Connecting the Dots: Periodic Audit Requirement – Financial Data

Uncertainties and Expectations

In May 2016, the Centers for Medicare & Medicaid Services (CMS) created the Medicaid and CHIP final rule that modernized Medicaid managed care regulations. The rule established new requirements for states’ managed care programs and operations, essentially strengthening oversight of both. The rule outlines specific state responsibilities regarding program integrity safeguards including the requirement for periodic audits of managed care plan (MCP) data. 42 Code of Federal Regulations (CFR) § 438.602(e), requires states must periodically, but no less frequently than once every three years, conduct an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCP. To ensure compliance, the Office of Management and Budget State-Level Single Audit compliance supplement added the requirement for states to verify these audits are performed in the July 2021 supplement.

States have struggled to determine what MCP “financial data” entails as the 2016 rule did not define the “financial data” that must be included in the periodic audits. Although select states began to contract for the performance of MLR audits to comply with the rule, other states struggled to determine their obligations related to MCP MLR reporting. In a September 2022 report, the U.S. Health and Human Services – Office of Inspector General found some states expressed uncertainties regarding their obligations for ensuring proper oversight and monitoring of the “completeness and accuracy of MLR data.” In response on September 30, 2024, the Centers for Medicare & Medicaid Services (CMS) released its most recent Medicaid technical assistance toolkit related to medical loss ratio (MLR) reporting, which clearly outlines expectations.

The MLR toolkit confirms that all states –as a part of their managed care financial oversight responsibilities—must conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data, including MLR financial information, submitted by the MCPs at least once every three years, as required under 42 CFR §438.602(e). MLR information, including non-claims costs, is part of overall financial data that should be included in the independent audit. The performance of the MLR audit as well as an administrative expense review, or non-claims cost review, is one way states can satisfy the periodic independent audit requirement.

CMS Clarifies Reporting of Non-claims Costs

Non-claims costs — defined as expenses for administrative services — are often missing from MCP MLR reports and represented most of the Office of Inspector General’s “Incomplete MLR reports” finding. As CMS states in its toolkit:

“Non-claims costs—defined as expenses for administrative services—are often missing from MCP MLR reports. Unreported non-claims costs limit states’ abilities to monitor that MCPs are properly excluding administrative expenses from spending on health care services for enrollees. It is important that states review MCP administrative expenses even though non-claims costs are not a required line item in the annual MLR summary report states submit to CMS. Specifying the non-claims costs with the level of detail in the line items described below helps states validate the accuracy of the reported MLR numerator and helps actuaries set the non-benefit administrative load for capitation rate setting.”

Uses – and Benefits – of Data…and Audits

CMS specifies in the toolkit that MLR audits must follow generally accepted auditing standards, and recognizes these audits are typically conducted by certified public accountants (CPAs). It is important for states to comply. Here are three reasons why.

1. Requirements. First and most importantly, it is necessary. As the toolkit states, “The requirement to review and validate MLR information is part of the state’s monitoring system specified in federal regulation at 42 CFR § 438.66(b)(5).”

Federal agencies are monitoring states’ compliance with these requirements. CMS is doing so based on 42 CFR § 438.66(e) stipulating submission of the Managed Care Program Annual Report (MCPAR), which holds states accountable for compliance with this periodic audit requirement. The MCPAR requires states to disclose MCP MLR percentages and the location of the audit results on their official websites. Additionally the Office of Management and Budget monitors compliance through its issued guidance under the Single Audit Act.

2. Monitoring and Rebates. Monitoring and Rebates. States may elect to mandate a minimum MLR with associated rebates. MCPs that fall short of any mandated minimum might owe a rebate. Additionally, many states have alternative requirements in place resulting in monies owed to/from the state and that are impacted by MLR components, such as risk corridors, risk shares, underwriting gain maximums, etc. An accurate MLR is essential to capturing the amount owed to the state (and federal government), ensuring money is not left on the table.

Additionally, an MLR examination provides states with a host of information about MCP activities and performance, resulting in increased transparency that informs state decisions, assists in benchmarking MCPs against each other, assists in trending data for the same MCP over multiple years, and can highlight opportunities to strengthen contractual requirements or other supplemental guidance for MLR reporting.

3. Rates. Financial data helps inform capitation rate setting. Capitation rates must be based on MCPs achieving a federal minimum MLR of 85 percent. MCPs meet this minimum by spending capitation dollars on clinical services and quality improvement activities.

To bring consistency and standardization across all health insurance markets, and to promote fiscal stewardship, administrative efficiency, and comparability across states and markets, the final rule requires the MLR to be calculated, reported, and used in the development of actuarially-sound rates.

Furthermore, auditing administrative expenses can assist in the development of the administrative component of the capitation rate. This helps ensure: the administrative component of the rate does not include costs the state has identified as non-allowable, the Medicaid allocation is accurate, and related-party and parent-company expenses are not overstated. Additionally, these audits can be used to increase transparency surrounding clinical vendors used by the MCP, including the pharmacy benefit manager (PBM).

How Myers and Stauffer Can Help

We acknowledge the regulatory and logistical complexity around these issues can be challenging, and we are here to provide the guidance you need and the services you require to manage these processes and maintain compliance.

Targeted and Timely Services

Managed Care
Our managed care team’s audit and consulting services address the entire spectrum of a managed care program, from design and procurement to sustained program monitoring and evaluation. We have provided managed care audit and consulting services to Medicaid programs nationwide, which affords us the depth and breadth of knowledge needed to create tailored solutions for specific program needs.
MLR Audits
We perform MLR examinations for numerous state Medicaid agencies and CMS and have the expertise to help with all facets of the MLR reporting, auditing, and performance oversight. In fact, we are currently the auditor of choice for more than one-third of the states’ Medicaid programs; experience that gives us insight into both common and unique issues that vary by the type of MCP, including MCP’s operating nation-wide.
Administrative Expense Audits
The objective of the administrative expenses testing procedures is to align reporting to MCP contract/financial reporting instructions and applicable federal guidance, drive transparency, and enforce accountability for financial reporting and rate setting.

Through our procedures, we ensure administrative expenses are properly supported and accurately allocated. Expenses will be actual, rather than estimates, and reported in the proper period. If expenses are from a related party, they will be at cost. Most importantly, the reporting will be in compliance with applicable state and federal guidance.
Required Periodic Audits – Encounter and Financial Data
Myers and Stauffer has assisted several state clients satisfy the audit requirements outlined in these regulations. Our work performing encounter data validation and External Quality Review Protocol 5– combined with our robust financial data audit procedures performed on MLR reports and administrative expenses– addresses both the encounter and financial data requirement for periodic audits.

Why Myers and Stauffer? In a word… Independence.

Independent National CPA and Consulting Firm

Unlike most firms in our industry, we intentionally restrict our practice to government-sponsored health and human-service programs, and this truly sets us apart. We have never accepted providers, MCPs, PBMs, or individuals as clients. We conduct ourselves according to rigorous professional ethical standards designed to serve the public good – hallmarks of professional CPA standards that make us unique within our business community. We perform our procedures under the American Institute of Certified Public Accountants standards for attestation engagements, a level of assurance offered only by CPA firms such as ours. Our clients can be confident we will have no conflicts of interest. We meet all independence standards and provide unbiased consulting.