Date: May 16, 2008
To: The Commissioner
From: Inspector General
Subject: Performance Indicator Audit: Postentitlement Actions (A-15-07-17130)
We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 13 of the Social Security Administration's (SSA) performance indicators established to comply with the Government Performance and Results Act. Attached is the final report presenting the results of three of the performance indicators PwC reviewed.
For the performance indicators included in this audit, PwC's objectives were to:
Assess the effectiveness of internal controls and test critical controls over data generation, calculation, and reporting processes for the specific performance indicator.
Assess the overall reliability of the performance indicator's computer processed data. Data are reliable when they are complete, accurate, consistent and not subject to inappropriate alteration.
Test the accuracy of results presented and disclosed in SSA's Fiscal Year 2006 and 2007 Performance and Accountability Reports.
Assess if the performance indicator provides a meaningful measurement of the program it measures and the achievement of its stated objective.
This report contains the results of the audit for the following indicators:
Number of SSI [Supplemental Security Income] disabled beneficiaries earning at least $100 per month.
Number of Supplemental Security Income (SSI) non-disability redeterminations processed.
Number of periodic CDRs [Continuing Disability Reviews] processed to determine continuing entitlement based on disability.
Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.
Patrick P. O'Carroll, Jr.
OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
PERFORMANCE INDICATOR AUDIT: POSTENTITLEMENT ACTIONS
May 2008
A-15-07-17130
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
MEMORANDUM
Date: May 1, 2008
To: Inspector General
From: PricewaterhouseCoopers, LLP
Subject: Performance Indicator Audit: Postentitlement Actions (A-15-07-17130)
OBJECTIVE
The Government Performance and Results Act (GPRA) of 1993 requires that the Social Security Administration (SSA) develop performance indicators that assess the relevant service levels and outcomes of each program activity. GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance.
Our audit was conducted in accordance with generally accepted government auditing standards for performance audits. For the performance indicators included in this audit, our objectives were to:
1. Assess the effectiveness of internal controls and test critical controls over the data generation, calculation, and reporting processes for the specific performance indicator.
2. Assess the overall reliability of the performance indicator's computer processed data. Data are reliable when they are complete, accurate, consistent and not subject to inappropriate alteration.
3. Test the accuracy of results presented and disclosed in SSA's Fiscal Year (FY) 2006 and 2007 Performance and Accountability Reports (PAR).
4. Assess if the performance indicator provides a meaningful measurement of the program it measures and the achievement of its stated objective.
BACKGROUND
We audited the following performance indicators, as stated in the SSA FY 2006 or FY 2007 PAR.
Performance Indicator | Goal | Reported Results
Number of SSI [Supplemental Security Income] disabled beneficiaries earning at least $100 per month | FY 2006: 268,419 | FY 2006 Actual: 247,143
Number of Supplemental Security Income (SSI) non-disability redeterminations [(RZ)] processed | FY 2007: 1,026,000 | FY 2007 Actual: 1,038,948
Number of periodic CDRs [Continuing Disability Reviews] processed to determine continuing entitlement based on disability | FY 2007: 729,000 | FY 2007 Actual: 764,852
SSA administers the Old-Age and Survivors Insurance (OASI), Disability Insurance (DI), and SSI programs. The OASI program, authorized by Title II of the Social Security Act (Act), provides income for eligible workers and for eligible members of their families and survivors. The DI program, also authorized by Title II of the Act, provides income for eligible workers with qualifying disabilities and for eligible members of their families, before those workers reach retirement age. The SSI Program, authorized by Title XVI of the Act, was designed as a needs-based program to provide or supplement the income of aged, blind, and/or disabled individuals with limited income and resources.
To ensure continuous and correct payment of claims, SSA periodically performs reassessments of SSI recipients' non-medical factors (SSI Non-Disability RZs) as well as reassessments of DI and SSI beneficiaries' disability factors (periodic CDRs) to determine ongoing benefit eligibility.
SSI RZs are post-eligibility reviews of SSI non-medical factors, such as income, resources, and living arrangements. This information is used to determine recipients' financial eligibility for continued payment. RZs are scheduled based on the likelihood of changes in circumstances that may affect the payment amount. Unscheduled RZs are completed on an "as needed" basis and are triggered when SSA learns of certain changes in circumstances that could affect the continuing SSI payment amount.
SSA completes periodic DI and SSI CDRs to determine whether a disabled individual continues to be medically eligible to receive benefits. Periodic CDRs are required at a minimum of every 3 years unless SSA has determined the disability was classified as permanent, or the beneficiary has enrolled in the Ticket to Work program. Periodic CDRs are conducted by questionnaire (mailer) or by a medical reexamination of the beneficiaries' disability.
RESULTS OF REVIEW
Overall, we found the three indicators to be meaningful. However, our assessment identified issues with internal controls and data reliability for the three indicators in this review. Specifically, we noted weaknesses in the operating effectiveness of access controls related to application transactions. Specific to the indicators, "Number of Supplemental Security Income (SSI) non-disability redeterminations processed" and "Number of periodic CDRs processed to determine continuing entitlement based on disability," we noted programmers had update access to production datasets. It should be noted that during the audit, SSA management took corrective action to address these issues. However, as a result of the internal control weaknesses that existed during the period of review, we did not find the performance indicators data to be reliable.
We did not identify any significant exceptions related to the accuracy of presentation or disclosure of the information related to these indicators contained in the PAR or to the meaningfulness of these indicators.
Number of SSI disabled beneficiaries earning at least $100 per month
Indicator Background
SSA provides work incentive programs to SSI disabled recipients with jobs. These work incentives include the following.
Ticket To Work - This program is designed to assist disabled beneficiaries to obtain employment. Enrollees may use the ticket to obtain the vocational rehabilitation services, employment services, and other support services needed to return to work or go to work for the first time. As long as a beneficiary is using a ticket (as determined under SSA criteria), SSA will not initiate a CDR.
Plan to Achieve Self-Support - This program allows SSI recipients to set employment goals and set aside money for these goals. The wages earned under this program will not affect their SSI eligibility or payment amount.
Special Benefits under sections 1619(a) and (b) of the Act - These programs allow SSI recipients to work without losing SSI and Medicaid eligibility.
Impairment-Related Work Expenses - This program allows SSI recipients to use income to obtain items, such as a cane or wheelchair, without the income used to obtain such items affecting their SSI eligibility or payment amount.
Blind Work Expenses - This program does not count any earned income that an SSI recipient uses to meet expenses that are required for the beneficiary to work. Candidates must be receiving SSI payments due to blindness. Blind work expense items do not have to be related to their blindness.
While participating in the work incentive programs, SSI recipients are required to report their earnings to SSA. The main methods SSA uses to obtain SSI recipients' earnings include the following.
SSI recipients report their earnings to SSA field offices (FO), SSA's 1-800 number, or by sending a letter to SSA. After receipt of the recipients' earnings evidence (such as pay stubs for wages or a tax return for self-employment), FO staff inputs earnings information into the Supplemental Security Record (SSR) via the Modernized Supplemental Security Income Claims System (MSSICS).
SSA uses information contained in the Master Earnings File (MEF) to determine whether there were any unreported earnings or earning discrepancies. The MEF is a data repository for the Earnings Record Maintenance System (ERMS), containing earnings data from employers and the Internal Revenue Service (IRS). The MEF then interfaces with the SSR to provide SSI recipients earnings information in the form of MEF alerts/diaries. This interface occurs in October, February and June. SSA also receives quarterly State wage data from the Office of Child Support Enforcement. As a result, alerts are generated when earned income data on the SSR do not match within predefined tolerance levels with the MEF.
SSA uses the information from the MEF and the Office of Child Support Enforcement to check for any discrepancies. After investigating and reconciling earnings discrepancies, SSA FO staff corrects or posts verified earnings information into MSSICS, if necessary. The Supplemental Security Income Records Maintenance System (SSIRMS) processes the earnings information posted by FO staff to the recipients' SSRs.
Each quarter, the Office of Research, Evaluation, and Statistics receives the Work Incentive File from the Office of Applications and Supplemental Security Income Systems. This file contains terminated and active data records that include beneficiaries' Social Security numbers and earnings information. The type of earnings for each beneficiary is recorded as one of the following categories: S (self-employment), W (wages), C (blind work expense), D (income excluded under approved plan), T (impairment related work expenses), N (net loss), and B (student earned income exclusion). These data elements are extracted and formatted into an Excel file using Statistical Analysis Software. Each quarter, this Excel file is sent to the performance indicator owner in the Office of Retirement and Disability Policy, Office of Employment Support Programs. The performance indicator owner manually calculates the results of the SSI recipients earning at least $100 per month from the Excel spreadsheet. Each quarter, the performance indicator is sent to the Office of Strategic Management (OSM) to be incorporated as part of the centralized performance indicator tracking report.
Performance Indicator Calculation
Number of SSI disabled beneficiaries earning at least $100 per month = Average of the SSI disabled beneficiaries earning at least $100 for the last month of each quarter during the fiscal year
The average number of SSI disabled recipients earning at least $100 per month for the last month of each quarter during the FY is reported in the PAR.
Findings
Internal Controls and Data Reliability
Our review of access controls noted that information technology personnel had excessive and/or unmonitored access to the Customer Information Control System (CICS) screens that allowed updates to SSA data via the programmatic mainframe applications, including MSSICS and ERMS. CICS is a transaction processing system designed for both on-line and batch activity. SSA management did not appropriately monitor access to these transactions. The SSA Information System Security Handbook (ISSH) states, "Access to all SSA functions associated with software or enterprise systems must be managed based on need-to-know and least privilege. This specifically includes changes/updates to software, production jobs, and supporting hardware deployments. This access control maintenance policy must be applied across the SSA enterprise." In addition, Office of Management and Budget (OMB) Circular A-130 requires that agencies implement the practice of least privilege, whereby user access is restricted to the minimum necessary to perform his or her job; and enforce a separation of duties so steps in a critical function are divided among different individuals. It also emphasizes the importance of management controls - such as individual accountability requirements, separation of duties enforced by access controls, and limitations on the processing privileges of individuals - to prevent and detect inappropriate or unauthorized activities.
This issue was noted during the FY 2006 financial statement audit. Also, during the audit timeframe, SSA management began monitoring the IT personnel usage of these transactions. However, because this internal control weakness existed during the period of review, we did not find the performance indicator data to be reliable.
Number of Supplemental Security Income (SSI) non-disability redeterminations processed
Indicator Background
SSI non-disability cases are selected for redeterminations based on the date of the recipients' last RZ and characteristics that distinguish low-error, middle-error, and high-error cases. The selected recipients are tracked in the Post-Entitlement Operational Data Store (PEODS). The RZ data are updated in the SSR, which is the master record for SSI recipients.
Based on error profiles, the cases are assigned either to the Wilkes-Barre Data Operations Center (WBDOC) or an FO. Claims representatives at the FO typically perform high-error profile RZs; however, beginning in October 2006, high-error cases have been released to the WBDOC for processing. These cases are processed in the same manner as the low- and middle-error cases, but using different forms, as discussed below.
Claims representatives (CR) at FOs will handle high-error profile RZs or WBDOC exclusion cases through face-to-face or telephone interviews. SSA requests that the SSI recipients bring financial documentation, such as rent receipts or bank records, to the interviews. During the interview, the CR inputs any changes to the recipients' non-medical factors via MSSICS, which updates the SSR with changes to the recipients' non-medical factors. The SSR provides data to PEODS to update the status of the RZ once it is completed.
Low- and middle-error profile RZs are reviewed by records processing clerks at the WBDOC. SSI recipients are mailed forms to complete and return to the WBDOC. Second requests are mailed out if recipients do not respond to the first mailing within 90 days. If WBDOC does not receive the form within 180 days of the first mailing (90 days from the second mailing) and no disposition data have been posted, the SSI and PEODS systems will automatically transfer control of the RZ to the servicing office. All returned forms are manually reviewed for completeness at the WBDOC. During the mailer reviews, the records processing clerk inputs changes into MSSICS. If "no change" is indicated on the form, a completion indicator is posted to the SSR. The SSR provides data to PEODS to update the status of the RZ once it is completed.
Each week, PEODS transfers the composite high, middle, and low RZ data to the Title XVI Datawarehouse. Once a month, the Division of Cost Analysis reviews the RZ data maintained in the Title XVI Datawarehouse and provides the RZ information to OSM. The year-to-date total of the completed RZs is recorded in the PAR.
Performance Indicator Calculation
Total SSI Non-Disability RZs Processed for FY 2007 = Total Completed RZs for the period of October 1, 2006 to September 28, 2007
Findings
Internal Controls and Data Reliability
Our review of access controls revealed the following issues.
One programmer had unmonitored access to the MSSICS CICS transactions, and this access was not reviewed by SSA management.
One programmer had update access to SSIRMS datasets, and this access was not restricted or reviewed by SSA management.
The SSA ISSH states, "Access to all SSA functions associated with software or enterprise systems must be managed based on need-to-know and least privilege. This specifically includes changes/updates to software, production jobs, and supporting hardware deployments. This access control maintenance policy must be applied across the SSA enterprise." In addition, OMB Circular A-130 requires that agencies implement the practice of least privilege, whereby user access is restricted to the minimum necessary to perform his or her job, and enforce a separation of duties so steps in a critical function are divided among different individuals. It also emphasizes the importance of management controls - such as individual accountability requirements, separation of duties enforced by access controls, and limitations on the processing privileges of individuals - to prevent and detect inappropriate or unauthorized activities.
These issues, which were noted during the FY 2007 financial statement audit, could result in the accidental or inappropriate alteration of the data used to support the performance indicator. It should be noted that during the audit, SSA management began monitoring the programmers' access to the SSIRMS datasets. However, because these internal control weaknesses existed during the period of review, we did not find the performance indicator data to be reliable.
Number of periodic CDRs processed to determine continuing entitlement based on disability
Indicator Background
Periodic CDRs are conducted through full medical reviews or beneficiary-completed questionnaires (mailers). The type of CDR to be completed is determined by the beneficiaries' probability of medical improvement. Beneficiaries with a high probability of medical improvement receive a full medical CDR.
A CDR begins when an FO receives an alert to review a beneficiary's case folder, containing background and medical information on the beneficiary, to determine whether a full medical CDR should be performed. The FO is able to determine the need for a full medical CDR, based on SSA policy. If unable to readily make that decision, it is transferred to the State disability determination services (DDS). The folders identified for full medical CDRs are also transferred to DDS for medical adjudication. The DDS disability adjudicator reviews the folder to determine whether a full medical CDR should be performed. If a full medical CDR is not performed, the beneficiary's record is updated in the Disability Control File and the case is not included in the performance indicator count.
When a full medical CDR is completed by the DDS, the determination of "continuance," "cessation," or "no decision" is input into the National Disability Determination Services System (NDDSS). NDDSS transfers these data to the Disability Operational Data Store (DIODS). DIODS produces the State Agency Operations Report on a monthly basis. Refer to the following formula.
Total full medical CDRs processed = Total recorded medical CDRs less work-issue CDRs
CDR mailers are performed for beneficiaries who have a low probability of medical improvement. These beneficiaries are identified through profiling, which is the process in which the Office of Disability Determinations ranks all Title II and XVI recipients based on the probability of cessation. The mailer forms request information about the beneficiaries' medical improvement, recent education or training, and recent attempts to work or return to work. CDR mailers are tracked in the Office of Retirement and Disability Policy.
Beneficiaries return completed CDR mailers to the WBDOC. The WBDOC reviews the mailers for completeness and creates a data file to capture relevant information. The data file is sent to the Office of Continuing Disability Reviews Support to process using the beneficiary's mailer responses. The possible outcomes for the mailer CDRs are
deferred for a full medical review;
full medical review;
administrative closure; or
Processing Center review.
The Office of Disability Determinations updates the Disability Control File to reflect the results of the Office of Continuing Disability Reviews Support processing and completion of the CDR mailers. Only completed CDR mailers that have been deferred for a full medical review are included in the performance measure count. Refer to the following formula.
Total completed CDR mailer deferrals = Total completed CDR mailers that have been deferred for full medical review
The CDR Mailer Deferrals report produces the total deferred CDR mailers completed on a monthly basis. The year-to-date total of the completed full medical CDRs on the report is combined with the year-to-date total of the deferred CDR mailers and is recorded in the PAR.
Performance Indicator Calculations
Total fiscal year-to-date CDRs processed = Total full medical CDRs processed for the period October 1, 2006 to September 28, 2007 plus the total completed CDR mailer deferrals for the period October 1, 2006 to September 30, 2007
Findings
Internal Controls and Data Reliability
Our review of access controls revealed the following issues.
One programmer had unmonitored access to the MSSICS CICS transactions, and this access was not reviewed by SSA management.
One programmer had update access to SSIRMS datasets, and this access was not restricted or reviewed by SSA management.
Two users had excessive access to the NDDSS CICS transactions, and did not require this access to perform their job responsibilities.
Programmers had update access to NDDSS production datasets, and did not require this access to perform their job responsibilities.
The SSA ISSH states, "Access to all SSA functions associated with software or enterprise systems must be managed based on need-to-know and least privilege. This specifically includes changes/updates to software, production jobs, and supporting hardware deployments. This access control maintenance policy must be applied across the SSA enterprise." In addition, OMB Circular A-130 requires that agencies implement the practice of least privilege whereby user access is restricted to the minimum necessary to perform his or her job; and enforce a separation of duties so that steps in a critical function are divided among different individuals. It also emphasizes the importance of management controls - such as individual accountability requirements, separation of duties enforced by access controls, and limitations on the processing privileges of individuals - to prevent and detect inappropriate or unauthorized activities.
These issues, which were noted during the FY 2007 financial statement audit, could result in the accidental or inappropriate alteration of the data used to support the performance indicator. It should be noted that during the audit, SSA management began monitoring the programmers' access to the SSIRMS datasets and removed the excessive application business user and programmer access to the NDDSS application. However, because these internal control weaknesses existed during the period of review, we did not find the performance indicator data to be reliable.
RECOMMENDATION
We recommend SSA:
1. Consistently restrict access to CICS screens and datasets for ERMS, MSSICS, SSIRMS, and NDDSS based on the concept of least privilege access.
AGENCY COMMENTS
The Agency agreed with our recommendation. The Agency's comments are included in Appendix D.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Process Flowcharts
APPENDIX D - Agency Comments
Appendix A
Acronyms
Act Social Security Act
CDR Continuing Disability Review
CICS Customer Information Control System
DDS Disability Determination Services
DI Disability Insurance
DIODS Disability Operational Data Store
ERMS Earnings Record Maintenance System
FO Field Office
FY Fiscal Year
GAO Government Accountability Office
GPRA Government Performance and Results Act
IRS Internal Revenue Service
ISSH SSA Information System Security Handbook
MBR Master Beneficiary Record
MEF Master Earnings File
MSSICS Modernized Supplemental Security Income Claims System
NDDSS National Disability Determination Services System
OMB Office of Management and Budget
ORES Office of Research, Evaluation, and Statistics
OSM Office of Strategic Management
PAR Performance and Accountability Report
PEODS Post-Entitlement Operational Data Store
RZ Redetermination
SSIRMS Supplemental Security Income Records Maintenance System
SSA Social Security Administration
SSI Supplemental Security Income
SSR Supplemental Security Record
U.S.C. United States Code
WBDOC Wilkes-Barre Data Operations Center
Appendix B
Scope and Methodology
We updated our understanding of the Social Security Administration's (SSA) Government Performance and Results Act (GPRA) processes. This was completed through research and questions to SSA management. We also requested SSA to provide various documents regarding the specific programs being measured as well as the specific measurement used to assess the effectiveness and efficiency of the related program.
Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following.
Reviewed prior SSA, Office of the Inspector General and other reports related to SSA's GPRA performance and related information systems.
Reviewed applicable laws, regulations and SSA policy.
Met with the appropriate SSA personnel to confirm our understanding of the performance indicator.
Flowcharted the process. (See Appendix C.)
Tested key controls related to manual or basic computerized processes (for example, spreadsheets or databases).
Conducted and evaluated tests of the automated and manual controls within and surrounding each of the critical applications to determine whether the tested controls were adequate to provide and maintain reliable data to be used when measuring the specific indicator.
Identified attributes, rules, and assumptions for each defined data element or source document.
Recalculated the metric or algorithm of the performance indicator to ensure mathematical accuracy.
Assessed the completeness and accuracy of the data to determine the data's reliability as they pertain to the objectives of the audit and intended use of the data.
As part of this audit, we documented our understanding, as conveyed to us by Agency personnel, of the alignment of the Agency's mission, goals, objectives, processes, and related performance indicators. We analyzed how these processes interacted with related processes within SSA and the existing measurement systems. Our understanding of the Agency's mission, goals, objectives, and processes was used to determine if the performance indicator appeared to be valid and appropriate given our understanding of SSA's mission, goals, objectives and processes.
We followed all performance audit standards in accordance with generally accepted government auditing standards.
In addition to these steps, we specifically performed the following to test the indicator included in this report.
Specific to the performance indicator, "Number of SSI [Supplemental Security Income] disabled beneficiaries earning at least $100 per month"
Inspected relevant policies and procedures as necessary.
Audited the design and effectiveness of the SSA internal controls and the accuracy and completeness of the data related to the following areas.
Ensured that monthly earnings information provided by the claimant were accurately posted to the Supplemental Security Record (SSR) by reviewing 45 redetermination (RZ) cases in the field offices (FO). RZs are a review of the beneficiaries' non-medical eligibility factors (that is, income, resources and living arrangements) to ensure that they are still eligible for and are receiving the correct SSI payment. Documents, such as pay stubs, are reviewed and used to determine the beneficiaries' eligibility when applicable.
Ensured that monthly earnings information submitted by employers was complete and accurate by verifying that returned submissions were resubmitted in a timely fashion. Specifically, reviewed reports of unresolved items remaining for the current tax year and compared SSA earnings records to Internal Revenue Service earnings information.
Ensured that data extracts were complete, valid and restricted by review of programming logic and extract code, review of user access, and change control.
Completed application control reviews over the Modernized Supplemental Security Income Claims System (MSSICS), Supplemental Security Income Records Maintenance System (SSIRMS), and Earnings Record Maintenance System (ERMS).
Completed a general computer control review as it relates to MSSICS, SSIRMS and ERMS.
Re-performed key processes within test environments to verify controls.
Specific to the performance indicator, "Number of Supplemental Security Income (SSI) non-disability redeterminations processed"
Inspected relevant policies and procedures as necessary.
Audited the design and effectiveness of the SSA internal controls and the accuracy and completeness of the data related to the following areas.
Ensured that RZs were completed in accordance with SSA policy by reviewing 45 RZ cases in FOs.
Ensured that data transferred from Post-Entitlement Operational Data Store (PEODS) was complete, accurate, valid, and restricted by re-performing reconciliations of data transfer to an Oracle database.
Completed application control reviews over MSSICS, SSIRMS, and PEODS.
Completed a general computer control review as it relates to MSSICS and SSIRMS.
Re-performed key processes within test environments to verify controls.
Specific to the performance indicator, "Number of periodic CDRs [Continuing Disability Reviews] processed to determine continuing entitlement based on disability"
Inspected relevant policies and procedures as necessary.
Audited the design and effectiveness of the SSA internal controls and the accuracy
and completeness of the data related to the following areas.
Ensured that CDRs were complete and accurate by testing 45 full medical CDRs.
Checked to verify that recently completed reviews were conducted correctly and
whether the decision and completion date of the CDR was accurate on the SSR/Master
Beneficiary Record. In addition, reviewed high profile case files for
full medical review.
Observed the CDR mailer process at the Wilkes-Barre Data Operations Center.
Completed application control review over National Disability Determination
Services System and Disability Operational Data Store.
Determined the adequacy of the programming logic used by SSA to calculate the
full medical reviews processed.
Re-performed key processes to verify controls.
Appendix C
Flowchart of the Number of Supplemental Security Income (SSI) Disabled Beneficiaries
Earning at Least $100 per Month
Flowchart of Supplemental Security Income (SSI) disabled beneficiaries earning
at least $100 per month - Narrative
SSI beneficiaries provide Social Security Administration (SSA) field office
(FO) staff with earnings information. FO staff inputs the unverified earnings
information via direct input or via Modernized Supplemental Security Income
Claims Systems (MSSICS).
After receipt of the beneficiaries' earnings evidence (pay stubs for wages or
a tax return for self-employment), SSA FO staff inputs verified earnings information
into the Supplemental Security Record (SSR) via direct input or via MSSICS.
SSI Records Maintenance System (SSIRMS) processes earnings information posted
by FO staff to the beneficiaries' SSR.
The Earnings Record Maintenance System (ERMS) updates the Master Earnings File
(MEF) with earnings data from employers and the Internal Revenue Service. SSA
uses information in the MEF to determine if there are any unreported earnings
or earnings discrepancies.
The MEF interfaces with the SSR to provide SSI beneficiary earnings information
in the form of MEF alerts/diaries every 4 months (October, February and June).
SSIRMS processes earnings information to the beneficiaries' SSR.
On a quarterly basis, the Office of Research, Evaluation and Statistics (ORES)
receives the data extract from the SSR in a Characteristic Extract Record Format
from the Office of Applications and Supplemental Security Income Systems (OASSIS).
ORES formats the data extract into an Excel file using Statistical Analysis
Software.
The quarterly results are compiled in a table (referred to as Table 7) and published
annually in the SSI Disabled Recipients Who Work report by ORES.
On a quarterly basis, ORES sends the Table 7 to the performance indicator owner
in the Office of Disability Income Security Programs, Office of Program Development
and Research.
Office of Program Development and Research manually calculates the results of
the SSI beneficiaries earning at least $100 per month using an Excel spreadsheet.
Office of Program Development and Research forwards the results to Office of
Retirement and Disability Policy.
Office of Retirement and Disability Policy (the Office of the Deputy Commissioner)
reviews/approves and sends the results of the calculation to OSM.
OSM publishes the results in the Performance and Accountability Report (PAR).
Flowchart of Supplemental Security Income (SSI) Non-Disability Redeterminations
(RZ) Processed
Flowchart of SSI Non-Disability RZs Processed, continued
Flowchart of Supplemental Security Income (SSI) Non-Disability Redeterminations (RZ) Processed - Narrative
Scheduled RZs
Claims representatives at the Field Offices (FO) typically handle high-error
profile redeterminations through face-to-face or telephone interviews. However,
beginning in October 2006 a number of high error cases are also identified and
released for Wilkes-Barre Data Operations Center (WBDOC) processing. These cases
are processed in the same manner as the low and middle error cases, but using
different forms.
The updated information is input via on-line entry to the Modernized Supplemental
Security Income Claims System (MSSICS).
The Supplemental Security Record (SSR) is updated by overnight batch processing
and the information is transferred using the SSI Update System to Post-Entitlement
Operational Data Store (PEODS).
Mailers
WBDOC conducts RZs that have low and middle error profiles using computer generated
mail-out forms to be completed and returned by the beneficiaries. In addition,
beginning in October 2006 a number of high error cases are also identified and
released for WBDOC processing. These cases are processed in the same manner
as the low and middle error cases, but use Social Security Administration
(SSA) forms SSA-3988/3989-OCR rather than the SSA-8202-OCR.
Forms are manually reviewed for completeness.
Incomplete forms are followed up by WBDOC employees.
Mailers are scanned and reviewed through an exception logic process that compares
the answers on the mailer to the SSR.
The mailer record is sorted into one of five categories: automated completion,
two WBDOC actions and two FO actions.
WBDOC and FO follow up on additional actions needed to complete RZ.
If a complication develops in the case, the case is transferred to the servicing
FO.
If "no change" is indicated, a completion indicator is posted to the
SSR.
The SSR is updated by overnight batch processing and the information is transferred
using the SSI Update System to PEODS.
Unscheduled RZs
Events such as the death of an eligible spouse and the effectuation of certain
appellate decisions trigger unscheduled RZs.
FO uses form SSA-8203-BK or MSSICS to conduct the RZ similar to a scheduled
RZ.
The updated information is input via on-line entry to the MSSICS.
The SSR is updated by overnight batch processing and the information is transferred
using the SSI Update System to PEODS.
After Batch Update
Once the SSR and PEODS are updated, the cases, identified by Social Security Numbers,
are considered "complete" receipts in PEODS.
When the processing of a redetermination is done and updated by the FO in MSSICS,
a completion count is taken.
PEODS redetermination data are updated automatically once a week.
The information is processed daily in the Title XVI Datawarehouse and available
to users every Monday.
Once a month, the Division of Cost Accounting reviews the redetermination data
on reports called the RZ SDO and LI SDO Reports and sends the completion data
to the Office of Strategic Management; the data are reported at year-end in SSA's
Performance and Accountability Report.
Flowchart of the Number of Periodic Continuing Disability Reviews (CDR) Processed
to Determine Continuing Entitlement Based on Disability
Flowchart of Number of Periodic Continuing Disability Reviews (CDR) Processed to Determine Continuing Entitlement Based on Disability - Narrative
Periodic CDRs Processed
Full Medical Reviews
Field Offices (FO) forward the cases to the State disability determination services
(DDS) to perform the medical adjudication.
Once a determination is made by the DDS, the findings are input into the National
Disability Determination Services System (NDDSS) to report the outcome, either
"continuance," "cessation," or "no decision" in the
event of an administrative closure. Updates to decisions and completion dates
are posted to the Supplemental Security Record (SSR) or Master Beneficiary Record
(MBR).
The data is transferred from the NDDSS to the Disability Operational Data Store
(DIODS).
The medical CDRs are posted monthly on a State Agency Operations Report year-to-date
report, which is produced from the DIODS.
The information, available weekly but reported monthly to the Commissioner's
Tracking Report, is used to calculate the performance indicator. The total recorded
CDRs less the number of recorded cases that are work issue CDRs equals the number
of reported medical CDRs processed.
CDR Mailers
Once a scannable mailer is received by the Wilkes-Barre Data Operations Center
(WBDOC), there is a preliminary screening for completeness.
Incomplete forms are followed up by WBDOC employees.
The mailer form is both scanned by equipment using optical character recognition
and physically input/keyed to create a data file.
The data file is transmitted to National Computer Center (NCC) at the Central
Office. NCC formats and names the file that is then passed along to the Office
of Continuing Disability Reviews Support.
The Office of Continuing Disability Reviews Support processes the data through
decision-logic. The decision logic considers the beneficiary's mailer responses
together with the profile score signifying high, moderate, or low likelihood
of cessation due to medical improvement. The possible outcomes are either deferred,
full medical review, administrative closure or Processing Center review. Updates
of mailer data and determination results are input to SSR/MBR. Alerts are generated
for cases marked for a full medical review.
The Office of Disability Determinations makes the appropriate input to update
the Disability Control File to reflect the results of decision logic processing.
The Processing Center can make a determination of deferral, full medical review,
or administrative closure.
The Office of Continuing Disability Reviews Support CDR Tracking file queries
the Disability Control File for Processing Center Review deferrals.
The Office of Continuing Disability Reviews Support CDR Tracking File is updated
with deferral mailer data.
The performance indicator data is pulled monthly from the Office of Continuing
Disability Reviews Support CDR Tracking Files using a FOCEXEC program.
CDR Mailer Deferral Report (table) is created.
The sections of the report are totaled on an Excel spreadsheet and reported
to Office of Strategic Management monthly for the performance measure calculation.
Appendix D
Agency Comments
SOCIAL SECURITY
MEMORANDUM
Date: April 30, 2008
To: Patrick P. O'Carroll, Jr.
Inspector General
From: David V. Foster
Chief of Staff
Subject: Office of the Inspector General (OIG) Draft Report, "Performance Indicator Audit: Postentitlement Actions" (A-15-07-17130)-INFORMATION
We appreciate OIG's efforts in conducting this review. Our response to the recommendation is attached.
Please let me know if we can be of further assistance. Staff inquiries may
be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff,
at (410) 965-4636.
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S DRAFT REPORT, "PERFORMANCE
INDICATOR AUDIT: POSTENTITLEMENT ACTIONS" (A-15-07-17130)
Thank you for the opportunity to review and provide comments on this draft report.
Recommendation 1
Consistently restrict access to the Customer Information Control System screens and datasets for the Earnings Records Maintenance System, Modernized Supplemental Security Income Claims System, Supplemental Security Income Records Maintenance System, and National Disability Determination Services System based on the concept of least privilege access.
Comment
We agree. As the report notes, we have implemented corrective actions as these deficiencies emerged. We continue to believe the security over our critical high-risk systems is very strong.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit
(OA), Office of Investigations (OI), Office of the Chief Counsel to the Inspector
General (OCCIG), Office of External Relations (OER), and Office of Technology
and Resource Management (OTRM). To ensure compliance with policies and procedures,
internal controls, and professional standards, the OIG also has a comprehensive
Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration's
(SSA) programs and operations and makes recommendations to ensure program objectives
are achieved effectively and efficiently. Financial audits assess whether SSA's
financial statements fairly present SSA's financial position, results of operations,
and cash flow. Performance audits review the economy, efficiency, and effectiveness
of SSA's programs and operations. OA also conducts short-term management reviews
and program evaluations on issues of concern to SSA, Congress, and the general
public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement
in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries,
contractors, third parties, or SSA employees performing their official duties.
This office serves as liaison to the Department of Justice on all matters relating
to the investigation of SSA programs and personnel. OI also conducts joint investigations
with other Federal, State, and local law enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Also, OCCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal
advisor on news releases and in providing information to the various news reporting
services. OER develops OIG's media and public information policies, directs
OIG's external and public affairs programs, and serves as the primary contact
for those seeking information about OIG. OER prepares OIG publications, speeches,
and presentations to internal and external organizations, and responds to Congressional
correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security.
OTRM also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OTRM is the focal point for OIG's strategic
planning function, and the development and monitoring of performance measures.
In addition, OTRM receives and assigns for action allegations of criminal and
administrative violations of Social Security laws, identifies fugitives receiving
benefit payments from SSA, and provides technological assistance to investigations.