Date: October 25, 2004
To: The Commissioner
From: Acting Inspector General
Subject: Performance Indicator Audit: Processing Time (A 02 04 14072)
We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 16 of the
Social Security Administration's performance indicators established to comply
with the Government Performance and Results Act. The attached final report presents
the results of two of the performance indicators PwC reviewed. For the performance
indicators included in this audit, PwC's objectives were to:
Test critical controls over the data generation and calculation processes for
the specific performance indicator,
Assess the overall adequacy, accuracy, reasonableness, completeness, and consistency
of the performance indicator and supporting data, and
Determine if each performance indicator provides meaningful measurement of the
program and the achievement of its stated objectives.
This report contains the results of the audit for the following indicators:
Average Processing Time for Initial Disability Claims (Disability Insurance
and Supplemental Security Income)
Average Processing Time for Hearings
Please provide within 60 days a corrective action plan that addresses each
recommendation. If you wish to discuss the final report, please call me or have
your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit,
at
(410) 965-9700.
Patrick P. O'Carroll, Jr.
OFFICE
OF
THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
PERFORMANCE
INDICATOR AUDIT:
PROCESSING TIME
October
2004
A-02-04-14072
AUDIT REPORT
Mission
We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.
MEMORANDUM
Date: October 12, 2004
To: Acting Inspector General
From: PricewaterhouseCoopers LLP
Subject: Performance Indicator Audit: Processing Time (A-02-04-14072)
The Government Performance and Results Act (GPRA) of 1993 requires the Social Security Administration (SSA) to develop performance indicators that assess the relevant service levels and outcomes of each program activity. GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance.
To enhance the practical use of performance information, the Office of Management and Budget (OMB), in collaboration with other Federal agencies, has developed the Program Assessment Rating Tool (PART), comprised of assessment criteria on program performance and management. The PART establishes a high, "good government" standard of performance and will be used to rate programs in an open, public fashion.
OBJECTIVE
For each performance indicator included in this audit, our objectives were to:
1. Test critical controls over the data generation and calculation processes
for the specific performance indicator.
2. Assess the overall adequacy, accuracy, reasonableness, completeness, and
consistency of the performance indicator and supporting data.
3. Determine if each performance indicator provides meaningful measurement of
the program and the achievement of its stated objectives.
We audited the following performance indicators as stated in the SSA Fiscal
Year (FY) 2003 Performance and Accountability Report (PAR):
Performance Indicator
FY 2003 Goal FY 2003 Reported Results
Average Processing Time for Initial Disability Claims (Disability Insurance
(DI) and Supplemental Security Income (SSI)) 104 Days 97 Days
Average Processing Time for Hearings (Days) 352 Days 344 Days
BACKGROUND
SSA oversees two disability programs: the DI and SSI programs. The DI program, authorized by Title II of the Social Security Act, provides income for eligible workers who have qualifying disabilities and for eligible members of their families before those workers reach retirement age. The SSI Program, authorized by Title XVI of the Social Security Act, was designed as a needs-based program to provide or supplement the income of aged, blind, and/or disabled individuals with limited income and resources.
To determine eligibility for both DI and SSI, the applicant must first file a disability claim with SSA. This is typically accomplished through an appointment or walk-in visit to one of SSA's approximately 1,300 field offices (FO). Interviews are conducted by a claims representative (CR) with the applicants via the telephone or in person to determine the applicant's non-medical eligibility on the basis of income, resources, and work history. Basic medical information concerning the disability, medical treatments, and identification of treating sources is also obtained. The claims representative inputs the applicant's information into the Modernized Claims System (MCS) for DI claims or the Modernized SSI Claims System (MSSICS) for SSI claims. A relatively minor number of DI and SSI cases are input through the SSA Claims Control System (SSACCS). The SSACCS is used to process claims that cannot be processed through MCS or MSSICS.
Upon meeting the non-medical eligibility requirements, SSA sends the DI and SSI claims file to a State Disability Determination Services (DDS) office. The DDS is responsible for determining claimants' disabilities and ensuring that adequate evidence is available to support its determinations. Once the DDS makes a disability determination, it inputs the disability determination information into the National Disability Determination Service System (NDDSS). It then notifies the FO, and a letter is sent informing the claimant of the determination and of his/her appeal rights. The NDDSS transmits the disability determination data to the appropriate applicant's records within MCS and the SSI Records Maintenance System (SSIRMS). The closure date is used in the processing time calculation.
Applicants whose initial disability determination is denied have 60 days from the date they are notified of the determination to file for reconsideration. If the claim is denied on reconsideration, they have 60 days from the date they are notified to request a hearing before an administrative law judge (ALJ) of the Office of Hearings and Appeals (OHA). (For additional detail of this process, refer to the flowcharts in Appendix C.)
RESULTS OF REVIEW
Average Processing Time for Initial Disability Claims (DI and SSI)
FY 2003 Goal: 104 days
Actual FY 2003 Performance: 97 days
SSA met the goal.
Indicator Background
The Work Management System (WMS) maintains claims data from MCS. The SSACCS
maintains its own claims data. When a determination is made for a DI claim,
the Management Information Initial Claims Record (MIICR) reads the clearance
information from the WMS or from the SSACCS. MIICR writes data for the completed
claim into the MIICR Master File, which creates a file of completed claims for
the week. MIICR also creates a monthly file of completed claims and produces
the monthly Field Office Initial Disability Claims Report - Processing Time.
When a determination is made for an SSI claim, an initial determination date
is posted to the Supplemental Security Record (SSR) by the DDS, and claim data
is forwarded to the SSI Claims Exception Control System. This system ensures
the claim data is complete before the data is sent to the SSI Claims Report
(SSICR), which is a process that compiles the claims data for inclusion in the
Field Office Initial SSI Blind & Disabled Claims Report - Processing Time.
(For additional detail of this process, refer to the flowcharts located in Appendix
C.)
SSA calculates the initial disability claims processing times (days) for inclusion
in the PAR by obtaining monthly figures from the Field Office Initial Disability
Claims Report - Processing Time and Field Office Initial SSI Blind & Disabled
Claims Report - Processing Time. These monthly figures are summed to obtain
a grand total of both the Title II and Title XVI processing time. (See the formulas
below.)
Total Processing Time for Title II and Title XVI claims
Sum of the 12 months (October 2002 through September 2003) processing times
for Title II and Title XVI claims
Similar to the Title II and Title XVI processing time, the total number of claims processed is obtained per the Field Office Initial Disability Claims Report - Processing Time and Field Office Initial SSI Blind & Disabled Claims Report - Processing Time on a monthly basis and manually recorded onto a spreadsheet. These monthly figures are summed to obtain a total of both the Title II and Title XVI claims processed. (See the formula below.)
Total Claims for Title II and Title XVI
Sum of the 12 months (October 2002 through September 2003) for Title II and
Title XVI claims
The formulas within the spreadsheet calculate the average processing time for DI and SSI for the year. The formula divides the total processing time for Title II and Title XVI claims by the total claims for Title II and Title XVI. (See the formula below.)
Average Processing Time for DI and SSI
Total Processing Time for Title II and Title XVI claims
Total Claims for Title II and Title XVI
Findings
We were unable to recalculate the results of this performance indicator as reported in the PAR. The detailed data used to calculate the Title XVI processing time was not readily available. The data was not archived, and recreating the data for this audit was not considered to be worth the cost. The Supplemental Security Income Processing Time (SSIPT) application replaced SSICR, the previous Title XVI processing time application, on October 1, 2003, so the FY 2003 SSICR data was not retained. The Title II detailed data was available for a rolling 56 day period, but similar to the Title XVI data, it was not archived. Accordingly, we selected and recalculated the Title II processing time for the month of June 2003. We concluded that the Title II processing time for the month of June 2003 was accurate.
SSA had not documented policies and procedures related to the formal process to collect, review and make available the performance indicator data to Agency management. OMB Circulars A-123 and A-127 provide guidance for the retention of this data. Documentation describing the automated and manual controls involved in the calculation and reporting of the performance indicator do not exist.
We tested the logical access controls for the Title II and Title XVI mainframe datasets used to calculate the indicator and found that a total of 17 SSA employees and contractors had the "All" access designation within the Top Secret security software to these datasets. This level of access would allow users to create, delete and update any of the data (or datasets) contained within the datasets we reviewed without appropriate review or approval of the changes. This level of access prevents SSA from ensuring the integrity of this production data. Additionally, by allowing employees and contractors to have the "All" access designation, SSA is not conforming to the principles of "least privileged access" or segregation of duties. SSA is in the process of completing the Standardized Security Profile Project (SSPP). The goal of this project is address the principles of "least privileged access."
All of the source code for the SSICR processing system had not been maintained. Therefore, if a failure is encountered, it is not possible to review the entire source code to identify and correct the error. SSICR was replaced by SSIPT on October 1, 2004.
An audit trail for transactions processed through the SSACCS was not produced or reviewed. Therefore, claims entered through the normal application process may not be correctly processed. Claims data may be altered, lost, or misidentified during input and incorrect, inconsistent, or unreasonable data may be accepted as valid for both the processing of the claim and as it is included in the indicator calculation.
The Title II and Title XVI processing times were combined for purposes of reporting in the PAR. Because processing times differ between the two programs, changes in the mix of cases may impact the combined processing time. Accordingly, if SSA chooses to report these results together, they should disclose in the PAR the impact of changes in the mix of cases on the combined processing time. This would result in a more accurate assessment of how the Agency is meeting its' goal to deliver high quality, citizen-centered service.
We noted from a selection of 45 applications that 1 of the 45 Title XVI application dates was not correctly input into the application date field within MSSICS. Specifically, the incorrect month was input into MSSICS. Data input errors from source documents may result in inaccurate or untimely data used to calculate the processing time.
Average Processing Time for Hearings (Days)
FY 2003 Goal: 352 days
Actual FY 2003 Performance: 344 days
SSA met the goal.
Indicator Background
The OHA administers the nationwide hearings and appeals program for SSA. OHA includes a nationwide field organization staffed with ALJs who conduct hearings and make decisions on appeals filed by claimants, their representatives, or providers-of-service institutions under the Social Security Act.
Following receipt of a request for a hearing (RH), the hearing office (HO) staff will conduct initial screening and case preparation that include the following tasks:
Acknowledge receipt of the RH.
Establish an HO case control record on the Hearing Office Tracking System (HOTS).
Determine if the RH is a valid request.
Determine if the RH was timely filed.
Determine if the HO has venue, i.e., if the claimant resides within the HO's
service area.
Create an HO file.
Request the claim file from the FO if it has not been received.
Upon completion of the above tasks, a hearing will be scheduled. The ALJ hearing generally includes the following:
Introductions.
Opening statement.
Oaths or affirmations.
Citation of the evidence.
Oral testimony.
Presentation of written or oral argument.
Closing statement.
The ALJ will complete a written decision unless the RH was not filed in a timely manner. The written decision is the final decision or recommended decision depending on the circumstances of the case. The ALJ updates HOTS to denote that a decision has been made on the case. The decision is input into HOTS by the master docket clerk and mailed to the claimant. The mail date is the end date in the processing time calculation.
Each of the HOs provides the respective regional office with the total processing days and dispositions for inclusion in the combined regional processing time calculation. The HOs send this data through email as a dbase file. The regional offices combine each of the hearing offices' processing times to obtain the total processing time at the regional level and send this data through email as a dbase file to the national OHA. The national OHA combines the regional offices' data to obtain the overall processing time. (See the formulas below.)
Total Processing Time for Hearings
Sum of the 12 months (October 2002 through September 2003) of the hearing offices'
processing time.
Total Dispositions for Hearings
Sum of the 12 months (October 2002 through September 2003) of dispositions for
hearings.
Average Processing Time for Hearings
Total Processing Time for Hearings
Total Dispositions for Hearings
A Plan Findings
We were unable to recalculate the processing time reported in the PAR. The detailed data used to calculate this performance indicator was not maintained or archived.
SSA had not documented policies and procedures related to the formal process to collect, review and make available the performance indicator data to Agency management. OMB Circulars A-123 and A-127 provide guidance for the retention of performance indicator data. Documentation describing the automated and manual controls involved in the calculation and reporting of the performance indicator do not exist.
We noted from a selection of 45 Medicare case files that 7 of 45 RH dates were not input into the HOTS Medicare application correctly. Data input errors from source documents result in inaccurate or untimely data used in processing.
During our testing, we noted that the HOTS application was replaced by the Case Processing and Management System (CPMS). However, Medicare cases will continue to be processed through the HOTS application after the implementation of CPMS. The data reported on the PAR will be reported from two different systems for FY 2004. We noted the following weaknesses within the HOTS application:
Security incident reports cannot be produced to track the occurrence of inappropriate
access to the data.
The password parameters do not require a minimum password length, or require
change of password.
The password parameters are listed in clear text in the password file and are
not required to be alphanumeric.
User ids are not locked out after a set number of failed login attempts, and
a password history for the user is not maintained.
There are three students that have supervisor access to the HOTS application.
This level of access does not follow the least privileged access principle.
Claims entered into HOTS can be re-opened.
An audit trail is not maintained for the HOTS application.
OHA at Falls Church, Virginia maintains a draft contingency plan which is being updated to address the current weaknesses. The plan has not been approved by SSA management. In the event of an emergency, the OHA Falls Church, Virginia location may not be able to recover its critical operations.
Our review of the Windows 2000 system that HOTS resides on identified 28 security and compliance issues. This review was conducted in accordance with the baseline established by the SSA Risk Model, National Institute of Standards and Technology (NIST), and Defense Information Security Agency (DISA). There are 8 issues that were contrary to the requirements of the SSA Risk Model and 20 other conditions that were contrary to existing government guidelines from NIST and the DISA Windows 2000 Security Checklist, version 3.1.11.
RECOMMENDATIONS
We recommend SSA:
1. Maintain the detailed data used to calculate the performance indicator results
that are reported in the PAR and ensure this data is readily available for examination
in accordance with OMB Circulars A-123 and A-127.
2. Maintain documentation that describes how the performance indicator goals
were established, document the policies and procedures used to prepare and report
the results of the performance indicators, and keep a complete audit trail.
Specific to the performance indicator, "Average Processing Time for Initial Disability Claims," we recommend SSA:
3. Ensure that SSA personnel do not have the ability, through inappropriate
access, to directly modify, create or delete the datasets used to calculate
the results of this indicator.
4. Maintain all source code for all applications used to calculate the performance
indicator.
5. Maintain an audit trail that captures the user id or terminal, date and time
of the transaction being processed. Policies and procedures should be created
to review the audit trail for inappropriate access to data or processing of
transactions.
6. Disclose the impact on the mix of Title II and Title XVI claims and its impact
on combined processing time results reported in the PAR.
7. Ensure the correct data is input into the Title XVI application.
For the recommendations stated below, SSA management should take corrective action over the HOTS system and ensure that these recommendations are addressed in the CPMS system. Specific to the performance indicator, "Average Processing Time for Hearings (Days)," we recommend SSA:
8. Ensure the correct data is input into the HOTS system.
9. Strengthen the security internal to the HOTS system to include security incident
reports to track inappropriate access to data.
10. Strengthen password parameters in HOTS to require users to change their
passwords every 60 days, to encrypt the passwords located in the user table,
to lockout a user after a set number of failed attempts, to create alphanumeric
passwords, and to maintain a password history.
11. Reserve supervisory access in HOTS as the highest level of access and be
granted on a least privileged basis.
12. Ensure claims that are required to be opened are logged and reviewed by
management.
13. Maintain an audit trail that captures the user id or terminal, date and
time of the transaction being processed. Policies and procedures should be created
to review the audit trail for inappropriate access to data or processing of
transactions.
14. Ensure that the contingency plan is completed and approved by management.
15. Ensure that Windows 2000 is configured to be in compliance with the SSA
Risk Model and government guidelines from NIST and the DISA Windows 2000 Security
Checklist, version 3.1.11.
AGENCY COMMENTS AND PwC RESPONSE
The Agency agreed with 10 of the 15 recommendations. In a general response unrelated to a specific recommendation, SSA stated that it disagreed with the conclusion that it had not documented polices and procedures related to the formal process to collect and review performance indicator data, noting several manuals as sources of such documentation. We agree that SSA management has documented several technical and user manuals related to the use and processing of SSA management information. However, SSA was unable to provide policies and procedures related to the specific processes to collect, review, and provide data for calculation of the performance indicators audited.
In disagreeing with recommendation 6, SSA stated that disclosing the impact of combining Title II and Title XVI cases when measuring processing times for disability claims is not always relevant to overall processing time and such a discussion would not be appropriate for inclusion in the PAR. It added that it would report in the PAR when the workload mix changes significantly enough to impact processing time overall. We believe that the differences between the two programs processing times are relevant and that the reader would be better informed if SSA disclosed the mix of Title II and Title XVI claims and its impact on combined processing time results reported in the PAR.
In disagreeing with recommendations 8 through 11, the Agency stated that HOTS has been replaced with CPMS, so the recommendations focused on strengthening HOTS are moot. Additionally, SSA stated that CPMS has implemented additional edits and that it is controlled by Top Secret Security profiles, which help to ensure that CPMS avoids the type of weaknesses noted in HOTS.
HOTS was the focus of our audit work of the hearings processing time indicator since it was the system used during our audit period. While CPMS will measure the majority of the hearings claims in the future, HOTS will continue to be used in the near-term to track OHA's Medicare workload. Recognizing the results for this indicator will be calculated using both HOTS and CPMS in the future, we believe that SSA management should take corrective action to strengthen the HOTS system and ensure that these recommendations are addressed in the CPMS system. SSA should take the steps necessary to ensure that the data collected to measure and report on hearings processing time is accurate and properly secured.
Finally, in agreeing with recommendation 15, SSA questioned whether it was required to adhere to the DISA standards. We recognize that there has not been a directive for non-Department of Defense agencies to follow DISA standards. However, the DISA guidelines are government industry recognized best practices for securing information systems environments. Accordingly, we recommend that SSA ensure that the Windows 2000 environment is configured to be in compliance with the SSA Risk Model and government guidelines from NIST and the DISA Windows 2000 Security Checklist, Version 3.1.11.
The full text of the Agency's comments is in Appendix D.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Process Flowcharts
APPENDIX D - Agency Comments
Appendix A
Acronyms
ALJ Administrative Law Judge
CE Consultative Exam
CPMS Case Processing Management System
CR Claim Representative
DDS Disability Determination Services
DI Disability Insurance
DISA Defense Information Security Agency
FO Field Office
FY Fiscal Year
GAO Government Accountability Office
GPRA Government Performance and Results Act
HO Hearing Office
HOTS Hearing Office Tracking System
MAR Monthly Activity Report
MBR Master Beneficiary Record
MCS Modernized Claims System
MIICR Management Information Initial Claims Record
MSSICS Modernized Supplemental Security Income Claims Systems
NDDSS National Disability Determination Service System
NIST National Information Security Technology
OHA Office of Hearings and Appeals
OMB Office of Management and Budget
OSM Office of Strategic Management
PAR Performance and Accountability Report
PART Program Assessment Rating Tool
RH Request for Hearing
SSA Social Security Administration
SSACCS Social Security Administration Claims Control System
SSI Supplemental Security Income
SSICR Supplemental Security Income Claims Report
SSIPT Supplemental Security Income Processing Time
SSIRMS Supplemental Security Income Records Maintenance System
SSR Supplemental Security Record
TSC Tele-Service Center
WMS Work Management System
Appendix B
Scope and Methodology
We updated our understanding of the Social Security Administration's (SSA) Government
Performance and Results Act (GPRA) processes. This was completed through research
and inquiry of SSA management. We also requested SSA to provide various documents
regarding the specific programs being measured as well as the specific measurement
used to assess the effectiveness and efficiency of the related program.
Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following, as applicable:
Reviewed prior SSA, Government Accountability Office, and other reports related
to SSA GPRA performance and related information systems.
Met with the appropriate SSA personnel to confirm our understanding of each
individual performance indicator.
Flowcharted the processes. (See Appendix C).
Tested key controls related to manual or basic computerized processes (e.g.,
spreadsheets, databases, etc.).
Conducted and evaluated tests of the automated and manual controls within and
surrounding each of the critical applications to determine whether the tested
controls were adequate to provide and maintain reliable data to be used when
measuring the specific indicator.
For those indicators with results that SSA determined using computerized data,
we assessed the completeness and accuracy of that data to determine the data's
reliability as it pertains to the objectives of the audit.
Identified and extracted data elements from relevant systems and obtained source
documents for detailed testing selections and analysis.
Identified attributes, rules, and assumptions for each defined data element
or source document.
As part of this audit, we documented our understanding, as conveyed to us by
Agency personnel, of the alignment of the Agency's mission, goals, objectives,
processes, and related performance indicators. We analyzed how these processes
interacted with related processes within SSA and the existing measurement systems.
Our understanding of the Agency's mission, goals, objectives, and processes
were used to determine if the performance indicators being used appear to be
valid and appropriate given our understanding of SSA's mission, goals, objectives
and processes. We followed all performance audit standards. In addition to the
steps above, we specifically performed the following to test the indicators
included in this report:
AVERAGE PROCESSING TIME FOR INITIAL DISABILITY CLAIMS (DISABILITY INSURANCE AND SUPPLEMENTAL SECURITY INCOME)
Audited the design and effectiveness of the SSA internal controls and the accuracy
and completeness of the data related to the following areas:
Ensured that the Date of Entitlement, Date of Filing, or Application Date were
accurately posted to the Master Beneficiary Record (MBR) or Supplemental Security
Record (SSR) by reviewing 45 initial disability insurance and supplemental security
income applications.
Ensured that the Disability Decision Date was accurately posted to the MBR or
SSR by reviewing 45 SSA 831-C3 forms within the case folders.
Observed the input of the Date of Entitlement, Date of Filing, or Application
Date in the field office.
Observed the input of the closure date in the Disability Determination Services.
Used a programming specialist to determine the adequacy of the programming logic
used by SSA to calculate the processing time for the Title II and Title XVI
initial disability claims.
Recalculated the Title II processing time for June 2003 and compared it to the
Title II processing time reported that month.
AVERAGE PROCESSING TIME FOR INITIAL HEARINGS (DAYS)
Audited the design and effectiveness of the SSA internal controls and the accuracy
and completeness of the data related to the following areas:
Ensured that the request for hearing date and mail date were accurately posted
to the Hearings Office Tracking System (HOTS) by reviewing 45 Administrative
Law Judge Medicare Case Folders for the request for hearing date and 45 Medicare
Transmittal of Decision or Dismissal by Office of Hearings and Appeal located
on form HA-505-1U3 for the mail date.
Observed the input of request for hearing date and mail date in the Medicare
hearing office.
Completed application control reviews over HOTS.
Completed a general computer control review as it relates to HOTS.
Determined the adequacy of the programming logic used by SSA to calculate the
processing time for the hearings.
Appendix C
Flowchart of Average Processing Time for Initial Disability Claims (DI and SSI)
Flowchart of Average Processing Time for Initial Disability Claims (DI and SSI)
cont.
Flowchart of Average Processing Time for Initial Disability Claims (DI and SSI)
cont.
Average Processing Time for Initial Disability Claims (DI and SSI)
Claimant contacts SSA through a field office (FO) visit, mail, or phone call
to the FO or tele-service center (TSC).
Through one of the above methods, SSA determines if the claimant is eligible
for Title II or Title XVI disability benefits.
If the claimant is not eligible for disability benefits, this process stops.
However if the claimant is eligible for disability benefits, their information
is recorded on the application forms and input into the Modernized Claims System
(MCS) for Title II benefits or into the Modernized Supplemental Security Income
Claims System (MSSICS) for Title XVI benefits.
The claimant's information is reviewed for non-medical eligibility and the effective
filing date is determined. Also, a non-medical determination is made if possible
and entered into the appropriate application.
A medical folder is created with form SSA-831 and is sent to the DDS.
Upon receipt, the DDS inputs the case on National Disability Determination Service
System (NDDSS), which interfaces with the appropriate Title II and Title XVI
applications.
DDS gathers and reviews medical evidence to make a medical determination. Additional
medical evidence is obtained from the claims examiner if needed.
DDS makes a medical determination and inputs the information into NDDSS and
on form SSA-831.
The claim is approved or denied as appropriate and the medical portion of the
determination is adjudicated.
The case is closed on NDDSS and the medical determination is transferred to
the appropriate Title II and Title XVI applications.
If the non-medical determination was not input prior to the DDS review, that
will occur.
The medical folder is filed.
For Title II claims, MCS updates the Work Management System (WMS) and form SSA-1418
updates the SSA Claims Control System (SSACCS) with claim information.
Management Information Initial Claims Record (MIICR) reads the claims information
from WMS and SSACCS.
MIICR writes the data for completed claims to the MIICR master file.
MIICR Edit creates a file of completed claims on a weekly basis.
MIICR Calculation computes the processing time and determines if the criteria
has been met on a monthly basis.
MIICR Sort sorts the data by component, office, etc. on a monthly basis.
MIICR Summary produces a record of the summarized number of days and counts
for each processing time for each office.
The Initial Disability Claims Report that includes overall processing time for
Title II claims is produced on a monthly basis.
For Title XVI claims, the SSR is updated with the initial determination date
and the claim is routed to the Exception Control.
The ZCXMAS file is created to re-circulate the data until the initial claims
are completed.
The ZCSTATS file is created when the end processing date is posted.
The ZSSICPT file is created to delivery the end of the line records or completed
claims to SIICR.
SSI Claims Report (SSICR) calculates the processing time and creates the processing
time report.
On a monthly basis, the overall processing time and total counts on the Initial
Disability Claims Report and Processing Time Report are input into an Excel
spreadsheet.
On an annual basis, the monthly processing times for Title II and Title XVI
are summed and the total monthly counts for Title II and Title XVI are summed.
The total processing time is divided by the count to produce the average number
of disability claims.
Flowchart of Average Processing Time for Hearings (Days)
Average Processing Time for Hearings (Days)
The claimant receives the determination.
The claimant may or may not request a hearing over the determination.
If the claimant requests a hearing, the request for hearing date is entered
into the HOTS application.
The ALJ may or may not conduct a hearing.
If the ALJ does not conduct a hearing, the claim is paid or dismissed.
Claimant receives the decision of the non-hearing in writing.
If a claimant does not receive a decision, a hearing is conducted by the ALJ.
ALJ makes a decision.
ALJ enters the decision into HOTS.
The clerk enters the disposition date and mail date into HOTS.
The decision letter is sent to the claimant.
The HOTS files from the regional office are sent to OHA and combined into HOTS.
The Monthly Activity Report (MAR) is produced by HOTS for the regional office.
The case load analysis report is processed by HOTS from the combination of the
monthly MARs provided by each of the regional offices. The case load analysis
contains the calculation of the processing time.
The MAR is posted to the SSA Intranet for review by the regional offices.
Appendix D
Agency Comments
SOCIAL SECURITY
MEMORANDUM
Date: October 1, 2004
To: Patrick P. O'Carroll, Jr.
Acting Inspector General
From: Larry W. Dye
Chief of Staff
Subject: Office of the Inspector General (OIG) Draft Report "Performance Indicator Audit: Processing Time" (A-02-04-14072)--INFORMATION
We appreciate OIG's efforts in conducting this review. Our comments on the draft report content and recommendations are attached.
Let me know if we can be of further assistance. Staff inquiries may be directed to Candace Skurnik, Director, Audit Management and Liaison Staff on extension 54636.
SSA Response
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT "PERFORMANCE INDICATOR AUDIT: PROCESSING TIME" (A-02-04-14072)
Thank you for the opportunity to review and comment on the draft report. We agree with the recommendations that improved documentation and identification of all processes used to compute the reported data are necessary.
We disagree with the statement on page 4 that "SSA had not documented policies and procedures related to the formal process to collect, review, and make available the performance indicator data to Agency management." The Management Information Manual (MIM) II Chapters 8000-9000 include procedures for the field office (FO) processing time and the MIM IV Chapters 4100-4200 include procedures for the Disability Determination Services (DDS) processing time under the Management Information Initial Claims Record (MIICR) and the Supplemental Security Income Claims Report systems. Under the Social Security Unified Management System (SUMS), we have documented procedures for Title XVI in the Supplemental Security Income Processing Time Users Guide (updated March 2004). The Agency is in the process of converting Title II from MIICR to SUMS and will include the documented procedures under SUMS when the conversion has been completed.
We disagree with the statements on page 5, paragraph 4, which support the recommendation to report separate processing times for Title II and Title XVI. The paragraph states that "processing times differ between the two programs." Were there programmatic or legal differences, we would agree that separate reporting would be relevant. However, the disability decision criteria, procedures, and evidentiary requirements are fundamentally the same for both programs. Thus, that there may be differing processing times between the titles is coincidental and irrelevant. Accordingly, we do not agree that providing details in the Performance and Accountability Report (PAR) about the mix of cases used in the calculation is relevant.
Our responses to the specific recommendations are provided below.
Recommendation 1
Maintain the detailed data used to calculate the performance indicator results that are reported in the PAR and ensure this data is readily available for examination in accordance with Office of Management and Budget (OMB) Circulars A-123 and A-127.
Response
We agree. We are currently evaluating the costs involved in maintaining data beyond what the Agency already stores to support its operations. Storing additional data and, where necessary, retired legacy systems, to replicate data outcomes may prove to be too costly. If that is the case, alternatives will be explored.
Recommendation 2
Maintain documentation that describes how the performance indicator goals were established, document the policies and procedures used to prepare and report results of the performance indicators, and keep a complete audit trail.
Response
We agree. We are currently determining the best approach for maintaining documentation about how performance indicators and related goals are established.
Recommendations--Performance Indicator:
Average Processing Time for Initial Disability Claims
Recommendation 3
Ensure that SSA personnel do not have the ability, through inappropriate access, to directly modify, create or delete the datasets used to calculate the results of this indicator.
Response
We agree. Work within the Standardized Security Profile Project (SSPP) has ensured that only an authorized batch job submitted through Control-M can directly modify, create, or delete the datasets used to calculate processing time for SSI Initial Disability Claims. SSPP work continues as SSA addresses remaining user accesses to ensure least privilege is exercised.
Recommendation 4
Maintain all source code for all applications used to calculate the performance indicator.
Response
We agree. ENDEVOR currently houses and maintains all source code related to this measure.
Recommendation 5
Maintain an audit trail that captures the user id or terminal, date and time of the transaction being processed. Policies and procedures should be created to review the audit trail for inappropriate access to data or processing of transactions.
Response
We agree. Auditing features will be activated on all update access secondary User IDs (the only User IDs that will allow update access) as we further refine update access privileges.
Recommendation 6
Disclose the impact on the mix of Title II and Title XVI claims and its impact on combined processing time results reported in the PAR.
Response
We disagree. The workload mix would not always be relevant to the overall processing time and would not be appropriate to include in the PAR. However, when the trend in the workload mix changes significantly enough to impact processing time overall, we will report the results in the PAR.
Recommendation 7
Ensure the correct data is input into the Title XVI application.
Response
We agree. The Agency currently takes proactive steps to ensure claims entered through the normal application process are correct. There are FO and DDS procedures for the processing and quality review of the initial disability claims for both Titles II and XVI. For example, the DDSs have documented procedures for preparing the final determination in POMS DI 26500 and documented guidelines for providing quality review in POMS DI 30001.
Recommendations--Performance Indicator: Average Processing Times for Hearings (Days)
Recommendation 8
Ensure the correct data is input into the HOTS system.
Response
We disagree. Since the Hearing Office Tracking System (HOTS) has been replaced with the Case Processing and Management System (CPMS), this recommendation is moot. Although CPMS cannot guarantee correct data input of 100 percent, CPMS has implemented additional edits that were not previously part of the HOTS system. These edits should better ensure the quality of the data within the CPMS database.
Recommendation 9
Strengthen the security internal to the HOTS system to include security incident reports to track inappropriate access to data.
Response
We disagree. Since HOTS has been replaced with CPMS, this recommendation is moot. We would note that access to CPMS is controlled by Top Secret Security profiles. Individual profiles are managed by SSA component security officials. Security violations are written to an audit tracking file. These records include identifying information on the user who attempted access and the SSN they were trying to access.
Although HOTS will continue to be used for tracking OHA's Medicare workload, that is an interim workload, which we anticipate being transferred to the Centers for Medicare & Medicaid Services (CMS) by the end of fiscal year (FY) 2005.
Recommendation 10
Strengthen password parameters in HOTS to require users to change their passwords every 60 days, to encrypt the passwords located in the user table, to lockout a password after a set number of failed attempts, to create alphanumeric passwords, and to maintain a password history.
Response
See response to Recommendation 9. Again, we note that CPMS utilizes SSA's Enterprise Security Interface (ESI). The issues raised are addressed by ESI.
Recommendation 11
Reserve supervisory access in HOTS as the highest level of access and be granted on a least privileged basis.
Response
See response to Recommendation 9.
Recommendation 12
Ensure claims that are required to be opened are logged and reviewed by management.
Response
We agree. CPMS adheres to the Agency's standards for security, access and passwords. Accordingly, the concern stated above is addressed by using these standards. Further, we note however, for non-Medicare cases, CPMS does not allow reopening of cases.
Recommendation 13
Maintain an audit trail that captures the user id or terminal, date and time of the transaction being processed. Policies and procedures should be created to review the audit trail for inappropriate access to data or processing of transactions.
Response
See responses to Recommendations 5 and 12.
Recommendation 14
Ensure that the contingency plan is completed and approved by management.
Response
We agree. As the report notes, there is a draft plan maintained by OHA, Falls Church. It is currently in the review process.
Recommendation 15
Ensure that Windows 2000 is configured to be in compliance with the SSA Risk Model and government guidelines from NIST and the DISA Windows 2000 Security Checklist, Version 3.1.11.
Response
We agree in part. We agree that WINDOWS 2000 should be configured to be in compliance with the Risk Model. SSA's monitoring program scans for noncompliance and configurations are corrected, where needed. We will re-review National Institute of Standards and Technology (NIST) Guidelines ensure that we have incorporated all practicable elements into our Risk Model.
Regarding the inclusion of Defense Information Systems Agency (DISA) guides in the recommendation, DISA is charged with providing total information systems management for the Department of Defense (DoD). Its charter has always been focused on DoD service. There has not been a directive for non-DoD agencies to follow DISA standards. SSA complies with all regulations and guidance issued by NIST and OMB. These are the requirements that guide civilian agencies. SSA will continue to comply with all directives for information systems security management issued for the civilian sector. Occasionally, SSA elects to follow a DISA standard and adopts it as a best practice for the Agency. But, this is not required; it is just an example of SSA's diligence in protecting systems and data.
[SSA also provided technical comments, which have been addressed in this report, as needed.]
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations
(OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General
(OCCIG), and Office of Executive Operations (OEO). To ensure compliance with
policies and procedures, internal controls, and professional standards, we also
have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social
Security Administration's (SSA) programs and operations and makes recommendations
to ensure program objectives are achieved effectively and efficiently. Financial
audits assess whether SSA's financial statements fairly present SSA's financial
position, results of operations, and cash flow. Performance audits review the
economy, efficiency, and effectiveness of SSA's programs and operations. OA
also conducts short-term management and program evaluations and projects on
issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste,
abuse, and mismanagement in SSA programs and operations. This includes wrongdoing
by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as OIG liaison to the Department of
Justice on all matters relating to the investigations of SSA programs and personnel.
OI also conducts joint investigations with other Federal, State, and local law
enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Executive Operations
OEO supports OIG by providing information resource management and systems security.
OEO also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OEO is the focal point for OIG's strategic
planning function and the development and implementation of performance measures
required by the Government Performance and Results Act of 1993.