OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

FOLLOW-UP: THE SOCIAL SECURITY
ADMINISTRATION'S INTERNAL USE OF
EMPLOYEES' SOCIAL SECURITY NUMBERS

June 2008

A-13-07-27164

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: June 9, 2008

To: The Commissioner

From: Inspector General

Subject: Follow-up: The Social Security Administration's Internal Use of Employees' Social Security Numbers (A-13-07-27164)

OBJECTIVE

Our objective was to determine the extent to which the Social Security Administration (SSA) implemented the recommendations from our August 2004 report, The Social Security Administration's Internal Use of Employees' Social Security Numbers.

BACKGROUND

The Social Security number (SSN) was created in 1936 as a means of tracking workers' earnings and eligibility for Social Security benefits. Nevertheless, the SSN has become a de facto national identifier used by Federal agencies, State and local governments, and private organizations. The expanded use of the SSN as a national identifier provides a tempting motive for unscrupulous individuals to acquire and use it for illegal purposes.

Federal agencies frequently ask individuals for their SSNs because, in certain instances, the law requires that they do so. Federal agencies have a responsibility to limit the risk of unauthorized disclosure of SSNs. Although no single Federal law regulates overall use and disclosure of SSNs by Federal agencies, the Freedom of Information Act of 1966, the Privacy Act of 1974, and the Social Security Act Amendments of 1990 generally govern disclosure and use of SSNs.

Our 2004 report contained several concerns about the use of the employees' SSNs and made five recommendations to address these issues. The Agency agreed with all of these recommendations. In this audit, we reviewed the extent to which SSA had implemented the five recommendations. See Appendix B for a detailed discussion of the Scope and Methodology.

In addition, we reviewed information SSA reported pertaining to the Office of Management and Budget's (OMB) request that Federal agencies, including SSA, review their use of SSNs. This request relates to the President's Identity Theft Task Force September 2006 interim recommendations. Specifically, the Task Force recommended that OMB require that all Federal agencies review their use of SSNs to determine whether such use can be eliminated, restricted, or concealed in agency business processes, systems and electronic forms. On January 16, 2007, the Agency reported to OMB how its business processes used SSNs as well as alternatives, vulnerabilities and safeguards for SSNs. During our review, we examined the accuracy of the information reported that pertained to Agency employees' SSNs. See the "Other Matter" section and Appendix C for the results of our review.

RESULTS OF REVIEW

SSA took corrective action on all recommendations from our August 2004 report, The Social Security Administration's Internal Use of Employees' Social Security Numbers. In addition, the Agency took other actions regarding the use of its employees' SSNs. Below, we discuss Recommendations 1 through 5, the corrective actions taken by the Agency, and the results of our current review.

Recommendation 1: We recommend SSA remind employees to secure any system or document containing employee SSNs when these systems or documents are not being used.

The Agency responded its Office of Systems Security Operations Management and Chief Security Officer issue periodic and ad hoc bulletins to SSA employees concerning systems security matters. Generally, the bulletins focus on systems security issues that impact a range of users and developers or are applicable Agency-wide. SSA has established systems security policies and procedures that require a suite of controls over systems that contain sensitive data, such as SSA clients' SSNs and employee SSNs. Therefore, SSA will take steps to ensure managers and staff adhere to the existing procedures and handling documents associated with administrative activities.

Our current review found the Agency had taken several actions to remind employees to secure systems and documents that contain employees' SSNs. On March 28, 2005, SSA issued the bulletin, Sensitive Information Reminder, which reminds employees to secure systems and/or documents containing employee SSNs. According to Agency staff, all policies and procedures related to protecting employees' SSNs should be represented in the Information Systems Security Handbook and the Information System Officer Guide. We reviewed the January 2007 Security Handbook and found it contained information about handling employees' SSNs.

Also, information about handling and securing Personally Identifiable Information, which can include SSNs, has been added to the Agency's Office of Systems Security Operations Management's website. We reviewed the website and found it provided guidance regarding the handling of employees' SSNs.

Recommendation 2: We recommend SSA consider using asterisks, if determined to be cost-effective, to hide the employee SSN on computer screens and reports in all existing and future systems. Asterisks are currently used in the Mainframe Time and Attendance System to hide the employee SSN.

SSA responded it would consider the costs and benefits of using asterisks when developing future enhancements.

During our current review, we examined the 38 automated information systems the Agency reported as using employees' SSNs. Of the 38, we found the Agency modified the computer screen display of employees' SSNs for 21 systems. Of the remaining 17, the Agency does not plan to modify the Travel Manager System. The new travel system, E2 Solutions, is scheduled to be fully implemented by spring 2009. One aspect of E2 Solutions is the ability to mask the entire SSN.

For all 38 systems, Agency staff reported there were mechanisms in place to safeguard employees' SSNs. For example, security profiles are used to limit access to only authorized employees. Access to the systems is also monitored through the use of "in-line audit systems" that check transactions for improper activity. We verified the manner in which employees' SSNs were shown on computer screens to system users for the 38 systems. After our review, the Agency reported updates to three additional systems. However, we did not verify the accuracy of this information. See Appendix D for the results of our review and reported updates concerning the computer screen display of employees' SSNs.

Recommendation 3: We recommend SSA identify the forms that request the employee's SSN. If the SSN is not required, eliminate its use on these forms.

In response to our prior audit, SSA stated it would modify internal forms and consider the continuing need to capture the SSN.

During our current review, Agency staff explained SSA was revising its forms that requested employees' SSNs. For example, in October 2007, staff reported five of SSA's employee-related forms had been modified. These forms were changed to request the last four digits of the SSN. As of October 3, 2007, we verified certain Agency forms had been modified concerning the collection of employees' SSNs. After our review, the Agency reported updates to 11 of its forms. We did not verify the accuracy of this information. See Appendix E for the forms we reviewed and the subsequent information reported for the display of employees' SSNs on SSA's forms.

Recommendation 4: We recommend SSA determine if it is cost beneficial to use an alternative primary identifier for its employees, such as the one used in the On-Line University, for all future SSA systems. If determined to be cost-beneficial, then implement an alternative primary identifier.

SSA agreed with our recommendation but indicated it was bound by Executive Order 9397 and the Civil Service Commission (now known as the Office of Personnel Management [OPM]) mandate to use the SSN as the identifying number for Federal employees. We verified OPM is developing an alternative identifier for all Federal employees, known as the Unique Employee Identifier (UEID). OPM has not developed all the UEID business requirements. Once the business requirements are developed, OPM will need to develop the information technology resources to support Federal agencies' use of the UEID.

Based on the planned use of the UEID by Federal agencies, SSA officials reported it is not financially prudent to develop an SSA-specific alternative primary identifier for its employees and/or modify its systems at this time. When OPM has implemented use of the UEID, the Agency can consider the modifications and timeframes required to implement the use of the UEID in the context of its budget and available resources.

Recommendation 5: We recommend SSA consider and use, as indicated in Agency policy, encryption if feasible and not cost prohibitive.

SSA responded it used dedicated lines and Connect Direct when transmitting payroll information to the Department of the Interior (the example cited in the prior report) and therefore believed it was in compliance with the policy as written. In our current review, we verified that SSA payroll information transmitted from the Agency to the Department of the Interior is encrypted.

CONCLUSION AND RECOMMENDATION

Based on our observations, examination of data, and discussions with SSA staff, we believe the recommendations from our prior report have been addressed by the Agency. SSA had taken action to implement the five recommendations from our August 2004 report. However, to further protect its employees' SSNs, we recommend SSA continue removing or minimizing the use of these SSNs in its systems and forms.

AGENCY COMMENTS

SSA agreed with our conclusion and recommendation. See Appendix G for the full text of SSA's comments.

OTHER MATTER

Other Actions Regarding the Use of Social Security Administration Employees' Social Security Numbers

During our current review, we examined other SSA actions regarding the use of employees' SSNs. On January 16, 2007, SSA reported to OMB how its business processes used SSNs, as well as alternatives, vulnerabilities and safeguards for SSNs. We examined the accuracy of the data applicable to the Agency's use of employees' SSNs. Based on our observations, review of the data, and discussions with SSA staff, we believe the information SSA reported to OMB on actions taken and pending regarding the use of employees' SSNs was accurate. See Appendix C for the specific employee-related information systems and forms included in our examination.

In a related matter, on May 22, 2007, OMB issued Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. According to OMB's Memorandum, safeguarding personally identifiable information in the Government's possession and preventing its breach are essential to ensure the Government retains the trust of the American public. In response to the OMB memorandum, on September 28, 2007, SSA issued its plan to eliminate the unnecessary collection and use of SSNs. See Appendix F for the excerpt of the plan that relates to employees' SSNs collection and use.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - The Social Security Administration's Response to the Office of Management and Budget on the Use of Social Security Numbers
APPENDIX D - Employees' Social Security Number As Displayed on the Social Security Administration's Computer Screens
APPENDIX E - Social Security Administration Forms: Request and Display of Employees' Social Security Numbers
APPENDIX F - Excerpt: The Social Security Administration's Implementation Plan to Eliminate the Unnecessary Use of Social Security Numbers
APPENDIX G - Agency Comments
APPENDIX H - OIG Contacts and Staff Acknowledgments

Appendix A
Acronyms
OMB Office of Management and Budget
OPM Office of Personnel Management
SSA Social Security Administration
SSN Social Security Number
UEID Unique Employee Identifier

Appendix B
Scope and Methodology

To accomplish our objective, we:

Identified and reviewed applicable laws and regulations.

Identified and reviewed relevant Social Security Administration (SSA) policies and procedures.

Identified and reviewed prior relevant audits.

Interviewed SSA personnel responsible for controls over the use of Social Security numbers (SSN).

Identified and reviewed pertinent SSA employee forms that include SSNs.

Identified and reviewed pertinent SSA employee forms that include unique identifiers other than SSNs.

Determined the Agency's internal use of SSNs.

Observed the safeguards implemented by the Agency.

In addition, we observed the display and use of employees' SSNs in information systems, reviewed the display of SSNs on various forms and system-related data, and interviewed Agency staff. See Appendix C for a list of the information systems and forms reviewed. Also, we reviewed SSA's response to Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, as it relates to the unnecessary collection and use of Agency employees' SSNs (see Appendix F).

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Our audit was performed between June and October 2007 in Baltimore, Maryland. The entities audited were the Offices of Human Resources; General Counsel; Budget, Finance, and Management, Acquisition and Grants; and Systems.

Appendix C
The Social Security Administration's Response to the Office of Management and Budget on the Use of Social Security Numbers

We examined the accuracy of information reported by the Social Security Administration (SSA) to the Office of Management and Budget (OMB) pertaining to the use of Agency employees' Social Security numbers (SSN). In its September 2006 Summary of Interim Recommendations, the President's Identity Theft Task Force recommended that OMB require that all Federal agencies review their use of SSNs. Specifically, agencies were to determine whether such use can be eliminated, restricted, or concealed in agency business processes, systems and electronic forms.

On January 16, 2007, the Agency reported how its business processes used SSNs, as well as alternatives, vulnerabilities and safeguards for SSNs. We examined the data applicable to the use of Agency employees' SSNs. Based on our observations, review of the data, and discussions with SSA staff, we believe the information SSA reported to OMB on actions taken and pending regarding the use of employees' SSNs was accurate. The following identifies, by business processes, the information systems and forms we reviewed related to employees' SSNs.

Budget, Financial and Administrative Services Process
System/Form Name
Travel Manager System
Travel Credit Card Application
Administrative Payments Information Network System
Finance Interactive Voice Response System
Payments Claims and Enhanced Reconciliation System
Third Party Payment System
Purchase Card Application
Tally Up System
Suitability Checks for Employees and Contractors
Comprehensive Integrity Review Process System
Audit Trail System

Human Resources Process
System/Form Name
Collection of Time & Attendance Data
Mainframe Time & Attendance System
Transmission of Time & Attendance Data
Job Announcement Status Check
Awards Database
Official Personnel Folder Tracking System
Performance Assessment and Communications System
Mainframe Grievance Tracking System
Human Resource Management Information System
Employee Suggestion Program
Employee Assistance Program Client Database
Equal Employment Opportunity Complaint File/Complaint Form/Counseling File
Office of Civil Rights and Equal Opportunity iComplaints Database
Reasonable Accommodation Tracking System
Disability Services Team Database
Reasonable Accommodation Wizard
SSA-501-F3, Request for Reasonable Accommodation
Placement and Full Time Equivalent Pool Databases
Training Nomination and Authorization Form
Interactive Video Teletraining Online Course Registration Form
Interactive Video Teletraining One Touch Logon
Blackboard System
Career Development Program Application
Official Union Time Tracking System

Office of General Counsel Process
System Name
Salary Overpayments
Equal Employment Opportunity Cases
Merit Systems Protection Board Cases
Electronic Freedom of Information Act System
Freedom of Information Act Processes

Office of Appeals Process
Form Name
In-House Training Registration Form

Appendix D
Employees' Social Security Numbers As Displayed on the Social Security Administration's Computer Screens

For the following 38 automated information systems, we verified the manner in which Agency employees' Social Security numbers were shown on computer screens to system users.

| System | Display of Employees' SSNs |
| Performance Assessment & Communications System (PACS) | Last 4 Digits |
| iComplaints | Asterisks Used |
| Labor Relations Case Tracking System | Not Used |
| EEO Time Tracking System | Not Used |
| Employee Suggestion Program | Removed |
| Blackboard | Not Used |
| IVT Online Registration | Not Used |
| IVT One-Touch Systems | Not Used |
| Training Online Nomination System | Removed |
| Travel Manager | Complete SSN |
| Travel Credit Card Application | Complete SSN |
| Administrative Payments Information Network System | Complete SSN |
| Finance Interactive Voice Response System | Complete SSN |
| Payments Claims and Enhanced Reconciliation System | Complete SSN |
| Third Party Payment System | Asterisks Used |
| Purchase Card Application | Complete SSN |
| Tally Up System | Complete SSN |
| Suitability Checks for Employees and Contractors | Complete SSN |
| Comprehensive Integrity Review Process System | Complete SSN |
| Audit Trail System | Not Used |
| Mainframe Time and Attendance System | Asterisks Used |
| Transmission of Time and Attendance Data | Complete SSN |
| Job Announcement Status Check | Removed* |
| Awards Database | Last 4 Digits |
| Official Personnel Folder Tracking System | Last 4 Digits |
| Human Resource Management Information System | Complete SSN |
| Employee Assistance Program Client Database | Removed |
| Reasonable Accommodation Tracking System | Complete SSN* |
| Disability Services Team Database | Complete SSN |
| Reasonable Accommodation Wizard | Complete SSN |
| Placement and Full Time Equivalent Pool Databases | Complete SSN |
| Career Development Program Application | Last 4 Digits* |
| Official Union Time Tracking System | Complete SSN |
| Salary Overpayments | Not Used |
| Equal Employment Opportunity Cases | Not Used |
| Merit Systems Protection Board Cases | Not Used |
| Electronic Freedom of Information Act System | If Provided, Complete SSN |
| Freedom of Information Act Processes | If Provided, Complete SSN |

* After our review, the Agency reported updated information for these systems. In addition, SSA's Office of Training reported the complete SSNs for non-SSA employees are displayed on the Career Development Program Application for the Senior Executive Service candidates. However, we did not verify the accuracy of this information.

Appendix E
Social Security Administration Forms: Request and Display of Employees' Social Security Numbers

During our review, we determined whether certain forms used by the Social Security Administration had been modified concerning the collection and display of its employees' Social Security numbers. Below are the forms we reviewed, and whether the forms have been or will be modified.

| Form Number | Form Title | Requested Employees' SSN Data | Implementation Date of Revisions |
| SSA-4392 | Nomination for SSA Honor Award | Last 4 Digits | Completed |
| SSA-3136 | Application to Participate in the Leave Transfer Program | Last 4 Digits | Completed |
| SSA-3555 | SSA Employment Agreement | Last 4 Digits | Completed |
| SSA-1400 | Salary Recommendation | Last 4 Digits | Completed |
| SSA-476 | Request for Official Correspondence Address | Last 4 Digits | Completed |
| SSA-231 | PACS Performance Plan for Team Leaders | Last 4 Digits | Completed* |
| SSA-232 | PACS Performance Plan: Managers and Supervisors | Last 4 Digits | Completed* |
| SSA-233 | PACS Performance Plan: New Hires/Trainees | Last 4 Digits | Completed* |
| SSA-5072 | Request for Medical Treatment | Last 4 Digits | May 2008* |
| SSA-171U3 | Recommendation for Monetary or Time Off Awards | Last 4 Digits | Discontinued paper form in November 2007* |
| SSA-331 | Performance Assessment for Non Supervisory Employees | Last 4 Digits | Completed* |
| SSA-332 | Performance Assessment for Supervisory Employees | Last 4 Digits | Completed* |
| SSA-170 | Employee Suggestion Form | Not Requested | Completed |
| SSA-2770 | Information for reporting non-receipt of hard copy salary check | Last 4 Digits* | Completed |
| SSA-2771 | Information for reporting non-receipt of Direct Deposit/Electronic Funds Transfer payment | Last 4 Digits* | Completed |
| SSA-3948 | Request to Change to Part Time Employment | Not Requested | Completed* |
| SSA-71 | Application for Leave | Not Requested | Completed* |
| SSA-501-F3 | Request for Reasonable Accommodation | Complete SSN | |
| SSA-352-U10 | Training Nomination and Authorization Form | Complete SSN | |
| | Interactive Video Teletraining Online Course Registration Form | Not Requested | |
| | Equal Employment Opportunity Complaint File/Complaint Form/Counseling File | Not Requested | |
| | Office of Disability Adjudication and Review In-House Training Registration Form | Not Requested | |

* After our review, the Agency reported changes had been made to these forms. We did not verify the accuracy of this information.

Appendix F
Excerpt: The Social Security Administration's Implementation Plan to Eliminate the Unnecessary Use of Social Security Numbers

Office of Management and Budget (OMB) Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, issued May 22, 2007, requires that all agencies (1) review their use of Social Security numbers (SSN) in agency systems and programs; (2) identify instances in which collection or use of the SSN is superfluous; and (3) establish, within 120 days, a plan to eliminate unnecessary collection and use of SSNs within 18 months. Generally, Personally Identifiable Information refers to information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, biometric records etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual such as date and place of birth, mother's maiden name, etc.

In response to the OMB memorandum, on September 28, 2007, SSA issued a plan to eliminate the unnecessary collection and use of SSNs. The following is an excerpt from the plan that relates to employees' SSN collection and use.

Many personnel-related activities require interagency operability. Executive Order 9397 requires federal agencies to use SSNs as numerical identifiers for individuals in most federal records systems. Therefore, until the Executive Order is partially rescinded, and the Office of Personnel Management (OPM) develops the Universal Employee Identifier (UEID), it is not efficient to create an interim replacement identifier for employees. However, SSA has taken steps to remove the SSN from several of its personnel forms and processes.

Payroll - Mainframe Time and Attendance System displays an employee's SSN only when it is initially being entered into the system. After initial entry, asterisks are used to hide the SSN and records are accessed by using an employee's name.

Training - Uses an employee personal identification number (PIN) (6 digit number assigned to employees for systems access) to log on to the national Interactive Video Training network. Prior to June 4, 2007, employees used their SSNs to log on to the system.

Career Development Program Application - The employee identifier will be converted from the SSN to the employee PIN by March 2008.

Labor Relations - Grievance Tracking - The current application which uses the SSN will be phased out by September 30, 2007. The replacement application uses a combination of name and locator.

Employee Suggestion Form - An online electronic process which does not use the SSN is used to process 92% of suggestions. Since electronic submission is voluntary and 8% of employees still use the paper form, the paper form was revised to eliminate the SSN in August 2007.

Employee Assistance Program (EAP) Client Database - The current application which uses the SSN will be phased out by December 31, 2007. The new application uses the SSN only to assign a case number which will be used throughout the process.

Equal Employment Opportunity (EEO) Complaints - A new version of the iComplaint system which masks the SSN with asterisks was implemented on July 28, 2007. The SSN is used to propagate the correct and appropriate personnel data for a given employee into the Human Resource Management Information System (HRMIS). Also, the vendor of iComplaints will make accommodations for the UEID in a future version.

The Office of Human Resources (OHR) has reviewed all SSA forms on the Human Resources internal website to determine necessary versus unnecessary use of the SSN and is making revisions to remove the SSN on the following forms:

o SSA-3948 - Request For Change to Part Time/Full-Time Employment - revision completed in June 2007
o SSA-1400 - Salary Recommendation - mid September 2007
o SSA-3555 - Employment Agreement - revision completed in August 2007
o SSA-71 - Application for Leave - mid November 2007

OHR determined that it is no longer necessary to collect the entire SSN on the following forms but it is still necessary to collect a part of the SSN so that the data can be associated with the correct individual. The SSN will be truncated (last four digits only) on the following forms:

o SSA-4392 - Nomination for SSA Honor Award - mid September 2007
o SSA-3136 - Application to Participate in the Leave Transfer Program - mid September 2007
o SSA-2770 - Information for Reporting Non-Receipt of Hard Copy Salary Check - revision completed in August 2007
o SSA-2771 - Information for Reporting Non-Receipt of Direct Deposit/ Electronic Fund Transfer (DD/EFT) Payments - revision completed in August 2007
o SSA-476 - Request for Official Correspondence Address - revision completed in August 2007
o SSA-171U3 - Recommendation for Monetary or Time Off Award - mid November 2007

SSA-5072 - Request for Medical Treatment - is directed to employees' physicians, a non-Federal population. The form has to go through the Office of Publications and Logistics Management (OPLM) process and since it is a form that goes out to the public, OPLM has to send it to OMB for review, which usually takes nine months. OHR submitted its request to change this form in June 2007; it does not have a completion target. In the interim, SSA's nurses are instructing employees to provide only the last four digits of their SSN prior to submitting it to their doctors. We have no control over what a physician's office needs so it is conceivable that the physician's office may require the full SSN. OHR is monitoring the process for compliance with the new instruction.

Employee Performance Plans

o SSA currently has two major systems in use, the Performance Assessment and Communication System (PACS) which was implemented in October 2006 and the Pass/Fail system which has been in use since 1995. Forms SSA-230, 231, 232 and 233 were created during the development of PACS to document employee performance. These forms collect the entire SSN. PACS was implemented in October 2006, as a web-based application which requires managers to input only the last four digits of an employee's SSN. The paper SSA-231, 232 and 233 forms are available to be used in rare instances in which a supervisor has to issue a rating, but cannot access the web-based system. OHR plans to revise these forms to collect only the last four digits of the SSN by December 2007.

o Some of the union contracts for a small portion of SSA employees still require SSA to use a Pass/Fail system. The Pass/Fail system uses the SSA-331 and SSA-332 to document employee performance. These forms collect the entire SSN. OHR is working on revising both of these forms to collect only the last four digits of the SSN. The revisions should be completed by mid November 2007.

OHR has had a number of internal discussions about removing or masking the SSN from other applications, but it is deferring action until OPM proceeds with the UEID.

Appendix G
Agency Comments

MEMORANDUM

Date: April 28, 2008

To: Patrick P. O'Carroll, Jr.
Inspector General

From: David V. Foster
Chief of Staff

Subject: Office of the Inspector General (OIG) Draft Report, "Follow-up: The Social Security Administration's Internal Use of Employees' Social Security Numbers" (A-13-07-27164)-INFORMATION

We appreciate OIG's efforts in conducting this review. Our response to the report findings and recommendation is attached.

Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "FOLLOW-UP: THE SOCIAL SECURITY ADMINISTRATION'S INTERNAL USE OF EMPLOYEES' SOCIAL SECURITY NUMBERS" (A-13-07-27164)

Thank you for the opportunity to review and comment on the draft report. Our response to the recommendation is provided below.

Recommendation 1
Continue removing or minimizing the use of these Social Security numbers (SSN) in our systems and forms.

Response
We agree. We will continue to remove or minimize the use of SSNs in our systems and forms wherever possible.

Appendix H
OIG Contacts and Staff Acknowledgments
OIG Contacts
Shirley E. Todd, Director, General Management Audit Division, (410) 966-9365
Randy Townsley, Audit Manager, (410) 966-1039
Acknowledgments
In addition to those named above:
Linda Webester, Auditor-in-Charge
Nicole Gordon, Auditor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-13-07-27164.

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Chief Counsel to the Inspector General (OCCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG's media and public information policies, directs OIG's external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG's strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.