
Review of the Service Credit Redeposit System

Published by the Office of Personnel Management, Office of Inspector General on 2010-01-08.


                          UNITED STATES OFFICE OF PERSONNEL MANAGEMENT

                                                Washington, DC 20415



   Office of the
Inspector General
                                                January 8, 2010


        MEMORANDUM FOR JOHN BERRY
                                  Director
        FROM:                     PATRICK E. McFARLAND
                                  Inspector General


        SUBJECT:                  Review of the Service Credit Redeposit and Deposit System (Report
                                  Number 4A-CF-00-10-021)

        The purpose of this memorandum is to communicate to you the findings and conclusions
        resulting from our review of the Service Credit Redeposit and Deposit (SCRD) system. In your
        July 15, 2009 memorandum, you requested that my office investigate the circumstances that led
        to incorrect computations of amounts owed by employees to obtain credit for previous federal
        service. Our review was limited to identifying the causes of the computational errors and
        validating whether the updated system is now correctly calculating initial balance, interest, and
        payments.

        Executive Summary

        Overall, nothing came to our attention that caused us to believe that the Service Credit Redeposit
        and Deposit system version 4.4 is not properly calculating initial interest or accruing interest
        when payments are made. However, we did note several areas of concern associated with the
        original and continuing system development and maintenance process, as well as other system
        problems, unrelated to the computational module, that could result in accounts with understated
        or overstated balances.

             •	 Separation of duties: There is an inadequate separation of duties related to the procedures
                for managing changes to the SCRD application. Software modifications can be
                programmed and compiled by the same person. This means that unauthorized
                programming changes can be made to the application without the knowledge or approval
                of the system owners. The Benefit Systems Group (BSG), within the Center for
                Information Services (CIS), has purchased new change management software that
                ensures separation of duties and is designing and implementing new procedures.
             •	 System requirements: The system requirements (or business rules) were not fully
                developed and documented prior to system implementation. We identified a number of
                cases where either the business rules were incorrect or were not properly incorporated in
                the system.
             •	 Data entry errors: We found a high percentage of errors that occurred during the manual
                process of establishing employees' service credit accounts. In most of these cases, either
                incorrect periods of service or earnings amounts were entered.




        www.opm.gov                                                                            www.usajobs.gov
Honorable John Berry                                                                           2


Background

Under the Civil Service Retirement System (CSRS), employees may make optional deposits for
periods of service during which retirement contributions were not withheld from their pay. They
may also redeposit refunds of retirement contributions during previous periods of service.
Employees who are covered by the Federal Employees Retirement System (FERS) may make
optional deposits of retirement contributions that were not withheld from their pay, but, prior to
October 28, 2009, they could not redeposit refunds of retirement contributions. Under either
system, interest is due on the deposited or redeposited amounts, although interest rates and
periods vary. The purpose of making these deposits or redeposits is to obtain credit toward
retirement for previous periods of service.

Ownership of this service credit business process is shared between OPM's Center for
Retirement and Insurance Services (CRIS) and the Office of the Chief Financial Officer (OCFO).
Federal employees submit an application (standard forms 2803 or 3108) to participate in the
program, and the CRIS staff gather the necessary information to process the request, including
prior periods of service, earnings, refund amounts, and other related data. They determine the
initial balance, including interest, and set up an account. The OCFO staff is responsible for
processing service credit payments made after accounts have been established.

Until 2006, this process was facilitated by a mainframe-based information system that had been
in place for many years. This system handled basic transactions, but was not designed to
accommodate the many complexities of the business process, particularly the special retirement
rules for various classes of federal employees. These more complex transactions were processed
manually. However, in April 2006, a newer, more modern version of the service credit system
was released which was designed to allow most types of transactions to be automatically
processed on users' desktop computers.

The new system was designed and built using Microsoft .NET (dot NET) technology, a software
framework that includes a large library of coded solutions to common programming problems
and a virtual machine that manages the execution of programs written specifically for the
framework. The .NET framework is intended to be used by most new applications created for the
Windows platform. Before this project, OPM had limited experience developing software
applications using .NET technology. Therefore, BSG, which was responsible for the project,
turned to several contractors to assist in the system development process.

In December 2007, the bank that manages deposit payments generated a list of duplicate
payments, and while researching the problem the CRIS staff discovered anomalies in the
payment and interest amounts. It was later discovered that the system was not properly
calculating interest in some cases. Attempts to correct the problems were not successful, and the
system was eventually taken offline in July 2008.

Corrections were made to the system and it was brought back on-line in October of 2008.
The BSG continued to work with the system owners, CRIS and OCFO, to identify and correct
the problems and Service Credit account data in the system. In August 2009, a new version of
the system (SCRD version 4.4) was distributed to users and a data fix routine was executed
which corrected the accounts. This system is now being used to establish new accounts, but
CRIS and the OCFO continue to manually calculate balances and update accounts to reflect
payment activity while system testing continues.

OPM has convened a Tiger Team with full responsibility for correcting the current problems
with the system. This group includes members from CRIS, OCFO, BSG, and the Office of the
Inspector General (OIG). The mandate is to identify all existing problems in the SCRD
application, develop a corrective action plan, correct all known issues, and implement an updated
system that properly handles the majority of service credit cases.

Our review was not conducted in accordance with Generally Accepted Government Auditing
Standards (GAGAS). The nature and scope of the work performed was consistent with that
expected of a GAGAS audit; however, because we consider this to be a review, the
documentation, reporting, and quality control standards are not as stringent.

Scope and Methodology

Our office reviewed the change control process and performed tests of transactions in the SCRD
system. We interviewed individuals involved in managing system changes, and examined
documentation associated with user acceptance testing and approval. For our transaction testing,
we selected a random sample of 100 from a universe of the 1,000 most recently established
accounts as of August 26, 2009. We also sampled 20 Peace Corps accounts to evaluate whether
the special rules for these cases had been properly programmed in the system. Finally, we
sampled 50 accounts from the universe of accounts set up between April 2006 and July 2008
where payments had been applied. Based on the business rules appropriate to the type of case
involved in the sampled accounts, we manually re-calculated initial balances, including interest,
and, in the cases where payments had been made, the current balance with accrued interest. We
compared our results to the same information entered into the system's test environment.

We used the following documentation, policies, and regulations to evaluate our results:

   •	 Federal Information System Controls Audit Manual (FISCAM)
   •	 5 U.S.C. §§ 8334 and 8411 "Deductions, Contributions, and Deposits" and "Creditable
      Service"
   •	 5 C.F.R. § 842.305 "Deposits for Civilian Service"
   •	 CSRS and FERS Handbook for Personnel and Payroll Offices
          o	 Administration and General Provisions: "OPM Responsibilities" (§4 1C2.1-1)
          o	 Service Credit Payments for Civilian Service: "CSRS" (§ 21A)
          o	 Service Credit Payments for Civilian Service: "FERS" (§ 21B)
   •	 CSRS and FERS Applications: Information about Service Credit Payments Page
   •	 Job Aids - Straight CSRS Deposits and Redeposits Training Manual, provided by the
      Center for Retirement and Insurance Services (CRIS) in Boyers, Pennsylvania.
   •	 OPM Website: http://www.opm.gov/retire/pre/csrs/index.asp


Results

1. Separation of Duties

   There is an inadequate separation of duties related to the procedures for managing changes to
   the SCRD application. Software modifications can be programmed and compiled by the
   same person. This means that unauthorized programming changes can be made to the
   application without the knowledge or approval of the system owners.

   We interviewed the BSG staff responsible for the SCRD system development and
   maintenance and found that .NET programmers typically make changes to source code and
   compile the code into an installation package for distribution. The installation package is
   placed on a network drive and made available to staff from the agency's Network
   Management Group to be distributed across the OPM network to user desktops.

   After changes are programmed, tested, and compiled, the installation package is distributed
   to business users for user acceptance testing. However, because the programmers can
   modify the source code and compile programs, there is nothing to prevent a programmer
   from making and compiling additional changes after user acceptance testing and approval.

   A better approach would be to limit programmers' access to the development process. When
   the user acceptance testing phase begins, the programmer should not be at all involved unless
   there are additional changes required; then the change management cycle should start from
   the beginning: development; unit, integration, and system testing; user acceptance testing;
   implementation. Ideally, the programmer's involvement would end after the system testing
   phase. A different person or group would then be responsible for compiling source code and
   distributing the installation packages after the user acceptance testing and approval phase.
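One way to enforce the control described above, as an added example that is not part of the OIG report or of OPM's tooling: a release gate that refuses to build when the source differs from the snapshot approved in user acceptance testing, or when the developer also approves, compiles or distributes. The file names, user names and change id are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


def source_digest(files: dict[str, bytes]) -> str:
    """SHA-256 over a source snapshot: paths sorted, every field length-prefixed
    so that renaming or moving bytes between files changes the digest."""
    h = hashlib.sha256()
    for path in sorted(files):
        name = path.encode("utf-8")
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(files[path]).to_bytes(8, "big") + files[path])
    return h.hexdigest()


@dataclass(frozen=True)
class Approval:
    change_id: str        # hypothetical change ticket id
    developer: str        # who programmed the change
    approver: str         # system owner who signed off after UAT
    approved_digest: str  # digest of the source snapshot that passed UAT


def release_violations(files: dict[str, bytes], approval: Approval,
                       built_by: str, distributed_by: str) -> list[str]:
    """Return every separation-of-duties problem; an empty list means release."""
    problems = []
    if source_digest(files) != approval.approved_digest:
        problems.append("source changed after user acceptance approval")
    if approval.approver == approval.developer:
        problems.append("developer approved own change")
    if built_by == approval.developer:
        problems.append("developer compiled the release")
    if distributed_by == approval.developer:
        problems.append("developer distributed the release")
    return problems


# Constructed sample data (not taken from the SCRD system).
TESTED = {"Interest.cs": b"rate = 0.03;\n", "Billing.cs": b"// billing\n"}
APPROVAL = Approval("CHG-0001", "dev_a", "owner_b", source_digest(TESTED))
# The same tree with one file edited after sign-off.
LATE_EDIT = {**TESTED, "Interest.cs": b"rate = 0.30;\n"}

if __name__ == "__main__":
    print(release_violations(TESTED, APPROVAL, "rel_c", "net_d"))
    print(release_violations(LATE_EDIT, APPROVAL, "dev_a", "net_d"))
```

A post-approval edit restarts the cycle: the gate only passes again once a new approval record pins the new digest.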

   FISCAM section 3.3, Configuration Management, states that the "movement of programs
   and data among libraries should be controlled by an entity group or person that is
   independent of both the user and the programming staff. This group should be responsible
   for ... moving programs from development/maintenance to user testing and from user testing
   to production."

   FISCAM section 3.4, Segregation of Duties, states that "Work responsibilities should be
   segregated so that one individual does not control all critical stages of a process. For
   example, while users may authorize program changes, programmers should not be allowed to
   do so because they are not the owners of the system and do not have the responsibility to see
   that the system meets user needs. Similarly, one computer programmer should not be allowed
   to independently write, test, and approve program changes...

   "Inadequately segregated duties increase the risk that ... improper program changes could
   be implemented. For example, a computer programmer responsible for authorizing,
   writing, testing, and distributing program modifications could either inadvertently or
   deliberately implement computer programs that did not process transactions in accordance
   with management's policies or that included malicious code."


   The BSG managed the development, implementation, and ongoing maintenance of the SCRD
   system. In the Enterprise Server (mainframe) environment, there are well-established
   controls for ensuring separation of duties between the development, testing, and production
   areas. However, because the new system involved Microsoft's .NET technology, which was
   new to OPM, the development process occurred in a less controlled, server-based
   environment.

   As a result, programmers would have been able to make unapproved and/or untested system
   changes which may have caused the computational errors to occur. Although we could not
   document any such changes, we did obtain anecdotal evidence that a contractor supporting
   the system made a large number of "informal" changes just before the system's July 2008
   failure. Based on interviews of knowledgeable staff, it is not clear whether these changes
   were tested and approved by the system owners prior to implementation.

   We were told that BSG has purchased new change management software that enforces
   proper separation of duties, and is designing and implementing new procedures.

   Recommendation 1

  We recommend that BSG implement the new change management software as soon as
  possible, and design change management procedures that include appropriate separation of
  duties. Such procedures should also cover employee roles and responsibilities, change
  control and system documentation requirements, establishment of a decision-making
  structure, and configuration management training.

   DCIO Response:

   "The DCIO has purchased a new configuration management tool (Serena) for the distributed
   environment at OPM that should mitigate the issue raised by OIG staff. We are currently
   awaiting the agreement on the service contract with the vendor so that the tool can be
   installed and training provided for those who will use the tool."

   Recommendation 2

   We recommend that OPM provide funding for the SCRD system to adequately support
   ongoing maintenance and ensure an appropriate separation of duties.

2. System Requirements

   In addition to the lack of change management controls, we found that the business owners
   did not fully develop the system requirements during the SCRD system development project.
   While there is a "User Requirements Document for the Service Credit System (SCRD)" that
   quite comprehensively documents functional requirements, system integrity, and the
   technical environment, there are no business rules included in this document.


   There are many complexities involved with the service credit business process, many of
   which derive from legislation affecting federal retirement. We reviewed CSRS and FERS
   handbooks, job aids, and relevant areas of the OPM website to obtain an understanding of
   these business rules. From our interviews and tests of transactions, we determined that many
   of the business rules were either not included in the SCRD system, or were not properly
   programmed. For example:

   •	 For CSRS cases that have a period of service spanning October 1, 1982, the system
      automatically splits it into two separate periods of service because there is a different
      procedure for calculating interest before and after this date. The system appropriately
      handles this business rule for CSRS cases; however, it also incorrectly applies the same
      treatment to FERS cases. This causes the interest on FERS cases with periods of service
      spanning October 1, 1982 to be overstated.

   •	 The system applies an incorrect deduction rate for Peace Corps cases with periods of
      service in 1999 and 2000. This causes the initial balance owed to be understated. We
      were told that CRIS has been aware of this issue and is manually processing applications
      from Peace Corps members. However, we found several Peace Corps cases that had been
      processed incorrectly through the production SCRD system.

   •	   With several exceptions, employees covered by FERS are not allowed to obtain service
        credit for periods of service occurring on or after January 1, 1989. However, we found
        that the system will accept a FERS application with a period of service after this date,
        create an initial account balance, and trigger a bill. There should be edits that prevent
        transactions with invalid periods of service from being entered into the system.

   •	 To determine the retirement contributions that must be repaid for employees to obtain
      credit for past service, the amount that the employee earned during the period of service
      must be determined. There are CRIS job aids that describe how to calculate this amount.
      In cases where supporting documentation only references the annual salary for the
      applicable grade level and time period, the actual earnings amount must be inferred based
      on the date range of the period of service. The job aids contain various hourly tables that
      are used to determine the number of hours worked during a date range, and indicate that
      the earnings amount should be calculated based on the product of hours worked and the
      hourly rate. This approach is consistent with OPM salary tables, which present salaries in
      both annual and hourly amounts.

        However, we found that the system applies a factor to the salary based on the number of
        days worked rather than the number of hours. A 360-day year is assumed for this
        calculation. The use of either method only results in an estimate of the actual earnings
        amount; however, the hourly approach is slightly more accurate. In the future, CRIS has
        agreed to obtain the actual earnings amount, instead of salary or hourly wage amounts.
        This will result in a more precise calculation of the initial service credit balance owed.

   The Service Credit Tiger Team has established a scope document that contains a total of nine
   tasks detailing core business requirements that were not included in the existing SCRD
   application (including the items detailed above), and two items that have been defined as
   'enhancements' to be addressed after the next system update. Clearly, the business rules
   were not comprehensively identified and documented during the original SCRD system
   development process. This may have occurred because of a lack of knowledgeable business
   users involved in the original effort. However, CRIS has assigned new staff to the service
   credit project who appear to be very knowledgeable regarding the appropriate business rules
   and are working on the Tiger Team to correct the current application.

   Because the business rules were not fully developed and programmed into the original
   application, there are service credit accounts that have incorrect balances.


   Recommendation 3

   We recommend that CRIS and the Tiger Team develop a comprehensive repository that
   contains all known business requirements, and ensure that the system is updated and
   thoroughly tested before being placed into production.

   CRIS Response:

   "RSP is working closely with the programmers to ensure appropriate business rules are
   applied. The requirements guide will be updated with the rules as necessary and detailed job
   aids for using the Service Credit system are being developed. In addition, rigorous testing of
   the system is now underway.

   The Tiger Team will recommend that the OCFO collaborate with CRIS on the
   documentation and storage of all business rules in a repository. The Tiger Team may not be
   in existence long enough to document all of the rules. However, the customer organizations
   should complete the process."

   Recommendation 4

   We recommend that CRIS ensure that the business rules repository is maintained and
   updated when required, and that ongoing system enhancements are thoroughly tested before
   and after implementation.

3. Data Entry Errors

   In testing our random sample of 100 of the 1,000 most recently created accounts, we found
   that CRIS clerks had entered incorrect dates or salary rates in 18 cases (or an 18 percent error
   rate). One of these sample items had an error that resulted in an overcharge of $1,178.80. In
   addition, the BSG evaluated the service credit database to identify outliers that involved
   high-dollar account balances, and found that 40 percent were caused by data entry errors.

   FISCAM section 4.2, Business Process Controls, states that "The entity should implement
   procedures to reasonably assure that (1) all data input is done in a controlled manner, (2) data
   input into the application is complete, accurate, and valid, (3) any incorrect information is
   identified, rejected, and corrected for subsequent processing, and (4) the confidentiality of
   data is adequately protected. Inadequate input controls can result in incomplete, inaccurate,
   and/or invalid records in the application data or unauthorized disclosure of application data."

   This situation apparently resulted from inadequately trained data entry clerks, a lack of
   system edits and validity checks, and an ineffective monitoring and auditing capability. As a
   result, there is a very high risk that initial account balances could be significantly understated
   or overstated.
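The edits called for in section 2 (reject FERS periods of service on or after January 1, 1989; split at October 1, 1982 for CSRS only) and the missing validity checks noted here, sketched as an added example that is not code from the SCRD system. The `exception_code` field is a hypothetical stand-in for the "several exceptions" the report mentions but does not list, and the sample entries are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FERS_CUTOFF = date(1989, 1, 1)           # date stated in the report
CSRS_INTEREST_SPLIT = date(1982, 10, 1)  # date stated in the report


class EditError(ValueError):
    """Raised when an entry fails a system edit and must not create an account."""


@dataclass(frozen=True)
class Period:
    system: str                           # "CSRS" or "FERS"
    start: date
    end: date                             # inclusive
    exception_code: Optional[str] = None  # hypothetical: documented FERS exception


def validate(p: Period) -> None:
    if p.system not in ("CSRS", "FERS"):
        raise EditError(f"unknown retirement system {p.system!r}")
    if p.end < p.start:
        raise EditError("period of service ends before it starts")
    if p.system == "FERS" and p.end >= FERS_CUTOFF and not p.exception_code:
        raise EditError("FERS service on or after 1989-01-01 needs a documented exception")


def interest_segments(p: Period) -> list[tuple[date, date]]:
    """Validate, then split at 1982-10-01 for CSRS only; FERS stays whole."""
    validate(p)
    if p.system == "CSRS" and p.start < CSRS_INTEREST_SPLIT <= p.end:
        return [(p.start, CSRS_INTEREST_SPLIT - timedelta(days=1)),
                (CSRS_INTEREST_SPLIT, p.end)]
    return [(p.start, p.end)]


def screen(entries: list[Period]):
    """Run every entry through the edits; rejected entries carry the reason."""
    accepted, rejected = [], []
    for p in entries:
        try:
            accepted.append((p, interest_segments(p)))
        except EditError as exc:
            rejected.append((p, str(exc)))
    return accepted, rejected


# Constructed sample entries.
SAMPLE = [
    Period("CSRS", date(1981, 7, 1), date(1983, 6, 30)),   # spans the split date
    Period("FERS", date(1981, 7, 1), date(1983, 6, 30)),   # must not be split
    Period("FERS", date(1988, 6, 1), date(1989, 3, 31)),   # runs past the cutoff
    Period("CSRS", date(1979, 5, 1), date(1978, 5, 1)),    # dates keyed in reversed
]

if __name__ == "__main__":
    ok, bad = screen(SAMPLE)
    for p, segs in ok:
        print(p.system, segs)
    for p, reason in bad:
        print("REJECTED", p.system, reason)
```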

   Recommendation 5

   We recommend that appropriate validity checks and system edits be programmed into the
   system to prevent incorrect or unreasonable entries.


   CRIS Response:

   "RSP is working with the programmers to implement comprehensive edits and error
   messages. BSG staff will look at ways to build in validation edits and at a minimum add
   "pop-ups" when there is a possibility of erroneous data being entered although it may pass
   edits (such as the size of a Service Credit account)."

   Recommendation 6

   We recommend that training aids be updated and that refresher training be provided to data
   entry clerks.


   CRIS Response:


   "Job aids are being developed and will be available once the system has been updated."


   Recommendation 7


   We recommend a monitoring and auditing capability be established that includes second-level
   review of transactions input into the system and periodic random sampling and
   reporting to management.


   CRIS Response:

   "RSP has implemented 100% review since October 2009 and the Quality Assurance Group
   will be conducting periodic audits."


   Recommendation 8


   We recommend that all accounts established since April 1, 2006 be reviewed for accuracy of
   input data and corrected if necessary.


       CRIS Response:

       "RSP has acknowledged that the error rate found by the IG was inordinately high due to the
       inexperience of the new staff handling the service credit claims as of October 2008. Before
       that date, experienced staff processed new claims and so we have a high confidence level that
       those claims were entered accurately. Therefore, we are working with the Quality Assurance
       Group to provide a random sampling review on service credit accounts computed between
       October 2008 and October 2009. Effective 10/01/09 RSP has senior Legal Administrative
       Specialists reviewing all initial billing data entries prior to triggering and issuing statement.
       In addition, all accounts not paid in full by the employee's retirement date will be reviewed
       during the retirement adjudication process and the retiree will be given the opportunity to
       make payment."

 If we can be of assistance during your review of this report, please contact me or your staff can
 contact Michael R. Esser, Assistant Inspector General for Audits, on _           or _
_        Chief, Information Systems Audits Group, on _

cc:        Elizabeth A. Montoya
           Chief of Staff and Director of External Affairs

           Richard B. Lowe
           Deputy Chief of Staff and Executive Secretariat

           Mark Reger
           Chief Financial Officer

           David M. Cushing
           Deputy Chief Financial Officer & Policy and Internal Control Group

           Kathleen McGettigan
           Deputy Associate Director
           Center for Retirement and Insurance Services

           Ronald C. Flom
           Associate Director & Chief Human Capital Officer

           Matthew E. Perry
           Acting Chief Information Officer