16 December 2021
This document is intended for the signers of Pooling Participants’ compliance certificates, as well as anyone wanting to understand the process, its checks and, more specifically, the Pooling Participant audit.
Adopted by the Board of Directors on December 3, 2021
As required under section 43 of the Act Respecting Prescription Drug Insurance, all insurers and employee benefit plan administrators (the Participants) are required to share the risks involved in the costs of drugs for residents of Quebec according to mutually agreed-upon criteria.
To meet this obligation, the industry set up a risk-sharing system (Pooling). The Quebec Drug Insurance Pooling Corporation (QDIPC) is the organization that manages this system. It is the only organization recognized for this purpose by the Government of Quebec. Its role is to ensure that the Pooling process operates properly.
With this in mind, the QDIPC adopted a Pooling Participant Audit Policy. This policy allows it to verify information submitted by Participants during the compensation process.
What is a Participant Audit?
Every year, the Participants send the QDIPC data used to establish compensation among them. They declare that the information is complete, accurate, verifiable and in compliance with the rules established by the QDIPC by signing a compliance certificate [1]. The purpose of the audit is to verify some of these declarations.
[1] For questions related to signing the compliance certificate, refer to the explanatory QDIPCinfo – Compliance Certificate: a responsibility devoted to this topic.
Why is the Participant audit carried out?
Apart from the usual checks carried out annually, all Participants periodically undergo compliance audits.
The audit process allows the QDIPC to verify that the data submitted by the Participant properly reflect the Pooling rules, mainly the Pooling terms and conditions, the rules for setting the size of groups [2] and the statements made in the compliance certificate.
The audit process also allows the QDIPC to be aware of new market practices. It can thus detect new risks and any potential inequity that could impact the Pooling process and undermine the system.
In so doing, the QDIPC fulfills its mandate, which consists of ensuring the sound management of the Pooling system by seeing to it that the process distributes pooled claims fairly among the Participants.
[2] For questions related to the determination of group size, refer to the explanatory Terms of Application – Group Size.
What are the responsibilities of the different stakeholders?
- The Board of Directors
The Board of Directors is responsible for the periodic review of the Pooling Participant Audit Policy.
- The Audit Committee
The Audit Committee is responsible for the implementation of the Audit Policy. It recommends to the Board of Directors the choice of an auditor, who must be independent of the Corporation and the Participants. Note that the oversight and supervision of a Participant’s audit fall under the responsibility of the Audit Committee. This Committee is made up of members without any ties to Quebec’s Drug Insurance industry and is independent of the QDIPC’s general management team.
- General Management
The general management team handles the coordination and implementation of the activities that need to be carried out for an audit process. It serves as a liaison between the different parties involved.
- The Auditor
The responsibility of the independent auditor consists of qualifying the reliability of the data sent by a Participant as part of a specific compensation process. They must act methodically, rigorously and objectively.
- Audited Participants
All Participants must maintain adequate records of their data, ensure that errors are prevented and send the Pooling Manager complete and reliable data. They must be able to support the information provided to the Manager. Audited Participants must cooperate with the auditors. They must provide auditors, simply upon request and in a timely manner, any information, explanation and/or supporting document needed to implement the audit procedures.
How do you ensure the protection of confidential information?
The QDIPC has established numerous measures to protect the information exchanged during Participant audits, including:
Protection measures
- The auditor’s contractual commitment. The auditor is bound to the QDIPC through a confidentiality provision. They undertake to, among other things, use the confidential information only for the agreed upon purposes and to treat this privileged information with a level of security comparable to that provided by the QDIPC. The auditor provides a declaration of commitment from its main employees as well as an annual certification of compliance;
- Limits on collection of information. The auditor asks Participants only for the information required for the performance of their mandate. Exposure and claims files contain no names of employees or claimants. During the audit, certain pieces of confidential information may be required. In such cases, the auditor will stick to the minimum needed for the performance of their mandate. Participants may at any time use additional means of protection: passwords, secure sharing service or their own protected internal email system;
- Inclusion of confidentiality provisions in the Code of Ethics and Professional Conduct applicable to directors and employees of the QDIPC. These must sign a Declaration of Ethics and Professional Conduct every year;
- Non-nominal report. Except for the Audit Committee, information shared with members of other Committees including the Board of Directors is in the form of de-identified reports so that the Participant is never identified. The possible issues are discussed without identifying the Participant;
- Limited access to the nominal report. Only QDIPC employees, certain duly authorized representatives and certain directors without ties to the Industry have access to certain personalized data. Only consulting firms acting as independent external consultants as part of the process have access to the conclusions of the audit report. These firms are also bound by strict confidentiality provisions and must provide certificates of compliance at the end of the year.
How to prepare for an audit
The General Manager informs the Participants who will be undergoing an audit before the process begins. The initial communication will provide, in advance, a list of the work to do in preparation for the audit.
The auditor uses random sampling, which is guided by risks based on Participants’ declarations. Participants must therefore be ready to justify every piece of information contained in the files transmitted.
Among the questions asked, the auditor pays special attention to the reconciliation of data between current data and the files sent to the manager mentioned in the Appendix.
What are the steps involved in the Participant audit?
Every year, the Audit Committee establishes the list of Participants that will undergo an audit. To do so, the Audit Committee collects information from the following people or groups: the Pooling Process and Terms Committee, the Pooling Manager, consulting actuaries, the expert actuarial consultant, auditors and the general manager.
- Information gathering
Audits are conducted in accordance with audit standards generally accepted in Canada and applicable to this type of mandate.
As a rule, the auditors visit the premises of the audited Participants. The audits can also be conducted virtually. However, the QDIPC prefers that the data be collected in person.
The QDIPC considers that the cooperation between the auditor and the audited Participant is an essential factor in the success of its verification operations. These interactions allow a better mutual understanding of the challenges encountered: as much for the understanding of the rules by the audited as for insights into changing market practices by the QDIPC.
- Data analysis and verifications
The auditor must analyze the data obtained objectively and independently. The verifications mainly involve the following elements:
- Number of certificates subject to pooling
- Group eligibility
- Total value of claims reported
- Eligibility of claims (DIN paid for a Quebec resident who is part of a group subject to Pooling; the amount must be net of any discounts or rebates granted by pharmaceutical companies)
- Application of pooling thresholds
- Compliance with requirements to obtain prior approvals
- Groupings and divisions of groups
Generally speaking, the auditors review the procedures used in the company and compare the information in the files with the data reported in the compensation process.
If needed, the auditors may speak directly to the independent expert firms mandated by the QDIPC, either the consulting actuary, the actuarial consultant or the Pooling Manager.
In certain cases, the audit can lead to a resubmission of data. This new data must be sent directly to the compensation Manager. However, once the audit has begun, the audited Participant cannot submit new data without informing the auditor.
- Exit meeting with the audited Participant
Throughout the audit, the auditors mention their observations to the audited parties. In fact, it amounts to a continual improvement process. When the work is finished, the auditors hold a wrap-up meeting. They discuss their observations and the preliminary conclusions they have reached with the representatives of the audited party.
- Presentation of observations to the Audit Committee and production of a report
The audit reports objectively describe errors, weaknesses or discrepancies identified, as well as the auditor’s qualification of the reliability of the data provided by the Participant.
- Follow-up by the Audit Committee
The Audit Committee analyzes the reports received. If necessary, the Audit Committee may consider the impact of the errors and/or discrepancies detected on the compensation process and evaluate the necessity of carrying out further verifications or ask the audited party to resubmit certain data.
- End of the Audit
Once the audit is over, the QDIPC sends a closing letter to the audited party. This letter discusses the audit process, describes the auditors’ main observations and may ask the audited party to make changes in their practices.
At their discretion, the audited party has 30 days to answer the closing letter. QDIPC undertakes to respond to the audited party in a timely manner.
Should the disagreement continue after these letters, the audited party has 15 days from the date of receipt of the last letter from the general manager to request a meeting with the Audit Committee to assert their objection.
The audit timetable
The events in the timetable represent the usual audit process sequence. The audits take place under the supervision of the QDIPC. A delay in one step may result in delays later in the calendar of activities.
February 28th: Compensation Manager sends out the request for data as well as the compliance certificate to be completed.
March 31st: Deadline to submit information to the Manager.
April: The Manager conducts a macro-analysis of all data received. The Participant may be asked to answer questions.
Late April: The Audit Committee selects the Participants that will be audited.
May: The general manager informs the audited parties. The Pooling Manager sends the data received from the audited parties to the auditors.
Mid-May: The auditor communicates with the audited parties to plan the start of work. They send the preliminary list of documents to prepare and reconciliations to provide.
May-July: Audit of the selected Participants. Auditors visit the Participants involved and ask them to provide detailed information.
Throughout the audit process, if errors are detected, the audited parties may be asked to resubmit data.
If so, the new data is sent directly to the compensation Manager. The audited party must communicate with the auditor before resubmitting data to the Manager.
At the same time, the consulting actuary analyzes information received from the entire market. If it concerns an audited party, these verifications may lead to a discussion between the auditor and the consulting actuary.
Late July: The Audit Committee receives a verbal report from the auditors on the progress of their work.
August – September: Auditors work on the information received and write preliminary reports.
Late September: Presentation of the auditors’ preliminary report to the Audit Committee.
Due to unforeseen circumstances, Participant audits may delay the closing of the process under way.
October: Receipt of the auditors’ final report.
October 31st: Target date for data revisions after the audits have been carried out and errors detected.
November: After receiving confirmation from all parties involved, the Audit Committee confirms to the chair of the Process and Terms Committee that audits are completed to their satisfaction, paving the way for the closure of the entire Compensation Process.
What is the cost of an audit and what are the applicable penalties?
The QDIPC assumes the cost of regular audits – it is included in its regular operating budget. However, under its Pooling Participants Audit Policy, the QDIPC reserves the right to bill the audited party for extra expenses incurred when circumstances result in additional costs.
Conclusion
The QDIPC is committed to the principles of sound governance. In order to ensure the fairness of the pooling process and the uniform application of the rules for all Participants, the QDIPC has established certain measures, including an annual Pooling Participant Audit process.
This compliance audit process is independent, rigorous, methodical and objective. The audit gives the QDIPC and all Participants confidence in the level of reliability of the data used in the Process. The QDIPC also receives advice for improving the implementation of the rules in order to create a fair and just Pooling Process.
This way, the QDIPC fulfills its mandate and ensures the sound management of the Pooling system of risks underwritten by Quebec’s private drug insurance industry.
APPENDIX
Reconciliation of the number of contracts pooled for the year
| Participant | Number | Comments |
| --- | --- | --- |
| Contracts with health coverage as of December 31st. This must include all current Canadian contracts. | | Confirm the data source. Must include billed, self-billed and administrative service only (ASO) contracts. Do not include if a third-party payer reports this contract in their submittal to the QDIPC. |
| Plus: Contracts with health coverage that ended during the year | | Provide details |
| Minus: Contracts with 6,000 health certificates or more | | Provide details |
| Minus: Effect of groupings of several contracts under a single employer for compensation purposes | | Provide details |
| Minus: Contracts with fewer than 6,000 health certificates without Quebec participants | | Provide details |
| Plus: Effect of dividing multi-employer contracts for compensation purposes | | Provide details |
| Plus or minus: Other adjustments | | Justify any other adjustment |
| Equals: number of contracts that should have been submitted to the compensation process | – | |
| Contracts subject to the compensation process, in accordance with the compliance certificate submitted to the QDIPC (EXPO file) | – | If the number of contracts submitted is different from the total above, comment on the reasons for the difference. |
| Difference | 0 | |