SOCIAL SECURITY ADMINISTRATION
ADMINISTRATIVE
COSTS
CLAIMED BY THE
MICHIGAN DISABILITY
DETERMINATION SERVICES
September
2009
A-05-08-18017
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
MEMORANDUM
Date: September 30, 2009
To: James F. Martin
Regional Commissioner Chicago
From: Inspector General
Subject: Administrative Costs Claimed by the Michigan Disability Determination Services (A-05-08-18017)
OBJECTIVE
For our audit of Fiscal Years (FY) 2006 and 2007 administrative costs claimed
by the Michigan Disability Determination Services (MI-DDS), our objectives were
to
evaluate MI-DDS' internal controls over the accounting and reporting of administrative
costs;
determine whether costs claimed by MI-DDS were allowable and properly allocated,
and funds were properly drawn; and
assess limited areas of the general security controls environment.
BACKGROUND
Disability determinations under the Social Security Administration's (SSA)
Disability Insurance and Supplemental Security Income programs are performed
by disability determination services (DDS) in each State or other responsible
jurisdiction, according to Federal regulations. Each DDS is responsible for
determining claimants' disabilities and ensuring that adequate evidence is available
to support its determinations. To make proper disability determinations, each
DDS is authorized to purchase consultative medical examinations and medical
evidence of record from the claimants' physicians or other treating sources.
SSA pays the DDS for 100 percent of allowable expenditures using a State Agency
Report of Obligations for SSA Disability Programs
(Form SSA-4513).
RESULTS OF REVIEW
Generally, MI-DDS had effective controls over the accounting and reporting of administrative costs. The costs MI-DDS claimed on Forms SSA-4513 for FYs 2006 and 2007-totaling $142,796,032-were allowable and funds were properly drawn. However, we found the general security control environment could be improved. Specifically, MI-DDS' security plan did not cover all the required parts outlined in SSA policy. In addition, MI-DDS did not maintain complete inventory records of computer equipment. Moreover, one retired contractor's computer access was not properly terminated. Finally, SSA did not rescind excess funding authorization balances from FYs 1999 and 2001 of $16,588 and $6,985, respectively.
GENERAL SECURITY CONTROLS
We had findings related to the (1) security plan; (2) computer inventory records and encryption; and (3) contractor systems access.
Security Plan Did Not Cover Required Eight Parts
MI-DDS Business Continuity Plans, in combination with emergency procedures for each of the four DDS offices, did not cover all eight required parts at the time of our review. According to SSA's Program Operations Manual System (POMS), each DDS must establish and maintain a DDS security plan. In the event of a disruption to any SSA system, a Business Continuity Plan can be activated and conducted in tandem with the security plan to ensure the recovery of the affected functions. However, the Business Continuity Plan, in combination with each DDS' emergency procedures, did not cover all eight required parts of a security plan, as outlined in SSA policy. Since SSA's policy for an eight-part security plan was not followed, essential information was missing. For instance, the plan was missing descriptions of
1. security measures in place during non-business hours,
2. systems review and recertification, and
3. security violations and resolution.
MI-DDS stated it was unaware of SSA's security plan requirements, though we located a November 2008 memorandum from SSA reminding all DDS Administrators of the eight parts of a security plan. In response to our inquiry, the MI-DDS contacted SSA regional office staff about updating the security plan. We recommend SSA work with MI-DDS to ensure it timely updates and submits a security plan that meets SSA requirements.
Inventory Records Did Not List Laptops
MI-DDS did not maintain complete inventory records of computer equipment because it excluded SSA-purchased laptop computer equipment from the MI-DDS inventory lists. During our visit, we identified four laptops that were not part of the inventory. SSA policy states an appropriate inventory and control mechanism is required to account for all property used for disability program purposes. SSA policy also makes each State responsible for maintaining an inventory of all equipment acquired-whether purchased through SSA or the State. Additionally, SSA policy requires that all sensitive equipment, including laptop computers, be inventoried. Finally, SSA has additional instructions related to laptop computer equipment, including a requirement that these laptops be encrypted using SSA-approved methods. Of the four laptops, staff stated that only one was encrypted. DDS management noted that although the remaining three laptops did not contain encryption software, the laptops were no longer being used and were locked in a cabinet.
According to MI-DDS staff, the DDS did not record SSA-purchased computer equipment in the official State inventory system because, according to State policy, equipment with a purchase value of less than $5,000 did not need to be inventoried. As noted earlier, SSA policy requires an inventory of such equipment and does not specify a purchase value. Not maintaining adequate inventory records hinders detection of stolen or misplaced equipment. We have identified this issue in another report, and SSA agreed that the DDS should inventory laptops. We recommend that SSA instruct MI-DDS to ensure all SSA-purchased computer equipment is tracked in an inventory system that complies with SSA's policies. In addition, since SSA regional office staffs were unable to provide a master inventory list identifying all SSA-purchased computer equipment, we also recommend that the SSA Regional Office staff verify the completeness of MI-DDS' updated inventory list.
Terminated Contractor Still Had Active Directory Account
According to SSA's POMS, DDS management must ensure inactive computer accounts are disabled after 30 days of inactivity or immediately upon a user's separation from duty. However, in our review of departing staff and contractors, we found that while a former medical contractor's access to the DDS system was disabled after he retired in September 2008, MI-DDS did not disable his Active Directory account. Individuals with an Active Directory account can still sign on to SSA's system. As a result of our inquiry, MI-DDS disabled his remaining access. Of the 116 cases we reviewed, this was the only incident we identified. Moreover, we believe the risk to SSA systems was minimal since the contractor did not have physical access to SSA computer systems either in-person or remotely, which would be necessary to use his Active Directory account.
CASH MANAGEMENT
As of May 2009, excess funding authorization existed in the FYs 1999 and 2001
Automated Standard Application for Payments (ASAP) accounts in the amounts of
$16,588 and $6,985, respectively. SSA establishes the DDS funding authority
for each account in the ASAP system. Funds drawn through the ASAP system are
restricted to program use, and any unused funds are to be returned to the Department
of the Treasury within 5 years of availability. SSA immediately rescinded the
cash balances after our inquiry.
CONCLUSION AND RECOMMENDATIONS
While MI-DDS' internal controls over the accounting and reporting of administrative costs were effective, the general physical security controls can be improved. We recommend that SSA:
1. Work with MI-DDS to ensure it timely updates and submits a security plan
that meets SSA requirements.
2. Instruct MI-DDS to ensure all SSA-purchased laptop computer equipment is
encrypted with software that complies with SSA's policies.
3. Instruct MI-DDS to ensure all SSA-purchased computer equipment is tracked
in an inventory system that complies with SSA's policies.
4. Once MI-DDS has provided an updated inventory list of all SSA-purchased computer
equipment, verify the completeness of the updated inventory list.
AGENCY COMMENTS
SSA and the Michigan Department of Human Services agreed with the findings and recommendations (see Appendices D and E for these comments).
Patrick P. O'Carroll, Jr.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Background, Scope, and Methodology
APPENDIX C - Schedule of Total Costs Reported on Forms SSA-4513-State Agency
Reports of Obligations for SSA Disability Programs
APPENDIX D - SSA Comments
APPENDIX E - Michigan Department of Human Services Comments
APPENDIX F - OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
Act Social Security Act
AIMS Administrative Instructions Manual System
ASAP Automated Standard Application for Payments
C.F.R. Code of Federal Regulations
DDS Disability Determination Services
DI Disability Insurance
Form SSA-4513 State Agency Report of Obligations for SSA Disability Programs
FY Fiscal Year
MI-DDS Michigan Disability Determination Services
MRM Materiel Resources Manual
OIG Office of the Inspector General
OMB Office of Management and Budget
POMS Program Operations Manual System
Pub. L. No. Public Law Number
SSA Social Security Administration
SSI Supplemental Security Income
U.S.C. United States Code
Appendix B
Background, Scope, and Methodology
BACKGROUND
The Disability Insurance (DI) program, established under Title II of the Social Security Act (Act), provides benefits to wage earners and their families in the event the wage earner becomes disabled. The Supplemental Security Income (SSI) program, established under Title XVI of the Act, provides benefits to financially needy individuals who are aged, blind, or disabled.
The Social Security Administration (SSA) is responsible for implementing policies for the development of disability claims under the DI and SSI programs. Disability determinations under both the DI and SSI programs are performed by disability determination services (DDS) in each State, Puerto Rico, and the District of Columbia in accordance with Federal regulations. In carrying out its obligation, each DDS is responsible for determining claimants' disabilities and ensuring adequate evidence is available to support its determinations. To assist in making proper disability determinations, each DDS is authorized to purchase medical examinations, X-rays, and laboratory tests on a consultative basis to supplement evidence obtained from the claimants' physicians or other treating sources.
SSA reimburses the DDS for 100 percent of allowable expenditures up to its
approved funding authorization. The DDS withdraws Federal funds through the
Department of the Treasury's Automated Standard Application for Payments system
to pay for program expenditures. Funds drawn down must comply with Federal regulations
and intergovernmental agreements entered into by the Department of the Treasury
and States under the Cash Management Improvement Act of 1990. An advance or
reimbursement for costs under the program must comply with Office of Management
and Budget (OMB) Circular A-87, Cost Principles for State, Local, and Indian
Tribal Governments. At the end of each quarter of the Fiscal Year (FY), each
DDS submits a State Agency Report of Obligations for SSA Disability Programs
(Form SSA-4513) to account for program disbursements and unliquidated obligations.
SCOPE
To accomplish our objectives, we reviewed the administrative costs the Michigan Disability Determination Services (MI-DDS) reported on its Forms SSA-4513 for FYs 2006 and 2007. For the periods reviewed, we obtained evidence to evaluate recorded financial transactions and determine whether they were allowable under OMB Circular A-87, and appropriate, as defined by SSA's Program Operations Manual System (POMS).
We also:
Reviewed applicable Federal laws, regulations and pertinent parts of POMS and
other instructions pertaining to administrative costs incurred by MI-DDS and
the draw down of SSA funds.
Reviewed the State of Michigan Single Audit report issued in 2006.
Interviewed staff at MI-DDS and the Chicago Regional Office.
Evaluated and tested internal controls regarding accounting and financial reporting
and cash management activities.
Verified the reconciliation of official State accounting records to the administrative
costs reported by MI-DDS on Forms SSA-4513 for FYs 2006 and 2007.
Examined the administrative expenditures (Personnel, Medical, and All Other
Non-Personnel costs) incurred and claimed by MI-DDS for FYs 2006 and 2007 on
Forms SSA-4513.
Examined the Indirect costs claimed by MI-DDS for FYs 2006 and 2007 and the
corresponding Indirect Cost Rate Agreements.
Compared the amount of SSA funds drawn to support program operations to the
allowable expenditures reported on Forms SSA-4513.
Conducted limited general control testing, which encompassed reviewing the physical
access security within the DDS.
The electronic data used in our audit were sufficiently reliable to achieve our audit objectives. We assessed the reliability of the electronic data by reconciling them with the costs claimed on the Forms SSA-4513. We also conducted detailed audit testing on selected data elements in the electronic data files.
We performed our audit at the MI-DDS in Detroit, Michigan; Kalamazoo, Michigan;
Lansing, Michigan; and the Office of Audit in Chicago, Illinois, from March
through June 2009. We conducted our audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient and appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives. We believe
the evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
METHODOLOGY
SAMPLING METHODOLOGY
Our sampling methodology encompassed the four general areas of costs as reported on Forms SSA-4513: (1) Personnel, (2) Medical, (3) Indirect, and (4) All Other Non Personnel costs. We obtained computerized data from MI-DDS for FYs 2006 and 2007 for use in statistical sampling. Also, we reviewed general security controls the DDS had in place.
Personnel Costs
We sampled 50 employee salary items from 1 randomly selected pay period in FY 2007. We tested regular and overtime payroll and hours for each individual selected. We verified that approved time records were maintained and supported the hours worked. We tested payroll records to ensure the MI-DDS correctly paid employees and adequately documented these payments.
We also sampled 50 medical consultant costs from 1 randomly selected pay period in FY 2007. We determined whether sampled costs were reimbursed properly and ensured the selected medical consultants were licensed.
Medical Costs
We sampled a total of 100 medical evidence of records and consultative examination records (50 items from each FY) using a proportional random sample. We determined whether sampled costs were properly reimbursed.
Indirect Costs
We reviewed the indirect cost base and computations used to determine those costs for reimbursement purposes. Our objective was to ensure SSA reimbursed MI-DDS in compliance with the approved Indirect Cost Rate Agreement. We analyzed the approved rate used, ensuring the indirect cost rate changed when the Indirect Cost Rate Agreement was modified. We reviewed the documentation and traced the base amounts to Forms SSA-4513 for the indirect cost computation components. We determined whether the approved rate used was a provisional, predetermined, fixed or final rate.
All Other Non-Personnel Costs
We stratified All Other Non-Personnel costs into nine categories: (1) Occupancy, (2) Contracted Costs, (3) New Electronic Data Processing, (4) Equipment Rental, (5) Communications, (6) Applicant Travel, (7) DDS Travel, (8) Supplies, and (9) Miscellaneous. We selected a stratified random sample of 51 items from FY 2006 and 50 items from FY 2007 based on the percentage of costs in each category (excluding the rent portion of Detroit DDS Occupancy) to total costs. We also performed a 100-percent review of the rent portion of Occupancy expenditures for the Detroit DDS office.
General Security Controls
We conducted limited general security control testing. Specifically, we reviewed the following eight areas relating to general security controls: (1) Perimeter Security, (2) Intrusion Detection, (3) Key Management, (4) Internal Office Security, (5) Equipment Rooms, (6) Security Plan, (7) Continuity of Operations, and (8) Other Security Issues. We determined whether the general security controls the DDS had in place were satisfactory.
Personally Identifiable Information
We reviewed a random sample of various mailed documents MI-DDS produced to determine if personally identifiable information was referenced only on those deemed necessary.
Appendix C
Schedule of Total Costs Reported on Forms SSA-4513-State Agency Reports of Obligations
for SSA Disability Programs
Michigan Disability Determination Services
FISCAL YEARS (FY) 2006 and 2007 COMBINED
REPORTING ITEMS FY 2006
DISBURSEMENTS FY 2007 DISBURSEMENTS TOTAL DISBURSEMENTS
Personnel $47,970,856 $45,672,482 $93,643,338
Medical 15,976,014 14,676,886 30,652,900
Indirect 3,554,689 3,175,993 6,730,682
All Other 6,216,690 5,552,422 11,769,112
TOTAL $73,718,249 $69,077,783 $142,796,032
Note: We did not identify any unliquidated obligations during this period.
Appendix D
SSA Comments
Appendix E
Michigan Department of Human Services Comments
Appendix F
OIG Contacts and Staff Acknowledgments
OIG Contacts
Walter Bayer, Director, Chicago Audit Division
Annette Dunn, Audit Manager, Chicago Audit Division
Acknowledgments
In addition to those named above:
Elizabeth Ochoa, Auditor-in-Charge
Gregory Geisert, Auditor
Nichole Purnell, Auditor
Wai Ho Yung, Auditor
Brennan Kraje, Jr., Statistician
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig
or contact the Office of the Inspector General's Public Affairs Staff Assistant
at (410) 965-4518. Refer to Common Identification Number A 05-08-18017.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit
(OA), Office of Investigations (OI), Office of the Counsel to the Inspector
General (OCIG), Office of External Relations (OER), and Office of Technology
and Resource Management (OTRM). To ensure compliance with policies and procedures,
internal controls, and professional standards, the OIG also has a comprehensive
Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration's
(SSA) programs and operations and makes recommendations to ensure program objectives
are achieved effectively and efficiently. Financial audits assess whether SSA's
financial statements fairly present SSA's financial position, results of operations,
and cash flow. Performance audits review the economy, efficiency, and effectiveness
of SSA's programs and operations. OA also conducts short-term management reviews
and program evaluations on issues of concern to SSA, Congress, and the general
public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement
in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries,
contractors, third parties, or SSA employees performing their official duties.
This office serves as liaison to the Department of Justice on all matters relating
to the investigation of SSA programs and personnel. OI also conducts joint investigations
with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal
advisor on news releases and in providing information to the various news reporting
services. OER develops OIG's media and public information policies, directs
OIG's external and public affairs programs, and serves as the primary contact
for those seeking information about OIG. OER prepares OIG publications, speeches,
and presentations to internal and external organizations, and responds to Congressional
correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security.
OTRM also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OTRM is the focal point for OIG's strategic
planning function, and the development and monitoring of performance measures.
In addition, OTRM receives and assigns for action allegations of criminal and
administrative violations of Social Security laws, identifies fugitives receiving
benefit payments from SSA, and provides technological assistance to investigations.