To: The Commissioner
From: Acting Inspector General
Subject: Top Issues Facing Social Security Administration Management-Fiscal Year 2005
The Reports Consolidation Act of 2000 requires that we summarize for inclusion
in the Social Security Administration's (SSA) Performance and Accountability
Report, our perspective on the most serious management and performance challenges
facing SSA. The top management issues facing SSA in Fiscal Year 2005, as determined
by the Office of the Inspector General, are: Social Security Number Protection,
Management of the Disability Process, Improper Payments, Internal Control Environment
and Performance Measures, Critical Infrastructure Protection and Systems Security,
and Service Delivery.
These areas are dynamic, so we encourage continuous feedback and additional
areas to evaluate. Our summary of SSA's progress in addressing these management
issues will be included in the Fiscal Year 2005 Performance and Accountability
Report.
If you have any questions or need additional information, please call me or
have your staff contact Steven L. Schaeffer, Assistant Inspector General for
Audit, at (410) 965-9700.
Patrick P. O'Carroll, Jr.
The Reports Consolidation Act of 20001 requires that we summarize, for inclusion
in the Social Security Administration's (SSA) Performance and Accountability
Report, our perspective on the most serious management and performance challenges
facing SSA. Since 1997, we have provided our perspective on these management
challenges to Congress, SSA and other key decisionmakers. In developing this
year's list, we considered
the four initiatives the Commissioner has identified as priorities: Service,
Stewardship, Solvency, and Staff;
the most significant issues as outlined in the President's Management Agenda
(PMA);
SSA's progress in responding to the Office of Management and Budget's (OMB)
Scorecard;
the Inspector General's Strategic Plan;
the high-risk list prepared by the Government Accountability Office (GAO); and
our body of audit and investigative work.
Finally, we prepared a crosswalk to ensure there was no disconnect or gap among
those reviewing SSA's programs and operations.
SOCIAL SECURITY NUMBER PROTECTION
The SSN is the single most widely used identifier for Federal and State governments,
as well as the private sector.
In FY 2003, SSA issued over 17.6 million original and replacement Social Security
number (SSN) cards, and SSA received approximately $533 billion in employment
taxes related to earnings under assigned SSNs. Protecting the SSN and properly
posting the wages reported under SSNs are critical to ensuring eligible individuals
receive the full benefits due them.
Efforts to Protect the SSN
The SSN has become a key to social, legal, and financial assimilation in this
country. Because the SSN is so heavily relied on as an identifier, it is also
valuable as an illegal commodity. Criminals improperly obtain SSNs by
(1) presenting false documentation;
(2) stealing another person's SSN;
(3) purchasing an SSN on the black market;
(4) using the SSN of a deceased individual; or
(5) creating a nine-digit number out of thin air.
To ensure SSN integrity, SSA must employ effective front-end controls in its
enumeration process. To effectively combat SSN misuse, we believe SSA should
establish a reasonable threshold for the number of replacement SSN cards an
individual may obtain during a year and over a lifetime, continue to address
identified weaknesses in its information security environment to better safeguard
SSNs, and consider revising its policies to require that field offices obtain
independent verification of the birth records for U.S. citizens under age 1
before SSN assignment.
SSA has taken steps to improve controls within its enumeration process, including
establishing the Enumeration Response Team. As a result of the Team's efforts,
SSA now performs full collateral verification of all immigration documents before
assigning SSNs to noncitizens. SSA requires mandatory interviews for all applicants
for original SSNs who are over age 12 (lowered from age 18) and requires evidence
of identity for all children, regardless of age. In addition, SSA has established
an Enumeration Center in Brooklyn, New York, that focuses exclusively on assigning
SSNs and issuing SSN cards. SSA has also created an Identity Theft Workgroup
in which we participate.
The SSN and Reported Earnings
Properly posting earnings ensures eligible individuals receive the full retirement,
survivor and/or disability benefits due them. If earnings information is reported
incorrectly or not reported at all, SSA cannot ensure all eligible individuals
are receiving the correct payment amounts. In addition, SSA's disability programs
depend on earnings information to determine whether an individual is eligible
for benefits and to calculate the amount of benefit payments.
SSA spends scarce resources correcting earnings data when incorrect information
is reported. The Earnings Suspense File (ESF) is the Agency's record of annual
wage reports for which wage earners' names and SSNs fail to match SSA's records.
As of October 2003,
SSA had posted 9.6 million wage items to its ESF for Tax Year 2001, representing
about $56 billion in wages. This was before some planned edits, which may have
further reduced this number.
While SSA has limited control over the factors that cause the volume of erroneous
wage reports submitted each year, there are still areas where the Agency can
improve its processes. SSA can improve wage reporting by educating employers
on reporting criteria, identifying and resolving employer reporting problems,
and encouraging greater use of the Agency's SSN verification programs. SSA also
needs to coordinate with other Federal agencies with separate, yet related,
mandates. For example, the Agency now collaborates with the Internal Revenue
Service to achieve more accurate wage reporting.
SSA has taken steps to reduce the size and growth of the ESF. For example, SSA
has expanded its Employee Verification Service by piloting an on-line service
called the Social Security Number Verification Service, which allows employers
to verify the names and SSNs of employees before reporting their wages to SSA.
The Agency has also modified its automated processes to better identify the
numberholder related to suspended items. Whereas previous internal edits used
only the name and SSN related to the suspended wage, SSA stated the new processes
would use information stored on the earnings and benefits records.
The SSN and Unauthorized Work
SSA also assigns nonwork SSNs to noncitizens who are (1) in the United States
but are not authorized to work and (2) are not present in the United States
but are entitled to a federally-financed benefit that requires an SSN. In recent
years, SSA has strictly limited the assignment of such numbers.
Furthermore, SSA monitors noncitizens who show earnings under a nonwork SSN
and reports this information to the Department of Homeland Security (DHS). Nonetheless,
our audits have noted a number of issues related to nonwork SSNs, including
(1) the type of evidence provided to obtain a nonwork SSN, (2) the reliability
of nonwork SSN information in SSA's records, (3) the significant volume of wages
reported under nonwork SSNs, and (4) the payment of benefits to noncitizens
who qualified for their benefits while working in the country without proper
authorization.
Recent legislation (Pub. L. 108-203, Social Security Protection Act of 2004)
prohibits the payment of Title II benefits based on the earnings of any individual
who is not a U.S. citizen or national and who has never been issued an SSN to
work in the United States. SSA's implementation of this new law will require
increased coordination with DHS to ensure SSA has the correct work status information
in its systems.
MANAGEMENT OF THE DISABILITY PROCESS
In FY 2003, DDSs processed over 2.5 million initial disability claims, and the
average processing time was 97 days.
SSA administers the Disability Insurance (DI) and Supplemental Security Income
(SSI) programs, which provide benefits based on disability. Most disability
claims are initially processed through a network of Social Security field offices
and State Disability Determination Services (DDS). SSA representatives in the
field offices are responsible for obtaining applications for disability benefits,
disability report forms and authorization for disclosure of information forms
as well as verifying non-medical eligibility requirements, which may include
age, employment, marital status, or Social Security coverage information. After
initial processing, the field office sends the case to a DDS to develop medical
evidence and evaluate disability.
Once SSA establishes an individual is eligible for disability benefits under
either the DI or SSI program, the Agency turns its efforts toward ensuring the
individual continues to receive benefits only as long as SSA's eligibility criteria
are met. For example, a continuing disability review (CDR) may show the individual
no longer meets SSA's disability criteria or has demonstrated medical improvement.
If an individual disagrees with the Agency's decision on his/her claim or CDR,
the claimant can appeal to SSA's Office of Hearings and Appeals (OHA). OHA's
field structure consists of 10 regional offices and 140 hearing offices. OHA's
administrative law judges hold hearings and issue decisions. In FY 2003, hearing
offices processed 571,928 cases. OHA's average processing time has increased
significantly from 274 days in FY 2000 to 344 days in FY 2003. Further, the
pending workload was 591,562 cases on September 30, 2003, whereas it was 346,756
cases on September 30, 2000. We have focused our attention on weaknesses within
OHA-such as the backlog of cases, safeguards for sensitive information in case
files, and shredding documents.
GAO added modernizing Federal disability programs-including SSA's-to its 2003
high-risk list due, in part, to outmoded concepts of disability, lengthy processing
times, and decisional inconsistencies. In September 2003, the Commissioner of
Social Security proposed a new approach to improving the disability determination
process, which includes several initiatives that emphasize timely and accurate
disability decisions. For example, a quick-decision step would initially sort
claims based on information provided by claimants to identify people who are
obviously disabled. Additionally, the Commissioner proposed an in-line quality
review process and a centralized quality control unit. The Commissioner views
her September 2003 proposal as the first step in a collaborative process eventually
leading to a final plan for disability improvements.
In addition to her long-term proposal, the Commissioner has accelerated the
Agency's transition to the electronic disability folder. The electronic disability
folder will allow for disability claims information to be stored electronically
and transmitted electronically between field offices, DDSs, and OHA.
Disability Fraud
Fraud is an inherent risk in SSA's disability programs. Some unscrupulous people
view SSA's disability benefits as money waiting to be taken. A key risk factor
in the disability program is individuals who feign or exaggerate symptoms to
become eligible for disability benefits. Another key risk factor is the monitoring
of medical improvements for disabled individuals to ensure those individuals
who are no longer disabled are removed from the disability rolls.
We are working with SSA to address the integrity of the disability programs
through the Cooperative Disability Investigation (CDI) program. The CDI program's
mission is to obtain evidence that can resolve questions of fraud in SSA's disability
programs. The CDI program is managed in a cooperative effort between SSA's Office
of Operations, the Office of the Inspector General, and the Office of Disability
Programs. There are 18 CDI units operating in 17 States. In the first half of
FY 2004, the CDI units saved SSA almost $64 million by identifying fraud and
abuse related to initial and continuing claims within the disability program.
IMPROPER PAYMENTS
In FY 2003, SSA issued over $500 billion in benefit payments to about 50 million
beneficiaries.
SSA issues benefit payments under the Old-Age, Survivors and Disability Insurance
(OASDI) and SSI programs. Since SSA is responsible for issuing timely benefit
payments for complex entitlement programs to about 50 million individuals, even
the slightest error in the overall process can result in millions of dollars
in over- or underpayments.
Improper payments are defined as payments that should not have been made or
were made for incorrect amounts. Examples of improper payments include inadvertent
errors, payments for unsupported or inadequately supported claims, or payments
to ineligible beneficiaries. Furthermore, the risk of improper payments increases
in programs with a significant volume of transactions, complex criteria for
computing payments, and an overemphasis on expediting payments.
The President and Congress have expressed interest in measuring the universe
of improper payments within the Government. In August 2001, OMB published the
FY 2002 PMA, which included a Government-wide initiative for improving financial
performance. In November 2002, the Improper Payments Information Act of 2002
was enacted, and OMB issued guidance in May 2003 on implementing this law.
Under the Act, agencies that administer programs where the risk of improper
payments is significant must estimate their annual amount of improper payments
and report this information in their Annual Performance and Accountability Reports.
OMB works with each agency to establish goals for reducing improper payments
for each program.
SSA and the Office of the Inspector General have had discussions on such issues
as detected versus undetected improper payments and avoidable versus unavoidable
overpayments that are outside the Agency's control and a cost of doing business.
In August 2003, OMB issued specific guidance to SSA to only include avoidable
overpayments in its improper payment estimate because these payments could be
reduced through changes in administrative actions. Unavoidable overpayments
that result from legal or policy requirements are not included in SSA's improper
payment estimate.
SSA has been working to improve its ability to prevent over- and underpayments
by obtaining beneficiary information from independent sources sooner and/or
using technology more effectively. For example, the Agency is continuing its
efforts to prevent improper payments after a beneficiary dies through the use
of Electronic Death Registration information. Also, the Agency's CDR process
identifies and prevents payments to beneficiaries who are no longer disabled.
In FY 2004, we focused on improper payments that go undetected by SSA's normal
processes. For instance, in one review of disabled beneficiaries who work, we
found that SSA had assessed about $1.78 billion in overpayments for about 117,320
individuals. However, we estimated the Agency did not detect about $1.37 billion
in overpayments to about 63,000 beneficiaries. SSA is implementing eWork, a
new initiative to strengthen controls in this area.
Working with SSA, we have made great strides in reducing benefit payments to
prisoners and SSI payments to fugitive felons, and these efforts continue. However,
our work has shown that improper payments-such as those related to workers'
compensation-continue to diminish the Social Security trust funds. Additionally,
with the passage of the Social Security Protection Act of 2004, SSA faces new
challenges in preventing and recovering improper payments-such as OASDI benefits
to fugitives.
INTERNAL CONTROL ENVIRONMENT AND PERFORMANCE MEASURES
Assessing the control environment over DDSs and SSA's performance measures helps
ensure the Agency is properly managing its resources to meet it mission.
Internal control comprises the plans, methods, and procedures used to meet missions,
goals, and objectives. Internal controls help safeguard assets and prevent and
detect errors and fraud. Assessing the internal control environment is important
since internal control is a critical part of performance-based management. SSA's
internal control environment helps its managers achieve desired results through
effective stewardship of public resources.
SSA is responsible for implementing policies for the development of disability
claims under the DI and SSI programs. Disability determinations under both DI
and SSI are performed by DDSs in each State in accordance with Federal regulations.
In carrying out its obligation, each DDS is responsible for determining claimants'
disabilities and ensuring adequate evidence is available to support its determinations.
To assist in making proper disability determinations, each DDS is authorized
to purchase medical examinations, x-rays, and laboratory tests on a consultative
basis to supplement evidence obtained from the claimants' physicians or other
treating sources. There are 52 DDSs located in each of the 50 States, the District
of Columbia, and Puerto Rico. SSA reimburses the DDS for 100 percent of allowable
expenditures up to its approved funding authorization. In FY 2003, SSA allocated
over $1.6 billion to fund DDS operations.
During FYs 2000 through 2003, we conducted 15 DDS administrative cost audits.
In 13 of the 15 audits, internal control weaknesses were identified. For example,
we reported that improvements were needed to ensure Federal funds were properly
drawn and payments to medical providers were in accordance with Federal regulations.
The lack of effective internal controls can result in the mismanagement of Federal
resources and increase the risk of fraud.
In 6 of the 15 DDS administrative cost audits, we reported unallowable indirect
costs totaling about $12.3 million. As a result, we initiated a separate review
of SSA's oversight of indirect costs. We reported that SSA needed to improve
its oversight of indirect costs claimed by DDSs to ensure SSA funds obligated
by DDSs through the indirect cost process benefited SSA's disability programs
and the costs were equitably distributed to its programs.
Congress, external interested parties, and the general public need sound data
to monitor and evaluate SSA's performance. SSA relies primarily on internally
generated data to manage the information it uses to administer its programs
and report to Congress and the public. The necessity for good internal data
Government wide has resulted in the passage of several laws, including the Government
Performance and Results Act. In addition to the legislation calling for greater
accountability within the Government, the PMA has focused on the integration
of the budget and performance measurement processes. The PMA calls for agencies
to, over time, identify high quality outcome measures, accurately monitor the
performance of programs, and begin integrating this presentation with associated
costs.
SSA sets forth its mission and strategic goals in strategic plans, establishes
yearly targets in its annual performance plan, and reports on its performance
annually. Each year, we conduct audits to assess the internal control environment
over SSA's performance measures. The objective of this work is to assess the
reliability of SSA's performance data and evaluate the extent to which SSA's
performance measures describe its planned and actual performance meaningfully.
Assessing the control environment over DDSs and SSA's performance measures helps
ensure the Agency is properly managing its resources to meet its mission.
CRITICAL INFRASTRUCTURE PROTECTION AND SYSTEMS SECURITY
The information technology revolution has changed the way government and business
operate. Today, the growth in computer interconnectivity brings a heightened
risk of disrupting or sabotaging critical operations, reading or copying sensitive
data, and tampering with critical processes. Those who wish to disrupt or sabotage
critical operations have more tools than ever. The United States works to protect
the people, economy, essential services, and national security by ensuring that
any disruptions are infrequent, manageable, of minimal duration, and cause the
least damage possible. The Government must continually strive to secure information
systems for critical infrastructures. Protection of these systems is essential
to telecommunications, energy, financial services, manufacturing, water, transportation,
health care, and emergency services.
SSA's information security challenge is to understand and mitigate system vulnerabilities.
At SSA, this means ensuring the security of its critical information infrastructure,
such as access to the Internet and its networks. By improving systems security
and controls, SSA will be able to use current and future technology more effectively
to fulfill the public's needs. The public will not use electronic access to
SSA services if it does not believe those systems are secure. SSA addresses
critical information infrastructure and systems security in a variety of ways.
For example, it has created a Critical Infrastructure Protection work group
that works toward compliance with various directives, such as the Homeland Security
Presidential Directives and the Federal Information Security Management Act
of 2002. SSA has several other components throughout the organization that handle
systems security, including the Office of Information Technology Security Policy
within the Office of the Chief Information Officer.
Homeland Security Presidential Directive 7 requires that all Federal departments
and agency heads identify, prioritize, assess, remediate, and protect their
respective critical infrastructure and key resources. OMB provided guidance
to Federal departments and agencies on how to prepare plans to protect physical
and cyber critical infrastructure and key resources and to complete these plans
by July 31, 2004. We have worked closely with SSA to help meet these requirements.
The Agency plans must address identification, prioritization, protection, and
contingency planning, including the recovery and reconstitution of essential
capabilities.
One important issue in systems security is restricting physical access to the
Agency's systems and data. We reported on physical security problems at several
hearing offices and noted that non-SSA employees were allowed inappropriate
access to secured areas. Though the managers at these sites took prompt action
to remedy the security breaches, we believe the same security concerns may be
present at other hearing offices. However, because our observations were limited
to only a few offices, we do not know how pervasive these security breaches
may be. We plan to better assess OHA's vulnerabilities in this area.
In addition, under the Federal Information Security Management Act, we independently
evaluate SSA's security program. We also monitor the Agency's efforts and progress
on the Expanded Electronic Government initiative of the PMA. Systems security
is a key component of this initiative, and we are working with the Agency to
resolve outstanding issues so it can get to "green" on the Electronic
Government Scorecard.
SERVICE DELIVERY
Given the complexity of Agency programs, the billions of dollars in payments
at stake, and the millions of citizens who rely on SSA, we must ensure that
quality, timely, and appropriate services are consistently provided to the public-at-large.
One of SSA's goals is to deliver high-quality, "citizen-centered"
service. This goal encompasses traditional and electronic services to applicants
for benefits, beneficiaries and the general public. It includes services to
and from States, other agencies, third parties, employers, and other organizations,
including financial institutions and medical providers. This area includes basic
operational services, and two of the greatest challenges in the area are the
representative payee process and managing human capital.
Representative Payee Challenges
When SSA determines a beneficiary cannot manage his/her benefits, SSA selects
a representative payee who must use the payments for the beneficiary's needs.
There are about 5.4 million representative payees who manage benefit payments
for 6.8 million beneficiaries. While representative payees provide a valuable
service for beneficiaries, SSA must provide appropriate safeguards to ensure
they meet their responsibilities to the beneficiaries they serve.
We have completed several audits of representative payees. Our audits have identified
deficiencies with the accounting for benefit receipts and disbursements, vulnerabilities
in the safeguarding of beneficiary payments, poor monitoring and reporting to
SSA of changes in beneficiary circumstances, inappropriate handling of beneficiary-conserved
funds, and
improper charging of fees.
In March 2004, the President signed into law the Social Security Protection
Act of 2004. This Act provides several new safeguards for those individuals
who need a representative payee. In addition, it presents significant challenges
to SSA to ensure representative payees meet beneficiaries' needs. For example,
it requires that SSA conduct periodic on-site reviews of representative payees
and a statistically valid survey to determine how payments made to representative
payees are being used. It also authorizes SSA to impose civil monetary penalties
for offenses involving misuse of benefits received by a representative payee.
Human Capital Challenges
SSA, like many other Federal agencies, is being challenged to address its human
capital shortfalls. In January 2001, GAO added strategic human capital management
to its list of high-risk Federal programs and operations. In addition, Strategic
Management of Human Capital is one of five Government-wide initiatives contained
in the PMA.
By the end of 2012, SSA projects its DI and Old-Age and Survivors Insurance
benefit rolls will increase by 35 percent and 18 percent, respectively. At the
same time, 59 percent of SSA's employees will be eligible to retire. This retirement
wave will result in a loss of institutional knowledge that will affect SSA's
ability to deliver quality service to the public.
Along with the workload increase, the incredible pace of technological change
will have a profound impact on both the public's expectations and SSA's ability
to meet those expectations. In the face of these challenges, technology is essential
to achieving efficiencies and enabling employees to deliver the kind of service
every claimant, beneficiary and citizen needs and deserves.
The critical loss of institutional skills and knowledge, combined with greatly
increased workloads at a time when the baby-boom generation will require its
services, must be addressed by succession planning, strong recruitment efforts,
and the effective use of technology.
SSA continues to score "green" in "Progress in Implementing the
President's Management Agenda" on the OMB Scorecard and, in July 2004,
improved its rating in "Status" from "yellow" to "green."