U.S. DEPARTMENT OF LABOR
Employment and Training Administration
Washington, D. C. 20210
August 4, 1987
July 31, 1988
UNEMPLOYMENT INSURANCE PROGRAM LETTER NO. 34-87
ALL STATE EMPLOYMENT SECURITY AGENCIES
DONALD J. KULICK
Unemployment Insurance (UI) Internal Security Risk Analysis (Vulnerability Assessment)
Purpose. To rescind UIPL No. 11-83 and transmit revised policy and guidance on internal controls in the UI program.
Reference. ET Handbook No. 376; GAL No. 43-81; UIPL No. 11-83.
Background. Since Fiscal Year (FY) 1982, ETA has allocated resources for the Internal Security program in each State Employment Security Agency (SESA). SESAs need to continue to strengthen the UI internal security program by establishing sound internal security systems and internal controls and should, through UI risk analyses, continue to review the susceptibility of the UI program to loss by fraud, waste, abuse or unauthorized use of UI resources.
Policy. All SESAs shall assure a risk analysis is conducted covering all UI program-operations when major system changes occur, but not less than once every three years. Such risk analyses should be used to determine the effectiveness of SESA UI program internal controls. The analysis may be completed as a separate review or as a part of an overall audit of agency operations, as established in OMB Circular No. A-128.
UI risk analyses should be conducted when changes occur such as: significant changes to UI law, program, or personnel; implementation of new programs; changes in computer and physical security; recent errors or irregularities are detected. The risk analysis should take into account procedural and/or systems changes during the interval since the last risk analysis.
Within each 3-year period, the risk analysis should encompass the assessment of the vulnerabilities in the following SESA/UI functions as appropriate:
UI Technical Services
Appeals (Lower Authority)
Returned Benefit Checks
Delinquent Tax Accounts
Field Operations (Local Offices)
Benefit Payment Control
Research and Statistics
Microcomputer Control and Authorization
Data Processing Installation
Forms Design and Printing
Contracting and Procurement
Staff Functions Reporting to the SESA Director
Appeals Board (Higher Authority)
Internal Security/Investigations (SESA)
Program Budget Plan
Responsibility. Each SESA shall assure a risk analysis of its UI program is conducted this FY, if one has not been done in the last three years. Thereafter, a risk analysis of the SESA UI program shall be done at least once every three years. The risk analysis must be conducted within existing resources.
Action Required. All SESA Administrators shall:
Develop an action plan, including scope of the review, schedule, methodology and resources to be used in conducting and completing a risk analysis of the SESA's UI operations.
Submit a copy of their planned risk analysis schedule for each upcoming FY to the appropriate Regional Office by September 1st for that year.
Inquiries. Refer all questions to the appropriate Regional Office.