SOCIAL SECURITY ADMINISTRATION
THE SOCIAL
SECURITY
ADMINISTRATION'S
COMPLIANCE WITH
THE EMPLOYEE RETIREMENT
INCOME SECURITY ACT
October
2004
A-14-04-24099
AUDIT REPORT
Mission
We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.
SOCIAL SECURITY
MEMORANDUM
Date: October 14, 2004
To: The Commissioner
From: Acting Inspector General
Subject: The Social Security Administration's Compliance with the Employee Retirement Income Security Act (A 14 04 24099)
OBJECTIVES
Our objectives were to: (1) determine how well the Social Security Administration (SSA) is complying with provisions of the Employee Retirement Income Security Act (ERISA), and (2) offer cost-effective recommendations to enhance SSA's processing of this workload.
BACKGROUND
Congress enacted the ERISA in 1974 as a result of concerns that funds of private
pension plans were being mismanaged and abused. ERISA and the Internal Revenue
Code require more than 1 million private pension, welfare and fringe benefit
plan administrators to file Form 5500, Annual Return/Report of Employee Benefit
Plan, with the Internal Revenue Service (IRS) annually. This report includes
Schedule SSA, Annual Registration Statement Identifying Separated Participants
With Deferred Vested Benefits. The IRS is responsible for sharing information
about certain accrued employee benefits reported by private pension plans with
SSA to enable SSA to provide notice to potential private pension beneficiaries
when they apply for Social Security benefits. In addition, the IRS provides
to SSA quarterly electronic Form 5500 updates that reflect changes to pension
plan administrators. Also, the Pension Benefit Guaranty Corporation (PBGC) provides
SSA with quarterly electronic updates when PBGC assumes responsibility for certain
insolvent plans.
SSA's Responsibilities
SSA is responsible under ERISA and the Social Security Act to take the information
it obtains from the IRS and the PBGC and notify certain individuals that they
may be eligible for deferred vested benefits from private pension plans. SSA
is responsible for notifying each new Social Security or Medicare claimant for
whom it has pension benefit information. This information can be used by the
claimant to claim any pension benefits due from the pension plan.
SSA's Processing of the Data
IRS initially receives all ERISA documents from pension plan administrators. ERISA documents may be filed electronically or on paper. IRS then scans and converts paper documents that follow a specified format to electronic files. These electronic files are sent to SSA along with electronically filed forms using the Department of Labor's (DOL) ERISA Filing Acceptance System (EFAST). EFAST was created by DOL, IRS, and PBGC to streamline the process for filing and processing the Form 5500s. However, until recently, SSA had no means to process the electronic records.
IRS sends all paper documents that cannot be scanned (i.e., paper documents
that do not follow the specified format) to SSA's Wilkes-Barre Data Operations
Center (WBDOC) in Pennsylvania for manual processing. If the paper documents
contain legible and complete individual records, WBDOC personnel key the records
into SSA's ERISA database. The database files are forwarded to SSA's Office
of Systems in Headquarters to be incorporated into the ERISA notice job stream,
which result in ERISA notices that are sent to potential pension plan beneficiaries.
If the paper documents that WBDOC receives contain illegible or incomplete records,
they are not processed and entered into the ERISA database and are instead sent
to Headquarters.
RESULTS OF REVIEW
SSA has complied with some of the requirements of ERISA by processing the paper Schedules SSA (Schedules) received at WBDOC, and by generating and issuing notices using that information. However, SSA cannot fulfill all of its responsibilities under ERISA because (1) a system to process quarterly electronic ERISA records for employer changes is not fully operational, and (2) paper Schedules received on behalf of IRS sometimes contain incomplete and illegible data. Additionally, internal controls can be strengthened to reduce the risk of error or fraud, and to safeguard SSA's business process investment.
SSA Is Making Progress by Processing Electronic ERISA Records
Until recently, SSA had been unable to meet many of its responsibilities under ERISA, since it began receiving electronic Schedules via DOL's EFAST in December 2000. EFAST was created by DOL, IRS, and PBGC to streamline the process for filing and processing the Form 5500s. However, SSA was unable to process these EFAST records until June 2004 because there was no computerized system to process them. Since there was no system, SSA had a backlog of 8.87 million unprocessed EFAST records as of February 2004. The EFAST records include both potential beneficiary records, as well as changes to pension plan administrators.
As a result of the unprocessed records, numerous individuals were not notified timely of their potential entitlement to receive deferred vested benefits from private pension plans, or they may have received notices containing inaccurate pension plan administrator information. For example, if only 1 percent of the 2.96 million unprocessed beneficiary records would result in an ERISA notice, then approximately 29,600 individuals would not have been informed timely of their potential entitlement to approximately $287.5 million in annual benefits.
In September 2003, the Office of Systems received permission from the Commissioner to develop and implement an automated system to process these records. Shortly thereafter, the Agency initiated the ERISA project to develop a system for processing the backlog of EFAST records. The ERISA Project Team identified many of the ERISA issues outlined in our report. Furthermore, in many cases, the Project Team has been proactive in developing plans to address issues discussed in this report. While this report was being prepared, SSA implemented a system to process pension plan beneficiary records in June 2004, and processed the existing backlog. However, it has not yet determined the additional functionality needed to process the electronic records that track changes in pension plan administrators. If plan administrator information is not properly updated, notices could be sent with incorrect pension plan information. These types of incorrect notices may result in inquiries by notice recipients, which SSA must research and resolve. Implementation of this system could reduce the number of unnecessary public inquiries. SSA should continue with its plan for evaluating whether these records need to be processed, and if so, then developing and implementing the system for processing EFAST records in accordance with SSA's established systems development lifecycle guidelines.
DOL recently initiated the EFAST 2 project, which aims to further streamline
the EFAST process through the use of the Internet. Even though SSA is a major
participant in the ERISA process, the Agency has not formally been invited to
participate in this important interagency project. If SSA does not participate
in this project, the process for sending information via the Schedules may not
be in a proper format or may not contain all relevant information that SSA needs
to process these documents. Also, SSA may have to build and/or modify existing
software to accommodate the EFAST 2 data, if the system is developed without
SSA's input. Therefore, SSA needs to participate in this endeavor to ensure
that SSA's requirements for processing ERISA data are adequately met.
Paper Documents Contain Incomplete and Illegible Data
For the period October 2003 through March 2004, WBDOC processed approximately 9.38 million hard copy (paper) beneficiary records from the IRS via the Schedules, and expended 48.2 work years (or approximately $2.1 million ) processing these records. The legible and complete records on the paper documents were manually entered into SSA's ERISA database for processing.
SSA personnel estimated that between 25-50 percent of the paper records were incomplete and illegible and, therefore, could not be processed without additional work to obtain complete and legible data. A Memorandum of Understanding (MOU) between SSA and IRS requires IRS to send SSA complete and legible data, and IRS agrees to correspond with the plan sponsors for corrections when the data is incomplete or illegible. However, rather than send incomplete and illegible records back to IRS for correction, WBDOC processed the records after contacting the plan administrators to obtain complete and legible data.
The Agency was unable to provide data to estimate the personnel cost or amount of time spent contacting plan administrators to obtain complete and legible data. As a result, we cannot estimate the part that could have been saved. SSA should return incomplete and illegible records to IRS for correction in accordance with the MOU.
Furthermore, when WBDOC ultimately cannot obtain complete and legible data, it does not process the records and, instead, sends them to the Office of Systems. In past years, Office of Systems' personnel have discarded some of these records rather than return them to IRS for the records to be corrected. The Office of Systems currently has several stacks of unprocessed documents that WBDOC could not process. Based upon WBDOC's methodology (see Appendix B), we estimated, as of March 12, 2004, the documents that could not be processed represented approximately 85,540 records. As a result, the individuals on these records may not be informed of their potential eligibility for deferred pension plan benefits when they initially file for Social Security or Medicare benefits.
During our audit, SSA informed IRS of the incomplete and illegible documents
and requested a name and address to return them. IRS stated it had no procedure
or staff in place to process the documents. Consequently, SSA was unable to
return the documents to IRS for correction. Furthermore, not only has IRS asked
SSA to renegotiate the existing MOU, it has asked SSA for funding to perform
duties related to the Schedules SSA previously performed without cost to SSA.
SSA needs to determine what its responsibilities are under ERISA regarding these
incomplete and illegible documents. SSA also needs to determine what its obligations
are concerning the existing MOU with IRS regarding these documents.
No Interagency Agreement with PBGC
PBGC was established by ERISA in 1974 to assume responsibility for certain insolvent plans. PBGC forwards a quarterly file to SSA, so that SSA's database can be updated to reflect PBGC as administrator for those plans. However, SSA has no interagency agreement with PBGC to define both parties' roles and responsibilities. The Agency could not provide an explanation as to why it did not implement an interagency agreement with PBGC. As a result, SSA cannot ensure that PBGC consistently fulfills its obligations to SSA under ERISA. Without such an agreement, PBGC could change the way it handles the ERISA data it provides to SSA. SSA often implements interagency agreements when there is a shared responsibility to receive and/or provide information with another agency. Additionally, because SSA has a systems investment in this business process, it is good business practice to have a formal agreement in place to define both parties' responsibilities for processing the ERISA data. Therefore, SSA should develop and implement an MOU with PBGC.
Programmer Access to ERISA Database
When an individual contacts SSA regarding a complex, inaccurate ERISA notice, the inquiry is generally handled by an SSA ERISA analyst with the assistance of an ERISA programmer in SSA's Office of Systems. In such cases, programmers can contact pension plan administrators via telephone to obtain specific information regarding an individual's record in SSA's ERISA database. If the record is incorrect, the programmer then has the ability to change or delete the record in the ERISA database. We found there is no audit trail or record of the transaction or appropriate compensating controls over this process.
If due care is not exercised to prohibit improper changes to the database, legal issues may arise concerning an individual's rights under ERISA. The Office of Management and Budget's (OMB) standards regarding segregation of duties require that key duties and responsibilities are divided among different people to reduce the risk of error. Also, OMB's principle of least privilege calls for agencies to restrict a user's access to the minimum needed to perform his or her job duties. In addition, the issue of inappropriate access to data files by programmers has also been part of the reportable condition identified during SSA's annual financial statement audit. Furthermore, the process to make changes to the ERISA database is not formally documented in SSA's policies and procedures manual. SSA should ensure adequate controls are in place to prevent programmers from improperly changing or deleting records contained in the ERISA database, and SSA should document formal procedures for handling ERISA inquiries from the public.
Formal Operating Procedures
Current operating procedures are outdated and do not address the procedures that changed as a result of the June 2004 software implementation to process the electronic records. The lack of formal operating procedures could result in inconsistent, inefficient, and/or incorrect responses to public inquiries by SSA personnel. Therefore, SSA needs to implement written operating procedures to adequately address the ERISA process, including changes resulting from the June 2004 software implementation.
RECOMMENDATIONS
We recommend SSA:
1. Continue to develop and implement its system to process all electronic EFAST records as soon as practicable.
2. Formally participate on the development team for DOL's EFAST 2 project.
3. Determine what its responsibilities are under ERISA and its obligations concerning the MOU with IRS regarding incomplete and illegible documents.
4. Develop and implement an MOU with PBGC to specify roles and responsibilities of both parties regarding the sharing of information.
5. Ensure adequate controls are in place to prevent improper changes or deletions of records in the ERISA database.
6. Document and implement formal procedures for the ERISA process, including the handling of ERISA inquiries from the public.
AGENCY COMMENTS AND OIG RESPONSE
SSA agreed with our recommendations. The Agency had one substantive concern regarding the estimate of work year savings which could not be accurately projected due to the lack of available data. Therefore, we removed the work year estimation from the report. The Agency also provided technical comments that we considered and incorporated, where appropriate. The text of SSA's comments is included in Appendix C. We commend SSA for its ongoing efforts to comply with ERISA.
Patrick P. O'Carroll, Jr.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Agency Comments
APPENDIX D - OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
DOL Department of Labor
EFAST ERISA Filing Acceptance System
ERISA Employee Retirement Income Security Act
IRS Internal Revenue Service
MOU Memorandum of Understanding
OMB Office of Management and Budget
PBGC Pension Benefit Guaranty Corporation
SSA Social Security Administration
USCA United States Code Annotated
WBDOC Wilkes-Barre Data Operations Center
Appendix B
Scope and Methodology
To accomplish our objectives, we reviewed applicable policies, procedures, laws and regulations related to the Employee Retirement Income Security Act (ERISA), and ERISA systems development information. We interviewed SSA personnel in Headquarters and at Wilkes-Barre Data Operations Center (WBDOC) in Wilkes-Barre, Pennsylvania.
To estimate the quantity of unprocessed ERISA paper records maintained by the Office of Systems, we weighed them using the postal scale located in SSA's mail room. The total weight of all the packages was 61.1 pounds. We then applied the estimating methodology routinely used by WBDOC to estimate the number of ERISA records, as follows:
61.1 pounds @ 100 pages per pound = 6,110 pages
6,110 pages x 14 records per page = 85,540 records
We performed our work between December 2003 and April 2004. We conducted our
review in accordance with generally accepted government auditing standards.
The data in this report was used to provide background information only and
was not deemed necessary to support findings and recommendations. Therefore,
we did not determine the reliability of that data, and any limitations of the
data used in the context of this assignment should not lead to an incorrect
or unintentional conclusion.
Appendix C
Agency Comments
MEMORANDUM
September 7, 2004
To: Patrick P. O'Carroll, Jr.
Acting Inspector General
From: Larry W. Dye
Chief of Staff
Subject: Office of the Inspector General (OIG) Draft Report "The Social Security Administration's Compliance With the Employee Retirement Income Security Act" (A-14-04-24099)--INFORMATION
We appreciate OIG's efforts in conducting this review. Our comments on the draft report content and recommendations are attached.
Please let me know if you have any questions. Staff inquiries may be directed
to
Candace Skurnik, Director, Audit Management and Liaison Staff, at extension
54636.
SSA Response
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT "THE SOCIAL SECURITY ADMINISTRATION'S COMPLIANCE WITH THE EMPLOYEE RETIREMENT INCOME SECURITY ACT" (A-14-04-24099)
Thank you for the opportunity to review and comment on the draft report. Overall, we agree with the report's conclusions and recommendations. We are pleased that the review recognizes our effort to comply with Employee Retirement Income Security Act (ERISA) requirements. Our responses to the recommendations and suggested technical comments below provide information or updated language on the actions we have taken or plan to take to move toward fulfillment of all of our responsibilities under ERISA.
We have one substantive concern about the calculation of estimated savings related to processing incomplete and/or illegible ERISA forms (page 5 of the report and Appendix B). The report notes that the forms required additional work compared to forms that were complete and legible. However, the estimate of the cost of processing this work assumes the same unit time as the overall workload and then identifies all of the processing time associated with processing the incomplete or illegible forms as the potential savings. As calculated, the estimate assumes this represents the savings by concluding that these records should have been sent back to the Internal Revenue Service (IRS) to be resolved. Since the records would ultimately have to be processed after the incomplete and/or illegible fields are resolved, the actual savings are the time and costs of only the Social Security Administration (SSA) work that would have been in addition to the effort of processing other complete and legible records; i.e., the time we spent resolving the incomplete and/or illegible fields. Additionally, because the report does not provide information on how much additional time we spent to process records that are incomplete or illegible, the potential savings cannot be estimated.
Recommendation 1
SSA should continue to develop and implement its system to process all electronic ERISA Filing Acceptance System (EFAST) records as soon as practicable.
Response
We agree. The system to process the EFAST records was released on June 10, 2004. As of June 25, 2004, all of the backlogged files were processed and updated to our ERISA master file. Phase II of ERISA EFAST is being considered by the Information Technology Advisory Board for implementation in fiscal year 2005.
Recommendation 2
SSA should formally participate on the development team for Department of Labor's (DOL) EFAST 2 project.
Response
We agree. We plan to work closely with DOL on the EFAST 2 project.
Recommendation 3
SSA should determine what its responsibilities are under ERISA and its obligations concerning the memorandum of understanding (MOU) with IRS regarding incomplete and illegible documents.
Response
We agree. Both IRS's and SSA's responsibilities regarding receiving incomplete and illegible documents from IRS are contained in the existing MOU. Currently, our General Counsel (GC) is evaluating the implications of IRS's non-compliance with the existing MOU to identify a possible resolution. Additionally, we are in the process of negotiating a new MOU with IRS and the issue of incomplete forms processing will be addressed during those negotiations.
Recommendation 4
SSA should develop and implement an MOU with the Pension Benefit Guarantee Corporation (PBGC) to specify roles and responsibilities of both parties regarding the sharing of information.
Response
We agree. The final version MOU between SSA and PBGC is currently being reviewed by our GC.
Recommendation 5
Ensure adequate controls are in place to prevent improper changes or deletions of records in the ERISA database.
Response
We agree. At the time of this review, OIG was evaluating the activity undertaken by our Office of Systems programmers who were contacting pension plan administrators to obtain information to change the database. We are aware of the need for guidelines on record changes and deletions for the ERISA workload to ensure separation of duties and will address ERISA access control issues as part of the Agency's Standardized Security Profile Project.
Recommendation 6
Document and implement formal procedures for the ERISA process, including the
handling of ERISA inquiries from the public.
Response
We agree. We have issued Program Operations Manual System instructions for Operations staff (field offices and teleservice centers) regarding handling inquiries from the public. We are currently developing procedures for our headquarters staff in the Division of Employer Services. It should be noted that all of the procedures will include instructions for correcting the ERISA database in an effort to ensure that controls are in place to prevent improper changes or deletions of records as they relate to recommendation 5 above.
[In addition to the items listed above, SSA provided technical comments which have been addressed in this report, where appropriate.]
Appendix D
OIG Contacts and Staff Acknowledgments
OIG Contacts
Kitt Winter, Director (410) 966-9702
Albert Darago, Audit Manager (410) 965-9710
Acknowledgments
In addition to those named above:
Anita McMillan, Senior Systems Auditor
Deborah Kinsey, Senior Systems Auditor
For additional copies of this report, please visit our web site at www.ssa.gov/oig
or contact the Office of the Inspector General's Public Affairs Specialist at
(410) 966-3218. Refer to Common Identification Number A-14-04-24099.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations
(OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General
(OCCIG), and Office of Executive Operations (OEO). To ensure compliance with
policies and procedures, internal controls, and professional standards, we also
have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social
Security Administration's (SSA) programs and operations and makes recommendations
to ensure program objectives are achieved effectively and efficiently. Financial
audits assess whether SSA's financial statements fairly present SSA's financial
position, results of operations, and cash flow. Performance audits review the
economy, efficiency, and effectiveness of SSA's programs and operations. OA
also conducts short-term management and program evaluations and projects on
issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste,
abuse, and mismanagement in SSA programs and operations. This includes wrongdoing
by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as OIG liaison to the Department of
Justice on all matters relating to the investigations of SSA programs and personnel.
OI also conducts joint investigations with other Federal, State, and local law
enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Executive Operations
OEO supports OIG by providing information resource management and systems security.
OEO also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OEO is the focal point for OIG's strategic
planning function and the development and implementation of performance measures
required by the Government Performance and Results Act of 1993.