A-03-06-15036 - Alternate Format

MEMORANDUM

Date: September 4, 2007

To: The Commissioner

From: Inspector General

Subject: Controls Over Employee Verification Programs (A-03-06-15036)

The attached final report presents the results of our audit. Our objectives were to assess the controls over each employee verification program and identify best practices.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

CONTROLS OVER EMPLOYEE
VERIFICATION PROGRAMS

September 2007

A-03-06-15036

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

Executive Summary
OBJECTIVE

Our objectives were to assess the controls over each employee verification program and identify best practices.

BACKGROUND

To assist employers with accurate wage reporting, the Social Security Administration (SSA) has implemented several voluntary verification programs that allow employers to verify that the names and Social Security numbers (SSN) of existing and newly-hired employees match the Agency's records prior to submitting their wage reports to SSA. These verification programs include the Employee Verification Service (EVS) Telephone/Fax, EVS for Registered Users, and the Social Security Number Verification Service (SSNVS).

SSA also participates in a joint initiative with the Department of Homeland Security (DHS), the Employment Eligibility Verification System (EEVS), formerly known as the Basic Pilot. EEVS assists employers in verifying the employment eligibility of newly-hired employees. Participating employers register on-line with DHS to use the voluntary system. The information the employer submits to DHS is sent to SSA to verify the name, SSN, and date of birth (DoB) match SSA's records. SSA also provides DHS with U.S. citizenship information, as recorded in SSA records. When SSA records indicate U.S. citizenship and the employee has alleged U.S. citizenship, employment authorization is confirmed. DHS confirms the current employment-authorization for non-citizens.

RESULTS OF REVIEW

We found SSA could establish more effective controls over access to EVS Telephone/Fax and EVS for Registered Users. In addition, access controls over DHS' EEVS could be improved. For example, none of these verification programs required verification of a user's identity or authorization to use the verification programs on behalf of his/her employer. Only SSA's SSNVS had adequate access controls. In addition, we learned the feedback responses provided to employers were not consistent among the verification programs for (1) name and SSN matches, (2) death indicator responses, (3) corrected SSNs, and/or (4) work authorization status. For instance, an employer could submit the same name and SSN for verification and the data could be verified under the DHS' EEVS but fail verification under SSNVS. Finally, we found that both EVS programs and DHS' EEVS lack effective controls related to monitoring employers' usage of the programs and/or blocking unauthorized and inactive users from gaining access to the verification programs. Due to the vulnerabilities and inconsistencies we found among the verification programs, SSA's data could be susceptible to unauthorized access as well as inadvertent disclosure of personally identifiable information (PII) to unauthorized users.

Description
of Controls EVS Telephone/Fax EVS
Registered Users SSNVS EEVS
ERSC1 Teleservice Center
Access Controls
Verifies user's Identity No No No Yes No
Validates user's authority to use the program on behalf of his/her employer No No No Yes No
Verification Feedback
Uses name matching software N/A N/A No No Yes
Provides a death indicator response No Yes2 Yes Yes Yes2
Verifies information without providing corrected SSN N/A N/A No Yes Yes
Verifies work authorization status No Yes3 No No Yes
Monitoring Controls
Monitor employers usage No No No Yes No4
Blocks unauthorized use Yes5 No No Yes No
Deactivates inactive users N/A N/A No Yes No
Note 1: Within SSA, two components are primarily responsible for conducting the verifications by telephone-Teleservice Centers and the Employer Reporting Service Center (ERSC).
Note 2: While the program did not specifically note that the Agency's records showed a death, the program would not verify any data related to an individual shown as deceased in the Agency's records.
Note 3: While the program did not specifically note that the Agency's records showed the individual was unauthorized to work, the program would not verify any record related to an individual recorded as unauthorized to work in the Agency's records.
Note 4: DHS is developing this capacity.
Note 5: Although the ERSC cannot block incoming telephone calls, it maintains a list of problem employers on a "Do Not Verify" list to restrict further verification.

CONCLUSION AND RECOMMENDATIONS

We believe that providing employers with tools to verify the names/SSNs of their employees is crucial for accurate wage reporting. DHS' EEVS also helps ensure compliance with immigration laws by providing information on employee's work authorization. However, both SSA and DHS need to make certain that adequate security measures are in place to prevent and detect unauthorized or inappropriate access to the verification programs and SSA data. Furthermore, the two agencies need to ensure feedback responses provided to users of the verification programs are consistent to avoid skepticism about these programs and data and to prevent inadvertent disclosure of PII to unauthorized users.

To address the findings in this report, we recommend SSA:

1. Consider combining the EVS Telephone/Fax and EVS for Registered Users under SSNVS to ensure access and monitoring controls are in place to protect the program, safeguard data, prevent unauthorized access, and provide consistent information to employers.

2. Ensure that feedback responses provided to employers for the four verification programs are consistent as it relates to (a) name/SSN matches and (b) death indicator responses.

If the Agency determines that is not feasible to combine its employee verifications under the SSNVS umbrella, we have made a series of recommendations on what the Agency should do:

3. Implement procedures to verify the identity and authority for individuals to use EVS Telephone/Fax and EVS for Registered Users to ensure proper disclosure of verification data.

4. Discontinue the disclosure of corrected SSNs via the paper process under EVS for Registered Users.

5. Consider modifying all verification programs to detect SSNs for individuals in non-work status, provide employers with notification, and instruct employers to have their employees visit a field office to update the employee's record.

6. Establish monitoring controls for EVS Telephone/Fax and EVS for Registered Users that is consistent with SSNVS to detect potential misuse of the verification programs.

7. Develop procedures to block unauthorized users from gaining access to SSA's verifications programs. Ensure that unauthorized user information is shared among the verification programs to prevent further access to SSA data.

8. Establish a protocol to remove inactive users from the list of valid users for EVS for Registered Users until their identity and authorization to use the verification program has been verified and updated.

AGENCY COMMENTS

SSA agreed with all but one of our recommendations. In response to Recommendation 5, SSA stated that it believed that work authorization was DHS' responsibility and should be handled through DHS' EEVS process. Further, the Agency stated that although current disclosure policy would allow work authorization information to be provided to employers based on their wage reporting responsibilities, this information may not be current in SSA's Numident records. See Appendix F for the full text of SSA's comments.

OIG RESPONSE

In terms of Recommendation 5, we believe SSA should reconsider this recommendation because the Agency has a significant role in the workplace by (1) issuing Social Security cards with work authorization designations to assist employers when they hire new employees and (2) assisting DHS with EEVS to verify the identity and work authorization of new employees.

Since SSA's employee verification programs are more comprehensive than EEVS in that SSA verifies the identity of new and existing employees (i.e. SSNVS), we believe SSA is in a good position to assist with work authorization as well. Even if SSA's Numident records are out of date, two positive outcomes are possible if SSA verifies an employee's work authorization: (1) unauthorized workers are identified or (2) the employee's information is updated in SSA's records.

Currently, non-citizens with outdated information in SSA's systems are most likely unaware that their information is being reported to DHS as part of SSA's legal requirement to share such data with DHS for worksite enforcement. Moreover, these non-citizens will not be eligible for SSA benefits until their work authorization information has been corrected.

In terms of workloads, even if work authorization notifications to employers lead to additional workloads in the short-term, we believe this data-sharing will (1) improve the accuracy and integrity of SSA records and (2) reduce the number of nonwork SSNs shared with DHS in subsequent years, allowing DHS to better focus its resources. In addition, the earlier notifications could lessen field office workloads by reducing the number of "SSA tentative non-confirmations" under EEVS and eliminating the need for staff to verify the existence of a work-authorized SSN for non-citizens applying for SSA benefits.

Table of Contents
Page
INTRODUCTION 1
RESULTS OF REVIEW 3
Access Controls 3
Verification of User's Identity 3
Validation of User's Authorization to Represent Employer 4
Verification Feedback 5
Name Matching Software 6
Death Information 6
Corrected SSNs 7
Verifying Work Authorization Status 8
Monitoring Controls 9
Monitoring Usage 9
Blocking Unauthorized or Inactive Users 11
CONCLUSIONS AND RECOMMENDATIONS 13

APPENDICES
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Employee Verification Service
APPENDIX D - Social Security Number Verification Service
APPENDIX E - Employee Eligibility Verification System
APPENDIX F - Agency Comments
APPENDIX G - OIG Contacts and Staff Acknowledgments

Introduction
OBJECTIVE
Our objectives were to assess the controls over each employee verification program and identify best practices.

BACKGROUND

EVS Telephone/Fax is a voluntary program where employers can verify up to 5 employees' names/SSNs by calling SSA's toll-free numbers and up to 50 names/SSNs by submitting paper listings to SSA offices.

EVS for Registered Users is a voluntary electronic verification program established in the early 1980s. Under this program, employers can verify 51 or more employees' names/SSNs by submitting paper or magnetic media listings (tape, cartridge, compact disk, or diskette).

SSNVS is a voluntary on-line program that allows employers to validate the names/SSNs of employees. Established in 2002 as a pilot restricted to a limited number of employers, the program was rolled out to all employers in June 2005.

For SSNVS, employers can either verify up to 10 names/SSNs (per screen) on-line, and receive immediate results, or upload batch files of up to 250,000 names/SSNs and usually receive results the next Government business day.

A comparison of the four verification programs is shown in the following table.

Table 1: Comparison of Verification Programs
Characteristics EVS SSNVS EEVS
Telephone/
Fax Registered Users
Date Established 1983 1983 2002 1997
Registered employers as of 20061 Not available2 16,600 13,400 12,000
Verifications as of 20063 Not available2 31.5 million 49 million 1.7 million
Type of Employees Verified All
Employees All
Employees All
Employees
Newly-Hired
Purpose of Verification Program Ensure Accurate Wage Reporting Ensure Accurate Wage Reporting Ensure Accurate Wage Reporting Verify Work Authorization
Note 1: Employers can have multiple users registered to use the verification programs on their behalf.
Note 2: This data was unavailable because SSA does not capture employer and verification data for the EVS Telephone/Fax service.
Note 3: The verification data for the programs covered two different periods since SSA captures EVS and SSNVS data by Calendar Year (CY) and DHS captures the EEVS data by Fiscal Year.

Results of Review
We found SSA could establish more effective controls over access to EVS Telephone/Fax and EVS for Registered Users. In addition, access controls over DHS' EEVS could be improved. For example, none of these verification programs required verification of a user's identity or authorization to use the verification programs on behalf of his/her employer. Only SSA's SSNVS had adequate access controls. In addition, we learned the feedback responses provided to employers were not consistent among the verification programs for (1) name and SSN matches, (2) death indicator responses, (3) corrected SSNs, and/or (4) work authorization status. For instance, an employer could submit the same name and SSN for verification and the data could be verified under the DHS' EEVS but fail verification under SSNVS. Finally, we found that both EVS programs and DHS' EEVS lack effective controls related to monitoring employers' usage of the programs and/or blocking unauthorized and inactive users from gaining access to the verification programs. Due to the vulnerabilities and inconsistencies we found among the verification programs, SSA's data could be susceptible to unauthorized access as well as inadvertent disclosure of personally identifiable information (PII) to unauthorized users.

ACCESS CONTROLS

Although our review found that SSA had established controls over access to SSNVS, we found access controls for EVS Telephone/Fax, EVS for Registered Users, and DHS' EEVS needed to be improved. As illustrated in Table 2, our review found these three programs granted users access without verifying the users' identity or authority to use the verification programs.

Table 2: Access Controls
Description
of Controls EVS Telephone/Fax EVS
Registered Users SSNVS EEVS
ERSC Teleservice Center
Verifies user's identity No No No Yes No
Validates user's authority to use the program on behalf of his/her employer No No No Yes No

Verification of User's Identity

As we reported in our September 2006 congressional audit report, the SSNVS program had a mechanism in place to verify a user's identity prior to providing them access to the verification program. SSA authenticates the user's identity by verifying his or her name, SSN, and DoB against SSA's Numident file. However, we found users of EVS Telephone/Fax, EVS for Registered Users, and EEVS were allowed access to these programs and SSA data without obtaining and/or verifying their identities. Both EVS for Registered Users and EEVS did not require users to provide their SSNs or DoBs during the application process for authentication. Moreover, EVS Telephone/Fax did not require users to provide any identifying information (i.e. name, SSN, or DoB) prior to gaining access to SSA data.

According to SSA staff, the EVS programs were established many years ago to facilitate easy and accurate wage reporting for employers. Therefore, a user authentication step was not built into these older services. As for EEVS, we noted in our prior audit report, DHS staff would need to work with SSA and/or the IRS to obtain access to earnings records and Numident information to implement controls to verify a user's identity.

Validation of User's Authorization to Represent Employer

We found that as part of the SSNVS application process, SSA verified whether users had authorization from employers to use the verification program. However, this procedure or something similar was not performed for the remaining three verification programs. Under SSNVS, SSA verified the user's authorization by (1) searching the Master Earnings File (MEF) to determine whether wages were posted under the employer's Employer Identification Number (EIN) and (2) sending a letter to the employer notifying it that their employee had requested access to SSNVS on their behalf. To ensure the employer was aware what employee requested access to SSNVS on their behalf, SSA sent the letter to the employer's address shown in the Employer Identification File (EIF) and not the address provided by the user during the application process. SSA did not require authenticating users' authorization to use the two EVS programs because, as stated earlier, these older employer verification programs were established to facilitate easy and accurate wage reporting for employers. DHS was unable to perform the same level of verification for EEVS because it did not have access to earnings records such as the MEF or EIF. DHS staff noted they would need to work with SSA and/or the IRS to obtain access to earnings records to perform a similar verification.

We believe both agencies need to establish procedures to verify whether users have authorization to use the verification programs to decrease the risk that users may be accessing the verification programs for non-employment purposes. For example, a user could misuse EVS for Registered Users to verify the identity of an individual who is not an employee of the company and avoid paying SSA a fee for a non-program related verification.

VERIFICATION FEEDBACK

Our review determined that feedback responses provided to employers were not always consistent among the programs for (1) name and SSN matches, (2) death indicator responses, (3) corrected SSNs, and (4) work authorization status (see Table 3). For example, an employer could submit the same name and SSN for verification and the data could be verified under EEVS but fail verification under SSNVS. The inconsistent response would occur because SSA used an additional name matching routine as part of the EEVS validation process.

Table 3: Verification Feedback
Description of
Feedback EVS Telephone/Fax EVS Registered Users SSNVS EEVS
ERSC Teleservice Center
Uses name matching software N/A N/A No No Yes
Provides a death indicator response No Yes1 Yes Yes Yes1
Verifies information without providing corrected SSN N/A N/A No Yes Yes
Verifies work authorization status No Yes2 No No Yes

Note 1: While the program did not specifically note that the Agency's records showed a death, the program will not verify any data related to an individual shown as deceased in the Agency's records.

Note 2: While the program did not specifically note that the Agency's records showed the individual was unauthorized to work, the program would not verify any record related to an individual recorded as unauthorized to work in the Agency's records.

Name Matching Software

We found that the SSA and DHS programs were using different name matching routines for the electronic verification programs, which could result in inconsistent responses to employers. DHS' EEVS used a name matching software package as part of the validation that was not being used as part of EVS for Registered Users or SSNVS. When we compared feedback from EEVS and SSNVS, we found instances where employers could receive inconsistent feedback responses for the same data submitted. For example, we reviewed a case where an employer used EEVS to verify the name, SSN, and work authorization of a newly-hired employee and received a positive verification response. At the end of the year, this employer submitted its entire payroll for verification to SSNVS, which is encouraged by SSA, and the employee's name/SSN failed verification. The employer was perplexed as to why the same data did not verify under both programs. Based on our review of the two responses, we found that the employer provided a correct name and the positive verification response provided under EEVS was valid.

According to SSA staff, the Agency used the commercial software package to increase the number of positive verification responses provided under EEVS. SSA decided not to use the software package for EVS and SSNVS because it wanted to have a more stringent name/SSN verification routine to help ensure accurate wage reporting. SSA staff were unable to provide any data on the reliability of the name-matching software. We believe the verification responses should be consistent among the verification programs to avoid providing employers with false positive or false negative verification responses.

Death Information

Although we found all four verification programs detected death information during the verification process, the responses provided to employers differed among the programs. For SSNVS and EVS for Registered Users, SSA notified employers that the name/SSN combination had been verified but SSA's records indicated that the individual was deceased. EVS Telephone/Fax and EEVS did not disclose whether individuals were deceased. Under EVS Telephone/Fax, the response provided when a date of death was present on the numberholder's record varied depending on which component within SSA conducted the verification. If staff in the ERSC conducted the verification, employers were told the name/SSN combination matched SSA records and the date of death was ignored. However, if staff in the Teleservice Centers conducted the verification, employers were instructed to ask their employee to contact SSA to verify their SSN or to correct identifying information on SSA's records. Under EEVS, employers were provided a SSA tentative non-confirmation response that stated the SSN did not match SSA records.

SSA was required by the Intelligence Reform and Terrorism Prevention Act of 2004 to add death indicators to the SSN verification systems used by employers. To ensure the Agency has fully complied with this law, SSA needs to make every effort to provide employers using the EVS Telephone/Fax service with a death indicator consistent with the other verification programs. Failure to do so could cause unintended consequences, such as an employer relying on SSA's positive verification response for an individual who is actually deceased and unknowingly hiring someone who may have misused a deceased person's identity.

Corrected SSNs

Our review found EVS for Registered Users was the only electronic verification program that disclosed the corrected SSN to employers if the submitted SSN was incorrect. This correction process, called Single Select, was designed to resolve situations when the SSN did not verify because of transcription or keying errors where one digit was transposed with another or one number was simply incorrect. In a September 2003 report, SSA's Enumeration Response Team stated that the value of Single Select was that it increased the verification rate of EVS for Registered Users by about 2 percent.

In the same report, the Enumeration Response Team acknowledged that SSA's policy to use Single Select was inconsistent among its verification programs for employers. When SSNVS and EEVS were implemented, SSA decided not to use Single Select because of the Agency's apprehension to disclose SSNs to the public. The disclosure of corrected SSN should be significantly reduced in FY 2008 since SSA will no longer accept verification requests submitted by magnetic media for EVS for Registered Users. However, at the time of our review, the Agency had no plans to discontinue the disclosure of corrected SSNs via Single Select for verification requests submitted by paper to the WBDOC. We believe the Agency should discontinue the disclosure of corrected SSNs to ensure they are consistent with respect to the type of information provided to employers through its verification programs.
Verifying Work Authorization Status

DHS' EEVS program notified employers about the work authorization status of newly-hired employees, which is the overall goal of the program. However, we found that SSA's verification response varied based upon the service being used by the employer. For SSNVS and EVS for Registered Users, SSA would verify an individual's name/SSN combination even if the individual's record showed he/she was not eligible to work in the United States. Moreover, the feedback responses for work eligibility under EVS Telephone/Fax differed depending on which component conducted the verification. If the ERSC conducted the verification, then the employer was notified that the name/SSN combination had been verified and the work status was ignored. However, if the Teleservice Center conducted the verification, and SSA's records showed an individual was not authorized to work, the information was not verified, and the employer was instructed to have their employee visit a local field office.

In our September 2002 report, we recommended SSA modify its EVS program to detect SSNs for individuals in non-work status, provide appropriate notification to employers, and issue an alert for necessary action by SSA staff. The Agency decided not to implement the recommendation because (1) it did not believe the immigration/ citizenship status for non-citizens was reliable and (2) only DHS could determine the current work authorization status for non-citizens. Prior audit work has confirmed that SSA's information can be out-of-date if the SSN owner fails to notify the Agency of a change in their immigration status. For instance, in our June 2006 audit, we noted that based on our review of a sample of 275 noncitizens who worked under non-work SSNs in Tax Year (TY) 2003, it appeared 101 (37 percent) had work authorization. However, SSA's records had not been updated to reflect a change in these individuals' work status.

To update SSA records, non-citizens must visit a local field office to provide evidence of their current citizenship/work authorization status. In the case of employee verification, an employer's inability to obtain positive verification due to out-of-date information may lead to a small delay in the verification process, but it would lead to a correction of

SSA's records and may eventually benefit the employee at a later date. We still believe SSA should modify its verification programs to detect SSNs for individuals in non-work status and then instruct employers to have their employees visit a field office to update the employee's record.

MONITORING CONTROLS

We found that both EVS programs and DHS' EEVS lack effective controls related to monitoring employers' usage of the programs and/or blocking unauthorized and inactive users from gaining access to the verification programs (see Table 4). In contrast, SSNVS had adequate controls in place to detect unauthorized users and anomalies in their usage of the verification program.

Table 4: Monitoring Controls
Description of Control EVS Telephone/Fax EVS Registered Users SSNVS EEVS
ERSC Teleservice Center
Monitor employers usage No No No Yes No1
Blocks unauthorized use Yes2 No No Yes No
Deactivates inactive users N/A N/A No Yes No
Note 1: DHS is developing this capacity.
Note 2: Although the ERSC cannot block incoming telephone calls, it maintains a list of problem employers on a "Do Not Verify" list to restrict further verification.

Monitoring Usage

The SSNVS process (1) identifies users who improperly search for valid name/SSN combinations and (2) verifies whether the employee names and SSNs submitted for verification relate to wages recorded in SSA's MEF. Furthermore, DHS was in the process of implementing new monitoring controls for EEVS. The Deputy Director for U.S. Citizenship and Immigration Service (USCIS), stated in an April 2007 hearing before the Subcommittee on Immigration, Citizenship, Refugees, Border Security and International Law of the Committee on the Judiciary, House of Representatives, 110th Congress, that USCIS was establishing a monitoring and compliance unit to help detect unauthorized employment, to prevent verification-related discrimination or employer misuse of the program, and to detect identity and document fraud. The unit would be responsible for monitoring the employers' use of the system and conducting trend analysis to detect potential fraud and discrimination.

Through discussions with SSA staff, we found SSA did not have a system in place to monitor employers' usage of the two EVS verification programs to detect anomalies or inappropriate use of the programs. The Agency was not generating management information reports to identify employers who may have been improperly verifying names and SSNs or tracking usage trends among employers.

In addition, we found none of the verification programs were monitoring whether multiple employers were verifying the same SSN. Moreover, we found that none of the verification programs could detect the misuse of a valid name/SSN combination (e.g. identity theft). At a congressional hearing on July 25, 2006, the Associate Director of USCIS noted that this was problem for the EEVS program. Specifically, she stated the following:

The current Basic Pilot is not fraud proof and was not designed to detect identity fraud. In fact, a recent analysis of Basic Pilot systems data found multiple uses of certain I-94 numbers, A-numbers, and SSNs in patterns that could suggest fraud…Findings concerning potential fraud (e.g., SSNs being run multiple times in improbable patterns, employers not indicating what action they took after receiving a final nonconfirmation) will be referred to ICE Worksite Enforcement investigators.

Blocking Unauthorized or Inactive Users

In our review, we found that three of the four verification programs did not have a mechanism in place to block unauthorized and/or inactive users from gaining access to the verification programs. If SSA or DHS had determined that a user inappropriately used EVS for Registered Users or EEVS, the two agencies did not have a system in place to deactivate the user's access to the verifications programs. Additionally, SSA and DHS did not have a process in place to prevent inactive users from gaining access to EVS for Registered Users or EEVS. For example, there were 12 users that were granted access to this program in the 1980s and none of the users submitted verifications requests within FYs 2002 to 2005. Yet, SSA still considers them as valid users and anyone could submit verification requests under their PINs. To ensure appropriate use of its services and data, we believe SSA should consider removing inactive users from its list of valid users until the Agency has verified their identity and authorization to use the verification program.

Moreover, although our review found both EVS Telephone/Fax and SSNVS had a process in place that deactivated users' access to the verification programs for inappropriate use, this data was not shared among the verification programs. Therefore, known program abusers identified under these programs had the ability to gain access to the other verification programs without the risk of being detected. For example, the ERSC maintained a log called the "Do Not Verify" list to prevent access by companies that had misused the EVS Telephone/Fax service. However, ERSC does not block incoming calls. Instead, SSA staff were expected to review this listing when they received a call and refuse to verify information for listed employers. Moreover, if a listed employer called the Teleservice Center later that day to verify information, SSA staff would have no reason not to provide verification services.

Conclusions and Recommendations
We believe that providing employers with tools to verify the names/SSNs of their employees is crucial for accurate wage reporting. DHS' EEVS also helps ensure compliance with immigration laws by providing information on employee's work authorization. However, both SSA and DHS need to make certain that adequate security measures are in place to prevent and detect unauthorized or inappropriate access to the verification programs and SSA data. Furthermore, the two agencies need to make sure that feedback responses provided to users of the verification programs are consistent to avoid skepticism about SSA programs and data and to prevent inadvertent disclosure of PII to unauthorized users.

RECOMMENDATIONS

To address the findings in this report, we recommend SSA:

1. Consider combining the EVS telephone/fax and EVS for Registered Users under SSNVS to ensure access and monitoring controls are in place to protect the program, safeguard data, prevent unauthorized access, and provide consistent information to employers.

2. Ensure feedback responses provided to employers for the four verification programs are consistent as it relates to (a) name/SSN matches and (b) death indicator responses.

If the Agency determines that is not feasible to combine its employee verifications under the SSNVS umbrella, we have made a series of additional recommendations:

3. Implement procedures to verify identity and authority for individuals to use EVS Telephone/Fax and EVS for Registered Users to ensure proper disclosure of verification data.

4. Discontinue the disclosure of corrected SSNs via the paper process under EVS for Registered Users.

5. Consider modifying all SSA verification programs to detect SSNs for individuals in non-work status, provide employers with notification, and instruct employers to have their employees visit a field office to update the employee's record.

6. Establish monitoring controls for EVS Telephone/Fax and EVS for Registered Users that is consistent with SSNVS to detect potential misuse of the verification programs.

AGENCY COMMENTS

OIG RESPONSE

Appendix A
Acronyms
BSO Business Service Online
CY Calendar Year
DHS Department of Homeland Security
DoB Date of Birth
EEVS Employment Eligibility Verification System
EIF Employer Identification File
EIN Employer Identification Number
ERSC Employer Reporting Service Center
EVS Employee Verification Service
FO Field Office
FY Fiscal Year
IRS Internal Revenue Service
MEF Master Earnings File
OIG Office of the Inspector General
PII Personally Identifiable Information
PIN Personal Identification Number
POMS Program Operations Manual System
SSA Social Security Administration
SSN Social Security Number
SSNVS Social Security Number Verification Service
TY Tax Year
TSCOG Teleservice Center Operating Guide
USCIS U.S. Citizenship and Immigration Service
WBDOC Wilkes-Barre Data Operations Center
Forms
Form I-9 Employment Eligibility Verification Form
Form I-94 Arrival/Departure Record
Form SS-5 Application for a Social Security Number
Form W-2 Wage and Tax Statement
"A" Number Alien Registration Number
I-94 Number Arrival/Departure Number

Appendix B
Scope and Methodology

To accomplish our objective, we:

Reviewed pertinent sections of the Social Security Administration's (SSA) policies and procedures as well as other relevant Federal laws and regulations.

Reviewed Office of the Inspector General, Government Accountability Office, and Department of Homeland Security (DHS) reports, and other relevant documents.

Established accounts with the Social Security Number Verification Service (SSNVS) and DHS' Employment Eligibility Verification System (EEVS), formerly known as the Basic Pilot.

For SSA's Employee Verification Service (EVS) and SSNVS, we:
Obtained a current list of registered users;
Obtained user feedback data;
Obtained sample submission data;
Identified the number of registered employers using the service as of Calendar Years (CY) 2006; and
Identified the number of verifications submitted in CYs 2003 to 2006.

For DHS' EEVS, we:
Obtained a current list of registered users;
Obtained user feedback data;
Obtained sample submission data;
Identified the number of registered employers using the service as of Fiscal Years (FY) 2006; and
Identified the number of verifications submitted in FYs 2003 to 2006.

Discussed the following with SSA and DHS staff:
controls in place under EVS, SSNVS and EEVS to ensure appropriate access to the verification programs;
controls in place under EVS, SSNVS and EEVS to ensure the appropriate feedback responses to users; and
controls in place under EVS, SSNVS, and EEVS to ensure users are not misusing programs.

Our review of internal controls was limited to obtaining an understanding of the verification programs. We determined that the list of registered users, feedback data, and submission data for the verification programs were generally reliable. The entities audited were the Office of Earnings, Enumeration and Administrative Systems under the Deputy Commissioner for Systems, the Office of Central Operations under the Deputy Commissioner for Operations, and the Employer Wage Reporting and Relations Staff under the Deputy Commissioner of Budget, Finance and Management. We conducted the audit between November 2005 and April 2007 in Philadelphia, Pennsylvania. We conducted our audit in accordance with generally accepted government auditing standards.

Appendix C
Employee Verification Service

Social Security Number (SSN) verification is essential to ensuring that wage reports are properly matched to the right SSN. Since the 1980s, the Social Security Administration (SSA) has worked to offer the employer community various methods to verify their employees' SSNs. One of the methods is the Employee Verification Service (EVS). EVS offers several submission methods depending upon the number of employees verified at a time.

EVS Telephone/Fax

Telephone: For up to five SSNs, employers can call SSA's toll-free numbers to verify SSNs. Employers can either call 1 of the 37 Teleservice Centers or the Employer Reporting Service Center (ERSC). Table C-1 below shows the criterion each component uses to verify SSNs for employers.

Table C-1: Criteria for Verifying Social Security Numbers by Telephone
Requirements ERSC1 Teleservice Centers 2
Verify user's identity No No
Verify user's authorization to use the program No No
Verify up to five SSNs (name, date of birth and gender) Yes Yes
Verify the Employer Identification Number (EIN) Yes Yes
Verify employer is not on "Do Not Verify" list 3 Yes No
If data agrees, provide positive response Yes Yes
If data disagrees, request employee visit a local field office Yes Yes
If record shows date of death, special indicator, or non-work status, request employee visit a field office No Yes
Note 1: SSA Program Operations Manual (POMS), ER 00301.010 -Telephone Calls.
Note 2: SSA Teleservice Center Operating Guide (TSCOG), TC 31001.090 - Request to Verify SSN or Work Authorization.
Note 3: The "Do Not Verify" list includes names of companies the ERSC determined had misused the verification service.

Fax: For up to 50 names and SSNs, employers have the option to fax a paper listing to a local field office or the ERSC. Both components will indicate on the paper requests whether submitted data matches SSA records or instruct the employer to have the employee visit a local field office.

EVS for Registered Users

For more than 50 names and SSNs, employers may use EVS for Registered Users by completing a registration form and Privacy Act Statement. As part of the registration process, the employers must submit the company's EIN, full address, name, and title of contact person and approximate number of employees' SSNs the employers wishes to verify. The employers have the option of submitting their verification requests by paper or magnetic media (tape, cartridge, compact disk, or diskette). However, SSA plans to discontinue accepting verifications request submitted by magnetic media as of October 2007 and will only accept paper requests. As shown in Table C-2, for EVS for Registered users, employers are provided with several verification responses for the data submitted.

Table C-2: EVS Verification Codes Provided to Users
EVS Code Description of Code
"Blank" Name and SSN match SSA's records.
1 SSN not in file (never issued to anyone).
2 Name and date of birth match; gender does not match.
3 Name and gender match; date of birth does not match.
4 Name matches; date of birth and gender do not match.
5 Name does not match; date of birth and gender not checked.
6 SSN Not Verified; Other Reason1
Y Death indicator
* Input SSN did not verify; SSA located a different SSN.
Note 1: Starting in August 2007 SSA will provide employers with code 6, if an individual's Numident record includes a fraud indicator.

Appendix D
Social Security Number Verification Service

To increase the ease and convenience of verifying employee names and Social Security Numbers (SSN), the Agency developed the Social Security Number Verification Programs (SSNVS), a free on-line program. After a 2-year pilot, SSNVS was expanded to all employers in June 2005. At the end of Calendar Year (CY) 2005, the Social Security Administration (SSA) reported that SSNVS processed about 25 million verifications for over 12,000 employers. As illustrated in Figure D-1, the use of the program increased in CY 2006 by almost doubling the total verifications processed to 49 million.

Figure D-1: SSNVS Verifications for CY 2003 to 2006

To obtain access to SSNVS, employers and third parties must first register on-line at SSA's Business Service Online (BSO) website. Following registration, SSA will mail an activation code, which is a code needed to gain access to SSNVS, directly to the company's address shown in the Employer Identification File (EIF). Once the registered users activate SSNVS using their Personal Identification Number (PIN) and the activation code, they can start submitting verifications. Registered users can:

Submit up to 10 employee names and SSNs (per screen) via the on-line SSNVS and receive immediate results; and

Upload files containing up to 250,000 employee names and SSNs and usually receive verification results the next Government business day. This bulk procedure allows employers to verify an entire payroll database or verify at one time the names and SSNs of a large number of newly hired workers.

SSA will return a verification code to the employer for each employee whose information does not match SSA's record. In addition to the verification code, SSA provides a death indicator if the employee's Numident record includes a date of death. Table D-1 provides descriptions for the SSNVS verification codes.

Table D-1: SSNVS Verification Codes Provided to Users
SSNVS Code Description of Code
"Blank" Name and SSN match SSA's records.
1 SSN not in file (never issued to anyone)
2 Name and date of birth match; gender code does not match
3 Name and gender code match; date of birth does not match
4 Name matches; date of birth and gender code do not match
5 Name does not match; date of birth and gender code not checked
6 SSN Not Verified; Other Reason1
Y Death indicator
Note 1: Starting in August 2007 SSA will provide employers with code 6, if an individual's Numident record includes a fraud indicator.

Appendix E
Employment Eligibility Verification System

The Employment Eligibility Verification System (EEVS), formerly known as the Basic Pilot, is an ongoing joint initiative between the Social Security Administration (SSA) and the Department of Homeland Security (DHS). The purpose of the EEVS is to assist employers in verifying the employment eligibility of newly hired employees. The President signed The Basic Pilot Program Extension and Expansion Act of 2003 (Public Law Number 108-156) into law on December 3, 2003. This law extended the operation of the EEVS for an additional 5 years (to a total of 11 years) and expanded the operation to all 50 States not later than December 1, 2004. Although EEVS has only been expanded for a short period, we found that the number of verifications have significantly increased during this period (see Figure E-1).

Figure E-1: EEVS Verifications for FY 2003 to 2006

The EEVS program uses the information in Government databases (SSA databases and, if needed, DHS databases) to determine the employment eligibility of new hires. The Social Security number (SSN) and Alien Registration Number ("A" Number) or I-94 Number (Admission Number) are used for these checks. The employer must complete the DHS-issued Employment Eligibility Verification Form (Form I-9) for each employee
and then enter elements of this data into the EEVS within 3 days of hiring, including the employee's SSN, name, date of birth (DoB), and whether the new-hire indicated he or she was a U.S. citizen and, if not, the "A" Number or I 94 Number.

The system first checks the information entered against SSA's database to verify the name, SSN, and DoB of newly hired employees, regardless of citizenship. When the Numident shows the U.S. as the place of birth for the newly hired employee or a code indicating the number holder is a U.S. citizen and the new hire indicated that he/she is a U.S. citizen, the EEVS automated system confirms employment eligibility. If the EEVS system cannot confirm employment eligibility based on the information in SSA's database or an "A" Number or I-94 Number was entered, the EEVS system checks the data against DHS' database.

The employer will receive notification of "SSA tentative non-confirmation" of employment eligibility when the SSN, name, or DoB does not match the information in SSA's database or if a death indicator is present. In addition, employers will receive an "SSA tentative non-confirmation" if the new-hire indicated he or she was a U.S. citizen and SSA's records did not show that the person was a U.S. citizen. The employer will receive notification of "DHS tentative nonconfirmation" of employment eligibility when DHS' database does not show the new hire as authorized for employment. In these cases, the employer asks the employee whether he or she wishes to contest the tentative non-confirmation. If contested, the employee must contact SSA or DHS within 8 Government working days of the notification. After the employee contacts SSA or DHS to correct the record, the employer resubmits the query through the EEVS system. If the system does not confirm employment eligibility after the employer resubmits the query, the employer may terminate the new-hire.

Appendix F
Agency Comments

MEMORANDUM

Date: August 22, 2007

To: Patrick P. O'Carroll, Jr.
Inspector General

From: Larry W. Dye

Subject: Office of the Inspector General (OIG) Draft Report, "Controls Over Employee Verification Programs" (A-03-06-15036)--INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the recommendations are attached.

Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, on (410) 965-4636.

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S (OIG) DRAFT REPORT, "CONTROLS OVER EMPLOYEE VERIFICATION PROGRAMS" (A-03-06-15036)

Thank you for the opportunity to review and provide comments on this draft report. Our comments on the draft recommendations are as follows.

Recommendation 1

Consider combining the Employee Verification Service (EVS) Telephone/Fax and EVS for Registered Users under Social Security Number Verification Service (SSNVS) to ensure access and monitoring controls are in place to protect the program, safeguard data, prevent unauthorized access, and provide consistent information to employers.

Comment

We agree. SSNVS uses the Integrated Registration for Employer Services (IRES) system for registering employees of businesses who are authorized by their employers to verify names and Social Security numbers (SSN) for wage reporting purposes. The report found that IRES contained the appropriate safeguards and security for accessing personal information. The Agency currently has a parallel automated telephone verification service in development. The Telephone National 800 # Employer Verification (TNEV) is an Agency approved project that is scheduled to be implemented in May 2008. TNEV will use IRES to register employees who will complete the name/SSN verifications. Utilizing IRES will ensure that the same level of security and authentication exists as in SSNVS.

In conjunction with the development of TNEV, it is currently being evaluated as to whether the Agency should limit name and SSN verifications to the SSNVS and TNEV processes. This course of action would no longer provide live agents for telephone verifications of names and SSNs in either the Office of Earnings Operations (OEO) or the national 800 number. Therefore, employers requesting to verify more than 10 names and SSNs by TNEV would be directed to utilize SSNVS via the proper website address. SSNVS has the ability to verify up to 250,000 names and SSNs overnight or up to 10 names and SSNs online. If this process is adopted, TNEV and SSNVS would offer consistency in the responses provided to the employers and provide a secure registration process for all users.

If the Agency decides not to move forward with limiting name and SSN verifications to the SSNVS and TNEV processes, we will reevaluate other avenues to implement this audit recommendation in the future.

Recommendation 2

Ensure feedback responses provided to employers for the four verification programs are consistent as it relates to: a) name and SSN matches; and b) death indicator responses.

Comment

We agree. See our response to recommendation 1. Current disclosure policy allows for the same data to be shared with employers via any SSN verification process. The routine use established for the applicable Privacy Act system of records, the SSN Master File (i.e., Numident records), allows information from that system to be disclosed to employers consistent with their wage reporting responsibilities. It should be noted that feedback response differences between the Employment Eligibility Verification System (EEVS) and the various SSN verification processes were established for different purposes; therefore, it may be appropriate to maintain different matching protocols. EEVS was designed to verify work eligibility status (determined by citizenship status) and is driven by Department of Homeland Security (DHS) needs. The other programs verify only the SSN, name and date of birth match (and also check for death information) for the purpose of wage reporting; citizenship status is not checked. We do note, however, that a future release of SSNVS (August 2007) will return successful and unsuccessful matches to the user. This brings the functionality of EVS and SSNVS in line with each other.

Lastly, the implementation of this recommendation could be affected by the outcomes for several pending developments concerning the EEVS program, as several States are enacting legislation requiring employers to use EEVS. It should be noted that although comprehensive immigration reform legislation did not pass, there are other pending legislative proposals mandating the use of EEVS. If the legislation is passed, or EEVS is otherwise implemented on a mandatory basis, the need for other SSN verification programs for employers may diminish, as all employers will be required to use EEVS for new hires.

Recommendation 3

Implement procedures to verify identity and authority for individuals to use EVS Telephone/Fax and EVS for Registered Users to ensure proper disclosure of verification data.

Comment

We agree. With the implementation of recommendations 1 and 2, this recommendation will be unnecessary. However, if recommendations 1 and 2 are not implemented, we will reevaluate other avenues to implement this audit recommendation in the future.

Recommendation 4

Discontinue the disclosure of corrected SSNs via the paper process under EVS for Registered Users.

Comment

Recommendation 5

Consider modifying all SSA verification programs to detect SSNs for individuals in non-work status, provide employers with notification, and instruct employers to have their employees visit a field office to update the employee's record.

Comment

We disagree. Work authorization is DHSs responsibility and should be handled through the DHS EEVS process. Even though current disclosure policy would allow this type of information to be provided to the employer based on their wage reporting responsibilities, SSA's Numident work authorization information may no longer be current. A number holder (NH) could have acquired work authorization status after the non-work SSN card was issued. SSA verifies with DHS all immigration documents presented in support of the SSN application at the time the application is taken. The Numident then serves as a "snap shot in time" as it records the individual's work authorization status at the time the SSN card was issued. The Numident is not intended, and does not act, as a repository of work authorization status. Only DHS can determine current work authorization for a noncitizen. Even though DHS has jurisdiction over work authorization determinations, we have concerns that prior OIG audits have identified that DHS was unable to locate the immigration and work authorization status of cases selected for review. Therefore, the Agency would have to expend resources to work with NHs to correct information, even though it was accurate when the application for an SSN was completed. Confusion over this point would require a strong outreach effort to employers to prevent unintentional dismissal of employees. Such a process may also be very work-intensive, and require a significant investment of operational resources.

Recommendation 6

Establish monitoring controls for the EVS Telephone/Fax and EVS for Registered Users that is consistent with the SSNVS to detect potential misuse of the verification programs.

Comment

Develop procedures to block unauthorized users from gaining access to SSA's verification programs. Ensure that unauthorized user information is shared among the verification programs to prevent further access to SSA data.

Comment

Recommendation 8

Establish a protocol to remove inactive users from the list of valid users for EVS for Registered Users until their identity and authorization to use the verification program has been verified and updated.

Comment

Appendix G
OIG Contacts and Staff Acknowledgments
OIG Contacts
Walter E. Bayer, Director, Philadelphia Audit Division, (215) 597-4066
Cylinda McCloud-Keal, Audit Manager, Philadelphia Audit Office, (215) 597-0572
Acknowledgments
In addition to those named above:
Virginia Harada, Auditor-in-Charge

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-03-06-15036.

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Resource Management (ORM). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Resource Management
ORM supports OIG by providing information resource management and systems security. ORM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, ORM is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.