North Carolina’s Medicaid Control Environment, Risk Management Practices, and Governing Processes Were Assessed as Moderate Risk
Overall Conclusion
Overall, the audit determined that North Carolina's Medicaid control environment, risk management practices, and governing processes operate at a moderate risk level, with three risk areas rated high and three rated moderate; the State agency has implemented numerous controls but faces gaps in governance structure, strategic planning, performance management, ERM strategy, and compliance frameworks that could affect program integrity and outcomes.
Audit Scope
Scope: The OIG performed a risk assessment of the North Carolina Department of Health and Human Services, Division of Health Benefits (State agency) for SFY 2022 (July 1, 2021 – June 30, 2022), aligning with the launch of managed care in North Carolina. The assessment considered recent data relative to the transformation and identified 6 risk areas and 25 sub-risk areas using the COSO ERM framework, GAO Green Book principles, and Federal Internal Control Requirements under 45 CFR § 75.303. The scope encompassed governance and culture; strategy and objective-setting; performance; review and revision; information, communication, and reporting; and federal internal control requirements. The work included an assessment methodology, questionnaires, documentation review, interviews, and a risk heat map. It concluded that overall risk was moderate and discussed implications for the ongoing transition to managed care. The assessment did not test transactions but reviewed program areas across Medicaid, including recipients’ eligibility, provider enrollment, payments, data systems, contract monitoring, and financial management. Appendix D provides the complete risk assessment.
Key Findings Summary
Review and Revision: With the transition to managed care, there was no formal ERM strategy and there were no policies governing ERM. The sub-risk areas Reviews Risk and Performance and Pursues Improvement in ERM were rated high because formal policies for performance assessment were missing and the ERM strategy was not documented.
Governance and Culture: The State agency established oversight bodies and committees, but several governance and structure controls were not fully defined. Two sub-risk areas (Defines Desired Culture and Demonstrates Commitment to Core Values) were low risk, while Exercises Board Risk Oversight and Establishes Operating Structures were moderate risk, and Att…
Strategy and Objective-Setting: The sub-risk areas Analyzes Business Context and Defines Risk Appetite were moderate; Evaluates Alternative Strategies and Formulates Business Objectives were high risk due to lack of formal external environment assessments, no defined risk appetite, no documented objectives, and absence of formal performance measures.
AI Scope Summary
Assess and improve North Carolina’s Medicaid program governance, risk management, and internal controls, focusing on the transition to managed care, to determine risk levels and recommend mitigation actions.
AI-Generated Insight
This audit highlights the challenges states face in aligning the rapid transformation of Medicaid programs with robust governance and risk management. While North Carolina instituted several risk-aware practices during its transition to managed care, gaps in formal ERM strategy, objective-setting, and compliance monitoring left several high-risk areas under-addressed. Implementing an enterprise risk management program and standard internal controls would help NC DHHS strengthen program integrity, ensure regulatory compliance, and improve resource allocation as Medicaid evolves.