REPORT DIGEST

DEPARTMENT OF HEALTHCARE AND FAMILY SERVICES

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2021

Release Date: June 22, 2022

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

FINDINGS THIS AUDIT: 8

CATEGORY       NEW    REPEAT    TOTAL
Category 1:      0         7        7
Category 2:      0         1        1
Category 3:      0         0        0
TOTAL:           0         8        8

FINDINGS LAST AUDIT: 11

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).

Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.

Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

INTRODUCTION

• (21-01) The Departments (HFS and DHS) had insufficient internal controls over changes to the Integrated Eligibility System (IES) and recipient data.
• (21-05) The Departments (HFS and DHS) failed to establish and maintain adequate general information technology internal controls (general IT controls) over the operation of the State of Illinois’ Illinois Medicaid Program Advanced Technology system (IMPACT).
• (21-06) The Department of Healthcare and Family Services (HFS) failed to execute interagency agreements (IA) with the Department of Human Services (DHS) establishing adequate internal controls over operation of the State of Illinois’ Illinois Medicaid Program Advanced Cloud Technology system (IMPACT). In addition, HFS failed to sufficiently review and document eligibility requirements either prior to the approval of eligibility, and/or during the required monthly screenings for enrolled providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INSUFFICIENT INTERNAL CONTROLS OVER CHANGES TO THE IES AND RECIPIENT DATA

The Department of Healthcare and Family Services and the Department of Human Services (collectively, the “Departments”) had insufficient internal controls over changes to the Integrated Eligibility System (IES) and recipient data.

Management of the Departments have shared responsibility for various human service programs in the State and for internal controls over the manual and automated processes relating to eligibility for these programs. The Departments’ IES is the automated system used by the Departments which intakes, processes (with the assistance of caseworkers), and approves recipient applications, maintenance items, and redeterminations in order to determine eligibility and make payments for the State’s human service programs.

Change control is the systematic approach to managing changes to an IT environment, application, or data. The purpose is to prevent unnecessary and/or unauthorized changes, ensure all changes are documented, and minimize any disruptions due to system changes.

IES Application Changes Policies and Procedures

Our review of the April 20, 2020 IES Change Management Plan (Plan) noted the Plan did not:

• Define the requirements for the prioritization or classification of changes,
• Define the numerical grading for determining impact,
• Define the detailed documentation requirements for test scripts and results, impact analysis, design documentation, or other required documentation, and
• Define when changes were required to include a specific requirement, who was to review the various steps and when and by whom approvals were required.

Additionally, we noted backout plans to return the system to a previous functional version in the event a change moved into production caused undesired results had not been prepared for individual infrastructure changes.

Testing of IES Application Changes

Due to the Plan’s limitations noted above, the scope of our audit procedures was limited to the Departments’ testing and approval of IES changes prior to placing them into production. Specifically, we could not perform testing on other change management control procedures, which would otherwise be typically tested, as they were not included in the Plan.

Our testing noted no exceptions during testing of IES application changes. (Finding 1, pages 56-58) This finding was first reported in 2017.

We recommended management of both Departments work together to strengthen controls in the Change Management Plan by including:

• Specific requirements for the prioritization or classification of changes,
• Definitions of the numerical grading for determining impact,
• Detailed documentation requirements for test scripts and results, impact analysis, design documentation, or other required documentation,
• Definitions of when changes are required to include a specific requirement, who should review the various steps, and when, and by whom approvals are required, and
• Requirements for backout plans to return the system to a previous functional version in the event a change moved into production causes undesired results, for individual infrastructure changes.

HFS accepted the recommendation and stated it will work with the Department of Human Services to develop policy guidance that strengthens controls.

INADEQUATE GENERAL INFORMATION TECHNOLOGY CONTROLS OVER IMPACT

The Department of Healthcare and Family Services (HFS) and the Department of Human Services (DHS) (collectively, the “Departments”) failed to establish and maintain adequate general information technology internal controls (general IT controls) over the operation of the State of Illinois’ Illinois Medicaid Program Advanced Technology system (IMPACT).

In calendar year 2012, HFS and the State of Michigan’s Department of Community Health entered into an intergovernmental agreement (IGA) for the State of Illinois (State) to utilize Michigan’s existing Medicaid Management Information System (MMIS) and its related infrastructure with the goal of replacing the State’s MMIS to accommodate the processing of the State’s Medicaid provider enrollment determinations and all Medicaid claim payments to such providers. Since 2012, the State has implemented two phases of IMPACT: Electronic Health Record Medicaid Incentive Payment Program (eMIPP) and Provider Enrollment (PE).

An IGA was entered into in 2015 which formally established the Illinois-Michigan Program Alliance for Core Technology. Additionally, the parties agreed to pursue expansion of the Michigan MMIS environment to accommodate the processing of Illinois’ Medicaid claims. The IGA required Michigan to extend its current system to utilize cloud architecture that would result in converged infrastructure, maximizing the effectiveness of shared resources, and allowing the shared services to be offered to HFS.

As a result of the Departments not having access to or control over IMPACT and its infrastructure, the auditors requested HFS provide a System and Organization Control (SOC) report which would provide the State and auditors information on the design and effectiveness of internal controls over IMPACT. In response, HFS provided a Security Assessment Report (Report); however, this report did not evaluate the design and implementation of Michigan’s internal controls. Specifically, the Report did not document:

• The timeframe/period the Security Assessment Report covered,
• Independent service auditor’s report,
• Details of the testing conducted, and
• Details of Michigan’s internal controls as they relate to:
    - Control environment,
    - Risk assessment processes,
    - Information and communication,
    - Control activities, and
    - Monitoring activities.

As a result, the auditors were unable to perform adequate procedures to satisfy themselves that certain general IT controls (change management) to IMPACT were operating effectively during the audit period.

Change Management

As a result of the Departments’ failure to obtain a SOC report, as noted above, or conduct their own timely, independent internal control review over changes to IMPACT, data, or the infrastructure, the auditors were unable to determine if changes made during the audit period were proper and approved.

User Access Control

The auditors noted HFS included all users, including DHS users, in its annual IMPACT Provider Enrollment Access Review. However, due to no executed intergovernmental agreement between HFS and DHS (see Finding 2021-006), there was no interim user access review completed for DHS. (Finding 5, pages 65-67) This finding was first reported in 2018.

We recommended the Departments work with the service provider to obtain assurance the internal controls over IMPACT, data, and the infrastructure, including change control and user access, are adequate. Additionally, until the Departments execute an intergovernmental agreement which addresses all user access testing, we recommended DHS perform periodic user access reviews of all DHS employees with access to IMPACT.

HFS accepted the recommendation and stated a SOC report will be generated and available for the next audit year which will provide HFS with the assurance needed regarding the internal controls over IMPACT.

INSUFFICIENT REVIEW AND DOCUMENTATION OF PROVIDER ENROLLMENT DETERMINATIONS AND FAILURE TO EXECUTE INTERAGENCY AGREEMENTS

The Department of Healthcare and Family Services (HFS) failed to execute interagency agreements (IA) with the Department of Human Services (DHS) establishing adequate internal controls over the operation of the State of Illinois’ Illinois Medicaid Program Advanced Cloud Technology system (IMPACT).
In addition, HFS failed to sufficiently review and document eligibility requirements either prior to the approval of eligibility, and/or during the required monthly screenings for enrolled providers.

Interagency Agreements

Auditors noted HFS did not enter into or have an existing IA with DHS defining each agency’s roles and responsibilities as they related to IMPACT during fiscal year 2021.

Detail Sample Testing of IMPACT Providers at HFS

During fiscal year 2021, 24,209 provider enrollment applications were approved in IMPACT. In order to determine if the providers’ applications were approved in accordance with federal and State laws/rules/regulations, a sample of 60 approved applications were selected for testing. Our testing noted seven (12%) approved provider applications did not contain documentation to substantiate a review of the provider’s required professional license or board certification to confirm the licenses/certifications were valid at the time the application was approved.

Detail Sample Testing of IMPACT Providers at DHS

During testing, the auditors determined DHS did not solely utilize IMPACT as the official book of record or consistently rely on it to verify its providers met certain Medicaid requirements prior to approving them to provide services. Specifically, in fiscal year 2021, DHS performed procedures to determine if its providers met certain Medicaid requirements outside of IMPACT. Upon completion of those procedures, DHS personnel then entered the providers’ information into IMPACT and approved the provider’s file in order to grant approval for payment.

In order to determine if DHS provider applications were approved in accordance with federal and State laws/rules/regulations, prior to DHS entering their information into IMPACT, the auditors selected a sample of 60 approved applications for detailed testing and had no exceptions.

Additionally, IMPACT conducts monthly screenings of provider profiles against several databases to determine if the provider licenses are valid and current, and to identify suspected criminal activity. During testing, the auditors determined DHS personnel did not regularly follow up on issues identified in IMPACT during the monthly screenings. (Finding 6, pages 68-70) This finding was first reported in 2018.

We recommended HFS management work with DHS to ensure all provider applications are properly reviewed, approved, and documented within IMPACT. In addition, we recommended HFS work with DHS to execute detailed interagency agreements which document specific roles and responsibilities as they relate to IMPACT. Finally, until the interagency agreement is finalized, we recommended DHS follow up on issues identified pertaining to their providers, from the IMPACT monthly screenings.

HFS accepted the recommendation and stated the interagency agreement is being finalized. HFS also stated provider enrollment staff works with DHS staff monthly to conduct quality assurance reviews of provider applications approved during the previous month, and any identified errors are communicated to DHS and corrected.

OTHER FINDINGS

The remaining findings pertain to inadequate access review procedures for IES, inadequate disaster recovery controls over the IES, insufficient detailed agreement with the Department of Innovation and Technology and inadequate interagency agreement for the IES, failure to review third-party service providers’ internal controls, and inadequate internal controls over census data. We will review the Department’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINION

The auditors stated the financial statements of the Department of Healthcare and Family Services as of and for the year ended June 30, 2021 are fairly stated in all material respects.

This financial audit was performed by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jv