THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
CLAIMED BY THE
We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.
Date: September 21, 2004
To: James F. Martin
Regional Commissioner Chicago
From: Assistant Inspector General for Audit
Subject: Administrative Costs Claimed by the Minnesota Disability Determination
The objectives of our audit were to (1) evaluate Minnesota Disability Determination
Services' (MN-DDS) internal controls over the accounting and reporting of administrative
costs, (2) determine whether costs claimed were allowable and properly allocated
and funds were properly drawn, and (3) assess limited areas of the electronic
data processing general controls environment.
Disability determinations under both Disability Insurance and Supplemental Security Income are performed by Disability Determination Services (DDS) in each State or other responsible jurisdictions. Such determinations are required to be performed in accordance with Federal law and underlying regulations. In carrying out its obligation, each DDS is responsible for determining claimants' disabilities and ensuring that adequate evidence is available to support its determinations.
SSA reimburses the DDS for 100 percent of allowable program expenditures up to the limit of its funding authority. The DDS draws Federal funds through the Department of the Treasury's (Treasury) Automated Standard Application for Payments (ASAP) system in accordance with Federal Regulations and an intergovernmental agreement entered into by Treasury and the State of Minnesota under the Cash Management Improvement Act (CMIA).
The MN-DDS submits a State Agency Report of Obligations for SSA Disability Programs (Form SSA-4513) to SSA quarterly, for each Federal Fiscal Year (FY). These forms report cumulative disbursements of program funds and the remaining balance of unliquidated obligations.
The Minnesota Department of Employment and Economic Development (DEED) is the parent agency for the MN-DDS, which is located in St. Paul, Minnesota. See Appendix B for our Scope and Methodology.
RESULTS OF REVIEW
Generally, the MN-DDS had effective internal controls over the accounting and reporting of administrative costs and the costs it claimed during our audit period were allowable. However, improvements were needed in the areas of cash management and general security controls.
Funds to cover MN-DDS expenditures are drawn from the ASAP system. For each FY, the MN-DDS is assigned an account identification number in ASAP. Cash draws made from the account identification number are to reimburse MN-DDS for expenditures incurred during the same period as the account identification number's FY reporting period.
We found that the MN-DDS's former parent agency, Department of Economic Security (DES), drew funds from one FY's ASAP account to pay for another FY's expenditures. Specifically, DES:
Drew funds from the FY 2001 ASAP account to pay FY 2002 expenditures. This
caused cash draws for FY 2001 to exceed expenditures by $131,295, during the
quarter ended December 31, 2001. The incorrect cash draws were subsequently
corrected in the ASAP system.
Drew funds from the FY 2002 ASAP account to pay FY 2003 expenditures. This caused FY 2002 cash draws to exceed expenditures by $106,457, during the quarter ended December 31, 2002. The incorrect cash draws were subsequently corrected in the ASAP system.
Federal statute states, "The balance of an appropriation or fund limited for obligation to a definite period is available only for payment of expenses properly incurred during the period of availability or to complete contracts properly made within that period of availability and obligated consistent with section 1501 of this title."
We did not review the cash draw procedures of the MN-DDS's new parent agency, DEED. However, SSA should ensure that the MN-DDS and DEED are aware of the correct cash draw procedures for Federal funds.
Our assessment of limited areas of the electronic data processing general controls environment disclosed that the MN-DDS needs to finalize the development of and implement its contingency plan. Furthermore, the MN-DDS needs to identify and use an offsite storage facility for its electronic data backup files. The MN-DDS also needs to perform a risk assessment of its facility to determine if an intrusion detection system is needed to properly secure the DDS's office space and if perimeter security is needed at the secondary entrance door.
The MN-DDS did not have a contingency plan to follow in the event of a disaster that impacts DDS operations. SSA instructions state, "Events may occur which will prevent normal operations and interfere with the accomplishment of the mission of the DDS. Because of this, each office must prepare a contingency plan." The MN-DDS stated that a contingency plan is under development. The delay in implementing the contingency plan could result in a longer recovery period following a catastrophic event. The implementation of a contingency plan should be a priority for the MN-DDS.
Electronic Data Processing Backup Files
Data from the MN-DDS's Electronic Data Processing (EDP) systems is backed up
daily and the files were stored in a fire-proof vault at the MN-DDS. However,
DDS Security guidelines recommend that a copy of backup data files be stored
at an offsite location.
The MN-DDS stated that it plans to identify an offsite storage location. Until it does so, there is a risk that the data files may be destroyed or be inaccessible under certain situations. The identification of an offsite data storage facility should be a priority for the MN-DDS.
Intrusion Detection System
The MN-DDS did not have an Intrusion Detection System (IDS). DDS Security guidelines state, "An intrusion detection system is required in all facilities unless determined unnecessary (For example, office is located in a Government building with 24-hour/day-guard service, and the guard has the ability to adequately monitor the DDS facility)." MN-DDS did not have an IDS because it believes the facilities are adequately protected by the 24-hour guard stationed in the first floor lobby. However, the guard may not be able to adequately monitor the MN-DDS's space, since he/she is located in the building's lobby. Furthermore, the MN-DDS is located in private office space that is accessible to the general public. Accordingly, there is an increased risk that unauthorized individuals could gain access to the MN-DDS's office space during non-working hours and access the sensitive SSA information stored therein.
Secondary Entrance Door
One of the MN-DDS's hallway entrance doors does not have a perimeter security measure, such as a peephole, security window or camera. The DDS Security guidelines state that " perimeter doors should have peepholes if visibility is restricted." Although the MN-DDS has a camera to monitor the hallway near the office's main entranceway, the secondary entrance door is too far from the camera to be adequately observed. The lack of a perimeter security measure prevents the MN-DDS staff from seeing who is outside the door before it is opened and increases the risk of entry by an unauthorized individual.
CONCLUSIONS AND RECOMMENDATIONS
Generally, the MN-DDS had effective internal controls over the accounting and reporting of administrative costs and the costs it claimed during our audit period were allowable. However, improvements were needed in the areas of cash management and general security controls. Accordingly, we recommend that SSA instruct the MN-DDS and DEED to:
1. Ensure that funds drawn from a FY ASAP account identification number are used only to pay expenditures incurred during the same period as the account identification numbers FY reporting period.
2. Develop and implement a contingency plan that is in accordance with SSA instructions.
3. Identify an offsite electronic data storage facility.
4. Perform a risk assessment to determine if an IDS is needed to properly secure the DDS's office space as outlined in the DDS Security Document.
5. Perform a risk assessment to determine if a perimeter security measure is needed for the secondary entrance door, for example a peephole, security window or camera as outlined in the DDS Security Document.
In commenting on our draft report, SSA agreed with our recommendations. See Appendix C for the full text of SSA's comments.
DEED did not agree with our recommendations that a risk assessment be performed to determine if an IDS is needed to properly secure the MN-DDS's office space and if perimeter security is needed at the secondary entrance door. DEED stated that the MN-DDS's current security measures, camera monitoring and recording and on-site building security guards, meet the intent of SSA's physical security guidelines as outlined in the DDS Security Document. DEED further stated that staffing issues affect the feasibility of an IDS. See Appendix D for the full text of DEED's comments.
We remain committed to our recommendations. While we acknowledge DEED's comments on its current physical security measures, the MN-DDS is not in compliance with SSA's guidelines for DDS physical security. Specifically, SSA's physical security guidelines specify that an IDS is required in all DDS facilities unless determined unnecessary and that perimeter doors should have peepholes if visibility is restricted. When a DDS is unable to meet the physical security guidelines, SSA requires a risk assessment to be performed and included in its overall DDS Security Plan. The risk assessment should include specific elements, such as a description of the risk associated with not implementing a physical security guideline.
Steven L. Schaeffer
Appendix A - Acronyms
Appendix B - Scope and Sampling Methodology
Appendix C - Agency Comments
Appendix D - DEED Comments
Appendix E - OIG Contacts and Staff Acknowledgments
ASAP Automated Standard Application for Payments
C.F.R. Code of Federal Regulations
CMIA Cash Management Improvement Act
DEED Minnesota Department of Employment & Economic Development
DES Department of Economic Security
DDS Disability Determination Services
DoF Department of Finance
EDP Electronic Data Processing
FY Fiscal Year
IDS Intrusion Detection System
MN-DDS Minnesota Disability Determination Services
POMS Program Operations Manual System
SESAS State Employment Security Agency System
SSA Social Security Administration
SSA-4513 State Agency Report of Obligations for SSA Disability Programs
Treasury Department of the Treasury
U.S.C. United States Code
Scope and Sampling Methodology
To achieve our objectives, we:
Reviewed applicable Federal law and regulations, pertinent parts of Social Security Administration (SSA)'s Program Operations Manual System (POMS) and other criteria relevant to administrative costs claimed by Minnesota Disability Determination Services (MN-DDS) and drawdowns of SSA program grant funds.
Reviewed reports issued by the Minnesota Office of the Legislative Auditor. These reports presented the results of audits of the Minnesota Department of Economic Security (DES) and the State Department of Finance (DOF). The DES was the parent agency for MN-DDS during our audit period. The Minnesota Department of Employment and Economic Development (DEED) took over the parent agency role as a result of a State re-organization in 2003. The DOF is responsible for maintaining the financial and information systems used by the State agencies.
Interviewed staff and officials at MN-DDS, DEED, and SSA Chicago Regional Office.
Reviewed State policies and procedures related to personnel, medical services, and all other nonpersonnel costs.
Evaluated and tested internal controls regarding accounting, financial reporting and cash management activities.
Reconciled State accounting records to the administrative costs reported by MN-DDS on the State Agency Report of Obligations for SSA Disability Programs (Form SSA-4513) for Federal Fiscal Years (FY) 2001 and 2002.
Reviewed the administrative costs MN-DDS reported on its Forms SSA 4513 for FYs 2001 ($17,539,394) and 2002 ($18,727,156).
Examined certain administrative expenditures (personnel, medical service, and all other nonpersonnel costs) incurred and claimed by MN-DDS for FYs 2001 through 2002 on the Form SSA-4513. We used statistical sampling to select expenditures to test for support of the medical service and all other nonpersonnel costs.
Examined the indirect costs claimed by MN-DDS for FYs 2001 and 2002.
Discussed indirect costs with the cognizant agency for Minnesota, the U.S. Department of Labor.
Compared the amount of SSA funds drawn for support of program operations to the expenditures reported on the Form SSA-4513.
Reviewed MN-DDS electronic data processing general controls and physical security at their Metro Square complex offices in St. Paul, Minnesota.
We concluded that the electronic data used in our audit was sufficiently reliable to achieve our audit objectives. We assessed the reliability of the electronic data by reconciling it with the costs claimed on the Form SSA-4513. We also conducted detailed audit testing on selected data elements from the electronic files.
We performed work at the MN-DDS and DEED in St. Paul, Minnesota and the Office
of Audit in Chicago, Illinois. We conducted field work from October 2003 through
May 2004. The audit was conducted in accordance with generally accepted government
Our sampling methodology encompassed the four general areas of costs as reported on Form SSA-4513 (1) personnel, (2) medical, (3) indirect, and (4) all other nonpersonnel costs. We obtained data extracts from DEED for FYs 2001 and 2002 to use in statistical sampling. Additionally, we randomly selected a month from the 2 year audit period and reviewed supporting documents for all Medical Consultants under contract to MN-DDS. We also randomly selected one month from the audit period and reviewed all Non-DDS Personnel Costs claimed as electronic data processing (EDP) Maintenance and Miscellaneous Costs on the SSA-4513.
We randomly selected one pay period (April 2002) in the most recent year under review. We then selected a random sample of 50 employees for review and testing of the payroll records.
For medical consultant costs, we randomly selected one pay period (March 2002) from the most recent year under review. We selected all medical consultants during that time period and verified that the medical consultants were paid in accordance with the approved contract.
We stratified medical costs into medical evidence of record and consultative examinations, and selected a stratified random sample of 100 items (25 items from each stratum in FYs 2001 and 2002).
We determined that the State Wide Indirect Cost Allocation to the parent agency (DES) was performed using a Fixed Basis Cost Allocation Agreement approved by the cognizant Federal agency (U.S. Department of Health & Human Services). The amount allocated to each State department and agency was based on estimated central service costs. In a subsequent fiscal year, the cognizant agency compared the actual costs for that year with the estimated costs and adjusted the future year rate to compensate for the difference. The Cost Allocation Agreement states that costs allocated to the State departments and agencies under the agreement are approved for further allocation to Federal grants, contracts and other agreements performed at those departments and agencies. We reviewed the State-Wide Allocation for the randomly-selected month of May 2001, to verify that the State used the approved fixed amount to allocate central service costs to the DES.
We determined that DES used the State Employment Security Agency System (SESAS) cost accounting system software, originally developed for the U.S. Department Of Labor - Employment and Training Assistance division, to allocate costs to all of its components. This software takes all parent agency administrative costs that cannot be directly charged to a specific cost center and allocates these costs to all organizational components of the agency, based on the relative percentage of full-time equivalents. The allocation includes the parent agency's share of the State-Wide Indirect Cost Allocation. We reviewed the allocation of DES indirect costs in the randomly-selected month of April 2002, to verify that the SESAS software allocated the appropriate percentage of these costs to the MN-DDS.
All Other Nonpersonnel Costs
We separated Occupancy Costs from All Other Nonpersonnel Costs and treated them as a separate population. We randomly selected one month of Occupancy Costs from FYs 2001 and 2002 for our review.
We stratified All Other Nonpersonnel costs into nine cost categories: (1) Contracted Costs; (2) EDP Maintenance; (3) Equipment Rental ; (4) Equipment Purchases, (5) Communications Costs; (6) Applicant Travel; (7) DDS Personnel Travel; (8) Supplies and (9) Miscellaneous Costs. We then extracted certain debit transactions from the EDP Maintenance and Miscellaneous Costs categories that represented charges for non-DDS Personnel. From the remainder of All Other Nonpersonnel costs, we selected a stratified random sample of 50 items from each FY based on the percentage of costs in each category to total costs (excluding occupancy).
From: Jamison, Jim
Sent: Tuesday, September 14, 2004 9:54 AM
To: Schaeffer, Steve
Cc: Jamison, Jim; ||CHI ARC MOS; ||CHI ARC MOS CD; ||CHI ARC MOS CMR; ||CHI ORC; ||CHI OIG Audit; ^DCDISP Audit; ^DCFAM AMLS Controls; ^DCO Audit; McMullen, Theresa; Kalmoe, Dean; Wise, Ray; Roers, Wally; Moskop, Mark
Subject: Comments on Draft Report -- Minnesota DDS Administrative Costs Audit
September 14, 2004
To: Assistant Inspector General for Audit
From: Regional Commissioner Chicago
Subject: Draft Report of Administrative Costs Claimed by the Minnesota Bureau of Disability Determination Services (Your Request for Comments E-Mailed August 30, 2004) -- REPLY
Thank-you for the opportunity to comment on the subject report (A-05-04-14036).
We appreciate the efforts of your staff in conducting such a comprehensive review of DDS activities. We have completed our review and concur with all five of your staff's findings.
Questions about this memorandum may be directed to Jim Jamison, Financial Management Team Leader, at 312.575.4212.
James F. Martin
September 13, 2004
To: Steven L. Schaeffer, Assistant Inspector General for Audit, SSA
Mark Bailey, Director, Central Audit Division, SSA
From: Dennis Yecke, Deputy Commissioner, DEED
Re: OIG Federal Audit; A-05-04-14036 (08/30/04)
Dear Mr. Schaeffer:
The following is our written comments to your recommendations in the draft report Administrative Costs Claimed by the Minnesota Disability Determination Services (A-05-04-14036).
Recommendation 1. Ensure that funds drawn from a FY ASAP account identification number are used only to pay expenditures incurred during the same period as the account identification numbers FY reporting period.
We agree. We will draw funds from the appropriate year.
Recommendation 2. Develop and implement a contingency plan that is in accordance
with SSA instructions.
We agree. The State of Minnesota has directed all state departments to use business continuation plan software known as LDRPS. The DDS is actively working with the department at this time on completion of an LDRPS plan. Printed reports generated from a completed LDRPS plan will fit all of the requirements noted in the referenced POMS section, DI 39566.050. Since some of the document entry into the LDRPS database is contingent on assistance from Parent Agency security employees, the DDS will need to continue working with the Parent Agency toward completion of the LDRPS generated plan. The plan is scheduled to be completed by December 31, 2004.
Recommendation 3. Identify an offsite electronic data storage facility.
We agree. Starting in September 2004, daily backup tapes will be stored at a separate, offsite, location of the Parent Agency.
Recommendation 4. Perform a risk assessment to determine if an intrusion detection system is needed to properly secure the DDS's office space as outlined in the DDS Security Document.
We disagree. It is our contention that the current security measures
Steven L. Schaeffer
September 13, 2004
once augmented with the additional cameras that have been requested (the request is still pending at SSA) adequately meet the intent of the referenced DDS Security Document and that an additional risk assessment is not necessary.
The MN DDS has an electronic locking system in place for all entrance and exits to the DDS. Entry using an access coded card is electronically recorded into a WIN-PAK database. During the duration of the audit, DDS upgraded its security to include 10 color video cameras which record to a one terabyte caliber (installed in late February, 2004). Each entry and emergency exit has at least one camera which records a picture every two seconds. We currently have a request pending at SSA to increase the number of cameras to allow coverage of other sensitive areas of the office such as the electrical closet, the AS/400 room, the phone closet and the server room. Upon approval, additional cameras will be installed and added to the caliber.
Various staffing issues affect the feasibility of an intrusion detection alarm. At various times, our system's employees need to access the work space during non-working hours (computer maintenance). Adjudicators work an abundant amount of overtime throughout the year, when approved by the Regional Office. An intrusion detection alarm would create a new issue for our landlord which is not currently addressed in our lease.
In view of our camera monitoring and recording, on-site building security guards 24/7 and personnel issues, we assert that our current security measures adequately meet the intent of the referenced DDS Security Document.
Recommendation 5. Perform a risk assessment to determine if a perimeter security measure is needed for the secondary entrance door, for example a peephole, security window or camera as outlined in the DDS Security Document.
Please see reply for #4.
Dennis J. Yecke
cc: Matt Kramer
OIG Contacts and Staff Acknowledgments
Mark Bailey, Director, Central Audit Division, (816) 936-5591
Teresa Williams, Audit Manager, (312) 353-0331
In addition to those named above:
Robert Lenz, Senior Auditor
Anthony Lesniak, Auditor
Ken Bennett, Information Technology Specialist
Cheryl Robinson, Writer-Editor
For additional copies of this report, please visit our web site at www.ssa.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-05-04-14036.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Executive Operations
OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.