Citizens Clearinghouse Project Audit
Audit Opinion: Satisfactory
November 26, 2013
Report Number 2013-AUD-08
Table of Contents
Background
Audit Objectives and Scope
Individual Project Area Ratings
Future Project Deliverables
Audit Opinion
Audit Ratings
Distribution
Executive Summary

Background

During the 2013 session, the Florida Legislature passed SB 1770 which created section 627.3518 of the Florida Statutes. The bill states that in order to confirm eligibility with the corporation and to enhance access of new applicants for coverage and existing policyholders of the corporation to offers of coverage from authorized insurers, the corporation shall establish a program for personal residential risks in order to facilitate the diversion of ineligible applicants and existing policyholders from the corporation into the voluntary insurance market.

Citizens' solution is to establish a Single Entry Multiple Carrier Interface (SEMCI) Clearinghouse, which will provide Florida's homeowners additional options for property insurance coverage in the private market. This will reduce the risk of considerably higher assessments to policyholders, and potentially all Floridians, following a major hurricane or several smaller storms.

The new property insurance coverage clearinghouse, which is scheduled to be launched beginning January 2014, will help agents for both new applicants and current Citizens policyholders identify available property insurance options in the private market. New insurance applicants receiving a private market offer for comparable coverage that is within 15% of Citizens' quote will be required to obtain coverage with a private insurer. Citizens' policyholders will be ineligible for renewal with Citizens if the private carrier offers a rate equal to or less than the Citizens' offer for comparable coverage.

The implementation of the clearinghouse has been identified as the highest priority project for Citizens. Bolt Solutions Inc. has been selected by the Citizens Board of Governors to provide the software platform linking private insurers with consumer insurance agents seeking to renew policies or purchase new coverage with Citizens. The cost of the Bolt contract is not to exceed $44.9 million over 10 years.
Audit Objectives and Scope

The Office of the Internal Auditor's primary focus is to actively participate in the planning, development and implementation phases of the Clearinghouse Project (the Project) in order to provide independent project assurance and support. The objective of the audit is to assess the efficiency and effectiveness of the project methodology and the project's implementation on an ongoing basis.

The results of our audit to date are based upon interviews performed with management, direct observation, and review of applicable documents and testing of certain controls. Particular areas of focus included a review of the following:

• Project Management
    o Status Reporting
• Legal/Regulatory Compliance
    o Personal Information Privacy
    o Website Proper Disclosures
    o Right to Audit / Inspect Vendor
    o Customer Acknowledgment Form
• Training and Communication
• Vendor Contract Controls
    o Privacy, Confidentiality
    o Disaster Recovery/Business Continuity
    o Security Firewalls, Encryption, etc.
    o Liability Insurance Requirements
Individual Project Area Ratings

Project Area/Deliverable Category | Project Deliverable/Artifact | Rating
Legal/Compliance | Vendor Contract, Storyboards, Legal Dept. Review Confirmation | Satisfactory
Vendor Personal Information Privacy | Vendor Contract | Satisfactory
Vendor Website Proper Disclosures | Storyboards / Legal Dept. Review Confirmation | Satisfactory
Vendor Right to Audit / Inspect | Vendor Contract | Satisfactory
Project Management | Project Management Plan document | Satisfactory
Status Reporting | Weekly Status Reports | Satisfactory
Training and Communication | Training and Communication Plans | Satisfactory
Vendor Contract Controls | Vendor Contract / DRP / BCP | Satisfactory
Vendor Privacy, Confidentiality | Vendor Contract | Satisfactory
Vendor Disaster Recovery/Business Continuity | Vendor Contract / DRP / BCP | Satisfactory
Security Firewalls, Encryption, etc. | Vendor Contract | Satisfactory
Vendor Liability Insurance | Vendor Contract / Vendor Insurance Policies | Satisfactory

Future Project Deliverables

As the Project is currently in flight and entering the development and implementation phases there are pending future deliverables planned for the project. The table below lists those deliverables that will be audited either on an ongoing basis or as the deliverables become available.

Project Area/Deliverable Category | Project Deliverable/Artifact | Rating
Implementation | |
Commercial Lines Planning | Commercial Lines Approach Report |
epas System Access Controls | System Screen Scrape / Error Message OIA Review |
Internal Personnel - System Lockout - upon GO Live for new business quotes/applications for HO3 | System Screen Scrape / Error Message |
Allowance for Mgt. override | System Screen Scrape |
Legal/Compliance | Vendor Contract / Storyboards |
Customer Acknowledgement of Offers Received | Customer Acknowledgement Form / Storyboards |
Management Reporting | Management Reports |
Ad-hoc / On - Demand | Management Reports |
Compliance | Management Reports |
Audit Log | Audit Log |
Testing | Test Plan OIA Review |
Vendor Management | |
Vendor Internal Controls | Service Organization Controls (SOC-1) / Statement on Standards for Attestation Engagements (SSAE 16) Report, Disaster Recovery Plan Testing Results, Insurance Policies |
Vendor IT - General/Application Controls | Service Organization Controls (SOC-1) / Statement on Standards for Attestation Engagements (SSAE 16) Report |
Vendor Change Management | Service Organization Controls (SOC-1) / Statement on Standards for Attestation Engagements (SSAE 16) Report |
Vendor Disaster Recovery Testing Results | Disaster Recovery Plan Testing Results |
Vendor Security, Privacy, Confidentiality | Service Organization Controls (SOC-1) / Statement on Standards for Attestation Engagements (SSAE 16) Report |
Volume / Load Testing | Vendor Volume/Load Testing Reports |
Vendor Go Live - both Bolt and Carriers | Vendor Volume/Load Testing Reports |
Vendor Future Growth | Vendor Volume/Load Testing Reports |

Audit Opinion

The overall effectiveness of the processes and controls evaluated during the audit is rated as Satisfactory.

Our audit of the Project Plan, the Action Items List, relevant documents and discussions with Project Team Members and Management, leads us to assess that the Project risks are being managed well and there are no major concerns or issues not being addressed that may impact implementation at this time in our audit. The Project Team has successfully performed, on a few occasions, a live Clearinghouse demonstration in the test environment, where the Agent interface could be observed and an external carrier and Citizens provided a real time quote to an Agent request.

It is difficult for the OIA to ascertain with complete certainty whether the Project will be operationally ready to proceed with the required 'Go Live' date January 2, 2014.
The project's overall status, as indicated by the Project Management Team, is a Yellow, which means that all project deliverables may be at risk of being delivered at the time specified in the project plan due to the fast speed of development and the simultaneous work stream development methodology used to meet the regulatory implementation deadline. Project Management has not been in a position to fully develop a delivery plan to correct the overall project status to Green and has noted the project is to remain in the Yellow status for the remainder of the project's implementation to January 2, 2014.

The OIA has noted certain risks associated with the successful delivery of the Project within the timeframe specified by SB 1770:
1. Carrier Load Capacity: The risk involves the carrier's ability to handle in a timely manner the volume of quotes that will be generated on a daily basis by the Clearinghouse. Bolt Project Team is gathering carrier quoting load capacity testing information in order to assess the level of quoting capacity risk.

We would like to thank management and staff for their cooperation and professional courtesy throughout the course of this audit.
Appendix 1

Definitions

Audit Ratings

Satisfactory: Critical internal control systems are functioning in an acceptable manner. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Corrective action to address the issues identified, although not serious, remains an area of focus.

Needs Improvement: Internal control systems are not functioning in an acceptable manner and the control environment will require some enhancement before it can be considered as fully effective. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some significant areas of weakness. Overall exposure (existing or potential) requires corrective action plan with priority.

Unsatisfactory: One or more critical control deficiencies exist which would have a significant adverse effect on loss potential, customer satisfaction or management information. Or the number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. As a result the control environment is not considered to be appropriate, or the management of risks reviewed falls outside acceptable parameters, or both. Overall exposure (existing or potential) is unacceptable and requires immediate corrective action plan with highest priority.
Appendix 2

Distribution

Addressees
Sarah Harrell, Program Director Citizens Clearinghouse Project
Steve Bitar, Vice President of Agent and Consumer Services

Copies
Tom Lynch, Citizens Audit Committee Chairman
John Wortman, Citizens Audit Committee Member
Juan Cocuy, Citizens Audit Committee Member
Yong Gilroy, Chief Insurance Officer
Barry Gilway, President/CEO/Executive Director
Dan Sumner, General Counsel
Kelly Booten, Chief Systems & Operations
Curt Overpeck, Chief Information Officer
Christine Ashburn, Vice President of Communications
John Rollins, Chief Risk Officer
Deborah Kearney, Ethics and Compliance Officer
Jennifer Montero, Chief Financial Officer
Johnson Lambert, LLP (External Auditors)

Following Audit Committee Distribution
The Honorable Rick Scott, Governor
The Honorable Jeff Atwater, Chief Financial Officer
The Honorable Pam Bondi, Attorney General
The Honorable Adam Putnam, Commissioner of Agriculture
The Honorable Don Gaetz, President of the Senate
The Honorable Will Weatherford, Speaker of the House of Representatives

Audit Performed By Sr. IT Internal Auditor Audit Director Under the Direction of Chris Chester John Fox Joe Martins Chief of Internal Audit