MEMORANDUM

Date: April 23, 2008

To: The Commissioner

From: Inspector General

Subject: Assessing the Application Controls for the Social Security Administration's Modernized Claims System and National Disability Determination Services System (A-15-07-17155)

OBJECTIVE

We contracted with PricewaterhouseCoopers, LLP (PwC) to complete full-scope audits of the Social Security Administration's (SSA) National Disability Determination Services System and Modernized Claims System in conjunction with the Government Performance and Results Act. Attached is the final report presenting the results of PwC's review. For the applications included in this audit, PwC's objectives were to:

Assess the effectiveness of internal controls, both automated and manual, and test key controls over access controls, data input, data processing, data rejection, and data output as they relate to the performance indicators.

Assess the overall reliability of the applications' computer-processed data as they relate to the performance indicators. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

ASSESSING THE APPLICATION CONTROLS FOR
THE SOCIAL SECURITY ADMINISTRATION'S
MODERNIZED CLAIMS SYSTEM AND
NATIONAL DISABILITY DETERMINATION
SERVICES SYSTEM

April 2008

A-15-07-17155

AUDIT REPORT


Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: March 31, 2008

To: Inspector General

From: PricewaterhouseCoopers, LLP

Subject: Assessing the Application Controls for the Social Security Administration's Modernized Claims System and National Disability Determination Services System (A-15-07-17155)

OBJECTIVE

The Government Performance and Results Act of 1993 (GPRA) requires that the Social Security Administration (SSA) develop performance indicators that assess the relevant service levels and outcomes of each program activity. GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance. The majority of data used in the calculation and measurement of performance indicators are generated from applications that support the Agency's mission and objectives. Therefore, application control reviews are essential in determining the completeness, accuracy, and validity of data.

Our audit was conducted in accordance with generally accepted government auditing standards for performance audits. For the applications included in this audit, our objectives were to:
Assess the effectiveness of internal controls, both automated and manual, and test key controls over access controls, data input, data processing, data rejection, and data output as they relate to the performance indicators.
Assess the overall reliability of the applications' computer-processed data as they relate to performance indicators. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.

BACKGROUND

We audited the following applications as they related to specific performance indicators audited during FY 2007.

Application: Modernized Claims System (MCS)
Related Performance Indicators:
o Disability Determination Services (DDS) net accuracy rate (allowances and denials combined)
o Maintain the number of initial disability claims pending in the Disability Determination Services (DDS) (at/below the FY 2007 goal)

Application: National Disability Determination Services System (NDDSS)
Related Performance Indicators:
o Number of SSI [Supplemental Security Income] disabled beneficiaries earning at least $100 per month
o Number of Supplemental Security Income (SSI) non-disability redeterminations processed

SSA administers the Old-Age and Survivors Insurance (OASI), Disability Insurance (DI), and SSI programs. The OASI program, authorized by Title II of the Social Security Act, provides income for eligible workers and eligible members of their families and survivors. The DI program, also authorized by Title II of the Social Security Act, provides income for eligible workers with qualifying disabilities and eligible members of their families, before those workers reach retirement age. The SSI program, authorized by Title XVI of the Social Security Act, was designed as a needs-based program to provide or supplement the income of aged, blind, and/or disabled individuals with limited income and resources.

SSA systems play a key role in the creation, collection, and reporting of performance indicator data for the Title II and Title XVI programs. MCS and NDDSS are two of these systems. MCS is the front-end data processing system for OASDI used to determine a claimant's eligibility, compute a monthly benefit amount, and establish a master record for beneficiaries who file under Title II. It provides the initial transactional Title II data used in the indicators, "Disability Determination Services (DDS) net accuracy rate (allowances and denials combined)" and "Maintain the number of initial disability claims pending in the Disability Determination Services (DDS) (at/below the FY 2007 goal)." NDDSS is the data processing system that tracks receipt, development, and clearance decisions of disability claims, both DI and SSI, and passes these data to the DI and SSI systems. It provides the initial transactional data for the indicators, "Number of SSI disabled beneficiaries earning at least $100 per month" and "Number of Supplemental Security Income (SSI) non-disability redeterminations processed."

RESULTS OF REVIEW

Our assessment identified issues with internal controls and data reliability for both applications reviewed in this report. Specifically, we noted weaknesses in the operating effectiveness of access controls related to application transactions. For NDDSS, we also noted programmers had update access to production datasets. As a result of these internal control weaknesses, we did not find the performance indicator data to be reliable.

Modernized Claims System

Application Background

To determine eligibility, a claimant must file a claim with SSA. The individual submits a claim at 1 of approximately 1,300 field offices (FO) or via the Internet. FO staff interview the claimant and provide assistance with the completion of necessary applications. Initial interviews are conducted in person or through telephone calls to obtain necessary information, such as income, resources, and work history. In addition, basic medical information concerning the disability, medical treatments, and identification of treating sources is also obtained. This information may also be supplied via the Internet. The FO staff inputs the application data into MCS.

MCS has built-in edits and controls to reduce the risk of incorrect data entry. These include, but are not limited to, the following.

Surface edits send an error message on-screen if a field is not the required length, a mandatory field is not completed, data are repeated in a field, or nonmatching types of data are entered.
Relationship edit checks validate data entered by the FO staff on one screen with data entered on that screen (intrascreen edit) and all other input screens (interscreen edit).
A file to screen edit checks to ensure that data entered and transmitted agree with information contained in other SSA databases.
Adjudicative edits occur when data on the screen do not agree with the adjudicative rules for documentation and entitlement factors programmed into MCS.

If the applicant is filing a claim that involves disability, the applicant signs a medical authorization release form. The FO staff mails these forms and medical evidence to the DDS for medical determination. MCS electronically sends the applicants' data to NDDSS. The DDS will review the medical evidence, make a disability determination, and record the disability determination in the system, NDDSS, which will electronically send the results to MCS.

Finally, MCS computes the monthly benefit payable based on the initial claim or the post-entitlement event. It will also create a Master Beneficiary Record (MBR), which summarizes each beneficiary's Title II claims.

Findings

Internal Controls and Data Reliability

Our review of access controls noted that two users had excessive access to Customer Information Control System (CICS) screen SC17 (Earnings) within the MCS and did not require this access to perform their jobs. CICS is a transaction processing system designed for both on-line and batch activity. SSA management did not appropriately restrict access to these transactions. The SSA Information System Security Handbook (ISSH) states, "Access to all SSA functions associated with software or enterprise systems must be managed based on need-to-know and least privilege. This specifically includes changes/updates to software, production jobs, and supporting hardware deployments. This access control maintenance policy must be applied across the SSA enterprise." In addition, Office of Management and Budget (OMB) Circular A-130 requires that agencies implement the practice of least privilege, whereby user access is restricted to the minimum necessary to perform his or her job, and enforce a separation of duties so steps in a critical function are divided among different individuals. It also emphasizes the importance of management controls - such as individual accountability requirements, separation of duties enforced by access controls, and limitations on the processing privileges of individuals - to prevent and detect inappropriate or unauthorized activities.

This issue was noted during the FY 2007 financial statement audit. Also, during the audit timeframe, SSA management removed the excessive application business user access to the MCS application. However, because this internal control weakness existed during the period of review, we did not find the performance indicator data to be reliable.

National Disability Determination Services System

Application Background

If a disability claimant satisfies all of the non-medical criteria, the case is referred to a State DDS to determine whether the claimant satisfies the medical criteria. Information regarding the disability claim is then entered into NDDSS. The following list summarizes some of the more important functions that NDDSS provides for the DDS offices and SSA.

Track the receipt, development, and clearance decisions of disability claims by the DDS offices. SSA uses this tracking information to assess the timeliness of the decisionmaking process by each DDS. SSA also uses the decisional data as the basis for several quality control and assessment activities.
Pass disability decisional updates for Title II and XVI claims to the respective payment systems. Once received from NDDSS, the respective system will then schedule the corresponding benefit payment for disbursement to the claimant.
Provide automated Federal sample and targeted profile selections of disability claims. The decisional data stored within NDDSS forms the basis for several quality assurance studies, such as pre-effectuation reviews, Quality Assurance reviews, and continuing disability reviews. Each one of these reviews is deemed by SSA to serve as a key monitoring activity to ensure the appropriate benefit payment to the corresponding claimants.
Provide management information to the Disability Operational Datastore, which SSA then uses to measure operational effectiveness across a number of attributes, such as DDS disability decision accuracy.

Findings

Internal Controls and Data Reliability

Our review of access controls revealed the following exceptions.

Two users had excessive access to the NDDSS CICS transactions and did not require this access to perform their job responsibilities.

Programmers had update access to NDDSS production datasets and did not require this access to perform their job responsibilities.

The SSA ISSH states, "Access to all SSA functions associated with software or enterprise systems must be managed based on need-to-know and least privilege. This specifically includes changes/updates to software, production jobs, and supporting hardware deployments. This access control maintenance policy must be applied across the SSA enterprise." In addition, OMB Circular A-130 requires that agencies implement the practice of least privilege, whereby user access is restricted to the minimum necessary to perform his or her job, and enforce a separation of duties so steps in a critical function are divided among different individuals. It also emphasizes the importance of management controls - such as individual accountability requirements, separation of duties enforced by access controls, and limitations on the processing privileges of individuals - to prevent and detect inappropriate or unauthorized activities.

These issues were noted during the FY 2007 financial statement audit. Also, during the audit timeframe, SSA management removed the excessive application business user and programmer access to the NDDSS application. However, because this internal control weakness existed during the period of review, we did not find the performance indicator data to be reliable.
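The two exceptions above are both failures of a need-to-know check: an entitlement that the holder's role does not require, and a programmer holding UPDATE on a production dataset. The script below is an added illustration of how such an entitlement review can be run as a computer-assisted audit test; it is not SSA's or PwC's code. SSA's actual role definitions, screen and dataset names are not on the page, so apart from the SC17 screen the roles, users and resource names are constructed sample values.

```python
"""Least-privilege entitlement review over constructed sample data.

Compares each user's CICS transaction and dataset access against what
the user's job role needs, and separately flags programmers who hold
UPDATE access to production datasets (separation of duties).
Roles, users and resource names are hypothetical, except SC17, the MCS
Earnings screen named in the report.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    kind: str      # "cics" (transaction screen) or "dataset"
    resource: str  # screen id or dataset name
    access: str    # "READ" or "UPDATE"


# Need-to-know matrix: (kind, resource, access) tuples each role requires.
# Constructed for illustration; a real review derives this from job descriptions.
ROLE_NEEDS = {
    "claims_rep": {("cics", "SC17", "UPDATE"), ("cics", "SC01", "UPDATE")},
    "benefit_auth": {("cics", "SC01", "READ")},
    "programmer": {("dataset", "TEST.NDDSS.MASTER", "UPDATE"),
                   ("dataset", "PROD.NDDSS.MASTER", "READ")},
}

PROD_PREFIX = "PROD."  # hypothetical naming convention for production datasets


def is_prod_dataset(e: Entitlement) -> bool:
    return e.kind == "dataset" and e.resource.startswith(PROD_PREFIX)


def review_access(entitlements, role_needs=ROLE_NEEDS):
    """Return exceptions as (user, reason, resource) tuples, in input order."""
    exceptions = []
    for e in entitlements:
        # Separation of duties: programmers never update production data,
        # regardless of what the need-to-know matrix says.
        if e.role == "programmer" and is_prod_dataset(e) and e.access == "UPDATE":
            exceptions.append((e.user, "programmer_update_prod", e.resource))
            continue
        # Least privilege: the grant must be covered by the role's needs.
        # A READ grant is also covered when the role needs UPDATE on that resource.
        allowed = role_needs.get(e.role, set())  # unknown role -> nothing allowed
        covered = (e.kind, e.resource, e.access) in allowed or (
            e.access == "READ" and (e.kind, e.resource, "UPDATE") in allowed)
        if not covered:
            exceptions.append((e.user, "not_needed_by_role", e.resource))
    return exceptions


def summarize(exceptions):
    """Count exceptions by reason, for the findings write-up."""
    return dict(Counter(reason for _, reason, _ in exceptions))


# Constructed sample extract of an access listing.
SAMPLE = [
    Entitlement("alice", "claims_rep", "cics", "SC17", "UPDATE"),
    Entitlement("bob", "benefit_auth", "cics", "SC17", "UPDATE"),   # not needed
    Entitlement("carol", "benefit_auth", "cics", "SC01", "READ"),
    Entitlement("dave", "programmer", "dataset", "PROD.NDDSS.MASTER", "UPDATE"),  # SoD
    Entitlement("dave", "programmer", "dataset", "TEST.NDDSS.MASTER", "UPDATE"),
    Entitlement("erin", "programmer", "dataset", "PROD.NDDSS.MASTER", "READ"),
]

if __name__ == "__main__":
    for user, reason, resource in review_access(SAMPLE):
        print(f"{user}: {reason} on {resource}")
    print(summarize(review_access(SAMPLE)))
```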

CONCLUSION AND RECOMMENDATION

We recommend SSA:

1. Consistently restrict access to CICS screens and datasets for MCS and NDDSS based on the concept of least privilege access.

AGENCY COMMENTS

The Agency agreed with our recommendation. The Agency's comments are included in Appendix D.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Process Flowcharts
APPENDIX D - Agency Comments

Appendix A
Acronyms
CICS Customer Information Control System
DDS Disability Determination Services
DI Disability Insurance
FO(s) Field Office(s)
FY Fiscal Year
GAO Government Accountability Office
GPRA Government Performance and Results Act of 1993
IDMS Integrated Disability Management System
ISSH SSA Information System Security Handbook
MBR Master Beneficiary Record
MCS Modernized Claims System
MSSICS Modernized Supplemental Security Income Claims System
NDDSS National Disability Determination Services System
OASI Old-Age and Survivors Insurance
OIG Office of the Inspector General
OMB Office of Management and Budget
PAR Performance and Accountability Report
PwC PricewaterhouseCoopers
SSA Social Security Administration
SSI Supplemental Security Income
U.S.C. United States Code

Appendix B
Scope and Methodology
We updated our understanding of the Social Security Administration's (SSA) Government Performance and Results Act processes and relevant applications. This was completed through research and questions to SSA management.

Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following.

Reviewed applicable laws, regulations and SSA policy.
Assessed the effectiveness of internal controls, both automated and manual, and tested key controls over access controls, data input, data processing, data rejection, and data output as they related to the performance indicators.
Assessed the overall reliability of the applications' computer-processed data as they relate to the performance indicators. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.
We followed all performance audit standards in accordance with generally accepted government auditing standards. In addition to these steps, we specifically performed the following to test the applications in this report.

Inquired of personnel regarding application(s) that Modernized Claims System (MCS) and National Disability Determination Services System (NDDSS) interfaced with to report performance indicator results.
Completed an application controls review of MCS.
o Inspected a selection of users to determine whether their access to MCS transactions and datasets was appropriate.
o Performed Computer Assisted Audit Tests over MCS data to determine whether programmed edits and validations were operating as intended.
o Inspected a selection of sysouts to determine whether the data processed completely.
o Inspected a selection of disability records to determine whether the disability decision was accurately transferred from NDDSS to MCS.
Completed an application controls review of NDDSS.
o Inspected a selection of users to determine whether their access to NDDSS transactions and datasets was appropriate.
o Inspected a selection of sysouts to determine whether the data processed completely.
o Inspected the interface records from NDDSS to the application Disability Operational Data Store.
Inquired, inspected, and observed the key controls over the general control environment, specifically Entity-wide Security, Access Controls, Change Control, System Software, and Service Continuity for MCS and NDDSS.

We assessed the computer-processed data reliability as it relates to the performance indicators in accordance with GAO guidance. We determined that the performance indicator data, which are processed through the MCS and NDDSS applications, in this report are not sufficiently reliable given the audit objective and intended use of the performance indicator data. We base this determination on the internal control testing over the access controls, as previously discussed in this report. Because the use of these performance data could lead to an incorrect or unintentional message, we completed testing to determine whether a selection of users had appropriate access to transactions and datasets specific to MCS and NDDSS to provide support for our findings. Please see the MCS and NDDSS Findings sections on pages 4 and 5 of this report for further discussion and recommendations regarding the reliability of the performance indicator data.

Appendix C

Title II and Title XVI Process Including Modernized Claims System and National Disability Determination Services System - Flowchart

Title II and Title XVI Process Including Modernized Claims System and National Disability Determination Services System - Narrative

Claims are submitted at SSA field offices or via the Intranet.
Field office staff will conduct an interview with the claimant and provide assistance in completion of necessary applications. The field office staff will input application data into Modernized Claims System (MCS) for Disability Insurance (DI), Title II, and the Modernized Supplemental Security Income (SSI) Claims System (MSSICS) for SSI, Title XVI.
The transfer transactions trigger the writing of the claim records to the Traffic file.
MCS, MSSICS, and the Integrated Disability Management System (IDMS) (claims regarding continuing disability) records are input into a batch job named TRINDP.
TRINDP is run nightly processing files from MCS, MSSICS and IDMS.
This creates two Virtual Storage Access Method files: the 831 Download and INDP. The 831 Download file is used by States running Versa and Levy and by Nebraska to receipt claims. The INDP file is used by States running the Modernized Interim Disability Adjudication System and by New York.
This file is used to create the prelim, which is an abbreviated version of the claim record on the NDDSS Master.
The Disability Determination Services (DDS) receipts the claim into the NDDSS; the prelim is converted to an active claim record.
Legacy system receipt functions correlate directly to the NDDSS Receipt screen.
Claim receipt, update, and closure transaction information is written real time to the Traffic File in two formats: the 4648 (Data Transmission file) or the DDS Image file.
A function called TRSPLIT extracts NDDSS records from the Traffic file, according to record types. During TRSPLIT the following occurs:
o 4648 records update the backend systems of MCS, MSSICS, and IDMS with the claim receipt, update, and closure information.
o DDS Image records are transmitted to the Disability Operational Data Store.
Extractions from the NDDSS Master are provided for two batch processes called DADSREPS and DAFOCUS.
DADSREPS is a daily batch process that produces the Management Information Reports for States that elect to receive the reports, the Closed Claim Records for the Office of Disability, and the 831 Sample File. Two sample files are created from the 831: one for the Office of Quality Performance (the records provided are those meeting the random and targeted sample criteria) and one for the Disability Hearing Office (random sample information provided to the Federal Disability Determination Service).
DAFOCUS is a weekly batch process that extracts closed and pending claims from the NDDSS master. The extract provides a mirror image of all claims in the form of two files, Closed and Pending.
Files transmitted from these batch jobs are available for States, the Office of Disability Systems, the Office of Quality Performance, Federal Disability Determination Service, and Regional Offices.

Appendix D
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date: March 31, 2008

To: Patrick P. O'Carroll, Jr.
Inspector General

From: David V. Foster
Chief of Staff

Subject: Office of the Inspector General (OIG) Draft Report, "Assessing the Application Controls for the Social Security Administration's Modernized Claims System and National Disability Determination Services System" (A-15-07-17155)-INFORMATION

We appreciate OIG's efforts in conducting this review. Our comment on the recommendation is attached.

Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "ASSESSING THE APPLICATION CONTROLS FOR THE SOCIAL SECURITY ADMINISTRATION'S MODERNIZED CLAIMS SYSTEM AND NATIONAL DISABILITY DETERMINATION SERVICES SYSTEM" (A-15-07-17155)

Thank you for the opportunity to review and provide comments on this draft report.

Recommendation

Consistently restrict access to the Customer Information Control System (CICS) screens and datasets for the Modernized Claims System (MCS) and the National Disability Determination Services System (NDDSS) based on the concept of least privilege access.

Comment

We agree. We will consistently restrict access to CICS screens and datasets for MCS and NDDSS based on the concept of least privileged access. We believe the value of the data in these systems should be complete, accurate, and not subject to inappropriate alterations.

We will continue to educate staff on the merits of restricting the access of Disability Determination Services (DDS) employees to our systems. We will make sure employees understand that the best means of restricting systems access is to assign DDS employees security profiles that adhere to our System Access Policy principles of least privilege and need to know basis. We will issue instructions regarding the security profiles available for assignment to DDS personnel. We will also seek input on ways to better communicate information on DDS security profiles and proper assignment. This effort will help us to achieve consistency in restricting access to our systems. We plan to complete these actions by March 31, 2008.

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Resource Management (ORM). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Resource Management
ORM supports OIG by providing information resource management and systems security. ORM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, ORM is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.