
[IEEE 2012 International Conference on Systems and Informatics (ICSAI) - Yantai, China (2012.05.19-2012.05.20)] 2012 International Conference on Systems and Informatics (ICSAI2012)


978-1-4673-0199-2/12/$31.00 ©2012 IEEE


Fundamental Data Audit for Medical Insurance Fund Management Information System

Feng Wang, Hongmei Zhang, Huifang Hou
College of Information Science and Engineering, Henan University of Technology
Zhengzhou, 450001, P.R. China

Longju Yang
Information Department, Henan Audit Cadre Training Center
Zhengzhou, 450008, P.R. China

Hao Wang, Xiaofu Ba
Yuzhou Municipal Audit Office
Yuzhou, 461670, P.R. China

Abstract—To prevent management risk of the medical insurance fund and to increase the service level, this paper presents a fundamental data audit approach for medical insurance fund management information systems (MIFMIS). It combines manual audit with computer audit. The audit task is accomplished by using internal control audit, application program audit and data file audit. The approach was used in a practical MIFMIS audit case, and some serious irregularities were uncovered, such as absence of strict execution of the internal control system, unsound control measures of application programs in the links of input and processing, and repeated insurance in different systems. The audit conclusions and suggestions have been accepted and rectification measures have been carried out, thus promoting the improvement and perfection of MIFMIS.

Keywords-medical insurance fund management information system (MIFMIS); internal control audit; application program audit; data file audit

I. INTRODUCTION

In Mainland China, medical insurance is an important part of the social security system. It is also an important system that guarantees economic development, social stability, and people's normal and happy lives. With the development of the reform of the basic medical insurance system, the growth of the national income and the enhancement of insurance consciousness, the insurance portfolio is growing rapidly. Therefore, the traditional way of management cannot adapt to the development of medical insurance. The medical insurance fund management information system (MIFMIS) makes full use of modern information technologies to implement the automation of business processing and the centralization of data storage. It simplifies the work procedure, optimizes the management mode, standardizes the business processing, improves the work efficiency and thus promotes the rapid development of the medical insurance system.

The basic medical insurance system is a complicated systematic project because of its wide coverage and the many departments involved. Its management relates to multifarious interests and influences the smooth implementation of medical insurance reform and the progress of building a harmonious society. Therefore, it is very important to perform information systems audit for MIFMIS, which includes the audits of both fund management activity and the whole running process. Such an audit examines the budget and final account, revenue and expenditure, and the legality, authenticity, and validity of management, according to the national laws and regulations. With the rapid increase of the insurance portfolio, the traditional manual audit approach faces a severe challenge because of its drawbacks of high cost, inefficiency, big risk, poor quality, etc. Thus it cannot adapt to the information development, and many computer audit approaches have been adopted to overcome the limitations of traditional methods. However, most of the related works focused on capital audit [1-4], lacking audit on fundamental data. Obviously, the legality and authenticity of insured persons' fundamental data is the key to the subsequent business processing. Therefore, it plays an important role in the audit for MIFMIS. This paper focuses on the fundamental data audit and accomplishes the audit task by internal control system audit, application program audit and data file audit.

II. SUMMARY OF INFORMATION SYSTEMS AUDIT

Traditional audit is a kind of independent economic supervision activity. Auditors perform examination and evaluation on the authenticity and legality of finance, revenues and expenditures and other economic activities. But with the increasing popularization of management information systems, a lot of businesses have become highly dependent on information systems. The informatization of the audit object makes information systems audit inevitable, and it has received much attention in research and applications [5-8].

Information systems audit is the procedure of examination and evaluation of information technology infrastructure, according to generally accepted standards and specifications. It covers the whole processes of building an information system, including system planning, implementation, running and maintenance. It is also a management process to perform the tasks of supervision, evaluation and control on the completeness, validity, efficiency and security of information systems as well as the corresponding businesses. Its aims are to confirm whether the expected business goals are implemented and to put forward a series of improvement suggestions [5]. Compared with the traditional audit, information systems audit enlarges the audit scope and improves the audit efficiency and quality. Though the content of information systems audit differs with the concrete audit purpose, it includes mainly internal control system audit, system development and maintenance audit, application program audit and data file audit [5], [8], as shown in Tab. I.


TABLE I. INFORMATION SYSTEMS AUDIT

| Audit Object | Audit Content | Audit Purpose |
|---|---|---|
| Internal control system | Perform general control audits on system running environment, such as organization and management, system operation, hardware and software, system security, documents, etc. Perform application control audits on input, processing and output of application systems and programs. | Examine the completeness, reasonableness and validity of internal control system. |
| System development and maintenance | Perform audits on activities of system planning, analysis, design, programming, testing, trial operations during the system development and maintenance, as well as the corresponding institutions and documents, etc. | Examine the controlled degree of development and maintenance, the scientificalness, advancement and reasonableness of approaches, as well as the appropriateness of system documents. |
| Application program | Perform audits on the control measures of application programs, the legality of programming, the correctness of calculation and logic function, the efficiency of coding, etc. | Examine the conformity, legality, correctness, reliability and validity of application programs. |
| Data file | Perform direct examination and analytical review audits on paper and electronic business data. | Examine the legality, authenticity and correctness of data file. |

In Tab. I, the internal control system audit denotes the examination and evaluation on soundness and validity of internal control measures of information systems. Only sound and valid internal control measures can guarantee the secure, reliable and valid running of information systems. System development and maintenance audit is the security audit of information systems, which runs through the whole procedure of system construction. Application programs are the cores of information systems. Fair evaluation on the conformity, legality, correctness, reliability and validity of systems can be made only by passing through application program audit. Data processed by information systems directly influence the authenticity, correctness and reliability of output information. Thus data file audit for information systems is an important part in information systems audit and it directly relates to whether the audit conclusions are correct or not.

III. FUNDAMENTAL DATA AUDIT FOR MIFMIS

In MIFMIS, fundamental data are the base of other businesses, such as premium expropriation, payment, etc. The authenticity, correctness and reliability of fundamental data directly influence the authenticity, legality and validity of medical insurance activities. Therefore, the fundamental data play an important role in the secure and reliable running of MIFMIS. In practical application, however, there still exist many problems in the management of fundamental data, such as data irregularity and incomplete information, due to irregular operation, imperfect program control measures and some other management reasons. Meanwhile, there are mainly two kinds of basic medical insurance funds in Mainland China, i.e. the basic medical insurance for urban residents and the new rural cooperative medical insurance. Because the current information construction of medical insurances is not yet perfect, centralized management for the two medical insurances is not realized yet. On the one hand, there is a lot of redundant and garbage information in the systems, due to the repeated construction. On the other hand, information consistency cannot be guaranteed and there also exists a risk of repeated insurance in different systems, for lack of information sharing among systems. This paper focuses on the fundamental data audit for MIFMIS. Approaches of internal control audit, application program audit and data file audit are adopted to perform the audit task in a practical MIFMIS audit case, by combining manual audit with computer audit. The audit flowchart is shown in Fig. 1.

[Flowchart boxes: MIFMIS; DB; Internal control system audit and application program audit; Data file audit; Data acquisition; Data preprocessing; Audit on data appropriateness; Audit on repeated insurance; Audit conclusions and suggestions.]

Figure 1. Flowchart of the fundamental data audit for MIFMIS.

In Fig. 1, internal control system audit and application program audit are used to perform the audit task of data appropriateness while data file audit is used to perform the audit task of repeated insurance.

A. Internal Control System Audit and Application Program Audit

Firstly, a sound internal control system can reduce mistakes, plug up loopholes, ensure the correctness and reliability of input fundamental data, and thus prevent management risk and provide a firm foundation for improving the service level. The internal control system audit was performed by talking with associated personnel, drawing up questionnaires, field observation, examining the organizational structure graph, checking rules and regulations, etc. The audit results showed that the internal control systems and establishments of the audited units were basically sound and reasonable, but there were loopholes during the concrete execution. Some operators didn't input and maintain the fundamental data strictly according to the operating regulations. This is one of the reasons for the inappropriateness of data in the MIFMIS database.

Secondly, application programs are the cores of information systems. If the control measures of application programs are not sound, the correctness of input, processing, statistics, analysis and other data operations cannot be guaranteed. Thus result checking of programs, processing under control and some other computer assisted audit approaches were adopted to perform application program audit in the control link. Meanwhile, investigation, enquiries and some other manual approaches were also adopted to perform the validity, legality and correctness audits of application programs. The audit results showed that the audited systems lacked sound and effective control measures in the links of input and processing. There were many inappropriate fundamental data in the databases. Some insured persons' information was incomplete, e.g. no identification number and/or no home address. Some insured persons' identification numbers were not typed correctly and contained illegal characters and words. For example, there was the Chinese character for "none" in the database of the basic medical insurance for urban residents, while there were the English character "?" and the Chinese characters and words for "line", "unit", "rate", "same" and "name" in the database of the new rural cooperative medical insurance. Because the input control measures of programs were not sound, data with incomplete and/or wrong information were put into information systems. Because the processing control measures of programs were not sound, those incomplete and/or incorrect data from the input link were not examined and denied further processing. Furthermore, there were also defects in database design, where the field of identification number was not defined as the primary key and there were also no restrictions on the field. For these reasons, the correlative processing was influenced seriously. Therefore, unsound control measures of application programs are another important reason for the inappropriateness of data in the MIFMIS database.

Because the internal control system was not executed strictly and the control measures of application programs were not sound, some of the fundamental data put into MIFMIS were inappropriate. Thus the data correctness of statistic, analysis and other processing cannot be guaranteed.
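The input, processing and database-design controls whose absence is described above can be sketched as follows. This is an added example, not code from the audited systems or from the paper; it assumes identification numbers are 18-character resident identity numbers with the GB 11643-1999 check character (the paper does not state the format), uses SQLite, borrows the table and field names from Tab. II, and all sample values are constructed.

```python
import re
import sqlite3

# ISO 7064 MOD 11-2 weights and check characters defined by GB 11643-1999
# (assumed format; the paper does not specify the identification number rules).
WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
CHECK_CHARS = "10X98765432"
ID_FORMAT = re.compile(r"[0-9]{17}[0-9X]")

# Database-design control: id_number is the primary key and carries its own
# restrictions, so a row that bypasses the program is still refused.
SCHEMA = """
CREATE TABLE T_urbanPersons (
    name         TEXT NOT NULL,
    id_number    TEXT NOT NULL PRIMARY KEY
                 CHECK (length(id_number) = 18 AND id_number NOT GLOB '*[^0-9X]*'),
    card_number  TEXT,
    home_address TEXT NOT NULL CHECK (length(trim(home_address)) > 0)
)
"""

def check_char(body17):
    """Check character for the first 17 digits of an identification number."""
    total = sum(int(digit) * weight for digit, weight in zip(body17, WEIGHTS))
    return CHECK_CHARS[total % 11]

def validate_id_number(raw):
    """Input control: return the normalized number or raise ValueError."""
    value = (raw or "").strip().upper()
    if not value:
        raise ValueError("identification number is empty")
    if not ID_FORMAT.fullmatch(value):
        raise ValueError("identification number must be 17 digits plus a check character")
    if check_char(value[:17]) != value[17]:
        raise ValueError("check character does not match")
    return value

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def register(conn, name, id_number, card_number, home_address):
    """Processing control: refuse the record and report why instead of storing it."""
    try:
        clean_id = validate_id_number(id_number)
        with conn:
            conn.execute(
                "INSERT INTO T_urbanPersons VALUES (?, ?, ?, ?)",
                (name, clean_id, card_number, home_address),
            )
    except ValueError as exc:
        return f"rejected: {exc}"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"
    return "accepted"

def demo():
    """Constructed inputs, including the junk values the audit found in id_number."""
    conn = open_db()
    body = "41000019800101001"            # constructed 17-digit body
    good = body + check_char(body)
    attempts = [good, good.lower(), "none", "?", None, body + "0"]
    return [register(conn, "Constructed Person", i, "U-001", "1 Constructed Rd")
            for i in attempts]
```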

B. Data File Audit

In MIFMIS, the legality, authenticity and correctness of the fundamental data file directly influence the businesses of premium expropriation and payment and directly relate to the correctness of audit conclusions. As there are two kinds of basic medical insurance funds in Mainland China, i.e. the basic medical insurance for urban residents and the new rural cooperative medical insurance, correlative government departments have formulated regulations to strengthen standardized management. According to these regulations, if someone's registered permanent residence is changed from country to town, he/she can continue taking part in the new rural cooperative medical insurance and he/she can also take part in the basic medical insurance for urban residents. However, taking part in the two kinds of insurance simultaneously is not allowed. Therefore, Structured Query Language (SQL) analysis was adopted to perform the audit on repeated insurance in the database of MIFMIS, where the fundamental data were limited to the year 2009.

From Fig. 1, it is clear that data file audit consists of data acquisition, data preprocessing and data analysis, which are described in detail respectively in the following sections.

1. Data acquisition

According to the pre-audit investigation and concrete audit requirement, the data sources of insured persons in MIFMIS were firstly established. Then the correlative fundamental data in the audit scope were acquired under the cooperation and support of audited units, where the acquisition procedure was supervised by auditors. Finally, the authenticity and completeness of the acquired data were verified. The acquired insured persons' fundamental data were shown in Tab. II.

TABLE II. THE ACQUIRED INSURED PERSONS' FUNDAMENTAL DATA

| Table Name | Main Fields | Remark |
|---|---|---|
| T_urbanPersons | name, id_number, card_number, home_address, … | Table of the basic medical insurance for urban residents |
| T_ruralPersons | name, id_number, certificate_number, home_address, … | Table of the new rural cooperative medical insurance |

2. Data preprocessing

According to the results of the internal control system audit and the application program audit (refer to Section III.A for detail), the internal control systems of the audited units were not executed strictly and the application programs lacked sound and effective control measures in the links of input and processing. Thus there were inappropriate problems in the fundamental data of the audited MIFMIS, such as incomplete information, incorrect input, etc. To ensure the completeness, authenticity and reliability of audit data, approaches of using audit software, database management system and SQL analysis were adopted to perform the preprocessing tasks of data cleaning and data transformation. Then the data obtained by data preprocessing were further verified, thus meeting the need of audit analysis [9].

3. Data analysis


Once the task of data preprocessing was accomplished, the processed fundamental data in the tables of T_urbanPersons and T_ruralPersons were then imported into the audit software of Auditor Office (AO). And SQL analysis approach was subsequently adopted to perform the audit analysis task of repeated insurance, based on the AO platform. The concrete audit steps are detailed as follows:

Step 1: Filtered the unrepeated identification numbers from the data of the basic medical insurance for urban residents, where the identification numbers were filled completely and appropriately. The selected data were saved into a new table named T_idOfUrbanPersons. The corresponding SQL was:

    -- Distinct, non-null urban IDs, excluding the junk value 'none'
    SELECT DISTINCT id_number
    INTO T_idOfUrbanPersons
    FROM T_urbanPersons
    WHERE id_number IS NOT NULL
      AND id_number NOT LIKE '%none%';

Step 2: Filtered the unrepeated identification numbers from the data of the new rural cooperative medical insurance, where the identification numbers were filled completely and appropriately. The selected data were saved into a new table named T_idOfRuralPersons. The corresponding SQL was:

    -- Distinct, non-null rural IDs, excluding the junk values found in this table
    SELECT DISTINCT id_number
    INTO T_idOfRuralPersons
    FROM T_ruralPersons
    WHERE id_number IS NOT NULL
      AND id_number NOT LIKE '%none%'
      AND id_number NOT LIKE '%line%'
      AND id_number NOT LIKE '%unit%'
      AND id_number NOT LIKE '?'
      AND id_number NOT LIKE '%rate%'
      AND id_number NOT LIKE '%same%'
      AND id_number NOT LIKE '%name%';

Step 3: Filtered insured persons who took part in both the basic medical insurance for urban residents and the new rural cooperative medical insurance from T_idOfUrbanPersons and T_idOfRuralPersons. The selected data were saved into a new table named T_idOfRepeatedPersons. The corresponding SQL was:

    -- IDs that appear in both the urban and the rural ID tables
    SELECT a.id_number
    INTO T_idOfRepeatedPersons
    FROM T_idOfUrbanPersons a, T_idOfRuralPersons b
    WHERE a.id_number = b.id_number;

Step 4: Queried the detail information of insured persons from T_urbanPersons whose identification numbers were contained in the table of T_idOfRepeatedPersons. The corresponding SQL was:

    -- Full urban records of the persons insured in both systems
    SELECT *
    FROM T_urbanPersons
    WHERE id_number IN (SELECT id_number FROM T_idOfRepeatedPersons)
    ORDER BY name;

From the above steps, solid audit evidence was collected, and the audited units confirmed that repeated insurance indeed existed in the database of MIFMIS. In 2009, a total of 27160 persons took part in the new rural cooperative medical insurance and the basic medical insurance for urban residents simultaneously. Such irregularity not only violates the correlative regulations, but also increases the burden of governmental finance.
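Steps 1 to 4 can be run end to end as follows. This is an added example, not the paper's code or the AO platform: it ports the queries to SQLite through Python's sqlite3 (`SELECT ... INTO` becomes `CREATE TABLE ... AS`), every row is constructed, and the `normalize` switch goes beyond the paper to show that an exact string join misses identification numbers that differ only in padding or in the case of a trailing X.

```python
import sqlite3

# Values the paper filters out in Steps 1-2 (English renderings of the junk entries).
JUNK_PATTERNS = ("%none%", "%line%", "%unit%", "?", "%rate%", "%same%", "%name%")

# Constructed rows: (name, id_number, card or certificate number, home_address).
URBAN_ROWS = [
    ("Chen A", "410000198001010011", "U-001", "1 Constructed Rd"),
    ("Chen A", "410000198001010011", "U-002", "1 Constructed Rd"),  # entered twice
    ("Liu B", "41000019750505002X", "U-003", "2 Constructed Rd"),
    ("Wang C", "410000196003030033", "U-004", "3 Constructed Rd"),  # urban only
    ("Zhao D", "none", "U-005", "4 Constructed Rd"),
    ("Sun E", None, "U-006", "5 Constructed Rd"),
]
RURAL_ROWS = [
    ("Chen A", "410000198001010011", "R-001", "Village 1"),
    ("Liu B", " 41000019750505002x ", "R-002", "Village 2"),  # padded, lower-case x
    ("Zhou F", "410000199009090044", "R-003", "Village 3"),   # rural only
    ("Wu G", "?", "R-004", "Village 4"),
    ("Zheng H", "same", "R-005", "Village 5"),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_urbanPersons (name, id_number, card_number, home_address)")
    conn.execute("CREATE TABLE T_ruralPersons (name, id_number, certificate_number, home_address)")
    conn.executemany("INSERT INTO T_urbanPersons VALUES (?, ?, ?, ?)", URBAN_ROWS)
    conn.executemany("INSERT INTO T_ruralPersons VALUES (?, ?, ?, ?)", RURAL_ROWS)
    return conn

def id_expr(normalize):
    # Normalizing makes padded or lower-case entries comparable across systems.
    return "upper(trim(id_number))" if normalize else "id_number"

def extract_ids(conn, source, target, normalize):
    """Steps 1 and 2: distinct, non-null IDs with the junk values filtered out."""
    junk = " AND ".join(f"id_number NOT LIKE '{p}'" for p in JUNK_PATTERNS)
    conn.execute(
        f"CREATE TABLE {target} AS "
        f"SELECT DISTINCT {id_expr(normalize)} AS id_number "
        f"FROM {source} WHERE id_number IS NOT NULL AND {junk}"
    )

def repeated_persons(normalize=True):
    """Steps 3 and 4: IDs present in both systems, then the urban detail rows."""
    conn = build_db()
    extract_ids(conn, "T_urbanPersons", "T_idOfUrbanPersons", normalize)
    extract_ids(conn, "T_ruralPersons", "T_idOfRuralPersons", normalize)
    conn.execute(
        "CREATE TABLE T_idOfRepeatedPersons AS "
        "SELECT a.id_number FROM T_idOfUrbanPersons a "
        "JOIN T_idOfRuralPersons b ON a.id_number = b.id_number"
    )
    rows = conn.execute(
        f"SELECT DISTINCT name, {id_expr(normalize)} FROM T_urbanPersons "
        f"WHERE {id_expr(normalize)} IN (SELECT id_number FROM T_idOfRepeatedPersons) "
        "ORDER BY name"
    ).fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    print("exact join:     ", repeated_persons(normalize=False))
    print("normalized join:", repeated_persons(normalize=True))
```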

C. Audit Conclusions and Suggestions

From the above audit analyses, some serious irregularities in the fundamental data of the audited MIFMIS were uncovered by internal control system audit, application program audit and data file audit. Based on the audit evidence, concrete audit suggestions were put forward for the audited MIFMIS and corresponding management situation. The audit conclusions and suggestions were shown in Tab. III.

TABLE III. THE AUDIT CONCLUSIONS AND SUGGESTIONS

| Audit Item | Audit Conclusion | Audit Suggestion |
|---|---|---|
| Internal control system | The internal control measures were not executed strictly, where some operators didn't input and maintain the fundamental data strictly according to the operating regulations. | (1) Check the identification numbers of insured persons, making sure the field of identification number is not null and conforms to the specifications; (2) Step up tougher enforcement of the existing internal control system on operations. Intensify the cultivation and education of professional ethics and training of laws and regulations. Improve personnel's work responsibility. Intensify the operating training of MIFMIS, avoiding mistakes during the business processing and ensuring the appropriateness, completeness and correctness of input data. |
| Application program | (1) The application programs lacked sound and effective measures in the control links of input and processing. Some insured persons' fundamental information was incomplete, e.g. the fields of identification number and home address were empty. Some insured persons' identification numbers were not typed correctly, and there were illegal characters and words in the field of identification number; (2) There were defects in database design. | Improve the information systems by building sound and effective control measures of application programs. The input data must undergo a process of checking reasonableness and validity, making sure the incorrect and inappropriate data can be detected in time and denied further processing. Thus the unauthorized problem data cannot be input into the database, ensuring the authenticity, completeness and reliability of MIFMIS. Especially for the field of identification number, the system should provide strict control measures, such as judging automatically whether the input number conforms to the rules, showing an error message if there exists a repeated identification number, etc. |
| Data file | In 2009's data of the basic medical insurance for urban residents, a total of 27160 insured persons took part in the new rural cooperative medical insurance at the same time. | Improve further construction of information systems. Upgrade and integrate systems to implement the centralized storage and management of fundamental data. Avoid repeated insurance by information sharing. |


IV. CONCLUSIONS

MIFMIS is an important part of the social security system, which implements the automation of business processing and the centralization of data storage. The secure and reliable running of MIFMIS plays an important role in maintaining social harmony and stability. Therefore, it is very important to perform information systems audit for MIFMIS. With the rapid increase of data in MIFMIS, the audit task cannot be accomplished only by the traditional manual approach. Computer assisted audit approaches should be integrated to overcome the limitations of manual audit and to improve the audit efficiency and quality. Fundamental data are the base of other businesses in MIFMIS. This paper focuses on the audit task of fundamental data in MIFMIS. Through combining traditional manual audit with computer audit, the task is accomplished by performing audits on internal control system, application program and data file. In a practical MIFMIS audit case, some serious irregularities were uncovered, such as absence of strict execution of internal control system, unsound control measures of application programs in the links of input and processing, imperfectness of database design, and repeated insurance in different systems. The audit conclusions and suggestions have been accepted and the corresponding rectification measures have been carried out, thus promoting the improvement and perfection of MIFMIS.

ACKNOWLEDGMENT

This work was supported by the Doctoral Foundation of Henan University of Technology under Grant 2010BS009.

REFERENCES

[1] R. H. A, “Contents and methods of the internal audit of the medical insurance fund,” Shanxi Science and Technology, no. 6, pp. 25-26, 2008.

[2] Y. Jiang, “Information systems auditing practice of medical insurance fund,” Audit Monthly, no. 3, pp. 26-28, 2009.

[3] J. H. Hou, “Discussion on the information systems audit of new rural cooperative medical fund,” Audit Monthly, no. 5, pp. 40-41, 2010.

[4] Y. Liu, “Audit supervision of payment risk of social pension insurance fund,” Journal of Qingdao Technical College, vol. 23, no. 3, pp. 83-86, 2010.

[5] J. C. Zhang, Information Systems Audit, Beijing: Tsinghua University Press, 2009.

[6] C. Allinson, “Information systems audit trails in legal proceedings as evidence,” Computers & Security, vol. 20, no. 5, pp. 409-421, 2001.

[7] W. Chen, H. Wang, and W. M. Zhu, “Study on data-oriented IT audit used in China,” Proc. of the 11th Joint Intern. Computer Conference. Singapore: World Scientific Publishing, pp. 666-669, 2005.

[8] Western Australia. Office of the Auditor General, Information systems audit report, West Perth, W.A. : Office of the Auditor General, 2011.

[9] W. Chen, S. F. Liu, and R. B. Qiu, “Study on audit data quality assessment methods,” Computer Engineering and Applications, vol. 44, no. 3, pp. 20-23, 2008.