UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

January 8, 2010

MEMORANDUM FOR JOHN BERRY
Director

FROM: PATRICK E. McFARLAND
Inspector General

SUBJECT: Review of the Service Credit Redeposit and Deposit System (Report Number 4A-CF-00-10-021)

The purpose of this memorandum is to communicate to you the findings and conclusions resulting from our review of the Service Credit Redeposit and Deposit (SCRD) system. In your July 15, 2009 memorandum, you requested that my office investigate the circumstances that led to incorrect computations of amounts owed by employees to obtain credit for previous federal service. Our review was limited to identifying the causes of the computational errors and validating whether the updated system is now correctly calculating initial balances, interest, and payments.

Executive Summary

Overall, nothing came to our attention that caused us to believe that the Service Credit Redeposit and Deposit system version 4.4 is not properly calculating initial interest or accruing interest when payments are made. However, we did note several areas of concern associated with the original and continuing system development and maintenance process, as well as other system problems, unrelated to the computational module, that could result in accounts with understated or overstated balances.

• Separation of duties: There is an inadequate separation of duties in the procedures for managing changes to the SCRD application. Software modifications can be programmed and compiled by the same person, so unauthorized programming changes can be made to the application without the knowledge or approval of the system owners. The Benefit Systems Group (BSG), within the Center for Information Services (CIS), has purchased new change management software that enforces separation of duties and is designing and implementing new procedures.
• System requirements: The system requirements (or business rules) were not fully developed and documented prior to system implementation. We identified a number of cases where the business rules were either incorrect or not properly incorporated in the system.

• Data entry errors: We found a high percentage of errors that occurred during the manual process of establishing employees' service credit accounts. In most of these cases, either incorrect periods of service or incorrect earnings amounts were entered.

www.opm.gov www.usajobs.gov

Honorable John Berry 2

Background

Under the Civil Service Retirement System (CSRS), employees may make optional deposits for periods of service during which retirement contributions were not withheld from their pay. They may also redeposit refunds of retirement contributions received for previous periods of service. Employees who are covered by the Federal Employees Retirement System (FERS) may make optional deposits of retirement contributions that were not withheld from their pay, but, prior to October 28, 2009, they could not redeposit refunds of retirement contributions. Under either system, interest is due on the deposited or redeposited amounts, although interest rates and periods vary. The purpose of making these deposits or redeposits is to obtain credit toward retirement for previous periods of service.

Ownership of this service credit business process is shared between OPM's Center for Retirement and Insurance Services (CRIS) and the Office of the Chief Financial Officer (OCFO). Federal employees submit an application (Standard Form 2803 or 3108) to participate in the program, and the CRIS staff gather the necessary information to process the request, including prior periods of service, earnings, refund amounts, and other related data. They determine the initial balance, including interest, and set up an account. The OCFO staff is responsible for processing service credit payments made after accounts have been established.
Until 2006, this process was facilitated by a mainframe-based information system that had been in place for many years. This system handled basic transactions, but was not designed to accommodate the many complexities of the business process, particularly the special retirement rules for various classes of federal employees. These more complex transactions were processed manually. However, in April 2006, a newer, more modern version of the service credit system was released which was designed to allow most types of transactions to be processed automatically on users' desktop computers.

The new system was designed and built using Microsoft .NET technology, a software framework that includes a large library of coded solutions to common programming problems and a virtual machine that manages the execution of programs written specifically for the framework. The .NET framework is intended to be used by most new applications created for the Windows platform. Before this project, OPM had limited experience developing software applications using .NET technology. Therefore, BSG, which was responsible for the project, turned to several contractors to assist in the system development process.

In December 2007, the bank that manages deposit payments generated a list of duplicate payments, and while researching the problem the CRIS staff discovered anomalies in the payment and interest amounts. It was later discovered that the system was not properly calculating interest in some cases. Attempts to correct the problems were not successful, and the system was eventually taken offline in July 2008. Corrections were made to the system and it was brought back online in October of 2008. The BSG continued to work with the system owners, CRIS and OCFO, to identify and correct the problems and the Service Credit account data in the system.
In August 2009, a new version of the system (SCRD version 4.4) was distributed to users and a data fix routine was executed which corrected the accounts. This system is now being used to establish new accounts, but CRIS and the OCFO continue to manually calculate balances and update accounts to reflect payment activity while system testing continues.

OPM has convened a Tiger Team with full responsibility for correcting the current problems with the system. This group includes members from CRIS, OCFO, BSG, and the Office of the Inspector General (OIG). The mandate is to identify all existing problems in the SCRD application, develop a corrective action plan, correct all known issues, and implement an updated system that properly handles the majority of service credit cases.

Our review was not conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). The nature and scope of the work performed was consistent with that expected of a GAGAS audit; however, because we consider this to be a review, the documentation, reporting, and quality control standards are not as stringent.

Scope and Methodology

Our office reviewed the change control process and performed tests of transactions in the SCRD system. We interviewed individuals involved in managing system changes, and examined documentation associated with user acceptance testing and approval. For our transaction testing, we selected a random sample of 100 from a universe of the 1,000 most recently established accounts as of August 26, 2009. We also sampled 20 Peace Corps accounts to evaluate whether the special rules for these cases had been properly programmed in the system. Finally, we sampled 50 accounts from the universe of accounts set up between April 2006 and July 2008 where payments had been applied.
Based on the business rules appropriate to the type of case involved in the sampled accounts, we manually re-calculated initial balances, including interest, and, in the cases where payments had been made, the current balance with accrued interest. We compared our results to the same information entered into the system's test environment. We used the following documentation, policies, and regulations to evaluate our results:

• Federal Information System Controls Audit Manual (FISCAM)
• 5 U.S.C. §§ 8334 and 8411, "Deductions, Contributions, and Deposits" and "Creditable Service"
• 5 C.F.R. § 842.305, "Deposits for Civilian Service"
• CSRS and FERS Handbook for Personnel and Payroll Offices
  o Administration and General Provisions: "OPM Responsibilities" (§ 1C2.1-1)
  o Service Credit Payments for Civilian Service: "CSRS" (§ 21A)
  o Service Credit Payments for Civilian Service: "FERS" (§ 21B)
• CSRS and FERS Applications: Information about Service Credit Payments page
• Job Aids - Straight CSRS Deposits and Redeposits Training Manual, provided by the Center for Retirement and Insurance Services (CRIS) in Boyers, Pennsylvania
• OPM website: http://www.opm.gov/retire/pre/csrs/index.asp

Results

1. Separation of Duties

There is an inadequate separation of duties in the procedures for managing changes to the SCRD application. Software modifications can be programmed and compiled by the same person, so unauthorized programming changes can be made to the application without the knowledge or approval of the system owners.

We interviewed the BSG staff responsible for the SCRD system development and maintenance and found that .NET programmers typically make changes to source code and compile the code into an installation package for distribution. The installation package is placed on a network drive and made available to staff from the agency's Network Management Group to be distributed across the OPM network to user desktops.
After changes are programmed, tested, and compiled, the installation package is distributed to business users for user acceptance testing. However, because the programmers can both modify the source code and compile programs, there is nothing to prevent a programmer from making and compiling additional changes after user acceptance testing and approval. A better approach would be to limit programmers' involvement to the early stages of the change process. Once user acceptance testing begins, the programmer should not be involved at all unless additional changes are required, in which case the change management cycle should start again from the beginning: development; unit, integration, and system testing; user acceptance testing; implementation. Ideally, the programmer's involvement would end after the system testing phase. A different person or group would then be responsible for compiling source code and distributing the installation packages after the user acceptance testing and approval phase.

FISCAM section 3.3, Configuration Management, states that the "movement of programs and data among libraries should be controlled by an entity group or person that is independent of both the user and the programming staff. This group should be responsible for ... moving programs from development/maintenance to user testing and from user testing to production."

FISCAM section 3.4, Segregation of Duties, states that "Work responsibilities should be segregated so that one individual does not control all critical stages of a process. For example, while users may authorize program changes, programmers should not be allowed to do so because they are not the owners of the system and do not have the responsibility to see that the system meets user needs. Similarly, one computer programmer should not be allowed to independently write, test, and approve program changes..." "Inadequately segregated duties increase the risk that ... improper program changes could be implemented.
For example, a computer programmer responsible for authorizing, writing, testing, and distributing program modifications could either inadvertently or deliberately implement computer programs that did not process transactions in accordance with management's policies or that included malicious code."

The BSG managed the development, implementation, and ongoing maintenance of the SCRD system. In the Enterprise Server (mainframe) environment, there are well-established controls for ensuring separation of duties between the development, testing, and production areas. However, because the new system involved Microsoft's .NET technology, which was new to OPM, the development process occurred in a less controlled, server-based environment. As a result, programmers would have been able to make unapproved and/or untested system changes, which may have caused the computational errors to occur. Although we could not document any such changes, we did obtain anecdotal evidence that a contractor supporting the system made a large number of "informal" changes just before the system's July 2008 failure. Based on interviews of knowledgeable staff, it is not clear whether these changes were tested and approved by the system owners prior to implementation. We were told that BSG has purchased new change management software that enforces proper separation of duties, and is designing and implementing new procedures.

Recommendation 1

We recommend that BSG implement the new change management software as soon as possible, and design change management procedures that include appropriate separation of duties. Such procedures should also cover employee roles and responsibilities, change control and system documentation requirements, establishment of a decision-making structure, and configuration management training.
OCIO Response: "The OCIO has purchased a new configuration management tool (Serena) for the distributed environment at OPM that should mitigate the issue raised by OIG staff. We are currently awaiting the agreement on the service contract with the vendor so that the tool can be installed and training provided for those who will use the tool."

Recommendation 2

We recommend that OPM provide funding for the SCRD system to adequately support ongoing maintenance and ensure an appropriate separation of duties.

2. System Requirements

In addition to the lack of change management controls, we found that the business owners did not fully develop the system requirements during the SCRD system development project. While there is a "User Requirements Document for the Service Credit System (SCRD)" that quite comprehensively documents functional requirements, system integrity, and the technical environment, there are no business rules included in this document.

There are many complexities involved with the service credit business process, many of which derive from legislation affecting federal retirement. We reviewed the CSRS and FERS handbooks, job aids, and relevant areas of the OPM website to obtain an understanding of these business rules. From our interviews and tests of transactions, we determined that many of the business rules were either not included in the SCRD system or were not properly programmed. For example:

• For CSRS cases that have a period of service spanning October 1, 1982, the system automatically splits it into two separate periods of service because there is a different procedure for calculating interest before and after this date. The system appropriately handles this business rule for CSRS cases; however, it also incorrectly applies the same treatment to FERS cases. This causes the interest on FERS cases with periods of service spanning October 1, 1982 to be overstated.
• The system applies an incorrect deduction rate for Peace Corps cases with periods of service in 1999 and 2000. This causes the initial balance owed to be understated. We were told that CRIS has been aware of this issue and is manually processing applications from Peace Corps members. However, we found several Peace Corps cases that had been processed incorrectly through the production SCRD system.

• With several exceptions, employees covered by FERS are not allowed to obtain service credit for periods of service occurring on or after January 1, 1989. However, we found that the system will accept a FERS application with a period of service after this date, create an initial account balance, and trigger a bill. There should be edits that prevent transactions with invalid periods of service from being entered into the system.

• To determine the retirement contributions that must be repaid for employees to obtain credit for past service, the amount that the employee earned during the period of service must be determined. There are CRIS job aids that describe how to calculate this amount. In cases where supporting documentation only references the annual salary for the applicable grade level and time period, the actual earnings amount must be inferred from the date range of the period of service. The job aids contain various hourly tables that are used to determine the number of hours worked during a date range, and indicate that the earnings amount should be calculated as the product of hours worked and the hourly rate. This approach is consistent with OPM salary tables, which present salaries in both annual and hourly amounts. However, we found that the system applies a factor to the salary based on the number of days worked rather than the number of hours, assuming a 360-day year. Either method yields only an estimate of the actual earnings amount; however, the hourly approach is slightly more accurate.
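The three rules in the list above (the split at October 1, 1982 that applies to CSRS periods only, the FERS cutoff at January 1, 1989 that the system failed to enforce, and the day-based versus hour-based earnings proration), together with the kind of input edits Recommendation 5 later asks for, are shown below as an added worked example written for this page. It is not SCRD system code and nothing here was published by OPM. Anything the report does not state is labelled as an assumption: an 8-hour Monday-to-Friday schedule standing in for the CRIS hourly tables, calendar days inclusive of both ends for the 360-day method, and rounding of the hourly rate to the cent (the 2,087-hour divisor for federal hourly rates comes from 5 U.S.C. 5504).

```python
"""Service-credit business-rule edits as described in the OIG review.

Added illustrative example; not SCRD system code. Assumptions that the
report does not state are marked ASSUMPTION below.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP

CSRS_INTEREST_SPLIT = date(1982, 10, 1)  # CSRS interest is computed differently before/after this date (report)
FERS_CREDIT_CUTOFF = date(1989, 1, 1)    # FERS service on/after this date is generally not creditable (report)
HOURS_PER_YEAR = 2087                    # statutory divisor for federal hourly rates (5 U.S.C. 5504)
DAYS_PER_YEAR = 360                      # the year length the system assumed (report)
HOURS_PER_WORKDAY = 8                    # ASSUMPTION: full-time schedule, Monday through Friday
CENT = Decimal("0.01")


@dataclass(frozen=True)
class ServicePeriod:
    system: str            # "CSRS" or "FERS"
    start: date
    end: date              # inclusive
    annual_salary: Decimal

    @classmethod
    def parse(cls, system: str, start: str, end: str, annual_salary: str) -> "ServicePeriod":
        """Build a period from the string fields a data-entry screen would supply (ISO dates)."""
        return cls(system.strip().upper(), date.fromisoformat(start),
                   date.fromisoformat(end), Decimal(annual_salary))


def edit_checks(p: ServicePeriod) -> list[str]:
    """Input edits to run before an account is created and a bill is triggered.
    Returns the list of failures; an empty list means the period passes."""
    errors = []
    if p.system not in ("CSRS", "FERS"):
        errors.append(f"unknown retirement system {p.system!r}")
    if p.start > p.end:
        errors.append("period start is after period end")
    if p.end > date.today():
        errors.append("period ends in the future")
    if p.annual_salary <= 0:
        errors.append("annual salary must be positive")
    # The review found the system accepted FERS periods past the cutoff and billed them.
    # Because exceptions exist, the edit refers the case rather than silently billing it.
    if p.system == "FERS" and p.end >= FERS_CREDIT_CUTOFF:
        errors.append("FERS service on or after 1989-01-01 is not creditable absent an exception; "
                      "refer for manual review")
    return errors


def split_for_interest(p: ServicePeriod) -> list[ServicePeriod]:
    """Split only CSRS periods at 1982-10-01. The review found the system also split FERS
    periods, which overstated FERS interest; FERS periods are returned unchanged."""
    if p.system == "CSRS" and p.start < CSRS_INTEREST_SPLIT <= p.end:
        return [replace(p, end=CSRS_INTEREST_SPLIT - timedelta(days=1)),
                replace(p, start=CSRS_INTEREST_SPLIT)]
    return [p]


def earnings_by_days(p: ServicePeriod) -> Decimal:
    """The method the review found in the system: salary prorated by days over a 360-day year.
    ASSUMPTION: calendar days in the period, inclusive of both ends."""
    days = (p.end - p.start).days + 1
    return (p.annual_salary * days / DAYS_PER_YEAR).quantize(CENT, ROUND_HALF_UP)


def hours_worked(start: date, end: date) -> int:
    """ASSUMPTION: 8 hours for every Monday-Friday in the range. The CRIS job-aid hourly
    tables are not reproduced in the report, so this simple schedule stands in for them."""
    d, hours = start, 0
    while d <= end:
        if d.weekday() < 5:
            hours += HOURS_PER_WORKDAY
        d += timedelta(days=1)
    return hours


def earnings_by_hours(p: ServicePeriod) -> Decimal:
    """The job-aid method: hours worked times the hourly rate (annual salary / 2087, to the cent)."""
    hourly = (p.annual_salary / HOURS_PER_YEAR).quantize(CENT, ROUND_HALF_UP)
    return (hourly * hours_worked(p.start, p.end)).quantize(CENT, ROUND_HALF_UP)


if __name__ == "__main__":
    # Constructed sample periods; not taken from any OPM account.
    csrs = ServicePeriod.parse("CSRS", "1982-09-01", "1982-10-31", "20000")
    fers_old = ServicePeriod.parse("FERS", "1982-09-01", "1982-10-31", "20000")
    fers_new = ServicePeriod.parse("FERS", "1990-01-01", "1990-06-30", "30000")
    print([(q.start, q.end) for q in split_for_interest(csrs)])      # two periods
    print([(q.start, q.end) for q in split_for_interest(fers_old)])  # one period, not split
    print(edit_checks(fers_new))                                      # rejected, referred for review
    july = ServicePeriod.parse("CSRS", "1999-07-01", "1999-07-31", "30000")
    print(earnings_by_days(july), earnings_by_hours(july))            # the two estimates differ
```

Running the module shows why the review called the hourly approach "slightly more accurate": for the same month and salary the two prorations disagree by about 2 percent, and the day-based figure silently pays or bills for weekends. The edits in `edit_checks` are the point that matters for the later data-entry finding: a period that fails them never reaches the balance calculation, so the system cannot create an account and trigger a bill on an invalid period the way the review observed.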
In the future, CRIS has agreed to obtain the actual earnings amount instead of salary or hourly wage amounts. This will result in a more precise calculation of the initial service credit balance owed.

The Service Credit Tiger Team has established a scope document that contains a total of nine tasks detailing core business requirements that were not included in the existing SCRD application (including the items detailed above), and two items that have been defined as "enhancements" to be addressed after the next system update.

Clearly, the business rules were not comprehensively identified and documented during the original SCRD system development process. This may have occurred because of a lack of knowledgeable business users involved in the original effort. However, CRIS has assigned new staff to the service credit project who appear to be very knowledgeable regarding the appropriate business rules and are working on the Tiger Team to correct the current application. Because the business rules were not fully developed and programmed into the original application, there are service credit accounts that have incorrect balances.

Recommendation 3

We recommend that CRIS and the Tiger Team develop a comprehensive repository that contains all known business requirements, and ensure that the system is updated and thoroughly tested before being placed into production.

CRIS Response: "RSP is working closely with the programmers to ensure appropriate business rules are applied. The requirements guide will be updated with the rules as necessary and detailed job aids for using the Service Credit system are being developed. In addition, rigorous testing of the system is now underway. The Tiger Team will recommend that the OCFO collaborate with CRIS on the documentation and storage of all business rules in a repository. The Tiger Team may not be in existence long enough to document all of the rules.
However, the customer organizations should complete the process."

Recommendation 4

We recommend that CRIS ensure that the business rules repository is maintained and updated when required, and that ongoing system enhancements are thoroughly tested before and after implementation.

3. Data Entry Errors

In testing our random sample of 100 of the 1,000 most recently created accounts, we found that CRIS clerks had entered incorrect dates or salary rates in 18 cases (an 18 percent error rate). One of these sample items had an error that resulted in an overcharge of $1,178.80. In addition, the BSG evaluated the service credit database to identify outliers involving high-dollar account balances, and found that 40 percent of them were caused by data entry errors.

FISCAM section 4.2, Business Process Controls, states that "The entity should implement procedures to reasonably assure that (1) all data input is done in a controlled manner, (2) data input into the application is complete, accurate, and valid, (3) any incorrect information is identified, rejected, and corrected for subsequent processing, and (4) the confidentiality of data is adequately protected. Inadequate input controls can result in incomplete, inaccurate, and/or invalid records in the application data or unauthorized disclosure of application data."

This situation apparently resulted from inadequately trained data entry clerks, a lack of system edits and validity checks, and an ineffective monitoring and auditing capability. As a result, there is a very high risk that initial account balances could be significantly understated or overstated.

Recommendation 5

We recommend that appropriate validity checks and system edits be programmed into the system to prevent incorrect or unreasonable entries.

CRIS Response: "RSP is working with the programmers to implement comprehensive edits and error messages.
BSG staff will look at ways to build in validation edits and at a minimum add "pop-ups" when there is a possibility of erroneous data being entered although it may pass edits (such as the size of a Service Credit account)."

Recommendation 6

We recommend that training aids be updated and that refresher training be provided to data entry clerks.

CRIS Response: "Job aids are being developed and will be available once the system has been updated."

Recommendation 7

We recommend that a monitoring and auditing capability be established that includes second-level review of transactions input into the system and periodic random sampling and reporting to management.

CRIS Response: "RSP has implemented 100% review since October 2009 and the Quality Assurance Group will be conducting periodic audits."

Recommendation 8

We recommend that all accounts established since April 1, 2006 be reviewed for accuracy of input data and corrected if necessary.

CRIS Response: "RSP has acknowledged that the error rate found by the IG was inordinately high due to the inexperience of the new staff handling the service credit claims as of October 2008. Before that date, experienced staff processed new claims and so we have a high confidence level that those claims were entered accurately. Therefore, we are working with the Quality Assurance Group to provide a random sampling review on service credit accounts computed between October 2008 and October 2009. Effective 10/01/09 RSP has senior Legal Administrative Specialists reviewing all initial billing data entries prior to triggering and issuing statements. In addition, all accounts not paid in full by the employee's retirement date will be reviewed during the retirement adjudication process and the retiree will be given the opportunity to make payment."

If we can be of assistance during your review of this report, please contact me or your staff can contact Michael R.
Esser, Assistant Inspector General for Audits, on _ or _ _ Chief, Information Systems Audits Group, on _

cc: Elizabeth A. Montoya
Chief of Staff and Director of External Affairs

Richard B. Lowe
Deputy Chief of Staff and Executive Secretariat

Mark Reger
Chief Financial Officer

David M. Cushing
Deputy Chief Financial Officer & Policy and Internal Control Group

Kathleen McGettigan
Deputy Associate Director, Center for Retirement and Insurance Services

Ronald C. Flom
Associate Director & Chief Human Capital Officer

Matthew E. Perry
Acting Chief Information Officer
Review of the Service Credit Redeposit System
Published by the Office of Personnel Management, Office of Inspector General on 2010-01-08.