The Social Security Administration (SSA) has implemented four of the seven open priority recommendations that the Government Accountability Office (GAO) identified in April 2020, including updating systems and establishing a risk management framework.
The four recommendations SSA addressed include: updating its system to ensure waivers for Disability Insurance (DI) overpayments over $1,000 are processed correctly; establishing an Enterprise Risk Management (ERM) framework and council to address cyber risks and potential impact on SSA’s mission; addressing Disability overpayment that results from the concurrent receipt of Federal Employees’ Compensation Act benefits; and strengthening oversight of representative payees to help manage beneficiary funds appropriately.
GAO identified one more open priority recommendation in May 2021, bringing the total open recommendations for SSA to four.
In SSA establishing an ERM framework, SSA included creating a council to govern the agency’s ERM function. The council includes the agency’s CIO and CISO and facilitates coordination between cybersecurity and ERM functions.
“This should help SSA address cyber risks in the context of other risks and their potential impacts on the mission of the agency,” wrote GAO.
The remaining open priority recommendations include:
- Improving SSA’s ability to detect, prevent, and recover potential DI benefit overpayments to the concurrent receipt of FECA benefits by having the Commissioner of Social Security “strengthen internal controls designed to prevent DI overpayments due to the concurrent receipt of FECA benefits by implementing the alternative that provides the greatest net benefits;”
- Adjust the minimum withholding rate to 10 percent of monthly DI benefits to allow quicker recovery of debt to ensure effective and appropriate recovery of DI overpayments and administration of penalties and sanctions;
- Develop and implement a process, documented in policies and procedures, to measure the effectiveness of SSA’s corrective actions for OASDI and SSI improper payments; and
- Establish a plan and time frame for reviewing the predictive model’s design, consider additional data sources that allow for additional screening or modeling of potentially high-risk organizational payees, and ensure that subsequent design decisions are documented sufficiently to develop a process more fully understood and replicated with minimal further explanation.
SSA agreed with the four remaining recommendations.