U.S. DEPARTMENT OF LABOR
Employment and Training Administration
Washington, D. C. 20210

CLASSIFICATION: UI
CORRESPONDENCE SYMBOL: TEUMC
ISSUE DATE: August 4, 1987
RESCISSIONS: UIPL 11-83
EXPIRATION DATE: July 31, 1988

DIRECTIVE: UNEMPLOYMENT INSURANCE PROGRAM LETTER NO. 34-87

TO: ALL STATE EMPLOYMENT SECURITY AGENCIES

FROM: DONALD J. KULICK
Administrator
for Regional Management

SUBJECT: Unemployment Insurance (UI) Internal Security Risk Analysis (Vulnerability Assessment)

  1. Purpose. To rescind UIPL No. 11-83 and transmit revised policy and guidance on internal controls in the UI program.

  2. Reference. ET Handbook No. 376; GAL No. 43-81; UIPL No. 11-83.

  3. Background. Since Fiscal Year (FY) 1982, ETA has allocated resources for the Internal Security program in each State Employment Security Agency (SESA). SESAs need to continue to strengthen the UI internal security program by establishing sound internal security systems and internal controls and should, through UI risk analyses, continue to review the susceptibility of the UI program to loss by fraud, waste, abuse or unauthorized use of UI resources.

  4. Policy. All SESAs shall assure a risk analysis is conducted covering all UI program operations when major system changes occur, but not less than once every three years. Such risk analyses should be used to determine the effectiveness of SESA UI program internal controls. The analysis may be completed as a separate review or as a part of an overall audit of agency operations, as established in OMB Circular No. A-128.

    UI risk analyses should be conducted when changes occur such as: significant changes to UI law, program, or personnel; implementation of new programs; changes in computer and physical security; or detection of recent errors or irregularities. The risk analysis should take into account procedural and/or systems changes during the interval since the last risk analysis.

    Within each 3-year period, the risk analysis should encompass the assessment of the vulnerabilities in the following SESA/UI functions as appropriate:

    1. UI Division

      1. UI Benefits

        1. Benefit Determinations

        2. Benefit Payments

        3. UI Technical Services

        4. Interstate Claims

        5. Special Programs

        6. Benefit Records

        7. Appeals (Lower Authority)

        8. Returned Benefit Checks

        9. Claimant Addresses

        10. Benefit Accounting

      2. UI Tax/Contributions

        1. Employer Status

        2. Employer Records

        3. Tax Collections

        4. Cashier

        5. Experience Rating

        6. Tax Audit

        7. Delinquent Tax Accounts

        8. Tax Refunds

        9. Tax Accounting

      3. Field Operations (Local Offices)

      4. Staff Functions

        1. Procedure Development

        2. Benefit Payment Control

        3. Research and Statistics

        4. Quality Control

      5. Microcomputer Control and Authorization

    2. Data Processing Installation

      1. Application Programming

      2. Technical Support

      3. Computer Operations

      4. Production Control

    3. Administrative/Management Services

      1. Personnel Department

      2. Supply Room/Warehouse

      3. Mail Room

      4. Forms Design and Printing

      5. Contracting and Procurement

      6. Facilities Management

    4. Staff Functions Reporting to the SESA Director

      1. Legal Staff

      2. Appeals Board (Higher Authority)

      3. Internal Security/Investigations (SESA)

    5. Financial Management

      1. Program Budget Plan

      2. Fund Accounting

  5. Responsibility. Each SESA shall assure a risk analysis of its UI program is conducted this FY, if one has not been done in the last three years. Thereafter, a risk analysis of the SESA UI program shall be done at least once every three years. The risk analysis must be conducted within existing resources.

  6. Action Required. All SESA Administrators shall:

    1. Develop an action plan, including scope of the review, schedule, methodology and resources to be used in conducting and completing a risk analysis of the SESA's UI operations.

    2. Submit a copy of their planned risk analysis schedule for each upcoming FY to the appropriate Regional Office by September 1st for that year.

  7. Inquiries. Refer all questions to the appropriate Regional Office.