OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
Fiscal Year 2009
Financial Statement Audit
November 2009
A-15-09-19124
AUDIT REPORT
November 9, 2009
The Honorable Michael J. Astrue
Commissioner
This letter transmits the Independent Auditor’s Report on the audit of the Social Security Administration’s (SSA) Fiscal Year (FY) 2009 financial statements. The Report includes the Office of the Inspector General’s (OIG) Opinion on the Financial Statements, Report on Management's Assertion About the Effectiveness of Internal Control, and Report on Compliance and Other Matters.
Objective of a Financial Statement Audit
The objective of a financial statement audit is to determine whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management as well as evaluating the overall financial statement presentation.
The OIG’s audit was conducted in accordance with auditing standards generally accepted in the United States; Government Auditing Standards issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. The audit included obtaining an understanding of the internal control, testing and evaluating the design and operating effectiveness of the internal control, and performing such other procedures as considered necessary under the circumstances. Because of inherent limitations in any internal control, misstatements because of error or fraud may occur and not be detected. The risk of fraud is inherent to many of SSA’s programs and operations, especially within the Supplemental Security Income program. In our opinion, individuals outside the organization perpetrate most of the fraud against SSA.
Audit of Financial Statements, Effectiveness of Internal Control, and Compliance with Laws and Regulations
The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576), as amended, requires that SSA's Inspector General (IG) or an independent external auditor, as determined by the IG, audit SSA's financial statements in accordance with applicable standards. For comparative purposes, under a contract monitored by the OIG, PricewaterhouseCoopers LLP (PwC), an independent certified public accounting firm, audited SSA’s FY 2008 statements and issued an unqualified opinion on those statements. The OIG audited SSA’s FY 2009 financial statements and issued an unqualified opinion on those financial statements. The OIG also reported that SSA's assertion that its internal control over financial reporting was operating effectively as of September 30, 2009 was fairly stated, in all material respects, based on criteria established under OMB Circular A-123, Management’s Responsibility for Internal Control.
The OIG did identify a significant deficiency related to protecting information. In general, SSA needs to establish and implement a policy to periodically reassess the content of security access rights to ensure that employees and contractors are given least privilege access to perform their job.
The OIG identified no reportable instances of noncompliance with the laws, regulations, or other matters tested.
/s/
Patrick P. O’Carroll, Jr.
Inspector General
Enclosure
OFFICE OF THE INSPECTOR GENERAL
INDEPENDENT AUDITOR’S REPORT
November 9, 2009
The Honorable Michael J. Astrue
Commissioner
In accordance with the Chief Financial Officers (CFO) Act of 1990 (Public Law 101-576), as amended, we are responsible for conducting the financial statement audit of the Social Security Administration (SSA). In our audit of SSA for Fiscal Year 2009, we found the following.
• The consolidated balance sheets of SSA as of September 30, 2009 and 2008 and the related consolidated statements of net cost and of changes in net position and the combined statements of budgetary resources for the years then ended and the statement of social insurance as of January 1, 2009, 2008, 2007, and 2006 are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America.
• Management fairly stated that SSA’s internal control over financial reporting was operating effectively as of September 30, 2009.
• SSA’s financial management systems substantially complied with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA).
• No reportable instances of noncompliance with laws, regulations, or other matters tested.
The following sections discuss in more detail (1) these conclusions; (2) our conclusions on Management’s Discussion and Analysis and other supplementary information; (3) our audit objectives, scope, and methodology; and (4) Agency comments and our evaluation.
OPINION ON FINANCIAL STATEMENTS
We have audited the accompanying consolidated balance sheets of SSA as of September 30, 2009, and the related consolidated statements of net cost and of changes in net position, and the combined statement of budgetary resources for the year then ended and the statement of social insurance as of January 1, 2009. These financial statements are the responsibility of SSA’s management. Our responsibility is to express an opinion on these financial statements based on our audits.
The consolidated balance sheets of SSA as of September 30, 2008, and the related consolidated statements of net cost and of changes in net position, and the combined budgetary resources for the year ended, and the statement of social insurance as of January 1, 2008, 2007, and 2006 were audited by other auditors whose report dated November 7, 2008 expressed an unqualified opinion on those statements. Their report thereon has been furnished to us, and our opinion expressed herein, insofar as it relates to the amounts as of and for the year ended September 30, 2008, is based solely on the report of the other auditors.
We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements.
An audit also includes assessing the accounting principles used and significant estimates made by management as well as evaluating the overall financial statement presentation. We believe that our audit and the report of other auditors provide a reasonable basis for our opinion.
In our opinion, based on our audit and the prior year audit reports of other auditors, the financial statements referred to above and appearing on pages 92 through 123 of this Performance and Accountability Report (PAR), present fairly, in all material respects, the financial position of SSA as of September 30, 2009 and 2008, and its net cost of operations, changes in net position, budgetary resources for the years then ended, and the financial condition of its social insurance program as of January 1, 2009, January 1, 2008, January 1, 2007, and January 1, 2006, in conformity with accounting principles generally accepted in the United States of America.
Our audit was conducted for the purpose of forming an opinion on the financial statements of SSA taken as a whole. The additional information presented on the statement of social insurance as of January 1, 2009, January 1, 2008, January 1, 2007, and January 1, 2006 is not a required part of the financial statements and is presented for purposes of additional analysis. Such information has been subjected to the auditing procedures applied in the audit of the financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and combined financial statements taken as a whole.
As discussed in Note 17 to the financial statements, the statements of social insurance present the actuarial present value of SSA’s estimated future income to be received from, or on behalf of, the participants and estimated future expenditures to be paid to, or on behalf of, participants during a projection period sufficient to illustrate long-term sustainability of the social insurance program. In preparing the statements of social insurance, management considers and selects assumptions and data that it believes provide a reasonable basis for the assertions in the statements. However, because of the large number of factors that affect the statements of social insurance and the fact that future events and circumstances cannot be known with certainty, there will be differences between the estimates in the statements of social insurance and the actual results, and those differences may be material.
REPORT ON MANAGEMENT’S ASSERTION ABOUT THE EFFECTIVENESS OF INTERNAL CONTROL
We have also examined management’s assertion, included in the accompanying Federal Managers’ Financial Integrity Act (FMFIA) Assurance Statement on page 41 of this PAR that SSA’s internal control over financial reporting was operating effectively as of September 30, 2009 based on criteria established under OMB Circular A-123, Management's Responsibility for Internal Control. We did not test all internal controls relevant to the operating objectives broadly defined by the Federal Managers’ Financial Integrity Act of 1982, such as those controls relevant to preparing statistical reports and ensuring efficient operations. SSA’s management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on management’s assertion based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA); the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04 and, accordingly, included obtaining an understanding of the internal control, testing and evaluating the design and operating effectiveness of the internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected. Also, projections of any evaluation of the internal control to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
In our opinion, management’s assertion that SSA’s internal control over financial reporting was operating effectively as of September 30, 2009, is fairly stated, in all material respects, based on criteria established under OMB Circular A-123.
However, our work identified the need to improve certain internal controls, as described below and in a separate, limited-distribution management letter. As defined by OMB Bulletin No. 07-04 (updated via M-08-24), a significant deficiency is a deficiency in internal control, or a combination of deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in a more than remote likelihood that a material misstatement of the financial statements will not be prevented or detected. This material weakness definition aligns with the same material weakness definition used by management to prepare the Agency’s FMFIA assurance statement. This deficiency in internal control, although not considered to be a material weakness, represents a significant deficiency.
Significant Deficiency
SSA Needs to Further Strengthen Controls to Protect Its Information
Since FY 2005, the Agency has made significant progress in identifying and establishing a baseline for security access or "profiles" to its financially significant mainframe applications, security administration tools, and operating systems. However, we note the need for continued progress regarding the process to periodically re-certify this security access. Testing disclosed that a policy and procedure had not been established and consistently implemented across the Agency to periodically reassess the content of security access to ensure that employees and contractors are given least privilege access to perform their job responsibilities. During the audit, SSA management was unable to consistently provide documented evidence that security accesses were reviewed by management to determine that the system datasets, transactions, and resources for mainframe hosted applications, including financially significant systems and related tools, were in line with the concept of least privilege.
Specific disclosure of detailed information about these exposures might further compromise controls and is therefore not provided within this report. Rather, the specific details of weaknesses noted are presented in a separate, limited-distribution management letter.
The need for a strong security program to address threats to the security and integrity of SSA operations grows and transforms as the Agency continues to progress with plans to increase dependence on the Internet and Web-based applications to serve the American public. Clear, continued, and measurable progress has been made toward the establishment of a strong overall security program. However, to more fully protect SSA from risks associated with the loss of data, loss of other resources, or compromised privacy of information associated with SSA’s enumeration, earnings, retirement, and disability processes and programs, SSA management must further strengthen its security program. Specifically, further progress is needed in the area of access assignments to application systems data and programs by SSA personnel, including the continual review of systems access via the periodic review of the content of profiles.
Recommendations
We recommend that SSA management implement a policy that requires a periodic review of the content of the Agency's profiles. The scope of the policy should include profiles that are Agencywide and those locally owned by divisions and/or components. The process should allow for and enforce a consistent approach for review and should require auditable artifacts to evidence the completion of these reviews. More specific recommendations focused on the individual exposures we identified are included in a separate, limited-distribution management letter.
We noted other matters involving the internal control and its operation that we will communicate in a separate letter.
REPORT ON COMPLIANCE AND OTHER MATTERS
SSA management is responsible for compliance with laws and regulations. As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we performed tests of the compliance with laws and regulations including laws governing the use of budgetary authority, Government-wide policies and laws identified in Appendix E of OMB Bulletin No. 07-04 and other laws and regulations, noncompliance with which could have a direct and material effect on the financial statements. Under FFMIA, we are required to report whether SSA’s financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal accounting standards, and the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA, section 803(a), requirements.
We did not test compliance with all laws and regulations applicable to SSA. We limited our tests of compliance to the provisions of laws and regulations cited in the preceding paragraph of this report. Providing an opinion on compliance with those provisions was not an objective of our audit and, accordingly, we do not express such an opinion.
The results of our tests of compliance disclosed no instances of noncompliance with laws and regulations or other matters that are required to be reported by Government Auditing Standards or OMB Bulletin No. 07-04 and no instances of substantial noncompliance that are required to be reported under FFMIA.
CONSISTENCY OF OTHER INFORMATION
The Management’s Discussion and Analysis (MD&A) included on pages 5 through 44, and Required Supplementary Information (RSI) included on pages 1 and 124 through 144 of this PAR are not a required part of the financial statements but are supplementary information required by the Federal Accounting Standards Advisory Board and OMB Circular No. A-136, Financial Reporting Requirements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the MD&A and RSI. We compared this information for consistency with the financial statements and discussed the methods of measurement and presentation with SSA officials. On the basis of this limited work, we found no material inconsistencies with the financial statements, U.S. generally accepted accounting principles, or OMB guidance. However, we did not audit the information and express no opinion on it.
Our audit was conducted for the purpose of forming an opinion on the financial statements of SSA taken as a whole. The Schedule of Budgetary Resources, included on page 128 of this PAR, is not a required part of the financial statements but is supplementary information required by OMB Circular No. A-136, Financial Reporting Requirements. This information and the consolidating and combining information included on pages 124 to 127 of this PAR are presented for purposes of additional analysis and are not a required part of the financial statements. Such information has been subjected to the auditing procedures applied in the audit of the financial statements and, in our opinion, is fairly stated in all material respects in relation to the financial statements taken as a whole.
The other accompanying information included on pages 2 through 4, 44 through 91, 145, 146, and 155 to the end of this PAR, is presented for purposes of additional analysis and is not a required part of the financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on it.
***********************
This report is intended solely for the information and use of management and the Inspector General of SSA, OMB, the Government Accountability Office, and Congress and is not intended to be and should not be used by anyone other than these specified parties. However, this report is a matter of public record, and its distribution is not limited.
/s/
Steven L. Schaeffer, C.P.A.
Assistant Inspector General for Audit