A-07-02-32035 Alternate Format

SOCIAL SECURITY

MEMORANDUM

Date: September 20, 2002

To: The Commissioner

From: Inspector General

Subject: Summary of Single Audit Oversight Activities (A-07-02-32035)

The attached final Management Advisory Report presents a summary of internal control weaknesses at State Disability Determination Services reported in State single audits and identified during our October 2000 through April 2002 single audit oversight activities.

Please comment within 60 days from the date of this memorandum on corrective action taken or planned on each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

James G. Huse, Jr.

OFFICE OF

THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

SUMMARY OF SINGLE AUDIT

OVERSIGHT ACTIVITIES

OCTOBER 2000

THROUGH

APRIL 2002

September 2002

A-07-02-32035

MANAGEMENT ADVISORY REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.

Promote economy, effectiveness, and efficiency within the agency.

Prevent and detect fraud, waste, and abuse in agency programs and operations.

Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.

Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.

Access to all information necessary for the reviews.

Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.

Executive Summary

OBJECTIVE

BACKGROUND

On July 5, 1996, the President signed the Single Audit Act Amendments of 1996, Public Law No. 104-156. The Amendments extended the statutory audit requirement to nonprofit organizations and revised various provisions of the 1984 Single Audit Act, including raising the Federal financial assistance dollar threshold for requiring an audit from $100,000 to $300,000. On June 30, 1997, the Office of Management and Budget issued revised Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations to implement the 1996 amendments. The revised Circular A-133 was effective July 1, 1996 and applies to audits of fiscal years (FY) beginning after June 30, 1996. This Circular requires non-Federal entities that expend $300,000 or more per year in Federal awards to have a single or program-specific audit conducted for that year.

The Social Security Administration (SSA) is responsible for the policies on developing disability claims under the Disability Insurance (DI) and Supplemental Security Income (SSI) programs. In accordance with Federal regulations, the DDS in each State generally performs disability determinations under the DI and SSI programs. In carrying out this function, the DDS is responsible for determining claimants’ disabilities and ensuring that adequate evidence is available to support its determinations. SSA reimburses the DDS for 100 percent of allowable expenditures. There are a total of 54 DDSs in the 50 States, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands. All DDSs are subject to single audit coverage except the federally adm inistered Virgin Islands DDS.

RESULTS OF REVIEW

We reviewed 103 single audits covering State fiscal year (SFY) operations at 53 DDSs (1 SFY 1997 single audit, 1 SFY 1998 single audit, 51 SFY 1999 single audits, and 50 SFY 2000 single audits). We compiled and categorized the audit findings as direct or crosscutting. Direct findings are those specifically identified to the DDS. Crosscutting findings impact more than one Federal program; however, they may not be identified to any one Federal program or may not be identified to all Federal programs. Our review disclosed common direct and crosscutting findings in the categories of cash management, equipment and real property management, and allowable costs. We also identified crosscutting findings in procurement and reporting categories. All the findings relate to DDS’ noncompliance with Federal requirements because of internal control weaknesses. Of the 103 single audits, 25 reported direct findings, and 89 reported crosscutting findings (see Appendix A).

Our review of the 25 single audits with direct findings disclosed:

non-adherence to Cash Management Improvement Act (CMIA) agreements,
weaknesses in computer controls,
weaknesses in equipment inventory,
costs that were not properly authorized and documented, and
improper accounting and reporting of non-SSA work costs.

We conduct audits of DDS administrative costs. Our recent audits of the Oregon, Connecticut and Arizona DDSs disclosed findings in the cash management, procurement, equipment and real property management, reporting, and allowable costs categories. These findings relate to DDS’ noncompliance with Federal requirements because of internal control weaknesses. Appendix D summarizes our findings.

A comparison of the Oregon, Connecticut, and Arizona DDS single audit findings and audits for the same reporting period disclosed significant differences. We reported our findings on incorrect FY payments, excess cash draws, inconsistent accounting obligations, inadequate computer access and security controls, missing inventory records, inaccurate and inconsistent reporting, and unreasonable medical fees. The single audits for Oregon, Connecticut, and Arizona did not report these findings. We present this comparison for informational purposes only. We will report our comparison to the cognizant Federal agency, the Department of Health and Human Services, in a separate management letter for any action it deems appropriate.

CONCLUSIONS AND RECOMMENDATIONS

The first five recommendations listed below were presented to SSA in our prior single audit summary report. Therefore, SSA should not consider these new recommendations for its audit recommendation tracking system. We do, however, reaffirm our position that SSA should take corrective action by being proactive in providing internal control guidance to DDSs. To do so, SSA should provide the following instructions to DDSs.

Adhere to the terms of the CMIA agreement.

Implement controls to prevent unauthorized computer access.

Develop a formal contingency plan to be followed in the event of a disaster that adversely affects operations.

Maintain complete and accurate equipment inventory records and perform periodic physical inventories.

Ensure that costs charged to SSA benefit its programs and are properly authorized and documented.

Implement controls to ensure that non-SSA work costs are properly accounted for and reported.

AGENCY COMMENTS

In response to our draft report, SSA agreed with all of our recommendations and outlined the corrective action taken on each recommendation. See Appendix E for the full text of SSA's comments to our draft report.

Table of Contents

Page

INTRODUCTION 1

RESULTS OF REVIEW 5

Cash Management 5

Equipment and Real Property Management 7

Computer Controls 7

Property Controls 8

Allowable Costs 9

Comparison of Single Audit and OIG Findings 12

Oregon DDS 12

Connecticut DDS 13

Arizona DDS 13

CONCLUSIONS AND RECOMMENDATIONS 14

APPENDICES

APPENDIX A – Summary of Single Audit Findings

APPENDIX B – Direct Findings Reported in 25 Single Audits

APPENDIX C – Crosscutting Findings Reported in 89 Single Audits

APPENDIX D – Findings We Identified During the Same Time Frame as the

Single Audits Reviewed

APPENDIX E – Agency Comments

APPENDIX F – OIG Contacts and Staff Acknowledgments

Acronyms

AIF Automated Investment Funds
AIS Automated Information Systems
CMIA Cash Management Improvement Act
DDS Disability Determination Services
DES Department of Economic Security
DHS Department of Human Services
DI Disability Insurance
DLES Department of Labor and Employment Security
DPHHS Department of Public Health and Human Services
DoE Department of Education
DoF Department of the Family
DRS Department of Rehabilitation Services
DSS Department of Social Services
DVR Division of Vocational Rehabilitation
EDP Electronic Data Processing
EIS Equipment Inventory System
FY Fiscal Year
LAE Limitation on Administrative Expenses
OIG Office of the Inspector General
OMB Office of Management and Budget
POMS Program Operations Manual System
SEFA Schedule of Expenditures of Federal Awards
SFY State Fiscal Year
SSA Social Security Administration
SSI Supplemental Security Income

Introduction

OBJECTIVE

Our objective was to summarize categories of internal control weaknesses at State Disability Determination Services (DDS) reported in State single audits and identified during our single audit oversight activities. To accomplish our objective, we reviewed 103 single audits covering 53 DDSs and categorized findings that were identified as directly affecting DDS operations and crosscutting findings that potentially affect DDS operations. Of the 103 single audits, 25 reported direct findings and 89 reported crosscutting findings. Appendix A lists the 103 single audits reviewed and identifies those with direct and/or crosscutting findings.

BACKGROUND

Single Audit Act

On July 5, 1996, the President signed the Single Audit Act Amendments of 1996, Public Law No. 104-156. The Amendments extended the statutory audit requirement to nonprofit organizations and revised various provisions of the 1984 Single Audit Act, including raising the Federal financial assistance dollar threshold for requiring an audit from $100,000 to $300,000. On June 30, 1997, the Office of Management and Budget (OMB) issued revised Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, to implement the 1996 amendments. The revised Circular A-133 was effective July 1,1996 and applies to audits of fiscal years (FY) beginning after June 30, 1996. This Circular requires non-Federal entities that expend $300,000 or more per year in Federal awards to have a single or program-specific audit conducted for that year.

State DDSs

The Disability Insurance (DI) program was established in 1954 under title II of the Social Security Act to provide benefits to disabled wage earners and their families. In 1972, Congress enacted the Supplemental Security Income (SSI) program, to provide income and disability coverage to financially needy individuals who are aged, blind and/or disabled.

The Social Security Administration (SSA) is responsible for the policies on developing disability claims under the DI and SSI programs. According to Federal regulations, the DDS in each State generally performs disability determinations under the DI and SSI programs. In carrying out this function, the DDS is responsible for determining claimants’ disabilities and ensuring that adequate evidence is available to support its determinations. In those limited instances where SSA makes disability determinations, regulations provide that each State agency will obtain and furnish medical or other evidence and provide assistance as may be necessary for SSA to carry out its responsibility for making such determinations. SSA reimburses the DDS for 100 percent of allowable expenditures. There are a total of 54 DDSs in the 50 States, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands.

Each DDS is managed by a State parent agency, which administers other State and Federal programs. There are also other agencies within the State that administer various aspects of Federal programs, such as cash draws and electronic data processing.

Direct and Crosscutting Findings

In conducting single audits, the auditor uses a risk-based approach to determine which Federal programs will receive audit coverage. The single audit also includes an audit of the State’s financial statements. The two parts of the single audit identify direct or crosscutting findings.

Direct findings are specifically identified to the Federal programs they affect. The direct SSA findings are identified in single audits by Catalog of Federal Domestic Assistance number 96. The single audits also report findings that impact more than one Federal program, referred to as crosscutting. However, crosscutting findings may not be identified to any one Federal program or may not be identified to all Federal programs. Thus, the auditor may not be in a position to identify findings for SSA-funded programs because of the limited scope of the single audit. While crosscutting findings are not specifically identified to SSA, they could impact DDS operations.

SCOPE AND METHODOLOGY

We reviewed 103 single audits as well as their related recommendations and auditee responses. Of the 103 single audits, 25 reported direct findings related to DDSs. These findings, questioned costs, and related recommendations were previously reported on a State-by-State basis to SSA’s Management Analysis and Audit Program Support Staff for resolution. In addition, 89 of the 103 single audits reported crosscutting findings that could possibly affect DDS operations. To identify crosscutting findings, we reviewed all findings reported for the State agency that managed the DDS and State agencies that performed functions for the DDS.

We also reviewed relevant provisions of the:

Single Audit Act Amendments of 1996, revised OMB Circular A-133, and OMB Circular A-133, Compliance Supplement (March 2000 revision);

OMB Uniform Administrative Requirements for Grants and Cooperative Agreements to State and Local Governments (Common Rule);

OMB Circular A-87, Cost Principles for State, Local and Indian Tribal Governments;

Title II and title XVI of the Social Security Act;

Program Operations Manual System (POMS) instructions;

Cash Management Improvement Act (CMIA) of 1990;

SSA Systems Security Handbook; and

Office of the Inspector General (OIG) administrative cost audit reports for the Oregon, Connecticut, and Arizona DDSs.

The Compliance Supplement identifies seven types of compliance requirements auditors should consider for the SSA programs in performing single audits. Our review of the 103 single audits identified common direct findings in 3 of the categories: cash management, equipment and real property management, and allowable costs. In addition to these categories, we identified crosscutting findings in the procurement and reporting categories. This report presents the findings by the related Compliance Supplement category.

Results of Review

Our analysis of the findings in 103 single audit reports disclosed direct and crosscutting findings in the cash management, equipment and real property management, and allowable cost categories. We also identified crosscutting findings in the procurement and reporting categories. All the findings relate to DDS’ noncompliance with Federal requirements because of a lack of adequate internal controls. Appendix B summarizes the 25 single audits with direct findings by DDS. Appendix C summarizes the 89 single audits with crosscutting findings by DDS.

Our audits at the Oregon, Connecticut, and Arizona DDSs disclosed findings in the cash management, procurement, equipment and real property management, reporting, and allowable cost categories. These findings also relate to DDS’ noncompliance with Federal requirements because of internal control weaknesses. Appendix D summarizes our audit findings.

In our opinion, a comparison of the Oregon, Connecticut, and Arizona DDS findings in the single audits and the OIG audits for the same reporting period disclosed significant differences. We reported findings on incorrect FY payments, excess cash draws, inconsistent accounting obligations, inadequate computer access and security controls, missing inventory records, inaccurate and inconsistent reporting, and unreasonable medical fees. The single audits for Oregon, Connecticut, and Arizona did not report these findings. We present this comparison for informational purposes only. We will report our comparison to the cognizant Federal agency, the Department of Health and Human Services, in a separate management letter for any action it deems appropriate.

CASH MANAGEMENT

The Congress enacted the CMIA of 1990 to ensure efficiency, effectiveness, and equity in transferring funds between the States and the Government. This Law requires the Government to enter into an agreement with States covering applicable Federal programs and to establish procedures and requirements for transferring Federal funds.

The CMIA requires the States to minimize the time between the receipt and disbursement of Federal funds and generally allows the Government to charge interest when a State receives Federal funds in advance of disbursements. The CMIA also generally allows the States to charge interest when State funds are paid out for Federal programs before Federal funds are made available. The States are supposed to calculate Federal and State interest liabilities for each applicable program and report liabilities to the Federal Government on the Annual Report to the U.S. Department of the Treasury.

Without cash management controls, States cannot identify and assess allowable cash needs. Without proper internal controls, DDSs may draw cash in excess of allowable expenditures.

Seven single audits reported direct findings related to States not adhering to CMIA agreements.

The Alabama Department of Education (DoE) did not draw funds in accordance with the funding techniques specified in the CMIA agreement, and the dates posted in the accounting system and used to compute interest liabilities were incorrect (SFY 1999).

The Colorado Department of Human Services (DHS) did not follow draw patterns prescribed in the CMIA agreement. In addition, the CMIA agreement included programs that were not required and omitted programs that were required (SFY 2000).

The Illinois DHS understated interest liabilities due the Government by $69,219, of which $12,994 related to SSA (SFY 1999).

The Oklahoma Department of Rehabilitation Services (DRS) did not maintain documentation to support cash draws, and funds were not drawn based on the time frame established in the CMIA agreement (SFY 2000).

The Puerto Rico Department of the Family (DoF) drew cash of $939,771 without required documentation showing it was needed to pay immediate expenditures. Our discussions with the Public Accounting Firm that conducted the audit disclosed that DoF told the auditor the accounting records were adjusted to ensure the $939,771 cash draw did not result in excess FY cash draws. However, DoF did not provide evidence of the adjustment to the auditor upon request, which resulted in the auditor questioning the costs (SFY 1997).

The Rhode Island DHS drew funds earlier than permitted by the terms of the CMIA agreement because there were no controls to monitor cash needs (SFYs 1999 and 2000).

The State audits identified similar crosscutting cash management findings in 29 single audits (see Appendix C).

EQUIPMENT AND REAL PROPERTY MANAGEMENT

Computer Controls

DDSs operate computer systems critical to the administration of SSA’s disability programs. These systems issue payments for administrative expenses and contain confidential claimant information, including Social Security numbers. SSA requires DDSs to develop, distribute, and implement a formal computer security policy addressing the confidentiality of sensitive information, data integrity, and authorized access to information.

A DDS’ computer security policy should identify computer access controls to ensure only authorized users access the system. Access controls include the use of personal identification numbers to identify users, passwords to authenticate the user’s identity, and profiles to specify the functions users can perform. Without proper access controls, the DDS is vulnerable to such security risks as the unauthorized use or sale of personal information and identity theft. Accidental or intentional modifications to confidential and sensitive information can adversely affect the quality of services and lead to unauthorized and inaccurate disbursements.

SSA’s Systems Security Handbook instructs DDSs to make every reasonable effort to avoid disruption of critical applications processed by automated data files and automated information systems (AIS) facilities. Furthermore, a DDS must also minimize, and be prepared to recover from, any disruption that occurs. Contingency plans should be documented as part of a DDS’ overall AIS security program. The lack of a contingency plan could cause a disruption of DDS claims processing and result in poor service to disability claimants.

Seven single audits disclosed direct findings related to weaknesses in computer controls, as follows.

The Alabama DoE had not developed a formal contingency plan to be followed in the event of a disaster that adversely affects the operations of its in-house data processing center (SFY 1999). DoE subsequently developed a plan; however, the SFY 2000 single audit reported that the contingency plan was not communicated to personnel responsible for execution of the plan, and had not been adequately updated and tested.

In addition, policies and procedures for systems (1) development and maintenance were informal and did not provide appropriate segregation of duties among data processing personnel and (2) access by users and data processing personnel were inadequate (SFY 2000).

The Kentucky DDS did not have formal policies and procedures to control its Wang system program modifications. Specifically, there was no segregation of duties between the DDS’s systems support and program control personnel (SFY 1999).

Some Minnesota Department of Economic Security (DES) employees had inappropriate access to mainframe data. In addition, the DES did not properly maintain its security infrastructure (SFY 2000).

A disaster recovery plan had not been designed or tested for the new accounting system for the New Mexico DoE, Division of Rehabilitation (SFYs 1999 and 2000).

The Oklahoma DRS did not have (1) procedures in place to ensure that only authorized personnel had appropriate access to mainframe data, (2) a fire suppression system in its computer room, and (3) a disaster recovery plan to be followed in the event of a disaster that adversely affects operations (SFY 2000).

Similar crosscutting computer systems and applications findings were identified in 30 single audits (see Appendix C).

Property Controls

The DDSs are responsible for maintaining, labeling, and inventorying all property they acquire or that SSA furnishes it to perform the disability determination function. Inventory records of equipment must include (1) an item description, (2) source of funds used in the purchase, (3) unit cost, (4) inventory or serial number, (5) date purchased, and (6) physical location, including building address and room or floor location. The lack of proper controls over inventory could result in misappropriation or improper disposition of property acquired with Federal funds.

Five single audits identified direct findings related to weaknesses in equipment inventory.

The Georgia Department of Human Resources did not follow established inventory maintenance guidelines (SFY 2000).

The Puerto Rico DoF did not reconcile physical inventory results with the accounting records or maintain accurate records for acquisitions and dispositions of property acquired with SSA funds (SFYs 1997 and 1998).

The Rhode Island DHS did not have a state-wide inventory system for fixed assets (SFYs 1999 and 2000). In addition, there were no procedures to ensure compliance regarding the use, management, and disposition of equipment (SFY 2000).

Similar crosscutting property control findings were identified in 18 single audits (see Appendix C).

ALLOWABLE COSTS

Allowable costs must be reasonable and necessary for proper and efficient performance and administration of Federal awards. A cost is allocable to a program or department if the goods or services involved are charged or assigned in accordance with benefits received. A cost may not be assigned to a Federal award as a direct cost if any other cost incurred for the same purpose was allocated to the Federal award as an indirect cost. To recover indirect costs, the organization must prepare cost allocation plans or indirect cost rate proposals in accordance with guidelines provided in OMB Circulars. Costs must be net of all applicable credits that result from transactions reducing or offsetting direct or indirect costs.

Internal control directives require that non-Federal entities receiving Federal awards maintain effective control and accountability for funds and assets purchased with such funds. Transactions should be properly recorded, accounted for, and executed in compliance with applicable laws, regulations and the provisions of contracts or grant agreements that could have a direct and material effect on a Federal program. Also, funds, property, and other assets should be safeguarded against loss from unauthorized use or disposition.

The absence of controls over goods and services charged to Federal awards results in the risk of misappropriation or misuse of funds. In addition, unallowable activities or costs could be charged to a Federal program and not be detected in a timely manner if proper internal controls are not in place to ensure that costs benefit the program and are properly authorized and documented.

Nineteen single audits reported direct findings related to inadequate internal controls over allowable costs.

The Alabama DoE did not have certifications to document that its employees worked solely on SSA's disability programs, as required by OMB Circular A-87 (SFY 1999).

The Arizona DES’ cost allocation plan did not include all equipment purchases in the allocation base. As a result, costs were not properly allocated to Federal programs (SFY 1999).

The Florida Department of Labor and Employment Security (DLES) inappropriately charged SSA $151,005 for payments of accumulated leave of terminated or retired employees. The payments should have been allocated as an administrative expense to all DLES activities, as required by OMB Circular A-87. In addition, $22,607 in salary costs for a DDS employee who performed non-SSA work were inappropriately charged to SSA (SFY 2000).

The Illinois DHS inappropriately charged SSA $90,000 for personnel and other costs in support of non-SSA work because there was no approved cost allocation methodology and Memorandum of Understanding (SFY 1999). In addition, the Illinois DDS did not maintain supporting documentation for payroll costs for employees who worked solely on the disability program (SFY 2000). The auditor could not determine the costs inappropriately charged to SSA.

The Michigan DDS did not maintain supporting documentation for payroll costs for employees who worked solely on the disability program. This resulted in questioned costs of $2,809 and $6,377 (SFYs 1999 and 2000).

The Mississippi DRS did not have a system in place to adequately document the personnel costs charged to Federal programs. In addition, personnel costs of DDS employees who performed non-SSA work were inappropriately charged to SSA. However, the State auditor did not determine the amount of these unallowable charges (SFY 1999).

The Montana Department of Public Health and Human Services’ (DPHHS) financial management control structure was not adequate to prevent or detect all errors. Therefore, the DPHHS could not ensure payments were made for allowable purposes. Specifically, inefficient transaction processing did not support Federal reporting or an accurate allocation of costs between State and Federal programs or prevent discrepancies between the State’s primary accounting system and its subsystems (SFY 1999).

The New Mexico DDS's accounting system's design did not allow a reconciliation of DDS encumbrances and related expenditures with the State's accounting system (SFYs 1999 and 2000).

The New York Department of Social Services, Office of Temporary and Disability Assistance (1) inappropriately charged SSA $475,785 for non-SSA, work-related activities (SFY 1999); (2) inappropriately charged non-SSA programs $760,211 for SSA work-related activities (SFY 2000); (3) did not follow cost allocation methodology procedures set forth in OMB Circular A-87 (SFYs 1999 and 2000); (4) did not charge parking costs of $1,700 to various Federal programs in accordance with OMB Circular A-87 (SFY 1999); (5) incorrectly recorded employee salaries of $158,201 and $4,263 in the State’s payroll system because of errors in employee timesheets (SFYs 1999 and 2000); (6) did not maintain documentation to support a $38,129 expenditure (SFY 2000); and (7) did not properly authorize a $1,785 expenditure (SFY 2000).

The Puerto Rico DoF (1) paid an employee $725 above the authorized salary (SFY 1997); (2) did not maintain supporting documentation for expenditures of $753,217, $170,768, and $4,214,001 (SFYs 1997 through 1999); (3) did not maintain documentation to support expenditure amounts to test the base used for indirect costs (SFYs 1998 and 1999); (4) claimed expenditures on the Financial Status Reports that were $899,764 greater than amounts recorded in the general ledger (SFY 1999); and (5) did not compare expenditures with budgeted amounts before disbursing Federal funds of $172,354 (SFY 1999).

The Rhode Island DHS allocated central service costs to various Federal programs, including SSA’s Disability programs, based on an estimated amount. Once actual amounts were available, DHS adjusted current year charges to account for the overcharge in previous FYs (SFY 2000).

The West Virginia DoE, Division of Rehabilitation Services, inappropriately charged $1,552,922 in indirect costs to SSA (SFY 2000).

SSA might have reimbursed the Wisconsin Division of Vocational Rehabilitation (DVR) for client rehabilitation services based on incorrect administrative costs. The State auditors could not determine how SSA’s reimbursement amount was calculated because DVR did not retain the supporting documentation (SFY 2000).

Crosscutting weaknesses related to allowable costs were disclosed in 62 single audits. The findings were in the following areas.

Payroll costs charged to Federal programs were not supported by time and attendance records. In addition, payroll costs were charged to Federal programs on which employees did not work.

Obligations were not liquidated within the established time limits, items were not reconciled timely, and expenditures were not claimed within the period of availability.

Indirect costs were not properly authorized, included costs charged directly to Federal programs, and were not equitably distributed to Federal programs.

Direct costs charged to Federal programs were not properly authorized, reviewed, documented, or recorded.

COMPARISON OF SINGLE AUDIT AND OIG FINDINGS

SSA OIG conducts audits of claims by DDSs for administrative costs based on the frequency of prior audits as well as annual referrals by SSA’s Office of Disability. Starting in FY 2002, we increased our audit coverage to provide for a more timely and effective review of administrative costs. We based this schedule on the following factors: (1) past administrative audits, (2) amount of costs, and (3) suggestions made by SSA. The audit frequency, based on total administrative costs incurred, is as follows.

Annual Administrative Cost Incurred by DDS	Audit Frequency
Over $50 million	Every 3 years
$20 to $50 million	5 to 7 years
Under $20 million	7 to 10 years

The objectives of the audits are to determine whether (1) expenditures and obligations are properly authorized and disbursed, (2) Federal funds drawn agree with total expenditures, and (3) internal controls over the accounting and reporting of administrative costs are adequate.

We performed administrative cost audits at the Oregon, Connecticut, and Arizona DDSs covering the same SFYs as the single audits discussed in this report. Our comparison of the direct single audit findings and OIG findings disclosed notable differences. Our findings were not identified in the single audits and therefore are discussed below.

Oregon DDS

Our audit of the Oregon DDS covered the period October 1995 through September 1998 and included any subsequent financial activities that affected those FYs as of December 31, 1999. The audit identified expenditures for rental payments reported in the wrong FY and excess cash draws (see Appendix D). The single audit did not report any direct findings for the Oregon DDS.

Connecticut DDS

Our audit of the Connecticut DDS covered the period October 1996 through September 1999, as reported to SSA as of December 31, 1999. The audit identified (1) expenditures reported in the wrong FY, (2) an unapproved office lease, and (3) weak computer security and access controls (see Appendix D). The single audit did not report any direct findings for the Connecticut DDS.

Arizona DDS

Our audit of the Arizona DDS covered the period October 1995 through September 1998 and included any subsequent financial activities that affected those FYs as of June 30, 1999. The audit identified (1) inconsistent accounting and reporting of obligations, (2) missing inventory records, and (3) unreasonable medical fees (see Appendix D). The single audit identified problems related to allowable costs (see Appendix B).

Conclusions and Recommendations

Adhere to the terms of the CMIA agreement.

Implement controls to prevent unauthorized computer access.

Develop a formal contingency plan to be followed in the event of a disaster that adversely affects operations.

Maintain complete and accurate equipment inventory records and perform periodic physical inventories.

Ensure that costs charged to SSA benefit its programs and are properly authorized and documented.

Implement controls to ensure that non-SSA work costs are properly accounted for and reported.

AGENCY COMMENTS

Appendices

Appendix A

Summary of Single Audit Findings

State	State Fiscal Year	Direct Findings					Crosscutting Findings
State	State Fiscal Year	Cash Management	Procurement	Equipment/Real Property Management	Reporting	Allowable Costs	Cash Management	Procurement³	Equipment/Real Property Management⁴	Reporting⁵	Allowable Costs
Alabama	1999/2000	X		X		X			X
Alaska	1999/2000									X	X
Arizona	1999/2000					X			X	X	X
Arkansas	1999/2000
California	1999/2000						X			X
Colorado	1999/2000	X				X				X	X
Connecticut	1999/2000						X	X	X		X
Delaware	1999/2000						X			X
District of Columbia	1999						X
Florida	1999/2000					X	X				X
Georgia	1999/2000			X					X
Guam	1999/2000						X	X	X	X	X
Hawaii	1999/2000								X	X	X
Idaho	1999/2000						X				X
Illinois	1999/2000	X			X	X			X		X
Indiana	1999/2000
Iowa	1999/2000								X
Kansas	1999/2000									X	X
Kentucky	1999/2000			X			X		X	X	X
Louisiana	1999/2000						X	X	X		X
Maine	1999/2000						X			X	X
Maryland	1999/2000						X		X	X
Massachusetts	1999/2000						X	X		X	X
Michigan	1999/2000				X	X					X
Minnesota	1999/2000			X					X		X
Mississippi	1999/2000					X	X		X		X
Missouri	1999/2000										X
Montana	1998/1999					X	X		X	X	X
Nebraska	1999/2000										X
Nevada⁷	1999/2000
New Hampshire	1999/2000						X	X			X
New Jersey	1999/2000							X
New Mexico	1999/2000			X		X					X
New York	1999/2000		X			X				X	X
North Carolina	1999/2000						X	X	X	X	X
North Dakota	1999/2000									X	X
Ohio	1999/2000						X	X	X