phiac 1 audit guidance 2012

7/30/2019 PHIAC 1 Audit Guidance 2012

1/114

Protecting consumers of private health insurance. Ensuring a well-run and competitive industry.

Audit program

guidance for

PHIAC 1 Returns

June 2012


2/114

Contents

1 Guidelines and template audit programs for PHIAC 1 Returns 1

2 Guidance notes 76

3 Overview of controls testing 1615

4 Controls testing program 1918

5 Key performance indicators 5756

6 Sampling guidelines 6059

7 Substantive testing program 6261

8 Cross reference checklist 7675

Appendix A Private Health Insu rance (Risk Equalisation Adm inis trat ion) Rules 2007 9290

Appendix B Private Health Insur ance (Risk Equalisation Policy ) Rules 2007 9492

Appendix C Referenced PHIAC 1 template 9694

Appendix D Required audit certification 110108

Contact information

Paul Collins

Director, Information and Statistics

PO Box 4549

Kingston ACT 2604

T 02 6215 7955

F 02 6215 7977

E [email protected]


3/114

Audit program guidance for PHIAC 1 Returns 1

Section 1Guidelines and template audit programs for PHIAC 1 Returns


4/114

Audit program guidance PHIAC 1 Returns 2

Section 1 Guidelines and template audit programs for PHIAC 1 Returns

Section 1.1 Exclusion clause

Audit Program Guidance for PHIAC 1 Returns is a publication produced by the Private HealthInsurance Administration Council (PHIAC) to assist Registered Private Health Insurers (the Insurers)with their auditing processes and to help encourage uniform procedures for reporting and auditing.Insurers and auditors should be aware that these guidelines are generic and are not binding rules. Assystems found in Insurers vary, the programs should be tailored to each Insurers circumstances.Insurers are responsible for engaging competent auditors. Auditors of Insurers are responsible forexecuting their audits of the PHIAC 1 Return (the Return) in accordance with applicable AuditingStandards. Under no circumstances should an Insurer, or an auditor, rely solely upon the guidelines tothe exclusion of their duties to produce accurate audited accounts. INSURERS AND AUDITORS ARERESPONSIBLE FOR THEIR OWN AUDIT PROGRAMS AND PROCESSES.

Section 1.2 Introduction

The following guidelines and template audit programs have been designed to assist the external andinternal auditors of Insurers in Australia in their audit of the Returns for the quarter commencing 1 July2011. The programs are necessarily generic as the systems found in Insurers vary and whereappropriate, the programs should be tailored to each Insurers circumstances.

Audit certification for the four quarters to 30 June each year must be provided within 3 months of the endof the financial year or such time as approved by the Commissioner. Please ensure that the certificatefor the 2011-12 year reaches the PHIAC Secretariat by 28 September 2012.

1.2.1 Purpos e of PHIAC 1 Return

Insurers are required to submit data on a quarterly basis for each state or Territory in the approvedPHIAC 1 Form to PHIAC, which then becomes a Return. The information contained in the Return is usedby PHIAC to calculate the quarterly payments due by or to each Insurer to/from the Risk EqualisationTrust Fund for each state and Territory1. In addition, the Returns form the basis for several healthinsurance statistical summaries provided to a wide range of users including the health insurance industryand the Government.

PHIAC reminds officers that in signing the cover sheet accompanying the Return they are not onlystating that the information is true and correct but that they are aware that giving false or misleadinginformation, documents or statements to PHIAC is an offence under the Criminal Code Act 1995. TheCriminal Code Act 1995(see section 6.1)imposes substantial penalties including imprisonment, for

committing offences which includes failure to lodge required Returns to PHIAC.

1.2.2 Scope of audit

The auditor of an Insurer is required to determine, in respect of each state, whether the informationcontained in the Returns for the four quarters to 30 June or such other period as is specified by theCouncil, accurately reflects, in all material respects, the data contained in the books and records of thehealth benefits fund (the Fund) administered by the Insurer and has been compiled in accordance with

1NSW and ACT are regarded as one state for the risk equalisation calculation. Insurers must provide separatereturns for NSW and ACT. PHIAC amalgamates the data for NSW and ACT when calculating risk equalisation.


5/114


the provisions of the Private Health Insurance Act 2007(the Act), the Private Health Insurance (RiskEqualisation Policy) Rules 2007(Policy Rules) approved by the Minister for Health and Ageing, and thePrivate Health Insurance (Risk Equalisation Administration) Rules 2007(Administration Rules) made byPHIAC, so as to give a true and fair view of:

a the policies and insured persons covered by the Fund

b the benefits paid during the periods.

In undertaking the audit it is expected that external auditors will have reviewed the systems andprocedures used by the Insurer to process and maintain policy records and benefits eligible for riskequalisation, and are satisfied that there is sufficient appropriate audit evidence that:

a the Insurer's classification of single, family, single parent, couple 2+ persons no adults and3+ adults policies between hospital treatment, hospital and general treatment combined andgeneral treatment is correct

b the system for determining the age of insured persons is adequate

c the Insurer's method of determining who are high cost claimants is correct

d the benefits paid are in accordance with the Insurer's fund rules

e the benefits paid by the Insurer have been correctly allocated between the applicable agegroups of the insured persons apportioned correctly to the different classifications of:

i hospital treatment

ii hospital-substitute treatment

iii Chronic Disease Management Program (CDMP)

iv general treatment (ancillary) excluding hospital-substitute and CDMP

f the benefits allocated to the High Cost Claimants Pool (HCCP) are correctly calculated

g only eligible benefits stated under Rule 5 of the Policy Rules, see link at Appendix B, havebeen debited to the risk equalisation account.

In cases where the auditor is unable to provide an unqualified opinion that the Return for a particularquarter or quarters accurately reflects the provisions of the legislation or the Policy Rules, a reportshould be provided by the auditor which outlines the nature and magnitude of the errors detected. Thisreport will form the basis for PHIAC to make adjustments to amounts paid to or from the risk equalisationaccount.

Section 1.3 Audit approach

1.3.1 Review of systems and pro cedures

The approach adopted in the accompanying template audit programs is a systems-based approach andrequires the auditor to undertake the following procedures:


6/114


a identify and evaluate the systems and control procedures, whether computer or manual, putin place by management to control the processing of policies/insured persons informationand benefits paid

i in the case of computerised systems, making a preliminary assessment of InformationTechnology controls by completing the template audit program titled "PreliminaryAssessment of Information Technology Controls" (PAIT). If following the completion ofthe PAIT, the auditor determines that it would not be efficient to conduct a moredetailed assessment of controls, the auditor should conduct a substantive testing auditapproach

ii in the case of computerised systems, when the auditor has completed the PAIT andhas decided that it may be efficient to carry out an extended assessment of theInformation Technology controls, the auditor should complete the "DetailedAssessment of Information Technology Controls" (DAIT) (using the guidance notesprovided on selecting samples for testing, if appropriate)

iii if, in the case of computerised systems, the auditor concluded from his overall reviewof the systems environment using the DAIT program that detailed testing of file andtransaction controls (application" controls) was warranted the auditors should completethe template audit programs titled "Record of Application Controls" (RAC) for eachsignificant transaction type and file for both benefits paid and policies/insured personsrecords

iv in the case of non-computerised systems the auditor should just complete theprograms titled RAC for each significant transaction type and file for both benefits paidand policies/insured persons records.

b reviewing key performance indicators using the "Key performance indicators" guidelinesprovided

c assessing the results of the controls testing and analytical review and determining samplesizes for detailed substantive testing of risk equalisation benefit transactions and policyholderrecords (using the guidance notes provided on sampling)

d carrying out detailed tests on risk equalisation benefit transactions and policies/insuredpersons records using the substantive testing programs provided

e reconciling the Insurers records for the Fund to the Return and ensuring the Returns areinternally consistent using the cross referencing testing program provided. (Note that it is

suggested that the cross referencing checklist be completed by the Insurer and evidenced ashaving been reviewed by a suitably senior official of the Insurer).

Section 1.4 Major inherent risk areas

Prior to commencing the audit of the Returns, the auditor should gain an understanding of the majorinherent risks associated with the information contained in the Returns. Some general guidance on theinherent risks in auditing the Returns is given below but the auditor must obviously assess the specificrisks for each of the Insurers for which they are responsible.

In order to appreciate the impact of any errors in the Return, the auditor must understand the basis of thecalculation carried out by PHIAC each quarter to determine the average number of policies of each fund,

calculated as average single equivalent units (SEUs). The method of calculation is provided in the Policy


7/114


Rules, which is linked in Appendix B to this document. The mean State policies for a particular fund isused to determine what proportion of the risk equalisation benefits paid by all funds in that state shouldbe borne by that fund. High cost claims are included in a pool for high cost claimants (the HCCP), whichis calculated after considerations for age based pooling (the ABP) have been taken into account.Therefore, an error in the Return that impacts on either the calculation of the mean number of policies ormis-states the risk equalisation benefits paid in the quarter will result in an error in the amount receivableor payable by the Fund.

1.4.1 Pol icy records

Completeness, accuracy and cut-off control

The nature of the calculation to determine the risk equalisation contributions to the ABP and the HCCPencourages misstatement of the number of policies. Insurers that pay risk equalisation contributions maybe encouraged to understate the number of policies in order to pay less or receive more from the pool.

In addition, the Policy Rules are reasonably complex. Therefore, the risk of error for the completeness,accuracy and cut-off control audit objectives is considered high. Any of the mis-statements will result in afinancial gain or loss to the Insurer being audited.

Of particular note for completeness is accounting for single, family, single parent, couple, 2+ persons noadults and 3+ adult policies. To overcome any uncertainty as to when a policy should be counted, thePolicy Rules clarify the situation in respect of unpaid premiums. The template substantive audit programprovided incorporates these Policy Rules but the auditor should ensure that they have access to acomplete set of these guidelines.

Retrospective coverage of Policy

Some Insurers are offering products that cover new policies retrospectively. Any policies that arecovered retrospectively must be reported to PHIAC so that appropriate adjustments to risk equalisationcan be undertaken. Insurers that cover persons retrospectively are expected to submit revisedpolicies/insured persons statistics for all quarters affected. This requires the resubmission of the Returnwith updated information in part 1. The template substantive audit program provided covers retrospectivecoverage in section 109. If amended Returns are required, the auditor should ensure that the program isfollowed for the amended Returns.

Presentation and disclosure control objective

The Policy Rules are complex and the Return requires a significant amount of detail. Therefore, the risk

of presentation and disclosure errors in the Return is high.

1.4.2 Benefi ts transact ions

Accuracy and existence control objectives

The nature of the calculation to determine the risk equalisation contributions to the ABP and HCCPencourages overstatement of benefits paid from the risk equalisation account (e.g. age incorrect,inclusion of ineligible benefits, etc).

Various adjustments are made each quarter to account for write backs, stale date or dishonoured

cheques etc. These adjustments to benefits paid must be reflected in the Return.


8/114


For the purpose of quarterly returns, a benefit is regarded as being paid during the quarter in which thebenefit is recorded and liability for it is accepted (Admin Rules 6 (4A))

Presentation and disclosure control objective

The Policy Rules are not necessarily well understood and the Return requires a significant amount ofdetail. Therefore, the risk of presentation and disclosure errors in the Return is high.


9/114


Section 2

Guidance notes


10/114


Section 2 Guidance notes

Section 2.1 Factors to be considered in the preparation of the PHIAC 1 Return

Section of Return Factors to be considered by auditors/Insurers

Part 1 - Policies and Insured Persons

Total Hospital and General Treatment

Hospital treatment and general treatmentby policy category, is split into:

i. Total Hospital Treatment (includesHospital Treatment Only and HospitalTreatment and General Treatment

Combined)ii. Hospital Treatment Onlyiii. Hospital Treatment and General

Treatment Combined

iv. General Treatment Ambulance Onlyv. Total General Treatment Only

vi. General Treatment excludingHospital-Substitute, CDMP andHospital-linked Ambulance Treatment

vii. Total General Treatment

Within categories i to iii above, hospitaland general treatment is further splitbetween:

i. Hospital and general cover thatexcludes certain treatments(exclusionary) and those that do not(non exclusionary)

ii. Hospital and general cover thatdeducts an initial amount from thebenefit otherwise payable and wherethere is more than one policyholder

contributing (excess and co-payments) versus those that do not(no excess and no co-payments)

Information is required for both thenumber of policies and the number ofinsured persons in the categoriesdescribed above.

Insurers will need to ensure that their systems arecapable of analysing and grouping together these typesof policies into these categories.

Insurers will need to ensure that their systems classifyhospital treatment policies that also cover ambulance

transport as Hospital Treatment and General TreatmentCombined. Prior to 1 April 2007 those policies thatcovered hospital treatment and included a componentfor ambulance transport but no other general treatmentwere classified as hospital treatment only, but theambulance component is defined under the Act asgeneral treatment.

Insurers will need to ensure that their systems canreport the policies and persons that are covered forGeneral Treatment (ancillary) and exclude from thatcount those who are classified as general treatment

because they have hospital-substitute, CDMP orhospital-linked ambulance but do not have any ancillarycover. Ambulance only policies and persons should beincluded in the category General Treatment excludingHospital-Substitute, CDMP and Hospital-linkedAmbulance Treatment.


11/114



There are six categories of policyholders.Determining a policyholders category isbased on the status of the contributor, not

the type of product the contributor mayhave purchased. For example, a couplewithout dependants may have a familyproduct; however they are to be recordedas a couple. The six categories are:

i. Single policy - this covers all singlepolicies. Insurers are not expected tomatch single policy details to identifytheir actual marital/relationship status.

ii. Family policies - this categoryincludes all policies with an adult

couple and a dependant, ordependants.

iii. Single parent policies - this categoryincludes all policies with only oneadult and a dependant or dependants.

iv. Couples policies - this categoryincludes all policies that are for twoadults and no dependants.

v. 2+ persons no adults this categoryincludes all policies with no adults andtwo or more dependants.

vi. 3+ adults this category includes allpolicies with three or more people, atleast three of whom are adults.

Insurers will need to ensure that their systems arecapable of analysing and grouping together theirpolicies into these categories.

Insurers will need to ensure that policies are notreported in the wrong category, for example 3+ adults.3+ adult policies are counted as two SEUs. If theyshould have been reported in another category andcounted as one SEU there will be an affect on the riskequalisation calculation. Refer to PHIAC Circular 09/17for more information.

Changes during the quarter

This table shows changes during thequarter in policies and insured personsclassified under hospital treatment only,hospital treatment and general treatment,and general treatment only.The end of quarter Hospital TreatmentOnly policies/insured persons will agreewith Hospital Treatment Onlypolicies/insured persons on page 1. Theend of quarter Hospital Treatment andGeneral Treatment policies/insuredpersons will agree with HospitalTreatment and General TreatmentCombined policies/insured persons onpage 2. The end of quarter GeneralTreatment Only policies/insured personswill agree with Total General Treatment

Only policies/insured persons on page 2.

Insurers will need to be able to record the number ofpolicies/insured persons at the start of the quarter (theend of the previous quarter); the number of newpolicies/ insured persons policies/ insured personstransferring from/to another state or territory; policies/insured persons transferring from another fund; policies/insured persons transferring from/to another policy; andend of quarter policies/ insured persons. Discontinuedpolicies/ insured persons are a balancing item.


12/114



Part 2 Total benefits paid for Hospital

Treatment and General treatment

Total benefits for Hospital Treatmentand Hospital-Substitute Treatment

This table analyses hospital and hospital-substitute patients benefits paid showingthe following for each type of facility:

i. Episodes

ii. Daysiii. Benefits paid

An episode should only be reported whenthere is a separation from hospital andhospital-substitute, not when an interiminvoice is received, whereas days andbenefits should be reported whenbenefits are paid. It is recognised that thiswill result in some mismatching of datawithin quarters.

Insurers will need to ensure that they have benefitssystems in place that can accurately record details ofbenefits paid for Hospital Treatment and Hospital-Substitute Treatment.

Nursing home type patients

This section includes the number ofepisodes, days and benefits paid fornursing home type patients..

Insurers will need to ensure that they have benefitssystems in place that can accurately record details ofbenefits paid for nursing home type patients.

Medical services

This section includes the number ofmedical services and the benefits paid formedical.The medical benefits number will agreewith total number of services in part 11.Benefits paid for medical, will agree withtotal fund benefits in part 11 as well aswith the sum of medical benefits in part 3and part 4.

Insurers will need to ensure that they have benefitssystems in place that can accurately record details ofbenefits paid for medical.

Prostheses

This section includes the number ofprosthetics and the benefits paid forprosthetics.Benefits paid for prosthetic will agree withthe sum of prostheses benefits in part 3

and part 4.

Insurers will need to ensure that they have benefitssystems in place that can accurately record details ofbenefits paid for prosthetics.


13/114



Chronic Disease ManagementPrograms

This section includes the number ofCDMPs and the benefits paid for CDMPs.

Insurers will need to ensure that they have benefitssystems in place that can accurately record details of

benefits paid for CDMP.

Insurers will need to ensure that only those benefits thatare consistent with the definition of a CDMP in Section12 of the Private Health Insurance (Health InsuranceBusiness) Rules 2009 and Part 1 of the Policy Rulesare reported as CDMPs.

The Rules specify that, for an eligible CDMP, theremust be (at least):

A written plan

Coordination of the program An allied health service.

High Cost Claimants Pool

This section includes the number ofHCCP claimants in the current quarter,the gross benefits paid for current andpreceding three quarters (for HCCPclaimants related to current quarter), thenet benefits paid for current and thepreceding three quarters for HCCPclaimant after age based pooling (relatedto current quarter claimants), the netbenefits above threshold for current andpreceding three quarters (for HCCPclaimants related to current quarter) andtotal benefits to be included in HCCP forthe current quarter.

PHIAC Circular No 08/04 providesexamples of the calculation of benefits tobe included in the HCCP.

Insurers will need to ensure that they have a benefitssystem and policyholder records system in place thatcan accurately record details of HCCP claimants andbenefits included in the HCCP.

Part 3 - Hospital treatment by age category

This section of the Return is to becompleted for all persons covered byhospital insurance. The persons coveredshould be as at the end of the quarterand will agree with the insured persons insection 1 of the Return. Benefits shouldagree with total hospital benefits,excluding ineligible benefits, at part 2 ofthe Return. Total episodes and daysshould agree with the total episodes anddays at part 2 of the Return.

Insurers will need to ensure that they have a benefitssystem and policy records system in place that canaccurately record hospital benefits paid by age and bydate of commencement. Insurers will need to ensurethat their system can derive fees charged, excluding theMedicare medical fee benefit.


14/114



Fees charged include all fees charged bythe provider, including medical fees butexcluding the 75% Medicare medical fee

benefit.

Part 4 Hospital-Substitute Treatment by age category

This section of the Return is to becompleted for all persons insured for

hospital-substitute treatment. Thepersons covered should be as at the endof the quarter. Benefits should agree withtotal hospitalsubstitute benefits at part 2of the Return. Total episodes and daysshould agree with the total episodes anddays at part 2 of the Return.

Insurers will need to ensure that they have a benefitssystem and policy records system in place that can

accurately record hospital-substitute benefits paid byage.

Part 5 Chronic Disease Management Program by age category

This section of the Return is to becompleted for all persons insured for

CDMP. Benefits should agree with totalCDMP benefits paid at part 2 of theReturn. Programs should agree with thenumber of programs at part 8 of theReturn.

Insurers will need to ensure that they have a benefitssystem and policy records system in place that can

accurately record CDMP benefits paid by age.

Part 6 General Treatment by age category

This section of the Return is to becompleted for all persons insured forgeneral (ancillary) treatment, includingambulance only cover and excluding

persons covered for hospital-substitutetreatment, CDMP and hospital-linkedambulance treatment. The personscovered should be as at the end of thequarter and will agree with the insuredpersons in part 1 of the Return for thecategory General Treatment excludingHospital Substitute, CDMP and Hospital-linked Ambulance. Services, benefits andfees charged should agree with services,benefits and fees charged in part 9 of theReturn, including benefits paid for

ambulance transport for persons with

Insurers will need to ensure that they have a benefitssystem and policy records system in place that canaccurately record general treatment (ancillary) benefitspaid by age.


15/114



hospital-linked ambulance cover.

Note that persons with hospital-linkedambulance cover, and no other ancillary

cover, are not regarded as havingancillary cover, but any benefits paid,services and fees for ambulancetransport for these persons should bereported as ancillary benefits, servicesand fees. This provides consistentmapping with historical data.

Part 7 Total Hospital Treatment Policies by type of cover

This table analyses hospital treatmentpolicies by type of exclusionary as well as

excess and co-payments cover.

Insurers will need to ensure that they have policyrecords systems in place that can accurately record

policies by the level of excess and co-payments as wellas exclusionary cover.

General Treatment (ancillary) claimsprocessing for the state (excludingHospital-Substitute Treatment andCDMP)

Percent of claims processed within fiveworking days.

This data item is designed to show, of allthe general treatment (ancillary) claimsprocessed in the current quarter, howmany were processed within five workingdays of the Fund receiving the claims.Note, date of receipt of a claim refers toreceipt of a valid claim, not claims thathave to be returned to the contributor dueto incomplete or incorrect information. Aclaim is classified as processed when thepayment is drawn/made.

Claim adjustments/reversals should beignored for this calculation.

The percent of claims processed withinfive working days is calculated based onrisk equalisation jurisdictions not onnational data.

Insurers will need to ensure that they have generaltreatment claims systems in place that can accuratelyrecord time to process claims.

National retention index - HospitalTreatment policy holders

The national retention index is designed

Insurers will need to ensure that they have systems toidentify the number of policies at the end of eachquarter and nine quarters prior.


16/114



to provide a performance indicator byshowing the percent of policies that haveremained hospital policies of the same

fund for two years or more, over allstates/territories.

If a contributor changes their coveragefrom hospital only, or hospital andgeneral combined, to general only thenthey would not be regarded as havingretained their hospital cover.A policy which is suspended at thequarter end date is not included in thepolicy totals in the Return. They shouldnot be included in the retention index. If

they are re-instated they would then beincluded as if there had been no lapse intheir policy.

The retention index is calculated basedon national policies as:

[Policies at end of reporting/currentquarter less policies joining over previouseight quarters including the reportingquarter] divided by [Number of policies at

the end of quarter nine quarterspreviously].

The retention index should be reportedcorrect to two decimal points.

Part 8 Benefits paid for Chronic Disease Management Programs

This table analyses CDMP benefits paidand fees charged by the Insurer in thequarter by individual service andprograms. "Programs" refers to the

number of people participating in eachprogram, not the number of programsoffered by the Insurer.

Insurers will need to ensure that they have benefitssystems in place that can accurately record CDMPbenefits paid by service and programs.

Insurers will need to ensure their systems can capturefees charged by service and programs.

Part 9 - Benefits paid for General Treatment (excluding Hospital-Substitute Treatment andCDMP)

This table analyses non-contractual andcontractual general treatment benefitspaid and fees charged by the Insurer inthe quarter by individual service type.

Insurers will need to ensure that they have benefitssystems in place that can accurately record generaltreatment benefits paid by service type.

Insurers will need to ensure their systems can capture

fees charged by service type.


17/114



Part 10 Lifetime Health Cover

This table analyses the number of adultswith hospital cover, split between maleand female, by certified age of entry andshows the loading for late entry.

Insurers will need to be able to record the number ofadults with hospital cover, split between male andfemale, by certified age of entry.

Insurers will need to be able to record the number ofadults with hospital cover, split between male andfemale, by certified age of entry who have their LifetimeHealth Cover loading removed. See PHIAC CircularsNo 10/04 and 10/05 and Department of Health andAgeing Circular PHI 13/10 for further details.

Part 11 Total Hospital Treatment Medical Service Statistics

This table analyses medical benefits paidby type of contract or agreement, and byamount charged in relation to the MBSfee.

Insurers will need to ensure that they have benefitssystems in place that can accurately record medicalbenefits and medical fees charged by contract oragreement category.


18/114


Section 3

Overview of controls testing


19/114


Section 3 Overview of controls testing

Section 3.1 Introduction

Information technology controls (IT controls) in computerised systems and file and transactionprocessing controls (application controls) form the internal accounting controls established bymanagement. They should ensure, together with an effective control environment that an entity'stransactions are completely and accurately processed and recorded in accordance with management'sauthorisation.

Section 3.2 Information technology controls

3.2.1 Prel iminary assessment of informat ion technology c ontro ls

The attached programs direct the auditor towards making a "Preliminary Assessment of IT controls(PAIT) at Insurers where there is a significant computer installation i.e. one within which applications arerun that process accounting, financial or other data relevant to the data contained in the Returns.

The PAIT will assist the auditor in obtaining a general understanding of the client's IT controls, as a basisfor assessing, on a preliminary basis, whether reliance on those controls might be feasible. However,only limited credit may be taken from the assessment for the purpose of reducing the level of substantivetests unless an extended assessment of the IT control risk is made.

The importance of the PAIT is that if, having completed the initial assessment, the auditor decides thatno reliance can be placed upon the IT controls; the auditor may plan to carry out no detailed testing ofapplication controls and decide to only carry out substantive testing.

3.2.2 Detai led assessment of information technolog y contro ls

If having completed the PAIT the auditor decides that a detailed assessment of the IT controls appearswarranted, the "Detailed Assessment of Information Technology Controls" program should becompleted. The program directs the auditor towards determining the controls and techniques used by theclient to achieve certain specified objectives in connection with the IT environment. The functionsinclude, for example, maintenance of computer programs, data file security and file conversion. If theauditor makes the overall conclusion having tested these controls and techniques that credit can betaken for the IT controls, then the next appropriate step is to consider testing of the application controls.

Section 3.3 Application controls

3.3.1File con trols

The file level controls program assists the auditor in understanding and recording the principal controlsover key files or data. The program steps are broken down under the following headings:

a file continuity

b division of duties

c data file security.

If having completed the testing, the auditor considers the file controls to be inadequate, it will generally

be inefficient to test the adequacy of the transaction processing controls.


20/114


3.3.2 Transact ion process ing contro ls

The transaction level controls program assists the auditor in identifying the principal transactions thatupdate key files and the controls over recording them on files. Ultimately, the auditor is required to makean assessment of the effectiveness of the controls and the extent to which further evidence from detailedsubstantive testing of transactions can be restricted.

Where testing is to be conducted, the guidance notes provided on test samples should be regarded.

Application control programs have been completed for the following transaction cycles:

Benefits cycle

File level controls

Transaction level controls

Policyholder records

File level controls

Transaction level controls


21/114


Section 4

Controls testing program


22/114


* Cross-reference to the working paper where the tests of controls have been performed


Section 4 Controls testing program

Section 4.1 Preliminary assessment of information technology controls

Control objective What control activities address thecontrol objective?

*WPRef

Introduction

The preliminary assessment of informationtechnology controls assists the auditor in obtaininga general understanding of the client's informationtechnology controls as a basis for assessing, on apreliminary basis, whether reliance on thosecontrols might be feasible.

A. Insurer of computer processingIn the context of the client's operations, is thenumber of people employed to perform dataprocessing sufficient to enable a proper division ofduties to exist?

B. Implementation

Where systems are developed internally, does theclient have adequate controls governing the reviewand approval of the design, testing andimplementation of new systems by responsible

user and data processing personnel?

Where systems are purchased from outsidevendors, does the client have controls governingthe selection, testing and implementation of newsystems by processing personnel?

Are there controls for transferring all new programsinto production?

Are instructions for the following prepared and

issued as part of the systems documentation:

(a) Operation procedures?(b) Back-up requirements?

(c) User clerical procedures?

Do the answers to questions B above indicate thatthe implementation is likely to be adequatelycontrolled?


23/114




*WPRef

C. Maintenance

Are there controls for making amendments to

systems and programs and data, includingmodifications to purchased application packagesthat govern the review and approval of the design,testing and implementation of amendments byresponsible user and data processing personnel?

Are there controls for transferring all modifiedprograms into production?

Are there procedures to ensure that the users ofmodified systems are instructed in their duties?

Where purchased software is used, is the sourcecode secure from access by client's staff?

Where vendor maintained software is used, arethere adequate controls to prevent the vendormaking unauthorised or erroneous changes to theclients production software and data?

Do the answers to the above questions indicatethat the maintenance of applications is likely to beadequately controlled?

D. Computer operations

Are there properly specified instructions setting outthe procedures to be followed in operating the ITenvironment?

Are there procedures to ensure that all variationsfrom normal computer processing are reviewedand approved by responsible personnel?

Are there controls to ensure that the correct datafiles are used and that all batch processes arecomplete and accurate?

In the event of processing failures, does the clienthave adequate back-up and recovery routines?

Do the answers to the above questions indicatethat computer operations are likely to beadequately controlled?


24/114




*WPRef

E. Data file security

Are any data files held on-line subject to protection

by software? For example, the use of passwordsor security software.

If passwords are used to identify authorised users,are there controls over the issue, selection,changing and security of passwords?

Are reports resulting from the security softwarereviewed and followed up as appropriate?

If software controls alone do not provide control

over data, are there appropriate physical controlsto protect files? For example, library procedures,controls over access to the computer, to terminalsor to communications equipment.

Are there controls over the use of utilities and userprogramming facilities that can update or changedata files?

Do the answers to the above questions indicatethat data file security is likely to be adequate?

F. Program security

Are there controls in force to protect programlibraries from unauthorised insertions, deletions ormodifications when they are:

(a) on-line(b) off-line.

If passwords are used to control access, are there

controls over the issue, selection, changing andsecurity of passwords?

Are reports resulting from security softwarereviewed and followed up as appropriate?

Is there a system of controls in effect to protect alloptions, parameters, job control statements, etc.stored on the system from unauthorised changes(this question may not be appropriate in the caseof smaller computer systems)?


25/114




*WPRef

Are there procedures to prevent operationspersonnel from gaining access to source

statements listings, flowcharts, file layouts andother systems documentations?

Are there controls over the use of utilities and userprogramming facilities that can update or changeprograms?

Do the answers to the above questions indicatethat program security is likely to be adequate?

G. System software

Is all the system software in use vendor suppliedand maintained?

Are the following reviewed and approved by aresponsible official:

(a) The decision to utilise new systemsoftware?

(b) The selection of options to beincorporated?

Are new software and amendments appropriatelytested and approved before implementation?

Do the answers to the above questions indicatethat system software is likely to be adequatelycontrolled?

Overall conclusion

Based on the preliminary assessment of the ITcontrols, are the IT controls, taken as a whole,likely to be adequate and therefore warrant adetailed assessment using the "Detailedassessment of Information Technology Controls"program?

IT audit manager ...............................

Audit manager review ...............................


26/114



Section 4.2 Detailed assessment of information technology controls

4.2.1 Purpose

The attached program should be used to record the client's IT control procedures and should be cross-referenced to the detailed compliance tests the auditor decides to perform. The program is divided intothe following sections:

a Implementation

b Maintenance

c Computer operations

d Data file and program security

e System software

f File conversion.

In completing the program it will be appropriate to complete certain sections such as operations orsystem software only once for each computer installation. Other sections such as implementation or datafile security may need to be completed for each application if the control procedures vary by application.

4.2.2 Recording contro ls

Each section of the program contains questions relevant to the procedures and techniques used by theclient to achieve the control objective addressed by that section. The auditor should record specificcontrols in a brief narrative. There may be instances in which the client has designed more than onecontrol procedure applicable to a particular question. In those instances, only the control procedure thatthe auditor intends to assess should be documented.

4.2.3 Recording tests

Evidence of tests performed should be recorded in work papers that should be cross-referenced to theprogram.

Tests should be described in sufficient detail to support the auditor's conclusion as to whether the controlprocedures are operating as prescribed. The auditor should consider the effect of any significant controlweaknesses encountered during the recording and testing of controls. Weaknesses in certain aspects ofthe client's procedures would not necessarily preclude the auditor from concluding that the procedures,taken as a whole, are adequate to achieve the control objective.


27/114




*WP

Ref

Implementation

If a new system or interface has been

implemented appropriate procedures shouldbe included in production programs when thenew system becomes operational.

Consider, for example, the following points offocus:

Are the following people involved to anadequate extent in the implementation of thesystem, including final approval whereappropriate:

(a) relevant users(b) relevant IT subject matter experts

(c) relevant management/business sponsors

(d) other (e.g. quality assurance, internal audit,external audit to ensure that applicationcontrols are adequately built in to thedesign of the new system)

Are programs and systems adequately testedhaving regards to the following:

(a) methods of testing used (unit testing,

integration testing, performance testing,user acceptance testing)(b) scope of testing?

(c) test data used for testing

(d) business and IT sign off andaccountabilities

Are new systems subject to an adequate livetest period (e.g. parallel or pilot running)?

Are the following prepared and issued as part ofsystems documentation:

(a) operating procedures(b) back-up requirements

(c) user clerical procedures?

Are there controls to ensure that only programsthat have been properly approved and testedare transferred to production status?


28/114




*WP

Ref

Maintenance

Changes to programs should be controlled to

ensure that:

(a) new procedures are appropriate andtimely (valid and authorised);

(b) errors are not introduced as a result ofthe change.


Are there controls to ensure that:

(a) the modifications are appropriate to the

user's requirements(b) the amended system, and interfaces are

adequately tested

(c) systems, operations, back-up and userdocumentation is appropriately updated?


(a) all requests for system amendment areconsidered for action

(b) all approved requests are implemented ona timely basis (e.g. entry in a register and

investigation of outstanding changes)?

If modifications are made to existing systemsand interfaces, during the year, are therecontrols to ensure that modifications areproperly tested?

Are the testing procedures performed orchecked by persons other than those involvedin writing the programs?

Are the testing procedures adequate to preventany unauthorised coding from being insertedinto programs during their modification?

Are there controls to ensure that programlibraries are recovered properly after a failureand that no errors are introduced by therecovery process

If immediate modifications are made toprograms or interfaces during emergencies, arethere controls to ensure that the changes are

correctly made and approved?


29/114




*WP

Ref

Computer operations

Controls in computer operations should beadequate to ensure that:

(a) authorised programmed procedures areconsistently applied

(b) the correct data files are used and thatbatch processes complete successfully

(c) processing can be properly resumed inthe event of failures and that systemsperformance is monitored and managed


If on-line application systems are in operation,scheduling will be relevant only to regular batchjobs, end of day or period routines, back-up andhousekeeping where the control considerations arewhether the jobs are run at the appropriate point intime and in the correct sequence.


(a) proper schedules of jobs/programs areprepared

(b) jobs/programs are run in accordance withthe schedules

(c) any departures from the schedules aredocumented and approved?

Are there adequate procedures for:

(a) setting up batch jobs(b) loading on-line application systems

(c) loading system software?

Are there controls to prevent, or detect andinvestigate, unauthorised changes to approvedjob set-up instructions?

Is there appropriate written approval, includinguser involvement where appropriate, for:(a) variations in parameters and control

statements that may affect the way a batchjob or an on-line system runs (e.g. dates,period-end routines)

(b) departures from authorised set-up andexecution procedures (e.g. use of programs

from a test library for production)?


30/114




*WP

Ref

Are there controls to ensure that the correctdata files are used (e.g. software label

checking, generation data sets, use of a tapemanagement system, user check ofvolume/serial numbers, controlling manualoverrides that bypass label checking)?

Is there adequate identification and reporting of:

(a) system failures(b) restart and recovery

(c) emergency situations(d) other unusual situations?

Are operator actions in the event of the aboveincidents reviewed for appropriateness and toensure that the results of processing were notadversely affected (e.g. review of logs andincident reports, daily problem meetings)?

Is there appropriate supervision of operators atall times, including shifts outside the usualworking period?

Are there adequate controls to either prevent orreport and investigate the use of utilities tochange data or programs during processing?

Are there adequate controls to:

(a) back-up and store independently copies ofall data at appropriate intervals

(b) log or save activity so that the status ofdata files at the time of failure is known?

Are there controls to ensure that data files arerecovered properly after a processing failureand that no errors are introduced by the

recovery process?

If modifications are made to data after failuresor during emergencies, are there adequateprocedures to ensure that the changes aremade correctly and approved?

Is there adequate user involvement to ensurethat proper recovery from failures takes place?

Are the above procedures subject to adequate

supervision by a responsible official?


31/114




*WP

Ref

Data File and Program Security

Controls are needed to prevent unauthorised

changes to data and programs.

Consider the following points of focus:

Is there an adequate combination of softwareprocedures and manual action to:(a) prevent unauthorised accesses to the

system, programs, program libraries, datafiles and data elements and report andinvestigate persistent attempts to bypassthe access controls or

(b) report and investigate unauthorisedaccesses?

Are there adequate controls over:

(a) assigning and reviewing access rights toappropriate individuals in the Insurer

(b) granting and revoking authorised access onthe system (e.g. user IDs or passwords)

(c) allocating and withdrawing special facilitiesfrom users (e.g. ability to use certainutilities, higher levels of clearance in ahierarchy).

Where passwords (or other codes) are used toidentify individuals to the system as authorisedusers, are there controls to ensure that thepasswords are:

(a) regularly changed(b) kept secret (e.g. not written down or

displayed on screen) and are not easilyguessable

(c) promptly cancelled for terminated ortransferred employees?

Are there controls to prevent unauthorisedpublic access via dial-up (e.g. use of dial back,dial-up access restricted to non-sensitivefunctions)?

Are the procedures above subject to adequatesupervision by a responsible official?

If software access control is present, consider thefollowing:


32/114




*WP

Ref

Is a responsible official independent ofcomputer operations, systems development and

systems software in charge of security?

Is a record kept of all modifications and fixes tothe security software?

Are there adequate controls to ensure that:

(a) all modifications are appropriate to theinstallation's requirements

(b) operating and other documentation isproperly updated

(c) the modifications function as expected (e.g.

review of subsequent operations or othertesting)?


(a) the security software protection can only beremoved by appropriately authorisedpersonnel

(b) when the software protection has beenremoved, is the unauthorised modificationof programs and data files prevented (e.g.software protection removed only when allon-line services are down and physicalaccess procedures can be relied on)?

Are there adequate controls over:

(a) granting and revoking of the means ofpermitting physical access (e.g. key,security badge, combination number)

(b) where applicable, physical access tounissued permits, badges or keys?

Is there adequate supervision by a responsibleofficial?

Custody of data stored off- l ine

Where data, including back-up copies, isphysically controlled:

(a) are there records to identify data filesuniquely (e.g. external labels)

(b) are there controls over the issue and returnof data files to and from the:

(i) physical library


33/114




*WP

Ref

(ii) store to be used for recovery in theevent of a disaster

(iii) installation(c) do the storage methods prevent the

unauthorised removal of data files?

Is the file librarian function performed by aperson independent of both computer operationand programming responsibilities?

Where it is necessary to bypass normal securityand access controls (e.g. emergencies ormaintenance of program libraries by outside

software support, such as vendors, through dial-up):(a) is there appropriate authorisation before or

after the event

(b) are there controls to:(i) ensure that security is subsequently

reinstated

(ii) prevent or report and investigateunauthorised changes to data?

Where users are permitted to use utilities orhigh level programming languages that canchange data:

(a) are there controls either to prevent theunauthorised use of this facility or to reportand investigate unauthorised use, orattempts to use it

(b) are there adequate procedures to report orprevent unauthorised use of programswritten by an authorised user?

Are there adequate controls to prevent:

(a) computer operators, schedulers, data input

staff and other operations personnel fromgaining access to program documentationand development libraries

(b) development personnel from gainingaccess to the computer operations area

(c) systems implementation personnelresponsible for the cataloguing functionfrom gaining access to programdocumentation and development libraries,and from entering the operations area orperforming computer operations functions?

If confidential or sensitive output is not spooled


34/114




*WP

Ref

directly to a printer but is held on-line ortransmitted to a remote location for subsequent

batch printing, are there controls to prevent ordetect and investigate modifications to outputprior to printing?

Are there controls to ensure that output is sentto the proper destination?

Custody of programs stored of f - l ine

If programs, including back-up copies, arephysically controlled:

(a) are there adequate records to identify files

containing programs uniquely (e.g. externallabels)

(b) are there controls over the issue and returnof program files.

System Software

Controls are needed over system software toensure that:

(a) system software is properly checkedand approved before implementation

(b) all modifications are appropriate andproperly implemented

(c) system software is adequately secured.


Are staff employed in the technical supportfunction only on the basis of either:

(a) thorough inquiry into the validity of

references or(b) assessment of the integrity of the individualin the course of earlier duties in theInsurer?

Are there controls to ensure that systemsoftware packages, options, and fixes selectedare appropriate to the Insurer's requirements?

Are there controls to ensure that thetailoring of system software by the technicalsupport group is:


35/114




*WP

Ref

(a) designed to meet the Insurer's requirements(b) reviewed or otherwise tested prior to

implementation(c) documented to a sufficient standard to

provide a basis for subsequentmaintenance?

Is new system software, including any tailoring,subjected to an adequate live test to ensure thatit does not adversely affect existing applicationsor system software functions?

Are there controls to ensure that system

software libraries are recovered properly after aprocessing failure, and that no errors have beenintroduced by the recovery process?

If the operating system is maintained by vendors:

Are there controls to ensure that themodifications:(a) are appropriate to the installation's

requirements(b) function as expected (e.g. testing, review of

software update log)?

If modifications or enhancements are made to theoperating system by the Insurer's staff:

Are there controls to ensure that modificationsor enhancements:

(a) are appropriate to the installation'srequirements

(b) are subjected to adequate testing, eitherbefore or after going live?

Is the database periodically reviewed:

(a) to identify redundant (duplicate) information(b) to ensure that information duplicated on

other systems is consistent?

File conversion

When data is created or substantially modifiedduring system conversion, controls are necessaryto ensure that data set-up on file is complete,accurate and valid.


36/114




*WP

Ref


Are there adequate controls to ensure that bothtransaction and standing data transferred fromthe old system to the new file was:

(a) completely transferred(b) accurately transferred(c) if applicable, kept secure (no unauthorised

changes)?

Are there controls to ensure that new data, notpresent on the previous system, has been

calculated or otherwise obtained and:(a) completely set up(b) accurately set up (specify key data of

accounting significance)

(c) authorised?

Were the final results of the conversion processapproved (e.g. review and sign-off of aboveprocedures)?

Overall conclusion

Based on the control procedures described andthe results of tests performed, are the controlprocedures, taken as a whole, appropriatelydesigned to achieve the control objectives and arethey operating as prescribed? Set out the principalreasons for arriving at the overall conclusion.

IT audit manager ...............................

Audit manager review ................................


37/114



Section 4.3 Record of application controls File level controls

4.3.1 Policy system

The following program is designed to assist the auditor in understanding and recording the internalaccounting controls instigated by an Insurer in respect of the specific audit objectives identified in theprogram. Having identified the controls, the auditor must consider the extent to which a particular controlprocedure should be tested.

The nature and extent of the tests that may be undertaken have not been specified, but the auditor mustensure that the techniques are sufficiently comprehensive to support their assessment of theeffectiveness of the control procedures. The auditor should record the program of tests and the resultsand conclusions from the tests on work papers that should be cross-referenced to the attachedprograms.

The following program should be completed for each of the key files identified.

Key files are identified by determining those which, if not correctly processed, could result in a materialmisstatement of policy information in the Returns.

The number of policies is used in calculating the net contribution per SEU to the risk equalisation poolhence the completeness and accuracy of the number of policies will affect a fund's overall contribution toor refund from the risk equalisation pool.


38/114



4.3.2 Key fi les/data element s:


*WP

Ref

Completeness and Accuracy of AccumulatedData: The integri ty of the data in the po l icymaster f i le after related trans act ions and

adjustments have been accumulated in them is

preserved.


What are the processes for comparison of datafrom the master file and subsidiary ledgers with

data from the policy?

What are the processes for resolution ofconflicts generated by the above processes withthe policies?

What ensures appropriate adjustments madeare recorded?

File continuity controls can be exercised at a detaillevel or a total level.

At the detail file level, continuity controls mayassist in ensuring the completeness/accuracyand/or existence of the details on the file and mayinclude reviews of management information suchas the comparison of policy numbers analysedbetween table types (applicable benefitarrangements, exclusionary, non exclusionary,general excess and co-payment and no excessand no co-payments) or age groups

File continuity controls at a total level are designed

to ensure that the file carried forward from oneupdate process is the file brought forward to thenext update process and in the event of aprocessing failure the file is promptly recovered toits proper state.

Division of Duties: In order that control beeffect ive it is essential that there should be an

adequate divis ion of duties between those who

inpu t data, process data, supervise, wri te

programs and contro l output .


39/114




*WP

Ref

Relevant divisions of duties would typically be:

Segregation of users from computer operations.

Segregation of authorising supervisors fromclerical duties.

Separation of programs from computeroperators.

Separation of functions within the systems, forexample ledger keepers separated fromcashiers.

Restricted Access to Records (data filesecurity): Only authorised person nel have theaccess to alter inform ation in the pol icy master

fi le.

Security controls over stored data must besufficient to prevent manipulation of financial andnon-financial data through unauthorised access tothe data files.

Stored data must be physically secure andamendments to the data should only take placewhen properly approved and recorded.


What ensures policy and transaction data arenot modified or lost?

How is access to policy master file recordsrestricted (i.e. password or other controls whichlimit the extent of access to master file records

based on area of responsibility)?

Is there adequate segregation of dutiesbetween cash receipts processing and postingto the master file and subsidiary ledgers?


40/114



Section 4.4 Record of application controls - Transaction level controls

4.4.1 Policy system

The following program is designed to assist the auditor in understanding and recording the internalaccounting controls instigated by an Insurer in respect of the specific audit objectives identified in theprogram. Having identified the controls, the auditor must consider the extent to which a particular controlprocedure should be tested.

The nature and extent of the tests that may be undertaken have not been specified, but the auditor mustensure that the techniques are sufficiently comprehensive to support their assessment of theeffectiveness of the control procedures. The auditor should record the program of tests, the results andconclusions from the tests on work papers that should be cross-referenced to the attached programs.

Ultimately, the auditor is required to make an assessment of the effectiveness of the controls and theextent to which further evidence required from detailed substantive testing of transactions can be

restricted.The following program should be completed foreach of the key transaction types that may include thefollowing:

new policy

policy amendments

The approximate volumes per month of each type of transaction should be recorded on your workingpaper and used as a guide to determine which the more significant transaction types are.


41/114



4.4.2 Transact ion type:

4.4.3 Volume per month:


*WP

Ref

Completeness of Input: All authorisedtransact ions are input and accepted for

proc essing, and transact ions are processed

once and once only .


What ensures that all valid policyapplications/amendments are input andaccepted for processing?

What prevents or detects duplicate input oftransactions?

What ensures suspense account balances areanalysed, cleared and reviewed by appropriatepersonnel for large, old or unusual items?

Examples of control techniques which could beused include:

(a) Matching - usually a system initiatedfunction which for example may indicatewhen information from mandatory field ismissing - for example date of birth,policyholder table etc.

(b) Batching - comparison of system generatedbatch totals with manually calculated batchtotals over key fields.

(c) One-for-one checking of data input againstsource documents.

(d) Sequence checking - investigating missingnumbers from batch number sequences orpolicyholder number sequences.


42/114






*WP

Ref

Accuracy of Input: Transact ions are accu ratelyrecorded and are ref lected in the pro per period.


Are all required policy details, in particularage/date of birth of all the insured personsunder that policy recorded on the applicationform?

What ensures policy information is correctlyinput?

What ensures premium rates are correctlycalculated/applied (including, but not limited tothe correct loading rate for persons aged over30 years in accordance with Lifetime HealthCover)?

Is the correct classification made in recording new

policies of:

Total hospital treatment for policies and insuredpersons between exclusionary and non-exclusionary excess and co-payments and noexcess and no co-payments .

Other policies classified as general treatment(ambulance only & total general treatment only andgeneral treatment excluding hospital-substitute,CDMP and hospital-linked ambulance treatment).

What ensures that transactions are recorded inthe proper period? (NB. particularlyretrospectively covered policies)


(a) Batching - however it should beremembered that this will only provide anaccuracy control for the particular field thatis batched.


43/114




*WP

Ref

(b) One-for-one checking - which once againwill only confirm the accuracy of the fields

that are checked.

(c) Edit checks - which may include:

checks that a data field being input,such as the policy table/type of coverexists on the master file

dependency checks to ensure that thecontents of a data field are logicallypossible in relation to other data fieldsinput or on the master file - for examplewhether the policy table number is for

the same state as the postcode orwhere more than one person iscovered under the same policy numberthat the policy is categorized as policycovering more than one person asdescribed in Part 1.4 of the PolicyRules.


44/114






*WP

Ref

Authorisation: Recorded transact ions arebased on actual appl icat ions/amendm ent

advices received hence maintaining the

integr ity of p ol icy numbers.


What ensures that applications/amendmentsare not received from fictitious people?

What source proof documentation is providedwith the initial application/amendment - such asbirth certificate etc?

What prevents policies being duplicated on thesystem?

What prevents input of information byunauthorised persons?

The timing of authorisation should be identified toensure that additional transactions cannot beintroduced nor authorised transactions removedbetween authorisation and input.

Authorisation controls for computerised systemscould include limiting access by passwordprotection to certain functions and the review andfollow up of override or exception reports by aresponsible person (although this is usually aretrospective authorisation procedure since itusually occurs after the update of information tothe system).


45/114





Control objective What control activities address

the control objective?

*WP

Ref

Completeness and Accuracy of Updating:Transact ions inpu t are com pletely and

accurately updated to the correspond ing

database(s).


What ensures all policy transaction andapplication data input is reconciled withinformation and data updated to the master file?

What prevents or detects incorrect entries (i.e.inconsistent with existing or anticipated data)?

Depending on the timing of performance, manyof the controls over the completeness andaccuracy of input will also be controls over thecompleteness and accuracy of update.Examples include:

Batching - where reports of batch numbers used

in updating are obtained and missing batchesare investigated (completeness and to a lesserextent accuracy of update).

Review of exception or override reports thatmay identify inconsistencies in the data input orfields for which no data has been input(accuracy of update).

Reconciliation with information contained inother files - for example the matching ofcontributions received with individual policy on

the system.


46/114







*WP

Ref

Division of Duties: In order for contro ls to beeffective, it is essential that there is adequate

segregation of duties between those who

ini t iate, input, authorise and pro cess

transact ions.

These divisions must be sufficient to limit theactivities of individuals so that the opportunity formisappropriation of assets or concealment of fraudis minimised.

For example the persons responsible for themaintenance of policy master file informationshould be independent of those responsible forinputting contributions received so as to preventcash being misappropriated where policy detailsare not input to the master file.


47/114



Section 4.5 Record of Application controls - File level controls

Section 4.6 Benefits cycle

The following program is designed to assist the auditor in understanding and recording the applicationcontrols at the file level instigated by an Insurer in respect of the specific audit objectives identified in theprogram. Having identified the controls, the auditor must consider the extent to which a particular controlprocedure should be tested.

The nature and extent of the tests that may be undertaken have not been specified, but the auditor mustensure that the techniques are sufficiently comprehensive to support their assessment of theeffectiveness of the control procedures. The auditor should record the program of tests and the resultsand conclusions from the tests on work papers that should be cross-referenced to the attachedprograms.

The following program should be completed for each of the key files from which the benefits paid

information in the Returns are derived.

Key files are identified by determining those that, if not correctly processed, could result in a materialmisstatement of benefits information in the Return.


48/114



4.6.1 Key fi les/data element s:



*WP

Ref

Completeness and Accuracy of AccumulatedData (file continuity): The integri ty of [po l icymaster f i le data] claims/benefi ts paid in the

sub sidiary ledgers and the general ledger, after

related transact ions and adjustm ents have

been accumulated in them, is preserved.

File continuity controls can be at a detail level or atotal level. At the detail level file continuity controlsmay assist in ensuring the completeness, accuracyand/or existence of the details on the file and mayinclude the following:

Reviews of management information (althoughit should be noted that management informationis generally not sufficiently detailed to enabledetection of errors).

Open items cleared by matching withinformation from other systems or externaldocuments.

File continuity controls at the total level are

designed to ensure that the file carried forwardfrom one update process is the file brought forwardto the next update process and in the event of aprocessing failure the file is promptly recovered toits proper state.


What ensures all benefits/claims transactionsare accurately updated to the necessary

databases e.g. the claims database and thesubsidiary creditors ledger and the generalledger?

How are bank statements reconciled to thegeneral ledger cash accounts?

Division of Duties: In order that control beeffect ive it is essential that there should be an

adequate divis ion of duties between those who

inpu t data, process data, supervise, wri te

programs and contro l output .


49/114





*WP

Ref

Relevant divisions of duties would typically be:

Segregation of users from computer operations.

Segregation of authorising supervisors fromclerical duties.

Separation of programs from computeroperators.

Separation of functions within the systems, forexample ledger keepers separated fromcashiers.

Restricted Access to Records (data filesecurity): Only authorised personn el haveaccess to claims record s, includ ing standing

data, cash accou nts, and u nissu ed cheques.

Security controls over stored data must besufficient to prevent misappropriation of assets ormanipulation of financial and non-financial datathrough unauthorised access to the data files.


How is access to the claims records restricted?

Is there adequate segregation of dutiesbetween those maintaining the claims payablerecords and those responsible for cashdisbursements processing?

How is access to unissued cheques and chequesigning machines restricted?

How are electronic funds transfers controlled?


50/114



Section 4.7 Record of Application controls -Transaction level controls

4.7.1 Benefi ts cycle

The following program is designed to assist the auditor to obtain and record an understanding of theapplication controls at the transaction level instigated by an Insurer in respect of the specific auditobjectives identified in the program. Having identified the controls, the auditor must consider the extentto which a particular control procedure should be tested.

The nature and extent of the tests that may be undertaken have not been specified, but the auditor mustensure that the techniques are sufficiently comprehensive to support their assessment of theeffectiveness of the control procedures. The auditor should record the program of tests, and the resultsand conclusions from the tests on work papers that should be cross-referenced to the attachedprograms.

Ultimately, the auditor is required to make an assessment of the effectiveness of the controls and the

extent to which further evidence required from detailed substantive testing of transactions can berestricted.

The following program should be completed for each of the key transaction types that may include thefollowing:

claims entry

adjustments

cheque production

master file maintenance

cash

The approximate volumes per month of each type of transaction should be recorded on your workingpaper and used as a guide to determine which are the more significant transaction types.


51/114





Control Objective What control activities address thecontrol objective?

*WP

Ref

Completeness of Input: All authorisedbenefi ts/c laims transact ions are input and

accepted for processing and transact ion s are

processed once and once only .


What ensures that all valid benefits/claimstransactions received are input and accepted forprocessing?

What ensures that all eligible benefits/claimsrecoverable through risk equalisation arerecorded?

What ensures the Insurer has kept a record byclaimant of how much has gone into the ABP sothat once the threshold has been reached, theresidual can be assessed to determine if it fitsthe criteria for a high cost claim.

What ensures suspense account balances areanalysed, cleared and reviewed by appropriatepersonnel for large, old or unusual items?


(a) Matching - usually a system initiatedfunction which for example may includewhen information from mandatory fields hasbeen omitted.

(b) Batching comparison of systemgenerated batch totals with manuallycalculated batch totals over key fields.

(c) One for one checking - of data input tosource documents

(d) Sequence checking - investigating missing


52/114



Control Objective What control activities address thecontrol objective?

*WP

Ref

numbers from batch number sequences.




*WP

Ref

Accuracy of Input: Are all data fields requiredto determine risk equ al isat ion el igibi l i ty and

benefi t amount accu rately inpu t and the claim

benefi t accurately generated and ref lected in

the prop er period as to:

Amount of benefit payment or settlement Service type Service provider Date of processing Date of claim event (e.g. period and dates of

hospitalisation, illness, etc)

Date of payment Claim number Policy number Policy coverage (amount and type) Policy effective date


Are all risk equalisation benefit and eligibilitydetails (set out above) recorded on claim form?

What ensures claims payable anddisbursements are applied to the correct policyand paid to the correct claimant?

What prevents or detects incorrect entry of theabove key data?

Has the appropriate plan and table benefit(s)rate(s) associated with the service item beenused in calculating the benefit amount?

How are appropriate excesses identified anddeducted in calculating benefit amounts?

How are appropriate limits identified and appliedin calculating benefits amounts?

What ensures that disputed claims are properly


53/114




*WP

Ref

investigated and that corrections to claims orcoverage data, if necessary, are made on a

timely basis? What ensures transactions are recorded in the

proper period?

What ensures that benefits attributed to theAged Based Pool have been calculated in thecorrect age bands?


(a) Batching - however it should beremembered that this will only provide anaccuracy control for the field that isbatched.

(b) One-for-one checking - which once againwill only confirm the accuracy of the fieldsthat are checked.

(c) Edit checks - which may include:

checks that a data field being input, such as apolicy number, exists on the master file

screen checks, such as the name of apolicyholder of a policy, address and policyappearing on the screen when the policynumber is entered.

dependency checks, to check whether thecontents of a data field are logically possible inrelation to other data fields on the transaction ormaster file - for example whether the claim

being processed is allowable under the level ofcover taken out by that policy

Consi

phiac 1 audit guidance 2012

Documents