ML19324E430

Fiscal Year (Fy) 2020 Annual Plan for the U.S. Nuclear Regulatory Commission Dated November 20, 2019
Person / Time
Issue date: 11/20/2019
From: Lee D
NRC/OIG



Office of the Inspector General U.S. Nuclear Regulatory Commission Annual Plan Fiscal Year 2020

FOREWORD

I am pleased to present the Office of the Inspector General's (OIG) fiscal year (FY) 2020 Annual Plan for the U.S. Nuclear Regulatory Commission (NRC). The Annual Plan provides the audit and investigative strategies and associated summaries of the specific work planned for the coming year. It sets forth OIG's formal strategy for identifying priority issues and managing its workload and resources for FY 2020 (Effective April 1, 2014, the NRC OIG was assigned also to serve as the OIG for the U.S. Defense Nuclear Facilities Safety Board; OIG's annual plan for that agency is contained in a separate document).

NRC's mission is to license and regulate the Nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety, to promote the common defense and security, and to protect the environment. OIG is committed to overseeing the integrity of NRC programs and operations. Developing an effective planning strategy is a critical aspect of accomplishing this commitment. Such planning ensures that audit and investigative resources are used efficiently.

This Annual Plan was prepared to align with the OIG Strategic Plan for FYs 2019 - 2023, which is based, in part, on an assessment of the strategic challenges facing NRC. The Strategic Plan identifies OIG's priorities and establishes a shared set of expectations regarding the goals we expect to achieve and the strategies we will employ over that timeframe. The Strategic Plan is the foundation on which our Annual Plan is based. OIG sought input from Congress, the NRC Commission, NRC Headquarters, and NRC Regions in developing this Annual Plan.

We have programmed all available resources to address the matters identified in this plan. This approach maximizes use of our resources. However, to respond to a changing environment, it is sometimes necessary to modify this plan as circumstances, priorities, or resources warrant.

David C. Lee
Deputy Inspector General

TABLE OF CONTENTS

MISSION AND AUTHORITY
PLANNING STRATEGY
AUDIT STRATEGY
INVESTIGATION STRATEGY
PERFORMANCE MEASURES
OPERATIONAL PROCESSES
  • AUDITS
  • INVESTIGATIONS
  • HOTLINE

APPENDICES

A. NUCLEAR SAFETY AND SECURITY AUDITS PLANNED FOR FY 2020
  • Audit of NRC's Nuclear Power Emergency Preparedness Program
  • Audit of NRC's Reactor Inspection Issue Screening
  • Audit of NRC's Integrated Materials Performance Evaluation Program
  • Audit of NRC's Drop-In Meeting Policies and Procedures
  • Audit of NRC's Regulatory Oversight of Radiation Safety Officers
  • Audit of NRC's Material Control and Accounting Inspection Program for Special Nuclear Material
  • Audit of NRC's Use of Requests for Additional Information in Licensing Processes for Spent Nuclear Fuel
  • Audit of NRC's Nuclear Power Surveillance Test Inspection Program

B. CORPORATE MANAGEMENT AUDITS PLANNED FOR FY 2020
  • Audit of NRC's Grants Pre-Award and Award Processes
  • Audit of NRC's Compliance with Standards Established by the Digital Accountability and Transparency Act of 2014 (DATA Act)
  • Survey of NRC's Safety Culture and Climate
  • Audit of NRC's Fiscal Year 2019 Financial Statements
  • Audit of NRC's Property Management Program
  • Audit of the NRC Audit of NRC's Implementation of Enterprise Risk Management
  • Audit of NRC's Knowledge Management Program
  • Audit of NRC's Compliance with Improper Payment Laws
  • Audit of NRC's Fiscal Year 2020 Financial Statements
  • Audit of NRC's Change of Station Program
  • Audit of NRC's Space Management in the Regions
  • Audit of NRC's Drug-Free Workplace Program Implementation
  • Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2019
  • Audit of the Information System Security Officer Function
  • Audit of NRC's Implementation of the Federal Information Technology Acquisition Reform Act (FITARA)
  • Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2020

INVESTIGATIONS - PRIORITIES, OBJECTIVES, AND INITIATIVES FOR FY 2020
ISSUE AREAS AND DESIGNATED ISSUE AREA MONITORS
ABBREVIATIONS AND ACRONYMS

MISSION AND AUTHORITY

The Nuclear Regulatory Commission's (NRC) Office of the Inspector General (OIG) was established on April 15, 1989, pursuant to Inspector General Act Amendments (the Act) contained in Public Law 100-504. OIG's mission is to (1) conduct and supervise independent audits and investigations of agency programs and operations; (2) promote economy, effectiveness, and efficiency within the agency; (3) prevent and detect fraud, waste, and abuse in agency programs and operations; (4) develop recommendations regarding existing and proposed regulations relating to agency programs and operations; and (5) keep the agency head and Congress fully and currently informed about problems and deficiencies relating to agency programs. The Act also requires the Inspector General (IG) to prepare a semiannual report to the NRC Chairman and Congress summarizing the activities of the OIG.

In furtherance of the execution of this mission and of importance to OIG's annual plan development, the IG summarizes what he considers to be the most serious management and performance challenges facing NRC and assesses the agency's progress in addressing those challenges. The IG identified the following as the most serious management and performance challenges facing NRC [1] for FY 2019:

1. Regulation of nuclear reactor safety and security programs.
2. Regulation of nuclear materials and radioactive waste safety and security programs.
3. Management of information and information technology.
4. Management of financial programs.
5. Management of corporate functions.

The IG revised these management and performance challenges in October 2019 as noted in the list below. [2]

1. NRC and Agreement State Coordination on Oversight of Materials and Waste
2. Continuous Improvement Opportunities for Information Technology (IT) and Information Management (includes internal IT security)
3. Management and Transparency of Financial and Acquisitions Operations
4. Strategic Workforce Planning
5. Strengthening Oversight of External Security
6. Readiness for Advanced Reactor Technologies
7. Strengthening Risk Informed Oversight

All audits and evaluations that were initiated in FY 2019 will be subject to the former management and performance challenges, while all audits and evaluations commencing in FY 2020 will be subject to the revised management and performance challenges.

[1] The challenges are not ranked in any order of importance.
[2] Ibid.

Through its Issue Area Monitor (IAM) program, OIG staff monitor agency performance on these management and performance challenges. These challenges, in conjunction with OIG's strategic goals, serve as an important basis for deciding which audits and evaluations to conduct each fiscal year.


PLANNING STRATEGY

The FY 2020 Annual Plan is linked with OIG's Strategic Plan for FYs 2019 - 2023. The Strategic Plan identifies the major challenges and critical risk areas facing the NRC so that OIG resources may be directed in these areas in an optimum fashion.

The Strategic Plan recognizes the mission and functional areas of the agency and the major challenges the agency faces in successfully implementing its regulatory program.

The plan presents strategies for reviewing and evaluating NRC programs under the strategic goals that OIG established. OIG's strategic goals are to (1) strengthen NRC's efforts to protect public health and safety and the environment, (2) enhance NRC's efforts to increase security in response to an evolving threat environment, and (3) increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources. To ensure that each audit and evaluation carried out by OIG aligns with the Strategic Plan, program areas selected for audit and evaluation have been cross walked from the Annual Plan to the Strategic Plan (see planned audits in appendixes A, B, and C).

AUDIT AND INVESTIGATION UNIVERSE

NRC's FY 2020 budget request is $921.1 million as the full cost of agency programs.

The agency's mission is to license and regulate the Nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety, to promote the common defense and security, and to protect the environment.

The agency also has a role in enhancing nuclear safety and security throughout the world.

NRC is headquartered in Rockville, Maryland, just outside of Washington, DC; has four regional offices located throughout the United States; and operates a technical training center located in Chattanooga, Tennessee.

The agency carries out its mission through various licensing, inspection, research, and enforcement programs. NRC responsibilities include regulating 96 commercial nuclear power reactors licensed to operate in the United States; 79 licensed and/or operating Independent Spent Fuel Storage Installations; 31 licensed and operating research and test reactors; 10 fuel cycle facilities; and approximately 2,000 licenses issued for medical, academic, and industrial uses of nuclear material. In FY 2019, the agency had 6 license renewal applications for operating power reactor sites. Additionally, NRC is overseeing the decommissioning of 21 power reactor sites and 3 research and test reactors. The audit and investigation oversight responsibilities are therefore derived from the agency's wide array of programs, functions, and support activities established to accomplish NRC's mission.


AUDIT STRATEGY

Effective audit planning requires current knowledge about the agency's mission and the programs and activities used to carry out that mission. Accordingly, OIG continually monitors specific issue areas to strengthen its internal coordination and overall planning process. Under the office's Issue Area Monitoring (IAM) program, staff designated as Issue Area Monitors are assigned responsibility for keeping abreast of major agency programs and activities. The broad IAM areas address nuclear reactors, nuclear materials, nuclear waste, information management, security, financial and administrative programs, human resources, and international programs. Appendix E contains a listing of the IAMs and the issue areas for which they are responsible.

The audit planning process, which is informed by the OIG Strategic Plan and identified agency management and performance challenges, yields audit assignments that identify opportunities for efficiency, economy, and effectiveness in NRC programs and operations; detect and prevent fraud, waste, and mismanagement; improve program and security activities at headquarters and regional locations; and respond to emerging circumstances and priorities. The priority for conducting audits is based on (1) mandatory legislative requirements; (2) critical agency risk areas; (3) emphasis by the President, Congress, NRC Chairman, or other NRC Commissioners; (4) a program's susceptibility to fraud, manipulation, or other irregularities; (5) dollar magnitude or resources involved in the proposed audit area; (6) newness, changed conditions, or sensitivity of an organization, program, function, or activities; (7) prior audit experience, including the adequacy of internal controls; and (8) availability of audit resources.

INVESTIGATION STRATEGY

OIG investigation strategies and initiatives add value to agency programs and operations by identifying and investigating allegations of fraud, waste, and abuse leading to criminal, civil, and administrative penalties and recoveries. By focusing on results, OIG has designed specific performance targets focusing on effectiveness. Because NRC's mission is to protect public health and safety, the main investigative concentration involves alleged NRC misconduct or inappropriate actions that could adversely impact health and safety-related matters. These investigations typically include allegations of:

  • Misconduct by high-ranking NRC officials and other NRC officials, such as managers and inspectors, whose positions directly impact public health and safety.
  • Failure by NRC management to ensure that health and safety matters are appropriately addressed.
  • Failure by the NRC to appropriately transact nuclear regulation.
  • Conflicts of interest involving NRC employees and NRC contractors and licensees.
  • Indications of management or supervisory retaliation.


OIG will continue to monitor specific high-risk areas within NRC's corporate management that are most vulnerable to fraud, waste, and abuse. A significant focus remains on matters that could negatively impact the security and integrity of NRC data and operations. This will also include efforts to ensure the continued protection of personal privacy information held within agency databases and systems. OIG is committed to improving the security of the constantly changing electronic business environment by investigating computer-related fraud, waste, and abuse through proactive investigations and computer forensic examinations as warranted. Other proactive initiatives will focus on determining instances of procurement fraud and identifying vulnerabilities in NRC daily operations, including, but not limited to, theft of property, insider threats, and Government travel and purchase card abuse.

As part of these proactive initiatives, OIG will meet with agency internal and external stakeholders to identify systemic issues or vulnerabilities. This approach will allow the identification of potential vulnerabilities and an opportunity to improve agency performance.

With respect to OIG's strategic goals pertaining to safety and security, OIG routinely interacts with public interest groups, individual citizens, industry workers, and NRC staff to identify possible lapses in NRC regulatory oversight that could impact public health and safety. OIG also conducts proactive reviews into areas of regulatory safety or security interest to identify emerging issues or address ongoing concerns regarding the quality of NRC's regulatory oversight. Such areas might include new reactor licensing and relicensing of existing plants, aspects of the transportation and storage of high-level and low-level waste, as well as decommissioning activities. Finally, OIG periodically conducts Event Inquiries and Special Inquiries. Event Inquiry reports document OIG's examination of events or agency regulatory actions to determine if staff actions may have contributed to the occurrence of an event. Special Inquiry reports document those instances where an investigation identifies inadequacies in NRC regulatory oversight that may have resulted in a potential adverse impact on public health and safety.

Appendix D provides investigation objectives and initiatives for FY 2020. Specific investigations are not included in the plan because investigations are primarily responsive to reported violations of law and misconduct by NRC employees and contractors, as well as allegations of irregularities or abuse in NRC programs and operations.


PERFORMANCE MEASURES

For FY 2020, we will use several key performance measures and targets for gauging the relevance and impact of our audit and investigative work. OIG calculates these measures in relation to each of OIG's strategic goals to determine how well we are accomplishing our objectives. The performance measures are:

1. Percentage of OIG audit products and activities that cause the agency to take corrective action to improve agency safety, security, or corporate management programs; ratify adherence to agency policies, procedures, or requirements; or identify real dollar savings or reduced regulatory burden (i.e., high impact).
2. Percentage of audit recommendations agreed to by the agency.
3. Percentage of final agency actions taken within 2 years on audit recommendations.
4. Percentage of OIG investigative products and activities that identify opportunities to improve agency safety, security, or corporate management programs; ratify adherence to agency policies/procedures; or confirm or disprove allegations of wrongdoing (e.g., high impact).
5. Percentage of agency actions taken in response to investigative reports.
6. Percentage of active cases completed in less than 18 months on average.
7. Percentage of closed investigations referred to the U.S. Department of Justice (DOJ) or other relevant authorities.
8. Percentage of closed investigations resulting in indictments, convictions, civil suits or settlements, judgments, administrative actions, monetary results, or IG clearance letters.


OPERATIONAL PROCESSES

The following sections detail the approach used to carry out the audit and investigative responsibilities previously discussed.

AUDITS

OIG's audit process comprises the steps taken to conduct audits and involves specific actions, ranging from annual audit planning to performing audit followup. The underlying goal of the audit process is to maintain an open channel of communication between the auditors and NRC officials to ensure that audit findings are accurate and fairly presented in the audit report.

OIG performs the following types of audits:

Performance - Performance audits focus on NRC administrative and program operations and evaluate the effectiveness and efficiency with which managerial responsibilities are carried out, including whether the programs achieve intended results.

Financial - These audits, which include the financial statement audit required by the Chief Financial Officers Act, attest to the reasonableness of NRC's financial statements and evaluate financial programs.

Contract - Contract audits evaluate the costs of goods and services procured by NRC from commercial enterprises.

The key elements in the audit process are as follows:

Audit Planning - Each year, suggestions are solicited from Congress, the NRC Commission, agency management, external parties, and OIG staff. An annual audit plan (i.e., this document) is developed and distributed to interested parties. It contains a listing of planned audits to be initiated during the year and the general objectives of the audits. The annual audit plan is a living document that may be revised as circumstances warrant, with a subsequent redistribution of staff resources.

Audit Notification - Formal notification is provided to the office responsible for a specific program, activity, or function, informing them of OIG's intent to begin an audit of that program, activity, or function.

Entrance Conference - A meeting is held to advise agency officials of the objective(s) and scope of the audit and the general methodology to be followed.


Survey - Exploratory work is conducted before the more detailed audit work commences to gather data for refining audit objectives, as appropriate; documenting internal control systems; becoming familiar with the activities, programs, and processes to be audited; and identifying areas of concern to management. At the conclusion of the survey phase, the audit team will recommend to the Assistant Inspector General for Audits (AIGA) a Go or No Go decision regarding the verification phase. If the audit team recommends a No Go, and it is approved by the AIGA, the audit is dropped.

Audit Fieldwork - A comprehensive review is performed of selected areas of a program, activity, or function using an audit program developed specifically to address the audit objectives.

End of Fieldwork Briefing With Agency - At the conclusion of audit fieldwork, the audit team discusses the tentative report findings and recommendations with the auditee.

Discussion Draft Report - A discussion draft copy of the report is provided to agency management to allow them the opportunity to prepare for the exit conference.

Exit Conference - A meeting is held with the appropriate agency officials to discuss the discussion draft report. This meeting provides agency management the opportunity to confirm information, ask questions, and provide any necessary clarifying data.

Formal Draft Report - If requested by agency management during the exit conference, a final draft copy of the report that includes comments or revisions from the exit conference is provided to the agency to obtain formal written comments.

Final Audit Report - The final report includes, as necessary, any revisions to the facts, conclusions, and recommendations of the draft report discussed in the exit conference or generated in written comments supplied by agency managers. Written comments are included as an appendix to the report. Some audits are sensitive and/or classified. In these cases, final audit reports are not made available to the public.

Response to Report Recommendations - Offices responsible for the specific program or audited process provide a written response on each recommendation (usually within 30 calendar days) contained in the final report. Agency management responses include a decision for each recommendation indicating agreement or disagreement with the recommended action. For agreement, agency management provides corrective actions taken or planned and actual or target dates for completion. For disagreement, agency management provides their reasons for disagreement and any alternative proposals for corrective action.

Impasse Resolution - If the response by the action office to a recommendation is unsatisfactory, OIG may determine that intervention at a higher level is required. The Executive Director for Operations is NRC's audit followup official, but issues can be taken to the Chairman for resolution, if warranted.

Audit Followup and Closure - This process ensures that recommendations made to management are implemented.


INVESTIGATIONS

OIG's investigative process normally begins with the receipt of an allegation of fraud, mismanagement, or misconduct. Because a decision to initiate an investigation must be made within a few days of each referral, OIG does not schedule specific investigations in its annual investigative plan.

Investigations are opened in accordance with OIG priorities as set forth in the OIG Strategic Plan and in consideration of prosecutorial guidelines established by the local U.S. attorneys for the DOJ. OIG investigations are governed by the Council of the Inspectors General on Integrity and Efficiency Quality Standards for Investigations, the OIG Special Agent Handbook, and various guidance provided periodically by DOJ.

Only four individuals in the OIG can authorize the opening of an investigative case: the IG, the Deputy IG, Assistant Inspector General for Investigations (AIGI), and the Senior Assistant for Investigative Operations. Every allegation received by OIG is given a unique identification number and entered into a database. Some allegations result in investigations, while others are retained as the basis for audits, referred to NRC management, or, if appropriate, referred to another law enforcement agency.

When an investigation is opened, it is assigned to a special agent who prepares a plan of investigation. This planning process includes a review of the criminal and civil statutes, program regulations, and agency policies that may be involved. The special agent then conducts the investigation and uses a variety of investigative techniques to ensure investigations are thorough, objective, and fully pursued to a logical conclusion.

In cases where the special agent determines that a crime may have been committed, he or she will discuss the investigation with a Federal and/or local prosecutor to determine if prosecution will be pursued. In cases where a prosecuting attorney decides to proceed with a criminal or civil prosecution, the special agent assists the attorney in any preparation for court proceedings that may be required.

For investigations that do not result in prosecution and are handled administratively by the agency, the special agent prepares an investigative report summarizing the facts disclosed during the investigation. The investigative report is distributed to agency officials who have a need to know the results of the investigation. For investigative reports provided to agency officials, OIG requires a response within 120 days regarding any potential action taken as a result of the investigative findings.

OIG collects data summarizing the criminal and administrative action taken as a result of its investigations and includes this data in its semiannual reports to Congress.


As part of the investigation function, OIG also periodically conducts Event Inquiries and Special Inquiries as discussed earlier.

HOTLINE

The OIG Hotline Program provides NRC employees, contract employees, and the public with a confidential means of reporting to the OIG instances of fraud, waste, and abuse relating to agency programs and operations.

Please Contact:

E-mail: Online Form
Telephone: 1-800-233-3497
TDD: 1-800-201-7165, or 7-1-1
Address: U.S. Nuclear Regulatory Commission
Office of the Inspector General
Hotline Program
Mail Stop O5-E13
11555 Rockville Pike
Rockville, MD 20852-2746

APPENDIX A

NUCLEAR SAFETY AND SECURITY AUDITS PLANNED FOR FY 2020

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A

Audit of NRC's Nuclear Power Emergency Preparedness Program

DESCRIPTION AND JUSTIFICATION:

Emergency preparedness (EP) is intended to ensure that nuclear power plant licensees are capable of implementing adequate measures to protect public health and safety in the event of a radiological emergency. As a condition of their licenses, licensees of nuclear power plants must develop and maintain emergency plans that meet comprehensive NRC EP requirements. NRC oversees EP plans and activities through inspection of the requirements of emergency preparedness and the evaluation of their implementation through periodic exercises and drills. In EP policymaking and planning NRC coordinates with Federal partners, and licensees must coordinate EP planning with State and local authorities.

NRC's proposed Reactor Oversight Program enhancement measures recommend changes to EP oversight, including modifications of the EP Significance Determination Process and reduction of certain uses of Inspection Procedure 71111.01, used to inspect weather-related risks, offsite power systems, alternate AC power sources, and external flooding mitigation measures.

OBJECTIVE:

The audit objective is to determine whether NRC's emergency preparedness oversight program for nuclear power plants adequately addresses adverse weather conditions and related communications with external stakeholders.

SCHEDULE:

Initiate in the 4th quarter of FY 2019.

STRATEGIC GOALS 1 and 2:

Safety - Strengthen NRC's efforts to protect public health and safety and the environment.

Security - Strengthen NRC's security efforts in response to an evolving threat.

Strategy 1-1:

Identify risk areas associated with NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

Strategy 2-1:

Identify risks involved in securing nuclear reactors, fuel cycle facilities, and materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1:

Regulation of nuclear reactor safety and security programs.


Audit of NRC's Reactor Inspection Issue Screening

DESCRIPTION AND JUSTIFICATION:

NRC guidance (Inspection Manual Chapter 0612) requires inspectors to screen issues of concern identified at nuclear power plants to determine whether the issues in question fall under the agency's traditional enforcement program and the Reactor Oversight Process. If an issue of concern screens positive for traditional enforcement, a violation may result. If an issue screens positive for a performance deficiency under the Reactor Oversight Process, inspectors must determine if it is of minor or more than minor safety or security significance. Issues that screen minor are generally not documented, while more than minor issues become potential findings to be assessed following the Significance Determination Process (e.g., Green, White, Yellow, and Red). In 2013, the Government Accountability Office identified inconsistency among NRC regional inspection findings.

Since 2015 there has been a sharp overall decline in the number of Green findings. This information raises questions about the impact of the focus on consistency when inspectors are applying IMC 0612 issue screening guidance both for traditional enforcement and ROP.

OBJECTIVE:

The audit objective is to assess the consistency with which staff screen issues of concern for traditional enforcement and Reactor Oversight Process purposes in accordance with agency guidance.

SCHEDULE:

Initiate in the 1st quarter of FY 2020.

STRATEGIC GOAL 1:

Safety - Strengthen NRC's efforts to protect public health and safety and the environment.

Strategy 1-1:

Identify risk areas associated with NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1:

Regulation of nuclear reactor safety and security programs.


Audit of NRC's Integrated Materials Performance Evaluation Program (IMPEP)

DESCRIPTION AND JUSTIFICATION:

The IMPEP process employs a team of NRC and Agreement State staff to assess both Agreement State and NRC regional radioactive materials licensing and inspection programs. It is designed to assess whether public health and safety are adequately protected from the potential hazards associated with the use of radioactive materials, and that Agreement State programs are compatible with the NRC's program.

Management Directive (MD) 5.6, Integrated Materials Performance Evaluation Program (IMPEP), establishes the process by which the Office of Nuclear Material Safety and Safeguards (NMSS) conducts its periodic assessments. IMPEPs review approximately 8-10 Agreement State and NRC Regional radioactive materials licensing and inspection programs per year. The IMPEP review teams consist of a combination of NRC and Agreement State staff.

OBJECTIVE:

The audit objective is to assess and evaluate the IMPEP program, determine if the program is meeting its stated objectives, and to identify any areas for improvement.

SCHEDULE:

Initiated in the 1st quarter of FY 2020.

STRATEGIC GOALS 1 and 2:

Safety - Strengthen NRC's efforts to protect public health and safety and the environment.

Security - Strengthen NRC's security efforts in response to an evolving threat.

Strategy 1-2:

Identify risk areas facing NRC's oversight of nuclear materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

Strategy 2-2:

Identify risks in emergency preparedness and incident response, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 2:

Regulation of nuclear materials and radioactive waste safety and security programs.

Audit of NRC's Drop-In Meeting Policies and Procedures

DESCRIPTION AND JUSTIFICATION:

External stakeholders have expressed concern about the frequency of senior agency management interactions with nuclear power industry representatives, some of which coincide with regulatory decisions such as backfit appeal. NRC guidance requires staff to avoid discussing specific details of regulatory matters with industry representatives in non-public interactions, although staff are permitted to discuss general information pertaining to agency activities.

OBJECTIVE:

The audit objective is to determine whether NRC policies and procedures for non-public interactions with industry stakeholders are adequate to prevent compromise of the independence of agency staff or the appearance of conflicts of interest.

SCHEDULE:

Initiate in the 2nd quarter of FY 2020.

STRATEGIC GOAL 1:

Safety - Strengthen NRC's efforts to protect public health and safety and the environment.

Strategy 1-1:

Identify risk areas associated with NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1:

Regulation of nuclear reactor safety and security programs.

Audit of NRC's Regulatory Oversight of Radiation Safety Officers

DESCRIPTION AND JUSTIFICATION:

Radiation Safety Officers (RSOs) are responsible for radiological safety in conjunction with the use, handling, and storage of radioactive materials in programs licensed by the Nuclear Regulatory Commission (NRC). NRC requires that most of its licensees employ RSOs to assess whether all licensed activities are carried out in compliance with the requirements of their NRC materials license, as well as with applicable regulations.

RSOs must have adequate training to understand the hazards associated with radioactive material and be familiar with all applicable regulatory requirements. RSOs must have the knowledge, skill, and resources to reasonably determine that a licensee's activities involving radiation and radioactive materials are conducted safely. RSOs should also have independent authority to stop operations they consider unsafe. Additionally, they should have sufficient time and commitment from management to fulfill their duties and responsibilities including determining whether radiation safety procedures are being implemented and that the required records of licensed activities are maintained.

Because RSOs work for licensees involved with several different areas of nuclear material, RSOs play a vital role in radiation protection programs as they are ultimately responsible for overseeing safe operations within those programs.

OBJECTIVE:

To determine the adequacy of NRC's regulatory oversight of Radiation Safety Officers.

SCHEDULE:

Initiated in the 2nd quarter of FY 2020.

STRATEGIC GOAL 1:

Safety - Strengthen NRC's efforts to protect public health and safety and the environment.

Strategy 1-2:

Identify risk areas facing NRC's oversight of nuclear materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 2:

Regulation of nuclear materials and radioactive waste safety and security programs.

Audit of NRC's Material Control and Accounting Inspection Program for Special Nuclear Material

DESCRIPTION AND JUSTIFICATION:

The NRC grants licenses for the possession and use of special nuclear material (SNM) and establishes regulations to govern the possession and use of those materials. NRC regulations require that SNM license holders have material control and accounting (MC&A) systems to prepare and maintain accounting records, perform measurements, and analyze the information to confirm the presence of nuclear materials. The basic objective of MC&A is to protect against the loss or misuse of SNM. MC&A are activities the licensee and the NRC use to confirm in a timely manner that SNM has not been lost, stolen, or diverted.

Failure to maintain knowledge of the location of SNM significantly increases the risk of loss.

The NMSS is responsible for the MC&A Inspection program. Routine inspections typically are performed on a semiannual to annual basis. However, the NRC can conduct reactive inspections as necessary in response to an event. All inspections are performed by certified inspectors with specialized training and experience in material control and accounting.

OBJECTIVE:

The objective of this audit is to assess the effectiveness of the NRC's MC&A inspection program over the accounting and control of SNM at fuel facilities.[3]

SCHEDULE:

Initiate in 2nd quarter of FY 2020.

STRATEGIC GOALS 1 and 2:

Safety - Strengthen NRC's efforts to protect public health and safety and the environment.

Security - Strengthen NRC's security efforts in response to an evolving threat.

Strategy 1-2:

Identify risk areas facing NRC's oversight of nuclear materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

Strategy 2-2:

Identify risks in emergency preparedness and incident response, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 2:

Regulation of nuclear materials and radioactive waste safety and security programs.

[3] The NRC classifies special nuclear materials and the facilities that possess them into three categories based upon the materials' potential for use in nuclear weapons, or their "strategic significance." The three categories are: Category I: High strategic significance; Category II: Moderate strategic significance; and Category III: Low strategic significance. The NRC's physical security requirements differ by category, with Category I facilities subject to more stringent requirements.

Audit of NRC's Use of Requests for Additional Information in Licensing Processes for Spent Nuclear Fuel

DESCRIPTION AND JUSTIFICATION:

The Division of Spent Fuel Management within the Office of Nuclear Material Safety and Safeguards (NMSS) develops and implements NRC's regulatory, licensing, and inspection program for the safe and secure storage of nuclear reactor spent fuel. To become licensed to store spent fuel safely, an entity must submit an application to NRC and, if applicable, respond to any requests for additional information (RAI) from NRC staff. RAIs are intended to help agency staff obtain information needed to make a regulatory decision that is fully informed, technically correct, and legally defensible. RAIs are necessary when the information was not included in an applicant's initial submission, is not contained in any other docketed correspondence, or cannot reasonably be inferred from the information available to agency staff.

During a 2015 audit on the oversight of spent fuel pools, OIG cited concerns about RAIs, including the amount of time it took to complete the RAI process and the resources required to conduct and review complex research and analyses requested through RAIs.

OBJECTIVE:

The objective of this audit is to assess the efficiency and effectiveness of NRC's use of requests for additional information during the spent fuel licensing process.

SCHEDULE:

Initiate in 4th quarter of FY 2020.

STRATEGIC GOAL 1:

Safety - Strengthen NRC's efforts to protect public health and safety and the environment.

Strategy 1-3:

Identify risk areas associated with NRC's oversight of high-level and low level waste, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 2:

Regulation of nuclear materials and radioactive waste safety and security programs.

Audit of NRC's Nuclear Power Surveillance Test Inspection Program

DESCRIPTION AND JUSTIFICATION:

NRC inspects surveillance testing of safety structures, systems, and components at commercial nuclear power plants. The purpose of these inspections is to evaluate licensees' surveillance testing activities and their effectiveness in demonstrating that plant systems are capable of performing intended safety functions consistent with their design and licensing bases. Failure to identify and resolve performance degradation of structures, systems, and components could result in long periods of unknown equipment unavailability.

Surveillance test inspections are performed in accordance with Inspection Procedure (IP) 71111.22, which requires inspectors to evaluate 14-22 samples annually per unit at each site.

Inspectors are to select risk- or safety-significant surveillance activities based on risk information.

Verification of activities under this procedure should focus on performance-based field observations of complete surveillance test evolutions, followed by verification of the bases and of the proper demonstration of performance that supports operability determinations. Additionally, once or twice a year, inspectors should consider conducting a vertical slice review of work activities on safety-significant systems to assess whether different aspects of the licensee's processes work effectively together (e.g., Maintenance, Operations, Risk Management, Scheduling, etc.).

OBJECTIVE:

The audit objective is to assess NRC's conduct of surveillance test inspection activities relative to IP 71111.22 requirements.

SCHEDULE:

Initiate in the 1st quarter of FY 2020.

STRATEGIC GOAL 1:

Strengthen NRC's efforts to protect public health and safety and the environment.

Strategy 1-1: Identify risk areas associated with NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1:

Regulation of nuclear reactor safety programs.

APPENDIX B

CORPORATE MANAGEMENT AUDITS PLANNED FOR FY 2020

Audit of NRC's Grants Pre-Award and Award Processes

DESCRIPTION AND JUSTIFICATION:

In Fiscal Year 2018 (FY18), NRC awarded grants totaling $15.5 million to universities for scholarships, fellowships, and faculty development grants. This figure also included grants to trade schools and community colleges. NRC intends grant funding to help support education in nuclear science, engineering, and related trades to develop a workforce capable of the design, construction, operation, and regulation of nuclear facilities and the safe handling of nuclear materials. The Office of Management and Budget requested NRC develop performance metrics for the grants program and require grantees to address those metrics in 6-month performance progress reports. While NRC's grant program supports over 500 students annually, it directs most grant money to university faculty and curriculum development. NRC also notes a critical workforce need in the trade and craft areas of nuclear education and observes that outreach to pre-college students is essential to enable students to make informed decisions about pursuing the study of nuclear technology.

OBJECTIVES:

The audit objectives are to determine if (1) NRC's policies and procedures for reviewing grants proposals and making awards comply with applicable federal regulations, and (2) internal controls over the pre-award and award process are adequate.

SCHEDULE:

Initiated in the 2nd quarter of FY 2018.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 5:

Management of corporate functions.

Audit of NRC's Compliance with Standards Established by the Digital Accountability and Transparency Act of 2014 (DATA Act)

DESCRIPTION AND JUSTIFICATION:

The Digital Accountability and Transparency Act of 2014 (DATA Act) was enacted May 9, 2014, and requires Federal agencies to report financial and payment data in accordance with data standards established by the Department of Treasury and the Office of Management and Budget. The data reported will be displayed on a Web site available to taxpayers and policy makers. In addition, the DATA Act requires Inspectors General (IGs) to review the data submitted by the agency under the act and report to Congress on the completeness, timeliness, quality and accuracy of this information. In accordance with the act, the IG issued an audit in November 2017 and plans to issue the next audits in 2019 and 2021. This audit pertains to the review of data sampled for FY 2019. The OIG audit report is due November 8, 2019.

OBJECTIVES:

The audit objectives are to review the 1st quarter data submitted by NRC under the DATA Act and (1) determine the completeness, timeliness, accuracy and quality of the data sampled and (2) assess the implementation of the governing standards by the agency.

SCHEDULE:

Initiated in the 3rd quarter of FY 2019.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 3:

Management of information and information technology.

Survey of NRC's Safety Culture and Climate

DESCRIPTION AND JUSTIFICATION:

In 1998, 2002, 2006, 2009, 2012, and 2015 OIG contracted with an international survey firm to conduct surveys that evaluated the organizational safety culture and climate of the agency's workforce and identified agency strengths and opportunities for improvements.

Comparisons were made to the previous surveys as well as to national and Government norms. In response to the survey results, the agency evaluated the key areas for improvement and developed strategies for addressing them.

A clear understanding of NRC's current safety culture and climate will facilitate identification of agency strengths and opportunities for improvement as it continues to experience significant challenges. These challenges include the licensing of new reactor facilities, operating under reduced budgets and realignment of program offices.

OBJECTIVES:

The survey objectives will be to

  • Measure NRC's safety culture and climate to identify areas of strength and opportunities for improvement.
  • Compare the results of this survey against the survey results that OIG previously reported.
  • Provide, where practical, benchmarks for the qualitative and quantitative findings against other organizations.

SCHEDULE:

Initiated in the 4th quarter of FY 2019.

STRATEGIC GOAL:

Addresses all strategic goals.

Strategy:

Addresses all strategies.

MANAGEMENT CHALLENGE:

Addresses all management challenges.

Audit of NRC's Fiscal Year 2019 Financial Statements

DESCRIPTION AND JUSTIFICATION:

Under the Chief Financial Officers Act, the Government Management and Reform Act, and OMB Bulletin 19-01, Audit Requirements for Federal Financial Statements, OIG is required to audit NRC's financial statements. The report on the audit of the agency's financial statements is due on November 19, 2019. In addition, OIG will issue a report on NRC's closing package financial statements.

OBJECTIVES:

The audit objectives are to

  • Express opinions on the agency's financial statements and internal controls,
  • Review compliance with applicable laws and regulations,
  • Review controls in NRC's computer systems that are significant to the financial statements,

SCHEDULE:

Initiated in the 4th quarter of FY 2019.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 4:

Management of financial programs.

Audit of NRC's Property Management Program

DESCRIPTION AND JUSTIFICATION:

It is the policy of NRC to manage property in its possession or agency property in its contractors' possession effectively and efficiently and to provide sufficient controls to deter or eliminate loss through fraud, waste, or misuse. NRC has an established property management program to account for and control property. The NRC Office of Administration, Directorate for Space Planning and Consolidation, administers the NRC space and property management program, including property records and inventory, redistribution and disposal, office space allocation, and ensuring compliance with Federal property management policies and regulations.

Government personal property is defined as any equipment, furniture, or supply items that are owned, leased, borrowed, donated, forfeited, transferred from another Federal agency, purchased with NRC funds, or otherwise in the possession or control of the NRC. Property management encompasses both capitalized and non-capitalized property. Capitalized property is any NRC-purchased property with an initial acquisition cost of $50,000 or more.

Non-capitalized property is NRC property with an initial acquisition cost of less than $50,000. During FY 2018, NRC managed roughly $65 million of capitalized property and purchased approximately $3 million of non-capitalized property tracked by the Office of Administration. In addition, a large percentage of IT equipment (i.e. laptops, phones, tablets) were removed from the Office of Administration's property database and are now maintained by the Office of the Chief Information Officer.

OBJECTIVE:

The audit objective will be to determine if NRC has established and implemented an effective system of internal controls for maintaining accountability and control of government property.

SCHEDULE:

Initiate in the 1st quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5:

Management of corporate functions.

Audit of NRC's Implementation of Enterprise Risk Management

DESCRIPTION AND JUSTIFICATION:

On July 15, 2016, the Office of Management and Budget (OMB) substantively updated OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control (OMB A-123). It includes Enterprise Risk Management (ERM) as a means to coordinate with strategic planning and strategic review established by the Government Performance and Results Modernization Act of 2010, and the internal control processes required by the Federal Managers' Financial Integrity Act and the Government Accountability Office's Standards for Internal Control in the Federal Government. This change to OMB A-123 is meant to integrate governance structure to improve mission delivery, reduce costs, and focus corrective actions toward key risks. Implementation of the revised OMB A-123 will engage all agency management beyond the traditional ownership of OMB A-123 by the Chief Financial Officer community. It requires leadership from the agency Chief Operating Officer and Performance Improvement Officer, and close collaboration across all agency mission and mission-support functions.

NRC revised its Management Directive 4.4, Enterprise Risk Management and Internal Control (MD 4.4), in December 2017 to address the updates to OMB A-123. MD 4.4 establishes the agency's ERM framework and provides a structured approach to managing risk that incorporates internal control, risk management, and enterprise risk management in the context of agency governance.

OBJECTIVE:

The audit objective will be to determine whether NRC's Enterprise Risk Management process is being implemented in accordance with OMB A-123.

SCHEDULE:

Initiate in the 2nd quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 5:

Management of corporate functions.

Audit of NRC's Knowledge Management Program

DESCRIPTION AND JUSTIFICATION:

Knowledge management is a discipline that promotes an integrated approach to identifying, capturing, evaluating, retrieving, and sharing an enterprise's information assets. These assets may include databases, documents, policies, procedures, and previously uncaptured expertise and experience in individual workers. However, efforts to reduce NRC's staffing and budget have raised knowledge management concerns affecting the performance of the agency. Additionally, OIG's recent management challenges reports note that a key NRC corporate support function challenge includes recruiting, training, and effectively transferring knowledge to NRC new hires.

OBJECTIVE:

The audit objective is to assess the effectiveness of NRC's knowledge management program in helping the agency capture and transfer knowledge for the purposes of meeting its mission.

SCHEDULE:

Initiate in the 2nd quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5:

Management of corporate functions.

Audit of NRC's Compliance with Improper Payment Laws

DESCRIPTION AND JUSTIFICATION:

An improper payment is (a) any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements, and (b) includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except for such payments where authorized by law), and any payment that does not account for credit for applicable discounts.

The Improper Payments Information Act of 2002 (IPIA), as amended by the Improper Payments Elimination and Recovery Act of 2010 (IPERA), requires each agency to annually estimate its improper payments. IPERA requires Federal agencies to periodically review all programs and activities that the agency administers and identify all programs and activities that may be susceptible to significant improper payments. In addition, IPERA requires each agency to conduct recovery audits with respect to each program and activity of the agency that expends $1,000,000 or more annually, if conducting such audits would be cost effective. Lastly, the Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA) amended IPIA by establishing the Do Not Pay Initiative, which directs agencies to verify the eligibility of payments using databases before making payments.

OBJECTIVES:

The audit objectives will be to assess NRC's compliance with the IPIA, as amended by the IPERA, and IPERIA, and report any material weaknesses in internal control.

SCHEDULE:

Initiate in the 2nd quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 4:

Management of financial programs.

Audit of NRC's Fiscal Year 2020 Financial Statements

DESCRIPTION AND JUSTIFICATION:

Under the Chief Financial Officers Act, the Government Management and Reform Act, and OMB Bulletin 19-01, Audit Requirements for Federal Financial Statements, OIG is required to audit NRC's financial statements. The report on the audit of the agency's financial statements is due on November 15, 2020. In addition, OIG will issue a report on NRC's closing package financial statements.

OBJECTIVES:

The audit objectives are to

  • Express opinions on the agency's financial statements and internal controls,
  • Review compliance with applicable laws and regulations,
  • Review controls in NRC's computer systems that are significant to the financial statements,
  • Assess the agency's compliance with Office of Management and Budget (OMB) Circular A-123, Revised, Management's Responsibility for Enterprise Risk Management and Internal Control.

SCHEDULE:

Initiate in the 3rd quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 4:

Management of financial programs.

Audit of NRC's Change of Station Program

DESCRIPTION AND JUSTIFICATION:

Within the Federal Government, a permanent change of station (PCS) is the transfer of an employee from one official work site to another or the assignment of a new appointee to their first assignment site on a permanent basis.

The Federal Travel Regulation (FTR), issued by the Administrator of General Services, governs, among other things, eligibility for relocation allowances (chapter 302), and permanent change of station allowances for subsistence and transportation expenses (Subchapter C). Much of the FTR, however, allows for agency discretion. NRC Management Directive 14.2, Relocation Allowances, provides NRC employees with the procedures, regulations, and requirements necessary to relocate to a permanent official duty station or to make a last move home and to claim reimbursement for the allowable expenses.

The agency's PCS obligations for FY 2018 and FY 2019 (as of September 3, 2019) were approximately $6 million and $5.6 million respectively. Total moves processed in FY 2018 and FY 2019 (as of September 3, 2019) totaled 58 and 54 respectively.

OBJECTIVE:

The objective of this audit is to determine whether NRC has established and implemented an effective system of internal control over the Permanent Change of Station Program.

SCHEDULE:

Initiate in the 3rd quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 4:

Management of financial programs.

Audit of NRC's Space Management in the Regions

DESCRIPTION AND JUSTIFICATION:

On September 23, 2016, the Government Accountability Office reported that the Federal Government continues to maintain excess and underutilized property. In FY 2015, Federal agencies reported more than 7,000 excess or underutilized real property assets. That stands in contrast to the Office of Management and Budget 2015 National Strategy for the Efficient Use of Real Property (National Strategy) and its companion policy, the Reduce the Footprint policy. The National Strategy is a three-step framework to improve real property management: freeze growth in the inventory; measure performance to identify opportunities for efficiency improvements through data driven decision-making; and ultimately reduce the size of the inventory by prioritizing actions to consolidate, co-locate, and dispose of properties.

Given the decrease in NRC's staffing, it is possible that NRC has not properly assessed its footprint in the NRC Regional Offices.

OBJECTIVE:

The objective of this audit will be to determine if NRC is efficiently using real property in the NRC regional offices.

SCHEDULE:

Initiate in the 4th quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1:

Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5:

Management of corporate functions.

Audit of NRC's Drug-Free Workplace Program Implementation

DESCRIPTION AND JUSTIFICATION:

The Federal Drug-Free Workplace Program is a comprehensive program to address illicit drug use by federal employees. On September 15, 1986, President Reagan signed Executive Order 12564, establishing the goal of a Drug-Free Federal Workplace. The Order made it a condition of employment that all Federal employees refrain from using illegal drugs on or off duty.

Because of NRC's national security and public health and safety responsibilities and the sensitive nature of its work, NRC has a compelling obligation to detect and eliminate illegal drug use from its workplace and has developed the NRC Drug-Free Workplace Plan. The most recent revision was published in August 2007. The NRC Drug-Free Workplace Plan includes awareness and education opportunities for all employees, information about drug testing and counseling, and provisions for rehabilitation for employees who use illegal drugs.

By 2008, NRC completed actions recommended by NRC OIG contained in Audit of NRC's Drug Testing Program, thus strengthening the drug testing program's effectiveness as a deterrent to illegal drug use. However, recent revisions to marijuana use laws, as well as the opioid epidemic, have raised national attention to the tragedies that result from illegal drug use.

OBJECTIVE:

The audit objective is to assess the effectiveness and efficiency of NRC's implementation of the NRC Drug-Free Workplace Program.

SCHEDULE:

Initiate in the 1st quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management: Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-2:

Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5:

Management of corporate functions.

Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2019

DESCRIPTION AND JUSTIFICATION:

The Federal Information Security Modernization Act was enacted in 2014. FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the Federal Government information and information systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

FISMA provides the framework for securing the Federal Government's information technology, including both unclassified and national security systems. All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget and Congress on the effectiveness of their security programs.

OBJECTIVE:

The evaluation objective will be to conduct an independent assessment of the NRC's FISMA implementation for Fiscal Year 2019.

SCHEDULE:

Initiated in the 4th quarter of FY 2019.

STRATEGIC GOAL 2:

Security: Strengthen NRC's security efforts in response to an evolving threat environment.

Strategy 2-1:

Identify risks involved in securing nuclear reactors, fuel cycle facilities, and materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 3:

Management of information and information technology.

Audit of the Information System Security Officer Function

DESCRIPTION AND JUSTIFICATION:

NRC relies heavily on its IT infrastructure and systems to carry out the agency's mission to license and regulate the Nation's civilian use of byproduct, source, and special nuclear materials to provide reasonable assurance of adequate protection of public health and safety, to promote the common defense and security, and to protect the environment. As a result, risks to these systems have a direct impact on the agency's ability to carry out its mission. As the number and sophistication of cyberattacks grow, so does the likelihood that NRC systems and assets will be susceptible to such attacks. The Information System Security Officers (ISSOs) have direct responsibility for protecting a system and its data and are responsible for ensuring that the system is properly secured in accordance with NRC and Federal policies and procedures. ISSOs play a critical role in addressing and offsetting risks to NRC systems. The ISSO is at the center of all information system security activities in all stages of a system's life cycle. The ISSO serves as the principal point of contact for questions about all aspects of a system's security.

OBJECTIVES:

The audit objectives are (1) to assess whether the ISSOs have the skills needed to perform the work, and (2) to determine the effectiveness of the ISSO function within the agency.

SCHEDULE:

Initiate in the 3rd quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management: Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-2:

Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 3:

Management of information and information technology.

Audit of NRC's Implementation of the Federal Information Technology Acquisition Reform Act (FITARA)

DESCRIPTION AND JUSTIFICATION:

In December 2014, Congress enacted the Federal Information Technology Acquisition Reform Act (FITARA) to promote Federal information technology (IT) modernization and strengthen the Federal IT workforce. Beginning in 2015, the Office of Management and Budget (OMB) issued guidance to assist agencies in establishing management practices that align IT resources with agency missions, goals, programmatic priorities, and statutory requirements. The Government Accountability Office (GAO) has issued periodic scorecards to assess agencies' progress toward IT modernization goals in several key areas, assigning grades of A to F. NRC has implemented changes in and made several improvements to IT management processes. However, NRC's overall grade on the GAO scorecard has never exceeded a C, and most recently dropped to a D-. NRC's IT acquisitions program may not meet statutory requirements or promote efficient operations if the rating further declines.

OBJECTIVE:

The audit objective is to determine whether NRC's IT acquisition program implementation meets statutory requirements and achieves the goals of FITARA.

SCHEDULE:

Initiate in the 1st quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management: Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-2:

Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 3:

Management of information and information technology.

Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2020

DESCRIPTION AND JUSTIFICATION:

The Federal Information Security Modernization Act was enacted in 2014. FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the Federal Government information and information systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

FISMA provides the framework for securing the Federal Government's information technology, including both unclassified and national security systems. All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget and Congress on the effectiveness of their security programs.

OBJECTIVE:

The evaluation objective will be to conduct an independent assessment of the NRC's FISMA implementation for Fiscal Year 2020.

SCHEDULE:

Initiate in the 3rd quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management: Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-2:

Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 3:

Management of information and information technology.

APPENDIX C

INVESTIGATIONS - PRIORITIES, OBJECTIVES, AND INITIATIVES FOR FY 2020

INTRODUCTION

The Assistant Inspector General for Investigations (AIGI) has responsibility for developing and implementing an investigative program that furthers OIG's objectives. The AIGI's primary responsibilities include investigating possible violations of criminal statutes relating to NRC programs and activities, investigating allegations of misconduct by NRC employees, interfacing with DOJ on OIG-related criminal matters, and coordinating investigations and OIG initiatives with other Federal, State, and local investigative agencies and other AIGIs.

Investigations covering a broad range of allegations concerning criminal wrongdoing or administrative misconduct affecting various NRC programs and operations may be initiated as a result of allegations or referrals from private citizens; licensee employees; NRC employees; Congress; other Federal, State, and local law enforcement agencies; OIG audits; the OIG Hotline; and proactive efforts directed at identifying potential for fraud, waste, and abuse.

This investigative plan was developed to focus OIG investigative priorities and use available resources most effectively. It provides strategies and planned investigative work for FY 2020 in conjunction with the OIG Strategic Plan. The most serious management and performance challenges facing the NRC, as identified by the IG, were also considered in the development of this plan.

PRIORITIES

The OIG will initiate approximately 40 investigations, including Event/Special Inquiries, in FY 2020. As in the past, reactive investigations into allegations of criminal and other wrongdoing will continue to claim priority on OIG's use of available resources. Because NRC's mission is to protect public health and safety and the environment, Investigations' main concentration of effort and resources will involve investigations of alleged NRC employee misconduct that could adversely impact public health and safety related matters.

OBJECTIVES

To facilitate the most effective and efficient use of limited resources, Investigations has established specific objectives aimed at preventing and detecting fraud, waste, and abuse as well as optimizing NRC effectiveness and efficiency. Investigations will focus its investigative efforts in a number of areas, as follows, which include possible violations of criminal statutes and administrative violations relating to NRC programs and operations and allegations of misconduct by NRC employees.

INITIATIVES

Safety and Security

  • Investigate allegations that NRC employees improperly disclosed allegers' (mainly licensee employees) identities and allegations; NRC employees improperly handled alleger concerns; and NRC failed to properly address retaliation issues involving NRC management officials and/or NRC licensee employees who raised public health and safety or security concerns regarding NRC activities.
  • Investigate allegations that NRC has not maintained an appropriate arm's-length distance from licensees and contractors.
  • Investigate allegations that NRC employees released predecisional, proprietary, or official-use-only information.
  • Investigate allegations that NRC employees had improper personal relationships with NRC licensees and where NRC employees violated government-wide ethics regulations concerning the solicitation of employment with NRC licensees.
  • Interact with public interest groups, individual allegers, and industry workers to identify indications of lapses or departure in NRC regulatory oversight that could create safety and security problems.
  • Maintain close working relationships with members of the intelligence community to identify and address vulnerabilities and threats to the NRC.
  • Conduct Event and Special Inquiries into specific events that indicate an apparent shortcoming in NRC's regulatory oversight of the nuclear industry's safety and security programs to determine the appropriateness of the staff's actions to protect public health and safety.
  • Proactively review and become knowledgeable in areas of NRC staff regulatory emphasis to identify emerging issues that may require future OIG involvement, such as decommissioning activities. Also provide real-time OIG assessments of the appropriateness of NRC staff's handling of contentious regulatory activities related to nuclear safety and security matters.
  • Identify risks associated with the proliferation of nuclear material and nuclear technology.

  • Coordinate with NRC staff to protect NRC's infrastructure against both internal and external computer intrusions.
  • Investigate allegations of misconduct by NRC employees and contractors, as appropriate.

Corporate Management

  • Attempt to detect possible wrongdoing perpetrated against NRC's procurement and contracting and grant program by maintaining a close working relationship with the Office of Administration, Division of Contracts and cognizant NRC Program Offices.
  • Conduct investigations appropriate for Program Fraud Civil Remedies Act action, including abuses involving false reimbursement claims by employees and contractors.
  • As appropriate, coordinate with OIG Audit IAMs to identify areas or programs with indicators of possible fraud, waste, and abuse.
  • Conduct fraud awareness and information presentations for NRC employees and external stakeholders regarding the role of NRC OIG.
  • As appropriate, investigate allegations of misconduct by NRC employees and contractors.

OIG Hotline

  • Promptly process complaints received via the OIG Hotline. Initiate investigations when warranted and properly dispose of allegations that do not warrant OIG investigation.

Freedom of Information Act (FOIA) & Privacy Act

  • Promptly process all requests for information received under FOIA. Coordinate as appropriate with the General Counsel to the IG and FOIA/Privacy Section.

NRC Support

  • Participate as observers on Incident Investigation Teams and Accident Investigation Teams as determined by the IG.

Liaison Program

  • Maintain close working relationships with other law enforcement agencies, public interest groups, and the Congress. This will be accomplished through periodic meetings with AIGIs, pertinent congressional staff, public interest groups, and appropriate law enforcement organizations.
  • Maintain a viable regional liaison program to foster a closer working relationship with NRC regional offices.
  • Establish and maintain NRC OIG active participation in OIG community fraud working groups, multiagency fraud task forces, and multiagency undercover operations where a nexus to NRC programs and operations has clearly been established.

ALLOCATION OF RESOURCES

Investigations undertakes both proactive initiatives and reactive investigations.

Approximately 85 percent of available investigative resources will be used for reactive investigations. The balance will be allocated to proactive investigative efforts such as reviews of NRC contract files, examinations of NRC information technology systems to identify weaknesses or misuse by agency employees, participation in interagency task forces and working groups, reviews of delinquent Government travel and purchase card accounts, and other initiatives.

APPENDIX D

ISSUE AREAS AND DESIGNATED ISSUE AREA MONITORS

Nuclear Materials (Safety and Security)

Michael Blair, Kristen Lipuma, Roxana Hartsock, Deyanara Gonzalez Lainez, Janelle Wiggs, Stephanie Dingbaum, Connor McCune

REACTOR SAFETY

Avinash Jaigobind, Ebaide Esoimeme, Tim Wilson

REACTOR SECURITY AND EMERGENCY PREPAREDNESS

Amy Hardin, Chanel Stridiron

FINANCIAL

Eric Rivera, Felicia Silver, Curtis Brown, Jenny Cheung

INFORMATION TECHNOLOGY

Eric Rivera, Terri Cooper, Jimmy Wong, Jenny Cheung, William Chung, Mathew Soares

NRC Corporate Support Functions

Ziad Buhaissi, Tincy Thomas de Colón, Vicki Foster, Ashley Garrett, George Gusack, Regina Revinzon

APPENDIX E

ABBREVIATIONS AND ACRONYMS

  • ADAMS: Agencywide Document Access Management System
  • AIGA: Assistant Inspector General for Audits
  • AIGI: Assistant Inspector General for Investigations
  • CFR: Code of Federal Regulations
  • COR: Contracting Officer's Representative
  • DATA: Digital Accountability and Transparency Act
  • DOJ: U.S. Department of Justice
  • DPO: Differing Professional Opinion
  • EP: Emergency Preparedness
  • FISMA: Federal Information Security Modernization Act
  • FTR: Federal Travel Regulation
  • FITARA: Federal Information Technology Acquisition Reform Act
  • FY: Fiscal Year
  • GAO: Government Accountability Office
  • IAM: Issue Area Monitor
  • IG: Inspector General
  • IMPEP: Integrated Materials Performance Evaluation Program
  • IP: Inspection Procedure
  • IPAC: Intra-Government Payment and Collection
  • IPERA: Improper Payments Elimination and Recovery Act of 2010
  • IPERIA: Improper Payments Elimination and Recovery Improvement Act of 2012
  • IPIA: Improper Payments Information Act of 2002
  • ISSO: Information System Security Officer
  • IT: Information Technology
  • LAR: License Amendment Request
  • MC&A: Material Control and Accounting
  • MD: Management Directive
  • NMSS: Office of Nuclear Material Safety and Safeguards
  • NOED: Notices of Enforcement Discretion
  • NRC: U.S. Nuclear Regulatory Commission
  • OIG: Office of the Inspector General
  • OMB: Office of Management and Budget
  • PCS: Permanent Change of Station
  • RAI: Request for Additional Information
  • RES: Office of Nuclear Regulatory Research
  • RSO: Radiation Safety Officers
  • RPS: Reactor Program System
  • RRPS: Replacement Reactor Program System
  • SNM: Special Nuclear Material
  • TOC: Table of Contents