SOCIAL SECURITY ADMINISTRATION
THE SOCIAL SECURITY ADMINISTRATION'S CONSULTING SERVICES CONTRACT FOR THE TIME ALLOCATION SYSTEM
August 2008
A-14-08-18020
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
MEMORANDUM
Date: August 5, 2008
To: The Commissioner
From: Inspector General
Subject: The Social Security Administration's Consulting Services Contract for the Time Allocation System (A-14-08-18020)
OBJECTIVE
The objectives of our audit were to determine whether APA, Incorporated, doing business as DecisionPath Consulting (DecisionPath), adhered to the negotiated contract terms, and whether Social Security Administration (SSA) personnel properly monitored the contract. The contract supports development of SSA's Time Allocation System (TAS). We reviewed the Agency's administrative controls and oversight of DecisionPath's work in support of TAS. We did not complete an audit of the overall TAS project. As with our other contract administration audits, we will continue to monitor the status of the contract and, if warranted, we will conduct an additional review on the TAS project at a later date.
BACKGROUND
SSA provides services to the Nation through a network of community-based offices, central processing facilities, associated State agencies, telephone centers, and its web site. TAS is designed to automatically capture time employees spend on various Agency workloads. The time is captured from the many systems that SSA employees use. These transaction data are processed with SSA payroll data, and based on defined business rules, the resulting data are allocated to workload categories. The Agency developed, and continues to enhance, TAS to improve the way workload data are captured for such purposes as determining resource requirements and measuring productivity. (See Appendix B for further details.)
SSA entered into two blanket purchase agreements (BPA) with DecisionPath to perform contract work for TAS under General Services Administration (GSA) Schedule contract number GS-35F-0300J. DecisionPath was expected to provide all necessary program management, project management, data warehousing, systems engineering and integration, and business intelligence expertise required to assist SSA in developing and deploying TAS.
Based on the two BPAs, the total volume of purchases from DecisionPath for TAS and TAS-related work is anticipated to be $29 million. SSA originally estimated the total TAS costs to be approximately $20 million. DecisionPath is one of three contractors engaged in implementing TAS. The total DecisionPath costs as of January 2008 were approximately $18.46 million.
RESULTS OF REVIEW
Based on Federal regulations, DecisionPath generally adhered to the negotiated contract terms to develop TAS and maintained adequate timekeeping records to support the employee hours billed (see Appendix C for the results of our tests of invoices and SSA's systems access controls). We found that SSA had controls in place for the administration, oversight and accountability of the contract, including the following.
Agency systems access by contractors expires after 1 year.
Contractor personnel must certify annually that they understand SSA's security, confidentiality and ethics requirements.
DecisionPath submitted monthly technical reports and held regular planning and status meetings with SSA staff.
We identified the following areas where contract management should be improved.
DecisionPath employees no longer working on the contract could still have badges that authorized access to SSA facilities.
Contract employees' working status with SSA was not accurately reflected in suitability records.
The new project officer and an alternate should be named in contract documents.
Near the end of our review, we shared our findings and recommendations with SSA employees responsible for managing the contract. SSA's contracting, program, facilities management and suitability offices have taken steps to address most of the issues we identified.
DecisionPath Employees No Longer Working on the Contract Could Still Access SSA Facilities
The temporary badges assigned to DecisionPath employees improperly had a "not-to-exceed date" that extended beyond the end of the contract period, and it extended more than 1 year from the issuance of the badges. Also, records maintained in the badging office only reflected one DecisionPath badge as returned when at least 11 employees who were issued badges no longer worked on the contract. Therefore, contract employees who were no longer working on the contract could still have had access to SSA facilities.
SSA policy in place during our review stated that contractor badges should have a "not-to-exceed date" of 1 year or the end of the contract, whichever is sooner. However, SSA employees improperly issued badges to DecisionPath employees to coincide with the 5-year life-cycle of a Homeland Security Presidential Directive (HSPD) 12 credential, even though they were not issued HSPD-12 badges.
Separated employees and contractors should return access badges to SSA management for destruction or revocation. SSA needs to ensure staffs who issue contractor badges follow current policy for expiration dates for contractors and that project officers ensure badges no longer needed by contract personnel are properly retrieved and destroyed.
Contract Employees' Working Status with SSA Was Not Accurately Reflected in Suitability Records
A number of DecisionPath employees who had either left DecisionPath or no longer worked on the contract were still being reported as active in SSA's suitability records. Additionally, the Agency's suitability records reflected only one DecisionPath employee as suitable to work under the current contract, SS00-06-40018, although they had been cleared for the same work on the BPA that was closed, SS00-04-40019. The lack of current suitability records diminishes the reliability of the Agency system that documents a contractor's authorization to work on an SSA contract award.
The suitability clause in the contract requires that personnel performing on the contract who either leave the company or are removed from the project notify the Agency's Protective Security Officer immediately. Suitability records should then reflect when contractor staff are no longer active on the contract. Additionally, the suitability records should reflect the contract number employees are cleared to work under.
The suitability records were not up-to-date because it is likely the suitability staff was not receiving information about the separated or retired contractor staff no longer working on the contract. SSA should ensure contractors notify the Protective Security Officer immediately when employees either leave the company or are removed from the project to ensure contractor staffs are correctly recorded in the suitability files. Also, the Agency should work to ensure its suitability documentation is current concerning which contracts an employee is cleared to work under.
The New Project Officer and an Alternate Should be Named in Contract Documents
In 2007, a new SSA project officer was assigned to the TAS contract. However, the former project officer, who had retired, was still named in the DecisionPath contract documents we reviewed. Additionally, no alternate had been named. As a result, SSA did not have someone officially designated in the contract documents as a project officer or a back-up to represent the contracting officer in his/her absence in the technical phases of the contract.
It is SSA practice to assign a project officer and an alternate on every contract. After we informed contract officials of this oversight, they named the new project officer and an alternate in the contract.
CONCLUSION AND RECOMMENDATIONS
DecisionPath generally adhered to the negotiated contract terms for the development of TAS, provided the Agency with technical progress reports and maintained adequate timekeeping records to support the employee hours billed. SSA had controls in place; however, there were areas where improvements could be made. These areas included (1) employees no longer working on the contract could still have had badges authorizing access to SSA facilities, (2) contract employees' working status with SSA was not accurately reflected in the suitability records, and (3) a new project officer and an alternate were not named in contract documents.
We therefore recommend that SSA:
1. Ensure staffs who issue contractor badges follow policy for expiration dates for contractors.
2. Ensure contractors return badges no longer needed by contract personnel to SSA management for disposal.
3. Ensure contract employees' working status is accurately recorded in the suitability files.
4. Ensure all current and future contracts reflect the current project officer and an alternate.
AGENCY COMMENTS
SSA agreed with all of our recommendations. SSA's comments are included in Appendix D.
Patrick P. O'Carroll, Jr.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Background
APPENDIX C - Scope, Methodology and Test Results
APPENDIX D - Agency Comments
APPENDIX E - OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
BPA Blanket Purchase Agreement
DecisionPath APA, Incorporated, doing business as DecisionPath Consulting
GSA General Services Administration
HSPD Homeland Security Presidential Directive
MRM Materiel Resources Manual
OIG Office of the Inspector General
SSA Social Security Administration
SUMS/MCAS Social Security Administration Unified Measurement and Managerial Cost Accountability Systems
TAS Time Allocation System
Appendix B
Background
Time Allocation System
The July 31, 2003 Time Allocation System (TAS) Vision and Scope Statement serves as the foundation for the project and states the following.
This system will provide comprehensive management and financial information essential to the sound management of the Agency and its programs and workloads. Time allocation systems are necessary to measure or apportion the work time (e.g., work hours) worked by SSA employees among the various activities they perform, programs they support, and organizations in which they work. This information is used for such purposes as: cost allocation and analysis; budget formulation, justification and execution; staffing allocation methodologies; and productivity measurement systems.
Business objectives and success criteria cited in the 2003 TAS Vision Statement are to
provide time allocation measures that are valid for on-going workloads and tasks at the local office level, module and branch levels at a 95-percent confidence level;
develop and implement an integrated system that will allocate work time usage information among organizations and workload activities consistently in all components; and
automate the collection of data to the extent possible and support any remaining reporting by automated collection systems.
The TAS project supports the Social Security Administration Unified Measurement and Managerial Cost Accountability Systems (SUMS/MCAS). The SUMS/MCAS vision is to capture, count and measure all work consistently, regardless of where the work is performed. This includes direct workloads as well as indirect support and measurable staff work. MCAS is expected to satisfy Government-wide cost accountability regulations, provide full costs for SSA programs and support strategic decision-making. Before SUMS/MCAS, there were many sources of management information that were not easily reconciled. With SUMS/MCAS, there will be one uniform, consistent source of information.
Appendix C
Scope, Methodology and Test Results
We conducted our audit between August 2007 and May 2008 in Baltimore and Gaithersburg, Maryland. We reviewed the Agency's administrative controls and oversight of DecisionPath's work in support of the Time Allocation System (TAS). As with other contract administration audits we conduct, we will continue to monitor the status of the contract and, if warranted, we will conduct an additional review of the TAS project at a later date.
The principal entities audited were the Social Security Administration's (SSA) Offices of Acquisition and Grants (the contracting office) and Earnings, Enumeration and Administrative Systems (the program office). We also reviewed records and interviewed staff in the Agency's Offices of Budget, Finance and Management, and Operations.
We conducted our audit in accordance with generally accepted government auditing standards. We planned and performed the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. To meet our objectives, we
reviewed applicable Federal laws and regulations and applicable SSA policies and procedures;
reviewed the General Services Administration (GSA) Schedule Contract Number GS-35F-0300J and the two SSA Blanket Purchase Agreements (BPA) against the GSA contract, SS00-06-40018 and SS00-04-40019;
interviewed Agency and APA, Incorporated, doing business as DecisionPath Consulting (DecisionPath), staffs;
visited DecisionPath Consulting headquarters in Gaithersburg, Maryland;
tested a sample of invoices;
reviewed the contractor's monthly status reports;
reviewed the Agency systems access request forms and systems security records;
reviewed Agency contractor suitability records;
reviewed SSA-owned laptops assigned to DecisionPath employees; and
reviewed records from the SSA badging office.
Further, except for the issues noted in the findings, we determined the Agency's data related to invoices and contractor badging and suitability records pertaining to DecisionPath staff were sufficiently reliable given the audit objective and intended use of the data and should not lead to incorrect or unintentional conclusions.
Testing Methodology and Results
Sample 1 - Test of Invoices
For the two BPAs with DecisionPath for the development of TAS, we selected for review the highest dollar invoice from each purchase call. To perform our review, we obtained employee timesheets from DecisionPath for the periods indicated on the invoices. We found that DecisionPath had adequate timekeeping records to support all the hours billed.
For BPA SS00-04-40019, there were seven purchase calls, and for BPA SS00-06-40018, there were three purchase calls. For BPA SS00-04-40019, there were invoices submitted and paid totaling $10.9 million associated with the seven purchase calls. We tested $1.5 million of the $10.9 million as shown in Table 1.
Table 1: Invoices Selected Under Blanket Purchase Agreement SS00-04-40019
Call Number | Invoice Number | Invoice Amount | Was Invoice Adequately Supported?
Call 0001 | 2023-5 | $317,082.18 | Yes
Call 0002 | 2024-4 | $62,207.00 | Yes
Call 0003 | 2025-6 | $103,384.00 | Yes
Call 0004 | 2026-4 | $157,284.85 | Yes
Call 0005 | 2027-5 | $312,498.12 | Yes
Call 0006 | 2028-9 | $499,646.67 | Yes
Call 0007 | 2031-2 | $41,376.30 | Yes
Total | | $1,493,479.12 |
Under the second BPA SS00-06-40018, there were invoices submitted and paid through July 23, 2007 totaling $3.9 million, associated with the three purchase calls. We tested $0.8 million of the $3.9 million as shown in Table 2.
Table 2: Invoices Selected Under Blanket Purchase Agreement SS00-06-40018
Call Number | Invoice Number | Invoice Amount | Was Invoice Adequately Supported?
Call 0001 | 2033-2 | $482,688.04 | Yes
Call 0002 | 2035-3 | $48,708.30 | Yes
Call 0003 | 2033-003-1 | $230,822.92 | Yes
Total | | $762,219.26 |
The invoice periods ranged from May 2004 through July 2007.
Sample 2 - Test of Systems Access Controls
We reviewed the Agency's security controls over all 33 DecisionPath staff who were granted access to SSA's systems from the beginning of the contract through August 3, 2007.
Specifically, we determined whether:
1. Approved Application for Access to SSA Systems (SSA-120) forms were on file.
2. Approved High Assurance (Virtual Private Network) Access Forms were on file, as appropriate.
3. Signed Contractor Personnel Security Certification(s) were on file.
4. Evidence of suitability determinations for contract employees were in SSA's records.
We found that the required SSA security forms were prepared and signed for the DecisionPath staff who were granted access to SSA systems. Additionally, we found the Agency's Suitability Office had determined as suitable those DecisionPath employees who (1) had access to programmatic and sensitive information and (2) worked on-site at SSA.
Finally, we looked at security systems records to determine the level of access actually granted to DecisionPath employees. We found that the DecisionPath staff was granted the approved levels necessary to perform tasks under the TAS contract.
Appendix D
Agency Comments
SOCIAL SECURITY
MEMORANDUM
Date: July 25, 2008
To: Patrick P. O'Carroll, Jr.
Inspector General
From: David V. Foster /s/
Executive Counselor to the Commissioner
Subject: Office of the Inspector General (OIG) Draft Report, "The Social Security Administration's Consulting Services Contract for the Time Allocation System" (A-14-08-18020)--INFORMATION
We appreciate OIG's efforts in conducting this review. Attached is our response to the recommendations.
Please let me know if we can be of further assistance. Your staff may direct staff inquiries to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S (OIG) DRAFT REPORT, "THE SOCIAL SECURITY ADMINISTRATION'S CONSULTING SERVICES CONTRACT FOR THE TIME ALLOCATION SYSTEM" (A-14-08-18020)
Thank you for the opportunity to review and provide comments on this draft report.
Recommendation 1
Ensure staffs who issue contractor badges follow policy for expiration dates for contractors.
Comment
We agree. We will ensure staff that issue contractor badges follow policy regarding the expiration dates.
Recommendation 2
Ensure contractors return badges no longer needed by contract personnel to management for disposal.
Comment
We agree. We will ensure contractor badges are returned for disposal once the badge is no longer needed by the contractor. When contractor personnel performing under this contract leave the company, are removed from the project, or are arrested and charged with a crime during the term of this contract, the contractor shall notify our Protective Security Officer immediately. The notification must include the name of the contractor personnel and their Social Security number. If the contractor personnel was arrested and charged with a crime, the notification must also include the type of charge(s), the court date, and, if available, the disposition of the charge(s).
Recommendation 3
Ensure contract employees' working status is accurately recorded in the suitability files.
Comment
We agree. We conduct background investigations on contractor employees and maintain a database that contains data on these individuals. We will remind the contractor to notify the Protective Security Officer immediately when an employee either leaves the company or is removed from the project. When a contractor employee is removed from the contract for reasons other than suitability or a contract expires and is not extended, we will properly adjust and annotate the suitability database to reflect the actual status of the individual.
Recommendation 4
Ensure all current and future contracts reflect the current project officer and an alternate.
Comment
We agree. We recently transitioned from the term "project officer" to the term "Contracting Officer's Technical Representative (COTR)." Consider updating the report to include the current terminology.
We will modify the contract in question to reflect the current COTR and alternate COTR. We will ensure that all future contracts are modified as soon as a new COTR or an alternate COTR has been designated. We will send a reminder to Contracting Officers via our acquisition update email notification system.
[In addition to the information listed above, SSA also provided technical comments which have been addressed, where appropriate, in this report.]
Appendix E
OIG Contacts and Staff Acknowledgments
OIG Contacts
Kitt Winter, Director, Information Technology Audit Division, (410) 965-9702
Mary Ellen Moyer, Acting Audit Manager, (410) 966-1026
Acknowledgments
In addition to those named above:
Deborah Kinsey, Auditor in Charge
Harold Hunter, Senior Auditor
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-14-08-18020.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG's media and public information policies, directs OIG's external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG's strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.