A-07-02-32035 Alternate Format

SOCIAL SECURITY

MEMORANDUM

Date: September 20, 2002

To: The Commissioner

From: Inspector General

Subject: Summary of Single Audit Oversight Activities (A-07-02-32035)

The attached final Management Advisory Report presents a summary of internal control weaknesses at State Disability Determination Services reported in State single audits and identified during our October 2000 through April 2002 single audit oversight activities.

Please comment within 60 days from the date of this memorandum on corrective action taken or planned on each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

James G. Huse, Jr.

OFFICE OF

THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

SUMMARY OF SINGLE AUDIT

OVERSIGHT ACTIVITIES

OCTOBER 2000

THROUGH

APRIL 2002

September 2002

A-07-02-32035

MANAGEMENT ADVISORY REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.

Promote economy, effectiveness, and efficiency within the agency.

Prevent and detect fraud, waste, and abuse in agency programs and operations.

Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.

Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.

Access to all information necessary for the reviews.

Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.

Executive Summary

OBJECTIVE

BACKGROUND

On July 5, 1996, the President signed the Single Audit Act Amendments of 1996, Public Law No. 104-156. The Amendments extended the statutory audit requirement to nonprofit organizations and revised various provisions of the 1984 Single Audit Act, including raising the Federal financial assistance dollar threshold for requiring an audit from $100,000 to $300,000. On June 30, 1997, the Office of Management and Budget issued revised Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations to implement the 1996 amendments. The revised Circular A-133 was effective July 1, 1996 and applies to audits of fiscal years (FY) beginning after June 30, 1996. This Circular requires non-Federal entities that expend $300,000 or more per year in Federal awards to have a single or program-specific audit conducted for that year.

The Social Security Administration (SSA) is responsible for the policies on developing disability claims under the Disability Insurance (DI) and Supplemental Security Income (SSI) programs. In accordance with Federal regulations, the DDS in each State generally performs disability determinations under the DI and SSI programs. In carrying out this function, the DDS is responsible for determining claimants’ disabilities and ensuring that adequate evidence is available to support its determinations. SSA reimburses the DDS for 100 percent of allowable expenditures. There are a total of 54 DDSs in the 50 States, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands. All DDSs are subject to single audit coverage except the federally adm inistered Virgin Islands DDS.

RESULTS OF REVIEW

We reviewed 103 single audits covering State fiscal year (SFY) operations at 53 DDSs (1 SFY 1997 single audit, 1 SFY 1998 single audit, 51 SFY 1999 single audits, and 50 SFY 2000 single audits). We compiled and categorized the audit findings as direct or crosscutting. Direct findings are those specifically identified to the DDS. Crosscutting findings impact more than one Federal program; however, they may not be identified to any one Federal program or may not be identified to all Federal programs. Our review disclosed common direct and crosscutting findings in the categories of cash management, equipment and real property management, and allowable costs. We also identified crosscutting findings in procurement and reporting categories. All the findings relate to DDS’ noncompliance with Federal requirements because of internal control weaknesses. Of the 103 single audits, 25 reported direct findings, and 89 reported crosscutting findings (see Appendix A).

Our review of the 25 single audits with direct findings disclosed:

non-adherence to Cash Management Improvement Act (CMIA) agreements,
weaknesses in computer controls,
weaknesses in equipment inventory,
costs that were not properly authorized and documented, and
improper accounting and reporting of non-SSA work costs.

We conduct audits of DDS administrative costs. Our recent audits of the Oregon, Connecticut and Arizona DDSs disclosed findings in the cash management, procurement, equipment and real property management, reporting, and allowable costs categories. These findings relate to DDS’ noncompliance with Federal requirements because of internal control weaknesses. Appendix D summarizes our findings.

A comparison of the Oregon, Connecticut, and Arizona DDS single audit findings and audits for the same reporting period disclosed significant differences. We reported our findings on incorrect FY payments, excess cash draws, inconsistent accounting obligations, inadequate computer access and security controls, missing inventory records, inaccurate and inconsistent reporting, and unreasonable medical fees. The single audits for Oregon, Connecticut, and Arizona did not report these findings. We present this comparison for informational purposes only. We will report our comparison to the cognizant Federal agency, the Department of Health and Human Services, in a separate management letter for any action it deems appropriate.

CONCLUSIONS AND RECOMMENDATIONS

The first five recommendations listed below were presented to SSA in our prior single audit summary report. Therefore, SSA should not consider these new recommendations for its audit recommendation tracking system. We do, however, reaffirm our position that SSA should take corrective action by being proactive in providing internal control guidance to DDSs. To do so, SSA should provide the following instructions to DDSs.

Adhere to the terms of the CMIA agreement.

Implement controls to prevent unauthorized computer access.

Develop a formal contingency plan to be followed in the event of a disaster that adversely affects operations.

Maintain complete and accurate equipment inventory records and perform periodic physical inventories.

Ensure that costs charged to SSA benefit its programs and are properly authorized and documented.

Implement controls to ensure that non-SSA work costs are properly accounted for and reported.

AGENCY COMMENTS

In response to our draft report, SSA agreed with all of our recommendations and outlined the corrective action taken on each recommendation. See Appendix E for the full text of SSA's comments to our draft report.

Table of Contents

Page

INTRODUCTION 1

RESULTS OF REVIEW 5

Cash Management 5

Equipment and Real Property Management 7

Computer Controls 7

Property Controls 8

Allowable Costs 9

Comparison of Single Audit and OIG Findings 12

Oregon DDS 12

Connecticut DDS 13

Arizona DDS 13

CONCLUSIONS AND RECOMMENDATIONS 14

APPENDICES

APPENDIX A – Summary of Single Audit Findings

APPENDIX B – Direct Findings Reported in 25 Single Audits

APPENDIX C – Crosscutting Findings Reported in 89 Single Audits

APPENDIX D – Findings We Identified During the Same Time Frame as the

Single Audits Reviewed

APPENDIX E – Agency Comments

APPENDIX F – OIG Contacts and Staff Acknowledgments

Acronyms

AIF Automated Investment Funds
AIS Automated Information Systems
CMIA Cash Management Improvement Act
DDS Disability Determination Services
DES Department of Economic Security
DHS Department of Human Services
DI Disability Insurance
DLES Department of Labor and Employment Security
DPHHS Department of Public Health and Human Services
DoE Department of Education
DoF Department of the Family
DRS Department of Rehabilitation Services
DSS Department of Social Services
DVR Division of Vocational Rehabilitation
EDP Electronic Data Processing
EIS Equipment Inventory System
FY Fiscal Year
LAE Limitation on Administrative Expenses
OIG Office of the Inspector General
OMB Office of Management and Budget
POMS Program Operations Manual System
SEFA Schedule of Expenditures of Federal Awards
SFY State Fiscal Year
SSA Social Security Administration
SSI Supplemental Security Income

Introduction

OBJECTIVE

Our objective was to summarize categories of internal control weaknesses at State Disability Determination Services (DDS) reported in State single audits and identified during our single audit oversight activities. To accomplish our objective, we reviewed 103 single audits covering 53 DDSs and categorized findings that were identified as directly affecting DDS operations and crosscutting findings that potentially affect DDS operations. Of the 103 single audits, 25 reported direct findings and 89 reported crosscutting findings. Appendix A lists the 103 single audits reviewed and identifies those with direct and/or crosscutting findings.

BACKGROUND

Single Audit Act

On July 5, 1996, the President signed the Single Audit Act Amendments of 1996, Public Law No. 104-156. The Amendments extended the statutory audit requirement to nonprofit organizations and revised various provisions of the 1984 Single Audit Act, including raising the Federal financial assistance dollar threshold for requiring an audit from $100,000 to $300,000. On June 30, 1997, the Office of Management and Budget (OMB) issued revised Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, to implement the 1996 amendments. The revised Circular A-133 was effective July 1,1996 and applies to audits of fiscal years (FY) beginning after June 30, 1996. This Circular requires non-Federal entities that expend $300,000 or more per year in Federal awards to have a single or program-specific audit conducted for that year.

State DDSs

The Disability Insurance (DI) program was established in 1954 under title II of the Social Security Act to provide benefits to disabled wage earners and their families. In 1972, Congress enacted the Supplemental Security Income (SSI) program, to provide income and disability coverage to financially needy individuals who are aged, blind and/or disabled.

The Social Security Administration (SSA) is responsible for the policies on developing disability claims under the DI and SSI programs. According to Federal regulations, the DDS in each State generally performs disability determinations under the DI and SSI programs. In carrying out this function, the DDS is responsible for determining claimants’ disabilities and ensuring that adequate evidence is available to support its determinations. In those limited instances where SSA makes disability determinations, regulations provide that each State agency will obtain and furnish medical or other evidence and provide assistance as may be necessary for SSA to carry out its responsibility for making such determinations. SSA reimburses the DDS for 100 percent of allowable expenditures. There are a total of 54 DDSs in the 50 States, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands.

Each DDS is managed by a State parent agency, which administers other State and Federal programs. There are also other agencies within the State that administer various aspects of Federal programs, such as cash draws and electronic data processing.

Direct and Crosscutting Findings

In conducting single audits, the auditor uses a risk-based approach to determine which Federal programs will receive audit coverage. The single audit also includes an audit of the State’s financial statements. The two parts of the single audit identify direct or crosscutting findings.

Direct findings are specifically identified to the Federal programs they affect. The direct SSA findings are identified in single audits by Catalog of Federal Domestic Assistance number 96. The single audits also report findings that impact more than one Federal program, referred to as crosscutting. However, crosscutting findings may not be identified to any one Federal program or may not be identified to all Federal programs. Thus, the auditor may not be in a position to identify findings for SSA-funded programs because of the limited scope of the single audit. While crosscutting findings are not specifically identified to SSA, they could impact DDS operations.

SCOPE AND METHODOLOGY

We reviewed 103 single audits as well as their related recommendations and auditee responses. Of the 103 single audits, 25 reported direct findings related to DDSs. These findings, questioned costs, and related recommendations were previously reported on a State-by-State basis to SSA’s Management Analysis and Audit Program Support Staff for resolution. In addition, 89 of the 103 single audits reported crosscutting findings that could possibly affect DDS operations. To identify crosscutting findings, we reviewed all findings reported for the State agency that managed the DDS and State agencies that performed functions for the DDS.

We also reviewed relevant provisions of the:

Single Audit Act Amendments of 1996, revised OMB Circular A-133, and OMB Circular A-133, Compliance Supplement (March 2000 revision);

OMB Uniform Administrative Requirements for Grants and Cooperative Agreements to State and Local Governments (Common Rule);

OMB Circular A-87, Cost Principles for State, Local and Indian Tribal Governments;

Title II and title XVI of the Social Security Act;

Program Operations Manual System (POMS) instructions;

Cash Management Improvement Act (CMIA) of 1990;

SSA Systems Security Handbook; and

Office of the Inspector General (OIG) administrative cost audit reports for the Oregon, Connecticut, and Arizona DDSs.

The Compliance Supplement identifies seven types of compliance requirements auditors should consider for the SSA programs in performing single audits. Our review of the 103 single audits identified common direct findings in 3 of the categories: cash management, equipment and real property management, and allowable costs. In addition to these categories, we identified crosscutting findings in the procurement and reporting categories. This report presents the findings by the related Compliance Supplement category.

Results of Review

Our analysis of the findings in 103 single audit reports disclosed direct and crosscutting findings in the cash management, equipment and real property management, and allowable cost categories. We also identified crosscutting findings in the procurement and reporting categories. All the findings relate to DDS’ noncompliance with Federal requirements because of a lack of adequate internal controls. Appendix B summarizes the 25 single audits with direct findings by DDS. Appendix C summarizes the 89 single audits with crosscutting findings by DDS.

Our audits at the Oregon, Connecticut, and Arizona DDSs disclosed findings in the cash management, procurement, equipment and real property management, reporting, and allowable cost categories. These findings also relate to DDS’ noncompliance with Federal requirements because of internal control weaknesses. Appendix D summarizes our audit findings.

In our opinion, a comparison of the Oregon, Connecticut, and Arizona DDS findings in the single audits and the OIG audits for the same reporting period disclosed significant differences. We reported findings on incorrect FY payments, excess cash draws, inconsistent accounting obligations, inadequate computer access and security controls, missing inventory records, inaccurate and inconsistent reporting, and unreasonable medical fees. The single audits for Oregon, Connecticut, and Arizona did not report these findings. We present this comparison for informational purposes only. We will report our comparison to the cognizant Federal agency, the Department of Health and Human Services, in a separate management letter for any action it deems appropriate.

CASH MANAGEMENT

The Congress enacted the CMIA of 1990 to ensure efficiency, effectiveness, and equity in transferring funds between the States and the Government. This Law requires the Government to enter into an agreement with States covering applicable Federal programs and to establish procedures and requirements for transferring Federal funds.

The CMIA requires the States to minimize the time between the receipt and disbursement of Federal funds and generally allows the Government to charge interest when a State receives Federal funds in advance of disbursements. The CMIA also generally allows the States to charge interest when State funds are paid out for Federal programs before Federal funds are made available. The States are supposed to calculate Federal and State interest liabilities for each applicable program and report liabilities to the Federal Government on the Annual Report to the U.S. Department of the Treasury.

Without cash management controls, States cannot identify and assess allowable cash needs. Without proper internal controls, DDSs may draw cash in excess of allowable expenditures.

Seven single audits reported direct findings related to States not adhering to CMIA agreements.

The Alabama Department of Education (DoE) did not draw funds in accordance with the funding techniques specified in the CMIA agreement, and the dates posted in the accounting system and used to compute interest liabilities were incorrect (SFY 1999).

The Colorado Department of Human Services (DHS) did not follow draw patterns prescribed in the CMIA agreement. In addition, the CMIA agreement included programs that were not required and omitted programs that were required (SFY 2000).

The Illinois DHS understated interest liabilities due the Government by $69,219, of which $12,994 related to SSA (SFY 1999).

The Oklahoma Department of Rehabilitation Services (DRS) did not maintain documentation to support cash draws, and funds were not drawn based on the time frame established in the CMIA agreement (SFY 2000).

The Puerto Rico Department of the Family (DoF) drew cash of $939,771 without required documentation showing it was needed to pay immediate expenditures. Our discussions with the Public Accounting Firm that conducted the audit disclosed that DoF told the auditor the accounting records were adjusted to ensure the $939,771 cash draw did not result in excess FY cash draws. However, DoF did not provide evidence of the adjustment to the auditor upon request, which resulted in the auditor questioning the costs (SFY 1997).

The Rhode Island DHS drew funds earlier than permitted by the terms of the CMIA agreement because there were no controls to monitor cash needs (SFYs 1999 and 2000).

The State audits identified similar crosscutting cash management findings in 29 single audits (see Appendix C).

EQUIPMENT AND REAL PROPERTY MANAGEMENT

Computer Controls

DDSs operate computer systems critical to the administration of SSA’s disability programs. These systems issue payments for administrative expenses and contain confidential claimant information, including Social Security numbers. SSA requires DDSs to develop, distribute, and implement a formal computer security policy addressing the confidentiality of sensitive information, data integrity, and authorized access to information.

A DDS’ computer security policy should identify computer access controls to ensure only authorized users access the system. Access controls include the use of personal identification numbers to identify users, passwords to authenticate the user’s identity, and profiles to specify the functions users can perform. Without proper access controls, the DDS is vulnerable to such security risks as the unauthorized use or sale of personal information and identity theft. Accidental or intentional modifications to confidential and sensitive information can adversely affect the quality of services and lead to unauthorized and inaccurate disbursements.

SSA’s Systems Security Handbook instructs DDSs to make every reasonable effort to avoid disruption of critical applications processed by automated data files and automated information systems (AIS) facilities. Furthermore, a DDS must also minimize, and be prepared to recover from, any disruption that occurs. Contingency plans should be documented as part of a DDS’ overall AIS security program. The lack of a contingency plan could cause a disruption of DDS claims processing and result in poor service to disability claimants.

Seven single audits disclosed direct findings related to weaknesses in computer controls, as follows.

The Alabama DoE had not developed a formal contingency plan to be followed in the event of a disaster that adversely affects the operations of its in-house data processing center (SFY 1999). DoE subsequently developed a plan; however, the SFY 2000 single audit reported that the contingency plan was not communicated to personnel responsible for execution of the plan, and had not been adequately updated and tested.

In addition, policies and procedures for systems (1) development and maintenance were informal and did not provide appropriate segregation of duties among data processing personnel and (2) access by users and data processing personnel were inadequate (SFY 2000).

The Kentucky DDS did not have formal policies and procedures to control its Wang system program modifications. Specifically, there was no segregation of duties between the DDS’s systems support and program control personnel (SFY 1999).

Some Minnesota Department of Economic Security (DES) employees had inappropriate access to mainframe data. In addition, the DES did not properly maintain its security infrastructure (SFY 2000).

A disaster recovery plan had not been designed or tested for the new accounting system for the New Mexico DoE, Division of Rehabilitation (SFYs 1999 and 2000).

The Oklahoma DRS did not have (1) procedures in place to ensure that only authorized personnel had appropriate access to mainframe data, (2) a fire suppression system in its computer room, and (3) a disaster recovery plan to be followed in the event of a disaster that adversely affects operations (SFY 2000).

Similar crosscutting computer systems and applications findings were identified in 30 single audits (see Appendix C).

Property Controls

The DDSs are responsible for maintaining, labeling, and inventorying all property they acquire or that SSA furnishes it to perform the disability determination function. Inventory records of equipment must include (1) an item description, (2) source of funds used in the purchase, (3) unit cost, (4) inventory or serial number, (5) date purchased, and (6) physical location, including building address and room or floor location. The lack of proper controls over inventory could result in misappropriation or improper disposition of property acquired with Federal funds.

Five single audits identified direct findings related to weaknesses in equipment inventory.

The Georgia Department of Human Resources did not follow established inventory maintenance guidelines (SFY 2000).

The Puerto Rico DoF did not reconcile physical inventory results with the accounting records or maintain accurate records for acquisitions and dispositions of property acquired with SSA funds (SFYs 1997 and 1998).

The Rhode Island DHS did not have a state-wide inventory system for fixed assets (SFYs 1999 and 2000). In addition, there were no procedures to ensure compliance regarding the use, management, and disposition of equipment (SFY 2000).

Similar crosscutting property control findings were identified in 18 single audits (see Appendix C).

ALLOWABLE COSTS

Allowable costs must be reasonable and necessary for proper and efficient performance and administration of Federal awards. A cost is allocable to a program or department if the goods or services involved are charged or assigned in accordance with benefits received. A cost may not be assigned to a Federal award as a direct cost if any other cost incurred for the same purpose was allocated to the Federal award as an indirect cost. To recover indirect costs, the organization must prepare cost allocation plans or indirect cost rate proposals in accordance with guidelines provided in OMB Circulars. Costs must be net of all applicable credits that result from transactions reducing or offsetting direct or indirect costs.

Internal control directives require that non-Federal entities receiving Federal awards maintain effective control and accountability for funds and assets purchased with such funds. Transactions should be properly recorded, accounted for, and executed in compliance with applicable laws, regulations and the provisions of contracts or grant agreements that could have a direct and material effect on a Federal program. Also, funds, property, and other assets should be safeguarded against loss from unauthorized use or disposition.

The absence of controls over goods and services charged to Federal awards results in the risk of misappropriation or misuse of funds. In addition, unallowable activities or costs could be charged to a Federal program and not be detected in a timely manner if proper internal controls are not in place to ensure that costs benefit the program and are properly authorized and documented.

Nineteen single audits reported direct findings related to inadequate internal controls over allowable costs.

The Alabama DoE did not have certifications to document that its employees worked solely on SSA's disability programs, as required by OMB Circular A-87 (SFY 1999).

The Arizona DES’ cost allocation plan did not include all equipment purchases in the allocation base. As a result, costs were not properly allocated to Federal programs (SFY 1999).

The Florida Department of Labor and Employment Security (DLES) inappropriately charged SSA $151,005 for payments of accumulated leave of terminated or retired employees. The payments should have been allocated as an administrative expense to all DLES activities, as required by OMB Circular A-87. In addition, $22,607 in salary costs for a DDS employee who performed non-SSA work were inappropriately charged to SSA (SFY 2000).

The Illinois DHS inappropriately charged SSA $90,000 for personnel and other costs in support of non-SSA work because there was no approved cost allocation methodology and Memorandum of Understanding (SFY 1999). In addition, the Illinois DDS did not maintain supporting documentation for payroll costs for employees who worked solely on the disability program (SFY 2000). The auditor could not determine the costs inappropriately charged to SSA.

The Michigan DDS did not maintain supporting documentation for payroll costs for employees who worked solely on the disability program. This resulted in questioned costs of $2,809 and $6,377 (SFYs 1999 and 2000).

The Mississippi DRS did not have a system in place to adequately document the personnel costs charged to Federal programs. In addition, personnel costs of DDS employees who performed non-SSA work were inappropriately charged to SSA. However, the State auditor did not determine the amount of these unallowable charges (SFY 1999).

The Montana Department of Public Health and Human Services’ (DPHHS) financial management control structure was not adequate to prevent or detect all errors. Therefore, the DPHHS could not ensure payments were made for allowable purposes. Specifically, inefficient transaction processing did not support Federal reporting or an accurate allocation of costs between State and Federal programs or prevent discrepancies between the State’s primary accounting system and its subsystems (SFY 1999).

The New Mexico DDS's accounting system's design did not allow a reconciliation of DDS encumbrances and related expenditures with the State's accounting system (SFYs 1999 and 2000).

The New York Department of Social Services, Office of Temporary and Disability Assistance (1) inappropriately charged SSA $475,785 for non-SSA, work-related activities (SFY 1999); (2) inappropriately charged non-SSA programs $760,211 for SSA work-related activities (SFY 2000); (3) did not follow cost allocation methodology procedures set forth in OMB Circular A-87 (SFYs 1999 and 2000); (4) did not charge parking costs of $1,700 to various Federal programs in accordance with OMB Circular A-87 (SFY 1999); (5) incorrectly recorded employee salaries of $158,201 and $4,263 in the State’s payroll system because of errors in employee timesheets (SFYs 1999 and 2000); (6) did not maintain documentation to support a $38,129 expenditure (SFY 2000); and (7) did not properly authorize a $1,785 expenditure (SFY 2000).

The Puerto Rico DoF (1) paid an employee $725 above the authorized salary (SFY 1997); (2) did not maintain supporting documentation for expenditures of $753,217, $170,768, and $4,214,001 (SFYs 1997 through 1999); (3) did not maintain documentation to support expenditure amounts to test the base used for indirect costs (SFYs 1998 and 1999); (4) claimed expenditures on the Financial Status Reports that were $899,764 greater than amounts recorded in the general ledger (SFY 1999); and (5) did not compare expenditures with budgeted amounts before disbursing Federal funds of $172,354 (SFY 1999).

The Rhode Island DHS allocated central service costs to various Federal programs, including SSA’s Disability programs, based on an estimated amount. Once actual amounts were available, DHS adjusted current year charges to account for the overcharge in previous FYs (SFY 2000).

The West Virginia DoE, Division of Rehabilitation Services, inappropriately charged $1,552,922 in indirect costs to SSA (SFY 2000).

SSA might have reimbursed the Wisconsin Division of Vocational Rehabilitation (DVR) for client rehabilitation services based on incorrect administrative costs. The State auditors could not determine how SSA’s reimbursement amount was calculated because DVR did not retain the supporting documentation (SFY 2000).

Crosscutting weaknesses related to allowable costs were disclosed in 62 single audits. The findings were in the following areas.

Payroll costs charged to Federal programs were not supported by time and attendance records. In addition, payroll costs were charged to Federal programs on which employees did not work.

Obligations were not liquidated within the established time limits, items were not reconciled timely, and expenditures were not claimed within the period of availability.

Indirect costs were not properly authorized, included costs charged directly to Federal programs, and were not equitably distributed to Federal programs.

Direct costs charged to Federal programs were not properly authorized, reviewed, documented, or recorded.

COMPARISON OF SINGLE AUDIT AND OIG FINDINGS

SSA OIG conducts audits of claims by DDSs for administrative costs based on the frequency of prior audits as well as annual referrals by SSA’s Office of Disability. Starting in FY 2002, we increased our audit coverage to provide for a more timely and effective review of administrative costs. We based this schedule on the following factors: (1) past administrative audits, (2) amount of costs, and (3) suggestions made by SSA. The audit frequency, based on total administrative costs incurred, is as follows.

Annual Administrative Cost Incurred by DDS	Audit Frequency
Over $50 million	Every 3 years
$20 to $50 million	5 to 7 years
Under $20 million	7 to 10 years

The objectives of the audits are to determine whether (1) expenditures and obligations are properly authorized and disbursed, (2) Federal funds drawn agree with total expenditures, and (3) internal controls over the accounting and reporting of administrative costs are adequate.

We performed administrative cost audits at the Oregon, Connecticut, and Arizona DDSs covering the same SFYs as the single audits discussed in this report. Our comparison of the direct single audit findings and OIG findings disclosed notable differences. Our findings were not identified in the single audits and therefore are discussed below.

Oregon DDS

Our audit of the Oregon DDS covered the period October 1995 through September 1998 and included any subsequent financial activities that affected those FYs as of December 31, 1999. The audit identified expenditures for rental payments reported in the wrong FY and excess cash draws (see Appendix D). The single audit did not report any direct findings for the Oregon DDS.

Connecticut DDS

Our audit of the Connecticut DDS covered the period October 1996 through September 1999, as reported to SSA as of December 31, 1999. The audit identified (1) expenditures reported in the wrong FY, (2) an unapproved office lease, and (3) weak computer security and access controls (see Appendix D). The single audit did not report any direct findings for the Connecticut DDS.

Arizona DDS

Our audit of the Arizona DDS covered the period October 1995 through September 1998 and included any subsequent financial activities that affected those FYs as of June 30, 1999. The audit identified (1) inconsistent accounting and reporting of obligations, (2) missing inventory records, and (3) unreasonable medical fees (see Appendix D). The single audit identified problems related to allowable costs (see Appendix B).

Conclusions and Recommendations

Adhere to the terms of the CMIA agreement.

Implement controls to prevent unauthorized computer access.

Develop a formal contingency plan to be followed in the event of a disaster that adversely affects operations.

Maintain complete and accurate equipment inventory records and perform periodic physical inventories.

Ensure that costs charged to SSA benefit its programs and are properly authorized and documented.

Implement controls to ensure that non-SSA work costs are properly accounted for and reported.

AGENCY COMMENTS

Appendices

Appendix A

Summary of Single Audit Findings

State	State Fiscal Year	Direct Findings					Crosscutting Findings
State	State Fiscal Year	Cash Management	Procurement	Equipment/Real Property Management	Reporting	Allowable Costs	Cash Management	Procurement³	Equipment/Real Property Management⁴	Reporting⁵	Allowable Costs
Alabama	1999/2000	X		X		X			X
Alaska	1999/2000									X	X
Arizona	1999/2000					X			X	X	X
Arkansas	1999/2000
California	1999/2000						X			X
Colorado	1999/2000	X				X				X	X
Connecticut	1999/2000						X	X	X		X
Delaware	1999/2000						X			X
District of Columbia	1999						X
Florida	1999/2000					X	X				X
Georgia	1999/2000			X					X
Guam	1999/2000						X	X	X	X	X
Hawaii	1999/2000								X	X	X
Idaho	1999/2000						X				X
Illinois	1999/2000	X			X	X			X		X
Indiana	1999/2000
Iowa	1999/2000								X
Kansas	1999/2000									X	X
Kentucky	1999/2000			X			X		X	X	X
Louisiana	1999/2000						X	X	X		X
Maine	1999/2000						X			X	X
Maryland	1999/2000						X		X	X
Massachusetts	1999/2000						X	X		X	X
Michigan	1999/2000				X	X					X
Minnesota	1999/2000			X					X		X
Mississippi	1999/2000					X	X		X		X
Missouri	1999/2000										X
Montana	1998/1999					X	X		X	X	X
Nebraska	1999/2000										X
Nevada⁷	1999/2000
New Hampshire	1999/2000						X	X			X
New Jersey	1999/2000							X
New Mexico	1999/2000			X		X					X
New York	1999/2000		X			X				X	X
North Carolina	1999/2000						X	X	X	X	X
North Dakota	1999/2000									X	X
Ohio	1999/2000						X	X	X	X	X
Oklahoma	1999/2000	X		X							X
Oregon	1999/2000										X
Pennsylvania	1999/2000							X	X	X
Puerto Rico	1997/1998/1999	X		X		X	X	X	X	X	X
Rhode Island	1999/2000	X		X		X		X	X	X	X
South Carolina	1999/2000									X	X
South Dakota	1999/2000									X	X
Tennessee	1999/2000								X		X
Texas	1999/2000						X
Utah	1999/2000						X	X			X
Vermont	1999/2000								X	X	X
Virginia	1999/2000								X		X
Washington	1999/2000									X	X
West Virginia	1999/2000					X					X
Wisconsin	1999/2000					X			X		X
Wyoming⁷	1999/2000

Note: See page A-1 for explanation of footnotes 1 through 7.

Appendix B

Direct Findings Reported in 25 Single Audits

STATE	DIRECT FINDINGS	QUESTIONED COSTS
Alabama 1999	The parent agency for the Alabama Disability Determination Services (DDS), the Department of Education (DoE), had not developed a formal contingency plan to be followed in the event of a disaster that adversely affects the operations of its in-house data processing center.	$0
	The DoE did not draw funds in accordance with the funding techniques specified in the Cash Management Improvement Act (CMIA) agreement.	$0
	The dates posted in DoE's accounting system, and used to compute interest liabilities, were incorrect.	$0
	The DoE did not have certifications to document that employees worked solely on the Social Security Administration's (SSA) disability programs, as required by Office of Management and Budget (OMB) Circular A-87.	$0
Alabama 2000	The DoE had informal policies and procedures for systems development and maintenance and did not provide appropriate segregation of duties among data processing personnel.	$0
	The DoE did not have adequate internal control policies and procedures for preventing unauthorized systems access by users and data processing personnel.	$0
	The DoE did not communicate the contingency plan to be followed in the event of a disaster that adversely affects operations to personnel responsible for execution of the plan and did not adequately update and test the plan.	$0
Arizona 1999	The cost allocation plan for the parent agency of the Arizona DDS, the Department of Economic Security (DES), did not include all equipment purchases in the allocation base. As a result, costs were not properly allocated to Federal programs.	$0
Colorado 2000	The parent agency for the Colorado DDS, the Department of Human Services (DHS), did not make timely payments to providers who perform medical examinations of disability claimants. Fifty-three percent of payments tested were made 45 or more days after DDS staff received the invoice.	$0
	The DHS did not draw funds in accordance with terms of the CMIA agreement.	$0
	The CMIA agreement included programs that were not required and omitted programs that were required.	$0
Florida 2000	Salary costs for a DDS employee who performed non-SSA work were inappropriately charged to SSA.	$22,607
	Payments for accumulated leave of terminated or retired employees were inappropriately charged to SSA. The payments should have been allocated as an administrative expense to all activities of the DDS' parent agency, the Department of Labor and Economic Security.	$151,005
Georgia 2000	The parent agency for the Georgia DDS, the DHS, did not follow established guidelines for maintaining equipment inventory.	$0
Illinois 1999	The Illinois DDS did not have an approved Memorandum of Understanding with SSA outlining the specifics of its non-SSA work. Furthermore, the DDS did not have a methodology for allocating costs of the non-SSA work between the State and Federal program.	$90,000
	The Illinois DDS did not submit the State Agency Report of Obligations, Time Report of Personnel Services, Monthly Obligation Report, and Cost-Effective Measurement System reports to SSA in the required time frames.	$0
	The parent agency for the Illinois DDS, the DHS, understated the CMIA interest liabilities due to the Federal Government.	$12,994
Illinois 2000	DHS did not have a certification process in place to verify that DDS employees worked solely on SSA’s disability programs as required by OMB Circular A-87.	$0
Kentucky 1999	The Kentucky DDS did not have formalized policies and procedures in place to control its Wang system program modifications. Specifically, a lack of segregation of duties existed between the DDS’ systems support and program control personnel.	$0
Michigan 2000	On the Schedule of Expenditures of Federal Awards, the Michigan DDS’ parent agency, the Family Independence Agency, did not list the Disability Insurance (DI) program, Catalog of Federal Domestic Assistance number 96.001, as an individual grant of the DI/Supplemental Security Income cluster and did not report the correct Federal assistance program title for the DI program.	$0
	The DDS did not have certifications to document that 4 of 13 sampled employees worked solely on SSA’s disability programs.	$9,186
Minnesota 2000	Some employees at the DES, the parent agency for the Minnesota DDS, had inappropriate access to mainframe data.	$0
	DES did not properly maintain its security infrastructure.	$0
Mississippi 1999	Personnel costs of DDS employees who performed non-SSA work were inappropriately charged to SSA.	$0
	The parent agency for the Mississippi DDS, the Department of Rehabilitation Services (DRS), did not have a system in place to adequately document the personnel costs charged to Federal programs.	$0
Montana 1999	The parent agency for the Montana DDS, the Department of Public Health and Human Services’ (DPHHS), did not have a financial management control structure adequate to prevent or detect all errors. Therefore, DPHHS could not ensure payments were made for allowable purposes. Specifically, DPHHS’ inefficient transaction processing did not accurately support Federal reporting, demonstrate accurate allocation of costs between State and Federal programs, and prevent discrepancies from existing between the State’s primary accounting system and DPHHS’ subsystems.	$0
New Mexico 1999	The new accounting system for the New Mexico DDS was not properly designed to allow reconciliation of DDS encumbrances and related expenditures.	$0
	A disaster recovery plan had not been designed or tested for the new accounting system at the DoE, the New Mexico DDS' parent agency.	$0
New Mexico 2000	The accounting system for the New Mexico DDS did not allow reconciliation of DDS encumbrances and related expenditures with the States’ accounting system.	$0
	A disaster recovery plan had not been designed or tested for the new accounting system at DoE, the New Mexico DDS' parent agency.	$0
New York 1999	The parent agency for the New York DDS, the Department of Social Services (DSS), did not follow cost allocation methodology procedures set forth in OMB Circular A-87.	$0
	DSS charged costs for non-SSA, work-related activities to SSA.	$475,785
	DSS did not charge $1,700 in parking costs to various Federal programs in accordance with OMB Circular A-87. As a result, SSA may have been charged parking costs that did not benefit its programs.	$0
	DSS did not have procedures to identify and exclude from its procurement process those subcontractors and subrecipients barred from participation in Federal programs.	$0
	DSS incorrectly recorded $158,201 in employee salaries in the State’s payroll system because of errors in employee timesheets. As a result, SSA may have been charged salary costs that did not benefit its programs.	$0
New York 2000	DSS incorrectly recorded salaries in the State’s payroll system because of errors in employee timesheets.	$4,263
	DSS did not follow cost allocation procedures set forth in OMB Circular A-87.	$0
	DSS did not properly authorize expenditures and did not maintain supporting documentation.	$0
	DSS incorrectly charged SSA costs of $760,211 to non-SSA programs.	$0
Oklahoma 2000	The parent agency for the Oklahoma DDS, the DRS, did not have a disaster recovery plan to be followed in the event of a disaster that adversely affects the Department's operations.	$0
	DRS did not have procedures in place to ensure that only authorized personnel had appropriate access to mainframe data. In addition, the computer room did not have a fire suppression system.	$0
	DRS did not draw funds in accordance with the terms of the CMIA agreement.	$0
Puerto Rico 1997	The parent agency for the Puerto Rico DDS, the Department of the Family (DoF), paid an employee above the authorized salary. The auditors estimated that questioned costs for improper salary payments could be in excess of $10,000.	$725
	DoF requested a cash draw without documentation showing the cash was needed to pay expenditures.	$939,771
	DoF did not reconcile physical inventory results with the accounting records, or maintain accurate records for acquisitions and dispositions of property acquired with SSA funds.	$0
	DoF did not maintain supporting documentation for expenditures.	$753,217
Puerto Rico 1998	DoF did not reconcile physical inventory results with the accounting records, or maintain accurate records for acquisitions and dispositions of property acquired with SSA funds.	$0
	DoF did not provide documentation to support expenditure amounts to test the base used for indirect costs.	$0
	DoF did not maintain supporting documentation for expenditures.	$170,768
Puerto Rico 1999	DoF claimed expenditures on the Financial Status Report that were greater than amounts recorded in the general ledger.	$899,764
	DoF did not maintain supporting documentation for expenditures.	$4,214,001
	DoF did not perform fiscal evaluations to ensure that disbursements were allowable.	$172,354
	DoF did not provide documentation to support expenditure amounts to test the base used for indirect costs.	$0
Rhode Island 1999	The parent agency for the Rhode Island DDS, the DHS, did not have a statewide inventory system and related controls for its fixed assets.	$0
	Federal cash draws made by DHS were not in accordance with the terms of the State’s CMIA agreement.	$0
Rhode Island 2000	DHS allocated central service costs to various Federal programs, including SSA’s disability programs, based on an estimated amount. Once actual amounts were available, DHS adjusted current year charges to account for the overcharge in previous fiscal years.	$0
	DHS did not draw funds in accordance with the CMIA agreement.	$0
	DHS did not have a statewide inventory system and procedures were not in place to ensure compliance regarding the use, management and disposition of equipment.	$0
West Virginia 2000	The parent agency for the West Virginia DDS, the DRS, did not properly apply or code indirect costs to the disability program.	$1,552,922
Wisconsin 2000	SSA might have reimbursed the parent agency for the Wisconsin DDS, the Division of Vocational Rehabilitation (DVR), for client rehabilitation services based on incorrect administrative costs. The auditors could not determine how SSA’s reimbursement amount was calculated because DVR did not retain the supporting documentation.	$0
Total Questioned Costs		$9,469,362

Appendix C

Crosscutting Findings Reported in 89 Single Audits

STATE	CROSSCUTTING FINDINGS	QUESTIONED COSTS
Alabama 1999/2000	There was no formal, written contingency plan for policies and procedures to be followed in the event of a disaster that adversely affects the operations of the data center.	$0
	Security software purchased had not been utilized, resulting in data processing systems not being protected from unauthorized access.	$0
Alaska 1999/2000	The payroll system did not have controls in place to meet financial reporting guidelines.	$0
	Indirect costs were charged without an approved indirect cost allocation plan (State Fiscal Year (SFY) 1999).	$0
	The indirect cost allocation plan had inadequate documentation of its allocations to Federal programs (SFY 2000).	$0
	Personal services expenditures were not charged to Federal programs in compliance with Office of Management and Budget (OMB) Circular A-87.	$0
Arizona 1999/2000	Internal controls were not in place to ensure overall efficiency and effectiveness, compliance with laws and regulations, and reliable and accurate financial reporting.	$0
	Errors were noted in the Random Moment Sample used to allocate payroll charges to Federal programs, which resulted in some programs being overcharged while others were undercharged.	$0
	There was no formal contingency plan in the event of a disaster that could adversely affect daily operations.	$0
California 1999/2000	Quarterly financial status reports were not reconciled to the accounting records.	$0
	Documentation of transactions to agencies regarding the CMIA agreement was inadequate, and the interest liability due to the Federal Government could not be determined.	$0
	Limitations in the automated accounting systems did not allow for expenditures to be reported by program on the SEFA.	$0
	The time between the receipt and disbursement of Federal funds was not minimized.	$0
Colorado 1999/2000	Revenue information was not reconciled and an automated system was not in place to track charges and resulting revenue and receipts.	$0
	Manual adjustments for payroll transactions were incorrectly performed.	$0
	The automated timekeeping system incorrectly classified hours worked by employees, resulting in employees being overpaid. In addition, payroll information from departmental sources was not reconciled with information from the State’s payroll system.	$0
	Employee time sheets did not contain documentation of supervisory approval.	$0
	Internal controls over the use of credit cards were weak. In addition, procedures for reviewing the purchase card function were not documented, and transaction account coding was not reviewed.	$0
Connecticut 1999/2000	All contractors were not required to certify that they were not suspended or debarred.	$0
Note: See page C-1 for footnote explanation.
Connecticut 1999/2000 (Continued)	Methodologies for random samples may not have been accurate resulting in costs being distributed to various programs at incorrect rates.	$0
	The cost allocation system showed that expenditures were charged to the wrong program.	$0
	Salaries were charged 100 percent to a Federal program when time was not devoted to the program.	$0
	Automated Data Processing system security reviews were not performed for the installations that were involved in administering programs.	$0
	Federal funds were advanced before actually needed.	$0
	Contracts did not identify the Federal program title.	$0
Delaware 1999/2000	The CMIA agreement was not followed, and the proper funding technique was not used when requesting Federal funds.	$0
	Inaccurate interest liability amounts were reported in the Annual Report required by the CMIA agreement.	$0
District of Columbia 1999	Federal draws were not accurately recorded in financial systems.	$0
Florida 1999/2000	Terms of the CMIA agreement concerning Federal draws and interest calculations were not followed.	$0
	Personnel costs were not properly allocated.	$0
	Cost were not allocated among computer users n the most equitable manner according to OMB Circular A-87.	$0
	Reconciliation worksheets associated with central service costs were improperly prepared, and costs subject to allocation were overstated by $12,029,469 in the statewide cost allocation plan.	$0
	The statewide cost allocation plan was not submitted timely for Federal approval.	$0
Note: See page C-1 for footnote explanation.
Georgia 1999/2000	Equipment inventories were not properly maintained.	$0
	Accounting data reconciliations were not consistently performed, and controls were not in place to safeguard data against unauthorized access.	$0
Guam 1999/2000	Internal controls over recordkeeping needed to be improved.	$0
	Copies of financial reports were not found.	$0
	Procedures were not followed to ensure that Federal reports were prepared and submitted timely.	$0
	Controls were not in place to ensure that funds were obligated during the period of availability.	$125,516
	A physical inventory of equipment was not conducted, and maintenance procedures designed to keep equipment in good condition were not established.	$0
	Controls were not in place to ensure that procurements were documented in sufficient detail.	$6,397,029
	Supporting documentation for invoices, purchase orders, and check copies were not retained for the required period of time.	$38,380
	Payments were recorded twice as expenditures under the same account numbers.	$88,287
	Controls were not maintained over the time elapsed between the transfer of Federal funds.	$0
	The Department had not prepared financial statements.	$7,146,869
Note: See page C-1 for footnote explanation.
Hawaii 1999/2000	Leave records were not maintained on a timely basis, and there was a lack of adequate review procedures to ensure that information was accurate and complete.	$0
	The Automated Recovery System used to account for overpayments was outdated resulting in inaccurate and untimely reporting.	$0
	Inventory records were not reported quarterly.	$0
	Required automated data processing reviews were not performed due to a lack of personnel resources.	$0
Idaho 1999/2000	Cash draws were not made timely resulting in interest liabilities that may be owed the Federal Government.	$13,000
	Costs allocated to Federal grants were not always based on actual time spent on the program.	$0
Illinois 1999	Controls were inadequate to maintain supporting documentation for receipts and make deposits in a timely manner.	$0
	A centralized system for accumulating and reporting lease costs, maintenance costs, minimum mileage requirements, and personal vehicle assignments for vehicles maintained at the central office were not established.	$0
	Formal tests of the disaster recovery plan to be used in the event of a disaster that could adversely affect daily operations were not conducted. In addition, recovery procedures for minicomputers and local area network environments were not formally documented.	$0
	Receipt account balances were not reconciled with the State Comptroller records timely. In addition, there was little or no documentation to support the reconciliations.	$0
Note: See page C-1 for footnote explanation.
Illinois 1999 (Continued)	Procedures to track or account for internal computer parts shipped from the warehouse to various locations were not completely followed.	$0
	Proper safeguards over property and equipment to prevent unauthorized access or theft were not maintained.	$0
	All required Electronic Data Processing (EDP) equipment information was not included on the Equipment Inventory System (EIS). In addition, unused or obsolete EDP equipment was not updated on the EIS.	$0
	Computer equipment purchases costing over $2,062,000 were held for over 1 year without being installed or placed in service.	$0
	Reviews of telecommunications invoices and phone calls made by employees were not documented.	$0
Iowa 1999/2000	An up-to-date and accurate inventory of all property items was not maintained.	$0
Kansas 1999/2000	Financial statements did not include certain assets and liabilities, and the State's accounting systems and processes did not capture and document information relating to these assets and liabilities.	$0
	Inter-agency transactions were recorded inconsistently resulting in expenditures being recorded twice.	$0
Kentucky 1999/2000	Policies and procedures for maintaining supporting documentation for expenditures were not in place.	$0
	Financial reports and accounting records contained inaccurate and incomplete documentation.	$0
	Financial statements could not be verified because documentation was not retained.	$0
	Automatic log-off security for the Automated Purchasing System was not implemented.	$0
	The SEFA was not complete and/or was inaccurate.	$0
Note: See page C-1 for footnote explanation.
Kentucky 1999/2000 (Continued)	Improper duplicate payments for purchase orders were made because prior expenditure documents were incorrect or incomplete.	$74,185
	The financial system did not accurately reflect adjustments made to financial transactions.	$0
	There were no mechanisms in place to ensure timely submissions of equipment conversions and there were no procedures for implementing a statewide physical inventory system.	$0
	Procedures were not in place to comply with the CMIA agreement.	$0
	Supporting documentation was not maintained to reconcile financial transactions.	$0
	Controls were not in place to ensure security over Personal Identification Numbers.	$0
	A system was not in place to identify specific expenditure types.	$0
Louisiana 1999/2000	Effective internal audit functions to examine, evaluate and report on the internal controls, including data processing, were lacking.	$0
	Adequate internal controls were not maintained or did not consistently adher to established procedures regarding federally funded programs.	$0
	CMIA agreement was not followed, and clearance patterns were not completely developed.	$0
	Internal controls had not been established over vendor reimbursements processed through the payment system to ensure assets were safeguarded.	$0
	Accounting controls were inadequate over movable property acquisition, disposition, valuation, and location.	$0
	An adequate monitoring system was not in place to ensure contractors' were audited.	$0
	Refunds of Federal expenditures were not applied to subsequent requests for Federal funds, as required by the CMIA agreement.	$48,226
Note: See page C-1 for footnote explanation.
Maine 1999/2000	Policies were not in place to ensure timely bank reconciliations were peformed.	$0
	Controls were not in place to ensure accurate reporting of Federal grant expenditures, resulting in costs being charged twice, and cost allocation plan errors were not detected.	$963,687
	Payroll and other costs were charged to the wrong program.	$415,757
	Information was not retained to support fixed assets reported on the Federal financial report. Transactions were not identified, classified and reported.	$0
	Procedures were not in place to consistently identify, value, and record amounts owed.	$0
	Controls were not in place to ensure compliance with the CMIA agreement.	$0
	Disbursements reported on the quarterly Federal cash transaction report were not supported.	$0
	Procedures to ensure compliance with monitoring requirements were not in place.	$0
	Procedures were not in place to ensure that the correct Catalog of Federal Assistance numbers were used.	$0
	Personnel costs were not properly distributed for employees who worked on multiple activities or cost objectives, and periodic certifications were not prepared.	$0
	Controls over payroll records were not effective to ensure compliance with OMB requirements.	$0
Maryland 1999/2000	Equipment purchases were not recorded nor the purchasing department notified before receipt.	$0
	Quarterly reports contained inaccurate or missing information regarding surplus personal property.	$0
	Expenditure amounts were not reconciled with amounts reported on the SEFA.	$0
	Cash draws were untimely resulting in interest liabilities.	$0
Note: See page C-1 for footnote explanation.
Massachusetts 1999/2000	Procedures were not in place to review vendor master files to identify vendors that should be deleted.	$$
	Lease accounting procedures were not monitored.	$0
	The cash management system was inadequate to reconcile financial transactions.	$0
	The method of accounting and reporting certain types of funds hampered the efficiency of the accounting and financial reporting process.	$0
	Distribution of personal service costs to Federal programs did not comply with Federal requirements. Periodic certifications stating that an employee worked solely on a program were not maintained.	$0
	The system used to allocate payments received on accounts did not properly record the payments.	$0
Michigan 2000	The personnel and payroll information system did not maintain the required internal controls for entering and reconciling payroll and personnel information.	$0
	Internal control procedures for preparing time and attendance records were not followed, and internal controls were not maintained over the processing of personnel and payroll transactions.	$0
Minnesota 1999/2000	Adequate oversight was not provided to vendors, and questions on allowable use of funds in some Federal programs were not resolved.	$0
	Accounts receivable balances and other financial transactions were not reconciled with various accounts, and the State's accounting system contained inaccurate object codes.	$0
	Procedures were not in place to monitor manual checks.	$0
	Computer controls were not in place concerning employee access, accounts, and passwords.	$0
	The Department of Finance did not provide adequate direction to State agencies for financial transactions.	$0
	Independent quality control reviews of system batch jobs were not conducted.	$0
Note: See page C-1 for footnote explanation.
Mississippi 1999/2000	The Cost Allocation Plan charged costs that were not approved before they were charged.	$0
	A completed Disaster Recovery Plan was not implemented.	$0
	Adequate controls over cash management were not maintained.	$0
	Information Technology Services did not contain an adequate power supply, and control weaknesses in the employee termination procedures were noted.	$0
Missouri 2000	Controls for the new State accounting system were inadequate.	$0
Montana 1999	The Information Services Division did not properly bill and collect service costs from benefiting departments.	$0
	Reviews and analysis of data processing and system security issues were not performed.	$0
	Federal reports were not properly supported, accurately prepared, or submitted promptly.	$0
	Funds were not drawn in accordance with the terms of the CMIA agreement.	$0
	The Agency Wide Accounting and Client System used to generate vendor and provider payments was not reconciled to the primary accounting system.	$0
Nebraska 1999/2000	Documents were not coded to the proper grant.	$6,566
	Procedures were not followed for posting adjustments timely.	$0
New Hampshire 1999/2000	Clearance patterns were not reviewed.	$0
	Contracts did not contain required language regarding debarment and suspension.	$0
	Vouchers were paid without proper authorization.	$8,427
	Salaries allocated to Federal programs were not supported by an effort-reporting system.	$5,932
Note: See page C-1 for footnote explanation.
New Jersey 2000	Procedures were not established to oversee the processing of contracts for the required certification.	$0
New Mexico 1999/2000	Application of consistent internal control procedures failed as a result of continued vacancies, lack of experienced accounting personnel, and the decrease in authorized positions in the Finance department.	$0
New York 1999/2000	Claims were not submitted timely for Federal reimbursement.	$0
	Quarterly financial status reports were not reconciled to State accounting records.	$0
	Presettlement reviews for allowability of claims were not conducted.	$0
	Reviews were not performed to assess or verify the allowability of claims charged to Federal programs from other State agencies.	$0
	Supporting documentation and records were not maintained for transactions with outside vendors.	$0
North Carolina 1999/2000	Employees had more access to the accounting system than necessary for their jobs.	$0
	Controls were not in place to ensure that grant draws were made in accordance with the CMIA agreement.	$0
	Financial statements were not filed timely.	$0
	Federal transactions were not reconciled to the general ledger.	$60,000
	Controls over fixed assets needed improvements, and an annual physical inventory had not been performed.	$0
	Prescribed procedures were not followed when processing cash disbursements.	$0
	Controls were not in place to ensure payments were based on authorized rates of disbursement.	$0
Note: See page C-1 for footnote explanation.
North Carolina 1999/2000 (Continued)	The method for compiling claims and benefits payable transactions were deficient.	$922,000
	Financial reports were inaccurate.	$0
	Prescribed procedures were not followed for procurement, and required competitive bids were not obtained.	$8,451
	Contract approval was not obtained before receiving services.	$0
	Invoices were not processed timely.	$0
North Dakota 2000	Controls were not in place to ensure reports were complete, accurate, and properly approved.	$0
	Adequate time records for individuals who worked on multiple cost activities were not kept.	$0
	Payroll costs charged were not properly supported, and the required certification stating that employees worked solely on a certain program was not completed.	$0
Ohio 1999/2000	There were no written procedures to track the computer program change request process.	$0
	Suspension and debarment certifications were not obtained.	$0
	Federal funds were drawn in error.	$747,972
	Amounts reported in the payment system were different than amounts reported in the Central Accounting System.	$106,189
	Supporting documentation for completed reports was not maintained.	$0
	The Department did not adequately monitor or perform reviews for program compliance.	$0
	Obligations were not liquidated within the established time limits.	$151,164
Note: See page C-1 for footnote explanation.
Oklahoma 1999/2000	Written accounting procedures and cost allocation plans were not in place.	$0
	A system was not in place to adequately document personnel costs charged to Federal programs.	$0
	The method to allocate direct and indirect costs was not approved.	$0
Oregon 1999/2000	Controls were not in place to ensure files were properly documented, reviewed, and retained.	$0
	Internal controls over check stock were not adequate.	$0
	Unresolved items were not reconciled timely.	$0
Pennsylvania 1999/2000	Procedures were not in place regarding the methodology, documentation, preparation, review and submission of reports.	$0
	Procedures were not in place to ensure signed certifications regarding debarment and suspension were documented.	$0
	Controls related to logical access, physical access, physical environment, systems development, program changes, and segregation of duties were not adequate.	$0
	Methodologies and procedures for accruing and reporting financial activity were not in place.	$0
	Documentation was not adequate to support the proper procurement of a telecommunications contract.	$0
Puerto Rico 1997/1998/	Procedures over disbursements were not adequate.	$0
1999	Federal funds were disbursed to a suspended party because there were no procedures preventing such disbursements.	$42,578
	Procedures were not in place to ensure single audits and financial reports were completed and submitted timely.	$0
	Bidding procedures were not followed, funds were disbursed without a signed contract, and documentation was not maintained to support expenditures.	$7,552,548
Note: See page C-1 for footnote explanation.
Puerto Rico 1997/1998/ 1999 (Continued)	Financial statements were not prepared in conformity with generally accepted accounting principles because of a lack of policies, procedures, and financial reporting practices. Therefore, fiscal and financial management did not have accurate, effective, and complete financial information on a timely basis to carry out other duties.	$0
	A detailed report of year-end obligations was not prepared to determine whether funds were properly obligated, resulting in potentially unallowable obligations. In addition, there was not an adequate filing system to allow the efficient retrieval of documentation supporting prior-period payments.	$2,700,019
	Property and equipment management procedures were not adequate.	$793,439
	The indirect cost plan was not available to the auditors for their review.	$0
	Federal funds were not drawn in accordance with the terms of the CMIA agreement.	$4,362,699
	Expenditures were charged to the wrong program.	$90,637
	A Corrective Action Plan to address findings identified in the prior year single audit was not prepared.	$0
	Documentation was not maintained to support indirect cost charges, and the wrong indirect cost rate was used.	$3,334,758
	Current year funds were used to pay prior year expenditures.	$39,651
	Transactions were not reviewed to ensure payments agreed with invoice amounts.	$0
	Interest liabilities that may be owed to the Federal Government were not calculated and reported.	$0
	The Financial Status Report did not agree with the general ledger.	$0
	Federal funds were expended for unallowable costs.	$12,500
	Reviews were not performed to ensure funds were expended for allowable activities.	$81,318
Note: See page C-1 for footnote explanation.
Puerto Rico 1997/1998/ 1999 (Continued)	Property and equipment management procedures were not adequate. Expenditures were not adequately supported before expending Federal funds.	$0
	Supporting documentation and accounting records were not retained for expenditures.	$0
	Evidence to support the draw of Federal funds could not be located.	$0
	Payroll disbursements were not properly recorded.	$0
Rhode Island 1999/2000	Controls were not in place to ensure that contractors had certifications and were not suspended or debarred.	$0
	Controls over inventory records used to identify equipment purchases were not adequate, nor were there procedures in place regarding the use, management, and disposition of all equipment.	$0
	Unique passwords for computer access were not required.	$0
	Controls for user access for the State accounting system were inadequate.	$0
	The accounting system did not capture all categories of long-term obligations.	$0
	Checks outstanding more than 180 days were not credited to the Federal Government.	$32,801
	Computer controls were not in place to ensure security in the use, management, and disposition of equipment.	$0
	Expenditures were not claimed within the period of availability.	$20,369
	Expenditures on the Federal Cash Transaction Reports were not consistent with amounts reported on quarterly Federal expenditure reports for each program.	$0
Note: See page C-1 for footnote explanation.
South Carolina 1999/2000	Written policies were not in place to maintain and store data that support the allocation of costs to various programs.	$0
	Adjusting journal entries were not prepared timely.	$0
	Procedures were not in place to ensure that quarterly cost allocation updates were input and reviewed.	$63,990
	Financial reports did not agree with amounts reported in the general ledger.	$0
South Dakota 1999/2000	Controls did not exist to ensure the accurate payment of administrative fees due to service providers.	$0
	The annual report contained data that were inaccurate or were not supported.	$0
Tennessee 1999/2000	Documentation to support access to the on-line purchasing system was not on file.	$0
	Proper controls over the purchasing system to ensure that design changes were implemented and followed were not in place.	$0
	Controls over the financial information data base need to be improved.	$0
	The accounting reporting system program changes were not properly documented and approved by management.	$0
	A complete inventory was not completed to ensure proper accounting for all equipment.	$0
	Written policies and procedures were not in place to ensure that serious administrative and programmatic deficiencies did not occur.	$0
Texas 1999	The CMIA agreement was not followed, and clearance patterns were not completely developed.	$0
Note: See page C-1 for footnote explanation.
Utah 1999/2000	Required certifications that contractors were not suspended or debarred were not obtained.	$0
	Federal funds were advanced inappropriately.	$147,158
	Certification and supporting documentation for payroll related expenses were not maintained.	$0
	Terms of the CMIA agreement ensuring that Federal draws are made timely were not followed.	$0
	Federal funds were not obligated within the period of availability.	$0
Vermont 1999/2000	Required reports were not filed timely.	$0
	System security reviews were not conducted.	$0
	Expenses were not properly allocated when invoices were sent out.	$0
	Procedures were not followed when transferring funds according to Federal guidelines.	$0
Virginia 1999/2000	Financial information was not properly recorded into the system.	$0
	User access was not monitored.	$0
	Controls were not in place over inventory policies and procedures.	$0
	Account reconciliations were not made timely.	$0
	Accurate and complete information was not used in financial accounting reports.	$0
	Documented procedures for the request, approval, and development of systems modification requests were not followed.	$0
Washington 2000	Federal programs were charged for direct and indirect unallowable costs that either contained no documentation to support them or because Federal regulations did not allow them.	$0
Note: See page C-1 for footnote explanation.
West Virginia 1999/2000	Reporting procedures were not sufficient to enable State departments to identify, verify, and report escheated warrants by grant to the Federal grantor. The Federal programs should have been credited for the amount of escheated warrants related to the Federal awards.	$0
Wisconsin 1999	There was no Disaster Recovery Plan.	$0
	There were no formal written procedures regarding proper request, oversight, and review for program changes.	$0
	Controls were not developed to limit programmers' ability to access certain files and prevent programs from being altered.	$0
	There were significant errors and inconsistencies in the financial information prepared by the Accounting Section.	$0
	Procedures were not developed to ensure that complete billing records were accurately entered into the billing system.	$0
Total Questioned Costs		$36,602,102
Note: See page C-1 for footnote explanation.

Appendix D

Findings We Identified During the Same Time Frame as the Single Audits Reviewed

OIG AUDIT	OFFICE OF THE INSPECTOR GENERAL (OIG) FINDINGS	QUESTIONED COSTS
Audit of the Administrative Costs Claimed by the Oregon Disability Determination Services (A-15-99-52021)	Fiscal Year (FY) 1999 rental expenses of $55,987 were accounted for and reported as expenditures for FY 1998. (Disability Determination Services (DDS) reclassified expense to FY 1999.) Drawdowns exceeded reported disbursements for FY 1998 by $27,544.	$0 $27,544
Audit of the Administrative Costs Claimed by the Connecticut Disability Determination Services (A-15-00-30016)	FY 1999 expenses of $121,965 were accounted for and reported as expenditures for FY 1998. (DDS reclassified expense to FY 1999.) The Social Security Administration did not approve the office lease. There was no comprehensive business continuity/contingency plan. Computer access controls were weak.	$0 $0 $0 $0
Audit of the Administrative Costs Claimed by the Arizona Department of Economic Security for its Disability Determination Services Administration (A-15-99-51009)	FY 1998 unliquidated obligations totaling $249,892 and FY 1998 automated investment funds (AIF) totaling $163,400 had not been reviewed and action taken to deobligate those amounts no longer deemed valid. AIF accounting records were not always segregated from limitation on administrative expenses (LAE) accounting records, causing reporting inaccuracies. AIF costs totaling $153,863 were inappropriately charged to the LAE funding. In addition, AIF expenditures totaling $95,697 were not captured from the accounting records. Inventory lists were not maintained. A process to determine the reasonableness of medical fees was not established.	$413,292 $249,560 $0 $0
Total Questioned Costs		$690,396

Appendix E

Agency Comments

MEMORANDUM

Date:

September 16, 2002

To:	James G. Huse, Jr. Inspector General
From:	Larry W. Dye Chief of Staff
Subject:	Office of the Inspector General (OIG) Draft Management Advisory Report "Summary of Single Audit Oversight Activities," A-07-02-32035—INFORMATION

We appreciate the OIG’s efforts in analyzing single audits for this review. Our comments on the draft management advisory report recommendations are attached.

Staff questions may be referred to Janet Carbonara on extension 53568.

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL’S (OIG) DRAFT MANAGEMENT ADVISORY REPORT, "SUMMARY OF SINGLE AUDIT OVERSIGHT ACTIVITIES" (A-07-02-32035)

Thank you for the opportunity to review this OIG draft Management Advisory Report. The first five recommendations are from a prior single audit summary report (A-07-00-10032) and were implemented in August 2001 (recommendation 3) and October 2001 (recommendations 1, 2, 4 and 5). Information about the actions taken is provided below, along with our response to recommendation six.

Recommendation 1

SSA should provide instructions to the Disability Determination Services (DDS) to adhere to the terms of the Cash Management Improvement Act (CMIA) agreement.

Comment

SSA issued a DDS Administrators Letter on October 4, 2001 reminding the States to adhere to the terms of their CMIA agreements. Since the CMIA agreements are between the States and the Department of the Treasury (DT), SSA has a limited role with respect to these agreements. Therefore, we suggest that the OIG bring the results of its review on this matter to the attention of the DT Inspector General for follow-up action by that agency.

Recommendation 2

SSA should provide instructions to the DDSs to implement controls to prevent unauthorized computer access.

Comment

SSA issued a Regional Commissioners memorandum and a DDS Administrators Letter regarding DDS security on October 4, 2001. This document provided comprehensive guidance to the DDSs and regional offices regarding a number of security areas. Compliance with that document is being monitored through annual DDS self-reviews, regional security audits and PricewaterhouseCoopers security audits. In addition, the Agency has been working closely with the DDSs to develop systems risk models for the AS/400 and WANG systems, as well as installing monitoring software to check for compliance to critical systems setting. SSA will continue its efforts to prevent unauthorized computer access.

Recommendation 3

SSA should provide instructions to the DDSs to develop a formal contingency plan to be followed in the event of a disaster that adversely affects operations.

Comment

SSA issued a DDS Administrators Letter on August 6, 2001, transmitting the "Final DDS Security Document" which covers developing a formal contingency plan to prevent disruption of services in the event of a disaster. SSA will continue to work with the DDSs to ensure adherence.

Recommendation 4

SSA should provide instructions to the DDSs to maintain complete and accurate equipment inventory records and perform periodic physical inventories.

Comment

SSA issued a DDS Administrators Letter on October 4, 2001 reminding the States to maintain complete and accurate equipment inventory records and to perform periodic physical inventories.

Recommendation 5

SSA should provide instructions to the DDSs to ensure that costs charged to SSA benefit its programs and are properly authorized and documented.

Comment

SSA issued a DDS Administrators Letter on October 4, 2001 reminding the States to ensure that costs charged to SSA benefit its programs and are properly authorized and documented.

Recommendation 6

SSA should provide instructions to the DDSs to implement controls to ensure that non-SSA work costs are properly accounted for and reported.

Comment

SSA has revised and updated the Program Operations Manual System (POMS) DI 39563.210f and circulated it to all the regions for comments, which are currently being reviewed. The POMS emphasizes that a Memorandum of Understanding (MOU) between SSA and the State is necessary when the DDS will be processing non-SSA work. At a minimum the MOU must include:

Assurance that the processing of non-SSA work will not interfere with the prompt and effective completion of SSA work;

Funding for the non-SSA work will be provided in advance and SSA funding will only be used for the purposes of title II and title XVI; and

How the costs of the DDS will be allocated between the SSA and the non-SSA work.

Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

Francis W. Fernandez, Director, Western Audit Division (510) 970-1739
Mark Bailey, Deputy Director, Western Audit Division (816) 936-5591

Acknowledgments

In addition to those named above:

Shannon Agee, Lead Auditor
Wanda Craig, Auditor
Kim Beauchamp, Writer-Editor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Specialist at (410) 966-1375. Refer to Common Identification Number A-07-02-32035.

Overview of the Office of the Inspector General

Office of Audit

The Office of Audit (OA) conducts comprehensive financial and performance audits of the Social Security Administration’s (SSA) programs and makes recommendations to ensure that program objectives are achieved effectively and efficiently. Financial audits, required by the Chief Financial Officers' Act of 1990, assess whether SSA’s financial statements fairly present the Agency’s financial position, results of operations and cash flow. Performance audits review the economy, efficiency and effectiveness of SSA’s programs. OA also conducts short-term management and program evaluations focused on issues of concern to SSA, Congress and the general public. Evaluations often focus on identifying and recommending ways to prevent and minimize program fraud and inefficiency, rather than detecting problems after they occur.

Office of Executive Operations

The Office of Executive Operations (OEO) provides four functions for the Office of the Inspector General (OIG) – administrative support, strategic planning, quality assurance, and public affairs. OEO supports the OIG components by providing information resources management; systems security; and the coordination of budget, procurement, telecommunications, facilities and equipment, and human resources. In addition, this Office coordinates and is responsible for the OIG’s strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act. The quality assurance division performs internal reviews to ensure that OIG offices nationwide hold themselves to the same rigorous standards that we expect from the Agency. This division also conducts employee investigations within OIG. The public affairs team communicates OIG’s planned and current activities and the results to the Commissioner and Congress, as well as other entities.

Office of Investigations

The Office of Investigations (OI) conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement of SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, physicians, interpreters, representative payees, third parties, and by SSA employees in the performance of their duties. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Counsel to the Inspector General

The Counsel to the Inspector General provides legal advice and counsel to the Inspector General on various matters, including: 1) statutes, regulations, legislation, and policy directives governing the administration of SSA’s programs; 2) investigative procedures and techniques; and 3) legal implications and conclusions to be drawn from audit and investigative material produced by the OIG. The Counsel’s office also administers the civil monetary penalty program.