A-09-07-27154 - Alternate Format

OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

SOCIAL SECURITY CARDS
MAILED TO THE SOCIAL SECURITY
ADMINISTRATION'S FIELD OFFICES

August 2008

A-09-07-27154

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: August 19, 2008

To: The Commissioner

From: Inspector General

Subject: Social Security Cards Mailed to the Social Security Administration's Field Offices (A 09 07 27154)

OBJECTIVE

Our objective was to evaluate the Social Security Administration's (SSA) controls over the receipt, safeguarding, and disposition of Social Security cards mailed to its field offices (FO).

BACKGROUND

In Fiscal Year (FY) 2007, SSA processed approximately 17.4 million applications for Social Security cards: about 11.7 million replacement Social Security cards and 5.7 million original Social Security cards. SSA generally mails Social Security cards to the address where the applicant resides. Occasionally, applicants may request to pick up their card at an FO. Specifically, applicants who plan to relocate but do not have a forwarding address, are homeless, or have experienced problems receiving mail may have their Social Security cards mailed to an FO. Any cards mailed to an SSA office should be addressed directly to the FO manager.

We identified 20,362 Social Security cards that were mailed to FOs in the United States and District of Columbia in FY 2007. We evaluated the adequacy of SSA's policies and procedures by reviewing the FO with the highest number of cards mailed to the office in each of SSA's 10 regions. These FOs received 5,740 Social Security cards in FY 2007.

RESULTS OF REVIEW

SSA needs to strengthen its controls over the receipt, safeguarding, and disposition of Social Security cards mailed to its FOs. Of the 10 FOs selected for review, we found that

9 did not have formal, written policies to ensure proper receipt, control, and disposition of Social Security cards mailed to the office;

7 did not maintain logs to determine whether Social Security cards were received in the mail, picked up by the applicant, or destroyed by the office;

5 did not ensure Social Security cards were properly secured at all times; and

10 did not always address Social Security cards to the FO manager, as required.

As a result, the Social Security cards mailed to FOs may have been susceptible to loss or theft. This occurred, in part, because (1) SSA's policies did not provide national guidance for securing, monitoring, tracking, or, if necessary, destroying Social Security cards received in the mail and (2) FOs were not fully aware that Social Security cards mailed to the office should be addressed to the FO manager.

LACK OF FORMAL POLICIES AND PROCEDURES

We found that 9 of 10 FOs did not have formal, written policies and procedures to ensure proper receipt, safeguarding, and disposition of Social Security cards mailed to the office (see Appendix B). Although the FOs had generally developed informal guidelines for handing Social Security cards received in the mail, we found the lack of formal policies and procedures had resulted in inconsistent practices between the FOs. We believe national guidance is necessary to ensure Social Security cards are properly controlled and safeguarded at all FOs.

Although SSA's policies require that detailed records be maintained for claimant checks mailed to an FO, they do not provide national guidance for securing, monitoring, tracking, or, if necessary, destroying Social Security cards mailed to FOs.

As a result of a prior OIG audit, one regional office issued written instructions to its FOs to implement new procedures for the receipt, control, and disposition of Social Security cards mailed to the office. In addition, during our review, two FOs issued written instructions to improve controls over the handling of Social Security cards.

We also identified inconsistent practices between the FOs. For example, some FOs retained unclaimed Social Security cards for about 30 days while other FOs retained them for up to 8 months. In addition, one FO required that applicants sign a form when they picked up their cards while the remaining nine FOs did not obtain any written acknowledgment. Therefore, we encourage SSA to develop national policies and procedures to ensure uniformity in FO practices for processing Social Security cards mailed to the office.

RECEIPT AND DISPOSITION OF SOCIAL SECURITY CARDS NOT LOGGED

We found that 7 of 10 FOs did not maintain logs to account for the receipt and disposition of Social Security cards mailed to the office (see Appendix B). In addition, two FOs only retained partial logs of the Social Security cards the FO either received or destroyed. Unless written records are properly maintained and retained, FOs may be ill equipped to determine whether the Social Security cards were received in the mail, picked up by the applicant, or destroyed by the office.

As a result of a prior OIG audit, one regional office developed a log for its FOs to record the date each Social Security card is received, name and Social Security number (SSN) on the card, date the card is picked up, name of management official releasing the card to the applicant, and date the card is shredded, if not picked up within 30 days.

During our review, two FOs developed logs to account for the receipt and disposition of Social Security cards received in the mail. Another two FOs revised their existing logs-one included the date of disposition for all Social Security cards received while the other included the date of the SSN application and extended the retention period from 30 days to 3 years. Other FOs generally believed a log was an effective tool for monitoring and controlling Social Security cards, especially since a log is also used for claimant checks mailed to the office.

Of the 5,740 Social Security cards mailed to the 10 FOs in our sample in FY 2007, we selected the 50 most recent Social Security cards mailed to each FO as of September 30, 2007. We found FOs were unable to provide logs or other written records to support the receipt and disposition of 437 (87.4 percent) of the 500 Social Security cards in our sample (see Appendix D). Although the FOs did not report any instances of loss or theft, we believe they should retain written documentation to substantiate whether the Social Security cards were received, picked up, or destroyed.

STORAGE OF SOCIAL SECURITY CARDS COULD BE IMPROVED

We found that 5 of 10 FOs did not properly secure Social Security cards at all times (see Appendix B). Based on our interviews, these FOs stored the cards in a locked cabinet or drawer only at the end of the day. In addition, one FO placed the Social Security cards in a locked file cabinet during the day; however, all employees had unrestricted access to the key. Unless the cards are properly safeguarded at all times, there is an increased risk of SSN misuse, unauthorized disclosure, and identity theft.

As a result of a prior OIG audit, one regional office issued written instructions that stated all Social Security cards held in the FO should be secured in a locked file cabinet. In addition, SSA's policies require that FOs store any Social Security cards that are returned to the office and cannot be immediately destroyed in a locked cabinet or drawer. We believe this policy should be adopted for all cards held in the FO.

For example, one FO stored its Social Security cards on an open rack on the Operations Supervisor's desk during the day. The District Manager stated the rack allowed all employees to readily retrieve the cards when applicants visited the office to pick them up. However, to provide adequate safeguards over the Social Security cards mailed to the office, we believe FOs should restrict access to the cards and secure them in a locked cabinet or drawer at all times.

SOCIAL SECURITY CARDS NOT PROPERLY ADDRESSED

We found that none of the 10 FOs always ensured Social Security cards mailed to the office were addressed to the FO manager, as required (see Appendix B). This occurred because eight FOs were not fully aware that Social Security cards mailed to the office should be addressed to the FO manager. Instead, they entered the FO's mailing address without a "care of" or "attention" heading. The remaining two FOs were aware of the requirement but inadvertently entered incorrect addresses because of clerical errors.

SSA's policies allow applicants to pick up their Social Security cards at an SSA office under certain circumstances. Social Security cards mailed to an SSA office should be addressed directly to the FO manager. Such a practice is necessary to establish proper accountability and control over the cards.

As part of our review of the 50 most recent Social Security cards mailed to each FO as of September 30, 2007, we evaluated how these cards were addressed. We found that 443 (88.6 percent) of the 500 Social Security cards in our sample were not addressed in accordance with SSA's policies and procedures (see Appendix D). During our review, FOs agreed to remind staff to properly address Social Security cards to management officials only.

CONCLUSION AND RECOMMENDATIONS

Given the increased emphasis on the protection of personally identifiable information and the prevalence of identity theft, SSA needs to strengthen its controls and procedures over the Social Security cards mailed to its FOs. We found that FOs did not always (1) have formal, written policies for the receipt and disposition of Social Security cards; (2) maintain logs to determine whether the cards were received, picked up, or destroyed; (3) ensure cards were properly secured at all times; and (4) address cards to the FO manager. As a result, the Social Security cards mailed to FOs may be susceptible to loss or theft. Therefore, we recommend that SSA:

1. Develop formal, written policies and procedures over the receipt, safeguarding, and disposition of Social Security cards mailed to its FOs.

2. Direct FOs to maintain a log to account for the receipt and disposition of Social Security cards received in the mail.

3. Instruct FOs to properly secure Social Security cards (for example, in a locked cabinet or drawer) at all times.

4. Implement controls to ensure Social Security cards mailed to the office are addressed to management officials.

AGENCY COMMENTS

SSA agreed with all of our recommendations. See Appendix E for the text of SSA's comments.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Summary of Field Office Results
APPENDIX C - Scope and Methodology
APPENDIX D - Sampling Methodology and Results
APPENDIX E - Agency Comments
APPENDIX F - OIG Contacts and Staff Acknowledgments

Appendix A
Acronyms
FO Field Office
FY Fiscal Year
MES Modernized Enumeration System
OIG Office of the Inspector General
POMS Program Operations Manual System
SSA Social Security Administration
SSN Social Security Number

Appendix B
Summary of Field Office Results

Field Office
Lack of Formal Policies and Procedures Receipt and Disposition of Cards Not Logged Storage of Social Security Cards Could Be Improved Social Security Cards Not Properly Addressed
Hyannis, MA " " " "
Rio Grande, NJ " " "
Salisbury, MD " , 4 "
Panama City, FL " " "
Minneapolis, MN " "4 "4 "
Oklahoma City, OK "4 " "
Kansas City, MO " " "
Denver, CO " "4 " "
San Diego, CA " "3
Seattle, WA " " "
Total
9
7
5
10

Appendix C
Scope and Methodology

We obtained a data extract from the Social Security Administration's (SSA) Modernized Enumeration System (MES) of Social Security cards that were mailed to its field offices (FO) between October 1, 2006 and September 30, 2007. Using this data extract, we identified a population of 20,362 Social Security cards that were mailed to FOs in the United States and District of Columbia.

From our population, we reviewed the FO with the highest number of Social Security cards mailed to the office in each of SSA's 10 regions in Fiscal Year (FY) 2007. Specifically, we evaluated the adequacy of SSA's policies and procedures over the receipt and disposition of Social Security cards mailed to its FOs. The following table provides a breakdown of the FOs selected for review, along with the number of cards mailed to the office during FY 2007:

SSA Region Field Office Social Security Cards
Boston, MA Hyannis, MA 281
New York, NY Rio Grande, NJ 77
Philadelphia, PA Salisbury, MD 2,887
Atlanta, GA Panama City, FL 763
Chicago, IL Minneapolis, MN 424
Dallas, TX Oklahoma City, OK 81
Kansas City, MO Kansas City, MO 180
Denver, CO Denver, CO 481
San Francisco, CA San Diego, CA 363
Seattle, WA Seattle, WA 203
Total 5,740

To accomplish our objective, we

reviewed SSA's Program Operations Manual System and other policy memorandums;

interviewed employees from SSA's Headquarters, 10 regional offices, and 10 FOs to obtain information about its policies and procedures over the receipt, safeguarding, and disposition of Social Security cards addressed to FOs;

for each FO, selected the 50 most recent Social Security cards mailed to the office as of September 30, 2007; and

determined whether the Social Security cards were properly addressed, secured, received, picked up, or destroyed.

We determined the computer processed data from the MES were sufficiently reliable for our intended use. Our work was conducted at 10 SSA FOs between January and March 2008. The entity reviewed was the Office of the Deputy Commissioner for Operations.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix D
Sampling Methodology and Results

From the Social Security Administration's (SSA) Modernized Enumeration System, we obtained a data extract of Social Security cards that were mailed to its field offices (FO) in Fiscal Year (FY) 2007. We identified a population of 20,362 Social Security cards that were mailed to FOs in the United States and District of Columbia.

From our population, we reviewed the FO with the highest number of Social Security cards mailed to the office in each of SSA's 10 regions. A total of 5,740 cards were mailed to these FOs in FY 2007. We selected a total of 500 Social Security cards to evaluate the adequacy of SSA's policies and procedures. Specifically, for each FO, we selected the 50 most recent cards mailed to the office as of September 30, 2007.

Based on our interviews, we found that FOs were unable to provide logs or other written records to support the receipt and disposition of 437 (87.4 percent) of the 500 Social Security cards in our sample. In addition, we found that 443 (88.6 percent) of the 500 Social Security cards in our sample were not addressed in accordance with SSA's policies and procedures. The following tables provide the details of our sample results.

Table 1 - Receipt and Disposition of Social Security Cards Not Logged

Field Office
Population
Sample Cards Not
Logged
Hyannis, MA 281 50 50
Rio Grande, NJ 77 50 50
Salisbury, MD 2,887 50 37
Panama City, FL 763 50 50
Minneapolis, MN 424 50 50
Oklahoma City, OK 81 50 50
Kansas City, MO 180 50 50
Denver, CO 481 50 50
San Diego, CA 363 50 0
Seattle, WA 203 50 50
Total 5,740 500 437

Table 2 - Social Security Cards Not Properly Addressed

Field Office
Population
Sample Cards Improperly Addressed
Hyannis, MA 281 50 50
Rio Grande, NJ 77 50 50
Salisbury, MD 2,887 50 50
Panama City, FL 763 50 13
Minneapolis, MN 424 50 50
Oklahoma City, OK 81 50 50
Kansas City, MO 180 50 50
Denver, CO 481 50 50
San Diego, CA 363 50 30
Seattle, WA 203 50 50
Total 5,740 500 443

Appendix E
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date: July 28, 2008

To: Patrick P. O'Carroll, Jr.
Inspector General

From: David V. Foster
Executive Counselor to the Commissioner

Subject: Office of the Inspector General (OIG) Draft Report, "Social Security Cards Mailed to the Social Security Administration's Field Offices" (A-09-07-27154) INFORMATION

We appreciate OIG's efforts in conducting this review. Attached is our response to the recommendations.

Please let me know if we can be of further assistance. Direct staff inquiries to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965 4636.

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S DRAFT REPORT, "SOCIAL SECURITY CARDS MAILED TO THE SOCIAL SECURITY ADMINISTRATION'S FIELD OFFICES" (A-09-07-27154)

Thank you for the opportunity to review and provide comments on this draft report. We are committed to ensuring that we properly handle all Social Security cards in Field Offices (FOs) to protect the integrity of the Social Security Number.

Recommendation 1

Develop formal, written policies and procedures over the receipt, safeguarding, and disposition of Social Security cards mailed to its FOs.

Comment

We agree. We will develop policies and procedures over the receipt, safeguarding, and disposition of Social Security cards mailed to our FOs. Once developed, we will distribute the Program Operations Manual System to all employees.

Recommendation 2

Direct FOs to maintain a log to account for the receipt and disposition of Social Security cards received in the mail.

Comment

We agree. We will include in our development of policies/procedures, outlined in recommendation 1, guidance to ensure the importance of the control and security of Social Security cards received in the mail. In order to balance the need for security with service delivery concerns, we will need to make certain that the control methods are not overly burdensome on the FOs.

Recommendation 3

Instruct FOs to properly secure Social Security cards (for example, in a locked cabinet or drawer) at all times.

Comment

We agree. We will include in our development of the policies/procedures, outlined in recommendation 1, instructions for FOs to properly secure Social Security cards at all times.

Recommendation 4

Implement controls to ensure Social Security cards mailed to the office are addressed to management officials.

Comment

We agree. We will release a reminder in our December 2008, Annual Security Reminders, Administrative Message. Once the policies/procedures are in place regarding recommendations 1, 2, and 3, we will pursue adding questions covering all of these issues in our Onsite Security Control and Audit Review guide in order to ensure compliance.

Appendix F
OIG Contacts and Staff Acknowledgments
OIG Contacts
James J. Klein, Director, San Francisco Audit Division, (510) 970-1739
Jack H. Trudel, Audit Manager, (510) 970-1733
Acknowledgments
In addition to those named above:
Regina Finley, Auditor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Staff Assistant at (410) 965 4518. Refer to Common Identification Number A-09-07-27154.

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG's media and public information policies, directs OIG's external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG's strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.