with CMS.

7. On-Site Activities

The CPA firm shall conduct the on-site fieldwork activities at each selected CMS location, Baltimore Application, Contractor, DC, and SSM according to its PWP in the most efficient and expedient manner possible. The CPA firm shall maintain an ongoing dialogue with CMS locations, Baltimore Applications, Contractors, DCs, and SSMs regarding any findings and/or issues noted during the fieldwork. The CPA firm shall conduct entrance/exit conferences and weekly status meetings with the staff of the selected CMS locations, Baltimore Applications, Contractors, DCs, and SSMs, beginning one week after commencement of fieldwork.

The CPA firm shall provide the ATT, CMS locations, Baltimore Applications, Contractors, DCs, and SSMs and the designated CMS business owner(s)/stakeholder(s) with the following:

a. Two business days’ notice of the time and place for all status meetings.

b. A status meeting agenda, including a list of potential issues, the estimated exit conference date, and draft findings or outstanding issues once known, at least 48 hours prior to the status meeting. The CPA firm shall provide CMS locations, selected Baltimore Applications, Contractors, DCs, and SSMs an agenda showing all outstanding items and/or concerns.

c. The CPA firm shall provide the COR/ATT with any major concerns during the fieldwork upon discovery, as well as in the Monthly Status Report. The CPA firm shall brief the COR/ATT and CMS business owner(s)/stakeholder(s) prior to presenting formal findings to the selected CMS locations, Baltimore Applications, Contractors, DCs, and SSMs.

d. The CPA firm shall obtain written concurrence on any finding(s) from the entity reviewed.

8. A-123 Internal Control over Financial Reporting Education

The CPA firm shall use the time prior to the start of field work to gain an understanding of applicable policies and procedures. The CPA firm shall provide assistance in situations where some components in scope for the A-123 review need guidance and instruction regarding their roles and responsibilities, and development/maintenance of their policies and procedures. This assistance will be most important for the components that have had, for example, staff turnover, policy changes, new business processes, etc. Specifically, the CPA firm shall assist in situations where components might have difficulty in providing descriptions of control policies and procedures needed for the development of internal control documentation (e.g. cycle memos) for the A-123 self-assessment. This education includes providing examples of applicable control policies, Standard Operating Procedures (SOPs), etc., as well as communicating to component personnel appropriate internal controls for their operations.

Throughout each phase of work, the CPA firm shall work with the ATT and CMS business owner(s)/stakeholder(s) to ensure that appropriate knowledge transfer occurs.

9. Documentation on Internal Control over Financial Reporting

The CPA firm shall review and update the current cycle memos for CMS, selected locations,