Oig'S Fy 2022 Annual Plan for NRC Dated October 27th, 2021

ML21300A177
Person / Time
Issue date:	10/27/2021
From:	Feitel R NRC/OIG, OIG Watch
To:
References
Download: ML21300A177 (54)
v • d • e

Text

Office of the Inspector General U.S. Nuclear Regulatory Commission Annual Plan Fiscal Year 2022

FOREWORD I am pleased to present the Office of the Inspector Generals (OIG) fiscal year (FY) 2022 Annual Plan for our work pertaining to the U.S. Nuclear Regulatory Commission (NRC). The Annual Plan provides the audit and investigative strategies and associated summaries of the specific work planned for the coming year. In addition, it sets forth the OIGs formal process for identifying priority issues and managing its workload and resources for FY 2022. Effective April 1, 2014, the NRC OIG was also Robert J. Feitel assigned to serve as the OIG for the Defense Nuclear Facilities Safety NRC and DNFSB Board (DNFSB); a separate document contains the OIGs annual plan for Inspector General our work pertaining to that agency.

The NRCs mission is to license and regulate the nations civilian use of radioactive materials to provide reasonable assurance of adequate public health and safety protection, promote common defense and security, and protect the environment. The OIG is committed to overseeing the integrity of the NRCs programs and operations. Developing an effective planning strategy is a critical aspect of accomplishing this commitment. In addition, such planning ensures that the OIG uses audit and investigative resources efficiently.

The OIG prepared this Annual Plan to align with the OIGs Strategic Plan for FYs 2019-2023, which is based, in part, on an assessment of the strategic challenges facing the NRC.

The Strategic Plan identifies the OIGs priorities and establishes a shared set of expectations regarding the goals we expect to achieve and the strategies we will employ over that timeframe. The OIG based this Annual Plan on the foundation of the Strategic Plan and the Inspector Generals Assessment of the Most Serious Management and Performance Challenges Facing the Nuclear Regulatory Commission in Fiscal Year 2022. The OIG sought input from Congress, NRC Commissioners, and NRC headquarters and regions in developing this Annual Plan.

We have programmed all available resources to address the matters identified in this plan.

This approach maximizes the use of our resources. However, it is sometimes necessary to modify this plan as circumstances, priorities, or resources warrant in response to a changing environment.

Robert J. Feitel Digitally signed by Robert J. Feitel Date: 2021.10.27 11:28:45 -04'00' Robert J. Feitel Inspector General

TABLE OF CONTENTS MISSION AND AUTHORITY ........................................................................................................... 1 PLANNING STRATEGY .................................................................................................................. 3 AUDIT STRATEGY ......................................................................................................................... 4 INVESTIGATION STRATEGY......................................................................................................... 4 PERFORMANCE MEASURES ........................................................................................................ 7 OPERATIONAL PROCESSES ........................................................................................................ 8 AUDITS ................................................................................................................................. 8 INVESTIGATIONS .............................................................................................................. 10 HOTLINE ............................................................................................................................ 11 APPENDICES A. NUCLEAR SAFETY AND SECURITY AUDITS PLANNED FOR FY 2022 Audit of the NRCs Management Controls for Materials Exports ************************************* A-1 Audit of the NRCs Process for Licensing Emerging Medical Technologies *********************** A-2 Audit of the NRCs Engagement with the Public Related to Reactor Decommissioning Actions *************************************************************************************** A-3 Audit of the NRCs Oversight of ISFSI Safety at Decommissioned Nuclear Power Plants **** A-4 Audit of the NRCs Drop-In Meeting Policies and Procedures ***************************************** A-5 Audit of the NRCs Processes for Deploying Reactive Inspection Teams ************************** A-6 Audit of the NRCs Safety Inspections at Research and Test Reactors **************************** A-7 Audit of the NRC Oversight of Long-Lived Reactor Component Aging Management *********** A-8 Audit of the NRCs 2.206 Petition Process ****************************************************************** A-9 Audit of the NRCs Oversight of Counterfeit Reactor Components ******************************** A-10 B. CORPORATE MANAGEMENT AUDITS PLANED FOR FY 2022 Audit of the NRCs FY 2021 Financial Statements and Improper Payments ********************** B-1 Independent Evaluation of the NRCs Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021 ********************************************************** B-2 Independent Evaluation of the NRCs Implementation of the Federal Information Security Modernization Act for FY 2022 ********************************************************************************* B-3 Audit of the NRCs Fiscal Year 2022 Financial Statements and Improper Payments *********** B-4 Audit of the NRCs Compliance with Standards Established by the Digital Accountability and Transparency Act of 2014 ************************************************************** B-5

Audit of the NRCs Change of Station Program *********************************************************** B-6 Audit of the NRCs Oversight of Decommissioning License Transfers ****************************** B-7 Audit of the NRCs Travel Charge Card Program ********************************************************* B-8 Audit of the NRCs Information Technology Services and Support *********************************** B-9 Evaluation of the NRCs Oversight of the Agencys Federally Funded Research and Development Center Contract ************************************************************ B-10 Defense Contract Audit Agency Audits ******************************************************************** B-11 Audit of the NRCs Knowledge Management ************************************************************ B-12 Peer Review of the Pension Benefit Guaranty Corporation (PBGC) OIG ************************ B-13 Audit of the NRCs Strategic Workforce Planning Process ******************************************** B-14 Audit of the NRCs Equal Employment Opportunity Program *************************************** B-15 Audit of the NRCs Differing Professional Opinions Program **************************************** B-16 Audit of the NRC Space Management in the Regions ************************************************* B-17 C. INVESTIGATIONS - PRIORITIES, OBJECTIVES, AND INITIATIVES FOR FY 2022 D. ISSUE AREAS AND DESIGNATED ISSUE AREA MONITORS E. ABBREVIATIONS AND ACRONYMS

MISSION AND AUTHORITY The NRC OIG was established on April 15, 1989, pursuant to Inspector General Act Amendments (the Act) contained in Public Law 100-504. The OIGs mission is to provide independent and objective oversight of the Nuclear Regulatory Commissions operations in order to protect people and the environment. To fulfill its mission, the OIG:

• Conducts and supervises independent audits and investigations of agency programs and operations;

• Promotes economy, effectiveness, and efficiency within the agency;

• Prevents and detects fraud, waste, abuse and mismanagement in agency programs and operations;

• Develops recommendations regarding existing and proposed regulations relating to agency programs and operations; and,

• Keeps the agency head and Congress fully and currently informed about problems and deficiencies relating to agency programs.

The Act also requires the Inspector General (IG) to prepare a semiannual report to the NRC Chairman and Congress summarizing the activities of the OIG.

The Reports Consolidation Act of 2000 (Public Law 106-531) requires the OIG to annually update our assessment of the NRCs most serious management and performance challenges facing the agency and the agencys progress in addressing those challenges. This assessment supports the execution of the OIGs mission and is an important component of the OIGs Annual Plan development. The IG identified the following as the most serious management and performance challenges facing the NRC 1 0F for FY 2022:

1. Ensuring safety while transforming into a modern, risk-informed regulator;

2. Regulatory oversight of the decommissioning process and the management of decommissioning trust funds;

3. Using the COVID-19 lessons learned to strengthen NRC readiness to respond to future mission-affecting disruptions;

4. Readiness to license and regulate new technologies in reactor design, fuels, and plant controls, and maintaining the integrity of the associated intellectual property;

5. Ensuring the safe and effective acquisition, management, and protection of 1 This Annual Plan notes these challenges without any ranking order of importance.

1

information technology and data;

6. Strategic workforce planning during transformation and industry change;

7. Oversight of materials, waste, and the National Materials Program;

8. Management and transparency of financial and acquisitions operations; and,

9. NRC readiness to address cyber threats to critical national infrastructure sectors impacting the NRCs public health and safety mission and/or NRC licensees.

All audits and evaluations that the OIG initiates in FY 2022 will be subject to these revised management and performance challenges.

Through its Issue Area Monitor (IAM) program, and the conduct of audits and investigations, OIG staff monitor agency performance on these management and performance challenges. In conjunction with the OIGs strategic goals, these challenges serve as an important basis for deciding which audits and evaluations to conduct each fiscal year.

2

PLANNING STRATEGY The OIG links the FY 2022 Annual Plan with the OIGs Strategic Plan for FYs 2019 -

2023. The Strategic Plan identifies the significant challenges and critical risk areas facing the NRC so that the IG may direct optimum resources to these areas.

The Strategic Plan recognizes the mission and functional areas of the agency and the significant challenges the agency faces in successfully implementing its regulatory program. The plan presents strategies for reviewing and evaluating NRC programs under the strategic goals that the OIG established. The OIGs strategic goals are to:

• Strengthen the NRCs efforts to protect public health and safety and the environment;

• Enhance the NRCs efforts to increase security in response to an evolving threat environment; and,

• Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

To ensure that each audit and evaluation carried out by the OIG aligns with the Strategic Plan, program areas selected for audit and evaluation have been crosswalked from the Annual Plan to the Strategic Plan. See planned audits in appendices A, B, and C.

AUDIT AND INVESTIGATION OVERVIEW The NRCs FY 2022 budget request is $887.7 million, which includes 2,879 full-time equivalents, as the total cost of agency programs. The agency also has a role in enhancing nuclear safety and security throughout the world.

The NRC is headquartered in Rockville, Maryland, just outside of Washington, DC, and has four regional offices in Pennsylvania, Georgia, Illinois, and Texas. It also operates a professional development center in Rockville, Maryland, and a technical training center in Chattanooga, Tennessee.

The agency carries out its mission through various licensing, inspection, research, and enforcement programs. The NRCs responsibilities include regulating:

• 93 commercial nuclear power reactors operating in 28 states at 55 sites;

• 80 licensed or operating independent spent fuel storage installations;

• 31 licensed and operating research and test reactors;

• 9 fuel cycle facilities; and,

• Approximately 2,200 licenses issued for medical, academic, and industrial uses of nuclear material.

In FY 2020, the agency had six license renewal applications for operating power reactor sites. Additionally, the NRC is overseeing the decommissioning of 26 power reactor sites and 3 research and test reactors permanently shut down and in various stages of 3

decommissioning. The audit and investigation oversight responsibilities are, therefore, derived from the agencys wide array of programs, functions, and support activities established to accomplish the NRCs mission.

AUDIT STRATEGY Effective audit planning requires current knowledge about the agencys mission and the programs and activities used to carry out that mission. Accordingly, the OIG continually monitors specific issue areas to strengthen its internal coordination and overall planning processes. Under the offices IAM program, the OIG assigns responsibilities to staff, designated as issue area monitors, to keep abreast of significant agency programs and activities. The broad IAM areas address nuclear reactors, nuclear materials, nuclear waste, information management, security, financial and administrative programs, human resources, and international programs. Appendix D contains a listing of the OIG staff assigned as issue area monitors and the issue areas for which they are responsible.

The OIG Strategic Plan and identified agency management and performance challenges inform the audit planning process. The synergies yield audit assignments that identify opportunities for efficiency, economy, and effectiveness in NRC programs and operations; detect and prevent fraud, waste, abuse, and mismanagement; improve program and security activities at headquarters and regional locations; and, respond to emerging circumstances and priorities. The OIG prioritizes which audits the office conducts based on:

• Mandatory legislative requirements;

• Critical agency risk areas;

• Emphasis by the President, Congress, the NRC Chairman, or other NRC Commissioners;

• Susceptibility of a program to fraud, manipulation, or other irregularities;

• Dollar magnitude or other resources involved in the proposed audit area;

• Newness, changed conditions, or sensitivity of an organization, program, function, or activity;

• Prior audit experience, including the adequacy of internal controls; and,

• Availability of audit resources.

INVESTIGATION STRATEGY OIG investigation strategies and initiatives add value to agency programs and operations by identifying and investigating fraud, waste, abuse, and mismanagement allegations leading to criminal, civil, and administrative penalties, and recoveries. Accordingly, the OIG has designed specific performance targets focusing on effectiveness. Because the NRCs mission is to protect public health and safety, the fundamental investigative concentration involves alleged NRC misconduct or inappropriate actions that could 4

adversely impact health- and safety-related matters. Typically, these investigations include allegations of:

• Misconduct by high ranking and other NRC officials, such as managers and inspectors, whose positions directly impact public health and safety;

• Failure by NRC management to ensure that health and safety matters are appropriately addressed;

• Failure by the NRC to appropriately transact nuclear regulation;

• Conflicts of interest involving NRC employees and NRC contractors and licensees; and,

• Indications of management or supervisory retaliation claims.

The OIG will continue to monitor specific high-risk areas within the NRCs corporate management that are most vulnerable to fraud, waste, abuse, and mismanagement. A significant focus remains on matters that could negatively impact the security and integrity of the NRCs data and operations. This focus will also include efforts to ensure the continued protection of personal privacy information held within agency databases and systems. The OIG is committed to improving the security of the constantly changing electronic business environment by investigating computer-related fraud, waste, and mismanagement through proactive investigations and computer forensic examinations as warranted. Other actions to identify and prevent potential problems will focus on determining instances of procurement fraud and identifying vulnerabilities in NRC daily operations, including theft of property, insider threats, and U.S. government travel and purchase card mismanagement.

The OIG will meet with agency internal and external stakeholders to identify actual and potential systemic issues or vulnerabilities as part of these proactive initiatives. This approach enables opportunities to improve agency performance.

Concerning the OIGs strategic goals about safety and security, the OIG routinely interacts with public interest groups, individual citizens, industry workers, and NRC staff to identify possible lapses in NRC regulatory oversight that could impact public health and safety. In addition, the OIG conducts proactive reviews into areas of regulatory safety or security interest to identify emerging issues or address ongoing concerns regarding the quality of the NRCs regulatory oversight. Such assessments might include new reactor licensing and license renewals of existing plants, aspects of the transportation and storage of high-level and low-level waste, as well as decommissioning activities. The OIG also participates in federal cyber, fraud, and other task forces to identify criminal activity targeted against the federal government. Finally, the OIG periodically conducts Event Inquiries and Special Inquiries. Event Inquiry reports document the OIGs examination of events or agency regulatory actions to determine if staff actions may have contributed to the occurrence of an event. Special Inquiry reports document those instances when an investigation identifies inadequacies in NRC regulatory oversight that may have resulted in a potentially adverse impact on public health and safety.

5

Appendix C provides investigation objectives and initiatives for FY 2022. Specific investigations are not included in the plan because the OIGs investigations are primarily responsive to reported violations of law and misconduct by NRC employees and contractors as well as allegations of irregularities or mismanagement in NRC programs and operations.

6

PERFORMANCE MEASURES For FY 2022, we will use several key performance measures and targets for gauging the relevance and impact of our audit and investigative work. The OIG calculates these measures relative to each of the OIGs strategic goals to determine how well it is accomplishing our objectives. The performance measures are:

• Percentage of OIG audit products and activities that cause the agency to take corrective action to improve agency safety, security, or corporate management programs; ratify adherence to agency policies, procedures, or requirements; or identify actual dollar savings or reduced regulatory burden (i.e., high impact);

• Percentage of audit recommendations agreed to by the agency;

• Percentage of final agency actions taken within 2 years on audit recommendations;

• Percentage of OIG investigative products and activities that identify opportunities to improve agency safety, security, or corporate management programs; ratify adherence to agency policies/procedures; or confirm or disprove allegations of wrongdoing (e.g., high impact);

• Percentage of agency actions taken in response to investigative reports;

• Percentage of active cases completed in fewer than 18 months on average;

• Percentage of closed investigations referred to the U.S. Department of Justice (DOJ) or other relevant authorities; and,

• Percentage of closed investigations resulting in indictments, convictions, civil suits or settlements, judgments, administrative actions, monetary results, or IG clearance letters.

7

OPERATIONAL PROCESSES The following sections detail the approach used to carry out the audit and investigative responsibilities previously discussed.

AUDITS The OIGs audit process comprises the steps taken to conduct audits and involves specific actions, ranging from annual audit planning to performing audit follow-up. The underlying goal of the audit process is to maintain an open channel of communication between the auditors and NRC officials to ensure that audit findings are accurate and fairly presented in the audit report. The OIG performs the following types of audits:

• Performance audits focus on NRC administrative and program operations and evaluate the effectiveness and efficiency with which managerial responsibilities are carried out, including whether the programs achieve intended results;

• Financial audits, which include the financial statement audit required by the Chief Financial Officers Act, attest to the reasonableness of the NRCs financial statements and evaluate financial programs; and,

• Contract audits evaluate the costs of goods and services procured by the NRC from commercial enterprises.

The audit process comprises the following steps:

1. Audit Planning - Each year, the OIG solicits suggestions from Congress, the Commission, agency management, external parties, and OIG staff. It develops this Annual Plan and distributes it to interested parties. It lists the audits planned to be initiated during the year and their general objectives. The annual Audit Plan is a living document that may be revised as circumstances warrant, with a subsequent redistribution of staff resources;

2. Audit Notification - The OIG formally notifies the office responsible for a specific program, activity, or function, of its intent to begin an audit of that program, activity, or function;

3. Entrance Conference - The OIG meets with agency officials to advise them of the objective(s) and scope of the audit and the general methodology it will follow;

4. Survey - The OIG conducts exploratory work before the more detailed audit work commences to gather data for refining audit objectives, as appropriate; documenting internal control systems; becoming familiar with the activities, programs, and processes to be audited; and identifying areas of concern to management. At the conclusion of the survey phase, the audit team will recommend to the Assistant Inspector General for Audit (AIGA) a go or no go decision regarding the verification phase. If the audit team recommends a no go and it is approved by the AIGA, the audit is discontinued; 8

5. Audit Fieldwork - The OIG performs a comprehensive review of selected areas of a program, activity, or function using an audit program developed specifically to address the audit objectives;

6. End of Fieldwork Briefing with Agency - At the conclusion of audit fieldwork, the audit team discusses the tentative report findings and recommendations with the auditee;

7. Discussion Draft Report - The OIG provides a discussion draft copy of the report to agency management to enable them to prepare for the exit conference;

8. Exit Conference - The OIG meets with the appropriate agency officials to review the discussion draft report to provide agency management the opportunity to confirm information, ask questions, and clarify data;

9. Formal Draft Report - If requested by agency management during the exit conference, the OIG provides a final draft copy of the report that includes comments or revisions from the exit conference to obtain formal written comments;

10. Final Audit Report - The final report includes, as necessary, any revisions to the facts, conclusions, and recommendations of the draft report discussed in the exit conference or generated in written comments supplied by agency managers.

Written comments are included as an appendix to the report. Some audits are sensitive and/or classified. In these cases, final audit reports are not made available to the public;

11. Response to Report Recommendations - Offices responsible for the specific program or audited process provide a written response on each recommendation (usually within 30 calendar days) contained in the final report. Agency management responses indicate agreement or disagreement with the recommended action. For agreement, agency management provides corrective actions taken or planned and actual or target dates for completion. For disagreement, agency management provides reasons for disagreement and any alternative proposals for corrective action;

12. Impasse Resolution - If the response by the action office to a recommendation is unsatisfactory, the OIG may determine that intervention at a higher level is required. The Executive Director for Operations is the NRCs audit follow-up official, but issues can be taken to the Chairman for resolution, if warranted; and,

13. Audit Follow-up and Closure - This process ensures that recommendations made to management are implemented.

9

INVESTIGATIONS The OIGs investigative process typically begins with receiving an allegation of fraud, mismanagement, or misconduct. Because the OIG must decide to initiate an investigation within a few days of each referral, the office does not schedule specific investigations in its annual investigative plan.

The OIG opens investigations following its investigative priorities as outlined in the OIG Strategic Plan and considering prosecutorial guidelines established by the local U.S.

Attorneys for the DOJ. In addition, the Council of the Inspectors General on Integrity and Efficiency Quality Standards for Investigations, the OIG Special Agent Handbook, and various guidance provided periodically by the DOJ govern the OIGs investigations.

Only four individuals in the OIG can authorize the opening of an investigative case: the IG, the Deputy IG, the Assistant IG for Investigations (AIGI), and the Special Agent in Charge. Every allegation received by the OIG is given a unique identification number and entered into a database. Some allegations result in investigations, while the OIG retains others as the basis for audits, refers them to NRC management, or if appropriate, directs them to another law enforcement agency.

When the OIG opens an investigation, team leaders assign it to a special agent who prepares a plan of investigation. This planning process includes reviews of the criminal and civil statutes, program regulations, and agency policies that may be involved. The special agent then investigates using various techniques to ensure investigations are thorough, objective, and fully pursued to a logical conclusion.

In cases when the special agent determines that a crime may have been committed, he or she will discuss the investigation with a federal or local prosecutor to determine if prosecution will be pursued. In cases when a prosecuting attorney decides to proceed with a criminal or civil prosecution, the special agent assists the attorney in any preparation for court proceedings that may be required.

For investigations that do not result in a prosecution but are handled administratively by the agency, the special agent prepares a report summarizing the facts disclosed in the inquiry. The Office of Investigations distributes the report to agency officials who need to know the investigation results. For investigative reports provided to agency officials regarding substantiated administrative misconduct, the OIG requires a response within 120 days regarding any potential action taken due to the investigative findings. For all other investigative products, such as referrals of allegations and findings requiring a review of agency processes and procedures, the OIG requires a 90-day response unless the agency negotiates an alternative deadline.

The OIG summarizes the criminal and administrative action taken as a result of its investigations and includes this data in its Semiannual Report to Congress. As part of the investigation function, the OIG also periodically conducts Event Inquiries and Special Inquiries, as discussed earlier.

10

HOTLINE The Hotline Program provides NRC employees, other government employees, licensee/utility employees, contractors, and the public with a confidential means of reporting suspicious activity concerning fraud, waste, abuse, and employee or management misconduct. Mismanagement of agency programs or danger to public health and safety may also be reported. We do not attempt to identify persons contacting the Hotline.

Please

Contact:

E-mail: Online Form Telephone: 1-800-233-3497 TDD 1-800-201-7165, or 7-1-1 Address: U.S. Nuclear Regulatory Commission Office of the Inspector General Hotline Program Mail Stop O5-E13 11555 Rockville Pike Rockville, MD 20852-2746 11

APPENDIX A NUCLEAR SAFETY AND SECURITY AUDITS PLANNED FOR FY 2022

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Management Controls for Materials Exports DESCRIPTION AND JUSTIFICATION: The regulations in 10 Code of Federal Regulations (C.F.R.) Part 110, Import and Export of Nuclear Equipment and Material, prescribe licensing, enforcement, and rulemaking procedures and criteria, under the Atomic Energy Act, for the export of nuclear equipment and material. The NRCs Office of International Programs (OIP) provides overall coordination for the NRCs international activities and develops and implements programs to carry out policies in the international arena, including export and import licensing responsibilities. In addition, the OIP establishes and maintains working relationships with individual countries and international nuclear organizations as well as other involved U.S. government agencies.

The OIP also participates in international activities including International Atomic Energy Agency coordination, bilateral discussions with foreign nations on items of interest, and import and export notifications on nuclear materials and special nuclear materials transfers.

Additionally, in conjunction with the office of Nuclear Security and Incident Response, the OIP conducts physical protection and non-proliferation reviews of export license applications and foreign technical assistance requests.

OBJECTIVE: The audit objective is to assess the effectiveness of the NRCs management controls of materials exports licensing.

SCHEDULE: Initiate in the first quarter of FY 2022.

STRATEGIC GOAL 1: SafetyStrengthen the NRCs efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRCs oversight of nuclear facilities and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7: Oversight of materials, waste, and the National Materials Program.

A-1

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Process for Licensing Emerging Medical Technologies DESCRIPTION AND JUSTIFICATION: Title 10 C.F.R. Part 35 Subpart K describes the process to obtain a license, or license amendment, for a new medical use of byproduct material or radiation from byproduct material, which is not addressed in other parts of Part 35 (i.e., an emerging medical technology). When licensing emerging medical technologies, the Office of Nuclear Material Safety and Safeguards (NMSS) staff coordinates within the NRC to determine whether the emerging technology is already included in the regulations in 10 C.F.R. Part 35 Subparts D through H. If the emerging medical technology is not specifically addressed therein, the staff develops licensing guidance describing and acceptable approach for meeting NRC regulations.

In recent years, NMSS staff has issued specific licensing guidance and made determinations for 11 emerging medical technologies under 35.1000. Due to the growth in medical applications of radioisotopes and advancements in medical technologies for use in diagnosis, therapy, and medical research, the OIG anticipates an increase in the number of emerging medical technologies licensed by the NRC. Approximately 15 more technologies are anticipated to be reviewed through FY 2023.

OBJECTIVE: The audit objective is to determine the NRCs efficiency in licensing the use of emerging medical technologies, including developing technology-specific guidance for licensing the use of emerging medical technologies covered under 10 CFR 35 Subpart K.

SCHEDULE: Initiate in the first quarter of FY 2022.

STRATEGIC GOAL 1: SafetyStrengthen the NRCs efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRCs oversight of nuclear facilities and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator.

A-2

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Engagement with the Public Related to Reactor Decommissioning Actions DESCRIPTION AND JUSTIFICATION: The NRC considers public involvement in, and information about, its activities to be a cornerstone of strong, fair regulation of the nuclear industry. The NRC recognizes the publics interest in the proper regulation of nuclear activities and tries to provide opportunities for citizens to be heard. For that reason, consistent with The NRC Approach to Open Government, the agency provides opportunities for the public to participate meaningfully in its decision-making process, including in the decommissioning of power reactors.

When power reactor licensees submit a post-shutdown decommissioning activity report and a license termination plan, the NRC holds public meetings with the licensees in the vicinity of the facility after each of these submittals. The public is invited to comment on the decommissioning process and proposed regulations, in addition to observing or participating in meetings if sensitive information is not discussed. Several decommissioning actions have occurred in recent years and it is expected that up to five power reactors may shut down before the start of FY 2023.

OBJECTIVE: The audit objective is to determine if the NRC adequately implements its processes for public engagement in relation to reactor decommissioning actions.

SCHEDULE: Initiate in the fourth quarter of FY 2022.

STRATEGIC GOAL 1: SafetyStrengthen the NRCs efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRCs oversight of nuclear facilities and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator.

A-3

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Oversight of ISFSI Safety at Decommissioned Nuclear Power Plants DESCRIPTION AND JUSTIFICATION: The United States has entered a period where the national policy for storing and disposing of spent nuclear fuel is being reexamined. With the prospect of spent nuclear fuel being stored at current and former reactor sites for the foreseeable future, due to the uncertainty surrounding permanent repositories, the NRC has been reviewing issues associated with long-term storage.

Independent Spent Fuel Storage Installations (ISFSI) are facilities licensed by the NRC to store dry casks containing spent fuel. An ISFSI typically consists of a concrete storage pad, storage containers, and any support facilities. The majority of ISFSIs are located at operating reactor sites; however, some ISFSIs are located away from reactors and typically operate at sites with limited personnel or no personnel here reactor operations decommissioning is complete.

The NRCs ISFSI safety oversight program is designed to prevent radiation-related deaths and illnesses, and to protect the environment. The oversight program includes inspections and assessments of licensee activities with a focus on minimizing risk to public health and safety. The OIG last conducted an audit on the ISFSI safety oversight program in May 2011. With more power plants shutting down and an unprecedented growth in ISFSIs, the NRCs oversight of ISFSI safety at decommissioned sites is quickly emerging as an important area for re-examination.

OBJECTIVE: The audit objective is to determine if the NRCs ISFSI safety program at decommissioned nuclear power plants adequately protects the public and the environment.

SCHEDULE: Initiate in the third quarter of FY 2022.

STRATEGIC GOAL 1: SafetyStrengthen the NRCs efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRCs oversight of nuclear facilities and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7: Oversight of materials, waste, and the National Materials Program.

A-4

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Drop-In Meeting Policies and Procedures DESCRIPTION AND JUSTIFICATION: External stakeholders have expressed concern about the frequency of senior agency management interactions with nuclear power industry representatives, some of which coincide with regulatory decisions such as backfit appeal.

NRC guidance requires staff to avoid discussing specific details of regulatory matters with industry representatives in non-public interactions, although the staff is permitted to discuss general information pertaining to agency activities.

OBJECTIVE: The audit objective is to determine whether NRC policies and procedures for non-public interactions with industry stakeholders are adequate to prevent compromise of the independence of agency staff or the appearance of conflicts of interest.

SCHEDULE: Initiated in the fourth quarter of FY 2021.

STRATEGIC GOAL 1: Safety Strengthen the NRC's efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated-with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator.

A-5

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Processes for Deploying Reactive Inspection Teams DESCRIPTION AND JUSTIFICATION: The NRC conducts routine inspections at nuclear power plants to maintain baseline safety and security oversight of nuclear power licensees.

However, the agency also conducts reactive inspections in response to events that may have compromised the safety or security at nuclear power plants. For example, an extreme weather event known as a derecho caused extensive damage to the Duane Arnold Energy Center in August 2020, and the NRC deployed a special inspection team to assess plant damage as well as the plant operators response to the derecho. The agency may also deploy more resource-intensive augmented or integrated inspection teams depending on an incidents risk significance, complexity, and generic safety or security implications.

According to Management Directive (MD) 8.3, NRC Incident Investigation Program, NRC managers should use a combination of deterministic and quantitative risk criteria in deciding whether to deploy special, augmented, or integrated inspection teams to power reactor sites. Deterministic criteria include major design, construction, or operational deficiencies that could have generic implications, failure of plant safety-related equipment, and physical or information security breaches. Risk criteria are based on conditional core damage probabilities ranging on a scale from 1E-6 or lower to 1E-3; accordingly, lower risk events merit special inspection teams, while progressively higher risk events merit augmented and integrated inspection teams.

The NRC may also deploy special, augmented, and integrated inspection teams to non-power reactor sites based on deterministic criteria. For example, MD 8.3 states that integrated inspection teams should be considered in response to events that cause significant radiological releases, or occupational or public radiological exposures that exceed specific regulatory limits. The guidance also recommends integrated inspection teams for a variety of other events that have actual or potential adverse health, safety, or security consequences.

OBJECTIVE: The audit objective is to assess the consistency with which the NRC follows agency guidance for deploying special, augmented, and integrated inspection teams in response to safety and security incidents at nuclear power plants.

SCHEDULE: Initiate in the third quarter of FY 2022.

STRATEGIC GOAL 1: Safety Strengthen the NRC's efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated-with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator.

A-6

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Safety Inspections at Research and Test Reactors DESCRIPTION AND JUSTIFICATION: The NRC currently licenses 31 operating research and test reactors in the United States. Most are located at universities and colleges, while others are located at federal, state, and private sector facilities. Research and test reactors contribute to research in diverse fields such as physics, medicine, archeology, and materials science. Research and test reactors use a limited amount of radioactive material in their diverse designs and are rated at power levels ranging from 5 watts thermal energy to 20 megawatts. All are designed to be inherently safe and resistant to unintentional or intentional improper operation.

The NRC categorizes operating research and test reactors into two classes for inspection purposes. Class I reactors are rated at 2 megawatts or higher and are inspected annually.

Class II reactors are rated below 2 megawatts and are inspected biennially. NRC staff members use different procedures to inspect these two classes of research and test reactors, but the procedures all address safety, security, and transportation of radiological materials used in the reactors. The OIG audited NRC security inspections at research and test reactors in FY 2018 (OIG 18-A-07), and conducted investigative work pertaining to safety inspections at Class I research and test reactors during FY 2021.

OBJECTIVE: The audit objective is to determine whether the NRC performs safety inspections at Class II research and test reactors in accordance with agency guidance and inspection program objectives.

SCHEDULE: Initiate in the third quarter of FY 2022.

STRATEGIC GOAL 1: Safety Strengthen the NRC's efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated-with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator.

A-7

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Oversight of Long-Lived Reactor Component Aging Management DESCRIPTION AND JUSTIFICATION: The application for renewal of a nuclear power plant operating license must include an assessment of structures and components subject to an aging management review. Such structures and components include, the reactor vessel, pressure retaining boundaries, containment, seismic structures, electrical cables, and other components not subject to replacement based on a qualified life or time period.

Further, the application must also demonstrate that the effects of aging on such components will be adequately managed so their intended function will be maintained for the period of extended operation. These components may be safety-related or non-safety-related items, the failure of which could diminish safety functions.

The NRC inspects each licensees aging management review and program implementation both during the license renewal process and after license approval. Once a nuclear power plant has been in a period of extended operation for 5 to 10 years, the NRC will verify that implementation of a licensees aging managing program ensures components are able to perform their intended functions. In addition, baseline inspection procedures for maintenance effectiveness and design basis assurance include assessment of aging management programs for plants in the period of extended operation. The NRC has issued license renewals for 85 operating nuclear power plants at 52 sites, and 34 of these plants have not yet entered the period of extended operation.

OBJECTIVE: The audit objective is to determine whether the NRC provides adequate oversight of licensee aging management programs for long-lived passive reactor components.

SCHEDULE: Initiate in the third quarter of FY 2022.

STRATEGIC GOAL 1: Safety Strengthen the NRC's efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated-with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator.

A-8

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs 2.206 Petition Process DESCRIPTION AND JUSTIFICATION: The NRC created 10 C.F.R. Section 2.206, Requests for Action Under This Subpart (10 C.F.R. 2.206), as one method by which members of the public may bring safety and security issues to the agencys attention. Any person may file a request by using a 10 C.F.R. 2.206 petition to institute a proceeding pursuant to 10 C.F.R. Section 2.202 Orders (10 C.F.R. 2.202) to modify, suspend, or revoke a license, or for any other action as may be proper. In some circumstances, the NRC may issue orders or take other enforcement action against an NRC licensee or other person subject to the Commissions jurisdiction for violating NRC regulations.

The OIG audited the 10 C.F.R. 2.206 petition process in 2017 and found that unclear guidance for reviewing and dispositioning petitions in agency guidance (MD 8.11) could lead to inconsistent outcomes, thereby exacerbating public perceptions of anti-petitioner bias. The OIG also found that the NRC had not performed mandatory formal self-assessments, thereby missing opportunities to enhance the effectiveness, timelines, and credibility of the petition process. In 2019, the NRC revised MD 8.11 in response to OIG audit recommendations and Commission direction to improve the 2.206 petition process.

OBJECTIVE: The audit objective is to determine whether the NRC staff reviews 10 C.F.R. 2.206 petitions consistently in accordance with agency guidance, and support decisions on 10 C.F.R. 2.206 petitions with appropriate information.

SCHEDULE: Initiate in the fourth quarter of FY 2022.

STRATEGIC GOAL 1: Safety Strengthen the NRC's efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated-with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator.

A-9

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A Audit of the NRCs Oversight of Counterfeit Reactor Components DESCRIPTION AND JUSTIFICATION: Multiple NRC organizations play a role in overseeing nuclear power licensees efforts to prevent the use of counterfeit, fraudulent, and suspect items (CFSI) in nuclear power reactors. The NRC performs vendor quality assurance inspections, which may focus on CFSI, based on risk insights, and cybersecurity inspections assess licensees policies and procedures for ensuring the integrity of digital components that are installed in plant safety systems. In addition, the NRCs new reactor construction inspections provide oversight during reactor construction activities, and agency investigators follow up on CFSI allegations to determine if enforcement action is warranted.

OBJECTIVE: The audit objective is to assess whether the NRCs oversight activities reasonably ensure nuclear power reactor licensees programs are adequately positioned to mitigate the risk of counterfeit, fraudulent, and suspect items in new and operating reactors.

SCHEDULE: Initiated in the third quarter of FY 2021.

STRATEGIC GOAL 1: SafetyStrengthen the NRCs efforts to protect public health and safety and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRCs oversight of nuclear facilities and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator.

A-10

APPENDIX B CORPORATE MANAGEMENT AUDITS PLANNED FOR FY 2022

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs FY 2021 Financial Statements and Improper Payments DESCRIPTION AND JUSTIFICATION: Under the Chief Financial Officers Act, the Government Management and Reform Act, and Office of Management and Budget (OMB)

Bulletin 21-04, Audit Requirements for Federal Financial Statements, the OIG is required to audit the NRCs financial statements. The report on the audit of the agencys financial statements is due on November 15, 2021.

The Payment Integrity Information Act (PIIA) requires each agency to annually estimate its improper payments. The PIIA defines an improper payment as any payment that should not have been made or was made in an incorrect amount (overpayment or underpayment) to an eligible recipient. Improper payments also include payments made to ineligible recipients or for ineligible goods or services, or payments for goods or services not received. Improper payments do not always result in an actual monetary loss to the government.

PIIA requires federal agencies to periodically review all programs and activities that the agency administers and identify all programs and activities that may be susceptible to significant improper payments.

OBJECTIVES: The audit objectives are to:

• Express opinions on the agencys financial statements and internal controls;

• Review compliance with applicable laws and regulations;

• Review controls in the NRCs computer systems that are significant to the financial statements; and,

• Assess the NRCs compliance with the PIIA and report any material weaknesses in internal control.

SCHEDULE: Initiated in the third quarter of FY 2021.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-1

CORPORATE MANAGEMENT AUDITS APPENDIX B Independent Evaluation of the NRCs Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021 DESCRIPTION AND JUSTIFICATION: The Federal Information Security Modernization Act of 2014 outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, the FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the Federal Government information systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

The FISMA provides the framework for securing the federal governments information technology including both unclassified and national security systems. All agencies must implement the requirements of the FISMA and report annually to the OMB and Congress on the effectiveness of their security programs.

OBJECTIVE: The evaluation objective is to conduct an independent assessment of the NRCs FISMA implementation for FY 2021.

SCHEDULE: Initiated in the third quarter of FY 2021.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-2: Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5: Ensuring the safe and effective acquisition, management, and protection of information technology and data.

B-2

CORPORATE MANAGEMENT AUDITS APPENDIX B Independent Evaluation of the NRCs Implementation of the Federal Information Security Modernization Act of 2014 for FY 2022 DESCRIPTION AND JUSTIFICATION: The Federal Information Security Modernization Act of 2014 outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, the FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the Federal Government information systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

The FISMA provides the framework for securing the federal governments information technology including both unclassified and national security systems. All agencies must implement the requirements of the FISMA and report annually to the OMB and Congress on the effectiveness of their security programs.

OBJECTIVE: The evaluation objective is to conduct an independent assessment of the NRCs FISMA implementation for FY 2022.

SCHEDULE: Initiate in the third quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-2: Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5: Ensuring the safe and effective acquisition, management, and protection of information technology and data.

B-3

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs FY 2022 Financial Statements and Improper Payments DESCRIPTION AND JUSTIFICATION: Under the Chief Financial Officers Act, the Government Management and Reform Act, and OMB Bulletin 21-04, Audit Requirements for Federal Financial Statements, the OIG is required to audit the NRCs financial statements. The report on the audit of the agencys financial statements is due on November 15, 2022.

The Payment Integrity Information Act (PIIA) requires each agency to annually estimate its improper payments. The PIIA defines an improper payment as any payment that should not have been made or was made in an incorrect amount (overpayment or underpayment) to an eligible recipient. Improper payments also include payments made to ineligible recipients or for ineligible goods or services, or payments for goods or services not received. Improper payments do not always result in an actual monetary loss to the government.

PIIA requires federal agencies to periodically review all programs and activities that the agency administers and identify all programs and activities that may be susceptible to significant improper payments.

OBJECTIVES: The audit objectives are to:

• Express opinions on the agencys financial statements and internal controls;

• Review compliance with applicable laws and regulations;

• Review controls in the NRCs computer systems that are significant to the financial statements; and,

• Assess the NRCs compliance with the PIIA and report any material weaknesses in internal control.

SCHEDULE: Initiate in the third quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-4

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Compliance with Standards Established by the Digital Accountability and Transparency Act of 2014 DESCRIPTION AND JUSTIFICATION: The Digital Accountability and Transparency Act of 2014 (DATA Act) was enacted May 9, 2014, and requires federal agencies to report financial and payment data in accordance with data standards established by the Department of Treasury and the OMB. The data reported is displayed on a public website.

In addition, the DATA Act requires IGs to review the data submitted by the agency under the act and report to Congress on the completeness, timeliness, quality, and accuracy of this information. This audit pertains to the review of data sampled for FY 2021 and is due November 8, 2021.

OBJECTIVES: The audit objectives are to review the first quarter data submitted by the NRC under the DATA Act; determine its completeness, timeliness, accuracy, and quality; and assess the implementation of the governing standards by the agency.

SCHEDULE: Initiated in the third quarter of FY 2021.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-5

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Change of Station Program DESCRIPTION AND JUSTIFICATION: Within the federal government, a permanent change of station (PCS) is the transfer of an employee from one official work site to another or the assignment of a new appointee to his or her first assignment site on a permanent basis.

The Federal Travel Regulation (FTR), issued by the Administrator of General Services, governs among other things, eligibility for relocation allowances (chapter 302) and PCS allowances for subsistence and transportation expenses (Subchapter C). Much of the FTR, however, allows for agency discretion. The NRC, MD 14.2, Relocation Allowances, provides NRC employees with the procedures, regulations, and requirements necessary to relocate to a permanent official duty station or to make a last move home, and to claim reimbursement for the allowable expenses.

The agencys PCS obligations for FY 2018 (58 moves) and FY 2019 (54 moves as of September 3, 2019) were approximately $6 million and $5.6 million, respectively.

OBJECTIVE: The audit objective is to determine whether the NRC has established and implemented an effective system of internal control over the PCS program.

SCHEDULE: Initiated in the third quarter of FY 2021.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-6

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Oversight of Decommissioning License Transfers DESCRIPTION AND JUSTIFICATION: When the decision is made to close a nuclear power plant permanently, the facility must be decommissioned by safely removing it from service and reducing residual radioactivity to a level that permits release of the property and termination of the operating license. The NRC has strict rules governing nuclear power plant decommissioning, involving cleanup of radioactively contaminated plant systems and structures and removal of the radioactive fuel. Nuclear power plants are initially licensed for 40 years, with the option to seek 20-year license extensions. The NRC requires a commercial nuclear power plant to be decommissioned within 60 years once a plant has been permanently retired. The license owner remains accountable to the NRC until decommissioning has been completed and the agency has terminated the license. If the licensee determines it does not want to decommission the plant, it can transfer its license to a company that will decommission the plant, and then transfer the license back to the original licensee for termination. The license transferee must abide by the same license requirements as the original licensee. Decommissioning companies generally have accelerated decommissioning models, which promise to complete decommissioning in less than half the timeframe, and approximately a third of the cost, of traditional decommissioning.

Twenty-two power reactors are currently undergoing decommissioning, with 10 license transfers to decommissioning companies, and 4 contracting with decommissioning companies. More power reactors entities are announcing their plans to decommission for economic or other reasons. It is essential to understand the NRC actions to ensure that licensees are decommissioning their plants safely and effectively for their employees and the public.

OBJECTIVE: The audit objective is to determine if the NRC is providing adequate oversight of decommissioning license transfers and programs.

SCHEDULE: Initiate in the fourth quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within the NRC and conduct audits and investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 2: Regulatory oversight of the decommissioning process and management of decommissioning trust funds.

B-7

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Travel Charge Card Program DESCRIPTION AND JUSTIFICATION: The NRCs Travel Charge Card Program is part of the governmentwide Commercial Charge Card Program established to pay the official travel expenses of employees while on temporary duty or other official business travel. The programs intent is to improve convenience for the traveler and reduce the governments costs of administering travel. The OMB has issued guidance that establishes requirements (including internal controls designed to minimize the risk of travel card misuse) and suggested best practices for the government travel card programs.

The NRC spent approximately $9.8 million and $7.2 million on employee travel in FYs 2019 and 2020, respectively. The Office of the Chief Financial Officer administers the NRCs travel charge card program and controls the use of agency funds to ensure that they are expended in accordance with applicable laws, regulations, and standards.

OBJECTIVE: The audit objective is to assess whether the NRCs policies and procedures are effective in preventing and detecting travel charge card misuse and delinquencies.

SCHEDULE: Initiate in the second quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-8

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Information Technology Services and Support DESCRIPTION AND JUSTIFICATION: The NRC offers various information technology services and support to employees. These services are acquired under the Global Infrastructure and Development Acquisition (GLINDA) initiative/contract. GLINDA is a blanket purchase agreement (BPA) with six awardees, that commenced in June 2017, with a total of 11 BPA calls issued against them for various IT services and support. The total obligated dollar value of all BPA calls under GLINDA is approximately $5,337,586.

The NRC obtained funds from the Coronavirus Aid, Relief, and Economic Security Act, also known as the CARES Act, to use on IT services and support because of mandatory telework as a result of the COVID-19 pandemic. It is essential to monitor these funds to ensure they are being spent effectively in helping employees meet the agencys mission.

OBJECTIVE: The audit objective is to determine if the NRCs information technology services and support are efficient and effective in meeting the agencys current and future IT needs.

SCHEDULE: Initiate in the first quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-2: Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5: Ensuring the safe and effective acquisition, management, and protection of information technology and data.

B-9

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Oversight of the Agencys Federally Funded Research and Development Center Contract DESCRIPTION AND JUSTIFICATION: In October 1987, the NRC entered into a 5-year contract with Southwest Research Institute (SwRI) to operate a Federally Funded Research and Development Center (FFRDC) in San Antonio, Texas. SwRI established the Center for Nuclear Waste Regulatory Analyses (the Center) to provide the agency with long-term technical assistance and research related to the NRCs High-Level Waste program under the Nuclear Waste Policy Act of 1982, as amended. The current contract, which is expected to expire on March 29, 2023, has a ceiling of $52 million, and is one of the NRCs largest active contracts. The Commission must decide whether to renew the contract with SwRI.

The Federal Acquisition Regulation (FAR) requires that, prior to renewing a contract for an FFRDC, a sponsor must conduct a comprehensive review of the use and need of the FFRDC. The OIG previously reviewed the nature and adequacy of the NRCs renewal justification in 1992, 1997, 2002, 2007, 2012, and 2017.

OBJECTIVES: The audit objectives are to determine if the NRC is properly considering all FAR requirements for an FFRDC review in preparing its renewal justification, and if the NRC is adequately fulfilling its oversight responsibilities for the FFRDC.

SCHEDULE: Initiate in the third quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-10

CORPORATE MANAGEMENT AUDITS APPENDIX B Defense Contract Audit Agency Audits DESCRIPTION AND JUSTIFICATION: The OIG and the Defense Contract Audit Agency (DCAA) have an interagency agreement whereby the DCAA provides contract audit services for the OIG. The DCAA is responsible for the audit methodologies used to reach the audit conclusions, monitoring its staff qualifications, and ensuring compliance with Generally Accepted Government Auditing Standards. The OIGs responsibility is to distribute the report to NRC management and follow up on agency actions initiated as a result of the report.

OBJECTIVE: The audit objective is to determine if the NRC contract costs are reasonable, allowable, and allocable.

SCHEDULE: Initiate in the first quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-11

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Knowledge Management DESCRIPTION AND JUSTIFICATION: Knowledge management is a discipline that promotes an integrated approach to identifying, capturing, evaluating, retrieving, sharing, and effectively using an enterprises information assets. These assets may include databases, documents, policies, procedures, previously uncaptured expertise and the experience of individual workers. Useful knowledge collected from these assets may include explicit, tactic, and embedded knowledge. An effective knowledge management system allows knowledge capital to be properly leveraged, increasing the efficiency with which the agency may reach its objectives. However, efforts to reduce the NRCs staffing and budget have raised knowledge management concerns that could adversely affect the performance of the agency.

OBJECTIVE: The audits objective is to assess the effectiveness of the NRCs knowledge management program in helping the agency capture and transfer knowledge for the purposes of meeting its mission.

SCHEDULE: Initiate in the first quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 6: Strategic workforce planning during transformation and industry change.

B-12

CORPORATE MANAGEMENT AUDITS APPENDIX B Peer Review of the Pension Benefit Guaranty Corporation Office of the Inspector General DESCRIPTION AND JUSTIFICATION: The Inspector General Act of 1978, as amended by the IG Reform Act of 2008, statutorily established the Council of Inspectors General on Integrity and Efficiency (CIGIE) as an independent entity within the executive branch. Prior to the establishment of the CIGIE, the Federal Inspectors General operated under the auspices of two councils, The President's Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE).

In January 1986, the PCIE adopted and published, Quality Standards for Federal Offices of Inspector General. These standards applied to all OIG organizations in the federal government and were considered advisory. In October 2003, the PCIE and the ECIE updated and adopted these quality standards for the management, operation, and conduct of OIGs. Since 1988, Government Auditing Standards have required government audit organizations to implement an appropriate internal quality control system and undergo an external peer review. The 1988 amendments to the Inspector General Act of 1978 require that these external peer reviews be performed exclusively by an audit entity of the federal government, including the Government Accountability Office or another OIG, every 3 years.

OBJECTIVES: The objectives of the NRC OIG external peer review of the Pension Benefit Guaranty Corporation (PBGC) OIG are to determine whether the PBGC OIGs system of quality control was suitably designed, and whether the organization is complying in all material respects with its system of quality control, in order to provide it with reasonable assurance of conforming with applicable professional standards and legal and regulatory requirements, for the period under review, ending September 30, 2021.

SCHEDULE: Initiate in the first quarter of FY 2022.

STRATEGIC GOAL3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3.1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-13

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Strategic Workforce Planning Process DESCRIPTION AND JUSTIFICATION: Strategic workforce planning (SWP) addresses two critical needs: (1) aligning an organizations human capital program with its current and emerging mission and programmatic goals; and, (2) developing long-term strategies for acquiring, developing, and retaining staff to achieve programmatic goals. Strategic workforce planning is critical to the NRC because it will help maintain focus on longer-term workforce development and accomplishing organizational goals in a period of agency transformation and industry change.

The NRCs enhanced SWP is a structured, data-driven process. The SWP process develops short- and long-term strategies and action plans that enable the NRC to recruit, retain, and develop a skilled and diverse workforce with the competencies and agility to address emerging needs and workload fluctuations. The SWP process takes place on an annual cycle to develop strategies to address workforce needs in a budget execution year

+5.

The NRC faces the challenges of fulfilling the agency mission with mandates on limiting corporate costs and further reductions in staff. The NRC's proposed FY 2022 budget is

$887.7 million, an increase of $24.4 million over its enacted budget for FY 2021. This includes 2,879 FTEs, a slight increase compared to the FY 2021 enacted budget. These challenges make it clear that effective future workforce planning is even more important in an innovative industry.

OBJECTIVE: The audit objective will be to assess the effectiveness of the NRCs strategic workforce planning process.

SCHEDULE: Initiate in the first quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 6: Strategic Workforce Planning During Transformation and Industry Change B-14

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Equal Employment Opportunity Program DESCRIPTION AND JUSTIFICATION: The NRCs Office of Small Business and Civil Rights supports the NRC mission to protect people and the environment by enabling the agency to have a diverse and inclusive workforce, advancing Equal Employment Opportunity (EEO) for employees and applicants, providing fair and impartial processing of discrimination complaints, affording maximum practicable prime and subcontracting opportunities for small businesses, and allowing meaningful and equal access to agency-conducted and financially-assisted programs and activities.

The NRC has established an EEO Complaint Process, which is available to employees (current and former) and applicants who believe they have been subjected to discrimination, reprisal, or workplace harassment. The process to file an EEO complaint requires an individual to contact an EEO counselor within 45 calendar days of the date of the alleged discriminatory event or within 45 calendar days of the effective date of a personnel action. The EEO counselor will attempt an informal resolution of the matter or an alternative dispute resolution. If the matter is not resolved, a final interview will be conducted, and a notice of right to file a formal complaint will be given.

During FY 2020, EEO complaint activity started trending upward, even as NRC staffing levels declined. Based on the complaint activity, reprisal, age, and gender made up 60 percent of complaints filed by bases, and the number one issue raised was harassment.

OBJECTIVE: The audit objective is to determine the efficiency and effectiveness of the NRCs EEO Program.

SCHEDULE: Initiate in the second quarter of FY 2022.

STRATEGIC GOAL3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3.1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 6: Strategic workforce planning during transformation and industry change.

B-15

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Differing Professional Opinions Program DESCRIPTION AND JUSTIFICATION: The NRCs Differing Professional Opinion (DPO) program enables an employee or contractor to express formal disagreement with an established staff view, management decision or policy position, or agency practices involving technical, legal, or policy issues; and include administrative and corporate support matters. A DPO can cover a broad range of concerns, provided the opinion is related to the NRCs mission and to the strategic goals and objectives that support the mission as addressed in the agencys Strategic Plan.

The NRCs Office of Enforcement administers the agencys DPO program and conducts periodic assessments of the program. MD 10.159, NRC Differing Professional Opinion Program, is the primary DPO programmatic guidance, and was revised in 2015 to reflect input from internal assessments, the OIG Safety Culture and Climate Survey, a business process improvement review, and an agency Safety Culture Task Force report.

The NRC posts summaries of closed DPO cases, along with supporting documentation, as appropriate, on its public website. Staff who submit DPOs may request that the information not be released publicly, and sensitive information pertaining to these cases (e.g.,

classified, proprietary, allegations-related) is to be processed in accordance with agency policy.

OBJECTIVE: The audit objective is to assess whether NRC employees suffer retaliation or other harm by expressing their professional opinions through the NRCs DPO program.

SCHEDULE: Initiate in the third quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3.1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety while transforming into a modern, risk-informed regulator B-16

CORPORATE MANAGEMENT AUDITS APPENDIX B Audit of the NRCs Space Management in the Regions DESCRIPTION AND JUSTIFICATION: On September 23, 2016, the Government Accountability Office reported that the federal government continues to maintain excess and underutilized property. In FY 2015, federal agencies reported more than 7,000 excess or underutilized real property assets. That stands in contrast to the OMBs 2015 National Strategy for the Efficient Use of Real Property (National Strategy) and its companion policy, Reduce the Footprint. The National Strategy is a three-step framework to improve real property management: freeze growth in the inventory; measure performance to identify opportunities for efficiency improvements through data driven decision making; and, ultimately reduce the size of the inventory by prioritizing actions to consolidate, co-locate, and dispose of properties. Given the decrease in the NRCs staffing, it is possible that the NRC has not properly assessed its footprint in the regional offices.

OBJECTIVE: The audit objective will be to determine if the NRC is efficiently using real property in the NRC regional offices.

SCHEDULE: Initiate in the fourth quarter of FY 2022.

STRATEGIC GOAL 3: Corporate ManagementIncrease the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Management and transparency of financial and acquisitions operations.

B-17

APPENDIX C INVESTIGATIONS - PRIORITIES, OBJECTIVES, AND INITIATIVES FOR FY 2022

INVESTIGATIONS APPENDIX C INTRODUCTION The Assistant Inspector General for Investigations (AIGI) is responsible for developing and implementing an investigative program that furthers the OIGs objectives. The AIGIs primary responsibilities include investigating possible violations of criminal statutes relating to NRC programs and activities, investigating allegations of misconduct by NRC employees, coordinating with the DOJ on OIG-related criminal matters, and working jointly on investigations and OIG initiatives with other federal, state, and local investigative agencies, and other AIGIs.

The AIGI may initiate investigations that cover a broad range of allegations. For example, investigations may concern criminal wrongdoing or administrative misconduct affecting various NRC programs and operations. In addition, the OIG initiates investigations due to allegations or referrals from private citizens, licensee employees, NRC employees, Congress, and other federal, state, and local law enforcement agencies. Investigations may also originate from OIG audits, the OIG Hotline, and proactive efforts to identify the potential for fraud, waste, abuse, and mismanagement.

The OIG developed this investigative plan to focus investigative priorities and use available resources most effectively. It provides strategies and planned investigative work for the fiscal year in conjunction with the OIG Strategic Plan. OIG Investigations also considers the most serious management and performance challenges facing the NRC, as identified by the IG, in developing its investigative plan.

PRIORITIES The OIG will complete approximately 40 investigations, including Event/Special Inquiries, in FY 2022. As in the past, reactive investigations into allegations of criminal and other wrongdoing will continue to prioritize the OIGs use of available resources. Because the NRCs mission is to protect public health and safety and the environment, Investigations main concentration of effort and resources involve investigations of alleged NRC employee misconduct that could adversely impact public health and safety-related matters.

OBJECTIVES To facilitate the most effective and efficient use of limited resources, Investigations has established specific objectives to prevent and detect fraud, waste, abuse, and mismanagement. These objectives seek to optimize the NRCs effectiveness and efficiency and address possible violations of criminal statutes, administrative violations relating to NRC programs and operations, and allegations of misconduct by NRC employees.

C-1

INVESTIGATIONS APPENDIX C INITIATIVES Safety and Security

• Investigate allegations that NRC employees improperly disclosed allegers (mainly licensee employees) identities and allegations, NRC employees improperly handled alleger concerns, and the NRC failed to adequately address retaliation issues involving NRC management officials or NRC licensee employees who raised public health and safety or security concerns regarding NRC activities;

• Investigate allegations that the NRC has not maintained an appropriate arms length distance from licensees and contractors;

• Investigate allegations that NRC employees released pre-decisional, proprietary, or official-use-only information;

• Investigate allegations that NRC employees had improper personal relationships with NRC licensees and that NRC employees violated government-wide ethics regulations concerning the solicitation of employment with NRC licensees;

• Interact with public interest groups, individual allegers, and industry workers to identify indications of lapses or departures in NRC regulatory oversight that could create safety and security problems;

• Maintain close working relationships with members of the intelligence community to identify and address vulnerabilities and threats to the NRC;

• Conduct Event and Special Inquiries into specific events that indicate an apparent shortcoming in the NRCs regulatory oversight of the nuclear industrys safety and security programs to determine the appropriateness of the staffs actions to protect public health and safety;

• Proactively review and become knowledgeable in areas of NRC staff regulatory emphasis to identify emerging issues that may require future OIG involvement, such as decommissioning activities;

• Provide real-time OIG assessments of the appropriateness of the NRC staffs handling of contentious regulatory activities related to nuclear safety and security matters;

• Identify risks associated with the proliferation of nuclear material and nuclear technology;

• Coordinate with NRC staff to protect the NRCs infrastructure against both internal and external computer intrusions; and,

• Investigate allegations of misconduct by NRC employees and contractors, as appropriate.

C-2

Corporate Management

• Attempt to detect possible wrongdoing perpetrated against the NRCs procurement and contracting and grant program by maintaining a close working relationship with the Office of Administration, Division of Contracts, and cognizant NRC Program Offices;

• Conduct investigations appropriate for Program Fraud Civil Remedies Act action, including abuses involving false reimbursement claims by employees and contractors;

• As appropriate, investigate allegations of misconduct by NRC employees and contractors.

OIG Hotline

• Promptly process complaints received via the OIG Hotline. Initiate investigations when warranted and properly dispose of allegations that do not warrant OIG investigation.

Freedom of Information Act (FOIA) and Privacy Act

• The OIG is an independent component within the Nuclear Regulatory Commission and responds to requests for records that are exclusively NRC OIG-related such as the OIG inspections, audits, or investigations relating to the programs and operations of the NRC.

• The General Counsel to the IG is the principal contact point within the OIG for advice and policy guidance on matters pertaining to administration of the FOIA.

All requests are handled professionally and expeditiously.

NRC Support

• Participate as observers on Incident Investigation Teams and Accident Investigation Teams as determined by the IG.

Liaison Program

• Coordinate with OIG Audit IAMs, as appropriate, to identify areas or programs with indicators of possible fraud, waste, abuse, and mismanagement;

• Conduct fraud awareness and informational presentations for NRC employees and external stakeholders regarding the role of the NRC OIG; and, C-3

ALLOCATION OF RESOURCES Investigations staff undertakes both proactive initiatives and reactive investigations.

The OIG uses approximately 85 percent of available investigative resources for reactive investigations. The office allocates the balance to proactive investigative efforts, such as reviews of NRC contract files, examinations of NRC information technology systems to identify weaknesses or misuse by agency employees, participation in interagency task forces and working groups, and reviews of delinquent government travel and purchase card accounts.

C-4

APPENDIX D ISSUE AREAS AND DESIGNATED ISSUE AREA MONITORS

ISSUE AREA MONITOR APPENDIX D ISSUE AREAS AND DESIGNATED ISSUE AREA MONITORS Corporate Support Functions Nuclear Materials (Safety and Security)

Tincy Thomas de Colón Regina Revinzon Karen Corado Tim Wilson Vicki Foster Roxana Hartsock Connor McCune Janelle Wiggs Megan Velasquez Stephanie Dingbaum Angel Wang John Thorp Jimmy Wong Reactor Safety Financial Paul Rades Terri Cooper Avinash Jaigobind Felicia Silver Chanel Stridiron Muhammad Arefin Brigit Larsen Curtis Brown John Thorp William Chung George Gusack Reactor Security and Emergency Preparedness Shreedhar Kandel Paul Rades Amy Hardin Information Technology John Thorp Terri Cooper Jenny Cheung Muhammad Arefin Curtis Brown William Chung George Gusack Shreedhar Kandel D-1

APPENDIX E ABBREVIATIONS AND ACRONYMS

ABBREVIATIONS AND ACRONYMS AIGA Assistant Inspector General for Audit AIGI Assistant Inspector General for Investigation BPA Blanket Purchase Agreement CFR Code of Federal Regulations CFSI Counterfeit, Fraudulent, and Suspect Items CIGIE Council of Inspectors General on Integrity and Efficiency DATA Act Digital Accountability and Transparency Act DCAA Defense Contract Audit Agency DNFSB Defense Nuclear Facilities Safety Board DOJ U.S. Department of Justice DPO Differing Professional Opinion ECIE Executive Council on Integrity and Efficiency EEO Equal Employment Opportunity EP Emergency Preparedness FAR Federal Acquisition Regulation FFRDC Federally Funded Research and Development Center FISMA Federal Information Security Modernization Act FOIA Freedom of Information Act FTR Federal Travel Regulation FY Fiscal Year GAO Government Accountability Office GLINDA Global Infrastructure and Development Acquisition IAM Issue Area Monitor IG Inspector General IPAC Intra-Government Payment and Collection MD Management Directive National National Strategy for the Efficient Use of Real Property Strategy NMSS Office of Nuclear Material Safety and Safeguards NRC U.S. Nuclear Regulatory Commission OGC Office of the General Counsel OIG Office of the Inspector General OIP Office of International Programs E-1

ABBREVIATIONS AND ACRONYMS OMB Office of Management and Budget PBGC Pension Benefit Guaranty Corporation PCIE Presidents Council on Integrity and Efficiency PCS Permanent Change of Station PIIA Payment Integrity Information Act RES Office of Nuclear Regulatory Research SWP Strategic Workforce Plan SwRI Southwest Research Institute The Act The Inspector General Act amendments The Center Center for Nuclear Waste Regulatory Analysis WBL Web Based Licensing E-2