Article: Using Audit Software and the Death Master File to Catch Crooks
September 2002 Newsletter
Printer Friendly Version
Author: Ray Wessmiller, CISA, CGFM 
Ray Wessmiller is a Past President of the ISACA® National Capital Area Chapter. Comments on this article may be emailed to Ray at wessmillerr@ gao.gov.
Interested in tracking down crooks who use a phony social security number to qualify for benefit programs? If so, consider cross matching the beneficiary’s SSN to the Social Security Administration (SSA) death master file (DMF) to determine if the beneficiary is using the SSN of a dead person. With the growing popularity of easy to use audit and investigative software tools such as IDEA , it is easy to do.
If you don’t believe crooks use phony SSNs, then consider the newspaper story  reporting how an SSA Office of Inspector General (OIG) audit disclosed that Social Security paid $31 million to dead people who were listed as deceased in the agency’s own electronic files. One woman was still receiving benefit checks seven years from her reported death date, and auditors reported that more than $100,000 in benefits had been paid after her death. Authorities stopped the payments and are trying to determine who cashed her checks. According to the newspaper article, the audit has led to nearly 1,400 investigations resulting so far in the identification of $11.5 million in improper payments. Of that amount, $6.1 million either has been recovered or is scheduled for recovery.
The SSA death file was created in 1980 as the result of a “Freedom of Information Act” lawsuit filed in 1978 by Ronald Perholtz in Federal District Court. Data elements in the DMF include (1) Social Security Number, (2) date of birth, (3) date of death, (4) first and last name, (4) zip code of last known residence, and (5) zip code of lump sum payment. Each record also indicates if it is an addition, deletion or correction. The DMF is updated weekly and monthly. As of July 2002, the file contained over 71 million records. Approximately 2.5 million of these records are from the States and are restricted from re-disclosure to other than a few Federal benefit-paying agencies.
Each year SSA adds more than 2 million records to the file. The records include both beneficiary and non-beneficiary records and verified and non-verified data. Sources of death data are: family members; funeral homes; States, Federal agencies (Centers for Medicare & Medicaid Services, Department of Veteran’s Affairs, etc.), postal authorities, institutions and internal sources from SSA’s payment records. Ninety percent of the file includes reports from family members and funeral homes.
The death master file is not available
online from SSA, but a Death Master
File Extract of information is available
for sale on either CD-ROM, 3480/
3490 cartridge, magnetic tape, or
electronic download through SSA’s
distributor, the United States
Department of Commerce’s
National Technical Information
Service (NTIS). The NTIS address
is 5285 Port Royal Road, Springfield,
Virginia 22161, telephone
(703)605-6060 or 1(800)363-2068.
More information is available at
their Web site at
Customers of the DMF can receive an update file weekly or monthly depending on the schedule they select. The file is transmitted by cartridge or electronic media. SSA has a disclaimer included on the agreement for the DMF that states that SSA has not verified all of the death data included in the DMF and the receiving agency should independently verify this information. SSA also furnishes the DMF directly to other Federal agencies. Some agencies, with whom SSA has a quid pro quo arrangement, are not charged, while other agencies are charged.
Other parties have purchased SSA’s Death Master File Extract through NTIS and then posted it on their own different web sites. Although these private parties refer to their own web sites as SSA’s death index or SSA’s Death Master File, these are not endorsed by SSA, nor can SSA confirm that these private web sites are kept up-to- date or accurate with SSA’s death data in any way. If you want more information, visit www.ssa.gov/pubs/deathfile.htm.
SSA sells the file to NTIS, who in turn sells it to private organizations such as banks and credit companies. SSA charges enough to cover its costs, while NTIS, which is a self-supporting agency, charges enough to make a profit.
With tools like IDEA, you can also perform more sophisticated tests on SSNs, such as a test to determine if the beneficiary’s SSN is valid. Since 1973, social security numbers have been issued by SSA’s central office. An SSN consists of nine digits, commonly written as three fields separated by hyphens: AAA-GG-SSSS. SSN numbers are not random. On the contrary, there is a complex coding scheme behind the creation of each number. The digits in the Social Security number allow for the orderly assignment of numbers. The number is divided into three parts: the area, group and serial numbers. The first three (3) digits, or “area”, of a person’s social security number are determined by the ZIP Code of the mailing address shown on the application for a social security number. See www.ssa.gov/foia/stateweb.html for more information. Within each area, the group number, or middle two (2) digits, range from 01 to 99 but they are not assigned in consecutive order. For administrative reasons, group numbers issued first consist of the ODD numbers from 01 through 09 and then EVEN numbers from 10 through 98, within each area number allocated to a State. After all numbers in group 98 of a particular area have been issued, the EVEN Groups 02 through 08 are used, followed by ODD Groups 11 through 99.
Within each group, the serial numbers, or last four (4) digits, run consecutively from 0001 through 9999. Further information about Social Security Numbers that are currently assigned is available on SSA’s website at www.ssa.gov/foia/highgroup.htm. A pamphlet entitled “The Social Security Number” (Pub. No. 05-10633) also provides an explanation of the SSN’s structure and the method of assigning and validating Social Security numbers.
Understanding the coding scheme can lead to the design of a test for invalid SSNs. For example, any SSN conforming to one of the following criteria is an invalid number:
Any field all zeroes (no field of zeroes is ever assigned).
First three digits above 740
Patterns such as:
In response to the discovery of dead people receiving benefit checks, SSA has pledged to step up its campaign to catch crooks. For example, a recent newspaper article  describes an effort by SSA to identify employees whose names do not match their SSNs. According to the article, SSA will be sending a “no-match” letter to 750,000 of the nation’s 6.5 million employers. The letter will notify the employer that at least one of their employees has information on their W-2 that does not match information in SSA records. The audit community needs to follow the example set by SSA. As tools like IDEA become more powerful and more user-friendly, it is now within the capacity of all auditors to do so.
 Ray Wessmiller is a Past President of the ISACA®
National Capital Area Chapter. Comments on this article may be emailed to
 IDEA is a powerful, easy to use audit tool that allows users to display, analyze, manipulate, sample or extract data from files generated by a wide variety of computer systems. For more information about IDEA features, visit http://www.audimation.com/
 USA Today, August 31, 2001
 The Washington Post, April 29, 2002.
© Copyright 2007 - National Capital Area Chapter