OFFICE
OF
THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
ADMINISTRATIVE
COSTS CLAIMED
BY THE UTAH DISABILITY
DETERMINATION SERVICES
March
2009
A-07-09-19005
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
MEMORANDUM
Date: March 30, 2009
To: Martha Lambie
Acting Regional Commissioner Denver
From: Inspector General
Subject: Administrative Costs Claimed by the Utah Disability Determination Services (A-07-09-19005)
OBJECTIVE
Our objectives were to evaluate the Utah Disability Determination Services' (UT-DDS) internal controls over the accounting and reporting of administrative costs, determine whether costs claimed by the UT-DDS were allowable and properly allocated and funds were properly drawn, and assess limited areas of the general security controls environment. Our audit included the administrative costs claimed by the UT-DDS during Federal Fiscal Years (FY) 2006 and 2007.
BACKGROUND
The Disability Insurance (DI) program, established under Title II of the Social Security Act (Act), provides benefits to wage earners and their families in the event the wage earner becomes disabled. The Supplemental Security Income (SSI) program, established under Title XVI of the Act, provides benefits to financially needy individuals who are aged, blind, and/or disabled.
The Social Security Administration (SSA) is responsible for implementing policies for the development of disability claims under the DI and SSI programs. Disability determinations under both DI and SSI are performed by disability determination services (DDS) in each State and other responsible jurisdictions. Such determinations are required to be performed in accordance with Federal law and underlying regulations. In carrying out its obligation, each DDS is responsible for determining claimants' disabilities and ensuring adequate evidence is available to support its determinations. To assist in making proper disability determinations, each DDS is authorized to purchase medical examinations, X rays, and laboratory tests on a consultative basis to supplement evidence obtained from the claimants' physicians or other treating sources.
SSA reimburses the DDS for 100 percent of allowable reported expenditures up to its approved funding authorization. The DDS withdraws Federal funds through the Department of the Treasury's (Treasury) Automated Standard Application for Payments system to pay for program expenditures. Funds drawn down must comply with Federal regulations and intergovernmental agreements entered into by Treasury and States under the Cash Management Improvement Act of 1990.
An advance or reimbursement for costs under the program must comply with Office of Management and Budget Circular A 87, Cost Principles for State, Local, and Indian Tribal Governments. At the end of each quarter of the FY, each DDS is required to submit a State Agency Report of Obligations for SSA Disability Programs (SSA 4513) to account for program disbursements and unliquidated obligations. The SSA-4513 reports expenditures and unliquidated obligations for Personnel Service Costs, Medical Costs, Indirect Costs, and All Other Nonpersonnel Costs.
The Utah State Office of Rehabilitation is the UT-DDS' parent agency. The UT-DDS is located in Salt Lake City, Utah.
RESULTS OF REVIEW
Our evaluation of the UT-DDS' controls over the accounting and reporting of administrative costs disclosed that improvements were needed in the Medical Cost process. Specifically, the UT-DDS made duplicate payments for consultative examinations (CE) and medical evidence of record (MER), reimbursed CE providers at a rate that exceeded the maximum rate allowed under Federal regulations, did not follow its established criteria for incentive payments to CE providers, and needed to improve its controls over the CE provider sanction process. Other costs claimed by the UT-DDS during our audit period were allowable, properly allocated, and funds were properly drawn.
Regarding general security controls, we found the UT-DDS needed to improve its computer inventory controls. We also found the UT-DDS' security plan was incomplete, disaster recovery plan (DRP) had not been tested, spare office key management lacked controls, and computer system back-up data were not stored off-site.
DUPLICATE MEDICAL PAYMENTS
During our audit period, the UT-DDS made duplicate CE and MER payments totaling $6,280. Federal regulations provide that SSA "…will give the State funds…for necessary costs in making disability determinations…." Duplicate payments do not represent a necessary cost. According to the UT-DDS, the duplicate payments may have occurred because invoice payment authorizations were cancelled and subsequently reauthorized for payment without the UT-DDS first verifying a payment had been made. For example, if a vendor contacts the UT-DDS alleging nonpayment of an invoice, the UT-DDS can cancel the original authorization and reauthorize the invoice for payment. If the original invoice was paid, a duplicate payment could result. We recommend SSA instruct the UT-DDS to refund $6,280 in duplicate payments and establish procedures that prevent future duplicate medical payments.
EXCESSIVE CE COSTS
During FY 2006, the UT-DDS spent $4,248 in excessive CE fees. The excessive fees occurred because the UT-DDS reimbursed medical providers at a payment rate that exceeded the maximum rate paid by Federal or other agencies in the State for one type of CE. Specifically, for lumbar spine X rays the UT-DDS' rate of payment exceeded the rate paid by the Utah State Office of Rehabilitation.
CE Amount DDS Paid Highest Allowable Fee Number of Exams Purchased in FY 2006
Excess Fees
Lumbar Spine
X ray $90 $54 118 $4,248
Federal regulations require that each State determine the payment rates for medical or other services necessary to make determinations of disability. The rates may not exceed the highest rate paid by Federal or other agencies in the State for the same or similar types of service. Further, the State is responsible for monitoring the rates of payment for medical and other services to ensure the rates do not exceed the highest rate paid by Federal or other agencies in the State. We recommend SSA determine whether it was necessary for the UT-DDS to exceed the highest allowable fee to obtain lumbar spine X rays. If SSA determines it was not necessary for the UT-DDS to exceed the highest allowable rate of payment, it should take appropriate action, such as instructing the UT-DDS to refund the excess CE payments and limiting future CE rates of payment to the highest allowable fee.
INCENTIVE PAYMENTS
During our audit period, the UT-DDS made incentive payments to CE providers that were not in accordance with its own policy. SSA policy states that medical provider contracts should require time standards for the receipt of reports, including incentive provisions. According to UT-DDS policy, an incentive payment of $20 is made to CE providers if the CE report was received within 10 days of the date of the CE. For 18 of the 47 incentive payments we reviewed, the CE report was not received within 10 days. Therefore, the UT-DDS' failure to follow its policy resulted in improper incentive payments. We recommend SSA remind the UT-DDS to follow its established policy for incentive payments.
SANCTION LISTING
The UT-DDS did not review the Health and Human Services, Office of Inspector General (HHS/OIG) List of Excluded Individuals/Entities (LEIE) to ensure CE providers it intended to use were not barred from participation in any Federal or federally assisted program. The UT-DDS is at-risk of contracting with CE providers whose services have been sanctioned by other Federal agencies if it does not review the HHS/OIG sanction listing. SSA policy indicates that a qualified medical source must not be barred from participation in Federal programs. Also, underlying SSA procedures require that, before using the services of any CE provider, DDSs must review the LEIE for each CE provider and then at least annually.
The UT-DDS stated it was unaware of the requirement to review the HHS/OIG sanction
listing. Since learning of this requirement, the UT-DDS stated it will begin
using the HHS/OIG sanction listing. We recommend SSA instruct the UT-DDS to
review the HHS/OIG sanction listing to verify current CE providers are not sanctioned
from participation in any Federal or federally assisted program. We also recommend
SSA instruct the UT-DDS to review the HHS/OIG sanction listing as part of its
CE provider background check process.
INVENTORY CONTROLS
The UT-DDS did not maintain accurate and complete inventory records of computer equipment. Specifically, SSA-purchased computer equipment was not included in the official State inventory listing, and three surplus laptop computers were not listed in the State surplus equipment system. Not maintaining adequate inventory records hinders detection of stolen or misplaced equipment. SSA policy requires that all sensitive equipment be inventoried, , and SSA's definition of sensitive equipment includes computers. The UT-DDS did not record SSA-purchased computer equipment in the official State inventory system because, according to State policy, anything with a purchase value of less than $5,000 did not have to be on the fixed-asset inventory. We recommend SSA instruct the UT-DDS to work with its parent agency to ensure the SSA-purchased computer equipment is tracked with an inventory system that complies with the policies of SSA.
INCOMPLETE SECURITY PLAN
The UT-DDS' security plan did not adhere to SSA's policy requiring an eight-part security plan, with each part containing specific information. Because SSA's policy for an eight-part security plan was not followed, essential information was missing from the UT-DDS' security plan.
Specifically, the UT-DDS security plan was missing
1. a schedule on how new employees and contractors are trained;
2. instructions for the comprehensive integrity review process;
3. a description of SSA and UT-DDS responsibilities and a description of workload and workflow of the UT-DDS;
4. documented local resources needed to operate the UT-DDS in the event of a disaster; and
5. documented procedures for its review of the software lists/logs created from monitoring UT-DDS users.
Because the security plan is incomplete, there is a risk that critical business processes are not protected or will not recover timely in the event of a disaster. A delay in creating a complete security plan could result in a longer recovery period following a catastrophic event. The UT-DDS stated it was unaware of SSA's security plan requirements. We recommend SSA work with the UT-DDS to ensure a security plan meeting SSA requirements is completed timely.
DISASTER RECOVERY PLAN NOT TESTED
The UT-DDS' DRP was not tested as set forth in SSA policy. The DRP documents DDS data and personnel information involved in restoring system operations that are vital to disaster recovery. As a result of not testing the DRP, there was a risk that critical business processes were not protected or would not recover timely in the event of a disaster. The UT-DDS did not have policies in place to ensure the testing of the DRP. The UT-DDS' delay in testing the DRP could result in a longer recovery period following a catastrophic event. We recommend SSA work with the UT-DDS to ensure the DRP is tested timely.
KEY MANAGEMENT
The UT-DDS did not have a system to log spare office keys. In fact, the keys were kept in an unlocked drawer. Stolen or misplaced office keys could go undetected without adequate internal controls over office keys. This also creates a risk of unauthorized access to sensitive SSA information and systems and the interruption of service if the systems are compromised. SSA policy states that office keys should be logged to control their distribution. The UT-DDS Security Officer stated he was not aware of the requirement. We recommend SSA instruct the UT-DDS to maintain a log of all spare office keys.
BACK-UP FILES
Back-up data from the UT-DDS' computer system were not stored off-site. Although the UT-DDS had taken precautions to store the back-up tapes in a fireproof container, there remained a risk that the back-up data may be destroyed or be inaccessible under certain conditions.
SSA security guidelines highly recommend that a copy of back-up data files be stored off-site. UT-DDS personnel stated that because they do not have encryption software to back up of the computer system's data, they would prefer not to move these tapes off-site. However, additional DDS security guidelines permit the use of password protection to safeguard back-up media if encryption is not possible. We recommend the UT-DDS work with SSA to determine whether it is feasible to encrypt or password-protect the back-up tapes for off-site storage. If the DDS is unable to encrypt or password-protect the back-up tapes, the regional office should ensure the back-up tapes are adequately protected while on-site at the UT-DDS.
CONCLUSION AND RECOMMENDATIONS
Our evaluation of the UT-DDS' controls over the accounting and reporting of administrative costs disclosed that improvements were needed in the Medical Cost process. Specifically, the UT-DDS made duplicate payments for CE and MER, reimbursed CE providers at a rate that exceeded the maximum rate allowed under Federal regulations, did not follow its established criteria for incentive payments to CE providers, and needed to improve its controls over the CE provider sanction process. Other costs claimed by the UT-DDS during our audit period were allowable, properly allocated, and funds were properly drawn.
Regarding general security controls, we found the UT-DDS needed to improve its computer inventory controls. We also found the UT-DDS' security plan was incomplete, DRP had not been tested, spare office key management lacked controls, and computer system back-up data were not stored off-site.
We recommend the SSA Acting Regional Commissioner:
1. Instruct the UT-DDS to refund $6,280 in duplicate payments and establish procedures that prevent future duplicate medical payments.
2. Determine whether it was necessary for the UT-DDS to exceed the highest allowable fee to obtain lumbar spine X rays. If SSA determines it was not necessary for the UT DDS to exceed the highest allowable rate of payment, it should take appropriate action, such as instructing the UT-DDS to refund the excess CE payments and limiting future CE rates of payment to the highest allowable fee.
3. Remind the UT-DDS to follow its established policy for incentive payments.
4. Instruct the UT-DDS to review the HHS/OIG sanction listing (a) to verify current CE providers are not barred from participation in any Federal or federally assisted program and (b) as part of its CE provider background check process.
5. Instruct the UT-DDS to work with its parent agency to ensure the SSA-purchased computer equipment is tracked with an inventory system that complies with the policies of SSA.
6. Work with the UT-DDS to ensure (a) a security plan meeting SSA requirements is completed timely and (b) the DRP is tested timely.
7. Instruct the UT-DDS to maintain a log of all spare office keys.
8. Work with the UT-DDS to determine whether it is feasible to encrypt or password-protect the back-up tapes for off-site storage. If the UT-DDS is unable to encrypt or password-protect the back-up tapes, SSA should ensure the back-up tapes are adequately protected while on-site at the UT-DDS.
AGENCY COMMENTS
SSA and the UT-DDS agreed with our recommendations. See Appendices C and D, respectively, for the full text of SSA and UT-DDS' comments.
OTHER MATTER
Personally Identifiable Information
The UT-DDS routinely disclosed disability claimants' personally identifiable information (PII) to vendors. The UT-DDS processes over 14,000 disability determinations each FY. During the disability determination process, the UT-DDS purchases services including CE, MER and claimant travel. Our review of medical and applicant travel invoices revealed these documents contained PII including name, address, date of birth, and Social Security number (SSN). Although we have no reason to believe this information was abused, this practice could result in abuse of claimant's PII.
Federal guidance dictates that agencies should reduce their current holdings
of all PII to the minimum necessary for the proper performance of a documented
agency function. Agencies must also review their use of SSNs in agency systems
and programs to identify instances in which collection or use of the SSN is
superfluous.
On October 5, 2007, SSA's Office of Disability Determinations informed regional
offices that DDS' should review their processes to eliminate the use of the
SSNs on correspondence where possible. Given the prevalence of identity theft,
we encourage the Utah State Office of Rehabilitation and UT-DDS to take steps
to limit the disclosure of PII (in particular, redact or truncate claimants'
SSNs) in all third-party correspondence.
Patrick P. O'Carroll, Jr.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Agency Comments
APPENDIX D - State Agency Comments
APPENDIX E - OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
Act Social Security Act
AIMS Administrative Instructions Manual System
CE Consultative Examination
C.F.R. Code of Federal Regulations
DDS Disability Determination Services
DI Disability Insurance
DRP Disaster Recovery Plan
FY Fiscal Year
HHS Health and Human Services
LEIE List of Excluded Individuals/Entities
MER Medical Evidence of Record
MRM Materiel Resources Manual
OIG Office of the Inspector General
PII Personally Identifiable Information
POMS Program Operations Manual System
Pub. L. No. Public Law Number
SSA Social Security Administration
SSA-4513 State Agency Report of Obligations for SSA Disability Programs
SSI Supplemental Security Income
SSN Social Security Number
Treasury Department of the Treasury
U.S.C. United States Code
UT-DDS Utah Disability Determination Services
Appendix B
Scope and Methodology
SCOPE
To achieve our objective, we:
Reviewed applicable Federal laws and regulations, pertinent parts of the Social Security Administration's (SSA) Program Operations Manual System and other criteria relevant to administrative costs claimed by the Utah Disability Determination Services (UT-DDS), and the draw down of SSA program appropriations.
Interviewed staff at the Utah State Office of Rehabilitation and the UT-DDS.
Reviewed State policies and procedures related to personnel, medical services, and all other nonpersonnel costs.
Evaluated, tested, and documented internal controls regarding accounting, financial reporting, and cash management activities.
Reconciled State accounting records to the administrative costs reported by the UT-DDS on the State Agency Report of Obligations for SSA Disability Programs (SSA-4513) for Federal Fiscal Years (FY) 2006 and 2007.
Examined specific administrative expenditures (Personnel, Medical Services, and All Other Nonpersonnel Costs) incurred and claimed by the UT-DDS for FYs 2006 and 2007 on the SSA-4513. We used statistical sampling to select expenditures to test for support of the Medical Service and All Other Nonpersonnel Costs, as discussed below.
Examined the indirect costs claimed by UT-DDS for FYs 2006 and 2007.
Compared the amount of SSA funds drawn to support program operations to the expenditures reported on the SSA-4513.
Determined whether selected funds from cancelled warrants were properly returned to SSA.
Determined whether unliquidated obligations were properly supported.
Reviewed the UT-DDS' general security control.
Reviewed Office of Management and Budget guidance related to safeguarding personally identifiable information.
We determined the data provided by the State Office of Rehabilitation and UT DDS used in our audit were sufficiently reliable to achieve our audit objectives. We assessed the reliability of the data by reconciling them with the costs claimed on the SSA 4513. We also conducted detailed audit testing on selected data elements in the electronic data files.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We conducted fieldwork from March through October 2008.
METHODOLOGY
SAMPLING METHODOLOGY
The sampling methodology encompassed the four general areas of costs reported on the SSA-4513: (1) Personnel, (2) Medical, (3) Indirect, and (4) All Other Nonpersonnel Costs. We obtained a data extract of all costs and the associated invoices for FYs 2006 and 2007 for use in statistical sampling. This was obtained from the accounting systems used in the preparation of the SSA-4513.
Personnel Costs
We randomly selected one pay period, with a pay period end date of October 20, 2006, for review. We then selected a random sample of 50 regular employees for review and testing of the payroll records. For medical consultant costs, we also selected the pay period end date of October 20, 2006, for review. We then selected all 18 medical consultants for review and testing of the payroll records.
Medical Costs
We sampled 100 items (50 items from each of FYs 2006 and 2007) using a stratified random sample of medical costs based on the proportion of medical evidence of record and consultative examination costs to the total medical costs claimed.
Indirect Costs
UT-DDS indirect costs are computed by applying a federally approved rate to a cost base. This methodology was approved by the U.S. Department of Education, which is the Federal agency designated to negotiate and approve the indirect cost rate. On the final SSA-4513s, the UT-DDS claimed indirect costs of $572,380 for FY 2006 and $640,195 for FY 2007. We reviewed the FY 2006 and 2007 indirect cost calculations to ensure the correct rate was applied.
All Other Nonpersonnel Costs
We sampled 105 items (53 expenditures from FY 2006 and 52 from FY 2007) using
a stratified random sample. The random sample was based on the proportion of
costs in each of the cost categories to the total costs claimed.
Appendix C
Agency Comments
Wed Mar 18, 2009
Signed Formal Draft Report (A-07-09-19005) - Denver's Reply
Patrick,
Thank you for the opportunity to review the draft report, "Administrative
Costs Claimed by the Utah Disability Determination Services" (A-07-09-19005)
#22008026. The Utah DDS has responded to the specific recommendations, a copy
of which is attached. The Social Security Administration (Denver Regional Office)
is establishing timelines to ensure all actions are completed. Following are
our comments on the specific findings:
1. Instruct the UT-DDS to refund $6,280 in duplicate payments and establish
procedures that prevent future duplicate medical payments.
Comment: The DDS has already taken steps to prevent this situation from happening
in the future, as outlined in the attached response from Utah. The DDS is planning
on refunding this amount by using the ASAP system and filing corrected forms
SSA-4513 for the fiscal years involved. We require additional information from
the auditors on how the amount requested should be divided between Fiscal Years
2006 and 2007. This information should be added to the OIG report.
2. Determine whether it was necessary for the UT-DDS to exceed the highest allowable
fee to obtain lumbar spine x-rays. If SSA determines it was not necessary for
the UT-DDS to exceed the highest allowable rate of payment, it should take appropriate
action, such as instructing the UT-DDS to refund the excess CE payments and
limiting future CE rates of payment to the highest allowable fee.
Comment: We support the actions of the Utah DDS regarding these fees. The Utah
DDS CE Fee Schedule was reviewed and approved by Social Security. Our regional
office fiscal analyst approved the fees charged for lumbar spine X rays as being
necessary; the DDS should not be asked to refund the amount recommended in the
audit. In the future, the Utah DDS will use the fee schedules of the Utah State
Office of Rehabilitation and the Utah Department of Health & Workforce Services.
Use of these schedules will limit future CE rates to the highest allowable fee.
Since the questionable costs were based on fee schedules approved by Social
Security, refund of the $4,248 is not being requested.
3. Remind the UT-DDS to follow its established policy for incentive payments.
Comment: Completed; Utah DDS reminded of the importance of following established
policy.
4. Instruct the UT-DDS to review the HHS/OIG sanction listing (a) to verify
current CE providers are not barred from participation in any Federal or federally
assisted program and (b) as part of its CE provider background check process.
Comment: the Utah DDS has begun reviewing sanction listings when evaluating
prospective CE providers. The Social Security Administration (Denver Regional
Office) will work with the Utah DDS to ensure current CE providers are not on
the sanction list. The Denver Regional Office will control for completion.
5. Instruct the UT-DDS to work with its parent agency to ensure the SSA-purchased
computer equipment is tracked with an inventory system that complies with the
policies of SSA.
Comment: The Utah DDS will include SSA purchased equipment, including equipment
currently in the DDS, in the Parent Agency inventory system. The Denver Regional
Office will control to ensure completion.
6. Work with the UT-DDS to ensure (a) a security plan meeting SSA requirements
is completed timely and (b) the DRP is tested timely.
Comment: The Utah DDS is revising their Security Plan to meet SSA requirements
and will perform appropriate tests. Please refer to Utah's response for specific
features that will be included in the revised plan. The Denver Regional Office
will control for completion.
7. Instruct the UT-DDS to maintain a log of all spare office keys.
Comment: The Utah DDS is now logging spare keys and housing those in a locked
drawer.
8. Work with the UT-DDS to determine whether it is feasible to encrypt or password
protect the back-up tapes for off-site storage. If the DDS is unable to encrypt
or password-protect the back-up tapes, SSA should ensure the back-up tapes are
adequately protected while on-site at the UT-DDS.
Comment: The Utah DDS is working with SSA to encrypt or password protect these
tapes. The Denver Regional Office will control for completion.
9. Other Matter: "[W]e encourage the Utah State Office of Rehabilitation
and UT-DDS to take steps to limit the disclosure of PII (in particular, redact
or truncate claimants' SSNs) in all third-party correspondence."
Comment: Social Security will work with the Utah DDS to reduce their current
holdings of PII to the minimum necessary for the proper performance of a documented
agency function.
Please let me know if you need additional information. Staff questions may be
directed to Susan Neitzert, Center for Disability, at (303) 844-7100.
Martha Lambie
Acting Regional Commissioner, Denver
Appendix D
State Agency Comments
February 24, 2009
Patrick P. O'Carroll, Jr.
Inspector General
Social Security Administration
Baltimore, Maryland 21235-0001
As requested in your letter of February 20, 2009 regarding the audit of the Utah Disability Determination Services, please find below our comments regarding the recommendations in the report. We would like to thank Doug Kelly and Nick Moore for a very comprehensive and fair evaluation of the administrative costs claimed by the Utah DDS.
Duplicate Medical Payments
All requests for warrant reviews and payment reviews are now handled by a single
individual. This person is responsible for making sure that the vendors are
listed properly for payment and that if payment is made correctly. It is the
usual practice to obtain a copy of the warrant in question before any new or
additional payment is authorized. At this point in time with the electronic
system we now use it is a very low probability that duplicate payments are made.
The switch to a single person to insure a correct payment process was instituted
to address the prior possibility of missed and duplicate payments.
Excessive CE Costs.
Since 1994, the Utah DDS Fee Schedule has been reviewed and approved by the
Regional Office. In the future it is planned to primarily use the fee schedule
of the Utah State Office of Rehabilitation for laboratory and x-ray tests, and
the Utah Department of Health and Department of Workforce Services fee schedule
for physical and mental testing as the maximum amount we will pay unless we
receive approval through our Regional Office. Whenever possible, DDS will continue
to try to pay under maximum allowed. Two fee schedules are required since the
Utah State Office of Rehabilitation does not have many of the physical and mental
CE's DDS orders on their fee schedule.
Incentive Payments
Utah DDS had a process in place during the audit period that would allow for
holiday and weekend days for the receipt of records, allowing initial 1-2 day
leeway for reports to come in by mail for these days. DDS also had a process
where multiple people were paying CE payments. To address these potential sources
of error, the CE payments are completed by one individual who is primarily responsible
for CE payments, one other individual who is a backup, and a support payment
person. After reviewing current policy, it was decided to revise policy to allow
payment of the early reporting fees to reports received within 12 calendar days
after the examination so there is no question about timeframes.
Sanction Listing
DDS will include the HHS/OIG sanction listing as part of the provider background
check process.
Inventory Controls
This has been discussed with the parent agency and DDS will include the SSA
purchased computer equipment and be tracked by the parent agency inventory system.
Incomplete Security Plan
The Utah DDS Security Plan will be revised to include all of SSA's security
plan requirements and specifically address:
1. a schedule on how new employees and contractors are trained;
2. instructions for the comprehensive integrity review process;
3. a description of SSA and UT-DDS responsibilities and a description of workload
and workflow of the UT-DDS;
4. documented local resources needed to operate the UT-DDS in the event of a
disaster;
5. documented procedures for its review of the software lists/logs created from
monitoring UT-DDS users.
Disaster Recovery Plan Not Tested
The Utah DDS Disaster Recovery Plan will be tested according to SSA requirements
specifically including policies to insure the timely testing of the Utah DRP.
Key Management
The Utah DDS now has and will maintain a log of all spare office keys and the
spare keys will be kept in a locked desk drawer. This was facilitated by a move
to a new facility in late October 2008 which has allowed DDS to start from scratch
on key management.
Back-up Files
The Utah DDS will work with the regional office to either encrypt or password-protect
back-up tapes for off-site storage or to ensure back-up tapes are adequately
protected while on-site at the Utah DDS. Since the audit, the Utah DDS has moved
to a new facility which has significantly increased the adequacy of on-site
storage.
Donald R. Uchida
Executive Director
Appendix E
OIG Contacts and Staff Acknowledgments
OIG Contacts
Mark Bailey, Director, Kansas City Audit Division
Ron Bussell, Audit Manager, Kansas City Audit Division
Acknowledgments
In addition to those named above:
Doug Kelly, Auditor-in-Charge
Nick Moore, Auditor
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number A-07-09-19005.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit
(OA), Office of Investigations (OI), Office of the Counsel to the Inspector
General (OCIG), Office of External Relations (OER), and Office of Technology
and Resource Management (OTRM). To ensure compliance with policies and procedures,
internal controls, and professional standards, the OIG also has a comprehensive
Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration's
(SSA) programs and operations and makes recommendations to ensure program objectives
are achieved effectively and efficiently. Financial audits assess whether SSA's
financial statements fairly present SSA's financial position, results of operations,
and cash flow. Performance audits review the economy, efficiency, and effectiveness
of SSA's programs and operations. OA also conducts short-term management reviews
and program evaluations on issues of concern to SSA, Congress, and the general
public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement
in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries,
contractors, third parties, or SSA employees performing their official duties.
This office serves as liaison to the Department of Justice on all matters relating
to the investigation of SSA programs and personnel. OI also conducts joint investigations
with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Also, OCCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal
advisor on news releases and in providing information to the various news reporting
services. OER develops OIG's media and public information policies, directs
OIG's external and public affairs programs, and serves as the primary contact
for those seeking information about OIG. OER prepares OIG publications, speeches,
and presentations to internal and external organizations, and responds to Congressional
correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security.
OTRM also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OTRM is the focal point for OIG's strategic
planning function, and the development and monitoring of performance measures.
In addition, OTRM receives and assigns for action allegations of criminal and
administrative violations of Social Security laws, identifies fugitives receiving
benefit payments from SSA, and provides technological assistance to investigations.