REPORT DIGEST DEPARTMENT ON AGING COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2018 Release Date: August 22, 2019 FINDINGS THIS AUDIT: 16 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 4 -- 1 -- 5 Category 2: 3 -- 8 -- 11 Category 3: 0 -- 0 -- 0 TOTAL: 7 -- 9 -- 16 FINDINGS LAST AUDIT: 14 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (18-1) The Departments (HFS, DHS, DCFS, and DoA) failed to execute adequate internal controls over the implementation and operation of the State of Illinois’ Illinois-Michigan Program Alliance for Core Technology system (IMPACT). • (18-4) The Department on Aging (Department) lacked adequate controls and monitoring over eligibility determinations and payments made to service provider agencies that applied for and received a special hourly rate under the Community Care Program. • (18-5) The Department did not maintain a complete list of interagency agreements. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS STATEWIDE FAILURE TO EXECUTE INTERAGENCY AGREEMENTS AND PERFORM ESSENTIAL PROJECT MANAGEMENT FUNCTIONS OVER PROVIDER ENROLLMENT IN THE MEDICAID PROGRAM The Department of Healthcare and Family Services (HFS), the Department of Human Services (DHS), the Department of Children and Family Services (DCFS), and the Department on Aging (DoA) (collectively, the “Departments”) failed to execute adequate internal controls over the implementation and operation of the State of Illinois’ Illinois-Michigan Program Alliance for Core Technology system (IMPACT). Specifically, management of the Departments did not enter into interagency agreements (IA) defining each agency’s roles and responsibilities, and did not perform essential project management functions over the implementation of IMPACT. HFS’ and Delegated Agencies’ Roles As set by the State of Illinois’ State Plan under Title XIX of the Social Security Act (State Plan) (Section 1.1), the State’s designated agency responsible for administering and supervising the administration of the Medicaid Program is HFS. However, Section 1.1 of the State Plan also allows for HFS to delegate specific functions to other State entities to assist with the administration of the Medicaid Program, pursuant to a written IA defining each agency’s roles and responsibilities. During our testing, we identified the following delegated agencies, which we will refer to as HFS’ Delegated Agencies, and examples of the Medicaid services they provide which utilizes IMPACT for enrollment of their providers. DHS administers several human service programs under the Medicaid Program, including developmental disabilities support services, rehabilitation services, and substance abuse (prevention and recovery) services. DCFS administers the State’s child welfare program which includes cooperating in the establishment of Medicaid eligibility for children who are wards of the State. DoA administers the State’s programs for residents aged 60 and older, including Home and Community Based Services to Medicaid recipients who meet Community Care Program requirements. Auditor Testing and Results In order to determine if the Departments complied with federal and State laws, rules, and regulations when they developed, implemented, and operated IMPACT, we reviewed the Departments’ applicable policies and procedures governing IMPACT. The testing identified the following material weaknesses in internal control: • The Departments did not have current, formal written agreements defining the roles and responsibilities of HFS or its Delegated Agencies of the Medicaid Program. • While DHS utilized IMPACT to formally approve providers for the purposes of granting payments of their Medicaid claims, it did not utilize IMPACT as its book of record or rely on it to verify the providers met certain federal requirements. In this instance, the book of record means the mandatory system designated by HFS to be used for the tracking of the State’s activities, events, or decisions when approving or denying the enrollment of Medicaid providers. When we inquired of DHS as to why it did not retain the documentation within IMPACT to support its determination of enrollment, DHS management stated it chose to maintain the supporting documentation outside of IMPACT as it could not rely on IMPACT. • When we inquired of DCFS and DoA as to what their processes were regarding the use of IMPACT, they both stated they did not use IMPACT after formally approving the providers for the purpose of granting payments of their Medicaid claims. They both believed HFS was doing the subsequent review of, and maintenance of, provider enrollment information for them. After asking HFS to confirm if DCFS’ and DoA’s statements were accurate, HFS management stated that was not the case and both DCFS and DoA had the responsibility to subsequently review their providers eligibility for enrollment in the Medicaid program. • The Departments implemented IMPACT despite the inability of IMPACT to allow Illinois officials to generate customary and usual system internal control reports, including such information as provider data, security measures, or updates made to IMPACT. The Departments must go through the third party service provider (TSP) in order to obtain any reports needed by the State. • Based on testing of the documented procedures governing IMPACT, the auditors noted the following: – the procedures only addressed the actions that should have been taken by HFS and did not include the procedures to be followed or taken by the Delegated Agencies, – the procedures contained contradictory provisions, and – the procedures did not depict the actual actions taken by HFS staff during the examination period. – The Departments failed to establish and maintain adequate general information technology controls over IMPACT. • The Departments had inadequate project management over the implementation of IMPACT. According to the Intergovernmental Agreements, Amendments, and Statements of Work signed between HFS and the TSP, who maintains and hosts IMPACT, the TSP was to provide HFS various deliverables throughout the implementation of the project for its timely review and approval. During testing of the deliverables required to be provided, the auditors noted the following: – HFS did not receive 9 of the 60 (15%) required deliverables, – For 39 of the 51 (76%) deliverables received, there was no supporting documentation to demonstrate HFS had approved them, and – One of the 51 (2%) deliverables received, the PE Implementation Plan, was noted as “draft”. As a result, HFS does not have supporting documentation to show it received and approved the “final” version of the deliverable. The purpose of the PE Implementation Plan was to define the overall approach for the implementation of the PE module of IMPACT. • As a result of inadequate project management, the Departments did not implement adequate security controls over IMPACT. • The Departments did not design and establish an adequate internal control structure over provider enrollment determination such that sufficient and appropriate evidence, maintained in a paperless format, existed to support each provider met various compliance requirements at the time when the Departments determined each provider’s eligibility. Further, management at the Departments failed to adequately monitor manual provider enrollment determinations, as (1) staff did not consistently document their review of the provider applications in accordance with HFS’ Process Checklists and (2) HFS did not establish a system of supervisory reviews of work performed by staff. Failure to execute IAs and failure to perform essential project management functions could expose the State to unnecessary and avoidable litigation, approval of ineligible providers, excessive expenditures, over-reliance on contractors, and could result in a system that does not meet the needs of the State and the individuals dependent on the State for Medicaid services. In addition, the Departments’ lack of due diligence in performing project management responsibilities has led to a significant increase in project timeline and associated costs. (Finding 1, pages 10-16) We recommended management of the Departments execute detailed IAs which define the roles and responsibilities of each agency regarding the Medicaid Program. The IAs should sufficiently address necessary procedures to enforce monitoring and accountability provisions over IMPACT as required by the Code of Federal Regulations, the State Plan, and the Act so the enrollment of providers offering services to recipients of the Medicaid program is carried out in an effective, compliant, efficient, and economical manner. We further recommended the Departments obtain and review/approve the remaining deliverables from the TSP and, in the future, the Departments should establish adequate controls over project management for the development and implementation of major projects, such as IMPACT. Department officials partially agreed with the finding and stated the Department believes that HFS, as the State Medicaid Agency, should be the Agency that initiates an Interagency Agreement (IA) with the operating agencies. However, the Department will coordinate with HFS to enter into an IA related to IMPACT. Department officials disagreed with the other elements of the finding as the Department is a limited user within IMPACT. INADEQUATE CONTROLS AND MONITORING OVER ENHANCED RATE PAYMENTS MADE TO COMMUNITY CARE PROGRAM SERVICE PROVIDERS The Department lacked adequate controls and monitoring over eligibility determinations and payments made to service provider agencies (providers) that applied for and received a special hourly rate under the Community Care Program. The Illinois Act on Aging (20 ILCS 105/4.02) requires the Department to pay an enhanced rate under the Community Care Program to those in-home providers that offer health insurance coverage as a benefit to their direct service worker employees consistent with the mandates of Public Act 095-0713. For Fiscal Year 2018, the enhanced rate was $1.77 per hour (previously $1.61 per hour). For the two fiscal years under examination, the Department paid providers approximately $78 million for the enhanced rate payments. The auditors tested the documentation submitted during the two years ended June 30, 2018 and noted six of eleven (55%) providers tested in each fiscal year did not submit verification for an independent certified public accountant of the actual, documented expense for health insurance during the providers’ fiscal year. In addition, one of the providers did not submit a Direct Service Worker Health Insurance Certification (DSWHIC) during Fiscal Year 2017. (Finding 4, pages 30-31) This finding has been repeated since 2010. We recommended the Department strengthen controls to ensure that initial and ongoing reviews of eligibility and annual reporting for the enhanced reimbursement rate are conducted and documented in a timely manner, and in accordance with the Illinois Administrative Code. We also recommended the Department obtain reimbursement from providers if determined to be ineligible. The Department concurred with the recommendation and stated they will work to ensure that initial and ongoing reviews of eligibility and annual reporting of enhanced reimbursement rates are conducted and documented timely. (For the previous Department response, See Digest Footnote #1) INADEQUATE INTERNAL CONTROLS OVER INTERAGENCY AGREEMENTS The Department has not maintained a complete list of interagency agreements. During the examination, the auditors requested the Department provide a list of interagency agreements (IA) that were in effect during the two years ended June 30, 2018. The Department was able to provide copies of certain interagency agreements, but was unable to determine if all agreements in effect during the examination period were included. Due to these conditions, the auditors were unable to conclude whether the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C §205.35) to test the Department’s interagency agreements. Even given the population limitations noted above which hindered the ability to the accountants to conclude whether a sample selected could be representative of the population, the accountants selected a sample and performed testing without noting any exceptions to the procedures performed. (Finding 5, pages 32-33) We recommended the Department implement procedures to compile and maintain a centralized record of all of its interagency agreements. The Department concurred and agreed that the practice of each division within the Department being responsible for maintaining records related to IAs specific to the area made it difficult to ensure a complete list of all IAs could be provided to the Auditors. The Department has introduced an expectation and revised its practice that all Departments and Bureaus responsible for the execution of IAs will forward an electronic copy of the completed records to the Legal Division for retention so that a list of IAs can be provided to the Auditors in the future. OTHER FINDINGS The remaining findings are reportedly being given attention by the Department. We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the Department for the two years ended June 30, 2018, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2018-001 through 2018-005. Except for the noncompliance described in these findings, the accountants stated the Department complied, in all material respects, with the requirements described in the report. This compliance examination was conducted by Borschnack, Pelletier & Co. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:cgc DIGEST FOOTNOTES #1 – Inadequate Controls and Monitoring Over Enhanced Rate Payments Made to Community Care Program Service Providers – Previous Department Response 2016: The Department concurs. Discussions within the Department regarding controls that are currently in place for monitoring of the enhanced rate need to be reviewed for improved efficiencies. The Department has strengthened their efforts to ensure compliance by the providers to submit the necessary verification documents. Additionally, the Department needs to review the imposition of contract sanctions. The Department will continue its efforts to obtain documentation even after termination of the provider contract to close out the final allowable expenditures payable to the provider.