Maryland Insurance Administration: Audit Report
Maryland Insurance Administration: Audit Report
March 2021
To Report Fraud
The Office of Legislative Audits operates a Fraud Hotline to report fraud, waste, or abuse involving State
of Maryland government resources. Reports of fraud, waste, or abuse may be communicated anonymously
by a toll-free call to 1-877-FRAUD-11, by mail to the Fraud Hotline, c/o Office of Legislative Audits, or
through the Office’s website.
Nondiscrimination Statement
The Department of Legislative Services does not discriminate on the basis of age, ancestry, color, creed,
marital status, national origin, race, religion, gender, gender identity, sexual orientation, or disability in the
admission or access to its programs, services, or activities. The Department’s Information Officer has been
designated to coordinate compliance with the nondiscrimination requirements contained in Section 35.107
of the United States Department of Justice Regulations. Requests for assistance should be directed to the
Information Officer at 410-946-5400 or 410-970-5400.
March 30, 2021
Senator Clarence K. Lam, M.D., Senate Chair, Joint Audit and Evaluation Committee
Delegate Carol L. Krimm, House Chair, Joint Audit and Evaluation Committee
Members of Joint Audit and Evaluation Committee
Annapolis, Maryland
Our audit disclosed that MIA’s use of electronic spreadsheets to record and
compile premium tax data did not provide sufficient controls to ensure the
propriety of recorded data and the results of premium tax audits. In addition,
MIA did not ensure that all premium tax payments received from managed
care organizations (MCOs) and health maintenance organizations (HMOs)
were properly recorded and transferred to the Maryland Department of Health
as required by law. MIA collected approximately $592.4 million in premium
tax revenue during fiscal year 2020, of which $185.6 million came from
MCOs and HMOs.
Our audit also disclosed that the total amount assessed each year by MIA
against insurers to help fund MIA’s budgeted expenditures was not being
calculated in accordance with MIA’s established procedures, and individual
insurers were sometimes assessed incorrect amounts, or in some cases, not at
all. Assessments collected during fiscal year 2019 totaled approximately
$14.5 million.
Furthermore, MIA was unable to explain an increasing deficit balance in its
Health Care Regulatory Fund, which consists of a separate assessment against
insurers to support MIA’s Appeals and Grievances Unit, and should be self-
supporting. The Fund’s deficit balance of $250,000 as of June 30, 2017 rose
to over $1.3 million in the span of three years. MIA also did not ensure that
all producer licensing fees collected by a third party were remitted and
deposited as required. In addition, intrusion detection and prevention system
coverage did not exist for traffic entering the MIA network from certain
untrusted origin points.
Finally, our audit also included a review to determine the status of the seven
findings contained in our preceding audit report. We determined that the
Department satisfactorily addressed six of the seven findings. The remaining
finding is repeated in this report.
Respectfully submitted,
2
Table of Contents
Background Information 5
Agency Responsibilities 5
Status of Findings From Preceding Audit Report 6
Premium Taxes
* Finding 1 – The Maryland Insurance Administration (MIA) continued to 7
use premium tax spreadsheets that lacked adequate controls to ensure
the propriety of tax data recorded and the results of premium tax audits
performed.
Finding 2 – MIA did not ensure that certain premium tax collections 9
received from HMOs and MCOs were properly recorded and
transferred to the Maryland Department of Heath as required, and
significant recording errors occurred.
3
Producer Licensing Fees
Finding 7 – MIA did not ensure that producer licensing fees collected 16
by a third party were remitted and deposited into the Insurance
Regulation Fund as required.
4
Background Information
Agency Responsibilities
The Maryland Insurance Administration (MIA) operates under the authority of the
Insurance Article, Title 2, of the Annotated Code of Maryland. MIA is
responsible for licensing and regulating insurers, insurance agents, and brokers
who conduct business in the State and for monitoring the financial solvency of
licensed insurers. MIA is also responsible for collecting taxes levied on all
premiums collected by insurance companies within the State. According to
MIA’s records as of January 3, 2020, there were 1,831 insurers authorized to
conduct business in the State. MIA’s records also indicated that direct premiums
written by domestic (based in Maryland) and foreign (based in other states)
companies operating in Maryland during calendar year 2019 totaled
approximately $41.9 billion.
5
Status of Findings From Preceding Audit Report
Our audit included a review to determine the status of the seven findings
contained in our preceding audit report dated May 15, 2018. As disclosed in
Figure 2 below, we determined that MIA satisfactorily addressed six of these
findings. The remaining finding is repeated in this report.
Figure 2
Status of Preceding Findings
Preceding Implementation
Finding Description
Finding Status
The Maryland Insurance Administration
(MIA) used a premium tax spreadsheet system
Finding 1 Repeated
that lacked adequate controls to ensure the
(Current Finding 1)
propriety of data recorded and the results of
premium tax audits performed.
MIA did not establish adequate controls over
Finding 2 the processing of premium tax refunds paid to Not repeated
insurance companies.
Employees who processed certain producer
Finding 3 license applications also had the capability to Not repeated
approve the licenses.
Finding 4 Controls over cash receipts and non-cash Not repeated
credits were not sufficient.
Finding 5 Business partners had excessive access into the Not repeated
MIA computer network.
MIA did not have a complete information
Finding 6 technology disaster recovery plan for Not repeated
recovering computer operations.
MIA lacked assurance that the insurance
producer pre-licensing, licensing, and disaster
Finding 7 recovery services systems, each managed by Not repeated
separate services providers, were each
sufficiently protected against operational and
security risks.
6
Findings and Recommendations
Premium Taxes
Background
The Insurance Article of the Annotated Code of Maryland generally provides for
the imposition of an annual tax on insurance companies for premiums derived
from insurance business transacted in the State. Insurance companies are required
to make estimated tax payments to the Maryland Insurance Administration (MIA)
on a quarterly basis throughout the calendar year. By March 15 of each year,
insurance companies are required to file a final tax return reporting premiums
written during the preceding calendar year and to remit any remaining premium
taxes due to the State. MIA conducts annual premium tax audits to determine
whether any additional taxes are owed, including interest and penalties, or
whether the insurance company is due a refund.
By law, premium taxes collected are to be credited to the State’s General Fund,
except for taxes collected from health maintenance organizations (HMOs) and
managed care organizations (MCOs), which are to be credited to the State’s
Health Care Provider Rate Stabilization Fund (RSF), which is administered by
MIA. Funds in the RSF must be periodically transferred by MIA to the Maryland
Department of Health (MDH) for the purpose of retaining certain health care
providers in the State. In addition, MIA reports premium tax revenues quarterly
to the Comptroller’s Bureau of Revenue Estimates (BRE) for its use in preparing
revenue projections for the State.
According to the State’s records, during fiscal year 2020 MIA collected
approximately $592.4 million in premium tax revenue including $185.6 million in
payments from HMOs and MCOs. MIA completes approximately 1,600 premium
tax audits annually.
Finding 1
MIA continued to use premium tax spreadsheets that lacked adequate
controls to ensure the propriety of data recorded and the results of premium
tax audits performed.
Analysis
MIA continued to use premium tax spreadsheets that lacked adequate controls to
ensure the propriety of data recorded and the results of premium tax audits
performed. As noted in our prior audit report, MIA discontinued using its
automated premium tax system in November 2014. In response to that prior
finding, MIA implemented a product available from the National Association of
7
Insurance Commissioners, which it had previously advised us would provide the
appropriate recordation of tax and audit transactions and activity. Although MIA
is now using that product, we noted that it is essentially a web payment and
document filing portal, not a tax and audit tracking system. Consequently, since
2014 MIA has used electronic spreadsheets to track the receipt of quarterly
estimated and annual tax payments, document the performance of the annual
premium tax audits, and calculate any penalties and interest. Our prior report
noted numerous control deficiencies with the use of the spreadsheets. As noted
above, MIA has not procured a new system and has not implemented procedures
to correct the control deficiencies identified last audit.
In this regard, the employees who were responsible for ensuring that all premium
taxes due were received and accurately recorded, and for identifying any penalties
and interest due to the State, also had the capability to modify both premium and
payment data and the formulas used to recalculate premium tax liabilities,
penalties, and interest within the spreadsheets. In addition, the employee
responsible for reviewing and approving the audit results and approving premium
tax refunds had these same capabilities.
Recommendation 1
We recommend that MIA take appropriate action to control the propriety of
premium tax data and audit activity. Specifically, we recommend that MIA
procure and implement an automated premium tax system with sufficient
8
control capabilities or establish adequate controls within its existing use of
spreadsheets (repeat).
Finding 2
MIA did not ensure that certain premium tax collections received from
HMOs and MCOs were properly recorded and transferred to MDH as
required. Significant recording errors were not detected timely or at all,
including an improper reversion of $59 million to the State’s General Fund
that may no longer be available for transfer to MDH.
Analysis
MIA did not ensure that premium tax collections received from HMOs and MCOs
were properly recorded in the State’s accounting records and transferred to MDH
as required. Premium tax
collections from the 14 HMOs and Figure 3
MCOs are to be allocated to the HMO and MCO Premium Tax Transfers
State’s RSF, then transferred to
Premium Tax
MDH. HMO and MCO premium Premium Tax Payment Online or
taxes are submitted by check or wire Payment by Check by Wire Transfer
transfer directly to MIA or online
similar to premium taxes submitted
by other insurers. Check payments
State General
are generally deposited directly into Fund
the RSF while payments made
online and by wire are deposited
into the State’s General Fund along
with the other premium tax Rate Stabilization Fund
payments and transferred
periodically by MIA to the RSF (see
Figure 3). According to agency
records, HMO and MCO premium
Maryland
tax collections totaled Department of Health
approximately $185.6 million
during fiscal year 2020 ($23.0
million by check and $162.6 million
online or by wire transfer).
9
journal entries were often made for lump sum amounts without adequate
documentation explaining how the amounts were derived. As a result, it was not
always possible to verify that specific online and wire payments had been
transferred from the General Fund to the RSF as required. Consequently, errors
were not detected timely or at all.
Furthermore, during fiscal years 2019 and 2020, MIA made a series of recording
errors, such as duplicate transfers, which resulted in excess allocations of HMO
and MCO premium taxes from the State’s General Fund to the RSF totaling
approximately $139.8 million and $92.6 million, respectively. These errors were
identified by GAD or by MIA after significant increases in RSF revenue were
noted and investigated. Adjusting journal entries were subsequently processed by
GAD for fiscal year 2019 and by MIA for fiscal year 2020.
Chapter 538, 2020 Laws of Maryland, repeals the RSF effective July 1, 2021;
after which all premium tax payments will be deposited to the General Fund.
Although the RSF is scheduled for repeal, it is still incumbent upon MIA to
ensure that all funds are properly accounted for.
1
This amount includes a $2.4 million accounting error for an entry made after the close of fiscal
year 2019.
10
Recommendation 2
We recommend that MIA develop adequate procedures and controls to
ensure the proper disposition of HMO and MCO premium tax payments.
Specifically, we recommend that MIA
a. implement procedures to ensure accurate recording of all HMO and
MCO premium tax payments;
b. adequately document journal entries processed to transfer funds
including details regarding specific HMO and MCO premium tax
payments being transferred;
c. work in conjunction with Department of Budget and Management and
GAD to determine if there is any course of action available to
retroactively correct the improper disposition of the aforementioned $59
million that was not transferred to the RSF; and
d. transfer all funds in the RSF to MDH, as required, unless there is
documented justification for retaining certain funds in the RSF.
Finding 3
MIA’s reconciliations of its premium tax revenue records to the State’s
accounting records were not conducted timely and did not ensure that all tax
revenue had been credited to the appropriate fund.
Analysis
MIA’s reconciliations of premium tax revenue were not conducted timely and did
not ensure that all tax revenue had been credited to the appropriate fund. MIA
prepared reconciliations between its premium tax revenue records and the State’s
accounting records for total premium tax revenue received. Our review disclosed
that, as of August 2020, the most recently completed reconciliation was for
December 2019. In addition, the reconciliations conducted before this time were
not comprehensive as they did not include a verification that all premium tax
revenue had been credited to the appropriate fund, either the General Fund or the
RSF.
The lack of timely and adequate reconciliations may have contributed to MIA’s
failure to timely detect certain of the accounting errors with HMO and MCO
premium taxes noted in Finding 2. In addition, we were advised by management
personnel from the Comptroller of Maryland’s Bureau of Revenue Estimates
(BRE) and GAD that premium tax revenue data submitted to BRE by MIA was
not always accurate. As a result, BRE was unable to effectively use this data in
its preparation of revenue projections for the State.
11
Recommendation 3
We recommend that MIA
a. conduct premium tax revenue reconciliations on a timely basis,
b. verify as part of its reconciliations that revenue has been properly
credited to the appropriate funds, and
c. ensure that revenue information reported to BRE is accurate.
Background
In accordance with State law, MIA calculates an annual assessment to be
collected from all health, life, and property and casualty insurers doing business in
the State to fund 60 percent of its annual budget appropriation2. MIA first
calculates the overall assessment and then allocates the assessment to each
licensed insurer based on its percentage of total premiums written, with a
minimum assessment of $300. These assessments are deposited into MIA’s
Insurance Regulation Fund (IRF). According to the State’s records, assessments
collected and deposited into the IRF during fiscal year 2019 totaled approximately
$14.5 million, and the Fund’s balance at June 30, 2019 totaled $6.5 million.
Finding 4
MIA did not prepare its overall assessment calculation for the IRF in
accordance with its procedures, could not support certain estimates used in
the calculation, and could not document that the calculation was reviewed
and approved by supervisory personnel.
Analysis
MIA did not prepare its overall assessment calculation for the IRF in accordance
with its procedures, could not support certain estimates used in the calculation,
and could not document that the calculation was reviewed and approved by
supervisory personnel.
MIA did not take into account the beginning fund balance, as required by its
procedures, when calculating the overall IRF assessment each year.
Specifically, MIA did not reduce the overall assessment calculated for funds
already on hand at the beginning of the year as required. We ultimately
determined that MIA’s overall assessments for fiscal years 2018, 2019, and
2020 were overstated by approximately $6.8 million, $7.2 million, and $6.5
2
MIA also collects fees for certain certifications, licenses, and other services which fund the
remaining portion of its budget.
12
million, respectively, and the corresponding billings to individual insurance
companies reflected these overstatements.
MIA was unable to support certain significant estimates included in its overall
IRF assessment calculation. For example, MIA’s calculation for fiscal year
2020 included estimated other revenue of $14,141,831, but MIA was unable
to provide documentation supporting how this amount was determined.
MIA could not document that the overall IRF assessment calculation was
reviewed and approved by supervisory personnel. We were advised by MIA
that MIA’s Insurance Commissioner participated informally in the calculation
of the assessment; however, there was no documented review to ensure that
the amount assessed was proper and in accordance with State law and MIA
procedures.
Due to the aforementioned conditions, there was a lack of assurance that the
amounts assessed to and ultimately paid by insurers were proper.
Recommendation 4
We recommend that MIA
a. ensure that the overall IRF assessment calculations are completed as
required by its procedures,
b. maintain adequate supporting documentation for estimated amounts
included in its assessment calculation, and
c. require a documented supervisory review and approval of the assessment
calculation prior to billing insurers.
Finding 5
Allocations of assessments to insurance companies were not always made as
required or correct.
Analysis
Insurance companies were not always assessed as required, and initial
assessments to individual insurers were sometimes incorrect. Our examination of
assessments processed for fiscal year 2020 disclosed the following conditions:
MIA did not properly allocate the assessment to all insurers. Specifically, our
review disclosed MIA had not assessed the Maryland Automobile Insurance
Fund (MAIF) since fiscal year 2014 as provided for in State law. Based on
our calculation for fiscal year 2020 alone, MAIF should have been assessed
approximately $50,000. In addition, based on our examination of the 1,399
13
insurers licensed as of December 31, 2018, we noted 22 other insurers who
had received assessments totaling $22,000 for fiscal year 2019, but had not
been assessed any amount for 2020. Although there may be a valid reason
why an insurer does not receive an assessment in a particular year, MIA could
not explain why these 22 insurers had not been assessed for fiscal year 2020.
The amounts not allocated to these insurers would have been allocated to
other insurers.
At the time of our review, adjustments had not been made for any of the
discrepancies noted above. However, MIA processed approximately $6.8 million
in other adjustments during our audit period related to assessments for fiscal years
2018 to 2020, including adjustments of at least $3.9 million that were due to
improper initial assessments. Although the adjustments corrected improper
assessments to individual insurers, accurate annual assessments are critical since
an assessment error relating to one insurance provider, such as an over or under
assessment, will generally impact the amount assessed to all other providers.
Recommendation 5
We recommend that MIA
a. ensure that all applicable insurance providers are accurately assessed, in
accordance with State law, for amounts due to the Insurance Regulation
Fund; and
b. review the amounts assessed during the audit period to determine any
amounts due to or from insurance companies related to errors in the
assessment calculations.
14
Health Care Regulatory Fund
Finding 6
MIA could not readily explain a growing deficit in the Health Care
Regulatory Fund, which had a deficit balance over $1.3 million as of June 30,
2020.
Analysis
MIA could not readily explain a growing deficit balance in the Health Care
Regulatory Fund. MIA administered the Fund, which consists of assessments on
specified providers of health insurance in the State. State law provides that
annual assessments are to cover all costs relating to activities of MIA’s Appeals
and Grievances Unit. Our review disclosed that the Fund had a deficit balance of
approximately $250,000 as of June 30, 2017, which increased to a deficit of over
$1.3 million as of June 30, 2020 (see Figure 4). The deficits were improperly
offset by unrelated surplus funds in the Insurance Regulation Fund and therefore,
MIA did not report these deficits at fiscal year-end to GAD as required.
Figure 4
Increase in Deficit Balance of Health Care Regulatory Fund
From Fiscal Year 2018 to 2020
2018 2019 2020
Beginning Balance, July 1 $ (249,557) $ (583,798) $ (883,273)
Revenues 1,374,714 1,220,671 1,252,477
Expenditures (1,708,955) (1,520,146) (1,721,301)
Ending Balance, June 30 $ (583,798) $ (883,273) $ (1,352,097)
Although a temporary deficit balance may periodically occur due to the timing of
related transactions, a long-term and growing deficit balance may be indicative of
inaccurate assessments and/or recording errors.
Recommendation 6
We recommend that MIA
a. investigate the deficit in the Health Care Regulatory Fund and determine
appropriate corrective action; and
15
b. properly report all fund balances separately at fiscal year-end, as
required.
Finding 7
MIA did not ensure that all producer licensing fees collected by a third party
were remitted and deposited into the Insurance Regulation Fund as required.
Analysis
MIA did not ensure that all producer licensing fees collected by a third party were
remitted and deposited into the Insurance Regulation Fund as required.
According to State records, producer licensing fees collected during fiscal year
2019 totaled approximately $6.6 million, of which $6.5 million were processed
online through the National Association of Insurance Commissioners’ National
Insurance Producer Registry (NIPR). NIPR’s payment portal interfaces with
MIA’s automated licensing system. In accordance with a memorandum of
understanding between MIA and NIPR, NIPR is to make daily electronic fund
transfers of the prior day’s collections to MIA’s Insurance Regulation Fund.
Our review disclosed that MIA did not conduct daily reconciliations of
applications processed to the related collections to ensure that NIPR properly
transferred all producer licensing fees collected. The reconciliations help to
ensure that online payments are accurately reflected on MIA’s licensing system
(which is the basis for license issuance) and that the related fees were deposited to
the Insurance Regulation Fund.
As a result, there was a lack of assurance that all producer licensing fees were
remitted and deposited into the Fund as required. The Comptroller of Maryland’s
Accounting Procedures Manual requires reconciliations of total collections with
total license applications to be performed.
Recommendation 7
We recommend that MIA perform required daily reconciliations of fee
collections to online applications processed, to ensure that all producer
licensing fees collected online through the NIPR payment portal are received
and properly deposited.
16
Information Systems Security and Control
Background
MIA’s Management Information Systems (MIS) Department is responsible for
the development, maintenance, and support of MIA’s information systems,
including operation of an internal network at MIA. The network is connected to
networkMaryland for internet and statewide government intranet connectivity and
includes multiple firewalls and intrustion detection prevention systems. MIA’s
main critical application is the Enterprise system which supports insurance
company licensing, complaints, and case tracking.
Finding 8
Intrusion detection and prevention system (IDPS) coverage did not exist for
traffic flowing into the MIA network from certain untrusted origin points.
Analysis
IDPS coverage did not exist for untrusted traffic entering the MIA network from
certain untrusted origin points. Such coverage did not exist for traffic entering the
MIA network over connections from the statewide intranet, MIA’s neutral public
network zone, and the internet passing to a certain MIA internal network segment.
Specifically, we identified 14 firewall rules that allowed traffic from either the
statewide intranet or MIA’s neutral public network zone to the MIA internal
network without defined network IDPS coverage applied. In addition, traffic
from a separate MIA internet connection to a certain MIA internal network
segment also lacked IDPS coverage as a related IDPS device operating for the
network segment was not properly configured to monitor traffic for this purpose.
The absence of IDPS coverage for these forms of untrusted traffic entering the
MIA network created network security risk, as such traffic could contain
undetected malicious data.
17
Recommendation 8
We recommend that MIA ensure that IDPS protection exists for all traffic
from untrusted sources entering the MIA network flowing to critical servers
and network segments.
18
Audit Scope, Objectives, and Methodology
We have conducted a fiscal compliance audit of the Maryland Insurance
Administration (MIA), for the period beginning January 31, 2017 and ending
January 20, 2020. The audit was conducted in accordance with generally
accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.
Our assessment of internal controls was based on agency procedures and controls
in place at the time of our fieldwork. Our tests of transactions and other auditing
procedures were generally focused on the transactions occurring during our audit
period of January 31, 2017 to January 20, 2020, but may include transactions
before or after this period as we considered necessary to achieve our audit
objectives.
We also performed various data extracts of pertinent information from the State’s
Financial Management Information System (such as revenue and expenditure
19
data) and the State’s Central Payroll Bureau (payroll data). The extracts are
performed as part of ongoing internal processes established by the Office of
Legislative Audits and were subject to various tests to determine data reliability.
We determined that the data extracted from these sources were sufficiently
reliable for the purposes the data were used during this audit.
We also extracted data from MIA’s producer licensing system for the purpose of
testing the issuance of licenses and assessments. We performed various tests of
the relevant data and determined that the data were sufficiently reliable for the
purposes the data were used during the audit. Finally, we performed other
auditing procedures that we considered necessary to achieve our audit objectives.
The reliability of data used in this report for background or informational
purposes was not assessed.
Our reports are designed to assist the Maryland General Assembly in exercising
its legislative oversight function and to provide constructive recommendations for
improving State operations. As a result, our reports generally do not address
activities we reviewed that are functioning properly.
20
MIA’s response to our findings and recommendations is included as an appendix
to this report. As prescribed in the State Government Article, Section 2-1224 of
the Annotated Code of Maryland, we will advise MIA regarding the results of our
review of its response.
21
APPENDIX
Attached please find the Maryland Insurance Administration’s response to the draft audit report
prepared by your Office for the period beginning January 31, 2017 and ending January 20, 2020.
We appreciate the collaborative and professional process conducted by Edward Welsh and his team.
My staff and I are happy to respond to any questions that you may have.
Sincerely,
K
Kathleen A. Birrane
Commissioner
Attachment
KAB:jdb
Premium Taxes
Finding 1
MIA continued to use premium tax spreadsheets that lacked adequate controls to ensure
the propriety of data recorded and the results of premium tax audits performed.
We recommend that MIA take appropriate action to control the propriety of premium tax
data and audit activity. Specifically, we recommend that MIA procure and implement an
automated premium tax system with sufficient control capabilities or establish adequate
controls within its existing use of spreadsheets (repeat).
Agency Response
Analysis Factually Accurate
Please provide The MIA does not dispute the factual accuracy of Finding 1.
additional comments as
deemed necessary.
Page 1 of 13
Maryland Insurance Administration
The final PTDA Procedures have been implemented and the MIA
believes that, as implemented, they satisfy the recommendation to take
action to control the propriety of premium tax data and audit activity.
1.) The MIA appreciates the limits of the OPTins system and agrees
that an automated system is preferred. The MIA will develop a
two-phased request for proposal, consistent with Maryland
procurement law and budgetary constraints, for the design and
implementation of an automated system that leverages data
sources such as OPTins. To the extent that procurement laws
allow, the MIA will seek to identify and acquire software utilized
by other state regulators for the same purpose. The MIA
anticipates making this project part of its FY2023 budget request.
Page 2 of 13
Maryland Insurance Administration
Finding 2
MIA did not ensure that certain premium tax collections received from HMOs and MCOs
were properly recorded and transferred to MDH as required. Significant recording errors
were not detected timely or at all, including an improper reversion of $59 million to the
State’s General Fund that may no longer be available for transfer to MDH.
We recommend that MIA develop adequate procedures and controls to ensure the proper
disposition of HMO and MCO premium tax payments. Specifically, we recommend that
MIA
a. implement procedures to ensure accurate recording of all HMO and MCO premium
tax payments;
b. adequately document journal entries processed to transfer funds including details
regarding specific HMO and MCO premium tax payments being transferred;
c. work in conjunction with Department of Budget and Management and GAD to
determine if there is any course of action available to retroactively correct the improper
disposition of the aforementioned $59 million that was not transferred to the RSF; and
d. transfer all funds in the RSF to MDH, as required, unless there is documented
justification for retaining certain funds in the RSF.
Agency Response
Analysis Factually Accurate
Please provide The MIA does not dispute the factual accuracy of Finding 2.
additional comments as
deemed necessary.
Please provide details of As a result of communications with the auditors during their field
corrective action or work, the MIA conducted an internal review and analysis of its
explain disagreement. procedures for the timely and accurate identification and transfer to the
Rate Stabilization Fund established under § 19-802 of the Insurance
Article (the “RSF”) of premium tax revenue earmarked for deposit to
the RSF. As part of that internal review and analysis, the MIA worked
closely with its counsel to assure the proper interpretation and
applications of the relevant statutes.
Page 3 of 13
Maryland Insurance Administration
Procedures have been made available to the auditors for review. They
will be included in the scope of the Fiscal Unit Audit.
Under the revised RSF Procedures, the E&A Unit uses the MIA’s
company licensing database to generate the list of RSF Companies in
order to aid the FSU in accurately identifying and reporting the
premium tax payments to be deposited into the RSF. The FSU uses
the E&A list to create the RSF Payment Schedule which tracks the
receipt of quarterly estimated and annual premium tax payments by
RSF Companies, the transfer/deposit of those payments to the RSF,
and the calculation of interest. The RSF Payment Schedule is
reconciled against the Premium Tax Payment Log (also kept by FSU)
and the DAFR 7470 Activity Report on a monthly basis.
Page 4 of 13
Maryland Insurance Administration
Page 5 of 13
Maryland Insurance Administration
Finding 3
MIA’s reconciliations of its premium tax revenue records to the State’s accounting records
were not conducted timely and did not ensure that all tax revenue had been credited to the
appropriate fund.
Agency Response
Analysis Factually Accurate
Please provide The MIA does not dispute the factual accuracy of Finding 3.
additional comments as
deemed necessary.
Please provide details As a result of communications with the auditors during their field
of corrective action or work, the MIA conducted an internal review and analysis of its
explain disagreement. premium tax activities, including the timeliness of the conduct of
premium tax reconciliations, which resulted in the adoption and
implementation of the revised PTDA Procedures and the RSF
Procedures. Those Procedures require that premium tax reconciliations
be performed monthly and that the monthly performance be verified
by the Director or Assistant Director of the FSU. In addition, the
timeliness and accuracy of the premium tax reconciliation process will
be included in the scope of the Fiscal Unit Audit.
Please provide details The RSF Procedures (relating to premium tax revenue) are
of corrective action or described in the Response to Finding 2. Compliance with these
explain disagreement. Procedures and verification of these calculations also will be included
in the scope of the Fiscal Unit Audit.
Page 6 of 13
Maryland Insurance Administration
Please provide details The MIA and GAD met in February 2020 to discuss errors and
of corrective action or corrections in RSF reporting that occurred in FY2018, FY2019, and
explain disagreement. FY2020. Recommendations from GAD regarding how to avoid such
errors in the future were incorporated into the RSF Procedures. Since
the February 2020 meeting and the subsequent adoption and
implementation of the RSF Procedures, neither GAD nor BRE have
identified any new reporting errors.
Finding 4
MIA did not prepare its overall assessment calculation for the IRF in accordance with its
procedures, could not support certain estimates used in the calculation, and could not
document that the calculation was reviewed and approved by supervisory personnel.
Agency Response
Analysis Not Factually Accurate
Please provide The MIA does not dispute the factual finding in the first bullet
additional comments as point. However, the auditors’ calculation of the amounts of the carry
deemed necessary. forward amounts for 2018, 2019 and 2020 included certain unused/old
fund accounts which the MIA would not have included in the
calculation. The MIA agreed, however, that steps needed to be taken to
address and close out those accounts appropriately. During the January
20, 2021 exit meeting with the auditors, the MIA agreed that the best
way to proceed would be to research the genesis of the unused/old
accounts and to work with GAD to close or remove those accounts. The
Page 7 of 13
Maryland Insurance Administration
MIA did reach out to GAD, which recommended that the MIA work
with DBM, which is currently researching the best way to resolve the
issue. The MIA will determine the appropriate steps to take once that
research is complete. The FSU Director will ensure that those steps are
promptly implemented.
The MIA does not dispute the factual accuracy of the remainder of
Finding 4.
Auditor’s Comment: MIA has indicated not factually accurate in reference to the
analysis, but the response clarified that MIA does not dispute the factual finding. MIA
further explained that certain unused/old accounts included in the carry-forward
(beginning fund) balance referenced in the analysis need to be appropriately closed out,
which it intends to do. Consequently, we do not consider this an area of disagreement.
Please provide details of As a result of communications with the auditors during their field
corrective action or work, the MIA conducted an internal review and analysis of its
explain disagreement.
procedures relating to the calculation, assessment, and collection of
assessments to be paid by insurers to the insurance regulation fund
(“IRF”). Following that review, the MIA adopted and implemented new
procedures, protocols, tools, and controls designed to ensure the
accuracy of those activities (the “IRF Procedures). Following receipt of
the Audit Report and Findings, the MIA evaluated the IRF Procedures
to assure that they incorporated the Auditors’ recommendations and
adopted an updated version of the IRF Procedures. This document is
available to the Auditors for review and comment. The IRF Procedures
will be included in the scope of the Fiscal Unit Audit.
Per the IRF Procedures, the FSU uses the MIA Legislative
Appropriation amount transmitted from DBM for the fiscal year as the
starting point for the IRF calculation. From that amount, the FSU adjusts
the Appropriation for any step movement or reserve needed, and then
subtracts the Health Care Regulatory Appropriation and reserve, the
estimated IRF carry forward amount, and revenue from certain fees and
investment income outlined by law. The resulting amount is the IRF
Page 8 of 13
Maryland Insurance Administration
assessment amount for the fiscal year and must equal 60% of the MIA’s
approved budget appropriation.
Please provide details of The IRF Procedures include the requirement that supporting
corrective action or documentation be maintained for each estimated amount used in the
explain disagreement. assessment calculation.
Please provide details of A supervisory review is part of the IRF Procedures. In addition,
corrective action or compliance with the IRF Procedures will be included within the scope
explain disagreement. of the Fiscal Unit Audit.
Finding 5
Allocations of assessments to insurance companies were not always made as required or
correct.
Agency Response
Analysis Factually Accurate
Please provide The MIA does not dispute the factual accuracy of Finding 5.
additional comments as
deemed necessary.
Page 9 of 13
Maryland Insurance Administration
Please provide details of As noted previously, the MIA has adopted and implemented the
corrective action or revised IRF Procedures, which are designed to assure the accuracy of
explain disagreement. the calculation of the assessment; the allocation of the assessment among
the entities subject to it; and verification, reconciliation and audit of
assessment payments and fund deposits. In developing the IRF
Procedures, the MIA worked closely with counsel to assure that the IRF
statutory requirements were correctly interpreted and applied. In
addition, the IRF Procedures will be included in the scope Fiscal Unit
Audit.
Under the revised IRF Procedures, the FSU and the E&A Unit use
the MIA’s company licensing database and premium tax filing data to
generate the list of entities subject to the IRF assessment. Companies
are then classified per the applicable statutory law for assessment
purposes according to procedures approved by the OAG. The IRF
Procedures include a verification check within the FSU and sign-off by
the Director of the FSU.
Page 10 of 13
Maryland Insurance Administration
Finding 6
MIA could not readily explain a growing deficit in the Health Care Regulatory Fund,
which had a deficit balance over $1.3 million as of June 30, 2020.
Agency Response
Analysis Factually Accurate
Please provide The MIA does not dispute the factual accuracy of Finding 6.
additional comments as
deemed necessary.
Page 11 of 13
Maryland Insurance Administration
Finding 7
MIA did not ensure that all producer licensing fees collected by a third party were remitted
and deposited into the Insurance Regulation Fund as required.
We recommend that MIA perform required daily reconciliations of fee collections to online
applications processed, to ensure that all producer licensing fees collected online through
the NIPR payment portal are received and properly deposited.
Agency Response
Analysis Factually Accurate
Please provide The MIA does not dispute the factual accuracy of Finding 7.
additional comments as
deemed necessary.
Please provide details of As a result of communications with the auditors during their field
corrective action or work, the MIA conducted an internal evaluation of the procedures
explain disagreement. employed to verify and reconcile the accuracy and receipt of the
producer licensing fees collected online via the National Insurance
Producer Registry (NIPR) website. As a result of its internal
investigation and review, the MIA developed, adopted and implemented
new procedures for calculating the amount due to the MIA as producer
licensing fees and for reconciling amounts due with the amount reported
through NIPR and the amounts remitted to the MIA from NIPR (the
“NIPR Reconciliation Procedures”). A copy of the NIPR Reconciliation
Page 12 of 13
Maryland Insurance Administration
Procedures has been made available to the auditors for review and will
be included within the scope of the Fiscal Unit Audit.
Per the new NIPR Reconciliation Procedures, the FSU performs the
reconciliation each business day on which the MIA is notified via the
R*stars ACH entry report received from the Maryland Treasurer that
NIPR revenue was received into the General Fund. The reconciliation is
performed by first reconciling MIA licensing data with the State Based
Systems (SBS) that house the NIPR transactions and the fees associated
with them, and then compare the amounts owed to the MIA against the
R*stars ACH entry report received from the Maryland Treasurer.
Finding 8
Intrusion detection and prevention system (IDPS) coverage did not exist for traffic flowing
into the MIA network from certain untrusted origin points.
We recommend that MIA ensure that IDPS protection exists for all traffic from untrusted
sources entering the MIA network flowing to critical servers and network segments.
Agency Response
Analysis Factually Accurate
Please provide The MIA does not dispute the factual accuracy of Finding 8.
additional comments as
deemed necessary.
Page 13 of 13
AUDIT TEAM
Michael J. Murdzak, CPA
Audit Manager
Malik A. Farooq
Matthew P. Henry
Ibijoke O. Owolabi, CPA
Staff Auditors
Charles O. Price
Malcolm J. Woodard
Information Systems Staff Auditors