Text

_

pa rano.

2 8V y.' jj}. %

UNITED STATES

, i NUCLEAR REGULATORY COMMISSION l

{.5,fff S /J WASHINGTON, D C. 20555 j

Jamary 7,1994 CHAIRMAN The Honorable Thomas S.

Foley Speaker of the United States House of Representatives Washington, D.C.

20515

Dear Mr. Speaker:

The Nuclear Regulatory Commission has evaluated itc management control and financial management systems for the fiscal year ending September 30, 1993, as required by the Federal Managers' Financial Integrity Act of 1982 (FMFIA).

The Commission believes this evaluation provides reasonable assurance that the NRC, as a whole, is in compliance with Sections 2 and 4 of the FMFIA.

We have four material weaknesses that, when considered together, are not sufficiently serious to prevent overall assurance that the NRC is in compliance with the FMFIA.

The NRC performed 19 management control reviews in FY 1993.-

Licensing and inspection programs reviewed included power reactor license maintenance and safety evaluations, early site permit

)

regulations and reviews, and high-level waste repository prelicensing.

Research programs reviewed. included generic safety issue resolution, high-level waste research, and earth sciences j

and reactor plant responses to seismic and other external events.

Administrative and other support areas reviewed included property management, document control dissemination and information, and telecommunications support.

The NRC's evaluation of management controls was performed in accordance with office'of Management and Budget (OMB) " Guidelines for the Evaluation and Improvement of and Reporting on Internal Control Systems in the Federal Government," dated December 1982, as required by OMB Circular A-123, " Internal Control Systems."

In FY 1992, we reported four material weaknesses.

The NRC took corrective action in FY 1993 to resolve two of these weaknesses involving the NRC's general ledger and the approval process for reimbursement for work performed by Department of Energy (DOE) national laboratories.

We expect to complete corrective action on the two remaining material weaknesses, computer security and management of DOE national laboratory agreements,-in calendar year 1994.

9401310282 940107 PDR COMMS NRCC CORRESPONDENCE PDR

2 i

In FY 1993, the Inspector General designated two additional areas as material weaknesses.

The'first weakness involves compliance with the Department of Treasury requirement to bill licensees within five business days after services are rendered.

Billing our licensees for fees for NRC services within five business days is not feasible or cost effective.

Therefore, NRC will seek a waiver from the Department of the Treasury for this requirement.

The second material weakness relates to audit coverage of DOE national laboratories.

The NRC Inspector General found that, because of a lack of audit coverage at the national laboratories by the DOE's Office of Inspector General, the DOE Inspector General was unable to provide assurance to NRC that monies spent by DOE and DOE Management and Operating Contractors on NRC's behalf were expended in conformance with applicable laws and regulations.

DOE has reported this as a material weakness.

Remedy of this weakness is outside the control of the NRC.

The NRC has four financial systems.

In FY 1993, the NRC performed a catailed review of its accounts receivable system and more limited reviews of its portion of the Federal Financial System (FFS), the payroll system, and the allotment / financial plan system.

These evaluations were performed in accordance with OMB " Guidelines for Evaluating Financial Management / Accounting Systems," dated May 1985, as required by OMB Circular A-127,

" Financial Management Systems."

The NRC identified no material non-conformances during these reviews.

The Department of the Treasury is reporting a material non-conformance in FFS, a system that NRC uses through an interagency agreement with the Department of the Treasury.

The material non-conformance results from the lack of adequate disaster recovery capabilities, in the event of a natural disaster, of the Data Center located in Hyattsville, Maryland.

This non-conformance is beyond the control of the NRC, and we understand that the Department of the Treasury will correct this inadequacy in FY 1994.

Additionally, NRC han one area of concern that we are carefully monitoring.

The General Accounting Office (GAO) pointed out a number of areas in the nuclear materials program that need improvement.

This program is implemented by NRC and the 29 Agreement States.

NRC has a comprehensive evaluation program for reviewing the adequacy of both NRC and Agreement State material licensing inspection programs.

We are taking actions to improve our ability to document the results of our evaluations and to ensure timely corrective actions of identified problems.

)

1 3

In FY 1993, the NRC continued to strengthen its management

{

control program, We improved instructions for performing risk.

assessments and management control reviews.

Through a study of l

our management control program, we identified the need for increased involvement of senior level managers, additional emphasis on programmatic controls, and a process that encourages i

more self-examination and reporting of management control weaknesses.

In December 1993, the Executive Director for Operations established an Executive Committee to evaluate various I

aspects of the management control program and to determine the best management control process for the agency.

I The results of our continuing evaluation are discussed in the enclosures.

Respectfully,

(

Kenneth C.

Rogers Acting Chairman

]

Enclosures:

i A.

Statistical Summary of Performance B.

Progress Report on High Risk Areas C.

Material Weaknesses--Schedule of Corrective Actions D.

Material Non-conformances--Schedule of Corrective Actions l

i I

I l

ENCLOSURE A STATISTICAL

SUMMARY

OF PERFORMANCE S e c t; io n_2, Internal Control Number of Material Weaknesses For that year, For that year, Number reported for number that have number still the first time in:

been corrected:

pending:

Prior Years 1

1 0

1991 Report 0

0 0

1992 Report 4

2 2

i 1993 Report 2

0 2

Ot the total number corrected, two were corrected in 1993.

Section 4,

Financial Management Systems Number of Material Non-Conformances For that year, For that year, Number reported for number that have.

number still

'the first time in:

been corrected:

pending:

Prior Years 0

0 0

i 1991 Report 0

0 0

1992 Report 0

0 0

1993 Report 0

0 0

i l

.. \\

.l x

4 i

Et1 CLOSURE B i

i l

PROGRESS REPORT ON HIGH RISK AREAS i

I IIRC has no designated high risk areas.

.I i

(

8 i

?

1 P

i I

i i

[

t I

t i

l J

I l

f s

i i

[

.t i

f k

'I l

i e

,,ww

.-.--....--.o

,-.w.

w w

..e e,+

,-v-.

+,. -,,

,---r-.

, +,

m-

.-%,-,..w, w - m v.e.

ENCLOSURE C SECTION 2, MATERIAL WEAKNESSES - SCHEDULE OF CORRECTIVE ACTIONS Summary / Table of Contents Target date Current for correction target Year first in 1992 FMFIA date for Title reported Report

' correction.

Page Controls for Management of 1992 September 1993 April 1994 2

Department of Energy (DOE)

National Laboratory Agreements DOE 01tice of Inspector General 1993 Mot Applicable Not Applicable 5

Audit Coverage of DOE National Laboratories Compliance of Computer Security 1992 September 1995 December 1994 7

Program with OMB Circular A-130 Written Waiver trom Department of 1993 Not Applicable September 1994 10 Treasury Requirement to Bill Licensees Within Five Business Days After Services Are Rendered i

l Process for Approving 1992 December 1992 Corrected 12 Payments to the-Department i

of Energy Laboratories j

Controls in NRC's General 1992 September 1993 Corrected 15 Ledger I

ll u

l

.1

Title _and_ Description of Material Weakness l

l "controla lor Ma naye nt :n t ot !)i:tu t t went 01 Enet yy (1101;) National 1.a liu ra t o r y Agreements" During a 1991 review of the NRC's agreements with DOE laboratories, the NRC's Office of Administration staff identified contract management practices in the NRC program offices that required improvement to adequately protect the NRC's business interests.

The NRC's project files did not reflect adequate analysis of proposed contractor costs or effective project monitoring.

The reviewers found that the agency needs to institute better control over these projects to ensure that required goods and services are obtained at reasonable prices.

Deficiencies identified during the review were attributed to the lack of an agency-wide standard'for contract management.

Pace of Corrective Action Year Identified:

1991 (The NRC identified the weakness and reported it in the 1991 FMFIA report, but it was not determined to be a material weakness until 1992.)

Original Targeted-Correction Date:

October 1992 Correc. tion Date in Last Yect's Report:

September 199?

Current Correction Date*

April.1994 i

j Reason for Change in Dates:

To ensure that the corrective actions were cost-effective, the management directive to implement the corrective actions was pilot-tested in the Office of. Nuclear Regulatory Research.

The Directive was revised on the basis'of experience gained from the project and to address office comments.

k HOSPpnsiple. Program Manager Patricia Harry, Director

' Office of Administration 1

I 2

b

-..a..

.m -

m-mm m

- *e-a

-w--

ss

__r__m m

v m, cv=~

-m3-oe,ayw o vy u

w e

n.ac-

+-w,--

a rwaw w

r w-f-

Source of Discovery NRC's Ottice of Administration management review of DOE national laboratory I

agreements dated September 6,

1991.

hppropriation/ Account No.

31XO200 Validation Process Used A management control review of the NRC's management of DOE national laboratory dgreements has been scheduled for FY 1995.

Results Indicato_rs Procedures for negotiating and managing agreements with DOE laboratories are consistent with sound business practices and contracting principles.

Uniform application of an agency-wide standard of contract management exists for projects placed with DOE.

A tramework exists for program management, control, administration, and monitoring OL projects placed with DOE.

i i

3 o

.m..,., _ ~,.,,.,..,. -.,..

..e

+

.,,c.,

,e....

u,

4 1 h

=-

t 4

Major Milestones Original Revised Actual Plan Plan Date (a)

Completed Actions / Events Issue interim agency-wide standards for 12/03/92 contract management for DOE laboratory

'g agreements for guidance and comment 1

(b)

Planned Actions / Events (Less than 12 months)

Submit draft directive to the Department 12/30/93 of Energy for comment Issue tinal agency-wide standards 10/01/92 4/15/94 for contract management of DOE laboratory agreements (c)

Planned Actions / Events (More than 12 months) flone 4

4 e

a

=

w

-es r-

--,+-e m-

.a.w--.

..u.

w-

-%-g

.w, v.

T_itle and Description'of Material Weakness I

" DOE Ottice of Inspector General Audit Coverage of DOE National Laboratories" During an independent audit of NRC's FY 1992 financial statements, the NRC Office of Inspector General (OIG) contract auditor found that the DOE Inspector General.was not able to provide adequate assurance that costs reported and reimbursed to DOE ~ meet i

applicable laws and regulations in that the DOE OIG, the cognizant audit agency, could not provide assurance relating to audit coverage for $109 million included in flRC's. financial statements.1 i

Pace of Corrective Action Year Identified:

1993 Original Targeted Correction Date:

Not Applicable.

Corrective action is the-responsibility of the DOE ~ Inspector General and is not within the control of NRC.

Correction Date in Last Year's Report:

Not Applicable Current Correction Date:

Not Applicable Reason for Change in Dates:

Not Applicable Responsible Procram Manager Ronald M.

Scroggins Deputy Chief Financial Officer / Controller

~

Source of Discovery liniependent.Auditoru' He po r t.

on NHC's 1992 Annual F i na ns! i a l Statements dat.ed May 28, 1993.

l l

"The Department of Energy has reported inadequate audit coverage of the Department's contract expenditures as a material weakness.

5 4

=

v-

~m

..-,e

..is r,.

5 Apprgpriatigp/Accgunt_Ng,

~

31XO200 Validation Process Used Review of DOE audit plan and reports to ensure adequate audit coverage of NRC activities.

i Results Indicators

- t Audit coverage is adequate to permit an independent auditor of HRC's annual financial statements to make a determination that the costs reported and reimbursed to DOE meet applicable laws and regulations.

Ma3gr Milestones i

original Revised Actual Plan Plan Date i.

(a)

Completed Actions / Events Initiate discussions with the DOE Office of 9/93 Inspector General IIRC has been advised that the DOE IG has 12/93 developed an audit strategy to address this problem (b)

Planned Actions / Events-(Less than 12' months)

Ilone (c)

Planned Actions / Events (More than 12 months)

None 6

6 o

. ~..

+- -.

,.-,.~ee--r,.+

.-,,..ww-w-...

• --.--c..-s,

..e-m m

m=--=-we-U.-.--

r-e

-.-m

---...m.-

I ul Title _and_D_escription of Material Weakness "Coiap i i a nce of Computer Sectarity Program with OMB Ciretilar A-130" The IIRC's computer security program has not met all the requirements of Office of Management and Budget (OMB) Circtilar tio. A-130, " Management of Federal I n f o rma t. i on Resources."

Pace of Corrective Action Year Identified:

1992 Original Targeted Correction Date:

September 1995 i

Correction Date in Last Year's Report:

September 1995 t

Current Correction Date:

December 1994 Reason for Change in Dates:

Corrective action progressed more quickly than originally expected.

Responsible Program Manager Gerald F.

Cranford, Director Office of Information Resources Management Source of Discovery Draft OIG Audit Report, OIG/92A-18, "Significant Weaknesses llamper NRC's Computer Security Program," dated October 13,- 1992.

7 t

l

.a

.__s

~,:

r

~

~.

Appropriation / Account No.

31XO200

' Validation Process Used

?

^i Agency-wide practices will be reviewed to ensure conformance with the standard.

procedures that have been issued and that provide for the inclusion of security requirements in the system development process.

Statements of work for sensitive system development will be reviewed to ensure that appropriate security requirements language is included.

'i Periodically, all agency systems will be' reviewed to determine which ones process sensitive data and whether a security plan has been written and certification and accreditation performed.

Besults Indicators Sensitive systems will have written security plans and documented certifications and

-i accreditations.

Major _Hilestones original Revised Actual Plan Plan Date (a)

Completed Actions / Events i

Develop detailed action plan to correct 1/31/93 1/31/93 weaknesses i

3 Develop standard procedures that include 2/28/93 2/12/93 security requirements in the system lifecycle development process.

q i

8

Major Milestones 1 continued)_

Original Revised Actual.

Plan Plan Date Develop methodology for certification and 2/28/93 3/31/93 accreditation process Modify-in-house software development guidance 4/15/93 2/12/93-to reflect security requirements issue contract to begin certitication and 8/31/93 5/5/93 accreditation (b)

Planned Actions / Events (Less than 12 months)

Certification and accreditation of first 4/30/94 2/28/94 major system Certification and accreditation of second 1/31/95 2/28/94 major system

)

Certification and accreditation of third 9/30/95 2/28/94 major system certification and accreditation _of remaining 12/31/94 l

1 mini-computer and mainframe applications

{c)

Planned Actions / Events (More than 12 months) 11one il 9

Title and Description of Material Weakness

" Written Waiver from the Department of Treasury of Requirement to Bill Licensees Within Five Business Days After Services Have Been Rendered" In correspondence and discussions with representatives from the Department of the Treasury in 1990, the controller explained that NRC's billing cycle does not incur additional interest expense to Treasury, and that while the NRC would continue to pursue measures that could shorten the billing cycle, the agency could not justify j

extraordinarily costly measures to do so.

However, the NRC has not sought a written waiver of the five-day billing requirement ~from the Department of the Treasury.

The NRC's fee billing practice was reviewed in FY 1992 as part of an ongoing effort to improve-financial management practices, and 10 CFR 170 was modified to change from six-month billing intervals to quarterly intervals.

Pace of Corrective Action Year Identified:

1993 Original Targeted correction Date:

Not Applicable Correction Date in Last Year's Report:

Not Applicable Current Correction Date:

September 1994 Reason for Changs in Dates:

Not Applicable Responsible Procram Managers Ronald M.

Scroggins Deputy Chief Financial Officer / Controller 10 4

4 m..-

Source of Discovery Independent Auditors' Report on 11RC's 1992 Annual Financial Statements dated May 28, 1993 Appropriation / Account No.

l t

31XO200 4

i Validation Process Used a

Not Applicable Results Indicators Receipt of written waiver of five-day billing requirement from the Department of Treasury Maior Milestones Original Revised Actual Plan Plan Date (a)

Completed Actions / Events

- l None (b)

Planned Actions / Events (Less than 12 months)

Request waiver of five-day billing requirement 3/31/94 from the Department of Treasury (c)

Planned Actions / Events (More-than 12 months) 13cne L

1 11 a

-.-. m 2

m m-r-

-=

e

--,---w e'e

+v*--

o

->~o, ey

-r4

.m

r Title and Description of Material Weakness

" Process for Approving Payments to the Department of Energy Laboratories" A significant number and amount of On-Line Payment and Collection System (OPAC).

payments of the Department of Energy (DOE) vouchers had not received postpayment review and approval by the NRC's Office of Research since about 1986.

An internal i

quality control process is needed to ensure that DOE vouchers are reviewed and approved by the NRC's program offices to ensure the reasonableness of the Department of Treasury's OPAC billings.

Pace of Corrective Action Year Identified:

1992 Original Targeted Correction Date: -September 1992 5

correction Date in Last Year's Report:

December 1992 Current Correction Date:

Completed July 1993 Reason for Change in Dates:

All actions, including the bulk of the review of vouchers from October 1988 through March 1992, were completed by December 1992.

However the review of the final one percent (approximately $2.4M) took longer than originally unticipated because of the time needed to retrieve archived materials and 3

because a number of vouchers had to be. reviewed by personnel not familiar with the work conducted owing to personnel attrition.

The number of incorrect or unsubstantiated billings was found to be comparatively insignificant, and no evidence of waste, fraud, or abuse was detected.

Because.the population of DOE vouchers for FY 1986 through FY 1988 would not be significantly different from the population reviewed, the NRC concluded that the amount paid to DOE through OPAC.for the period October 1985 through September'1988 represents a reasonable and proper expenditure of funds and discontinued further review of backlogged vouchers.

r 9

12

___-,s._

[

~

v, Responsible Program Manacers Eric Deckjord, Director, Office of Research Ronald M.

Scroggins, Deputy Chief Financial Officer / Controller Source of Discovery OIG Audit Report OIG/92A-08, Improvements Needed in NRC's Process for Approving t

Payments to the Department of Energy,"' dated August 31, 1992 y

Appropriatig fAccount No.

I 31X0200 i

validat. ion Process Used A nanagement control review of the payment approval process has been scheduled for FY.

1994.

Results Indicators DOE vouchers are reviewed and approved.in accordance with agency policy and procedures.

3 Approved vouchers are on file to support DOE payments.

i r

i 13 4

2

.~

m

...m.

m m

-. mm m--.

+ -

e w

-ce=

Major Milestones Original Revised Actual Plan Plan Date (a)

Completed Actions / Events Review and approve DOE vouchers on a 9/9/92 9/30/92 timely basis

[

Issue. guidance to the Office of Research 7/8/92 10/5/92 in the form of office letters to supplement existing agency regulations and clearly identify the responsibilities of project managers Institute procedures in the Offices of Research 9/9/92 11/4/92 as.d the Controller for ensuring that DOE vouchers are promptly reviewed, approved, and returned to the Division of Accounting Issue interim agency-wide standards for 13/ A 12/3/92 contract management-for DOE laboratory agreements for guidance and comment Complete review of prior years' vouchers 9/9/92 12/31/92 7/31/93 (b)

Planned Actions / Events (Less than 12 months) f r

None (c)

Planned Actions / Events (More'than 12 months) fione i

i

=

a 14

[

l 1

.. +

4 Title and Description of Material Weakness

" Controls in NRC's General I. edger" The Inspector General (IG) discussed internal control deficiencies in reporte on the general ledger issued.in November and December of 1992.

In classifying the general ledger as a material weakness, the IG noted that these deficiencies include NRC's failure to reconcile the general ledger with subsidiary ledgers, the failure to obtain approval from the originating branch before making adjustments to the general ledger, and incompatible financial systems.

In FY 1993, the general ledger accounting system was replaced by the' Federal Financial System (FFS) through an interagency agreement with the Department of Treasury.

Experience with FFS for one year provides reasonable assurance that the system is operating as intended.

The system provides extensive, useful information to users.

FFS conforms with the objectives detailed in OMB's Financial Management and Accounting Objectives.

As a result of-the corrective actionsaken, the general

.^

c ledger is no longer considered a material weakness.

3dditional information regarding interfaces and reconciliations of subsidiary systems with the general ledger is provided in the following section titled " Validation Process Used."

Pace of Corrective Action Year Identified:

1992 Original Targeted Correction Date:

September 1993 Correction Date in Last Year's Report:

September 1993 Current Correction Date:

Completed September 1993 Reason for. Change in Dates:

Not Applicable 1

15

Responsible Program Manager Ronald M.

Scroggins, Deputy Chief Financial Officer / Controller Source of Discovery OIG Report, "Heport on General Ledger Controls," dated November 27, 1992, and draft OIG Report.

"P -19w of NRC's Implementation of the Federal Managers' Financial Integrity Ac sc 992," dated December 7, 1992.

Appropr ia tionIAccot ;'-

31X0200 Validation Process Used An evaluation of FFS has been completed with-the exception of year-end processing, which will be evaluated by December 31, 1993.

FFS provides for full integration between subsystems and the general ledger.

Travel accounting was fully integrated into FFS in FY 1993, precluding the neceseity for corrective actions noted in the 1992 FMPIA report.

Three subsidiary systems were not integrated during the initial implementation.

Manual interfaces continue between FFS and accounts receivable for some of NRC's fees, payroll, and property.

Complete integration of accounts receivable is planned for implementation before the end of FY 1994.

A payroll interface will be implemented in conjunction with implementation of a payroll / personnel system ~ planned for 1996.

Until.these subsidiary systems are integrated, the integrity.of the data in the general ledger will be assured.through monthly reconciliations.

Policies and procedures for reconciling-property management records to the general ledger will be phased in and completed during FY 1994.

FFS tully supports the accounts payable function and complies with the Prompt Payment Act requirements.

l 16 l'

..--m.~..

.~

Results Indicators The general ledger is reconciled with subsidiary ledgers.

Approval is obtained from the originating branch before making adjustments to the general ledger.

Financial systems are compat.ble.

Major Milestones Original Revised Actual Plan Plan Date (a)

Completed Actions / Events Review OIG reports on the general ledger 3/31/93 2/12/93 and develop action plan to address the reports' findings and recommendations associated with the material weakness (b)

Planned Actions / Events (Less than 12 months) lione (c)

Planned Actions / Events (More than 12 months)

!Jone 17

8-t ENCLOSURE D SECTION 4, MATERIAL NON-CONFORMANCES - SCHEDULE OF CORRECTIVE ACTIONS NRC has no material non-conformances.

l

[

h n

- k

"' I

_______.__i______._. _ _ _. _. _. _ - -.. _ _ _ ~ _, _ _ =.

m.m.m

. m m..

m-m v.

..m.

=.m.

.m m.

m m-w

-#I