MEMORANDUM

Date: August 13, 2004

To: The Commissioner

From: Acting Inspector General

Subject: Performance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)

We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 16 of the Social Security Administration's performance indicators established to comply with the Government Performance and Results Act. The attached final report presents the results of three of the performance indicators PwC reviewed. For each performance indicator included in this audit, PwC's objectives were to:

Test critical controls over the data generation and calculation processes for the specific performance indicator,

Assess the overall adequacy, accuracy, reasonableness, completeness, and consistency of the performance indicator and supporting data, and

Determine if each performance indicator provides meaningful measurement of the program and the achievement of its stated objectives.

This report contains the results of the audit for the following indicators:

Maintain zero outside infiltrations of Social Security Administration's programmatic mainframes,

By 2005, substantially complete the most significant projects in the Social Security Unified Measurement System and Managerial Cost Accountability System Plan, and complete the plan by the end of 2008, and

Milestones in developing new performance management systems.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

Performance Indicator Audit:
Management Information Systems
Development and Protection

August 2004

A-15-04-14071

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.

MEMORANDUM

Date: July 27, 2004

To: Acting Inspector General

From: PricewaterhouseCoopers LLP

Subject: Performance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)

The Government Performance and Results Act (GPRA) of 1993 requires the Social Security Administration (SSA) to develop performance indicators that assess the relevant service levels and outcomes of each program activity. GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance.

OBJECTIVE

For each performance indicator included in this audit, our objectives were to:

1. Test critical controls over the data generation and calculation processes for the specific performance indicator.

2. Assess the overall adequacy, accuracy, reasonableness, completeness, and consistency of the performance indicator and supporting data.

3. Determine if each performance indicator provides meaningful measurement of the program and the achievement of its stated objectives.

We audited the following performance indicators as stated in SSA's Fiscal Year (FY) 2003 Performance and Accountability Report (PAR):

Performance Indicator: Maintain zero outside infiltrations of SSA's programmatic mainframes.
FY 2003 Goal: Zero Infiltrations
FY 2003 Reported Results: Zero Infiltrations

Performance Indicator: By 2005, substantially complete the most significant projects in the Social Security Unified Measurement System (SUMS) and Managerial Cost Accountability System (MCAS) Plan, and complete the plan by the end of 2008.
FY 2003 Goal: Refer to page 5 for FY 2003 goal.
FY 2003 Reported Results: SSA substantially completed the most significant projects in SUMS and MCAS.

Performance Indicator: Milestones in Developing New Performance Management Systems.
FY 2003 Goal: Implement new Senior Executive Service (SES) system.
FY 2003 Reported Results: Implemented a new SES system.

BACKGROUND

SSA Information Systems

SSA has a complex computing environment that includes mainframe systems and UNIX, AS/400 and Windows servers. SSA also maintains over 60 firewalls and over 50,000 workstations. SSA uses these systems, including distributed systems that support the Agency's vast field office structure, to pay over $500 billion annually in benefits to approximately 51 million beneficiaries across the country. SSA maintains 5 mainframes logically partitioned into 21 system images with approximately 9 terabytes of data to process over 21 million transactions daily. The Agency operates the z/OS mainframe operating system and uses Top Secret as its security software.

SUMS/MCAS Project

SSA's systems allow routine assessment of performance and financial information that managers can use to make day-to-day decisions. SSA will continue to enhance these systems over the next few years with the SUMS and MCAS initiatives.

Performance Management System

In FY 2003, SSA introduced a new performance management system for employees as part of an overall strategy to distinguish between levels of performance. This system was developed in October 2002 and is being implemented beginning with SES employees.

RESULTS OF REVIEW

Maintain zero outside infiltrations of SSA's programmatic mainframes

FY 2003 Goal: Zero infiltrations.
Actual FY 2003 Performance: Zero infiltrations.
SSA met its goal.

Indicator Background
SSA maintains an Intrusion Protection Team (IPT) that was specifically designed to prevent external infiltrations of systems. The IPT uses numerous software tools to immediately detect attempts to infiltrate SSA's network and underlying systems. Additionally, software controls at all levels of SSA systems are used to prevent unauthorized access to SSA systems.

SSA created this performance indicator to document the Agency's success in protecting the mainframe computers, on which SSA's sensitive programmatic data resides. According to SSA security management, the indicator is intended to measure infiltrations from outside of SSA, and not infiltrations from authorized internal users who manage to elevate their privileges and perform unauthorized actions. Additionally, the indicator is intended to only measure infiltrations of the mainframe computers. Infiltrations that are related to non-mainframe systems, including SSA's Intranet, network, and distributed systems are excluded for reporting purposes within this indicator.

Findings

The intent of the indicator is to provide a picture of SSA's success in preventing mainframe infiltrations. We believe this is an important goal and its success is very relevant to the Agency. It is not possible to state that undetected infiltrations did not occur. Therefore the Agency cannot completely measure or fully assert that an outside infiltration has not occurred. We believe that the indicator "Actual FY 2003 Performance" results should be enhanced as follows:

Zero outside infiltrations of SSA's programmatic mainframes were detected.

We noted a number of inconsistencies in the descriptions of the indicator. Based on the title of the indicator, internal infiltrations would not be included in the calculation of this indicator; however, the definition, as described in the FY 2003 PAR, is unclear with regard to inclusion of internal infiltrations:

"The goal is to prevent any unauthorized access and/or alteration of critical data that would result in improper disclosure, incorrect information or lack of data availability. An infiltration is an unauthorized access that requires a cleanup or restoration of back-up files to a state prior to the infiltration. This would include an authorized user who obtains elevated privileges and performs unauthorized actions resulting in infiltration." (emphasis added)

SSA management should reconsider the data definition, under which unauthorized access to SSA's mainframes is not considered an infiltration unless the unauthorized action results in the need for SSA systems personnel to perform clean-up or restoration activities. We believe that the definition too narrowly defines a mainframe infiltration and could omit important events, such as unauthorized access that results in disclosure of sensitive SSA information, or misuse of copied data, that occur but do not require cleanup or restoration activities. Additionally, the indicator excludes infiltrations of SSA's Intranet, network and distributed systems, which maintain important Agency information.

SSA management should provide a clear statement of how preventing outside infiltrations of the mainframe relates to the Agency goal of "To ensure superior Stewardship of Social Security programs and resources," or the Agency objective of "Efficiently manage Agency finances and assets, and effectively link resources to performance outcomes." Although, as previously stated, the prevention of outside infiltrations is an important goal and clearly valuable to SSA, SSA should provide a clear link between this indicator and the overall strategic goal and objective to which it is aligned in the FY 2003 PAR.

We also noted the need for SSA to formally document policies and procedures for reporting mainframe infiltrations by all systems departments to the Office of Strategic Management.

Finally, we noted that the FY 2003 PAR makes reference to red teams as part of the Agency's overall strategy for protecting the mainframe from infiltrations; however, during interviews with senior SSA security management, we were informed that the red teams were never implemented by the Agency.

Substantially Complete the Most Significant Projects in the SUMS and MCAS Plan

FY 2003 Goal:

SUMS
1. Use of the SUMS Title XVI Post-eligibility Operational Data Store (PEODS) and SUMS Work Measurement Data Warehouse (WMDW) as the sole source of Agency information for managing the redeterminations and limited issue workloads. Complete corrections to the cases in the data warehouse.

2. Complete the first stage of the national rollout of the Customer Service Record (CSR) through the Visitor Intake Process (VIP) system in SSA field offices. The Customer Service Query (CSQ) will contain an extract of data from eight databases and will be displayed in VIP.

3. Data contained in the Title II Integrated Workload Management System (IWMS) will be moved to the Title II Operational Data Store (ODS) and will be the basis for the new processing time reports and SUMS counts.

4. Data on Title XVI Initial Claims processing time from the SSI Claims Report (SSICR) will be moved to the WMW and accessed from the Common Front End to provide web-based processing time reports.

MCAS
5. Cost Analysis System (CAS) Renovation - Office of Hearings and Appeals (OHA) Work Counts: Release 7 of the CAS Renovation project under the umbrella MCAS project will substantially automate the manual processes currently used to compute basic workload count and work time by workload information for the OHA and to enter that data to SSA's CAS. This project will reduce the time and effort required to produce these data and will enhance the accuracy and integrity of SSA's managerial cost accounting processes.

6. Complete Vision and Scope Document for Time Allocation. This document will complete the user planning and analysis phase of the Time Allocation project and will provide the basis for development of detailed requirements and project plans for time allocation.

Actual FY 2003 Performance: SSA substantially completed the most significant projects in SUMS and MCAS.

SSA met its goal.

Indicator Background

The SUMS/MCAS performance indicator is comprised of six subprojects, which are intended to report the Agency's progress against predefined milestones related to the SUMS and MCAS enhancements. The SUMS and MCAS subprojects are related to automating the process of reporting the Agency's workloads to provide more efficient, timely and accurate cost data for the Agency. These improvements should enable SSA to more effectively link its resources to costs and performance.

Findings

We believe that the indicator is generally adequate and provides valuable information relative to achieving enhancements in future reporting of workloads and time allocation; however, SSA could enhance the disclosures in the PAR. SSA management should provide a clear statement of how completion of the plan directly relates to the achievement of the Agency's strategic objective "Efficiently manage Agency finances and assets, and effectively link resources to performance outcomes" and the strategic goal "To ensure superior Stewardship of Social Security programs and resources." Although implementation of the systems enhances the Agency's workload, cost and time allocation data, SSA should provide a clear statement of how the data from the new systems will be used to achieve the overall strategic goal and objective to which it is aligned in the FY 2003 PAR.

SSA should also clearly state how the completion of the subprojects will enable the Agency to complete the most significant projects in the SUMS and MCAS plan by 2005, or complete the entire plan by 2008. The indicator does not identify the previously completed projects or the projects that remain outstanding. Additionally, the indicator provides no context for why these six projects were identified as milestones for FY 2003 or why they were deemed the most significant projects in the SUMS and MCAS Plan.

Milestones in Developing New Performance Management Systems

FY 2003 Goal: Implement new Senior Executive Service system.
Actual FY 2003 Performance: Implemented a new SES system.
SSA met its goal. The five-tier Senior Executive Service (SES) performance management system was implemented on October 1, 2002.

Indicator Background

The FY 2003 evaluation cycle required all SES employees to complete appraisals following the new performance management process. The five rating levels as documented in the performance management system are:

Outstanding: Consistently superior; significantly exceeds expectations of the Fully Successful performance standard.
Excellent: Consistently exceeds expectations of the Fully Successful performance standard.
Fully Successful: Consistently meets performance expectations.
Minimally Satisfactory: Marginally acceptable, needs improvement, occasionally less than Fully Successful performance.
Unsatisfactory: Undeniably unacceptable; generally less than Fully Successful performance.

This indicator is linked to the strategic objective of "Recruit, develop and retain a high-performing workforce." Implementation of a new performance management system is considered a critical part of SSA's Future Workforce Transition Plan (FWTP) to better manage and align SSA human capital in support of SSA's mission.

The implementation of a new performance management system for the SES employees has received significant support from the Commissioner, Deputy Commissioners, Performance Review Board and Executive Resources Board. Employees received guidance on developing and processing performance plans in areas such as conducting progress reviews, rating executives, procedures for non-standard situations, and using the performance management system as a decision making tool.

Findings

We believe that this indicator is generally adequate; however, some improvements could be made. This indicator captures the Agency's progress against predefined milestones for implementing the performance management system. However, the indicator does not measure the effectiveness of the new system in differentiating the performance of the workforce. The FY 2003 PAR fails to clearly explain how implementing a new performance management system for SES employees relates to the Agency goal "To strategically manage and align staff to support SSA's mission," or the Agency objective to "Recruit, develop and retain a high-performing workforce."

RECOMMENDATIONS

We recommend SSA:

1. Articulate and disclose the linkage of the performance indicators to the Agency's strategic goals and objectives.
2. Maintain documentation that describes why the performance indicator goals were established.
3. Document the policies and procedures used to prepare and disclose the results of the performance indicators.

Specific to the performance indicator, "Maintain Zero Outside Infiltrations of SSA's Programmatic Mainframes," we recommend SSA:

4. Revise the performance indicator results to clarify that it measures only detected infiltrations.
5. Ensure that the performance indicator definitions are meaningful, complete, and consistent with the title.

AGENCY COMMENTS

SSA generally agreed with the recommendations in this report. Specific to Recommendation 4, SSA will change the data definition for the performance indicator "Maintain Zero Outside Infiltrations of SSA's Programmatic Mainframes" to clarify the potential sources of infiltrations. However, SSA stated that the title of this performance indicator will remain the same. The full text of SSA's comments can be found in Appendix D.

PwC RESPONSE

We believe SSA's proposed actions will strengthen the performance indicator reporting process. As such we encourage the Agency to move forward with its corrective actions.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Process Flowcharts
APPENDIX D - Agency Comments

Appendix A
Acronyms
CAS Cost Analysis System
CSO Chief Security Officer
CSQ Customer Service Query
CSR Customer Service Record
DIODS Disability ODS
EMODS Earnings ODS
FedCIRC Federal Computer Incident Response Center
FWTP Future Workforce Transition Plan
FY Fiscal Year
GPRA Government Performance and Results Act
IBM International Business Machines
IPT Intrusion Protection Team
IWMS Integrated Workload Management System
MCAS Managerial Cost Accountability System
ODS Operational Data Store
OHA Office of Hearings and Appeals
OHR Office of Human Resources
OPM Office of Personnel Management
OSM Office of Strategic Management
PAR Performance and Accountability Report
PEODS Post-eligibility Operational Data Store
SES Senior Executive Service
SSA Social Security Administration
SSASRT SSA Security Response Team
SSICR Supplemental Security Income Claims Report
SUMS Social Security Unified Measurement System
U.S.C. United States Code
VIP Visitor Intake Process
VPN Virtual Private Network
WMDW Work Measurement Data Warehouse

Appendix B
Scope and Methodology

We first updated our understanding of the Social Security Administration's (SSA) Government Performance and Results Act (GPRA) processes. This was completed through research and inquiry of SSA management. We also requested SSA to provide various documents regarding the specific programs being measured as well as the specific measurement used to assess the effectiveness and efficiency of the related program.

Through inquiry, observation, and other substantive testing including testing of source documentation, we performed the following as applicable:

Reviewed prior SSA, Government Accountability Office, and other reports related to SSA GPRA performance and related information systems.

Met with the appropriate SSA personnel to confirm our understanding of each individual performance indicator.

Flowcharted the processes (see Appendix C).

Where applicable, we tested key controls related to manual or basic computerized processes (e.g., spreadsheets, databases, etc.).

Conducted and evaluated tests of the automated and manual controls within and surrounding each of the critical applications to determine whether the tested controls were adequate to provide and maintain reliable data to be used when measuring the specific indicator.

Identified and extracted data elements from relevant systems and obtained source documents for detailed testing selections and analysis.

Identified attributes, rules, and assumptions for each defined data element or source document.

Tested the adequacy, accuracy, reasonableness, consistency, and completeness of the selection.

Recalculated the metric or algorithm of key performance indicators to ensure mathematical accuracy.

For those indicators with results that SSA determined using computerized data, we assessed the completeness and accuracy of that data to determine the data's reliability.

As part of this audit, we documented our understanding, as conveyed to us by Agency personnel, of the alignment of the Agency's mission, goals, objectives, processes, and related performance indicators. We analyzed how these processes interacted with related processes within SSA and the existing measurement systems. Our understanding of the Agency's mission, goals, objectives, and processes was used to determine if the performance indicators being used appear to be valid and appropriate given our understanding of SSA's mission, goals, objectives and processes. We followed all performance audit standards.

In addition to the steps above, we specifically performed the following to test the indicators included in this report:

MAINTAIN ZERO OUTSIDE INFILTRATIONS OF SSA'S PROGRAMMATIC MAINFRAMES

Assessed the reliability of the data by inquiring of appropriate personnel as to the sources of the data included on, and the process for reviewing, the Federal Computer Incident Response Center (FedCIRC) reports.

Reviewed the monthly FedCIRC reports for Fiscal Year (FY) 2003.

Interviewed various SSA personnel (including the Intrusion Protection Team (IPT), SSA Security Response Team (SSASRT), Chief Security Officer (CSO), Virtual Private Network (VPN) & Modems Administration and Support teams, Top Secret Administrators and Security Officer) responsible for protecting the mainframe to gain an understanding of the tools and processes implemented to protect, monitor and report on SSA's systems security.

Performed (on SSA's FY 2003 Financial Statement Audit) penetration testing, firewall assessments, mainframe operating system and Top Secret configuration reviews.

SUBSTANTIALLY COMPLETE THE MOST SIGNIFICANT PROJECTS IN THE SUMS AND MCAS PLAN

Reviewed documentation related to project development, implementation and management activities.

Reviewed the projects and found that they were developed in accordance with Agency documentation policies regarding application software development.

Reviewed each of the projects and found they were released into production during the timeframe reported in the FY 2003 PAR by obtaining their software release documentation.

Reviewed each of the sub-projects and found that they were being used upon implementation by interviewing a selection of end users.

MILESTONES IN DEVELOPING NEW PERFORMANCE MANAGEMENT SYSTEMS

Reviewed the five-level performance management system and found that it was implemented for Senior Executive Service (SES) personnel in FY 2003 by reviewing the SES Performance Plan/Rating (Form SSA-330 EF-WP).

Reviewed President's Management Agenda requirements.

Reviewed United States Code (U.S.C.) Title 5 criteria regarding SES employee performance appraisal systems and applied such criteria to the performance indicator.

Assessed the reliability of the data by inquiring of appropriate personnel regarding the implementation of the performance management system.

Reviewed the FY 2003 performance appraisals for a selection of SES personnel.

Assessed the adequacy of the performance management system and assessed how successfully the indicator supports the Agency's goals and objectives.

Appendix C
Flowchart of Maintain Zero Outside Infiltrations of SSA's Programmatic Mainframes

Maintain zero outside infiltrations of SSA's programmatic mainframes

Activity Surrounding SSA Systems (Including the Firewalls, Internet, Intranet, Network and E-mail).
SSA & International Business Machines (IBM) Sensors Monitor Activity.
Is Activity Unusual or Suspicious?
Yes - Alert Forwarded to IPT
No - Processed Normally by SSA Computing Environment
IPT Investigates Activity.
IPT Determines if Mainframe Infiltration Occurred.
Yes - Incident Response Team Alerted & Containment Procedures Activated
No - Processed Normally by SSA Computing Environment
Infiltration Included on FedCIRC Report.
Management Coordination & Executive Contact Teams Meet Regularly & Discuss Security of SSA Systems (Including VPN & Modem Access, Top Secret, FedCIRC Report).
CSO Reports Infiltrations to OSM on Monthly Basis.

Flowchart of Substantially Complete the Most Significant Projects in the SUMS and MCAS Plan

Substantially Complete the Most Significant Projects in the SUMS and MCAS Plan
SUMS / MCAS Business Plan (Developed in 10/2002).
SUMS / MCAS Project Plan (Dated 10/4/02).
Milestones Accomplished Prior to Fiscal Year (FY) 2003.
SUMS Documentation Website
Title XVI Post-Eligibility (PE) ODS
Work Measurement Data Warehouse (WMDW)
Title II Initial Claims Operational Data Store (ODS)
Title XVI ODS
Disability ODS (DIODS)
Fraud ODS
Earnings ODS (EMODS)
Milestones Completed in FY 2003.
SUMS
Move Title XVI Initial Claims Processing from SSICR to WMW & Accessed from Common Front End
Moved Data in Title II IWMS to Title II ODS for New Time Reports & SUMS Counts (See Note)
Title XVI PEODS & WMDW for Managing Redeterminations & Limited Issue Workloads
Completed 1st Stage of National Rollout for CSR Through VIP in SSA Field Offices
MCAS
CAS Renovation Project - Release 7 Automated OHA Work Counts
Completed Vision and Scope Document for Time Allocation
Milestones Scheduled in FY 2004 - FY 2005.
SUMS - According to the Project Plan, the following milestones will be achieved in FY 2004 - FY 2005.
SUMS Counts Rqmts
T2 Initial Claims Phases
T16 Initial Claims Phases
CDR Phases
Redeterminations/Limited Issue Workloads
Benefits Recomputation Phases
Appeals Phases
CSR Releases
Debt Management Phases
Inquiries Phases
MCAS - According to the Project Plan, the following milestones will be achieved in FY 2004 - FY 2005.
Time Allocation Base System
Managerial Accounting:
CAS Renovation: Release 7, 8, 9
MCAS Reports
Work Measurement Trans.
MCAS Rel. 1 - CAS Replacement
MCAS Rel. 2 - Dist/Allo
Milestones Scheduled in FY2005-FY2008.
SUMS - According to the Project Plan, the following milestones will be achieved in FY 2005 - FY 2008.
Debt Management Phase
Inquiries Phases
Enumeration Phase
Earnings Phases
Representative Payee Phases
Fraud Phases
Indirect Work Phases
Medicare Phases
Public Information Phases
Reimbursable Workload Phases
MCAS - According to the Project Plan, the following milestones will be achieved in FY2005-2008.
Time Allocation Additional Workloads
Managerial Accounting
Strat. & Perf. Plans
SSA Program Data
Quality & Accuracy
Budget Formulation & Execution System
Note: This milestone was completed on 10/24/03 (after closure of FY 2003).

Flowchart of Milestones in Developing New Performance Management Systems

Milestones in Developing New Performance Management Systems
Title 5 United States Code / President's Management Agenda Requirements.
Office of Human Resources (OHR) Restructures SES Performance Management System to Include 5 Levels.
Commissioner / Office of Personnel Management (OPM) Approval.
Yes - Restructured SES Performance Management System rolled out 10/1/02
No - OHR Restructures SES Performance Management System to Include 5 Levels
Employee/Supervisor Set Annual Performance Objectives.
Mid-Cycle Review / On-going Discussions.
Employee/Supervisor Complete Appraisal.
Performance Review Board Reviews /Recommends Final Appraisal Summary Rating.
Commissioner Assigns Final Appraisal Summary Rating.
Appraisal is finalized.

Appendix D
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date: July 14, 2004

To: Patrick P. O'Carroll, Jr.
Acting Inspector General

From: Larry W. Dye
Chief of Staff

Subject: Office of the Inspector General (OIG) Draft Report, "Performance Indicator Audit: Management Information Systems Development and Protection" (A-15-04-14071)-INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the draft report are attached.

If you have any questions, you may contact Candace Skurnik, Director of the Audit Management and Liaison Staff, at extension 54636.

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "PERFORMANCE INDICATOR AUDIT: MANAGEMENT INFORMATION SYSTEMS DEVELOPMENT AND PROTECTION" (A-15-04-14071)

Thank you for the opportunity to review and provide comments on this OIG draft report. We find the report useful in our ongoing efforts to improve strategic and performance management at the Social Security Administration (SSA).

Recommendation 1

Articulate and disclose the linkage of the performance indicators to the Agency's strategic goals and objectives.

Comment

We concur. The SSA Office of the Chief Strategic Officer (OCSO) is currently developing the fiscal year (FY) 2005/2006 Agency Performance Plan (APP) and will ask every sponsoring SSA component to improve the documentation linking performance indicators to Agency strategic goals and objectives. Our future performance plans will include a narrative explanation of the linkage between performance measures, targets and the Agency's strategic goals and objectives.

Recommendation 2

Maintain documentation that describes why the performance indicator goals were established.

Comment

We concur with this recommendation. Maintaining documentation of this nature has always been part of our standard operating procedure. OCSO has asked the Agency's planning representatives and data sources to enhance maintenance of documentation relating to performance indicator goals. We will modify SSA's Performance and Accountability Report (PAR) to include this information for the key performance measures.

Recommendation 3

Document the policies and procedures used to prepare and disclose the results of the performance indicators.

Comment

We agree. In conjunction with development of the FY 2005/2006 APP, OCSO will issue a reminder to SSA sponsoring components concerning the requirement to document policies and procedures used to prepare and disclose the results of performance indicators.

Recommendations specific to performance indicator, "Maintain Zero Outside Infiltrations of SSA's Programmatic Mainframes":

Recommendation 4

Revise the performance indicator results to clarify that it measures only detected infiltrations.

Comment

Since all the measures included in the PAR are based upon the information available to the Agency, we believe it is implicit that this particular performance indicator relates to detected infiltrations only. We have changed the data definition for this performance indicator effective with the FY 2005/2006 APP to clarify the potential sources of infiltrations. The title of the performance indicator ("Maintain Zero Outside Infiltrations of SSA's Programmatic Mainframes") will remain the same.

Recommendation 5

Ensure that the performance indicator definitions are meaningful, complete, and consistent with the title.

Comment

We agree, and will review performance indicator data definitions in a manner consistent with this recommendation as we develop the FY 2005/2006 APP. We have changed the data definition for the "Maintain Zero Outside Infiltrations of SSA's Programmatic Mainframes" effective with the FY 2005/2006 APP.

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.