Inspector General`s Report on SSA`s
Fiscal Year 1996 Financial Statements
A-13-96-51001
The Chief Financial Officers (CFO) Act of 1990, as
amended by the Government Management Reform Act (GMRA), requires
agencies to report annually to the Congress their financial status
and any other information needed to fairly present the agencies` financial
position and results of operations. To meet GMRA reporting requirements,
the Social Security Administration (SSA) prepares annual financial
statements which we audit.
The objectives of our audit were to express an opinion
on the fair presentation of SSA`s Fiscal Year (FY) 1996 principal
financial statements taken as a whole, test the Agency`s internal
control structure, and assess its compliance with applicable laws
and regulations that could have a material effect on its annual financial
statements. This report presents the results of our audit of SSA`s
financial statements, internal controls, and compliance with laws
and regulations.
As part of its FY 1996 audit efforts, the Office of
the Inspector General (OIG) reviewed SSA’s separation of duties
controls for the Modernized Supplemental Security Income Claims System
(MSSICS), the Modernized Claims System (MCS), and the Manual Adjustment
Credit and Award Data Entry (MACADE) system. These three systems
allow SSA workers to process Social Security and Supplemental Security
Income (SSI) benefit payments. Based on the collective results of
these reviews, we determined that SSA’s primary benefit payment
systems lack sufficient compensating controls to accommodate for
the lack of separation of duties in the above systems.
As in previous OIG reports, we continue to report the
following:
the SSA’s title XVI overpayment system
still contains systemic weaknesses which prevent its compliance
with Federal internal control standards;
the SSA is not complying with 20 Code of Federal
Regulations (CFR) §416.558(a) to provide title XVI recipients overpayment
notification; and
the SSA is not performing a sufficient number
of continuing disability reviews (CDR) as required by section 221(i)
of the Social Security Act.
OPINION ON FINANCIAL STATEMENTS
We have audited the accompanying combined statements
of financial position of SSA as of September 30, 1996 and 1995, and
the related combined statements of operations and changes in net
position, and cash flows for the FYs then ended. These statements
are the responsibility of SSA`s management. Our responsibility
is to express an opinion on these statements based on our audit.
We conducted our audit in accordance with generally
accepted government auditing standards and the Office of Management
and Budget (OMB) Bulletin 93-06, "Audit Requirements for Federal
Financial Statements." These standards require that we plan
and perform the audit to obtain reasonable assurance about whether
the financial statements are free of material misstatement. An audit
includes examining, on a test basis, evidence supporting the amounts
and disclosures in the financial statements. An audit also includes
assessing the accounting principles used and significant estimates
made by management, as well as evaluating the overall financial statement
presentation. We believe that our audit provides a reasonable basis
for our opinion.
In our opinion, the accompanying combined financial
statements present fairly, in all material respects, the financial
position of SSA at September 30, 1996 and 1995, and the results of
its operations, changes in net position, and cash flows for the FYs
then ended, in accordance with the accounting principles described
in Note 1 to the financial statements.
Our audit was conducted for the purpose of forming
an opinion on the financial statements described above. The presentation
of the financial statements includes an Overview of SSA and the Supplemental
Financial and Management Information, which are the responsibility
of SSA`s management. We have reviewed the Overview of SSA and
the Supplemental Financial and Management Information to determine
that they are not materially inconsistent with the information in
the combined financial statements. We also assessed the risk that
systems used to produce the performance measures in the Overview
did not report actual and complete information. However, such information,
including financial estimates, has not been subjected to the auditing
procedures applied in the audit of financial statements described
above and, accordingly, we express no opinion on the Overview of
SSA and the Supplemental Financial and Management Information.
In performing our tests of internal controls as part
of our FY 1996 financial statement audit, we identified two
weaknesses involving SSA`s internal control structure and operations
that we consider to be reportable conditions under standards established
by OMB Bulletin 93-06 and/or the Federal Managers` Financial
Integrity Act (FMFIA). We have summarized these conditions below.
We believe the two weaknesses are material under FMFIA criteria.
These weaknesses are not, however, material to the financial statements
taken as a whole.
Insufficient Separation of Duties or Compensating
Controls in On-line Systems
The SSA’s operating environment is highly automated.
Many of the Agency’s systems modernization efforts have resulted
in SSA processing claims and/or postentitlement actions on-line without
the traditional multiple levels of review. In essence, this reengineering
or streamlining of business processes has empowered SSA workers with
increased processing capabilities in order to meet the Agency`s
goal of providing world-class service. An inherent risk associated
with moving to an environment where employees have more on-line access
and processing power is that workers will perform incompatible functions
which would allow them to perpetrate and conceal errors or irregularities.
The General Accounting Office (GAO) provides that there
should be separation of duties between incompatible functions to
prevent an individual from introducing an error or irregularity into
the system and concealing it. The main purpose for separation of
duties is to reduce the risk of fraud and abuse. The extent to which
duties are segregated depends on the size of the organization and
the risk associated with its facilities and activities. Where separation
of duties is not operationally feasible, compensating controls need
to be implemented to safeguard operations. However, in an automated
environment, separation of duties cannot always be accomplished.
Other alternative controls can compensate for lack of separation
of duties, if they achieve the same goal.
The OIG’s FY 1996 audit coverage included audits
focusing on separation of duties controls for certain functions in
three of the on-line systems through which SSA employees can modify
a beneficiary’s or recipient’s record. Collectively, the
results of our audits indicate that there are insufficient separation
of duties or compensating controls to reduce, to an acceptable level,
the risk of undetected errors and/or irregularities in MSSICS, MCS,
and MACADE systems--the automated systems for processing Social Security
and SSI benefit payments.
We recognize that SSA is committed to use the latest
on-line technology, increase efficiency, ensure timely claims processing,
and use fewer people to perform more tasks. However, the desire to
obtain operational efficiency does not negate SSA’s responsibility
to design and maintain an internal control structure that provides
reasonable, but not absolute assurance that funds, property, and
other assets are safeguarded against waste, loss, and unauthorized
use or misappropriation. Therefore, where it is not operationally
feasible for SSA to implement separation of duties controls, the
Agency should implement compensating controls to minimize the risk
of undetected errors and/or irregularities.
Summaries of each of the audits are provided below.
The results of two of the audits will be issued shortly. The other
report was issued on September 23, 1996, but its distribution is
limited to authorized officials. We believe the recommendations contained
in each report will reduce SSA`s risk of fraud while allowing
SSA to achieve its operational and service delivery needs in an efficient
manner. Because there may be additional separation of duties concerns
in other SSA on-line systems, we plan to conduct additional audits,
such as our audit of the Critical Payment System.
MSSICS
The MSSICS is a complex automated system developed
to enhance the application process for SSI benefits. One objective
of our review of MSSICS focused on separation of duties controls
for the claims-taking process. The results of our review indicated
that SSA implemented several manual controls. However, these compensating
controls could not prevent or timely detect an SSA claims representative
from filing an application for a Social Security number (SSN) based
on fraudulent, questionable, or nonexistent documentation and subsequently
filing a claim for SSI benefits under that same SSN.
According to SSA security personnel, the Agency has
developed an enumeration edit check program to prevent the same person
from processing an SSN application and filing a claim for benefits.
This edit, however, has not yet been implemented.
MCS
The MCS is an automated system which allows a single
employee to process initial claims using a series of on-line screens.
The objective of our follow-up audit was to evaluate SSA`s progress
in implementing recommendations from a previous Department of Health
and Human Services/Office of Inspector General (HHS/OIG) report which
reviewed separation of duties controls in MCS. The SSA has partially
implemented the recommendations suggested in the previous HHS/OIG
report. However, weaknesses in SSA procedures remain because sufficient
controls do not exist through separation of duties or compensating
controls. As a result, SSA employees can add false claims to existing
accounts through improper use of existing, unknown/missing, or false
SSNs.
Moreover, improper use of SSNs is not likely to be
detected by SSA`s Title II Integrity Review. The review`s
scope does not adequately focus on potentially fraudulent situations,
emphasize verification of claims information to independent sources,
or otherwise provide summary management information.
MACADE
The MACADE is an on-line data entry input system designed
to enter transactions into the Manual Adjustment Credit and Award
Process (MADCAP) system. Prior to MACADE, transactions were originated
in paper form and batch processed. The MADCAP and MACADE are used
in program service centers (PSC) but not field offices. The objective
of our review of MACADE was to identify control weaknesses which
allow misappropriations to occur and remain undetected. The results
of our audit efforts at the Northeastern Program Service Center (NEPSC)
indicated control weaknesses within MACADE which allow PSC workers
to enter and conceal erroneous data. Specifically, a benefit authorizer
at NEPSC was able to execute multiple actions in MACADE/MADCAP to
generate payments of approximately $332,000 into various bank accounts
controlled by himself and his accomplices between April 1994 and
March 1995.
In a May 15, 1995 memorandum, we alerted SSA of the
need to implement control procedures to prevent the recurrence of
this type of fraudulent activity. The SSA responded with both interim
and long-term solutions which we support. However, in our September
23, 1996 report on MACADE, we recommended additional system modifications
to further strengthen internal controls to deter and prevent fraud.
The nature of the additional recommended corrective actions is sensitive
and confidential. For security reasons, specific details describing
how the fraud was perpetrated and the recommended preventive measures
are not provided. In general, SSA agreed with the recommendations.
Summary
The pervasive occurrence of the lack of separation
of duties and/or compensating controls where employees can enter
and conceal errors or irregularities in SSA’s on-line systems
leads us to believe that this condition is reportable as a material
weakness under FMFIA reporting criteria. Under FMFIA, a material
weakness is a deficiency that the agency head determines to be significant
enough to be reported outside of the agency. As provided in OMB Circular
A-123, it is management`s prerogative to report management control
deficiencies based on the citation`s use of the term "material
weakness."
In each of the above reports, we have recommended or
plan to recommend actions to strengthen SSA`s separation of duties
controls and/or to implement compensating controls. We make no additional
recommendations on resolving separation of duties issues in this
report, but affirm our support of the recommendations we are making
in the other reports. Also, the conditions described above may not
be limited to MSSICS, MCS, and MACADE, since many of SSA`s benefit
payment programs are on-line.
1. report this condition as a material weakness under
FMFIA.
SSA Comments and OIG Response
In its written response to our draft report (see
APPENDIX), SSA disagreed with our identification of the separation
of duties issue as a material weakness. The SSA comments cited
that while millions of transactions were processed by the 3 identified
systems, only 23 of the 65,000 SSA employees were referred to OIG
for investigation of fraud. The SSA also identified controls it
felt compensated for the lack of separation of duties--the Audit
Trail System (ATS), periodic reviews by the regional security staffs,
and publicizing the detection and prosecution of fraud cases.
We agree that there have not been a large number
of employee cases referred to OIG for fraud investigation. However,
the number of referred cases represents only the detected cases.
We believe the actual incidence of fraud within SSA is higher than
the detected cases. Also, our determination that the lack of separation
of duties was a material weakness under FMFIA was based on the
risk of loss--not the actual known losses. We believe it is in
the best interest of SSA to implement preventive measures now rather
than to risk accumulating actual losses before enacting necessary
controls.
We also disagree with SSA`s assessment of the
compensating controls it cited. The ATS neither prevents nor detects
fraud, but rather allows investigators to determine the extent
of the fraud by permitting the identification of the transactions
processed by an individual after the fraud is uncovered. The reviews
conducted by the regional security staffs were not designed to
detect employee fraud nor were they sufficiently routine to act
as an effective deterrent. Lastly, the publicizing of fraud cases
which have been detected and prosecuted, in our opinion, has only
minimal effect as a deterrent.
Accounts Receivable
As previously reported, SSA has reported its Debt Management
System (DMS) as a material weakness under FMFIA reporting criteria
since FY 1991. The SSA disclosed that the underlying systems which
generate accounts receivable did not permit the Agency to identify
how much is owed or how much has been collected. Since the initial
reporting, SSA has undertaken an extensive project to reengineer
and modernize its DMS. In its debt management transition plans, SSA
identified eight corrective measures for the title II system and
five for the title XVI system. Each of the planned corrective actions
required numerous systems revisions and upgrades.
As part of our review of SSA’s status of correcting
this material weakness, we reviewed the Agency’s title II transition
plan and systems validation documentation to determine what corrective
measures were planned for FY 1996 and what measures were placed
in operation. Our inquiries indicated that by the end of September 1996,
SSA had implemented three additional systems corrections that allowed
the overpayment systems to:
store actual monthly withholding amounts;
capture source document, indebtedness, and
cash collection details; and
ensure data elements are consistent with accounting
guidelines.
The remaining corrective measures are aging of debt
and month-to-month accounting--the ability to identify the accounting
month to which a particular overpayment amount relates. The SSA developed
software for aging debt and anticipates producing the first aging
report in December 1996. The SSA does not anticipate providing month-to-month
accounting until the Year 2000 because of the high degree of dependence
on other SSA initiatives to modernize its title II programmatic systems.
As a result of the three 1996 enhancements and SSA’s
prior implementation of three additional corrective measures, SSA
management believes it has sufficiently corrected the title II overpayment
system’s material weakness. Although SSA contends that it has
made systems enhancements to address most of the internal control
deficiencies in the title II system, the timing of the systems enhancements
did not provide us sufficient time to test the effectiveness of these
controls. Accordingly, we can neither concur nor take exception with
SSA’s determination.
The title XVI overpayment system, however, remains
a material weakness under FMFIA because it cannot generate reliable
accounts receivable data. Most of SSA’s corrective action has
focused on the title II system with little attention being given
to the title XVI systems. The five corrective measures for the title
XVI system remain unaddressed and many of the planned enhancements
remain unscheduled.
In the past, we recommended that SSA continue to address
systems deficiencies and accounting issues in the implementation
of both the title II and title XVI DMS. Accordingly, we make
no recommendations regarding the title II system, but reaffirm our
prior recommendations regarding the title XVI system.
SSA Comments
The SSA generally concurred with our finding.
Other Matters
Under OMB Bulletin 93-06, we are not responsible for
auditing the information presented in the Overview and Supplemental
Information sections of the Accountability Report. Our responsibilities
are limited to assessing the risk that systems used to produce performance
measures in the Overview did not report actual and complete information.
A recent SSA report entitled, "The Report of the Management
Information Partnership Team," indicated that some of the data
on which performance measures are based may have been inappropriately
manipulated in SSA field offices to indicate better operating efficiency
than actually occurred. The report listed 57 allegations of
inappropriate practices designed to distort management information.
We believe these allegations raise doubt about the accuracy of certain
performance measures. The affected performance measures are limited
to those measures reported under (1) SSA`s goal to provide world-class
public service in the Overview and (2) the Supplemental Financial
and Management Information.
The SSA`s management believes that the allegations
do not materially affect the accuracy of the performance measures
at the national level. We were informed by SSA management that they
had performed an analysis of the five most prevalent allegations
to support this conclusion. The SSA, however, was unable to provide
us with the analysis.
The report contained a number of recommendations to
address the inappropriate practices identified in the study. The
SSA is currently studying the report and is developing a number of
workgroups to address the identified inappropriate practices. The
SSA`s management has not, as yet, formally responded to the report
issued in June 1996.
We have not determined the validity of the report`s
allegations or the extent of the effect the inappropriate practices
may have on SSA`s performance measures. We plan to perform audit
work in this area in FY 1997.
Our review found that SSA had complied with the terms
and provisions of relevant laws and regulations for the tested transactions
that could materially affect SSA`s principal financial statements.
We noted the following nonmaterial but reportable matters.
Noncompliance with Legal Requirements to Notify
Beneficiaries of Due Process Rights
Our FY 1995 Management Letter detailed SSA’s noncompliance
with legal requirements (20 CFR §416.558(a)) to notify certain title
XVI recipients of new overpayments and collection decisions when
there is an existing overpayment in collection status on their records.
The SSA estimated there were as many as 3 million instances
of voided overpayment collection transactions where recipients had
not been notified of approximately $345 million of overpayments
posted to their records since 1983.
We previously recommended that SSA modify its system
to properly generate notices, and that SSA implement a manual control
to properly notify SSI recipients of such decisions. The SSA has
implemented a programmatic change to eliminate the voiding problem
and prevent future incidents of recipients not receiving the requisite
overpayment notification. Notwithstanding these corrective measures,
we have identified no SSA efforts to contact those title XVI recipients
already affected by voiding. We do not believe that successfully
modifying the title XVI systems to notify future recipients eliminates
SSA’s obligation to inform title XVI recipients who did not
previously receive proper notification.
Recommendation
We recommend that SSA:
2. in consultation with the Office of the General
Counsel, take such action as is necessary to rectify its continuing
noncompliance with laws and regulations in this regard.
SSA Comments and OIG Response
In its response, SSA stated it believes the implementation
of the systems changes eliminates its continuing noncompliance
problem. However, SSA agreed to investigate relevant statutory
requirements and pursue notification accordingly for the previously
affected SSI population.
We continue to believe that a noncompliance exists
for the previously affected SSI population.
Continuing Disability Reviews
As previously reported, SSA still does not fully comply
with section 221(i) of the Social Security Act, which requires
that SSA perform periodic reviews to determine beneficiaries` continued
eligibility for title II disability benefits. These reviews were
traditionally accomplished by referring nearly all disabled beneficiaries
to State disability determination services (DDS). The DDSs conduct
medical CDRs to reexamine the medical conditions of disabled beneficiaries
and determine their continued eligibility. However, resource limitations
and increased workloads in claims processing resulted in a substantial
backlog of CDRs not yet performed.
To address the backlog problem, SSA began using a mailer
process which profiles beneficiaries as to the likelihood of their
medical improvement and refers those most likely to improve to a
State DDS for a medical CDR. We believe SSA is taking the right approach
in addressing the title II backlog.
In the past, we expressed concern about requirements
extending SSA`s CDR responsibility to cover title XVI recipients.
Section 208(a) of the Social Security Independence and Program Improvements
Act of 1994 requires CDRs for at least 100,000 title XVI cases
annually from FY 1996 to FY 1998. Because of the extensive backlog
that existed prior to SSA’s responsibility for title XVI CDRs,
we were concerned that the additional mandate would further exacerbate
the backlog. As such, we recommended that SSA obtain additional funding
to perform CDRs.
Upon SSA’s request for funding to limit growth
of the CDR backlog, the Congress approved legislation (Public Law
(P.L.) 104-121) that allows an increase in discretionary spending
caps for FYs 1996 through 2002 to fund the cost of processing additional
CDRs. The Congress added $60 million and $160 million to the base
amount of $200 million for FYs 1996 and 1997, respectively.
In our assessment of SSA`s compliance with the
Social Security Act and the Social Security Independence and Program
Improvements Act of 1994, we reviewed SSA`s status in reducing
its backlog of title II cases and the Agency`s compliance with
title XVI CDR requirements. In FY 1996, SSA performed 355,000
title II CDRs (an increase of 151,000 from the FY 1995 figure of
204,000). The number of title XVI CDRs performed in FY 1996
was 163,000. Despite the increase in the number of CDRs performed
by SSA, a substantial backlog of approximately 1.8 million title
II CDRs remains. According to SSA, it is unlikely that the Agency
will perform 400,000 of the 1.8 million backlogged CDRs because it
would not be cost-effective. In regard to title XVI CDRs, SSA met
and exceeded the 100,000 CDRs required by P.L. 103-296. Therefore,
the only noncompliance issue with CDR requirements is for title II
disability cases.
As in prior audit reports, we reaffirm our support
of SSA’s continued use of the CDR mailer process which aids
in the identification of individuals due a CDR, and our suggestion
to expand the mailer process to include all beneficiaries overdue
a CDR. We make no additional recommendations in this report, but
continue to support our previous recommendations.
Pursuant to the reporting guidance developed by the
President`s Council on Integrity and Efficiency and the American
Institute of Certified Public Accountants, the following is a discussion
of the responsibilities of both management and auditor under the
CFO Act as amended.
The SSA`s management is responsible for designing
and maintaining an internal control structure that provides reasonable,
but not absolute, assurance that the following objectives are met:
obligations and costs are in compliance with
applicable laws and regulations;
funds, property, and other assets are safeguarded
against waste, loss, and unauthorized use or misappropriation;
assets, liabilities, revenues, and expenditures
applicable to Agency operations are properly recorded in order
to maintain accountability and to permit the preparation of reliable
financial and statistical reports; and
data that support related performance measures
are properly recorded and accounted for to permit preparation of
reliable and complete performance information.
AUDITOR`S RESPONSIBILITIES AND METHODOLOGIES
Our responsibilities are to:
express an opinion as to the fair presentation
of SSA`s principal financial statements;
report the results of our review of SSA`s
internal control structure, and the extent to which its weaknesses
may materially affect the financial statements taken as a whole;
report the results of our related tests of
SSA`s compliance with applicable laws and regulations that
could materially affect the principal financial statements; and
obtain an understanding of SSA`s internal
control structure related to performance measurement data, assess
related risks, but not test the underlying data, and report significant
internal control weaknesses.
We performed tests of applicable internal controls
and compliance with laws and regulations to determine the extent
of our auditing procedures necessary for expressing an opinion on
SSA`s principal financial statements, and to report our findings
resulting from our controls and compliance testing and not to express,
and we do not express, separate opinions about the adequacy of the
internal control structure or compliance with laws and regulations.
Our work was performed from March 1996 to November 1996 in accordance
with generally accepted government auditing standards and OMB Bulletin
93-06, "Audit Requirements for Federal Financial Statements."
Because of inherent limitations in any internal control
structure, losses, noncompliance, or misstatements may, nevertheless,
occur and not be detected. Also, projection of any evaluation of
the internal control structure to future periods is subject to the
risk that controls may become inadequate because of changes in conditions
or that the degree of compliance with controls may deteriorate. Our
consideration of the internal control structure would not necessarily
identify all matters in the internal control structure that might
be considered a reportable condition.
To fulfill these responsibilities, we:
reviewed the appropriate GAO, SSA, OIG, and
other reports relative to the scope of our financial statement
audit;
reviewed financial management systems reports
prepared by independent auditors for SSA`s reporting requirements
under FMFIA;
classified significant internal control policies
and procedures into six categories corresponding to SSA`s accounting
systems:
Accounts Receivable;
Investment Activities;
Land, Building, and Equipment;
Revenues (Financing);
Benefit Payments; and
Expenses;
obtained an understanding of the design of
relevant policies and procedures and whether they had been placed
in operation;
assessed control risk;
erformed control tests on each of the categories
listed above on a selected basis;
tested compliance with selected provisions
of the following laws and regulations which may materially affect
the financial statements or are specified in OMB Bulletin 93-06:
the CFO Act of 1990, as amended by GMRA;
Computer Security Act of 1987;
the FMFIA;
the OMB Bulletin 94-01;
Social Security Act, as amended; and
Public Laws 93-66, 94-241, 99-643, 103-296 and
104-134; and
reviewed internal controls pertaining to the
existence and completeness assertions for systems producing performance
measures in the Overview of SSA.
David C. Williams
Inspector General
Social Security Administration
November 22, 1996
From: Shirley S. Chater
Commissioner of Social Security
Subject: Office of Inspector General Draft Report, "Inspector
General`s Report on the Social Security Administration`s
Financial Statements" (A-13-96-51001)--INFORMATION
Attached are our comments on the subject report.
Attachment:SSA Response
COMMENTS ON THE OFFICE OF INSPECTOR GENERAL DRAFT
REPORT, "INSPECTOR GENERAL`S REPORT ON THE SOCIAL SECURITY
ADMINISTRATION`S FINANCIAL STATEMENTS" (A-13-96-51001)
We appreciate the efforts of the Office of Inspector
General (OIG) to review the Social Security Administration`s
(SSA) financial statements for fiscal year (FY) 1996. Our comments
on the respective report sections are included below.
Report on Internal Controls
Separation of Duties or Compensating Controls in
On-line Systems
We agree that it is important to take all reasonable
measures to prevent the occurrence of fraud with regard to the programs
administered by SSA. The agency has zero tolerance regarding employee
fraud, and has, and continues to take, proactive steps to prevent
employee fraud and misconduct. We recognize that the internal controls
for our operational systems can always be improved, and we are working
to make significant improvements to the controls in our systems.
We are concerned about any suggestion of reporting
the internal control matters presented in this report section as
a material weakness. We do not believe the facts presented in this
report, or the three prior reports discussed, support such a recommendation.
The three systems discussed in the report processed over 10 million
transactions in FY 1996. Over 99.9 percent of those transactions
were processed without any security violations. Approximately 7.2
million initial claims were processed through these systems in FY
1995, and of those, only 410 cases of fraud were found. This represents
less than six thousandths of one percent. With respect to employee
fraud, in FY 1996 SSA employed about 65,000 employees, however, only
23 cases of employee fraud were referred to OIG for investigation.
This represents less than four one-hundredths of one percent of SSA`s
employees. These figures clearly demonstrate that our internal controls
are reasonable.
About compensating controls, we agree that in today`s
automated environment, such controls are necessary to reduce the
risk of fraud. Each of the systems mentioned in this report writes
records to our Audit Trail System (ATS). As a result, SSA employees
know that actions taken through these systems are attributed to them.
We believe this ATS process constitutes a significant compensating
control.
We also believe effective compensating controls must
include controls outside the automated environment. Our regional
security staffs conduct periodic reviews of SSA offices, during which
staff data entries are checked for accuracy and appropriateness.
This manual control has a deterrent effect. We have also implemented
several initiatives that help to deter fraud as part of our tactical
plan item, Combating Fraud. These initiatives include increased communication
that fraud is being detected, perpetrators are being successfully
prosecuted, and resources dedicated to combat fraud, including the
provision for additional OIG investigative staff, are being increased.
Such compensating controls, including an active, dedicated OIG investigative
presence, may constitute a greater fraud deterrence than available
automated controls.
Other Matters Relating to Separation of Duties and
Compensating Controls In On-line Systems
The report refers to an enumeration edit check program
to prevent an SSA employee from processing a fraudulent application
for a Social Security Number (SSN), and then processing a fraudulent
supplemental security income (SSI) claim under the fraudulent SSN.
Such an edit program has not been planned for the enumeration system.
Instead, the needed fraud deterrence and identification will be built
into the Comprehensive Integrity Review Process, which will compare
audit trails from the enumeration and SSI claims systems for certain
cases.
OIG Note
Material was deleted from SSA`s comments relating
to a recommendation in the draft report that was changed in the
final report.
Accounts Receivable
As indicated in the OIG report, actions are underway
at SSA to enhance the ability of the Debt Management System to generate
reliable accounts receivable data for both Title II and Title XVI.
OIG does not offer any new recommendations in this area. The report
does note additional Title II debt system corrective measures recently
implemented by SSA. We also continue to implement accounting improvements
to the Title XVI debt management systems, and have formed an intercomponent
team to resolve all remaining Title XVI debt management weaknesses.
Report on Compliance With Laws and Regulations
Legal Requirements to Notify Beneficiaries of Due
Process Rights
OIG Recommendation
We recommend that SSA, in consultation with the Office
of the General Counsel, take such action as is necessary to rectify
its continuing noncompliance with laws and regulations in this regard.
SSA Comment
As noted in the OIG report, we recently implemented
a systems change to eliminate the continuance of the noncompliance
problem and assure proper overpayment notification in the future.
We, therefore, are not in continuing noncompliance with the applicable
laws and regulations. With regard to notification of those members
of the previously affected Title XVI population, we plan to investigate
the relevant statutory requirements relating to due process rights
notification, and the options available to the Agency to appropriately
notify these individuals.
OIG Note
Material was deleted from SSA`s comments relating
to information in the draft report which was changed in the final
report.
Continuing Disability Reviews (CDR)
OIG indicates that SSA`s CDR mailer process is
the right approach for addressing CDR case backlogs. OIG does not
offer any new recommendations, and we have no additional comments
on processing of the backlogs.
www.socialsecurity.gov
