OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION'S
CONSULTING SERVICES CONTRACT FOR THE
TIME ALLOCATION SYSTEM

August 2008

A-14-08-18020

AUDIT REPORT



Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: August 5, 2008

To: The Commissioner

From: Inspector General

Subject: The Social Security Administration's Consulting Services Contract for the Time Allocation System (A-14-08-18020)

OBJECTIVE

The objectives of our audit were to determine whether APA, Incorporated, doing business as DecisionPath Consulting (DecisionPath), adhered to the negotiated contract terms, and whether Social Security Administration (SSA) personnel properly monitored the contract. The contract supports development of SSA's Time Allocation System (TAS). We reviewed the Agency's administrative controls and oversight of DecisionPath's work in support of TAS. We did not complete an audit of the overall TAS project. As with our other contract administration audits, we will continue to monitor the status of the contract and, if warranted, we will conduct an additional review on the TAS project at a later date.

BACKGROUND

SSA provides services to the Nation through a network of community-based offices, central processing facilities, associated State agencies, telephone centers, and its web site. TAS is designed to automatically capture time employees spend on various Agency workloads. The time is captured from the many systems that SSA employees use. These transaction data are processed with SSA payroll data, and based on defined business rules, the resulting data are allocated to workload categories. The Agency developed, and continues to enhance, TAS to improve the way workload data are captured for such purposes as determining resource requirements and measuring productivity. (See Appendix B for further details.)

SSA entered into two blanket purchase agreements (BPA) with DecisionPath to perform contract work for TAS under General Services Administration (GSA) Schedule contract number GS-35F-0300J. DecisionPath was expected to provide all necessary program management, project management, data warehousing, systems engineering and integration, and business intelligence expertise required to assist SSA in developing and deploying TAS.

Based on the two BPAs, the total volume of purchases from DecisionPath for TAS and TAS-related work is anticipated to be $29 million. SSA originally estimated the total TAS costs to be approximately $20 million. DecisionPath is one of three contractors engaged in implementing TAS. The total DecisionPath costs as of January 2008 were approximately $18.46 million.

RESULTS OF REVIEW

Based on Federal regulations, DecisionPath generally adhered to the negotiated contract terms to develop TAS and maintained adequate timekeeping records to support the employee hours billed (see Appendix C for the results of our tests of invoices and SSA's systems access controls). We found that SSA had controls in place for the administration, oversight and accountability of the contract, including the following.

Agency systems access by contractors expires after 1 year.
Contractor personnel must certify annually that they understand SSA's security, confidentiality and ethics requirements.
DecisionPath submitted monthly technical reports and held regular planning and status meetings with SSA staff.

We identified the following areas where contract management should be improved.

DecisionPath employees no longer working on the contract could still have badges that authorized access to SSA facilities.
Contract employees' working status with SSA was not accurately reflected in suitability records.
The new project officer and an alternate should be named in contract documents.

Near the end of our review, we shared our findings and recommendations with SSA employees responsible for managing the contract. SSA's contracting, program, facilities management and suitability offices have taken steps to address most of the issues we identified.

DecisionPath Employees No Longer Working on the Contract Could Still Access SSA Facilities

The temporary badges assigned to DecisionPath employees improperly had a "not-to-exceed date" that extended beyond the end of the contract period, and it extended more than 1 year from the issuance of the badges. Also, records maintained in the badging office only reflected one DecisionPath badge as returned when at least 11 employees who were issued badges no longer worked on the contract. Therefore, contract employees who were no longer working on the contract could still have had access to SSA facilities.

SSA policy in place during our review stated that contractor badges should have a "not-to-exceed date" of 1 year or the end of the contract, whichever is sooner. However, SSA employees improperly issued badges to DecisionPath employees to coincide with the 5-year life-cycle of a Homeland Security Presidential Directive (HSPD) 12 credential, even though they were not issued HSPD-12 badges.

Separated employees and contractors should return access badges to SSA management for destruction or revocation. SSA needs to ensure staffs who issue contractor badges follow current policy for expiration dates for contractors and that project officers ensure badges no longer needed by contract personnel are properly retrieved and destroyed.

Contract Employees' Working Status with SSA Was Not Accurately Reflected in Suitability Records

A number of DecisionPath employees who had either left DecisionPath or no longer worked on the contract were still being reported as active in SSA's suitability records. Additionally, the Agency's suitability records reflected only one DecisionPath employee as suitable to work under the current contract, SS00-06-40018, although they had been cleared for the same work on the BPA that was closed, SS00-04-40019. The lack of current suitability records diminishes the reliability of the Agency system that documents a contractor's authorization to work on an SSA contract award.

The suitability clause in the contract requires that personnel performing on the contract who either leave the company or are removed from the project notify the Agency's Protective Security Officer immediately. Suitability records should then reflect when contractor staff are no longer active on the contract. Additionally, the suitability records should reflect the contract number employees are cleared to work under.

The suitability records were not up-to-date because it is likely the suitability staff was not receiving information about the separated or retired contractor staff no longer working on the contract. SSA should ensure contractors notify the Protective Security Officer immediately when employees either leave the company or are removed from the project to ensure contractor staffs are correctly recorded in the suitability files. Also, the Agency should work to ensure its suitability documentation is current concerning which contracts an employee is cleared to work under.

The New Project Officer and an Alternate Should be Named in Contract Documents

In 2007, a new SSA project officer was assigned to the TAS contract. However, the former project officer, who had retired, was still named in the DecisionPath contract documents we reviewed. Additionally, no alternate had been named. As a result, SSA did not have someone officially designated in the contract documents as a project officer or a back-up to represent the contracting officer in his/her absence in the technical phases of the contract.

It is SSA practice to assign a project officer and an alternate on every contract. After we informed contract officials of this oversight, they named the new project officer and an alternate in the contract.

CONCLUSION AND RECOMMENDATIONS

DecisionPath generally adhered to the negotiated contract terms for the development of TAS, provided the Agency with technical progress reports and maintained adequate timekeeping records to support the employee hours billed. SSA had controls in place; however, there were areas where improvements could be made. These areas included (1) employees no longer working on the contract could still have had badges authorizing access to SSA facilities, (2) contract employees' working status with SSA was not accurately reflected in the suitability records, and (3) a new project officer and an alternate were not named in contract documents.

We therefore recommend that SSA:

1. Ensure staffs who issue contractor badges follow policy for expiration dates for contractors.
2. Ensure contractors return badges no longer needed by contract personnel to SSA management for disposal.
3. Ensure contract employees' working status is accurately recorded in the suitability files.
4. Ensure all current and future contracts reflect the current project officer and an alternate.

AGENCY COMMENTS

SSA agreed with all of our recommendations. SSA's comments are included in Appendix D.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Background
APPENDIX C - Scope, Methodology and Test Results
APPENDIX D - Agency Comments
APPENDIX E - OIG Contacts and Staff Acknowledgments

Appendix A
Acronyms

BPA Blanket Purchase Agreement
DecisionPath APA, Incorporated, doing business as DecisionPath Consulting
GSA General Services Administration
HSPD Homeland Security Presidential Directive
MRM Materiel Resources Manual
OIG Office of the Inspector General
SSA Social Security Administration
SUMS/MCAS Social Security Administration Unified Measurement and Managerial Cost Accountability Systems
TAS Time Allocation System

Appendix B
Background

Time Allocation System

The July 31, 2003 Time Allocation System (TAS) Vision and Scope Statement serves as the foundation for the project and states the following.

This system will provide comprehensive management and financial information essential to the sound management of the Agency and its programs and workloads. Time allocation systems are necessary to measure or apportion the work time (e.g., work hours) worked by SSA employees among the various activities they perform, programs they support, and organizations in which they work. This information is used for such purposes as: cost allocation and analysis; budget formulation, justification and execution; staffing allocation methodologies; and productivity measurement systems.

Business objectives and success criteria cited in the 2003 TAS Vision Statement are to

provide time allocation measures that are valid for on-going workloads and tasks at the local office level, module and branch levels at a 95-percent confidence level;

develop and implement an integrated system that will allocate work time usage information among organizations and workload activities consistently in all components; and

automate the collection of data to the extent possible and support any remaining reporting by automated collection systems.

The TAS project supports the Social Security Administration Unified Measurement and Managerial Cost Accountability Systems (SUMS/MCAS). The SUMS/MCAS vision is to capture, count and measure all work consistently, regardless of where the work is performed. This includes direct workloads as well as indirect support and measurable staff work. MCAS is expected to satisfy Government-wide cost accountability regulations, provide full costs for SSA programs and support strategic decision-making. Before SUMS/MCAS, there were many sources of management information that were not easily reconciled. With SUMS/MCAS, there will be one uniform, consistent source of information.

Appendix C
Scope, Methodology and Test Results
We conducted our audit between August 2007and May 2008 in Baltimore and Gaithersburg, Maryland. We reviewed the Agency's administrative controls and oversight of DecisionPath's work in support of the Time Allocation System (TAS). As with other contract administration audits we conduct, we will continue to monitor the status of the contract and, if warranted, we will conduct an additional review of the TAS project at a later date.

The principal entities audited were the Social Security Administration's (SSA) Offices of Acquisition and Grants (the contracting office) and Earnings, Enumeration and Administrative Systems (the program office). We also reviewed records and interviewed staff in the Agency's Offices of Budget, Finance and Management, and Operations.

We conducted our audit in accordance with generally accepted government auditing standards. We planned and performed the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. To meet our objectives, we

reviewed applicable Federal laws and regulations and applicable SSA policies and procedures;
reviewed the General Services Administration (GSA) Schedule Contract Number GS-35F-0300J and the two SSA Blanket Purchase Agreements (BPA) against the GSA contract, SS00-06-40018 and SS00-04-40019;
interviewed Agency and APA, Incorporated, doing business as DecisionPath Consulting (DecisionPath), staffs;
visited DecisionPath Consulting headquarters in Gaithersburg, Maryland;
tested a sample of invoices;
reviewed the contractor's monthly status reports;
reviewed the Agency systems access request forms and systems security records;
reviewed Agency contractor suitability records;
reviewed SSA-owned laptops assigned to DecisionPath employees; and
reviewed records from the SSA badging office.

Further, except for the issues noted in the findings, we determined the Agency's data related to invoices and contractor badging and suitability records pertaining to DecisionPath staff were sufficiently reliable given the audit objective and intended use of the data and should not lead to incorrect or unintentional conclusions.

Testing Methodology and Results

Sample 1 - Test of Invoices

For the two BPAs with DecisionPath for the development of TAS, we selected for review the highest dollar invoice from each purchase call. To perform our review, we obtained employee timesheets from DecisionPath for the periods indicated on the invoices. We found that DecisionPath had adequate timekeeping records to support all the hours billed.

For BPA SS00 04 40019, there were seven purchase calls, and for BPA
SS00-06-40018, there were three purchase calls. For BPA SS00-04-40019, there were invoices submitted and paid totaling $10.9 million associated with the seven purchase calls. We tested $1.5 million of the $10.9 million as shown in Table 1.

Table 1: Invoices Selected Under Blanket Purchase Agreement SS00-04-40019
Call
Number
Invoice Number
Invoice
Amount Was Invoice Adequately Supported?
Call 0001 2023-5 $317,082.18 Yes
Call 0002 2024-4 $62,207.00 Yes
Call 0003 2025-6 $103,384.00 Yes
Call 0004 2026-4 $157,284.85 Yes
Call 0005 2027-5 $312,498.12 Yes
Call 0006 2028-9 $499,646.67 Yes
Call 0007 2031-2 $41,376.30 Yes
Total $1,493,479.12

Under the second BPA SS00-06-40018, there were invoices submitted and paid through July 23, 2007 totaling $3.9 million, associated with the three purchase calls. We tested $0.8 million of the $3.9 million as shown in Table 2 on page C-3.

Table 2: Invoices Selected Under Blanket Purchase Agreement SS00-06-40018
Call
Number Invoice Number Invoice Amount Was Invoice Adequately Supported?
Call 0001 2033-2 $482,688.04 Yes
Call 0002 2035-3 $48,708.30 Yes
Call 0003 2033-003-1 $230,822.92 Yes
Total $762,219.26

The invoice periods ranged from May 2004 through July 2007.

Sample 2 - Test of Systems Access Controls

We reviewed the Agency's security controls over all 33 DecisionPath staff who were granted access to SSA's systems from the beginning of the contract through
August 3, 2007.

Specifically, we determined whether:

1. Approved Application for Access to SSA Systems (SSA -120) forms were on file.
2. Approved High Assurance (Virtual Private Network) Access Forms were on file, as appropriate.
3. Signed Contractor Personnel Security Certification(s) were on file.
4. Evidence of suitability determinations for contract employees were in SSA's records.

We found that the required SSA security forms were prepared and signed for the DecisionPath staff who were granted access to SSA systems. Additionally, we found the Agency's Suitability Office had determined the DecisionPath employees suitable who (1) had access to programmatic and sensitive information and (2) worked on-site at SSA.

Finally, we looked at security systems records to determine the level of access actually granted to DecisionPath employees. We found that the DecisionPath staff was granted the approved levels necessary to perform tasks under the TAS contract.

Appendix D
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date: July 25, 2008

To: Patrick P. O'Carroll, Jr.
Inspector General

From: David V. Foster /s/
Executive Counselor to the Commissioner

Subject: Office of the Inspector General (OIG) Draft Report, "The Social Security Administration's Consulting Services Contract for the Time Allocation System" (A-14-08-18020)--INFORMATION

We appreciate OIG's efforts in conducting this review. Attached is our response to the recommendations.

Please let me know if we can be of further assistance. Your staff may direct staff inquiries to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S (OIG) DRAFT REPORT, "THE SOCIAL SECURITY ADMINISTRATION'S CONSULTING SERVICES CONTRACT FOR THE TIME ALLOCATION SYSTEM" (A-14-08-18020)

Thank you for the opportunity to review and provide comments on this draft report.

Recommendation 1

Ensure staffs who issue contractor badges follow policy for expiration dates for contractors.
Comment

We agree. We will ensure staff that issue contractor badges follow policy regarding the expiration dates.

Recommendation 2

Ensure contractors return badges no longer needed by contract personnel to management for disposal.
Comment

We agree. We will ensure contractor badges are returned for disposal once the badge is no longer needed by the contractor. When contractor personnel performing under this contract leave the company, are removed from the project, or are arrested and charged with a crime during the term of this contract, the contractor shall notify our Protective Security Officer immediately. The notification must include the name of the contractor personnel and their
Social Security number. If the contractor personnel was arrested and charged with a crime, the notification must also include the type of charge(s), the court date, and, if available, the disposition of the charges(s).

Recommendation 3

Ensure contract employees' working status is accurately recorded in the suitability files.
Comment

We agree. We conduct background investigations on contractor employees and maintain a database that contains data on these individuals. We will remind the contractor to notify the Protective Security Officer immediately when an employee either leaves the company or is removed from the project. When a contractor employee is removed from the contract for reasons other than suitability or a contract expires and is not extended, we will properly adjust and annotate the suitability database to reflect the actual status of the individual.

Recommendation 4

Ensure all current and future contracts reflect the current project officer and an alternate.
Comment

We agree. We recently transitioned from the term "project officer" to the term "Contracting Officer's Technical Representative (COTR)." Consider updating the report to include the current terminology.

We will modify the contract in question to reflect the current COTR and alternate COTR. We will ensure that all future contracts are modified as soon as a new COTR or an alternate COTR has been designated. We will send a reminder to Contracting Officers via our acquisition update email notification system.

[In addition to the information listed above, SSA also provided technical comments which have been addressed, where appropriate, in this report.]

Appendix E
OIG Contacts and Staff Acknowledgments
OIG Contacts
Kitt Winter, Director, Information Technology Audit Division, (410) 965-9702
Mary Ellen Moyer, Acting Audit Manager, (410) 966-1026
Acknowledgments
In addition to those named above:
Deborah Kinsey, Auditor in Charge
Harold Hunter, Senior Auditor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-14-08-18020.

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG's media and public information policies, directs OIG's external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG's strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.