OFFICE
OF
THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
ACCOUNTABILITY
OVER
DUPLICATE
PAYMENTS, EQUIPMENT AND
RECORDS IN
THE HURRICANE RECOVERY AREA
April
2007
A-06-06-26137
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
MEMORANDUM
Date: April 23, 2007
To: The Commissioner
From: Inspector General
Subject: Accountability over Duplicate Payments, Equipment and Records in the Hurricane Recovery Area (A-06-06-26137)
OBJECTIVE
Our objectives were to review the process for identifying and collecting overpayments that resulted from duplicate payments issued during the storm recovery efforts and determine whether the Social Security Administration (SSA) adequately accounted for and safeguarded equipment and records disposed of after the storms.
BACKGROUND
In the aftermath of the Gulf Coast hurricanes, SSA responded to its beneficiaries'
needs by issuing immediate payments to the individuals, as appropriate. From
August 31 through October 31, 2005, SSA issued 110,512 third-party drafts (TPD)
nationwide (see Appendix C for additional information).
Because of the widespread damage and resultant business closings, mail delivery problems, and relocation of recipients, SSA modified its procedures for issuing immediate payments. Those recipients who did not receive their benefits, by mail or electronic funds transfer, were instructed to go to any open SSA office to obtain a TPD (check). Immediate payments under Old-Age, Survivors and Disability Insurance (OASDI) and emergency payments issued for Supplemental Security Income (SSI) were issued through the Third Party Payment system (TPPS). TPPS is a register of TPDs issued to vendors for goods and services, to SSA employees for reimbursement of payments and to beneficiaries for Programmatic Emergency Advance and Immediate Payments.
In November 2005, SSA began to reconcile all TPDs to ensure they were accounted
for and correctly recorded in TPPS and that TPPS records matched the Social
Security numbers (SSN) and dollar amounts recorded in SSA's systems and records
(Master Beneficiary Record and/or Supplemental Security Record).
Additionally, numerous SSA facilities, records, and computer equipment in Regions
IV and VI were damaged by the floodwaters or contaminated and had to be destroyed.
SSA worked with General Services Administration contractors in the destruction
and disposal of 247 damaged computers and approximately 47,650 claimant files.
RESULTS OF REVIEW
SSA was proactive in ensuring its recipients' benefits continued uninterrupted and was diligent in processing immediate payments. During its November 2006 reconciliation, SSA identified overpayments that were not initially detected because of input errors. Additionally, SSA generally followed policies and procedures in disposing of equipment and records. However, we did have some concerns about the contracting process and final destruction of records in Region VI (see Appendix B for information on the Scope and Methodology).
OVERPAYMENTS DETECTED DURING THIRD-PARTY DRAFT RECONCILIATION
SSA identified 1,597 immediate payments totaling $1,231,848 that were not entered properly, which resulted in undetected overpayments. SSA mailed overpayment notices to OASDI beneficiaries and plans to collect overpayments made under the SSI program by collecting them from future benefits.
After the Gulf Coast hurricanes, SSA issued immediate payments as appropriate.
In cases where backlogs existed because of the volume of immediate payments
being issued, many offices could not keep up with TPPS data entry. In these
instances, the TPDs were manually recorded and sent to SSA Headquarters for
input.
In November 2006, SSA matched its TPPS records against SSA records and databases.
The reconciliation indicated there were overpayments not detected because of
input error, such as dollar amounts or SSNs not matching between SSA's databases.
The errors were detected, and corrections were made as necessary.
SSA reconciled immediate payments and reported that, as a part of its reconciliation, all immediate payments were recorded properly on the TPPS. To recover immediate payments that resulted in overpayments, SSA mailed overpayment notices to OASDI beneficiaries and is reducing future payments for SSI recipients.
SAFEGUARDING THE DESTRUCTION OF EQUIPMENT
SSA experienced significant equipment damage in the Gulfport and Moss Point, Mississippi areas (Region IV) and the New Orleans area (Region VI). Region IV reported 96 computers were damaged. The hard drives were removed from these computers, and they were destroyed in the presence of an SSA employee. All of the items were counted as they were hauled away.
Region VI reported that all of the 151 personal computers in the New Orleans Downtown, New Orleans East, and Kenner, Louisiana, offices were either exposed to rain or were underwater for several weeks. Representatives from the General Services Administration and Department of Health and Human Services, Federal Occupational Health Service, stated the contents of the three offices required complete disposal due to exposure to contaminated water, mold, and humidity.
SSA contracted with UNICOR/Federal Prison Industries to destroy damaged computers. An SSA Manager was present for the destruction and/or removal and ensured proper procedures were followed. The damaged equipment was removed by UNICOR/Federal Prison Industries for its destruction and recycling program. All items were shipped in locked trailers to UNICOR facilities in Texarkana, Texas.
Additionally, per SSA procedures, both Regions used Government-approved software to remove all data from the hard drives before they were crushed. UNICOR provided a Certificate of Recycling, stating that it warranties the complete disposition of the material.
Figure 1: Inside the Kenner, Louisiana, District Office
After the hurricanes, SSA purchased $761,263 in computer equipment to replace damaged computer workstations, servers, and printers.
SAFEGUARDING OF RECORDS DESTRUCTION
The floodwaters significantly damaged files in both Regions. Because the records either were no longer necessary or beyond recovery, SSA obtained approval from the National Archives and Records Administration to destroy them. In Region IV, SSA contracted with Shred-It to destroy and dispose of documents in the Gulfport and Moss Point, Mississippi offices. In Region VI, SSA contracted with Iron Mountain (through an existing General Services Administration contract) in the New Orleans, Louisiana, offices. The contractors provided Certificates of Destruction upon completion. To ensure the confidentiality of the records, background checks were conducted on all Iron Mountain personnel involved in the document destruction process. However, we learned that, while background checks were conducted on Iron Mountain employees, background checks were not conducted on the employees of American Recycling or Shred-It, who also were involved with the pick-up and destruction of the records in Region VI.
SSA's field office in Moss Point, Mississippi, reported 14,400 files damaged while the Gulfport, Mississippi, field office reported approximately 250 files damaged, all of which were deemed 100 percent destroyed. It should be noted that, in the Gulfport, Mississippi office, the damage to the active records was minimal because SSA had implemented electronic claims processing. The files were shredded on-site and witnessed by an SSA manager.
Figure 2: Inside the New Orleans, Louisiana, Downtown District Office
In the New Orleans area, about 33,000 files at the 3 locations were damaged beyond recovery. To protect the integrity of the document destruction, employees of the contracted vendor underwent background checks and picked up the records in the presence of SSA personnel. However, we found the documents were ultimately destroyed by a third-party whose employees did not undergo the required background checks, and it appears SSA was not aware the documents were transferred to a third-party for destruction.
Contract proposals received from Iron Mountain stated the Louisiana documents
(which were already boxed) would be removed and taken to an Iron Mountain facility
for destruction. However, we learned that the records were transferred to two
additional vendors, American Recycling and Shred-It. American Recycling transferred
the records to Shred-It, who ultimately destroyed the documents.
According to our interviews with SSA personnel, Iron Mountain did not fully
disclose that the documents would be transferred multiple times before they
were destroyed, compromising the integrity and confidentiality of the records.
Based on the contract, Iron Mountain was responsible for ensuring the destruction
of the documents. However, based on our interviews, while SSA employees were
present when the documents were picked up, neither SSA employees nor approved
personnel were present to verify the final destruction of those records, as
required by SSA policy.
CONCLUSION AND RECOMMENDATIONS
SSA is to be commended for its efforts in ensuring an uninterrupted flow of benefits to its beneficiaries. Our review noted that SSA was diligent in processing and verifying the immediate payments. However, its review process should be documented and incorporated as part of any future disaster recovery efforts. Additionally, SSA generally followed policies and procedures in the disposition of equipment. Still, we have some concerns over the contracting for the destruction of records. We recommend that SSA:
1. Document its process for identifying and reconciling duplicate immediate
payments and incorporate these procedures in future disaster recovery efforts.
2. Ensure Agency policies and procedures are explicitly stated in contracts
related to the disposal of records containing personally identifiable information.
3. Ensure that, when contracting with outside vendors, and personally identifiable information is involved, it is clear who will be performing the work.
4. Ensure that, when SSA records are to be destroyed, all contractor personnel involved have the requisite background checks performed and that approved personnel are present during the destruction.
AGENCY COMMENTS
SSA agreed with all our recommendations. See Appendix D for the full text of the Agency's comments.
Patrick P. O'Carroll, Jr.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Charts and Tables
APPENDIX D - Agency Comments
APPENDIX E - OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
SSA Social Security Administration
SSI Supplemental Security Income
SSN Social Security Number
TPD Third-Party Draft
TPPS Third Party Payment System
Appendix B
Scope and Methodology
Our objectives were to evaluate the process for identifying and collecting overpayments that resulted from duplicate payments issued during the storm recovery efforts and determine whether the Social Security Administration (SSA) adequately accounted for and safeguarded equipment and records disposed of after the storms.
In conducting our audit, we:
Reviewed SSA's policies, procedures, and emergency messages concerning immediate payments issued. Additionally, we reviewed SSA's control procedures and identified duplicate payments issued.
Reviewed SSA's policies, procedures, and emergency messages concerning disposition of electronic equipment. Additionally, we reviewed SSA's control procedures and safeguarding of assets during the disposition process.
Reviewed SSA's policies, procedures, and emergency messages concerning the destruction of documents.
Examined SSA's policies and procedures temporarily amended to effectively and efficiently respond to the disaster.
Reviewed SSA's reconciliation of Third-Party Drafts and Immediate Payments.
Interviewed Headquarters, Regional, and Field Office Personnel.
Made site visits to Dallas, Texas; Baltimore, Maryland; New Orleans, Louisiana; and Atlanta, Georgia to discuss reconciliation and payment procedures in the Regional and Field offices and Headquarters.
Visited Harahan, Louisiana, to interview a vendor contracted for document destruction.
We conducted our audit from May to December 2006 in accordance with generally accepted government auditing standards.
Appendix C
Charts and Tables
Beneficiaries and Recipients Impacted by the Hurricanes
Hurricane Title II Beneficiaries Title XVI Recipients Combined Total Title
II Benefits Title XVI Payments Combined Total
Katrina 652,945 134,222 787,167 $531,259 $39,334 $570,593
Rita 150,405 24,735 175,140 127,649 10,316 137,965
Totals 803,350
158,957
962,307
$658,908
$49,650
$708,558Note: Dollar amounts are in thousands (,000)
Hurricane Katrina Related Overpayments Detected after the Reconciliation of Third-Party Drafts
Total Dollar Amount
Title II 1,413 $1,164,116
Title XVI/Supplemental Security Income 184 67,732
Totals 1,597 $1,231,848
Hurricane Katrina Related Third-Party Draft Totals for the Period August 31, 2005 - October 31, 2005 (Split FY)
Total
Number of Drafts Paid Amount of Drafts
Paid Total Drafts Voided or Stopped Amount of Drafts Voided or Stopped
Retirement Survivors Income
35,903
$21,066,234
1,420
$922,153
Disability Income 29,149 16,085,471 1,220 697,739
Supplemental Security Income
45,089
21,174,412
1,360
649,372
Emergency Advance Payment
371
259,478
11
7,947
Totals 110,512 $58,585,595 4,011 $2,277,211
Appendix D
Agency Comments
SOCIAL SECURITY
MEMORANDUM
Date: April 5, 2007
To: Patrick P. O'Carroll, Jr.
Inspector General
From: Larry W. Dye/
Subject: Office of the Inspector General (OIG) Draft Report, "Accountability over Duplicate Payments, Equipment and Records in the Hurricane Recovery Area" (A-06-06-26137)-INFORMATION
We appreciate OIG's efforts in conducting this review. Our comments on the draft report content and recommendations are attached.
Let me know if we can be of further assistance. Staff inquiries may be directed to Candace Skurnik, Director, Audit Management and Liaison Staff, on extension 54636.
SSA Response
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "ACCOUNTABILITY
OVER DUPLICATE PAYMENTS, EQUIPMENT AND RECORDS IN THE HURRICANE RECOVERY AREA"
(A-06-06-26137)
Thank you for the opportunity to review and comment on the draft report. We
are pleased that the review found that: 1) we were proactive in ensuring recipients
benefits continued uninterrupted; 2) all immediate payments were recorded properly
as part of our reconciliation process and that we have taken action to recover
any overpayments; and
3) we generally followed policies and procedures in disposing of equipment and
records. Our responses to the specific recommendations are provided below:
Recommendation 1
SSA should document its process for identifying and reconciling duplicate immediate payments and incorporate these procedures in future disaster recovery efforts.
Response
We agree that the process for identifying and reconciling immediate payments issued by the Third Party Payment System (TPPS) against programmatic systems should be incorporated into future disaster recovery efforts. We will update any instructions regarding TPPS as appropriate.
Recommendation 2
SSA should ensure Agency policies and procedures are explicitly stated in contracts related to the disposal of records containing personally identifiable information.
Response
We agree. We currently have standard language regarding security background checks that is to be included in all contracts wherein the contractor will have access either to SSA facilities and/or to Agency programmatic or sensitive information. We also have standard language governing the protection of confidential information which is to be included in any contract wherein the contractor will have access to confidential information furnished via the Government. Finally, in October 2006, we finalized additional language that is to be used in all contracts wherein the contractor will have access to personally identifiable information (PII). Contracting officers are made aware of the need to use these clauses through instructions contained in the Social Security Acquisition Handbook.
Contracting officers in the Office of Acquisition and Grants (OAG) and the Regional Contracting Offices will review all acquisitions that involve the destruction or disposal of PII to ensure that they contain the afore-mentioned contract language. In April 2007, we will issue a reminder to all contracting officers about the applicability of these clauses to contracts that require the disposal or destruction of records containing PII.
Recommendation 3
SSA should ensure that, when contracting with outside vendors and personally identifiable information is involved, it is clear who will be performing the work.
Response
We agree. Contractors are currently required to "flow-down" the clauses referenced in the previous response to subcontractors. Contractor compliance with this requirement will address the concerns raised in the report regarding access to PII by persons not cleared through the Agency's security process. Additionally, by April 2007, OAG will draft language to be included in every solicitation and contract wherein the contractor will have access to PII that requires the contractor to notify the Agency of any work involving PII that is subcontracted to another entity. This language will direct the contractor to provide the contracting officer and the project officer with pertinent information about the subcontractor and the personnel involved.
Recommendation 4
SSA should ensure that, when SSA records are to be destroyed, all contractor personnel involved have the requisite background checks performed and that approved personnel are present during the destruction.
Response
We agree. OAG will assist the requiring component (i.e., the project officer's component) when requested.
Appendix E
OIG Contacts and Staff Acknowledgments
OIG Contacts
Paul Davila, Director, (214) 767-6317
Paul Wood, Audit Manager, (214) 767-0058
Acknowledgments
In addition to those named above:
Warren Wasson, Senior Auditor
For additional copies of this report, please visit our web site at www.ssa.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-06-06-26137.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations
(OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General
(OCCIG), and Office of Resource Management (ORM). To ensure compliance with
policies and procedures, internal controls, and professional standards, we also
have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social
Security Administration's (SSA) programs and operations and makes recommendations
to ensure program objectives are achieved effectively and efficiently. Financial
audits assess whether SSA's financial statements fairly present SSA's financial
position, results of operations, and cash flow. Performance audits review the
economy, efficiency, and effectiveness of SSA's programs and operations. OA
also conducts short-term management and program evaluations and projects on
issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste,
abuse, and mismanagement in SSA programs and operations. This includes wrongdoing
by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as OIG liaison to the Department of
Justice on all matters relating to the investigations of SSA programs and personnel.
OI also conducts joint investigations with other Federal, State, and local law
enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Resource Management
ORM supports OIG by providing information resource management and systems security.
ORM also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, ORM is the focal point for OIG's strategic
planning function and the development and implementation of performance measures
required by the Government Performance and Results Act of 1993.