Auditing Risk-Bearing Contracts: Mitigate Transaction Processing Exposure

A version of this article was previously published in the summer 2018 edition of New Perspectives, Association of Healthcare Internal Auditors.

The increasing use of risk-bearing contracts poses significant challenges to providers as fee-for-service reimbursement models become increasingly obsolete. The shifting of portions of financial risk from health plans to providers requires taking on unfamiliar and complex responsibilities in providing health care services. Unique supporting functions need to be in place to process, pay, and account for claims.

Internal audits of risk-bearing contracts can reduce a provider’s financial exposure by helping ensure proper processes and controls have been established to achieve financial data integrity, comply with contractual performance obligations, and improve operations. Auditing the transactional infrastructure can help detect payment and reporting errors before they become a costly problem.


Providers and payers are entering into contracts or new payment models that expose the provider to financial uncertainty. Under these risk-based contracts, providers agree to deliver specific health care services for a stated amount prior to rendering those services. A contract may also require the sharing of risk between the provider and payer to create financial incentives for the provider to improve the quality of care or service delivered and control costs.

The capitation-arrangement model is a common example of this type of agreement. It requires a fixed per member, per month payment to the provider for covered health care services, whether those services are rendered to enrollees or not. A provider operating under a capitation agreement stands to either gain or lose income depending on the efficiency and cost effectiveness of its services.

Common risk-bearing arrangements are summarized in Exhibit One. Each type of risk-based contract can benefit from the assurance provided by internal audit.

Exhibit One: Risk-Bearing Arrangements

  • Capitation arrangements. Payments are made based on a per-member monthly fee with no regard to services rendered.
  • Bundled payments. Payments to the provider are determined by episodes of care rather than specific services performed.
  • Shared savings and shared loss. Typically added to fee-for-service contracts, providers are financially rewarded for achieving established quality standards and cutting costs.
  • Risk pools. Agreements between providers that share favorable and unfavorable financial outcomes of certain insurance plans.
  • Self-insurance. Organizations don’t purchase health insurance for their employees and instead self-insure for those costs.

Claims Processing Basics

A claims processing function is typically divided into three roles:

  • Claims processors conduct daily reviews and adjudication of electronic and paper claim submissions.
  • Auditors review system edits and the claims processors' daily work prior to the check-posting date. 
  • Claims analysts manage post-payment readjudication, including tasks such as processing overpayments, adjustments, provider disputes, and corrected claims.

Organizations may outsource components of this process; however, it’s still important for decision makers within those organizations to understand the basics of how their claims processing function works. This knowledge allows the internal control activities of the third-party service organization to be appropriately monitored and the performance of the service organization to be effectively evaluated. 

Audit Approach

A successful audit begins with an overarching work plan, including the identification of the key risks and controls that will be involved.

Establish the Audit Scope and Objectives

Identify all of the existing contractual and legal risk-bearing arrangements and gain an understanding of the underlying contracts as well as the related legislation, if applicable. Establishing a complete list of all in-scope arrangements can be difficult, so consider looking at payment streams and working backwards to identify the arrangements. Also, consider what the focus of the audit is—whether determining if reported metrics are correct, claims are properly processed, or the process is properly monitored and the necessary financial reporting controls are in place.

Communicate with Stakeholders

Discuss the processes already in place with the process owners, making sure the objectives of the audit are understood by each stakeholder. Consider any available documentation to understand the processes, policies, and procedures. Questionnaires can be helpful in obtaining information.

Walk Through a Sample of Transactions

Deepen your understanding of the processes you’ve already discussed with the stakeholders by walking through a sample of transactions in detail to see what is happening in practice. The goal is to understand the design of the related internal controls and to verify that they’re implemented properly.

Review Results

Consider if any significant gaps exist in the design or implementation of the internal controls and decide where to focus testing efforts.

Test Key Control Objectives

Once you’ve selected the key controls to test, take the time to fully understand the population you’ll be testing and select the most effective and efficient way to design the testing procedures. Sampling will be the best choice in many cases, but look for opportunities to use data analytics to test the entire population. With your testing results, you can make actionable observations at a granular level regarding the operating effectiveness of controls.

Compile and Communicate Findings

When communicating the audit findings with stakeholders, highlighting value is important. Providing a better understanding of unmitigated risks is of great benefit. Additionally, you can supply your organization with something that may not have previously existed—a list of all risk-bearing contracts. Key stakeholders will gain a better understanding of how many contracts exist, who is monitoring those contracts, and the aggregate financial magnitude of those arrangements.

Key Controls

One of the more challenging aspects of this audit is the identification of key risks and determining if significant risks lack associated control activities. Here are some of the key financial processing and reporting risks and related controls.

Claims Disbursement

The primary function of claims disbursement controls is to make sure that claims correctly reflect the actual service performed and provide the information required by contractual agreements. Before testing the more specific control activities, basic claims disbursement controls should be evaluated to help verify that claims payments are accurate, authorized, and complete, and that the process is being appropriately monitored.

Claims Processor

Each processor should be appropriately trained in claims processing, overpayment recovery, claims adjustments, and claims corrections. Management should periodically assess the adequacy of processors' skill sets for their assigned responsibilities.

Segregation of duties among processors, auditors, and analysts within the claims process is also important. No one should have the ability to both initiate a claim and approve it for payment. Also, individuals auditing claims shouldn’t be initiating or approving claims.

Receipt of Claims

Providers may receive claims for medical services from others, such as in a capitated arrangement, and a payment is necessary. Most claims are received electronically or through a scanning mechanism, so controls over the receipt of claims should provide secure and complete processing.

If claims are received manually, the claims date stamp must accurately reflect when they were received and processed. Providers should evaluate the effectiveness of key controls of third-party service organizations if their controls are relied on.

Claims Logging

Providers should have established controls to help verify the proper logging of claims upon receipt. The turnaround time for claims processing should allow for secondary review of the claim by department supervisors before it’s submitted. We’ll discuss secondary reviews in further detail later.

Common controls include:

  • Monitoring lags in claims processing times with business partners
  • Batching claims logged daily as they are received from the scanning vendor
  • Conducting daily reconciliations of scanning vendor statements to confirm claim submission counts

When reconciling the statements of scanning vendors, providers should expect few differences, and evidence of the investigation should be maintained when follow-up is necessary.

Out-of-Network Providers

Since an organization may not be able to provide all the medical services needed in a risk-bearing arrangement, contracts will be executed with out-of-network providers and suppliers. Procedures and controls are necessary for managing this contracting.

The organization’s data management department should follow up with the provider and request more information when necessary to process claims. Edit reports can be used to flag providers that aren’t in the claims system. Regular reviews should identify non-contracted providers over a certain dollar amount or number of claims. 

Contracted Rates

The terms of contracts can change, so management should review, modify, and update contracted rates on a basis that’s appropriate for the payer. For example, Medicaid and Medicare rates should be updated quarterly. Quality reviews of master files, including reasonableness checks, should be considered after every set of rate changes.

Secondary Review

A secondary review of claims over a certain dollar threshold prior to processing can be an effective claims control. Policies and procedures defining the rigor of the secondary review and how it should be documented need to be established. During your audit, you should consider the effectiveness of the policy as well as the skillset and knowledge of those performing secondary reviews. In some organizations, a C-suite executive reviews all six-figure claims.

Automated controls can be designed to trigger medical reviews prior to payment for claims over a specified dollar amount or for those with edits.

Turnaround Time

Claims processing turnaround times can be subject to legal and regulatory requirements as well as contract terms. Controls should verify processing happens in a timely manner while allowing for the conduct of needed secondary reviews. Also, lag time in claims processing by business partners should be monitored.

Claims System Modifiers

Claims processing systems generally include edits for place of service, type of service, bundled services, global period, and other modifiers. Monitoring the types and quantities of corrections made to these edits can flag potentially significant claims errors for root cause analysis and remediation.

Common controls can include:

  • Built-in claims system edits that flag potential issues with modifiers to allow for audits of claims payments
  • Procedures ensuring the flagged claims are followed up on and that there’s an analysis for root cause as well as necessary fixes to the process
  • Automatic or manual checks to identify and deny potential duplicate claims when key data elements match, such as date of service, provider and procedure code
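As an added illustration (not from the original article), the sketch below runs three of the controls described so far over an entire claims population rather than a sample: the duplicate-claim match on key data elements, segregation of duties between initiator and approver, and secondary review above a dollar threshold. The field names, the inclusion of the member in the duplicate key, the 100,000 threshold, and the sample rows are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

FIELDS = ("id", "member", "dos", "provider", "proc", "amount",
          "initiated_by", "approved_by", "second_reviewer")

# Constructed sample population (hypothetical schema, not real claims data).
ROWS = [
    ("C1", "M1", date(2018, 3, 1), "P100", "99213", "120.00", "alice", "bob", None),
    ("C2", "M1", date(2018, 3, 1), "P100", "99213", "120.00", "carol", "bob", None),
    ("C3", "M2", date(2018, 3, 2), "P200", "27447", "150000.00", "alice", "bob", "dana"),
    ("C4", "M3", date(2018, 3, 3), "P200", "27447", "140000.00", "alice", "bob", None),
    ("C5", "M4", date(2018, 3, 4), "P300", "99214", "180.00", "carol", "carol", None),
    ("C6", "M5", date(2018, 3, 5), "P300", "33533", "110000.00", "alice", "bob", "bob"),
]
CLAIMS = [dict(zip(FIELDS, r), amount=Decimal(r[5])) for r in ROWS]


def find_duplicates(claims, key=("member", "dos", "provider", "proc")):
    """Group claim ids whose key data elements all match; return groups of 2+."""
    groups = defaultdict(list)
    for c in claims:
        groups[tuple(c[k] for k in key)].append(c["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def sod_violations(claims):
    """Claims where the same person both initiated and approved the payment."""
    return [c["id"] for c in claims if c["initiated_by"] == c["approved_by"]]


def review_exceptions(claims, threshold=Decimal("100000")):
    """Claims at or above the threshold with no independent secondary review."""
    flagged = []
    for c in claims:
        if c["amount"] < threshold:
            continue
        reviewer = c["second_reviewer"]
        # A reviewer who also initiated or approved the claim is not independent.
        if reviewer is None or reviewer in (c["initiated_by"], c["approved_by"]):
            flagged.append(c["id"])
    return flagged


if __name__ == "__main__":
    print("duplicates:", find_duplicates(CLAIMS))
    print("segregation of duties:", sod_violations(CLAIMS))
    print("secondary review:", review_exceptions(CLAIMS))
```

Each flagged claim id is a lead for follow-up and root cause analysis, not a confirmed error.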

Error Corrections

Identified payment errors need procedures to ensure correction and, in the case of an overpayment, the initiation of the recovery process.

Consider the effectiveness of information technology tools, such as the front-end editor, in the oversight and management of rules. Errors found prior to posting should be corrected by the processor who made the error, and errors found after payment should be logged on an error report and corrected by the claims analysts.

Dual Eligibility

Plan members with dual insurance eligibility, commonly both Medicare and Medicaid coverage, need to have their benefits coordinated. If dual-eligibility patients are processed in separate systems, manual processes may need to be established and monitored to synchronize those systems for a single claim.

Claims Payment Batch Processing

Claims batches should be verified for completeness and accuracy prior to issuance of claims payments. Risks to consider include whether or not batch files are editable and if accounting personnel or others can change claim amounts. If the claims batch can be changed, there’s an increased risk of errors and misappropriation of assets. 

It’s also important to evaluate the controls for the setup of new claims payees and vendors and check for adequate segregation of duties. No individual with responsibility for processing claims should issue claim payments.

Claims Processing Accounting

Reconciliations should be performed between the claim batches in the claims processing system and the batches processed by the accounting system. A reconciliation process, including evidence of management’s review, will support the integrity of the recorded claims expense.

Procedures should exist to verify all claims processed in the claims system are coded to general ledger accounts. Claims system reports should be used as the basis of journal entries to record check run totals in the accounting system. If a significant number of general ledger accounts are used, assess the need for that practice.
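The following added example (not part of the original article) sketches the batch reconciliation described above and ties it to the earlier risk of editable batch files: besides comparing claim counts and totals, it compares a SHA-256 digest of each batch's contents, which catches a changed payee or offsetting amount edits that leave the total intact. The batch layout, the digest technique, and the sample data are assumptions constructed for illustration.

```python
import hashlib
from decimal import Decimal


def batch_digest(lines):
    """SHA-256 over sorted 'claim_id|payee|amount' lines, so row order is irrelevant."""
    canon = "\n".join(sorted(f"{cid}|{payee}|{Decimal(amt):.2f}"
                             for cid, payee, amt in lines))
    return hashlib.sha256(canon.encode()).hexdigest()


def summarize(lines):
    return {"count": len(lines),
            "total": sum(Decimal(amt) for _, _, amt in lines),
            "digest": batch_digest(lines)}


def reconcile(claims_sys, accounting):
    """Compare batches by id and return a sorted list of (batch_id, issue)."""
    issues = []
    for bid in sorted(set(claims_sys) | set(accounting)):
        if bid not in accounting:
            issues.append((bid, "missing_in_accounting"))
            continue
        if bid not in claims_sys:
            issues.append((bid, "not_in_claims_system"))
            continue
        src, dst = summarize(claims_sys[bid]), summarize(accounting[bid])
        if src["count"] != dst["count"]:
            issues.append((bid, "count_mismatch"))
        if src["total"] != dst["total"]:
            issues.append((bid, "amount_mismatch"))
        elif src["digest"] != dst["digest"]:
            # Totals agree but the contents differ, e.g. a payee was changed.
            issues.append((bid, "content_changed"))
    return issues


# Constructed sample batches: (claim_id, payee, amount) per line.
CLAIMS_SYSTEM = {
    "B1": [("C1", "P100", "120.00"), ("C2", "P200", "80.00")],
    "B2": [("C3", "P300", "500.00"), ("C4", "P300", "250.00")],
    "B3": [("C5", "P400", "900.00")],
    "B4": [("C6", "P500", "60.00")],
}
ACCOUNTING = {
    "B1": [("C2", "P200", "80.00"), ("C1", "P100", "120.00")],   # same content, reordered
    "B2": [("C3", "P300", "500.00"), ("C4", "P300", "2500.00")],  # amount edited
    "B3": [("C5", "P999", "900.00")],                             # payee edited, total unchanged
    "B5": [("C7", "P600", "75.00")],                              # no source batch
}

if __name__ == "__main__":
    for batch_id, issue in reconcile(CLAIMS_SYSTEM, ACCOUNTING):
        print(batch_id, issue)
```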

Performance Metrics

Specific measurements and metrics should be in place to evaluate the overall performance of the claims function at the department level and at the individual processor level. Claims inventory should be measured and monitored to verify claims don’t remain in a pending status for too long. Production and quality are the two major categories of metrics.

Production metrics can include:

  • Intake. Total number of claims received over a period of time
  • Number of claims finalized. Total number of claims finalized over a period of time
  • Production cycle. Number of days it takes to process a claim from the time it’s received

Quality metrics can include:

  • Financial accuracy. Dollars paid in error
  • Processing accuracy. Number of claims with processing errors
  • Payment accuracy. Number of claims with incorrect payments

Many organizations evaluate production, but evaluating quality isn’t as common. Both are needed for effective monitoring. If metrics don’t exist, they should be established. Also, when evaluating performance for individual processors, other factors, like contract complexities; existence of embedded tools, including auto adjudication; and system setup, need to be considered.

Communication and Training

Identifying claims processing errors and acting to prevent their reoccurrence are key activities. Often, organizations find errors and correct the payments, but the root cause isn’t always determined and communicated to the processors.

Verify that a process exists to perform a root cause analysis on certain types or groups of errors and that this analysis is happening on a timely basis and in an effective manner. Once corrections have been made, major error patterns should be routinely aggregated and communicated to claims processors. The communication can be accomplished in a variety of ways, including through training and policy and procedure modification.


Procedures should be in place to ensure that recoveries of overpayments are realized. Monitoring controls should also exist to verify that follow-up complies with organizational policy.

Key policy elements include the timing and form of the initial recovery communication as well as expectations on follow-up after that point. A best practice, for example, is that a second communication goes out 30–45 days after the first communication—and with more stern language—and after 45 days, that claim is offset against future payments.

Many organizations don’t understand their regulatory rights to realize recoveries through credit balance offsets. While systems limitations could be a related impediment, credit balance offsets can be a significant source of recoveries and should be considered.

Common collection follow-up processes include second letters, phone calls, and emails.

Lag Tables

Incurred but not yet reported (IBNR) liabilities need to be estimated for financial statement reporting. Reserve amounts are established to reflect expenses that have occurred but haven’t yet been reported for claims processing. Lag tables use historical data to estimate the span of time between the occurrence of claims and the dates when they are first reported.

The accuracy of the related source information is essential. If an actuarial specialist is used, they will typically not take responsibility for the data provided to them for their computations of IBNR. Because of this, organizations may want to test the completeness and accuracy of the historical data they supply. A process for how the actuarial work is supervised by management should also be in place.

If an actuary isn’t involved, organizations will also want to assess the reasonableness of their method for calculating their IBNR, in addition to evaluating the completeness and accuracy of the data. Procedures could include locking spreadsheets after the calculations are finalized to help protect the data.


Health care organizations need to design and implement processing infrastructure with robust controls to support risk-bearing contracts and increase their revenue from these arrangements.

Properly controlled business processes can help ensure that their financial exposure is well managed. A comprehensive internal audit approach will allow organizations to objectively assess their capabilities and reduce the risk of managing risk-bearing contracts.

We’re Here to Help

To learn more about how risk-bearing contracts could impact your health care organization, please contact a Moss Adams professional.
