Using a Business Operations Management Approach to Control, Analyze, and Improve Your Information

John Gatto, CISA, CRISC, Divisional VP Audit Services at HCSC
Bobby Koritala, Sr VP of Operations at Infogix, Inc.

Biography
John Gatto, CISA, CRISC, Divisional Vice President Audit Services - HCSC

John Gatto has been with Health Care Service Corporation (HCSC) in Chicago, IL since December, 2005. He is responsible for all aspects of IT Audit for the four Plans comprising HCSC (Illinois, Texas, New Mexico and Oklahoma) and encompasses NAIC / MAR compliance and testing, risk based audits, advisory engagements for new development projects, coordination of SSAE #16 reviews and E&Y Year-End Financial Audits. John is a member of a number of Steering Committees within the IT area of HCSC.

Biography
Bobby Koritala, Sr Vice President of Operations, Infogix, Inc.

Bobby Koritala joined Infogix in 2009 and leads the Marketing and Product Development Group. Prior to this, Bobby served as the Director of Risk Technology Solutions at Protiviti, Vice-President of Investments at Open Prairie Ventures, Director of Applied Technology at Blue Cross Blue Shield, Director of Product Development at Lexis Nexis, and Senior Manager, Software Development at SPSS. Bobby has a Bachelor of Arts degree in computer science and physics from Coe College, a Master of Science degree from the University of Wisconsin, and an MBA from Kellogg School of Management.

We Impact Millions of People. Every Day.
• Health insurance claims
• Property insurance billing
• Utility billing
• Bank statements
• Gift cards
• Mortgages
• Purchases at stores
• Credit card transactions

3/22/2016

Why Do We Exist?
To provide solutions that transform the operations of our customers… thus allowing them to focus on what is most important… their customers.

Our Business Operations Management Suite
• Key Performance and Risk Indicators
• Real-Time Process Performance
• Operational Intelligence
• Operational Reporting
• Analytics
• Balancing
• Reconciliation
• Exception Management

Who We Help
• Executives / Leadership
• Directors / Managers
• Insight
• Analysts / Developers
• Control

Functional Areas We Serve
• Operations
• Finance
• IT

Environmental Challenges in Core Processes
• Lack of real-time operational reporting
• Lack of visibility into your process level information
• Disparate systems and platforms
• Product centric information silos
• Multiple manual steps and semi-automated controls

Our Solutions at Work
• Governance Processes
• Management Processes

Presentation Objectives
• HCSC & Infogix
• NAIC MAR and IT Audit
• Benefits of Insight
• Looking Ahead

HCSC Environment
• Very complex infrastructure
• Very complex applications
• Mainframe and distributed
• Batch
• On-line / real time
• Thousands of interface files
• ACA expanding that problem

Relationship

Infogix Solutions Timeline
[Timeline figure. Years shown: 1982, 1993, 2009, 2011, 2010. Milestones shown:]
• Implemented ACR Summary
• Implemented Insight on 13 Interfaces
• Implemented ACR Detail on MVS
• Started ACR 4.2 Upgrade
• Developed Data Integrity Policy
• Added Insight to all 1,856 ACR Controls

• Many problems arising
• New Solutions Needed

NAIC MAR and IT Audit

What is NAIC MAR?
National Association of Insurance Commissioners Model Audit Rule (NAIC MAR)
• Applicable for all private insurance carriers with written premiums over $500 million
• Similar to the Sarbanes-Oxley Act of 2002 (SOX) in that it has SOX-like compliance requirements
• For MAR compliance, IT is required to:
  – perform self-assessment of internal controls of IT operations
  – strengthen application interface controls over financially significant applications

HCSC Audit Plan
• Risk Based Advisory: 13%
• SOC-1: 8%
• Risk Based Audits: 22%
• MAR: 57%

2012 MAR Hours
• General Controls: 5,110
• Interfaces: 3,450

NAIC MAR Interfaces

MAR System
• A financially significant application / system that is used to support a business process or transaction
• Material to the financial statements

MAR Interface
• A MAR System transmitting data to or “interfacing with” another MAR System
• Source to Target Applications

MAR Interface
Data transmission or feed into a financially significant application, job, or process.
[Diagram: SYSTEM A, Data, IT Controls (Missing File, Duplicate File, Balancing), Data, SYSTEM B]

Interface Metrics
• 50 Target Systems
• 110 Interfaces
• 3 Controls per Interface
  – Missing
  – Duplicate
  – Balancing
• Sample size consists of 25 reports per control

2012 MAR Overview

ITG GC’s
• Application Interfaces
  – 50 unique target systems
  – 110 interfaces
  – balancing
  – duplicate file
  – missing file
  – 5 reports for admin purposes
• IAM (68 applications)
  – Reliance for E&Y
  – SOC-1 – 25
  – Financial – 19
  – Non-reliance – 24
• Risk Management
• Strategic Planning
• Physical Security
• Incident Management
• Change Management
• Release Management
• IT Operations
• AS/400
• SDM

Non-ITG GC’s
• Actuary
• Dearborn National
• Hallmark
• Provider Services

Interface Audits - Back in The Day…
John Gatto, 2006

Real Ugly

Interface Audit Challenges
• Large documentation requests
  – 25 days x 3 controls = 75 Reports
• Longer turnaround for documentation requests
  – At minimum 5 business days
• Auditee availability
• Request helpdesk ticket for each unsuccessful Job
• Review each report in detail to determine control outcome
• IT Audit needs to work around Auditee schedules
• Auditee may need additional time to provide
• Poor visibility into results

Use of Insight

Using Insight
• ITG
• Corporate Governance
• IT Audit

NAIC MAR Project and Insight
• Identified Deficiencies by Internal and External Audit
• Implemented 3 Types of Controls
  – Missing File Check
  – Duplicate File Check
  – Balancing
• Developed coordinated process with Corporate Governance, Internal Controls Evaluation, Internal Audit and ITG Controls group.
• Needed ease of monitoring and testing

Using Insight

The Old Way
• 25 days X 3 controls = 75 reports
• 5 to 10 business days
• Work around auditee schedules
• Additional time could be needed
• Poor visibility into results

Benefits of Insight
• Dashboard vs. paper
• Reports readily available
• No waiting period
• Auditee schedule not impacted
• Linked to Insight
• Immediate availability

View of Controls labeled by Source to Target System
A red gauge indicates an error. The green gauge indicates no errors. An empty gauge indicates that the controls haven’t processed yet for the time frame specified within the filter.

Subview: Balancing, Duplicate Check and Missing File Checks

Execution Results: Job Name, Execution Date, Time and Return Code

Drill Down to Return Code and Error Message

ACR Reports – Detailed Information

Resolution Notes

Looking Ahead
• Implement ACR Unix Controls
• Insight Upgrade 6.3: Send Non ACR Controls to Insight
• Insight Upgrade 6.3: Link to Help Desk
• Continued Development of ACR and Insight Controls

Typical Areas of Application
Claims Data Warehouse Actuarial Reserves Billing Statements Payments Commissions Provider Services Member Services General Ledger Financial Reporting Compliance SOX NAIC MAR Audit Enrollment

How We are Different
• Provide real-time end-to-end process level performance measurement and visibility
• Real-time operational insight into errors and process inefficiencies caused by disparate systems and product silos
• Automate reporting, reconciliations, and controls across your critical business processes

Putting it all Together
Infogix Business Operations Management Solution

Sampling of Our Customers

About Infogix
• Based in Chicago area
• Many customer relationships > 20 years
• Customers include:
  – 20 of the Fortune 100
  – 7/10 of top Commercial Banks
  – 6/10 of top P & C Insurers
  – 3/10 of top Health Insurers

Questions?