MEMORANDUM

Attached is a copy of our final report. Our objective was to evaluate the policies and procedures the Social Security Administration had in place to provide information to registered users of the Employee Verification Service.

Please comment within 60 days from the date of this memorandum on corrective action taken or planned on each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

James G. Huse, Jr.

THE SOCIAL SECURITY ADMINISTRATION'S

EMPLOYEE VERIFICATION SERVICE

AUDIT REPORT

Executive Summary

Our objective was to evaluate the policies and procedures the Social Security Administration (SSA) had in place to provide information to registered users of the Employee Verification Service (EVS).

Title II of the Social Security Act requires SSA to maintain records of wage amounts that employers pay to individuals. Employers report wages paid to employees to SSA at the conclusion of each tax year. Wages on those employer reports containing invalid names and/or Social Security numbers (SSN) cannot be posted to an individual’s earnings record. Instead, these wages are placed in the Earnings Suspense File—a repository for unmatched wages. Suspended wages can affect a worker's eligibility for and/or the amount of retirement, disability, or survivor benefits. In addition, when wage reports cannot be matched to the correct individual, both SSA and the employer incur additional administrative costs in their efforts to correct unmatched wage reports.

The purpose of the EVS program is to ensure that employees’ names and SSNs are valid before the employer's wage reports are submitted to SSA. The use of EVS is voluntary, and can assist employers in eliminating common SSN reporting errors. Employers who wish to verify 51 or more SSNs at one time are encouraged to register for the EVS program. There are approximately 7,400 registered employers in the EVS program—including about 260 third-party users who submit requests on behalf of their clients.

Employers who register for the EVS program must sign a Privacy Act Statement, certifying they will maintain the confidentiality of the EVS data. Once registered for EVS, SSA provides the employer a requester identification number to access the program. EVS requests can be submitted on magnetic media (tape, cartridge, or diskette) or paper. For each employee record to be verified through the registered user process, employers must submit three required elements: employee SSN, last name, and first name. Optional elements include the employee’s middle initial, date of birth, and/or gender.

While the number of employers registering with EVS has increased since 1997, overall, just 7,400 employers—less than 1 percent of all U. S. employers—are registered to use the Service. Furthermore, only 392 employers (5 percent of those registered) submitted data to SSA since 1999. Almost half of those who submitted data were from the retail industry. Also, 10 of the 392 employers were among the chronic problem employers identified in a previous audit, Patterns of Reporting Errors and Irregularities by 100 Employers with the Most Suspended Wage Items, September 1999. Finally, while the number of employers registered for EVS has increased over recent years, the rate of usage actually decreased during the same period.

Under EVS, SSA did not disclose pertinent information that could have assisted registered employers. Specifically, SSA did not inform employers when a submitted SSN belonged to a deceased individual or when the SSN was issued to the individual for nonwork purposes. However, in other situations, SSA disclosed corrected SSNs to employers. Such disclosure is contrary to SSA’s policies under other verification services the Agency offers. By not disclosing that SSNs belonged to deceased individuals or were issued for nonwork purposes, SSA is missing an opportunity to correct employee information before it is submitted to the Agency in wage reports. This lost opportunity may cause additional administrative costs to the Agency.

The EVS program for registered users lacked the applicant information and system controls necessary for SSA to properly monitor and evaluate the program. SSA neither obtained adequate information from registered users when they registered, nor verified the information provided. In addition, our review of a sample of application folders showed that information employers are required to provide was missing. Further, EVS electronic data submissions and verifications were only maintained for a short period—90 days. We do not believe this is sufficient to properly monitor the program. Finally, SSA had not established a protocol for determining whether registered users should continue to have access to EVS, even though some users had not submitted EVS requests in the last 16 years.

In a previous report, issued in January 2001, we recommended that SSA seek legislative authority to obtain the tools necessary to require chronic problem employers to use EVS. We still believe these tools are needed given the low number of the Top 100 chronic problem employers using EVS. In addition, to assist EVS users with their earnings records, safeguard SSA data, and improve the monitoring of EVS, we recommend that SSA:

• Modify EVS to detect SSNs for deceased individuals, provide appropriate notification to employers, and issue an alert for necessary action by SSA staff;

• Modify EVS to detect SSNs for individuals in nonwork status, provide appropriate notification to employers, and issue an alert for necessary action by SSA staff;

• Ensure EVS procedures for providing corrected SSNs to registered users are consistent with SSA's proposed SSNVS program;

• Update the application form to include (1) the SSN of the representative who signed the application; (2) the total number of employees in their workforce; and (3) the identification numbers of related subsidiaries as well as the number of their employees;

• Obtain signed privacy statements from all EVS users, including those users who applied for the service before 1993 and were not required to sign the statement;

• Archive EVS data for at least 3 years so user activity and trends can be monitored; and

• Establish an annual or periodic reapplication process where EVS registered users are reauthorized to use the service. This process can also be used to re-contact EVS registered users who have not used EVS in the last 3 years—particularly the Top 100 chronic problem employers—to encourage greater use of EVS.

SSA generally agreed with all of our recommendations. See Appendix C for SSA’s comments.

APPENDICES

Appendix A – Employee Verification Service Application Process and Associated Documents

Appendix B – Flowchart of Employee Verification Service

Appendix C – Agency Comments

Appendix D – OIG Contacts and Staff Acknowledgments

Acronyms

Introduction

Our objective was to evaluate the policies and procedures the Social Security Administration (SSA) had in place to provide information to registered users of the Employee Verification Service (EVS).

Title II of the Social Security Act requires SSA to maintain records of wage amounts employers pay to individuals. Employers report wages paid to employees to SSA at the conclusion of each tax year (TY). Wages on those employer reports containing invalid names and/or Social Security numbers (SSN) cannot be posted to an individual’s earnings record. Instead, these wages are placed in the Earnings Suspense File (ESF)—a repository for unmatched wages. Suspended wages can affect a worker's eligibility for and/or the amount of retirement, disability, or survivor benefits. In addition, when wage reports cannot be matched to the correct individual, both SSA and the employer incur additional administrative costs in their efforts to correct unmatched wage reports.

As of October 2001, the ESF contained over 227 million Wage and Tax Statements (W-2) and $327 billion in wages accrued between TYs 1937 and 1999 that could not be matched to individuals' earnings records. During TY 1999 alone, the ESF grew by 8.3 million W-2s and $39.4 billion in wages. Approximately 96 percent of the ESF wages relate to TYs 1970 through 1999.

The purpose of the EVS program is to ensure that employees’ names and SSNs are valid before the employers' W-2s are submitted to SSA. The use of EVS is voluntary and can assist employers in eliminating common SSN reporting errors. Depending upon the number of SSNs they want to verify at one time, employers can call an 800 number for 5 or fewer, or submit a paper request of up to 50 names directly to a SSA field office. Employers who wish to verify 51 or more SSNs at one time are encouraged to register for the EVS program. There are approximately 7,400 registered employers in the EVS program—including about 260 third-party users who submit requests on behalf of their clients.

Employers who register to use EVS must sign a Privacy Act Statement certifying they will maintain the confidentiality of the EVS data. Once registered to use EVS, SSA provides the employer a requester identification number to access the system. SSA's Office of Central Operations (OCO) also maintains a database of all registered EVS users on a stand-alone computer. EVS requests submitted on magnetic media (tape, cartridge, or diskette) are sent to OCO. Paper requests are sent to the Wilkes-Barre Data Operations Center (WBDOC).

For each record to be verified, employers must submit three required elements: employee SSN, last name, and first name. If one of the required elements is missing, the record is returned to the employer as "non-verified." The employer can also submit non-required elements, such as the employee's middle initial, date of birth, and/or gender. If submitted, this additional information can assist EVS in locating a correct SSN. For example, if the submitted SSN is incorrect, EVS will attempt to locate the correct SSN based on the individual’s name, date of birth, and gender.

For employers who submit their requests on magnetic media, EVS returns the original name and SSN that was submitted with a verification code next to each record. The code will be "blank" for records that match SSA's records. Table 1 provides a list and descriptions for EVS verification codes.

SSA's online Privacy Act Statement for employers, regarding non-matched records, states that, in part, "…EVS information does not imply that you or your employee intentionally provided incorrect information about the employee's name or SSN. It is not a basis, in and of itself, for you to take any adverse action against the employee." The statement also notes that employers should not use EVS as a pretext for taking an adverse action against an employee since this action may violate State or Federal law and be subject to legal consequences.

We have issued several reports in recent years that included EVS-related recommendations. In a 1999 report, we identified types of wage report errors submitted by 100 employers with the most suspended items over a 4-year period. In a related report, we reviewed the activity of one of these employers and noted that many of its wage-reporting errors in 1997—involving approximately $10.2 million in suspended wages—could have been prevented if the employer had used EVS before submitting the W-2s. This report recommended that SSA review program procedures to increase awareness of EVS among employers with large numbers of suspended wage reports and broaden employer participation in its SSN verification services.

In a 2001 report on SSN misuse, we reported on the causes of invalid SSNs submitted by employees in the agricultural industry. We recommended that SSA pursue legislation to provide the authority to impose mandatory EVS on chronic problem employers. This report stated that employers in the agricultural industry—which depend on seasonal or transient workers—were reluctant to use EVS for fear of not having enough workers at critical times in their operations. As a result, these employers did not want to know whether their employees were submitting invalid SSNs.

To meet our objective, we:

• Discussed the EVS program with SSA staff in the Division of Employer Services and the Office of Systems Development and Design.

• Met with the Employer Services Liaison Officer in Philadelphia.

• Visited a teleservice center and two field offices in SSA’s Region III.

• Reviewed a list of all EVS registered users, which included employers and third-party users.

• Obtained EVS detail information for employer usage during Calendar Years (CY) 1999 through 2001.

• Selected a sample of 50 EVS application folders for the 231 CY 1999 users to review the completeness of the mandatory documents. This number included 4 State agencies erroneously included with the employer data. None of these State agencies were among our 50 sample cases and our final count of 392 users during CYs 1999 through 2001 did not include these agencies. Hence, in this report, we refer only to the 227 employers.

• Submitted 400 SSNs to the EVS program, as if we were a registered employer. Our test data included (1) SSNs belonging to individuals who were deceased; (2) individuals who were listed as not eligible to work; and (3) modified SSNs with valid names and information.

• Obtained verification data for 15 employers who submitted 962,179 SSNs for verification to SSA in late 2001.

• Obtained W-2 reporting summaries from SSA's Employer Report Query to determine the volume of W-2s reported by specific employers.

• Reviewed the implementation plans for SSA's new Social Security Number Verification Service (SSNVS).

Our audit did not include a test of information systems to verify the completeness and accuracy of the EVS data SSA provided or the Employer Report Query data. The SSA entity responsible for the maintenance of EVS is OCO within the Office of the Deputy Commissioner of Operations. We performed our audit at SSA's Headquarters in Baltimore, Maryland, and the Office of Audit in Philadelphia, Pennsylvania, between October 2001 and March 2002. We conducted our review in accordance with generally accepted government auditing standards.

Results of Review

While the number of employers registered to use EVS has increased over the last 5 years, overall, just 7,400 employers—less than 1 percent of all U. S. employers—are registered to use the Service. Furthermore, only 5 percent of registered employers used EVS during CYs 1999 through 2001. Under EVS, SSA did not disclose pertinent information that could have assisted registered employers. Specifically, SSA verified submitted SSNs even when SSA’s records indicated the individuals were deceased or were issued nonwork SSNs. However, in other situations, SSA disclosed corrected SSNs to employers. Such disclosure is contrary to SSA’s policies under other verification services offered by the Agency. Finally, the EVS program for registered users lacked both the applicant information and system controls necessary for SSA to properly monitor and evaluate the program.

Of the approximately 6.5 million U.S. employers submitting W-2s to SSA, only about 7,400 have registered to use the EVS service since 1983. On average, about 200 users submitted SSNs annually. Of the total registered users, only 392 unique registered users (5 percent) submitted SSNs to EVS from CY 1999 through 2001. These 392 registered users submitted over 55 million SSNs for verification during this 3-year period or approximately 18 million annually. EVS verified, or confirmed that the submitted employee information was valid, for approximately 90.2 percent of the submissions in 2001.

Our review of EVS activity from CYs 1999 through 2001 showed that the top 20 users represented a broad array of industries. While these 20 users represented only 5 percent of the 392 users noted above, they represented 59 percent of the submissions during the 3-year period. Figure 1 shows the industries of the top 20 EVS users.

Our review of recent EVS activity indicated that the number of applications for EVS has increased significantly since CY 1997 (see Figure 2). However, when we reviewed user activity during CYs 1999 through 2001, we determined that users who applied before CY 1997 were twice as likely to submit employee data through EVS. Our analysis showed that about 11 percent of pre-1997 applicants used EVS in the past 3 years, compared to approximately 5 percent of the 1997 and later applicants.

We reviewed the EVS activity among CY 1999 applicants to determine usage trends. First, we determined that 94 percent of the CY 1999 applicants failed to use EVS even once during CYs 1999 through 2001. Of the 6 percent of CY 1999 applicants that used EVS during this period, we determined that 53 percent used it only once; 22 percent used it twice, and the remaining 25 percent used it all 3 years (see Figure 3). The CY 1999 applicant data alone indicates SSA has an untapped potential for EVS growth among current applicants. SSA staff could not explain this low usage rate.

Our review also determined that only 10 percent of the employers with the worst reporting records identified earlier by the Office of the Inspector General (OIG) used EVS in recent years. A review of CY 1999 through CY 2001 EVS activity showed that only 10 of the Top 100 chronic problem employers had ever used EVS for SSN verification. All 10 employers registered for EVS in 1997 or later. While these users were only 10 of 392 employers (3 percent) using EVS during the 3-year period, they submitted approximately 14 million of the 55 million SSNs (25 percent). Just 2 of these 10 users alone submitted more than 10 million SSNs from CY 1999 to CY 2001.

Based on our EVS test data, SSA did not disclose pertinent information to registered employers, such as an individual's death or nonwork status. By verifying employee information for individuals who should not be working according to Agency records, SSA missed an opportunity to assist the employer as well as reduce Agency administrative costs. Also, SSA disclosed corrected SSNs through EVS that would not be disclosed under other of SSA’s SSN verification services, such as employer inquiries at a SSA field office.

Our audit tests showed that the EVS program verified SSNs belonging to individuals who were deceased. EVS verified all 25 SSNs in our test data that belonged to deceased individuals. In addition, to determine whether employers submitted SSNs related to deceased individuals, we reviewed EVS submissions from 15 employers sent to SSA in late 2001. Of the SSNs submitted by these employers, 4,556 SSNs related to deceased individuals and 776 (17 percent) were verified by EVS. Verifying the name and SSN of a deceased individual could indicate to an employer that the employee’s name and SSN are valid for wage reporting purposes.

By verifying SSNs related to deceased individuals, SSA (1) did not assist the employer in correcting its records before submitting its W-2s and (2) missed an opportunity to avoid wage posting errors which will later result in additional Agency administrative costs. Wages related to a deceased individual are placed in the ESF. In addition, if the date of death is correct, SSA may have an early indication of fraudulent SSN usage. Conversely, if the date of death is incorrect, the employee will not know this until SSA later sends a notice to the employer to confirm the employee’s death.

Although SSA provides employers verification feedback on an incorrect date of birth or gender, it is silent on the matter of a death record. While the date of birth and gender are irrelevant for wage report purposes—since SSA matches wage records on name and SSN alone—the presence of death information on the Numident is relevant for wage reporting purposes. In a recent audit, we reported that in TY 1998 SSA received approximately 64,800 wage items related to individuals listed as deceased in Agency records. In such cases, SSA sends notices to employers and employees to verify these wages.

To better assist employers, SSA could modify EVS to detect such death information and develop an appropriate notification to employers. For example, SSA could add a verification code in EVS to instruct the employer to have the employee visit a local field office to validate his or her SSN. In this way, SSA would encourage better employer reporting while not disclosing the death information in its records to the employer. In addition, should the date of death be in error, the employee can correct SSA's records. Finally, SSA would be able to capture such verification problems for later alerts to SSA’s field offices, as appropriate.

Our audit tests showed that the EVS program verified SSNs issued to individuals for nonwork purposes. SSA issues SSNs to individuals who are not eligible to work. EVS verified all 25 SSNs in our test data that had been issued for nonwork purposes. In addition, the 15 employers noted above submitted for verification 8,172 SSNs that had been in nonwork status at one point in time. We determined that EVS verified 1,128 of these SSNs (14 percent) for individuals who were in nonwork status at the time of verification. Verifying to an employer that a nonwork SSN is valid could indicate the employee is eligible to work. Since SSA is the entity that issued the nonwork SSNs, verifying illegal employment is sending a mixed message, and SSA is missing an opportunity to enforce its own regulations.

As of August 1997, SSA had issued approximately 7 million nonwork SSNs. However, in recent years, the number being issued has declined as SSA has strengthened controls over the issuance of nonwork SSNs (Table 2). For example, in March 2002, SSA provided additional guidance to field offices limiting the reasons for issuing nonwork SSNs, such as specifically eliminating their issuance solely for a driver's license.

A recent OIG audit recommended enhanced controls over nonwork SSNs as well as greater coordination between SSA and other Federal agencies to discourage illegal employment. This audit noted data compatibility problems between SSA and the Immigration and Naturalization Service, which will need to be resolved to improve the information in both agencies' databases.

Similar to our observation above, SSA could better assist employers and employees by modifying EVS to detect nonwork status and develop an appropriate notification informing the employer of the nonwork status of the individual’s SSN. This would provide the employee an opportunity to correct SSA's records, in the event his or her work status has changed since the SSN was issued. In addition, SSA would be able to capture such verification problems for later alerts to SSA’s field offices, as appropriate.

Our audit tests showed that EVS disclosed to employers corrected SSNs related to submitted employee information. This practice of providing corrected SSNs is allowed under EVS but is restricted under other SSA verification procedures, and will also be restricted under SSA’s proposed SSNVS program.

EVS for registered users provided employers a corrected SSN if the submitted SSN contained a transposition error or if only one digit was incorrect. We assessed this process using test data and found simple SSN errors were checked and corrected. However, EVS did not correct SSNs with more extensive errors—such as two non-adjacent incorrect digits. During CYs 1999 through 2001, SSA provided EVS users with 232,000 corrected SSNs. Figure 4 shows the number of corrected SSNs disclosed to registered employers during each of these years.

While SSA’s policy allows the Agency to share employee SSNs with employers, SSA is careful how it shares this information and has restricted some of its verification procedures. For example, SSA's POMS restricts the release by telephone of employee SSNs to employers. Instructions to field office and teleservice center staff stated:

Only a positive verification of an employee's SSN may be given to an employer by telephone. The employer must provide the name, SSN, date of birth and sex. If the information matches, you can advise the employer that according to our records the SSN given was assigned to the name given…If the name and SSN do not appear to match, do not disclose this fact, but advise the employer to have the employee contact the nearest SSA field office.

In addition, even under EVS for registered users, SSA is only allowed to share this information for current employees, not prospective employees. Finally, EVS for registered users requests that the employer using the service sign a privacy statement, which restricts the use of the SSN information. However, as we discuss later in this report, SSA has neither monitored EVS usage nor determined whether the SSNs provided by employers in fact belonged to their employees. In addition, not all of the employers using EVS had signed the privacy statements.

SSA’s proposed SSNVS is expected to restrict the disclosure of corrected SSNs. In this regard, SSA has indicated that corrected SSNs will not be disclosed under the new online system under any circumstances. As a result, SSA may soon be offering two verification programs for registered employers with conflicting disclosure policies—one providing corrected SSNs and the other providing only positive verifications.

SSA's EVS for registered users lacked both the applicant information and system controls necessary for managers to properly monitor and evaluate the EVS program. Based on our review of a sample of files, SSA (1) did not obtain adequate information from employers at the time of registration; (2) could not provide all the required documentation for registered users; (3) did not verify the user-provided information; and (4) did not adequately archive user-submitted data. Finally, SSA had not established a protocol for determining whether registered users should continue to have access to EVS.

When registering for the EVS program, an employer must complete an EVS Registration Form, which requires an Employer Identification Number (EIN), the number of SSNs to be verified, the type of data files (tape, diskette, etc.) that will be submitted, and a signature of the employer or an authorized representative (see Appendix A, page A-2). Although this information is necessary, the application did not obtain from the user (1) the SSN of the representative who signed the application; (2) the total number of employees in the employer’s workforce; or (3) the identification numbers of related subsidiaries and the number of their employees.

This additional information could assist SSA in improving the program's internal controls and in monitoring EVS activity. For example, before the application's approval, SSA could verify the representative's name and SSN or verify that the representative actually works for the employer through earnings information already in SSA's records. Furthermore, obtaining the number of employees for the employer and any subsidiaries—in addition to the number of SSNs to be verified—could provide additional baseline information to monitor EVS usage. Although the number of employees could also be verified through W-2 data already in SSA's files, requesting this information in the application could be an additional control.

The EVS application form requests the applicant's EIN but does not specify that all EINs expected to be used in submissions should also be provided. While some users volunteered this information, it was not required. For example, a user could be verifying both the employees at a parent company as well as the employees at various subsidiaries. However, if SSA were to later attempt to associate the SSN submissions with its own earnings records, it would have difficulty monitoring these employers and determining whether EVS was improving the employer’s wage reporting. This is particularly a problem with third-party users with multiple EINs since they may have large and varied client bases.

SSA lacked complete documentation in one-third of the employer folders we reviewed. We randomly selected 50 application folders from among the 227 registered employers who used EVS in CY 1999. Employer folders should contain original EVS Registration Forms and/or company stationery providing the information requested in the registration form. The folders should also contain signed privacy statements showing the employer agreed to use EVS within prescribed parameters (Figure A-4 in Appendix A).

While SSA has some ability to monitor EVS usage, the Agency has not maintained sufficient data for long-term monitoring of EVS trends—particularly as they relate to specific employers. In a discussion with SSA staff, we were told SSA maintained the employer data for 3 months before purging it. While SSA creates and maintains management reports based on summary data, the underlying support for these reports was not available for later monitoring. By comparison, SSA is considering maintaining 7 years of data related to the proposed SSNVS program.

SSA's summary data can be used to track potential misuse of the EVS program. For example, SSA may want to determine whether a user submitted an excessive number of SSNs. In such a case, SSA could set a threshold on EVS submissions—such as 200 percent of prior year W-2s reported—and this information would be available in the Agency's management information system. Based on such a comparison among 50 sample users from CY 1999, six of the 50 users (12 percent) had in fact exceeded a 200-percent threshold. For instance, 1 user submitted 12,891 SSNs for verification during CY 1999, but submitted only 1,397 W-2s for the same period. This use far exceeded a 200-percent threshold, and could indicate employer misuse of the EVS program. For example, such an employer might have improperly verified SSNs of its customers, or the employer could be underreporting earnings. Nonetheless, SSA staff told us that such comparisons and monitoring were not performed. As a result, SSA was not aware that this employer was verifying SSNs far in excess of its reported workforce.

SSA could also develop other measures using current data to determine the effectiveness of EVS. For example, SSA could document the number of suspended wage items versus submitted wage items for the year before EVS usage. Once the employer starts using the service, SSA could then use the pre-EVS data as a baseline to determine whether the rate of items going into the ESF is declining. Currently, the lack of archived EVS data limits SSA's ability to perform additional reviews of EVS effectiveness. In addition, SSA cannot identify trends and track the activity of individual users, which becomes more important if SSA wants to monitor and determine the extent of abuse. In terms of effectiveness, the Agency may want to know whether SSNs that could not be verified under EVS were later corrected, or left in error and submitted by employers during their annual wage reporting. Left uncorrected, the W-2s with invalid SSNs would accumulate in the ESF.

In addition, although EVS summary data helps to identify trends and track the activity of individual users, the specific employer data becomes more important if SSA wants to understand the cause of any problematic trends. For example, summary data on EVS usage can detect high levels of unverified SSNs. In our review of CYs 1999 through 2001 EVS summary data, we found that a number of employers had unusually high rates of unverified SSNs. For example, we determined that 16 of the 227 employers (7 percent) who submitted SSNs during CY 1999 had an unverified SSN rate of 50 percent or higher. We could not determine whether the high rate was related to trouble with the EVS program or employer misuse. However, when we reviewed these 16 employers’ submissions during CYs 2000 and 2001, we found that 11 of the employers stopped submitting SSNs while the remaining 5 employers had unverified rates below 50 percent. Nonetheless, SSA would be in a better position to understand such trends if it maintained the supporting employer data for the SSNs submitted.

SSA had not established a protocol for determining whether registered users should continue to have access to EVS. Once an employer or third-party registered with EVS, they remained in the user database indefinitely. A review of the 7,400 registered users indicated some users submitted their initial EVS applications in 1983. Since their initial applications, these employers have not been asked to re-certify.

Re-certification of users would allow SSA to

• determine whether the applicant is still an authorized representative of the employer (which can be verified against the employer's payroll records);

• obtain the number of expected SSN submissions;

• assess whether the user is an employer or third-party user; and

• have users who registered before 1993 complete privacy statements.

In addition to assisting SSA with monitoring, such a re-certification process could be used to update the user database. Under such a process, a user should complete the necessary paperwork or be prohibited from submitting data to EVS. As we have already noted, more than 7,000 registered users did not use EVS during CYs 1999 through 2001.

Conclusions and Recommendations

SSA could do more to assist EVS users with their wage reporting. Specifically, SSA did not inform employers when a submitted SSN belonged to a deceased individual or when the SSN was issued to the individual for nonwork purposes. In addition, while the number of employers registered with EVS has increased over the last 5 years, overall, very few employers use the service, including those employers with the most reporting errors. Furthermore, SSA may soon be offering two verification programs for registered employers with conflicting disclosure policies—one providing corrected SSNs and the other providing only positive verifications. Finally, EVS for registered users lacked both the applicant information and system controls necessary for managers to properly monitor and evaluate the program. Since some of the user application information is more than 19 years old, more current data could also assist SSA with this monitoring.

In a previous report issued in January 2001, we recommended that SSA seek legislative authority to obtain the tools necessary to require chronic problem employers to use EVS. We still believe these tools are needed given the low number of the Top 100 chronic problem employers using EVS. In addition, to assist EVS users with their earnings records, safeguard SSA data, and improve the monitoring of EVS, we recommend that SSA:

1. Modify EVS to detect SSNs for deceased individuals, provide appropriate notification to employers, and issue an alert for necessary action by SSA staff;
   
   
2. Modify EVS to detect SSNs for individuals in nonwork status, provide appropriate notification to employers, and issue an alert for necessary action by SSA staff;
   
   
3. Ensure EVS procedures for providing corrected SSNs to registered users are consistent with SSA's proposed SSNVS program;
   
   
4. Update the application form to include: (1) the SSN of the representative who signed the application; (2) the total number of employees in their workforce; and (3) the EINs of related subsidiaries as well as the number of their employees;
   
   
5. Obtain signed privacy statements from all EVS users, including those users who applied for the service prior to 1993 and were not required to sign the statement;
   
   
6. Archive EVS data for at least 3 years so user activity and trends can be monitored; and
   
   
7. Establish an annual or periodic reapplication process where EVS registered users are reauthorized to use the service. This process can also be used to recontact EVS registered users who have not utilized EVS in the last 3 years—particularly the Top 100 chronic problem employers—to encourage greater use of EVS.

SSA generally agreed with all of our recommendations. Specifically, SSA agreed to (1) modify EVS to detect individuals who are deceased or in nonwork status; (2) ensure that all its SSN verification programs are consistent with respect to the type of information provided to employers; (3) obtain the SSN of the representative who signed the EVS application; (4) obtain privacy statements from EVS users who registered before 1993 if they are current EVS users; (5) maintain EVS data for a longer period to monitor employer trends; and (6) establish a periodic reapplication process for EVS users. (See Appendix C for SSA’s comments.)

Appendices

Appendix A

Employee Verification Service Application Process and Associated Documents

2. Company Street Address, City, State, Zip Code (P.O. Box alone is not acceptable)

I understand that the Social Security Administration will verify Social Security numbers (SSN) solely to ensure that the records of my employees are correct for the purpose of my completing Internal Revenue Service Forms W-2 (Wage and Tax Statement).

I also understand that any information which I receive from records maintained by the Social Security Administration is governed by 5 USC § 552a(i) of the Federal Privacy Act. Under this Act, anyone who obtains this information under false pretenses, or uses it for a purpose other than that for which it was requested, may be punished by a fine or imprisonment or both.

Further, EVS information does not imply that you or your employee intentionally provided incorrect information about the employee's name or SSN. It is not a basis, in and of itself, for you to take any adverse action against the employee. EVS should only be used to verify workers currently employed. Company policy concerning the use of EVS should be applied consistently to all workers, e.g., if used for new hires, verify all new hires; if used to verify your database, verify the entire database. Any employer that uses the information SSA provides regarding name/SSN verification as a pretext for taking adverse action against an employee may violate State or Federal law and be subject to legal consequences.

Signature __________________________________ Date______________________

Name (Printed) _____________________________ Title ______________________

Figure A-4: Third-Party User Privacy Statement

The ____________________¹ certifies that it is authorized, under valid contracts with all outside employers of any individual for whom it will request Social Security number (SSN) verification, to handle annual wage reporting responsibilities with the Social Security Administration (SSA).

The ____________________¹ hereby acknowledges that it is authorized, under this agreement, to request SSN verification from SSA only for the purpose of handling annual wage reporting responsibilities for these employers. The ¹ understands that SSA agrees to verify SSNs solely to help ensure the accuracy of wage reporting.

The ____________________¹ also understands that information received from records maintained by SSA must be handled in accordance with the Privacy Act of 1974 (5 U.S.C. § 552a). Under the terms of this Act, anyone who knowingly and willfully requests or obtains from a Federal agency under false pretenses, any record concerning an individual or uses it for a purpose other than that for which it was requested, shall be subject to a criminal penalty (5 U.S.C. § 552a(i)(3)). Misuse of a SSN also is a violation of the Social Security Act (42 U.S.C. § 408).

Further, EVS information does not imply that you or your client intentionally provided incorrect information about the employee's name or SSN. It is not a basis, in and of itself, for your client to take any adverse action against an employee. EVS should only be used to verify workers currently employed. Your client's policy concerning the use of EVS should be applied consistently to all workers, e.g., if used for new hires, verify all new hires; if used to verify a client's database, verify the entire database. Any client/employer that uses the information SSA provides regarding name/SSN verification as a pretext for taking adverse action against an employee may violate State or Federal law and be subject to legal consequences.

Signature __________________________________ Date______________________

Name (Printed) _____________________________ Title ______________________

^1/ Enter Your Company's Name

Flowchart of Employee Verification Service

Agency Comments

We appreciate the OIG’s effort in conducting this review. Our comments on the draft report content and recommendations are attached.

Staff questions may be referred to Laura Bell on extension 5-2636.

SSA Response

Appendix D

OIG Contacts and Staff Acknowledgments

In addition to those named above:

Lou Faiola, Auditor-in-Charge
Kevin Joyce, Auditor
Charles Zaepfel, Computer Specialist