System Review Report
November 4, 2009
Honorable Patrick P. O’Carroll, Jr.
Inspector General
Social Security Administration
Altmeyer Building, Suite 300
6401 Security Boulevard
Baltimore, Maryland 21235
Dear Inspector General O’Carroll:
We have reviewed the system of quality control for the audit organization of the Social Security Administration Office of the Inspector General (SSA OIG) in effect for the year ended March 31, 2009. A system of quality control encompasses the SSA OIG’s organizational structure and the policies adopted and procedures established to provide it with reasonable assurance of conforming with Government Auditing Standards. The elements of quality control are described in Government Auditing Standards. The SSA OIG is responsible for designing a system of quality control and complying with it to provide the SSA OIG with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects. Our responsibility is to express an opinion on the design of the system of quality control and the SSA OIG’s compliance therewith based on our review.
Our review was conducted in accordance with Government Auditing Standards and guidelines established by the Council of the Inspectors General on Integrity and Efficiency (CIGIE). During our review, we interviewed SSA OIG personnel and obtained an understanding of the nature of the SSA OIG audit organization, and the design of the SSA OIG’s system of quality control sufficient to assess the risks implicit in its audit function. Based on our assessments, we selected engagements and administrative files to test for conformity with professional standards and compliance with the SSA OIG’s system of quality control. The engagements selected represented a reasonable cross-section of the SSA OIG’s audit organization, with emphasis on higher risk engagements. Prior to concluding the review, we reassessed the adequacy of the scope of the peer review procedures. We believe that the procedures we performed provide a reasonable basis for our opinion.
In performing our review, we obtained an understanding of the system of quality control for the SSA OIG’s audit organization. In addition, we tested compliance with the SSA OIG’s quality control policies and procedures to the extent we considered appropriate. These tests covered the application of the SSA OIG’s policies and procedures on selected engagements. Our review was based on selected tests; therefore, it would not necessarily detect all weaknesses in the system of quality control or all instances of noncompliance with it.
There are inherent limitations in the effectiveness of any system of quality control, and therefore noncompliance with the system of quality control may occur and not be detected. Projection of any evaluation of a system of quality control to future periods is subject to the risk that the system of quality control may become inadequate because of changes in conditions, or because the degree of compliance with the policies or procedures may deteriorate.
Enclosure I of this report identifies the offices of the SSA OIG that we visited and the engagements that we reviewed. Enclosure II contains the SSA OIG’s response to the draft report.
In our opinion, the system of quality control for the audit organization of the SSA OIG in effect for the year ended March 31, 2009, has been suitably designed and complied with to provide the SSA OIG with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects. Federal audit organizations can receive a rating of pass, pass with deficiencies, or fail. The SSA OIG has received a peer review rating of pass.
In addition to reviewing its system of quality control to ensure adherence with Government Auditing Standards, we applied certain limited procedures in accordance with guidance established by the CIGIE related to the SSA OIG’s monitoring of engagements performed by Independent Public Accountants (IPA) under contract where the IPA served as the principal auditor. It should be noted that monitoring of engagements performed by IPAs is not an audit and therefore is not subject to the requirements of Government Auditing Standards. The purpose of our limited procedures was to determine whether the SSA OIG had controls to ensure IPAs performed contracted work in accordance with professional standards. However, our objective was not to express an opinion, and accordingly we do not express an opinion on the SSA OIG’s monitoring of work performed by IPAs.
During the course of our review, we observed positive audit practices in the SSA OIG. For example, SSA OIG integrated the Government Accountability Office’s standards and the SSA requirements into the relevant steps in the TeamMate library files. Additionally, in our judgment, the SSA OIG audit policies and procedures were particularly noteworthy for instructional value. These policies and procedures represent a useful tool for ensuring consistently effective approaches to audit engagements undertaken by team members.
Overall, we commend the SSA OIG for its comprehensive quality control practices.
Sincerely,
Glenn A. Fine
Inspector General
Enclosures
Enclosure I
SCOPE AND METHODOLOGY
We tested compliance with the SSA OIG audit organization’s system of quality control to the extent we considered appropriate. These tests included a review of 11 of 78 audit reports issued during the period April 1, 2008, through March 31, 2009, and semiannual reporting periods ending September 30, 2008, and March 31, 2009. The SSA OIG did not issue any attestation reports during this period. We also reviewed the internal quality control reviews performed by SSA OIG.
Two of the 11 reports we reviewed were performed by Independent Public Accountants (IPA). We reviewed the SSA OIG’s monitoring of these engagements where the IPA served as the principal auditor during the period April 1, 2008, through March 31, 2009. During the period, the SSA OIG contracted for the audit of its agency’s Fiscal Year 2008 financial statements, along with the Fiscal Year 2008 Federal Information Security Management Act (FISMA) audit. The SSA OIG also contracted for certain other engagements that were to be performed in accordance with Government Auditing Standards.
We visited the Baltimore, Maryland; Dallas, Texas; Kansas City, Missouri; and Birmingham, Alabama, offices of the SSA OIG.
SSA OIG Performance Audits Reviewed
Table 1 identifies the nine SSA OIG audits performed by the SSA OIG’s Financial, Information Technology, Dallas, Kansas City, and Birmingham Audit Divisions that we reviewed.
Table 1: SSA OIG Performance Audits
SSA OIG AUDIT DIVISION | REPORT NO. | REPORT DATE | REPORT TITLE
Financial | A-15-08-28031 | 07/02/2008 | Congressional Response Report: Financial Institutions Deducting Fees and Garnishments from Social Security Benefits
Information Technology | A-14-08-18014 | 09/02/2008 | The Social Security Administration's Enterprise-Wide Infrastructure Contract
Dallas | A-06-07-17047 | 04/18/2008 | Social Security Administration Employees Acting as Representative Payees
Dallas | A-06-08-18042 | 06/04/2008 | Personally Identifiable Information Made Available to the General Public Via the Death Master File
Dallas | A-06-08-18092 | 01/26/2009 | Indirect Costs Claimed by the Texas Disability Determination Services
Kansas City | A-07-08-18039 | 08/28/2008 | Individual Volume Representative Payee in Topeka, Kansas
Kansas City | A-07-09-19005 | 03/30/2009 | Administrative Costs Claimed by the Utah Disability Determination Services
Birmingham | A-08-08-18059 | 02/20/2009 | Administrative Costs Claimed by the Kentucky Disability Determination Services
Birmingham | A-08-08-18079 | 03/09/2009 | Management Advisory Report: R-1 Religious Workers' Use of Social Security Numbers
SSA OIG Contractor Monitoring Files Reviewed
Table 2 identifies the two audits performed by IPAs for which we reviewed the SSA OIG’s monitoring activities.
Table 2: SSA OIG Monitoring Files for Contracted Audits
SSA OIG AUDIT DIVISION | REPORT NO. | REPORT DATE | REPORT TITLE
Financial | A-15-08-18087 | 11/07/2008 | Fiscal Year 2008 Financial Statement Audit Oversight
Information Technology | A-14-08-18063 | 09/19/2008 | Fiscal Year 2008 Evaluation of the Social Security Administration's Compliance with the Federal Information Security Management Act
Enclosure II
SOCIAL SECURITY
October 27, 2009
Mr. Raymond J. Beaudet
Assistant Inspector General
for Audit
Department of Justice
Office of the Inspector General
1425 New York Avenue, N.W., Suite 5000
Washington, D.C. 20530
Dear Mr. Beaudet:
We reviewed your draft report on our quality control system. We are pleased with your conclusion that our quality control system has been suitably designed and complied with to provide reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects.
We appreciate the efforts of your staff in completing this review in a thorough fashion, with minimal interference to our normal work flows. My staff also appreciated the description in your draft report of our policies and procedures as particularly noteworthy and a useful tool for ensuring consistently effective audit approaches.
If you have any questions, please contact me at (410) 965-9700. I look forward to receiving your final report.
Sincerely,
/s/
Steven L. Schaeffer
Assistant Inspector General
for Audit
SOCIAL SECURITY ADMINISTRATION BALTIMORE MD 21235-0001