OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

ON-SITE SECURITY CONTROL
AND AUDIT REVIEW
AT HEARING OFFICES

September 2007

A-12-07-17080

AUDIT REPORT


Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: September 28, 2007

To: The Commissioner

From: Inspector General

Subject: On-site Security Control and Audit Review at Hearing Offices (A-12-07-17080)

OBJECTIVE

Our objectives were to assess (1) the Social Security Administration's (SSA) procedures for selecting hearing offices for On-site Security Control and Audit Reviews (OSCAR), (2) SSA's system for ensuring appropriate correction of deficiencies identified through OSCARs, and (3) additional steps SSA can take to enhance the OSCAR Guide.

BACKGROUND

SSA must comply with the Federal requirements associated with management controls and provide assurances that its financial, programmatic and administrative processes are functioning as intended. These requirements include the Federal Managers' Financial Integrity Act (FMFIA). SSA designed the OSCAR program to satisfy the Federal requirements stated in the FMFIA.

The Office of Disability Adjudication and Review (ODAR) administers 140 hearing offices located in 10 regions throughout the United States. ODAR's Headquarters (HQ) is responsible for conducting OSCARs at these hearing offices. In addition to using its own staff, HQ has hired contractors in the past to perform these reviews. These reviews cover a number of programmatic and administrative functions, including: (1) third party draft accounts; (2) acquisitions; (3) time and attendance; (4) security of automated systems; and (5) physical and protective security.

Under current OSCAR procedures, ODAR is required to review 10 to 20 percent of hearing offices annually and complete its review of all offices within 5 years, with the understanding that accomplishment of this requirement is contingent on funding. In general, an OSCAR is supposed to be completed in 1 visit and, within 30 calendar days, the data and findings are supposed to be analyzed and a written report issued, including corrective actions. Once the final report is provided to the audited component, the hearing office manager has 30 days to respond (either directly or through its regional office (RO)) with a report of the corrective actions planned and/or taken. Also, the office/component should forward to HQ, within 90 days of issuing the corrective action report, a validation report stating that corrective actions have been implemented.

In addition to OSCARs, there are other reviews performed on hearing offices which serve as compensating controls. ROs perform administrative reviews on their hearing offices once every 3 years. An administrative review covers the same scope as an HQ OSCAR plus other areas such as a workload assessment. Also, each Hearing Office Director (HOD) conducts an annual self-OSCAR of the hearing office, except during the year a HQ OSCAR is performed.

RESULTS OF REVIEW

During Fiscal Years (FY) 2002 through 2006, ODAR did not meet the 10 percent national review threshold in 4 out of 5 years. In addition, ODAR was able to perform OSCARs at only 70 of the 140 (50 percent) hearing offices during the 5-year period. This occurred because ODAR was in the process of establishing a formal OSCAR program and other reviews limited their OSCAR coverage during this period. During FY 2007, ODAR plans to perform OSCARs on 20 percent of the hearing offices. We also found that during our review period ROs' administrative reviews were not documented in writing and self-OSCARs did not fully identify deficiencies, minimizing the usefulness of these compensating controls. In addition, we found that OSCAR reports were not prepared timely for hearing office action. Some recommendations had not been implemented 18 months after the report was provided to the hearing office, and ODAR was not regularly collecting and reviewing validation reports, which may have contributed to the lack of follow-through at the hearing offices. Finally, the OSCAR guidance could be more comprehensive, covering additional topics, such as physical security at permanent remote sites and protection of sensitive data.

OSCAR REVIEW COVERAGE

ODAR did not perform the required number of OSCAR reviews at hearing offices during our 5-year review period primarily because HQ was in the process of establishing the OSCAR program and other reviews of the hearing offices were being performed. We also found that other compensating reviews were not an adequate control in the absence of a full HQ OSCAR.

Required Coverage

The current OSCAR guide requires that ODAR review 10 to 20 percent of all hearing offices annually and complete the review of all within 5 years. However, as shown in Table 1, ODAR reviewed less than 10 percent of hearing offices in 4 out of 5 of the FYs. Moreover, ODAR reviewed only 70 of its 140 hearing offices, or 50 percent, during the 5-year period.

Table 1: Headquarters OSCARs During FYs 2002 through 2007
(Related to 140 Hearing Offices)
| Fiscal Year | Number of Hearing Offices Covered by OSCARs | Percentage of OSCARs Performed of Total Hearing Offices |
|---|---|---|
| 2002 | 4 | 3% |
| 2003 | 3 | 2% |
| 2004 | 3 | 2% |
| 2005 | 48 | 34% |
| 2006 | 14 (Note 1) | 9% (Note 1) |
| Total Hearing Offices | 72 | 50% (Note 1) |
| 2007 | 28 (est.) | 20% (est.) |

Note 1: While 14 OSCARs were performed in FY 2006, 2 were follow-up OSCARs during the 5-FY period. OSCARs were conducted on the Pasadena hearing office in FYs 2004 and 2006 because it relocated; and on the Denver hearing office in FYs 2005 and 2006 because the initial OSCAR identified problems that necessitated further review.

Our review of specific regional coverage found ODAR conducted OSCARs at 80 percent or more of the hearing offices in 3 regions during the 5-year period (see Table 2). However, 4 regions were below 50 percent coverage for the period.

Table 2: OSCAR Coverage Per ODAR Region
During FYs 2002 through 2006
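| Region | Number of Hearing Offices | Number of Hearing Offices with Headquarters OSCAR | Percentage |
|---|---|---|---|
| I | 7 | 6 | 86% |
| II | 14 | 7 | 50% |
| III | 17 | 6 | 35% |
| IV | 31 | 14 | 45% |
| V | 19 | 8 | 42% |
| VI | 16 | 7 | 44% |
| VII | 7 | 4 | 57% |
| VIII | 5 | 4 | 80% |
| IX | 20 | 10 | 50% |
| X | 4 | 4 | 100% |
| Total | 140 | 70 | 50% |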

Resources and OSCAR Selection

During FYs 2002 through 2004 ODAR did not perform all the OSCARs needed to meet the 10 to 20 percent requirement. When we discussed this with ODAR management we were told that the organization was in the process of establishing the OSCAR program during this period. Moreover, ODAR management noted that from FY 2004 through April 2006 ODAR was conducting Hearing Office Management Process Reviews, which took resources away from the HQ OSCAR process.

During FY 2005, additional resources allowed ODAR to perform HQ OSCARs at 48 hearing offices. Accordingly, during that year ODAR exceeded the 10 to 20 percent requirement. However, our calculations show ODAR fell below the 10 percent requirement again in FY 2006 because 2 of the 14 OSCARs it performed were follow-up OSCARs on hearing offices that had already undergone an OSCAR during this same 5-year period.

ODAR management stated that the FY 2005 rate of HQ OSCARs was not sustained because during FY 2006 ODAR conducted OSCARs at the 10 ROs, which did not count toward the 140 hearing offices 5-year goal. ODAR wanted to ensure that ROs' operations complied with the OSCAR guide and the ROs were familiar with the OSCAR process and requirements. It is probable that ODAR would have met or exceeded the 10 percent annual requirement if it had not been for the RO OSCARs. As of June 2007, ODAR stated it expected to issue 28 OSCAR reports in FY 2007, which would put ODAR at 20 percent coverage for the FY.

In deciding which hearing offices to review, HQ relies on recommendations from each RO. HQ annually requests that each of ODAR's 10 ROs recommend hearing offices within their regions for an OSCAR. Depending on the level of funding for OSCARs, as well as the number of recommendations from the ROs, HQ decides on the number and the location of the hearing offices to be reviewed during a particular FY. When we discussed this process with RO managers, we were told that they recommended hearing offices for OSCARs during the years when such offices were not scheduled for administrative RO reviews and/or in cases where the RO had concerns about a particular office.

Other Hearing Office Reviews

ROs perform administrative reviews on their hearing offices once every 3 years. These Regional Office Management Reviews cover the same scope as a HQ OSCAR plus other areas, such as a workload assessment. After completing the review, the review team orally briefs the hearing office management of its findings and recommendations. These findings and recommendations were not documented. Although ODAR management stated that the results of these reviews were not documented because they contained sensitive information, the failure to document the findings could result in management's inability to determine whether documented deficiencies were corrected. Also, an audit trail would serve to guide future reviews to ensure deficiencies do not continue.

Each HOD also conducts an annual self-OSCAR of the hearing office except during the year a HQ OSCAR is performed. These self-OSCARs are documented in writing. Our review included six self-OSCARs from six hearing offices in five different regions. Of these six reviews, we identified three self-OSCARs performed within 9 months of the subsequent HQ OSCARs. We compared the findings resulting from a HQ OSCAR to the findings in the self-OSCAR performed immediately prior in each of the three hearing offices.

In our review, we found that the HQ OSCARs were identifying issues not detected in the self-OSCARs (see Table 3). For example, in January 2005 a self-OSCAR review was conducted at the Colorado Springs Hearing Office, which identified only one finding. The review found that the receptionist's workstation lacked a panic alarm, a requirement in the Physical and Protective Security section in the OSCAR guide. In September 2005, HQ staff performed an OSCAR review and documented a total of 37 findings, including:

4 related to third party drafts,
3 related to acquisitions,
7 related to time and attendance,
2 related to security of automated systems, and
21 related to physical and protective security.

The self-OSCAR finding concerning the lack of a panic alarm at the receptionist's workstation was included among these findings since it had not been corrected after the self-OSCAR.

The purpose of the self-OSCAR is to ensure hearing offices are aware of existing policies and procedures, as well as taking steps to correct identified deficiencies. However, the disparity in findings noted above indicates the self-OSCAR review process is not always identifying such deficiencies.

Table 3: Headquarters OSCAR Versus Self-OSCAR Findings
| Hearing Offices | HQ OSCAR Report Date | Total HQ OSCAR Findings | Self-OSCAR Report Date | Total Self-OSCAR Findings |
|---|---|---|---|---|
| Albuquerque, New Mexico | 4/7/2005 | 34 | 1/29/2005 | 20 |
| Colorado Springs, Colorado | 9/30/2005 | 37 | 1/28/2005 | 1 |
| Fort Worth, Texas | 9/30/2005 | 38 | 1/6/2005 | 5 |
| Total | | 109 | | 26 |

Successful self-OSCARs are an important part of hearing office integrity since HQ OSCARs and RO administrative reviews cannot be performed at each location every year. In FY 2005, the SSA Office of the Inspector General (OIG) performed audits related to physical security at hearing offices in all 10 ODAR regions. In those audits, we identified physical security weaknesses in eight hearing offices that did not undergo HQ OSCARs during the 5-year period covering FYs 2002 through 2006. These weaknesses included (1) lack of semiannual testing of intrusion detection systems and duress alarm systems, (2) poor key security, and (3) missing peepholes in hearing office doors. It is likely that most, if not all, of these deficiencies could have been detected and corrected as part of a more robust self-OSCAR process.

TIMELINESS OF ISSUING OSCAR REPORTS

The majority of the HQ OSCARs exceeded the established 30-day timeframes for preparing OSCAR reports. In addition, the contractor hired to perform some of these OSCARs failed to issue a single audit within the established timeframes.

We examined the timeliness of issuing HQ OSCAR reports during a 12-month audit period (April 1, 2005 through March 31, 2006). The OSCAR guide requires the issuance of an OSCAR report within 30 calendar days from the completion of the OSCAR. Untimely issuance of HQ OSCAR reports could result in delaying implementation of OSCAR recommendations. During the audit period, 33 HQ OSCAR reports were issued; HQ performed 21, while the contractor performed 12. As shown in Figure 1, of the 21 HQ OSCAR reports, only 1 was issued within 30 days of the review completion date. It took 35 to 237 days to issue the remaining 20 reports, or an average of 127 days for all 21 reports. Also, of the 12 OSCAR reports issued by the contractor, none met the 30-day requirement. However, it took less time to issue these reports than those HQ issued. The contractor's reports were issued within 43 to 60 days of review completion date, or an average of 50 days. Additional review data is provided in Appendix D.

THE FOLLOW-UP PROCESS

We found that HQ OSCAR report recommendations were not being implemented timely at half of the hearing offices we visited. In addition, HQ was not collecting validation reports on a timely basis, which may have contributed to the lack of follow-through at the hearing offices.

Hearing Office Actions

Some of the hearing offices were not timely implementing the HQ OSCAR recommendations. We reviewed a sample of 6 OSCAR reports during April and May 2007 and found that more than 18 months after issuing these HQ OSCAR reports 3 hearing offices had not implemented 15 to 32 percent of their recommendations (see Table 4). Unimplemented recommendations related to deficiencies in a number of areas, such as (1) semiannual testing of intrusion detection systems and panic alarm systems; (2) availability of fire extinguishers; and (3) properly completing, processing and certifying leave requests.

Table 4: OSCAR Recommendations Not Implemented
| Hearing Office | HQ OSCAR Report Date | OIG Review Date | Recommendations: Total Number | Recommendations: Not Implemented | Recommendations: Percent Not Implemented |
|---|---|---|---|---|---|
| Albuquerque, New Mexico | 4/7/2005 | 4/18/2007 | 34 | 5 | 15% |
| Colorado Springs, Colorado | 9/30/2005 | 4/17/2007 | 37 | 12 | 32% |
| Downey, California | 6/3/2005 | 4/19/2007 | 17 | 0 | 0% |
| Fort Worth, Texas | 9/30/2005 | 5/30/2007 | 38 | 0 | 0% |
| Manchester, New Hampshire | 6/3/2005 | 5/31/2007 | 30 | 0 | 0% |
| Voorhees, New Jersey | 5/5/2005 | 6/5/2007 | 25 | 7 | 28% |
| Total | | | 181 | 24 | |

In Table 5, we divided these OSCAR reports' recommendations into those requiring funding and those not requiring funding to implement. We did the same with the recommendations that were not implemented. As indicated in Table 5, all three offices with unimplemented recommendations had recommendations that did not require funding. These hearing offices, at a minimum, should have implemented all the recommendations not requiring funding.

Table 5: Recommendations Requiring Funding/Not Requiring Funding
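| Hearing Offices | OSCAR Report Recommendations: Do Not Require Funding | OSCAR Report Recommendations: Require Funding | OSCAR Report Recommendations: Total | Recommendations Not Implemented: Do Not Require Funding | Recommendations Not Implemented: Require Funding | Recommendations Not Implemented: Total |
|---|---|---|---|---|---|---|
| Albuquerque, New Mexico | 32 | 2 | 34 | 5 | 0 | 5 |
| Colorado Springs, Colorado | 24 | 13 | 37 | 4 | 8 | 12 |
| Downey, California | 5 | 12 | 17 | 0 | 0 | 0 |
| Fort Worth, Texas | 20 | 18 | 38 | 0 | 0 | 0 |
| Manchester, New Hampshire | 27 | 3 | 30 | 0 | 0 | 0 |
| Voorhees, New Jersey | 23 | 2 | 25 | 6 | 1 | 7 |
| Total | 131 | 50 | 181 | 15 | 9 | 24 |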

CORRECTIVE ACTION AND VALIDATION REPORTS

As stated earlier, the OSCAR guide requires the hearing office to forward to HQ, within 90 days of issuing the corrective action report, a validation report confirming that all corrective actions have been implemented. However, HQ does not hold each hearing office to this 90-day requirement and does not require the hearing offices to forward the validation reports. Instead, HQ staff told us they follow-up periodically with each RO about its hearing offices' implementation of OSCAR recommendations.

Our earlier finding that three hearing offices had not implemented a number of recommendations indicates that the validation reports could have been useful to management. We believe that HQ should ensure components submit validation reports within the required 90 days unless the component has provided a valid reason that it is unable to do so. By the time the validation report is issued, the reviewed component should, at a minimum, ensure that all recommendations not requiring funding were implemented. Also, it may be helpful to both the hearing office and HQ if the report indicated which recommendations required funding, along with the dollar amount needed, since we believe that this would speed up the corrective action process.

ADDITIONAL STEPS

Our review found a few areas where the OSCAR guidance could be more comprehensive. We believe additional guidance related to remote hearing sites and sensitive personal data could improve oversight of the hearing offices.

Permanent Remote Hearing Sites

The current OSCAR guidance does not require a review of permanent remote hearing sites. As of June 2007, ODAR had 143 permanent remote hearing sites throughout the Nation. These remote sites are used on a regular basis by ODAR personnel and the public and may contain some of the same problems detected at hearing offices. For example, prior SSA OIG audits have found physical security weaknesses at a number of remote site locations. For this reason, we believe that permanent remote sites should undergo OSCARs and the OSCAR guide be revised accordingly.

Protection of Sensitive Data

Current hearing office OSCAR procedures did not include sufficient steps to ensure that personally identifiable information (PII) contained in SSA's automated systems is protected. Such procedures needed to be updated to provide for adequate review of handling PII contained in SSA's automated systems.

The OSCAR guide's chapter 4, Security of Automated Systems, includes procedures for reviewing SSA's automated systems and associated data at hearing offices. However, this guide was last updated in November 2004. The OSCAR guide should be updated to consider current work environments that allow some ODAR staff to work from home using an SSA-provided laptop. For example, the OSCAR guide does not include a review of procedures in place to ensure safeguarding laptop computers and/or the PII contained within the laptop computers taken outside hearing offices. In addition, the OSCAR could include a review of the digital recording laptops used to record hearings.

CONCLUSION AND RECOMMENDATIONS

Our review of the OSCAR process found a number of areas in need of improvement. For instance, ODAR has not met the 10 percent requirement over the 5-year period, though the number of HQ OSCARs performed in FY 2007 represents an encouraging development if it can continue. Lack of national coverage, combined with weak compensating controls via the RO administrative reviews and self-OSCARs, only increases the risk that hearing office problems will remain undetected. For those OSCARs performed during our audit period, the reports could have been more timely, recommendations should have been implemented, and HQ needed to track recommendation compliance. Finally, the OSCAR guide itself could be improved to reflect the way ODAR does its work, from remote hearing sites to work-at-home.

To improve the OSCAR process and increase its effectiveness, we recommend SSA:

1. Review funding priorities and ensure OSCARs are completed at all hearing offices within a 5-year period, in accordance with established policy.

2. Document Regional Office Management Reviews to the extent possible and maintain copies for the next HQ OSCAR.

3. Ensure hearing office management complete timely and accurate self-OSCARs, and provide training, as appropriate.

4. Ensure OSCAR reports are issued in a timely fashion, which includes working with appropriate SSA components to ensure any contractor(s) assisting with this process are also meeting contract specifications on report issuance.

5. Ensure hearing offices complete a validation report within 90 days of issuing the corrective action report, unless advance approval has been given for a delay.

6. Update the OSCAR guide as appropriate to reflect changes in ODAR's working environment, to include the treatment of permanent remote sites and protection of sensitive data.

AGENCY COMMENTS

SSA agreed with our recommendations and has already initiated corrective action. The full text of the agency's comments is included in Appendix E.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Sampling Methodology
APPENDIX D - Timeliness of Issuing OSCAR Reports
APPENDIX E - Agency Comments
APPENDIX F - OIG Contacts and Staff Acknowledgments

Appendix A
Acronyms

FMFIA Federal Managers' Financial Integrity Act
FY Fiscal Year
HOD Hearing Office Director
HQ Headquarters
ODAR Office of Disability Adjudication and Review
OIG Office of the Inspector General
OSCAR On-site Security Control and Audit Review
PII Personally Identifiable Information
RO Regional Office
SSA Social Security Administration

Appendix B
Scope and Methodology

To accomplish our objectives, we:
Reviewed Social Security Administration (SSA) policies and procedures, as well as prior Office of the Inspector General audits.
Reviewed the criteria pertaining to the process of On-site Security Control and Audit Reviews (OSCAR) at hearing offices.
Met with SSA staff to gain a better understanding of the OSCAR process, and to observe and note related best practices.
Reviewed the OSCAR process at hearing offices, and its administration by regional offices (RO) and the Headquarters (HQ) of the Office of Disability Adjudication and Review (ODAR).
Considered other reviews compensating to OSCARs, such as administrative reviews performed by ROs and self-OSCARs conducted by hearing offices.
Collected and analyzed data on hearing offices' OSCARs, ROs' administrative reviews of hearing offices, and hearing offices' self-OSCARs using questionnaires and matrices.
Obtained management information on all HQ OSCARS performed at hearing offices during Fiscal Years (FY) 2002, 2003, 2004, 2005 and 2006. We also obtained information on the FY 2007 HQ OSCAR process.
Collected and analyzed data related to the timeliness of issuing OSCAR reports related to OSCARs performed by ODAR's HQ and those performed by a contractor.
Selected 6 of the 33 HQ OSCARs for review and visited the hearing offices, as indicated in Appendix C, to determine whether the OSCAR follow-up process was correctly followed and that recommendations were implemented as required.

We found data used for this audit to be sufficiently reliable to meet our objectives. The entity audited was the Office of the Deputy Commissioner for Disability Adjudication and Review. We conducted our field work from December 2006 through June 2007, in Falls Church, Virginia; Boston, Massachusetts; Manchester, New Hampshire; New York, New York; Voorhees, New Jersey; Philadelphia, Pennsylvania; Dallas and Fort Worth, Texas; Albuquerque, New Mexico; Denver and Colorado Springs, Colorado; and Downey, California. We conducted this audit in accordance with generally accepted government auditing standards.

Appendix C
Sampling Methodology

The Office of Disability Adjudication and Review (ODAR) administers 140 hearing offices. During Fiscal Years 2002 through 2006, On-site Security Control and Audit Reviews (OSCAR) were performed on 70 of ODAR's 140 hearing offices. Our population totaled 33 hearing offices where Headquarters' (HQ) OSCARs were performed during our audit period. Our audit period was the 12 months starting April 1, 2005 and ending March 31, 2006.

We reviewed this 12-month population to select a judgmental sample of hearing offices in which we performed our field work. We determined our sample based on geographical coverage, funding and proximity to our audit offices. We selected six hearing offices for review as indicated in Table C-1. We also performed a walk through of the process of OSCAR planning, follow-up and recommendation implementation at the Philadelphia Regional Office and the Philadelphia East Hearing Office. In addition, we obtained information from all 10 regional offices regarding HQ OSCARs and other reviews at hearing offices.

Table C-1: Hearing Offices Reviewed
| ODAR Regions | Hearing Office Location |
|---|---|
| Region I | Manchester, New Hampshire |
| Region II | Voorhees, New Jersey |
| Region VI | Albuquerque, New Mexico |
| | Fort Worth, Texas |
| Region VIII | Colorado Springs, Colorado |
| Region IX | Downey, California |

We included the results of the review of our sample, as appropriate, in the body of the report.

Appendix D
Timeliness of Issuing OSCAR Reports
During our audit period (April 1, 2005 through March 31, 2006), 33 On-site Security Control and Audit Review (OSCAR) reports were issued; Headquarters (HQ) performed 21, while a contractor performed 12. As indicated in Table D-1, of the 21 HQ OSCAR reports, only 1 was issued within 30 days of the review completion date. It took 35 to 237 days to issue each of the remaining 20 reports, a median of 129 days and an average of 127 days for each of the 21 reports.

Table D-1: OSCARs Performed by Headquarters During the Audit Period
| | Hearing Offices | OSCAR Completion Date | OSCAR Report Issue Date | Number of Days to Issue Report |
|---|---|---|---|---|
| 1 | Portland, Maine | 11/5/2004 | 6/30/2005 | 237 |
| 2 | Manchester, New Hampshire | 11/19/2004 | 6/3/2005 | 196 |
| 3 | Fort Lauderdale, Florida | 3/18/2005 | 9/19/2005 | 185 |
| 4 | Mobile, Alabama | 12/3/2004 | 6/3/2005 | 182 |
| 5 | Macon, Georgia | 4/1/2005 | 9/19/2005 | 171 |
| 6 | Miami, Florida | 12/17/2004 | 6/6/2005 | 171 |
| 7 | Fort Worth, Texas | 4/15/2005 | 9/30/2005 | 168 |
| 8 | Sacramento, California | 2/18/2005 | 7/11/2005 | 143 |
| 9 | Pasadena, California | 1/14/2005 | 6/3/2005 | 140 |
| 10 | Seattle, Washington | 5/6/2005 | 9/19/2005 | 136 |
| 11 | Evansville, Indiana | 5/20/2005 | 9/26/2005 | 129 |
| 12 | Downey, California | 2/4/2005 | 6/3/2005 | 119 |
| 13 | Knoxville, Tennessee | 4/4/2005 | 7/21/2005 | 108 |
| 14 | Oak Park, Michigan | 6/10/2005 | 9/26/2005 | 108 |
| 15 | Albany, New York | 4/8/2005 | 7/23/2005 | 106 |
| 16 | Saint Louis, Missouri | 4/12/2005 | 7/23/2005 | 102 |
| 17 | Oklahoma City, Oklahoma | 4/22/2005 | 7/25/2005 | 94 |
| 18 | Colorado Springs, Colorado | 7/1/2005 | 9/30/2005 | 91 |
| 19 | Pittsburgh, Pennsylvania | 6/17/2005 | 7/30/2005 | 43 |
| 20 | Houston-Bissonnet, Texas | 2/15/2006 | 3/22/2006 | 35 |
| 21 | Louisville, Kentucky | 7/22/2005 | 8/1/2005 | 10 |
| | Total days | | | 2,674 |
| | Median days | | | 129 |
| | Average days | | | 127 |

As indicated in Table D-2, none of the 12 OSCAR reports issued by the contractor met the 30-day requirement. However, it took less time to issue these reports than those HQ issued. The contractor's reports were issued within 43 to 60 days of review completion date, a median of 51 days, and an average of 50 days.

Table D-2: OSCARs Performed by Contractor During the Audit Period
| | Hearing Offices | OSCAR Review Completion Date | OSCAR Report Issue Date | Number of Days to Issue Report |
|---|---|---|---|---|
| 1 | Hartford, Connecticut | 4/6/2005 | 6/5/2005 | 60 |
| 2 | Lexington, Kentucky | 4/20/2005 | 6/13/2005 | 54 |
| 3 | Voorhees, New Jersey | 4/13/2005 | 6/5/2005 | 53 |
| 4 | Kingsport, Tennessee | 4/22/2005 | 6/13/2005 | 52 |
| 5 | Albuquerque, New Mexico | 2/16/2005 | 4/8/2005 | 51 |
| 6 | Nashville, Tennessee | 4/15/2005 | 6/5/2005 | 51 |
| 7 | Eugene, Oregon | 3/16/2005 | 5/5/2005 | 50 |
| 8 | Little Rock, Arkansas | 3/2/2005 | 4/21/2005 | 50 |
| 9 | Metairie, Louisiana | 3/9/2005 | 4/28/2005 | 50 |
| 10 | Flint, Michigan | 5/4/2005 | 6/17/2005 | 44 |
| 11 | Paducah, Kentucky | 5/11/2005 | 6/24/2005 | 44 |
| 12 | Peoria, Illinois | 3/23/2005 | 5/5/2005 | 43 |
| | Total days | | | 602 |
| | Median days | | | 51 |
| | Average days | | | 50 |

Appendix E
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date: September 24, 2007

To: Patrick P. O'Carroll, Jr.
Inspector General

From: David V. Foster
Chief of Staff

Subject: Office of the Inspector General (OIG) Draft Report, "Onsite Security Control and Audit Review at Hearing Offices" (A-12-07-17080)-INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the recommendations are attached.

Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at 410 965-4636.

SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "ONSITE SECURITY CONTROL AND AUDIT REVIEW AT HEARING OFFICES" (A-12-07-17080)

Thank you for the opportunity to review and provide comments on this draft report. We recognize the importance of complying with the Onsite Security Control and Audit Review (OSCAR) program which was designed to satisfy the requirements stated in the Federal Managers' Financial Integrity Act. We appreciate that the report notes our efforts to address deficiencies in the Office of Disability Adjudication and Review's (ODAR) Management Control Review (MCR) process from fiscal year (FY) 2002 - FY 2004. In addition, it cites our positive movement forward as ODAR transitioned from conducting management reviews of hearing offices to the formal OSCAR process. Although the report covers the last 5 years (FY 2002 - FY 2006), it accurately notes that ODAR did not begin conducting OSCARs as its main MCR activity until late FY 2004. During the period covered by the report, ODAR conducted an internal review known as the Hearing Office Management Process Review (HOMPR), also known as a "self-OSCAR." The HOMPR results were not documented in writing. Rather, they were conveyed verbally to hearing and regional office management teams, limiting our ability to track and follow through on the findings. Within this context, we acknowledge the need to continue our efforts to maintain and improve ODAR's OSCAR process. Our responses to the specific recommendations are as follows.

Recommendation 1

Review funding priorities and ensure OSCARs are completed at all hearing offices within a 5 year period, in accordance with established policy.

Comment

We agree. We will ensure that OSCARs are completed at all hearing offices within the 5 year period.

Recommendation 2

Document Regional Office Management Reviews to the extent possible and maintain copies for the next Headquarters' OSCAR.

Comment

We agree. We plan to issue an appropriate reminder to our regional management teams by January 31, 2008 and will maintain copies of the next Headquarters' OSCAR.

Recommendation 3

Ensure hearing office management complete timely and accurate self-OSCARs, and provide training, as appropriate.

Comment

We agree. We plan to provide training by February 28, 2008, as appropriate, to ensure that hearing office management completes timely and accurate self-OSCARs.

Recommendation 4

Ensure OSCAR reports are issued in a timely fashion, which includes working with appropriate SSA components to ensure any contractor(s) assisting with this process are also meeting contract specifications on report issuance.

Comment

We agree. We will ensure that ODAR OSCAR reports are issued in a timely fashion. We will work with the appropriate component responsible for ensuring the performance of any contractor approved to assist with the OSCAR process.

Recommendation 5

Ensure hearing offices complete a validation report within 90 days of issuing the corrective action report, unless advance approval has been given for a delay.

Comment

We agree. By January 31, 2008, we will issue an appropriate reminder to our regional and HO management teams to ensure the completion of a validation report within 90 days of the issuance of the corrective action report, unless advance approval has been given for a delay.

Recommendation 6

Update the OSCAR Guide as appropriate to reflect changes in ODAR's working environment, to include the treatment of permanent remote sites and protection of sensitive data.

Comment

We agree. We are reviewing and expect to revise our ODAR OSCAR protocol and guide by December 31, 2007. This review of our OSCAR process will reflect the reorganization of ODAR Headquarters as a Deputy Commissioner-level component. In addition, we will address the extent to which we can include our permanent remote sites in the OSCAR process, keeping in mind that any such review will be an abbreviated version. Our review will also reflect ODAR's effort to maintain and improve the Agency-wide effort to protect sensitive data.

Appendix F
OIG Contacts and Staff Acknowledgments
OIG Contacts
Walter Bayer, Director, Philadelphia Audit Division, (215) 597-4080
Michael Maloney, Audit Manager, Falls Church Audit Office, (703) 578-8844
Acknowledgments
In addition to those named above:
Ehab Bestawrose, Auditor-in-Charge
Yaquelin Lara, Auditor
Mary Dougherty, Senior Auditor
David Mazzola, Audit Manager
Toni Paquette, Program Analyst
Denise Molloy, Senior Analyst
Joshua Campos, Auditor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-12-07-17080.

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Resource Management (ORM). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Resource Management
ORM supports OIG by providing information resource management and systems security. ORM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, ORM is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.