OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
ADMINISTRATIVE COSTS CLAIMED BY THE ALABAMA DISABILITY DETERMINATION SERVICE
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse.
We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
Date: February 29, 2008
To: Paul D. Barnes
Regional Commissioner Atlanta
From: Inspector General
Subject: Administrative Costs Claimed by the Alabama Disability Determination Service
Our objectives were to
evaluate the Alabama Department of Education's (AL DE) and Alabama Disability Determination Service's (AL DDS) internal controls over the accounting and reporting of administrative costs,
determine whether costs AL DDS claimed for Fiscal Years (FY) 2005 and 2006 were allowable and funds were properly drawn, and
assess limited areas of AL DDS' general security controls environment.
Disability determinations under the Social Security Administration's (SSA) Disability Insurance and Supplemental Security Income programs are performed by disability determination services (DDS) in each State or other responsible jurisdiction, according to Federal regulations. In carrying out its obligation, each DDS is responsible for determining claimants' disabilities and ensuring adequate evidence is available to support its determinations. To make proper disability determinations, each DDS is authorized to purchase consultative medical examinations and medical evidence of record from the claimants' physicians or other treating sources. SSA reimburses the DDS for 100 percent of allowable expenditures. DDSs report program disbursements and unliquidated obligations each quarter on Form SSA 4513, State Agency Report of Obligations for SSA Disability Programs.
AL DDS, a division of AL DE, is located in Birmingham, Alabama, and has a branch office in Mobile, Alabama. AL DE maintains AL DDS' official accounting records and prepares its Forms SSA 4513. For additional background, scope and methodology, see Appendix B.
RESULTS OF REVIEW
AL DE's and AL DDS' internal controls over the accounting and reporting of administrative costs for FYs 2005 and 2006 were generally effective to ensure costs claimed were allowable and funds were properly drawn. However, AL DDS did not always properly manage its general security controls. As such, AL DDS' security practices and controls did not adequately protect office facilities and claimant data.
For the Birmingham AL-DDS office, we determined
perimeter access controls were not appropriately used and
recycling and cleaning practices placed claimants' personally identifiable information (PII) at risk.
For the Mobile AL-DDS office, we determined equipment rooms were not locked. Finally, AL DDS did not adequately document employees' annual security awareness training or establish a Security Plan that complied with SSA's requirements.
PERIMETER ACCESS CONTROLS NEEDED IMPROVEMENT
Intrusion Detection System Sensors Not Reactivated Timely and Perimeter Door Not Always Locked
SSA's policy requires that DDSs adequately safeguard claimant/program information and facilities used by their personnel. However, AL DDS' security practices did not maintain the integrity of its perimeter controls in the Birmingham office.
AL DDS installed an intrusion detection system (IDS) to enhance building security and supplement its 24 hour guard service but kept IDS sensors deactivated on three doors for approximately 5 hours beyond normal business hours. AL DDS deactivated IDS sensors each weekday morning to facilitate deliveries and provide employees access to a designated smoking area. While AL DDS used surveillance cameras to monitor all three doors and kept two of the three doors locked, it did not reactivate IDS sensors until approximately 10:00 p.m. each weeknight. AL DDS told us it delayed reactivating IDS sensors to accommodate its cleaning service. We believe AL DDS should reactivate IDS sensors at the end of the business day.
Additionally, AL DDS allowed one of the three doors to remain unlocked until 5:00 p.m. each weekday to provide employees access to a smoking area. While AL DDS has latticework around the smoking area, we do not believe this is an adequate security measure. AL DDS should keep the unsecured door locked to prevent unauthorized access to its facilities.
Accordingly, AL DDS did not consistently maintain the integrity of its building access controls, which increased the building's vulnerability to intrusion. We recommend SSA address these perimeter security issues with AL DDS and instruct it to reactivate IDS sensors timely and keep the perimeter door locked.
Intrusion Detection System Not Adequately Protected
SSA policy instructs DDS management to ensure ongoing security of data, personnel and property by protecting its systems. However, AL DDS did not adequately protect access to its IDS. Although the DDS' guard station contained the IDS keypad, backup power supply and camera system, the DDS did not have a lock on the guard station door. While the guard is generally in the guard station, there are instances when the guard may be away from his post for a short period. Therefore, we believe an unattended and unlocked guard station could provide third parties access to the IDS and security equipment.
Furthermore, we found the IDS code displayed on the guard station wall. When we brought this to the Security Officer's attention, he removed the code from the wall. We believe its open display could have compromised the IDS code. As such, we believe AL DDS should change its IDS code. Also, AL DDS should install a lock on the guard station door and keep the guard station locked when it is unattended.
Intrusion Detection System Not Tested Semiannually
Contrary to SSA policy, AL DDS had not tested its IDS semiannually to ensure all sensors were working properly. We believe AL DDS risked the IDS' effectiveness by not testing it as required. We discussed this finding with AL DDS management and learned they were amending their agreement with the monitoring company. The renegotiated agreement will include semiannual testing of the system. While AL DDS' actions adequately address our concern, we recommend it ensure the IDS is tested semiannually.
PERSONALLY IDENTIFIABLE INFORMATION AT RISK
Recycling Bins Not Adequately Secured
SSA policy requires that DDSs dispose of claimant PII so it is unattainable to unauthorized personnel. However, on two occasions during our field work, AL DDS' Birmingham office left a recycling bin containing PII outside on a loading dock. In fact, we determined the bin remained outside for multiple days.
AL DDS management told us it allowed employees to place recycling bins outside before the shredding contractor's scheduled pick up time. As a result, AL DDS inadvertently made claimant PII accessible to unauthorized personnel. We discussed our finding with AL DDS management, who told us they were addressing this issue and would no longer place recycling bins containing PII outside before the recycling contractor's arrival. The manager also stated they have instructed employees to check bins after the contractor completed its shredding to ensure no outside bins contain PII. Although AL DDS' actions adequately address our concerns, we recommend they monitor the recycling process.
Claimant Records Not Adequately Secured
SSA policy states DDSs should secure claimant records and folders to avoid unauthorized disclosures when sensitive areas are cleaned outside of normal business hours. However, AL DDS' contracted service cleaned the Birmingham office, including its sensitive areas, during non-business hours, and one such area, the Data Entry unit, contained over 200 unsecured claimant folders.
In 2002, we identified and reported to SSA and AL DDS that the DDS allowed third parties, such as cleaning staff, access to sensitive areas where claimant data were unsecured. When we discussed our prior finding with AL DDS management, they told us they were more concerned with the flow of operations than with the risk of claimants' folders being compromised. Although AL DDS told us they did not believe available space would accommodate storage requirements, they agreed its contracted service could clean departments with a high volume of sensitive material, such as the Data Entry unit, during business hours. However, AL DDS has continued to allow cleaning staff access to unsecured sensitive claimant data. We recommend that SSA require that AL DDS either clean sensitive areas during business hours or implement a clean desk policy to ensure claimant data are properly secured.
EQUIPMENT ROOMS NOT LOCKED
SSA policy requires that DDSs keep utility boxes and closets locked to prevent tampering. However, during our site visit to the Mobile, Alabama, office, we found the mechanical and telephone rooms were unsecured, and the telephone room did not have a lock. After discussing our findings with AL DDS management, they immediately locked the mechanical room door and installed a lock on the telephone room door. We believe AL DDS adequately addressed our concern. However, AL DDS should remind its personnel about securing the equipment rooms to avoid any unnecessary risk. We recommend AL DDS monitor the equipment rooms to ensure they remain locked.
ANNUAL SECURITY AWARENESS TRAINING NOT ADEQUATELY DOCUMENTED
SSA policy requires that DDSs conduct annual security awareness training and obtain a signed statement of understanding from its employees. Although AL DDS conducted the required training, it required that employees sign a Form SSA 120, Application for Access to SSA Systems, a form that was designed for other purposes. We discussed this finding with AL DDS management, who stated they will obtain employees' signed statements of understanding in accordance with SSA policy. We believe AL DDS is adequately addressing our concern.
SECURITY PLAN NOT ADEQUATE
SSA policy requires that DDSs establish and maintain a written Security Plan for each of its sites. However, AL DDS' Security Plan only contained three of eight required parts, and these parts did not contain all of the required elements. For example, Part A, Physical Security DDS Description/Profile, did not contain
the size of office,
the situation of office (shared tenancy),
a description of existing security in place during non-business hours,
a description of computer system and communications equipment,
a description of workload, and
a DDS organizational chart and list of number and types of DDS personnel.
Also, Part F, Continuity of Operations Plan, did not contain a description of procedures and persons to contact at the Regional Office or the DDS' workload. Furthermore, Part G, Disaster Recovery Plan, did not contain a description of local resources AL DDS would need if a disaster occurred.
AL DDS management told us their Security Plan omissions were an oversight. AL DDS further stated it would revise its Security Plan and include the missing items. We believe an incomplete Security Plan could negatively impact the DDS' ability to resume operations in the event of a disaster or disruption of its workflow. AL DDS should ensure its Security Plan meets SSA's requirements.
CONCLUSION AND RECOMMENDATIONS
AL DE's and AL DDS' internal controls over the accounting and reporting of administrative costs for FYs 2005 and 2006 were generally effective to ensure costs claimed were allowable and funds were properly drawn. However, AL DDS' general security controls and practices did not always adequately protect office facilities and claimant data, and AL DDS did not have an adequate Security Plan.
Accordingly, we recommend that SSA instruct AL DDS to:
1. Reactivate the IDS' sensors at the end of the business day.
2. Keep the perimeter door locked.
3. Change the IDS code.
4. Install a lock on the guard station door.
5. Keep the guard station locked when it is unattended.
6. Ensure the IDS is tested semiannually.
7. Monitor the recycling process to ensure claimant PII is inaccessible to unauthorized personnel.
8. Require that its contracted service clean sensitive areas during business hours. If AL DDS continues cleaning sensitive areas during non-business hours, it should ensure that claimant information is properly secured from unauthorized personnel.
9. Monitor equipment rooms at the Mobile, Alabama, office to ensure they remain locked.
10. Obtain signed statements of understanding from employees regarding annual security awareness training.
11. Revise its Security Plan to meet SSA's requirements.
AGENCY COMMENTS AND OIG RESPONSE
SSA agreed with all of our recommendations, except for Recommendation 2. For Recommendation 2, the Agency agreed with the intent of the recommendation and instructed the DDS to conduct a risk assessment to determine appropriate corrective action. We believe the Agency's response and planned actions adequately address our concerns. The full text of SSA's and AL DDS' comments are included in Appendices D and E.
In September 2005, we issued a report on Disability Determination Services' Use of Social Security Numbers on Third Party Correspondence. In this report, we recommended that SSA:
Clarify existing policy to define what third parties may be provided a claimant's Social Security Number (SSN) as a part of the DDS's disability determination process. To ensure SSN integrity, we believe the SSN should only be disclosed when it is critical to a third party's ability to adequately respond to the DDS's information request.
SSA agreed with this recommendation and stated:
A claimant's SSN should only be disclosed when it is critical to a third party's ability to adequately respond to a DDS's information request. We will review and, to the extent necessary, clarify our existing policy to more clearly define which third parties should be provided a claimant's full or partial SSN as part of the DDS evidence collection process.
We asked AL DDS if it disclosed claimants' SSNs on documents sent to third parties. AL DDS confirmed that it includes claimants' SSNs on requests for medical evidence of record, consultative examinations and applicant travel documents and has been doing so for many years. We believe AL DDS should take steps to exclude the SSN from documents it sends to third parties.
Patrick P. O'Carroll, Jr.
APPENDIX A - Acronyms
APPENDIX B - Background, Scope and Methodology
APPENDIX C - Schedule of Total Costs Reported on Forms SSA 4513-State Agency Reports of Obligations for Social Security Administration Disability Programs
APPENDIX D - Agency Comments
APPENDIX E - Alabama Disability Determination Service Comments
APPENDIX F - OIG Contacts and Staff Acknowledgments
Act            Social Security Act
AL DDS         Alabama Disability Determination Service
AL DE          Alabama Department of Education
C.F.R.         Code of Federal Regulations
DDS            Disability Determination Services
DI             Disability Insurance
FY             Fiscal Year
IDS            Intrusion Detection System
PII            Personally Identifiable Information
POMS           Program Operations Manual System
SSA            Social Security Administration
SSI            Supplemental Security Income
SSN            Social Security Number
Treasury       Department of the Treasury
Form SSA 4513  State Agency Report of Obligations for SSA Disability Programs
Background, Scope and Methodology
The Disability Insurance (DI) program, established under Title II of the Social Security Act (Act), provides benefits to wage earners and their families in the event the wage earner becomes disabled. The Supplemental Security Income (SSI) program, established under Title XVI of the Act, provides benefits to financially needy individuals who are aged, blind, or disabled.
The Social Security Administration (SSA) is responsible for implementing policies for the development of disability claims under the DI and SSI programs. Disability determinations under both the DI and SSI programs are performed by disability determination services (DDS) in each State, Puerto Rico and the District of Columbia in accordance with Federal regulations. In carrying out its obligation, each DDS is responsible for determining claimants' disabilities and ensuring adequate evidence is available to support its determinations. To assist in making proper disability determinations, each DDS is authorized to purchase medical examinations, x-rays, and laboratory tests on a consultative basis to supplement evidence obtained from claimants' physicians or other treating sources.
SSA reimburses the DDS for 100 percent of allowable expenditures up to its approved funding authorization. The DDS withdraws Federal funds through the Department of the Treasury's (Treasury) Automated Standard Application for Payments System to pay for program expenditures. Funds drawn down must comply with Federal regulations and intergovernmental agreements entered into by Treasury and States under the Cash Management Improvement Act of 1990. An advance or reimbursement for costs under the program must comply with the Office of Management and Budget's Circular A-87, Cost Principles for State, Local and Indian Tribal Governments. At the end of each quarter of the Fiscal Year (FY), each DDS submits a State Agency Report of Obligations for SSA Disability Programs (Form SSA 4513) to account for program disbursements and unliquidated obligations.
To accomplish our objectives, we:
Reviewed applicable Federal laws, regulations and pertinent parts of SSA's Program Operations Manual System (POMS) DI 39500, DDS Fiscal and Administrative Management, and other instructions pertaining to administrative costs Alabama Disability Determination Service (AL DDS) incurred and requests for Federal funds covered by the Cash Management Improvement Act agreement.
Interviewed Alabama Department of Education's (AL DE) and AL DDS' staff and corresponded with SSA Regional Office personnel.
Reconciled the electronic disbursement files AL DE provided us to the administrative costs it reported on Forms SSA 4513 for FYs 2005 and 2006 through the quarter ended September 30, 2006.
Evaluated and tested internal controls over accounting, financial reporting and cash management activities.
Examined documentation for statistically selected direct cost transactions (personnel, medical services, and all other non-personnel costs) AL DE reported for the audit period to determine whether the costs were allowable under Office of Management and Budget Circular A-87, Cost Principles for State, Local and Indian Tribal Governments, and if appropriate, as defined by POMS.
Examined the Indirect Cost Rate Agreements in effect during the audit period and evaluated the propriety of AL DE's calculation of reported indirect costs.
Compared the amount of SSA funds AL DE drew down to support program operations with the disbursements it reported on Forms SSA 4513.
Reviewed the State of Alabama Single Audit reports for FYs 2005 and 2006.
Conducted a physical inventory of selected (1) equipment items contained on AL DDS' inventory listings and (2) computer hardware items SSA provided to AL DDS.
Conducted limited general control testing, which encompassed reviewing the physical access security within AL DDS.
The electronic data used in our audit were sufficiently reliable to achieve our audit objectives. We assessed the reliability of the electronic data by reconciling them with the costs claimed on the Forms SSA-4513. We also conducted detailed audit testing on selected data elements in the electronic data files.
We performed our audit at AL DE in Montgomery, Alabama; AL DDS in Birmingham and Mobile, Alabama; and the Office of Audit in Birmingham, Alabama, from March through October 2007. We conducted this financial audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Our sampling methodology encompassed the three areas of direct costs reported on Forms SSA 4513: (1) personnel, (2) medical, and (3) all other non-personnel costs. We obtained computerized data from AL DE for FYs 2005 and 2006 for use in statistical sampling.
Personnel Costs
We reviewed a random sample of 50 personnel transactions from 1 randomly selected pay period in FY 2006. Because management is on a different pay schedule from other DDS employees, we also reviewed the Administrator's personnel transactions for the pay period following the one selected for other personnel. In addition, we reviewed all 45 medical consultants' transactions from 1 randomly selected pay period in FY 2006. We tested payroll records to ensure AL DE correctly paid these employees and adequately supported the payments.
Medical Costs
We reviewed 100 medical cost items (50 items from each FY) using a stratified random sample. We distributed the sample items between medical evidence of record and consultative examinations based on the proportional distribution of the total medical costs for each year. We determined whether sampled costs were properly reimbursed.
All Other Non-Personnel Costs
We stratified all other non-personnel costs for each year into 10 categories: (1) Occupancy, (2) Contracted Costs, (3) Electronic Data Processing Maintenance, (4) Equipment Purchases, (5) Equipment Rental, (6) Communications, (7) Applicant Travel, (8) DDS Travel, (9) Supplies, and (10) Miscellaneous. For each year under review, we randomly selected 1 month's Occupancy costs and reviewed all transactions for each month. Next, we randomly selected 50 transactions to review for each year from the 9 remaining cost categories (100 sample items total). The number of sample items selected from each of the nine cost categories for each year was based on the proportional distribution of the costs included in each cost category for that year.
Schedule of Total Costs Reported on Forms SSA-4513, State Agency Reports of Obligations for Social Security Administration Disability Programs
Alabama Disability Determination Service

FISCAL YEARS (FY) 2005 AND 2006 COMBINED
REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel         $40,642,058     $1,629,819                 $42,271,877
Medical            20,819,723      2,007,402                  22,827,125
Indirect            4,588,574        298,144                   4,886,718
All Other           7,031,353        300,124                   7,331,477
TOTAL             $73,081,708     $4,235,489                 $77,317,197

FISCAL YEAR 2005
REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel         $20,824,017     0                          $20,824,017
Medical            11,868,623     0                           11,868,623
Indirect            2,665,694     0                            2,665,694
All Other           3,908,547     0                            3,908,547
TOTAL             $39,266,881     0                          $39,266,881

FISCAL YEAR 2006
REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel         $19,818,041     $1,629,819                 $21,447,860
Medical             8,951,100      2,007,402                  10,958,502
Indirect            1,922,880        298,144                   2,221,024
All Other           3,122,806        300,124                   3,422,930
TOTAL             $33,814,827     $4,235,489                 $38,050,316

(The single-year schedules carried no year labels as extracted; they are labeled above by inference, since their disbursements sum line by line to the combined schedule and only the later year carries unliquidated obligations.)
Date: February 21, 2008
To: Patrick P. O'Carroll, Jr
From: Regional Commissioner Atlanta
Subject: REPLY-Administrative Costs Claimed by the Alabama Disability Determination
Thank you for the opportunity to comment on the OIG draft report as outlined in the subject. Our comments are attached along with the response received from the Alabama Disability Determination Service.
We agree with your findings and present our views in the area that impacts the DDS as it relates to Personal Identifiable Information (PII) in the electronic environment.
If you wish to discuss our response, please call me or have your staff contact Joann Strange, Disability Program Administrator, at 404-562-1399.
Paul D. Barnes
Thank you for the opportunity to comment on the formal draft report of the Alabama Disability Service (DDS) Administrative Costs and General Security Controls for Fiscal Years 2005 and 2006.
SSA acknowledges that there were no adverse findings or corrective actions necessary regarding fiscal controls. Our comments below address the areas regarding general security controls where corrective action was recommended.
Finding - The intrusion detection system (IDS) sensors were not reactivated timely and the perimeter door was not always locked.
Recommendation 1 - Reactivate the IDS sensors at the end of the business day.
We agree and the AL DDS has implemented corrective action as recommended.
Recommendation 2 - Keep the perimeter door locked.
We agree with the intent of the recommendation. However, given that the perimeter door referenced leads to the employee smoking area which is frequented by employees throughout the day, we have instructed the DDS to conduct a risk assessment to determine appropriate corrective action.
Finding - The Intrusion detection system was not adequately protected.
Recommendation 3 - Change the IDS code.
We agree. The IDS code was changed on February 7, 2008.
Recommendation 4 - Install a lock on the guard station.
We agree. The guard station lock was installed on January 24, 2008 as recommended.
Recommendation 5 - Keep the guard station locked when unattended.
We agree. With the implementation of recommendation 4, the AL DDS will ensure that the guard station is locked when unattended.
Finding - The intrusion detection system was not tested annually.
Recommendation 6- Ensure that the IDS is tested semiannually.
We agree. The AL DDS FY 2008 IDS vendor's maintenance agreement was revised to provide for semi-annual testing. First IDS testing was done on December 7, 2007 and documented.
Finding - Recycling bins were not adequately secured.
Recommendation 7 - Monitor the recycling process to ensure claimant PII is inaccessible to unauthorized personnel.
We agree. The DDS changed its recycling contractor and implemented monitoring procedures to ensure that PII will not be placed outdoors until the recycling contractor arrives.
Finding - Claimant records are not adequately secured.
Recommendation 8 - Require that its contracted service clean sensitive areas during business hours. If AL-DDS continues cleaning sensitive areas during non-business hours, it should ensure that claimant information is properly secured from unauthorized personnel.
We agree. The AL DDS instructed its contract cleaning service to clean sensitive areas during normal business hours.
Finding - Mobile equipment rooms were not locked.
Recommendation 9- Monitor equipment rooms in the Mobile, Alabama office to ensure they remain locked.
We agree. Appropriate personnel will ensure that these rooms are always secured and locked to prevent any unnecessary risks.
Finding - Annual security awareness training was not adequately documented.
Recommendation 10 - Obtain signed statements of understanding from employees regarding annual security awareness training.
We agree. The DDS designed a form that now requires an employee signature when the annual security awareness training takes place.
Finding - The DDS Security Plan was not adequate.
Recommendation 11 - Revise the Security Plan to meet SSA's requirements.
We agree. SSA is working with the DDS to ensure that all eight parts of the Security Plan are complete and up to date in accordance with the POMS. The DDS has targeted all of their Security Plan revisions for February 29, 2008.
Finding - We asked AL-DDS if it disclosed claimant's SSNs on documents sent to third parties. AL-DDS confirmed that it includes claimant's SSNs on requests for medical evidence of record (MER), consultative examinations (CE) and applicant travel documents and has been doing so for many years.
Recommendation - The AL-DDS should take steps to exclude the SSN from documents that it sends to third parties.
SSA agrees that there is no need for DDSs to provide the claimant's SSN to third parties (e.g., employers, neighbors, relatives, day care providers, etc.) who are not MER, CE, or school sources. The AL-DDS also is in full agreement and does not include SSNs to these third parties.
However, the AL-DDS needs to provide a claimant's full SSN to MER, CE, and school providers to enable them to transmit evidence using Electronic Records of Evidence (ERE) Services. Also, legacy system programming, scanning procedures, and utilization of staff resources in the DDS would be adversely affected in obtaining the specific identified information if SSNs were not used. The applicant travel form is only provided to the claimant.
If your staff has any questions, please have them contact Joann Strange at (404) 562-1399.
Alabama Disability Determination Service Comments
The Office of the Inspector General conducted an audit of the Administrative Costs claimed by the Alabama Disability Service (DDS) for Fiscal Years 2005 and 2006. In the OIG audit report there were a number of areas regarding general security controls where corrective action was recommended. There were no adverse findings or corrective actions recommended regarding fiscal controls.
Following are the findings where OIG recommended corrective action, along with the DDS response to those recommendations. Those findings and corrective actions are as follows:
Finding - The intrusion detection system (IDS) sensors were not reactivated timely and the perimeter door was not always locked. Recommendation- Reactivate the IDS sensors at the end of the business day. Recommendation - Keep the perimeter door locked.
Response - The DDS will reactivate the sensors at the end of the business day, as recommended in the report. Additionally, the perimeter door was put on its own sensor zone on February 7, 2008. The door in question leads to the employee smoking area. Employees exit to this area at various times during the workday for breaks and during lunch. This smoking area is enclosed by an eight-foot fence, viewable by DDS security cameras and is frequently occupied by DDS employees. For these reasons, the DDS considers the possibility of an unauthorized entry during working hours from this area to be a very low risk item and will complete a risk assessment form regarding this issue.
Finding - The Intrusion detection system was not adequately protected.
Recommendation - Change the IDS code. Recommendation - Install a lock on the guard station. Recommendation - Keep the guard station locked when it is unattended.
Response- The IDS code was changed on February 7, 2008 as recommended. Although the security guards had been instructed prior to the audit that codes should not be displayed, they have been reminded that this should not be done and to do so violates security procedures. A lock was installed on the guard station, as recommended, on January 24, 2008. The guard station will be locked when it is unattended.
Finding - The intrusion detection system was not tested annually. Recommendation - Ensure that the IDS is tested semiannually.
Response - The maintenance agreement with the IDS vendor was amended starting with FY 2008 to provide for semi-annual testing of the IDS. The IDS was tested the first time in FY 2008 on December 7, 2007.
Finding - Recycling bins were not adequately secured. Recommendation - Monitor the recycling process to ensure claimant PII is inaccessible to unauthorized personnel.
Response - Starting with FY 2008, the DDS changed vendors for its recycling program. The new recycle containers are lockable and containers with PII will no longer be put outside before the recycling contractor's arrival. Employees have been instructed to check bins after the contractor has completed its shredding to ensure no outside bins contain PII. The DDS will continue to monitor the recycling process as recommended.
Finding - Claimant records are not adequately secured. Recommendation - Require the contracted service to clean sensitive areas during business hours.
Response - The DDS has instructed its contract service to clean sensitive areas during business hours. It should be noted that this issue should resolve itself over time. The DDS is already processing its initial and OHA workloads in an electronic format rather than paper. The DDS is supposed to convert to an electronic format for CDR cases during this fiscal year. Pipeline paper cases should be eliminated in a relatively short period of time following this conversion. Electronic records are protected from unauthorized access by SSA systems security.
Finding - Mobile equipment rooms were not locked. Recommendation - Monitor equipment rooms in the Mobile, Alabama office to ensure they remain locked.
Response - The equipment rooms in the Mobile office will be monitored, as recommended, to ensure that they remain locked.
Finding - Annual security awareness training was not adequately documented. Recommendation - Obtain signed statements of understanding from employees regarding annual security awareness training.
Response - Although the DDS had documentation that the security awareness training was conducted, it only obtained employee signatures on a new Form SSA 120 at the time of the security awareness training. The DDS has designed an additional form to be signed by employees at their annual security awareness training that will be used for all annual security awareness training in the future. Signature of the new/additional forms will start at the time of the next annual security
Finding - The DDS Security Plan was not adequate. Recommendation - Revise the Security Plan to meet SSA's requirements.
Response - The DDS has already added the recommended items identified in the audit to its Security Plan. However, some reformatting of the Security Plan still needs to be done. This should be completed no later than close of business on February 29, 2008. A copy of the reformatted Security Plan will be provided to the RO as soon as the reformatting has been completed.
Finding - The DDS utilizes the claimant's SSN on documents sent to medical providers. Recommendation - The AL-DDS should take steps to exclude the SSN from documents that it sends to third parties.
Response - The DDS does not use a claimant's SSN on documents going to third parties such as neighbors or friends etc. for information regarding claimants. The SSN is only used in documents being sent to providers of medical information. Applicant travel forms are only sent to claimants, not third parties, and the SSN is required for payment purposes. A large segment of the medical community relies on an SSN to identify/distinguish the claimant from other patients. Their computer software and business practices are structured to use the SSN as an identifier. The use of the SSN is a critical factor for obtaining information from medical vendors in order to collect the needed evidence for case processing. As long as a Form SSA 827 (Authorization To Disclose Information To The Social Security Administration) containing the claimant SSN accompanies requests for medical information from treating sources and consultative examination vendors, there is no value in removing the SSN from the request for medical information. It should be noted that the SSN is also used as the identifier for Medicare, Medicaid and military Tri-Care programs.
OIG Contacts and Staff Acknowledgments
Kimberly A. Byrd, Director, (205) 801-1650
Theresa Roberts, Audit Manager, (205) 801-1619
In addition to those named above:
Cliff McMillan, Senior Auditor
Janet Matlock, Senior Auditor
Charles Lober, Information Technology Specialist
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-08-07-17151.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Resource Management (ORM). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Resource Management
ORM supports OIG by providing information resource management and systems security. ORM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, ORM is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.