Audit of the Management Control Framework for the Interim Federal Health Program

Audit Report
Internal Audit and Accountability Branch
Citizenship and Immigration Canada
Final Report
May 2010

Table of Contents

List of Acronyms

ASC
Audit Services Canada
CA
Claims Administrator
CBSA
Canada Border Services Agency
CIC
Citizenship and Immigration Canada
FOSS
Field Operational Support System
HMB
Health Management Branch
IFHP
Interim Federal Health Program
MAF
Management Accountability Framework
MCF
Management Control Framework
NHQ
National headquarters
OHIP
Ontario Health Insurance Plan
OIC
Order‑in‑council
OMC
Operational Management and Coordination Branch
PAHM
Post‑Arrival Health Management
QA
Quality assurance
RFP
Request for proposal
SP
Service provider
PT
Provinces and Territories
TBS
Treasury Board Secretariat

Executive Summary

The Citizenship and Immigration Canada’s (CIC) Risk‑Based Audit Plan 2008–2009 identified the requirement to conduct a follow‑up audit of the Interim Federal Health Program (IFHP). A previous internal audit of the control framework for the IFHP was conducted in 2004. The current audit focused on the Management Control Framework (MCF) at national headquarters (NHQ). The examination phase was conducted between February and November 2009.

The audit was conducted to be in accordance with the Government of Canada’s Policy on Internal Audit and the Institute of Internal Auditors professional practice standards.

The IFHP provides emergency and essential health‑care coverage to eligible people who demonstrate financial need and who do not qualify for provincial or territorial or private health coverage due to their status in Canada. The program provides payment for medically necessary services rendered by licensed medical practitioners, as well as medicines and in‑patient and out‑patient hospital services. It is managed by the CIC Health Management Branch (HMB). HMB sets policy, provides program oversight and has overall responsibility for program management. Claims administration is outsourced to a third party. The total cost of the program in 2008–2009 was approximately $71M.

The objective of the audit was to assess the effectiveness of the current MCF for the IFHP. The audit also assessed the extent to which previous internal audit recommendations had been implemented. The audit scope was comprised of three lines of enquiry, i.e., governance, risk management and internal control. The audit was limited to NHQ activities.

Since the 2004 internal audit of the program, IFHP management has undertaken several initiatives to enhance the MCF. They include a documented quality assurance (QA) process, draft performance indicators, data mining activities, an expenditure forecasting model and development of policies or service definitions, and a new Request for Proposal (RFP) for a claims administrator (CA), which included additional requirements regarding client service standards and quality assurance. We noted that several of these initiatives were not fully implemented at the time of our audit. The RFP process was concluded in 2009 and the contract with the new CA was signed on December 15, 2009. Transition will take place during 2010.

The audit concludes that while the IFHP has the necessary elements of an adequate MCF, certain key controls are not effectively applied, which diminishes the effectiveness of the MCF.

The MCF includes appropriate governance mechanisms such as the definition of roles, responsibilities and accountabilities, operational plans and communication protocols. There is awareness of key risk areas, but these are not formally assessed. Internal controls comprise eligibility requirements of clients and services, requirements for prior approval of certain services, identification of essential services and approved treatment, adjudication of claims by the CA, financial verification of invoices and a compliance audit of the CA. The following weaknesses have been noted in the control framework:

  • Due diligence in the account verification process for the invoices from CA and service providers for detention centres needs to be enhanced;
  • Monitoring of the prior approval process needs to be regularly applied and documented;
  • The QA process for decisions made by the CA needs to be applied consistently and more effectively based on risk; and
  • Attestation needs to be obtained from the CA with regard to the quality control over service providers.

Unless these key control weaknesses are addressed, HMB management’s assurance that payments are made appropriately for the services rendered is limited.

Other opportunities for improvement have also been identified, including the need for enhanced management reporting.

The audit also found that two of the seven recommendations made in the 2004 internal audit of the program were still applicable and action items related to these recommendations were not fully implemented. These recommendations related to updating the program authority and the claims review (QA) process. The present report includes recommendations to address these outstanding issues.

Overall, the IFHP needs to finalize its work regarding various management improvement initiatives, such as the policies or service definitions manual, performance indicators for reporting purposes, and the annual reports for 2007–2008 and subsequent years. The program needs to concentrate on due diligence aspects in particular.

The report provides detailed observations and recommendations. Management responses and an action plan, along with proposed implementation dates for the recommendations, are included.

1.0 Introduction

1.1 General

CIC’s Risk‑Based Audit Plan for 2008–2009 identified the requirement to conduct a follow‑up audit of the IFHP. A previous internal audit of the control framework for the IFHP was conducted in 2004 and seven recommendations were made at that time. The current audit focused on the MCF at NHQ. The examination phase was conducted between February and November 2009.

1.2 Background

1.2.1 Interim Federal Health Program

Scope and Eligibility

The IFHP provides emergency and essential health‑care coverage to eligible people who demonstrate financial need and who do not qualify for provincial or territorial or private health coverage due to their status in Canada. The program provides payment for medically necessary services rendered by licensed medical practitioners, as well as medicines and in‑patient and out‑patient hospital services. Eligible individuals (together with their in‑Canada dependants) fall mainly in the following four groups of recipients:

  • Refugee claimants;
  • Resettled refugees;
  • People detained under the Immigration and Refugee Protection Act; and
  • Victims of human trafficking.

Eligibility is determined at the first point of contact [Note 1] with CIC or the Canada Border Services Agency (CBSA), or as soon as possible thereafter, by assessing the need for health‑care coverage. If eligible, the client is issued a photograph‑bearing certificate for coverage under the IFHP. This certificate is a secure document that contains the claimant’s personal information and photograph. It is produced by CIC for a specified (depending on the case) period of time, and may be renewed if necessary. The certificate is recognized by health‑care providers in all provinces.

Roles and Responsibilities

The eligible individual can access a network of approximately 30,000 medical professionals and institutions across Canada who provide essential medical, dental, vision, pharmaceutical and other related services.

At NHQ, the program is managed by the Health Management Branch. HMB sets policy, provides program oversight and has overall responsibility for the program management. Claims administration is outsourced to a third party which processes and adjudicates claims in accordance with contractual requirements, provides client service to service providers (e.g., medical doctors), distributes program information, verifies client and service eligibility, verifies invoices and issues payments to service providers. The program also has contracts with service providers who offer medical services at the immigration detention centres in Toronto and Montreal. The centres operate under the mandate of the CBSA.

Operationally, the IFHP manager reports to the director of Post‑Arrival Health Management (PAHM) in HMB. Reporting to the IFHP manager are program officers responsible for prior approval adjudication. A senior policy advisor, a program specialist, a manager of accountability and clerical staff also support the program. Centralized Services in HMB provide administrative services to the IFHP, such as the accounting or finance function.

Funding

Funding for the IFHP comes from a special allotment from within the Department's appropriation as provided for by the Financial Administration Act. The following table illustrates the volume of claims processed, the cost of claims and other costs for the last four years.

IFH Program Volume and Costs, 2005–2006 to 2008–2009
  2005–2006 2006–2007 2007–2008 2008–2009
Number of claims1 578,641 540,372 577,786 721,003
Participants2 97,000 95,000 102,000 118,000
Users3 83,000 75,000 87,000 105,000
CA reimbursement for service provider costs $46,672,022 $46,714,018 $52,428,148 $67,789,150
CA administration fees $1,816,533 $1,719,094 $1,704,584 $2,294,670
Detention centres $279,756 $293,145 $274,444 $337,488
International Organization for Migration – Refugees 4 $0 $0 $33,165 $407,229
Grand total $48,768,311 $48,726,257 $54,440,341 $70,828,537
Cost per user $562 $623 $603 $646

Source: Detailed claims information summary maintained by Centralized Services, HMB, and CIC’s Integrated Financial and Materiel System.

Notes:

  1. The total number of participants is the total number of clients who have an eligibility certificate.
  2. The total number of users is the total number of clients who received at least one service during the fiscal year.
  3. The increase in claim volumes and claim costs is attributed to the increased backlog in the processing of refugee claims.
  4. The International Organization of Migration costs are reimbursements for medical screening and vaccine costs for refugees destined for Canada. It is a new practice.

1.2.2 Environmental Context

This section of the report highlights some of the operating environment issues facing the IFHP. They are presented here for information purposes only and are not in any particular order.

Compared to other health insurance programs, the IFHP covers health‑care costs for a relatively small population during a limited period of time, which implies a somewhat high turnover. Despite the limited size of the program, the cost is significant and the program requires management within a framework comparable to that of other health insurance plans.

Until the summer of 2005, the program was managed by one part‑time doctor in CIC who mainly interfaced with the CA, performed limited consultation with some stakeholders and developed some coverage policies. Two clerical staff pre‑approved some services not regularly covered by the policy under the responsibility of this doctor. In the summer of 2005, a manager was appointed to the program. In the summer of 2006, a director was appointed and made responsible for program frameworks and post‑arrival health activities in HMB. The program came under his responsibility. The primary focus was to link with the claims administrator and improve services, as there had been a number of issues related to the CA’s performance.

In addition to the director and the manager, other HMB officers, such as the director of Centralized Services and a statistical analyst, were involved in a limited way with the program activities, such as oversight of payments, Treasury Board Secretariat submissions and data analysis.

Historically, the Branch’s focus has been immigration health, with staff expertise in the management of health screening and public health risk mitigation programs. There is no expertise in insurance management in the Branch.

The IFHP is population driven. Its costs are dependent on the number of individuals covered and their length of stay on the program. In 1999–2000, the program costs were approximately $24M compared to around $71M in 2008–2009.

Meeting this exponential draw on the program created considerable pressure on HMB’s resources. With its very limited capacity (number of resources and competencies), it has been very challenging to perform the essential activities required to update and maintain the IFHP, such as reviewing the authority, ensuring a clear mandate, developing or reviewing coverage policies and operational procedures, and administering a proper QA plan. The fact that a doctor developed the framework and the ongoing lack of policy capacity has resulted in a significant increase in the volume and dedication of resources to the pre‑approval process. It is anticipated that with the new contract, this function, mostly ensured by clerical staff in HMB, will be delegated to the CA

In order to address some of the gaps in the program, and considering the fact that the contract with the CA is up for renewal, the Branch has given priority, in the last year, to the development of detailed specifications for the next contract that will address some of the issues and reduce pressures in HMB due to pre‑approvals and gaps in services. The contracting process is well under way and the Branch has assigned a senior CIC employee to work with the successful bidder to implement all the specifications of the new contract.

Finally, it should be noted that developing the appropriate framework for an insurance program is a complex and specialized business, and HMB will be looking at ways to address this issue. There are several options worthy of consideration. One of them would be the devolution of the program to provincial and territorial public health insurance plans with agreement on a formula to reimburse the costs based on the number of clients, while CIC maintains control for the management of the entry and exit of the clients for the provincial or territorial insurance coverage. Another option is to increase the delegation of responsibilities to the new CA, or to contract to other specialized providers such work as the design of coverage policies. Finally, an option would be a combination of the above, where the provinces could provide the basic OHIP‑like coverage and CIC could purchase extended insurance from already existing providers only for selected groups of clients, such as resettled refugees.

The recent arrival of the new director of post‑arrival health, the arrival of a dedicated senior manager to implement the new CA contract, and the support of the Strategic Policy Branch for the review of the program should provide added capacity to make significant adjustments to the program.

1.3 Audit Objectives

The objective of the audit was to assess the effectiveness of the current management control framework for the Interim Federal Health Program. The audit also assessed the extent to which previous internal audit recommendations had been implemented.

1.4 Audit Criteria

The audit criteria are given in Appendix A by line of enquiry as outlined in the audit scope below. The criteria are based on the applicable elements of the Treasury Board Secretariat’s Management Accountability Framework (MAF) and the CIC Core Management Controls Framework and were provided to HMB at the end of the planning phase.

1.5 Audit Risk Assessment

The audit risk assessment, based on reviews and analysis during the planning phase and taking into account the applicable elements of the Treasury Board Secretariat’s MAF and the CIC Core Management Controls Framework, identified the following key risks:

  • Governance and accountability: There is a risk that governance structures and processes may not be clearly defined and that results and performance are not properly reported.
  • Risk management: There is a risk that critical events that could impact on the delivery of the IFHP have not been identified and appropriately assessed and mitigated.
  • Internal control: There is a risk that due diligence is not exercised when managing contracts with service providers and ensuring compliance with financial and administrative policies and practices.

1.6 Audit Scope

The audit scope consisted of three lines of enquiry: governance, risk management and internal control. The audit was limited to NHQ activities and its scope did not include an examination of:

  • the activities conducted by contractors who provided services to the program; and
  • the process undertaken by CIC and CBSA officers to determine client eligibility and issue eligibility certificates.

For audit testing purposes, a sample selection was made from financial transactions occurring from April 1, 2007, to March 31, 2008.

1.7 Audit Methodology

During the planning phase of the audit, the director of the PAHM, the IFHP manager and key program staff were interviewed in order to determine the significant risks and areas of concern with respect to the IFHP. Upon completion of the planning phase, the audit plan was provided to the director general of the Health Management Branch.

In the examination phase, the audit activities included the following:

  • Analysis of observations from previous internal audits and actions taken;
  • Review of relevant program policies and procedures; contracts with external parties for claims adjudication and health services; and other information;
  • Interviews with key personnel responsible for various aspects of the IFHP at NHQ;
  • Process mapping and analysis; and
  • Audit testing of invoice payment process, QA reports and supporting information as appropriate.

The audit was conducted to be in accordance with the Government of Canada’s Policy on Internal Audit and the Institute of Internal Auditors professional practice standards.

2.0 Audit Conclusions

The audit concludes that while the IFHP has the necessary elements of an adequate MCF, certain key controls are not effectively applied, which diminishes the effectiveness of the MCF.

The MCF includes appropriate governance mechanisms such as the definition of roles, responsibilities and accountabilities, operational plans and communication protocols. There is awareness of key risk areas, but these are not formally assessed. Internal controls comprise the eligibility requirements for clients and services, the requirements for prior approval of certain services, the identification of essential services and approved treatment, adjudication of claims by the CA, the financial verification of invoices and a compliance audit of the CA. The following weaknesses were noted in the control framework over the processing of claims:

  • Due diligence in the account verification process for invoices from the CA and the service providers for detention centres needs to be enhanced;
  • Monitoring over the prior approval process needs to be regularly applied and documented;
  • A QA process for the decisions made by the CA needs to be applied consistently and more effectively based on risk; and
  • Attestation needs to be obtained from the CA with regard to quality control over service providers.

Unless these key control weaknesses are addressed, HMB management’s assurance that payments are made appropriately for the services rendered is limited.

Other opportunities for improvement have also been identified, including the need for enhanced management reporting.

The audit also found that two of the seven recommendations made in the 2004 internal audit of the program were still applicable and action items related to these recommendations were not fully implemented. These recommendations related to updating the program authority and the claims review (QA) process. This report includes recommendations to address these outstanding issues.

Overall, the IFHP needs to finalize its work on various management improvement initiatives, such as the policies manual and the annual reports for 2007–2008 and subsequent years; and concentrate on due diligence aspects in particular.

The detailed observations and recommendations in these areas are discussed in section 3.0 of the report. Management’s response and action plan, along with the proposed implementation dates for the recommendations, are given in Appendix C.

3.0 Observations and Recommendations

3.1 Governance Framework

In assessing the governance and accountability of the IFHP, we expected to find that:

  • Operational plans were in place to achieve departmental objectives with respect to the IFHP.
  • Communication protocols existed for clients, partners, employees and external stakeholders.
  • Accountabilities and responsibilities were clearly defined, delegated and communicated through appropriate policies and guidelines, and these accountabilities and responsibilities were adequately discharged.
  • Processes were in place to establish, maintain and monitor service principles and standards for clients.
  • Management monitored actual performance against planned results and adjusted as required.
  • A QA program was in place to monitor service provider activity, including the results of internal or external audits, on a regular basis and to ensure corrective action as required.
  • The human resources plan was aligned with operational requirements and considered the current and future needs of the program.
  • The criteria and guidance for officers to follow in rendering decisions on prior approvals were documented, clear and concise; and management monitored these decisions and ensured documented evidence thereof.

Overall, the key elements of a governance structure are in place. They include operational plans linked to departmental objectives, appropriate communication protocols and a definition of responsibilities and accountabilities. The program is in the process of developing management tools to further improve the governance framework. However, these tools are not finalized. The details of the work in progress and opportunities for improvement are highlighted below.

Program Authority

The authority that supports the program is a 1957 order‑in‑council (OIC) allowing the Department of Health and Welfare to pay the costs of medical and dental care, hospitalization and any expenses incidental thereto, on behalf of certain immigrants and people subject to immigration jurisdiction, where such individuals lack the financial resources to pay for these expenses.

In 1994, the program was transferred from Health and Welfare Canada (now Health Canada) to Citizenship and Immigration Canada. At that time, a joint CIC/Health Canada project team reviewed the program and made recommendations to enhance program delivery and administration. One of the recommendations was to amend the 1957 OIC to more accurately define the client groups and the extent of health coverage to be provided.

The 2004 CIC internal audit of the program noted that the 1994 recommendation to amend the OIC had not been implemented and recommended that the ADM of Operations renew and update the program authority. In interviews with program management, it was explained to us that a decision had been made by the Branch management not to seek the renewal of the program authority but rather work within the flexibility offered by the 1957 OIC and define the program parameters with policy or service definitions. Program funding is renewed annually through submissions to the Treasury Board.

In our opinion, the program authority under the 1957 OIC is outdated. The vulnerability that exists is the risk of potential misalignment between the intent of the original authority and the evolution of the current program, as well as the future vision for the program. Updating the OIC would assist management and key stakeholders in clearly defining the expectations regarding the scope of services to be covered under the program.

Recommendation 1

The DG of HMB should review the need to update the program authority and obtain departmental senior management approval for the resulting course of action.

Management Response

This recommendation was also made in the audit of the IFHP control framework in 2004. As a result, HMB embarked on a consultation process within CIC. The first step was to develop a robust accountability framework and a definition of benefits. HMB has introduced many elements of this framework since then and made several presentations to the Management Accountability Committee in 2007, 2008 and 2009.

In January 2010, HMB undertook a comprehensive review and analysis of the program authority and consulted within CIC to evaluate the need for the review and the possible options. The review is expected to be completed by June 30, 2010. HMB will seek CIC’s senior management approval for the resulting course of action by September 30, 2010.

Monitoring Results and Performance

The IFHP has defined service standards through the website administered by the claims administrator, the Information Handbook for Health‑Care Providers and CIC’s contract with the claims administrator. The program has made investments in data mining and introduced an expenditure forecasting model in 2008 for budgeting purposes. In 2004, CIC had published the most recent five‑year (1998–2003) report on the IFHP, indicating program expenditures, the number of beneficiaries, service users, claims, etc., for each year. Recently, the IFHP developed an annual report containing information on client population, health‑care providers, claims information and program costs for the fiscal year 2007–2008. The annual report has not been finalized as complete final data on that year’s expenditures were not available as of September 2009. The program has begun developing a performance reporting framework with standardized indicators and capturing information to assess performance. However, this was not finalized at the time of the audit.

We also noted that there was no systematic regular reporting on program activity to the HMB management team. Such reporting through a “dashboard” type of report could provide senior management with key operational information in a timely manner and serve as an important tool to engage them. It could also be used to identify status and results with respect to planned monitoring and follow‑up activities that are part of the overall management control framework.

Recommendation 2

The director of Post‑Arrival Health Management should develop an overall management reporting framework to provide regular and timely reports with appropriate performance indicators to HMB management and external stakeholders. A decision should be reached as to whether and when the annual reports on the IFHP should be issued.

Management Response

HMB agrees with this recommendation. Starting in Q1, 2010–2011, HMB will collaborate with the Operational Management and Coordination (OMC) Branch in its work on developing a performance management framework that provides both periodic operational data as well as a high‑level analysis of trends. The result of this work will be presented to the Business Operations Committee. This framework will be finalized with the new contract for claims administration by December 31, 2010.

Given the transition to a new contract for CA services, incomplete data from 2007–2008, the lack of internal data analysis capacity and the fact that significant time has now elapsed since 2007–2008, HMB has decided not to finalize the 2007–2008 annual report. With regard to future annual reports, HMB is currently clarifying the reporting requirements under the new contract and will be able to decide on how best to report on program performance at the end of the transition period (December 31, 2010).

Accountability and Policies

Generally, we found that accountabilities and responsibilities were defined and understood.

The responsibilities of the claims administrator are defined in the contract, in the procedures manual (also referred to as the CIC training manual) and in other documents (e.g., the Information Handbook for Health‑Care Providers). The responsibilities of the medical service providers in the detention centres are defined in each contract. The responsibilities and accountabilities of the program staff and the reporting relationships are mainly defined in the work descriptions. In 2008, the IFHP developed a new Request for Proposal, with additional requirements relating to client service standards and QA by the CA. The RFP process was concluded in 2009 and the contract with the new CA was signed on December 15, 2009. The transition will take place during 2010.

Under the terms of the contract with the current CA, certain eligible services under the IFHP require prior‑approval from CIC before the CA can reimburse the service provider. Examples of such services include elective surgery, non‑emergency dental services, physiotherapy, certain medications and assistive devices. In such cases, the service provider must fax a request for prior approval to NHQ. The request is reviewed by one of two officers who render decisions on each request. In some cases, the decision is referred to a physician on staff. If the request is approved, the service provider receives an approval document that they, in turn, submit with their claim to the CA for reimbursement. On average, NHQ processes each request within 48 hours.

The IFHP has begun developing policies (also called service definitions) associated with certain treatments. The objective of these policies is to provide sufficient guidance to those involved in the claims adjudication process, especially the CA, so that the need for prior approvals is minimized. The draft policies developed to date do not state who is responsible for authorizing such approvals.

We found that the extent to which prior approval adjudication criteria for decision making is documented, along with guidance for officers, was limited. It was reported to us that in most cases, officers relied on their judgment, based on their experience of making similar decisions over the course of the program.

The lack of defined policies and service definitions for certain treatments to guide adjudication coupled with the lack of clear and concise documented criteria for prior approval create a risk of inconsistency, and affect the transparency of the process. In addition, the absence of explicit accountability with regard to decision making creates the risk that decisions may be made by people that are beyond their authority or competence. Completing the policies and documenting the criteria for prior approval would allow for a more accountable process. It would also facilitate the training of new officers and allow for the retention of corporate memory. The program is aware of these issues and has made it a priority to better define the adjudication decision making criteria and guidelines.

Further, we were informed that management normally reviewed prior approval decisions rendered by staff. However, the evidence of such reviews is not documented.

Recommendation 

The DG of HMB should ensure that:

  • the policies relating to service definitions are completed and that they define the accountabilities for prior approvals;
  • the decision‑making process and criteria for adjudicating prior approval requests are documented; and
  • the process undertaken to systematically review prior approval decisions and the results of such reviews are documented.
Management Response

It should be noted that 98% of claims are processed by the CA without HMB involvement, and this processing is based on benefit policies provided by HMB to the CA and documented in the FAS training manual. HMB agrees that service definitions will improve the adjudication process for the 2% of claims that require prior approval.

Therefore, HMB is presently engaged in documenting IFHP service definitions, decision‑making processes and criteria for prior approvals. In addition, HMB will define the accountabilities for prior approval requests. While this will assist in clarifying the current operating environment, it will be of particular importance for the transition to the new claims administrator contract, so that the systems and procedures developed respect clearly defined policies and support program outcomes.

It should also be noted that in the new contract for CA services, HMB shifted the prior approval process to the contractor, with a requirement for the contractor to provide the services of appropriate health professionals (e.g., physicians, dentists, pharmacists, etc.) during the prior approval process.

Under the terms of the new contract, the CA will be accountable for implementing a QA program for claims processing and payment services, including prior approvals, with performance reports to ensure that the procedures, service levels and process controls are being met. CIC will develop and implement operating procedures and ensure appropriate capacity for reviewing and spot‑checking these reports systematically to confirm that the CAquality assurance program is effective. This will be completed by December 31, 2010.

Quality Assurance

This is covered in section 3.3 below

Planning

The high‑level operational plan for the program forms part of the larger HMB integrated business plan. The IFHP is noted as a separate business activity within the plan, and high‑level priorities (activities) for the IFHP as well as expected results and high‑level performance indicators are noted. More detailed work plans are developed for the IFHP based on priorities, and specific activities are assigned to individuals with deliverables and time frames. We noted that IFHP management did not have a formal human resources plan that was linked to operational requirements and related risks (see 3.2 below).

3.2 Risk Management

In assessing the risk management system in place for the IFHP, we expected to find that:

  • processes were in place to identify, assess, mitigate and monitor risks; and
  • planning and resource allocation considered risk information.

Our interviews indicate that processes are in place to identify, mitigate and monitor risks, but a formal assessment of risks has not been performed. In the past two years, working groups have met to discuss and document the risks faced by the program. Although the risks were documented, the working group discussions did not include an assessment (prioritization) of risks identified nor did it document the mitigation strategies. During interviews, program staff at all levels demonstrated a good awareness of risks and the various mitigation strategies the program is working on implementing. Insufficient evidence was available to demonstrate that planning and resource allocation for the program consider the risk information.

CIC’s Integrated Risk Management Framework outlines management’s responsibility to apply sound risk management processes within their area of responsibility, including assessing and managing risks. The framework also suggests an approach for identifying and analysing risks and developing mitigation strategies. We did not find these types of tools in use within the IFHP. The IFHP has approached the Corporate Affairs Branch for assistance in facilitating a formal risk assessment for the program.

Without a formal risk assessment, there is insufficient assurance that the control framework is up to date and appropriate. An assessment of risks would assist the program in focusing on its priorities as well as determine if appropriate resources are in place to manage the program within acceptable tolerance levels.

Recommendation 4

The IFHP should undertake a formal risk assessment and link it to planning activity and resource allocation decisions.

Management Response

HMB will engage OMC to conduct a formal risk assessment and link it to planning and resource allocation decisions. This will be completed by June 30, 2011. This risk assessment will also be used in the comprehensive review of the program.

3.3 Internal Control

The audit expected to find that:

  • financial and administrative policies and practices complied with legislation, regulations, policies and authorities; and
  • due diligence was exercised while managing contracts with the claims administrator or service providers.

We also expected to find that there would be an appropriate process for terminating the coverage promptly when no longer required.

Overall, we found that while the key controls were in place as part of the control framework, certain key controls were not effectively applied. For example, controls exist with regard to the eligibility of clients and the definition of essential services and approved costs; account verification of service provider and CA invoices; audit and on‑site review of the CA; prior approval adjudication; and monitoring (QA). However, their application was not consistent. Furthermore, the documentation demonstrating their effectiveness was not sufficient. The procedures for terminating client coverage, once they became eligible for other medical coverage, also needed improvement.

Termination Process for Client Eligibility

Client eligibility is documented in CIC’s Field Operational Support System (FOSS). Eligibility information is initially input by the CIC or CBSA officer who assessed the client’s eligibility for the program. Typically, a client is given an eligibility period of one year and extensions are subsequently granted as required. The eligibility information in FOSS is shared with the CA to assess the eligibility of the client prior to reimbursing a claim from a health‑care provider.

Our audit scope did not include the process undertaken by CIC or CBSA officers to determine client eligibility and issue eligibility certificates. However, discussions with program officials indicated that there was a real risk that a client may remain in the program and continue to draw benefits until the expiry of their certificate even if, in the meantime, they have become eligible for provincial health coverage as a result of a decision with respect to their refugee status. Currently, there is no mechanism to promptly terminate IFH eligibility should an individual qualify for medical coverage under another (e.g., provincial) plan. We were informed that the program is considering implementing an “exit strategy” to ensure that clients do not stay in the program longer than necessary.

The costs of the IFHP have increased substantially in the last three years. Without an effective control in place to terminate coverage promptly when it is not required, the program may be absorbing significant health‑care costs that should not be funded by it. One of the concerns associated with a mechanism to terminate coverage is the cost of implementation.

Recommendation 5

The DG of HMB should assess the cost effectiveness of options with regard to the prompt termination of IFH coverage once the client becomes eligible for alternative coverage.

Management Response

Following a cost‑benefit analysis of the options to manage the exit of clients from the program, HMB has put forward an initiative allowing the automatic termination of benefits for refugees no longer eligible due to a change in their immigration status. This option is in the planning stages. The IT capability to achieve this is expected by Q2 of fiscal 2010–2011. Operational implementation will occur after IT capability is achieved, but only after communication has gone out to stakeholders by December 31, 2010.

Invoice Payment Process

An overview of the invoice payment process is provided in Appendix B.

The IFHP receives invoices from two sources: the third‑party CA who adjudicates claims on CIC’s behalf or directly from the two contractors who offer medical services in the detention centres. The invoices are processed by the financial staff in Centralized Services in the Health Management Branch and approved under section 34 of the Financial Administration Act by the director of Post‑Arrival Health Management.

The invoices from the CA contain two parts: the disbursements made by the administrator to health‑care providers, and the administrative fee charged by the CA for the number of claims processed in the month. Supporting the disbursements is a one‑page summary report that provides totals for the cost and claims processed, with a breakdown by province and category of care. We were told that CA processes 20,000 + claims every two weeks. IFHP management has access to the CA’s database, which contains all claims processed and the information that supports the details of the invoice.

The director of the Centralized Services Directorate reported that prior to forwarding the monthly invoices for the disbursements by the CA to service providers to the director of Post‑Arrival Health Management, HMB, for section 34 authorization, her directorate compares the invoiced amounts to a summary of amounts claimed monthly for the previous three years to identify anomalies and explain variances. Unexplained variances are followed up with the CA. This is supplemented, on a post‑payment basis, by having a statistical analyst from HMB extract a summary from the CA database quarterly, which is then compared to the invoiced amounts for that period. Anomalies are followed up with the CA by the director of Centralized Services or her staff.

We tested paid invoices from each of the three suppliers for compliance with CIC financial policies. Random samples were selected on a judgmental basis covering 50% of the paid invoices from each of the suppliers (i.e., 12 of the 24 bi‑weekly invoices from the claims administrator, and 6 of the 12 monthly invoices from each of the detention centres). Our tests included mathematical accuracy, compliance of CA fees and service provider charges with the contract, adequacy of supporting documentation, appropriateness of delegated authority, financial coding, release in SAP (the departmental financial system) and processing within the time frames specified in the contract.

Two issues were noted as follows:

  1. The procedures relating to the verification of invoices from the CA are not documented and there is no evidence on the actual invoices or payment files that the procedures are applied as intended on a regular basis.
  2. The invoices from the contractors who provide medical services in the detention centres relate to hourly fees for medical staff working in these centres. The submission of time sheets is a requirement under the contract for only one of the two centres. Our review of these invoices noted that CIC received no time sheets. Without adequate supporting documents, CIC obtains limited assurance that it is invoiced correctly for the time charged.

Since the expenditures under the IFHP are substantial, it is important to have adequate documentation of the due diligence that is applied in account verification.

Recommendation 6

The director of Post‑Arrival Health Management should ensure that due diligence in account verification is demonstrated by:

  • documenting the account verification procedures and providing a copy thereof to CIC Finance;
  • ensuring that appropriate evidence of the verification process is provided on the payment files, including the information that was examined; and
  • obtaining time sheets, approved by appropriate officials in the field, for the contractors offering medical services in the detention centres.
Management Response

HMB agrees with this recommendation. As of March 31, 2010, HMB will have documented the current account verification procedures and ensured that CIC Finance is in agreement. Also, by June 30, 2010, the director of the PAHM and the director of Centralized Services will formalize a process to ensure that appropriate evidence of the verification process is provided on payment files.

The director of the PAHM intends to initiate a process for detention centre invoices in which the dates and the number of hours for all invoices submitted by the contractors are approved by appropriate detention centre management before arriving at HMB for payment. This will be finalized by June 30, 2010.

Audits and Reviews of Claims Administrator

Audit by Audit Services Canada – March 2008

In the contract with the CA, CIC retains the right to perform audits of the contractor’s accounts and records related to the IFHP. The most recent audit was performed by Audit Services Canada (ASC) on behalf of CIC in early 2008. The objectives of the audit were to provide independent and objective assurance with respect to the following: accounting system and controls; operational system and controls; data management controls; communications; and follow‑up to a previous audit. The report notes that ASC did not conduct a review or an audit of any of the health‑care providers or clients.

The ASCaudit report concluded that, based on the audit work performed, the claims administrator has generally complied with the requirements of the contract. The audit also indicated that the amount paid by the contractor to health‑care providers reconciled to the amount reimbursed by CIC to the contractor for the period April 1, 2006, to March 31, 2007.

While this audit provides added assurance to HMB management, it should not be considered a substitute for proper account verification of invoices before payment.

CIC Review – February 2009

In August 2008, the CA changed the system for claims adjudication. This created a backlog of claims for adjudication by the CA. In February 2009, a team from CIC performed a site visit at the contractor’s facility in Edmonton. The objective of the site visit was to verify the claim volumes and increase CIC’s level of comfort with the progress in reducing the backlog of claims, and with the reliability of financial reports and the accuracy of invoicing that CIC had been receiving since August 18, 2008. The team from CIC was composed of the IFHP director, the IFHP senior policy analyst and a financial management advisor from the CIC Finance Branch. A briefing document was prepared by the IFHP director.

The CIC team concluded that the internal controls of the CA were well established and no material errors were noted as a result of reviewing invoices and supporting documents. An action plan was put in place to address various other minor issues raised by the team.

Quality Assurance

The 2004 audit noted that the program had an informal QA review process for the claims adjudicated by the third‑party CA. A recommendation was made that the review process be documented along with the results of the review.

We found the current process was documented. It is intended to be applied on a monthly basis, but that was not consistently done.

The program has documented standard operating procedures with respect to the monthly review of claims adjudicated by the CA. The procedures spell out the purpose of the monthly QA, the responsibilities of the various parties, the sampling methodology as well as the detailed steps to be undertaken to perform the monthly testing of claims.

The QA process was formally implemented in early 2008 and monthly QA testing was performed for the transactions covering the six‑month period of February to July 2008. In August 2008, there was a change in the CA’s information system which resulted in a major backlog of claims to adjudicate, which became a priority for the program. Thus, the QA process was suspended. To mitigate the risk, IFH management conducted a site visit to the contractor in February 2009 (see above). We were informed that the monthly QA process resumed in April 2009.

We assessed the QA reports prepared for the six‑month period and randomly selected 30 claims for review out of 120 claims reviewed by the program. Our observations are as follows:

  • The review of the six‑month period (February to July 2008) was not performed on a timely basis. The claims were not reviewed until October 2008.
  • The staff responsible for performing the QA did not have access to appropriate information such as fee schedules and medical service coding to ensure that the reimbursement process was being carried out appropriately by the contractor.
  • Monthly reports did not note any significant findings. The average monthly sample was 20 out of approximately 44,000 claims. The sample size was not determined on a statistical sampling basis and thus may not be sufficient to provide information on the contractor’s compliance. Given the limited resources available and the large number of claims, the program should consider either a risk‑based or a statistical approach to quality assurance. For example, it was reported that in 2007–2008, 10% of service providers were responsible for 85% of the total value of claims and 75% of the total number of claims. This type of information can be used to perform a more in‑depth risk‑based analysis of some of these high‑volume service providers.

Moreover, the CIC contract with the current CA requires the contractor to have a QA system in place whereby the contractor will monitor health‑care providers on an ongoing basis to detect and deal with billing irregularities, including fraudulent or redundant claims, and to contact CIC should there be any indication of impropriety by the service provider. During our interviews with IFHP staff, there was no indication that the CA was performing this quality assurance in a diligent manner.

Recommendation 7

The director of Post‑Arrival Health Management should ensure that:

  • quality assurance over claims processing is consistently performed by CIC on a timely basis and by suitably qualified staff;
  • a risk‑based or statistical approach is considered for the QA review; and
  • attestation is obtained from the claims administrator that they are conducting their QA activities with respect to service providers in a diligent manner as required by the contract.

Management Response

HMB agrees with this recommendation

  • Starting April 1, 2010, CIC will develop and implement monthly sampling procedures and ensure appropriate capacity to review and spot‑check random claims to systematically confirm the quality and reliability of claims processed and adjudicated.
  • CIC will develop a methodology that is risk‑based to choose its monthly claims samples. CIC will work with the new CA to determine the areas of risk and will develop its sampling approach taking these risks into considerations.
  • The new contract includes a requirement for a period report on the QA program. CIC will ask the CA to include an attestation that QA activities are conducted in a diligent manner.

Notes

Appendix A: Audit Criteria

Governance processes

Governance and Strategic Direction

  • Operational plans are in place to achieve departmental objectives with respect to the IFHP.
  • Communication protocols exist for clients, partners, employees and external stakeholders.

Accountability

  • Accountabilities and responsibilities are clearly defined, delegated and communicated through appropriate policies and guidelines and these accountabilities and responsibilities are adequately discharged.

Client‑Focused Service

  • Processes are in place to establish, maintain and monitor service principles and standards for clients.

Monitoring Results and Performance

  • Management monitors actual performance against planned results and adjusts as required.
  • A QA program is in place to monitor service provider activity, including results of internal or external audits, on a regular basis and corrective action as required.

People/Human Resources

  • A human resources plan is aligned with operational requirements and considers the current and future needs of the program.

Risk Management

Risk Management

  • Processes are in place to identify, assess, mitigate and monitor risks.
  • Planning and resource allocation considers risk information.

Internal Control

Stewardship

  • Financial and administrative policies and practices are compliant with legislation, regulations, policies and authorities.
  • Due diligence is exercised while managing contracts with service providers.

Source of Audit Criteria: The audit criteria are based on the applicable elements of the Treasury Board Secretariat’s Management Accountability Framework and the CIC Core Management Controls Framework.

Appendix B: Payment Process – Overview of Activities and Key Controls

Activity: IFHP card issued to client

  • Key Controls ‑ Active: CIC/ CBSA officer validates eligibility
  • Key Controls ‑ Passive: Eligibility criteria in CIC manuals
  • Audit Scope: Excluded

Activity: Participant obtains essential health‑care services from service provider  

  • Key Controls ‑ Active: Service provider checks IFHP card with photo ID and records number
  • Key Controls ‑ Passive: Information Handbook for service providers (including service standards) CA website and Call Centre
  • Audit Scope: Excluded

Activity: Service provider submits a request for prior approval

  • Key Controls ‑ Active: Authorization by HMB
  • Key Controls ‑ Passive: Fee guidelines Service definitions
  • Audit Scope: Included

Activity: Service provider submits a claim to claims administrator (CA)

  • Key Controls ‑ Active: Claims review and adjudication by CA IFH eligibility verified with FOSS by CA
  • Key Controls ‑ Passive: Guidelines (training manual) CIC contract with CA (including service standards)
  • Audit Scope: Included

Activity: CA submits invoice or claims to CIC‑reimbursement for service provider payments‑processing fee

  • Key Controls ‑ Active: CIC Section 34
    • verification of invoice and supporting information by Centralized Services, HMB
    • authorization by director, Program Management and Control
    • Periodic site visit by IFHP
    • Periodic compliance audit of service provider
  • Key Controls ‑ Passive: Contract with CA CIC financial policies
  • Audit Scope: Included

Activity: Detention centre service provider submits invoice and claims to CIC

  • Key Controls ‑ Active: CIC Section 34 verification
    • verification of invoice and supporting information by Centralized Services, Medical Services Branch
    • authorization by director, Program Management and Control
  • Key Controls ‑ Passive: Contracts with service providers for detention centres
    CIC financial policies
  • Audit Scope: Included

Activity: CIC payment of claims

  • Key Controls ‑ Active: CIC Section 33 by Finance
  • Key Controls ‑ Passive: CIC financial policies
  • Audit Scope: Included

Activity: Termination of coverage

  • Key Controls ‑ Active: Immediate cancellation if no longer eligible
  • Key Controls ‑ Passive: Eligibility criteria Certificate expiry date
  • Audit Scope: Included

Appendix C: Management Action Plan

Recommendation 1: The DG of HMB should review the need to update the program authority and obtain departmental senior management approval for the resulting course of action.

  • Action Plan:
    • This recommendation was also made in the audit of the IFH program control framework in 2004. As a result, HMB embarked on a consultation process within CIC. The first step was to develop a robust accountability framework and a definition of benefits. HMB has introduced many elements of this framework since then and made several presentations to the Management Accountability Committee in 2007, 2008 and 2009.
    • HMB undertakes to conduct a comprehensive review and analysis of the program authority and consult within CIC to evaluate the need for the review and the possible options. It will seek CIC’s senior management approval for the resulting course of action.
  • Responsibility:
    • Director, PAHM
    • Director, IHFP Transition
  • Target Date:
    • The review started in January 2010 and is to be completed by June 30, 2010.
    • Approval by September 30, 2010.

Recommendation 2: The director of Post‑Arrival Health Management should develop an overall management reporting framework to provide regular and timely reports with appropriate performance indicators to HMB management and external stakeholders. A decision should be reached as to whether and when the annual reports on the IFHP should be issued.

  • Action Plan:
    • HMB agrees with this recommendation. HMB will collaborate with the Operational Management and Coordination (OMC) Branch in its work on developing a performance management framework that provides both periodic operational data as well as a high‑level analysis of trends. The result of this work will be presented to the Business Operations Committee. This framework will be finalized with the new contract for claims administration.
    • Given the transition to a new contract for CA services, incomplete data from 2007–2008, the lack of internal data analysis capacity and the fact that significant time has now elapsed since 2007–2008, HMB has decided not to finalize the 2007–2008 annual report. With regard to future annual reports, HMB is currently clarifying the reporting requirements under the new contract and will be able to decide on how best to report on program performance at the end of the transition period.
  • Responsibility
    • Director, PAHM
    • Manager of  Planning and Accountability
  • Target Date:
    • To start in Q1, 2010–2011 and be finalized by December 31, 2010.
    • To be finalized by the end of the transition period to a new contract for CAservices. (December 31, 2010)

Recommendation 3: The DG of HMB should ensure that:

  • the policies relating to service definitions are completed and that they define the accountabilities for prior approvals;
  • the decision‑making process and criteria for adjudicating prior approval requests are documented; and
  • the process undertaken to systematically review prior approval decisions and the results of such reviews are documented.
  • Action Plan:
    • It should be noted that 98% of claims are processed by the claims administrator without HMB involvement, and this processing is based on benefit policies provided by HMB to the CA and documented in the FAS training manual. HMB agrees that service definitions will improve the adjudication process for the 2% of claims that require prior approval.
      Therefore, HMB is presently engaged in documenting IFHP service definitions, decision‑making processes and criteria for prior approvals. In addition, HMB will define the accountabilities for prior approval requests. While this will assist in clarifying the current operating environment, it will be of particular importance for the transition to the new claims administrator contract, so that the systems and procedures developed respect clearly defined policies and support program outcomes.
    • Under the terms of the new contract, the CA will be accountable for implementing a QA program for claims processing and payment services, including prior approvals, with performance reports to ensure that the procedures, service levels and process controls are being met. CIC will develop and implement operating procedures and ensure appropriate capacity for reviewing and spot‑checking these reports systematically to confirm that the CA quality assurance program is effective.
  • Responsibility
    • Director, IFHP Transition
    • Director, PAHM
  • Target Date:
    • For all three items, commenced in November  2009, the target date of completion before the end of the transition period (December 31, 2010)

Recommendation 4: The IFHP should undertake a formal risk assessment and link it to planning activity and resource allocation decisions.

  • Action Plan: HMB will engage OMC to conduct a formal risk assessment and link it to planning and resource allocation decisions. This risk assessment will also be used in the comprehensive review of the program.
  • Responsibility: Manager, Planning and Accountability
  • Target Date: By the end of Q1, 2011–2012 (June 30, 2011)

Recommendation 5: The DG of HMB should assess the cost effectiveness of options with regard to the prompt termination of IFH coverage once the client becomes eligible for alternative coverage.

  • Action Plan: Following a cost‑benefit analysis of the options to manage the exit of clients from the program, HMB has put forward an initiative allowing the automatic termination of benefits for refugees no longer eligible due to a change in their immigration status. This option is in the planning stages. The IT capability to achieve this is expected by Q2 of fiscal 2010–2011. Operational implementation will occur after IT capability is achieved, but only after communication has gone out to stakeholders.
  • Responsibility:
    • Director, IFHP Transition
    • Director, PAHM
  • Target Date: By end of Q3, 2010–2011 (December 31, 2010)

Recommendation 6: The director of Post‑Arrival Health Management should ensure that due diligence in account verification is demonstrated by:

  • Documenting the account verification procedures and providing a copy thereof to CIC Finance;
  • Ensuring that appropriate evidence of the verification process is provided on the payment files, including the information that was examined; and
  • Obtaining time sheets, approved by appropriate officials in the field, for the contractors offering medical services in the detention centres.
  • Action Plan: HMB agrees with this recommendation.
    • HMB will document the current account verification procedures and ensure that CIC Finance is in agreement.
    • The director of the PAHM and the director of Centralized Services will formalize a process to ensure that appropriate evidence of the verification process is provided on payment files.
    • The director of the PAHM intends to initiate a process for detention centre invoices in which the dates and the number of hours for all invoices submitted by the contractors are approved by appropriate detention centre management before arriving at HMB for payment.
  • Responsibility:
    • Director, PAHM
    • Director, Centralized Services
  • Target Date:
    • By March 31, 2010.
    • To be implemented by June 30, 2010.

Recommendation 7: The director of Post‑Arrival Health Management should ensure that:

  • quality assurance over claims processing is consistently performed by CIC on a timely basis and by suitably qualified staff;
  • a risk‑based or statistical approach is considered for the QA review; and
  • attestation is obtained from the claims administrator that they are conducting their QA activities with respect to service providers in a diligent manner as required by the contract.
  • Action Plan: HMB agrees with this recommendation.
    • CIC will develop and implement monthly sampling procedures and ensure appropriate capacity to review and spot‑check random claims to systematically confirm the quality and reliability of claims processed and adjudicated.
    • CIC will develop a methodology that is risk‑based to choose its monthly claims samples. CIC will work with the new CA to determine the areas of risk and will develop its sampling approach taking these risks into considerations.
    • The new contract includes a requirement for a period report on the QA program. CIC will ask the CA to include an attestation that QA activities are conducted in a diligent manner
  • Responsibility:
    • Director, PAHM
    • Director, IFHP Transition
  • Target Date:
    • To start April 1, 2010.
    • Start date to be deter‑mined in collaboration with the new CA.

Appendix D: Audit Time Line

Audit planning: October 2008 – January 2009

On‑site examination: February–November 2009

Clearance draft to management: December 2009

Management action plan finalized: March 2010

Recommended for approval by Audit Committee: May 6, 2010

Approved by the DM: May 6, 2010