Apex Healthcare, Inc.
SOC 1 Type II Report

Report on the Suitability of the Design & Operating Effectiveness of Controls from October 1, 2012 through September 30, 2013

Confidential SOC 1 Type II Report

Contents

SECTION I: INDEPENDENT SERVICE AUDITOR’S REPORT
SECTION II: MANAGEMENT ASSERTION
SECTION III: DESCRIPTION OF APEX HEALTHCARE’S SYSTEM AND ASPECTS OF UI’S SYSTEM
A. Company Overview
B. Scope of This Report
C. Systems Overview
D. Overview of Company-Level Internal Control
E. Overview of the Claims Administration System
F. Overview of General Information Technology Environment
G. Complementary User Entity Controls
SECTION IV: INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS
SECTION V: OTHER INFORMATION PROVIDED BY APEX HEALTHCARE, INC.
Disaster Recovery and Business Continuity Plans

Section I: Independent Service Auditor’s Report

Apex Healthcare, Inc.
Naperville, Illinois

Scope

We have examined Apex Healthcare, Inc.’s (Apex) description of its claims administration system for processing the University of Illinois’ (UI) transactions throughout the period October 1, 2012 through September 30, 2013 and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in Section III (the description). The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of Apex’s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

Service organization’s responsibilities

In Section II of this report, Apex has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. Apex is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.
Service auditor’s responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period October 1, 2012 to September 30, 2013.

An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness of the service organization’s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved.
An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described in the assertion in Section III of this report. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent limitations

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, in all material respects, based on the criteria described in Apex’s assertion in Section II of this report,

a. The description fairly presents Apex’s claims administration system to process transactions for its user entity that was designed and implemented throughout the period October 1, 2012 through September 30, 2013.

b. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period October 1, 2012 through September 30, 2013 and user entities applied the complementary user entity controls contemplated in the design of Apex’s controls throughout the period October 1, 2012 through September 30, 2013.

c. The controls tested, which together with the complementary user entity controls referred to in the scope paragraph and in Section III of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period October 1, 2012 through September 30, 2013.

Description of tests of controls

The specific controls tested and the nature, timing, and results of those tests are listed in Section IV of this report. However, the scope of our engagement did not include tests to determine whether controls not listed in Section IV were achieved; accordingly, we express no opinion on the achievement of controls not included in Section IV.

Other Information

The information in Section V describing Apex’s Disaster Recovery and Business Continuity Plans is presented by Apex to provide additional information and is not a part of Apex’s description of controls that may be relevant to user organizations’ internal control as it relates to an audit of financial statements. Such information has not been subjected to the procedures applied in the examination of the aforementioned description of Apex controls, and accordingly, we express no opinion on it.

Restricted use

This report, including the description of tests of controls and results thereof in Section IV of this report, is intended solely for the information and use of Apex, UI during some or all of the period October 1, 2012 through September 30, 2013, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about the controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than those specified parties.
December 4, 2013
Chicago, Illinois

Section III: Description of Apex Healthcare’s System and Aspects of UI’s System

A. COMPANY OVERVIEW

Apex Healthcare, Inc. (Apex or the Company) is a Naperville, Illinois based company providing third party benefit administration services, including on-line eligibility, enrollment and eligibility administration, member and provider service management, capitation and financial management, information management, authorization and referral management, quality assurance and control and utilization review. Apex’s expertise in benefits outsourcing coupled with state-of-the-art IT systems provide organizations with the streamlined benefits administration and seamless system integration of functions necessary to achieve improvements in the administration of their benefit programs.

The Company utilizes a custom-developed application to administer its portfolio of services. Its custom-developed claims administration application software is used as an internal product for fully outsourced administration.

The Company focuses on offering flexible administration solutions. Clients can choose from a fully bundled services package or a variety of specific options that meet their needs.

B. SCOPE OF THIS REPORT

Scope

For the purposes of this report, the claims administration system includes the following performed solely for the benefit of Apex’s client, the University of Illinois (UI):

• Eligibility Administration
• Claims Processing and Reimbursement Administration
• Customer Service Administration
• Utilization Management

This report covers the service offering described above for the period from October 1, 2012 through September 30, 2013.
Changes in the Internal Control Environment

Apex implemented the following changes to its service offering and related internal control (refer to Section Four to cross reference to control activities shown below):

Change | Control activity | Effective
Decreased the frequency in reviewing claims aging from bi-weekly to monthly | 3.6 | October 1, 2012
Management determined that these control activities were no longer key.
Information is downloaded from the website by a person independent of those responsible for uploading data to Apex's system. | PY A.2.1 | October 1, 2012
USB ports, CD-Rom drives and other hardware equipment allowing the capability to retrieve data have been removed or disabled. The ability to retrieve data is restricted to management's computers and computers that reside in the server room. | PY B.2.3 | October 1, 2012

Subsequent Events

Management is not aware of any relevant events that occurred subsequent to September 30, 2013 through the date of the service auditor’s report that would have a significant effect on management’s assertion.

C. SYSTEMS OVERVIEW

The claims administration system consists of the Eligibility Administration and Claims Reimbursement applications.

Eligibility Administration Application

The Eligibility administration application is a custom-developed, eligibility, enrollment and data exporting/importing application enabling the Company to fully automate and simplify eligibility administration. Custom-designed by senior management with over 15 years combined experience in benefits administration, the eligibility application is the primary software solution for the administration of eligibility and enrollment services. The application also feeds information to facilitate other services, such as claims reimbursement, capitation management, utilization management and reconciliation. Participant account inquiries are facilitated via call center functionality.
Claims Reimbursement Application

The claims reimbursement application is a custom-developed package for the processing of reimbursement claims, paper and electronic submissions, check generation, letter generation and report generation.

The Eligibility Administration and Claims Reimbursement applications (Dbase applications) are developed in-house by experienced benefit programmers. The Dbase applications run on redundant Windows XP servers in a load-balanced and fail-over scheme to provide the best possible service to UI’s professionals and employees. The program is written in Dbase. The Dbase applications and the databases reside on Apex’s servers.

D. OVERVIEW OF COMPANY-LEVEL INTERNAL CONTROL

Control Environment

The Company’s internal control process is designed to provide reasonable assurance that the achievement of reliable, effective and efficient operations and compliance with applicable laws and regulations are met. The following describes the components of those control processes.

The Chief Executive Officer monitors overall activities at the Company and primarily works with new client acquisitions. Senior and supporting management consists of a Director of Operations, Director of Information Technology, Director of Claims Administration and Director of Utilization Management.

The Claims Reimbursement Department is responsible for coordinating and processing the payments of incoming claims using the claims reimbursement application. In addition, the department updates participant account balances, accepts new enrollments and terminates accounts via client and participant notifications.

The Customer Service Department is responsible for assisting callers with general questions on benefit plans, enrollments and claims reimbursement issues. In addition to calls, the Customer Service Department assists participants via an e-mail program.
The Information Technology Department is responsible for the Dbase applications development and the related life cycle of the Company’s proprietary claims administration system. Additionally, the Information Technology Department is responsible for maintaining the Company’s network, information security and internet technologies.

Management Philosophy and Operating Style

The Company’s senior management team believes that clients are best served when senior management is heavily involved on a day-to-day basis. The team works to provide cost efficient and quality services to managed healthcare providers in the day-to-day operations of the business, along with addressing significant business issues. Additionally, the highly qualified employees of the Company are given the appropriate training that is necessary to properly serve clients. This enables the employees to have the knowledge and skill set necessary to respond to clients efficiently.

Personnel Policies and Procedures

Hiring Process

Due to the confidential and highly regulated nature of the Company’s business, every new hire goes through a thorough background check and screening process. Background checks are performed by an independent agency contracted by the Company. The Company only hires the most qualified employees to ensure individuals can effectively perform their given roles and responsibilities. The Company works hard to minimize employee turnover in order to increase efficiency within each department and provide the highest level of service to customers.

Training