THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
SECURITY CONTROL AND AUDIT
REVIEW REQUIREMENTS AT
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse.
We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
Date: September 4, 2007
To: The Commissioner
From: Inspector General
Subject: Compliance with Onsite Security Control and Audit Review Requirements at Field Offices (A-02-07-27021)
Our objectives were to assess (1) the Social Security Administration's (SSA) procedures for selecting field offices (FO) for Onsite Security Control and Audit Reviews (OSCAR), (2) SSA's system for ensuring appropriate correction of deficiencies identified through OSCARs, and (3) additional steps SSA can take to enhance the OSCAR guide.
SSA's Management Control Review Program was designed to improve the accountability and effectiveness of SSA programs and operations by establishing, assessing, and reporting on management controls. The Management Control Review is an important part of SSA's efforts to ensure its financial, program, and administrative processes are functioning as intended and comply with the Federal Managers' Financial Integrity Act.
The Management Control Review Program is implemented at FOs through the OSCAR process. OSCARs are performed in each region by Center for Security and Integrity (CSI) staff and an outside contractor. The CSI staff visits each FO to ensure the efficiency, effectiveness, and integrity of its operations. The staff uses the same standard guides, checklists, and tests in each region.
The OSCAR addresses nine areas related to FO operations: Third Party Draft Account, Acquisitions, Refund and Remittance Processes, Time and Attendance, Security of Automated Systems, Physical and Protective Security, Enumeration, Critical Payment System, and Integrity Review Areas.
CSI and the contractor review all OSCAR guide chapters during OSCARs. Additionally, each region assigns two chapters for self-review by FO managers annually.
Within 45 days of the completion of the OSCAR, the CSI or contractor staff issues a final report on the deficiencies, if any, in management control they identified and recommendations for addressing the deficiencies. The FO manager has 45 days to develop a Corrective Action Plan to address any deficiencies noted in the final report. The Area Director must validate the Corrective Action Plan within 90 days of receipt. If the FO manager or Area Director cannot meet these timeframes, they can apply for an extension from CSI or SSA's Division of Financial Integrity.
The OSCAR guide allows each region to select either a 5-year plan or targeted review approach for FO reviews. The 5-year plan requires that regions conduct OSCARs in each of their FOs in 5 years and allows them to review FOs without using specific criteria for selection. The targeted approach allows regions to perform reviews based on stipulated target criteria, for example, when a new manager takes over an office or a manager's self-review identifies problems. Regions must document target review criteria for each OSCAR performed and maintain those records for at least 3 years. Additionally, each region is required to review a minimum of 10 percent of FOs each year.
We reviewed SSA's FO OSCAR selection process for Fiscal Years (FY) 2002 through 2006. Additionally, we visited 20 FOs nationwide, 2 FOs in each of SSA's 10 regions, in which OSCARs were conducted between April 1, 2005 and March 31, 2006. We reviewed FO managements' efforts to correct deficiencies noted in the OSCAR reports. We also interviewed SSA staff to solicit ideas for improving the OSCAR process. See Appendix B for additional background, scope, and methodology and Appendix C for a list of FOs visited.
RESULTS OF REVIEW
We found the OSCAR process for FOs to be generally effective in selecting FOs for review and correcting deficiencies found. Most of the regional offices that followed the 5-year plan reviewed or came close to reviewing 100 percent of their FOs during FYs 2002 through 2006. Similarly, the five regions that chose the targeted approach generally reviewed the required minimum 10 percent of their FOs. Most of the deficiencies noted in OSCARs were corrected at the FOs we visited, though some deficiencies still existed at the time of our review. In addition, OSCAR reporting requirements were generally completed timely, but late responses had not received extensions. Lastly, we identified some areas of the OSCAR process that could be improved.
FIELD OFFICE SELECTION PROCESS
As of the end of FY 2006, 5 of SSA's 10 regions had chosen to follow a 5-year plan, and 5 had chosen a targeted approach. Most of the five regions that followed the 5-year plan reviewed or came close to reviewing 100 percent of their offices during FYs 2002 through 2006 (see Table 1). In Region 8, however, one-quarter of the offices was not reviewed during the 5-year period.
Table 1: Regions Using the 5 Year Plan Selection Method

Region                    Number of FOs in Region*   Number of FOs Reviewed in 5-Year Cycle   Percent of FOs Reviewed in 5-Year Cycle
Region 4 (Atlanta)        261                        n/a**                                    n/a**
Region 6 (Dallas)         151                        151                                      100
Region 7 (Kansas City)    79                         78                                       99
Region 8 (Denver)         58                         43                                       74
Region 10 (Seattle)       53                         53                                       100

* This includes all FOs open in FYs 2002 through 2006, and does not include teleservice centers.
** Region 4 changed from using a targeted approach to a 5-Year Plan beginning in FY 2005.
The five regions that chose the targeted approach generally reviewed the required minimum 10 percent of their FOs for each of the years we reviewed (see Table 2). Additionally, these regions used and documented target review criteria in accordance with the OSCAR guide.
Table 2: Regions Using the Targeted Review Criteria Selection Method

Region                      Number of FOs in Region*   Percent of FOs Reviewed Per FY
                                                       2002   2003   2004   2005   2006
Region 1 (Boston)           74                         9      10     10     11     10
Region 2 (New York)         135                        10     10     9      16     13
Region 3 (Philadelphia)     143                        13     14     16     14     14
Region 5 (Chicago)          226                        10     10     12     12     10
Region 9 (San Francisco)    168                        13     16     13     10     10

* This includes all FOs open in FYs 2002 through 2006, and does not include teleservice centers.
We reviewed each deficiency identified in the latest OSCAR for 20 FOs to determine whether the appropriate corrective actions were taken. In total, there were 716 deficiencies noted in the 20 offices; we found 53 of the deficiencies still present at the time of our visits.
The 53 deficiencies were more likely to fall into 2 OSCAR review areas: Time and Attendance and Integrity Review. At the time of our visits, staff in 10 of the 20 FOs visited were not fully complying with time and attendance documentation procedures, such as sequentially signing in and out and/or completing time sheets correctly. Also, integrity reviews were not performed timely at four FOs. For example, 3 of the 10 integrity reviews we examined at 1 FO were not completed within the required 30 days. Similarly, 1 of the 18 integrity reviews we examined at another FO took longer than the allotted 30 days.
The OSCAR process includes timeframes for issuing reports and corrective action plans, validating corrective actions taken, and allowing extensions. Generally, the reports, corrective action plans, and the validation of corrective actions were completed on time, or close to on time. Only one of the OSCAR reports was not timely; it was released 7 days after the 45-day deadline. Four of the 20 corrective action plans were not timely and were generally between 1 and 2 weeks late. Similarly, the area directors' validations of corrective actions were not timely in 6 of the 20 offices. Validations were generally from 1 week to 1 month past the allotted 90 days, with one validation being more than 4 months overdue. This office reported that the area director waited to validate corrective actions until the completion of some extensive office renovations that addressed some of the OSCAR findings. The offices that did not complete timely corrective action plans or validations of the plans did not request extensions, as the OSCAR manual allows.
ONSITE SECURITY CONTROL AND AUDIT REVIEWS GUIDE
As part of our audit, we solicited ideas from SSA staff on how to improve the OSCAR process. SSA staff suggested the following.
The enumeration chapter in the OSCAR guide should be updated since the Social Security Card application process has changed. The OSCAR guide requires that a reviewer verify that required fields in the application are completed. The current computer program, SS-5 Assistant, used to process Social Security Card applications has built-in controls that do not allow a user to proceed without filling in required information.
The OSCAR guide should further consider current work environments that allow some FO staff to work outside of the field office using an SSA-provided laptop. The OSCAR does not review procedures in place to ensure safeguarding laptop computers and/or the personally identifiable information contained within the laptop computers taken outside of FOs.
CONCLUSION AND RECOMMENDATIONS
While we found the OSCAR process for FOs to be generally effective in both selecting FOs for review and correcting deficiencies found, improvements can be made to make the OSCAR process more effective. We recommend SSA:
1. Ensure all regions using the 5-year plan selection method review all FOs within a 5-year period. Also, since Region 4 began using the 5-year plan selection method in FY 2005, it should be evaluated after it completes a full 5-year period to ensure the required number of FOs are reviewed.
2. Direct FO managers to ensure continued compliance with corrective actions taken for previously identified deficiencies.
3. Ensure reporting timeframes are met or appropriate extensions are requested and approved.
4. Update the OSCAR guide as needed to reflect changes in SSA's working environment, including updating the enumeration chapter and addressing personally identifiable information and laptop security.
The Agency agreed with all of our recommendations. The Agency's comments are included in Appendix D.
Patrick P. O'Carroll, Jr.
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Field Offices Reviewed
APPENDIX D - Agency Comments
APPENDIX E - OIG Contacts and Staff Acknowledgments
CSI Center for Security and Integrity
FO Field Office
FY Fiscal Year
GAM General Administration Manual
OIG Office of the Inspector General
OSCAR Onsite Security Control and Audit Review
Pub. L. No. Public Law Number
SSA Social Security Administration
Scope and Methodology
To define the Onsite Security Control and Audit Review (OSCAR) process and criteria, we researched the OSCAR guide for field offices (FO), the Social Security Administration's (SSA) Management Control Review program, and the Federal Managers' Financial Integrity Act of 1982.
We researched the following sections of the Program Operations Manual System.
General (GN) 02403.002 Remittance Processing Responsibilities - General
GN 02403.006 Processing Remittances Received in the FO
GN 02403.009 Processing Cash Remittances Received in the FO
GN 02403.010 Completing the Cash Log
GN 02403.050 Unverified Alert Process - Remittances
GN 02403.100 Issuing and Reassigning SSA-1395-BK Receipt Books
GN 02403.145 Performing the Annual Management Review
We researched sections of the Administrative Instructions Manual System.
Financial Management Manual, Chapter 03, Finance and Accounting
General Administration Manual (GAM), Chapter 11, Emergency Management/Civil Defense
GAM, Chapter 12, Field Administration
GAM, Chapter 13, Health and Safety Management
Material Resources Manual, Chapter 04, Property Management
There were 1,348 FOs during FY 2002 through 2006 among 10 regions, as follows.
Region 1 (Boston) 74
Region 2 (New York) 135
Region 3 (Philadelphia) 143
Region 4 (Atlanta) 261
Region 5 (Chicago) 226
Region 6 (Dallas) 151
Region 7 (Kansas City) 79
Region 8 (Denver) 58
Region 9 (San Francisco) 168
Region 10 (Seattle) 53
To accomplish our objective for the FO selection process, we reviewed the OSCARs completed for FYs 2002 through 2006. To achieve our results, we:
Reviewed the OSCAR guide to gain an understanding of the two methods available to select FOs for OSCARs.
Determined whether all regions were reviewing the minimum required FOs each year of our period of review, per their chosen method of selection.
Determined whether those regions with a 5-year plan for FO reviews had reviewed each of their FOs in our 5-year period.
Determined whether each region using targeted review criteria as a basis for FO selection maintained documentation of such criteria for the minimum required time.
We identified 214 FOs in the 10 regions that had an OSCAR performed by the Center for Security and Integrity or an outside contractor's staff from April 1, 2005 to March 31, 2006. To accomplish our objective related to the corrective actions taken for deficiencies identified through OSCARs, we:
Selected a sample of 20 FOs, 2 per region, to review and measure overall characteristics.
Reconciled actual OSCAR reporting processes with OSCAR reporting criteria for the 20 FOs to determine whether OSCAR Reports and Corrective Action Plans were submitted and validated timely.
Performed on-site reviews at the 20 FOs to verify corrective actions were taken for deficiencies identified as part of an OSCAR.
We also solicited ideas for the improvement of the OSCAR process through review and analysis of our work results and interviews of relevant SSA personnel.
We performed our audit in the New York Audit Division and visited 20 FOs nationwide from December 2006 through June 2007. We found data used for this audit were sufficiently reliable to meet our objectives. The entities audited were SSA's Center for Security and Integrity and Division of Systems Security and Program Integrity, both under the Deputy Commissioner, Operations and SSA's Division of Financial Integrity, under the Deputy Commissioner, Budget, Finance and Management. We coordinated our review results with the auditees. Our audit was conducted in accordance with generally accepted government auditing standards.
Field Offices Reviewed
Number   Region   Field Office Location
1        1        Malden, Massachusetts
2        1        Lynn, Massachusetts
3        2        New York City, Downtown, New York
4        2        Hoboken, New Jersey
5        3        Fredericksburg, Virginia
6        3        Philadelphia, Downtown, Pennsylvania
7        4        Winder, Georgia
8        4        Gwinnett, Georgia
9        5        Kenosha, Wisconsin
10       5        Chicago, West Town, Illinois
11       6        Fort Worth, Texas
12       6        Dallas, Pleasant Grove, Texas
13       7        Warrensburg, Missouri
14       7        Emporia, Kansas
15       8        Denver, Colorado
16       8        Fargo, North Dakota
17       9        West Sacramento, California
18       9        San Mateo, California
19       10       Puyallup, Washington
20       10       Tacoma, Washington
Date: August 23, 2007
To: Patrick P. O'Carroll, Jr.
From: Larry W. Dye
Subject: Office of the Inspector General (OIG) Draft Report, "Compliance with Onsite Security Control and Audit Review Requirements at Field Offices" (A-02-07-27021)-INFORMATION
We appreciate OIG's efforts in conducting this review. Our comments on the recommendations are attached.
Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, on (410) 965-4636.
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S (OIG) DRAFT REPORT, "COMPLIANCE WITH ONSITE SECURITY CONTROL AND AUDIT REVIEW REQUIREMENTS AT FIELD OFFICES" (A-02-07-27021)
Thank you for the opportunity to review and provide comments on this draft report. Our comments on the draft recommendations are as follows.
Ensure all regions using the 5-year plan selection method review the required number of field offices (FO). Also, since Region 4 began using the 5-year plan selection method in fiscal year 2005, it should be evaluated after it completes a full 5-year period to ensure the required number of FOs are reviewed.
We agree. On August 13, 2007, we issued a memorandum to all Directors in the Regional Centers for Security and Integrity (CSI) reminding them to ensure that all sites are reviewed under the 5-year plan if that selection method is used. We will complete an evaluation in Region 4, after their full 5-year review period is complete, to ensure the required number of FOs have been reviewed.
Direct FO managers to ensure continued compliance with corrective actions taken for previously identified deficiencies.
We agree. As noted in the report, we implemented a two-chapter per year Onsite Security Control and Audit Reviews (OSCAR) self-review requirement for the field offices. In addition, we will include a reminder in the Annual Reminders to Managers, which is scheduled to be released in October 2007.
Ensure reporting timeframes are met or appropriate extensions are requested and approved.
We agree. On August 13, 2007, we issued a memorandum to all Directors in the Regional CSIs to reinforce the importance of meeting the timeframes and that requests for extensions are documented.
Update the OSCAR guide as needed to reflect changes in SSA's working environment, including updating the enumeration chapter and addressing personally identifiable information (PII) and laptop security.
We agree in part. We review and update the OSCAR guide on a monthly basis, to ensure it is in alignment with current security policies and procedures. We have added questions to the guide regarding security of laptops and of PII. In the current version of the field office OSCAR, laptop security is addressed in Chapter 5, "Security of Automated Systems," while the security of PII is addressed in Chapter 6, "Physical and Protective Security." Regarding the enumeration chapter, we do not think it should be updated at this time. We have had great success with initiatives such as the implementation of the SS-5 Assistant and the creation of the New York Modernized Enumeration System Workload Management Information website for monitoring of this workload to ensure the accuracy and integrity of our enumeration actions. There continue to be findings in this sensitive area; therefore, we do not anticipate eliminating a significant number of the chapter questions. We will continue to monitor this area to ensure that the enumeration chapter focuses on any noted areas of vulnerability.
OIG Contacts and Staff Acknowledgments
Tim Nee, Director, 212-264-5295
Victoria Abril, Audit Manager, 212-264-0504
In addition to those named above:
Denise Molloy, Senior Analyst, 212-264-4215
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-02-07-27021.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Resource Management (ORM). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Resource Management
ORM supports OIG by providing information resource management and systems security. ORM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, ORM is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.