A-07-07-17136 - Alternate Format

OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

ADMINISTRATIVE COSTS CLAIMED
BY THE COLORADO DISABILITY
DETERMINATION SERVICES

April 2008

A-07-07-17136

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: April 14, 2008

To: Nancy A. Berryhill
Regional Commissioner Denver

From: Inspector General

Subject:Administrative Costs Claimed by the Colorado Disability Determination Services (A-07-07-17136)

OBJECTIVE

Our objectives were to evaluate the Colorado Disability Determination Services (CO DDS) internal controls over the accounting and reporting of administrative costs, determine whether costs claimed by the CO-DDS were allowable and properly allocated and funds were properly drawn, and assess limited areas of the general security controls environment. Our audit included the administrative costs claimed by the CO-DDS during Federal Fiscal Years (FY) 2005 and 2006.

BACKGROUND

The Disability Insurance (DI) program, established under Title II of the Social Security Act (Act), provides benefits to wage earners and their families in the event the wage earner becomes disabled. The Supplemental Security Income (SSI) program, established under Title XVI of the Act, provides benefits to financially needy individuals who are aged, blind, and/or disabled.

The Social Security Administration (SSA) is responsible for implementing policies for the development of disability claims under the DI and SSI programs. Disability determinations under both DI and SSI are performed by Disability Determination Services (DDS) in each State, and other responsible jurisdictions. Such determinations are required to be performed in accordance with Federal law and underlying regulations. In carrying out its obligation, each DDS is responsible for determining claimants' disabilities and ensuring that adequate evidence is available to support its

determinations. To assist in making proper disability determinations, each DDS is authorized to purchase medical examinations, x-rays, and laboratory tests on a consultative basis to supplement evidence obtained from the claimants' physicians or other treating sources.

SSA reimburses the DDS for 100 percent of allowable reported expenditures up to its approved funding authorization. The DDS withdraws Federal funds through the Department of the Treasury's (Treasury) Automated Standard Application for Payments (ASAP) system to pay for program expenditures. Funds drawn down must comply with Federal regulations and intergovernmental agreements entered into by Treasury and States under the Cash Management Improvement Act of 1990.

An advance or reimbursement for costs under the program must comply with the Office of Management and Budget's Circular A 87, Cost Principles for State, Local, and Indian Tribal Governments. At the end of each quarter of the FY, each DDS is required to submit a State Agency Report of Obligations for SSA Disability Programs (SSA 4513) to account for program disbursements and unliquidated obligations. The SSA-4513 reports expenditures and unliquidated obligations for personnel service costs, medical costs, indirect costs, and all other nonpersonnel costs.

The Office of Self Sufficiency is the CO-DDS' parent agency. The CO DDS is located in Aurora, Colorado.

RESULTS OF REVIEW

Other than the areas discussed in this report, the CO-DDS had effective controls over the accounting and reporting of administrative costs. Furthermore, the costs it claimed during our audit period were allowable, properly allocated, and funds were properly drawn. However, the majority of the CO-DDS' indirect costs charged to SSA during our audit period were based on a cost allocation plan (CAP) that has not been approved by the Division of Cost Allocation (DCA). Accordingly, the allowability of these indirect

costs are subject to change following approval of the CAP and the methodologies contained therein. We also found excessive funding authority existed during FY's before our audit period that needed to be rescinded. With regard to the CO DDS' general security controls, they do not have an intrusion detection system (IDS) that covers the interior office space, and the security plan does not meet SSA's requirements as it lacks continuity of operations and disaster recovery plans.

INDIRECT COSTS

During our audit period, indirect costs were charged to SSA based on a proposed CAP that has not been approved by DCA. Specifically, $1,736,619 of the $2,698,902 of indirect costs charged to SSA during our audit period were based on the State Fiscal Year (SFY) 2006 proposed CAP that was submitted to DCA, but, as of the date of this report, had not been approved. Although a State can claim reimbursement of indirect costs based on a proposed CAP, the resulting indirect costs charged to a Federal program must be retroactively adjusted if the CAP approved by DCA differs from the proposed CAP. Accordingly, the final allowability of indirect costs charged to SSA during our audit period are subject to change following approval of the SFY 2006 and 2007 CAPs and the methodologies contained therein.

Historically, it takes longer than 2 years from the start of the Colorado Department of Human Services' (CDHS) SFY to the final approval of that SFY's CAP, as shown in the table on the following page. This occurs because CDHS does not submit its SFY CAP to DCA for approval in a timely manner. For example, CDHS did not submit its SFY 2006 CAP to DCA for approval until 27 months after the start of the SFY. Furthermore, a lengthy negotiation process between DCA and CDHS following the submission of the CAP contributes additional time to the CAP approval process. For example, it took DCA 28 months to approve the SFY 2005 CAP once it was submitted by CDHS 8 months after the start of the SFY.

Number of Months Elapsing from the Beginning of the State FY
Until the Submission and Approval of the CAP
State FY CAP Months Elapsing
Submission of CAP Months Elapsing
Approval of CAP
2007 Not submitted Not Approved
2006 27 Not Approved
2005 8 36
2004 19 26
2003 16 28
2002 23 35
2001 20 25
2000 9 26

To determine the reasonableness of indirect costs charged to SSA, we reviewed indirect costs for the period July through September 2006. These costs were claimed based on the allocation methodologies outlined in the proposed SFY 2006 CAP. Therefore, we compared the cost claimed during this period to the allocation methodologies proposed in the SFY 2006 CAP. We found that these costs were charged to SSA in accordance with the cost allocation methodologies outlined in the proposed SFY 2006 CAP.

If the methodology used to allocate indirect costs to SSA as outlined in the SFY 2006 proposed CAP is subsequently approved by DCA in the final SFY 2006 and 2007 CAPs, the indirect costs charged to SSA will remain allowable. However, there is a financial risk to SSA when costs are charged to its programs based on proposed CAPs that have not been approved by DCA. Specifically, it is possible that the negotiation process between CDHS and DCA could result in the approval of a CAP containing a cost allocation methodology that is different than that proposed. If that occurs, the costs charged under a proposed CAP may be over or understated. Accordingly, we recommend SSA work together with CDHS to ensure that indirect costs claimed during the fourth quarter of FY 2005 and all of FY 2006 are in accordance with the applicable CAPs once they are approved by DCA and collect any costs determined to be unallowable.

EXCESS FUNDING AUTHORITY

Our review of ASAP account balances for our audit period (FYs 2005 and 2006), did not identify any excess funding authority. However, we did find that excess funding authorization existed in the CO-DDS' FY 2002 through 2004 ASAP accounts in the amount of $77,659. SSA establishes the CO-DDS' funding authority for each account within the ASAP system. Funds drawn through the ASAP system are restricted solely for program use, and any unused funds are required to be returned to Treasury. SSA should reduce DDS funding authorizations when they are no longer needed to make disability determinations. Rescinding excess funding authorization decreases the risk of funds being spent on expenditures not related to the proper FY. The following chart illustrates excess funding authority by FY and ASAP account number.

FEDERAL FY ASAP
ACCOUNT NUMBER EXCESS FUNDING AUTHORITY
2002 0204CODI02 $2,974
2003 0304CODI00 $38,601
2003 0304CODI02 $5,032
2004 0404CODI02 $31,052
TOTAL $77,659

The Denver Regional Office (RO) was aware that the State had drawn all the funds needed for these FYs and that excess funding authorizations existed. However, the RO stated that it would not reduce excess funding authorization until the CO-DDS submits final SSA-4513s for these FYs, which it has not done. We recommend SSA instruct the CO-DDS to submit a final SSA-4513 for FYs 2002 through 2004 and, upon receipt, rescind the excess funding authorization totaling $77,659.

INTRUSION DETECTION SYSTEM

The CO-DDS did not have an IDS that covered its interior office space and all points of entry. An IDS has not been installed because the CO DDS believed its facility was adequately protected by its key card access system and security guard. SSA instructions state, "An IDS is required in all facilities unless determined unnecessary...." For example, an IDS may not be necessary if the office is located in a building with 24 hour per day guard service and the guard has the ability to adequately monitor the DDS facility. However, the guard service at the CO-DDS did not offer 24 hour per day protection. The security guard was in service only during CO-DDS office hours; therefore, the security guard was not able to continually monitor the DDS' space. Without an IDS, there is an increased risk that unauthorized individuals could gain access during nonworking hours to sensitive SSA information stored within the CO DDS office space. We recommend SSA instruct the CO-DDS to install an IDS that covers its interior office space and all points of entry.

SECURITY PLAN

The CO-DDS security plan did not meet current SSA requirements. Specifically the security plan did not contain continuity of operations (COOP) or disaster recovery plans (DRP) to follow in the event of a disaster impacting CO-DDS operations. SSA instructions state each DDS must establish and maintain a written DDS Security Plan and that the security plan should consist of eight parts including the COOP and DRP. The CO-DDS stated that they were unaware of the current security plan requirements but will develop a COOP and DRP. An incomplete security plan increases the risk that the CO-DDS may not perform critical operations after a disaster. We recommend SSA work with the CO-DDS to ensure a security plan meeting SSA requirements is completed timely.

CONCLUSION AND RECOMMENDATIONS

Other than the areas discussed in this report, the CO-DDS had effective controls over the accounting and reporting of administrative costs. Furthermore, the costs it claimed during our audit period were allowable, properly allocated, and funds were properly drawn. However, the majority of the CO-DDS' indirect costs charged to SSA during our audit period were based on a CAP that has not been approved by DCA. Accordingly, the allowability of these indirect costs are subject to change following approval of the CAP and the methodologies contained therein. We also found excessive funding authority existed during FYs before our audit period that needed to be rescinded. Lastly, the CO DDS did not have an IDS that covers the interior office space, and its security plan did meet SSA's requirements.

We recommend the SSA Regional Commissioner:

1. Work together with CDHS to ensure that indirect costs claimed during the fourth quarter of FY 2005 and all of FY 2006 and are in accordance with the applicable CAPs once they are approved by DCA and collect any costs determined to be unallowable.

2. Instruct the CO-DDS to submit a final SSA-4513 for FYs 2002 through 2004 and upon receipt rescind the excess funding authorization totaling $77,659.

3. Instruct the CO-DDS to install an IDS that covers its interior office space and all points of entry.

4. Work with the CO-DDS to ensure a security plan meeting SSA requirements is completed timely.

OTHER MATTERS

PERSONALLY IDENTIFIABLE INFORMATION

Disability claimants of the CO-DDS have personally identifiable information (PII) routinely disclosed to vendors. The CO-DDS processes over 30,000 disability determinations each FY. During the disability determination process, the CO-DDS purchases services that include medical evidence (consultative examinations and medical evidence of record) and claimant travel. Our review of medical and applicant travel invoices revealed that these documents contained PII including name, address,
date of birth, Social Security number (SSN), and telephone number. Although we have no reason to believe this information has been abused, this practice could potentially result in the accidental disclosure of claimant's PII.

Federal guidance dictates that agencies should reduce their current holdings of all PII to the minimum necessary for the proper performance of a documented agency function. Agencies must also review their use of SSNs in agency systems and programs to identify instances in which collection or use of the SSN is superfluous.

On October 5, 2007, SSA's Office of Disability Determinations informed ROs that DDSs should review their processes to eliminate the use of the SSN on correspondence where possible. The CO-DDS informed us that it has begun removing the SSNs from documents where it is not absolutely necessary.

AGENCY COMMENTS

In commenting on our draft report, SSA and CDHS generally agreed with our recommendations. See Appendices C and D, respectively, for the full text of SSA's and CDHS' comments.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Agency Comments
APPENDIX D - Colorado Department of Human Services' Comments
APPENDIX E - OIG Contacts and Staff Acknowledgments

Appendix A
Acronyms
Act Social Security Act
ASAP Automated Standard Application for Payments
CAP Cost Allocation Plan
CDHS Colorado Department of Human Services
C.F.R. Code of Federal Regulations
CO-DDS Colorado Disability Determination Services
COOP Continuity of Operations Plan
DCA Division of Cost Allocation
DDS Disability Determination Services
DI Disability Insurance
DRP Disaster Recovery Plan
FY Fiscal Year
HHS Department of Health and Human Services
IDS Intrusion Detection System
PII Personally Identifiable Information
POMS Program Operations Manual System
Pub. L. No. Public Law Number
RO Regional Office
SFY State Fiscal Year
SSA Social Security Administration
SSA-4513 State Agency Report of Obligations for SSA Disability Programs
SSI Supplemental Security Income
SSN Social Security Number
Treasury Department of the Treasury
U.S.C. United States Code

Appendix B
Scope and Methodology
SCOPE

To achieve our objective, we:

Reviewed applicable Federal laws and regulations, pertinent parts of the Social Security Administration's (SSA) Program Operations Manual System and other criteria relevant to administrative costs claimed by the Colorado Disability Determination Services (CO-DDS), and the draw down of SSA program appropriations.

Interviewed staff at the Colorado Department of Human Services (CDHS) and the CO-DDS.

Reviewed State policies and procedures related to personnel, medical services, and all other nonpersonnel costs.

Evaluated and tested internal controls regarding accounting, financial reporting, and cash management activities.

Reconciled State accounting records to the administrative costs reported by the CO-DDS on the State Agency Report of Obligations for SSA Disability Programs
(SSA-4513) for Federal Fiscal Years (FY) 2005 through 2006.

Examined specific administrative expenditures (personnel, medical services, and all other nonpersonnel costs) incurred and claimed by the CO-DDS for FYs 2005 and 2006 on the SSA-4513. We used statistical sampling to select expenditures to test for support of the medical service and all other nonpersonnel costs as discussed in the following methodology section of this appendix.

Examined the indirect costs claimed by CO-DDS for FYs 2005 through 2006 and the corresponding cost allocation plan.

Compared the amount of SSA funds drawn for support of program operations to the expenditures reported on the SSA-4513.

Determined whether selected funds from cancelled warrants were properly returned to SSA.

Determined whether unliquidated obligations were properly supported.

Reviewed the CO-DDS' general security controls.

Reviewed Office of Management and Budget guidance related to safeguarding personally identifiable information.

We determined that the data provided by CDHS and CO-DDS used in our audit were sufficiently reliable to achieve our audit objectives. We assessed the reliability of the data by reconciling it with the costs claimed on the SSA-4513. We also conducted detailed audit testing on selected data elements in the electronic data files.

We performed work at CDHS, CO-DDS, and the Kansas City, Missouri, Office of Audit. We conducted fieldwork from March through September 2007. The audit was conducted in accordance with generally accepted government auditing standards.

METHODOLOGY

SAMPLING METHODOLOGY

The sampling methodology encompassed the four general areas of costs reported on the SSA-4513 (1) personnel, (2) medical, (3) indirect, and (4) all other nonpersonnel costs. We obtained a data extract of all costs and the associated invoices for FYs 2005 through 2006 for use in statistical sampling. This was obtained from the accounting systems used in the preparation of the SSA-4513.

Personnel Costs

We randomly selected 1 pay period, the month of April, in FY 2006 for review. We then selected a random sample of 50 regular employees for review and testing of the payroll records. For medical consultant costs we also selected the month of April, in FY 2006, for review. We then selected all 25 medical consultants for review and testing of the payroll records.

Medical Costs

We sampled 100 items (50 items from each of FY 2005 and 2006) using a stratified random sample of medical costs based on the proportion of medical evidence of record and consultative examination costs to the total medical costs claimed.

Indirect Costs

We selected 1 quarter of FY 2006 the most recent quarter to review indirect expenses. We selected indirect costs pools that represented 79 percent of the indirect cost claimed in the selected quarter. We ensured the selected pools were allocated in accordance with the proposed State FY 2006 cost allocation plan. We determined the allocation method was reasonable for the type of expense being allocated.

All Other Nonpersonnel Costs

We sampled 100 items (50 expenditures from FY 2005 and 50 from FY 2006) using a stratified random sample. The random sample was based on the proportion of costs in each of the cost categories to the total costs claimed.

Appendix C
Agency Comments

MEMORANDUM

Date: March 28, 2008

To: Patrick P. O'Carroll, Jr.
Inspector General

From: Nancy Berryhill
Denver Regional Commissioner

Subject: Administrative Costs Claimed by the Colorado Disability Determination Services (A-07-07-17136)--REPLY

Thank you for the opportunity to review the draft report of the 2007 audit of the Colorado Disability Determination Services (CO DDS). Essentially, the audit found that the CO DDS had effective controls over the accounting and reporting of administrative costs, and that costs claimed during the audit period were allowable and properly allocated and funds were properly drawn. However, there were four areas where recommendations have been made requiring SSA actions. Our assessment of these findings and recommendations, along with our response, is outlined below.

Indirect Costs: At the time of the 2007 audit, the State Fiscal Year 2006 Cost Allocation Plan (CAP) had been submitted to HHS Division of Cost Accounting (DCA), but had not been approved. It was noted that the Colorado Department of Human Services (CDHS) has not submitted timely CAPs and the negotiation process between CDHS and DCA can be lengthy. We concur with this finding. In our meetings with DCA it has been noted that state agencies have no incentive to submit plans timely, and the process for deferring payment because the CAP is out of date is too cumbersome to be an effective tool. We appreciate the analysis you provided of the reasonableness of indirect costs charged in 2006. As DCA provides us with copies of the approved CAP (or the modifications to the new CAP), we will be alert to changes that can retroactively impact costs claimed. In addition, we continue to work with CDHS regarding the need for timely submission of the plan.

Excess Funding Authority: Review of the Automated Standard Application for Payments (ASAP) account balances did not identify any excess funding authority but it did find excess account balances existed in ASAP for FY 2002 through FY 2005, totaling $77,659. We are aware that account balances may exist for extended periods after the close of the fiscal year, as the DDS has five years from the end of the fiscal year during which they may continue to submit expenses. Additionally, the regional office staff has no direct access to ASAP and cannot take action to rescind excess funding authorizations. However, as recommended, we did request CO DDS (and all DDSs in our region) to submit final SSA-4513s for FY 2002 through 2006 and final allowance advices have been issued. Rescission of excess funding authorization has been deferred to central office staff.

Intrusion Detection System (IDS): The CO DDS does not have an IDS that covers interior office space and all points of entry. We have asked the DDS to correct this security issue and will be working with them to obtain funding to cover the costs.

Security Plan: The CO DDS Security Plan did not meet current SSA requirements as it was missing a Continuity of Operation Plan (COOP) and Disaster Recovery Plan (DRP). We have provided the DDS with essential contact information and other suggestions on content for these plans, and will continue to work with them to achieve timely development of these documents.

Although not one of the findings of the audit, the issue of Personally Identifiable Information (PII) was raised. As this is an issue of great concern to this Agency, we have monitored all the DDSs in this region with regard to their use of PII. The CO DDS has eliminated the use of PII in all correspondence, except requests to medical sources or CE providers, where use of some PII information remains necessary. We continue to work with our DDSs and as an agency to protect PII and eliminate use of SSN or other such data where it is not required.

If you wish to discuss our comments, please contact me. Staff may contact Elaine Rametta, Acting Deputy Director of the Center for Disability, at 303 844-4375 or via email at Elaine.rametta@ssa.gov.

Nancy Berryhill

Appendix D
Colorado Department of Human Services' Comments

Appendix E
OIG Contacts and Staff Acknowledgments
OIG Contacts
Mark Bailey, Director, Kansas City Audit Division, (816) 936-5591
Ken Bennett, Information Technology Specialist, (816) 936-5593
Acknowledgments
In addition to those named above:
Doug Kelly, Auditor-in-Charge

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-07-07-17136.

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Chief Counsel to the Inspector General (OCCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG's media and public information policies, directs OIG's external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG's strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.