Offered by: Office of the State Auditor

Audit of the Commonwealth Health Insurance Connector Authority Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Commonwealth Health Insurance Connector Authority.


Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Commonwealth Health Insurance Connector Authority (Connector) for the period July 1, 2021 through June 30, 2023.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objective 1: Did the Connector conduct eligibility requirement tests to ensure that all applicants receiving benefits met the criteria established by Sections 12.05 and 12.06 of Title 956 of the Code of Massachusetts Regulations?
Conclusion: Yes

Objective 2: Did the Connector have policies and procedures to process complaints, and did it document the actions taken to resolve the complaints it received?
Conclusion: No; see Finding 1

Objective 3: Did the Connector provide cybersecurity awareness training to its employees in accordance with Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010?
Conclusion: Yes

To accomplish our audit objectives, we gained an understanding of the aspects of the Connector’s internal control environment relevant to our objectives by reviewing applicable policies and procedures and by interviewing staff members and management. In addition, to obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.

Connector Enrollment

To determine whether the Connector conducted eligibility requirement testing to ensure that all enrollees receiving benefits met the criteria established by Sections 12.05 and 12.06 of Title 956 of the Code of Massachusetts Regulations, we took a number of actions. Using a 95% confidence level,[6] a 0% expected error rate,[7] and a 5% tolerable error rate,[8] we selected a random, statistical[9] sample of 60 people who were enrolled during the audit period out of a total population of 601,854.[10] For our sample, we examined each application to determine the following:

  • whether the Connector verified (1) each enrollee’s income as a percentage of the federal poverty level and (2) that the income matched the information with both the Massachusetts Department of Revenue and the US Internal Revenue Service;
  • whether the Connector verified that each enrollee was not eligible for Medicare or Medicaid;
  • whether the Connector verified that each enrollee was a Massachusetts resident by ensuring that the corresponding address matched with LexisNexis or the US Postal Service;
  • whether the Connector verified that each enrollee’s Social Security number matched US Social Security Administration records; and
  • whether the Connector verified (1) that each enrollee met the criteria based on their immigration status and (2) whether the enrollee was incarcerated by obtaining information from the US Department of Homeland Security.

Based on the test results, we determined that the Connector conducts eligibility requirement tests to ensure that applicants receiving benefits meet the criteria established by Sections 12.05 and 12.06 of Title 956 of the Code of Massachusetts Regulations. No exceptions were noted in our sample selected for testing. Because we utilized statistical analysis, there is a 95% likelihood that the results of this sample accurately represent the experience of the entire population. 
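The sampling parameters above (95% confidence, 0% expected error rate, 5% tolerable error rate; see notes 6 through 9) fix the sample size and what a zero-exception result lets the auditor conclude. The following added example, which is not part of the audit report, works through the attribute-sampling arithmetic behind those parameters: it computes the minimum sample size for a zero-expected-error plan, then the upper confidence bound on the population error rate given the exceptions actually observed. It uses the binomial model; for a population of 601,854 and a sample of 60 the finite-population (hypergeometric) correction is negligible. The function names are the example's own.

```python
import math


def binom_cdf(k, n, p):
    """P[X <= k] for X ~ Binomial(n, p): probability of k or fewer errors in n items."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_errors=0):
    """Smallest n such that a population erring at tolerable_rate would yield
    expected_errors or fewer exceptions with probability at most 1 - confidence.
    With expected_errors=0 this is the classic n = ceil(ln(1-CL) / ln(1-TER))."""
    n = expected_errors + 1
    while binom_cdf(expected_errors, n, tolerable_rate) > 1 - confidence:
        n += 1
    return n


def upper_error_bound(errors, n, confidence):
    """One-sided upper confidence bound on the population error rate given `errors`
    exceptions in a sample of n (exact binomial, Clopper-Pearson style), by bisection."""
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 60 halvings give precision far beyond what is needed
        mid = (lo + hi) / 2
        if binom_cdf(errors, n, mid) > 1 - confidence:
            lo = mid  # this rate is still consistent with what was observed
        else:
            hi = mid
    return hi


def sample_supports_objective(errors, n, confidence, tolerable_rate):
    """True when the observed exceptions let the auditor conclude, at the stated
    confidence, that the population error rate does not exceed tolerable_rate."""
    return upper_error_bound(errors, n, confidence) <= tolerable_rate


if __name__ == "__main__":
    # Parameters used on the page: 95% confidence, 0% expected errors, 5% tolerable.
    print(attribute_sample_size(0.95, 0.05))  # 59; the audit's sample of 60 exceeds this
    print(round(upper_error_bound(0, 60, 0.95), 4))  # 0.0487, i.e. under the 5% tolerable rate
    print(sample_supports_objective(0, 60, 0.95, 0.05))  # True: zero exceptions in 60 suffice
    print(sample_supports_objective(1, 60, 0.95, 0.05))  # False: one exception would breach 5%
```

The last two lines are the practical point of the plan: with an expected error rate of 0%, a single exception in the 60-item sample would push the 95% upper bound above the 5% tolerable rate, so the auditor would have to extend the sample or report the exception rather than conclude the objective was met.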

Connector’s Complaint/Issue Process

To determine whether the Connector had policies and procedures in place to process complaints and documented the actions taken to resolve these complaints, we inquired with management regarding the process used and created a flowchart to document our understanding of the process.

Connector management informed us that they do not track all complaints, only those that rise to the level of privacy and security incidents. As a result, we concluded that the Connector does not have a complaint log that would serve as documentation of complaints received. See Finding 1.

Cybersecurity Awareness Training

To determine whether the Connector provided initial and annual cybersecurity awareness training to its employees, as required by Sections 6.2.3 and 6.2.4 of the EOTSS’s Information Security Risk Management Standard IS.010, we obtained a list of Connector employees who were employed by the Connector as of June 30, 2023. This list included 79 active, 37 terminated, and 33 newly hired employees. Using this list, we took the following actions:

  • We selected a random, nonstatistical sample of 20 active and terminated employees from the list to verify that each had taken their annual cybersecurity awareness training as required by Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.
  • From the employees newly hired during the audit period, we selected a random, nonstatistical sample of 10 to verify that each signed their certification within 30 days, as required by Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010.

Based on the test results, we determined that the Connector provides cybersecurity awareness training to its employees in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010. No exceptions were noted.

Data Reliability Assessment

The Connector’s Enrollees

To determine the reliability of the list of the 601,854 enrollees that we obtained from the Connector’s system[11] that were approved to enroll for health insurance during the audit period, we interviewed officials who were knowledgeable about the data. We reviewed System and Organization Control reports[12] that covered the audit period and ensured that an independent auditor had performed certain information system control tests. We also tested the enrollee data for any worksheet errors (e.g., hidden objects such as rows, headers, and other content). To confirm the accuracy of the enrollee data in the Massachusetts Health Insurance Exchange and Integrated Eligibility System, we selected a random sample of 20 enrollees from the list and compared the information in the data (i.e., member identification number, reference identification number, and gender) to source documents to ensure that the information was accurate.

Cybersecurity Awareness Training

To determine the reliability of the lists provided by the Connector of employees who were, during the audit period, active, newly hired, and/or terminated, we checked the spreadsheet for duplicate records, identified any employees whom the Connector hired during the audit period, and confirmed whether employment start dates and/or termination dates were within the audit period. We also reconciled the entire population of active Connector employee records in the list to payroll summary data that we extracted from the Office of the Comptroller of the Commonwealth’s CTHRU database[13] and the cybersecurity awareness training systems that the Connector used during the audit period. We took a sample of 10 newly hired employees out of the 33 and determined whether the Connector’s Human Resources Department issued a System Access Request to the authority’s Information Technology Department, granting each newly hired employee access to the system after completion of the cybersecurity awareness training.

Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained was sufficiently reliable for the purposes of our audit.
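The employee-list reliability checks described above (duplicate records, hire and termination dates inside the audit period, and reconciliation of the list against payroll and the training system) are the kind of test that is easy to script once the extracts are in hand. The following added example is not part of the audit and uses constructed records rather than Connector data; the employee IDs, the payroll and training rosters, and the record layout are all hypothetical stand-ins for the CTHRU payroll extract and the training-system roster the audit used.

```python
from datetime import date

# Audit period stated on the page: July 1, 2021 through June 30, 2023.
AUDIT_START = date(2021, 7, 1)
AUDIT_END = date(2023, 6, 30)

# Constructed employee list (hypothetical records, not Connector data).
# status is one of: active, new_hire, terminated. Missing dates are None.
EMPLOYEE_LIST = [
    {"id": "E001", "status": "active",     "start": date(2015, 3, 2),  "end": None},
    {"id": "E002", "status": "new_hire",   "start": date(2022, 1, 10), "end": None},
    {"id": "E003", "status": "new_hire",   "start": date(2019, 5, 6),  "end": None},  # hired before the period
    {"id": "E004", "status": "terminated", "start": date(2010, 9, 1),  "end": date(2022, 11, 30)},
    {"id": "E005", "status": "terminated", "start": date(2012, 2, 1),  "end": date(2023, 9, 15)},  # left after the period
    {"id": "E002", "status": "new_hire",   "start": date(2022, 1, 10), "end": None},  # duplicate row
]

# Constructed reference sources: a payroll extract and the training-system roster.
PAYROLL_IDS = {"E001", "E002", "E003", "E004", "E005"}
TRAINING_IDS = {"E001", "E002", "E004", "E005"}


def find_duplicates(records):
    """IDs that appear more than once in the list (each repeat reported once)."""
    seen, dups = set(), []
    for r in records:
        if r["id"] in seen and r["id"] not in dups:
            dups.append(r["id"])
        seen.add(r["id"])
    return dups


def in_period(d):
    return d is not None and AUDIT_START <= d <= AUDIT_END


def date_exceptions(records):
    """Records whose classification is not supported by their dates."""
    out = []
    for r in records:
        if r["status"] == "new_hire" and not in_period(r["start"]):
            out.append((r["id"], "new-hire start date outside audit period"))
        if r["status"] == "terminated" and not in_period(r["end"]):
            out.append((r["id"], "termination date outside audit period"))
    return out


def unreconciled(records, reference_ids):
    """IDs on the employee list that the reference source does not contain."""
    return sorted({r["id"] for r in records} - reference_ids)


def assess(records, payroll_ids, training_ids):
    """Run every reliability check and return the exceptions for the working papers."""
    return {
        "duplicates": find_duplicates(records),
        "date_exceptions": date_exceptions(records),
        "missing_from_payroll": unreconciled(records, payroll_ids),
        "missing_from_training": unreconciled(records, training_ids),
    }


if __name__ == "__main__":
    for check, result in assess(EMPLOYEE_LIST, PAYROLL_IDS, TRAINING_IDS).items():
        print(f"{check}: {result}")
```

Each exception the script reports is a question to resolve with the auditee before the list is used for sampling: a duplicate inflates the population, a new hire dated before the period belongs in a different stratum, and an employee absent from the training roster either never completed training or is evidence that the roster itself is incomplete.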

[6] Confidence level is a mathematically based measure of the auditor’s assurance that the sample results (statistic) are representative of the population (parameter), expressed as a percentage. A 95% confidence level means that 95 out of 100 times, the statistics accurately represent the larger population.

[7] Expected error rate is the number of errors that are expected in the population, expressed as a percentage. It is based on the auditor’s knowledge of factors such as prior audit results, the understanding of controls gained in planning, or a probe sample. In this case, we are assuming there are no errors in the data provided to us by the auditee.

[8] The tolerable error rate (which is expressed as a percentage) is the maximum error in the population that is acceptable while still using the sample to conclude that the results from the sample have achieved the objective.

[9] Auditors use statistical sampling to select items for audit testing when a population is large (usually over 1,000) and contains similar items. Auditors generally use a statistics software program to choose a random sample when statistical sampling is used. The results of testing using statistical sampling, unlike those from judgmental sampling, can usually be used to make conclusions or projections about entire populations.

[10] As stated above, there were 387,255 distinct enrollees during our audit period. Some of these distinct enrollees enrolled in more than one year of coverage during the two-year audit period, resulting in a population of 601,854 enrollments.

[11] The Connector utilized the Massachusetts Health Insurance Exchange and Integrated Eligibility system to process eligibility.

[12] A System and Organization Control report is a report on controls, issued by an independent contractor, about a service organization’s systems relevant to security, availability, processing integrity, confidentiality, or privacy.

[13] According to the Office of the Comptroller of the Commonwealth’s website, “CTHRU is an innovative open records platform . . . that offers transparency into the finances and payroll of the Commonwealth of Massachusetts. CTHRU provides users with an intuitive experience for exploring how and where public money is utilized.”

Date published: December 23, 2024
