oversight

Social Security Administration: Significant Progress Made in Year 2000 Effort, But Key Risks Remain

Published by the Government Accountability Office on 1997-10-22.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                United States General Accounting Office

GAO             Report to Congressional Requesters




October 1997
                SOCIAL SECURITY
                ADMINISTRATION
                Significant Progress
                Made in Year 2000
                Effort, But Key Risks
                Remain




GAO/AIMD-98-6
                   United States
GAO                General Accounting Office
                   Washington, D.C. 20548

                   Accounting and Information
                   Management Division

                   B-276351

                   October 22, 1997

                   The Honorable Jim Bunning
                   Chairman, Subcommittee on Social Security
                   Committee on Ways and Means
                   House of Representatives

                   The Honorable Charles E. Grassley
                   Chairman
                   The Honorable John B. Breaux
                   Ranking Minority Member
                   Special Committee on Aging
                   United States Senate

                   Unless timely corrective action is taken, the Social Security Administration
                   (SSA), like other federal agencies, could face critical computer system
                   failures at the turn of the century due to incorrect information processing
                   relating to dates. In many systems, the year 2000 will be indistinguishable
                   from 1900. If left uncorrected, this could result in Social Security benefit
                   checks being issued incorrectly—or not on time—beginning in
                   January 2000 and in the malfunctioning of other beneficiary services
                   supported by automated systems. Because of the potential for serious
                   governmentwide disruption to critical functions and services from the
                   upcoming change of century, the Year 2000 computing problem has been
                   added to our list of high-risk issues.1

                   In light of the critical challenge facing SSA, you requested that we review
                   the agency’s actions to achieve Year 2000 information systems compliance.
                   Accordingly, this report discusses our assessment of the adequacy of steps
                   taken by SSA to ensure that computing problems related to the year 2000
                   are fully addressed, including its oversight of state Disability
                   Determination Services’ (DDS) Year 2000 program activities.


                   SSA first recognized the potential impact of the Year 2000 problem almost a
Results in Brief   decade ago and, in so doing, was able to launch an early response to this
                   challenge. It initiated early awareness activity and has made significant
                   progress in assessing and renovating mission-critical mainframe software
                   that enables it to provide Social Security benefits and other assistance to
                   the public. Because of the knowledge and experience gained through its
                   early Year 2000 efforts, SSA has come to be regarded as a federal leader in

                   1
                    High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).



                   Page 1                                                 GAO/AIMD-98-6 SSA’s Year 2000 Effort
             B-276351




             addressing this issue. SSA’s Assistant Deputy Commissioner for Systems
             currently chairs the Chief Information Officers Council’s Subcommittee on
             the Year 2000 and works with other federal agencies to address Year 2000
             issues across government.

             While SSA deserves credit for its leadership, the agency remains at risk that
             not all of its mission-critical systems—those necessary to prevent the
             disruption of benefits—will be corrected before January 1, 2000. At
             particular risk are the systems that have not yet been assessed for the 54
             state DDSs that provide vital support to SSA in administering its disability
             insurance programs. Private contractors SSA hired to make 42 of the 54
             state DDS systems Year 2000 compliant reported that these offices had at
             least 33 million additional lines of software code that must be assessed
             and, where necessary, renovated. Given the potential magnitude of this
             undertaking, SSA could face major disruptions in its ability to process
             initial disability claims for millions of individuals throughout the country if
             these systems are not addressed in time for corrective action to be
             completed before the change of century.

             SSA also faces the challenge of ensuring that its critical data exchanges
             with federal and state agencies and other businesses are Year 2000
             compliant. It has taken a number of positive steps in this direction, such as
             identifying incoming and outgoing file exchanges with the external
             business community and developing a database to maintain information
             on the status of compliance activities. However, because SSA must rely on
             the hundreds of federal and state agencies and the thousands of
             businesses with which it exchanges files to make their systems compliant,
             SSA faces a definite risk that inaccurate data will be introduced into its
             databases. That risk could be magnified if SSA does not develop
             contingency plans to ensure the continuity of its critical systems and
             activities should systems not be corrected in time.


             SSA’s programs touch the lives of almost every individual in this country.
Background   Its Old Age, Survivors, and Disability Insurance (OASDI) programs—which
             comprise what is commonly called Social Security—provide benefits to
             retired and disabled workers and their dependents and survivors; its
             Supplemental Security Income (SSI) program provides assistance to aged,
             blind, and disabled individuals with limited income and resources.2



             2
              SSA’s OASDI and SSI programs are authorized under Titles II and XVI, respectively, of the Social
             Security Act.



             Page 2                                                     GAO/AIMD-98-6 SSA’s Year 2000 Effort
                             B-276351




                             In addition to paying benefits, SSA issues Social Security numbers to
                             eligible individuals and maintains and provides earnings records for
                             individuals working under employment covered by the program. SSA also
                             helps process claims for black lung benefits and provides support to other
                             programs, such as Medicare, Medicaid, and Railroad Retirement. More
                             than 50 million beneficiaries receive benefits and services under SSA’s
                             programs, which in fiscal year 1996 accounted for $386 billion—nearly
                             one-quarter of the nation’s $1.6 trillion in federal expenditures.

                             SSA administers its programs through five core business
                             processes—enumeration, earnings, claims, postentitlement, and informing
                             the public. Through these processes, as shown in table 1, SSA processes
                             claims for benefits, adjudicates appeals on disputed decisions, and handles
                             the millions of actions required each year to keep beneficiary records
                             current and accurate.

Table 1: SSA Core Business
Processes                    Process and Fiscal Year
                             1996 Workload                  Description
                             Enumeration                    Process through which SSA assigns Social Security
                                                            numbers to identify workers and beneficiaries, issues
                             16 million requests for new or replacement cards to individuals with existing numbers,
                             replacement Social Security and verifies Social Security numbers for employers and
                             cards                          government agencies.
                             Earnings                       Process used by SSA to establish and maintain a record
                                                            of an individual’s earnings for use in determining insured
                             240 million earnings records   status for entitlement to retirement, survivors’ disability,
                             processed                      and health insurance benefits and in calculating payment
                                                            amounts.
                             Claims                         Process comprising actions taken by SSA to determine an
                                                            individual’s eligibility for benefits, beginning with the
                             Initial Claims                 individual’s initial contact with SSA and continuing
                                                            through payment initiation or the three levels of
                             OASDI: 5 million               administrative appeal that a claimant may request.
                             SSI: 2 million
                             Postentitlement                Process involving actions that SSA takes after an
                                                            individual becomes entitled to Social Security or SSI
                             99 million transactions        benefits to ensure continuing eligibility and timely and
                                                            correct payment of benefits, such as changes of address,
                                                            benefits recomputations, and reviews of continuing
                                                            eligibility.
                             Informing the Public           Process used by SSA to disseminate information about
                                                            the programs it administers, including the issuance of
                             9 million statements issued    Personal Earnings & Benefit Estimate Statements.
                             Source: SSA.




                             Page 3                                              GAO/AIMD-98-6 SSA’s Year 2000 Effort
B-276351




SSA serves the public through its central office in Baltimore, Maryland, and
a network of field offices that includes 10 regional offices, approximately
1,300 field offices, and a nationwide toll-free telephone number. Field
offices are located in cities and rural communities across the nation and
are the agency’s physical point of contact with beneficiaries and the
public.

SSA also depends on 54 state DDS offices, along with one federally
administered DDS, to help process claims under its disability insurance
programs.3 State DDSs provide crucial support to the initial disability
claims process—one that accounts for a large proportion of SSA’s
workload—through their role in determining an individual’s medical
eligibility for disability benefits. DDSs make decisions regarding disability
claims in accordance with federal regulations and policies; the federal
government reimburses 100 percent of all DDS costs in making disability
determination decisions. The DDSs, during fiscal year 1996, processed more
than 2 million initial disability determination claims.

The process begins when individuals apply for disability benefits at an SSA
field office, where determinations are made on whether they meet
nonmedical criteria for eligibility. The field office then forwards these
applications to the appropriate state DDS, where a disability examiner
collects the necessary medical evidence to make the initial determination
of whether the applicant meets the definition of disability. Once the
applicant’s medical eligibility is determined, the DDS forwards this decision
to SSA for final processing.

Both SSA and the DDSs rely on information systems to support the
processing of benefits. SSA uses an information processing network that
links its distributed (field level) operations with its centralized mainframe
computers at headquarters. Each core process is supported by hundreds
of software programs that enable field office staff to perform data
collection and on-line editing of client information, using either terminals
or recently installed personal computers4 that communicate with SSA’s
centralized mainframe computers. These mainframe computers establish
and update beneficiary claims, process applications for Social Security
numbers, and establish and maintain individuals’ earnings histories. SSA’s

3
 The DDSs include all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands.
The federal DDS provides back-up services to state DDSs when the state offices are unable to keep up
with workloads and serves as a model office for testing new technologies and work processes.
4
 SSA’s “dumb” terminals are connected to its mainframe computers through its data network and are
controlled by software executed on the mainframes. Its personal computers, called intelligent
workstations, have their own data storage and processing capabilities.



Page 4                                                    GAO/AIMD-98-6 SSA’s Year 2000 Effort
              B-276351




              Chief Information Officer (CIO) provides primary oversight of the agency’s
              information systems investments; the Office of the Deputy Commissioner
              for Systems (referred to as the Office of Systems) is responsible for
              managing all facets of information systems planning, development,
              acquisition, and operation.

              State DDSs rely primarily on their internal systems to process medical
              determinations. In general, DDS computers are comprised of unique
              state-owned hardware of various ages and stages of completion and with
              differing capacity and maintenance levels. Similarly, the types of systems
              and levels of software used vary according to individual state needs. The
              majority of the DDSs—42 of the 54—use software developed by two private
              contractors, while the remaining 12 DDSs—referred to as independent
              DDSs—either process disability claims manually or use software that they
              have developed. DDS systems are linked to SSA’s mainframe computers via
              the National Disability Determination Service System (NDDSS). Records are
              established on the NDDSS through direct input by DDS staff or by uploading
              data from local databases. Since 1992, SSA’s Office of Systems has been
              responsible for disability system development. The office serves as the
              focal point for all disability-related hardware and software initiatives for
              the DDSs and is responsible for ensuring the integration of these activities
              on an enterprise basis.

              Because of its heavy reliance on technology, the Year 2000 problem
              presents SSA with the enormous challenge of reviewing all of its computer
              software and making the conversions required to ensure that its systems
              can handle the first change to a new century since the computer age
              began. The CIO has overall responsibility for the Year 2000 program;
              however, day-to-day responsibility for ensuring that changes are made to
              all systems used by SSA and the DDSs to support core business processes
              resides with the Office of Systems.


              In assessing the actions taken by SSA to address the Year 2000 problem, we
Scope and     reviewed numerous documents, including its Year 2000 tactical plan,
Methodology   systems inventories, test plans, and implementation schedules. We also
              analyzed internal tracking reports developed by the agency to monitor the
              progress of its Year 2000 activities, as well as its Year 2000 quarterly
              reports submitted to the Office of Management and Budget (OMB).

              We discussed SSA’s Year 2000 program activities with officials in various
              headquarters offices, including the Offices of the Deputy Commissioners



              Page 5                                      GAO/AIMD-98-6 SSA’s Year 2000 Effort
                       B-276351




                       for Systems; Operations; Finance, Assessment, and Management; and
                       Programs and Policy. We also met with management and staff at SSA’s
                       program service centers in Birmingham, Alabama, and Philadelphia,
                       Pennsylvania, and at its regional office in Atlanta, Georgia. In addition, we
                       examined Year 2000 program activities at DDS offices in Albany, New York;
                       Birmingham, Alabama; and Decatur, Georgia. We also interviewed
                       representatives of the two private contractors responsible for performing
                       Year 2000 work at most of the DDSs. We used our Year 2000 assessment
                       guide in evaluating SSA’s and the DDSs’ readiness to achieve Year 2000
                       compliance.5

                       We conducted our review from January 1997 through September 1997, in
                       accordance with generally accepted government auditing standards. We
                       requested comments on a draft of this report from the Commissioner of
                       Social Security or his designee. The Commissioner provided written
                       comments, which are discussed in the “Agency Comments” section and
                       are reprinted in appendix I.


                       At 12:01 a.m. on January 1, 2000, many computer systems worldwide could
Structured Approach    malfunction or produce inaccurate information simply because the date
and Rigorous Program   has changed. Unless corrected, such failures could affect SSA benefits
Management Can         payments received by millions of Americans.

Reduce Year 2000       The problem is rooted in how dates are recorded and computed. For the
Risk                   past several decades, systems have typically used two digits to represent
                       the year—such as “97” for 1997—to save electronic storage space and
                       reduce operating costs. In such a format, however, 2000 is
                       indistinguishable from 1900. As an example of the potential impact of this
                       ambiguity, a beneficiary born in 1925 and therefore turning 75 in 2000
                       could be seen as being negative 25 years old (if “now” is 1900)—not even
                       born yet—and therefore ineligible for benefits that the individual had been
                       receiving.

                       Correcting this problem will not be easy or inexpensive and must be done
                       while such systems continue to operate. Many of the government’s
                       computer systems were developed 20 to 25 years ago, use a wide array of
                       computer languages, and lack full documentation. Systems may contain up
                       to several million lines of software code that must be examined for
                       potential date-format problems.



                       5
                        Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997).



                       Page 6                                                 GAO/AIMD-98-6 SSA’s Year 2000 Effort
    B-276351




    The enormous challenge involved in correcting these systems is primarily
    managerial. Agencies’ success or failure will be determined largely by the
    quality of their program management and executive leadership. Top
    agency officials must understand the importance and urgency of this
    undertaking and communicate this to all employees. The outcome of these
    efforts will also depend on the extent to which agencies have
    institutionalized key systems-development and program-management
    practices, and on their experience with such large-scale software
    development or conversion projects. Accordingly, agencies must assess
    their information resources management capabilities and, where
    necessary, upgrade them. In so doing, they should consider soliciting the
    assistance of other organizations experienced in these endeavors.

    To assist agencies with these tasks, our assessment guide6 discusses the
    scope of the challenge and offers a structured, step-by-step approach for
    reviewing and assessing an agency’s readiness to handle the Year 2000
    problem. The guide describes in detail five phases, each of which
    represents a major Year 2000 program activity or segment. These are the
    following:

•   Awareness. This is a critical first step. Although many people may have
    heard about a Year 2000 problem, they may not know what it entails or
    why it matters. For agency personnel, this knowledge is imperative. This is
    also the phase in which the team within the agency that will take the lead
    in correcting the problem is identified. The team then examines the
    problem’s potential impact, gauges the adequacy of agency resources,
    develops a strategy, and secures strong, visible executive support.
•   Assessment. The main thrust of this phase is separating mission-critical
    systems—which must be converted or replaced—from important ones that
    should be converted or replaced and marginal ones that may be addressed
    now or deferred. Since the Year 2000 problem is primarily a business
    problem, it is essential to assess its likely impact on the agency’s major
    business functions. Following this, information systems in each business
    area should be inventoried and prioritized; project teams are then
    established and program plans devised. Testing strategies must be
    identified, and contingency planning must be initiated as well.
•   Renovation. This phase deals with actual changes—converting, replacing,
    or eliminating selected systems and applications. In so doing, it is
    important to consider the complex interdependencies among them.
    Changes must be consistent agencywide and information about them
    clearly disseminated to users.

    6
     GAO/AIMD-10.1.14, September 1997.



    Page 7                                     GAO/AIMD-98-6 SSA’s Year 2000 Effort
                           B-276351




                       •   Validation. Here, agencies test, verify, and validate all converted or
                           replaced systems and applications, ensuring that they perform as
                           expected. This critical phase may take over a year and consume up to half
                           of the Year 2000 program’s budget and resources. It is essential that
                           agencies satisfy themselves that their testing procedures can meet the
                           challenge and that their results can be trusted.
                       •   Implementation. Deploying and implementing Year 2000 compliant
                           systems and components requires extensive integration and acceptance
                           testing. And since not all agency systems will be converted or replaced
                           simultaneously, it may be wise to operate in a parallel processing
                           environment for a time, using old and new systems side by side. Such
                           redundancy can act as a fail-safe mechanism until it is clear that all
                           changed systems are operating correctly.

                           In February 1997 OMB, in consultation with the CIO Council, set
                           governmentwide Year 2000 program milestones for completing the
                           majority of the work in each phase of an agency’s Year 2000 activities.
                           According to OMB’s schedule, the assessment phase for mission-critical
                           systems, including performing an enterprisewide inventory, was to be
                           completed by the end of June 1997.


                           SSA began examining the Year 2000 problem almost a decade ago and since
Significant Progress       then has taken various steps to raise agency awareness of the issue. In
Made in Awareness,         addition, it has made significant progress in assessing and renovating
Assessment, and            much of the software on its centralized mainframe systems—the systems
                           that are essential to processing beneficiary claims and providing other
Renovation of SSA’s        services vital to the public.
Mission-Critical
                               first became aware of the Year 2000 problem in 1989, when one of the
Mainframe Systems          SSA
                           systems supporting its OASDI program experienced problems projecting
                           dates past 1999. Drawing from its experiences in addressing this problem,
                           SSA’s Office of Systems took the lead in raising awareness of the Year 2000
                           issue and its potential magnitude and impact on the agency’s operations.
                           As part of these efforts, the Office of Systems developed a Year 2000
                           tactical plan that presented the agency’s strategy for addressing the
                           problem. It also established a committee composed of senior management
                           to gain executive support for the project’s activities, as well as a Year 2000
                           project team with responsibility for coordinating and reporting on the
                           status of activities.




                           Page 8                                       GAO/AIMD-98-6 SSA’s Year 2000 Effort
                       B-276351




                       During its assessment phase, SSA completed key steps necessary for
                       determining the extent to which its centralized mainframe systems were
                       Year 2000 compliant. These steps included developing an inventory of
                       these systems, procuring a software tool to assist in identifying date fields
                       that needed changing, and developing program plans and schedules for
                       addressing these systems. During this phase, SSA also established a
                       strategy for testing its system solutions.

                       According to the Assistant Deputy Commissioner for Systems, SSA’s overall
                       approach gave highest priority to the major databases and mainframe
                       systems developed and centrally managed by the Office of Systems
                       because systems officials believed that these systems contained about 95
                       percent of all of the agency’s mission-critical software. The Assistant
                       Deputy Commissioner defined the agency’s mission-critical software as
                       being that which directly or indirectly affects SSA’s core business
                       processes, such as the processing and issuance of monthly beneficiary
                       checks. According to internal reports generated to track SSA’s progress,
                       these systems have about 24,000 software modules7 and approximately
                       34 million lines of computer code.

                       At the time of our review, SSA had made significant progress in the
                       renovation of its mission-critical mainframe systems. Specifically, SSA
                       reported that it had completed renovation and regression testing8 for
                       almost 80 percent of its software modules. In addition, it had developed a
                       Year 2000 test facility, as well as plans for conducting forward-date and
                       integration testing. SSA expects all of its mission-critical systems to be
                       certified as Year 2000 compliant and implemented by January 1999.


                       An agencywide assessment and inventory of information systems and their
State Disability       components provide the necessary foundation for detailed Year 2000
Determination          program planning. A thorough analysis and inventory ensure that all
Services Excluded      systems are identified and linked to a specific business area or process
                       and that all crosscutting systems are considered. Without a complete
From SSA’s Initial     agencywide assessment, SSA cannot give full consideration to the extent of
Year 2000 Assessment   its Year 2000 problem and the level of effort required to correct it.

                       7
                        SSA is tracking its Year 2000 project at the module level due to the many systems that are integrated.
                       SSA defines software modules as units of computer code that, when compiled/assembled and
                       executed, perform a specific business function.
                       8
                        SSA has identified three phases of validation testing for Year 2000 compliance: regression testing,
                       forward-date testing at the system unit level, and forward-date testing at its Year 2000 test facility.
                       Regression testing, as the first test phase, is done to ensure that the basic functionality of the software
                       still operates correctly after changes are made and when it is integrated with other software programs.



                       Page 9                                                        GAO/AIMD-98-6 SSA’s Year 2000 Effort
B-276351




Moreover, until such an assessment has been completed, SSA increases the
risk that benefits and services will be disrupted.

SSA did not include the DDS systems in its initial assessment of systems that
it considered a priority for correction. SSA acknowledges that these
systems are mission-critical because of their importance in determining
whether an individual is medically eligible to receive disability payments.
Accordingly, in December 1996 SSA began taking steps to assess the level
of effort required to address the Year 2000 problem at the DDSs. These
steps included contracting with the two vendors that originally installed
software in 42 of the 54 state DDSs to inventory, assess, renovate, and test
this software for Year 2000 compliance. Within these offices, the
contractors also are responsible for ensuring that the production
databases and NDDSS interfaces are Year 2000 compliant. SSA will require
the 12 independent DDSs whose software was not installed by these
contractors to perform their own corrective actions or, in a limited
number of cases, will perform corrective actions for them.

Even with Year 2000 action now underway, however, the potential
magnitude of the DDS problem makes systems correction by January 1,
2000, a high-risk area. In particular, although Office of Systems personnel
believe that their assessment of centralized mainframe systems considered
about 95 percent of the agency’s mission-critical software, inventories and
assessments for most DDSs have not yet been completed. SSA therefore
cannot yet know the full level of effort that will be required to make these
mission-critical systems Year 2000 compliant.

Estimates of the amount of software used by the DDSs suggest that
extensive work would be necessary to make them Year 2000 compliant.
Specifically, according to representatives of the two contractors, among
the 42 DDSs for which they are responsible, about 33 million lines of
software code must be considered for Year 2000 changes. They explained
that because the software used by these DDSs to process disability claims
has been modified over time to meet individual state needs, 42 different
systems must essentially be assessed. In addition, although SSA did not
have information on the total amount of disability software used by the
independent DDSs, officials in just one of the offices that we visited said
that they will have to review approximately 600,000 lines of code,
involving over 400 programs, to determine where corrective action is
needed.




Page 10                                     GAO/AIMD-98-6 SSA’s Year 2000 Effort
                         B-276351




                         Because DDS operations are vital to SSA’s ability to process initial disability
                         claims, it is important that these systems be addressed as soon as possible.
                         Disruptions to this service due to incomplete Year 2000 conversions will
                         prevent or delay SSA’s assistance to millions of individuals across the
                         country. In discussing the status of Year 2000 activity for the DDSs, SSA’s
                         Assistant Deputy Commissioner for Systems acknowledged the need for
                         more diligence in assessing and renovating the states’ systems and said
                         that SSA oversight of this work will increase.


                         An essential yet challenging aspect of SSA’s Year 2000 work will be
Resolving Data           ensuring that data exchanges with other federal and state agencies and
Exchange Issues and      businesses are Year 2000 compliant. This will not be easy, and cooperation
Developing               and assistance from other agencies and organizations will be crucial.
                         However, given the vast number of entities with which SSA exchanges data,
Contingency Plans        it is a necessary step to avoid having SSA’s own data corrupted by
Will Help Reduce Risk    noncompliant information from other sources. SSA recognizes the
                         importance of this matter and has taken a number of steps to address it.
                         Because many of these steps were under development at the time of our
                         review, we could not judge their effectiveness. As the year 2000 rapidly
                         approaches, however, SSA must be diligent in implementing measures to
                         monitor progress in this area and, where necessary, protect the integrity
                         and usefulness of its data. At the same time, SSA needs to have contingency
                         plans to ensure that strategies exist for mitigating any risks associated
                         with this and any of the other Year 2000 related issues that can affect the
                         agency’s ability to provide Social Security and other benefits and services
                         to the public.


Data Exchanges Present   In addressing the Year 2000 problem, agencies need assurance that data
Challenges               received from other organizations are accurate. Even if an agency has
                         made its own systems Year 2000 compliant, they can still be contaminated
                         by incorrect data entering from external sources. To combat this, agencies
                         must inventory and assess all internal and external data exchanges and
                         coordinate Year 2000 compliance activities, including, if necessary, the
                         development of appropriate bridges9 to maintain the integrity of replaced
                         or converted systems and the data within them.

                         SSAexchanges data files with hundreds of federal and state agencies and
                         thousands of businesses. These files contain data from such organizations

                         9
                          Bridging involves receiving information in one format, modifying it, and writing the output in another
                         format, such as receiving the year in a two-digit format, adding century information through the use of
                         an algorithm, then writing the output with a four-digit year.



                         Page 11                                                    GAO/AIMD-98-6 SSA’s Year 2000 Effort
B-276351




as the Internal Revenue Service, the Department of the Treasury, and the
states. Such exchanges may involve, for example, data reported on
individuals’ tax-withholding forms, or data pertaining to state wages and
unemployment compensation. Unless SSA is able to exchange data that is
Year 2000 compliant, program benefits and eligibility computations that
are derived from the data provided through these exchanges may be
compromised and SSA’s databases corrupted.

SSA  has for some time recognized the seriousness of this problem and is
taking action to address it. In 1995, it began sending letters to its data
exchange partners to advise them of the Year 2000 issue and the agency’s
plans for addressing it. During our review, SSA was in the process of
coordinating with external organizations on issues concerning data
formats, schedules for conversion and completion, and the need for
bridging to enable the exchange of data that are not compliant. In addition,
to facilitate data exchange compliance, SSA has developed a database that
maintains information on the status of compliance activities related to all
of its incoming and outgoing file exchanges. At the time of our review, this
database contained information on over 6,700 files that are exchanged
with external organizations.10

Given the magnitude of its data exchanges, one of SSA’s biggest challenges
will be coordinating its compliance work with that of its exchange
partners and, where necessary, developing mechanisms to ensure the
continued processing of its data. It will be critical for SSA to protect against
the potential for introducing and propagating errors from one organization
to another. In discussing SSA’s strategy for addressing this matter, the
Assistant Deputy Commissioner for Systems stated that priority will be
given to ensuring the compliance of data files received from external
sources that affect SSA’s ability to process and pay benefits. SSA has
identified approximately 100 files in this category, although the Year 2000
project director stated that this number could change as SSA continues to
review and include compliance information in its tracking system. Further,
because the accuracy of the data SSA receives is as important as whether
the data are presented in the correct format, the Assistant Deputy
Commissioner for Systems said that SSA plans to develop, and subject all
incoming data files to “reasonableness” edit checks.11


10
  In addition to these external exchanges, SSA has about 4,200 additional file exchanges internal to its
own operations or transmitted through its data center. SSA reports that it has included information in
its database on the compliance status of 90 percent of these almost 11,000 total files.
11
 Reasonableness checks are tests applied to fields of data by comparing them with other data of
known validity within transaction or master records.



Page 12                                                     GAO/AIMD-98-6 SSA’s Year 2000 Effort
                             B-276351




                             These are positive steps on SSA’s behalf to ensure the integrity and
                             accuracy of its data after the year 2000 arrives. However, SSA must be
                             diligent in implementing strategies and measures that facilitate its
                             coordination of compliance activities with other agencies and that give it
                             precise knowledge of the status of its data exchanges.


Contingency Plans Needed     Contingency planning is essential to Year 2000 risk management. It is the
to Help Mitigate Year 2000   mechanism by which an organization ensures that its core business
Risks                        processes will continue if corrective work has not been completed.
                             Agencies should develop realistic contingency plans, including the use of
                             manual or contract procedures, to ensure the continuity of their major
                             business processes.

                             At the time of our review, SSA officials acknowledged the importance of
                             contingency planning but had not developed specific plans to address how
                             SSA would continue to support its core business processes if its Year 2000
                             conversion activities experienced unforeseen disruptions. SSA officials
                             believe that the agency’s early start in addressing the initiative will ensure
                             that all systems are converted before any system failures are experienced.
                             In addition, SSA did not believe it had an alternative to completing its Year
                             2000 work on time since it cannot process and ensure the payment of
                             benefits without its many integrated systems. In response to our concerns
                             regarding the need for such plans, however, the Assistant Deputy
                             Commissioner for Systems said that SSA will develop contingency plans to
                             ensure the continued operation of systems supporting its core business
                             processes. In this regard, SSA established a Year 2000 contingency
                             workgroup and has begun outlining a contingency strategy for these
                             processes.


                             Like other federal agencies, SSA is vulnerable to systems failures resulting
Conclusions                  from the computer software changes necessitated by the new millennium.
                             Given that SSA’s programs touch virtually all of us, it is especially vital that
                             this agency make sufficient plans to ensure that it achieves Year 2000
                             compliance on time.

                             SSA has made significant progress in addressing many of the systems that
                             are critical to its mission and is regarded by many as a leader in the federal
                             arena. Nonetheless, the agency is at risk of not being able to adequately
                             process disability benefits at the turn of the century because it has not
                             assessed and corrected systems used by the state DDS offices to support



                             Page 13                                       GAO/AIMD-98-6 SSA’s Year 2000 Effort
                      B-276351




                      the processing of initial disability claims. Within the last year, SSA has
                      begun to address the DDS issue. But until it has made a full assessment of
                      these systems, it will not know the magnitude of the problem and,
                      therefore, the level of effort required to correct it. Further, while SSA
                      officials clearly recognize the importance of solving the Year 2000
                      problem, to reduce the risk of failure with its own effort, it is vital that the
                      agency take every measure possible to ensure that it is well positioned to
                      deal with unexpected problems and delays. This includes promptly
                      addressing critical data exchange issues as well as implementing Year 2000
                      contingency planning.


                      In light of the importance of SSA’s function to most Americans and the
Recommendations       risks associated with its Year 2000 program, we recommend that the
                      Commissioner of Social Security direct SSA’s Chief Information Officer, in
                      conjunction with the Deputy Commissioner for Systems, to take the
                      following actions:

                  •   Require expeditious completion of the assessment of mission-critical
                      systems at all state DDS offices and use the results of this assessment to
                      develop a Year 2000 plan that identifies, for each system, the specific tasks
                      and resources required and specific schedules and milestones for
                      completing all tasks and phases of the conversion for each state system.
                  •   Strengthen SSA’s monitoring and oversight of all state DDS Year 2000
                      activities, including ensuring that all conversion milestones are met and
                      that contractors and independent states submit biweekly reports that
                      identify progress against milestones in renovating all claims processing
                      software, databases, and data interfaces.
                  •   Include in SSA’s quarterly reports to OMB information on the status of DDS
                      Year 2000 activities.
                  •   Require expeditious completion of the agency’s Year 2000 compliance
                      coordination with all data exchange partners and of efforts to include
                      specific information on the status of compliance activities in the
                      automated data exchange tracking system. SSA should then use this system
                      to measure and report on the progress and coordination of its data
                      exchange compliance activities.
                  •   Develop contingency plans that articulate specific strategies for ensuring
                      the continued operation of core business functions if planned corrections
                      are not completed in time or if systems fail to operate as intended. These
                      plans should fully consider the disability claims processing functions
                      within the DDSs and the development and activation of manual or contract
                      procedures, as appropriate.



                      Page 14                                       GAO/AIMD-98-6 SSA’s Year 2000 Effort
                  B-276351




                  In commenting on a draft of this report, SSA agreed with all five of our
Agency Comments   recommendations and identified specific actions that it will take to ensure
                  an adequate transition to the year 2000. SSA also offered a specific
                  comment directed to particular language in the draft report, which we
                  incorporated where appropriate.


                  As agreed with your offices, unless you publicly announce the contents of
                  this report earlier, we plan no further distribution until 30 days from its
                  date. At that time, we will provide copies to the Commissioner of Social
                  Security; the Director, Office of Management and Budget; appropriate
                  congressional committees; and other interested parties. Copies will also be
                  made available to others upon request.

                  Please contact me at (202) 512-6253 or by e-mail at
                  willemssenj.aimd@gao.gov if you have any questions concerning this
                  report. Major contributors to this report are listed in appendix II.




                  Joel C. Willemssen
                  Director, Information Resources Management




                  Page 15                                    GAO/AIMD-98-6 SSA’s Year 2000 Effort
Contents



Letter                                                                                             1


Appendix I                                                                                        18

Comments From the
Social Security
Administration
Appendix II                                                                                       23

Major Contributors to
This Report
Table                   Table 1: SSA Core Business Processes                                       3




                        Abbreviations

                        CIO       Chief Information Officer
                        DDS       Disability Determination Service
                        NDDSS     National Disability Determination Service System
                        OASDI     Old Age, Survivors, and Disability Insurance
                        OMB       Office of Management and Budget
                        SSA       Social Security Administration
                        SSI       Supplemental Security Income


                        Page 16                                  GAO/AIMD-98-6 SSA’s Year 2000 Effort
Page 17   GAO/AIMD-98-6 SSA’s Year 2000 Effort
Appendix I

Comments From the Social Security
Administration

Note: GAO comments
supplementing those in the
report text appear at the
end of this appendix.




                             Page 18   GAO/AIMD-98-6 SSA’s Year 2000 Effort
Appendix I
Comments From the Social Security
Administration




Page 19                             GAO/AIMD-98-6 SSA’s Year 2000 Effort
Appendix I
Comments From the Social Security
Administration




Page 20                             GAO/AIMD-98-6 SSA’s Year 2000 Effort
                 Appendix I
                 Comments From the Social Security
                 Administration




Now on p. 9.

See comment 1.




                 Page 21                             GAO/AIMD-98-6 SSA’s Year 2000 Effort
              Appendix I
              Comments From the Social Security
              Administration




              The following is GAO’s comment on the Social Security Administration’s
              letter of October 2, 1997.


              1. Report revised to reflect SSA’s comment.
GAO Comment




              Page 22                                       GAO/AIMD-98-6 SSA’s Year 2000 Effort
Appendix II

Major Contributors to This Report


                       Valerie C. Melvin, Assistant Director
Accounting and         Mirko J. Dolak, Technical Assistant Director
Information            William G. Barrick, Senior Information Systems Analyst
Management Division,   Michael A. Alexander, Senior Information Systems Analyst
                       William N. Isrin, Operations Research Analyst
Washington, D.C.       Michael P. Fruitman, Communications Analyst




(511215)               Page 23                                  GAO/AIMD-98-6 SSA’s Year 2000 Effort
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested