Table of Contents - General Services Administration

Review of Internal Controls over Reporting (ICOR) for CMS
Statement of Work
5/20/2020
CMS A-123 Technical Team
THE CENTERS FOR MEDICARE & MEDICAID SERVICES

STATEMENT OF WORK
Review of Internal Controls over Reporting of the Centers for Medicare & Medicaid Services (CMS)

Table of Contents

I. Scope
  A. Background
  B. Description of CMS
  C. General Requirements
Part One - ICOFR
  A. Purpose
  Step A: Plan and Scope the Evaluation
    1. Establish the Assessment Process
    2. Identify Significant Financial Reports
    3. Define Materiality
    4. Identify Significant Accounts
    5. Identify Significant Components and Locations
    6. Identify the Relevant Financial Statement Assertions and Risks
    7. Identify the Major Transaction Cycles
    8. Link Accounts and Transaction Cycles
    9. Crosswalk of Applications to Cycle Memos
    10. Work Products and Documentation (Deliverables)
  Step B: Document Controls and Evaluate Design of the Controls
    1. Identify Related Laws and Regulations
    2. Document Key Controls at the Entity Level
    3. Identify and Document Key Controls at the Major Transaction Cycle, Sub-Cycle or Account Level
    4. Obtain and Document the Business Owner’s Concurrence
    5. Evaluate the Design of Key Controls
    6. Work Products and Documentation (Deliverables)
  Step C: Test Operating Effectiveness
    1. Define and Document the Testing Approach
    2. Test of the Key Controls
    3. Test Compliance with Related Laws and Regulations
    4. Evaluate the Operation of the Controls
    5. Work Products and Documentation (Deliverables)
  Step D: Identify and Address Deficiencies in the Current Review; Validate Prior A-123, CFO, and Other CAPs for CMS Contractors, SSMs, DCs, and Baltimore Applications; and CMS Locations
    1. Interpret the Results
    2. Categorize the Types of Control Deficiencies
    3. Assist in Creating Current Year Corrective Action Plans to Remedy Deficiencies and Test Remediated Controls
    4. Requirements for a CAP Follow Up Review at CMS Contractors, SSMs, DCs, and Baltimore Applications
    5. Validation of Prior A-123 CAPs and Selected CMS CAPs
    6. Work Products and Documentation (Deliverables)
  Step E: Report on Internal Controls over Financial Reporting
    1. Submit Required Reports to HHS
    2. Initial Assurance Statement
    3. Interim Supporting Narrative
    4. Updated Assurance Statement
    5. Work Products and Documentation (Deliverables)
  CMS Required Report Guidelines and Deliverable Task
    1. Contractor and CMS Initial Meeting
    2. Entrance Conferences with CMS Locations, Contractors, Baltimore Applications, DCs, and SSMs
    3. A-123 Weekly Status Meetings
    4. Monthly Status Reporting
    5. Project Work Plan (PWP)
    6. Planning/Scoping Document and Assessment Process Documentation
    7. On-Site Activities
    8. A-123 Internal Control over Financial Reporting Education
    9. Documentation on Internal Control over Financial Reporting
    10. Evaluation of Design and Test of Operating Effectiveness
    11. Conduct A-123 Presentations, as Required, to the Risk Management and Financial Oversight Committee (RMFOC); CFO Audit Support; and Other Needed Support
    12. Final Exit Conference for CMS Selected Locations, Baltimore Applications, Contractors, DCs, and SSMs
    13. Draft Report Issuance for CMS Locations, Baltimore Applications, Contractors, DCs, and SSMs
    14. Final Report Issuance for CMS Locations, Baltimore Applications, Contractors, DCs, and SSMs
    15. Results of Testing and Interim Assurance Statement
    16. Report on Validation of Previous CMS A-123, CFO, and Selected CMS CAPs
    17. CAP Follow Up Reports
    18. Updated Assurance Statement and Supporting Information
    19. Documentation
    20. Required Reports
    21. Deliverable Instructions
Part Two - ICOR
  A. Objectives
  B. Purpose
  C. Work Products and Documentation (Deliverables)
Attachment A: Sample of Mapping of Controls
Attachment B: Crosswalk of Baltimore Office Applications to Cycle Memos Template
Attachment C: Schedule of Deliverables
Attachment D: HHS Appendixes

Table 1: List of Commonly Used Acronyms

A-123: OMB Circular No. A-123, Appendix A
ACA: Affordable Care Act
AFR: CMS Agency Financial Report
AHBE: American Health Benefit Exchange
ARS: CMS Acceptable Risk Safeguards
ATT: CMS A-123 Technical Team
BHP: Basic Health Program
BPSSM: Business Partners Systems Security Manual
CAATS: CMS Assessment/Audit Tracking Sheet
CAP: Corrective Action Plan
CCIIO: Center for Consumer Information and Insurance Oversight
CDL: Control Deficiency Log
CFACTS: CMS FISMA Controls Tracking System
CFO: Chief Financial Officer
CHIP: Children’s Health Insurance Program
CISA: Certified Information Systems Auditor
CLIA: Clinical Laboratory Improvement Amendments of 1988
CMMI: Center for Medicare & Medicaid Innovation
CMS: The Centers for Medicare & Medicaid Services
CMSRs: CMS’ Minimum Security Requirements
COOP: Consumer Operated and Oriented Plan Program
COR: Contracting Officer’s Representative
CPA: Certified Public Accountant / Accounting Firm
CPARS: Contractor Performance Assessment Reporting System
CPIC: CMS Certification Package of Internal Controls
CS: Contract Specialist
CUEC: Complementary User Entity Control
DC: Data Center
DD: Denotes the 2 digits of a day within a month (e.g. 01 through 31)
HHS: The Department of Health and Human Services
DME: Durable Medical Equipment
DOC: The Department of Commerce
EBDP: Entitlement Benefits Due & Payable
EIT: Electronic and Information Technology
FAR: Federal Acquisition Regulation
FBWT: Fund Balance with Treasury
FedRAMP: Federal Risk and Authorization Management Program
FFMIA: Federal Financial Management Improvement Act
FFS: Fee for Service
FIPS: Federal Information Processing Standards
FISCAM: Federal Information System Controls Audit Manual
FISMA: Federal Information Security Management Act of 2002
FMFIA: Federal Managers’ Financial Integrity Act of 1982
FSTARS: CMS FMFIA Self-Assessment Questionnaire
FY: Fiscal Year
GAO: Government Accountability Office
HHSAR: Health & Human Services Acquisition Regulation
HI: Medicare Hospital Insurance
HIRR: Health Insurance Rate Review
HITECH Act: Health Information and Technology for Economic and Clinical Health Act
HR: Human Resources
ICOFR: Internal Controls Over Financial Reporting
ICOR: Internal Controls Over Reporting
IOM: Internet Only Manual
IRS: Internal Revenue Service
IT: Information Technology
MAC: Medicare Administrative Contractor
MM: Denotes the 2 digits of a month (e.g. June = 06, July = 07, etc.)
MMA: Medicare Prescription Drug, Improvement and Modernization Act of 2003
MSPRC: Medicare Secondary Payer Recovery Contractor(s)
N/A: Not Applicable
NIST: National Institute of Standards and Technology
OFM: Office of Financial Management
OFPP: Office of Federal Procurement Policy
OIG: Office of Inspector General
OMB: Office of Management and Budget
OPDIV: Operating Division
PCIE: President’s Council on Integrity and Efficiency
PP&E: Property, Plant, and Equipment
PUBS: Publications
PWP: Project Work Plan
RA: Risk Adjustment
RC: Risk Corridor
RDS: Retiree Drug Subsidy
RI: Reinsurance
RMFOC: Risk Management and Financial Oversight Committee
SCA: Security Controls Assessment
SCSIA: Statement of Changes in Social Insurance Amounts
SF: Standard Form
SIWGP: State Innovation Waivers Grant Program
SMI: Medicare Supplementary Medical Insurance
SOP: Standard Operating Procedure
SOSI: Statement of Social Insurance
SOW: Statement of Work
SP: Special Publication
SREW: State Relief & Empowerment Waivers
SSAE: Standards for Attestation Engagements
SSAE 18: Standards for Attestation Engagements Number 18
TBD: To Be Determined
TMTF: Treasury Managed-Trust Funds
US: United States
USCFOC: United States Chief Financial Officers Council
YY: Denotes the last 2 digits of a year (e.g. 20YY could be 2018, etc.)

Statement of Work
Review of Internal Controls over Reporting of the Centers for Medicare & Medicaid Services (CMS)

*Note that this sample has been revised from the source document on the Government Point of Entry as necessary to align formatting and applicable FAR procedures.*

I. Scope

The contractor shall provide services in support of the Office of Management and Budget’s (OMB) revised Circular No. A-123, Appendix A (A-123), Management of Reporting and Data Integrity Risk, review of internal controls over reporting (ICOR) within the Centers for Medicare & Medicaid Services (CMS) using a maturity model approach. The Statement of Work describes the general requirements; however, it is not meant to be all-inclusive.
The Department of Health and Human Services (HHS) may provide additional A-123 guidance to CMS. If HHS provides additional guidance to CMS, CMS will distribute the guidance to the CPA firm. The CPA firm will be required to comply with the guidance.

A. Background

CMS management is responsible for developing and maintaining effective internal control to achieve effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. CMS is the nation’s largest health insurer and has a fiduciary responsibility to ensure that each dollar spent for benefits and/or administration of its programs is spent in the best interest of beneficiaries and the American taxpayers.

OMB issued a revised Circular No. A-123, Management’s Responsibility for Internal Control, dated December 21, 2004, which was effective beginning in fiscal year (FY) 2006. OMB Circular A-123 was revised again in July 2016, and the title was changed to Management’s Responsibility for Enterprise Risk Management and Internal Control. Appendix A of OMB Circular A-123 requires the heads of certain Federal agencies to annually document and assess internal controls over financial reporting (ICOFR) and report the results in a management assurance statement similar to that required of publicly-traded companies by the Sarbanes-Oxley Act of 2002. Appendix A provides a framework for management’s use to document, assess, and report on conclusions reached in evaluating an agency’s ICOFR. Historically, in each year, HHS provided every operating division (OPDIV) with A-123 implementation guidance. The last implementation guidance received was in FY 2015.

Appendix A of OMB Circular A-123 was revised in June 2018, and the title was changed to Management of Reporting and Data Integrity Risk. It expands beyond ICOFR to internal control over reporting (ICOR). This update gives agencies the flexibility to determine which control activities are necessary to achieve reasonable assurance over internal controls and processes that support overall data quality contained in agency reports. Historically, CMS has primarily focused on ICOFR given the magnitude of CMS outlays. CMS will continue to focus on ensuring management has effective internal controls over financial reporting alongside implementing the objectives of the new Appendix. The revised circular encourages agencies to take a maturity model approach towards its implementation. This statement of work (SOW) considers the importance of this maturity level approach by allocating labor hours between Parts One and Two of the SOW over the contract period.

B. Description of CMS

CMS, an OPDIV under HHS, administers Medicare, Medicaid, Prescription Drugs, the Children’s Health Insurance Program (CHIP), the Clinical Laboratory Improvement Amendments of 1988 (CLIA), and provisions of the Patient Protection and Affordable Care Act (ACA), and is one of the largest purchasers of health care in the world. Based on recent projections, Medicare and Medicaid (including state funding) represent 37 cents of every dollar spent on health care in the United States (US).

CMS net outlays totaled approximately $1,080.7 billion in FY 2019. In FY 2019, the total net cost of operations was $1,087.3 billion, encompassing total benefit/program costs of $1,195.8 billion and operating costs of $6.5 billion. CMS establishes policies for program eligibility and benefit coverage, processes over one billion Medicare claims annually, provides prescription drug coverage, provides states with matching funds for Medicaid benefits, and monitors the quality of health care for beneficiaries.

CMS employs over 6,000 Federal employees in Baltimore, Maryland; Bethesda, Maryland; Washington, D.C.; and other offices throughout the continental US. CMS employees provide direct services to CMS contractors, State agencies, health care providers, beneficiaries, and the general public. CMS provides funds to CMS contractors; writes policies and regulations; sets payment rates; safeguards the fiscal integrity of the Medicare, Medicaid, and other health programs to ensure that benefit payments for medically necessary services are paid correctly the first time; recovers improper payments; assists law enforcement agencies in the prosecution of fraudulent activities; monitors contractor performance; develops and implements customer service improvements; provides education and outreach activities to beneficiaries and Medicare providers; surveys hospitals, nursing homes, labs, home health agencies and other health care facilities for compliance with Medicare health and safety standards; and assists the states and territories with Medicaid and CHIP.

CMS administers its programs through the use of third parties. The Medicare Advantage and Prescription Drug programs are administered through the use of Medicare Advantage Organizations, Prescription Drug Plans, and the Retiree Drug Subsidy (RDS) contractor. The Medicaid program and CHIP are administered through the states and territories. The Medicare Administrative Contractors (MACs)/Durable Medical Equipment (DME) MACs process Medicare fee-for-service claims, provide technical assistance to providers, service beneficiaries’ needs, and respond to inquiries. Additionally, Quality Improvement Organizations conduct a wide variety of quality improvement programs to ensure quality of care provided to Medicare beneficiaries.

In each fiscal year CMS may contract with a Certified Public Accountant (CPA) firm to conduct A-123 Appendix A internal control reviews. Specifically, Statement on Standards for Attestation Engagements (SSAE) Number 18 (SSAE 18) audits are conducted on the CMS Parts A/B and DME MACs.
The results will be considered when issuing the management assurance statement for A-123.

C. General Requirements

1. The contractor shall perform work in accordance with this SOW and the following requirements at a minimum:

- The CPA firm and CMS’s A-123 Technical Team (ATT) shall agree on a deliverable format if not specifically identified in the Deliverable Schedule (Attachment C);
- The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) and OMB Bulletin No. 07-04, Audit Requirements for Federal Financial Statements;
- The most current HHS Guidance to Implement Appendix A of OMB Circular A-123;
- OMB Circular A-123, Appendix A guidance;
- GAO Framework for Assessing the Acquisition Function At Federal Agencies, September 2005;
- Federal Acquisition Regulation (FAR);
- HHS Acquisition Regulation (HHSAR);
- CMS Acceptable Risk Safeguards (ARS);
- CMS Business Partners Systems Security Manual (BPSSM) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-115 (Technical Guide to Information Security Testing and Assessment);
- Applicable Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM);
- NIST Federal Information Processing Standards (FIPS) Publications (PUBS);
- Federal Risk and Authorization Management Program (FedRAMP);
- Federal Information Security Modernization Act (FISMA);
- NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations);
- NIST SP 800-53A (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans);
- NIST SP 800-30 (Guide for Conducting Risk Assessments).

2. Independently and not as an agent of the government, the Contractor shall furnish all the necessary services, qualified personnel, material, equipment, and facilities, not otherwise provided by the government, as needed to perform the requirements of this SOW.

Note: Comprehensive workpapers (including cycle memos, test plans, reports, etc.) from the prior fiscal year will be provided to the CPA firm.

3. The CPA firm shall provide a database that will house the A-123 workpapers, reports, cycle memos, and other supporting documentation. Workpapers shall contain sufficient information to enable an experienced auditor/accountant having no previous connection with this review to ascertain from them the evidence that supports the CPA firm’s significant conclusions and judgments reached. The CPA firm shall store this information in such a way that it can be accessed by CMS immediately upon request. Final copies of the CPA firm’s workpapers, reports, cycle memos, and documentation supporting the review shall be provided each year in a format agreeable to CMS. The contract will require the CPA firm to meet CMS information security requirements (see CMS Information Security Contract Clause / Provision).

Key Personnel:

Partner: Must be a CPA, and have relevant credentials for this SOW, which include experience in Medicare and Medicaid/CHIP operations (at least five years is required) and ten years of experience in American Institute of Certified Public Accountants (AICPA) consulting standards, and be proficient in internal controls and financial reporting of Medicare and Medicaid/CHIP.
Experience at HHS OPDIVs or other Federal entities similar in size, magnitude, and complexity to CMS is required.

Project Director: Must have relevant credentials for this SOW, which include experience in Medicare and Medicaid/CHIP operations (at least five years is required) and eight years of experience in AICPA consulting standards, and be proficient in internal controls and financial reporting with Medicare and Medicaid/CHIP.

Financial Manager: Must have a bachelor’s degree in Accounting or other related business field, with a minimum of five years of experience in Medicare and Medicaid/CHIP operations and five years of experience in AICPA consulting standards, and be proficient in internal controls and financial reporting with Medicare and Medicaid/CHIP.

Information Technology (IT) Manager: Must be a Certified Information Systems Auditor (CISA) with at least five years of experience at HHS OPDIVs or other Federal entities similar in size, magnitude, and complexity to CMS. The IT Manager shall demonstrate direct working knowledge of, at a minimum, FISMA, FISCAM, FedRAMP, and NIST Guidance.

Part One - ICOFR

Financial reporting, as referred to in this SOW, includes CMS and CMS contractors’ basic financial statements, all required supplementary information, and all related schedules and disclosures, as included in the CMS Financial Report. The areas included under the financial reporting umbrella include the same areas audited during the CMS annual financial statement audit. For example:

- Medicaid and CHIP grant award and expense reporting process,
- Medicare Advantage (Part C) and Prescription Drug (Part D) payment calculation and review,
- Estimates, projections and statements (e.g. Statement of Social Insurance (SOSI)) developed by the CMS Office of the Actuary,
- Applicable Baltimore IT Applications,
- Medicare contractors’ fee-for-service claims and financial operations (including Medicare contractors, Data Centers (DCs), Shared System Maintainers (SSMs), and/or business partners), and
- Financial statement preparation by the Office of Financial Management (OFM).

A. Purpose

The CPA firm shall:

- Prepare and/or enhance the agency-wide documentation of CMS, including major transaction cycles; CMS contractors such as the Financial Services Support Contractor for Exchange Financial Activities, Retiree Drug Subsidy (RDS), and the Medicare Secondary Payer Recovery Contractor(s) (MSPRC); and financial and IT internal control processes used in financial reporting, including documentation of the financial reporting process and process level controls over financial reporting.
- Identify the key controls at CMS, CMS contractors, Baltimore applications, SSMs, and DCs that need to be evaluated, and develop detailed review protocols for each area.
- Perform testing of the design and operating effectiveness of internal controls over financial reporting at CMS, CMS contractors, Baltimore applications, SSMs, and DCs, and identify any deficiencies in accordance with Appendix A of OMB Circular A-123.
- Develop Control Deficiency Logs (CDLs) and assist business owners in developing Corrective Action Plans (CAPs) for all identified issues.
- Develop work papers that provide sufficient detail to enable an experienced reviewer having no previous connection to the review to understand from the review documentation the nature, timing, extent, and results of the review procedures performed; the review evidence obtained and its source; and the conclusions.
- Provide support to the CMS financial statement audit in order to minimize duplication of effort and create a more efficient review and audit process. Activities will include, but not be limited to, coordinating on-site activities to include CFO auditor participation/observation (i.e., activities such as planning, scoping, testing approach, walkthroughs of processes, documentation, and testing), making A-123 workpapers and copies available, responding to audit questions, and attending meetings to discuss A-123 and CFO topics.
- For the Exchange and Other Related Programs, the Premium Stabilization Program, Basic Health Program (BHP), the State Innovation Waivers Grant Program (SIWGP)/State Relief & Empowerment Waivers (SREW) (Section 1332), as well as other ACA Programs, in addition to providing support to the CFO audit, it will be necessary to provide support to various reviews and audits which could involve an array of stakeholders such as the Internal Revenue Service (IRS), Government Accountability Office (GAO), Office of Inspector General (OIG) and others. Activities will include, but not be limited to, coordinating activities to include stakeholder participation/observation (i.e., activities pertaining to the 5 step A-123 process), making A-123 workpapers and copies available, responding to audit and other questions, and conducting/attending meetings and presentations as needed.

This SOW relating to ICOFR includes the following Steps:

A. Plan and Scope the Evaluation;
B. Document Controls and Evaluate Design of the Controls;
C. Test Operating Effectiveness;
D. Identify and Address Deficiencies in the Current Review; Validate Prior A-123, CFO, and other CAPs for CMS Contractors, SSMs, DCs, and Baltimore applications; and all CMS locations; and
E. Report on Internal Controls over Financial Reporting.

Step A: Plan and Scope the Evaluation

1. Establish the Assessment Process

To ensure timely completion of its work, the CPA firm shall develop a Project Work Plan (PWP) describing its technical approach to accomplishing each task.
The CPA firm shall create a calendar that reflects significant deadlines and establishes a status reporting process. The schedule (including deliverables) shall be aligned with the milestones established by HHS and CMS’s A-123 Technical Team (ATT). The CPA firm shall also ensure that any significant issues are brought to the attention of the Contracting Officer’s Representative (COR)/ATT.

2. Identify Significant Financial Reports

OMB Circular A-123 Appendix A mandates assurance on internal control related to the annual financial statements, as well as other significant internal or external financial reports. Other significant financial reports are those reports with a significant impact on decisions related to spending, budget, or other financial areas, or reports used to determine CMS’ compliance with laws and regulations. Significant financial reports for the A-123 assessment will include reports submitted to CMS by the Medicare contractors. The assessment of internal controls over financial reporting will also include the CMS quarterly and annual principal financial statements listed below.

Table 2: Listing of CMS Quarterly / Annual Principal Financial Statements

Quarterly/Annual Financial Statements:
- Balance Sheet
- Statement of Net Cost
- Statement of Changes in Net Position
- Statement of Budgetary Resources
- Notes to the Financial Statements (June and September Quarters)
- Statement of Social Insurance (SOSI) (Annual)
- Statement of Changes in Social Insurance Amounts (SCSIA)

The CPA firm and CMS shall consider including additional financial reports in the assessment of ICOFR and should integrate the ICOFR assessment with FMFIA and other control related activities already in place.

3. Define Materiality

When performing the assessment of ICOFR, A-123 requires the establishment of materiality levels that ensure the detection of significant misstatements. The risk of material misstatement has four components:

- Inherent Risk: The susceptibility of one or more financial statement assertions to a material misstatement;
- Control Risk: The risk that misstatements will not be prevented or detected by the agency’s internal control (assessed separately for each significant financial statement assertion in each significant cycle or accounting application);
- Combined Risk: The likelihood that a material misstatement would occur (inherent risk) and not be prevented or detected on a timely basis by the agency’s internal control (control risk); and
- Fraud Risk: The risk of material misstatement due to fraudulent financial reporting or misappropriation of assets.

Internal control exists to address the risk of a material misstatement due to error (unintentional) or fraud (intentional). The CPA firm shall assess and document these risks at the overall financial statement level and at the financial statement assertion level for financial statement line items, classes of transactions and disclosures. Materiality for financial reporting is the risk of error or misstatement that could occur in a financial report that would impact management’s or users’ decisions or conclusions based on such a report.

Establishment of materiality levels will also take into consideration guidance from HHS. HHS will use an overall (or planning) materiality level to assess the aggregated misstatements and deficiencies in internal control, while other materiality levels (design and disclosure) will be used to assess individual line items or components. These other levels of materiality will always be less than planning materiality.

When considering materiality from a quantitative aspect, internal assessment levels should be set lower than what is considered by external auditors. The GAO Financial Audit Manual provides a framework for auditors to use in determining materiality. A similar framework has been applied when determining materiality in testing for compliance with Appendix A.
The following paragraphs describe each materiality level anticipated to be employed by HHS.Materiality BaseThe materiality base is the element of the financial statements that is considered to be most significant. Typically, total assets or expenses (net of adjustments for intragovernmental and offsetting balances) are used as the base. However, revenues, appropriations, or liabilities may also be used. HHS guidance references gross costs with the public as its materiality base for basic financial statements other than SOSI.Planning MaterialityPlanning materiality is the preliminary estimate of materiality in relation to the financial statements taken as a whole. It is also used to determine whether aggregated misstatements and deficiencies in internal control are material to the consolidated financial statements.Design MaterialityDesign materiality is the materiality level allocated to individual line items and disclosures. Design materiality is used to identify significant accounts and disclosures, and to determine the nature, timing and extent of testing. This type of materiality is a percentage of planning materiality.Disclosure MaterialityDisclosure materiality is the threshold for determining whether an item should be reported or presented separately.The CPA firm shall also evaluate line items on its significant financial reports using this quantitative calculation. This could bring to the surface other line items to be considered for inclusion in the assessment process and might increase the scope of the implementation of ICOFR.Qualitative factors (those affected by seasonal or situational issues) must also be considered in determining materiality. Certain accounts or elements of a financial report may be significant due to the interest of Congress, OMB, or the public.Identify Significant AccountsBoth qualitative and quantitative materiality concepts must be considered in determining the significant accounts. 
The significant financial statement accounts identified shall be mapped to major transaction cycles. At a minimum, the scope must include the significant financial statement accounts and transaction cycles per HHS guidance.

5. Identify Significant Components and Locations

The planning/scoping documentation shall include a strategy for performing work related to CMS’s locations (including CCIIO programs located in Bethesda, Maryland) and other selected CMS locations; selected CMS contractors; SSMs; and DCs. The CPA firm shall consider any available SSAE 18 and CFO audits in planning and scoping the evaluation, and shall review CMS contractors on-site as selected by CMS in addition to on-site reviews at selected CMS locations, SSMs, and selected DCs. The scope of CMS contractors, SSMs, and DCs is subject to future adjustment. In addition, the planning/scoping document shall document the strategy for identifying and evaluating 1) IT systems related to major transaction cycles, and 2) IT security.

6. Identify the Relevant Financial Statement Assertions and Risks

Identify the Relevant Financial Statement Assertions

The following are the types of financial statement assertions that may be inherent in the significant accounts:

- Existence and Occurrence: All reported transactions actually occurred during the reporting period and all assets and liabilities exist as of the reporting date;
- Rights and Obligations: All assets are legally owned by the agency and all liabilities are legal obligations of the agency;
- Completeness: All assets, liabilities and transactions that should be reported have been included, and no unauthorized transactions or balances are included;
- Valuation: Assets, liabilities, revenue and expenses have been included in the financial statements at appropriate amounts. Where applicable, all costs have been properly allocated;
- Presentation and Disclosure: The financial report is presented in the proper form and any required disclosures are present; and
- Other Assertions: Such as compliance (transactions are in compliance with applicable laws and regulations), safeguards (all assets have been reasonably safeguarded against fraud and abuse), or documentation (documentation of internal control testing and all transactions and other significant events are readily available for examination).

Not all assertions will be significant to all accounts. However, each assertion is applicable to every major transaction cycle, and all associated assertions must be covered to avoid any control gaps. These assertions shall be documented in the Control Matrix (Appendix II of HHS Guidance).

Risk Assessment

Tools used to identify conditions or “red flags” that may signal a risk of material misstatements shall include, but not be limited to, the following:

- Self-assessment questionnaires, evaluations, or surveys;
- Surveys or self-assessments by external providers, such as the CMS Certification Package of Internal Controls (CPIC) submitted by CMS contractors;
- Automated tracking of assessments, such as the CMS FMFIA Self-Assessment Questionnaire (FSTARS) program;
- GAO Internal Control Management and Evaluation Tool;
- Capital Planning and Investment Control reviews that examine a system’s lifecycle;
- CMS Financial Report, including the prior year(s) “Report of Independent Auditors on Internal Control”, and HHS Agency Financial Report (AFR);
- Relevant SSAE 18 audits (e.g., MACs, Medicare Contractors, etc.);
- Medicare Prescription Drug, Improvement and Modernization Act of 2003 (MMA) Section 912 Reviews and GAO/Office of Inspector General (OIG) reports/audits/reviews; and
- FISMA audits.

The CPA firm shall prepare and submit a graph that depicts an overall view of CMS’s risk in accordance with the HHS Guidance for OMB Circular A-123 Assessments.

Risks shall be recorded in the Control Matrix (Appendix II of HHS Guidance). Next, the conditions should be rated as to the likelihood of occurrence (high, medium, or low), the possible magnitude of the misstatement (high, medium, or low), and the risk of fraud (yes or no). The CPA firm may customize the risk assessment process to meet CMS’s needs and integrate it into the overall management/internal controls process as long as it accomplishes the overall intent of this paragraph.

Since risks are associated with each type of assertion, the CPA firm must review each significant account and determine the type of material error or misstatement that may occur for each assertion. The results of the evaluation of these assertions and identification of risks will help determine the types of controls that shall be assessed and the tests that will need to be performed during the subsequent steps in the ICOFR assessment (i.e., Document Controls and Evaluate Design, and Test Operating Effectiveness).

The Control Matrix (Appendix II of HHS Guidance) lists the risks for an account or line item and the key controls that cover the assertions, and cross-references the controls to the risks they address. The key controls should be numbered and listed. This information enables reviewers to quickly determine if there is an identified risk for which there is no key control to mitigate the risk. A determination will need to be made to ensure the risk is valid and, if so, that either a related control exists or the gap in the ICOFR is listed and remedied.

In addition, a Complementary User Entity Controls (CUECs) analysis shall be performed to assess the appropriateness of CUECs and to develop a mapping of MAC SSAE 18 reports' CUECs to CMS internal controls to ensure they are tested in A-123.

7. Identify the Major Transaction Cycles

Major Transaction Cycles

A major transaction cycle is a business process for which the quantity and dollar volume of transactions is so great that, if a material error occurred in the process, it would affect financial decisions. The major transaction cycles associated with significant financial statement line items must include those that HHS and CMS ATT have identified for the internal control over financial reporting evaluation. The CPA firm, using a risk-based approach, will recommend which transaction cycles should be included in scope in each fiscal year for the assessment of internal control over financial reporting. The CPA firm shall provide the supporting documentation used for the risk assessment determination.
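The Risk Assessment and Control Matrix steps above rate each risk (likelihood, magnitude, fraud) and cross-reference key controls to the risks they address so that a risk with no mitigating key control stands out, and the risk-based cycle selection just described builds on those ratings. The following Python is an added example, not part of the SOW, the HHS Guidance Appendix II template, or any CMS tool: it models a Control Matrix slice for one cycle and reports the risks and assertions left without a key control. The field names, the numeric rating weights, and the sample Medicaid-cycle risks and controls are constructed for illustration.

```python
"""Control Matrix gap check for one transaction cycle.

Added example; it is not part of the SOW, the HHS Guidance Appendix II template,
or any CMS tool. It records each risk with the assertion it threatens and its
likelihood/magnitude/fraud rating, cross-references key controls to the risks
they address, and reports any risk or assertion left without a key control.
Field names, the rating weights and the sample Medicaid-cycle data are
constructed for illustration.
"""
from dataclasses import dataclass

# Assertion types listed in the SOW; the open-ended "Other Assertions" group
# is left out because its members differ by account.
ASSERTIONS = (
    "Existence and Occurrence",
    "Rights and Obligations",
    "Completeness",
    "Valuation",
    "Presentation and Disclosure",
)
RATING = {"high": 3, "medium": 2, "low": 1}   # numeric weights are an assumption


@dataclass(frozen=True)
class Risk:
    risk_id: str
    account: str
    assertion: str
    likelihood: str   # high / medium / low
    magnitude: str    # high / medium / low
    fraud: bool       # risk of fraud: yes / no


@dataclass(frozen=True)
class KeyControl:
    control_id: str       # numbered as it appears in the Control Matrix
    description: str
    assertions: tuple     # assertions the control covers
    risk_ids: tuple       # risks it addresses (the cross-reference column)


def validate(risks, controls):
    """Reject rows outside the matrix vocabulary or cross-references to unknown risks."""
    for r in risks:
        if r.assertion not in ASSERTIONS:
            raise ValueError(f"{r.risk_id}: unknown assertion {r.assertion!r}")
        if r.likelihood not in RATING or r.magnitude not in RATING:
            raise ValueError(f"{r.risk_id}: ratings must be high, medium or low")
    known = {r.risk_id for r in risks}
    for c in controls:
        dangling = set(c.risk_ids) - known
        if dangling:
            raise ValueError(f"{c.control_id}: references unknown risks {sorted(dangling)}")
        if set(c.assertions) - set(ASSERTIONS):
            raise ValueError(f"{c.control_id}: unknown assertion in {c.assertions}")


def uncovered_risks(risks, controls):
    """Risk ids that no key control cross-references (candidate control gaps)."""
    covered = {rid for c in controls for rid in c.risk_ids}
    return [r.risk_id for r in risks if r.risk_id not in covered]


def uncovered_assertions(controls):
    """Assertions of the cycle that no key control claims to cover."""
    covered = {a for c in controls for a in c.assertions}
    return [a for a in ASSERTIONS if a not in covered]


def risk_score(risk):
    """Sort key: fraud risks first, then likelihood x magnitude (weights assumed)."""
    return (risk.fraud, RATING[risk.likelihood] * RATING[risk.magnitude])


def prioritized_gaps(risks, controls):
    """Uncovered risks, most severe first, for follow-up in the Control Deficiency Log."""
    gaps = set(uncovered_risks(risks, controls))
    return sorted((r for r in risks if r.risk_id in gaps), key=risk_score, reverse=True)


# Constructed sample: a slice of a Medicaid cycle Control Matrix.
SAMPLE_RISKS = [
    Risk("R-01", "Medicaid grant expense", "Existence and Occurrence", "high", "high", True),
    Risk("R-02", "Medicaid grant expense", "Completeness", "medium", "high", False),
    Risk("R-03", "Medicaid grant expense", "Valuation", "low", "medium", False),
    Risk("R-04", "Medicaid grant expense", "Presentation and Disclosure", "low", "low", False),
]
SAMPLE_CONTROLS = [
    KeyControl("C-01", "Supervisory review of state expenditure reports before grant award",
               ("Existence and Occurrence", "Completeness"), ("R-01", "R-02")),
    KeyControl("C-02", "Automated edit check rejecting duplicate expenditure submissions",
               ("Existence and Occurrence",), ("R-01",)),
]


def main():
    validate(SAMPLE_RISKS, SAMPLE_CONTROLS)
    for r in prioritized_gaps(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{r.risk_id} ({r.assertion}, {r.likelihood}/{r.magnitude}, fraud={r.fraud}): no key control")
    print("assertions without a key control:", uncovered_assertions(SAMPLE_CONTROLS))


if __name__ == "__main__":
    main()
```

In the sample, R-03 and R-04 have no cross-referenced control, and three of the five assertions are not claimed by any key control; both lists are what a reviewer would carry into the validity determination and, where the risk stands, into the Control Deficiency Log.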
Historically, cycles that have been considered under ICOFR include, but are not limited to, the following:

- Basic Health Program (BHP)
- Budget (including Government Charge Card)
- Children’s Health Insurance Program (including processes and locations outside of Baltimore)
- Center for Medicare and Medicaid Innovation (CMMI)
- Contingent Liabilities
- Financial Reporting
- Fund Balance with Treasury (FBWT)
- Health Information and Technology for Economic and Clinical Health Act (HITECH Act), Medicaid only
- Human Resources (HR)
- Travel
- Innovation Payment Contractor (IPC)
- Medicaid (including processes and locations outside of Baltimore)
- Medicaid and Entitlement Benefits Due & Payable (EBDP)
- Medicare Hospital Insurance (HI)/Supplementary Medical Insurance (SMI) Fee for Service (FFS) (including processes and locations outside of Baltimore)
- Medicare Advantage (Part C) (including processes and locations outside of Baltimore)
- Medicare EBDP
- Property, Plant, and Equipment (PP&E)
- Prescription Drug Program (Part D) (including processes and locations outside of Baltimore)
- Statement of Social Insurance (SOSI)
- Treasury Managed-Trust Funds (TMTF)
- Consumer Operated and Oriented Plan Program (COOP)
- Health Insurance Rate Review (HIRR) Grant Program
- Exchange (Note: The A-123 review and cycle memo will also encompass financial activities performed by third party contractor(s))
- Premium Stabilization Program (Note: CMS anticipates that the CPA firm will review Risk Adjustment (RA), including several functions related to the EDGE server, using the 5 step A-123 process.)
- 1332 State Innovation Waiver Grant Program

The CPA firm shall ensure that all significant financial statement accounts are covered and all significant financial key controls are considered and identified. In addition, it is anticipated that new processes or cycles may be identified as part of the scope in any given year. For any new processes or cycles, the CPA firm shall document (i.e., develop cycle memos) and test accordingly.

8. Link Accounts and Transaction Cycles

The significant financial statement accounts identified must be linked to the transaction cycles that provide the source data. This step ensures that a transaction cycle has been associated with all significant accounts.

9. Crosswalk of Applications to Cycle Memos

The CPA firm shall create a separate Attachment (see Attachment B) to the IT test plan to identify and crosswalk all applications (all systems and their related sub-systems) to each of the cycle memos and highlight which applications will be tested under A-123 based on: (1) materiality, (2) prior year findings, and (3) risk level (high to medium). Additionally, the CPA firm shall complete the FFMIA System Inventory (Appendix XVIII).

10. Work Products and Documentation (Deliverables)

As a result of the aforementioned steps, the scope of the fiscal year review will be determined. The following is a list of work products that shall be prepared as a result of completing this step of the assessment:

- Project Work Plan
- Planning/Scoping Document
- Assessment Process Documentation
- Risk Assessment Chart (Appendix XVII of HHS Guidance)
- Control Matrix (Appendix II of HHS Guidance)
- Crosswalk of Applications to Cycle Memos (Attachment B)
- FFMIA System Inventory (Appendix XVIII of HHS Guidance)

Step B: Document Controls and Evaluate Design of the Controls

The CPA firm shall review and update the documentation of ICOFR at the process (or transaction) level for CMS locations, Baltimore Applications, Contractors, DCs, and SSMs in scope.
The CPA firm shall also leverage existing available documentation, including, but not limited to, documentation from other audits or reviews such as external financial statement auditors (including the prior year(s) “Report of Independent Auditors on Internal Control”), SSAE 18 audits, CPIC, FFMIA, FISMA, 912 evaluations, Security Control Assessments (SCAs), GAO/OIG audits, and existing A-123 compliance efforts. As a result of previous A-123 efforts, cycle memos were developed that document internal controls at the transaction level. CMS contractor cycle memos and other control documentation should be available upon the CPA firm’s arrival on-site at CMS contractor locations. The CPA firm shall review and update these cycle memos/documentation.

1. Identify Related Laws and Regulations

The first step in documenting internal controls is to identify significant provisions of laws and regulations that could have a direct and material effect on the financial statements. In addition, the GAO/President’s Council on Integrity and Efficiency (PCIE) Financial Audit Manual recommends considering any other general or entity-specific laws.

2. Document Key Controls at the Entity Level

The CPA firm shall review and update CMS entity-level controls using current HHS methodology. Evaluation at the entity-wide level provides information that aids in determining the nature and extent of internal control testing that may be required at the transaction cycle level. Consideration must be given to the five internal control components that are described in the HHS Guidance.

3. Identify and Document Key Controls at the Major Transaction Cycle, Sub-Cycle or Account Level

Documentation shall be prepared in the form of a cycle memo that reflects an understanding, from beginning to end, of the underlying processes and document flows involved in each major transaction cycle. These would be the processes for initiating, authorizing, recording, processing and reporting accounts and transactions that affect the financial reports. Major transaction cycle narratives and flowcharts shall identify the major IT system involved; the IT controls shall be documented separately.

Because some transaction cycles flow from one OPDIV to another, the CPA firm shall coordinate the documentation of affected transaction cycles and identification of key controls, e.g., the Payment Management System.

Documenting Key Controls over Major Transaction Cycles

Cycle memos, consisting of narratives, flowcharts, and control matrices, shall be used to document the understanding of major transaction cycles.

A major transaction cycle narrative is a written summary of the transaction process. For each major transaction cycle, the narrative describes:

- The initiation point;
- The processing type (e.g., automated versus manual, preventive versus detective);
- The completion point;
- Other data characteristics such as source, receipt, processing, and transmission;
- Key activities/class of transactions within the process;
- Controls in place to mitigate the risk of financial statement errors;
- Supervisor/manager review; process and calculations performed in preparation of financial reporting; and process outputs;
- Use of computer application controls and general IT controls over spreadsheets/data used in the preparation of financial reporting;
- Identification of errors; types of errors found; reporting errors; and resolving errors; and
- Ability of personnel to override the process or controls.

The CPA firm shall review, validate, and/or update the key controls within the major transaction cycle. Controls are the specific policies, procedures, and activities that are established to manage or mitigate risks identified in the risk assessment process. Key controls are those controls designed to meet the control objectives and cover management’s financial statement assertions. In other words, they are the controls that management relies upon to prevent and detect material errors and misstatements. In addition, as part of the control identification process, the CPA firm shall identify redundant controls or controls that are ineffective and recommend eliminating them.

The Control Matrix (Appendix II of HHS Guidance) lists management’s assertions, control characteristics such as frequency, preventive/detective or automated/manual, and the significance of controls.

IT Controls

For each major transaction cycle, the CPA firm shall identify and document all applications and systems processing environments (see Attachment B) and recommend, based on risk, materiality, and prior audit/review findings (including findings in the prior year(s) “Report of Independent Auditors on Internal Control”), which major Baltimore Office applications and/or systems shall be reviewed. The evaluation of the control structure with respect to systems should be included in the assessment. The control structure will include processes such as access controls, computer operations, and change management. IT controls that relate directly to transaction cycles shall be documented separately to aid in the evaluation. In addition, ICOFR are frequently embedded within software applications. These should be reflected on the previously discussed Control Matrix (Appendix II of HHS Guidance).

Technology-based (automated) controls shall be assessed and key controls in the IT applications and system designs shall be identified, as CMS significantly relies on IT systems to process financial transactions and report the associated financial information. To support its assessment of ICOFR, the CPA firm shall ensure that applicable IT system components, such as automated calculations, accumulations, interfaces and reports, are operating effectively.

The CPA firm shall make sure the entire major transaction cycle process is documented.
The CPA firm shall integrate other review processes in the evaluation of the IT controls over ICOFR. Processes used to comply with FFMIA and FISMA serve as a foundation for documenting and evaluating IT controls. Computerized operations can introduce additional risk factors not present in manual systems. The CPA firm shall consider the following factors and assess the overall impact of computer processing on inherent risk:

- Uniform processing of transactions;
- Automatic processing;
- Increased potential for undetected misstatements;
- Existence and completeness of the audit trail;
- Nature of the hardware and software used; and
- Unusual or non-routine transactions.

Assessing IT Risk

The general methodology that shall be used to assess computer-related controls involves evaluating:

- General controls at the entity-wide and installation levels;
- General controls as they are applied to the application being examined; and
- Application controls, which are the controls over input, processing, and the output of data associated with individual applications.

As part of assessing control risk, the CPA firm shall make a preliminary assessment of whether computer-related controls are likely to be effective using NIST Special Publication 800-30, Risk Management Guide for IT Systems. This assessment may be based on discussions with personnel throughout the entity (program managers, system administrators, information resource managers, and system security managers). Preliminary assessments may also take the form of observations of computer-related operations or reviews of written policies and procedures. Regardless of the method, the protocols must be in compliance with guidelines set forth in the ARS or CMS’ Minimum Security Requirements (CMSRs). Controls that are not properly designated or would not be effective may indicate weaknesses that are required to be reported.

Based on the assessment of inherent and control risks, including the preliminary evaluation of computer-based controls, the CPA firm should identify the general controls that are properly designed and should be tested to determine if they are operating effectively.

General Controls

There are five major categories of general controls that shall be considered:

- Security management;
- Access controls;
- Configuration management;
- Segregation of duties; and
- Contingency planning.

Application Controls

There are four major categories of business process application controls that should be considered:

- Application security;
- Business process controls;
- Interface controls; and
- Data management system controls.

The objective of application-level general controls is to help management assure the confidentiality, integrity, and availability of information assets, and provide reasonable assurance that application resources and data are protected against unauthorized:

- Modification;
- Disclosure;
- Loss; and
- Impairment.

Mapping of Current IT Audits and Reviews

The CPA firm shall create a mapping of current year IT audits, reviews, and/or independent FISMA evaluations to the appropriate ARSs or CMSRs for each of the selected sites and applications. This mapping shall be the basis for each of the sites and application test plans.
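The mapping this section calls for (and the minimum Attachment A fields and the ongoing database that the SOW goes on to specify: control family, ARS/CMSR number, FIPS 199 category, the audit leveraged with its report date, its pass/fail result, and the test-under-A-123 recommendation) can be kept as a small structured record. The following Python is an added example, not the SOW’s Attachment A template, the CPA firm’s database, or any CMS tool: it records those fields, applies an assumed rule for the recommendation column, and shows the mapping being refreshed as a new report is received. The ARS numbers are sample identifiers in NIST SP 800-53 style, and the report names and dates are constructed.

```python
"""Attachment A style mapping of leveraged IT audits to ARS/CMSR controls.

Added example; it is not the SOW's Attachment A template, the CPA firm's
database, or any CMS tool. It records the minimum fields the SOW lists for the
mapping, applies an assumed rule for the "test under A-123" recommendation,
and shows the mapping being updated when a new report is received. ARS numbers
are sample NIST SP 800-53 style identifiers; report names and dates are
constructed.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# FIPS 199 impact levels. The SOW writes the middle level as "medium";
# FIPS 199 itself names it "moderate", which is used here.
FIPS199_LEVELS = ("high", "moderate", "low")


@dataclass(frozen=True)
class LeveragedReview:
    name: str          # IT audit or review leveraged (constructed names below)
    report_date: date  # identifying date of the report used
    passed: bool       # did the leveraged control pass in that report?


@dataclass(frozen=True)
class ControlMapping:
    control_family: str
    ars_number: str
    fips199: str
    review: Optional[LeveragedReview] = None   # None: no current review covers it

    def __post_init__(self):
        if self.fips199 not in FIPS199_LEVELS:
            raise ValueError(f"{self.ars_number}: FIPS 199 level must be one of {FIPS199_LEVELS}")


def recommend_test(m: ControlMapping, fiscal_year_start: date) -> bool:
    """Assumed rule: the control must still be tested under A-123 unless a
    passing review dated within the current fiscal year already covers it.
    A failed leveraged result is re-tested rather than relied upon."""
    if m.review is None or not m.review.passed:
        return True
    return m.review.report_date < fiscal_year_start


def attachment_a_rows(mappings, fiscal_year_start: date):
    """Render the six minimum columns the SOW lists for Attachment A."""
    rows = []
    for m in mappings:
        rows.append({
            "Control Family": m.control_family,
            "CMSR/ARS #": m.ars_number,
            "FIPS 199": m.fips199,
            "Audit/Review Leveraged": (f"{m.review.name} ({m.review.report_date.isoformat()})"
                                       if m.review else "none"),
            "Leveraged Result": ("pass" if m.review.passed else "fail") if m.review else "n/a",
            "Test under A-123": "yes" if recommend_test(m, fiscal_year_start) else "no",
        })
    return rows


def apply_new_report(mappings, ars_number: str, review: LeveragedReview):
    """Ongoing-database step: record a newly received report against one control.
    Returns a new list; the original is left unchanged as the prior state."""
    found = False
    updated = []
    for m in mappings:
        if m.ars_number == ars_number:
            found = True
            m = replace(m, review=review)
        updated.append(m)
    if not found:
        raise KeyError(f"{ars_number} is not in the mapping")
    return updated


FY2020_START = date(2019, 10, 1)   # federal fiscal year 2020 began 1 October 2019

# Constructed sample mapping for one selected application.
SAMPLE_MAPPING = [
    ControlMapping("Access Control", "AC-2", "high",
                   LeveragedReview("FY2020 SSAE 18 report (constructed)", date(2020, 3, 1), True)),
    ControlMapping("Configuration Management", "CM-3", "high",
                   LeveragedReview("FY2020 Security Control Assessment (constructed)", date(2020, 2, 14), False)),
    ControlMapping("Contingency Planning", "CP-9", "moderate", None),
    ControlMapping("Identification and Authentication", "IA-5", "high",
                   LeveragedReview("FY2019 FISMA evaluation (constructed)", date(2019, 6, 15), True)),
]
# A later passing report for IA-5, also constructed.
NEW_IA5_REVIEW = LeveragedReview("FY2020 FISMA evaluation (constructed)", date(2020, 4, 20), True)


def main():
    for row in attachment_a_rows(SAMPLE_MAPPING, FY2020_START):
        print(row)
    refreshed = apply_new_report(SAMPLE_MAPPING, "IA-5", NEW_IA5_REVIEW)
    print("IA-5 after new report:", attachment_a_rows(refreshed, FY2020_START)[3]["Test under A-123"])


if __name__ == "__main__":
    main()
```

With the sample data, only AC-2 is covered by a passing, in-year review and drops out of the A-123 test set; CM-3 failed in the leveraged assessment, CP-9 has no review at all, and IA-5's review predates the fiscal year, so all three stay recommended for testing until a newer passing report is recorded.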
The CPA firm shall create an ongoing database which would map new reports and findings as received, along with the controls tested.

The mapping of IT controls (see Attachment A) shall include at a minimum:

- Control family (e.g., access controls);
- Applicable CMSR or ARS number;
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, category (high, medium, or low);
- IT audit or review leveraged (with identifying date of report used);
- Whether the control in the leveraged audit or review passed or failed; and
- Recommendation if control shall be tested under A-123 (yes or no).

Documenting IT Controls

Workpapers shall contain documentation such as copies of written policies and procedures, written memoranda, flowcharts of system configurations and significant processes identifying key internal controls, etc. The documentation shall identify the control objectives and related control points designed to achieve those objectives. The CPA firm shall assist with the completion of, and have CMS Business Owners (Major Applications and General Support Systems), CMS Contractors, SSMs, and DCs sign, the HHS A-123 Appendix D FFMIA System Compliance Evaluation Tool (Appendix IX of HHS Guidance). Workpapers shall be maintained in accordance with guidelines set forth in the CMS Information Security Testing Approach. Reports shall be prepared for each entity or system using the CMS Reporting Standard for Information System Testing.

4. Obtain and Document the Business Owner’s Concurrence

Before finalizing the documentation of a major transaction cycle, the CPA firm shall review the documentation with the business owners to ensure that key controls are identified and appropriately address the identified risks. Because the accuracy of the documentation and the identification of key controls are so critical, sign-off from business owners shall be obtained on each document, attesting to its accuracy.

5. Evaluate the Design of Key Controls

After documenting key controls, the CPA firm shall evaluate the design of the controls. A control gap may be identified. A control gap exists when a control for a given financial assertion does not exist, or does not adequately address a relevant assertion. If the transaction cycle documentation reveals the lack of an adequate control at a certain point in the cycle, the CPA firm shall determine if a secondary or mitigating control that would detect problems exists elsewhere in the cycle. Identifying such controls may enable the team to provide assurance on the ICOFR despite the lack of a primary control. The lack of a control shall be documented on the Control Deficiency Log (Appendix V of HHS Guidance).

The CPA firm shall also assess the existing key controls to determine whether they are suitably designed to prevent or detect material errors or misstatements. This can be accomplished by performing a “walk-through.” A transaction cycle walk-through can be thought of as a “mini-test” that traces the transaction or process from beginning to completion. The walk-through should include selecting transactions and assessing whether the design of the control, assuming the control is properly executed, would detect errors or misstatements. Tests of design may include interviews, observations, inspection of documents (e.g., reports, completed forms), or inspection of screen prompts such as errors or warnings. During the walk-through, the CPA firm shall ensure that the major transaction cycle documentation and key controls identified are accurate and complete. If any deviations or omissions are detected, the process documentation shall be updated accordingly.

The walk-through shall document the results of the assessment of design in a memorandum that includes the:

- Name and contact number of any person interviewed;
- Specific items selected for assessment;
- Control gaps identified;
- Results of the assessment; and
- Conclusion regarding whether the design of a control is effective or not.

The determination of whether the design of a control is effective or not is a subjective judgment. Guidelines for the characterization are:

- Effective: The control is suitably designed to prevent or detect material errors or misstatements on a timely basis.
- Not Effective: The design of the control would not prevent or detect material errors or misstatements on a timely basis.

The documentation memorandum shall note an identifying number, amount, and date for each transaction reviewed. The control number shall be the same as it appears on the Control Matrix (Appendix II of HHS Guidance). The documentation shall be written in sufficient detail to enable another professional with similar experience and knowledge to re-perform the assessment using the same items.
Summary documentation and conclusions will be recorded using the Design Matrix (Appendix III of HHS Guidance).

6. Work Products and Documentation (Deliverables)

The following is a list of work products that shall be prepared as a result of completing this step of the assessment:

- Process-level flowcharts, narratives (cycle memos) and Cycle Memo and Flowchart Checklist (Appendix X of HHS Guidance)
- Updated GAO Internal Control Management and Evaluation Tool (Appendix XI of HHS Guidance)
- Assessment of entity-level controls
- Mapping of Current IT Audits and Reviews (Attachment A)
- Control Matrix (Appendix II of HHS Guidance)
- Design Matrix (Appendix III of HHS Guidance)
- Control Deficiency Log (Appendix V of HHS Guidance)
- CMS’s FFMIA System Inventory
- Walk-through memorandums and supporting documentation

Note: The CPA firm will be provided the work products listed above resulting from the prior year assessment.

Step C: Test Operating Effectiveness

This phase requires testing the operation of the key controls that were identified in the major transaction cycle documentation and making a determination of whether the control is operating effectively or not effectively. The testing shall address both manual and IT controls.

1. Define and Document the Testing Approach

The CPA firm shall develop an overall testing strategy and a detailed test plan for each major transaction cycle for CMS, including selected locations and CMS contractors. In developing the overall testing strategy, the CPA firm shall describe, in narrative form with supporting schedules, its detailed approach for conducting testing, including a description of the approach to test various financial statements and related footnotes as well as a description of sampling techniques to be used when conducting testing. In developing the detailed test plan, the CPA firm shall define a testing procedure for each key control. Steps included in the detailed test plan shall address relevant financial statement assertions. The test plan shall document the following: (a) relevant financial statement assertion; (b) detailed testing procedure performed; (c) source of the documents reviewed; (d) detailed description and number of samples selected; (e) date tested; (f) results; and (g) reference to the documentation for any test failures.

The CPA firm shall develop an IT test plan for each of the selected sites and applications tested (CMS contractors, DCs, SSMs, and Baltimore applications) subject to the task requirements that shall include the applicable CMS ARSs or CMSRs (which include the integration of such requirements as NIST, FISCAM, FedRAMP, FIPS, and other directives). Additionally, the CPA firm shall cross-walk the applicable CMSRs to the Internet Only Manual, Publication 100-6, Chapter 7, Medicare Financial Management Manual, Internal Control Requirements, Control Objective A, Information Systems control objectives and ensure each control objective is tested accordingly.

In addition, Attachment A: Mapping of the Controls shall be completed for each selected site or application subject to the task requirements, e.g., CMS contractors, DCs, SSMs, and Baltimore applications, in order to document leveraging of relevant reviews/audits.

During the testing of controls, if the CPA firm identifies an A-123 deficiency as a repeat finding, the CPA firm shall reference the existing CAP number in the A-123 site report.

The CPA firm shall test all prior year(s) A-123 and CFO findings, and other findings provided by the ATT, to determine whether each finding has been corrected or not, and document this as part of the test plan.

Timing of Testing

Testing should occur throughout the year. The results of testing completed prior to and as of June 30th in any given fiscal year will form the basis of the June 30th assurance statement. As testing continues into the fourth quarter, the results of that testing, along with any items corrected since the June 30th assurance statement, will be considered in the September 30th assurance statement update.

Extent of Testing

CMS and the CPA firm shall agree on the test plans prior to testing. The sampling methods and the minimum sample size for testing shall be based on the HHS Guidance for OMB Circular A-123 Assessments (which provides testing sample sizes based on the operational frequency of controls: annual, quarterly, etc.) and are subject to approval by CMS. The CPA firm shall test IT controls by appropriate standards (CMS policies and procedures, e.g., ARSs and CMSRs) to complete task requirements. The CPA firm shall submit recommended sample sizes for manual and automated Financial and IT control activities for each site location (i.e., CMS Applications, Contractors, DCs, and SSMs) before testing commences. The extent of testing shall be documented in the test plan and signed off by the business owners as deemed necessary by the ATT.

2. Test of the Key Controls

The Internal Control Review shall address at a minimum the quarter beginning July 1 through the quarter ending June 30 of the current fiscal year. Draft results shall be submitted to the ATT no later than June 15 of the current fiscal year.

Once the test plan for each major transaction cycle has been developed, the CPA firm shall test controls to ensure that they are operating effectively and may be relied upon to ensure that the financial statement assertions are valid. Results of completed test plans shall be summarized and recorded in the Test Documentation Matrix (Appendix IV of HHS Guidance). The tests shall be documented in such a manner that they can be re-created, if necessary. The testing approach (including sample sizes) should follow the HHS Guidance.
Workpapers shall meet requirements described later in this SOW under CMS Required Report Guidelines and Deliverable Tasks – Final Documentation.

The IT testing shall be documented in accordance with CMS Reporting Standards for Information System Testing (Note: CMS Reporting Standards for Information Systems Testing referenced throughout this document may be superseded by updated guidance). The review shall be conducted in accordance with, but not limited to, applicable FedRAMP, FISCAM, FISMA and NIST standards/guidance.

The CPA firm shall provide a database that will house the A-123 workpapers, reports, cycle memos, and other supporting documentation. Workpapers shall contain sufficient information to enable an experienced auditor/accountant having no previous connection with this review to ascertain from them the evidence that supports the CPA firm’s significant conclusions and judgments reached. The CPA firm shall store this information in such a way that it can be accessed by CMS immediately upon request. Final copies of the CPA firm’s workpapers, reports, cycle memos, and documentation supporting the review shall be provided each year in a format agreeable to CMS. The contract will require the CPA firm to meet CMS information security requirements (see CMS Information Security Contract Clause / Provision).

For each area reviewed, the CPA firm shall maintain an ongoing dialogue with the business owner(s)/stakeholder(s) regarding any findings and/or issues noted during the assessment. The CPA firm shall obtain business owner(s)/stakeholder(s) concurrence regarding A-123 deficiencies and work with the entity to develop the related CAPs.

If testing results in a finding, the CPA firm shall document the instance in the Control Deficiency Log (Appendix V of HHS Guidance). Findings will be discussed between the CPA firm and the ATT to determine the severity level (i.e., Control Deficiency, Significant Deficiency, or Material Weakness).

The CPA firm shall be involved in the coordination with the CFO Act auditors while on-site at the various locations. This shall include, but not be limited to, such activities as planning, scoping, testing approach, walkthroughs of processes, documentation, and testing.

The CPA firm shall conduct an Internal Control Review and CAP Follow-Up Review for all applicable CMS locations, Baltimore Applications, Contractors, DCs, and SSMs.

Requirements for the Internal Control Review at CMS Baltimore Applications, Contractors, DCs, and SSMs

The assessment shall include the following control objective areas as outlined in Internet Only Manual (IOM) Publication 100-6, Chapter 7 – Internal Control Requirements:

- Control Objective A – Information Systems and the associated CMSRs
- Control Objective B – Claims Processing
- Control Objective F – Medical Review
- Control Objective G – Medicare Secondary Payer (MSP)
- Control Objective I – Provider Audit
- Control Objective J – Financial
- Control Objective K – Debt Referral
- Control Objective L – Non MSP Debt Collection

The CPA firm shall provide a written report which includes an executive summary and the following listed sections:

- Introduction and Purpose;
- Summary Description (history, background, function, etc.);
- Planning and Scoping the Review;
- Test Results; and
- Details of Test Results.

The CPA firm shall conduct an entrance conference, a weekly status meeting, and an exit conference for CMS contractors, Baltimore Applications, selected CMS locations, SSMs, and DCs. For each engagement, the CPA firm shall provide a written list of deficiencies at the exit conference.

The CPA firm shall assist with the completion of the HHS A-123 FFMIA System Compliance Evaluation Tool and Certification(s) (Appendix IX of HHS Guidance) for each Baltimore Application, DC, and SSM. Additionally, the CPA firm shall assist with the completion of the CMS Assessment/Audit Tracking Sheet (CAATS) Template, which is used to upload findings into the CMS FISMA Controls Tracking System (CFACTS).

CMS Information Security Policies, Standards, and Procedures available on the CMS website include, but are not limited to:

- CMS Information Security Policy
- CMS Policy for the Information Security Program
- CMS Information Systems Security and Privacy Policy (IS2P2) [Final 04/26/2016, Document #: CMS-CIO-POL-SEC-2016-0001]
- CMS Standard/ARS - Acceptable Risk Safeguards (ARS) [Final 11/21/2017, Document #: CMS_CIO-STD-SEC01-3.1]
- CMS/Business Partner System Security Manual (BPSSM), Rev. 12 [Issued 11/15/2013, eCHIMP CR#: 8460]

3. Test Compliance with Related Laws and Regulations

The CPA firm shall consider the related laws and regulations that were identified in the documentation phase when formulating and executing test plans.

4. Evaluate the Operation of the Controls

Test results shall be summarized using the Test Documentation Matrix (Appendix IV of HHS Guidance), and for the IT testing the contractor shall use CMS Reporting Standards for Information System Testing. Based upon the results of testing, the CPA firm shall determine whether the operation of the control was effective or not effective and document this conclusion in the Test Documentation Matrix (Appendix IV of HHS Guidance).

5. Work Products and Documentation (Deliverables)

The following is a list of work products that shall be prepared as a result of completing this step of the assessment:

- Test Approach and Detailed Test Plans (IT and Non-IT);
- Test Documentation Matrix (Appendix IV of HHS Guidance) and documentation in accordance with CMS Reporting Standards for Information System Testing.
Please refer to CMS website(s):HHS/CMS: CMS Information Security and Privacy OverviewInformation Security and Privacy LibraryAttachment A: Mapping of the Controls;CAATS Template;Control Deficiency Log (Appendix V of HHS Guidance);Internal Control Review Report for each selected CMS location, Baltimore Application, Contractor, DC, and SSM in scope;CMS Information Security Testing Approach. Please refer to the following CMS website(s):HHS/CMS: CMS Information Security and Privacy OverviewInformation Security and Privacy LibraryHHS A-123 FFMIA System Compliance Evaluation Tool and Certification(s) (Appendix IX of HHS Guidance); andSupporting Workpapers.Step D: Identify and Address Deficiencies in the Current Review; Validate Prior A-123, CFO, and Other CAPs for CMS Contractors, SSMs, DCs, and Baltimore Applications; and CMS locations.The CPA firm shall test the operating effectiveness of the key controls and identify and provide assistance to correct any deficiencies in ICOFR.Interpret the ResultsThe CPA firm shall evaluate the results of documentation and testing. As a result of the evaluation of the design and operating effectiveness of the key controls, the CPA firm shall conclude if:There are control gaps;The design of the controls is effective or not effective; and/orThe operating effectiveness of the controls is effective or not effective.The CPA firm shall consider whether an ineffective key control would allow a material error or significant deficiency to occur and go undetected. The ICOFR is subject to cost-benefit constraints, and no system is designed to provide absolute assurance that errors or misstatements will not occur. 
Therefore, the CPA firm and CMS management shall use judgment to decide whether the deficiencies resulting from ineffective key controls would allow material errors or misstatements to occur and not be detected.
If design or operating effectiveness deficiencies are noted, the CPA firm shall discuss the deficiency with CMS management and the business owner to determine the validity of the deficiency and whether compensating controls exist to mitigate it. If compensating controls are identified, they shall be tested to provide evidence that they are operating effectively to prevent or detect a material error or significant deficiency.

Categorize the Types of Control Deficiencies
The CPA firm shall discuss the potential impact of any control gaps or deficiencies on financial reporting with CMS management and business owners. The magnitude or significance of the consequence of the deficiency determines its category, which shall be recorded on the Control Deficiency Log (Appendix V of HHS Guidance). The CPA firm shall recommend to CMS the category for each deficiency according to its impact on CMS's financial statements. The CPA firm and CMS shall agree on the categorization of each deficiency as a control deficiency, a significant deficiency, or a material weakness, and the CPA firm shall obtain concurrence from the business owner regarding the deficiency. The CPA firm is responsible for assisting CMS in reporting all control deficiencies, significant deficiencies, and material weaknesses to HHS. 
To evaluate deficiencies, the CPA firm may use the guiding principles outlined in A Framework for Evaluating Control Exceptions, released on December 20, 2004.

Control Deficiency
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Significant Deficiency
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Material Weakness
A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented, or detected and corrected, on a timely basis.

Assist in Creating Current Year Corrective Action Plans to Remedy Deficiencies and Test Remediated Controls
The CPA firm shall assist CMS in creating current year CAPs using the template in the HHS Guidance, Appendix VI, and shall obtain concurrence from the business owners. The CPA firm shall allow sufficient time for the retest of each control to determine whether the CAP has been successful. The CPA firm shall assist in creating a CAP that consists of revising or enhancing an existing control, or implementing a new control. The CPA firm shall test these enhanced or new controls between June 30th and September 30th to determine that the design and operation of the controls are effective and to ensure that the CAPs adequately address the deficiency(s) so that the deficiency(s) may be corrected in a timely manner. 
The CAP (Appendix VI of HHS Guidance) shall be used as a tool by the CPA firm and CMS to monitor CAPs.

Requirements for a CAP Follow Up Review at CMS Contractors, SSMs, DCs, and Baltimore Applications
The CPA firm shall develop review procedures and methodologies that shall be used to validate that prior year CAPs submitted for review by CMS have been implemented and are operating effectively. CMS shall provide the list of prior year CAPs to be reviewed for each selected CMS Baltimore Application, Contractor, DC, and SSM.
The CPA firm shall:
review the CAPs to determine whether CMS Contractors, DCs, and SSMs have implemented corrective actions and the CAPs are operating effectively;
address whether or not the original finding has been corrected; and
make a recommendation to CMS as to whether the CAP should be closed or remain open. If testing is needed in addition to the current year test plan, it shall be completed.
The CPA firm shall submit a CAP Follow-Up Report for each CMS Contractor, SSM, DC, and Baltimore Application reviewed. The format of the CAP Follow Up Report shall be approved by the ATT.

Validation of Prior A-123 CAPs and Selected CMS CAPs
The CPA firm shall examine all of CMS's prior A-123 CAPs, CFO CAPs, and other CAPs and make recommendations to CMS management as to which CAPs shall remain open or be closed. In addition, the CPA firm shall provide CMS with an explanation and documentation to support its recommendations regarding the previous A-123 CAPs and other selected CMS CAPs. It should be noted that for CMS locations not in scope, the review shall be conducted via desk review. 
The status of CAPs shall be reported quarterly.

Work Products and Documentation (Deliverables)
The CPA firm shall provide CMS the following list of work products that shall be prepared as a result of completing this step of the assessment:
Control Deficiency Log (Appendix V of HHS Guidance);
Corrective Action Plan (Appendix VI of HHS Guidance);
Remediated Deficiencies Documentation;
CAP Follow Up Reports for selected CMS locations and Baltimore Applications, Contractors, DCs, and SSMs; and
Quarterly CAP Follow Up Report for CMS locations.

Step E: Report on Internal Controls over Financial Reporting
Reporting on the A-123 review of internal controls over financial reporting occurs throughout the process. The CPA firm shall assist CMS by preparing drafts of the required reports per the guidelines below.

Submit Required Reports to HHS
CMS is required to submit various reports to HHS. Due dates for drafts from the CPA firm will be determined by the ATT.

Initial Assurance Statement
CMS shall issue an assurance statement on ICOFR as of June 30th. This assurance is a subset of the FMFIA assurance. The CPA firm will assist the ATT in preparing the assurance statement and shall also prepare the related supporting narrative. CMS will submit the assurance statement to HHS by approximately August 8th of the current fiscal year.
The assurance statement will be stated in one of the following forms:
Unmodified Statement of Assurance: no material weaknesses or lack of compliance reported;
Modified Statement of Assurance: considering the exceptions explicitly noted (one or more material weaknesses or lack of compliance reported); or
Statement of No Assurance: no processes in place or pervasive material weaknesses.
The assurance statement states that the ICOFR are operating effectively with the exception of material weaknesses found in the design or operation of internal controls (if any). For modified statements of assurance, all material weaknesses must be listed. 
For the statement format, the CPA firm shall follow guidance from the ATT. The CPA firm shall also assist the ATT in completing the Integrity Act Assurance Checklist (Appendix XIV of HHS Guidance).

Interim Supporting Narrative
In addition to the initial assurance statement, the CPA firm shall submit to CMS the CDLs and CAPs, and a supporting narrative paper. The supporting narrative paper shall include the rationale for the type of assurance statement issued based on the results of the A-123 review, including IT and Non-IT CDLs and open CAPs, and any other factors used in the A-123 assessment.
The supporting narrative paper shall include separate sections for the IT perspective and the Non-IT perspective and shall include information such as the following:
Overview;
IT Scope and Non-IT Scope;
Summary of results;
Observations/deficiencies noted;
Status of Deficiencies and CAPs reviewed;
Evaluation of findings identified during other audits or reviews, such as CPIC reviews and SSAE 18 audits;
Discussion of current year results relative to prior audits or reviews, including results from prior CFO audits;
Other Factors;
Conclusion for the IT perspective;
Conclusion for the Non-IT perspective;
Discussion of work performed and evaluation of results regarding compliance with laws and regulations;
Conclusion for compliance with laws and regulations; and
Overall conclusion.

Updated Assurance Statement
As testing continues into the fourth quarter, the results of that testing, along with any items corrected since third quarter reporting, must be considered in the September 30th assurance statement update. In addition, the CPA firm shall prepare the Final Supporting Narrative and Appendix IXs to include changes from June 30th to September 30th. The CPA firm shall assist CMS with the completion of the updated assurance statement and Integrity Act Assurance Checklist as of September 30th of the current fiscal year. For the current FY assessment, the update is due to HHS by approximately October 14. 
The CPA firm shall prepare an updated CDL and an updated CAP.
Based on the fourth quarter findings (after June 30th but before September 30th), there may be changes in the status of the ICOFR assurance statement delivered to HHS. These changes could include:
A material weakness discovered as of June 30th but corrected as of September 30th. The assurance statement should identify the material weakness and the corrective action taken, and state that the material weakness was resolved by September 30, 20YY.
A material weakness discovered after June 30th but prior to September 30th. The assurance statement should be updated to include the subsequently identified material weakness.
In addition, if activities or programs experience significant modification after June 30th and before September 30th, the controls within that major transaction cycle shall be reevaluated to ensure that no material weaknesses exist that should be reported to HHS. Examples of significant modifications include: significant changes in the mission, programs, or systems; updated CPIC Assurance Statements received from CMS contractors; SSAE 18 Bridge Letters; results of the financial statement or FISMA audit performed by an independent public accounting firm or the OIG; or results of program audits performed by OIG or GAO.

Work Products and Documentation (Deliverables)
The following is a list of work products that shall be produced as a result of completing this step of the assessment:
Required HHS Reports;
Interim and Final Integrity Act Assurance Checklist (Appendix XIV of HHS Guidance);
Initial and Final CDLs (Appendix V of HHS Guidance);
Initial and Final CAPs (Appendix VI of HHS Guidance);
Initial Statement of Assurance as of June 30th of the current fiscal year, accompanied by a Supporting Narrative Paper;
Final Statement of Assurance updated through September 30th of the current fiscal year; and
Final Supporting Narrative Paper and Appendix IXs of HHS Guidance updated through September 30th, 20YY. 
CMS Required Report Guidelines and Deliverable Task
The CPA firm shall submit all reports to the CMS COR/ATT by e-mail. The CPA firm and the ATT shall agree on a report format if one is not specifically identified below, and the format shall adhere to current CMS software standards (for example, Microsoft Office 20YY). Deliverables include the following (see also the Schedule of Deliverables (Attachment C)):

1. Contractor and CMS Initial Meeting
The CPA firm shall participate in an initial meeting with the ATT. The purpose of the initial meeting is for CMS and the CPA firm to discuss the following:
The objectives of the review to be performed;
Introduction of the CPA firm, COR, and the ATT for the contract; and
Questions and answers regarding the engagement.
Other kickoff meetings shall be held as appropriate with various groups of business owner(s)/stakeholder(s) to discuss the objectives, logistics, and other aspects of the review.

2. Entrance Conferences with CMS locations, Contractors, Baltimore Applications, DCs, and SSMs
The CPA firm shall provide the ATT, CMS locations, Contractors, Baltimore Applications, DCs, SSMs, and designated CMS business owner(s)/stakeholder(s) with the following:
Entrance Conference Appointment: Five business days' notice of the time and place for all entrance conferences.
Entrance Conference Agenda: Including an attendee list, the estimated fieldwork start and finish dates, and the scope of work to be performed.

3. A-123 Weekly Status Meetings
The CPA firm shall conduct weekly status meetings with ATT staff beginning one week after the initial meeting. The COR shall determine the meeting frequency (generally weekly) and attendees. 
The CPA firm shall provide the ATT and the designated CMS business owner(s)/stakeholder(s) with the following:
Two business days' notice of the time and place for all status meetings; and
A status meeting agenda, including a comprehensive status by component, a list of significant findings/potential issues, and upcoming activities/deliverables.
The CPA firm shall notify the COR/ATT of any major concerns or issues identified during the field work that require immediate attention or correction.

4. Monthly Status Reporting
The CPA firm shall submit a Monthly Status Report containing status information on the assessment. At a minimum, each status report shall contain the following:
Start, estimated completion, and completion dates for the assessment;
Status of the assessment (percent completed); and
A narrative of specific activities (broken down by IT and non-IT) performed during the month, significant findings/potential issues identified thus far, concerns that may affect the completion of the work, and planned activities.
The first report is due thirty days after the initial meeting with CMS and on the 28th of each month thereafter until the end of the contract.

5. Project Work Plan (PWP)
The CPA firm shall submit a detailed PWP of its technical approach to accomplishing the assessment. The PWP shall include an assessment schedule and a detailed description of the CPA firm's project plan for performing the necessary documentation and assessment activities using the procedures and methodologies that it shall develop. The CPA firm's PWP shall be structured to ensure that the assessment is conducted and completed on a flow basis. The PWP shall follow the steps below:
The PWP shall show all tasks scheduled with major milestones and target dates.
The CPA firm shall submit its PWP to CMS; the target date is within three weeks of the initial meeting/teleconference.
The PWP is subject to CMS approval. 
The CPA firm shall periodically amend this PWP as appropriate based on comments received from the COR and/or as work changes/developments necessitate a modification; amendments are subject to COR approval.

6. Planning/Scoping Document and Assessment Process Documentation
The CPA firm shall submit a planning/scoping document that includes the following:
The recommended materiality levels to be used in planning the overall assessment of internal control over financial reporting at CMS.
A risk assessment at the financial statement line item, account (or groups of accounts), and disclosure levels that also identifies which of these fall within the materiality threshold previously defined. This assessment should also identify the business processes, application systems, and systems processing environments that relate to each significant account or group of accounts, and determine the relevance of each management assertion (existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure) for each significant item identified as in scope.
The methodology that shall be used to assess IT risk, including which documentation, audits, and/or reviews shall be leveraged for the engagement and which gaps or risks the CPA firm shall recommend for testing.
Central Office Applications Identification - The CPA firm shall create a separate Attachment (see Attachment B) to identify and crosswalk all applications to each of the cycle memos and highlight which applications are material and in scope, as well as which applications are high to moderate risk, for the A-123 assessment.
The Assessment Process Documentation (including a Risk Assessment Chart) shall be prepared in accordance with the HHS Guidance.
The target date for these reports is four weeks after the initial meeting/teleconference with CMS.

7. On-Site Activities
The CPA firm shall conduct the on-site fieldwork activities at each selected CMS location and each selected Baltimore Application, Contractor, DC, and SSM according to its PWP in the most efficient and expedient manner possible. The CPA firm shall maintain an ongoing dialogue with CMS locations, Baltimore Applications, Contractors, DCs, and SSMs regarding any findings and/or issues noted during the fieldwork. The CPA firm shall conduct entrance/exit conferences, and weekly status meetings with the staff of the selected CMS locations, Baltimore Applications, Contractors, DCs, and SSMs, beginning one week after commencement of fieldwork.
The CPA firm shall provide the ATT, CMS locations, Baltimore Applications, Contractors, DCs, and SSMs and the designated CMS business owner(s)/stakeholder(s) with the following:
Two business days' notice of the time and place for all status meetings; and
A status meeting agenda, including a list of potential issues, the estimated exit conference date, and draft findings or outstanding issues once known, at least 48 hours prior to the status meeting. The CPA firm shall provide CMS locations and selected Baltimore Applications, Contractors, DCs, and SSMs an agenda showing all outstanding items and/or concerns.
The CPA firm shall report any major concerns to the COR/ATT upon discovery during the fieldwork, as well as in the Monthly Status Report. The CPA firm shall brief the COR/ATT and CMS business owner(s)/stakeholder(s) prior to presenting formal findings to the selected CMS locations, Baltimore Applications, Contractors, DCs, and SSMs.
The CPA firm shall obtain written concurrence on any finding(s) from the entity reviewed.

8. A-123 Internal Control over Financial Reporting Education
The CPA firm shall use the time prior to the start of field work to gain an understanding of applicable policies and procedures. The CPA firm shall provide assistance in situations where some components in scope for the A-123 review need guidance and instruction regarding their roles and responsibilities and the development/maintenance of their policies and procedures. 
This assistance will be most important for components that have had, for example, staff turnover, policy changes, or new business processes. Specifically, the CPA firm shall assist in situations where components might have difficulty providing descriptions of the control policies and procedures needed for the development of internal control documentation (e.g., cycle memos) for the A-123 self-assessment. This education includes providing examples of applicable control policies, Standard Operating Procedures (SOPs), etc., as well as communicating to component personnel the appropriate internal controls for their operations.
Throughout each phase of work, the CPA firm shall work with the ATT and CMS business owner(s)/stakeholder(s) to ensure that appropriate knowledge transfer occurs.

9. Documentation on Internal Control over Financial Reporting
The CPA firm shall review and update the current cycle memos for CMS, selected locations, and selected Contractors. For documentation not adequately developed, the CPA firm shall submit documentation of internal controls over financial reporting at both the entity level and the process (or transaction) level for significant financial statement line items, accounts, disclosures, relevant management assertions, and the controls over those assertions. Documentation will also include an assessment of entity-level controls, a Control Matrix, a Design Matrix, CDLs, walk-through memorandums, and reports with supporting workpapers for components of the A-123 review. The format of this documentation must be agreed to by the CMS COR/ATT.

10. Evaluation of Design and Test of Operating Effectiveness
The CPA firm shall submit the documentation for testing the operating effectiveness of non-IT and IT controls. 
This documentation will include the testing approach and detailed test plans, Test Documentation Matrix (Appendix IV of HHS Guidance), CMS Reporting Standards for Information System Testing for IT testing, CDL (Appendix V of HHS Guidance), completed CAATS Template, an Internal Control Review Report for each of the selected CMS locations, Baltimore Applications, Contractors, DCs, and SSMs in scope, and the CMS Information Security Testing Approach. IT test plans shall include the IT mapping (Attachment A) and Application Crosswalk (Attachment B).
The format of this documentation must be agreed to by CMS.

11. Conduct A-123 presentations, as required, to the Risk Management and Financial Oversight Committee (RMFOC); CFO audit support; and other needed support
Key CPA firm personnel shall prepare Microsoft PowerPoint presentations and present them to the RMFOC regarding A-123 matters on an as-needed basis. The presentations should usually be no more than 20 minutes.
The CPA firm shall provide support to the CMS financial statement audit in order to minimize duplication of effort and create a more efficient review and audit process. Activities will include, but not be limited to, coordinating activities to include CFO auditor participation/walkthroughs, making A-123 workpapers and copies available, responding to audit questions, and attending meetings to discuss A-123 and CFO topics.
It will be necessary to provide support to various reviews and audits, which could involve an array of stakeholders such as the IRS, GAO, OIG, and others. 
Activities will include, but not be limited to, coordinating activities to include stakeholder participation/observation, making A-123 workpapers and copies available, responding to audit and other questions, and conducting/attending meetings and presentations as needed.

12. Final Exit Conference for CMS selected locations, Baltimore Applications, Contractors, DCs, and SSMs
The CPA firm shall schedule a final exit conference with the ATT, CMS locations, Baltimore Applications, Contractors, DCs, SSMs, and designated business owner(s)/stakeholder(s) after the release of draft findings or outstanding items. The scheduling of the final exit conference shall provide adequate time for CMS locations, Baltimore Applications, Contractors, DCs, and SSMs to review the draft findings or outstanding items.
The CPA firm shall provide the following:
Exit Conference Appointment: Two business days' notice of the time and place of the conference; and
Final Exit Conference Agenda: Including an attendance record, summary of review areas, results, and the estimated draft and final report issuance dates.

13. Draft Report Issuance for CMS locations, Baltimore Applications, Contractors, DCs, and SSMs
The target date for the CPA firm to issue electronic draft reports (to the ATT, CMS business owner(s)/stakeholder(s), selected CMS locations, Baltimore Applications, Contractors, DCs, SSMs, and others as applicable) is within two weeks after the date of the exit conference. In preparing and issuing the draft reports, the CPA firm shall consider all discussion and evidence provided by the ATT, CMS business owner(s)/stakeholder(s), CMS locations, Baltimore Applications, Contractors, DCs, and SSMs in reaching its draft conclusions. 
Along with the draft reports, the CPA firm shall send the A-123 CDL/CAP template and the draft CAP Follow Up Reports to the ATT.

14. Final Report Issuance for CMS locations, Baltimore Applications, Contractors, DCs, and SSMs
The target date for the CPA firm to issue final reports is within two weeks after the issuance of the draft report. In preparing the final reports, the CPA firm shall consider all discussion, evidence, and comments provided by the ATT, CMS business owner(s)/stakeholder(s), selected CMS locations, Baltimore Applications, Contractors, DCs, and SSMs in reaching its final conclusions. Along with the final reports, the CPA firm shall send the final versions of the A-123 CDL/CAP templates and the CAP Follow Up Reports.
Finalized work papers shall be available for review prior to the issuance of final reports.

15. Results of Testing and Interim Assurance Statement
The CPA firm shall submit a draft Interim Assurance Statement, Supporting Narrative, CDL/CAP templates, and the FFMIA System Compliance Evaluation Tool and Certification(s) (Appendix IX of HHS Guidance). In addition, assistance shall be provided in preparing the Integrity Act Assurance Checklist (Appendix XIV of HHS Guidance). Target deliverable date: June 15th, 20YY.

16. Report on Validation of Previous CMS A-123, CFO, and Selected CMS CAPs
The CPA firm shall report quarterly on the status of the CAPs and prepare documentation (test steps, results, and work paper references) to support its recommendations of whether to close each CAP or have it remain open. These reports are due on or before December 31, March 31, June 30, and September 30 of the current fiscal year. This will include follow up on all previous CMS A-123 CAPs, CFO CAPs, and other CAPs as applicable.

17. CAP Follow Up Reports
The CPA firm shall submit draft and final CAP Follow Up Reports for all applicable CMS Baltimore Applications, Contractors, DCs, and SSMs in scope. 
The target date for the draft report is within two weeks after the exit conference. The target date for the final report is within two weeks of issuance of the draft CAP Follow Up Report.

18. Updated Assurance Statement and Supporting Information
The CPA firm shall submit a final Assurance Statement, Supporting Narrative, CDL/CAP templates, and an updated FFMIA System Compliance Evaluation Tool and Certification(s) (Appendix IX of HHS Guidance). In addition, assistance shall be provided in preparing the Integrity Act Assurance Checklist (Appendix XIV of HHS Guidance). Target deliverable date: September 15th, 20YY.

19. Documentation
The CPA firm shall provide an electronic database that will house the A-123 workpapers, reports, cycle memos, and other supporting documentation. The CPA firm shall store this information in such a way that it can be accessed by CMS immediately upon request. Final copies of the CPA firm's workpapers, reports, cycle memos, and documentation supporting the review shall be provided each year in an electronic format acceptable to CMS. The contract will require the CPA firm to meet CMS information security requirements (see CMS Information Security Contract Clause/Provision).
Documentation shall provide sufficient detail to enable an experienced reviewer having no previous connection to the review to understand from the review documentation the nature, timing, extent, and results of the review procedures performed; the review evidence obtained and its source; and the conclusions reached. 
The CPA firm shall prepare review documentation that contains support for deficiencies, conclusions, and recommendations before it issues the report.
The testing work papers shall follow the guidelines below:
Workpapers are to be available, completed, reviewed, and signed off by preparers and reviewers for CO cycles (target deliverable date: June 30th, 20YY), and before each final report is issued to the CMS selected locations, CO Applications, Contractors, DCs, and SSMs reviewed.
Include a work paper indexing format that is consistent for all work papers (IT and Non-IT).
Separate work papers must exist for all CMS cycles, including selected locations, Baltimore Applications, Contractors, DCs, and SSMs reviewed.
Each control objective and/or control activity shall have a lead sheet that summarizes the test. It shall include:
  Control number or control objective;
  Frequency of control;
  Sample size, including the description and source of documents inspected;
  Control description;
  Control owner;
  Test procedure(s);
  Test details, including sample selections (i.e., quarter, month, plan number, etc.), attributes tested, and results obtained for each sample;
  Analysis, comments, and reference to supporting documentation;
  Conclusion of test;
  Test date;
  Preparer name and date prepared; and
  Reviewer name and date reviewed.
Note: Standard tick marks shall be utilized and applied consistently across all workpaper documentation.
If a control is operating effectively, the lead sheet shall be accompanied by an example of a successful test, including the documents tested (i.e., report, checklist, email, etc.). 
It is not necessary to provide positive evidence of all tests when a control is operating effectively; however, a summary of the sample attributes successfully tested shall be included in the workpapers.
If a control fails, supporting documentation must accompany the lead sheet to support each control failure.
Prior year CAP ID numbers shall be referenced in the work papers as applicable.

20. Required Reports
The CPA firm shall submit required draft reports to the ATT (deliverable date(s) to be specified by the ATT) for review and approval in advance of the HHS due date(s).

21. Deliverable Instructions
See Schedule of Deliverables (Attachment C).

Part Two - ICOR

Objectives
OMB Circular A-123, Appendix A, Management of Reporting and Data Integrity Risk, issued June 2018, aligns with OMB Circular A-123's expansion of internal controls from financial reporting to all reporting objectives, leveraging the analysis of Enterprise Risk Management (ERM). Prior to this update, Appendix A was prescriptive and rigorous in what agencies were required to implement in order to provide reasonable assurance over ICOFR. This update balances that rigor with giving agencies the flexibility to determine which control activities are necessary to achieve reasonable assurance over the internal controls and processes that support the overall quality of data contained in agency reports, in support of data-driven decisions, Federal Government-wide management analysis, and transparency. The updated Appendix A requires consideration of internal controls over reporting in our annual assurance statement. Agencies have flexibility in how they implement the current requirements. Our objective is to take a maturity model approach toward implementation of the updated Appendix A, with an emphasis on integrating internal control activities with ERM processes.

Internal Control Over Reporting Objectives
Reporting objectives pertain to the preparation of reports for use by agencies and stakeholders. 
External reporting objectives may be driven by statutory requirements or by the need for integrity, accountability, or transparent government data. Internal requirements generate internal reporting objectives and may be responsive to a variety of potential needs, including agency plans at the strategic, operational, or other levels. The overall relationship among the four subcategories of reporting objectives can be illustrated and described as:
External financial reporting objectives. Objectives related to the release of the entity's financial performance in accordance with professional standards, applicable laws and regulations, and the expectations of stakeholders.
External nonfinancial reporting objectives. Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, and the expectations of stakeholders.
Internal financial reporting objectives and internal nonfinancial reporting objectives. Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity's performance.
These reporting objectives are referenced by the table below from the revised circular:
Figure 1: Illustrative Relationship within Reporting Category of Objectives

Purpose
The CPA firm shall:
Develop the CMS overall OMB Circular A-123, Appendix A Assessment Plan spanning the base year and the option years of this contract.
Develop a methodology/criteria that will be used to assess the processes and controls that will support CMS in achieving compliance with the revised OMB Circular A-123, Appendix A, released June 2018.
Develop a list of CMS business processes that should be assessed as part of the agency's Appendix A review. 
- Identify significant CMS reports and develop a ranking using a risk-based approach.
- Develop documentation of CMS business processes (that have not been previously documented) that are needed in support of CMS’s Appendix A reviews.
- Develop a testing cycle and execute test plans for the CMS business processes/reports.
- Report on the above activities, and integrate results with Part I of this SOW to provide draft CMS interim and annual assurance statements.

Work Products and Documentation (Deliverables)

The CPA firm shall provide CMS the following list of work products:

Base Year:

Planning
- Risk Assessment Results
- Planning/Scoping Document
- Project Work Plan
- OMB Circular A-123 five year Assessment Plan
- Methodology/Criteria for conducting assessment (including several implementation options for management consideration)
- Timeline for CMS to reach a matured ICOR model

Report on Internal Control
- Reports and Presentation to leadership on ICOR approaches, assumptions, justifications, future milestones
- Supporting Work Papers

Option Years 1-4:

Planning
- Risk Assessment Results
- Planning/Scoping Document
- Methodology/Criteria for conducting ICOR assessment
- Project Work Plan

Document and Evaluate Design of Controls

Test Operating Effectiveness
- Test Approach and Detailed Test Plans and Supporting Workpapers

Identify & Address Deficiencies/Validate CAPs/Close CAPs

Report on Internal Control
- Reports and Presentation to leadership on the results of assessment conducted

Attachment A: Sample of Mapping of Controls

NAME OF CMS Baltimore APPLICATION, CONTRACTOR, DC, OR SSM

Example Mapping of Controls:

CMSR Control Family | ARS/CMSR Control # | FIPS 199 Category (L/M/H) | 912 Evaluation Date | 912 SCA Date | FISMA Testing Date | Pass/Fail | Recommend A-123 Testing? (Yes/No)
Zzzzzz Zzzzzzz | ZZ-X | L/M/H | MM/DD/20YY | MM/DD/20YY | MM/DD/20YY | Pass/Fail | Yes/No
Access Controls | AC-1 | H | 10/02/2010 | (blank) | (blank) | Fail | Yes
Access Controls | AC-10.0 | M | (blank) | 03/01/2011 | (blank) | Fail | Yes

Key:
X – Denotes Numbers (0 through 9)
Z – Denotes Letters (A through Z)
L – Low
M – Moderate
H – High
MM – Month (01 through 12)
DD – Day (01 through 31)
20YY – Year (e.g. 2018, 2019, 2020, etc.)

Blank Template for Mapping of Controls:

CMSR Control Family | ARS/CMSR Control # | FIPS 199 Category (L/M/H) | 912 Evaluation Date | 912 SCA Date | FISMA Testing Date | Pass/Fail | Recommend A-123 Testing? (Yes/No)
(blank rows to be completed)

Attachment B: Crosswalk of Baltimore Office Applications to Cycle Memos Template

Baltimore Office Systems/Applications | FIPS 199 Category (L/M/H) | Currently Identified Related Cycle
(blank rows to be completed)

FIPS 199 Category Key:
L – Low
M – Moderate
H – High

Attachment C: Schedule of Deliverables

The CPA firm shall submit reports and deliverables in accordance with the following schedule. Deliverables shall be subject to CMS ATT review, comment, and acceptance.

1. P. 34, F.1 – Contractor and CMS Initial Meeting
   Recipient(s): CMS
   Delivery Date(s): TBD.

2. P. 35, F.2 – Entrance Conferences with CMS locations, Contractors, DCs, and SSMs
   Recipient(s): CMS locations, Contractors, DCs, & SSMs
   Delivery Date(s): Before the start of each engagement with each CMS location, Contractor, DC, & SSM.

3. P. 35, F.3 – A-123 Weekly Status Meetings
   Recipient(s): CMS
   Delivery Date(s): Begin one week after the initial meeting.

4. P. 35, F.4 – Monthly Status Reporting
   Recipient(s): CMS COR/ATT and Contract Specialist (CS)
   Delivery Date(s): Within 30 days after the initial meeting at CMS and the 28th of each month thereafter until the end of the contract.

5. P. 35, F.5 – Project Work Plan (PWP)
   Recipient(s): CMS ATT, COR, and CS
   Delivery Date(s): Target date is within three weeks of the initial meeting with CMS.

6. P. 36, F.6 – Planning/Scoping Document and Assessment Process Documentation
   Recipient(s): CMS ATT and COR
   Delivery Date(s): The target date is four weeks after the initial meeting with CMS.

7. P. 36, F.7 – On-Site Activities
   Recipient(s): CMS locations, Baltimore Applications, Contractors, DCs, and SSMs
   Delivery Date(s): In accordance with the PWP.

8. P. 37, F.8 – A-123 Internal Control over Financial Reporting Education
   Recipient(s): CMS locations, Baltimore Applications, Contractors, DCs, and SSMs
   Delivery Date(s): As needed.

9. P. 37, F.9 – Documentation on Internal Control over Financial Reporting
   Recipient(s): CMS ATT, COR, CMS locations
   Delivery Date(s): In accordance with the PWP. The format of this documentation must be agreed to by the CMS COR / ATT.

10. P. 38, F.10 – Evaluation of Design and Test of Operating Effectiveness
    Recipient(s): CMS ATT, COR, CMS locations and Applications, Contractors, DCs, and SSMs
    Delivery Date(s): In accordance with the PWP.

11. P. 38, F.11 – Conduct A-123 presentations, as required, to the Risk Management and Financial Oversight Committee (RMFOC); CFO audit support; and other needed support
    Recipient(s): CMS ATT, COR, RMFOC, etc.
    Delivery Date(s): As needed.

12. P. 39, F.12 – Final Exit Conference for CMS locations, CO Applications, Contractors, DCs, and SSMs
    Recipient(s): CMS ATT, COR, ROs, CMS locations and Applications, Contractors, DCs, and SSMs
    Delivery Date(s): In accordance with the PWP.

13. P. 39, F.13 – Draft Report Issuance for CMS, Baltimore Applications, Contractors, DCs, and SSMs
    Recipient(s): CMS ATT, COR, CMS locations and Applications, Contractors, DCs, and SSMs
    Delivery Date(s): Target date is within two weeks from the exit conference date. Target date for all to be complete is May 31st, 20YY.

14. P. 39, F.14 – Final Report Issuance for CMS locations, Baltimore Applications, Contractors, DCs, and SSMs
    Recipient(s): CMS ATT, COR, CMS locations and Applications, Contractors, DCs, and SSMs
    Delivery Date(s): Target date is within two weeks from the draft report issuance date. Target date for all to be complete is June 15th, 20YY.

15. P. 39, F.15 – Results of Testing and Interim Assurance Statement
    Recipient(s): CMS ATT and COR
    Delivery Date(s): Target date is June 15th, 20YY.

16. P. 39, F.16 – Report on Validation of Previous CMS A-123, CFO, and Selected CMS CAPs
    Recipient(s): CMS ATT, COR, CMS locations
    Delivery Date(s): December 31st, March 31st, June 30th, and September 30th of each fiscal year.

17. P. 40, F.17 – CAP Follow Up Reports
    Recipient(s): CMS ATT, COR, CMS locations and Applications, Contractors, DCs, and SSMs
    Delivery Date(s): Target date for draft is within two weeks from the exit conference date. Target date for final is within two weeks from issuance of the draft.

18. P. 40, F.18 – Updated Assurance Statement and Supporting Information
    Recipient(s): CMS ATT and COR
    Delivery Date(s): Approximately September 15th, 20YY.

19. P. 40, F.19 – Documentation
    Recipient(s): CMS ATT and COR
    Delivery Date(s): In accordance with the PWP.

20. P. 41, F.20 – Required Reports
    Recipient(s): CMS ATT and COR
    Delivery Date(s): TBD.

21. P. 44, C. Work Products and Documentation (Deliverables)
    Recipient(s): CMS ATT and COR
    Delivery Date(s): TBD.

Attachment D: HHS Appendixes

The following HHS Appendixes, referenced throughout this document, may be superseded by updated Appendixes at HHS’ discretion:

HHS Appendix File Attachment

HHS Appendix # | HHS Appendix Name
Appendix II | OMB Circular A-123 Appendix A - Control Matrix
Appendix III | OMB Circular A-123 Appendix A - Design Matrix
Appendix IV | OMB Circular A-123 Appendix A - Test Documentation Matrix
Appendix V | FMFIA Control Deficiency Log
Appendix VI | FMFIA Corrective Action Plan
Appendix VII | A-123 Progress Report
Appendix IX | FFMIA System Compliance Evaluation Tool
Appendix X | Cycle Memo and Flowchart Checklist
Appendix XI | Internal Control Management and Evaluation Tool
Appendix XIII | OpDiv Assurance Statement Examples and Templates
Appendix XIV | Integrity Act Assurance Checklist
Appendix XVII | A-123 Risk Assessment by Major Transaction Cycle Heat Map
Appendix XVIII | OpDiv FFMIA System Inventory