Inspector
General Statement
on the
Social Security Administration's
Major Management Challenges
November 2007
A-02-08-18061
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management
by proactively seeking new ways to prevent and deter fraud, waste and abuse.
We commit to integrity and excellence by supporting an environment that provides
a valuable public service while encouraging employee development and retention
and fostering diversity and innovation.
November 7, 2007
The Honorable Michael J. Astrue
Commissioner
Dear Mr. Astrue:
The Reports Consolidation Act of 2000 (Pub. L. No. 106-531) requires Inspectors General to provide a summary and assessment of the most serious management and performance challenges facing Federal agencies and the agencies' progress in addressing them. This review is enclosed. As required by the Reports Consolidation Act, this Statement will be placed in the Social Security Administration's Fiscal Year 2007 Performance and Accountability Report.
In November 2006, we identified six significant management issues facing the Social Security Administration for Fiscal Year (FY) 2007.
Social Security Number Protection
Management of the Disability Process
Improper Payments and Recovery of Overpayments
Internal Control Environment and Performance Measures
Systems Security and Critical Infrastructure Protection
Service Delivery and Electronic Government
I congratulate you on the progress you have made during FY 2007 in addressing these challenges. My office will continue to focus on these issues in FY 2008. I look forward to working with you to continue improving the Agency's ability to address these challenges and meet its mission efficiently and effectively. I am providing you with the Office of the Inspector General's assessment of these six management challenges.
Sincerely,
Patrick P. O'Carroll, Jr.
Inspector General
Social Security Number Protection
In Fiscal Year (FY) 2007, the Social Security Administration (SSA) issued approximately 5.7 million original and 11.6 million replacement Social Security number (SSN) cards and received approximately $620 billion in employment taxes related to earnings under assigned SSNs. Protecting the SSN and properly posting the wages reported under SSNs are critical to ensuring eligible individuals receive the full benefits due them.
SSA has taken significant steps over the past several years to improve controls in its enumeration process. The Agency has made progress in providing greater SSN protection; nevertheless, incidents of SSN misuse continue to rise. To further strengthen SSN integrity, we believe SSA should (1) seek legislation to reduce the allowable circumstances in which entities may require the collection and use of SSNs as unique identifiers or recordkeeping tools and improve the protection of this information when obtained, (2) continue to address identified weaknesses in its information security environment to safeguard SSNs in a better way, and (3) continue to coordinate with partner agencies to pursue any data sharing agreements that would increase data integrity.
In May 2007, the Office of Management and Budget (OMB) issued Memorandum M-07-16 to Federal agencies regarding safeguarding against and responding to breaches of personally identifiable information (PII), including the establishment and implementation of plans to eliminate unnecessary collection and use of SSNs. We believe this is an important step in protecting SSNs in the Federal sector and can serve as a model for State and local governments, as well as private entities. We are encouraged that SSA is taking steps to implement this OMB guidance. For further information on the SSA's actions to protect PII, see our discussion in the Systems Security and Critical Infrastructure Protection section of this report.
Maintaining the integrity of the SSN and Social Security programs also involves properly posting earnings reported under SSNs. Accurate earnings records are used to determine both the eligibility for Social Security benefits and the amount of those benefits. The Earnings Suspense File (ESF) is the Agency's record of annual wage reports for wage earners whose names and SSNs fail to match SSA's records. As of October 2006, the ESF had accumulated approximately 264 million wage items for Tax Years 1937 through 2004, representing about $586 billion in wages.
While SSA cannot control all of the factors associated with erroneous wage reports, SSA can continue to improve wage reporting by educating employers on reporting criteria, identifying and resolving employer reporting problems, and encouraging greater use of both SSA's and the Department of Homeland Security's (DHS) employee verification programs. SSA can also improve coordination with other Federal agencies with separate, yet related, mandates. For example, the Agency needs to work with the Internal Revenue Service to achieve more accurate wage reporting. SSA also needs to work with DHS to improve controls over employee verification programs. Finally, SSA will need to coordinate closely with DHS on its recently proposed rule (Safe-Harbor Procedures for Employers Who Receive a No-Match Letter) requiring employers to take timely action on SSA no-match letters to avoid liability under immigration laws. The use of SSA's employer no-match letter process to assist DHS with its worksite enforcement mission has led to public concerns from labor advocacy groups and unions regarding individuals being denied employment inappropriately. In October 2007, a preliminary injunction was issued preventing the mailing of the letters based on a lawsuit filed by labor advocacy organizations.
Another area of concern related to SSN integrity is the use of nonwork SSNs by noncitizens for unauthorized employment in the United States. SSA assigns nonwork SSNs to noncitizens when (1) a Federal statute or regulation requires that noncitizens provide an SSN to receive a federally funded benefit to which they have established an entitlement or (2) a State or local law requires that noncitizens who are legally in the United States provide an SSN to receive public assistance benefits to which they are entitled and for which all other requirements have been met. SSA assigns these individuals SSN cards with a "Not Valid for Employment" annotation. SSA also provides information about earnings reported under a nonwork SSN to DHS as required by law. Nonetheless, prior audits have noted several issues related to nonwork SSNs, including the (1) type of evidence provided to obtain a nonwork SSN, (2) reliability of nonwork SSN information in SSA's records, (3) volume of wages reported under nonwork SSNs, and (4) restrictions on payment of benefits to noncitizens who qualified for their benefits while working in the United States but lack proper authorization. SSA's future accomplishments with nonwork SSNs will require increased coordination with DHS to ensure SSA has correct work status information.
SSA Has Taken Steps to Address this Challenge
Over the past 5 years, SSA has implemented numerous improvements to its enumeration process. For example, SSA implemented new systems software, which field offices are required to use, called the SS-5 Assistant. This program has simplified the interpretation of, and compliance with, SSA's complex enumeration policies and, unlike the traditional process, will not process an SSN request unless SSA staff enters all of the applicant's required information. SSA has also established five Social Security Card Centers that focus exclusively on assigning SSNs and issuing SSN cards-and it has plans to open more as resources permit.
In addition, SSA has implemented several enhancements designed to protect the
SSN under the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)
(Pub. L. No. 108-458). The enhancements include (1) restricting the issuance
of multiple replacement SSN cards to 3 per year and 10 in a lifetime; (2) requiring
independent verification of any birth record submitted by a U.S. born individual
to establish eligibility for an SSN, other than for purposes of enumeration
at birth; (3) consulting with DHS and other agencies to further improve the
security of SSNs and SSN cards; and (4) strengthening the standards and requirements
for citizenship and identity documents presented with SSN applications to ensure
the correct individual obtains the correct SSN. Additionally, SSA has significantly
decreased the number of nonwork SSNs it assigns to noncitizens as a result of
a change in regulations and field office compliance with procedures to ensure
that nonwork SSNs are issued only to qualified individuals.
SSA has also taken steps to reduce the size and growth of the ESF. In June 2005, the Agency expanded its voluntary Social Security Number Verification Service (SSNVS) to all interested employers nationwide. SSNVS allows employers to verify the names and SSNs of employees before reporting their wages to SSA. During Calendar Year 2006, SSNVS processed over 49 million verifications for over 13,400 registered employers.
SSA also supports DHS in administering "E-Verify" formerly known as the Basic Pilot Program, which verifies the names and SSNs of employees as well as their authorization to work in the United States. The "E-Verify" program is available to employers nationwide and was recently enhanced to include a Photo Screening Tool feature, which allows an employer to check the photos of a new hire's Employment Authorization Document or Permanent Resident Card ("Green Card") against images stored in DHS immigration databases. During FY 2006, "E-Verify" processed about 1.7 million verifications for approximately 12,000 employers.
The Agency continues to modify the information it shares with employers. Under IRTPA, SSA is required to add both death and fraud indicators to the SSN verification systems for employers, State agencies issuing drivers' licenses and identity cards, and other verification routines, as determined appropriate by the Commissioner of Social Security. SSA added death indicators to those verification routines used by employers and State agencies on March 6, 2006 and added fraud indicators in August 2007.
Management of the Disability Process
SSA needs to continue to improve critical parts of the disability process, such as making timely disability decisions and safeguarding the integrity of its disability programs. SSA's disability program has remained on the Government Accountability Office's (GAO) high-risk list since 2003 due, in part, to outmoded concepts of disability, lengthy processing times, and inconsistencies in disability decisions across adjudicative levels and locations.
At the forefront of congressional and Agency concern is the timeliness of SSA's disability decisions at the hearings adjudicative level. The average processing time for the Office of Disability Adjudication and Review (ODAR), responsible for SSA's hearings and appeals programs, continues to increase each FY-from 293 days in FY 2001 to 512 days in FY 2007. In our December 2006 report on Disability Insurance (DI) payments made during the appeals process, we found that financial performance and citizen satisfaction of the DI program could be greatly increased if SSA would establish a business process to allow more timely decisions on medical cessation appeals. In our March 2007 audit on ODAR's workload status reports, we reported that we found no clear link between the Agency's internal hearings workload benchmarks and the overall performance goal for the average processing time of a hearing.
ODAR's pending workload also continues to increase steadily. At the end FY 2007, the pending workload was 746,744 cases-up from 392,387 cases in FY 2001. We recently presented SSA with the results of our review on Administrative Law Judges' (ALJ) Caseload Performance. The review recommended SSA establish a performance accountability process to address ALJ performance when it falls below an acceptable level. The recommendation, when implemented by SSA, will assist the Agency in reducing pending workloads.
SSA Has Taken Steps to Address this Challenge
In August 2006, SSA implemented a Quick Disability Determination (QDD) process which uses a computer model to identify cases when the individuals are obviously disabled and are likely to be allowed. The QDD process was successful with Disability Determination Services (DDS) issuing decisions on 95 percent of cases within the required timeframe. Based on the results of the QDD process in the Boston region, the Commissioner of Social Security required DDSs nationwide to implement the QDD process by March 2008.
In response to our March 2007 audit on ODAR's workload status reports, the Agency has developed "guidelines" related to the steps in the hearings process to track the Agency's performance goal for average processing time. ODAR has also taken other steps, such as encouraging hearing offices to view case processing using a weekly rather than monthly timeframe, to improve office productivity.
To address its pending workload, ODAR accelerated and expanded efforts to address cases that have been waiting 1,000 days or more for a hearing-with the goal of having these cases to a negligible level by the end of FY 2007. Specifically, at the beginning of FY 2007, there were about 63,000 cases pending which were or would become over 1,000 days old by the end of the FY. As of end of FY 2007, this pending workload was reduced to 108 cases.
The Commissioner also recently announced additional initiatives in an effort to reduce the hearings backlog by FY 2012. Many of these initiatives are either ongoing or expected to begin within the next few months. The Commissioner's initiatives include:
Compassionate allowances where SSA plans to build on the success of the QDD process by implementing additional initiatives to quickly identify and allow applicants who are obviously disabled.
Increased adjudicatory capacity which includes filling hearing dockets of current ALJs to capacity by increasing staff overtime, improving ALJ productivity, hiring at least 150 ALJs and the necessary accompanying support staff, streamlining folder assembly, and using personnel from other SSA components to assist the most affected hearing offices.
Using automation and improved business processes such as video equipment in all hearings offices, electronic file assembly, electronic scheduling, and decision-writing templates to improve case processing at the hearings level.
Opening a National Hearing Center where ALJs in a centralized, fully electronic facility will handle electronic files and conduct only video hearings.
We continue to work with the Agency to safeguard the integrity of its disability programs with the Cooperative Disability Investigations (CDI) program. Under the CDI program, our Office of Investigations and SSA staff obtain evidence to resolve questions of fraud in disability claims. Since the program's inception in FY 1998, the 19 CDI units, operating in 17 States, have been responsible for over $879 million in projected savings to SSA's disability programs and over $539 million in projected savings to non-SSA programs.
Improper Payments and Recovery of Overpayments
Improper payments are defined as any payment that should not have been made or was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Examples of improper payments include payments made to ineligible recipients, duplicate payments, and payments that are for the incorrect amount. Furthermore, the risk of improper payments increases in programs with a significant volume of transactions, complex criteria for computing payments, and an overemphasis on expediting payments.
SSA and the Office of the Inspector General (OIG) have discussed such issues as detected versus undetected improper payments and avoidable versus unavoidable overpayments that are outside the Agency's control and a cost of doing business. OMB issued specific guidance to SSA to include only avoidable overpayments in its improper payment estimate because those payments can be reduced through changes in administrative actions. Unavoidable overpayments that result from legal or policy requirements are not to be included in SSA's improper payment estimate.
The President and Congress continue to express interest in measuring the universe of improper payments in the Government. In August 2001, OMB published the President's Management Agenda (PMA), which included a governmentwide initiative for improving financial performance, including reducing improper payments. The Improper Payments Information Act of 2002 (IPIA) (Pub. L. No. 107-300) was enacted in November 2002, and OMB issued guidance in May 2003 (OMB Memorandum M-03-13) on implementing this law. In August 2006, OMB updated and revised this guidance (OMB Memorandum M-06-23). Significant updates to the guidance include new language to clarify the definition of an improper payment and clarification of OMB's authority to require agencies to track programs under the IPIA with low error rates (i.e., less than 2.5 percent), but significant improper payment amounts.
SSA issues billions of dollars in benefit payments under the Old-Age, Survivors and Disability Insurance (OASDI) and Supplemental Security Income (SSI) programs-and some improper payments are unavoidable. In FY 2007, SSA issued over $612 billion in benefit payments to over 54 million people. Since SSA is responsible for issuing timely benefit payments for complex entitlement programs to millions of people, even the slightest error in the overall process can result in millions of dollars in over- or underpayments.
In January 2007, OMB issued a report, Improving the Accuracy and Integrity of Federal Payments, noting that eight Federal programs-including SSA's OASDI and SSI programs-accounted for more than 89 percent of the improper payments in FY 2006. However, this report also noted that the OASDI error rate dropped by 1/10th of 1 percent, which resulted in a $401 million reduction in improper payments.
In August 2007, we issued a report, Improper Payments Resulting from the Annual Earnings Test, that showed that SSA did not adjust the benefit payments for all beneficiaries who were subject to the Annual Earnings Test. We estimated SSA overpaid about $313 million to 89,300 beneficiaries and underpaid about $35 million to 12,800 beneficiaries. These payment errors primarily occurred because SSA did not process all records identified by its Earnings Enforcement Operation (EEO). Furthermore, unless SSA takes corrective action to process all future EEO selections, we estimated it would pay at least $104 million in overpayments and $11 million in underpayments annually.
SSA Has Taken Steps to Address this Challenge
SSA has been working to improve its ability to prevent over- and underpayments by obtaining beneficiary information from independent sources sooner and using technology more effectively. For example, the Agency is continuing its efforts to prevent payments after a beneficiary dies by using Electronic Death Registration information. Also, the Agency's Continuing Disability Review process is in place to identify and prevent beneficiaries who are no longer disabled from receiving payments.
SSA is also taking steps to recover overpayments. For example, the Agency generally agreed to the recommendations to improve its efforts for cross-program recovery of overpayments that were in our June 2007 report, Cross-Program Recovery of Benefit Overpayments. For the records we reviewed, we estimated SSA could collect a maximum of about $3.6 million over a 21-month period from SSI payments to recover OASDI overpayments. The amounts recovered could also earn about $149,000 in interest for the OASDI trust funds over the 21-month period. In addition, we estimated that over the 21-month period, SSA could recover a maximum of about $13.4 million in SSI overpayments. In September 2007, SSA implemented Cross Program Recovery III, which collects OASDI overpayments from SSI underpayments. SSA reported that the new program provided for the collection of over $4 million in its first month of implementation.
We will continue to work with SSA to identify and address improper payments in its programs. For example, in our review, Title II Disability Insurance Benefits with a Workers' Compensation Offset (issued in November 2006), we found that the percentage of payments in error identified in this report declined significantly when compared to the percentage we reported in our prior workers' compensation offset audits. However, although there has been an improvement in reducing improper payments due to workers' compensation, we still identified about 25,377 disability insurance claims totaling approximately $149 million that had payment errors. SSA agreed to implement the five recommendations we made regarding this workload.
Internal Control Environment and Performance Measures
Sound management of public programs includes both effective internal controls and performance measurement. Internal control comprises the plans, methods, and procedures used to meet missions, goals, and objectives. OMB's Circular No. A-123, Management's Responsibility for Management Control, requires the Agency and its managers to take systematic and proactive measures to develop and implement appropriate, cost-effective internal control for results-oriented management. Accordingly, SSA management is responsible for determining through performance measurement and systematic analysis if the programs it manages achieve intended objectives.
Establishing appropriate controls over the development of disability claims under the DI and SSI programs is one of the main work processes for which SSA is responsible. Disability determinations under DI and SSI are required to be performed by DDSs in each State in accordance with Federal regulations. Each DDS is responsible for determining claimants' disabilities and ensuring adequate evidence is available to support its determinations. SSA reimburses the DDS for 100 percent of allowable expenditures up to its approved funding authorization. In FY 2007, SSA allocated over $1.7 billion to fund DDS operations.
From FY 2000 through FY 2007, we conducted 61 DDS administrative cost audits. In 32 of the 61 audits, we identified internal control weaknesses and over $110 million that SSA reimbursed to the States that were not properly supported or could have been put to better use. Fourteen of the 61 audits conducted were completed in FY 2007. Six of these reports noted similar control weaknesses identified in DDS audits in previous years and over $28 million of questioned costs and/or funds that could be put to better use. We believe the large dollar amounts claimed by State DDSs and the control issues we have identified, warrant this issue remaining a major management challenge.
Another area that requires sound management and effective internal control is the selection and oversight of contractors assisting the Agency in meeting its mission. In FY 2007, SSA spent over $715 million on contracts. We reviewed 11 of SSA's contracts in FY 2007. We generally found that the costs claimed for services provided by the contractors involved were reasonable and allowable. While we noted no major concerns in the reviews conducted, we believe ensuring proper oversight and controls over its contracts is inherently a major management challenge for SSA due to the total dollar amounts awarded and risks involved with contractors adequately delivering services and meeting contract objectives.
The Government Performance and Results Act of 1993 (Pub. L. No. 103-62) and the PMA call for the identification of outcome measures that accurately monitor programs' performance. Also, SSA managers need sound information to monitor and evaluate performance. In FY 2007, we issued 7 audits that addressed 14 of SSA's performance measures. Four of the seven audits were based on work that began in FY 2006, with audit work continuing into FY 2007. The nine performance measures addressed in these four reports are listed below.
Increase the Usage of Electronic Entitlement and Supporting Actions "
Increase the Percent of Employee Reports (W-2 forms) Filed Electronically
Agency Decisional Accuracy Rate " Number of SSA Hearings Processed
Average Processing Time for Hearings Appeals " Average Processing Time
for SSA Hearings
Disability Determination Services Cases Processed per Workyear " Average
Processing Time for Initial Disability Claims
Number of Initial Disability Claims Processed by the Disability Determination
Services
We concluded the data used for five of the nine measures were reliable and that the data used for four of them were unreliable.
Three of the seven audits released in FY 2007 were based on work that began and was completed in FY 2007. The five performance measures addressed by these audits are listed below.
Percent of Individuals Who Do Business with SSA Rating the Overall Service
as "Excellent," "Very Good," or "Good" "
Percent of Old-Age, Survivors, and Disability Insurance Payments Free of Overpayment
and Underpayment
Minimize Skill and Knowledge Gaps in Mission-Critical Positions " Continue
to Achieve 2 Percent Productivity Improvement on Average
Align Employee Performance with Agency Mission and Strategic Goals
We concluded that the data used for four of the five measures were reliable and that the data used for one of them was unreliable.
Generally, when data was determined to be unreliable, it was due to weaknesses in internal or access controls over the systems used to collect and process it. Due to the control weaknesses, the data was not sufficiently secure to be certain of its integrity. The challenge SSA faces in this area is ensuring that it has reliable management information when making strategic and operational plans.
SSA Has Taken Steps to Address this Challenge
SSA has taken steps to develop internal controls over its operations and contractor
performance and in developing sound performance data. SSA has generally agreed
with our recommendations that address internal control weaknesses associated
with DDSs and has taken the recommended steps to ensure that reimbursements
provided to DDSs are allowable and properly supported. Additionally, SSA is
working to limit the number of employees that have access and the ability to
change data in its performance data collection systems to help ensure the integrity
of its management information. Also, the Agency has worked with us to determine
what is the best way to audit its performance data without significantly increasing
its data storage costs. This effort includes gaining real time access to SSA's
performance data, which allows us to test the data as it is being created.
Systems Security and Critical Infrastructure Protection
Protecting the critical infrastructure of the United States is essential to the Nation's security, public health and safety, economic vitality, and way of life. Attacks on critical infrastructure could significantly disrupt the functioning of Government and business alike and produce cascading effects far beyond the targeted sectors and physical location of the incident. Therefore, any disruptions in the operation of information systems that are critical to the Nation's infrastructure should be infrequent, manageable, of minimal duration and result in the least damage possible. The Government must make continuous efforts to secure information systems for critical infrastructures.
SSA's information security challenge is to understand and mitigate system vulnerabilities. Weaknesses in controls over access to its electronic information, technical security configuration standards, suitability, and continuity of systems operations have been identified. While many of these weaknesses have been resolved, SSA needs to monitor these issues diligently to ensure that they do not reoccur.
OMB continues to stress the importance of protecting the public's privacy and PII as emphasized by new guidance such as OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. This new guidance mandates agencies increase efforts to reduce the use of PII collected and held. OMB Memorandum M-07-16 complements existing PII guidance including OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, and OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments. OMB is also incorporating more privacy and PII protection questions in its annual Federal Information Security Management Act (FISMA) (Pub. L. No. 107-347, Title III) guidance (OMB Memorandum M-07-19).
SSA Has Taken Steps to Address this Challenge
SSA has taken numerous steps to address OMB guidance on PII. In September 2006, the Agency released, Policy and Procedures for All SSA Employees for Reporting the Loss or Suspected Loss of Personally Identifiable Information (Information Systems Security Handbook, Appendix V). This policy requires the reporting of incidents involving the loss or potential loss of PII within 1 hour of discovery. In March 2007, the Agency issued procedures on safeguarding PII while in transit or outside of secure SSA space. In September 2007, SSA issued the, SSA Breach Notification Policy, The Social Security Administration's Implementation Plan To Eliminate Unnecessary Use Of Social Security Numbers, and The Social Security Administration's Plan and Progress Update on Review and Reduction of Holdings of Personally Identifiable Information (PII). The Agency has also established workgroups, a PII Executive Steering Committee, which provides oversight and recommendations on SSA policy, and the PII Breach Response Group whose role is to engage in Agency planning in the event a breach occurs.
SSA addresses significant information technology control issues in many other ways. For example, the Agency developed and implemented configuration standards for all major operating system platforms and software components. SSA also began an extensive monitoring process to ensure that the Agency's over 100,000 servers and workstations are in compliance with established system configuration standards. Further, SSA maintained Certifications and Accreditations for all 20 major systems, which were substantially compliant with security standards. SSA has instituted access control policies to ensure appropriate segregation of duties by limiting access to critical information on a 'need only' basis.
Over the years, SSA has worked to establish sufficient access controls as evidenced by the use of Top Secret software and the System Security Profile Project (SSPP). An employee's profile is the primary element used to control access to SSA's databases. As a result of the SSPP, in FY 2005, the access control issue was removed as a reportable condition from SSA auditor's financial statement report. SSA needs to continue its efforts to fully implement the policies that control access to sensitive records. Such efforts should include:
Updating and developing new configuration standards when appropriate;
Strengthening its access control processes to ensure that the user profiles are adequately reviewed and tested;
Continuing to monitor the Agency's devices for compliance with established configuration standards;
Continuing to work the SSPP and the regular monitoring of accesses made to sensitive data; and
Controlling and monitoring DDS employees and contractors' access to sensitive SSA information.
SSA has implemented a variety of methods to protect its critical information
infrastructure and systems security. For example, SSA's Critical Infrastructure
Protection workgroup continuously looks to find ways to ensure Agency compliance
with various directives, such as Homeland Security Presidential Directives and
FISMA. To provide for the protection of the critical assets of the SSA National
Computer Center, SSA has initiated the Information Technology Operations Assurance
(ITOA) project. The objective of the ITOA project is to build a second, fully
functional, co-processing data center. SSA also routinely releases security
advisories to its employees and has hired outside contractors to provide expertise
in this area.
Service Delivery and Electronic Government
One of SSA's goals is to deliver high-quality "citizen-centered" service. This goal encompasses traditional and electronic services to applicants for benefits, beneficiaries and the general public. It includes services to and from States, other agencies, third parties, employers, and other organizations, including financial institutions and medical providers. This area includes the challenges of the Representative Payee Process, Medicare Prescription Drug Program, Managing Human Capital and Electronic Government (e-Government).
When SSA determines a beneficiary cannot manage his or her benefits, SSA selects a representative payee who must use the payments for the beneficiary's interests. In FY 2007, SSA reported there were approximately 5.3 million representative payees who managed about $49.9 billion in annual benefit payments for approximately 7.1 million beneficiaries in FY 2006. While representative payees provide a valuable service for beneficiaries, SSA must provide appropriate safeguards to ensure its responsibilities are met to the beneficiaries it serves.
In FY 2007, we identified several problematic conditions during our reviews
of SSA's representative payee process. We found SSA's procedures did not ensure
new representative payees were selected when the death of current payees occurred.
We were also unable to identify if SSA referred, as required, all misuse cases
to the OIG. Furthermore, SSA did not always use its authority to redirect benefit
payments to the local field office when representative payees failed to submit
annual accounting reports. Finally, in July 2007, the National Academy of Sciences
(NAS) issued a report, Improving the Social Security Representative Payee Program:
Serving Beneficiaries and Minimizing Misuse, that contained several recommendations
to improve SSA's representative payee program. For example, NAS reported that
SSA should take steps to prevent and detect misuse of beneficiary funds in a
better way. In addition, NAS recommended that SSA conduct targeted reviews of
those representative payees most likely to misuse benefits.
The Medicare Prescription Drug, Improvement and Modernization Act of 2003 (Pub.
L. No. 108-173) established a new, voluntary Prescription Drug Program that
became effective January 2006. Under this program, certain low-income individuals
are eligible to receive prescription drug coverage, premium, deductible, and
co-payment subsidies. Implementation of the program presented several challenges
for SSA. For example, SSA needed to conduct outreach efforts to promote the
program, perform income and resource verifications for individuals who applied
for low-income subsidies and review appeals for applicants who disputed SSA's
eligibility determinations.
As of January 2007, the GAO continued to identify strategic human capital management
on its list of high-risk Federal programs and operations. Further, Strategic
Management of Human Capital is one of five governmentwide initiatives contained
in the PMA. By the end of 2012, SSA projects its DI rolls will have increased
by 35 percent. Further, by FY 2015, 54 percent of current SSA employees will
be eligible to retire. This could result in a loss of institutional knowledge
that will affect SSA's ability to deliver quality service to the public.
SSA faces numerous challenges in its attempts to provide eServices to the public,
Government and business. For example, SSA is facing increased workloads as "baby
boomers" become eligible for retirement and as the disability beneficiary
population grows. At the same time, there is a greater need for prompt, secure,
and efficient Government Internet services. We believe SSA needs to increase
its efforts to encourage claimants to file claims via the Internet Social Security
Benefit Application (ISBA). The percentage of claims filed through the Internet
has remained at about 3 to 5 percent over the previous 5 years. Furthermore,
about 73 percent of claimants who file electronically for retirement or disability
benefits over ISBA still have to be contacted by SSA's field offices before
processing can be completed.
SSA Has Taken Steps to Address this Challenge
SSA has taken several actions to address the challenges of its representative payee process. This includes providing periodic reports mandated by Congress under the Social Security Protection Act of 2004 on its representative payee site reviews and other reviews. SSA has also established a Representative Payment Steering Committee to address the NAS conclusions and recommendations and planned enhancements to its information systems for the issuance of alerts to field offices to select a new representative payee when SSA is notified of a payee's death.
To manage the challenges presented by the Medicare Prescription Drug Program, SSA conducted more than 75,000 outreach events across the country to promote the program. Based on income and resource verifications performed as of February 2007, SSA approved low income subsidies to about 2.1 million applicants and denied low income subsidies to about 2.5 million applicants. SSA created a Subsidy Appeals Unit to process appeals of its subsidy eligibility determinations and continues to perform periodic redeterminations of subsidy eligibility.
Since June 2004, SSA has consistently scored "green" in both "Current Status" and "Progress in Implementing the PMA," for Human Capital on the Executive Branch Management Scorecard. The scorecard tracks how well the departments and major agencies are executing the governmentwide management initiatives. SSA has taken various actions to address its human capital challenges. In the Agency's FY 2006 Annual Human Capital Accountability Report, SSA reported it developed an Office of Personnel Management certified Human Capital Accountability System and Operating Plan. In addition, SSA reported it instituted changes in its organizational structure to expedite service to the public.
E-Government is a cornerstone of the PMA. SSA is incorporating this Presidential
initiative into its process by promoting convenient, quality on-line services.
SSA is currently using the Web to provide services through its Homepage. ISBA
has consistently rated at the top of all Federal offerings by the American Customer
Satisfaction Index Scorecard. In FY 2007, SSA reported a 292 percent increase
over the FY 2004 baseline in the use of electronic entitlement and supporting
actions during FY 2006. One of the more recent users of SSA's electronic services
was the Nation's first "baby boomer," who filed for retirement benefits
on-line.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Related Office of the Inspector General Reports
APPENDIX C - Office of the Inspector General Contacts
Appendix A
Acronyms
ALJ Administrative Law Judge
CDI Cooperative Disability Investigations
DDS Disability Determination Services
DHS Department of Homeland Security
DI Disability Insurance
EEO Earnings Enforcement Operation
ESF Earnings Suspense File
FISMA Federal Information Security Management Act
FY Fiscal Year
GAO Government Accountability Office
IPIA Improper Payments Information Act
IRTPA Intelligence Reform and Terrorism Prevention Act
ISBA Internet Social Security Benefit Application
ITOA Information Technology Operations Assurance
NAS National Academy of Sciences
OASDI Old-Age, Survivors and Disability Insurance
ODAR Office of Disability Adjudication and Review
OIG Office of the Inspector General
OMB Office of Management and Budget
PII Personally Identifiable Information
PMA President's Management Agenda
QDD Quick Disability Determination
SSA Social Security Administration
SSI Supplemental Security Income
SSN Social Security Number
SSNVS Social Security Number Verification Service
SSPP Standardized Security Profile Project
Appendix B
Related Office of the Inspector General Reports
Management Challenge Area, Report Title and Common Identification Number Report
Issued
Social Security Number Protection
Effectiveness of the Single Select Edit Routine (A-03-07-17065) September 28,
2007
The Validity of Earnings Posted to the Social Security Administration's Master
Earnings File for Children Ages 7 through 13 (A-02-06-26051) September 28, 2007
Social Security Numbers Assigned to Citizens of Compact of Free Association
Countries (Limited Distribution) (A-08-07-17077) September 24, 2007
Assessment of F-1 Students' Use of Social Security Numbers
(A-08-07-17085) September 12, 2007
State and Local Governments' Collection and Use of Social Security Numbers (A-08-07-17086)
September 10, 2007
Controls Over Employee Verification Programs (A-03-06-15036) September 4, 2007
Overstated Earnings and Their Effect on Social Security Administration Programs
(A-03-05-25018) August 7, 2007
Assignment of Social Security Numbers to J-1 Exchange Visitors
(A-08-07-17076) July 20, 2007
Field Office Use of the SS-5 Assistant (A-04-07-17026) July 2, 2007
Original Social Security Numbers Assigned to U.S. Citizens Age 12 or Older (A-08-07-17043)
June 18, 2007
The Las Vegas Social Security Card Center (A-09-06-16101) February 8, 2007
Impact of Unauthorized Employment on Social Security Benefits
(A-14-05-14042) December 21, 2006
Congressional Response Report: Accuracy of the Social Security Administration's
Numident File (A-08-06-26100) December 18, 2006
Management Challenge Area, Report Title and Common Identification Number Report
Issued
Social Security Number Protection
Congressional Response Report: Employer Feedback on the Social Security Administration's
Verification Programs (A-03-06-26106) December 14, 2006
Effectiveness of the Young Children's Earnings Records Reinstatement Process
(A-03-05-25009) October 20, 2006
Management Challenge Area, Report Title and Common Identification Number Report
Issued
Management of the Disability Process
Claimant Representatives Barred from Practicing before the Social Security Administration
(A-12-07-17057) September 28, 2007
Disability Insurance Beneficiaries Convicted of Crimes Against the Social Security
Administration's Programs (A-06-06-16132) September 24, 2007
Workload Activity at Five Hearing Offices in Region IV
(A-12-07-27091) September 10, 2007
Quick Disability Determinations (A-01-07-17035) May 31, 2007
Organizational Review of the Office of Disability and Income Security Programs
(A-12-07-27162) May 16, 2007
Management's Use of Workload Status Reports at Hearing Offices (A-12-06-26130)
March 26, 2007
Impact of Statutory Benefit Continuation on Disability Insurance Benefit Payments
Made During the Appeals Process
(A-07-05-15094) December 21, 2006
Childhood Continuing Disability Reviews and Age 18 Redeterminations (A-01-06-21093)
December 20, 2006
Title II Disability Insurance Benefits with a Workers' Compensation Offset (A-04-05-15133)
November 22, 2006
Management Challenge Area, Report Title and Common Identification Number Report
Issued
Improper Payments and Recovery of Overpayments
Administrative Finality in the Old-Age, Survivors and Disability Insurance Program
(A-01-07-27029) September 24, 2007
Improper Payments Resulting from the Annual Earnings Test
(A-09-07-17066) August 31, 2007
Underpayments on Prior Supplemental Security Income Records
(A-07-07-17034) August 31, 2007
Controls over Survivor's Benefits When Indications Exist a Wage Earner is Alive
(A-06-06-16088) August 8, 2007
The Social Security Administration's Monitoring of Dedicated Accounts for Supplemental
Security Income Recipients
(A-13-06-16032) August 3, 2007
Cross-Program Recovery of Benefit Overpayments (A-13-06-16031) June 22, 2007
The Social Security Administration's Controls and Procedures over Supplemental
Security Income Death Alerts (A-09-06-16128) May 31, 2007
FECA: A Nationwide Review of Federal Employees Who Received Compensation for
Lost Wages for Periods When "Earned Wages" Were Reported on the Social
Security Administration's Master Earnings File (A-15-06-16037) May 18, 2007
Adjustment of Widow's Insurance Benefits at Full Retirement Age
(A-01-07-27122) May 14, 2007
Supplemental Security Income Recipients Eligible as Disabled Adult Children
Under the Old-Age, Survivors and Disability Insurance Program (A-13-07-17073)
April 30, 2007
Accountability over Duplicate Payments, Equipment and Records in the Hurricane
Recovery Area (A-06-06-26137) April 23, 2007
Supplemental Security Income Payments Mailed to Field Office Addresses (A-06-06-26140)
April 23, 2007
The Social Security Administration's Accountability of Federal Emergency Management
Agency Funds Provided for Hurricane Relief Efforts (A-06-06-26138) March 23,
2007
Improper Payments and Recovery of Overpayments
Direct Deposits for Multiple Title XVI Recipients into the Same Bank Account
(A-02-06-25141) March 23, 2007
The Social Security Administration's Collection of Court-ordered Restitution
(A-02-06-26019) March 2, 2007
Government Pension Offset Exemption for Texas School Districts' Employees (A-09-06-26086)
January 8, 2007
Title II Beneficiaries in England (A-01-06-26131) December 11, 2006
Supplemental Security Income Recipients Whose Medicare Benefits Were Terminated
Due to Death (A-01-06-26105) November 14, 2006
Management Challenge Area, Report Title and Common Identification Number Report
Issued
Internal Control Environment and Performance Measures
Follow-Up Audit: Indirect Costs for the Connecticut Disability Determination
Services for the Period July 1, 2003 through June 30, 2005 (A-15-07-16034) September
28, 2007
Management Advisory Report: Single Audit of the State of Arizona for the Fiscal
Year Ended June 30, 2006 (A-77-07-00013) September 24, 2007
Management Advisory Report: Single Audit of the Commonwealth of Pennsylvania
for the Fiscal Year Ended June 30, 2006
(A-77-07-00012) September 24, 2007
Performance Indicator Audit: Staff Skills and Productivity
(A-02-07-17127) September 24, 2007
Contract with I. Levy and Associates for Development and Implementation of the
Electronic Folder Interface at Disability Determination Services (A-07-07-17104)
September 24, 2007
Performance Indicator Audit: Customer Satisfaction (A-15-07-17129) September
24, 2007
Management Advisory Report: Adequacy of the Administrative Practices in the
Atlanta North Office of Disability Adjudication and Review (Limited Distribution)
(A-04-07-27153) September 5, 2007
Management Advisory Report: Defense Contract Audit Agency's Audit of Lockheed
Martin Services, Inc., Incurred Costs for Calendar Year Ending December 31,
2005 (Limited Distribution)
(A-15-08-28046) August 31, 2007
Performance Indicator Audit: Improper Payments (A-15-07-17128) August 31, 2007
Administrative Costs Claimed by the New Jersey Department of Labor, Division
of Disability Determination Services (A-02-06-16043) August 3, 2007
Administrative Costs Claimed by the California Disability Determination Services
(A-09-06-16129) July 31, 2007
Administrative Costs Claimed by the Missouri Disability Determination Services
(A-07-06-16098) July 12, 2007
Administrative Costs Claimed by the West Virginia Disability Determination Services
(A-13-06-16121) June 27, 2007
Internal Control Environment and Performance Measures
Contract with Riojas Enterprises, Incorporated, for Case Folder Filing Support
Services - Contract #0600-98-34420 (A-04-07-17027) June 19, 2007
Administrative Costs Claimed by the New York Division of Disability Determinations
(A-02-07-17046) June 11, 2007
Performance Review of the Social Security Administration's National Computer
Center and Security West Building Guard Service Contract (Limited Distribution)
(A-15-06-16139) May 31, 2007
Administrative Costs Claimed by the Idaho Disability Determination Services
(A-09-06-16120) May 30, 2007
Contract for the Migration of I. Levy Software at Disability Determination Services
(Limited Distribution) (A-07-07-17033) May 24, 2007
Administrative Costs Claimed by the Illinois Disability Determination Services
(A-05-06-16118) May 22, 2007
Administrative Costs Claimed by the Mississippi Disability Determination Services
(A-08-06-16125) May 18, 2007
Performance Indicator Audit: Hearings and Appeals Process
(A-15-06-16113) May 17, 2007
Performance Indicator Audit: Disability Determination Services Processing (A-02-06-16110)
May 8, 2007
The Social Security Administration's Oversight of the PSI Group, Inc., Presort
Mail Contract -- Contract # GS-25F-0010M (Limited Distribution) (A-15-07-17032)
April 24, 2007
The Social Security Administration's Compliance with Employee Tax Requirements
(A-03-06-16062) April 6, 2007
Administrative Costs Claimed by the Tennessee Disability Determination Services
(A-04-06-16053) March 30, 2007
Defense Contract Audit Agency's Audit of Lockheed Martin Services, Inc. Incurred
Costs for Calendar Year Ending December 31, 2004 (Limited Distribution) (A-15-07-27117)
March 30, 2007
Internal Control Environment and Performance Measures
Management Advisory Report: Single Audit of the Puerto Rico Department of the
Family for the Fiscal Year Ended June 30, 2003 (A-77-07-00010) March 30, 2007
Administrative Costs Claimed by the Commonwealth of Puerto Rico Disability Determination
Program (A-06-06-16117) March 26, 2007
Administrative Costs Claimed by the Florida Division of Disability Determinations
(A-15-06-16127) March 23, 2007
Management Advisory Report: Single Audit of the State of Illinois for the Fiscal
Year Ended June 30, 2005 (A-77-07-00009) March 23, 2007
Management Advisory Report: Single Audit of the State of New Jersey for the
Fiscal Year Ended June 30, 2005
(A-77-07-00011) March 23, 2007
Performance Indicator Audit: Claims Processing (A-15-06-16109) March 16, 2007
Performance Indicator Audit: Electronic Service Delivery
(A-15-06-16111) March 8, 2007
Management Advisory Report: Single Audit of the Government of the District of
Columbia for the Fiscal Year Ended September 30, 2005 (A-77-07-00008) February
27, 2007
Controls over Representative Payee Accounting of Social Security Funds (A-15-06-16065)
February 26, 2007
Administrative Costs Claimed by the Maryland Disability Determination Services
(A-13-06-16029) February 5, 2007
Management Advisory Report: Single Audit of the Hawaii Department of Human Services
for the Fiscal Year Ended June 30, 2005 (A-77-07-00007) February 5, 2007
Contract for the Meridian Management Corporation at the Great Lakes Program
Service Center (Limited Distribution)
(A-05-07-17058) January 29, 2007
Internal Control Environment and Performance Measures
Management Advisory Report: Single Audit of the State of Washington for the
Fiscal Year Ended June 30, 2005
(A-77-07-00006) January 18, 2007
MAXIMUS' Indirect Cost Rates for Fiscal Years 2002 and 2003 (Limited Distribution)
(A-15-06-16091) December 21, 2006
Management Advisory Report: Single Audit of the State of South Carolina for
the Fiscal Year Ended June 30, 2005 (A-77-07-00005) December 4, 2006
Costs Claimed by the Association of University Centers on Disabilities Contract
Number 600-01-60127 (Limited Distribution)
(A-15-07-17031) December 1, 2006
Management Advisory Report: Single Audit of the Commonwealth of Pennsylvania
for the Fiscal Year Ended June 30, 2005
(A-77-07-00004) November 22, 2006
Management Advisory Report: Single Audit of the State of New York for the Fiscal
Year Ended March 31, 2005 (A-77-07-00003) November 22, 2006
Social Security Administration's Financial Report for Fiscal Year 2006 (A-15-06-16099)
November 7, 2006
Inspector General Statement on the Social Security Administration's Major Management
Challenges (A-02-07-17075) November 3, 2006
Administrative Costs Claimed by the Vermont Disability Determination Services
(A-01-06-16041) October 27, 2006
Management Advisory Report: Single Audit of the State of Maryland for the Fiscal
Year Ended June 30, 2005 (A-77-07-00002) October 27, 2006
Management Advisory Report: Single Audit of the State of Florida for the Fiscal
Year Ended June 30, 2005 (A-77-07-00001) October 27, 2006
Management Challenge Area, Report Title and Common Identification Number Report
Issued
Systems Security and Critical Infrastructure Protection
The Social Security Administration's Information Resources Management Strategic
Plan (A-14-07-27133) September 28, 2007
On-site Security Control and Audit Review at Hearing Offices
(A-12-07-17080) September 28, 2007
Access to Social Security Administration Data Provided by Disability Determination
Services Positional Profiles (Limited Distribution)
(A-14-07-17024) September 28, 2007
Fiscal Year 2007 Evaluation of the Social Security Administration's Compliance
with the Federal Information Security Management Act (A-14-07-17101) September
24, 2007
Compliance with Onsite Security Control and Audit Review Requirements at Field
Offices (A-02-07-27021) September 4, 2007
The Social Security Administration's Incident Response and Reporting System
(A-14-07-17070) August 3, 2007
Social Security Administration's Management of Information Technology Projects
(A-14-07-17099) July 26, 2007
Social Security Administration's Progress in Implementing Homeland Security
Presidential Directive 12 (A-14-07-27110) July 26, 2007
The Social Security Administration's Information Technology Maintenance and
Local Area Network Relocation Contract
(A-14-07-17022) May 21, 2007
General Controls Review of the Florida Division of Disability Determinations
Claims Processing System (A-14-06-16023) January 10, 2007
Management Challenge Area, Report Title and Common Identification Number Report
Issued
Service Delivery and Electronic Government
Payee Services, A Fee-for-Service Organizational Representative Payee for the
Social Security Administration (Limited Distribution)
(A-07-07-27150) September 24, 2007
Management Advisory Report: Third Parties Applying for Medicare Part D Low-Income
Subsidies on Behalf of Others (Limited Distribution) (A-08-07-27177) September
5, 2007
An Individual Representative Payee for the Social Security Administration in
the San Francisco Region (A-09-07-17063) July 3, 2007
Phase 6 of the Social Security Administration's Special Disability Workload
(A-13-07-27123) May 18, 2007
Kansas Department of Social and Rehabilitation Services, an Organizational Representative
Payee for the Social Security Administration (A-07-07-17045) March 23, 2007
Follow-up: Analysis of Information Concerning Representative Payee Misuse of
Beneficiaries' Payments (A-13-06-26097) January 18, 2007
Follow up on the Social Security Administration's Procedures to Identify Representative
Payees Who Are Deceased (A-01-06-16054) October 27, 2006
Appendix C
Office of the Inspector General Contacts
Walter Bayer, Director
Kim Byrd, Director
Cylinda McCloud-Keal, Director
Social Security Number Protection
Mark Bailey, Director
Management of the Disability Process
Rona Lawson, Director
Judith Oliveira, Director
Improper Payments and Recovery of Overpayments
Tim Nee, Director
Victoria Vetter, Director
Internal Control Environment and Performance Measures
Kitt Winter, Director Systems Security and Critical Infrastructure Protection
Jim Klein, Director
Shirley Todd, Director Service Delivery and Electronic Government
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-02-08-18061.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations
(OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General
(OCCIG), and Office of Resource Management (ORM). To ensure compliance with
policies and procedures, internal controls, and professional standards, we also
have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social
Security Administration's (SSA) programs and operations and makes recommendations
to ensure program objectives are achieved effectively and efficiently. Financial
audits assess whether SSA's financial statements fairly present SSA's financial
position, results of operations, and cash flow. Performance audits review the
economy, efficiency, and effectiveness of SSA's programs and operations. OA
also conducts short-term management and program evaluations and projects on
issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste,
abuse, and mismanagement in SSA programs and operations. This includes wrongdoing
by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as OIG liaison to the Department of
Justice on all matters relating to the investigations of SSA programs and personnel.
OI also conducts joint investigations with other Federal, State, and local law
enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Resource Management
ORM supports OIG by providing information resource management and systems security.
ORM also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, ORM is the focal point for OIG's strategic
planning function and the development and implementation of performance measures
required by the Government Performance and Results Act of 1993.