Iowa Workforce Development

Office of Inspector General

U.S. Department of Labor
Office of Audit
Chicago Regional Audit Office

IOWA WORKFORCE DEVELOPMENT

Report No.: 05-98-003-03-315

Date: March 27, 1998

March 27, 1998

MEMORANDUM FOR:           RAYMOND J. UHALDE
                                                    Acting Assistant Secretary for Employment
                                                        and Training

                                                       / s /
FROM:                                      JOHN J. GETEK
                                                    Assistant Inspector General
                                                        for Audit

SUBJECT: Iowa Workforce Development
Final Audit Report No. 05-98-003-03-315

The attached subject final report is submitted for your resolution action. We request a response to this report within 60 days.

You are responsible for transmitting a copy of this report to the Iowa Workforce Development.

If you have any questions regarding this report, contact Preston Firmin, Regional Inspector General in Chicago at (312) 353-2416.

Attachment

Table of Contents

Acronyms/Abbreviations ii

Executive Summary iii

Chapter 1 -- Introduction

Background                                                                                                                             1
Principal Criteria                                                                                                                     1
Objective, Scope, and Methodology                                                                                     2

Chapter 2 -- Informed Consent

Is IWD in compliance with the UIPL and applicable State laws governing
confidentiality and disclosure? 4

Chapter 3 -- Safeguards

Are adequate controls in place to ensure that privacy is adequately protected
once the data are in the hands of private interests? 6

Chapter 4 -- Income and Costs

Is the State's accounting for costs and revenues applicable to the VIE
Agreement adequate? 15
Did VIE pay for all additional equipment and system design changes
necessary to provide the services? 18

Appendix A

Excerpts from Iowa Code 19

Appendix B

Analysis of Audits Performed 22

Appendix C

Iowa Workforce Development Response to Draft Report 25

Page i

Acronyms/Abbreviations

Addendum Modification to the Agreement between IWD and VIE dated
February 4, 1997

AE Auditing Entity

Agreement The Agreement between IWD and VIE dated
September 22, 1995

DOL U.S. Department of Labor

FCRA Fair Credit Reporting Act

IWD Iowa Workforce Development

OIG Office of Inspector General

SESA State Employment Security Agency

UI Unemployment Insurance

UIPL Unemployment Insurance Program Letter

UIS Unemployment Insurance Service (DOL)

VIE Verification of Income and Employment, Inc. (A division of Norwest Mortgage, Inc.)

Page ii

Executive Summary

On May 31, 1996, the Unemployment Insurance Service (UIS) issued Unemployment Insurance Program Letter (UIPL) No. 23-96 to clarify the Department of Labor's (DOL) position regarding disclosure of Unemployment Insurance (UI) wage records.

The DOL Office of Inspector General (OIG) has completed a program audit of the first State Agreement subject to the UIPL. We audited the procedures associated with the Agreement between Iowa Workforce Development (IWD) and Verification of Income and Employment, Inc. (VIE) for the period August 1, 1995 through May 19, 1997.

The audit objective was to answer the following questions regarding IWD's compliance with UIPL No. 23-96:

1. Is IWD in compliance with the UIPL and applicable State laws governing confidentiality and disclosure?

2. Are adequate controls in place to ensure that privacy is adequately protected once the data are in the hands of private interests?
3. Accounting:
a. Is the State's accounting for costs and revenues applicable to the VIE Agreement adequate?

b. Did VIE pay for all additional equipment and system design changes necessary to provide the services?

Our audit disclosed that:

a narrow reading of the relevant statutory provisions could arguably raise questions about IWD's statutory authority to disclose unemployment insurance wage records to third parties. IWD is in compliance with the informed consent provision of the UIPL; (See chapter 2.)

with respect to the UIPL safeguard provision, a) although IWD included controls in the VIE Agreement, and VIE included controls in the Subscriber Agreements, IWD has not developed written policies and

Page iii

IWD has adequate controls for reporting costs and revenues and IWD assured us that all excess revenue from the VIE project will be used solely to fund unemployment compensation programs. (See chapter 4.)

the VIE reimbursement covered IWD's costs of system design changes and additional equipment. (See chapter 4.)

We recommend that the Assistant Secretary for Employment and Training:

1. require IWD to develop written policies and procedures for conducting periodic audits of VIE's audit process to assure that each subscriber has on file a written release authorizing each access;
2. require IWD to develop written policies and procedures for conducting periodic audits to assure that the information is not being misused; and
3. direct the Unemployment Insurance Service to monitor VIE project revenues received by IWD to ensure that excess revenues are used only for UI purposes, in accordance with UIPL No. 23-96.

IWD officials generally concurred with our audit findings. (See IWD's complete response in Appendix C.)
However, IWD provided comments and a copy of Procedures and Policies recently drafted in response to our Recommendation Nos. 1 and 2. As a result, we consider Recommendation No. 1 resolved, but not closed, and Recommendation 2 unresolved. (See Chapter 3.) Recommendation No. 3 remains unresolved.

Page iv

Chapter 1 -- Introduction

Background:

In September 1995, Iowa Department of Employment Services, now known as Iowa Workforce Development (IWD) entered into an Agreement with Verification of Income and Employment, Inc. (VIE), a wholly owned subsidiary of Norwest Mortgage, Inc. The Agreement allows VIE to obtain electronic access to state unemployment insurance (UI) wage reporting records for the purpose of consumer credit verification. VIE, in turn, has Agreements with subscribers who can access the wage records through VIE. The purpose of the Agreements is to provide consumers with a vehicle to expedite the loan approval process by furnishing their wage record information to third party lending institutions. Access is based upon the consent of the individual consumer whose wage record is the subject of the inquiry.

On May 31, 1996, the Unemployment Insurance Service (UIS) issued Unemployment Insurance Program Letter (UIPL) No. 23-96 to clarify the Department of Labor's position regarding disclosure. In summary, the Department permits the disclosure of wage records if state law permits such disclosure and if certain conditions related to informed consent, safeguards, and income and costs are satisfied.

Principal Criteria:

Social Security Act, Section 303(a)(1)

UIPL No. 23-96 - Disclosure of Confidential Employment Information to Private Entities (the major provisions are detailed in Chapters 2 through 4)

Iowa Code (see Appendix A)

the Agreement dated September 22, 1995, between IWD and VIE

the Addendum dated February 4, 1997, between IWD and VIE

OMB Circular No. A-87 - Cost Principles for State, Local and Indian Tribal Governments

29 CFR 97 - Uniform Administrative Requirements for Grants and Cooperative Agreements to State and Local Governments

Objective, Scope, and Methodology:

Objective

The audit objective was to answer the following questions regarding IWD's compliance with UIPL No. 23-96:

1. Is IWD in compliance with the UIPL and applicable State laws governing confidentiality and disclosure?
2. Are adequate controls in place to ensure that privacy is adequately protected once the data are in the hands of private interests?
3. Accounting:
a. Is the State's accounting for costs and revenues applicable to the VIE Agreement adequate?
b. Did VIE pay for all additional equipment and system design changes necessary to provide the services?

Scope

IWD entered into an Agreement with VIE on September 22, 1995. We audited the IWD fund ledgers and procedures associated with the Agreement from project startup on
August 1, 1995 through February 28, 1997. We performed a reconciliation of IWD and VIE inquiry files for the period January 20 through April 19, 1997. We then selected a sample of 141 IWD transactions during the period April 20 through May 19, 1997, to determine if there was a written release authorizing each access and if it contained the required language. Fieldwork was conducted from March 18, 1997 through
January 22, 1998.

Methodology

To answer the audit objective, we interviewed key IWD and VIE staff, audited receipts and disbursements of IWD fund ledgers for the VIE project, reviewed IWD internal controls, and tested compliance with the provisions of UIPL No. 23-96. Work was performed at IWD offices in Des Moines, Iowa; VIE headquarters in West Des Moines, Iowa; and selected subscribers in the Des Moines metropolitan area.

The audit was performed in accordance with Government Auditing Standards as issued by the Comptroller General of the United States.

Page 2

* * * * *

This report addresses IWD's compliance with the requirements of UIPL No. 23-96 as follows:

Informed Consent - Chapter 2
Safeguards - Chapter 3
Income and Costs - Chapter 4

Page 3

Chapter 2 -- Informed Consent

Is IWD in compliance with the UIPL and applicable State laws governing confidentiality and disclosure?

We focused our review on:

a. determining if the State statutes permit disclosure, and
b. ensuring that the individual signed a release form, and that it contained a clear statement informing the individual that the credit company may use information from State government files.

a. State Law Regarding Disclosure

Section 303 (a) (1) of the Social Security Act has long been interpreted to prohibit disclosure of claimant and employer UI information. The UIPL No. 23-96 was issued to clarify the Department of Labor's position regarding disclosure, which is summarized in the statement:

. . . provided certain conditions are met, no issues are raised with respect to Federal UI law requirements when State law permits the information to be released.

We reviewed the following provisions of Iowa Code (included in Appendix A) in an attempt to determine if State law permits the information to be released:

Section 22.11
Section 17A.2
Section 96.11 (6)
Uniform Rules, Chapter X
Workforce Development (871), Chapter 42
Job Service (345), Chapter 8

A narrow reading of the relevant statutory provisions could arguably raise questions about IWD's statutory authority to disclose unemployment insurance wage records to third parties. Therefore, the ETA may wish to request that IWD obtain a legal opinion on this matter from the Iowa Office of Attorney General in order to ensure compliance with the UIPL No. 23-96.

Page 4

b. State Implementation of the Informed Consent Provision

The UIPL No. 23-96 further stipulates:

States must assure that all statements or forms provided under the terms of any Agreements require the informed consent of the individual to use the State's records.

From the very beginning, the IWD Agreement with VIE required that a release be obtained from the individual prior to requesting wage records. The VIE Subscriber Agreement likewise required the same and provided a sample consent form.

To satisfy the requirements of UIPL No. 23-96, an Addendum to the Agreement, dated February 4, 1997, revised the sample consent form to include language that the applicant authorizes the lender to verify employment and income history from such sources as Federal or state records, including State Employment Security Agency (SESA) records.

We selected a random sample of 141 IWD transactions during the period April 20 through May 19, 1997, to determine if there was a written release authorizing each access and if it contained the required language. Our testing disclosed five errors.

We believe IWD has complied with the informed consent provision to include a written release authorizing each access and that it contain the required language.

* * * * * * * In answer to the question, Is IWD in compliance with the UIPL and applicable State laws governing confidentiality and disclosure?, we concluded that a a narrow reading of the relevant statutory provisions could arguably raise questions about IWD's statutory authority to disclose unemployment insurance wage records to third parties. IWD is in compliance with the informed consent provision of the UIPL.

IWD Response:
IWD officials concurred with our conclusions.

Page 5

Chapter 3 -- Safeguards

Are adequate controls in place to ensure that privacy is adequately protected once the data are in the hands of private interests?

For purposes of discussion, we divided the UIPL No. 23-96 Safeguard provision into four parts:

A. Written assurances
B. Audit requirements
C. Termination provisions
D. Criminal penalties

A. Written assurances:
The UIPL No. 23-96 stipulates the following regarding written assurances:

States must safeguard the confidentiality of the UI information once a private entity has been granted access to it. In cases where the private entity is acting as a gateway and passes the information along to a subscriber or client, States must obtain written assurances from the private entity that such subscribers will also safeguard the confidentiality of the information and that the information may be used only for the specific credit transaction authorized by the individual's release.

To safeguard the UI data, IWD included controls in the Agreement with VIE. Per the Agreement, VIE must "take reasonable steps to assure that such information is not misused by the parties or any other person." In addition, "VIE agrees to take precautions to secure any access devices which allow access to Department's (IWD) wage record information."

VIE implemented safeguards to: 1) restrict access of the password to only supervisory personnel, 2) restrict access to the system to key personnel, 3) require the operator's initials on each inquiry, and 4) secure the access system within the facility. The Agreement also requires VIE to retain the wage record information for 24 months. In addition, VIE must "hold the wage record information confidential and shall not use it for any purpose other than as required by FCRA [Fair Credit Reporting Act] Section 609, including but not limited to preparation of any future reports on that individual."

Page 6

VIE's Subscriber Agreement outlines Access Security Requirements in Appendix C:

Only companies who are approved members of our service, certify that they have a permissible purpose for obtaining credit reports and obtain prior, written consent from the consumer, are permitted access to the credit information in our database.

The Subscriber Agreement also contains the following requirements:

- Your VIE subscriber number and password must be protected . . . known only to key personnel.

- Any system access software . . . must have your VIE subscriber password "hidden" or embedded so that the password is known only to supervisory personnel. Each user . . .must then be assigned unique logon passwords.

- Your VIE subscriber number and password are not to be released by telephone. . . .

- The ability to obtain credit information from VIE must be restricted to a few key personnel.

- Any terminal devices . . . should be placed in a secure location within your facility. Access . . . should be difficult for unauthorized persons.

- Operator's initials or user ID are to be included on each inquiry made to VIE.

- Any devices/systems . . . should be turned off and locked . . .when unattended by your key personnel.

- Hard copy VIE consumer reports are to be secured . . .and protected against release or disclosure to unauthorized persons.

- Hard copy VIE consumer reports are to be shredded when they are no longer needed. . . .

In summary, IWD has obtained reasonable written assurances from VIE that subscribers will also safeguard the confidentiality of the information and that the information may be used only for the specific credit transaction authorized by the individual's release.

Page 7

B. Audit requirements:

The UIPL No. 23-96 stipulates the following audit requirements:

States must periodically audit a sample of transactions accessing the wage records to assure that the private entity has on file a written release authorizing each access and that the information is not being misused or stored in a database for resale or other unauthorized purpose to assure that no access is made to the wage records without authorization. If the private entity acts as a gateway and audits its subscribers, it will be sufficient for the State to periodically audit the gateway's audit process. . . . System security through increased audits and other means must be such that any breach will be easily detected.

This provision requires that audits meet two criteria: 1) that the private entity has on file a written release authorizing each access; and 2) that the information is not being misused.

1. Audit to Assure a Written Release Authorizing Each Access:

IWD has not developed written policies and procedures for conducting periodic audits of the gateway's (VIE) audit process to assure that a written release is obtained authorizing each access.

The gateway (VIE) has been auditing the subscribers monthly since the inception of the Agreement with IWD. VIE's audits historically have determined if 1) there is a consent form signed by the consumer, and 2) the consent form advises the consumer that the subscriber may use information from SESA records. The results are reported to IWD in VIE's monthly billing reports. We believe that the VIE audit meets the gateway's UIPL No. 23-96 requirement for sampling transactions to assure a written release authorizing each access.

The UIPL also requires the State to audit VIE's audit process periodically. During the 19-month period we reviewed, the IWD Investigations and Recovery Bureau conducted one internal audit of VIE. However, the audit did not determine if the subscriber has on file a written release authorizing each access, and if it contained the required language, as required by UIPL No. 23-96. Instead, the audit focused on surveying consumers to determine if they applied for credit and signed a release. Furthermore, IWD did not audit VIE's audit process. (See Appendix B.)

Therefore, we believe IWD needs to develop written policies and procedures for conducting periodic audits of the gateway's (VIE) audit process for compliance with the UIPL No. 23-96 requirement that each subscriber has on file a written release authorizing each access.

Page 8

2. Audit to Assure Information Is Not Misused:

IWD has not developed written policies and procedures for conducting periodic audits to assure that the information is not misused.

This provision may be met in two ways: the State may conduct the audit to assure the information is not misused, or the gateway may conduct the audit, providing the State periodically audits the gateway's audit process. While the UIPL recognizes that no system is foolproof, system security through increased audits and other means must be such that any breach will be easily detected.

VIE, as the gateway, has not performed any procedures to assure the information is not misused. Furthermore, during the 19-month period we reviewed, the IWD auditors conducted one review of security procedures at VIE and visited two subscribers to review safeguards. (See Appendix B.) At the time of the review, there were approximately 100 subscribers. We do not consider this one-time, limited review of two subscribers adequate assurance that the information is not misused, as required by UIPL No. 23-96.

To illustrate the effect of not auditing to assure that the information is not misused, we noted the following examples of unauthorized access during our review:

Our audit found that a subscriber's authorized user provided her password to an unauthorized loan officer. The loan officer accessed a UI wage record in an attempt to locate an individual who was delinquent on a loan. VIE's monthly audit previously discovered this subscriber was using the system as a skip trace. The IWD auditors also noted the incident, and their report describes the VIE followup which resulted in only a verbal warning to the subscriber. The IWD auditors failed to question that this subscriber's Agreement should have been terminated in accordance with the terms of the VIE Subscriber Agreement and the UIPL No 23-96. The subscriber Agreement has now been terminated.

We performed a reconciliation of IWD and VIE inquiry files for the period January 20 through April 19, 1997. We discovered that VIE/Norwest technical data processing staff (who developed the system connection between VIE and the subscribers) had direct unlimited access to the same information the subscribers could access in the IWD wage history files. There were no controls to establish that test transactions do not access wage history files. VIE has now implemented a system enhancement that causes these transactions to be captured in VIE's tracking log. However, the current system still allows the technical staff access to all wage records at IWD.

Page 9

Accordingly, we believe that IWD needs to develop written policies and procedures for conducting periodic audits for compliance with the UIPL No. 23-96 requirement that the information is not misused. If IWD elects to have the gateway, VIE, conduct the audits, IWD must periodically audit the gateway's (VIE's) audit process.

C. Termination provisions:

The UIPL No. 23-96 stipulates the following termination provisions:

The State must be able to terminate the Agreement if it determines that the confidentiality provisions are not adhered to. The Department also recommends that the Agreement should contain a definite expiration date so that the State is assured an opportunity to periodically evaluate such disclosure.

The original Agreement was to continue until terminated by either party, by providing the other party 180 days notice of such termination. The Addendum adds that the Agreement "may be terminated by the SESA upon written notification to VIE, should VIE violate any term, condition, duty or requirement imposed by this Agreement. . . . In the event that the violation of this Agreement consists of a serious and flagrant breach of the requirements for prior written consent or the confidentiality or security of information pursuant to this Agreement and VIE has demonstrated a lack of control over its subscribers with continuation of the breach being probable, the SESA may terminate access within 24 hours after providing written notice of the breach via fax communication." The paragraph goes on to provide cure provisions.

IWD has provided for adequate termination provisions in the Agreement with VIE. However, neither the Agreement nor the Addendum contain a provision for a definite expiration date as recommended in the UIPL No. 23-96. The Assistant Secretary for Employment and Training may deem it appropriate to suggest to the Iowa Workforce Development to consider adding a definite expiration date to the Agreement with VIE.

D. Criminal penalties:

The UIPL No. 23-96 stipulates the following regarding criminal penalties:

All employees of private entities must be subject to the same confidentiality requirements -- and State Criminal penalties for violation of those requirements -- as are employees of the State UI agency.

VIE and its subscribers are bound by the confidentiality requirements of the Fair Credit Reporting Act (FCRA), because they meet the definition of a credit reporting agency in Section 603(f) of the Act.

Page 10

The FCRA Section 619 states that:

Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined not more than $5,000 or imprisoned not more than one year, or both.

The Agreement states:

VIE agrees that it will comply with the FCRA with respect to the wage records both as a Credit Reporting Agency and as a User, and that its Agreements with its subscribers will require the subscriber to comply with the FCRA as a User.

The Agreement includes Exhibit 1C, FCRA Acknowledgment, which is required to be signed by each subscriber. Exhibit 1C refers to Section 619 of the FCRA.

Attached to the Subscriber Agreement is a document entitled, "Access Security Requirements," which also includes this FCRA provision.

The Iowa Code also provides criminal penalties. Section 96.11(6)(f) provides for violations of the confidentiality requirements:

An employee of the division, an administrative law judge, or a member of the appeal board who violates this subsection is guilty, upon conviction, of a serious misdemeanor.

We found no other relevant State statutes concerning violations of confidentiality requirements. However, the FCRA penalties adopted in the Agreements are more severe than the State Statutes penalty. Therefore, we believe IWD is in compliance with this provision of the UIPL No. 23-96. * * * * * * * In answer to the question, Are adequate controls in place to ensure that privacy is adequately protected once the data are in the hands of private interests?, we concluded: a) although IWD included controls in the VIE Agreement, and VIE included controls in the Subscriber Agreements, IWD has not developed written policies and procedures for conducting periodic audits of VIE's audit process to assure that a written release is obtained authorizing each access; b) IWD has not developed written policies and procedures for conducting periodic audits to assure that the information is not misused; c) IWD's Agreement with VIE imposes more severe criminal penalties for confidentiality violations than would be applicable under State statute, thus exceeding the requirements of the UIPL.

Page 11

Recommendation:

We recommend that the Assistant Secretary for Employment and Training require that the Iowa Workforce Development comply with UIPL No. 23-96 by:

a. developing written policies and procedures for conducting periodic audits of VIE's audit process to assure that each subscriber has on file a written release authorizing each access; and
b developing written policies and procedures for conducting periodic audits to assure that the information is not being misused.

IWD Response:

IWD officials concurred with all our conclusions in chapter 3, except those relating to audit requirements. The response indicates they have drafted and implemented written audit standards.

The response goes on to cite recent audits which IWD officials believe demonstrate compliance with the UIPL No. 23-96 requirement that the State audit the gateway periodically. It details audits conducted by the IWD Investigations and Recovery Bureau, the OIG, and KPMG Peat Marwick LLP. The response indicates IWD officials also believe the monthly VIE audit process ensures security and assures that the information is not being misused.

Auditor's Conclusion:

We analyzed the audits conducted by the IWD Investigations and Recovery Bureau and KPMG Peat Marwick LLP and concluded that neither met the UIPL requirement that the State, at a minimum, audit the gateway's audit process to assure the subscriber has on file a written release authorizing each access and that the information is not being misused. See Appendix B for our analysis.

We also reviewed the document entitled "IWD Audit Procedures and Policies for VIE," which was recently drafted to address our audit recommendations. Our analysis on the adequacy of these procedures in meeting the two audit criteria stipulated in the UIPL
No. 23-96 is as follows:

Audit to Assure a Written Release Authorizing Each Access:

In the Procedures and Policies, IWD has delegated to VIE the responsibility for assuring there is a consent form signed by the consumer and the consent form advises the consumer that the subscriber may use information from SESA records. We believe these

Page12

VIE audit procedures meet the gateway's UIPL No. 23-96 requirement to assure a written release authorizing each access.

IWD intends to use an independent auditing entity (AE) to:

-review each of VIE's randomly selected audited transactions to ensure VIE has completed its procedures for auditing the transaction; and
-select a sample of VIE's audited transactions and send the consumers a copy of the consent form to confirm that the signature on the form is theirs.

We believe these AE procedures, when implemented, will meet the State's UIPL
No. 23-96 requirement to periodically audit the gateway's audit process to assure a written release authorizing each access. To completely meet this requirement, the State must carry out its oversight responsibility and take corrective action on any findings noted by the AE.

We consider Recommendation No. 1 resolved, but not closed, until the policies and procedures have been implemented.

Audit to Assure Information is Not Misused:

IWD has delegated to VIE the responsibility for assuring that information is requested only for a permissible purpose. VIE will use its monthly audit process to validate that the user has a permissible purpose (as demonstrated by a copy of the consumer's credit application) for access to IWD wage records.

IWD intends to use the AE procedures to ensure that VIE is performing its duties to assure that the information is not being misused.

However, the Procedures and Policies are silent about ensuring that the following safeguards in the Subscriber Agreement are met:

- Your VIE subscriber number and password must be protected . . . known only to key personnel.

- Any system access software . . . must have your VIE subscriber password "hidden" or embedded so that the password is known only to supervisory personnel. Each user . . . must then be assigned unique logon passwords.

- Your VIE subscriber number and password are not to be released by telephone. . . .

Page 13

- The ability to obtain credit information from VIE must be restricted to a few key personnel.
- Any terminal devices...should be placed in a secure location within your facility. Access . . . should be difficult for unauthorized persons.
- Operator's initials or user ID are to be included on each inquiry made to VIE.
- Any devices/systems . . . should be turned off and locked . . . when unattended by your key personnel.
- Hard copy VIE consumer reports are to be secured...and protected against release or disclosure to unauthorized persons.
- Hard copy VIE consumer reports are to be shredded when they are no longer needed. . . .

Therefore, there is little assurance that the wage data is not being misused or stored in a data base for resale or other unauthorized purpose after the initial credit application is processed.

We consider Recommendation No. 2 unresolved.

Page 14

Chapter 4 -- Income and Costs

Is the State's accounting for costs and revenues applicable to the VIE Agreement adequate?

For purposes of discussion, we divided the UIPL No. 23-96 Income and Costs provision into three parts:

A. UI allowable costs
B. State protection for claims
C. Use of revenue

A. UI unallowable costs:

The UIPL No. 23-96 stipulates the following regarding unallowable costs:

Under both the SSA [Social Security Act] and the OMB Circular No. A-87, costs of disclosing information for non-UI purposes are not allowable because such cost items are not necessary or reasonable for proper and efficient performance and administration of the Federal award allocated to carry out the State's UI program.

Section 303(a)(8) of the Social Security Act requires, as a condition for a state to receive administrative grants, that the State law provide for:

. . . the expenditure of all moneys received...solely for the purposes and in the amounts found necessary by the Secretary of Labor for the proper and efficient administration of such State law. . . .

Departmental regulations at 29 CFR 97.22 (Allowable Costs), state in part:

(b) Applicable cost principles. For each kind of organization, there is a set of Federal principles for determining allowable costs. Allowable costs will be determined in accordance with cost principles applicable to the organization incurring the costs. The following chart lists the kinds of organizations and the applicable cost principles.
For the costs of a--State, local or Indian tribal government, Use the principles in--OMB Circular A-87. . . .

OMB Circular No. A-87, Cost Principles for State, Local and Indian Tribal Governments, Part C. Basic Guidelines states:

1. Factors affecting allowability of costs. To be allowable under Federal awards, costs must meet the following general criteria:
a. Be necessary and reasonable for proper and efficient performance and administration of Federal awards.

According to the IWD records, the VIE project had a cash balance of $18,410 as of February 28, 1997. However, the VIE project fund ledgers showed a negative cash balance each month from inception until an adjustment for staff salaries was made in June 1996. During the period July 1996 through February 1997, the VIE project had a negative cash flow in 5 of the 8 months.

We recalculated the staff salaries and related costs for each month of the VIE project through February 1997. We found that by allocating the adjustment monthly, there was only a negative cash balance in the months when startup costs were incurred, prior to the VIE reimbursement.

IWD officials have informed us that future staff salaries will be allocated in the month in which they occur.

B. State protection for claims:

The UIPL No. 23-96 stipulates the following state protection for claims that may arise:

The Department recommends that any Agreement with a private entity should provide protection to the State for claims that may arise from any unauthorized use of UI records obtained under the Agreement.

OMB Circular No. A-87, Attachment B - Selected Items of Cost, states in part:

20. Fines and penalties. Fines, penalties, damages, and other settlements resulting from violations (or alleged violations) of, or failure of the governmental unit to comply with, Federal, State, local, or Indian tribal laws and regulations are unallowable except when incurred as a result of compliance with specific provisions of the Federal award or written instructions by the awarding agency authorizing in advance such payments.

In the Agreement with IWD ("the Department"), "VIE agrees to hold the Department harmless from any and all claims . . . made by anyone resulting from the release of wage records by the Department to VIE. . . . VIE will maintain a bond in the amount of $25,000 in favor of the Department at all times to secure this hold harmless obligation."

Page 16

The Addendum to the Agreement increased the surety bond from $25,000 to $500,000 and required VIE to purchase, in favor of the Department, $10 million worth of general liability and professional liability insurance.

We reviewed VIE's surety bond, bond rider and certificate of insurance, and found them in compliance with OMB Circular A-87, the UIPL, the Agreement and the Addendum.

C. Use of revenue:

Departmental regulations at 29 CFR 97.25, Program Income, state in part:

(g) Use of program income.
(2) Addition. When authorized, program income may be added to the funds committed to the grant Agreement by the Federal agency and the grantee. The program income shall be used for the purposes and under the conditions of the grant Agreement.

The UIPL No. 23-96 authorizes the states to add the revenue generated by the disclosure of UI wage records to the UI program funds:

It is the Department's position that income generated by a State UI agency from the sale of its wage records must be used only as necessary for the proper and efficient administration of the UI program pursuant to administrative requirements for grants to the States. (See 29 C.F.R. 97.25 (g)(2) and ET Handbook No. 336, the "Program and Budget Plan.") Therefore, States may not use any money generated by the disclosure authorized under this UIPL for any non-UI purposes. For example, income from sales may not benefit a State's general fund or another program.

We found that VIE project revenue exceeded costs by $18,410 at February 28, 1997. However, no steps have been taken to apply the excess revenues to UI operations. IWD officials have provided the OIG with written assurance that any and all excess revenue from the VIE project will be used solely to fund unemployment compensation programs in the State of Iowa.
* * * * * * * In answer to the question, Is the State's accounting for costs and revenues applicable to the VIE Agreement adequate?, we concluded that IWD has adequate controls for reporting costs and revenues and IWD assured us that all excess revenue from the VIE project will be used solely to fund unemployment compensation programs. * * * * * * * * * * * * * * * * * * * *

Page 17

Did VIE pay for all additional equipment and system design changes necessary to provide the services?

The Agreement between IWD ("the Department") and VIE provides:

VIE shall reimburse the Department for pre-approved costs incurred by the Department for system modifications necessary to the initial establishment of the services herein described; such costs may include, but are not limited to, application program and system conversion, file or database conversion, hardware acquisition, software acquisition, and security system enhancements.

As part of our review of the VIE project fund ledgers, we reviewed the separate fund ledger IWD established to track startup costs. We reviewed the costs of system design changes and additional equipment, totaling $39,586. We found them to be complete. IWD was reimbursed $40,760 in December 1995, which covered all these costs. In addition, in accordance with the Addendum, an additional $25,000 was received in February 1997 "to cover data processing and related additional start-up costs."
* * * * * * * In answer to the question, Did VIE pay for all additional equipment and system design changes necessary to provide the services?, we concluded that the VIE reimbursement covered IWD's costs of system design changes and additional equipment.

Recommendation:

We recommend that the Assistant Secretary for Employment and Training direct the Unemployment Insurance Service to monitor VIE project revenues received by IWD to ensure that excess revenues are used only for UI purposes, in accordance with UIPL No. 23-96.

IWD Response:

IWD officials concurred with our conclusions on Income and Costs.

Auditor's Conclusion:

Our finding and recommendation remains unresolved until ETA monitors the VIE project revenues for compliance with UIPL No. 23-96.

Page 18

Appendix A

Excerpts from Iowa Code

The following provisions of the Iowa Code may pertain to the release of unemployment insurance wage records:

Section 22.11 - Fair Information Practices:

Each state agency as defined in chapter 17A shall adopt rules which provide for the following:

...d. The procedures for allowing a person to review a government record about that person and have additions, dissents, or objections entered in that record unless the review is prohibited by statute.
e. The procedures by which the subject of a confidential record may have a copy of that record released to a named third party.

Section 17A.2 - Definitions:

As used in this chapter:

1. "Agency" means each board, commission, department, officer or other administrative office or unit of the state. . . .

Section 96.11 - Iowa Employment Security Law, Duties, powers, rules--privilege:

6. Records, reports and confidentiality. . . .

b. (1) . . . The department shall not disclose or open this information for public inspection in a manner that reveals the identity of the employing unit or the individual, except as provided in subparagraph (3) or paragraph "c."
(3) . . . Information in the department's possession that may affect a claim for benefits or a change in an employer's rating account shall be made available to the interested parties. The information may be used by the interested parties in a proceeding under this chapter to the extent necessary for the proper presentation or defense of a claim.
c. Subject to conditions as the department by rule prescribes, information obtained from an employing unit or individual in the course of administering this

Page 19

chapter and an initial determination made by a representative of the department under section 96.6, subsection 2, as to benefit rights of an individual may be made available for purposes consistent with the purposes of this chapter to any of the following:
(1) An agency of this or any other state or a federal agency responsible for the administration of an unemployment compensation law or the maintenance of a system of public employment offices. . . .

Uniform Rules Chapter X - Fair Information Practices:

Agency No. -- X.7(17A,22) Consent to disclosure by the subject of a confidential record. To the extent permitted by any applicable provision of law, a person who is the subject of a confidential record may have a copy of the portion of that record concerning the subject disclosed to a third party. A request for such a disclosure must be in writing and must identify the particular record or records that may be disclosed, and the particular person or class of persons to whom the record may be disclosed (and, where applicable, the time period during which the record may be disclosed). . . .

871 (Workforce Development) Chapter 42 - Public Records and Fair Information Practices:

The department of workforce development hereby adopts the rules of the Governor's Task Force on Uniform Rules of Agency Procedure relating to public records and fair information practices which are printed in the first Volume of the Iowa Administrative Code with the following exceptions and amendments:

...871 -- 42.7(22,84A) Consent to disclosure by the subject of a confidential record. Remove the parentheses around "(and, where applicable, the time period during which the record may be disclosed)". . . .

871 -- 42.11(22.84A) Release to a subject. 42.11(1) The subject of a confidential record may file a written request to review a confidential record about that person as provided in rule 42.6(22,84A). However, the agency shall not release the following records to the subject:

. . . d. As otherwise authorized by law.

Page 20

345 (Job Service) Chapter 8 - Public Records and Fair Information Practices:

The division of job service of the department of employment services hereby adopts the rules of the Governor's Task Force on Uniform Rules of Agency Procedure relating to public records and fair information practices which are printed in Volume I of the Iowa Administrative Code with the following exceptions and amendments:

. . . 345 -- 8.7(22,96) Consent to disclosure by the subject of a confidential record. Remove the brackets around "(and, where applicable, the time period during which the record may be disclosed)". Also, in lieu of the words "(Additional requirements may be necessary for special classes or records)", insert "If the agency is required to obtain from a third party a confidential record about the subject to establish eligibility under a program administered by the agency, the agency has the authority under Iowa Code subsection 96.11(8) to obtain a confidential record deemed necessary for the administration of Iowa Code chapter 96.

Page 21

Appendix B

Analysis of Audits Performed

The IWD response cites recent audits which IWD officials believe demonstrate compliance with the UIPL No. 23-96 requirement that the State audit the gateway periodically. It details audits conducted by the IWD Investigations and Recovery Bureau, the OIG, and KPMG Peat Marwick LLP. The response indicates IWD officials also believe the monthly VIE audit process ensures security and assures that the information is not being misused. The following is our analysis of these audits.

Audit to Assure a Written Release Authorizing Each Access:

The IWD Investigations and Recovery Bureau conducted one internal audit of VIE in January 1997. The auditors reviewed procedures at VIE, but failed to address the UIPL No. 23-96 requirements that the subscriber has on file a written release authorizing each access, and that it contain the required language. The auditors reported that this was too difficult to perform in a limited time.

Instead, the auditors randomly selected 50 transactions from the IWD log of VIE inquiries. They sent a questionnaire to the 50 consumers associated with transactions. The questionnaire asked the consumer if he/she (a) applied for credit in the past 90 days and (b) signed a release so the IWD wage records could be accessed. The IWD Investigations and Recovery Bureau reported the following results from the sample:

Description	Number of Responses	Percentage
Consumer did not respond	33	66%
Consumer responded that he/she applied for credit:
but could not remember signing consent form	11	22%
but did not sign consent form (referred to VIE)	2	4%
and signed consent form	4	8%
Total sample	50	100%

Page 22

Rather than following up on all 46 inadequate responses, the IWD merely referred two that did not sign the consent form to VIE, which were later resolved. Due to a lack of followup, definitive results are only known for 6 in the sample of 50.

Nevertheless, this limited sample of the consumers did not accomplish the objectives required in the UIPL No. 23-96 (the subscriber has on file a written release authorizing each access and that it contain the required language).

VIE engaged KPMG Peat Marwick LLP to review VIE's processes and records to validate compliance with VIE's Agreements to the SESAs, including the State of Iowa. The Agreed-Upon Procedures Audit selected a sample of 50 of VIE's audited transactions and agreed the social security number on the VIE log to the consent form obtained from the subscriber. The report does not address whether the consent forms contained the required language. VIE, on behalf of the auditors, also sent copies of the consent forms to the 50 consumers for verification, requesting only negative confirmations and that they be sent to KPMG Peat Marwick LLP. The report states that no exceptions were noted, but does not disclose the response rate.

Neither of the audits described above met the UIPL No. 23-96 requirement that the State at a minimum audit the gateway's audit process to ensure the subscriber has on file a written release authorizing each access and that it contain the required language.

The OIG subscriber audit was not performed under the auspices of IWD. We selected a random sample of 141 IWD transactions during the period April 20 through May 19, 1997, to determine if there was a written release authorizing each access and if it contained the required language. Our testing disclosed five errors.

Audit to Assure Information Is Not Misused:

As part of the IWD Investigations and Recovery Bureau internal audit of VIE in
January 1997, the auditors:

Visited two subscribers selected by VIE to determine compliance with the informed consent requirements and review safeguards. At the time of the review, there were approximately 100 subscribers. We do not consider this one-time, limited review of two subscribers adequate assurance that the information is not misused.

Reviewed security procedures at VIE, but failed to follow security of VIE transactions through the IWD system. As a result, the IWD review did not discover that there were no controls to establish that test transactions do not access wage history files, as noted during our OIG review. While we

Page 23

found no cases of unauthorized access in our limited review, the opportunity for abuse still exists.

Reviewed IWD files on disputed responses referred by VIE. The IWD response states that all problems, which have been detected, have been promptly addressed, and infers that this is adequate to assure information is not misused. We disagree.

Expressed concern that IWD and its officials need to be informed and agree with the type of business being supplied with confidential information. Yet, they performed no audit procedures to satisfy this concern.

Disclosed that VIE's monthly audit discovered a subscriber was using the system as a skip trace. The IWD report describes the VIE followup which resulted in only a verbal warning to the subscriber. The IWD auditors failed to question that this subscriber's Agreement should have been terminated in accordance with the terms of the VIE Subscriber Agreement and the UIPL No 23-96. As a result, our OIG audit sample found that the same subscriber again attempted to use the system to locate an individual. The Subscriber Agreement has now been terminated.

This IWD audit does not meet the UIPL No. 23-96 requirement that the State at a minimum audit the gateway's audit process to ensure the information is not misused.

The response concludes that VIE's monthly audit ensures detection of any lending institution which would use wage record access as a locator tool. Although the audit ensures detection of any subscriber in VIE's audit sample which would use the wage record access as a locator tool, it does not prevent any subscriber from using the system as a locator tool, as noted in the preceding paragraph. In addition, the subscriber in this example was not terminated until the practice was reported by the OIG.

Page 24

Appendix C

Iowa Workforce Development Response to Draft Report

Page 25

Iowa Workforce Development Response Page 2

Iowa Workforce Development Response Page 3

[ Return to Audit Reports ] [ Return to Audit Reports (Text Only) ]

[ Return to OA Home Page ] [ Return to OA Home Page (Text Only) ]