OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
ADMINISTRATIVE COSTS CLAIMED BY THE KENTUCKY DISABILITY DETERMINATION SERVICES
February 2009
A-08-08-18059
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
MEMORANDUM
Date: February 20, 2009 Refer To:
To: Paul D. Barnes
Regional Commissioner
Atlanta
From: Inspector General
Subject: Administrative Costs Claimed by the Kentucky Disability Determination Services
(A-08-08-18059)
OBJECTIVE
For our audit of Federal Fiscal Years (FFY) 2005 and 2006 administrative costs claimed by the Kentucky Disability Determination Services (KY-DDS), our objectives were to
• evaluate the Kentucky Cabinet for Health and Family Services’ (KY CHFS) and KY DDS’ internal controls over the accounting and reporting of administrative costs;
• determine whether costs claimed by KY-DDS were allowable and funds were properly drawn; and
• assess limited areas of the general security controls environment.
BACKGROUND
Disability determinations under the Social Security Administration’s (SSA) Disability Insurance and Supplemental Security Income programs are performed by disability determination services (DDS) in each State or other responsible jurisdiction. Such determinations are required to be performed in accordance with Federal law and underlying regulations. Each DDS is responsible for determining claimants’ disabilities and assuring that adequate evidence is available to support its determinations. To make proper disability determinations, each DDS is authorized to purchase consultative examinations (CE) and medical evidence of record from the claimants’
physicians or other treating sources. SSA pays the DDS for 100 percent of allowable reported expenditures up to its approved funding authorization, based on a State Agency Report of Obligations for SSA Disability Programs (Form SSA-4513).
KY-DDS, a division of KY CHFS, is located in Frankfort, Kentucky, and its branch office is located in Louisville, Kentucky. KY CHFS maintains KY-DDS’ official accounting records and prepares its Form SSA-4513. For additional background, scope and methodology, see Appendix B.
RESULTS OF REVIEW
KY CHFS’ and KY DDS’ internal controls over the accounting and reporting of administrative costs for FFYs 2005 and 2006 were generally effective to ensure costs claimed were allowable and funds were properly drawn. However, we determined that KY DDS’ inventory controls were not sufficient. We also determined that KY DDS’ general security controls and practices did not adequately protect claimant data or ensure the ongoing security of personnel and property. In addition, KY DDS’ Security Plan did not meet SSA requirements. Moreover, SSA policy for DDSs did not always provide sufficient guidance.
INVENTORY CONTROLS NEEDED IMPROVEMENT
KY DDS did not maintain accurate and complete inventory records of computer equipment.
• We were unable to locate 26 (6.9 percent) of the 379 items randomly selected for review. While most of the 26 missing items were office furniture, 7 were computers. After our on-site inventory review, KY DDS management advised us that they located one computer and found documentation indicating three others were surplused. However, KY DDS management could not determine the status (location) of two computers. Additionally, while they believed the final missing computer had been surplused, they could not find evidence to verify this determination. We do not know whether any of these computers contained personally identifiable information (PII). However, KY DDS told us they believed that if the computers ever contained PII, it would have been erased—as this is the DDS’ customary practice when surplusing/disposing of computers.
• We also determined KY DDS did not always (1) account for and record equipment SSA purchased, (2) accurately record the location of items, (3) remove items from the inventory report that had been sold or surplused, or (4) identify the source of funds used to purchase the equipment.
SSA policy indicates that DDSs are responsible for inventory of all equipment acquired—whether purchased through SSA or the State. In addition, policy requires that DDSs record the description; source of funds used in the purchase (State or Federal); inventory or serial number; date purchased; and physical location, including building address and room or floor location, for each inventory item. Policy also requires that DDSs label equipment purchased with Federal trust funds to identify that it was SSA purchased. Because proper equipment accountability reduces the risk of loss or theft, we recommend SSA instruct KY DDS to establish adequate internal controls over inventory to ensure that inventory records are reliable and maintained in accordance with SSA policy.
GENERAL SECURITY CONTROLS WERE INSUFFICIENT
KY DDS’ general security controls were insufficient, which increased the risk of unauthorized access and loss of sensitive information and equipment. While KY DDS evaluated the Louisville office’s security controls and created a Corrective Action Plan for weaknesses identified, it did not prepare a Risk Assessment Plan. In addition, the Frankfort office’s general security controls needed improvement, and KY DDS did not prepare a Risk Assessment Plan for that office either.
SSA provides DDSs with mandatory standards for maintaining and safeguarding the Agency’s systems and claimant data, along with discretionary standards for protecting facilities and personnel. SSA also requires that DDS management prepare a Risk Assessment Plan for any physical security guideline it cannot meet.
Louisville Office’s Security Controls Were Not Adequate
Physical security controls at the building where the Louisville office is located did not adequately protect or limit access to DDS space. The Louisville office is located on four floors in a privately owned multi-tenant building.
The building was not protected with 24-hour security guard service, and the building did not have an intrusion detection system (IDS). Additionally, the perimeter walls were not of slab-to-slab construction, several perimeter doors did not have peepholes or non-rising/spot-welded hinges, and several utility boxes were not locked or secured. The computer room walls were not constructed to prevent unauthorized entry. For example, the walls were not slab-to-slab construction and did not have a chain link fence, heavy wire mesh, or motion sensor devices in the space between the false ceiling and the true ceiling. Furthermore, an elevator on one floor opened directly into KY DDS’ area. KY DDS positioned a security guard at the elevator to prevent unauthorized access during business hours, and KY DDS management told us they provided a stand-in for the guard when needed. Yet, during a site visit, we noted that the security guard had stepped away from his post, but no alternate took his place.
KY DDS’ access controls at the Louisville office were also inadequate because the DDS did not change door codes when staff with knowledge of the codes left or no longer needed to know them. In addition, KY DDS did not adequately protect or limit access to claimant data at the Louisville office because it had not implemented a clean desk policy and secured claimant records. As such, contracted personnel who cleaned the office during non-business hours had access to sensitive areas and data.
As of our last visit, the Louisville office had not implemented the security measures previously mentioned. KY DDS recognized these limitations in its 2006 and 2008 security reviews and stated in each year’s Corrective Action Plan that they were “reviewing the practice” or “considering a change.” However, KY DDS has taken no action to reduce or eliminate these vulnerabilities and did not prepare a Risk Assessment Plan that addressed these issues. In fact, KY DDS management told us they were unclear on SSA policy concerning the Risk Assessment Plan.
We recommend that SSA and KY DDS timely reduce or eliminate the physical security issues identified at the Louisville office. Furthermore, SSA should instruct KY DDS to implement a clean desk policy and ensure that all door codes are changed when staff with knowledge of the codes leave or no longer have a need to know the codes. We also recommend SSA work with KY DDS to develop a Risk Assessment Plan for the Louisville office.
Frankfort Office’s Security Controls Needed Improvement
Because KY DDS uses an IDS and guard services at the Frankfort office, we believe that the office’s overall security controls were generally adequate. However, we found some controls that needed improvement. SSA policy requires that DDSs adequately safeguard systems, claimant information, and facilities to prevent unauthorized entry, access, or disclosure. We found the following conditions at the Frankfort office.
• Although KY DDS installed an IDS at this facility in June 2007, management had not scheduled any testing. SSA’s DDS internal office security guidelines instruct DDSs to test IDSs semiannually to ensure all sensors are working properly.
• KY DDS kept its undistributed keys in an unlocked file in the Commissioner’s staff area. SSA’s internal office security guidelines direct DDSs to limit possession of office keys to management or individuals who must have them.
• KY DDS’ computer room did not have slab-to-slab construction to prevent unauthorized entry, and the DDS did not use an alternate measure, such as installing chain link fences, heavy wire mesh, or motion sensor devices in the space between the facility’s false ceiling and the true ceiling.
• Three utility boxes were unlocked. SSA’s perimeter office security guidelines instruct DDSs to keep utility boxes locked to prevent tampering.
• The DDS had not tested its uninterruptible power supply (UPS). Without testing its UPS, KY DDS could not ensure power would be adequate for orderly shutdown.
• Management was unclear on policy regarding the Risk Assessment Plan and had not prepared one for the Frankfort office.
We discussed these security control issues with KY DDS management, who generally agreed to correct each. However, KY DDS management stated that it would be costly for the building owner to raise the wall in the computer room. We recommend SSA work with KY DDS to ensure the above security control issues are addressed and develop a Risk Assessment Plan for the Frankfort office.
SECURITY PLAN NOT ADEQUATE
KY-DDS’ Security Plan for Frankfort and Louisville did not meet SSA requirements: it contained only six of the eight required parts, and those parts did not include all the required elements. Parts D (Systems Review/Recertification Plan [Technical Security]) and H (Risk Assessment/Exceptions) were missing from the Security Plan. Part A (Physical Security DDS Description/Profile) did not disclose the size of the office, and Part G (Disaster Recovery Plan) did not cite the local resources needed to operate in the event of a disaster. After discussing the Security Plan’s missing parts and elements, KY DDS management stated they will revise the Security Plan. We recommend SSA ensure KY DDS submits a revised Security Plan that meets the Agency’s requirements.
DISABILITY DETERMINATION SERVICES’ RESPONSIBILITY OVER EQUIPMENT RENTALS
Because the contract was between the Commonwealth of Kentucky and the vendor, KY CHFS believed SSA was not a party to the equipment rental agreement. However, SSA funds were used for these expenditures. In addition, KY DDS management told us they were unclear with regard to their responsibility over rental equipment.
We recommend that the Atlanta Regional Office work with SSA’s Office of Disability Determinations to review policy concerning SSA-funded rental equipment and revise it, where necessary, to provide specific guidance on DDS responsibilities. In addition, it is essential that this guidance specify whether DDSs should retain documentation regarding SSA approval, and if so, the retention period. Currently, State agencies are required to retain financial records and supporting documents pertinent to disability determinations for 3 years or until a Federal audit has been performed and all findings resolved. We believe the Agency should consider a similar retention period.
DISABILITY DETERMINATION SERVICES’ RESPONSIBILITY OVER EMPLOYEE TRAVEL
While policy requires that DDSs obtain SSA Regional Office approval before staff travels to National Association of Disability Examiners (NADE) meetings, KY DDS was unable to provide documentation that supported SSA’s approval for staff traveling to a NADE meeting. KY DDS management and SSA’s Disability Program Administrator agreed prior approval was obtained. However, no documentation was retained. We recommend that the Atlanta Regional Office work with SSA’s Office of Disability Determinations to clarify in policy whether documentation should be retained regarding SSA approval, and if so, the retention period for these approvals.
POLICY SILENT ON DISABILITY DETERMINATION SERVICES VERIFYING THAT MEDICAL CONSULTANTS HAVE NOT BEEN SANCTIONED
SSA policy does not require that DDSs review the U.S. Department of Health and Human Services, Office of Inspector General, List of Excluded Individuals/Entities to ensure medical consultants are not included on the list. This list identifies individuals and entities that are sanctioned from participating in any Federal or federally assisted program. We believe DDSs should be required to consult this list before retaining the services of all medical consultants. Therefore, we recommend the Atlanta Regional Office work with SSA’s Office of Disability Determinations to establish such a policy.
CONCLUSION AND RECOMMENDATIONS
KY CHFS and KY DDS generally had effective controls over the accounting and reporting of administrative costs for FFYs 2005 and 2006. However, our review of KY DDS’ controls over physical security and inventory disclosed that the DDS could be vulnerable to unauthorized access and loss of sensitive information and equipment. In addition, KY DDS did not have an adequate Security Plan. Furthermore, we found SSA needed to enhance its guidance to DDSs.
We recommend SSA’s Atlanta Regional Office:
1. Instruct KY DDS to establish adequate internal controls over inventory to ensure that inventory records are reliable and maintained in accordance with SSA policy.
2. Work with KY DDS to timely reduce or eliminate the Louisville office’s physical security control weaknesses.
3. Instruct KY DDS to change door codes at the Louisville office when staff with knowledge of the codes leave or no longer have a need to know them.
4. Instruct KY DDS to implement a clean desk policy at the Louisville office.
5. Instruct KY DDS to test the Frankfort office’s IDS semiannually.
6. Instruct KY DDS to keep the Frankfort office’s undistributed keys in a locked drawer or cabinet.
7. Work with KY DDS to enhance security controls for the Frankfort office’s computer room and utility boxes.
8. Instruct KY DDS to routinely test the Frankfort office’s UPS.
9. Ensure KY DDS establishes a Security Plan, which meets SSA requirements, for the Frankfort and Louisville offices—this includes developing Risk Assessment Plans for each office’s physical security vulnerabilities.
We also recommend the Atlanta Regional Office work with SSA’s Office of Disability Determinations to:
10. Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals and document retention for equipment rentals.
11. Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals and document retention for DDS staff travel to NADE conferences.
12. Establish policy that requires DDSs to review U.S. Department of Health and Human Services, Office of Inspector General, List of Excluded Individuals/Entities to determine whether medical consultants have been sanctioned from participating in any Federal or federally assisted program.
AGENCY COMMENTS AND OIG RESPONSE
SSA agreed with our recommendations. We appreciate that the Regional Office provided guidance to the DDS for Recommendations 10 through 12; however, we believe the region needs to work with SSA’s Office of Disability Determinations to “document” these policies so all DDSs will be held to the same standards. The full text of SSA’s and KY-CHFS’ comments are included in Appendices D and E.
OTHER MATTER
CLAIMANTS’ PERSONALLY IDENTIFIABLE INFORMATION DISCLOSED TO THIRD PARTIES WHO MAY NOT NEED TO KNOW
KY DDS routinely disclosed disability claimants’ PII to vendors. During the disability determination process, KY DDS purchases services that include medical evidence (CE and medical evidence of record) and claimant travel. Our review of medical and applicant travel invoices revealed that these documents contained PII including names, addresses, dates of birth, Social Security numbers (SSN), and telephone numbers. Although we have no reason to believe this information had been abused, this practice potentially could result in the misuse of claimants’ PII.
Federal guidance dictates that agencies should reduce their current holdings of all PII to the minimum necessary for the proper performance of a documented agency function. Agencies must also review their use of SSNs in agency systems and programs to identify instances in which collection and use of the SSN is superfluous.
On October 5, 2007, SSA’s Office of Disability Determinations informed Regional Offices that DDSs should review their processes to eliminate the use of SSNs on correspondence where possible. Given the prevalence of identity theft, we encourage KY CHFS and KY DDS to take steps to limit the disclosure of PII (in particular, redact or truncate claimants’ SSNs) in all third-party correspondence.
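One mechanical way to apply the "redact or truncate" advice above to outgoing vendor documents is shown below. This is an added example for this page, not code from SSA, KY CHFS or the Kentucky DDS; the invoice text is constructed, and the function names and the masking format are assumptions. The plausibility rules it uses (SSA never issues an area number of 000, 666 or 900-999, a group number of 00, or a serial number of 0000) are SSA's published SSN structure and serve only to cut false positives on other nine-digit numbers.

```python
"""Truncate Social Security numbers in outgoing third-party documents.

Added example for this page; not code from SSA or the Kentucky DDS. The
invoice below is a constructed sample, and the function names and masking
format are assumptions.
"""
import re

# 3-2-4 digit groups separated by '-', ' ' or nothing, and not embedded in a
# longer run of digits (so a 10-digit phone number is never partly matched).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Constructed sample of a CE invoice like the ones the report describes
# (claimant name, DOB, SSN and phone all present). Not real claimant data.
SAMPLE_INVOICE = """\
CONSULTATIVE EXAMINATION INVOICE (constructed sample, not a real claimant)
Claimant: Jane Q. Sample    DOB: 01/02/1960
SSN: 123-45-6789            Phone: 502-555-0134
Reference SSN 123456789 on remittance.
Vendor tax ID: 61-1234567
Amount due: $185.00
"""


def is_plausible_ssn(area, group, serial):
    """Reject digit patterns SSA never issues; they are not SSNs."""
    if area in ("000", "666") or area >= "900":   # 3-char strings compare as numbers here
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return every plausible SSN in text, normalized to 3-2-4 form, in order."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
            if is_plausible_ssn(a, g, s)]


def truncate_ssns(text, keep_last=4):
    """Mask each plausible SSN, keeping only its last `keep_last` digits.

    keep_last=4 turns 123-45-6789 into ***-**-6789; keep_last=0 redacts it
    entirely. Non-SSN digit strings (phone numbers, tax IDs) are left alone.
    """
    def _mask(m):
        a, g, s = m.groups()
        if not is_plausible_ssn(a, g, s):
            return m.group(0)
        digits = a + g + s
        masked = "*" * (9 - keep_last) + digits[9 - keep_last:]
        return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"
    return SSN_RE.sub(_mask, text)


if __name__ == "__main__":
    print(truncate_ssns(SAMPLE_INVOICE))
```

Truncation is a minimization step, not anonymization: the last four digits next to a name and date of birth still identify the claimant, so the stronger fix the report points toward is to key vendor correspondence on a case or invoice reference and keep the SSN out of it altogether. Run the filter at the point where the document leaves the DDS (print or mail-merge), not on the stored record, so the internal file stays complete.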
/s/
Patrick P. O’Carroll, Jr.
Appendices
APPENDIX A – Acronyms
APPENDIX B – Background, Scope and Methodology
APPENDIX C – Schedule of Total Costs Reported on Form SSA-4513—State Agency Report of Obligations for Social Security Administration Disability Programs
APPENDIX D – Agency Comments
APPENDIX E – Kentucky Cabinet for Health and Family Services Comments
APPENDIX F – OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
Act Social Security Act
C.F.R. Code of Federal Regulations
CE Consultative Examination
DDS Disability Determination Services
DI Disability Insurance
FFY Federal Fiscal Year
IDS Intrusion Detection System
KY CHFS Kentucky Cabinet for Health and Family Services
KY-DDS Kentucky Disability Determination Services
NADE National Association of Disability Examiners
OMB Office of Management and Budget
OIG Office of the Inspector General
PII Personally Identifiable Information
POMS Program Operations Manual System
SSA Social Security Administration
SSI Supplemental Security Income
SSN Social Security Number
UPS Uninterruptible Power Supply
Form SSA-4513 State Agency Report of Obligations for SSA Disability Programs
Appendix B
Background, Scope and Methodology
BACKGROUND
The Disability Insurance (DI) program, established under Title II of the Social Security Act (Act), provides benefits to wage earners and their families in the event the wage earner becomes disabled. The Supplemental Security Income (SSI) program, established under Title XVI of the Act, provides benefits to financially needy individuals who are aged, blind, and/or disabled.
The Social Security Administration (SSA) is responsible for implementing policies for the development of disability claims under the DI and SSI programs. Disability determinations under both the DI and SSI programs are performed by disability determination services (DDS) in each State, Puerto Rico, and the District of Columbia. Such determinations are required to be performed in accordance with Federal law and underlying regulations. In carrying out its obligation, each DDS is responsible for determining claimants’ disabilities and ensuring that adequate evidence is available to support its determinations. To assist in making proper disability determinations, each DDS is authorized to purchase medical examinations, X-rays, and laboratory tests on a consultative basis to supplement evidence obtained from the claimants’ physicians or other treating sources.
SSA reimburses the DDS for 100 percent of allowable reported expenditures up to its approved funding authorization. The DDS withdraws Federal funds through the Department of the Treasury’s Automated Standard Application for Payments System to pay for program expenditures. Funds drawn down must comply with Federal regulations and intergovernmental agreements entered into by the Department of the Treasury and States under the Cash Management Improvement Act of 1990. An advance or reimbursement for costs under the program must comply with Office of Management and Budget (OMB) Circular A-87, Cost Principles for State, Local, and Indian Tribal Governments. At the end of each quarter of the Federal Fiscal Year (FFY), each DDS submits a State Agency Report of Obligations for SSA Disability Programs (Form SSA-4513) to account for program disbursements and unliquidated obligations.
SCOPE
To accomplish our objectives, we reviewed the administrative costs Kentucky Disability Determination Services (KY DDS) reported on its Form SSA-4513 for FFYs 2005 and 2006. For the periods reviewed, we obtained evidence to evaluate recorded financial transactions and determine whether they were allowable under OMB Circular A-87 and appropriate, as defined by SSA’s Program Operations Manual System (POMS).
We also:
• Reviewed applicable Federal laws, regulations and pertinent parts of POMS DI 39500, DDS Fiscal and Administrative Management, and other instructions pertaining to administrative costs incurred by KY DDS and draw down of SSA funds.
• Interviewed Kentucky Cabinet for Health and Family Services and KY DDS staff and corresponded with SSA Regional Office personnel.
• Evaluated and tested internal controls regarding accounting and financial reporting and cash management activities.
• Verified the reconciliation of official State accounting records to the administrative costs reported by KY DDS on Form SSA-4513 for FFYs 2005 and 2006.
• Examined the administrative expenditures (personnel, medical service, and all other non-personnel costs) incurred and claimed by KY DDS for FFYs 2005 and 2006 on Form SSA-4513.
• Examined the indirect costs claimed by KY DDS for FFYs 2005 and 2006 and the corresponding Indirect Cost Rate Agreements.
• Compared the amount of SSA funds drawn to support program operations to the allowable expenditures reported on Form SSA-4513.
• Reviewed the State of Kentucky Single Audit reports issued in 2005 and 2006.
• Conducted limited general control testing—which encompassed reviewing the physical access security in the DDS.
The electronic data used in our audit were sufficiently reliable to achieve our audit objectives. We assessed the reliability of the electronic data by reconciling them with the costs claimed on the Form SSA-4513. We also conducted detailed audit testing on selected data elements in the electronic data files.
We performed our audit at the KY DDS in Frankfort and Louisville, Kentucky, and the Office of Audit in Birmingham, Alabama, from March through September 2008. We conducted our audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
METHODOLOGY
Our sampling methodology encompassed the four general areas of costs as reported on Form SSA-4513: (1) personnel, (2) medical, (3) indirect, and (4) all other non-personnel costs. We obtained computerized data from KY DDS for FFYs 2005 and 2006 for use in statistical sampling. Also, we reviewed general security controls the DDS had in place.
Personnel Costs
We sampled 50 employee salary items from 1 randomly selected pay period in FFY 2006. We tested regular and overtime payroll and hours for each individual selected. We verified that approved time records were maintained and supported the hours worked. We tested payroll records to ensure KY DDS correctly paid employees and adequately documented these payments.
We reviewed all 39 medical consultants’ costs from 1 randomly selected pay period in FFY 2006. We determined whether sampled costs were reimbursed properly and ensured the selected medical consultants were licensed.
Medical Costs
We sampled a total of 100 medical evidence of records and consultative examination records (50 items from each FFY) using a proportional random sample. We determined whether sampled costs were properly reimbursed.
Indirect Costs
We reviewed the indirect cost base and computations used to determine those costs for reimbursement purposes. Our objective was to ensure SSA reimbursed KY DDS in compliance with the approved Indirect Cost Rate Agreement. We analyzed the approved rate used, ensuring the indirect cost rate changed when the Indirect Cost Rate Agreement was modified. We reviewed the documentation and traced the base amounts to Form SSA-4513 for the indirect cost computation components. We determined whether the approved rate used was a provisional, predetermined, fixed, or final rate.
All Other Non-Personnel Costs
We stratified all other non-personnel costs into nine categories: (1) Occupancy, (2) Contracted Costs, (3) Electronic Data Processing Maintenance, (4) Equipment Purchases and Rental, (5) Communications, (6) Applicant Travel, (7) DDS Travel, (8) Supplies, and (9) Miscellaneous. We selected a stratified random sample of 50 items from each FFY based on the percentage of costs in each category (excluding the rent portion of Occupancy) to total costs. We also performed a 100 percent review of the rent portion of Occupancy expenditures.
General Security Controls
We conducted limited general security control testing. Specifically we reviewed the following eight areas relating to general security controls: (1) Perimeter Security, (2) Intrusion Detection, (3) Key Management, (4) Internal Office Security, (5) Equipment Rooms, (6) Security Plan, (7) Continuity of Operations, and (8) Other Security Issues. We determined whether the general security controls the DDS had in place were satisfactory.
INVENTORY
We reviewed 25 percent of KY DDS’ inventory items. We used KY DDS’ current listing of equipment purchased to randomly select our sample items. We selected 255 items for Frankfort and 124 for Louisville. For each sample item, we determined whether the item was currently at the location listed or KY DDS had disposal documentation to support its prior existence.
Appendix C
Schedule of Total Costs Reported on Form SSA-4513—State Agency Report of Obligations for Social Security Administration Disability Programs
Kentucky Disability Determination Services
FEDERAL FISCAL YEARS (FFY) 2005 and 2006 COMBINED
Reporting Items   Disbursements   Unliquidated Obligations   Total Obligations
Personnel           $47,639,421                         $0         $47,639,421
Medical              18,838,195                     10,100          18,848,295
Indirect              4,460,903                          0           4,460,903
All Other             9,196,399                    127,926           9,324,325
TOTAL               $80,134,918                   $138,026         $80,272,944
FFY 2005
Reporting Items   Disbursements   Unliquidated Obligations   Total Obligations
Personnel           $23,601,423                         $0         $23,601,423
Medical               9,305,310                          0           9,305,310
Indirect              2,291,485                          0           2,291,485
All Other             5,119,460                          0           5,119,460
TOTAL               $40,317,678                         $0         $40,317,678
FFY 2006
Reporting Items   Disbursements   Unliquidated Obligations   Total Obligations
Personnel           $24,037,998                         $0         $24,037,998
Medical               9,532,885                     10,100           9,542,985
Indirect              2,169,418                          0           2,169,418
All Other             4,076,939                    127,926           4,204,865
TOTAL               $39,817,240                   $138,026         $39,955,266
Appendix D
Agency Comments
SOCIAL SECURITY
Refer To: J. Irwin 2-1407
MEMORANDUM
Date: January 16, 2008
To: Inspector General
From: Regional Commissioner
Atlanta
Subject: Administrative Costs Claimed by the Kentucky Disability
Determinations Services (A-08-08-18059)
Thank you for the opportunity to comment on the findings and the recommendations presented in your draft report of the Kentucky Disability Determinations Services (KY DDS). We believe that the Office of Inspector General (OIG) Audit regarding internal controls over the accounting and reporting of administrative costs, the proper drawdown of funds, the accuracy of costs claimed, and the assessment of the KY DDS’ limited areas of general security controls environment, was detailed and thorough.
Specifically, our comments on the twelve recommendations are as follows:
1. Instruct KY-DDS to establish adequate internal controls over inventory to ensure that inventory records are reliable and maintained in accordance with SSA policy.
We agree with the recommendation. KY has taken action to resolve this issue. During the OIG audit, the KY DDS was not able to locate seven items identified as computer equipment that may contain Personally Identifiable Information (PII). The seven items were initially believed to consist of three servers, three workstations and one laptop computer. A PII report was made 12/4/08 to the NCSC based on an example provided to the DDS by OIG from a similar review (CAPRS # 740977). After a records search, the DDS was able to locate inventory records for all but two of the computers; however, DDS review indicates that it is highly unlikely that any PII was actually compromised.
The KY DDS stated that a process has been implemented to ensure that internal controls over inventory are reliable and maintained in accordance with SSA policy. The KY DDS met with Parent Agency representatives to develop a process that would improve inventory controls. The Parent Agency has given the DDS more direct control over inventory management. In December 2008, the DDS created a team of six employees, led by an Inventory Delegated Authority, who will manage all DDS inventory. These six employees have each completed two state-sponsored training classes on the state accounting system (eMars). The team is in the process of tagging and entering all of the KY DDS’ fixed assets into eMars. No further action is required.
2. Work with KY DDS to timely reduce or eliminate the Louisville office’s physical security control weaknesses.
We agree with this recommendation. KY has been provided clarification on SSA’s physical security policy for preparing Risk Assessment Plans for all offices. Most of the information for the KY DDS Security Plan exists; however, it had not been put into the most current format. The KY DDS Security Officer is reviewing current security plans to ensure that they meet SSA’s requirements; this action will be completed before March 31, 2009.
KY has requested funding for the security equipment that will address the Louisville Office’s physical security control weaknesses cited in the OIG report. The Region has approved the request and forwarded it to the Office of Disability Determinations (ODD) for review and funding. The request includes a door access system for the entire office, an intrusion detection system (IDS), security cameras, and partition walls and doors. The total cost of the project is estimated to be $35,875. We will continue to work with KY until the project is completed.
3. Instruct KY DDS to change door codes at the Louisville office when staff with knowledge of the codes leaves or no longer has the need to know them.
We agree with this recommendation. In January 2008, Kentucky implemented a policy to change door codes every quarter or sooner if an employee leaves the DDS. The Louisville office manager will ensure that action is taken to change the door codes quarterly and/or when someone leaves the Louisville office. Funding has been requested and forwarded to ODD to make changes to have a badge access system on all doors. We will continue to work with the DDS until the badge access system is completed.
4. Instruct the KY DDS to implement a clean desk policy at the Louisville office.
We agree with this recommendation. The KY DDS has already implemented a clean desk policy at the Frankfort and Louisville offices. No further action is necessary.
5. Instruct KY DDS to test the Frankfort office’s IDS semi-annually.
We agree with this recommendation. KY DDS has already implemented a policy to have office IDS equipment tested semi-annually. On January 12, 2009, a representative from the KY DDS’ security vendor performed a test of all IDS equipment in the Frankfort office. This will be performed semi-annually as recommended by OIG. No further action is necessary.
6. Instruct the KY DDS to keep the Frankfort office’s undistributed keys in a locked drawer or cabinet.
We agree with this recommendation. The KY DDS has already implemented a policy to keep undistributed keys secure. The DDS has organized all of the undistributed keys and they are now kept in a locked cabinet in the Building Manager’s office. The Building Manager’s office is locked when it is not occupied. No further action is necessary.
7. Work with the KY DDS to enhance security controls for the Frankfort office’s computer room and utility boxes.
We agree with this recommendation. KY has already taken action to secure the Frankfort computer room and utility boxes. The DDS has requested funding for the installation of motion detectors for the Frankfort computer room. The DDS has also contacted the building owner and the Parent Agency facilities personnel to inquire about having a chain-link fence installed around the utility boxes in the mailroom. We will continue to work with the DDS until the motion detector and a chain-link fence are installed in Frankfort.
8. Instruct the KY DDS to routinely test the Frankfort office’s uninterruptible power supply.
We agree with this recommendation. KY has already implemented a policy to routinely test the Frankfort Office’s uninterruptible power supply. The DDS has made arrangements to test the computer room UPS before the end of the first quarter of calendar year 2009. Plans are to perform the test once a quarter. No further action is necessary.
9. Ensure KY DDS establishes a Security Plan, which meets SSA requirements, for the Frankfort and Louisville offices—this includes developing Risk Assessment Plans for each office’s physical security vulnerabilities.
We agree with this recommendation. KY has recently updated security plans in place for both Frankfort and Louisville offices. DDS management has been reminded to develop risk assessments of their facilities (location, crime rate, current security level, etc.), and they will comply. The KY DDS Security Officer is currently reviewing the security plans for both the Frankfort and Louisville offices to ensure that the plans meet SSA’s requirements. The review will be completed before March 31, 2009. The DDS and SSA will continue to monitor these plans to ensure compliance.
10. Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals and document retention for equipment rentals.
We agree with this recommendation. SSA has provided policy clarification to KY and the DDS will continue to follow SSA requirements to obtain prior approvals and retain proper document retention for equipment rentals. No further action is necessary.
11. Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals and document retention for DDS staff travel to NADE conferences.
POM policy is very clear on this issue; approval for DDS staff travel to NADE conferences must be obtained prior to travel. The KY DDS has always followed SSA’s policy for obtaining approval; however, the DDS was unable to locate documentation of approvals. SSA discussed travel policy and document retention with Kentucky and they will comply. No further action is necessary.
12. Establish policy that requires DDSs to review U.S. Department of Health and Human Services, Office of Inspector General, List of Excluded Individuals/Entities to determine whether medical consultants have been sanctioned from participating in any Federal or Federally assisted program.
We agree with this recommendation. The DDS already has this policy in place. A DDS employee is already designated to complete this task. The employee prints the information off the OIG website and highlights the vendors for KY and the surrounding states; then checks the DDS Vendor File to see if the vendors identified/performed consultative exams or if they are a MER vendor. If any problems are identified, then the problem is taken to the person who maintains the vendor file to take appropriate action to remove the vendor. No further action is necessary.
Also, we believe KY DDS should take steps to exclude the SSN from documents it sends to third parties.
We agree with this recommendation. The KY DDS implemented the policy to remove SSNs from documents sent to third parties in November 2007. No further action is necessary.
Please direct any questions you may have to Josie Irwin at (404) 562-1407.
Paul D. Barnes
cc: Stephen C. Jones
Josie Irwin
Appendix E
Kentucky Cabinet for Health and Family Services Comments
January 23, 2009
Ms. Kimberly Byrd
Director
Social Security Administration
Office of the Inspector General
Atlanta Audit Division – Birmingham
Office of Audit
1200 8th Avenue North, 8th floor
Birmingham, AL 35285
Dear Ms. Byrd:
We appreciate the work that the Social Security Administration, Office of the Inspector General, did in auditing the fiscal reporting and security controls of the Kentucky Cabinet for Health and Family Services. We also appreciate the opportunity to comment on the findings and the recommendations presented in your report of the Kentucky Disability Determinations Services (KY DDS).
The Kentucky Cabinet for Health and Family Services is committed to following the policies and regulations of the Social Security Administration. As noted in our response, we agree with all of your findings and in most cases we have already put plans into place to improve our controls.
Attached you will find our response to your findings. If you should have any questions about our responses, please do not hesitate to call DDS Commissioner Stephen Jones at 502-564-5028 or my office at 502-564-7042.
Sincerely,
Janie Miller
Secretary
cc: Patrick P. O’Carroll, Jr.
SSA Inspector General
Stephen Jones
Commissioner, Department for Income Support
1) Instruct the Kentucky Disability Determination Services (KY DDS) to establish adequate internal controls over inventory to ensure that inventory records are reliable and maintained in accordance with Social Security Administration (SSA) policy.
We agree with the recommendation. After a records search, the KY DDS was able to locate inventory records for all but two of the computers. KY DDS review indicated that it is highly unlikely that any Personally Identifiable Information (PII) was actually compromised.
The KY DDS has implemented a new inventory control process to ensure that internal controls over inventory are reliable and maintained in accordance with SSA policy. The KY DDS has met with Cabinet for Health and Family Services (CHFS) inventory employees to develop a process that will improve inventory controls. The DDS has been given more direct control over inventory management. In December 2008, the KY DDS created a team of 6 employees, led by an Inventory Delegated Authority, who will manage all KY DDS inventory. These 6 employees have each completed 2 state-sponsored training classes on the state accounting system (eMars). The team is in the process of tagging and entering all of the KY DDS’s fixed assets into eMars.
2) Work with KY DDS to timely reduce or eliminate the Louisville branch office’s physical security control weaknesses.
We agree with this recommendation. We have been provided with clarification on the SSA physical security policy for preparing Risk Assessment Plans for all offices. Most of the information for the KY DDS Security Plan exists; however, it had not been put into the most current format. The KY DDS Security Officer is reviewing current Security Plans to ensure that they meet SSA’s requirements; this action will be completed before March 31, 2009.
We have requested funding for security equipment that will address the Louisville DDS branch office’s physical security control weaknesses cited in the Office of the Inspector General’s (OIG) report. Josie Irwin, the Kentucky Disability Program Administrator (DPA), has informed us that the Atlanta Region has approved the request and forwarded it to the Office for Disability (OD) for review and funding. The request includes a door access system for the entire office, an intrusion detection system, security cameras, and partition walls and doors. The total cost of the project is estimated to be $35,875.
The KY DDS has instituted a clean-desk policy in the Louisville and Frankfort offices.
3) Instruct KY DDS to change door codes at the Louisville office when staff with knowledge of the codes leaves or no longer has the need to know them.
We agree with this recommendation. In January 2008, the KY DDS implemented a policy to change door codes every quarter, or when someone is terminated. During 2008 the Louisville DDS branch office manager changed the door codes on a regular basis. Most recently the codes were changed in January 2009. Funding has been requested to have a badge access system installed on all doors.
4) Instruct the KY DDS to implement a clean desk policy at the Louisville branch office.
We agree with this recommendation. The KY DDS has implemented a clean desk policy at the Frankfort and Louisville offices.
5) Instruct KY DDS to test the Frankfort office’s IDS semi-annually.
We agree with this recommendation. The KY DDS has implemented a policy to have office IDS equipment tested semi-annually. On January 12, 2009, a representative from the DDS’s security vendor performed a test of all IDS equipment in the Frankfort office. This will be performed semi-annually as recommended by OIG.
6) Instruct the KY DDS to keep the Frankfort office’s undistributed keys in a locked drawer or cabinet.
We agree with this recommendation. The Kentucky DDS has implemented a policy to keep undistributed keys secure. The Kentucky DDS has organized all of the undistributed keys and they are now kept in a locked cabinet in the Building Manager’s office. The Building Manager’s office is locked when it is not occupied.
7) Work with the KY DDS to enhance security controls for the Frankfort office’s computer room and utility boxes.
We agree with this recommendation. The KY DDS has taken action to secure the Frankfort computer room and utility boxes. The KY DDS has requested funding for the installation of motion detectors for the Frankfort computer room. The KY DDS has also contacted the building owner and the parent agency facilities personnel to inquire about having a chain-link fence installed around the utility boxes in the mailroom.
8) Instruct the KY DDS to routinely test the Frankfort office’s uninterruptible power supply (UPS).
We agree with this recommendation. The KY DDS has implemented a policy to routinely test the Frankfort Office’s UPS. The KY DDS has made arrangements to test the computer room UPS before the end of the 1st quarter of calendar year 2009. Plans are to perform the test on a regular basis.
9) Ensure KY DDS establishes a Security Plan, which meets SSA requirements, for the Frankfort and Louisville offices—this includes developing Risk Assessment Plans for each office’s physical security vulnerabilities.
We agree with this recommendation. The Kentucky DDS Security Officer is reviewing the current security plan for both Frankfort and Louisville to ensure that the plans meet SSA’s requirements; the review will be completed before March 31, 2009.
10) Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals and document retention for equipment rentals.
We agree with this recommendation. The Kentucky Disability Program Administrator has provided policy clarification to the KY DDS. The KY DDS will follow SSA requirements to obtain prior approvals and retain documents for equipment rentals.
11) Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals and document retention for DDS staff travel to NADE conferences.
We agree with this recommendation. The KY DDS follows SSA’s policy for obtaining approval; however, for the period involved in the audit, they were unable to locate documentation of approvals. SSA discussed travel policy and document retention with Kentucky. In the future, Kentucky will retain travel authorization documents according to SSA policy.
12) Establish policy that requires DDSs to review U.S. Department of Health and Human Services, Office of Inspector General, List of Excluded Individuals/Entities to determine whether medical consultants have been sanctioned from participating in any Federal or Federally assisted programs.
The KY DDS already has this policy in place. A KY DDS employee completes this task every month.
OTHER MATTER:
Also, we believe KY DDS should take steps to exclude the SSN from documents it sends to third parties.
The KY DDS implemented a policy to remove Social Security Numbers from documents sent to third parties in November 2007.
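The exclusion-list check described under recommendation 12 in both responses above (an employee pulls the HHS OIG List of Excluded Individuals/Entities, highlights the Kentucky and surrounding-state entries, and compares them against the DDS vendor file) is a screening procedure that can be automated. The following is an added illustration, not code from the report, SSA or the KY DDS. The exclusion rows follow the column layout of the HHS OIG LEIE CSV download (assumed here; only a subset of columns is used), the vendor-file layout is invented because the page does not give it, and every name, date and exclusion type is constructed for the example.

```python
import csv
import io
import re

# Constructed sample rows in the column layout of the HHS OIG LEIE CSV download
# (assumption: only the columns used here are shown; the real file has more).
# Every name, exclusion type and date below is invented for this example.
SAMPLE_LEIE_CSV = """LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,STATE,EXCLTYPE,EXCLDATE,REINDATE
DOE,JOHN,A,,KY,1128b4,20070315,00000000
SMITH,JANE,,,OH,1128a1,20050101,20080601
,,,ACME MEDICAL IMAGING LLC,TN,1128b7,20081101,00000000
BROWN,ROBERT,,,CA,1128a1,20060501,00000000
"""

# Constructed DDS vendor file (assumption: the page does not give its real layout).
# CE = consultative examiner, MER = medical evidence of record vendor.
SAMPLE_VENDOR_CSV = """vendor_id,vendor_name,state,vendor_type
V001,"Doe, John A., M.D.",KY,CE
V002,"Jane Smith, Ph.D.",OH,CE
V003,Acme Medical Imaging L.L.C.,TN,MER
V004,"Green, Alice",IN,CE
"""

# Kentucky and its neighbouring states, the scope the memo describes.
KY_AND_NEIGHBORS = {"KY", "IL", "IN", "OH", "WV", "VA", "TN", "MO"}

# Credential and entity suffixes that should not affect a name match.
SUFFIXES = {"MD", "DO", "PHD", "PSYD", "LLC", "INC", "PC", "PLLC", "JR", "SR"}


def name_tokens(name):
    """Uppercase, drop periods and other punctuation, and strip credential suffixes,
    so 'Doe, John A., M.D.' becomes ['DOE', 'JOHN', 'A']."""
    cleaned = re.sub(r"[^A-Z0-9 ]", " ", name.upper().replace(".", ""))
    return [t for t in cleaned.split() if t not in SUFFIXES]


def load_exclusions(text, as_of_yyyymmdd, states=None):
    """Parse LEIE-style rows into {lookup key: row}, keeping only exclusions still
    active on the check date. Assumption: REINDATE of 00000000 (or blank) means the
    individual/entity has not been reinstated; dates compare as YYYYMMDD strings."""
    active = {}
    for row in csv.DictReader(io.StringIO(text)):
        if states and row["STATE"] not in states:
            continue
        rein = row["REINDATE"].strip()
        if rein and rein != "00000000" and rein <= as_of_yyyymmdd:
            continue  # reinstated on or before the check date, no longer excluded
        if row["BUSNAME"].strip():
            active[("BUS", " ".join(name_tokens(row["BUSNAME"])))] = row
        else:
            last = " ".join(name_tokens(row["LASTNAME"]))
            first = " ".join(name_tokens(row["FIRSTNAME"]))
            active[("PERSON", last, first)] = row
    return active


def vendor_keys(vendor_name):
    """Candidate lookup keys for one vendor-file name: the whole name as a business,
    plus 'Last, First' and 'First Last' readings for a person. Multi-word surnames
    are not handled by this simple tokenizer."""
    toks = name_tokens(vendor_name)
    keys = [("BUS", " ".join(toks))]
    if len(toks) >= 2:
        keys.append(("PERSON", toks[0], toks[1]))   # "Doe, John ..."
        keys.append(("PERSON", toks[-1], toks[0]))  # "Jane Smith"
    return keys


def screen_vendors(vendor_text, exclusions):
    """Return (vendor_id, vendor_name, vendor_type, exclusion_type) for every vendor
    whose name matches an active exclusion; these are the rows to hand to the
    vendor-file owner for removal."""
    hits = []
    for v in csv.DictReader(io.StringIO(vendor_text)):
        for key in vendor_keys(v["vendor_name"]):
            if key in exclusions:
                hits.append((v["vendor_id"], v["vendor_name"],
                             v["vendor_type"], exclusions[key]["EXCLTYPE"]))
                break
    return hits


def run_sample(as_of_yyyymmdd="20090123"):
    """Screen the constructed vendor file against the constructed exclusion list."""
    exclusions = load_exclusions(SAMPLE_LEIE_CSV, as_of_yyyymmdd, KY_AND_NEIGHBORS)
    return screen_vendors(SAMPLE_VENDOR_CSV, exclusions)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Run as-is, the sample flags the excluded physician and the excluded imaging business but not Jane Smith, whose constructed exclusion was reinstated before the check date; re-running with an earlier check date picks her up as well. Matching only on normalized names produces false positives for common names, so in practice a hit is the start of a manual review (the step the memo assigns to the person who maintains the vendor file), not an automatic removal.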
Appendix F
OIG Contacts and Staff Acknowledgments
OIG Contacts
Kimberly A. Byrd, Director, (205) 801-1650
Theresa Roberts, Audit Manager, (205) 801-1619
Acknowledgments
In addition to those named above:
Hollie Reeves, Senior Auditor
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number A-08-08-18059.
DISTRIBUTION SCHEDULE
Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.