Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 December 3, 2021 MEMORANDUM TO: Eric Rivera Acting Assistant Inspector General for Audits Office of the Inspector General Digitally signed by Cherish K.

FROM: Cherish K. Johnson Cherish K. Johnson Johnson Chief Financial Officer Date: 2021.12.03 16:59:01 -05'00'

SUBJECT:

AUDIT OF THE FISCAL YEARS 2021 and 2020 FINANCIAL STATEMENTS This memorandum responds to the draft report on the audit of the Nuclear Regulatory Commissions (NRC) fiscal years 2021 and 2020 financial statements, provided on December 1, 2021. The audit was conducted by the firm Grant Thornton LLP under contract to the NRC Office of the Inspector General (OIG).

We concur that we have deficiencies in the areas of internal control over financial reporting and management controls for users with access to NRC financial data. We strive to continuously improve, and we have more improvements to make. We will implement corrective actions to eliminate these deficiencies.

The recommendations and NRCs response are outlined below. We appreciate the collaborative relationship between the Office of the Inspector General, the auditors, and the Office of the Chief Financial Officer in supporting our continuing effort to improve financial reporting.

Recommendation No. 1:

NRC management should enhance their controls processes over the compilation and preparation of the Agencys quarter-end and year-end financial statements to prevent or timely detect errors to their financial statements and the related note disclosures. Thorough and robust review of the financial statements and related note disclosures should be completed considering the latest requirements of OMB A-136.

NRC Response:

Agree. The Office of the Chief Financial Officer will enhance the controls over the financial statement preparation process.

Recommendation No. 2:

NRC management should update the instructions for the Accounts Payable Accrual Estimation Reconciliation to more clearly indicate that the validated amounts should be used rather than

the previously estimated accrual amounts.

NRC management should review the accounts payable reconciliation in sufficient detail to detect errors in the application of the estimation methodology.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the improve the accounts payable accrual estimation process.

Recommendation No. 3:

NRC management should update the instructions for the Computation of Allowances for Losses portion of the Unbilled Revenue Accrual and Reconciliation Checklist to include more detailed descriptions of the parameters needed when generating reports used in the calculation process.

NRC management should conduct its review of the calculation of Accounts Receivable - Non-Federal - Allowance for Uncollectable Accounts in sufficient detail to detect errors in the calculation.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the instructions for the unbilled revenue accrual checklist.

Recommendation No. 4:

NRC management should develop the ability to generate a complete and accurate listing of ULOs in a format which allows for appropriate oversight and review. The report should contain all ULOs at the individual obligation level and be reconciled to the GL with any reconciling items supported by appropriate documentation.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the unliquidated obligations report.

Recommendation No. 5:

NRC management should implement controls to prevent postings in FAIMIS resulting in a negative obligation.

NRC management should increase management review and scrutiny over correcting entries before entries are posted.

NRC management should review the financial statements in sufficient detail to detect similar errors in future periods.

NRC Response:

Agree. The Office of the Chief Financial Officer has corrected the FAIMIS system and will improve the review of correcting entries.

Recommendation No. 6:

NRC management should perform reviews of all software, including fully amortized IUS, throughout the year to verify the accuracy of the information reported and ensure disposals of property are recorded in a timely manner.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the reviews of software.

Recommendation No. 7:

NRC management should enhance review procedures to include which documentation should be used in the imputed financing calculations.

NRC management should perform the review of the imputed costs calculation and related disclosures in sufficient detail to detect errors.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the preparation and review of imputed financing.

Recommendation No. 8:

NRC management should enforce the execution of its existing control activities to document explanations for identified variances.

NRC management should implement processes and controls which verify that leasehold improvements are depreciated using the appropriate useful life and in operation date, in accordance with the managements policy.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the review of future lease payments, including coordinating with the Office of Administration.

Recommendation No. 9:

NRC management should enhance its fluctuation analysis control by requiring the explanations documented are supported by underlying business events, therefore connecting changes in the agencys accounting records to its business environment and operations.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the fluctuation analysis process.

Recommendation No. 10:

NRC management should improve its processes for reviewing and adjusting aged/stale obligations.

NRC management should improve its processes to only record an obligation in the accounting system when a legal obligation exists and appropriately retain supporting documentation.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the process to oversee obligations.

Recommendation No. 11:

Periodically review the segregation of duties matrix and update it to reflect relevant changes in business processes or role configurations within the application.

NRC Response:

Agree. The Office of the Chief Financial Officer will periodically review the segregation of duties matrix for FAIMIS.

Recommendation No. 12:

Include a justification for the conflicting roles that reference to compensating controls in place for the requested conflicting roles as part of requests for conflicting roles to be granted to a FAIMIS user.

NRC Response:

Agree. The Office of the Chief Financial Officer will include a justification for conflicting roles for FAIMIS.

Recommendation No. 13:

Log and review any conflicting transactions performed by users with authorized conflicting roles to determine if the conflicting transactions were in fact authorized.

NRC Response:

Agree. The Office of the Chief Financial Officer will review conflicting transactions in FAIMIS.

Recommendation No. 14:

Validate temporary role assignments as a part of the bi-annual user access review to ensure they were removed on a timely basis.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the bi-annual review process for FAIMIS.

Recommendation No. 15:

Review administrator logged activity and document log activities that would require further investigation.

NRC Response:

Agree. The Office of the Chief Financial Officer will review administrator logged activity for FAIMIS.

Recommendation No. 16:

Implement the technical capability to disable or remove users who are inactive for greater than the organizationally defined threshold of 90 days.

NRC Response:

Agree. The Office of the Chief Financial Officer will review the feasibility of a technical capability to remove users in FAIMIS.

Recommendation No. 17:

Enhance the periodic recertification of access by ensuring that managers review the access privileges of their staff against the most current segregation of duties matrix to ensure the roles currently assigned conform to policy. In addition, we recommend the help desk documents the removal of roles that management has noted as unnecessary and communicates the confirmation with management that the users roles were removed.

NRC Response:

Agree. The Office of the Chief Financial Officer will enhance the recertification of access process for FAIMIS.

Recommendation No. 18:

Enhance the process to help ensure that STAQS Access Request Forms are completed and retained.

NRC Response:

Agree. The Office of Administration will improve the process for STAQS access request forms.

Recommendation No. 19:

Enhance the process to help ensure that NRC Form 270 is completed and retained for each employee that is separated from the NRC.

NRC Response:

Agree. The office of the Human Capital Officer will improve the NRC Form 270 process.

cc: D. Dorman EDO C. Haney, DEDM D. Roberts, DEDR S. Miotla, AO/Acting J. Jolicoeur, OEDO

SUBJECT:

AUDIT OF THE FISCAL YEARS 2021 and 2020 FINANCIAL STATEMENTS DATED: December 3, 2021 Distribution:

OCFO R/F DOC R/F RidsEdoMailCenter Resource RidsAdmMailCenter Resource RidsOIS Resource RidsOCHOResource Adams Yes No Initials: SJ/

Publicly Available Non-Publicly Available Sensitive Non-Sensitive G:\DFM\FSRT\FY 2021\Audit\FY 2021 FS Audit Response.docx ADAMS Accession No: ML21337A373