Maryland Insurance Administration: Audit Report

Audit Report
Maryland Insurance Administration
March 2021
OFFICE OF LEGISLATIVE AUDITS

DEPARTMENT OF LEGISLATIVE SERVICES
MARYLAND GENERAL ASSEMBLY
Joint Audit and Evaluation Committee
Senator Clarence K. Lam, M.D. (Senate Chair) Delegate Carol L. Krimm (House Chair)
Senator Malcolm L. Augustine Delegate Steven J. Arentz
Senator Adelaide C. Eckardt Delegate Mark S. Chang
Senator George C. Edwards Delegate Nicholas P. Charles II
Senator Katie Fry Hester Delegate Andrea Fletcher Harrison
Senator Cheryl C. Kagan Delegate Keith E. Haynes
Senator Benjamin F. Kramer Delegate David Moon
Senator Cory V. McCray Delegate April R. Rose
Senator Justin D. Ready Delegate Geraldine Valentino-Smith
Senator Craig J. Zucker One Vacancy
To Obtain Further Information

Office of Legislative Audits
301 West Preston Street, Room 1202
Baltimore, Maryland 21201
Phone: 410-946-5900 ꞏ 301-970-5900 ꞏ 1-877-486-9964 (Toll Free in Maryland)
Maryland Relay: 711
TTY: 410-946-5401 ꞏ 301-970-5401
E-mail: [email protected]
Website: www.ola.state.md.us
To Report Fraud
The Office of Legislative Audits operates a Fraud Hotline to report fraud, waste, or abuse involving State
of Maryland government resources. Reports of fraud, waste, or abuse may be communicated anonymously
by a toll-free call to 1-877-FRAUD-11, by mail to the Fraud Hotline, c/o Office of Legislative Audits, or
through the Office’s website.
Nondiscrimination Statement
The Department of Legislative Services does not discriminate on the basis of age, ancestry, color, creed,
marital status, national origin, race, religion, gender, gender identity, sexual orientation, or disability in the
admission or access to its programs, services, or activities. The Department’s Information Officer has been
designated to coordinate compliance with the nondiscrimination requirements contained in Section 35.107
of the United States Department of Justice Regulations. Requests for assistance should be directed to the
Information Officer at 410-946-5400 or 410-970-5400.
March 30, 2021
Senator Clarence K. Lam, M.D., Senate Chair, Joint Audit and Evaluation Committee
Delegate Carol L. Krimm, House Chair, Joint Audit and Evaluation Committee
Members of Joint Audit and Evaluation Committee
Annapolis, Maryland
Ladies and Gentlemen:
We have conducted a fiscal compliance audit of the Maryland Insurance

Administration (MIA) for the period beginning January 31, 2017 and ending
January 20, 2020. MIA is responsible for licensing and regulating insurers,
insurance agents, and brokers who conduct business in the State, and for
monitoring the financial solvency of licensed insurers. MIA is also
responsible for collecting taxes levied on all premiums collected by insurance
companies doing business within the State.
Our audit disclosed that MIA’s use of electronic spreadsheets to record and
compile premium tax data did not provide sufficient controls to ensure the
propriety of recorded data and the results of premium tax audits. In addition,
MIA did not ensure that all premium tax payments received from managed
care organizations (MCOs) and health maintenance organizations (HMOs)
were properly recorded and transferred to the Maryland Department of Health
as required by law. MIA collected approximately $592.4 million in premium
tax revenue during fiscal year 2020, of which $185.6 million came from
MCOs and HMOs.
Our audit also disclosed that the total amount assessed each year by MIA
against insurers to help fund MIA’s budgeted expenditures was not being
calculated in accordance with MIA’s established procedures, and individual
insurers were sometimes assessed incorrect amounts, or in some cases, not at
all. Assessments collected during fiscal year 2019 totaled approximately
$14.5 million.
Furthermore, MIA was unable to explain an increasing deficit balance in its
Health Care Regulatory Fund, which consists of a separate assessment against
insurers to support MIA’s Appeals and Grievances Unit, and should be self-
supporting. The Fund’s deficit balance of $250,000 as of June 30, 2017 rose
to over $1.3 million in the span of three years. MIA also did not ensure that
all producer licensing fees collected by a third party were remitted and
deposited as required. In addition, intrusion detection and prevention system
coverage did not exist for traffic entering the MIA network from certain
untrusted origin points.
Finally, our audit also included a review to determine the status of the seven
findings contained in our preceding audit report. We determined that the
Department satisfactorily addressed six of the seven findings. The remaining
finding is repeated in this report.
MIA’s response to this audit is included as an appendix to this report. We

reviewed the response to our findings and related recommendations, and have
concluded that the corrective actions identified are sufficient to address all
audit issues. We have edited MIA’s response to remove certain vendor names
or products, as allowed by our policy.
We wish to acknowledge the cooperation extended to us during the audit by

MIA and its willingness to address the audit issues and implement appropriate
corrective actions.
Respectfully submitted,
Gregory A. Hook, CPA

Legislative Auditor
2
Table of Contents
Background Information 5
Agency Responsibilities 5
Status of Findings From Preceding Audit Report 6
Findings and Recommendations 7
Premium Taxes
* Finding 1 – The Maryland Insurance Administration (MIA) continued to 7
use premium tax spreadsheets that lacked adequate controls to ensure
the propriety of tax data recorded and the results of premium tax audits
performed.
Finding 2 – MIA did not ensure that certain premium tax collections 9
received from HMOs and MCOs were properly recorded and
transferred to the Maryland Department of Heath as required, and
significant recording errors occurred.
Finding 3 – Reconciliations of MIA’s premium tax revenue records 11

to the State’s accounting records were not conducted timely and did
not ensure that all tax revenue had been credited to the appropriate
fund.
Insurance Regulation Fund Assessments

Finding 4 – MIA did not prepare its overall assessment calculation for 12
the Fund in accordance with its procedures, could not support certain
estimates used in the calculation, and could not document that the
calculation was reviewed and approved by supervisory personnel.
Finding 5 – Allocations of assessments to insurance companies were not 13

always made as required or, when made, were sometimes incorrect.
Health Care Regulatory Fund

Finding 6 – MIA could not readily explain a growing deficit in the Health 15
Care Regulatory Fund, which had a deficit balance over $1.3 million
as of June 30, 2020.
* Denotes item repeated in full or part from preceding audit report
3
Producer Licensing Fees
Finding 7 – MIA did not ensure that producer licensing fees collected 16
by a third party were remitted and deposited into the Insurance
Regulation Fund as required.
Information Systems Security and Control

Finding 8 – Intrusion detection and prevention system coverage did not 17
exist for traffic flowing into the MIA network from certain untrusted
origin points.
Audit Scope, Objectives, and Methodology 19
Agency Response Appendix
4
Background Information
Agency Responsibilities
The Maryland Insurance Administration (MIA) operates under the authority of the
Insurance Article, Title 2, of the Annotated Code of Maryland. MIA is
responsible for licensing and regulating insurers, insurance agents, and brokers
who conduct business in the State and for monitoring the financial solvency of
licensed insurers. MIA is also responsible for collecting taxes levied on all
premiums collected by insurance companies within the State. According to
MIA’s records as of January 3, 2020, there were 1,831 insurers authorized to
conduct business in the State. MIA’s records also indicated that direct premiums
written by domestic (based in Maryland) and foreign (based in other states)
companies operating in Maryland during calendar year 2019 totaled
approximately $41.9 billion.
According to the State’s

records, during fiscal year
2020 MIA’s revenues
totaled approximately
$881.9 million (see Figure
1). The majority of MIA’s
revenue related to premium
taxes and Health Care
Access Assessment revenue,
which was first collected in
fiscal year 2019 pursuant to
the Health Care Access Act
of 2018.
As required by State law,

MIA transferred $406.8
million in revenue to the
State’s General Fund,
$185.6 million to the Maryland Health Care Provider Rate Stabilization Fund, and
$30.9 million to the State’s Insurance Regulation Fund in fiscal year 2020.
Health Care Access Assessments for fiscal year 2019 and 2020, which totaled
$428.3 million as of June 30, 2020, are being held by MIA pending a request from
the Maryland Health Benefit Exchange to transfer the funds for the State
Reinsurance Program.
5
Status of Findings From Preceding Audit Report
Our audit included a review to determine the status of the seven findings
contained in our preceding audit report dated May 15, 2018. As disclosed in
Figure 2 below, we determined that MIA satisfactorily addressed six of these
findings. The remaining finding is repeated in this report.
Figure 2
Status of Preceding Findings
Preceding Implementation
Finding Description
Finding Status
The Maryland Insurance Administration
(MIA) used a premium tax spreadsheet system
Finding 1 Repeated
that lacked adequate controls to ensure the
(Current Finding 1)
propriety of data recorded and the results of
premium tax audits performed.
MIA did not establish adequate controls over
Finding 2 the processing of premium tax refunds paid to Not repeated
insurance companies.
Employees who processed certain producer
Finding 3 license applications also had the capability to Not repeated
approve the licenses.
Finding 4 Controls over cash receipts and non-cash Not repeated
credits were not sufficient.
Finding 5 Business partners had excessive access into the Not repeated
MIA computer network.
MIA did not have a complete information
Finding 6 technology disaster recovery plan for Not repeated
recovering computer operations.
MIA lacked assurance that the insurance
producer pre-licensing, licensing, and disaster
Finding 7 recovery services systems, each managed by Not repeated
separate services providers, were each
sufficiently protected against operational and
security risks.
6
Findings and Recommendations
Premium Taxes
Background
The Insurance Article of the Annotated Code of Maryland generally provides for
the imposition of an annual tax on insurance companies for premiums derived
from insurance business transacted in the State. Insurance companies are required
to make estimated tax payments to the Maryland Insurance Administration (MIA)
on a quarterly basis throughout the calendar year. By March 15 of each year,
insurance companies are required to file a final tax return reporting premiums
written during the preceding calendar year and to remit any remaining premium
taxes due to the State. MIA conducts annual premium tax audits to determine
whether any additional taxes are owed, including interest and penalties, or
whether the insurance company is due a refund.
By law, premium taxes collected are to be credited to the State’s General Fund,
except for taxes collected from health maintenance organizations (HMOs) and
managed care organizations (MCOs), which are to be credited to the State’s
Health Care Provider Rate Stabilization Fund (RSF), which is administered by
MIA. Funds in the RSF must be periodically transferred by MIA to the Maryland
Department of Health (MDH) for the purpose of retaining certain health care
providers in the State. In addition, MIA reports premium tax revenues quarterly
to the Comptroller’s Bureau of Revenue Estimates (BRE) for its use in preparing
revenue projections for the State.
According to the State’s records, during fiscal year 2020 MIA collected
approximately $592.4 million in premium tax revenue including $185.6 million in
payments from HMOs and MCOs. MIA completes approximately 1,600 premium
tax audits annually.
Finding 1
MIA continued to use premium tax spreadsheets that lacked adequate
controls to ensure the propriety of data recorded and the results of premium
tax audits performed.
Analysis
MIA continued to use premium tax spreadsheets that lacked adequate controls to
ensure the propriety of data recorded and the results of premium tax audits
performed. As noted in our prior audit report, MIA discontinued using its
automated premium tax system in November 2014. In response to that prior
finding, MIA implemented a product available from the National Association of
7
Insurance Commissioners, which it had previously advised us would provide the
appropriate recordation of tax and audit transactions and activity. Although MIA
is now using that product, we noted that it is essentially a web payment and
document filing portal, not a tax and audit tracking system. Consequently, since
2014 MIA has used electronic spreadsheets to track the receipt of quarterly
estimated and annual tax payments, document the performance of the annual
premium tax audits, and calculate any penalties and interest. Our prior report
noted numerous control deficiencies with the use of the spreadsheets. As noted
above, MIA has not procured a new system and has not implemented procedures
to correct the control deficiencies identified last audit.
Specifically, data recorded on spreadsheets, as well as formulas in templates used

by MIA in the spreadsheets to automatically compile data and perform needed
calculations, could still be modified without independent supervisory review and
approval. As noted in the prior report, the spreadsheets do not provide a means
for changes in data or formulas to be recorded for subsequent review, and the
identity of the individuals performing such changes could not be ascertained. In
addition, MIA still did not use certain available controls to restrict access to
recorded data and formulas, and had not implemented adequate compensating
controls to ensure the integrity of the data.
In this regard, the employees who were responsible for ensuring that all premium
taxes due were received and accurately recorded, and for identifying any penalties
and interest due to the State, also had the capability to modify both premium and
payment data and the formulas used to recalculate premium tax liabilities,
penalties, and interest within the spreadsheets. In addition, the employee
responsible for reviewing and approving the audit results and approving premium
tax refunds had these same capabilities.
Since data recorded in the spreadsheets is used extensively in the performance of

premium tax audits, there was a lack of assurance that audit results, including
taxes due from or refunds due to insurance companies were proper. While no
significant errors or discrepancies were noted in our tests of premium tax audits,
the lack of controls over the data and the lack of accountability over critical
changes made recorded premium data, premium tax payments, and formulas
vulnerable to such errors or other discrepancies.
Recommendation 1
We recommend that MIA take appropriate action to control the propriety of
premium tax data and audit activity. Specifically, we recommend that MIA
procure and implement an automated premium tax system with sufficient
8
control capabilities or establish adequate controls within its existing use of
spreadsheets (repeat).
Finding 2
MIA did not ensure that certain premium tax collections received from
HMOs and MCOs were properly recorded and transferred to MDH as
required. Significant recording errors were not detected timely or at all,
including an improper reversion of $59 million to the State’s General Fund
that may no longer be available for transfer to MDH.
Analysis
MIA did not ensure that premium tax collections received from HMOs and MCOs
were properly recorded in the State’s accounting records and transferred to MDH
as required. Premium tax
collections from the 14 HMOs and Figure 3
MCOs are to be allocated to the HMO and MCO Premium Tax Transfers
State’s RSF, then transferred to
Premium Tax
MDH. HMO and MCO premium Premium Tax Payment Online or
taxes are submitted by check or wire Payment by Check by Wire Transfer
transfer directly to MIA or online
similar to premium taxes submitted
by other insurers. Check payments
State General
are generally deposited directly into Fund
the RSF while payments made
online and by wire are deposited
into the State’s General Fund along
with the other premium tax Rate Stabilization Fund
payments and transferred
periodically by MIA to the RSF (see
Figure 3). According to agency
records, HMO and MCO premium
Maryland
tax collections totaled Department of Health
approximately $185.6 million
during fiscal year 2020 ($23.0
million by check and $162.6 million
online or by wire transfer).
Transfers Were Not Adequately Supported Resulting In Errors Going Undetected

or Not Being Detected Timely
Journal entries processed by MIA to transfer payments made online and by wire
from the General Fund to the RSF often lacked supporting documentation. The
9
journal entries were often made for lump sum amounts without adequate
documentation explaining how the amounts were derived. As a result, it was not
always possible to verify that specific online and wire payments had been
transferred from the General Fund to the RSF as required. Consequently, errors
were not detected timely or at all.
Specifically, our review of 55 payments from HMOs and MCOs totaling

approximately $187.4 million made for calendar year 2018 premium taxes
disclosed 14 payments totaling $58.9 million that were initially credited to the
General Fund, but based on available records, were never transferred to the RSF
as required. These funds were reverted to the State’s General Fund upon the
fiscal 2018 year-end closing, and MIA management advised us that the
Comptroller of Maryland’s General Accounting Division (GAD) notified them
the funds are no longer available for transfer to the RSF.
Furthermore, during fiscal years 2019 and 2020, MIA made a series of recording
errors, such as duplicate transfers, which resulted in excess allocations of HMO
and MCO premium taxes from the State’s General Fund to the RSF totaling
approximately $139.8 million and $92.6 million, respectively. These errors were
identified by GAD or by MIA after significant increases in RSF revenue were
noted and investigated. Adjusting journal entries were subsequently processed by
GAD for fiscal year 2019 and by MIA for fiscal year 2020.
RSF Balance Was Not Transferred to MDH As Required

MIA could not justify retention of the RSF fund balance, which totaled
approximately $8.1 million1 as of June 30, 2020. In accordance with State Law,
any funds in the RSF should be transferred to MDH. MIA management claimed
that a fund balance was necessary to cover any HMO and MCO premium tax
refunds that were required to be paid. However, refunds processed during fiscal
years 2019 and 2020 related to HMO and MCO premium taxes totaled $17,000
and $3 million, respectively, well below the $8.1 million retained by MIA.
Chapter 538, 2020 Laws of Maryland, repeals the RSF effective July 1, 2021;
after which all premium tax payments will be deposited to the General Fund.
Although the RSF is scheduled for repeal, it is still incumbent upon MIA to
ensure that all funds are properly accounted for.
1
This amount includes a $2.4 million accounting error for an entry made after the close of fiscal
year 2019.
10
Recommendation 2
We recommend that MIA develop adequate procedures and controls to
ensure the proper disposition of HMO and MCO premium tax payments.
Specifically, we recommend that MIA
a. implement procedures to ensure accurate recording of all HMO and
MCO premium tax payments;
b. adequately document journal entries processed to transfer funds
including details regarding specific HMO and MCO premium tax
payments being transferred;
c. work in conjunction with Department of Budget and Management and
GAD to determine if there is any course of action available to
retroactively correct the improper disposition of the aforementioned $59
million that was not transferred to the RSF; and
d. transfer all funds in the RSF to MDH, as required, unless there is
documented justification for retaining certain funds in the RSF.
Finding 3
MIA’s reconciliations of its premium tax revenue records to the State’s
accounting records were not conducted timely and did not ensure that all tax
revenue had been credited to the appropriate fund.
Analysis
MIA’s reconciliations of premium tax revenue were not conducted timely and did
not ensure that all tax revenue had been credited to the appropriate fund. MIA
prepared reconciliations between its premium tax revenue records and the State’s
accounting records for total premium tax revenue received. Our review disclosed
that, as of August 2020, the most recently completed reconciliation was for
December 2019. In addition, the reconciliations conducted before this time were
not comprehensive as they did not include a verification that all premium tax
revenue had been credited to the appropriate fund, either the General Fund or the
RSF.
The lack of timely and adequate reconciliations may have contributed to MIA’s
failure to timely detect certain of the accounting errors with HMO and MCO
premium taxes noted in Finding 2. In addition, we were advised by management
personnel from the Comptroller of Maryland’s Bureau of Revenue Estimates
(BRE) and GAD that premium tax revenue data submitted to BRE by MIA was
not always accurate. As a result, BRE was unable to effectively use this data in
its preparation of revenue projections for the State.
11
Recommendation 3
We recommend that MIA
a. conduct premium tax revenue reconciliations on a timely basis,
b. verify as part of its reconciliations that revenue has been properly
credited to the appropriate funds, and
c. ensure that revenue information reported to BRE is accurate.
Background
In accordance with State law, MIA calculates an annual assessment to be
collected from all health, life, and property and casualty insurers doing business in
the State to fund 60 percent of its annual budget appropriation2. MIA first
calculates the overall assessment and then allocates the assessment to each
licensed insurer based on its percentage of total premiums written, with a
minimum assessment of $300. These assessments are deposited into MIA’s
Insurance Regulation Fund (IRF). According to the State’s records, assessments
collected and deposited into the IRF during fiscal year 2019 totaled approximately
$14.5 million, and the Fund’s balance at June 30, 2019 totaled $6.5 million.
Finding 4
MIA did not prepare its overall assessment calculation for the IRF in
accordance with its procedures, could not support certain estimates used in
the calculation, and could not document that the calculation was reviewed
and approved by supervisory personnel.
Analysis
MIA did not prepare its overall assessment calculation for the IRF in accordance
with its procedures, could not support certain estimates used in the calculation,
and could not document that the calculation was reviewed and approved by
supervisory personnel.
 MIA did not take into account the beginning fund balance, as required by its
procedures, when calculating the overall IRF assessment each year.
Specifically, MIA did not reduce the overall assessment calculated for funds
already on hand at the beginning of the year as required. We ultimately
determined that MIA’s overall assessments for fiscal years 2018, 2019, and
2020 were overstated by approximately $6.8 million, $7.2 million, and $6.5
2
MIA also collects fees for certain certifications, licenses, and other services which fund the
remaining portion of its budget.
12
million, respectively, and the corresponding billings to individual insurance
companies reflected these overstatements.
 MIA was unable to support certain significant estimates included in its overall
IRF assessment calculation. For example, MIA’s calculation for fiscal year
2020 included estimated other revenue of $14,141,831, but MIA was unable
to provide documentation supporting how this amount was determined.
 MIA could not document that the overall IRF assessment calculation was
reviewed and approved by supervisory personnel. We were advised by MIA
that MIA’s Insurance Commissioner participated informally in the calculation
of the assessment; however, there was no documented review to ensure that
the amount assessed was proper and in accordance with State law and MIA
procedures.
Due to the aforementioned conditions, there was a lack of assurance that the
amounts assessed to and ultimately paid by insurers were proper.
Recommendation 4
a. ensure that the overall IRF assessment calculations are completed as
required by its procedures,
b. maintain adequate supporting documentation for estimated amounts
included in its assessment calculation, and
c. require a documented supervisory review and approval of the assessment
calculation prior to billing insurers.
Finding 5
Allocations of assessments to insurance companies were not always made as
required or correct.
Analysis
Insurance companies were not always assessed as required, and initial
assessments to individual insurers were sometimes incorrect. Our examination of
assessments processed for fiscal year 2020 disclosed the following conditions:
 MIA did not properly allocate the assessment to all insurers. Specifically, our
review disclosed MIA had not assessed the Maryland Automobile Insurance
Fund (MAIF) since fiscal year 2014 as provided for in State law. Based on
our calculation for fiscal year 2020 alone, MAIF should have been assessed
approximately $50,000. In addition, based on our examination of the 1,399
13
insurers licensed as of December 31, 2018, we noted 22 other insurers who
had received assessments totaling $22,000 for fiscal year 2019, but had not
been assessed any amount for 2020. Although there may be a valid reason
why an insurer does not receive an assessment in a particular year, MIA could
not explain why these 22 insurers had not been assessed for fiscal year 2020.
The amounts not allocated to these insurers would have been allocated to
other insurers.
 MIA over-assessed 11 insurers approximately $2.3 million because MIA

improperly included exempt federal premiums, such as Medicare premiums,
in their assessment calculation.
 MIA under-assessed 67 insurers by approximately $814,000 because they

were misclassified as life insurance providers rather than health insurers.
These insurers wrote premiums for life and health insurance or only health
insurance. State law requires insurers to be assessed in the category in which
they wrote the most premiums during the previous calendar year. Proper
classification is important because an insurer’s assessment is based, in part, on
total premium dollars within their designated insurance category.
At the time of our review, adjustments had not been made for any of the
discrepancies noted above. However, MIA processed approximately $6.8 million
in other adjustments during our audit period related to assessments for fiscal years
2018 to 2020, including adjustments of at least $3.9 million that were due to
improper initial assessments. Although the adjustments corrected improper
assessments to individual insurers, accurate annual assessments are critical since
an assessment error relating to one insurance provider, such as an over or under
assessment, will generally impact the amount assessed to all other providers.
Recommendation 5
a. ensure that all applicable insurance providers are accurately assessed, in
accordance with State law, for amounts due to the Insurance Regulation
Fund; and
b. review the amounts assessed during the audit period to determine any
amounts due to or from insurance companies related to errors in the
assessment calculations.
14
Finding 6
MIA could not readily explain a growing deficit in the Health Care
Regulatory Fund, which had a deficit balance over $1.3 million as of June 30,
2020.
Analysis
MIA could not readily explain a growing deficit balance in the Health Care
Regulatory Fund. MIA administered the Fund, which consists of assessments on
specified providers of health insurance in the State. State law provides that
annual assessments are to cover all costs relating to activities of MIA’s Appeals
and Grievances Unit. Our review disclosed that the Fund had a deficit balance of
approximately $250,000 as of June 30, 2017, which increased to a deficit of over
$1.3 million as of June 30, 2020 (see Figure 4). The deficits were improperly
offset by unrelated surplus funds in the Insurance Regulation Fund and therefore,
MIA did not report these deficits at fiscal year-end to GAD as required.
Figure 4
Increase in Deficit Balance of Health Care Regulatory Fund
From Fiscal Year 2018 to 2020
2018 2019 2020
Beginning Balance, July 1 $ (249,557) $ (583,798) $ (883,273)
Revenues 1,374,714 1,220,671 1,252,477
Expenditures (1,708,955) (1,520,146) (1,721,301)
Ending Balance, June 30 $ (583,798) $ (883,273) $ (1,352,097)
Increase in Deficit from Prior Year $ 334,241 $ 299,475 $ 468,824

Percentage Increase from Prior Year 134% 51% 53%
Source: State records
Although a temporary deficit balance may periodically occur due to the timing of
related transactions, a long-term and growing deficit balance may be indicative of
inaccurate assessments and/or recording errors.
Recommendation 6
a. investigate the deficit in the Health Care Regulatory Fund and determine
appropriate corrective action; and
15
b. properly report all fund balances separately at fiscal year-end, as
required.
Finding 7
MIA did not ensure that all producer licensing fees collected by a third party
were remitted and deposited into the Insurance Regulation Fund as required.
Analysis
MIA did not ensure that all producer licensing fees collected by a third party were
remitted and deposited into the Insurance Regulation Fund as required.
According to State records, producer licensing fees collected during fiscal year
2019 totaled approximately $6.6 million, of which $6.5 million were processed
online through the National Association of Insurance Commissioners’ National
Insurance Producer Registry (NIPR). NIPR’s payment portal interfaces with
MIA’s automated licensing system. In accordance with a memorandum of
understanding between MIA and NIPR, NIPR is to make daily electronic fund
transfers of the prior day’s collections to MIA’s Insurance Regulation Fund.
Our review disclosed that MIA did not conduct daily reconciliations of
applications processed to the related collections to ensure that NIPR properly
transferred all producer licensing fees collected. The reconciliations help to
ensure that online payments are accurately reflected on MIA’s licensing system
(which is the basis for license issuance) and that the related fees were deposited to
the Insurance Regulation Fund.
As a result, there was a lack of assurance that all producer licensing fees were
remitted and deposited into the Fund as required. The Comptroller of Maryland’s
Accounting Procedures Manual requires reconciliations of total collections with
total license applications to be performed.
Recommendation 7
We recommend that MIA perform required daily reconciliations of fee
collections to online applications processed, to ensure that all producer
licensing fees collected online through the NIPR payment portal are received
and properly deposited.
16
Background
MIA’s Management Information Systems (MIS) Department is responsible for
the development, maintenance, and support of MIA’s information systems,
including operation of an internal network at MIA. The network is connected to
networkMaryland for internet and statewide government intranet connectivity and
includes multiple firewalls and intrustion detection prevention systems. MIA’s
main critical application is the Enterprise system which supports insurance
company licensing, complaints, and case tracking.
Finding 8
Intrusion detection and prevention system (IDPS) coverage did not exist for
traffic flowing into the MIA network from certain untrusted origin points.
Analysis
IDPS coverage did not exist for untrusted traffic entering the MIA network from
certain untrusted origin points. Such coverage did not exist for traffic entering the
MIA network over connections from the statewide intranet, MIA’s neutral public
network zone, and the internet passing to a certain MIA internal network segment.
Specifically, we identified 14 firewall rules that allowed traffic from either the
statewide intranet or MIA’s neutral public network zone to the MIA internal
network without defined network IDPS coverage applied. In addition, traffic
from a separate MIA internet connection to a certain MIA internal network
segment also lacked IDPS coverage as a related IDPS device operating for the
network segment was not properly configured to monitor traffic for this purpose.
The absence of IDPS coverage for these forms of untrusted traffic entering the
MIA network created network security risk, as such traffic could contain
undetected malicious data.
The State of Maryland Information Technology Security Manual requires

protection against malicious code and attacks by using IDPS coverage to monitor
system events, detect attacks, and identify unauthorized use of information
systems and/or confidential information. Strong network security uses a layered
approach, relying on various resources, and is structured according to assessed
network security risk. Properly configured IDPS protection can aid significantly
in the detection/prevention of, and response to, potential network security
breaches and attacks.
17
Recommendation 8
We recommend that MIA ensure that IDPS protection exists for all traffic
from untrusted sources entering the MIA network flowing to critical servers
and network segments.
18
Audit Scope, Objectives, and Methodology
We have conducted a fiscal compliance audit of the Maryland Insurance
Administration (MIA), for the period beginning January 31, 2017 and ending
January 20, 2020. The audit was conducted in accordance with generally
accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.
As prescribed by the State Government Article, Section 2-1221 of the Annotated

Code of Maryland, the objectives of this audit were to examine MIA’s financial
transactions, records, and internal control, and to evaluate its compliance with
applicable State laws, rules, and regulations.
In planning and conducting our audit, we focused on the major financial-related

areas of operations based on assessments of significance and risk. The areas
addressed by the audit included disbursements, cash receipts, payroll, information
system security and control, accounts receivable, premium taxes, the Insurance
Regulation and the Health Care Regulatory Funds, producer licensing, and
examinations and audits. We also determined the status of the findings contained
in our preceding audit report.
Our assessment of internal controls was based on agency procedures and controls
in place at the time of our fieldwork. Our tests of transactions and other auditing
procedures were generally focused on the transactions occurring during our audit
period of January 31, 2017 to January 20, 2020, but may include transactions
before or after this period as we considered necessary to achieve our audit
objectives.
To accomplish our audit objectives, our audit procedures included inquiries of

appropriate personnel, inspections of documents and records, tests of transactions,
and to the extent practicable, observations of MIA’s operations. Generally,
transactions were selected for testing based on auditor judgment, which primarily
considers risk. Unless otherwise specifically indicated, neither statistical nor non-
statistical audit sampling was used to select the transactions tested. Therefore, the
results of the tests cannot be used to project those results to the entire population
from which the test items were selected.
We also performed various data extracts of pertinent information from the State’s
Financial Management Information System (such as revenue and expenditure
19
data) and the State’s Central Payroll Bureau (payroll data). The extracts are
performed as part of ongoing internal processes established by the Office of
Legislative Audits and were subject to various tests to determine data reliability.
We determined that the data extracted from these sources were sufficiently
reliable for the purposes the data were used during this audit.
We also extracted data from MIA’s producer licensing system for the purpose of
testing the issuance of licenses and assessments. We performed various tests of
the relevant data and determined that the data were sufficiently reliable for the
purposes the data were used during the audit. Finally, we performed other
auditing procedures that we considered necessary to achieve our audit objectives.
The reliability of data used in this report for background or informational
purposes was not assessed.
MIA’s management is responsible for establishing and maintaining effective

internal control. Internal control is a process designed to provide reasonable
assurance that objectives pertaining to the reliability of financial records;
effectiveness and efficiency of operations, including safeguarding of assets; and
compliance with applicable laws, rules, and regulations are achieved. As
provided in Government Auditing Standards, there are five components of
internal control: control environment, risk assessment, control activities,
information and communication, and monitoring. Each of the five components,
when significant to the audit objectives, and as applicable to MIA, were
considered by us during the course of this audit.
Because of inherent limitations in internal control, errors or fraud may

nevertheless occur and not be detected. Also, projections of any evaluation of
internal control to future periods are subject to the risk that conditions may
change or compliance with policies and procedures may deteriorate.
Our reports are designed to assist the Maryland General Assembly in exercising
its legislative oversight function and to provide constructive recommendations for
improving State operations. As a result, our reports generally do not address
activities we reviewed that are functioning properly.
This report includes findings relating to conditions that we consider to be

significant deficiencies in the design or operation of internal control that could
adversely affect MIA’s ability to maintain reliable financial records, operate
effectively and efficiently, and/or comply with applicable laws, rules, and
regulations. Our report also includes findings regarding significant instances of
noncompliance with applicable laws, rules, or regulations. Other less significant
findings were communicated to MIA that did not warrant inclusion in this report.
20
MIA’s response to our findings and recommendations is included as an appendix
to this report. As prescribed in the State Government Article, Section 2-1224 of
the Annotated Code of Maryland, we will advise MIA regarding the results of our
review of its response.
21
APPENDIX
LARRY HOGAN KATHLEEN A. BIRRANE

Governor Commissioner
BOYD K. RUTHERFORD GREGORY M. DERWART

Lt. Governor Deputy Commissioner
200 St. Paul Place, Suite 2700, Baltimore, Maryland 21202

Direct Dial: 410-468-2000 Fax: 410-468-2020
1-800-492-6116 TTY: 1-800-735-2258
www.insurance.maryland.gov
March 25, 2021
Via Email: [email protected]
Gregory A. Hook, CPA

Legislative Auditor
Department of Legislative Services
Office of Legislative Audits
301 West Preston Street, Room 1202
Baltimore, MD 21201
RE: Maryland Insurance Administration Response to Draft Audit Report
Dear Mr. Hook:
Attached please find the Maryland Insurance Administration’s response to the draft audit report
prepared by your Office for the period beginning January 31, 2017 and ending January 20, 2020.
We appreciate the collaborative and professional process conducted by Edward Welsh and his team.
My staff and I are happy to respond to any questions that you may have.
Sincerely,
K
Kathleen A. Birrane
Commissioner
Attachment
KAB:jdb
cc: Gregory M. Derwart, Deputy Commissioner, MIA (via e-mail w/attachment)

Godwin O. Ehirim, Director, Fiscal Services, MIA (via e-mail w/attachment)
Agency Response Form
Premium Taxes
Finding 1
MIA continued to use premium tax spreadsheets that lacked adequate controls to ensure
the propriety of data recorded and the results of premium tax audits performed.
We recommend that MIA take appropriate action to control the propriety of premium tax
data and audit activity. Specifically, we recommend that MIA procure and implement an
automated premium tax system with sufficient control capabilities or establish adequate
controls within its existing use of spreadsheets (repeat).
Agency Response
Analysis Factually Accurate
Please provide The MIA does not dispute the factual accuracy of Finding 1.
additional comments as
deemed necessary.
Recommendation 1 Agree Estimated Completion Date: Completed

7-31-2020
Please provide details of As a result of communications with the auditors during their field
corrective action or work, the MIA altered certain of its procedures under the guidance of
explain disagreement.
the Auditors beginning in March 2020. In addition, the MIA
conducted an internal review and analysis of its premium tax data and
audit activity. Following that review, the MIA updated and enhanced
its procedures, protocols, tools, and controls, including controls
regarding spreadsheets. The MIA’s revised Premium Tax Data and
Audit Procedures (“PTDA Procedures”), which include a revised
Audit Summary Workbook, are designed to ensure the integrity of its
premium tax data and audit activities. Interim and longer term control
procedures related to changes in the Audit Summary Workbook were
reviewed and determined to be acceptable by the Auditors and have
been implemented.
Following receipt of the Audit Report and Findings, the MIA

evaluated its updated PTDA Procedures to assure that they
incorporated the Auditors’ recommendations. The final PTDA
Procedures document is available to the Auditors for review and
comment.
Page 1 of 13
The final PTDA Procedures have been implemented and the MIA
believes that, as implemented, they satisfy the recommendation to take
action to control the propriety of premium tax data and audit activity.
Separately, the MIA is developing an internal audit function

pursuant to which auditors who work in the Examination and Auditing
(E&A) Unit will evaluate and report to the Commissioner on the
Fiscal Services Unit’s (FSU) compliance with the FSU’s core and
critical procedures (the “Fiscal Unit Audit”). The scope of the Fiscal
Unit Audit will include confirming compliance with procedures
adopted by the MIA as a result of the audit, including the MIA’s
revised PTDA Procedures.
With respect to the two specific, alternative, recommendations set

forth above:
1.) The MIA appreciates the limits of the OPTins system and agrees
that an automated system is preferred. The MIA will develop a
two-phased request for proposal, consistent with Maryland
procurement law and budgetary constraints, for the design and
implementation of an automated system that leverages data
sources such as OPTins. To the extent that procurement laws
allow, the MIA will seek to identify and acquire software utilized
by other state regulators for the same purpose. The MIA
anticipates making this project part of its FY2023 budget request.
2.) In the meantime, as noted above, the MIA has implemented

controls over the existing spreadsheet-based system that fully
address the deficiencies identified by the auditors.
Page 2 of 13
Finding 2
MIA did not ensure that certain premium tax collections received from HMOs and MCOs
were properly recorded and transferred to MDH as required. Significant recording errors
were not detected timely or at all, including an improper reversion of $59 million to the
State’s General Fund that may no longer be available for transfer to MDH.
We recommend that MIA develop adequate procedures and controls to ensure the proper
disposition of HMO and MCO premium tax payments. Specifically, we recommend that
MIA
a. implement procedures to ensure accurate recording of all HMO and MCO premium
tax payments;
b. adequately document journal entries processed to transfer funds including details
regarding specific HMO and MCO premium tax payments being transferred;
c. work in conjunction with Department of Budget and Management and GAD to
determine if there is any course of action available to retroactively correct the improper
disposition of the aforementioned $59 million that was not transferred to the RSF; and
d. transfer all funds in the RSF to MDH, as required, unless there is documented
justification for retaining certain funds in the RSF.
Agency Response
deemed necessary.
Recommendation 2a Agree Estimated Completion Date: Completed

1-15-21
corrective action or work, the MIA conducted an internal review and analysis of its
explain disagreement. procedures for the timely and accurate identification and transfer to the
Rate Stabilization Fund established under § 19-802 of the Insurance
Article (the “RSF”) of premium tax revenue earmarked for deposit to
the RSF. As part of that internal review and analysis, the MIA worked
closely with its counsel to assure the proper interpretation and
applications of the relevant statutes.
Following that review and analysis, the MIA substantially revised,

and implemented, procedures respecting the identification of premium
tax that must be deposited to the RSF, as well as the transfer and
reconciliation of the RSF deposits (the “RSF Procedures”). The RSF
Page 3 of 13
Procedures have been made available to the auditors for review. They
will be included in the scope of the Fiscal Unit Audit.
Under the revised RSF Procedures, the E&A Unit uses the MIA’s
company licensing database to generate the list of RSF Companies in
order to aid the FSU in accurately identifying and reporting the
premium tax payments to be deposited into the RSF. The FSU uses
the E&A list to create the RSF Payment Schedule which tracks the
receipt of quarterly estimated and annual premium tax payments by
RSF Companies, the transfer/deposit of those payments to the RSF,
and the calculation of interest. The RSF Payment Schedule is
reconciled against the Premium Tax Payment Log (also kept by FSU)
and the DAFR 7470 Activity Report on a monthly basis.
Recommendation 2b Agree Estimated Completion Date: Completed

1-15-21
Please provide details of The RSF Procedures require that all RSF transfers include adequate
corrective action or documentation for all journal entries; namely, company name, NAIC
explain disagreement. company number, amount of the transfer, and date. This
documentation information is reconciled against the RSF Payment
Schedule, the FSU’s Premium Tax Payment Schedule and the DAFR
7470 Activity report on a monthly basis.
Recommendation 2c Agree Estimated Completion Date: Completed

3-15-2021
Please provide details of The MIA has been informed by GAD multiple times that it is not
corrective action or possible to transfer the $59 million from the General Fund to the RSF,
explain disagreement. because FY2018 is closed. Notwithstanding that, the MIA requested
that its Principal Counsel review the position taken by GAD and
undertake on behalf of the MIA and the RSF any lawful options which
the OAG believes to be available to restore these funds to the RSF. In
response to the request for legal advice, the MIA’s Principal Counsel
prepared a legal memorandum. In summary, the MIA’s Principal
Counsel reached out to the Department of Budget and Management
(DBM) and was told, through its counsel, that DBM feels that it does
not make sense to pursue the correction due to the imminent sunset of
the RSF and the fact that the funds remained in the General Fund (and
were therefore available to pay similar initiatives). The legal
memorandum prepared by Principal Counsel has been shared with the
auditors.
Page 4 of 13
Recommendation 2d Agree Estimated Completion Date: Completed

1-15-2021
Please provide details of The MIA has historically retained a balance within the RSF to fund
corrective action or premium tax refunds to companies that overestimated and overpaid
their annual premium tax and are entitled to a refund. Premium tax is
assessed on a calendar year basis and carriers must pay estimated
premium tax payments quarterly during the calendar year and then
submit an annual tax return by March 15 of the following year (based
on the prior year’s premium). Because of certain timing
considerations, discussed in more detail below, the MIA has
historically retained an estimated refund amount because an actual
refund amount may not be known at fiscal year-end. Specifically,
MCOs are subject to Medicaid premium adjustments that could impact
the final audit. Additionally, the MIA’s premium tax audit process, as
outlined in § 6-109(b) of the Insurance Article, allows for the
completion of the premium tax audit within 3 years of the date the tax
return is due (although the MIA’s current practice and procedure is to
complete the premium tax audit by the end of August for the prior
calendar year). Finally, and significantly, because the RSF is due to
sunset in 2021, retention of an appropriate amount to address potential
refunds is especially vital because it ensures there are funds available
to address refunds to companies that are entitled to a refund.
In response to the auditors’ recommendation, the MIA revised its

RSF Procedures to address and revise the MIA’s historical practice of
retaining a balance in the RSF fund by adding certain additional
requirements. The Procedures require: (1) that the refund estimate is
calculated by taking the average refund amount of the prior two (2)
fiscal years’ refund requests, and (2) that the Fiscal Services Director
document the estimate calculation. This revised approach will more
closely approximate the funds needed to be retained for refund
requests, ensure transfers (i.e. refunds) from the RSF fund remain
within the same fiscal year, and ensure that funds are available during
this final year of the RSF.
Page 5 of 13
Finding 3
MIA’s reconciliations of its premium tax revenue records to the State’s accounting records
were not conducted timely and did not ensure that all tax revenue had been credited to the
appropriate fund.

a. conduct premium tax revenue reconciliations on a timely basis,
b. verify as part of its reconciliations that revenue has been properly credited to the
appropriate funds, and
c. ensure that revenue information reported to BRE is accurate.
Agency Response
deemed necessary.

1-15-21
Please provide details As a result of communications with the auditors during their field
of corrective action or work, the MIA conducted an internal review and analysis of its
explain disagreement. premium tax activities, including the timeliness of the conduct of
premium tax reconciliations, which resulted in the adoption and
implementation of the revised PTDA Procedures and the RSF
Procedures. Those Procedures require that premium tax reconciliations
be performed monthly and that the monthly performance be verified
by the Director or Assistant Director of the FSU. In addition, the
timeliness and accuracy of the premium tax reconciliation process will
be included in the scope of the Fiscal Unit Audit.

1-15-21
Please provide details The RSF Procedures (relating to premium tax revenue) are
of corrective action or described in the Response to Finding 2. Compliance with these
explain disagreement. Procedures and verification of these calculations also will be included
in the scope of the Fiscal Unit Audit.
Page 6 of 13

1-15-21
Please provide details The MIA and GAD met in February 2020 to discuss errors and
of corrective action or corrections in RSF reporting that occurred in FY2018, FY2019, and
explain disagreement. FY2020. Recommendations from GAD regarding how to avoid such
errors in the future were incorporated into the RSF Procedures. Since
the February 2020 meeting and the subsequent adoption and
implementation of the RSF Procedures, neither GAD nor BRE have
identified any new reporting errors.
Finding 4
MIA did not prepare its overall assessment calculation for the IRF in accordance with its
procedures, could not support certain estimates used in the calculation, and could not
document that the calculation was reviewed and approved by supervisory personnel.

a. ensure that the overall IRF assessment calculations are completed as required by its
procedures,
b. maintain adequate supporting documentation for estimated amounts included in its
assessment calculation, and
c. require a documented supervisory review and approval of the assessment calculation
prior to billing insurers.
Agency Response
Analysis Not Factually Accurate
Please provide The MIA does not dispute the factual finding in the first bullet
additional comments as point. However, the auditors’ calculation of the amounts of the carry
deemed necessary. forward amounts for 2018, 2019 and 2020 included certain unused/old
fund accounts which the MIA would not have included in the
calculation. The MIA agreed, however, that steps needed to be taken to
address and close out those accounts appropriately. During the January
20, 2021 exit meeting with the auditors, the MIA agreed that the best
way to proceed would be to research the genesis of the unused/old
accounts and to work with GAD to close or remove those accounts. The
Page 7 of 13
MIA did reach out to GAD, which recommended that the MIA work
with DBM, which is currently researching the best way to resolve the
issue. The MIA will determine the appropriate steps to take once that
research is complete. The FSU Director will ensure that those steps are
promptly implemented.
The MIA does not dispute the factual accuracy of the remainder of
Finding 4.
Auditor’s Comment: MIA has indicated not factually accurate in reference to the
analysis, but the response clarified that MIA does not dispute the factual finding. MIA
further explained that certain unused/old accounts included in the carry-forward
(beginning fund) balance referenced in the analysis need to be appropriately closed out,
which it intends to do. Consequently, we do not consider this an area of disagreement.

1-15-21
corrective action or work, the MIA conducted an internal review and analysis of its
procedures relating to the calculation, assessment, and collection of
assessments to be paid by insurers to the insurance regulation fund
(“IRF”). Following that review, the MIA adopted and implemented new
procedures, protocols, tools, and controls designed to ensure the
accuracy of those activities (the “IRF Procedures). Following receipt of
the Audit Report and Findings, the MIA evaluated the IRF Procedures
to assure that they incorporated the Auditors’ recommendations and
adopted an updated version of the IRF Procedures. This document is
available to the Auditors for review and comment. The IRF Procedures
will be included in the scope of the Fiscal Unit Audit.
Per the IRF Procedures, the FSU uses the MIA Legislative
Appropriation amount transmitted from DBM for the fiscal year as the
starting point for the IRF calculation. From that amount, the FSU adjusts
the Appropriation for any step movement or reserve needed, and then
subtracts the Health Care Regulatory Appropriation and reserve, the
estimated IRF carry forward amount, and revenue from certain fees and
investment income outlined by law. The resulting amount is the IRF
Page 8 of 13
assessment amount for the fiscal year and must equal 60% of the MIA’s
approved budget appropriation.
The revised IRF Procedures require documentation of the review and

approval of the assessment calculation prior to billing insurers.

1-15-21
Please provide details of The IRF Procedures include the requirement that supporting
corrective action or documentation be maintained for each estimated amount used in the
explain disagreement. assessment calculation.

1-15-21
Please provide details of A supervisory review is part of the IRF Procedures. In addition,
corrective action or compliance with the IRF Procedures will be included within the scope
explain disagreement. of the Fiscal Unit Audit.
Finding 5
Allocations of assessments to insurance companies were not always made as required or
correct.

a. ensure that all applicable insurance providers are accurately assessed, in accordance
with State law, for amounts due to the Insurance Regulation Fund; and
b. review the amounts assessed during the audit period to determine any amounts due to
or from insurance companies related to errors in the assessment calculations.
Agency Response
deemed necessary.

1-15-21
Page 9 of 13
Please provide details of As noted previously, the MIA has adopted and implemented the
corrective action or revised IRF Procedures, which are designed to assure the accuracy of
explain disagreement. the calculation of the assessment; the allocation of the assessment among
the entities subject to it; and verification, reconciliation and audit of
assessment payments and fund deposits. In developing the IRF
Procedures, the MIA worked closely with counsel to assure that the IRF
statutory requirements were correctly interpreted and applied. In
addition, the IRF Procedures will be included in the scope Fiscal Unit
Audit.
Under the revised IRF Procedures, the FSU and the E&A Unit use
the MIA’s company licensing database and premium tax filing data to
generate the list of entities subject to the IRF assessment. Companies
are then classified per the applicable statutory law for assessment
purposes according to procedures approved by the OAG. The IRF
Procedures include a verification check within the FSU and sign-off by
the Director of the FSU.
Recommendation 5b Agree Estimated Completion Date: 8-1-2021

corrective action or work, the MIA began to review company listings used to allocate
explain disagreement. assessments during the audit period to identify errors in the amounts
assessed. The MIA identified two entities that were subject to the IRF
assessment that were not assessed (MAIF and Renaissance
Reinsurance). The MIA reached out to both entities and it was agreed
that the MIA would issue an assessment for the missing years based on
the data for those years. That calculation was made and invoices were
issued in November 2020.
As a separate process, the MIA is recreating the company listing,

premium Workbook, and allocation calculation for FY2016 through
FY2020. This exercise will then lead to the identification of shortfalls
and overpayments (including for the two entities that were missed) for
those years. Our expectation is that this process will be completed by
August 1, 2021. The MIA is working with counsel to determine our
authority for adjusting these payments and will make any lawful
adjustments as part of the FY2022 assessment.
Page 10 of 13
Finding 6
MIA could not readily explain a growing deficit in the Health Care Regulatory Fund,
which had a deficit balance over $1.3 million as of June 30, 2020.

a. investigate the deficit in the Health Care Regulatory Fund and determine appropriate
corrective action; and
b. properly report all fund balances separately at fiscal year-end, as required.
Agency Response
deemed necessary.

10-20-2020
corrective action or work in which they identified potential deficiencies in the HCRF during
explain disagreement. the audit period, the MIA conducted an internal investigation as to
whether such deficiencies existed and, if so, the cause of the
deficiencies. The investigation confirmed that the balance of the HCRF
was deficient in each year within the audit period. The MIA determined
that these deficiencies resulted from the failure of the FSU to consider
the historic costs and expenses of the Appeals & Grievance Unit and to
project the needs of the HCRF based on annually updated historic data.
The MIA thereafter developed, adopted and implemented revised HCRF
Procedures, which now requires the FSU to identify the annual costs and
expenses incurred by the MIA’s Appeals & Grievance Unit, to determine
the cost/expense and complaint trends, and to estimate future
costs/expenses and HCRF needs based on those considerations.
Additionally, the FSU must consider the HCRF fund balance deficit (or
surplus) in its calculation of the HCRF assessment and to document the
review and approval of the assessment calculation. The revised
Procedures require documentation of the review and approval of the
assessment calculation. The HCRF Procedures will be included within
the scope of the Fiscal Unit Audit.
Page 11 of 13
Working with counsel, the MIA has developed a five-year plan of

recoupment which has been shared with the auditors. The first phase of
that plan was implemented in October 2020.
Recommendation 6b Agree Estimated Completion Date: July 2021

Please provide details of While GAD has not noted errors in MIA closing reports in the past,
corrective action or the MIA intends to report all special fund balances separately at fiscal
explain disagreement. year-end as recommended.
Finding 7
MIA did not ensure that all producer licensing fees collected by a third party were remitted
and deposited into the Insurance Regulation Fund as required.
We recommend that MIA perform required daily reconciliations of fee collections to online
applications processed, to ensure that all producer licensing fees collected online through
the NIPR payment portal are received and properly deposited.
Agency Response
deemed necessary.

1-25-2021
corrective action or work, the MIA conducted an internal evaluation of the procedures
explain disagreement. employed to verify and reconcile the accuracy and receipt of the
producer licensing fees collected online via the National Insurance
Producer Registry (NIPR) website. As a result of its internal
investigation and review, the MIA developed, adopted and implemented
new procedures for calculating the amount due to the MIA as producer
licensing fees and for reconciling amounts due with the amount reported
through NIPR and the amounts remitted to the MIA from NIPR (the
“NIPR Reconciliation Procedures”). A copy of the NIPR Reconciliation
Page 12 of 13
Procedures has been made available to the auditors for review and will
be included within the scope of the Fiscal Unit Audit.
Per the new NIPR Reconciliation Procedures, the FSU performs the
reconciliation each business day on which the MIA is notified via the
R*stars ACH entry report received from the Maryland Treasurer that
NIPR revenue was received into the General Fund. The reconciliation is
performed by first reconciling MIA licensing data with the State Based
Systems (SBS) that house the NIPR transactions and the fees associated
with them, and then compare the amounts owed to the MIA against the
R*stars ACH entry report received from the Maryland Treasurer.
Finding 8
Intrusion detection and prevention system (IDPS) coverage did not exist for traffic flowing
into the MIA network from certain untrusted origin points.
We recommend that MIA ensure that IDPS protection exists for all traffic from untrusted
sources entering the MIA network flowing to critical servers and network segments.
Agency Response
deemed necessary.

10-30-2020
Please provide details of The MIA conducted an assessment of its network security risks
corrective action or relative to IDPS coverage. An Intrusion Policy has been created and
explain disagreement. applied for one of our firewalls and its access control rules. The MIA
has added the MIA Intrusion Policy to another separate NGFW’s ACL
rules listed in the audit recommendations. The MIA will apply
logging/reporting to all Access Policy rules.
Page 13 of 13
AUDIT TEAM
Michael J. Murdzak, CPA
Audit Manager
R. Brendan Coffey, CPA, CISA

Information Systems Audit Manager
Edward J. Welsh, CFE

Anthony V. Calcagno
Senior Auditors
Michael K. Bliss, CISA

Information Systems Senior Auditor
Malik A. Farooq
Matthew P. Henry
Ibijoke O. Owolabi, CPA
Staff Auditors
Charles O. Price
Malcolm J. Woodard
Information Systems Staff Auditors

Maryland Insurance Administration: Audit Report

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Maryland Insurance Administration: Audit Report

Uploaded by

Copyright:

Available Formats

Audit Report

Maryland Insurance Administration

OFFICE OF LEGISLATIVE AUDITS

To Obtain Further Information

Ladies and Gentlemen:

We have conducted a fiscal compliance audit of the Maryland Insurance

MIA’s response to this audit is included as an appendix to this report. We

We wish to acknowledge the cooperation extended to us during the audit by

Gregory A. Hook, CPA

Findings and Recommendations 7

Finding 3 – Reconciliations of MIA’s premium tax revenue records 11

Insurance Regulation Fund Assessments

Finding 5 – Allocations of assessments to insurance companies were not 13

Health Care Regulatory Fund

* Denotes item repeated in full or part from preceding audit report

Information Systems Security and Control

Audit Scope, Objectives, and Methodology 19

Agency Response Appendix

According to the State’s

As required by State law,

Specifically, data recorded on spreadsheets, as well as formulas in templates used

Since data recorded in the spreadsheets is used extensively in the performance of

Transfers Were Not Adequately Supported Resulting In Errors Going Undetected

Specifically, our review of 55 payments from HMOs and MCOs totaling

RSF Balance Was Not Transferred to MDH As Required

Insurance Regulation Fund Assessments

 MIA over-assessed 11 insurers approximately $2.3 million because MIA

 MIA under-assessed 67 insurers by approximately $814,000 because they

Increase in Deficit from Prior Year $ 334,241 $ 299,475 $ 468,824

Producer Licensing Fees

The State of Maryland Information Technology Security Manual requires

As prescribed by the State Government Article, Section 2-1221 of the Annotated

In planning and conducting our audit, we focused on the major financial-related

To accomplish our audit objectives, our audit procedures included inquiries of

MIA’s management is responsible for establishing and maintaining effective

Because of inherent limitations in internal control, errors or fraud may

This report includes findings relating to conditions that we consider to be

LARRY HOGAN KATHLEEN A. BIRRANE

BOYD K. RUTHERFORD GREGORY M. DERWART

200 St. Paul Place, Suite 2700, Baltimore, Maryland 21202

March 25, 2021

Via Email: [email protected]

Gregory A. Hook, CPA

RE: Maryland Insurance Administration Response to Draft Audit Report

Dear Mr. Hook:

cc: Gregory M. Derwart, Deputy Commissioner, MIA (via e-mail w/attachment)

Agency Response Form

Recommendation 1 Agree Estimated Completion Date: Completed

Following receipt of the Audit Report and Findings, the MIA

Agency Response Form

Separately, the MIA is developing an internal audit function

With respect to the two specific, alternative, recommendations set

2.) In the meantime, as noted above, the MIA has implemented

Agency Response Form

Recommendation 2a Agree Estimated Completion Date: Completed

Following that review and analysis, the MIA substantially revised,

Agency Response Form

Recommendation 2b Agree Estimated Completion Date: Completed

Recommendation 2c Agree Estimated Completion Date: Completed

Agency Response Form

Recommendation 2d Agree Estimated Completion Date: Completed

In response to the auditors’ recommendation, the MIA revised its