ML19154A517

OIG-19-A-12: Audit of NRC's Fiscal Year (FY) 2018 Compliance with Improper Payment Laws, Dated June 3, 2019
Issue date: 06/03/2019
From: Lee D, NRC/OIG
To: Kristine Svinicki, NRC/Chairman
References: OIG-19-A-12

Audit of NRC's Fiscal Year (FY) 2018 Compliance with Improper Payment Laws
OIG-19-A-12
June 3, 2019

All publicly available OIG reports (including this report) are accessible through NRC's Web site at http://www.nrc.gov/reading-rm/doc-collections/insp-gen

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
OFFICE OF THE INSPECTOR GENERAL

June 3, 2019

MEMORANDUM TO: Kristine L. Svinicki, Chairman
FROM: David C. Lee /RA/, Acting Inspector General
SUBJECT: AUDIT OF NRC'S FISCAL YEAR (FY) 2018 COMPLIANCE WITH IMPROPER PAYMENT LAWS (OIG-19-A-12)

Attached is the Office of the Inspector General's (OIG) audit report titled Audit of NRC's Fiscal Year (FY) 2018 Compliance with Improper Payment Laws.

The report presents the results of the subject audit. Following the May 29, 2019, exit conference, agency staff indicated they had formal comments for inclusion in this report. These comments and OIG's analysis of the comments are included as report appendices.

Please provide information on actions taken or planned on each of the recommendation(s) within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact Dr. Brett M. Baker, Assistant Inspector General for Audits, at 301-415-5915 or me at 301-415-5930.

Attachment: As stated

Office of the Inspector General
U.S. Nuclear Regulatory Commission
Defense Nuclear Facilities Safety Board

Results in Brief

OIG-19-A-12
June 3, 2019

Audit of NRC's Fiscal Year (FY) 2018 Compliance with Improper Payment Laws

Why We Did This Review

The Improper Payments Information Act of 2002 (IPIA) requires all agencies to annually review programs and activities susceptible to significant improper payments and report agency estimates to Congress. The Improper Payments Elimination and Recovery Act of 2010 (IPERA) amended IPIA to require OIG to annually determine and report whether the agency is in compliance with improper payment laws. The Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA) further enhanced the requirements of IPIA to assist Federal Government improper payment reduction efforts. During fiscal year (FY) 2018, the Nuclear Regulatory Commission (NRC) self-reported approximately $960,000 in improper payments.

The audit objectives were to assess NRC's compliance with the IPIA, as amended by the IPERA, and IPERIA, and report any material weaknesses in internal control.

What We Found

OIG found that NRC is generally compliant with IPIA, IPERA, and IPERIA. OIG did not identify any material weaknesses in internal control during this audit. However, opportunities for improvement exist to strengthen support for Appendix C compliance, and strengthen and coordinate internal control efforts.

What We Recommend

The report has three recommendations: (1) Take steps to ensure the Appendix C risk assessment provides supportable information for IPIA compliance, (2) review the various payment integrity-related internal control efforts and revise procedures to enhance consistency among the different internal control compliance requirements, and (3) update policies/procedures pertaining to the agency's improper payment notification, tracking, and monitoring.

Agency management agreed with most of the recommendations, with the exception of recommendation 2 and as a result, provided comments. Agency comments are included in Appendix B of this report.

TABLE OF CONTENTS

ABBREVIATIONS AND ACRONYMS
I. BACKGROUND
II. OBJECTIVE
III. FINDINGS
    A. Strengthen Support for Appendix C Compliance
    B. Strengthen and Coordinate Internal Control Efforts
IV. CONSOLIDATED LIST OF RECOMMENDATIONS
V. AGENCY COMMENTS

APPENDIXES
A. OBJECTIVE, SCOPE, AND METHODOLOGY
B. AGENCY FORMAL COMMENTS
C. OIG ANALYSIS OF AGENCY FORMAL COMMENTS

TO REPORT FRAUD, WASTE, OR ABUSE
COMMENTS AND SUGGESTIONS

ABBREVIATIONS AND ACRONYMS

AFR     Agency Financial Report
AICPA   American Institute of Certified Public Accountants
COR     Contracting Officer's Representative
ERM     Enterprise Risk Management
EY      Ernst & Young
FAR     Federal Acquisition Regulation
FY      Fiscal Year
GAO     Government Accountability Office
IG      Inspector General
IIA     Institute of Internal Auditors
IPERA   Improper Payments Elimination and Recovery Act
IPERIA  Improper Payments Elimination and Recovery Improvement Act
IPIA    Improper Payments Information Act
ISPPIA  International Standards for the Professional Practice of Internal Auditing
LLP     Limited Liability Partnership
MD      Management Directive
NRC     Nuclear Regulatory Commission
OCFO    Office of the Chief Financial Officer
OIG     Office of the Inspector General
OMB     Office of Management and Budget
PSAT    Programmatic Senior Assessment Team
QPR     Quarterly Performance Review
SAT     Senior Assessment Team
SSCS    Statement on Standards for Consulting Services
SAM     System for Award Management

I. BACKGROUND

Improper Payment Laws

Enacted in 2002, the Improper Payments Information Act (IPIA) requires each agency to annually estimate its improper payments.[1] The Improper Payments Elimination and Recovery Act (IPERA) amended IPIA[2] in 2010.

IPERA requires Federal agencies to periodically review all programs and activities the agency administers, and identify all programs and activities that may be susceptible to significant improper payments. In addition, IPERA requires each agency to conduct recovery audits[3] with respect to each program and activity of the agency that expends $1,000,000 or more annually, if conducting such audits would be cost effective.

The Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA) was signed into law on January 10, 2013. It amended IPIA by establishing the Do Not Pay Initiative, which directs agencies to verify the eligibility of payments using databases before making payments.

Federal Improper Payment Guidance for Executive Agencies

On June 26, 2018, the Office of Management and Budget (OMB) issued Memorandum M-18-20, Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement. Appendix C[4] implements IPIA requirements. Table 1 of this report lists the IPIA requirements established in OMB's memorandum. OMB guidance also specifies that each agency's Inspector General (IG) should review improper payment reporting in the agency's annual Agency Financial Report (AFR), and accompanying materials, to determine compliance with IPIA.

[1] IPERA defines an improper payment as (A) any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements, and (B) includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except for such payments where authorized by law), and any payment that does not account for credit for applicable discounts. IPERA provides a detailed explanation of what is considered a significant improper payment.

[2] Unless otherwise indicated, from this point forward in this report, the term "IPIA" will imply IPIA, as amended by IPERA and IPERIA.

[3] Recovery audits are also referred to as payment recapture audits.

[4] For simplicity, the term "Appendix C" will be used in this report to refer to OMB M-18-20, Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement.

Scale of the Nuclear Regulatory Commission's Improper Payments

The Nuclear Regulatory Commission's (NRC) improper payments are minimal compared to the improper payments of the entire Federal Government. In fiscal year (FY) 2016,[5] the Federal Government reported $144 billion of improper payments. During FY 2018, NRC self-reported approximately $960,000 in improper payments.

[5] The most recent publicly available data for government-wide improper payments was from FY 2016.

II. OBJECTIVE

The audit objectives were to assess NRC's compliance with the IPIA, as amended by the IPERA and IPERIA, and report any material weaknesses in internal control. The report appendix contains information on the audit scope and methodology.

III. FINDINGS

NRC is generally compliant with IPIA, IPERA, and IPERIA. OIG did not identify any material weaknesses in internal control during this audit. However, opportunities for improvement exist to strengthen support for Appendix C compliance, and strengthen and coordinate internal control efforts.

Compliance with Improper Payment Laws

OIG determined the agency was in compliance with the requirements of IPIA for FY 2018, as demonstrated in Table 1.

Table 1: NRC's FY 2018 Compliance with IPIA

| Program Name [6] | Published an AFR | Conducted a Risk Assessment | Published an Improper Payment Estimate | Published Corrective Action Plans | Published and is Meeting Reduction Targets | Reported an Improper Payment Rate of < 10% |
|---|---|---|---|---|---|---|
| Commercial Payments | Compliant | Compliant | N/A | N/A | N/A | N/A |
| Grants | Compliant | Compliant | N/A | N/A | N/A | N/A |
| Employee Payments | Compliant | Compliant | N/A | N/A | N/A | N/A |
| Payroll | Compliant | Compliant | N/A | N/A | N/A | N/A |

Source: OIG-generated from Appendix C requirements

Per Appendix C, NRC is required to publish improper payment information in the most recent agency AFR and any accompanying materials required by OMB on the agency web site. NRC complied with these requirements, as applicable, by including sufficient improper payment information in its FY 2018 AFR. Four IPIA reporting requirements were not applicable[7] due to NRC's determination of low risk of susceptibility to significant improper payments. (Refer to Table 1.)

Appendix C requires agencies to triennially review all programs and activities that meet the statutory significance threshold to determine if any are susceptible to significant improper payments. In FY 2017, NRC hired a contractor[8] to conduct reviews in compliance with this requirement. NRC's contractor considered a universe of approximately 80,000 transactions, comprised of approximately $716 million distributed across four programs: commercial payments, grants, employee payments, and payroll. NRC's contractor performed limited testing and qualitative analysis over each program. Based on the qualitative risk assessment and testing, NRC did not identify any programs susceptible to significant improper payments.

[6] According to Appendix C, the term "program" includes activities or sets of activities recognized as programs by the public, OMB, or Congress, as well as those that entail program management or policy direction. This definition includes, but is not limited to, all grants including competitive grant programs and block/formula grant programs, non-competitive grants such as single-source awards, regulatory activities, research and development activities, direct Federal programs, all types of procurements (including capital assets and service acquisition), and credit programs. It also includes the activities engaged in by the agency in support of its programs.

[7] OMB clarified that agencies deemed to have low risk of susceptibility to significant improper payments are not required to perform any Appendix C compliance steps after conducting a risk assessment.

[8] NRC hired Ernst & Young (EY) Limited Liability Partnership (LLP), who subcontracted McConnell and Jones LLP, to perform the Appendix C requirement of conducting a risk assessment to determine program or activity susceptibility to significant improper payments.

A. Strengthen Support for Appendix C Compliance

Federal standards require agencies to monitor the quality of contractor work, while professional American Institute of Certified Public Accountants (AICPA) and Institute of Internal Auditors (IIA) standards require contractors to obtain and document sufficient information to support engagement results and conclusions. NRC's contractor did not effectively support the conclusions in the risk assessment report delivered to agency officials. This occurred because the contract requirements can be strengthened to include specification of Appendix C work expected in the contract and requiring contractor work be in accordance with AICPA and IIA professional standards. Also, a process to facilitate the quality assurance review of the contractor should be strengthened. Without improvement, NRC could potentially underreport the risk associated with susceptibility of significant improper payments.

What Is Required

Appendix C requirements affirm that risk assessments be performed triennially for agencies deemed not susceptible to significant improper payments. The Government Accountability Office (GAO) clarifies that internal control compliance is ultimately the responsibility of agency management. Federal regulations mandate that quality assurance of contractors must be observed by Government personnel overseeing the contract. Professional AICPA and IIA standards necessitate responsible personnel to obtain and document sufficient information to support internal control contract engagement results and conclusions.

Federal Improper Payment Guidance

Appendix C[9] established the threshold to determine significant improper payments as (1) both 1.5 percent of program outlays and $10,000,000 of all program or activity payments made during the fiscal year reported, or (2) $100,000,000 (regardless of the improper payment percentage of total program outlays). Once the threshold for significant improper payments is met, agencies are required to determine the susceptibility to significant improper payments by performing a risk assessment.

OMB requires agencies to use a systematic risk assessment to review all programs once every three years with the end goal of determining whether the program is or is not susceptible to significant improper payments. According to OMB, agencies should take into account those risk factors that are likely to contribute to a susceptibility of significant improper payments, and suggests seven[10] risk factors for agencies to consider. OMB acknowledges that a quantitative or qualitative analysis (or a combination of the two) can satisfy both the systematic program review and inclusion of the OMB-suggested risk factors.

Federal Standards for Internal Control Responsibility

The GAO Standards for Internal Control in the Federal Government (Green Book)[11] states that agency management is responsible for an effective internal control system and allows management to engage external parties to perform certain operational processes for the entity. Management, however, retains responsibility for the performance of processes assigned to service organizations.

[9] Appendix C is one of four OMB appendices focusing on Federal internal control compliance and accountability.

[10] The seven risk factors are (1) whether the program or activity reviewed is new to the agency; (2) the complexity of the program or activity reviewed, particularly with respect to determining correct payment amounts; (3) the volume of payments made annually; (4) whether payments or payment eligibility decisions are made outside of the agency, for example, by a State or local government, or a regional Federal office; (5) recent major changes in program funding, authorities, practices, or procedures; (6) the level, experience, and quality of training for personnel responsible for making program eligibility determinations or certifying that payments are accurate; and (7) significant deficiencies in the audit reports of the agency including, but not limited to, the agency IG or the GAO audit report findings, or other relevant management findings that might hinder accurate payment certification.

[11] GAO Standards for Internal Control in the Federal Government (GAO-14-704G) was issued on September 10, 2014, with required agency compliance effective in FY 2016.

Federal Regulation for Reviewing Contractor Work Performed

The Federal Acquisition Regulation (FAR) states contracting officers may designate one or more representatives[12] to perform specific functions, such as quality assurance, during the administration of the contract.

Professional Standards for Contractors Performing Internal Control Work

The AICPA established the Statement on Standards for Consulting Services (SSCS). These standards call for professional competence, due professional care, planning and supervision, and obtaining sufficient relevant data when providing consulting services.

The International Standards for the Professional Practice of Internal Auditing (ISPPIA) is promulgated by the IIA. The ISPPIA provides a framework for performing a broad range of value-added internal auditing services. ISPPIA requires that those performing internal audits identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives, and ... identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives. The ISPPIA also stipulates that conclusions and engagement results must be based on appropriate analysis and evaluations, and internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions.

What We Found

NRC did not effectively demonstrate support for the improper payments risk assessment. To support the NRC's Results of the FY 2017 Improper Payments Risk Assessment report and its conclusions, NRC's contractor performed separate qualitative and quantitative analyses. These separate analyses were not clearly supported by evidence.

[12] The NRC Contracting Officer designated the administration and monitoring of NRC's contract for Appendix C compliance to the Contracting Officer's Representative (COR).

Qualitative Analysis

The qualitative analysis supporting NRC's FY 2017 Improper Payments Risk Assessment report included a questionnaire asked to NRC process owners of the programs or activities that met the statutory significance threshold, with the ability to reply in open-ended answers. The qualitative analysis also included an overall risk rating based on risk rating sub-components for the process owner to consider. During OIG's review of the qualitative analysis, OIG noted the following:

• Missing Link Between Responses and Risk Ratings - Questionnaire responses were not clearly tied to the seven risk rating sub-components[13] and the overall risk rating. Specifically, process owners indicated prior improper payments identified, change in agency personnel, etc., which increase the susceptibility of risk to improper payments; however, the risk ratings did not reflect these statements by the process owners.

• Risk Rating Parameters Leave Room for Subjective Interpretation - Risk rating sub-components and subsequent overall risk ratings did not have additional guidance or parameters providing a systematic review for process owners.

• Common Internal Control Risk Factors Not Considered - Typical internal control risk factors[14] were not included or considered in the risk rating sub-components or overall risk rating.

• Programs Overwhelmingly Rated Low Risk - Of the four programs (commercial payments, grants, employee payments, and payroll) considered for the qualitative analysis, the overall risk rating was labelled low risk, but without a clear rationale.

Quantitative Analysis

The quantitative analysis performed by NRC's contractor showed limited testing on a nonstatistical, judgmental sample of the four programs that met the statutory significance threshold. During OIG's review of the quantitative analysis, OIG noted the following:

[13] NRC's contractor identified the following risk rating sub-components: payment processing controls, quality of internal monitoring controls, human capital, nature of payments and recipients, complexity of program, payment management, and operating environment.

[14] Internal control risk factors include both internal and external risk factors. The Green Book states, "Internal risk factors may include the complex nature of an entity's programs, its organizational structure, or the use of new technology in operational processes. External risk factors may include new or amended laws, regulations, or professional standards; economic instability; or potential natural disasters." Additionally in OMB's Enterprise Risk Management (ERM), OMB mentions reputational risk, which damages the reputation of an Agency or component of an Agency to the point of having a detrimental effect capable of affecting the Agency's ability to carry out mission objectives.

• Sampling Methodology Missing - NRC's contractor did not provide a detailed explanation of the reasoning for the number of samples selected, allocation of samples among the four programs considered, and the selection of the samples themselves.

• Deviation From the Original Test Plan - NRC's contractor diverged from the original test plan citing lack of cost effectiveness and/or an expectation that data or information would be difficult to obtain without further support or explanation.

• Reliance on NRC's Self-Reported Improper Payment Tracking - When deviating from the original test plan, NRC's contractor attempted to modify and satisfy tests by reviewing NRC's self-reported tracking of improper payments to verify if the specific type of payment to be reviewed for the particular test appeared on the tracking spreadsheet. When the type of payment did not appear on NRC's self-reported improper payment tracking spreadsheet, NRC's contractor deemed the test a success without exceptions. The contractors did not perform independent data reliability on the information within NRC's self-reported improper payments tracking spreadsheet to ensure accuracy, completeness, and reliability.

• Testing and Conclusion Assumptions - NRC's contractor made assumptions about samples during testing and drew conclusions without obtaining supporting data, information, or documentation to verify the assumptions.

  o One test reviewed payments of non-travel vouchers that were made within 30 days of approval. Despite discovering that a non-travel voucher was paid after almost 60 days, NRC's contractor documented in the testing support an assumption regarding the reasoning for the delayed payment and concluded that the overall test passed.

  o Another test verified whether vendors were registered in the System for Award Management (SAM). However, when NRC's contractor found a vendor not included in SAM, the contractor assumed that it was due to the limitation of access to Government personnel or the typical sensitive nature of work performed by this vendor. NRC's contractor did not confirm the assumptions with a documented response from agency personnel and accordingly, concluded that the test was completed with no issues.

Why This Occurred

The language in the contract did not address performance requirements to ensure compliance with IPIA. Additionally, there is a need for improved contract monitoring and oversight through a process that facilitates stronger quality assurance review of the contractor's work.

Contract Documents Did Not Address Appendix C Requirements

NRC's contract documents did not specify the work expected to be performed for Appendix C compliance. Particularly, the contract documents did not identify deliverables such as the qualitative or quantitative analyses, nor the resulting risk assessment report.

Opportunities for Contract Administration and Monitoring Improvement

There are opportunities to improve contract oversight. Specifically, there was no process in place to help the COR scrutinize the quality of the contractor's analyses supporting NRC's Results of the FY 2017 Improper Payments Risk Assessment report. This includes requiring the contractors to perform work in accordance with professional AICPA and IIA standards.

Why This Is Important

Potential Underreporting of the Level of Risk of Susceptibility to Significant Improper Payments

NRC could potentially be underreporting the level of risk of susceptibility to significant improper payments, which may also lead to non-compliance with the requirements of Appendix C and accordingly, IPIA.

Recommendations

OIG recommends that the Office of the Chief Financial Officer

1. Take steps to ensure that the Appendix C risk assessment provides supportable information for IPIA compliance. This should include creating contract deliverables addressing Appendix C requirements and performing a quality assurance review to ensure that the contractor's conclusions are thoroughly supported by evidence.

B. Strengthen and Coordinate Internal Control Efforts

OMB requires a cohesive internal control effort, as well as sufficient controls surrounding payment integrity. However, NRC has insufficient internal control efforts surrounding payment integrity. This happened because NRC did not fully consider a comprehensive view of internal controls and deemed the current internal controls around payment integrity as sufficient. Without adequate internal controls and procedures, the agency operations surrounding payment integrity may not function efficiently.

What Is Required

OMB requires an enterprise-wide view of all of the Federal internal control requirements, including those that impact payment integrity. This encompasses considering performing payment recapture audits, as well as documenting the agency's improper payments process.

Integrated Federal Internal Control Compliance Efforts

In Appendix C and subsequent related town hall meetings, OMB clarified that agencies should move to interconnect Federal internal control requirements for reduction of improper payments as a means to reduce burden on the agency, duplicative efforts, and have an enterprise-wide view of the internal control efforts performed by the agency.

OMB Memorandum M-16-17,[15] OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, requires agencies to identify and document the risks to the agency, as well as determine a risk appetite and profile.

OMB Memorandum M-18-16,[16] Appendix A[17] to OMB Circular A-123, Management of Reporting and Data Integrity Risk, requires that any information and supporting documentation, that is published publicly, must be supported by the proper internal controls. These internal controls include risk assessments for agency processes, identification of controls, and testing. The 2018 revision to Appendix A also gives agencies the discretion to use the prior iterations of OMB Circular A-123, Appendix A and its related implementation guidance as best practices.

Internal Control Improvements Outlined by OMB

In a town hall discussing Appendix C implementation, OMB advocated for agencies to address the high level root cause of improper payments, as well as the reduction and overall prevention of improper payments.

Documentation Requirements for Internal Control Efforts

The Green Book requires management to document the internal control responsibilities of the organization. Specifically, management must document an operational process's objectives and related risk, and control activity design, implementation, and operating effectiveness in agency policy. These policies require, "the appropriate level of detail to allow management to effectively monitor the control activity." Additionally, those in key roles for the unit may further define policies through day-to-day procedures, which may include the timing of when a control activity occurs and any follow-up corrective actions to be performed by competent personnel if deficiencies are identified. Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities.

[15] OMB Memorandum M-16-17 was published on July 15, 2016 and is effective in FY 2016.

[16] OMB Memorandum M-18-16 was published and effective as of June 6, 2018.

[17] The term "Appendix A" will be used in this report to refer to OMB M-18-16, Appendix A to OMB Circular A-123, Management of Reporting and Data Integrity Risk.

The Green Book also specifies additional documentation requirements, such as developing and maintaining documentation of the agency internal control system. Management clearly documents internal control and all transactions and other significant events in a manner that allows the documentation to be readily available for examination. The Green Book provides that, documentation and records are properly managed and maintained.

What We Found NRC has separate internal control efforts for components that are involved in payment integrity and processing that are not fully coordinated. In addition, there are opportunities to improve the payment integrity-related internal controls.

Internal Control Efforts Could Be Enhanced NRCs FY 2018 agency-wide ERM risks did not include payment integrity risks. The risks identified in the FY 2018 ERM include emerging risks for processes that feed into or result from a payment with assumed integrity, but none that directly address payment integrity itself.

Separate from the internal control efforts dedicated towards ERM, NRC has a distinct Appendix A effort that does not correlate to the Appendix C efforts. Specifically, there was a lack of consistency between the Appendices A and C work done by NRC, such as:

The risk rating for individual processes dealing with payment integrity.

The risk factors and risk rating sub-components considered for the risk rating of individual processes.

The risks identified between Appendices A and C.

The payment integrity-related supporting documentation for Appendices A and C were different in items such as the process names, start/end points of processes, and tasks identified within a process.

Opportunities To Improve Internal Control Efforts Surrounding Payment Integrity

Policy/Procedure for the Agency's Improper Payment Notification, Tracking, and Correction

NRC's management directives do not specifically address the Office of the Chief Financial Officer's (OCFO) improper payments tracking process and procedures. The management directives do not address requirements for notifying OCFO of improper payments, nor for tracking, monitoring, or correcting improper payments. The agency's official directives do not show the interconnectedness of:

The various payment vehicles through the differing payment integrity-related processes,

The role of the responsible payment approving officials for preventing and identifying improper payments, and

The notification to OCFO of improper payments that have occurred.

High Level Root Cause Correction

Although OCFO's self-reported improper payments tracking system corrects the individual improper payment transactions that have occurred, there is no indication in OCFO's tracking system that the agency addressed or corrected the high level root cause of the issue. OCFO's self-reported improper payments tracking did not identify or correct the common theme or high level root cause from the cumulative individual FY 2018 improper payments transactions that occurred.

Why This Occurred

Opportunities exist for NRC to enhance consistency of its treatment of the various Federal internal control requirements. In addition, NRC considered the payment integrity controls to be sufficient.

Enhance the Consistency of the Treatment of Federal Internal Control Requirements

NRC could improve the consideration of an enterprise-wide view of the internal controls and risks, to connect to the various internal control requirements. On various occasions, OCFO officials confirmed the separate approaches for ERM, Appendix A, and Appendix C. Additionally, NRC policies and procedures also reflect this distinct approach between the various internal control requirements.

The Agency Considered Payment Integrity Controls to be Sufficient

NRC believes the improper payment process is captured in the current management directives and shows the interaction between OCFO and the various payment approving officials throughout NRC. OIG recognized that the high level root cause of the FY 2018 improper payments was the result of a deficiency in the operations[18] of the controls.

Why This Is Important

As a result of these issues, NRC could be inefficiently using resources, not reducing or preventing improper payments, and not maintaining knowledge management of the improper payments process.

Potential Inefficient Use of Resources

OMB wanted to reduce the burden on agencies that are trying to comply with the improper payment requirements. OMB recommended that agencies use the pre-existing internal control requirements. Additionally, it is an inefficient use of agency resources when hiring contractors to perform separate and distinct efforts for Appendices A and C.

Opportunities to Reduce or Prevent Improper Payments

By not addressing the high level root cause of improper payments, NRC is not correcting the overarching issue causing the improper payment to occur in the first place. Focusing on identifying the high level root cause will strengthen the processes that feed into OCFO's improper payments process and prevent future improper payments from happening.

18 According to the Green Book, a deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Knowledge Management of the Improper Payments Process at NRC

Formally documenting the agency improper payment notification, monitoring, and tracking process in a policy or procedure would reduce the risk of knowledge loss if key employees separate or are reassigned.

Recommendations

OIG recommends that the Office of the Chief Financial Officer

2. Review the various payment integrity-related internal control efforts and revise procedures to enhance consistency among the different internal control compliance requirements.
3. Update policies/procedures pertaining to the agency's improper payment notification, tracking, and monitoring. This policy/procedure should include steps to address and correct the high level root cause of the improper payments identified.

IV. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the Office of the Chief Financial Officer

1. Take steps to ensure that the Appendix C risk assessment provides supportable information for IPIA compliance. This should include creating contract deliverables addressing Appendix C requirements and performing a quality assurance review to ensure that the contractor's conclusions are thoroughly supported by evidence.
2. Review the various payment integrity-related internal control efforts and revise procedures to enhance consistency among the different internal control compliance requirements.
3. Update policies/procedures pertaining to the agency's improper payment notification, tracking, and monitoring. This policy/procedure should include steps to address and correct the high level root cause of the improper payments identified.

V. AGENCY COMMENTS

Agency officials met with OIG to provide informal verbal feedback immediately prior to the exit conference. The exit conference was held on May 29, 2019, where agency management provided additional comments.

Feedback from both meetings has been incorporated into the report, as appropriate.

On May 30, 2019, agency management provided formal comments to the draft report that stated the agency's agreement with the recommendations described in this report, with the exception of recommendation 2.

Appendix B contains a copy of the agency's formal comments. Appendix C contains OIG's analysis of the agency's formal comments.

Appendix A

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The audit objectives were to assess NRC's compliance with the IPIA, as amended by the IPERA and IPERIA, and report any material weaknesses in internal control.

Scope

The audit focused on improper payment compliance for FY 2018. OIG did not make a determination, through independent testing, regarding the completeness of NRC's improper payment monitoring and tracking.

OIG conducted this audit from February through April 2019 at NRC headquarters in Rockville, Maryland. Internal controls related to the audit objectives were reviewed and analyzed.

Methodology

To accomplish the audit objectives, OIG reviewed relevant laws, regulations, and guidance for this audit, including

31 United States Code § 3321 Improper Payments Information Act of 2002 (IPIA)

Improper Payments Elimination and Recovery Act of 2010 (IPERA)

Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA)

OMB Memorandum M-16-17, OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control

OMB Memorandum M-18-16, Appendix A to OMB Circular A-123, Management of Reporting and Data Integrity Risk

OMB Memorandum M-18-20, Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement

GAO Standards for Internal Control in the Federal Government

Federal Acquisition Regulation

AICPA Statement on Standards for Consulting Services

IIA International Standards for the Professional Practice of Internal Auditing

Management Directive (MD) 11.1, NRC Acquisition of Supplies and Services

MD 9.20, Organization and Functions, Office of the Chief Financial Officer

MD 9.21, Organization and Functions, Office of Administration

MD 4.1, Accounting Policy and Practices

OIG interviewed NRC staff from OCFO and the Office of Administration.

OIG also reached out to OMB for clarification regarding agency and IG requirements for Appendix C.

Since NRC is subject to a triennial Appendix C risk assessment, OIG reviewed NRC's FY 2017 Improper Payments Risk Assessment report and documentation supporting the risk assessment report as a part of the FY 2018 audit review.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Throughout the audit, auditors considered the possibility of fraud, waste, and abuse in the program.

The audit was conducted by Eric Rivera, Team Leader; Tincy Thomas de Colón, Audit Manager; and Felicia Silver, Audit Manager.

Appendix B

AGENCY FORMAL COMMENTS


Appendix C

OIG ANALYSIS OF AGENCY FORMAL COMMENTS

NRC's formal written comments to this report (Appendix B) discuss the agency's agreement with recommendations 1 and 3, while also stating disagreement with recommendation 2. In the agency's formal comments, it was noted that costs[19] and benefits in implementing recommendations are considered. OIG reiterates that based on the audit, the agency is compliant with improper payment laws. However, OIG believes that opportunities for improvement exist, which would enhance overall efficiency, effectiveness, and value for processes addressing payment integrity, and accordingly, improper payments. Below is a summary of the agency's response to recommendation 2 and OIG's response.

Integration and Consistency Among the Different Internal Control Compliance Requirements Impacting Payment Integrity

Agency Comments

The agency believes the NRC has integrated internal control efforts, but acknowledges that ERM, Appendix A, and Appendix C are separate approaches. The agency cited the SAT and PSAT (through QPR meetings) as examples of the agency's enterprise-wide approach towards its ability to identify, mitigate, and communicate risks.

OIG Comments

OIG acknowledges that the SAT and QPR meetings give the agency the flexibility to identify, mitigate, and communicate risks. However, the FY 2018 SAT meetings primarily consisted of addressing Appendix A requirements, including process identification and test plans which mirror those in NRC's FY 2018 Report on Internal Control Monitoring and Support[20] and documentation supporting that report. Furthermore, the same contractor[21] leading the FY 2018 SAT meetings acknowledged, in the subsequent supporting documentation for NRC's FY 2018 Report on Internal Control Monitoring and Support, that NRC should modify certain FY 2018 Appendix A[22] processes and supporting documents to more closely mirror the Appendix C payment programs identified.

19 In the Green Book, GAO states that cost alone is not an acceptable reason to avoid implementing internal controls.

20 NRC's FY 2018 Report on Internal Control Monitoring and Support indicates that the purpose is to support NRC management's efforts to evaluate its internal controls over financial reporting in connection with the requirements of Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, Appendix A, Internal Control over Financial Reporting.

In the agency's ERM Framework, the PSAT is tasked to report risks by business line and openly discuss them during QPR meetings, in the agency's efforts to be in compliance with OMB Memorandum M-16-17, OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control. Also, MD 4.4, Enterprise Risk Management and Internal Control, states that the PSAT is responsible for communicating risks that are agencywide and/or of strategic interest from the business line/product line level to the enterprisewide level at the QPR meetings. A result of the QPR meeting discussions is a refined list of agencywide ERM risks. OIG reviewed the FY 2018 ERM risks and determined that the agency did not identify payment integrity related risks.[23]

Finally, Appendix C and subsequent town hall meetings with OMB discuss the importance of incorporating ERM and other internal control requirements to assist in the management of payment integrity risks. OMB acknowledges that the benefits of this integration of ERM and other internal control requirements are to reduce the burden on agencies, avoid duplication of efforts, and leverage work and findings across the agency, thereby saving agency resources and staff effort.

21 NRC hired EY, which subcontracted Castro & Company Limited Liability Company and McConnell and Jones LLP, to perform the Appendix A compliance work.

22 OIG addresses the inconsistencies between Appendices A and C in Finding B, What We Found sub-section of this report.

23 OIG addresses the need for enhancement of ERM in Finding B, What We Found sub-section of this report.

TO REPORT FRAUD, WASTE, OR ABUSE

Please Contact:

Email: Online Form
Telephone: 1-800-233-3497
TTY/TDD: 7-1-1, or 1-800-201-7165
Address: U.S. Nuclear Regulatory Commission
Office of the Inspector General
Hotline Program
Mail Stop O5-E13
11555 Rockville Pike
Rockville, MD 20852

COMMENTS AND SUGGESTIONS

If you wish to provide comments on this report, please email OIG using this link.

In addition, if you have suggestions for future OIG audits, please provide them using this link.
