This page, Audit of the Division of Insurance Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Division of Insurance Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Division of Insurance

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of certain activities of the Division of Insurance (DOI) for the period July 1, 2016 through June 30, 2018. We expanded our audit period for the audit objective related to DOI’s operations assessments to July 1, 2013 through June 30, 2018.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

| Objective | Conclusion |
|---|---|
| 1. Does DOI properly administer its operations assessment process? | No; see Finding 1 |
| 2. Does DOI properly administer its market conduct analysis of Massachusetts licensed insurers? | Yes |

To achieve our objectives, we gained an understanding of the internal controls related to our audit objectives by reviewing applicable laws and agency policies and procedures, as well as conducting interviews with DOI management. We evaluated the design and tested the operating effectiveness of controls over DOI’s market conduct analysis of licensed insurers in the state.

Data Reliability

In 2018, OSA performed a data reliability assessment of the Commonwealth’s Massachusetts Management Accounting and Reporting System (MMARS) that focused on testing selected system controls (access controls, application controls, configuration management, contingency planning, and segregation of duties) for the period April 1, 2017 through March 31, 2018. In conjunction with this work, we tested security management controls at DOI during the audit period to assess security awareness training and personnel screening.

We performed validity and integrity tests on the MMARS data, including (1) scanning for duplicate entries, (2) looking for dates outside the audit period, and (3) testing for blank fields.

We then compared the MMARS data to DOI’s original invoices to determine the accuracy of the records. We judgmentally selected 30 transactions from MMARS and determined whether the information from MMARS matched the original invoices. Next, we judgmentally selected a sample of 30 original invoices from DOI’s files and traced the information on the invoices to the data in MMARS.

We inspected an Excel workbook DOI provided to us that contained a list of insurers that received operations assessments in fiscal years 2014 through 2018. We examined this workbook and tested for macros, hidden rows and columns, and hidden worksheets. We performed additional validity and integrity tests, including (1) checking total amounts against agency totals, (2) testing for missing records or missing values in key data elements, (3) scanning for duplicate entries, (4) verifying fields to detect any data validity errors, and (5) testing for values outside a designated range.

We requested documents related to the market conduct analysis that DOI performed on insurers it regulated during the audit period. To test the accuracy and completeness of these documents, we met with DOI officials and a third-party consultant to verify that we had received all documents for market conduct analyses performed during the audit period.

Based on the results of these data reliability assessment procedures, we determined that the information obtained for our audit period was sufficiently reliable for the purposes of our audit work.

Operations Assessments

To determine whether DOI properly administered its operations assessment process, we reviewed all applicable authoritative requirements for this process (Section 8C of Chapter 26 of the General Laws, DOI’s policies and procedures, and DOI’s annual budget appropriations). Then, for 100% of the insurers listed on DOI’s operations assessment Excel workbook, we reviewed all the invoices related to these assessments to determine whether all insurers that were required to receive operations assessments did so and whether the amounts of the fees were accurately calculated.

Market Conduct

To determine whether DOI properly administered its market conduct analysis of Massachusetts licensed insurers in accordance with Section 4(3) of Chapter 175 of the General Laws and with the National Association of Insurance Commissioners’ Market Regulation Handbook, we selected 100% of insurers that received a market conduct analysis from DOI during the audit period.

We reviewed DOI’s market conduct analysis and determined whether DOI performed a baseline analysis of all insurers identified as outliers. For the purpose of this audit, a baseline analysis is a review performed by DOI’s Market Conduct Team to determine whether insurers identified as outliers require further examination. Based on this review, we examined whether DOI then performed either a level 1 analysis (an evaluation of an insurer to determine whether it can sufficiently explain why it was an outlier) or an interrogatory review (an evaluation of answers to interview questions that DOI has sent to an insurer to determine its compliance with state or federal laws) and whether this was evidenced by a letter from DOI to the outlier insurer detailing the type of review.

Date published: August 21, 2019
