SOCIAL SECURITY ADMINISTRATION
SINGLE AUDIT OF THE
COMMONWEALTH OF VIRGINIA
FOR THE FISCAL YEAR ENDED
JUNE 30, 2007
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
Date: December 18, 2008
To: Candace Skurnik
Audit Management and Liaison Staff
From: Inspector General
Subject: Management Advisory Report: Single Audit of the Commonwealth of Virginia for the Fiscal Year Ended June 30, 2007 (A-77-09-00005)
This report presents the Social Security Administration’s (SSA) portion of the single audit of the Commonwealth of Virginia for the Fiscal Year (FY) ended June 30, 2007. Our objective was to report internal control weaknesses, noncompliance issues, and unallowable costs identified in the single audit to SSA for resolution action.
The Auditor of Public Accounts performed the audit. We have not received the results of the desk review conducted by the Department of Health and Human Services (HHS). We will notify you when the results are received if HHS determines the audit did not meet Federal requirements. In reporting the results of the single audit, we relied entirely on the internal control and compliance work performed by the Auditor of Public Accounts and the reviews performed by HHS. We conducted our review in accordance with the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency.
For single audit purposes, the Office of Management and Budget (OMB) assigns Federal programs a Catalog of Federal Domestic Assistance (CFDA) number. SSA’s Disability Insurance (DI) and Supplemental Security Income (SSI) programs are identified by CFDA number 96. SSA is responsible for resolving single audit findings reported under this CFDA number.
The Virginia Disability Determination Services (DDS) performs disability determinations under SSA’s DI and SSI programs in accordance with Federal regulations. The Virginia DDS is reimbursed for 100 percent of allowable costs. The Department of Rehabilitative Services (DRS) is the Virginia DDS’ parent agency.
The single audit reported that:
1. DRS does not provide employees training on information security. The corrective action plan indicated that DRS is in the process of updating its Security Awareness Training Program to include information security as well as physical security (Attachment A, page 1).
2. DRS data exchanged between two computer systems was not adequately protected (e.g., encrypted). The corrective action plan indicated that DRS is working with SSA to correct the deficiency (Attachment A, pages 1 and 2).
3. One DRS employee had the dual ability to create and approve payroll transactions. The corrective action plan indicated that DRS will remove this employee’s ability to both create and approve transactions (Attachment A, page 3).
We recommend SSA:
1. Ensure DRS developed training that addressed information security.
2. Verify that controls have been put in place to protect DDS data exchanged between computer systems.
3. Confirm that DRS terminated the employee’s ability to create and approve payroll transactions.
The single audit also identified concerns related to policies and procedures applicable to DRS’ network administration and configuration; system and backup monitoring; and access and password controls (Attachment B). Although this finding was not specifically identified to SSA, it may have an impact on DDS operations. I am bringing this matter to your attention as it represents a potentially serious computer control problem for the Agency.
Please send copies of the final Audit Clearance Document to Shannon Agee. If you have questions, contact Shannon Agee at (816) 936-5590.
Patrick P. O’Carroll, Jr.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.