Social Security Administration
Office of the Inspector General
Privacy Impact Assessment (PIA)
Title of System or Information Collection: Automated Working Papers System (TeamMate)
Contact name and telephone number: Michael Arbuco, (410) 966-1162
Is this system or information collection new or is an existing one being modified?
This PIA addresses a new electronic system for the collection of audit and other review information. It is designed to provide greater efficiency, flexibility and ease of information access and does not change the nature of the information collected, which is audit/review specific, or the reason we collect it.
Unique Project Identifier Number: GS03T04DSM0074
OMB Information Collection Approval Number and Expiration Date: N/A
1. Provide an overview of the system or collection and indicate the legislation authorizing this activity.
The Automated Working Papers System is a distributed information system supporting the OIG’s audit/review responsibilities authorized by the Inspector General Act of 1978, 5 U.S.C. App. 3. The system is maintained to increase the efficiency and productivity of the audit/review process by automating working paper preparation, internal review and retention. The system utilizes the commercial software product, TeamMate, to manage and integrate working papers prepared with various standard office automation products.
2. Describe the information the agency will collect and how the agency will use the collected information. Explain how the data collected are the minimum necessary to accomplish the purpose for this effort.
The system is used in conducting audit/review work of the Social Security Administration’s programs and operations and in preparing related reports on behalf of the OIG. It is a vertical application that documents the audit process – planning preparation, review and storage – in an electronic format. The nature and scope of the information is determined by the objectives of the audit/review. Therefore, the information pertaining to a specific audit may or may not contain personally identifiable information. To the extent that personally identifiable information is collected, it is generally maintained in the audit/review work papers and not disseminated to the public or readers of the related reports. The information is not retrievable by personally identifying information. The information may be used as part of the basis for developing the results of the audit/review and related recommendations.
3. Explain why the information is being collected.
Conducting audits and other reviews and the issuance of related reports are integral to OIG’s mission. See http://www.ssa.gov/oig/about/mission.htm (OIG Mission Statement). This includes supporting audit management activities and day-to-day administrative management needs.
4. Identify with whom the agency will share the collected information.
Only authorized staff conducting or reviewing audits/reviews use TeamMate. Access to information for individual audits is limited to staff assigned to the audit/review. Other offices within the OIG, such as the Office of Investigations or the Office of Chief Counsel to the Inspector General, may have a need on a case-by-case basis to review audits/reviews conducted using TeamMate. Other law enforcement agencies may be provided the information based on the scope and findings of an audit/review; information may also be shared with auditees and other third parties when necessary to obtain information relevant to the audit/review. The OIG’s audit/review process is subject to a quality control review conducted by the Inspector General of another agency.
5. Describe how the information will be obtained, from whom it will be collected, what the suppliers of information and the subjects will be told about the information collection, and how this message will be conveyed to them (e.g., written notice, electronic notice if a web-based collection, etc.). Describe any opportunities for individuals to decline to provide information or to consent to particular uses of the information and how individuals can grant consent.
We generally obtain information from the examination of the books and records and interviews of the auditee/reviewee and parties acting on behalf of such persons or entities. We collect information only where we have specific legal authority to do so and this information is collected primarily to meet our responsibilities under the Inspector General Act.
Such information is generally peripheral to the audit/review. An audit/review start notice is provided to the auditee containing the description and objectives of the audit/review. Sufficient background is included to inform the reader of the audit/review process. In addition to the audit/review start notice, auditors send a notification letter to the auditee on all audits and reviews. A notification letter provides a means of formalizing the understanding between the OIG and the auditee/reviewee concerning the objectives of the audit/review as well as apprising auditees/reviewees of the documents and records which it should make available to auditors. Prior to issuance of audit/review reports, the auditee/reviewee is generally provided a draft of the OIG report and given the opportunity to review and comment on the report.
Inspector General information collection authority is generally described in the Inspector General Act of 1978, as amended, 5 U.S.C. App. 3. Social Security employees are subject to agency standards which require cooperation with the Inspector General. Non-SSA personnel may generally be required, pursuant to contractual audit and access to records clauses, to provide personal information and cooperation with audits/reviews of their records.
6. Describe security measures in place to protect the information.
Access to the automated working papers is restricted by physical and computer-based access controls. Technological controls include multi-layer firewall architectures on LAN components. We will safeguard the security of information by requiring the use of access codes to enter the computer systems that will maintain the data and will store computerized records in secured areas that are accessible only to employees who require the information to perform their official duties. Access within OIG is strictly limited to authorized staff members. Access to information on specific audits is further restricted based on role-based security features that limit access to assigned auditors, reviewers, and managers. All computer files and printed listings are safeguarded in accordance with the provisions of the National Institute of Standards and Technology Federal Information Processing Standard 31 and applicable Social Security Administration security guidelines. Any manually maintained records will be kept in locked cabinets or in otherwise secure areas. Furthermore, SSA OIG employees having access to SSA OIG databases maintaining personal information must sign a sanction document annually, acknowledging their accountability for making unauthorized access to or disclosure of such information.
7. Describe plans for retention and destruction of data collected.
In accordance with the OIG Records Retention Schedule, working papers and associated electronic media are retained for a minimum of 8 years from the end of the fiscal year in which the audit/review report is closed and the findings resolved. There may be certain factors, such as a subsequent investigation, which would necessitate holding working papers for longer periods.
Identify whether a system of records is being created under section 552a of
Judy Ringle Michael Arbuco Robert Meekins
Attorney-Adviser Director, Software Deputy Assistant Inspector
and Support General for Executive
Date: 01/25/05 Date: 01/25/05 Date: 01/25/05