A-15-05-15114 - Alternate Format

OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

PERFORMANCE INDICATOR AUDIT:
CLAIMS PROCESSING

October 2005

A-15-05-15114

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.
MEMORANDUM

Date: October 27, 2005

To: The Commissioner

From: Inspector General

Subject: Performance Indicator Audit: Claims Processing (A-15-05-15114)

We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 16 of the Social Security Administration's (SSA) performance indicators established to comply with the Government Performance and Results Act. The attached final report presents the results of one of the performance indicators PwC reviewed. For the performance indicators included in this audit, PwC's objectives were to:

Assess the effectiveness of internal controls and test critical controls over the data generation, calculation, and reporting processes for the specific performance indicator.
Assess the overall reliability of the performance indicator's computer processed data. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.
Test the accuracy of results presented and disclosed in the Fiscal Year 2004 Performance and Accountability Report.
Assess if the performance indicator provides a meaningful measurement of the program it measures and the achievement of its stated objective.

This report contains the results of the audit for the following indicators:

Number of initial disability claims pending.
Retirement and Survivors Insurance claims processed.
Percent of Supplemental Security Income aged claims processed by the time the first payment is due or within 14 days of the effective filing date.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at
(410) 965-9700.

Patrick P. O'Carroll, Jr.

MEMORANDUM

Date: October 12, 2005

To: Inspector General

From: PricewaterhouseCoopers, LLP

Subject: Performance Indicator Audit: Claims Processing (A-15-05-15114)

OBJECTIVE

The Government Performance and Results Act (GPRA) of 1993 requires the Social Security Administration (SSA) to develop performance indicators that assess the relevant service levels and outcomes of each program activity. GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance.

To enhance the practical use of performance information, the Office of Management and Budget (OMB), in collaboration with other Federal agencies, developed the Program Assessment Rating Tool (PART), comprised of assessment criteria on program performance and management. The PART establishes a high, "good government" standard of performance and will be used to rate programs in an open, public fashion.

Our audit was conducted in accordance with generally accepted government auditing standards for performance audits. For the performance indicators included in this audit, our objectives were to:
1. Assess the effectiveness of internal controls and test critical controls over the data generation, calculation, and reporting processes for the specific performance indicator.

2. Assess the overall reliability of the performance indicator's computer processed data. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.

3. Test the accuracy of results presented and disclosed in the
Fiscal Year (FY) 2004 Performance and Accountability Report (PAR).

4. Assess if the performance indicator provides a meaningful measurement of the program it measures and the achievement of its stated objective.

BACKGROUND

We audited the following performance indicators as stated in the SSA FY 2004 PAR:

Performance Indicator FY 2004 Goal FY 2004 Reported Results
Number of Initial Disability Claims Pending 582,000 624,658
Retirement and Survivors Insurance (RSI) Claims Processed 3,285,000 3,399,471
Percent of Supplemental Security Income (SSI) Aged Claims Processed by the Time the First Payment is Due or within 14 Days of the Effective Filing Date 75% 84.1%

SSA administers the Old-Age and Survivors Insurance (OASI), Disability Insurance (DI), and the Supplemental Security Income (SSI) programs. The OASI program, authorized by Title II of the Social Security Act, provides income for eligible workers and for eligible members of their families and survivors. The DI program, also authorized by Title II of the Social Security Act, provides income for eligible workers with qualifying disabilities and for eligible members of their families before those workers reach retirement age. The SSI Program, authorized by Title XVI of the Social Security Act, was designed as a needs-based program to provide or supplement the income of aged, blind, and/or disabled individuals with limited income and resources.

To determine eligibility for both Title II and Title XVI programs, the applicant must first file a claim with SSA. This is typically accomplished through an appointment or walk-in visit to one of SSA's approximately 1,300 field offices (FO). Interviews are conducted by field office personnel with the applicants via the telephone or in person to determine the applicant's non-medical eligibility. If the applicant is filing for benefits based on disability, basic medical information concerning the disability, medical treatments, and identification of treating sources is obtained.

Field office personnel input the applicant's information into the Modernized Claims System (MCS) for OASI and DI claims or the Modernized SSI Claims System (MSSICS) for SSI claims. A relatively minor number of OASI and DI claims are input through the SSA Claims Control System (SSACCS). The SSACCS is used to process claims that cannot be processed through MCS. A favorable or unfavorable determination on the receipt of benefits is made on the OASI and non-disability SSI claims. DI and SSI disability claims are sent to the State Disability Determination Services (DDS) office for the review of medical information and determination of the receipt of benefits.

RESULTS OF REVIEW

Our assessment of internal controls identified the following issues in at least one of the three performance indicators reviewed. The internal controls and data reliability issues included insufficient documentation to describe the performance indicator process:

detailed data used to calculate the performance indicator was not maintained,

an audit trail for transactions processed through the SSACCS application was not created or reviewed,

SSA programmers had system access that would allow them to change the performance indicator data, and

weaknesses were found in the configuration of the Title XVI Datawarehouse UNIX system and Oracle database that contains data used to calculate the performance indicator results.

We noted an issue regarding the accuracy of the PAR presentation and disclosure that included inaccurate performance trend information reported in the PAR. We also found that one performance indicator was not clearly linked to SSA's strategic objectives.

Number of Initial Disability Claims Pending

Indicator Background

The performance indicator measures the number of DI and SSI disability initial claims that have not been reviewed by the DDS. The DDS is responsible for determining the status of a claimant's disability and ensuring that adequate evidence is available to support the determination. Upon determining that an applicant has met the non-medical eligibility requirements, SSA sends the DI and SSI initial claims file to the DDS. When a claim determination is made by the DDS, the status is entered into the National Disability Determination Services System (NDDSS) as completed. If the DDS has
not completed its review, the status of the claim is pending in the NDDSS. The data within NDDSS is automatically transferred to the Disability Operational Datastore (DIODS). The total number of pending initial disability claims are reported as of
September 24, 2004 on the State Agency Operations Report (SAOR). Refer to the formula below.

Total Claims Pending for Title II and Title XVI

Total Workloads of Initial
Closed Pending Claims as of
September 24, 2004

Findings

The DIODS data used to classify the initial disability claims as pending was not archived and maintained in accordance with OMB Circular A-123, Management Accountability and Control, Attachment II, Establishing Management Controls. SSA management stated that the detailed data was not maintained due to limited data storage space and lack of personnel resources. We were able to recalculate the indicator using summary data from DIODS, but we could not verify the accuracy of the summary data.

As a result of these issues, PwC was unable to validate the accuracy of the reported indicator results and could not consider the data to be reliable.

We did not identify any significant exceptions related to the disclosure of the information related to this indicator contained in the PAR, or to the meaningfulness of this indicator.

Retirement and Survivors Insurance Claims Processed

Indicator Background

The performance indicator measures the retirement (old-age), survivors, auxiliaries (dependents of the retirees) and totalization (claims by eligible individuals who have earned work credit overseas) claims processed. Processed RSI claims include claims that have received a favorable or unfavorable determination on benefits.

The Title II Operational Datastore (TII ODS) calculates the total number of RSI claims processed based on the fields for wage earners and dependents in the Retirement, Survivors and Insurance Trust Fund and provides the result to the Integrated Work Management System (IWMS). On a monthly basis, an SSA analyst queries IWMS for the retirement, survivors, auxiliaries and totalization claims processed and sums these categories to obtain the final indicator count.

Total RSI Claims Processed

Total RSI Claims processed for the period of October 1, 2003 to September 24, 2004

Findings

Internal Controls and Data Reliability

SSA had not documented policies and procedures related to the formal process to collect, review and make available the performance indicator data to Agency management. Documentation describing the automated and manual controls involved in the calculation and reporting of the performance indicator did not exist. OMB Circular A-123, Management Accountability and Control, requires, "…documentation for transactions, management controls, and other significant events must be clear and readily available for examination."

We tested the IWMS datasets used to calculate the indicator and found that a total of five SSA programmers had the "All" access designation within the Top Secret security software to these datasets. This level of access allows users to create, delete and modify any of the data (or datasets) contained within the datasets we reviewed. This level of access prevents SSA from ensuring the integrity of this production data. By allowing programmers to have the "All" access designation, SSA is not conforming to the OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources, principles of "least privileged access" or segregation of duties. While we were able to recalculate the indicator results, as a result of this issue, we could not consider the data to be reliable.

An audit trail for transactions processed through the SSACCS is not produced or reviewed. Therefore, transaction data may be altered or lost during input, resulting in potentially incorrect or inconsistent data being accepted as valid for processing. As a result of the lack of an audit trail, we were unable to conclude on the accuracy of the data reported in the PAR.

Accuracy of PAR Presentation and Disclosure

The performance trend in the PAR, "Agency performance this fiscal year is slightly above FYs 2001 and 2003 but slightly below FY 2002," was not accurately disclosed. The reported FY 2004 results were actually slightly above the FY 2002 results.

Performance Indicator Meaningfulness

The linkage between the performance indicator and the SSA's strategic objective "Improve service with technology" was not apparent. The indicator measured the total number of retirement and survivors insurance claims processed. While the noted improvements are relevant to the objective, the enabling technology improvements, e.g., the use of the Internet or investments in technology, were not identified in the disclosure, nor were the claims processing improvements related to levels of effort or cost.

Percent of Supplemental Security Income Aged Claims Processed by the Time the First Payment is Due or within 14 Days of the Effective Filing Date

Indicator Background

This performance indicator was reported as a non-GPRA PART performance indicator in the FY 2004 PAR. The performance indicator measures SSI aged claims that are processed by the time the first payment is due or within 14 days of the effective filing date and compares it to the total number of SSI aged claims processed. Refer to the following formula.

% of SSI Aged Claims Processed by the Time the First Payment is Due or within 14 Days

(SSI Aged Claims Processed by the Time the First Payment is Due) + (SSI Aged Claims Processed within 14 Days)
____________________________

Total SSI Aged Claims Processed

The Title XVI Operational Datastore (TXVI ODS) receives the date of the favorable or unfavorable determination of the SSI aged claims as well as the application date and payment date. This data is collected from the TXVI ODS by the Title XVI Datawarehouse and SSI Processing Time (SSIPT) system. The Title XVI Datawarehouse calculates the indicator. The results are posted to the SSA Intranet on an annual basis.

Findings

Internal Controls and Data Reliability

We tested the Title XVI ODS datasets used to calculate the indicator and found that a total of three SSA programmers had the "All" access designation within the Top Secret security software to these datasets. This level of access allows users to create, delete and modify any of the data (or datasets) contained within the datasets we reviewed. This level of access prevents SSA from ensuring the integrity of this production data. By allowing programmers to have the "All" access designation, SSA is not conforming to OMB A-130 Appendix III, Security of Federal Automated Information Resources, principles of "least privileged access" or segregation of duties.

Our review of the Title XVI Datawarehouse UNIX system and Oracle database identified seven security and compliance exceptions. This review was conducted against the SSA developed UNIX Risk Model configuration standard, National Institute of Standards and Technology (NIST) guidelines that include 5153 Section 3.2.2 and 800-18 Section 6.MA.2, and the Defense Information Security Agency (DISA) Security Technical Implementation Guides (STIGS) Security Checklist version 4R4, Section 3.8.1. We identified two exceptions to the requirements of the SSA UNIX Risk Model and three exceptions to the existing government guidelines from NIST and the DISA UNIX Security Checklist version 4R4. During our review of the Oracle database, we were informed by SSA management that SSA has not developed a configuration standard (risk model) for the Oracle database environment. We identified one exception to the requirements of the SSA Security Handbook.

While we were able to recalculate the indicator results, as a result of these security issues, the data used to calculate this performance indicator could not be considered reliable.

CONCLUSION AND RECOMMENDATIONS

Specific to the performance indicator, "Number of Initial Disability Claims Pending," we recommend SSA:

1. Maintain the detailed data used to calculate the performance indicator results that are reported in the PAR.

Specific to the performance indicator, "RSI Claims Processed," we recommend SSA:

2. Clearly articulate a direct linkage of the performance indicator to the Agency's strategic goals and objectives in the PAR. If possible, include claims processed from internet or a description of technology investments that support the strategic objective. If this cannot be done, SSA should disclose the reason why this indicator is linked to the relevant strategic goal and objective.

Specific to the performance indicators, "Number of Initial Disability Claims Pending" and "RSI Claims Processed," we recommend SSA:

3. Maintain an audit trail for SSACCS that captures the user ID, terminal, date and time the transaction was processed. Policies and procedures should be implemented requiring a review of the audit trail for inappropriate access or processing of transactions.

Specific to the performance indicator, "Percent of SSI Aged Claims Processed by the Time the First Payment is Due or within 14 Days of the Effective Filing Date," we recommend SSA:

4. Ensure that the Title XVI Datawarehouse UNIX system is configured to be in compliance with the SSA Risk Model and government guidelines from NIST and DISA. Ensure that the Title XVI Datawarehouse Oracle database is configured to be in compliance with the SSA Security Handbook. Ensure the risk model for the Oracle database is kept current with the SSA Security Handbook and Government guidelines.

5. Maintain documentation that describes how the performance indicator goals were established, document the policies and procedures used to prepare and report the results of the performance indicators, and keep a complete audit trail.

6. Ensure that the "least privileged access" principle is in place for SSA personnel that have the ability to directly modify, create or delete the datasets used to calculate the results of this indicator.

AGENCY COMMENTS

SSA agreed with three recommendations, partially agreed with one recommendation, and disagreed with two recommendations. For recommendation 1, SSA disagreed and stated that system capacity and limited resources would prevent them from full implementation of this recommendation. For recommendation 3, SSA disagreed and stated that SSACCS is only a secondary source for claims processing data and will be phased out. Therefore, SSA does not believe it would be cost-effective to invest resources in providing an audit trail for this system. For recommendation 4, SSA stated that it agreed with the intent of the recommendation, but not its breadth. Specifically, SSA stated that NIST and DISA guidelines are not always applicable, and therefore not adopted. The full text of SSA's comments can be found in Appendix D.

PWC RESPONSE

In response to comments regarding recommendation 1, one of the objectives of the GPRA audit is to ensure the accuracy of results reported in the PAR for each of the indicators under audit. We are willing to discuss any alternate methods the Agency is considering to ensure that the indicator results are auditable. However, SSA is responsible for meeting the requirements of OMB Circular A-123, Management Accountability and Control, which states, "…documentation for transactions, management controls, and other significant events must be clear and readily available for examination." In addition, although PwC was able to recalculate the results using summary data from DIODS, we could not consider the data to be reliable as the Government Accountability Office defines reliability in Assessing the Reliability of Computer-Processed Data (October 2002) as:

" Data are reliable when they are (1) complete (they contain all of the data elements and records needed for the engagement) and (2) accurate (they reflect the data entered at the source or, if available, in the source documents).

For recommendation 3, PwC has not been provided any documentation detailing the timeframe for the "phase out" of SSACCS. As such, PwC continues to recommend that SSA maintain an audit trail for SSACCS since this data is used for calculation of the indicator results.

In response to comments on recommendation 4, we continue to recommend that SSA ensure that the Title XVI Datawarehouse UNIX system is configured to be in compliance with the SSA Risk Model and Government guidelines from NIST and DISA. Where SSA believes NIST and DISA guidelines are not applicable to its system environment, SSA should document the specific circumstances that preclude them from implementation.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Process Flowcharts
APPENDIX D - Agency Comments

Appendix A
Acronyms
DDS Disability Determination Service
DI Disability Insurance
DIODS Disability Operational Datastore
DISA Defense Information Security Agency
FO Field Office
FY Fiscal Year
GPRA Government Performance and Results Act
IWMS Integrated Work Management System
MCS Modernized Claims System
MSSICS Modernized Supplemental Security Income System
NDDSS National Disability Determination Service System
NIST National Institute of Standards and Technology
OASI Old-Age and Survivors Insurance
OMB Office of Management and Budget
PAR Performance and Accountability Report
PART Program Assessment Rating Tool
RSI Retirement and Survivors Insurance
SAOR State Agency Operations Report
SSA Social Security Administration
SSACCS Social Security Administration Claims Control System
SSI Supplemental Security Income
SSIPT Social Security Income Processing Time
STIGS Security Technical Implementation Guides
TII ODS Title II Operational Datastore
TXVI ODS Title XVI Operational Datastore
U.S.C. United States Code

Appendix B
Scope and Methodology
We updated our understanding of the Social Security Administration's (SSA) Government Performance and Results Act (GPRA) processes. This was completed through research and inquiry of SSA management. We also requested SSA to provide various documents regarding the specific programs being measured as well as the specific measurement used to assess the effectiveness and efficiency of the related program.

Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following:

Reviewed prior SSA, Government Accountability Office, Office of the Inspector General and other reports related to SSA's GPRA performance and related information systems.
Met with the appropriate SSA personnel to confirm our understanding of the performance indicators.
Flowcharted the processes. (See Appendix C).
Tested key controls related to manual or basic computerized processes (e.g., spreadsheets, databases, etc.).
Conducted and evaluated tests of the automated and manual controls within and surrounding each of the critical applications to determine whether the tested controls were adequate to provide and maintain reliable data to be used when measuring the specific indicator.
Identified attributes, rules, and assumptions for each defined data element or source document.
Recalculated the metric or algorithm of key performance indicators to ensure mathematical accuracy.
For those indicators with results that SSA determined using computerized data, we assessed the completeness and accuracy of that data to determine the data's reliability as it pertains to the objectives of the audit.

As part of this audit, we documented our understanding, as conveyed to us by Agency personnel, of the alignment of the Agency's mission, goals, objectives, processes, and related performance indicators. We analyzed how these processes interacted with related processes within SSA and the existing measurement systems. Our understanding of the Agency's mission, goals, objectives, and processes were used to determine if the performance indicators appear to be valid and appropriate given our understanding of SSA's mission, goals, objectives and processes.

We followed all performance audit standards in accordance with generally accepted government auditing standards. In addition to the steps above, we specifically performed the following to test the indicators included in this report:

NUMBER OF INITIAL DISABILITY CLAIMS PENDING

Audited the design and effectiveness of the SSA internal controls and the accuracy and completeness of the data related to the following areas:
Competed application control reviews over Disability Operational Datastore (DIODS).
Determined the adequacy of the programming logic used by SSA to calculate the initial disability claims pending.

RETIREMENT AND SURVIVORS INSURANCE (RSI) PROCESSED

Audited the design and effectiveness of the SSA internal controls and the accuracy and completeness of the data related to the following areas:
Completed application control review over Title II Operational Datastore (TII ODS) and Integrated Work Management System (IWMS).
Determined the adequacy of the programming logic used by SSA to calculate the RSI processed.
Recalculated the RSI processed for the Fiscal Year (FY) 2004 and compared it to the RSI processed for the year.

PERCENT OF SUPPLEMENTAL SECURITY INCOME (SSI) AGED CLAIMS PROCESSED BY THE TIME THE FIRST PAYMENT IS DUE OR WITHIN 14 DAYS OF THE EFFECTIVE FILING DATE

Audited the design and effectiveness of the SSA internal controls and the accuracy and completeness of the data related to the following areas:
Completed application control reviews over the Title XVI Operational Datastore (TXVI ODS) and Title XVI Datawarehouse.
Completed reviews for the Title XVI ODS and Title XVI Datawarehouse UNIX system and ORACLE database.
Determined the adequacy of the programming logic used by SSA to calculate the indicator.
Recalculated the indicator for the FY 2004 and compared it to the number reported in the Performance Accountability Report.

Appendix C
Number of Initial Disability Claims Pending
2004 Process Flowchart

2004 Process Flowchart Narrative
Number of Initial Disability Claims Pending
Claimant contacts the SSA via a FO in-person visit, mail, or phone call to the FO or TSC.
If the FO or TSC can interview the claimant, the FO or TSC will verify non-medical factors.
If the FO or TSC is not available to interview the claimant, the FO or TSC will set up an in-office or telephone interview.
During the interview, the FO personnel's review determines if the claimant is eligible for Title II and/or Title XVI benefits. If the claimant does not qualify for Title II and/or Title XVI benefits, the claimant can continue or stop the filing of the application.
Claimants that are eligible for Title II or Title XVI benefits complete the application form. The FO personnel enter the Title II application into MCS or SSACCS. The FO personnel enter the Title XVI application into MSSICS.
The FO personnel review non-medical issues and determine the claimant's effective filing date.
If the determination is a technical denial, the FO personnel will enter the decision.
If the determination is not a technical denial, a medical folder is created for the claimant and sent to the State Disability Determination Services (DDS) for the review of medical factors and determination of receipt of benefits.
NDDSS receives the claimant's data from MCS, SSACCS and MSSICS.
NDDSS provides the total number of pending disability claims to the DIODS.
DIODS produces the pending disability claims count on a weekly basis on the SAOR.
The DDS staff analyzes the SAOR report to identify anomalies and corrects errors, if applicable.
The year-end SAOR report produces the indicator results on the PAR.

RSI Claims Processed
2004 Process Flowchart

2004 Process Flowchart Narrative
Retirement and Survivors Insurance Claims Processed
Claimant contacts the SSA via a FO in-person visit, mail, or phone call to the FO or TSC.
If the FO or TSC can interview the claimant, the FO or TSC will verify non-medical factors.
If the FO or TSC is not available to interview the claimant, the FO or TSC will set up an in-office or telephone interview.
During the interview, the FO personnel's review determines if the claimant is eligible for Title II benefits. If the claimant does not qualify for Title II benefits, the claimant can continue or stop the filing of the application.
Claimants that are eligible for Title II benefits complete the application form. The FO personnel enter the Title II application into MCS or SSACCS.
The FO personnel's review determines the claimant's effective filing date, verifies the claimant's identify via the Numident and verifies the claimant's earnings via the Earnings Retirement Claims System.
MCS performs edit checks and provides an initial entitlement decision.
MCS interfaces with the WMS to provide the RSI processed claims data.
SSACCS and WMD interface with the TII ODS to provide the RSI processed claims data.
IWMS received data from the TII ODS. The SSA staff retrieves the RSI processed claims data from the GETWORK module of IWMS.
The SSA staff reviews the GETWORK report for errors and inconsistencies.
The final indicator number is reported in the PAR.

Percent of SSI Aged Claims Processed by the Time the First Payment is Due or within 14 Days of the Effective Filing Date
2004 Process Flowchart

2004 Process Flowchart Narrative
Percent of SSI Aged Claims Processed by the Time the First Payment is Due or within14 Days of the Effective Filing Date
Claimant contacts the SSA via a FO in-person visit, mail, or phone call to the FO or TSC.
If the FO or TSC can interview the claimant, the FO or TSC will verify non-medical factors.
If the FO or TSC is not available to interview the claimant, the FO or TSC will set up an in-office or telephone interview.
During the interview, the Field Office personnel determine if the claimant is eligible for Title XVI benefits. If the claimant does not qualify for Title XVI benefits, the claimant can continue or stop the filing of the application.
Claimants that are eligible for Title XVI benefits complete the application form. The field office personnel enter the Title XVI application data into MSSICS.
The field office personnel's review determines the claimant's effective filing date and verifies the claimant's identify via the Numident.
The field office personnel adjudicate the application.
The claims data is sent to the SSI Exception Controls Systems.
The Title XVI ODS receives data from the SSI Exception Controls System.
The Title XVI Datawarehouse/ SSIPT are updated with the summary data of the processing time of SSI Aged claims.
SSA retrieves the indicator results from the SSA Intranet and reports the results on the PAR.

Appendix D
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date: October 11, 2005

To: Patrick P. O'Carroll, Jr.
Inspector General

From: Larry W. Dye
Chief of Staff

Subject: Office of the Inspector General (OIG) Draft Report "Performance Indicator Audit: Claims Processing" (A-15-05-15114) -- INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the draft report content and recommendations are attached.

Let me know if we can be of further assistance. Staff inquiries may be directed to Candace Skurnik, Director, Audit Management and Liaison Staff on extension 54636.

Attachment:
SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "PERFORMANCE INDICATOR AUDIT: CLAIMS PROCESSING"
(A-15-05-15114)

Thank you for the opportunity to review and comment on the draft report. We acknowledge the findings and intent of the recommendations. We recognize that the objective of the audit was to review the Fiscal Year (FY) 2004 Performance and Accountability Report (PAR). Nonetheless, we believe the report should have noted where SSA has recognized shortcomings and has undertaken corrective actions.

Our specific responses to the report's recommendations are provided below.

Recommendation 1

Specific to the performance indicator, "Number of Initial Disability Claims Pending:" maintain the detailed data used to calculate the performance indicator results that are reported in the PAR.

Comment

We disagree. Although the report acknowledges system capacity is a compelling factor for not maintaining data for tracing data integrity, the diversion of already limited resources to support such activity is equally compelling. Satisfying this recommendation would require SSA to preserve and maintain, among other things, data transactions, source code, multiple versions of software and the operating system in use during the potential audit review period. Staff would then need to be available to reconstruct all this to support an audit. The magnitude of such an effort would seriously impede work to implement new information technology supported processes that support SSA programs and their clients. We have recommended to OIG and PwC representatives that they take advantage of real-time auditing, and they agreed to explore such an option for subsequent fiscal year audits.

Moreover, the data from the Disability Insurance Operational Data Store (DIODS) is used to determine the number of disability claims pending. Office of Management and Budget's (OMB) Circular A-11, section 230f states "Performance data need not be perfect to be reliable, particularly if the cost and effort to secure the best performance data will exceed the value of any data so obtained". Therefore, since PwC was able to recalculate the results using summary data from DIODS, we suggest PwC revise their statement in Findings that they could not consider the data reliable.

Recommendation 2

Specific to the performance indicator, "RSI Claims Processed:" clearly articulate a direct linkage of the performance indicator to the Agency's strategic goals and objectives. If possible, include claims processed from internet or a description of technology investments that support the strategic objective. If this cannot be done, SSA should disclose the reason why this indicator is linked to the relevant strategic goal and objective.

Comment

We agree. We have enhanced language in the FY 2005 PAR to make this linkage more apparent.

Recommendation 3

Specific to the performance indicators, "Number of Initial Disability Claims Pending" and "RSI Claims Processed:" maintain an audit trail for SSA Claims Control System (SSACCS) that captures the user ID, terminal, date and time the transaction was processed. Policies and procedures should be implemented requiring a review of the audit trail for inappropriate access or processing of transactions.

Comment

We disagree. SSACCS is only a secondary source for claims processing data. All cases have some Modernized Claims Systems (MCS) involvement (and the attendant audit trail), but in cases (approximately 6%) where MCS does not provide all of the data necessary to calculate a pending or processed count, SSACCS data are used.

Because SSACCS will be phased out, it is not cost-effective to invest resources for enhancing this system to provide the audit trail PwC recommends. Again, we refer to OMB's Circular A-11 guidance in section 230.f, mentioned above.

Recommendation 4

Specific to the performance indicator, "Percent of SSI Aged Claims Processed by the Time the First Payment is Due or within 14 Days of the Effective Filing Date:" ensure that the Title XVI Datawarehouse UNIX system is configured to be in compliance with the SSA Risk Model and government guidelines from the National Institute of Standards and Technology (NIST) and the Defense Information Security Agency (DISA). Ensure that the Title XVI Datawarehouse Oracle database is configured to be in compliance with the SSA Security Handbook. Create a risk model for the Oracle database that is in compliance with the SSA Security Handbook and Government guidelines.

Comment

We agree with the intent of the recommendation, but not its breadth.

Concerning PwC's finding that the T16 Datawarehouse was non-compliant with settings in the risk model, we concur and have already taken corrective action.

Although SSA reviews NIST and DISA guidelines when updating each operating system Risk Model, full adoption of the guidelines would adversely affect the Agency's ability to conduct its core business under the current Information Technology (IT) environment. Moreover, the recommendations made are frequently not applicable to SSA systems environment because we do not utilize the specific components of the operating system discussed in these documents, or because SSA is using that component in a manner different than that envisioned by NIST or DISA.

Therefore, it would be inappropriate for the Agency to state we are in full compliance with these guidelines for the reasons stated above. However, the Agency has implemented the guidelines where they are applicable to our processing environment. We believe our configuration management program affords the Agency the best possible protections while also supporting our core business processes.

Recommendation 5

Specific to the performance indicators, "RSI Claims Processed" and "Percent of SSI Aged Claims Processed by the Time the First Payment is Due or within 14 Days of the Effective Filing Date:" maintain documentation that describes how the performance indicator goals were established, document the policies and procedures used to prepare and report the results of the performance indicators, and keep a complete audit trail.

Comment

We agree. Policies and procedures have been developed and were provided to the auditors. This should be acknowledged in their final report.

Recommendation 6

Ensure the "least privileged access" principle is in place for SSA personnel that have the ability to directly modify, create or delete the datasets used to calculate the results of this indicator.

Comment

We agree. SSA is in the midst of reevaluating access rights for all its programmatic and administrative systems. Much progress has been made, and we are pleased to report that the systems SSA identified as the most tempting for high-risk activity have been successfully secured. We continue to address the remaining systems. Both the Integrated Work Management System and T16 Operational Datastore, specifically noted in this report, have been recently evaluated and action has been taken to restrict access and monitor programmers' interactions with these systems.

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.