Date: May 2, 2008
To: The Commissioner
From: Inspector General
Subject: Performance Indicator Audit: Earnings Information (A-15-07-17126)
We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 13 of the 
  Social Security Administration's (SSA) performance indicators established to 
  comply with the Government Performance and Results Act. Attached is the final 
  report presenting the results of two of the performance indicators PwC reviewed. 
  For the performance indicators included in this audit, PwC's objectives were 
  to:
  Assess the effectiveness of internal controls and test critical controls over 
  data generation, calculation, and reporting processes for the specific performance 
  indicator. 
  Assess the overall reliability of the performance indicator's computer processed 
  data. Data are reliable when they are complete, accurate, consistent and not 
  subject to inappropriate alteration.
  Test the accuracy of results presented and disclosed in SSA's Fiscal Year 2006 
  and 2007 Performance and Accountability Reports.
  Assess if the performance indicator provides a meaningful measurement of the 
  program it measures and the achievement of its stated objective. 
This report contains the results of the audit for the following indicators.
Issue annual SSA-initiated Social Security Statements to eligible individuals 
  age 25 and older.
  Remove 3 percent of the earnings items that remain in the Earnings Suspense 
  File for a new tax year and post the earnings to the correct earnings records.
  
  Please provide within 60 days a corrective action plan that addresses each recommendation. 
  If you wish to discuss the final report, please call me or have your staff contact 
  Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.
Patrick P. O'Carroll, Jr.
OFFICE 
  OF
  THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
PERFORMANCE 
  INDICATOR AUDIT:
  EARNINGS INFORMATION
May 2008
  
  A-15-07-17126
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
 Conduct and supervise independent and objective audits and investigations 
  relating to agency programs and operations.
  Promote economy, effectiveness, and efficiency within the agency.
  Prevent and detect fraud, waste, and abuse in agency programs and operations.
  Review and make recommendations regarding existing and proposed legislation 
  and regulations relating to agency programs and operations.
  Keep the agency head and the Congress fully and currently informed of problems 
  in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
 Independence to determine what reviews to perform.
  Access to all information necessary for the reviews.
  Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management 
  by proactively seeking new ways to prevent and deter fraud, waste and abuse. 
  We commit to integrity and excellence by supporting an environment that provides 
  a valuable public service while encouraging employee development and retention 
  and fostering diversity and innovation.
  
  MEMORANDUM 
Date: April 24, 2008
  To: Inspector General
  From: PricewaterhouseCoopers, LLP
  Subject: Performance Indicator Audit: Earnings Information (A-15-07-17126)
OBJECTIVE
The Government Performance and Results Act (GPRA) of 1993 requires that the Social Security Administration (SSA) develop performance indicators that assess the relevant service levels and outcomes of each program activity. GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance.
Our audit was conducted in accordance with generally accepted government auditing standards for performance audits. For the performance indicators included in this audit, our objectives were to:
1. Assess the effectiveness of internal controls and test critical controls over the data generation, calculation, and reporting processes for the specific performance indicator.
2. Assess the overall reliability of the performance indicator's computer processed data. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.
3. Test the accuracy of results presented and disclosed in the Fiscal Year (FY) 2006 and 2007 Performance and Accountability Reports (PAR).
4. Assess if the performance indicator provides a meaningful measurement of 
  the program it measures and the achievement of its stated objective.
  
  BACKGROUND
We audited the following performance indicators as stated in the SSA FY 2006 or 2007 PAR:
Performance Indicator Goal Reported Results
  Issue annual SSA-initiated Social Security Statements [Statement] to eligible 
  individuals age 25 and older. FY 2007
  100% FY 2007 Actual
  100%
  Remove 3 percent of the earnings items that remain in the Earnings Suspense 
  File (ESF) for a new tax year and post the earnings to the correct earnings 
  records. FY 2006
  3% FY 2006 Actual
  1%
SSA administers the Old-Age and Survivors Insurance (OASI), Disability Insurance (DI), and Supplemental Security Income (SSI) programs. The OASI program, authorized by Title II of the Social Security Act (Act), provides income for eligible workers and eligible members of their families and survivors. The DI program, also authorized by Title II of the Act, provides income for eligible workers with qualifying disabilities and eligible members of their families before those workers reach retirement age. The SSI program, authorized by Title XVI of the Act, was designed as a needs-based program to provide or supplement the income of aged, blind, and/or disabled individuals with limited income and resources.
Widely considered the Nation's most successful domestic Federal program, Social Security provides a basic level of protection to all covered workers based on their past earnings. Because of the importance of the earnings records, SSA management continuously strives to improve the integrity of earnings information. The two indicators reviewed and discussed in this report measure management's ongoing efforts to ensure the accuracy of earnings record information retained by SSA.
For several years, SSA has been issuing annual Statements to eligible individuals. These Statements are provided to improve communications with the public and improve the accuracy of earnings information retained by SSA. SSA provides the Statements in two ways.
1. "To all eligible individuals (Social Security Number [SSN] holders 
  age 25 and older who are not yet in benefit status and for whom SSA can determine 
  a current mailing address)," and 
  
  2. At any time to workers of any age who request them. 
The Statement is a record of the earnings on which individuals have paid Social Security taxes during working years and a summary of the estimated benefits the individuals and their families may receive as a result of those earnings. SSA intends for the Statements to be used in several ways, including identification of earnings mistakes by the individuals receiving the Statements.
SSA receives Wage and Tax Statements (W-2) from employers and self-employment earnings from the Internal Revenue Service (IRS). The annual earnings posting cycle for receiving and validating these data, including identifying and posting corrections, is approximately 2 years. SSA receives approximately 250 million earnings records annually and attempts to match these earnings records against the master record of all issued SSNs. Without a match, SSA is unable to post the reported earnings to the appropriate record, and these earnings are placed in the ESF.
Records are posted to the ESF for a number of reasons, including:
Earnings records fail the name and SSN validation test.
  Earnings records consist of invalid SSNs.
  SSA records indicate that the individual is under age 7. These records are assigned 
  a special indicator of Young Children's Earnings (YCER).
  SSA records indicate the individual is deceased. These records are assigned 
  a special indicator of Earnings After Death (EAD).
  An individual informs SSA that posted earnings are erroneous.
SSA management told us that approximately 10 percent of the received earnings records do not initially match SSA data. SSA has developed several computerized matching processes to correct these suspended records and is typically able to match 64 percent (16 million) of the initially suspended records. As a result, approximately 9 million unmatched or suspended records are added to the ESF each year. The ESF contains over 250 million suspended records.
RESULTS OF REVIEW
We did not identify any significant findings related to the internal controls, 
  data reliability, meaningfulness, accuracy of presentation, or disclosure of 
  the information for the indicator "Issue annual SSA-initiated Social Security 
  Statements to eligible individuals age 25 and older." 
  However, our assessment revealed areas for improvement related to internal controls, 
  data reliability, and the accuracy and completeness of the results presented 
  and disclosed in the PAR for the indicator "Remove 3 percent of the earnings 
  items that remain in the Earnings Suspense File (ESF) for a new tax year and 
  post the earnings to the correct earnings records." We also noted that 
  previously reported internal control weaknesses related to this indicator had 
  not been remediated by the Agency.
Issue annual SSA-initiated Social Security Statements to eligible individuals age 25 and older
Indicator Background
In line with improving the public's knowledge of Social Security programs is the issuance of the Statement. The Statement informs workers of their posted earnings for each year, provides Old-Age, Survivors and Disability Insurance (OASDI) benefits estimates, and provides valuable information about Social Security programs and services. The Statement allows workers to ensure the accuracy of SSA's information regarding their earnings and better plan for their financial future.
The Agency is required to be in compliance with section 1143 of the Act, which mandates the issuance of Statements to individuals age 25 and older who are not yet in benefit status and for whom SSA can determine a current mailing address. This allows SSA to educate workers and help them begin planning for retirement earlier by providing them with estimated future benefit payments. The Agency established this performance indicator to highlight the importance of providing this service.
SSA produces Statements using weekly and daily operations. The weekly operation is as follows.
A file is created based on a query of the Numident for individuals who are 
  25 or older and are not deceased.
  This file is cross-referenced against the Personal Earnings and Benefit Estimate 
  Statement (PEBES) data file for individuals who have received statements within 
  
  1 year. If a match is found, the individual will not receive a second statement.
  The file is next compared against the Master Beneficiary Record (MBR) and Claims 
  Control file to determine whether the individual is receiving benefits or has 
  a claim pending. If this condition occurs, the individual will not receive a 
  statement. 
  Finally, the individuals' addresses are obtained from the Internal Revenue Service 
  or a Territory File. 
After successful completion of the weekly operation, the Statement information is run through a daily operation that includes the following.
The file is checked for multiple SSNs and current claim benefits.
  The individuals' earnings information and insured status is obtained from the 
  Master Earnings File (MEF). SSA works to resolve any errors noted with the earnings 
  records.
  The individuals' benefit estimates are calculated.
  The individuals' Statements are transmitted for printing. If an exception in 
  the Statement occurs, it is sent to the Target Notice Architecture for resolution.
  An SSA contractor prints and mails the Statements.
The purpose of this indicator is to " ensure that all eligible individuals are issued an annual Social Security Statement as required by law." However, it should be noted that SSA is not able to confirm receipt of these Statements by the eligible individuals, only that the Statements were sent. An OIG review found that Statements were being returned to SSA as undeliverable. OIG also suggested that SSA should consider allowing access to the Statement on-line for those individuals who would like the opportunity to obtain and view a Statement on-line.
The calculation is performed by dividing the total number of Statements that are initiated by SSA (SSA-Initiated Personal Earnings and Benefit Estimate Statement [SIPEBES]) issued during the FY by the total number of SIPEBES required to be sent by law during the FY.
Performance Indicator Calculation
Percentage of SSA-Initiated Social Security Statements to Eligible Individuals 
  Age 25 and Older Issued
= Total number of SIPEBES issued during the fiscal year
  Total number of SIPEBES required to be sent by law during the fiscal year
Findings
We did not identify any significant findings related to the internal controls, data reliability, accuracy of presentation, meaningfulness, or disclosure of the information related to this indicator contained in the FY 2007 PAR.
Remove 3 percent of the earnings items that remain in the Earnings Suspense File (ESF) for a new tax year and post the earnings to the correct earnings records
Indicator Background
This indicator supports the Agency's objective of "Ensure the accuracy of earnings records so that eligible individuals can receive the proper benefits due them." Earnings are the primary basis for determining the amount of benefits payable to OASDI beneficiaries. When an earnings report (W-2 or a report of self-employment income) cannot immediately be matched with an individual because of inconsistent identifying data (name or SSN), the reported earnings are placed in the ESF until the Agency succeeds in properly associating the earnings to the right individual.
SSA's Offices of Quality Performance (OQP) and Systems continue to develop and implement automated matching software to analyze the approximately 9 million records added annually to the ESF. Using various algorithms, the software attempts to match information in the ESF with SSA's master record information. The matching software is typically run against the ESF at the end of each tax reporting period. The result for this indicator is determined by comparing the number of items added to the ESF for a tax year to the number of items later removed by the matching software, which is recorded in the Reinstates File. SSA had developed and implemented matching software with the goal of reducing the ESF by 3 percent in the current year; however, in the FY 2006 performance period, the number of items removed from the ESF did not result in the anticipated success rate.
At the end of the fiscal year, OQP obtains a copy of the ESF and Reinstates Files from the Office of Systems. OQP personnel count the number of items in the ESF for the tax year. OQP personnel then count the number of Origin of Validation Reinstatement (OVR) codes of 40 and 45 in the Reinstates File (this indicates those items that were reinstated by the new procedures developed by OQP and the Office of Systems).
The calculation is performed by dividing the count of items noted with the codes of 40 or 45 in the Reinstates File by the count of items in the ESF for the tax year under review plus the number of OVR codes of 40 or 45 in the Reinstates file. The result of this calculation is multiplied by 100 to show the result as a percentage.
Performance Indicator Calculation
Performance 
  = Total number of OVR codes 40 & 45
  (Total number of items in ESF + Total number of OVR codes 40 & 45) X 100
Findings
Six members of OQP's programming staff and three operational personnel had 
  the "All" access designation (within the Top Secret security software) 
  to the Reinstates File dataset used to calculate the indicator results. This 
  level of access allows users to create, delete and modify any of the data (or 
  datasets) contained in the datasets we reviewed. Therefore, the data used to 
  calculate the performance indicator could be inappropriately modified and could 
  impact the results of this performance indicator. This level of access prevents 
  SSA from ensuring the integrity of these production data. By allowing programming 
  personnel to have the "All" access designation, SSA is not conforming 
  to Office of Management and Budget Circular A-130, Management of Federal Information 
  Resources, Appendix III, Security of Federal Automated Information Resources, 
  principles of "least privilege" or segregation of duties. Therefore, 
  the data cannot be considered reliable since the access control issue created 
  the potential for inappropriate alteration. 
  
  Further, we noted that the Reinstates File retains the most recent data and 
  previous earnings records that were reinstated for the same individual are not 
  included in the performance indicator calculation of earnings records removed. 
  Specifically, SSA does not include counts that could not be validated and/or 
  explained by the OQP process. SSA management could not determine the extent 
  of the understatement. As a result, the actual results of the performance indicator 
  could not be completely and accurately calculated. 
In addition, SSA management did not maintain an independent copy of the ESF and Reinstates File used to calculate this indicator. As a result, we were given the OQP copy of the ESF and Reinstates File extracts for our recalculation testing. Because archives of the ESF and Reinstates File were not maintained and no copies of the extracts were maintained independently, we could not verify and validate that the extracts provided by OQP were accurate and complete.
Lastly, during our review of the narrative information contained in the PAR related to this performance indicator, we identified an inconsistency between the data definition and the stated FY 2006 indicator goal. The FY 2006 goal for this indicator was 3 percent; however, the second sentence of the data definition states, "The five percent reduction will be achieved by using new matching routines developed by the Office of Quality Performance (OQP) and Office of Systems." Although the goal of this performance indicator was not met, this inconsistency could cause confusion for the users of the PAR.
As of February 25, 2008, SSA's Annual Performance Plan did not include this indicator as a performance measure.
CONCLUSION AND RECOMMENDATIONS
The indicator, "Remove 3 percent of the earnings items that remain in the Earnings Suspense File (ESF) for a new tax year and post the earnings to the correct earnings records," is no longer included in SSA's Annual Performance Plan. However, if this or a similar indicator is reported in the future, as a best practice SSA should:
Ensure the performance indicator titles, definitions, and goals presented in the PAR are accurate and consistent.
Disclose in the PAR the limitations within the ESF and Reinstates File that may have resulted in the potential understatement of the results for these performance indicators.
Maintain an independent audit trail including the computer files used to perform the calculations.
In addition, based on our testing, we recommend SSA:
1. Restrict access to the OQP copies of the ESF and Reinstates File based on the concept of least privilege access.
AGENCY COMMENTS
The Agency agreed with our recommendation. However, based on technical comments provided separately by SSA, we made a slight change to the wording of the recommendation for clarity purposes. The Agency's comments are included in Appendix D.
 Appendices
  APPENDIX A - Acronyms
  APPENDIX B - Scope and Methodology
  APPENDIX C - Process Flowcharts 
  APPENDIX D - Agency Comments
Appendix A
  Acronyms
  Act Social Security Act
  DACUS Death Alert Control and Update System
  DI Disability Insurance
  EAD Earnings after Death
  ESF Earnings Suspense File
  FY Fiscal Year
  GAO Government Accountability Office
  GPRA Government Performance and Results Act
  IRS Internal Revenue Service
  ISSH Information System Security Handbook
  IST Intelligence Search Technology
  JFMIP Joint Financial Management Improvement Program
  MBR Master Beneficiary Record
  MEF Master Earnings File
  OASDI Old-Age, Survivors and Disability Insurance
  OASI Old-Age and Survivors Insurance
  OEEAAS Office of Earnings, Enumeration, and Administrative Systems
  OMB Office of Management and Budget
  OQP Office of Quality Performance
  OVR Origin of Validation Reinstatement
  PAR Performance and Accountability Report
  PEBES Personal Earnings and Benefit Estimate Statement
  PwC PricewaterhouseCoopers
  SIPEBES SSA-Initiated Personal Earnings and Benefit Estimate Statement
  SSA Social Security Administration
  SSI Supplemental Security Income
  SSN Social Security Number
  SSR Supplemental Security Record
  Statement Social Security Statement
  U.S.C. United States Code
  W-2 Wage and Tax Statements
  YCER Young Children's Earnings
  
  Appendix B
  Scope and Methodology
  We updated our understanding of the Social Security Administration's (SSA) Government 
  Performance and Results Act (GPRA) processes. This was completed through research 
  and inquiry of SSA management. We also requested SSA provide various documents 
  regarding the specific programs being measured as well as the specific measurement 
  used to assess the effectiveness and efficiency of the related program.
Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following.
Reviewed prior SSA, Government Accountability Office, Office of the Inspector 
  General and other reports related to SSA's GPRA performance and related information 
  systems.
  Reviewed applicable laws, regulations and SSA policy. 
  Met with the appropriate SSA personnel to confirm our understanding of the performance 
  indicators.
  Flowcharted the processes (see Appendix C).
  Tested key controls related to manual or basic computerized processes (for example, 
  spreadsheets, databases, etc.).
  Conducted and evaluated tests of the manual controls within and surrounding 
  each of the critical applications to determine whether the tested controls were 
  adequate to provide and maintain reliable data to be used when measuring the 
  specific indicators. 
  Identified attributes, rules, and assumptions for each defined data element 
  or source document.
  Recalculated the metrics or algorithms of the performance indicators to ensure 
  mathematical accuracy.
  Assessed the completeness and accuracy of the data to determine the data's reliability 
  as they pertain to the objectives of the audit and intended use of the data.
As part of this audit, we documented our understanding, as conveyed to us by Agency personnel, of the alignment of the Agency's mission, goals, objectives, processes, and related performance indicators. We analyzed how these items interacted with related processes within SSA and the existing measurement systems. Our understanding of the Agency's mission, goals, objectives, and processes were used to determine if the performance indicators appear to be valid and appropriate given our understanding of SSA's mission, goals, objectives and processes.
We followed all performance audit standards in accordance with generally accepted government auditing standards.
In addition to these steps, we specifically performed the following to test the indicators included in this report.
Specific to the performance indicator, "Issue annual SSA-initiated Social Security Statements to eligible individuals age 25 and older"
Inspected relevant policies and procedures as necessary.
  Reviewed the extraction codes including the elimination process for the NUMIDENT, 
  Personal Earnings and Benefit Estimate Statement, Master Beneficiary Record 
  (MBR) and Territory Address Files.
  Reviewed access to extraction files to ensure personnel did not have direct 
  dataset access.
  Verified automated codes by conducting data analysis over the MBR, Supplemental 
  Security Record (SSR) and Death Alert Control and Update System (DACUS) data 
  to ensure edits were meeting the required criteria and were working properly.
  Selected a sample of 45 Social Security numbers (SSN) from the NUMIDENT segment 
  and verified statements were sent or had met extraction criteria.
  Selected a sample of 45 history records transmitted for printing and verified 
  PEBES history file was updated.
Specific to the performance indicator, "Remove 3 percent of the earnings items remaining in the Earning Suspense File (ESF) for a new tax year and post the earnings to the correct earnings records"
Inspected relevant policies and procedures as necessary.
  Reviewed relevant documentation for the sources of the data included on the 
  ESF and the Reinstates File, the matching routines for suspended records and 
  the process for reinstating those records to the Master Earnings File (MEF).
  Reviewed the process for controlling access to the ESF and Reinstates File and 
  tested the appropriateness of the access privileges granted to the Reinstates 
  File and ESF for a selection of SSA personnel.
  Sampled 45 lead SSNs to verify corresponding MEF, NUMIDENT, and Intelligence 
  Search Technology score data were correctly assigned. 
  Reviewed counts for matching routines to verify SSNs were assigned appropriate 
  codes during phase matching routines.
  Recalculated the results of the performance indicator by obtaining a copy of 
  the Reinstates File and ESF extracts and determining the number of records that 
  were posted to the Reinstates File from Calendar Year 2002 based on Office of 
  Quality Performance matching processes and ESF records from Calendar Year 2002.
Appendix C
  Process Flowcharts
Issue Annual Social Security Administration-Initiated Social Security Statements to Eligible Individuals Age 25 and Older - Flowchart
Issue Annual Social Security Administration-Initiated Social Security Statements to Eligible Individuals Age 25 and Older - Narrative
The following occurs during the weekly operation.
  o Select names by age range (>= 25 years) and no death record from the NUMIDENT.
  o Eliminate if received Personal Earnings and Benefit Estimate Statement (PEBES) 
  within 1 year - input is received from the PEBES file to complete.
  o Eliminate if receiving benefits or if claim is pending within one year. Determined 
  through input from the Master Beneficiary Record (MBR) and Claims Control file.
  o Obtain taxpayer addresses from Internal Revenue Service or Territory Files.
The following occurs during the daily operation.
  o Combine records with multiple Social Security numbers (SSN) and re-check for 
  claim benefits.
  o Obtain earnings record and determine insured status from the Master Earnings 
  File (MEF).
  o Resolve earnings record problems.
  o Calculate benefit estimates.
  o Save history record, transmit for printing; send exceptions to Target Notice 
  Architecture.
  o Send information to the printing and mailing contractor.
  o Social Security Statements are sent.
  o Executive Management Information System updated.
  o Reporting of performance measure results in the Performance and Accountability 
  Report (PAR).
  
  Remove 3 Percent of the Earnings Items That Remain in the Earnings Suspense 
  File (ESF) for a New Tax Year and Post the Earnings to the Correct Earnings 
  Records - Flowchart 
Remove 3 Percent of the Earnings Items That Remain in the Earnings Suspense File (ESF) for a New Tax Year and Post the Earnings to the Correct Earnings Records - Narrative
Office of Quality Performance (OQP) receives copy of suspense file from Office 
  of Systems.
  OQP creates snapshot copy of suspense file. Note: There is a four year lag between 
  the tax year and year calculated.
  OQP separates suspense items into categories.
  OQP assigns unique control numbers and obtains NUMIDENT and MEF characteristics.
  OQP creates snapshot copy of Reinstate Files.
  OQP creates ALPHADENT file from the NUMIDENT.
  Perform matching routine (Phase 5). Lead Social Security Number (SSN) = Suspense 
  SSN.
  Perform matching routine (Phase 6). Match Suspense SSN to Reported SSN.
  Perform matching routine (Phase 7). Match Suspense Name to Reported Name and 
  Suspense Employer Identification Number (EIN) to Reported EIN.
  Perform matching routine (Phase 8). Match Suspense name to ALPHADENT names.
  OQP loads focus database with lead SSN data characteristics.
  Decision tree program executed to identify the lead SSNs that meet testing criteria.
  Load Postit Focus database with Suspense and Lead SSN data.
  OQP creates CRKver file and sends to Office of Systems.
  Office of Systems assigns Origin of Validation Reinstatement (OVR) codes 40 
  and 45 to items posted by OQP.
  OQP uses the count of items noted with the code of 40 or 45 in the Reinstates 
  file and divides this number by the count of items in the Earnings Suspense 
  File (ESF) for the tax year under review, plus the number of OVR codes of 40 
  or 45 in the Reinstates file.
  The result of this calculation is multiplied by 100 to show the result as a 
  percentage.
  Reporting of 'Remove 3 percent of the earnings items that remain in the ESF 
  for a new tax year and post the earnings to the correct earnings records' in 
  the Performance and Accountability Report.
  
  Appendix D
  Agency Comments
  
  SOCIAL SECURITY
MEMORANDUM
Date: April 24, 2008 
  
  To: Patrick P. O'Carroll, Jr.
  Inspector General
From: David V. Foster 
  Chief of Staff
Subject: Office of the Inspector General (OIG) Draft Report, "Performance Indicator Audit: Earnings Information" (A-15-07-17126)--INFORMATION
We appreciate OIG's efforts in conducting this review. Our comments regarding the draft report and response to the recommendation are attached.
Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S DRAFT REPORT, "PERFORMANCE INDICATOR AUDIT: EARNINGS INFORMATION" (A-15-07-17126)
Thank you for the opportunity to review and provide comments on this draft report. In the report, you acknowledge that the performance indicator, "Remove 3 percent of the earnings items that remain in the Earnings Suspense File (ESF) for a new tax year and post the earnings to the correct earnings records," is no longer included in our Annual Performance Plan. However, during your review you identified three "best practices" we should consider, such as: 1) ensure the performance indicator titles, definitions, and goals presented in the Performance and Accountability Report (PAR) are accurate and consistent; 2) disclose in the PAR the limitations within the ESF and Reinstates File that may have resulted in the potential understatement of the results for these performance indicators; and 3) maintain an independent audit trail including the computer files used to perform the calculations. We agree with these "best practices" and will incorporate them if this, or a similar performance indicator, is reported in the future.
Recommendation
Restrict access to the ESF and Reinstates File based on the concept of least privilege access.
Comment
We agree. We are currently working on evaluating access utilizing the Standardized Security Profile Project (SSPP). As part of our execution of SSPP, we will review users' access to the files identified in this review and will reduce those users to "least privilege" access. We expect to complete this task no later than September 2010.
 Overview of the Office of the Inspector General
  The Office of the Inspector General (OIG) is comprised of an Office of Audit 
  (OA), Office of Investigations (OI), Office of the Chief Counsel to the Inspector 
  General (OCCIG), Office of External Relations (OER), and Office of Technology 
  and Resource Management (OTRM). To ensure compliance with policies and procedures, 
  internal controls, and professional standards, the OIG also has a comprehensive 
  Professional Responsibility and Quality Assurance program. 
  
  Office of Audit
  OA conducts financial and performance audits of the Social Security Administration's 
  (SSA) programs and operations and makes recommendations to ensure program objectives 
  are achieved effectively and efficiently. Financial audits assess whether SSA's 
  financial statements fairly present SSA's financial position, results of operations, 
  and cash flow. Performance audits review the economy, efficiency, and effectiveness 
  of SSA's programs and operations. OA also conducts short-term management reviews 
  and program evaluations on issues of concern to SSA, Congress, and the general 
  public.
  
  Office of Investigations
  OI conducts investigations related to fraud, waste, abuse, and mismanagement 
  in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, 
  contractors, third parties, or SSA employees performing their official duties. 
  This office serves as liaison to the Department of Justice on all matters relating 
  to the investigation of SSA programs and personnel. OI also conducts joint investigations 
  with other Federal, State, and local law enforcement agencies.
  
  Office of the Chief Counsel to the Inspector General
  OCCIG provides independent legal advice and counsel to the IG on various matters, 
  including statutes, regulations, legislation, and policy directives. OCCIG also 
  advises the IG on investigative procedures and techniques, as well as on legal 
  implications and conclusions to be drawn from audit and investigative material. 
  Also, OCCIG administers the Civil Monetary Penalty program.
  
  Office of External Relations
  OER manages OIG's external and public affairs programs, and serves as the principal 
  advisor on news releases and in providing information to the various news reporting 
  services. OER develops OIG's media and public information policies, directs 
  OIG's external and public affairs programs, and serves as the primary contact 
  for those seeking information about OIG. OER prepares OIG publications, speeches, 
  and presentations to internal and external organizations, and responds to Congressional 
  correspondence. 
  
  Office of Technology and Resource Management
  OTRM supports OIG by providing information management and systems security. 
  OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, 
  and human resources. In addition, OTRM is the focal point for OIG's strategic 
  planning function, and the development and monitoring of performance measures. 
  In addition, OTRM receives and assigns for action allegations of criminal and 
  administrative violations of Social Security laws, identifies fugitives receiving 
  benefit payments from SSA, and provides technological assistance to investigations.