oversight

Audit of Information Systems Application Controls at AXA Assistance as Administrator for the Panama Canal Area Benefit Plan

Published by the Office of Personnel Management, Office of Inspector General on 2009-06-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                                        u.s. 06~~~f6;;~~O=~6~~~~~r;t~i
                                                                                                                OFFICE.OF AUPITS



                                      FilIal Audit Report . 


SUbject:

                        AUDIT OF INFORMATION SYSTEMS
                                   APPLICATION CONTROLS AT
                              .                      oAXA ASSJSTA.NCE ..                                            .
                 .. . ' AS A.Q)ViINISTR1).TQ:a FOR.1JlE . .
              .·.. ;PANAMA-CANAL                                   AREA
                   ··,--" ·:"- ;;::" ,,,-" -,,,:":"i " " ,' ',-,', .... .' . ... ., . BENEFIT         PLAN
                                                                                      . ...... - .,. ",, " ', - -,­

                         ~o. ,';·.,   ..'__;' '-"'"    '




                                                      Il.i;port No.
                                                           , -  " -
                                                                    lB..j3-00-08-066
                                                                    .. .
                                                                 ,' ,          --"',   ..   .• ..   ..   - ,"




                                                      Date'
                                                       .-.- - .         .




                                                                            -CAU1l0N­
l 'his 'tI._ll:dit rcptlrt Iw beep diittrihu'te4 -lv Ferlcrai.ilud Non-F....'<!cral officials wbo are ri-sponsihl~ for the
administntlio8ort,he 211djted C9ntraci. This audit teport may conuin propneJarydata wbich 'is protected -by
Federal bw (18 u.S.C.J905}) therefore, wb,ile tbIs audit repOrt is ;wailableuu_dcr ·the,Freedom or lilforUlation
A('t, caution need): to bee};crtiscd bdore rcleasfng the repOrt to tfu; gel1er~1 rub.lie.
                       UNlTED STATES OFFICE OF PERSONNEL MANAGEMENT 

                                         Washington, DC 20415 



   OffICe of the
Irupct.10f Gcncml




                                         Audit Report


                    FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM 

                                 CONTRACT CS 1066 

                                  AXA ASSISTANCE 

                              AS ADMINISTRATOR FOR 

                          PANAMA CANAL AREA BENEHT PLAN 

                                   PLAN CODE 43 

                                 PANAMA CITY, PANAMA 





                                Report No. 1&43-00-08-066

                                Dllte:          June 18. 2009




                                                                  Assistant Inspector General
                                                                    for Audits
                          UNITED STATES OFFICE OF PERSONNEL MANAGEMENT 

                                                 Washington, DC 20415 


   Office of the
In.ipector General




                                            Executive Summary


                      FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM 

                                   CONTRACT CS 1066 

                                         AXA ASSISTANCE 

                                     AS ADMINISTRATOR FOR 

                                 PANAMA CANAL AREA BENEFIT PLAN 

                                          PLAN CODE 43 

                                        PANAMA CITY, PANAMA 





                                       Report No. lB-43-00-08-066 


                                       Date:           June 18 t 2009 





         This final report discusses the result<; of our audit of application controls over the information
         systems at AXA Assistance (AXA), the administrator for the Panama Canal Area Benefit Plan.

         Our audit focused on the claims processing application used to adjudicate Federal Employees
         Health Benefits Program (FEHBP) claims for AXA, as well as the various processes and
         information tcclmology (IT) systems used to support these applications. \Vc documente4
         controls in place and opportunities for improvement in the area below.


         Apl2lication Controls
         AXA has implemented many controls in their claims adjudication proc,ess to ensure that FEHBP
         claims are procC8scd accurately. However, we recommended that AXA implement severa]
         enhancemenls to their claims processing system as well as their claims adjudication processes to




         www ... pm.go~
ensure that they are processing FEHBP claims in a manner consistent with their OPM contract
and other regulations. Those enhancements include:

   •	   Improved Internal Auditor Procedures
   •	   Implementing controls over system overrides
   •	   Segregation of emollment duties
   •	   The implementation of appropriateness of care, non-covered benefit and provider-to­
        procedure inconsistency edits
   •	   Improving the controls over the benefit code selection for claims processors
   •	   The processing of U.S. claims
   •	   Development of a Multilingual Explanation of Benefits (EOB)
   •	   Improving the EOB information provided to members
   •	   Development of system generated EOB remark codes




                                               11
                                                                      Contents 



Executive Summary .......... ,................ , .. , ............ ,....... ,............ ,................ ,.... ,.... i 

I. 	 Introduction........ "., ................ ,................................. ,......... ,.............. ,................................. " .... 1 

     Background ............................. ,................................. ,.................... ,...... ,... "."'" ..,,...... ,.,' .......... 1 

     Objectives ,..................... ,." ....................,., .. ', ...... ,.................. " ....................... ,................. " ..... , 1 

     Scope..,.................................... ,.......... :..... ,........... , .............. ,............... ,', ... ,', .... " .. ,... ,........ " .. ,... 1 

     Methodology ..................... ,....................................................................... ,', ............................. 2 

     Compliance with Laws and Regulations ........................ ,.... ,............................................. " ...... 3 

II. 	 Audit Findings and Recommendations ..................................................................................... 4 

      Application Controls, ...... ,.......... ,..,.. "..,..,...... ,.. ,.,.... ,..... ,..,... ,"', ........... ,............ ,................. ,.... 4 

           A. Input Contois., ................... ,.......................... " ...... ,................................................ ,' ...... 4 

           B. 	 Processing Controis ....................... ,......... , .............................. ,"', .................... " ........... 4 

           C. Output Controis ........... ,.............. ,........................................... " ...... " .......................... , 16 

Ill. Major Contributors to This Report ......................................................................................... 17 


Appendix: AXA Assistance's December 16, 2008 response to the draft audit report, issued
October 15, 2008.
                                       I. Introduction 

This final report details the findings, conclusions, and reconunendations resulting from the audit
of application controls over the information systems responsible for processing Federal
Employees Health Benefits Program (FEHBP) elaims at AXA Assistance (AXA).

The audit was conducted pursuant to Contract CS J 066; 5 U.S.C. Chapter 89; and 5 Code of
Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of
Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Aet are implemented by
OPM through regulations codified in Title 5, Chapter I, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

AXA Assistance is the administrator for the Panama Canal Area Benefit Plan. Employees
responsible for processing FEHBP claims for AXA are located in the Plan's facility in Panama
City, Panama and Miami, Florida.

This was the OrG's first audit of application controls at AXA Assistsnce.

All personnel that worked with the auditors were particularly helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.

Objectives
"The objective of this audit was to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in AXA's computer systems.
This objective was accomplished by reviewing the application controls specific to AXA's claims
processing systems.

Scope
Our performance audit was conducted in accordance with Govermnent Auditing Standards
issued by the Comptroller General of the United States. Accordingly, we obtained an
understanding of AXA's internal controls through interviews and observations, as well as the
in~'Pection of various documents, including information technology and other organizational
policies and procedures. This understanding ofAXA's internal controls was used in planning
the audit by detennining the extent of compliance testing and other auditing procedures



                                                  J

necessary to verify that the internal controls were properly designed, placed in operation, and
effective.

We audited the confidentiality, integrity, and availability ofAXA's computer-based information
system used to process FEHBP claims, and found that there are opportunities for improvement in
the information systems' internal controls. These areas are detailed in the "Audit Findings and
Recommendations" section of this report. Since our audit would not necessarily disclose all
significant matters in the intemal control structure, we do not express an opinion on AXA's
system of internal controls taken as a whole.      .

The scope of this audit was centered on the claiIDs processing system that processes FEHBP
claims for AXA, as well as the business structure and control enviromnent in which it operates.
In addition, we evaluated several areas of concern expressed to us by the Office of Personnel
Management's Contracting Office. Our findings, recommendations, and conclusions are based
on the status of information system general and application controls in place at AXA as of
September 5, 2008.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
AXA. Due to tiIDe constraints, we did not verify the reliability of the data used to complete
some of our audit steps, but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.

We performed the audit at AXA Offices in Panama City, Panama. These on-site activities were
performed in August 2008. We completed additional audit work before and after the on-site
visits at our office in Washington, D.C.

Methodology
In"(All'ldueting this review the OIG:
• 	 Gathered documentation and conducted interviews; and
• 	 Conducted various compliance tests to determine the extent to which established controls and
    procedures are functioning as intended.
Various laws, regulations, and industry standards were used as a guide to evaluating AXA's
control structure. This criteria includes, but is not limited to, the following publications:
• 	 Office of Management and Budget (OMB) Circular A-l30, Appendix III;
• 	 OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
    Personally Identifiable Information;
• 	 The Information Technology Governance Institute's (ITGI) CobiT: Control Objectives for
    Information and Related Technology, 3,d Edition;
• 	 The General Accountability Office's (GAO) Federal Information System Controls Audit
    Manual;
• 	 The National Institute of Standards and Technology'S Special Publication (NIST SP) 800-12,
    Introduction to Computer Security;



                                                 2

• 	 NIST SP 800-14, Generally Accepted Principles and Practices for Securing Infonnation
    Technology Systems; and
• 	 The Health Insurance Portability and Accountability Act of 1996, Health Insurance Refonn:
    Security Standards; Final Rule.

Compliance with Laws and Regulations
In conducting the audit, the OIG perfonned tests to detennine whether AXA 's practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
AXA was not in complete compliance with all standards as described in the "Audit Findings &
Recommendations" section of this report.




                                                3

                 II.     Audit Findings and Recommendations 

Application Controls
The policies and procedures that AXA has incorporated into its claims adjudication process
involve several activities, some ofwhicll are supported by several computer applications.
However, Ihe scope of our application controls audit was limited to reviewing the activities
related to the claims processing system.

We evaluated the input, processing, and output controls associated with AXA's _
_            system. In telms of input controls, we documented the policies and procedures
adopted by AXA to help ensure that: 1) there are controls over the inception of claims data into
the system; 2) the dara received comes from the appropriate sources; and 3) the data is entered
into tbe claims database correctly. We also documented and reviewed AXA's methods for
reconciling its processing totals against input totals and for evaluating the accuracy of their
processes. For output controls. we evaluated the methods that AXA utilizes to ensure that output
is distributed, safeguarded and disposed of properly.

To validate the claims processing controls. we conducted a testing exercise with AXA personnel
in Panama City, Panama. This exercise involved developing a test pJan that included real life
situations to present to ~'XA personnel in the fonn of institutionaJ and professional claims. Ail
test scenarios were processed through AXA                               system.

The test plan included expected results for each test casC. Upon conclusion ofthe testing
exercise, we compared our expected results with the actual results obtained during the exercise.

The se<..llons below document the opportuniti~s for improvement we noted reJated to applicailon
controJs.

A. Input Controls

   To evaluate the inpul controls AXA has implementoo for' 

   we identified an possible- sources of claims coming into the ~:~ 

   mechanisms established by AXA to aecept and process the cl 

    1) Uses.a daily log to keep track of received claims; 

    2) Documents all of the claim documentation received from a member; and 

    3) VisuaUy verifies that paper claims are entered correctly. 


   These practices provide a controlled envirorunent for receiving FEHBP data.

B. Processing Controls

   AXA has adopted a practice of allditing an claims that are entered into the claims processing
   system . AXA maintains a pre~payment report that allows the intemal auditor to review all
   authorized claims before approviJlg them for payment. A backlog report is used to determine
   how long claims have been in the~ system. In addition, AXA performs several internal
   audits throughout the year including a three percent audit and a high dollar audit.


                                                4
Although we observed adequate processing controls as part ofAXA's tracking mechanisms
and internal auditing techniques, some of our test claims produced unexpected results. The
test results indicate that certain eiaims processing practices at AXA should be modified to
produce results consistent with the FEHBP contract and other regulations. The following
sections document the findings from our limited scope audit.

1. Internal Auditor Procedures

   AXA has implemented a process in which the internal auditor must approve all eiaims
   authorized by the claims adjusters before they are released for payment. During this
   process, the internal auditor reviews the claims that were authorized that day. The
   internal auditor does this by verifying the member and provider infonnation as well as
   comparing the paper claim to the infonnation entered into the system. However, AXA's
   internal auditor procedures do not include enough detail regarding the reviews the
   internal auditor perfonns during the approval process.

   While AXA does have procedures that describe how to download the prepayment reports
   to spreadsheets, the procedures do not provide enough detail describing the steps the
   internal auditor must take to review a claim. Procedures that are not detailed would
   hinder other employees ability to complete a thorough review of the claims should the
   current internal auditor become unavailable. As a result, a major compensating control
   for AXA's claims processing system would be significantly weakened by the lack of
   infonnation and training the new internal auditor would receive from the procedures.

   Recommendation 1
   We recommend that AXA expand its procedures to describe the audit process in a way
   that would enable a new internal auditor to adequately review authorized claims.

   AX4 Assistance's Response:
    '~XA    Assistance agrees with this audit recommendation and has expanded the
   existing auditor's procedure manual to include details on quality criteria and
   requirements that the audit(}r must consider prior to reviewing a cloim. For example,
   the list (}f all the Plan benefits categorized by covered and n(}n covered procedures. The
   procedure has been expanded to also include reviewing the provider's inconsistency
   and appropriateness of care until the system can be automated. Copy of auditor's
   procedure manual is available to OIG upon request.
   It is anticipated that the gender c(}ntrol system capabilities will be implemented during
   the first quarter of2009. "                                                             .

   OIG Reply:

   We acknowledge the steps AXA has taken to address this recommendation. As part of
   the audit resolution process, we recommend that AXA provide OPM's Center for



                                            5

     Retirement and Insurance Services (CRIS) with appropriate supporting documentation
     related to the controls that have been implemented,

 2. Override Controls

     'Wh(.."ll a claims adjuster enters a claim into the l1li system. Ihey have the option to
     bypass (or override) all ofthe edits in the system. allowing them to process a claim
      without limitations, This knO\vn control deficiency was discovered during an .
      independent audit ofAXA. As a result. we requested documentation showing that this
      deficiency has been corrected. During our ansite visit, we were jnfonned and were
     provided with screen prints of the test region to support that AXA is in the process of
      developing a modification for the override command that will be administered by the
     l1li administrator. This modification allows the administrator to enable or disable the
      adjuster's rights 10 the override (.;ormnand. If the command were enabled, the processor
      would have a maximum dollar threshold for using this command and, if the threshold
      were exceeded, it would go to the internal auditor for review. Finally, AXA is creating
      an override report that would keep track of all of the ~Iaims that were overridden.

     While AXA is working on implementing controls over the override command, those
     controls have not been impkTnented in the production environment of the claims
     processing system. This deficiency provides claims adjusters with the ability to bypass
     aU ortbe edits in thellll system, such as duplicate and eligibility edits, thus
     undermining the integrity of the claims processing system. Until these controls are
     jmplemented in the l1li production environment, the adjuster's ability to use the
     override conunand without any limitations is still a significant deficiency in the l1li
                       system .

     Recommendation 2
-' -. ' We recommend that AXA continue working toward implementing the oven'ide controls
        'into thellll production environment.

     AXA AS.fistance's Response:

     I'AXA Assistance agrees with this audit recommendation and Ihe override controls
     were already fixed;n o"r~ Test environment and the Information Systems Alldits
     Group test€d the o"erride controls during the onsuc vi.tit. O'lr Information ~'!!!'-~
                  has scheduled the deployment of the new l'ersion of
                  sy",'em by end of2008.

     User limits have been created to o"erride the chlims with the deployment o/the new
     lIerslon o~ The Ilea' user nghts will also be introduced. We will also "aye the
     capahility to detect the oIJerriddell claims through the mass approval process as well as
     review overridden claims for appropriateness via reporting. "




                                              6

   OIG Reply:
   We acknowledge the sleps AXA has taken to address this recommenda1ion. As part of
   the audit resolution process, we recommend that AXA provide OPM's CRIS with
   appropriate supporting documentaticHl s110wing that the ovenide controls have been
   implemented in production.

3. Enrollment SegrcguticlR of Duties

   AXA regularly receives enrollment jnformation from multiple sources. The processor
   then modifies the l1lisystem by either adding a new member to the system or
   modifYing a current member's enrollment record based on the information provided.

   The processor who updated the enrollment information then reconciles it with the FEHB
   Enrollment Reconciliation Clearinghouse (CLER) system. Enrollment reconciliation is
   the process of reconciling a health insurance carrier's enrollment system with the
   emollment information from all oftIte federal goverrunent payroll offices that is located
   on the CLER. On a quarterly basis, the CLER system compares each carrier's enrollme,nt
   database to the database provided by the payroll offices. Each carrier is required to
   review and resolve any dis(,'rcpancies generated from the match. Typically, a health
   insurance carrier segregates the reconciliation process from the cnrollment update
   process. However, AXA has the same person who adds or modifies the cnroJhncnt
   infbnnation also recclncile that infonnation with CLER.

   Any time a single individual has control of an entire process, the potential for fraud
   increases significantly. As a result, AXA is more susceptible to fraud bec,ause the
   enrollment processor may be able to fabricate enrollees and c.onccal the activity because
   the processor al so performs the CLER reconciliation. This could potential1y result in
   false claims being submitted and paid by AXA, thus increasing the costs to the FEHBP.

   Recommendation 3
   We recommend that AXA segregate the enrollment process so that more lhan one
   individual is involved in the process.

   AXA Assistance's Response:

   "AXA Assistance agrees with this audil recommendario1l and has segregated the
   enrollment reconciljution process with the CLER jysJem to the Claims Team due to
   their high o.perielf(:e working ill the A-fember Services Area. Enrollment process ;s
   handled by the Jt.Jember Services 1~/anoger and the quarterly CLER reconciliation
   process is hatldled by Ihe Claims Team."

   OIGReply:
   We acknowledge the steps AXA has taken to address this recommendation. As part of
   the audit resolution process, we recommend that AXA provide OPM 's eRIS with
   appropriate supporting documentation that these duties have been segregated.


                                            7

4. ApPTopriatent'Ss of Care

     We submitted six. profcs:>ional daims lnto                                test system to
     evaluate the effectiveness of the system's                         care     Thc~ test
     system processed and paid all of the professional claims without defening them for
     apIPrc'jlI1'" """"" of care edits. The six: test claims included the    .
      •
       •
       •
       •
     To further         "l'!""l1ri2~,ess of care edits, the OIG submitted two hospital
     claims that ir~~;~~~,!!!                        into the system. Neither ofthose claims
     encountered:                         . as expected.

     ~lbe lack of adequate appropriateness of care e<lits in the
     increases the risk ofprocessing claims inaccurately and gen..~rjng
     increasing the costs to the FEHEP.

     Recommendation 4
     We recommend that AXA detennine the feasibility of implementing appropriateness of
     care edits tor all FEHBP claims in an effort to cnsure that only services covered by thc
     plan are paid.

     AXA A.fsistance'.~ Respolue:
     ..AX.4 Assistance agrcl!!t' with this audit rec(}mmendation and i.s working toward the
     del'Clopment of age c(mtro/ edits in the                                system. Sy:;tem
     capability will be ready by January 1,                                      will need 10
     be expallded by tile system developers _ . It is anticipated that 

     ~apabiliries will be implemented during rhe./irsr quarter 0/2009. 


     Additionally, a report hO.f been created that Itighlight~· errors according to the rilles
     defined for review and will be run by the Claims Departmem ott a daily basis. "

     OIG R.epty:

     We acknowledge the steps AXA has taken to address this rcconnnendation. As part of
     the audit resolution process, we reconunclld that AXA pro"idc OPM's eRIS with
     appropriate supporting documentation related to the controls that have been
     implemented.

5.   Non~Covered    Benefits

     AXA incorrectly paid two tC!>i: c1aims for services that arc not listed as covered by the
     Panama Canal Area Benefit Plan (PCABP) benefit brochure.


                                               8

     The first test case was for a claim jn which the ~~~




     The second lest case was for a claim in which the patient had a pf()cedwe
     W b i l e _ is not specifically excluded in the benefit brochure, it .                as a
     benefit eHher. The benefit brochure states that "Benefits will not be paid for services
     and supplies... Not specificaUy listed as covered."

     The lack of adequate edits in                           system to prevent non·oovcred
     benefits from being paid increases:                  can be processed inaccurately, thus
     generating erruneous payments and increasing the costs to the FEHBP:

     RecommeDdation 5
     We recommend that AXA implement edits that prevent tbe payment of nonAcovered
     benefits.

     AX4 AfOSistanceJs RespoNse:

     "..4X1 Assismnce   agree~'   with this audit recommendation and is working toward tlte
                     . edits that prCl"ent the payment of non-covered bellefits in the ~
                           s)"""", System capabUity will be ready by January 1, 2009.

     Additionally, we have expanded the existing procedure manllal used by (he auditor's 10
     i"clude details 011 system edits so as to track what we have added in the lystem. Copy of
     auditor's procedure manual is available 10 OIG upon request.

     The Non Covered beneflt~· have been added by serviceJ to
     system's matrix. to automatically deny. This process .I1I"uld red."iCe hum-iii

     OIG Reply:
     We acknowledge the steps AXA has taken to address this reconuncndatiofl. As part of
     the audit resolution process, we recommend that AXA provide OPM' s CRIS with the
     appropriate supporting documentation related to the controls that have been implemented.

6.

     The" test system incorrectly paid for claims that were

                             sy,;telm prolx:sscd an,1 na>ct a claim even though it was for a
                                                              . Two additional claims willi ~
                                                         though the fee schedules for those
                                                             We were expecting the claims


                                              9

  .E~~~ S)'laeln       to deny these claims because the services are


   Paying for claims that are                                            in<:reases AXA' s risk
   of processing c1aims ina,wur2,tely       gCllleratingclToneous payments, thus increasing the
   costs to the FEHBP.

   Recommendation 6
   We recommend that AJ(,\JJT'l"eJI1<e!1t the necessary technical controls to ensure that only
   services associated                                 are pa.id,

   AX4 AssistanceJs Response:
   ...AXA Assistance                this audit recommelldation and is working toward the
   development ofa                                 that will be               /0 claim
   approwlls. The                                                                    wllich
   services are aOfJWeti. The                                                       rules
   defin€d for re~iew. It is anticipated that the reporti1lg will he implemented during the
   first qlltU1er of1009."

   OIG Reply:
   We acknowledge tlle steps AXA has taken to address this recommendation. As part of
   the audit resolution process, we recommend that AXA         OPM's crus with the
   appropriate supporting documentation related to                                      that has
   been implemented.

7" Benefit Code Selection

   In certain instances the claims adjuster has the ability to select the benefit that is
   applicable for a specific service.

   During our claims testing. we submitted a claim in which the member incurred an office
   visil al the member's primary care physician (PCP). When the claim was entered into the
   ~ test system, the adjuster had the option of choosing one of the following services:
       • an office visit with the PCP or
       • an office visit with a specialist.
   We were expecting the adjusler to select the PCP benefit resulting in a member 00­
   payment 0[$ iO and the health pJan being responsible for the rest of the claim. However,
   the adjuster mistakenly sc1ccted the specialist benefit, resulting in the member owing
   "50% of the Panama P~S Fee schedllie amount. " In addition, the member was
   responsible for "any difference betwet.'I1 the POS Fee schedule and the billed amount"
   because the member did not get a referral from the PCP to go to a specialist.

   The claims adjustl.'T should not have the opportunity to select the applicable benefit.
   Rather, tIllS decision should be made: by the claims processing system. If the adjuster



                                              10 

\


       makes an incorrect selection. AXA would pay the incorrect benefits for a particular
       servIce.

       ReeommendaHon 7
       We recommend that~"'(A implement the necessary technical changes lO allow the'"
       system to select the appropriate benefit fOf all services.

       AXA Assistance's Resflonse:
       "AXA A$Sistance agrees nith this audit recommendation and is working toward
       di/niltisJ'Iiti'!r the benefit,,; appearing during the cloim.~ processing by upd4ting our~
                                   sy~·tem, thus the system wilt be able to select the appropriate
       he,nej'i, ,'0' all ..,,,i,,",,.' listed ;11 OUT Plan. Sy:,'tem capahi/iJy will be ready by January 1,
       2009. "

       OIG Reply:
       We acknowledge the steps AXA bas taken to address this recommendation. As part of
       the audit resolution process, we recommend that AXA provide OPM)s CRIS wjth
       appropriate supporting documentation related to the controls that have been
       impJemented.

    8. Processing U.S. Claims

       AXA's Panama office receives claims for serv1ces from Panamanian providt-'Ts as well as
       U.s. providers. Once a claim is reccived in Panama the processor is responsible for
       detcnnilling ifthcdaim is from the U.s. or Panama. If the member went to the U,S. for
       services, the processor is supposed to send the claim to AXA's Miami office for
       processing. However, if the claims                 not detennine that the member went to
       the U.S. for services then                             system would process and pay the
       claim WitJlout deferring it

       We tested this situation by submitting a claim with a U.S. provider. The test system
       processed atld paid this claim without deferring it. We were expecting the~ system
       to either suspend the claim for processor review or have the claim automatically
       transmitted to a claims adjuster in AXA's Miami office. The adjusters jn AXA's Miami
       office are (hen responsible for processing the claim and coordinating it with Medicare, if
       necessary. However, jfthe adjusters in Panama were to process thi s claim they do not
       have the training to coordinate claims with Medicare. As a result, AXA may not be
       coordinating claims with other insurance carriers, resulting in increased costs to the
       FEHBr.

       .Recommchdation 8
       We recommend thatAXA jmplement the necessary technical controls to ensure that U.S.
       claims arc not processed in the Panrona office.



                                                    lJ
  AXA Assistance's Response:
  "AXA Assistance agrees with this audit recommendation and our Member Services
  Department is now detecting the U.S. claims from the instant the members submit their
  claims and is sending the claim to AXA 's Miami office for processing.
   Our Claims Manager is also monitoring that U.S. claims are indeed being processed by
   U.S. adjustors only through a monthly productivity report. "

   OIGRcply:
   We acknowledge' the steps AXA has taken to address this recommendation. As part of
   the audit resolution process, we recommend that AXA provide OPM's CRIS with
   appropriate supporting documentation that U.S. adjustors are processing all U.S. claims.

9. Multilingual EOB

   AXA only provides its members with the option of receiving an Explanation of Benefits
   (EOB) printed in English. While this may work for most plans, AXA's diverse group of
   members, most of whom live in a Spanish speaking country (Panama), would benefit
   from a multilingual EOB.

   EOBs are an important part of FEHBP's fight against fraud as well as the disputed claims
   process. By developing a multilingual EOB that accommodates all their members' native
   languages, the health plan would be empowering their members to help AXA in their
   fight against fraud and abuse in the healtheare industry.

   Recommendation 9
   We recommend that PCABP develop an EOB that would accommodate their members'
   native languages (English and Spanish).

  AXA Assistance's Response:
   "AXA Assistance agrees with this audit recommendation, though based on past
   experience and specific client requirements, our central batch Explanation ofBenefits
   (EOB) printing must be in English. Therefore, we are working toward the development
   ofa Spanish version ofthe EOB to have available upon request.
  A Spanish brochure called "Understanding Your Explanation of Benefits" has been
  created to translate EOB jargon into ea$J1 to understand plain language for members
  as well as to include educational information on what an EOB is and how to
  understand the format and language within the EOB. Please refer to Exhibit I
  enclosed with this communication for a sample copy of the "Understanding Your
  Explanation ofBenefits" brochure using our current EOB format.

  Additionally, at the bottom of all EOBs, a notice will be placed advising members to
  refer to our Member Services Department for brochure gllidance on understanding
  your explanation ofbenefits or for a copy oftheir EOB in Spanish.


                                          12 

    The Understanding your Explanation ofBenefits brochure will be promoted to our
    members via our website and member lIewsleners? and other disrdb"nort points,
    includillg tire administration offices. "

    OJG Reply:
    We acknowledge the steps AXA bas taken to address this recommendation. As part of
    the audit resolution process, we recommend that CRlS verify that the "Understanding
    yom EX'Planation of Benefits" brochure i::; made available to PCABP's member.

 10. Explanation of Benefits

    After reviewing the output provided during our c1aims testing exercise we detennined
    that the EOB could be confusing to members.

    The output received for one of our test claims shows that the claim has an allowed
    amount ofzero dollars (see [A) Table I) while the insured cost is $17.50 (see [BJ Table
     1)~ which is 50% of the POS fee schedule amount We were expecting the EOB to show
    the allowed amount as the fee schedule amount allowed for this claim (see [C] Table 2).
    In addition, we were expecting the insured cost to equal $37,50 (see [D] Ti:lble 2), which
    is 50% ofthe Panama POS Fee schedule amount plus the difference between the pas
    Fee schedule and the biJIed amount, instead of the $17.50 that was di~,;played (see [B]
    Table I) on the actual EOB.




Amotmt                                                                                       Code



    Table J: Sunnnary of an actual EOB from an DIG Te::;t Claim



Amount     Covered    Amount Discount



    Table 2: Summary of an expected EOB from an OIG Test Claim

    Finally. the EOB does not provide the member with a remark code that explains why the
    insured's cost was so high. In this case, we were expecting all explanation stating that the
    patient went to a Fee for Service provider resulting in an increase(.:! cost to the member.




                                             J3 

              AXA's EOBs are confusing because they are missing critical information. As a result,
              their value as a tool for informing members and preventing fraud is diminishL'<i.

              Recommendation 10
              We recommend that AXA implement the necessary changes to ensure the Explanation of
              Benefits ~re easy to understand by the members.

              A.X4 Assistance's Response:
              "AXA Assistance agrees with this audit recommendation and is including in the
              Explanation of Benefits the negotiated cO.\t and changing the description of the
              aUowed amount io COB allowed amount. However, u's important to clarify that the
              allowed amount in the claim from your claims te~ting exercise is the COB allowed
              amount and not the fee schedule amount allowed. Nevertheless, AXA Assistance will
              change the current "Allowed Amount" description to 4'COB Allowed Amount"
              The"~ystem behavior would be as follows using the same test claims example as your
              draft report:




                               Amount    Discount                              Paid          Cost      Code




          Table 2: Summary of the revised EOB after the OIG audit recommendation IF we do have a
         fee schedule i.e.• network providers.



Amount    Covered                            Discount           Copay    Carrier                Cost
                                                                          Paid



     Table 3:




Amount    Covered                            Discount                    Carrier      Paid      Cost      Code
                                                                          Paid




                                                    14 

   OIGRcp)y:
   We acknowledge the steps AXA has taken to address this recommendation. As part of
   the audit resolution process, we recommend that AXA provide OPM's CRIS with
   appropriate supporting documentation that this updated EOB has been impiemt.'ntcd.

11. Explanation of Benefits Remark Code

   Several claims tbat process~d through the  l1litest system did not include remark codes
   on the' explanation of benefits (EOB). During our claims testing exercise, it was
   detennined that claims adjusters have to manually adjust the claim to include the correct
   EOB remark code.

   In one instance, a claim was denied in the system as a duplicate. The system warned the
   claims adjuster of a potential duplicate as well as provided the adjuster \\'ith the other
   claim to review . However, the system did not place a duplicate remark code on the EOB
   to notify the member of the reason the claim was denied.

   In another instance, the ctaims pro("-essing sy~1em detected that the claim was submitted
   by a debarred provider. While the'" system provided the adjuster with infonnation
   about the debarred provider, it did not place an informational remark code indicating to
   the member that the provider is debarred on the EOB.

   Because AXA's EOBs arc incomplete. important infonnation is not being provided to
   health plan members. As a result., the EOBs have limited effectiveness as tools for
   fighting fraud and keeping members infonned.

   RecOrilmCndlltion J 1
   We recommend that AXA implement the necessary technical changes to ensure the
   system automatically places rematk codes on the explanation of benefits in an effort to
   provide members with more information regarding the adjudication process.

   AXA Assislanu's R~sponse:
   "AX.4 Assistance agrees with this oudit recommendation. The :,yslem had a unique
   shared freJd to provi(/.e an explaml1ion for suspensions or rejections, hut it was Q free
   lexlfielti and mIt a list o/rejection codes to refer to. AXA ASJ;;stance is working wward
   the development of a dictionar}' of sU!Jpension and rejection reason.f. The dictionary
   Kill feed a drop down list for adlustor~' to reference when claims are rejected or
   suspended, but will also have a free text field for new rejection retumns not listed. A
   centrol will be implemented that will prompt the IIser if a 'claim is rejected or ~.1Ispended
   without providing a rea~·on. We expect to implement these system capabililies during
   the first quamr of2009.

   Additionally, Ollr prepayment report will include the reasons for rejection so we can
   verify that the appropriate code has been selected or if the field is used as a free format,



                                            15 

      to confirm that this will be a unique event a/rejection that will not require us to add to
      the rejection reason dictionary. "

      OIGReply:
      We acknowledge the steps AXA has taken to address this recommendation. As part of
      the audit resolution process, we recommend that AXA provide OPM's CRIS with
      appropriate supporting documentation related to the controls that have been
      implemented.

C. 	 Output Controls

   On a weekly basis, AXA's Miami office prints the checks for the claims that were processed
   the previous week. The cheeks are then mailed to the Panama office for distribution. Once
   they are received in Panama, the finance manager verifies that all of the checks were
   received. The finance manager then delivers the checks to the member services department
   in the Panama office. This department then distributes the cheeks to both the provider and
   members upon request.

   AXA has adopted adequate policies and practices to provide guidance for the generation and
   distribution of system output related to the claims processing applications within the scope of
   this audit. These include activities such as:
     • 	 The use of a "check register" to keep track of all checks received from the Miami
         office;
     • 	 The use of a check log to keep track of batches of checks that were printed; and
     • 	 The use of a provider receipt to document that the provider picked up the check.

   Nothing came to our attention to indicate that there are any weaknesses related to AXA's
   procedures for controlling system output for FEP claim transactions.




                                               16 

                  III. Major Contributors to This Report 

This audit report was prepared by the U.S. Office ofPersunne1 Management, Orfice of
Inspector General. Information Systems Audits Group. The following individuals
participat(.'{) in the audit and the preparation of this report:

    •                      Group Chief
    •                         Senior Team Leader 

    •                          Auditor-in-Charge 





                                                17 

                                         Appendix
 December 16, 2008




                      of    Pill'SOlmel Management 

  Office of th e In spector GL'neral 

  Inronnation Systems Audits Group 

  Washington, DC 20415-1100 


  Rc: 	   Draft Report Response for the Application Controls And,i t 

          Report No. 111-43-00-08-066 

          Carrier Code: 43 




  On October 15, 2008 the U,S. Office of Persotmel Manag(''1nent, Office of the Inspector
  General, Information Systems Audits Group issued a draft report for the Application
  Controls Audit of AX A Assistance Florida, Inc.

  Our comments below arc in response to the draft report detai ling the results of the audit
  fmdings and ccx:ommend3tlollS of the Federal Employees Health Benefits Program
  operations at AXA Assistance, administrators of the Panama Canal Area Benefit Plan.

  ThllJ1k: you for your cooperation and consideration of this additional information. If you 

  have .:my quc:stiolls or need additional infomlatioll      contact me directly at _ 

  _           or by email at 

- -.
  Sincerely,




  cc:
                            PROCESSING CONTROLS 


A. Auditor Pro£cdures Recommendation

The Infornlation Systems Audits Group recommendl.>d that AXA Assistance expand
its procedures 10 describe tbe audit process in a way that would enable a new
auditor to adequately review authorized claims.

AXA Assistance agrees with tJlis audit recommendation and has exp~nd ed the existing
auditor's procedure manual 10 include details on quality criteria and requirements that the
auditor must consider prior to reviev.'ing a claim. For example, the list of aU the Plan
benefits categurized by covered and non covered procedures. The procedure has been
expanded to also include reviewing the provider's inconsistency and appropriateness of
care until the system can be automated. Copy of auditor's procedure manual is available
to 01G upon request
It is anticipated that the geoder control system capabilities will be implemented during
the first quarter of2009.

B. Override ConttoJ5 Recommendation
The Information Systems Audits Group recommended tbat AXA Assistance
continue working toward implementing tbe override controls into tbe                 l1li
production environment.
AXA Assistallce agrees with this audit recommendation and the ovenidc controls were
already fixed in our l1li Test environment and the Information Systems Audits Group
tested the override controls during the onsite visit. Our Information
Department has scheduled the deployment of the new version of
_            syslem by end of2008.

User limits have been Cfetlted to override the claims with the deployment of the new
version of l1li    The new user rights win also be introduced. We will also have the
capability to detect the overridden claims tlu-ough the mass approval process as well as
review overridden cl aims tor appropriateness via reporting.

C. Enrollment Segregation of Duties Recommendation

The Information Systems Audits Group recommended that AXA Assistance
segregate the cnro1lmcnt pnlCcss so that more tban one individual is involvtd in the
process.

AXA AssJstance agrees with this audit recommendation and has segregated the
enrollment reconciliAtion process with the CLER system to the Claims Team due to their
high experience working in the Member Services Area. Enrollment process is handled by
the Member Services Manager and the quarterly CLER reconciliation process is handJed
by the Clajms Team.
D. Appropriateness of Care Recommcndation
The Information SystClWS Audits Group r ecommended that AXA Assistance
determine the feasibility of implementing appropJ'latcnc5S of cll re edib for aJl
FEHBP claims in an effort to eDsure tbat only services covered by the plan arc paid.

AXA Assi stance agrees with tllis audit recommendation and is working toward the
development of age control edits in the                            system. Systcm
capability will be ready by January I ,                      ho.,ev'er, will need to
be CJ:panded by the system developers
system capabilities will be imj,ICI'n<'11tedduring

Additionally, a n..-port has been created tllat hi ghlighl'l errors according to the rules
defined for review and will be run by the Claims Department on a daily basis.

E. Non·Covered Benefits Recommendation
The Information Systems Audits Group recommended tbat AKA Assistance
implement edits that prevent the p~yment of Don-covered benefits.

AXA Assistance agree..'l with this audit recommendation and is worlcing toward the
~~'E'!~ of edits that prevenl the pa}ment afnon-covered benefits in thc _
             sysi,:m . System capability wi]1 be ready by January ), 2009.

Additionruly, we have expanded tbe existing procedure manual used by the auditor>s to 

inc1ude deL1i1s on system edits so as to track what we have added in the system. Copy of 

aud itor' s procedure manum is 3vailable to OIG upon request. 


The Non Covered benefit s have been added by seIVice, to the 

system's matrix to automatically deny. This process sho\lld reduce hum, ,, 




The luformation Systems Audits Group recommended (hat A...XA Assistance
                        bnica( controls to ensure tbat
                            paid.
AXA Assistance


                        The report
                      . anticipated that the reporting
quarter of2009,

G. 8t!nefit Code Selection Recommendation

The Information Systems Audits Group recommended thut AXA Assistance
implement the necessary tec.hnkal changes to allow tbe _ system to sei(>Ct the
appropriate benefit for aU services.
AXA Assistance agrees with this audit recommendation and is working toward
difininishiing the benefits appearing during the claims processing by updating our . .
                      systern~ thus the system will be able to select the appropriate l>t;nefil­
                       in our Plan . System capability will be ready by January J, 2009.

H. Processmg U.S. Claims Recommeodation

The Information Systems Audits Group re<:ommended that AXA Assistance
implement the necessary tecboical conlrols to ensure that U.S. claims are not
processed in tbe Panama office.

AXA Assistance agrees with tbis audit recommendation and our Member Services
[x:partmcnt is now detecting the u.s. claims from the in.<;tant tbe members submit their
claims and is sending tlle claim to AXA '5 Miami office for processing.

Our Claims Man,lger is also monitoring that u.s. claims nre indeed being processed by
U.S . adjust(}fs only through a monthly productivity n."1 'on .

I. Multilingual EOB RccQuuncndation

The Information Syst'e ms Audits Group recommended that AX.A Assistance develop
an EOB tb.t wDuld accommotlale their members t native languages (Englisb lind
Spanish).

AXA Assistance agrct'S with this audit recommendation, though based on past experience
and specific client requjrements. our central batch Ex.planation of B~ne fi ts (EOS)
printing must be in English. Therefore, we are work ing toward the development of It
Spanish version of the EOB to have available upon reque::!l.

A Spanish broch ure called "Understanding Your Explanation of Benefits" has heen
created to translate EOB jargon into easy 10 lUlderstfUld plain language for members as
well as to include educational1nfonnation OJ) what an EOn is and how to understand the
fOJ'TUat and language within the EOR Please refeT to Exhibit I enclosed with this
communication for a sample copy of the "Understanding Your Explanation of Benefits"
brochure using our current EOB [onnat.

Additionally, at the bott,om of all EOBs, a notice will be plac\.-'(i advising ,members to
refer to our Member Services Department for brochure guidance on understanding your
explanation of benefil s or for a copy of their EOB in SpanisJl.

The Understanding your Explanation of Bcn c fil~ brochure will be- promoted to our
members via our website and member newslcttcrs. and other distribution poinls,
including the admioistration offices.
         J. Explanation of Benefits Recommendation
         The Information Systems Audits Gronp recommended that AXA Assistance
         implement the necessary changes to ensure the .~xplanation of Benefits is easy to
         understand by the members.
         AXA Assistance agrees with this audit tecommendation and is including in the
         Explanation of Benefits the negotiated cost and changing the description of the allowed
         atnQWlt to COB allowed amount. HoweveT. it's important to clarify that the allowed
         amount in the claim from your claims testing exercise is the COB allowed amount and
         not the fcc schedule amount allowed, Nevertheless, AXA Assistance will change the
         current "AUowed Amount" description to "COB Allowed Amount"

         The system behavior would he as follows using the same test claims example as your
         draft report:




           Amount        Covered   Amount        Discount         Copay Carrier      Paid     Cost     Code
                                                                            Paid

           $55.00                   $0.00        $20.00     $0.00 $17.50    $0.00   $17.50   $17.50


          Table 2: Summary of the revised EOB after the OIG audit recommendation IIi' we do have a
          fee schedule i.e., network providers.




          Table 3: Summary of the revised EOB after the OIG audit recommendati on IF we do not have
          a fee schedule i.e., U.S. providers.




Amount                                           Discount                                      Cost
                                                                             Paid

                                                                   $27.50           $27.50    $27.50
K. Explanation of Benefits Remark Code Recommendation
The Information Systems Audits Group recommended that AXA Assistance
implement the necessary technical changes to ensure the system automatically
places remark codes on the explanation of benefits in an effort to provide members
with more information regarding the adjudication process.
AXA Assistance agrees with this audit recommendation. The system had a unique shared
field to provide an explanation for suspensions or rejections, but it was a free text field
and not a list of rejection codes to refer to. AXA Assistance is working toward thc
development of a dictionary of suspension and rejection reasons. The dictionary will feed
a drop down list for adjustors to reference when claims are rejected or suspended, but will
also have a free text field for new rejection reasons not listed. A control will be
implemented that will prompt the user if a claim is rejected or suspended without
providing a reason. We expect to system capabilities during the first quarter of 2009.


Additionally, our prepayment report will include the reasons for rejection so we can
verify that the appropriate code has been selected or if the field is used as a free format,
to confirm that this will be a unique event of rejection that will not require us to add to
the rejection reason dictionary.