Date: November 30, 2005
To: The Commissioner
From: Inspector General
Subject: Top Issues Facing Social Security Administration Management-Fiscal Year 2006

The Reports Consolidation Act of 2000 requires that we summarize for inclusion in the Social Security Administration's (SSA) Performance and Accountability Report, our perspective on the most serious management and performance challenges facing SSA. We have determined that the top management issues facing SSA in Fiscal Year 2006 are: Social Security Number Protection, Management of the Disability Process, Improper Payments and Recovery of Overpayments, Internal Control Environment and Performance Measures, Systems Security and Critical Infrastructure Protection, and Service Delivery and Electronic Government.

These areas are dynamic, so we encourage continuous feedback and additional areas to evaluate. Our summary of SSA's progress in addressing these management issues will be included in the Fiscal Year 2006 Performance and Accountability Report.
If you have any questions or need additional information, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

The Reports Consolidation Act of 20001 requires that we summarize, for inclusion in the Social Security Administration's (SSA) Performance and Accountability Report, our perspective on the most serious management and performance challenges facing SSA. Since 1997, we have provided our perspective on these management challenges to Congress, SSA and other key decisionmakers. In developing this year's list, we considered

the four initiatives the Commissioner has identified as priorities: Service, Stewardship, Solvency, and Staff;
the most significant issues as outlined in the President's Management Agenda (PMA);
SSA's progress in responding to the Office of Management and Budget's (OMB) Scorecard;
the Inspector General's Strategic Plan;
the high-risk list prepared by the Government Accountability Office (GAO); and
our body of audit and investigative work.

Finally, we prepared a crosswalk to ensure there was no disconnect or gap among those reviewing SSA's programs and operations.

In FY 2004, SSA issued over 17.8 million original and replacement Social Security number (SSN) cards, and SSA received approximately $545 billion in employment taxes related to earnings under assigned SSNs. Protecting the SSN and properly posting the earnings reported under SSNs are critical to ensure individuals entitled to benefits receive the full benefits due them.

Efforts to Protect the SSN
The SSN has become a key to social, legal, and financial assimilation in this country. Because the SSN is so heavily relied on as an identifier, it is also valuable as an illegal commodity. Criminals improperly obtain SSNs by (1) presenting false documentation; (2) stealing another person's SSN; (3) purchasing an SSN; (4) using the SSN of a deceased individual; or (5) contriving an SSN by selecting any nine digits.

SSA has taken steps to improve controls in its enumeration process. SSA verifies all immigration documents before assigning SSNs to noncitizens. Additionally, SSA requires (1) mandatory interviews for all applicants for original SSNs who are age 12 or older (lowered from age 18) and (2) evidence of identity for all children, regardless of age. In addition, SSA has established Enumeration Centers in Brooklyn, New York, and Las Vegas, Nevada, that focus exclusively on assigning SSNs and issuing SSN cards. Also, in FY 2005, SSA implemented new systems enhancements that simplified the interpretation of, and compliance with, SSA's complex enumeration policies. Furthermore, the Agency enhanced its Modernized Enumeration System to interrupt the issuance of SSN cards when a parent claims to have an improbably large number of children and add an alert to an individual's record when the SSN has been used to establish a fictitious identity.

In addition to these improvements, SSA is planning to implement several other enhancements that will better ensure SSN protection. These endeavors were required by the Intelligence Reform and Terrorism Prevention Act of 2004. The plans include the following:

Restricting the issuance of multiple replacement SSN cards to 3 per year and 10 in a lifetime.

Requiring independent verification of any birth record submitted by an individual to establish eligibility for an SSN, other than for purposes of enumeration at birth.

Coordinating with the Department of Homeland Security (DHS) and other agencies to further improve the security of Social Security cards and numbers.

Working with the Department of Health and Human Services to promulgate standards to increase the integrity and consistency of birth certificates.

We applaud the Agency for these efforts and believe, over the past several years, SSA has made significant strides in providing greater protection for the SSN. Nevertheless, throughout society, incidences of SSN misuse continue to rise. Accordingly, to further protect SSN integrity, we believe SSA should:

Encourage public and private entities to limit use of the SSN as an individual identifier.

Continue to address identified weaknesses in its information security environment to better safeguard SSNs.

Continue to coordinate with partner agencies to pursue any data sharing agreements that would increase data integrity.

The SSN and Reported Earnings
Properly posting earnings ensures eligible individuals receive the full retirement, survivor and/or disability benefits due them. If earnings information is reported incorrectly or not reported at all, SSA cannot ensure all individuals entitled to benefits are receiving the correct payment amounts. In addition, SSA's programs depend on earnings information to determine whether an individual is eligible for benefits and to calculate the amount of benefit payments.

SSA spends scarce resources correcting earnings data when incorrect information is reported. The Earnings Suspense File (ESF) is the Agency's record of annual wage reports for which wage earners' names and SSNs fail to match SSA's records. As of October 2004, SSA had posted approximately 9 million wage items to its ESF for Tax Year 2002, representing about $56 billion in wages. This was before some planned edits, which may have further reduced this number.

While SSA has limited control over the factors that cause the volume of erroneous wage reports submitted each year, there are still areas where the Agency can improve its processes. SSA can improve wage reporting by educating employers on reporting criteria, identifying and resolving employer reporting problems, and encouraging greater use of the Agency's SSN verification programs. SSA also needs to coordinate with other Federal agencies with separate, yet related, mandates. For example, the Agency now collaborates with the Internal Revenue Service (IRS) to achieve more accurate wage reporting.

SSA has taken steps to reduce the size and growth of the ESF. For example, in June 2005, SSA expanded its voluntary Social Security Number Verification Service (SSNVS) to all interested employers nationwide. SSNVS allows employers to verify the names and SSNs of employees before reporting their wages to SSA. SSA also participates in a joint program with DHS, called the Basic Pilot, which verifies the names and SSNs of employees as well as their citizenship and authorization to work in the U.S. economy. In December 2004, the Basic Pilot program was made available to employers nationwide.

The Agency is also modifying the information it shares with employers. Under the Intelligence Reform and Terrorism Prevention Act of 2004, SSA is required to add both death and fraud indicators to the SSN verification systems for employers, State agencies issuing drivers' licenses and identity cards, and other verification routines, as determined appropriate by the Commissioner of Social Security.

The SSN and Unauthorized Work
SSA assigns nonwork SSNs to noncitizens who are (1) in the United States but are not authorized to work and (2) are applying for, or are recipients of, a federally financed benefit that requires an SSN. Recently, SSA strictly limited the assignment of such numbers. Furthermore, SSA tracks earnings reported under a nonwork SSN and reports this information to DHS. Nonetheless, our audits have noted several issues related to nonwork SSNs, including (1) the type of evidence provided to obtain a nonwork SSN, (2) the reliability of nonwork SSN information in SSA's records, (3) the significant volume of wages reported under nonwork SSNs, and (4) the payment of benefits to noncitizens who qualified for their benefits while working in the country without proper authorization.

In March 2004, Congress placed new restrictions on the receipt of SSA benefits by noncitizens who are not authorized to work in the United States. Under the Social Security Protection Act of 2004, if a noncitizen worker was first assigned an SSN on or after January 1, 2004, Title II benefits are precluded based on his/her earnings unless the noncitizen was ever

assigned an SSN for work purposes or

admitted to the United States as a visitor for business (B-1) or as an allied crewman (D-1/D-2).

SSA's implementation of this new law will require increased coordination with DHS to ensure SSA has the correct work status information in its records.

SSA administers the Disability Insurance (DI) and Supplemental Security Income (SSI) programs, which provide benefits based on disability. Most disability claims are initially processed through a network of Social Security field offices (FO) and State Disability Determination Services (DDS). SSA representatives in the FOs are responsible for obtaining applications for disability benefits, disability report forms and authorization for disclosure of information forms as well as verifying non-medical eligibility requirements, which may include age, employment, marital status, or Social Security coverage information. After initial processing, the FO sends the case to a DDS to develop medical evidence and evaluate the disability.

Once SSA establishes an individual is eligible for disability benefits under either the DI or SSI program, the Agency turns its efforts toward ensuring the individual continues to receive benefits only as long as SSA's eligibility criteria are met. For example, a continuing disability review (CDR) may show the individual no longer meets SSA's disability criteria or has demonstrated medical improvement.

If an individual disagrees with the Agency's decision on his or her claim or CDR, the claimant can appeal to SSA's Office of Hearings and Appeals (OHA). OHA's field structure consists of 10 regional offices and 140 hearing offices. OHA's administrative law judges (ALJ) hold hearings and issue decisions. In FY 2004, hearing offices processed 497,379 cases. OHA's average processing time has increased significantly from 308 days in FY 2001 to 391 days in FY 2004. Further, the pending workload was 635,601 cases on September 30, 2004, whereas it was 392,387 cases on September 30, 2001. We have focused our attention on weaknesses within OHA-such as the backlog of cases, safeguards for sensitive information in case files, and shredding documents.

GAO added modernizing Federal disability programs-including SSA's-to its 2003 high-risk list due, in part, to outmoded concepts of disability, lengthy processing times, and decisional inconsistencies. To address improvements needed in SSA's disability programs, the Commissioner of Social Security presented to Congress, on September 25, 2003, her proposed plan for the disability determination process. On July 26, 2005, the Commissioner announced proposed regulations in the Federal Register, which outlines her plan. The proposed regulations would:

establish a Quick Disability Determination process through which State agencies will expedite initial determinations for claimants who are clearly disabled;

create a Federal Expert Unit to augment and strengthen medical and vocational expertise for disability adjudicators at all levels of the disability determination process;

eliminate the State agency reconsideration step and terminate the disability prototype that SSA is conducting in 10 States;

establish Federal reviewing officials to review State agency initial determinations upon the claimants' request;

preserve the claimants' right to request and be provided a de novo hearing, which will be conducted by an ALJ;

close the record after the ALJ issues a decision, but allow for the consideration of new and material evidence under certain circumstances;

gradually shift certain Appeals Council functions to a newly established Decision Review Board; and

strengthen in-line and end-of-line quality review mechanisms at the State agency, reviewing official, hearing, and Decision Review Board levels of the disability determination process.

In addition to the Commissioner's proposed improvements to the disability process, the Agency is transitioning to the electronic disability folder. The electronic disability folder will allow for disability claims information to be stored and transmitted electronically between FOs, DDSs, and OHA.

SSA is working to ensure that individuals with disabilities who want to work have the opportunity to do so. The Comprehensive Work Opportunity Initiative represents the Agency's overarching strategy to assist individuals with disabilities in attaining economic self-sufficiency and breaking through potential barriers to employment. The Ticket to Work program, which provides beneficiaries with disabilities expanded options for access to employment, vocational rehabilitation, and other support services to help them work, is one element of SSA's Comprehensive Work Opportunity Initiative.

Disability Fraud
Fraud is an inherent risk in SSA's disability programs. Some unscrupulous people view SSA's disability benefits as money waiting to be taken. A key risk factor in the disability program is individuals who feign or exaggerate symptoms to become eligible for disability benefits. Another key risk factor is the monitoring of medical improvements for disabled individuals to ensure those individuals who are no longer disabled are removed from the disability rolls.

We are working with SSA to address the integrity of the disability programs through the Cooperative Disability Investigation (CDI) program. The CDI program's mission is to obtain evidence that can resolve questions of fraud in SSA's disability programs. The CDI program is managed in a cooperative effort between SSA's Office of Operations, the OIG, and the Office of Disability Programs. There are 19 CDI units operating in 17 States. During FY 2004, the CDI units saved SSA almost $133 million by identifying fraud and abuse related to initial and continuing claims in the disability program.

Improper payments are defined as any payment that should not have been made or that was in an incorrect amount. Examples of improper payments include inadvertent errors, payments for unsupported or inadequately supported claims, or payments to ineligible beneficiaries. Furthermore, the risk of improper payments increases in programs with a significant volume of transactions, complex criteria for computing payments, and an overemphasis on expediting payments.

SSA and the OIG have discussed such issues as detected versus undetected improper payments and avoidable versus unavoidable overpayments that are outside the Agency's control and a cost of doing business. OMB issued specific guidance to SSA to only include avoidable overpayments in its improper payment estimate because those payments can be reduced through changes in administrative actions. Unavoidable overpayments that result from legal or policy requirements are not to be included in SSA's improper payment estimate.

The President and Congress have expressed interest in measuring the universe of improper payments in the Government. In August 2001, OMB published the PMA, which included a Government-wide initiative for improving financial performance, including reducing improper payments. In November 2002, the Improper Payments Information Act of 2002 was enacted, and OMB issued guidance in May 2003 on implementing this law. Under the Social Security Act, SSA must estimate its annual amount of improper payments and report this information in the Agency's annual Performance and Accountability Report. OMB will then work with SSA to establish goals for reducing improper payments in its programs.

SSA issues billions of dollars in benefit payments under the Old-Age, Survivors and Disability Insurance (OASDI) and SSI programs-and some improper payments are unavoidable. In FY 2004, SSA issued about $522 billion in benefit payments to about 52 million people. Since SSA is responsible for issuing timely benefit payments for complex entitlement programs to millions of people, even the slightest error in the overall process can result in millions of dollars in over- or underpayments. In FY 2005 (through June), SSA reported that it detected over $3 billion in overpayments. SSA also noted in its Performance and Accountability report for FY 2004 that the Agency recovered almost $2 billion in overpayments.

In January 2005, OMB issued a report Improving the Accuracy and Integrity of Federal Payments that noted that seven Federal programs-including SSA's OASDI and SSI programs-accounted for approximately 95 percent of the improper payments in FY 2004. However, this report also noted that SSA had reduced the amount of SSI improper payments by over $100 million since levels reported in FY 2003.

SSA has been working to improve its ability to prevent over- and underpayments by obtaining beneficiary information from independent sources sooner and using technology more effectively. For example, the Agency is continuing its efforts to prevent improper payments after a beneficiary dies through the use of Electronic Death Registration information. Also, the Agency's CDR process is in place to identify and prevent beneficiaries who are no longer disabled from receiving payments. Additionally, in FY 2005, SSA implemented eWork-a new automated system to control and process work related CDRs-which should strengthen SSA's ability to identify and prevent improper payments to disabled beneficiaries.

SSA is also taking action to prevent and recover improper payments.

Working with us in FY 2005 on an OIG audit of Individuals Receiving Benefits Under Multiple Social Security Numbers at the Same Address, SSA identified about $9.2 million in overpayments.

In another FY 2005 review-School Attendance by Student Beneficiaries over Age 18-we estimated that SSA disbursed about $70 million in incorrect payments to 32,839 students. SSA agreed with our recommendation to ensure the overpayments are established and collection activities initiated for the incorrect payments identified in this audit.

We have helped the Agency reduce improper payments to prisoners and improper SSI payments to fugitive felons. However, our work has shown that improper payments-such as those related to workers' compensation (WC)-continue to occur. Additionally, with the passage of the Social Security Protection Act of 2004, SSA has new opportunities and faces new challenges in preventing and recovering improper payments-such as OASDI benefits to fugitives.

Internal control comprises the plans, methods, and procedures used to meet missions, goals, and objectives. Internal controls help safeguard assets and prevent and detect errors and fraud. Assessing the internal control environment is important since internal control is a critical part of performance-based management. SSA's internal control environment helps its managers achieve desired results through effective stewardship of public resources.

SSA is responsible for implementing policies for the development of claims under the DI and SSI programs. Disability determinations under DI and SSI are performed by DDSs in each State in accordance with Federal regulations. Each DDS is responsible for determining claimants' disabilities and ensuring adequate evidence is available to support its determinations. Each DDS is authorized to purchase medical examinations, x-rays, and laboratory tests on a consultative basis to supplement evidence obtained from the claimants' physicians or other treating sources. There are 52 DDSs: 1 in each of the 50 States, the District of Columbia, and Puerto Rico. SSA reimburses the DDS for 100 percent of allowable expenditures up to its approved funding authorization. In FY 2005, SSA allocated over $1.7 billion to fund DDS operations.

During FY 2000 through July 2005, we conducted 39 DDS administrative cost audits. In 20 of the 39 audits, we identified internal control weaknesses. For example, we reported that improvements were needed to ensure Federal funds were properly drawn and payments to medical providers were in accordance with Federal regulations. The lack of effective internal controls can result in the mismanagement of Federal resources and increase the risk of fraud.

In 15 of the 39 DDS administrative cost audits, we reported about $21.2 million in unallowable indirect costs. As a result, we initiated a separate review of SSA's oversight of indirect costs. We reported that SSA needed to improve its oversight of indirect costs claimed by DDSs to ensure SSA funds obligated by DDSs benefited SSA and were equitably distributed to its programs.
Congress, external interested parties, and the general public need sound data to monitor and evaluate SSA's performance. SSA relies primarily on internally generated data to manage the information it uses to administer its programs and report to Congress and the public. The necessity for good internal data Government-wide has resulted in the passage of several laws, including the Government Performance and Results Act. In addition to legislation calling for greater accountability within the Government, the PMA has focused on the integration of the budget and performance measurement processes. The PMA calls for agencies to, over time, identify high quality outcome measures, accurately monitor programs' performance, and integrate this presentation with associated costs.

SSA sets forth its mission and strategic goals in strategic plans, establishes yearly targets in its annual performance plan, and reports on its performance annually. Each year, we assess the reliability of SSA's performance data and evaluate the extent to which SSA's performance measures describe its planned and actual performance. Assessing the control environment over DDSs and SSA's performance measures helps ensure the Agency is managing its resources to meet its mission.

The information technology revolution has changed the way governments and businesses operate. Today, the growth in computer interconnectivity brings a heightened risk of disrupting or sabotaging critical operations, reading or copying sensitive data, and tampering with critical processes. Those who wish to disrupt or sabotage critical operations have more tools than ever. The United States works to protect the people, economy, essential services, and national security by ensuring that any disruptions are infrequent, manageable, of minimal duration, and cause the least damage possible. The Government must continually strive to secure information systems for critical infrastructures.

SSA's information security challenge is to understand and mitigate system vulnerabilities. At SSA, this means ensuring the security of its critical information infrastructure, such as access to the Internet and its networks. By improving systems security and controls, SSA will be able to use current and future technology more effectively to fulfill the public's needs. The public will not use electronic access to SSA services if it does not believe those systems are secure. SSA addresses critical information infrastructure and systems security in a variety of ways. For example, it has created a Critical Infrastructure Protection work group that works toward compliance with various directives, such as the Homeland Security Presidential Directives (HSPD) and the Federal Information Security Management Act of 2002. Additionally, SSA created the Office of Information Technology Security Policy within the Office of the Chief Information Officer.

HSPD 7 requires that all Federal department and agency heads identify, prioritize, assess, remediate, and protect their respective critical infrastructure and key resources. To comply with HSPD 7, SSA submitted its Critical Federal Infrastructure Protection Plan to OMB in 2004. SSA continues to work with OMB to resolve any outstanding issues regarding its plan. We have worked with SSA to help meet these requirements. The Agency plans must address identification, prioritization, protection, and contingency planning, including the recovery and reconstitution of essential capabilities.

HSPD 12 mandates the development of a common identification Standard for all Federal employees and contractors. The Agency recently created a work group that coordinates with other agencies and OMB to address HSPD 12. We plan to evaluate SSA's efforts to comply with HSPD 12, as required by Federal Information Processing Standards 201.

Another important systems security issue is the restriction of physical access to the Agency's systems and data. We reported on physical security problems at several hearing offices and noted that non-SSA employees were allowed inappropriate access to secured areas. Though the managers at these sites took prompt action to remedy the security breaches, we believe the same security concerns may be present at other hearing offices. Because of our findings at several hearing offices, we plan to expand our reviews to determine whether OHA has established adequate physical security controls at its numerous remote hearing sites.
In addition, under the Federal Information Security Management Act, we independently evaluate SSA's security program. Systems security is a key component of this initiative, and we will continue to work with the Agency to resolve outstanding issues so it can reach green on the Electronic Government Scorecard.

One of SSA's goals is to deliver high-quality, "citizen-centered" service. This goal encompasses traditional and electronic services to applicants for benefits, beneficiaries and the general public. It includes services to and from States, other agencies, third parties, employers, and other organizations, including financial institutions and medical providers. This area includes basic operational services, and three of the greatest challenges in the area are the representative payee process, managing human capital and electronic Government.

Representative Payee Process
When SSA determines a beneficiary cannot manage his or her benefits, SSA selects a representative payee who must use the payments for the beneficiary's needs. There are about 5.4 million representative payees who manage benefit payments for 6.9 million beneficiaries. While representative payees provide a valuable service for beneficiaries, SSA must provide appropriate safeguards to ensure they meet their responsibilities to the beneficiaries they serve.

We have completed several audits of representative payees. Our audits have identified
deficiencies with the accounting for benefit receipts and disbursements,
vulnerabilities in the safeguarding of beneficiary payments,
poor monitoring and reporting to SSA of changes in beneficiary circumstances,
inappropriate handling of beneficiary-conserved funds, and
improper charging of fees.

In March 2004, the President signed into law the Social Security Protection Act of 2004. This Act provides several new safeguards for those individuals who need a representative payee. In addition, it presents significant challenges to SSA to ensure representative payees meet beneficiaries' needs. For example, it requires that SSA conduct periodic on-site reviews of representative payees and a statistically valid survey to determine how payments made to representative payees are being used. It also authorizes SSA to impose civil monetary penalties for offenses involving misuse of benefits received by a representative payee. In FY 2006, we plan to conduct reviews that focus on SSA's efforts to implement the provisions of the Social Security Protection Act of 2004.

Managing Human Capital
SSA, like many other Federal agencies, is being challenged to address its human capital shortfalls. As of January 2005, GAO has continued to identify strategic human capital management on its list of high-risk Federal programs and operations. GAO initially identified human capital management as high-risk in January 2001. In addition, Strategic Management of Human Capital is one of five Government-wide initiatives contained in the PMA.

By the end of 2012, SSA projects its DI and Old-Age and Survivors Insurance benefit rolls will increase by 35 percent and 18 percent, respectively. Further, by FY 2014, SSA projects 56 percent of SSA's employees will be eligible to retire. This retirement wave will result in a loss of institutional knowledge that will affect SSA's ability to deliver quality service to the public.
Along with the workload increase, the incredible pace of technological change will have a profound impact on both the public's expectations and SSA's ability to meet those expectations. In the face of these challenges, technology is essential to achieving efficiencies and enabling employees to deliver the kind of service that every claimant, beneficiary and citizen needs and deserves.
SSA's Office of Systems is responsible for guiding and managing the development, acquisition, and use of the information technology resources that support the Agency's program and business functions. The Office of Systems estimates 66 percent of its FY 2003 Information Technology workforce will be eligible for retirement over the next 10 years.

The critical loss of institutional skills and knowledge, combined with greatly increased workloads at a time when the baby-boom generation will require its services must be addressed by succession planning, strong recruitment efforts, and the effective use of technology. As of June 30, 2005, SSA continued to score "green" in "Progress in Implementing the President's Management Agenda" on the OMB Scorecard.

Electronic Government
The Expanded Electronic Government, or "e-Government," initiative of the PMA directs the expanded use of the Internet to provide faster and better access to Government services and information. Specifically, e-Government instructs SSA to help citizens find information and obtain services organized according to their needs.

According to SSA, its e-Government strategy is based on the deployment of high-volume, high-payoff applications, for both the public and the Agency's business partners. To meet increasing public demands, SSA has pursued a portfolio of services that enable on-line transactions and increase opportunities for the public to conduct SSA business electronically in a private and secure environment.

Over the past 6 years, SSA has launched the Internet Social Security Benefit Application and created on-line requests for Social Security Statements, replacement Medicare cards, proof of income letters and change of address. The Agency also added more on-line reports, such as the Adult Disability and Work History Report, the Childhood Disability Report and the Appeals Disability Report.