MEMORANDUM
Date: September 30, 2010 Refer To:
To: The Commissioner
From: Inspector General
Subject: Controls over Single Payment System Payments (A-02-09-29123)
The attached final report presents the results of our review. Our objective was to determine the effectiveness of controls over the release of Single Payment System payments.
Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.
/s/
Patrick P. O’Carroll, Jr.
Attachment
OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
CONTROLS OVER SINGLE PAYMENT SYSTEM PAYMENTS
September 2010 A-02-09-29123
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
OBJECTIVE
Our objective was to determine the effectiveness of controls over the release of Single Payment System (SPS) payments.
BACKGROUND
The Social Security Administration (SSA) administers the Old-Age, Survivors and Disability Insurance program under Title II of the Social Security Act. Before May 2002, SSA was unable to make certain Title II payments through its automated systems. For example, SSA used a manual payment process to make appointed representative fee payments, death underpayments to non-beneficiaries, and reissued Lump Sum Death payments. In May 2002, SSA created SPS to replace the manual payment process.
SPS requires that employees enter their personal identification number (PIN) to approve a payment. SPS payments above certain dollar amounts require expert or manager approval before issuance. In these situations, more than one employee PIN must be used to approve a payment in SPS. Payments up to $6,000 only require the originator’s PIN for processing. SPS payments over $6,000 to $49,999 require two unique PINs before releasing them—the originator’s PIN and a technical expert or team leader’s PIN. SPS payments of $50,000 or more require three PINs—the originator’s PIN, the expert or team leader’s PIN, and a manager’s PIN. SPS can only process payments below $100,000; payments of $100,000 or more to one individual are divided into two or more payments for processing so payments are under $100,000.
SSA’s Top Secret System controls and monitors who can access and change critical data in SSA’s systems, including SPS. The Top Secret System protects against accidental or intentional corruption, destruction, disclosure, or denial of access to data by individually tracking an employee’s access to SSA’s systems. It also stores the employee’s name, PIN, and position information.
SSA’s Audit Trail System (ATS) collects and maintains electronic transactions entered into the Agency’s programmatic systems including SPS payment transactions. ATS contains the daily collection of data each time an employee performs an auditable task or transaction and stores it in a record specific to that individual. ATS collects employee PIN data, Social Security numbers, and Title II benefit or income data.
During a meeting with staff in SSA’s New York Region, a case was discussed where SPS released a payment with the same PIN accepted more than once in a situation where three unique PINs should have been required. We initiated this audit to determine the extent of such cases and identify the weakness in SPS controls that allowed release of the payment without the required number of unique PINs.
To meet our objective, we performed data analysis of the over 2.5 million payments processed through SPS from May 2002 through February 2010. Our analysis identified 867 SPS payments in which the first PIN appeared to match either the second or third PIN recorded. From this population, we identified the payments actually released without proper PIN approval. Additionally, we reviewed a sample of 264 SPS payments requiring two or three PINs for approval to determine the appropriateness of the payments as well as whether the individual approving the payments was authorized to do so. See Appendix B for details of our scope and methodology.
RESULTS OF REVIEW
The controls over the release of SPS payments were generally effective, though some improvements were needed. We did not identify any improper payments in our sample; however, SSA released eight SPS payments of $50,000 or more, totaling $474,935, without approval by three unique PINs.
SPS PAYMENTS OF $50,000 OR MORE
While SSA processed all SPS payments under $50,000 with two required unique PINs, it released eight SPS payments of $50,000 or more without the required three unique PINs. SPS processed one payment even though the second PIN matched the final PIN. SSA informed us that SPS programming logic, which had been changed since the date of the payment we identified, did not allow the second and final PINs to match. SPS processed the other seven payments even though the third PIN was the same as the first PIN.
In all eight payments, there were intervening actions between when the payment was entered and when it was approved. Per SSA staff, three unique PINs must approve SPS payments of $50,000 or more after payment data are changed or payments are disapproved. In these cases, the disapprovals and/or changes to the record occurred before SSA released the payments. SPS read the PIN that originally established the payment as the first PIN and then released the payment based on the presence of two additional unique PINs, despite the disapprovals or changes that occurred between the first PIN and the other two PINs.
For example, SSA released a $60,848 payment approved by only two unique PINs in July 2008. An SSA employee initially established the payment in SPS on April 1, 2008. SSA staff disapproved the payment a number of times. On July 2, 2008, an SSA employee disapproved the payment and then, after further review, approved the payment—becoming the originating PIN for the payment. Another employee provided the second PIN. Once the second PIN was added, the same employee who provided the originating PIN provided the third PIN needed to release the payment.
In the above example, the employee who served as the first and third PINs could alter the payment amount, direct deposit information, and/or address information to reroute the payment when he or she approved the payment as the first PIN. Once this employee approved the $60,848 payment, SSA’s policies and procedures required that two other employees approve the payment as the second and third PINs because the payment exceeded the $50,000 threshold. In this case, the system allowed this employee to serve as the first and third PINs.
At our request, SSA reviewed the eight cases and confirmed that they were appropriate payments sent to the right individuals. SSA also confirmed that, although SPS released these eight payments with only two unique PINs, the system should have required three unique PINs before releasing the payments. We met with SSA systems staff in Headquarters and worked with them to identify the error in the programming logic that allowed the release of these payments. Although the error in programming logic that allowed a payment to be released with the same second and third PINs was previously corrected, a change in programming logic to prevent the first and third PINs from matching, as in the example above, is still required. SSA staff told us they are correcting the programming language to prevent SPS from accepting duplicate PINs in the future.
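The approval thresholds described in the Background and the first-and-third-PIN weakness described above can be modeled as follows. This is an added example, not SSA's code: the event model, the function names, and the PIN values are constructed assumptions, and the flawed check is only a simplified reading of the behavior the report describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    pin: str     # employee PIN recorded for the action (constructed values)
    action: str  # "establish", "approve", "disapprove" or "change"

def required_pins(amount):
    """Unique PINs the report says are needed for a payment of this size."""
    if amount <= 0 or amount >= 100_000:
        raise ValueError("SPS only processes payments below $100,000")
    if amount <= 6_000:
        return 1
    return 2 if amount < 50_000 else 3

def current_pins(events):
    """PINs recorded since the last disapproval or change (assumed model)."""
    pins = []
    for e in events:
        if e.action == "establish":
            pins = [e.pin]          # originator's PIN starts the chain
        elif e.action == "approve":
            pins.append(e.pin)
        else:
            pins = []               # disapprove/change voids earlier PINs
    return pins

def release_flawed(amount, events):
    """Reported behavior: the establishing PIN is still read as the first PIN."""
    need, pins = required_pins(amount), current_pins(events)
    if len(pins) < need:
        return False
    # Uniqueness is compared against the stale establisher, not the
    # employee who actually re-originated the payment after the reset.
    compared = [events[0].pin] + pins[1:need]
    return len(set(compared)) == need

def release_hardened(amount, events):
    """Count only unique PINs entered after the last intervening action."""
    return len(set(current_pins(events))) >= required_pins(amount)

def audit(payments):
    """Post-release review: ids of released payments lacking enough unique PINs."""
    return [pid for pid, amount, events in payments
            if not release_hardened(amount, events)]

# Constructed event log following the report's $60,848 example; the
# intermediate disapprover (PIN-D) is an assumption.
EXAMPLE = [
    Event("PIN-A", "establish"),
    Event("PIN-D", "disapprove"),
    Event("PIN-B", "disapprove"),
    Event("PIN-B", "approve"),     # becomes the originating PIN
    Event("PIN-C", "approve"),     # second PIN
    Event("PIN-B", "approve"),     # same employee supplies the third PIN
]

if __name__ == "__main__":
    print("flawed check releases:  ", release_flawed(60_848, EXAMPLE))
    print("hardened check releases:", release_hardened(60_848, EXAMPLE))
    print("flagged by review:      ", audit([("P1", 60_848, EXAMPLE)]))
```

The audit function corresponds to the kind of post-release test the second recommendation asks for: it re-derives the unique PIN count from the recorded events rather than trusting that the system enforced it.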
CENTERS FOR SECURITY AND INTEGRITY REVIEWS
Employees in SSA’s program service centers (PSC) process SPS payments. SSA has eight PSCs, six of which are located in the regions, and two are located at the Agency Headquarters in Baltimore, Maryland. SSA’s regional Centers for Security and Integrity (CSI) use the PSC Onsite Security Control and Audit Review (OSCAR) guide to review the effectiveness of management controls in the PSCs. Per OSCAR guidance, regional CSIs are required to review 100 percent of SPS payments of $50,000 or more for accuracy and managerial oversight. The PSC OSCAR guide requires that staff ensure SPS payments were timely, completed for authorized situations, and supported by appropriate documentation. The PSC OSCAR guide does not specifically require that CSI staff review whether the payment was authorized by the appropriate level of staff or the required number of PINs.
CSI does not review SPS payments originating from the two PSCs at Agency Headquarters. SPS payments originating from these two PSCs are reviewed before release by Payment Determination Analysts (PDA) in the Office of Central Operations. PDAs analyze and review SPS payments to detect actual or potential fraud or abuse and approve the payments. They follow the review procedures in the OSCAR guide before releasing payments.
Of the eight payments of $50,000 or more released by two unique PINs, a PDA reviewed and released seven, and a manager in a PSC released one that was later reviewed by CSI. While PDAs or CSI staff reviewed all eight payments according to OSCAR guidance, they did not detect that the payments were released without the prerequisite three unique PINs. In fact, the PDAs who released seven of the eight payments released the payments as the third PIN even though they had also signed the payments as the first PINs.
CONCLUSION AND RECOMMENDATIONS
While all the SPS payments we reviewed were for the right amount and paid to the right person, SSA released a few SPS payments that were inconsistent with the authorizations required under its policies and procedures. All payments requiring two PINs for approval had two unique PINs. However, SSA processed eight payments that required three unique employee PINs with only two unique PINs. Also, while SSA reported that the payments were reviewed according to OSCAR guidance, SSA staff conducting the reviews did not detect that the payments were not properly authorized prior to release.
Accordingly, we recommend that SSA:
1. Amend SPS controls to ensure three unique PINs are present before releasing payments for the situations similar to those we identified during our audit.
2. Revise PSC OSCAR instructions to require testing of the SPS system controls put in place in response to our first recommendation to ensure they are operating as intended.
AGENCY COMMENTS AND OIG RESPONSE
The Agency agreed with our recommendations (see Appendix C).
/s/
Patrick P. O’Carroll, Jr.
Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
ATS Audit Trail System
CSI Center for Security and Integrity
OIG Office of the Inspector General
OSCAR Onsite Security Control and Audit Review
PDA Payment Determination Analyst
PIN Personal Identification Number
POMS Program Operations Manual System
PSC Program Service Center
SPS Single Payment System
SSA Social Security Administration
U.S.C. United States Code
Appendix B
Scope and Methodology
Our objective was to determine the effectiveness of controls over the release of Single Payment System (SPS) payments. To accomplish our objective, we:
• Reviewed applicable sections of the Social Security Act and other relevant legislation as well as the Social Security Administration’s (SSA) regulations, rules, policies, and procedures.
• Obtained two data extracts from the Audit Trail System (ATS) of SPS payments from May 1, 2002 through February 28, 2010.
For the first extract, we identified 867 SPS payments from a population of 2,578,983 SPS payments made in which it appeared the first personal identification number (PIN) matched either the second or third PIN. SSA policy dictates two unique PINs are required for payments of $6,000 to $49,999, and three unique PINs are required for payments of $50,000 or more. Upon further review, we concluded that 450 of the 867 payments only required 1 PIN for approval, and 409 payments had the required 2 unique PINs. The manner in which the data were recorded in ATS gave the appearance that these payments had two matching PINs even though only one PIN was required or two unique PINs were present when required. We identified eight SPS payments that required three unique PINs but only contained two.
The second extract consisted of 10,470 SPS payments from 1 segment of the population of SPS payments that required 2 or 3 PINs. We split the extract into 2 populations: (1) 7,405 payments requiring 2 PINs and (2) 3,065 payments requiring 3 PINs.
• Reviewed a random sample of 50 payments from each of the 2 populations to determine whether authorized SSA employees approved the payments.
• Analyzed each of the two populations to determine whether any indicators of fraud were present. To identify potential fraud, we reviewed the total amount each individual was paid, reviewed direct deposit account data as well as the address to which the payments were sent.
• Reviewed an additional 43 payments in the 2-PIN approval process to 17 individuals to determine the accuracy of the payments. The payments reflected some of the highest paid individuals.
• Reviewed an additional 121 SPS payments in the 3-PIN approval process to 54 individuals to determine the accuracy of the payments. Each of these 54 individuals received an SPS payment totaling over $130,000.
• Reviewed the final PIN approvers to determine whether SSA employees processed an above average quantity of payments.
• Referred cases with matching PINs to SSA.
• Referred cases in which the approver appeared not to have the appropriate SPS approval authority to SSA.
• Concluded SSA’s Center for Security and Integrity data conducted 100-percent reviews of SPS payments of $50,000 or more, as required by SSA’s policy.
• Conducted SPS system validation tests with SSA Office of Systems’ employees to determine whether fewer PINs than required could process payments through SPS.
We performed our audit in the New York Audit Division between September 2009 and June 2010. We tested the data obtained for our audit and determined them to be sufficiently reliable to meet our objectives. The entities audited were the Division of Systems Security and Program Integrity, a component of the Office of Public Service and Operations Support, which is under the Deputy Commissioner for Operations, and the Office of Retirement and Survivors Insurance Systems under the Deputy Commissioner for Systems. We conducted our audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.
Appendix C
Agency Comments
MEMORANDUM
Date: September 23, 2010 Refer To: S1J-3
To: Patrick P. O'Carroll, Jr.
Inspector General
From: James A. Winn /s/
Executive Counselor to the Commissioner
Subject: Office of the Inspector General (OIG) Draft Report, "Controls Over Single Payment System Payments" (A-02-09-29123)--INFORMATION
Thank you for the opportunity to review the subject report. Please see our attached comments.
Please let me know if we can be of further assistance. Please direct staff inquiries to Rebecca Tothero, Acting Director, Audit Management and Liaison Staff, at extension 6-6975.
Attachment:
SSA Response
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, “CONTROLS OVER SINGLE PAYMENT SYSTEM (SPS) PAYMENTS”
(A-02-09-29123)
Thank you for the opportunity to review the subject report. You analyzed more than 2.5 million SPS payments we made over nearly eight years and found only eight instances with minor issues. You also drew a sample of 264 payments and did not identify any improper payments in your sample. Your findings confirm that we have strong internal controls over SPS activity and that we process SPS payments correctly.
You state in your conclusion that, “SSA released a few SPS payments that were inconsistent with the authorizations required under its policies and procedures.” In response, we have already taken action to correct those inconsistencies.
Recommendation 1
Amend SPS controls to ensure three unique PINs are present before releasing payments for the situations similar to those we identified during our audit.
Comment
We agree. On August 21, 2010, we modified the SPS software. In order to generate payment, SPS now requires three unique personal identification numbers for SPS payments greater than $49,999.99.
Recommendation 2
Revise PSC OSCAR instructions to require testing of the SPS system controls put in place in response to our first recommendation to ensure they are operating as intended.
Comment
We agree in principle with your recommendation. However, instead of testing the SPS system controls we will semiannually review a representative sample of SPS payments of $50,000 or more to make sure the system’s change is operating as intended.
Appendix D
OIG Contacts and Staff Acknowledgments
OIG Contacts
Tim Nee, Director, New York Audit Division
Christine Hauss, Audit Manager
Acknowledgments
In addition to those named above:
Raquel Tavera, Program Analyst
Rajula Chandran, Senior IT Specialist
For additional copies of this report, please visit our Website at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number A-02-09-29123.
DISTRIBUTION SCHEDULE
Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.