Date: November 10, 2004

To: The Commissioner

From: Acting Inspector General

Subject: Top Issues Facing Social Security Administration Management-Fiscal Year 2005

The Reports Consolidation Act of 2000 requires that we summarize for inclusion in the Social Security Administration's (SSA) Performance and Accountability Report, our perspective on the most serious management and performance challenges facing SSA. The top management issues facing SSA in Fiscal Year 2005, as determined by the Office of the Inspector General, are: Social Security Number Protection, Management of the Disability Process, Improper Payments, Internal Control Environment and Performance Measures, Critical Infrastructure Protection and Systems Security, and Service Delivery.
These areas are dynamic, so we encourage continuous feedback and additional areas to evaluate. Our summary of SSA's progress in addressing these management issues will be included in the Fiscal Year 2005 Performance and Accountability Report.

If you have any questions or need additional information, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

The Reports Consolidation Act of 20001 requires that we summarize, for inclusion in the Social Security Administration's (SSA) Performance and Accountability Report, our perspective on the most serious management and performance challenges facing SSA. Since 1997, we have provided our perspective on these management challenges to Congress, SSA and other key decisionmakers. In developing this year's list, we considered
the four initiatives the Commissioner has identified as priorities: Service, Stewardship, Solvency, and Staff;
the most significant issues as outlined in the President's Management Agenda (PMA);
SSA's progress in responding to the Office of Management and Budget's (OMB) Scorecard;
the Inspector General's Strategic Plan;
the high-risk list prepared by the Government Accountability Office (GAO); and
our body of audit and investigative work.
Finally, we prepared a crosswalk to ensure there was no disconnect or gap among those reviewing SSA's programs and operations.

The SSN is the single most widely used identifier for Federal and State governments, as well as the private sector.
In FY 2003, SSA issued over 17.6 million original and replacement Social Security number (SSN) cards, and SSA received approximately $533 billion in employment taxes related to earnings under assigned SSNs. Protecting the SSN and properly posting the wages reported under SSNs are critical to ensuring eligible individuals receive the full benefits due them.

Efforts to Protect the SSN
The SSN has become a key to social, legal, and financial assimilation in this country. Because the SSN is so heavily relied on as an identifier, it is also valuable as an illegal commodity. Criminals improperly obtain SSNs by
(1) presenting false documentation;
(2) stealing another person's SSN;
(3) purchasing an SSN on the black market;
(4) using the SSN of a deceased individual; or
(5) creating a nine-digit number out of thin air.

To ensure SSN integrity, SSA must employ effective front-end controls in its enumeration process. To effectively combat SSN misuse, we believe SSA should establish a reasonable threshold for the number of replacement SSN cards an individual may obtain during a year and over a lifetime, continue to address identified weaknesses in its information security environment to better safeguard SSNs, and consider revising its policies to require that field offices obtain independent verification of the birth records for U.S. citizens under age 1 before SSN assignment.

SSA has taken steps to improve controls within its enumeration process, including establishing the Enumeration Response Team. As a result of the Team's efforts, SSA now performs full collateral verification of all immigration documents before assigning SSNs to noncitizens. SSA requires mandatory interviews for all applicants for original SSNs who are over age 12 (lowered from age 18) and requires evidence of identity for all children, regardless of age. In addition, SSA has established an Enumeration Center in Brooklyn, New York, that focuses exclusively on assigning SSNs and issuing SSN cards. SSA has also created an Identity Theft Workgroup in which we participate.

The SSN and Reported Earnings
Properly posting earnings ensures eligible individuals receive the full retirement, survivor and/or disability benefits due them. If earnings information is reported incorrectly or not reported at all, SSA cannot ensure all eligible individuals are receiving the correct payment amounts. In addition, SSA's disability programs depend on earnings information to determine whether an individual is eligible for benefits and to calculate the amount of benefit payments.

SSA spends scarce resources correcting earnings data when incorrect information is reported. The Earnings Suspense File (ESF) is the Agency's record of annual wage reports for which wage earners' names and SSNs fail to match SSA's records. As of October 2003,

SSA had posted 9.6 million wage items to its ESF for Tax Year 2001, representing about $56 billion in wages. This was before some planned edits, which may have further reduced this number.

While SSA has limited control over the factors that cause the volume of erroneous wage reports submitted each year, there are still areas where the Agency can improve its processes. SSA can improve wage reporting by educating employers on reporting criteria, identifying and resolving employer reporting problems, and encouraging greater use of the Agency's SSN verification programs. SSA also needs to coordinate with other Federal agencies with separate, yet related, mandates. For example, the Agency now collaborates with the Internal Revenue Service to achieve more accurate wage reporting.

SSA has taken steps to reduce the size and growth of the ESF. For example, SSA has expanded its Employee Verification Service by piloting an on-line service called the Social Security Number Verification Service, which allows employers to verify the names and SSNs of employees before reporting their wages to SSA. The Agency has also modified its automated processes to better identify the numberholder related to suspended items. Whereas previous internal edits used only the name and SSN related to the suspended wage, SSA stated the new processes would use information stored on the earnings and benefits records.

The SSN and Unauthorized Work
SSA also assigns nonwork SSNs to noncitizens who are (1) in the United States but are not authorized to work and (2) are not present in the United States but are entitled to a federally-financed benefit that requires an SSN. In recent years, SSA has strictly limited the assignment of such numbers.

Furthermore, SSA monitors noncitizens who show earnings under a nonwork SSN and reports this information to the Department of Homeland Security (DHS). Nonetheless, our audits have noted a number of issues related to nonwork SSNs, including (1) the type of evidence provided to obtain a nonwork SSN, (2) the reliability of nonwork SSN information in SSA's records, (3) the significant volume of wages reported under nonwork SSNs, and (4) the payment of benefits to noncitizens who qualified for their benefits while working in the country without proper authorization.

Recent legislation (Pub. L. 108-203, Social Security Protection Act of 2004) prohibits the payment of Title II benefits based on the earnings of any individual who is not a U.S. citizen or national and who has never been issued an SSN to work in the United States. SSA's implementation of this new law will require increased coordination with DHS to ensure SSA has the correct work status information in its systems.

In FY 2003, DDSs processed over 2.5 million initial disability claims, and the average processing time was 97 days.
SSA administers the Disability Insurance (DI) and Supplemental Security Income (SSI) programs, which provide benefits based on disability. Most disability claims are initially processed through a network of Social Security field offices and State Disability Determination Services (DDS). SSA representatives in the field offices are responsible for obtaining applications for disability benefits, disability report forms and authorization for disclosure of information forms as well as verifying non-medical eligibility requirements, which may include age, employment, marital status, or Social Security coverage information. After initial processing, the field office sends the case to a DDS to develop medical evidence and evaluate disability.

Once SSA establishes an individual is eligible for disability benefits under either the DI or SSI program, the Agency turns its efforts toward ensuring the individual continues to receive benefits only as long as SSA's eligibility criteria are met. For example, a continuing disability review (CDR) may show the individual no longer meets SSA's disability criteria or has demonstrated medical improvement.

If an individual disagrees with the Agency's decision on his/her claim or CDR, the claimant can appeal to SSA's Office of Hearings and Appeals (OHA). OHA's field structure consists of 10 regional offices and 140 hearing offices. OHA's administrative law judges hold hearings and issue decisions. In FY 2003, hearing offices processed 571,928 cases. OHA's average processing time has increased significantly from 274 days in FY 2000 to 344 days in FY 2003. Further, the pending workload was 591,562 cases on September 30, 2003, whereas it was 346,756 cases on September 30, 2000. We have focused our attention on weaknesses within OHA-such as the backlog of cases, safeguards for sensitive information in case files, and shredding documents.

GAO added modernizing Federal disability programs-including SSA's-to its 2003 high-risk list due, in part, to outmoded concepts of disability, lengthy processing times, and decisional inconsistencies. In September 2003, the Commissioner of Social Security proposed a new approach to improving the disability determination process, which includes several initiatives that emphasize timely and accurate disability decisions. For example, a quick-decision step would initially sort claims based on information provided by claimants to identify people who are obviously disabled. Additionally, the Commissioner proposed an in-line quality review process and a centralized quality control unit. The Commissioner views her September 2003 proposal as the first step in a collaborative process eventually leading to a final plan for disability improvements.

In addition to her long-term proposal, the Commissioner has accelerated the Agency's transition to the electronic disability folder. The electronic disability folder will allow for disability claims information to be stored electronically and transmitted electronically between field offices, DDSs, and OHA.

Disability Fraud
Fraud is an inherent risk in SSA's disability programs. Some unscrupulous people view SSA's disability benefits as money waiting to be taken. A key risk factor in the disability program is individuals who feign or exaggerate symptoms to become eligible for disability benefits. Another key risk factor is the monitoring of medical improvements for disabled individuals to ensure those individuals who are no longer disabled are removed from the disability rolls.

We are working with SSA to address the integrity of the disability programs through the Cooperative Disability Investigation (CDI) program. The CDI program's mission is to obtain evidence that can resolve questions of fraud in SSA's disability programs. The CDI program is managed in a cooperative effort between SSA's Office of Operations, the Office of the Inspector General, and the Office of Disability Programs. There are 18 CDI units operating in 17 States. In the first half of FY 2004, the CDI units saved SSA almost $64 million by identifying fraud and abuse related to initial and continuing claims within the disability program.

In FY 2003, SSA issued over $500 billion in benefit payments to about 50 million beneficiaries.
SSA issues benefit payments under the Old-Age, Survivors and Disability Insurance (OASDI) and SSI programs. Since SSA is responsible for issuing timely benefit payments for complex entitlement programs to about 50 million individuals, even the slightest error in the overall process can result in millions of dollars in over- or underpayments.

Improper payments are defined as payments that should not have been made or were made for incorrect amounts. Examples of improper payments include inadvertent errors, payments for unsupported or inadequately supported claims, or payments to ineligible beneficiaries. Furthermore, the risk of improper payments increases in programs with a significant volume of transactions, complex criteria for computing payments, and an overemphasis on expediting payments.

The President and Congress have expressed interest in measuring the universe of improper payments within the Government. In August 2001, OMB published the FY 2002 PMA, which included a Government-wide initiative for improving financial performance. In November 2002, the Improper Payments Information Act of 2002 was enacted, and OMB issued guidance in May 2003 on implementing this law.

Under the Act, agencies that administer programs where the risk of improper payments is significant must estimate their annual amount of improper payments and report this information in their Annual Performance and Accountability Reports. OMB works with each agency to establish goals for reducing improper payments for each program.

SSA and the Office of the Inspector General have had discussions on such issues as detected versus undetected improper payments and avoidable versus unavoidable overpayments that are outside the Agency's control and a cost of doing business. In August 2003, OMB issued specific guidance to SSA to only include avoidable overpayments in its improper payment estimate because these payments could be reduced through changes in administrative actions. Unavoidable overpayments that result from legal or policy requirements are not included in SSA's improper payment estimate.

SSA has been working to improve its ability to prevent over- and underpayments by obtaining beneficiary information from independent sources sooner and/or using technology more effectively. For example, the Agency is continuing its efforts to prevent improper payments after a beneficiary dies through the use of Electronic Death Registration information. Also, the Agency's CDR process identifies and prevents payments to beneficiaries who are no longer disabled.

In FY 2004, we focused on improper payments that go undetected by SSA's normal processes. For instance, in one review of disabled beneficiaries who work, we found that SSA had assessed about $1.78 billion in overpayments for about 117,320 individuals. However, we estimated the Agency did not detect about $1.37 billion in overpayments to about 63,000 beneficiaries. SSA is implementing eWork, a new initiative to strengthen controls in this area.

Working with SSA, we have made great strides in reducing benefit payments to prisoners and SSI payments to fugitive felons, and these efforts continue. However, our work has shown that improper payments-such as those related to workers' compensation-continue to diminish the Social Security trust funds. Additionally, with the passage of the Social Security Protection Act of 2004, SSA faces new challenges in preventing and recovering improper payments-such as OASDI benefits to fugitives.

Assessing the control environment over DDSs and SSA's performance measures helps ensure the Agency is properly managing its resources to meet it mission.

Internal control comprises the plans, methods, and procedures used to meet missions, goals, and objectives. Internal controls help safeguard assets and prevent and detect errors and fraud. Assessing the internal control environment is important since internal control is a critical part of performance-based management. SSA's internal control environment helps its managers achieve desired results through effective stewardship of public resources.

SSA is responsible for implementing policies for the development of disability claims under the DI and SSI programs. Disability determinations under both DI and SSI are performed by DDSs in each State in accordance with Federal regulations. In carrying out its obligation, each DDS is responsible for determining claimants' disabilities and ensuring adequate evidence is available to support its determinations. To assist in making proper disability determinations, each DDS is authorized to purchase medical examinations, x-rays, and laboratory tests on a consultative basis to supplement evidence obtained from the claimants' physicians or other treating sources. There are 52 DDSs located in each of the 50 States, the District of Columbia, and Puerto Rico. SSA reimburses the DDS for 100 percent of allowable expenditures up to its approved funding authorization. In FY 2003, SSA allocated over $1.6 billion to fund DDS operations.

During FYs 2000 through 2003, we conducted 15 DDS administrative cost audits. In 13 of the 15 audits, internal control weaknesses were identified. For example, we reported that improvements were needed to ensure Federal funds were properly drawn and payments to medical providers were in accordance with Federal regulations. The lack of effective internal controls can result in the mismanagement of Federal resources and increase the risk of fraud.

In 6 of the 15 DDS administrative cost audits, we reported unallowable indirect costs totaling about $12.3 million. As a result, we initiated a separate review of SSA's oversight of indirect costs. We reported that SSA needed to improve its oversight of indirect costs claimed by DDSs to ensure SSA funds obligated by DDSs through the indirect cost process benefited SSA's disability programs and the costs were equitably distributed to its programs.

Congress, external interested parties, and the general public need sound data to monitor and evaluate SSA's performance. SSA relies primarily on internally generated data to manage the information it uses to administer its programs and report to Congress and the public. The necessity for good internal data Government wide has resulted in the passage of several laws, including the Government Performance and Results Act. In addition to the legislation calling for greater accountability within the Government, the PMA has focused on the integration of the budget and performance measurement processes. The PMA calls for agencies to, over time, identify high quality outcome measures, accurately monitor the performance of programs, and begin integrating this presentation with associated costs.

SSA sets forth its mission and strategic goals in strategic plans, establishes yearly targets in its annual performance plan, and reports on its performance annually. Each year, we conduct audits to assess the internal control environment over SSA's performance measures. The objective of this work is to assess the reliability of SSA's performance data and evaluate the extent to which SSA's performance measures describe its planned and actual performance meaningfully.

Assessing the control environment over DDSs and SSA's performance measures helps ensure the Agency is properly managing its resources to meet its mission.

The information technology revolution has changed the way government and business operate. Today, the growth in computer interconnectivity brings a heightened risk of disrupting or sabotaging critical operations, reading or copying sensitive data, and tampering with critical processes. Those who wish to disrupt or sabotage critical operations have more tools than ever. The United States works to protect the people, economy, essential services, and national security by ensuring that any disruptions are infrequent, manageable, of minimal duration, and cause the least damage possible. The Government must continually strive to secure information systems for critical infrastructures. Protection of these systems is essential to telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services.

SSA's information security challenge is to understand and mitigate system vulnerabilities. At SSA, this means ensuring the security of its critical information infrastructure, such as access to the Internet and its networks. By improving systems security and controls, SSA will be able to use current and future technology more effectively to fulfill the public's needs. The public will not use electronic access to SSA services if it does not believe those systems are secure. SSA addresses critical information infrastructure and systems security in a variety of ways. For example, it has created a Critical Infrastructure Protection work group that works toward compliance with various directives, such as the Homeland Security Presidential Directives and the Federal Information Security Management Act of 2002. SSA has several other components throughout the organization that handle systems security, including the Office of Information Technology Security Policy within the Office of the Chief Information Officer.

Homeland Security Presidential Directive 7 requires that all Federal departments and agency heads identify, prioritize, assess, remediate, and protect their respective critical infrastructure and key resources. OMB provided guidance to Federal departments and agencies on how to prepare plans to protect physical and cyber critical infrastructure and key resources and to complete these plans by July 31, 2004. We have worked closely with SSA to help meet these requirements. The Agency plans must address identification, prioritization, protection, and contingency planning, including the recovery and reconstitution of essential capabilities.

One important issue in systems security is restricting physical access to the Agency's systems and data. We reported on physical security problems at several hearing offices and noted that non-SSA employees were allowed inappropriate access to secured areas. Though the managers at these sites took prompt action to remedy the security breaches, we believe the same security concerns may be present at other hearing offices. However, because our observations were limited to only a few offices, we do not know how pervasive these security breaches may be. We plan to better assess OHA's vulnerabilities in this area.

In addition, under the Federal Information Security Management Act, we independently evaluate SSA's security program. We also monitor the Agency's efforts and progress on the Expanded Electronic Government initiative of the PMA. Systems security is a key component of this initiative, and we are working with the Agency to resolve outstanding issues so it can get to "green" on the Electronic Government Scorecard.

Given the complexity of Agency programs, the billions of dollars in payments at stake, and the millions of citizens who rely on SSA, we must ensure that quality, timely, and appropriate services are consistently provided to the public-at-large.
One of SSA's goals is to deliver high-quality, "citizen-centered" service. This goal encompasses traditional and electronic services to applicants for benefits, beneficiaries and the general public. It includes services to and from States, other agencies, third parties, employers, and other organizations, including financial institutions and medical providers. This area includes basic operational services, and two of the greatest challenges in the area are the representative payee process and managing human capital.

Representative Payee Challenges
When SSA determines a beneficiary cannot manage his/her benefits, SSA selects a representative payee who must use the payments for the beneficiary's needs. There are about 5.4 million representative payees who manage benefit payments for 6.8 million beneficiaries. While representative payees provide a valuable service for beneficiaries, SSA must provide appropriate safeguards to ensure they meet their responsibilities to the beneficiaries they serve.

We have completed several audits of representative payees. Our audits have identified deficiencies with the accounting for benefit receipts and disbursements, vulnerabilities in the safeguarding of beneficiary payments, poor monitoring and reporting to SSA of changes in beneficiary circumstances, inappropriate handling of beneficiary-conserved funds, and
improper charging of fees.

In March 2004, the President signed into law the Social Security Protection Act of 2004. This Act provides several new safeguards for those individuals who need a representative payee. In addition, it presents significant challenges to SSA to ensure representative payees meet beneficiaries' needs. For example, it requires that SSA conduct periodic on-site reviews of representative payees and a statistically valid survey to determine how payments made to representative payees are being used. It also authorizes SSA to impose civil monetary penalties for offenses involving misuse of benefits received by a representative payee.

Human Capital Challenges
SSA, like many other Federal agencies, is being challenged to address its human capital shortfalls. In January 2001, GAO added strategic human capital management to its list of high-risk Federal programs and operations. In addition, Strategic Management of Human Capital is one of five Government-wide initiatives contained in the PMA.

By the end of 2012, SSA projects its DI and Old-Age and Survivors Insurance benefit rolls will increase by 35 percent and 18 percent, respectively. At the same time, 59 percent of SSA's employees will be eligible to retire. This retirement wave will result in a loss of institutional knowledge that will affect SSA's ability to deliver quality service to the public.

Along with the workload increase, the incredible pace of technological change will have a profound impact on both the public's expectations and SSA's ability to meet those expectations. In the face of these challenges, technology is essential to achieving efficiencies and enabling employees to deliver the kind of service every claimant, beneficiary and citizen needs and deserves.
The critical loss of institutional skills and knowledge, combined with greatly increased workloads at a time when the baby-boom generation will require its services, must be addressed by succession planning, strong recruitment efforts, and the effective use of technology.

SSA continues to score "green" in "Progress in Implementing the President's Management Agenda" on the OMB Scorecard and, in July 2004, improved its rating in "Status" from "yellow" to "green."