OFFICE
OF
THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
CONSENT BASED
SOCIAL SECURITY NUMBER
VERIFICATION PROGRAM
July 2009
A-03-08-18067
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
MEMORANDUM
Date: July 10, 2009 Refer To:
To: The Commissioner
From: Inspector General
Subject: Consent Based Social Security Number Verification Program (A-03-08-18067)
OBJECTIVE
To assess the results to date of the pilot and interim consent- and fee-based verification programs and determine lessons learned that could be applied to the Consent Based Social Security Number Verification (CBSV) program.
BACKGROUND
Since October 2002, the Social Security Administration (SSA) has assisted companies that provide identity verification services for mortgage companies and financial institutions by verifying that the name and Social Security number (SSN) provided match or do not match SSA’s records. To provide registered companies a vehicle for purchasing SSN verifications, the Agency developed a centralized, automated process that could quickly respond to verification requests. This process reduces the burden on field office resources to process the many verification requests. Since its inception, there have been three iterations of the program. The initial program was the Agency’s pilot consent- and fee-based SSN verification program, Social Security Number Verification Pilot for Private Businesses (Pilot), which began in October 2002 and ended in February 2005. It was replaced with the Interim Verification Process (IVP) in March 2005, and this program ended in November 2008. IVP was replaced in November 2008 with the current CBSV program.
Pilot. SSA required that participating companies sign a User Agreement with the Agency and obtain written consent from the individual for whom verification would be requested before requesting verification from SSA. Four companies participated in the
Pilot and were required to pay a fee of $40,000 to assist with the Agency’s start-up costs, as well as pay advanced transaction fees $.26 per verification and $.0047 per record—for their total estimated annual verification requests.
IVP. SSA required that participating companies sign a User Agreement and obtain written consent from the individual before requesting verification through SSA. From Fiscal Years (FY) 2005 through 2007, the IVP program required manual submission of verification requests with consent forms via Compact Disc-Read Only Memory (CD), and charged companies a one-time registration fee of $77 and a transaction fee of $157 per CD submission to process verification requests. In FY 2008, the IVP program required electronic submission of verification requests, and charged each company a one-time registration fee of $381 and a transaction fee of $157 per electronic file submission. There were 11 companies (including the 4 Pilot companies) registered for this program.
CBSV. In November 2008, SSA replaced the IVP program with the CBSV program. However, unlike the previous programs, the CBSV program is available to all private businesses and Federal, State, and local government agencies. For CBSV, participating companies are also required to sign a User Agreement; pay a one-time, non-refundable registration fee of $5,000; and pay an advance transaction fee of $.56 per verification request. Further, participating companies are required to obtain written consent from the individual (or the individual’s legal guardian) before verifying the individual’s SSN through CBSV. As of February 2009, 86 companies had enrolled to use the CBSV program.
For the purpose of this review, we focused on SSA’s controls to test compliance with the requirements for consent, controls to ensure that companies complied with User Agreement requirements, and matching criteria used to ensure appropriate responses were provided to participating companies. We have elected to focus on these core issues because of the relevant importance to ensuring that only authorized access to this information is granted.
RESULTS OF REVIEW
While we found that SSA generally applied best practices learned from its Pilot and IVP programs to the CBSV, we believe improvements are still needed for the CBSV program. Specifically, our review found that SSA’s Pilot, IVP, and CBSV programs had adequate controls to test compliance with the consent requirement for verifications. For example, for the Pilot and CBSV programs, participating companies were required to hire independent certified public accountants (CPA) to ensure the companies obtained a valid consent before submitting the verification request to SSA. For the IVP program, the Agency conducted random sample tests on consent forms to ensure compliance with requirements before processing the verification requests.
We are, however, concerned about the Agency’s original estimates for the CBSV program. The first year program estimates for CBSV were not in line with the actual number of companies participating in the CBSV program and the related number of verification requests submitted to SSA. As of August 2007, SSA anticipated it would receive about $5.6 million based on 90 participating companies submitting about 10 million transactions. These anticipated funds were expected to cover SSA’s costs for developing the CBSV program and other related program costs. However, as of February 2009, SSA was scheduled to receive approximately $1.1 million from 86 participating companies, to process about 1.1 million verification requests. Moreover, as of April 2009, SSA’s total cost for developing the CBSV program had increased to about $7.8 million. Thus, SSA would not recoup $6.7 million of its costs during the first year of the program. The Agency expects to recoup the remaining costs by collecting transaction fees over the depreciable life (3 years). However, this raises concerns regarding the Agency’s ability to recoup its costs because of lower than expected participation.
Additionally, we determined that SSA did not comply with its policy requiring proof of parental and legal guardianship for individuals signing consent forms for SSN verification on behalf of minors and incompetent adults for the CBSV program. Moreover, SSA’s requirements for the compliance reviews conducted by an independent CPA were not specific enough to ensure uniformity in reporting of results. Finally, SSA did not require the date of birth (DoB) as part of the matching criteria for the CBSV program, which could lead to SSA providing false positive responses to participating companies, as well as increasing the risk that SSA will not detect instances of SSN misuse.
CBSV PARTICIPATING COMPANIES AND TRANSACTIONS FEES
The number of companies participating in the CBSV program and the number of verification requests that would be processed by SSA during the first year were not in line with the Agency’s estimate. As of August 2007, SSA anticipated it would receive about $5.6 million, based on 90 participating companies submitting about 10 million transactions, to cover its costs for the development of the CBSV program and other related program costs. However, as of February 2009, SSA was scheduled to receive approximately $1.1 million from the 86 actual participating companies to process about 1.1 million verification requests. Moreover, as of April 2009, SSA’s total cost for developing the CBSV program had increased to about $7.8 million. This raises concerns regarding the Agency’s ability to recoup its costs for system development and other related program costs because of lower than expected participation.
CBSV Participating Companies
In the 2007 Federal Register notice for the CBSV program, SSA estimated that 90 companies would participate in the CBSV program. Initially, to determine whether there was sufficient interest in CBSV to support proceeding with program development, the Agency established an enrollment period of December 2007 through June 2008. During this period, 94 companies enrolled to use the program and paid the $5,000 enrollment fee, but 12 of these companies withdrew from the program. SSA refunded the $5,000 registration fee to 6 of the 12 companies because the companies canceled their enrollment before the Agency’s revised deadline for cancellation. SSA did not refund the $5,000 registration fee for the other six companies because they did not opt out by the deadline. SSA considered these six companies “inactive,” but should they pursue CBSV in the future, they will not be required to pay another enrollment fee. In November 2008, the date of implementation, there were 82 companies enrolled to use CBSV. However, only 66 of the companies had made advanced payments for their estimated FY 2009 verification requests. The remaining 16 companies were in various stages of the registration process.
SSA reopened CBSV enrollment in January 2009, and as of February 2009, 86 companies had enrolled for CBSV. All but 1 of the 86 companies paid SSA the $5,000 registration fee, so SSA received $425,000 in fees. Further, only 68 of the 86 companies had paid transaction fees in advance for their FY 2009 estimated number of verification requests. According to SSA staff, the Agency did not receive advance payments for transaction fees from the remaining 18 companies because they were in various stages of the CBSV registration process or they had ceased CBSV registration activity. Table 1 summarizes the changes in the actual number of CBSV registered companies as of November 2008 and February 2009.
Table 1: Number of CBSV Enrolled Companies
CBSV
November 2008
(as of Implementation) CBSV
February 2009
(as of Reopened Enrollment)
Number of Companies Enrolled with Total Fees Paid 66 68
Number of Companies Enrolled without Total Fees Paid 16 18
Total Enrolled Companies 82 86
Estimated Transaction Fees
As of August 2007, SSA anticipated it would receive about $5.6 million based on 90 participating companies submitting about 10 million transactions. SSA expected the $5.6 million to cover the Agency’s costs for developing the CBSV program, as well as processing verification transactions. However, as of April 2009, SSA’s total cost for developing the CBSV program had increased to about $7.8 million.
As of November 2008, SSA’s records showed that the 82 enrolled companies had initially estimated their total FY 2009 verification requests would be about 7 million, resulting in about $3.9 million in transaction fees payable to SSA. However, the estimated total number of verification requests was reduced by 48 percent to 3.6 million verification requests because 27 companies lowered their estimated verification requests. Therefore, SSA would have received about $2 million in transaction fees from the companies for the 3.6 million verification requests.
As of February 2009, SSA’s records showed that 86 companies were registered for the CBSV program. The estimated total number of verification requests for these companies was further reduced by 69 percent to 1.1 million verification requests because 16 companies lowered their estimated verification requests. This is a total reduction of approximately 84 percent from the initial estimate of 7 million verification requests. SSA expects it will receive about $623,000 to process 1.1 million verification requests. As of February 2009, the Agency had received about $522,000 from 68 of the 86 companies to process approximately 1 million of the 1.1 million verification requests. Table 2 summarizes the estimated transaction fees from August 2007 to February 2009.
Table 2: Estimated Transaction Fees
August 2007 November
2008 February
2009
SSA Estimate Company’s Initial Estimate Company’s Revised Estimate Company’s Revised
Estimate
Number of Enrolled Companies 90 82 82 86
Total Estimated Verification Requests 10.0 million 7.0 million 3.6 million 1.1 million
Estimated Total Transaction Fees $5.6 million $3.9 million $2.0 million $623,000
Based on the reduction in the number of participating companies and estimated verification requests, it is questionable whether SSA will be able to fully recoup the
$7.8 million for the CBSV program system development and other related program costs. SSA is scheduled to receive about $1.1 million from the 86 companies that have registered for CBSV ($623,000 for transaction fees and $430,000 for registration fees), which results in about $6.7 million in unreimbursed costs. SSA expects to recoup the remaining costs for system development, and other program-related costs by collecting transaction fees over the depreciable life (3 years) of the CBSV program. SSA should periodically calculate the costs for the CBSV program so fees charged to participating companies can be adjusted.
CONSENT REQUIREMENT
Although SSA had adequate controls to test compliance with the consent requirements for the three programs, we found that for the CBSV program, the Agency was not complying with its policy of requiring proof of parental and legal guardianship authority for individuals signing consent forms on behalf of minors and incompetent adults.
Comparison of Consent Requirements
For the Pilot and CBSV programs, participating companies were required to use an approved consent form to secure authorization from individuals to obtain SSN verifications. The consent form was valid for verification for 90 days from the date of signature. SSA required that participating companies hire an independent CPA to assess compliance with obtaining a valid consent form before verification. For both programs, the CPAs were required to confirm the companies had (1) used the approved consent form, (2) used the SSN verification only for the purpose indicated on the consent form, and (3) obtained a valid consent from the individual signing the form. We found that for the Pilot program, the four participating companies had hired independent CPAs to determine whether they complied with the consent requirement (we discuss this in more detail in the next section of the report). For CBSV, SSA anticipates the CPAs will conduct annual compliance reviews and be required to submit the audit report to SSA 30 days after the review is completed. Further, the CPAs will provide the participating company with a copy of the report 30 days after the report is provided to SSA.
For the IVP program, participating companies were required to use the standardized consent form provided in the User Agreement. As with the Pilot and CBSV programs, the consent form was valid for verification requests for 90 days from the date of signature. However, unlike the Pilot and CBSV, SSA required that IVP-participating companies submit copies of the consent forms with the requests. Before processing the companies’ verification requests file data through SSA’s Enumeration Verification System (EVS), SSA conducted random sample tests on the file data to determine whether the file contained (1) a consent form for each verification request, (2) the proper consent form, and (3) all required information on the form. SSA did not process the verification requests if these conditions were not met.
Proof of Consent for Minors and Incompetent Adults
SSA did not establish a requirement for CBSV participating companies to obtain proof of a parent or legal guardian’s relationship to a minor or proof of guardianship for incompetent adults. The lack of this requirement for participating companies is not consistent with the Agency’s policy. According to SSA policy on who may consent to disclose personal information, relating to an individual’s record, to a third party, “…in all cases, proof of the parent’s or legal guardian’s relationship to the minor is required before a request on behalf of the minor can be accepted from a parent or legal guardian (e.g., a birth record showing the parent’s name or documentation from a court of the guardian’s appointment).” The policy further directs that, “…if proof of relationship is not established, do not disclose any information.” For incompetent adults, the policy states, “…proof of the guardianship appointment for the incompetent adult must accompany the consent to disclose information.” Without proof of legal relationship, SSA has no assurance the individual who signed the consent form had the legal right to do so.
SSA did not consider proof of parental and legal guardianship authority an issue for the Pilot and IVP programs because verification under these programs was open only to mortgage companies and other financial institutions. However, our review of IVP transactions for 2005 to 2008 showed that SSA verified the names and SSNs of 33 children, ranging in age from 2 to 17. Considering the CBSV program is open to any entity that registers to use it, proof of parental and legal guardianship is an issue for this program.
ASSESSMENT OF CPA REVIEWS AND SSA MONITORING OF CPA FINDINGS
SSA’s requirements for the compliance reviews conducted by an independent CPA were not specific enough to ensure uniformity in reporting results. Therefore, SSA may find it difficult to rely on the CPA reports to determine whether a company has complied with the terms and conditions of the User Agreements. Furthermore, although SSA did not establish procedures to monitor findings addressed in the CPA reports for the Pilot program, the Agency is developing a guide that will be used to evaluate and monitor the CPA compliance reviews for the CBSV program.
CPA Reviews
For the Pilot program, SSA reviewed all of the four FY 2003 CPA reports and focused on the two participating companies with the highest number of verification requests. The CPAs who conducted the reviews were from different firms. SSA found that although both CPA reports concluded the participating companies complied with the terms and conditions of the User Agreement, the reports differed significantly in the way findings related to the consent form were reported. The Agency found that one CPA report was specific in identifying and quantifying noted discrepancies on the sample consent forms reviewed. For example, the report specified the number of forms that were missing the date of signature, were modified, and/or contained incomplete contact information. The other report only indicated the participating company had obtained signed consent forms, which complied with the User Agreement model for each of the names and SSNs that were part of the sample. The Agency noted that the report did not offer specifics on the completion of information contained on the form, such as information that may have been missing in fields other than name and SSN.
We reviewed the FY 2003 CPA reports for all four Pilot-participating companies and found that generally, the reports offered some useful information that was not required for the review. For example, the reports identified the number of input errors, submission of multiple SSNs, and apparent errors in SSA’s reporting on verification results. However, the reports lacked specificity with which the CPAs reported on the results of their review for required performance elements. Examples of how the CPA reported on some of the performance criteria are shown in Appendix G.
Since the CBSV program requires CPA compliance reviews of participating companies, we believe the Agency should establish specific uniform requirements for each CPA conducting these reviews to ensure consistency in the information reported to SSA. At a minimum, the Agency should require that CPAs specify and quantify noted discrepancies on consent forms relative to the requirements such as those that are missing the reason for the verification, signature and date, and contact information for the individual signing the consent form. Capturing this type of data would help SSA determine whether participating companies have complied with the terms and conditions of the User Agreements.
SSA Monitoring of CPA Findings
SSA did not establish procedures to monitor findings addressed in the CPA reports for the Pilot program because the Agency was transitioning from the Pilot to implementation of the IVP program, which did not require a CPA review. As stated earlier, for the IVP program, participating companies were required to submit verification requests and copies of the associated consent forms to SSA. The Agency was responsible for assessing the forms’ compliance with requirements established in the IVP User Agreement. However, for the CBSV program, the Agency requires that participating companies hire an independent CPA to assess the company’s compliance with the terms and conditions of the CBSV User Agreement and specifically the consent requirement. According to SSA staff, the Agency is developing a guide to evaluate and monitor the CPA compliance reviews. At the time of our review, the guide had not been completed. We believe the Agency should ensure it develops the guide for monitoring findings addressed in the CPA reports for the Agency to capture trends that may identify the need for changes in the contractual provisions of the CBSV User Agreements, or cancel or suspend a company who does not comply with the terms and conditions of the User Agreement.
DOB REQUIREMENT FOR VERIFICATION
SSA did not use the DoB as part of the matching criteria for the CBSV program, which could lead to SSA providing false positive responses to participating companies. Further, it increases the risk that SSA will not detect instances of SSN misuse.
Providing the DoB on consent forms was required for the Pilot and IVP programs. For these programs, the DoB was also part of the programs’ verification matching criteria and thus was a mandatory data input element for the Pilot and IVP processing system. SSA’s process for SSN verification for CBSV required that the DoB of the individual for whom verification was being sought be provided on the consent form. However, it did not require that participating companies submit the DoB as part of the verification request. The Agency’s mandatory input elements for CBSV included only the individual’s name and SSN. The DoB was noted as an optional data input field for CBSV verifications in the User Guide provided to the participating companies. SSA uses the Social Security Number Verification Service (SSNVS) to determine whether a name and SSN provided for verification under the CBSV program matched its records. The matching criterion for SSNVS does not require the DoB.
According to SSA staff, the Agency eliminated the DoB requirement for CBSV to clarify that the CBSV program did not provide identity verification. However, we believe that by eliminating the DoB as a mandatory data element for CBSV, SSA increases the risk it may provide false positive responses to participating companies. Our review of the IVP transactions for 2005 to 2008 showed that when the DoB was included as part of the matching criteria, SSA provided the appropriate response to the participating companies. For example, a company submitted a name and SSN that matched SSA records, but the DoB did not match. The company had mistakenly replaced the year of birth with the year the request was made. In this case, SSA provided a no-match response. The company realized the error and resubmitted the verification request with the correct DoB. SSA provided a match response. We believe using the DoB as part of the CBSV matching criteria will provide more assurance the submitted name and SSN belong to an individual. Without the DoB, there is an increased risk that SSA may not detect instances of SSN misuse.
CONCLUSIONS AND RECOMMENDATIONS
The results of our audit indicate that a number of the control processes used in the Pilot and IVP programs are also used in the CBSV. The Pilot, IVP, and CBSV programs have not only given companies a means for efficient verification of large numbers of SSNs, but the programs have also benefited SSA by reducing the burden on field office resources to process the high volume of verification requests. Furthermore, the programs have given SSA the ability to manage an increasing workload more efficiently. However, based on our review, we believe SSA needs to take steps to strengthen its controls over the CBSV program to ensure (1) the Agency is reimbursed for the total costs of the program, (2) compliance with current policy for consent for minor and incompetent adults, (3) uniformity with reporting requirements for CPA compliance reviews, and (4) the matching criteria are sufficient to reduce the risk of providing false positive responses.
Accordingly, we recommend SSA:
1. Periodically calculate the costs for the CBSV program so that fees charged to participating companies can be adjusted.
2. Require that CBSV-participating companies obtain proof of parental and legal guardianship authority from individuals signing consent forms for SSN verification on behalf of minors and incompetent adults, as required by SSA policy.
3. Develop specific requirements for the compliance reviews conducted by independent CPAs to ensure uniformity in reporting results. At a minimum, require that CPAs specify and quantify noted discrepancies on consent forms or state that there were no noted discrepancies on consent forms, if applicable.
4. Establish written procedures (guide) that will allow the Agency to effectively evaluate and monitor the compliance reviews conducted by independent CPAs.
5. Require that participating companies submit the DoB as part of their verification request for the CBSV program.
AGENCY COMMENTS
SSA agreed with our recommendations. The full text of the Agency’s comments is included in Appendix H.
/s/
Patrick P. O’Carroll, Jr.
Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Consent- and Fee-Based Verification Programs
APPENDIX D – Summary of the Consent Requirements
APPENDIX E – Pilot Compliance Review Criteria
APPENDIX F – Consent-Based Social Security Number Compliance Review Criteria
APPENDIX G – Examples of Certified Public Accountant Findings
APPENDIX H – Agency Comments
APPENDIX I – OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
CBSV Consent Based Social Security Number Verification
CPA Certified Public Accountant
DoB Date of Birth
EVS Enumeration Verification System
FR Federal Register
FY Fiscal Year
IVP Interim Verification Process
OIG Office of the Inspector General
POMS Program Operations Manual System
SSA Social Security Administration
SSN Social Security Number
SSNVS Social Security Verification Service
U.S.C. United States Code
Appendix B
Scope and Methodology
To accomplish our objective, we:
• Reviewed applicable Federal law and regulations, as well as the Social Security Administration’s (SSA) policies and procedures as they relate to privacy and disclosure of personal information maintained in SSA’s official records.
• Reviewed the Intelligence Reform and Terrorism Prevention Act of 2004 for policy on the requirement for SSA to add death and fraud indicators to its Social Security number (SSN) verification systems.
• Reviewed policies and procedures regarding SSA’s development of its consent- and fee-based SSN verification programs.
• Reviewed User Agreements established between SSA and companies participating in the Pilot, Interim Verification Process (IVP), and Consent Based Social Security Number Verification (CBSV) programs.
• Reviewed User Guides provided to Pilot, IVP and CBSV participating companies.
• Reviewed management reports on companies enrolled for the CBSV service.
• Reviewed Reimbursable Agreements covering verification transaction fees for IVP and CBSV participating companies.
• Gained an understanding of SSA’s Pilot, IVP and CBSV verification processes.
• Obtained verification requests and results data for IVP participating companies for Fiscal Years 2005 through 2008.
We determined the IVP data used for this audit were sufficiently reliable to meet our objective. The Office of Central Operations was responsible for managing the IVP program. The Office of Public Service and Operations Support is responsible for managing the CBSV program. Both of these offices are under the Deputy Commissioner for Operations. Our work was conducted at the Philadelphia Audit Division, Philadelphia, Pennsylvania, between July 2008 and February 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.
Appendix C
Consent- and Fee-Based Verification Programs
Since October 2002, the Social Security Administration (SSA) has assisted companies that provide identity verification services for mortgage companies and financial institutions by confirming the name and Social Security number (SSN) provided match SSA’s records. To provide registered companies a vehicle for purchasing SSN verifications, the Agency developed a centralized and automated process that could quickly respond to verification requests. This process also helps SSA by reducing the burden on field offices’ resources to process the many verification requests. Since its inception, there have been three iterations of the program. The initial program was the Agency’s pilot consent- and fee-based SSN verification program, Social Security Number Verification Pilot for Private Businesses (Pilot), which began in October 2002 and ended in February 2005. It was replaced in March 2005 with the Interim Verification Process (IVP) that ended in November 2008. IVP was replaced with the current Consent Based Social Security Number Verification (CBSV) program.
PILOT PROGRAM
SSA requires that participating companies sign a User Agreement with the Agency and obtain written consent from the individual for whom verification would be requested before requesting verification from SSA. Four companies participated in this Pilot program and were required to pay a fee of $40,000 to assist with the Agency’s start-up costs, as well as pay advanced transaction fees $.26 per verification and $.0047 per record—for their total estimated annual verification requests. SSA received about $160,000 for the start-up costs; however, it was not able to provide us with the amounts received in transaction fees from these companies. During Fiscal Years (FY) 2003 to 2005, SSA processed about 551,000 verification requests submitted by the 4 participating companies. As shown in Table C 1, the Agency was able to verify 89 percent of the submitted names and SSNs, but did not verify 11 percent of the submitted names and SSNs.
Table C 1: Summary of Verifications Submitted for the Pilot Program
Response FY 2003 FY 2004 FY 2005 Total Percent
Verified 71,455 261,042 159,651 492,148 89
Not Verified 9,215 31,189 18,724 59,128 11
Total 80,670 292,231 178,375 551,276 100
IVP PROGRAM
SSA required that participating companies sign a User Agreement with SSA and obtain written consent from the individual before requesting verification through SSA. Registered companies were required to pay a one-time registration fee and advanced transaction fees for their estimated annual verification requests. From FYs 2005 through 2007, the IVP program required manual submission of verification requests with consent forms and charged companies a one-time registration fee of $77 and a transaction fee of $157 to process verification requests. In FY 2008, the IVP program required electronic submission of verification requests and charged each company a one-time registration fee of $381 and a transaction fee of $157. There were 11 companies (including the 4 Pilot companies) registered for this program. As of FY 2008, only 7 of the 11 registered companies had submitted verification requests. As shown in Table C 2, during FYs 2005 to 2008, the 7 companies submitted about 1.9 million verification requests to SSA. SSA verified 92 percent of the submitted names and SSNs, but did not verify 8 percent of the submitted names and SSNs. Further, SSA received about $700,000 from the 7 companies for their verification transactions for FYs 2006 through 2008.
Table C 2: Summary of Verification Submitted for the IVP Program
Response FY 2005 FY 2006 FY 2007 FY 2008 Total Percent
Verified 292,356 513,167 500,406 396,880 1,702,809 92
Not Verified 29,507 50,606 47,269 27,341 154,723 8
Total 321,863 563,773 547,675 424,221 1,857,532 100
Death N/A N/A 27 19 46
CBSV PROGRAM
In November 2008, SSA replaced the IVP program with the CBSV. However, unlike the previous programs, CBSV is available to all private businesses and Federal, State, and local government agencies. For CBSV, participating companies are also required to sign a User Agreement, pay a one-time non-refundable registration fee of $5,000, and pay an advance transaction fee of $.56 per verification request. Further, participating companies are required to obtain written consent from the individual (or the individual’s legal guardian) before verifying the individual’s SSN through CBSV. As of February 2009, 86 companies were enrolled and SSA received about $947,000 in registration and transaction fees from these companies.
Appendix D
Summary of the Consent Requirements
Table D 1 provides a summary of the consent requirements the Social Security Administration (SSA) established for the Pilot, Interim Verification Program (IVP), and Consent Based Social Security Number Verification (CBSV) programs. For all three programs, participating companies were required to use an approved consent form to secure authorization from individuals to obtain Social Security number verifications. The consent form was valid for verification for 90 days from the date of signature. For the Pilot and CBSV programs, to assess each company’s compliance with obtaining a valid consent form prior to verification, SSA required that participating companies hire an independent certified public accountant (CPA) to conduct a compliance review. For the IVP program, participating companies submitted the consent forms to SSA who determined whether (1) a consent form was provided for each verification request, (2) a valid consent form was used, and (3) all required information was included on the form. SSA did not process the verification requests if these conditions were not met.
Table D 1: Consent Requirement
User Agreement Condition
User Agreement Specification
Pilot IVP CBSV
Consent Form
Company designed form, but required
SSA approval
Company designed form, but required
SSA approval
SSA standardized form
Consent Form Expiration1 90 days 90 days 90 days
Consent Form Submitted to SSA with Verification Requests
No2
Yes3
No2
Participating Company’s Consent Form Retention Requirement
3 years from date of verification
N/A
7 years from date of verification
Independent CPA Compliance Review Required
Yes
N/A
Yes
Notes
1. This was the expiration date unless the individual signing the consent form clearly indicated otherwise.
2. Consent form maintained by company. SSA required CPA compliance review of company to assess compliance with consent form requirements and other User Agreement terms and conditions.
3. Copies of consent forms submitted to SSA along with the verification requests. Before processing verification requests file data through SSA’s system, the Agency conducted random sample tests on the file data to determine if the file contained (1) a consent form for each verification request, (2) the proper consent form, and (3) all required information on the form.
Appendix E
Pilot Compliance Review Criteria
Appendix F
Consent Based Social Security Number Verification Compliance Review Criteria
Appendix G
Examples of Certified Public Accountant Findings
We reviewed the Fiscal Year 2003 certified public accountant (CPA) reports for all four of the Pilot participating companies and found that generally, the reports offered some useful information that was not required for the review. For example, the reports identified the number of input errors, submission of multiple Social Security numbers (SSN), and apparent errors in the Social Security Administration’s (SSA) reporting on verification results. However, the reports lack specificity with which the CPAs reported the results of their reviews for required performance elements. Table G 1 provides examples of how the CPAs reported on some of the performance criteria.
Table G 1: Examples of CPA Findings for the Four Pilot Companies
Performance Criteria Companies1
1 2 3 4
Company used the approved consent form. Specified and quantified discrepancies. Addressed only that the consent forms agreed with SSA’s model consent form. Specified and quantified discrepancies. Addressed only that the consent forms agreed with SSA’s model consent form.
Company complied with consent form expiration for submitting verification requests to SSA. Specified and quantified discrepancies. Specified that consent forms were signed within 90 days of verification requests. Specified and quantified discrepancies. Specified and quantified discrepancies.
Company used the SSN verification only for the purpose indicated on the consent form. Obtained written representation from company. Stated that requesting company confirmed use of verifications. Stated that verifications were for purposes stated on the consent forms. Not addressed in CPA report.
Note: 1. The companies are in order by volume of verification requests.
Appendix H
Agency Comments
MEMORANDUM
Date: July 01, 2009 Refer
Refer To: S1J-3
To: Patrick P. O'Carroll, Jr.
Inspector General
From: James A. Winn /s/
Chief of Staff
Subject: Office of the Inspector General (OIG) Draft Report, “Consent-based Social Security Number Verification Program” A-03-08-18067)—INFORMATION
Thank you for the opportunity to review and comment on the draft report. We appreciate OIG’s efforts in conducting this review. Attached is our response to the report recommendations.
Please let me know if we can be of further assistance. Staff inquiries may be directed to
Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.
Attachment
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL’S DRAFT REPORT, “CONSENT-BASED SOCIAL SECURITY NUMBER VERIFICATION PROGRAM”
(A-03-08-18067)
The Consent-Based Social Security Number Verification (CBSV) program is a reimbursable project and changes resulting from these recommendations may result in a change in cost to CBSV users.
Our responses to your specific recommendations are as follows.
Recommendation 1
Periodically calculate the costs for the CBSV program so fees charged to participating companies can be adjusted.
Comment
We agree. We have had this process in place since the inception of the CBSV program. The CBSV User Agreement, Section X, Cost of Services (page 9) states: “Periodically, but no less frequently than annually, SSA will recalculate its costs related to providing the services in this User Agreement and will adjust the fees charged accordingly.” We will continue to follow this agreement and make any necessary fee adjustments.
Since its inception, we have adjusted the price of CBSV three times. In August 2007, when we instituted the CBSV program, we charged $0.27 per verification request. In December 2007, we increased the price to $0.32, and in April 2008, we adjusted the price to $0.56 per verification request.
Recommendation 2
Require that CBSV-participating companies obtain proof of parental and legal guardianship authority from individuals signing consent forms for Social Security number (SSN) verification on behalf of minors and incompetent adults as required by our policy.
Comment
We agree. We will take the necessary steps to make this change. However, we may have to obtain Office of Management and Budget (OMB) approval prior to making the necessary amendments to the User Agreement.
Recommendation 3
Develop specific requirements for the compliance reviews conducted by independent Certified Public Accountants (CPA) to ensure uniformity in reporting results. At a minimum, require that CPAs specify and quantify noted discrepancies on consent forms or state that there were no noted discrepancies on consent forms, if applicable.
Comment
We agree. We will incorporate these instructions into our planned CBSV Compliance Review Handbook. As mentioned in our earlier comment, we may have to obtain OMB approval prior to making the necessary amendments to the User Agreement.
Recommendation 4
Establish written procedures (guide) that will allow the agency to effectively evaluate and monitor the compliance reviews conducted by independent CPAs.
Comment
We agree. We will incorporate these instructions into our planned CBSV Compliance Review Handbook. Again, we may have to obtain OMB approval prior to making the necessary amendments to the User Agreement.
Recommendation 5
Require that participating companies submit the date of birth as part of their verification request for the CBSV program.
Comment
We agree. We will take the necessary steps to make this change. As with the other recommendations, we may have to obtain OMB approval prior to making the necessary amendments to the User Agreement.
Appendix I
OIG Contacts and Staff Acknowledgments
OIG Contacts
Cylinda McCloud-Keal, Director, Philadelphia Audit Division
Carol Madonna, Audit Manager
Acknowledgments
In addition to those named above:
Brenda Williams, Auditor-in-Charge
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number
A-03-08-18067.
DISTRIBUTION SCHEDULE
Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.