ML21347A044

OIG-22-A-03 - Results of the Audit of the United States Nuclear Regulatory Commission's Financial Statements for Fiscal Year 2021 Dated December 10th, 2021
ML21347A044
Person / Time
Issue date: 12/10/2021
From: Feitel R
NRC/OIG
To: Christopher Hanson
NRC/Chairman
References
OIG-22-A-03


Text

December 10, 2021

MEMORANDUM TO: Chairman Christopher T. Hanson

FROM: The Hon. Robert J. Feitel, Inspector General

Digitally signed by Robert J. Feitel. Date: 2021.12.10 08:10:55 -05'00'

SUBJECT: RESULTS OF THE AUDIT OF THE UNITED STATES NUCLEAR REGULATORY COMMISSION'S FINANCIAL STATEMENTS FOR FISCAL YEAR 2021 (OIG-22-A-03)

The Chief Financial Officers Act of 1990, as amended (CFO Act), requires the Inspector General (IG) or an independent external auditor, as determined by the IG, to annually audit the United States Nuclear Regulatory Commission's (NRC) financial statements in accordance with applicable standards. In compliance with this requirement, the Office of the Inspector General (OIG) contracted with Grant Thornton to conduct this annual audit. Transmitted with this memorandum is Grant Thornton's audit report. Grant Thornton examined the NRC's Fiscal Year (FY) 2021 Agency Financial Report, which includes financial statements for FY 2021.

Grant Thornton's audit report contains the following:

  • Opinion on the Financial Statements;
  • Opinion on Internal Control over Financial Reporting; and,
  • Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements

Objective of a Financial Statement Audit

The objective of a financial statement audit is to determine whether the audited entity's financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation.

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930

Grant Thornton's audit included, among other things, obtaining an understanding of the NRC and its operations, including internal control over financial reporting; evaluating the design and operating effectiveness of internal control and assessing risk; and, testing relevant internal controls over financial reporting. Because of inherent limitations in internal controls, misstatements due to error or fraud may occur and not be detected. Additionally, projections of any evaluation of any internal control to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or due to deterioration in the degree of compliance with the policies or procedures.

FY 2021 Audit Results

The results are as follows:

  • Financial Statements: Unmodified opinion
  • Internal Control over Financial Reporting: Adverse opinion
  • Compliance with Laws and Regulations: No instances of noncompliance noted.

The OIG Oversight of Grant Thornton's Performance

To fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work performed, we monitored Grant Thornton's audit of the NRC's FY 2021 financial statements by:

  • Reviewing Grant Thornton's audit approach and planning;
  • Evaluating the qualifications and independence of Grant Thornton's auditors;
  • Monitoring audit progress at key points;
  • Examining the working papers related to planning and performing the audit and assessing the NRC's internal controls;
  • Reviewing Grant Thornton's audit report to ensure compliance with Government Auditing Standards and Office of Management and Budget Bulletin No. 21-04;
  • Coordinating the issuance of the audit report; and,
  • Performing other procedures deemed necessary.

Grant Thornton is responsible for the attached auditor's report, dated December 8, 2021, and the conclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding the firm's performance under the terms of the contract. Our oversight, as differentiated from an audit in conformance with Government Auditing Standards, was not intended to enable us to express an opinion, and accordingly we do not express an opinion on:

  • The NRC's financial statements;
  • Effectiveness of the NRC's internal control over financial reporting; and,
  • The NRC's compliance with laws, regulations, contracts, and grant agreements.

However, our monitoring review, as described above, disclosed no instances where Grant Thornton did not comply, in all material respects, with applicable auditing standards.

Meeting with the Chief Financial Officer

At the exit conference on December 2, 2021, representatives of the Office of the Chief Financial Officer, the OIG, and Grant Thornton discussed the results of the audit.

Comments of the Chief Financial Officer

In her response, the Chief Financial Officer agreed with the report. The full text of her response follows this report.

The NRC's Financial Statements

The NRC's audited FY 2021 financial statements can be found in the agency's financial report.

We appreciate the NRC staff's cooperation and continued interest in improving financial management within the NRC.

Attachment: As stated

cc: Commissioner J. Baran
Commissioner D. Wright
D. Dorman, OEDO
C. Johnson, OCFO
J. Jolicoeur, OEDO
EDO_ACS_Distribution
RidsEDO MailCenter Resource
RidsOCFOMailCenter Resource
OIG Liaison Resource

GRANT THORNTON LLP

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

1000 Wilson Boulevard, 14th Floor
Arlington, VA 222091
D +1 703 847 7500
F +1 703 848 9580

Chairman Christopher T. Hanson
United States Nuclear Regulatory Commission

Hon. Robert J. Feitel, Inspector General
United States Nuclear Regulatory Commission

Report on the financial statements and internal control over financial reporting

We have audited the accompanying financial statements of the United States Nuclear Regulatory Commission (the Agency or NRC), which comprise the consolidated balance sheet as of September 30, 2021, and the related consolidated statements of net cost, changes in net position, and the combined statement of budgetary resources for the year then ended, and the related notes to the consolidated financial statements.

We also have audited the internal control over financial reporting of the United States Nuclear Regulatory Commission as of September 30, 2021, based on criteria established under 31 U.S.C. 3512 (c),(d) (commonly known as the Federal Managers' Financial Integrity Act or FMFIA) and in Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States.

Management's responsibility for the financial statements and internal control over financial reporting

Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of effective internal control over financial reporting relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error. Management is also responsible for evaluating the effectiveness of internal control over financial reporting based on the criteria established under FMFIA and its assessment about the effectiveness of internal control over financial reporting as of September 30, 2021, included in the accompanying Management's Report on Internal Control over Financial Reporting.

Auditor's responsibility

Our responsibility is to express an opinion on these financial statements and an opinion on the entity's internal control over financial reporting based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin 21-04, Audit Requirements for Federal Financial Statements. Those standards and OMB Bulletin 21-04 require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement and whether effective internal control over financial reporting was maintained in all material respects.

GT.COM Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and each of its member firms are separate legal entities and are not a worldwide partnership.

An audit of financial statements involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the Agency's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances. An audit of financial statements also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.

An audit of internal control over financial reporting involves performing procedures to obtain audit evidence about whether a material weakness exists. The procedures selected depend on the auditor's judgment, including the assessment of the risk that a material weakness exists. An audit of internal control over financial reporting also involves obtaining an understanding of internal control over financial reporting and testing and evaluating the design and operating effectiveness of internal control over financial reporting based on the assessed risk. Our audit of internal control also considered the Agency's process for evaluating and reporting on internal control over financial reporting based on criteria established under FMFIA. Our audits also included performing such other procedures as we considered necessary in the circumstances.

We did not evaluate all internal controls relevant to operating objectives as broadly established under FMFIA, such as those controls relevant to preparing performance information and ensuring efficient operations. We limited our internal control testing to testing controls over financial reporting. Our internal control testing was for the purpose of expressing an opinion on whether effective internal control over financial reporting was maintained, in all material respects. Consequently, our audit may not identify all deficiencies in internal control over financial reporting that are less severe than a material weakness.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our financial statement audit opinion and adverse audit opinion on internal control over financial reporting.

Definition and inherent limitations of internal control over financial reporting

An entity's internal control over financial reporting is a process affected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America. An entity's internal control over financial reporting provides reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance with accounting principles generally accepted in the United States of America, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and (2) transactions are executed in accordance with provisions of applicable laws, including those governing the use of budget authority, regulations, contracts and grant agreements, noncompliance with which could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements due to fraud or error. Also, projections of any assessment of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the Agency's financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Opinion on the financial statements

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the United States Nuclear Regulatory Commission as of September 30, 2021, and its net cost, changes in net position, and budgetary resources for the year then ended, in accordance with accounting principles generally accepted in the United States of America.

Basis for adverse opinion on internal control over financial reporting

The following material weakness has been identified and included in the accompanying schedule of findings as Lack of Appropriate Management Controls over Financial Reporting.

We considered the material weakness identified above in determining the nature, timing, and extent of audit procedures applied in our audit of the 2021 financial statements, and our adverse opinion on internal control over financial reporting does not affect our opinion on the financial statements.

Adverse opinion on internal control over financial reporting

In our opinion, because of the effect of the material weakness described in the Basis for adverse opinion paragraph on the achievement of the objectives of the criteria established under 31 U.S.C. 3512 (c),(d) (commonly known as FMFIA) and in Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States, the United States Nuclear Regulatory Commission has not maintained effective internal control over financial reporting as of September 30, 2021, based on criteria established under 31 U.S.C. 3512 (c),(d) (commonly known as FMFIA) and in the Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States.

As discussed in more detail, our fiscal year (FY) 2021 audit identified deficiencies in the Agency's controls over user account management for users with access to the Nuclear Regulatory Commission Financial Data, described in the accompanying schedule of findings as Item II. Lack of User Account Management Controls for Users with Access to Nuclear Regulatory Commission Financial Data, that collectively represent a significant deficiency in the Agency's internal control over financial reporting. We considered this significant deficiency in determining the nature, timing, and extent of our audit procedures on the Agency's FY 2021 financial statements.

Although the significant deficiency in internal control did not affect our opinion on the Agency's 2021 financial statements, misstatements may occur in unaudited financial information reported internally and externally by the Agency because of this significant deficiency.

In addition to the material weakness in internal control over lack of appropriate management controls over financial reporting and the significant deficiency in internal control over the lack of user account management controls, we also identified deficiencies in the Agency's internal control over financial reporting that we do not consider to be material weaknesses or significant deficiencies. Nonetheless, these deficiencies warrant management's attention. We have communicated these matters to management and, where appropriate, will report on them separately.

Other matters

2020 Financial Statements

The financial statements and internal control of the United States Nuclear Regulatory Commission as of and for the year ended September 30, 2020, were audited by other auditors. Those auditors' report, dated November 12, 2020, expressed an unmodified opinion on those 2020 financial statements and an adverse opinion on internal control.

Required supplementary information

Accounting principles generally accepted in the United States of America require that the information in Management's Discussion and Analysis, the combining schedule of budgetary resources, and information related to Deferred Maintenance and Repairs be presented to supplement the basic financial statements. Such information, although not a required part of the basic financial statements, is required by the Federal Accounting Standards Advisory Board and OMB Circular A-136, Financial Reporting Requirements, which consider it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. Management is responsible for preparing, measuring, and presenting the required supplementary information in accordance with accounting principles generally accepted in the United States of America. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America. These limited procedures consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management's responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Other information

Our audits were conducted for the purpose of forming an opinion on the basic financial statements as a whole. The Availability of Reference Materials in Nuclear Regulatory Commission Publications, About This Report, Table of Contents, The Commission, A Message from the Chairman, A Message from the Chief Financial Officer, Inspector General's Letter Transmitting Independent Auditors' Report, Management's Response to Independent Auditors' Report and Other Information sections of the Agency Financial Report are presented for purposes of additional analysis and are not a required part of the basic financial statements. Management is responsible for preparing and presenting other information included in documents containing the audited financial statements and auditor's report, and for ensuring the consistency of that information with the basic financial statements and the required supplementary information. We read the other information in order to identify material inconsistencies, if any, with the basic financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the basic financial statements, and accordingly, we do not express an opinion or provide any assurance on it.

Report on compliance with laws, regulations, contracts, and grant agreements and other matters

As part of obtaining reasonable assurance about whether the Agency's financial statements are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements consistent with the auditor's responsibility discussed below, in accordance with Government Auditing Standards. Noncompliance may occur that is not detected by these tests.

Management's responsibility

Management is responsible for complying with laws, regulations, contracts, and grant agreements applicable to the Agency.

Auditor's responsibility

Our responsibility is to test compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the financial statements, and perform certain other limited procedures. We did not test compliance with all laws, regulations, contracts, and grant agreements.

Results of our tests of compliance with laws, regulations, contracts, and grant agreements

The results of our tests disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards. However, the objective of our tests was not to provide an opinion on compliance with laws, regulations, contracts, and grant agreements applicable to the Agency. Accordingly, we do not express such an opinion.

Under the Federal Financial Management Improvement Act (FFMIA), we are required to report whether the Agency's financial management systems substantially comply with FFMIA Section 803(a) requirements. To meet this requirement, we performed tests of compliance with the federal financial management systems requirements, applicable federal accounting standards, and the United States Standard General Ledger (USSGL) at the transaction level. However, providing an opinion on compliance with FFMIA was not an objective of our audit, and accordingly we do not express such an opinion. The results of our tests of FFMIA Section 803(a) requirements disclosed no instances of substantial noncompliance that are required to be reported under FFMIA.

Agency's response to findings

The Agency's response to our findings, which is described in the accompanying Management's Response to Independent Auditors' Report, was not subjected to the auditing procedures applied in the audit of the financial statements, and accordingly, we express no opinion on the Agency's response.

Intended purpose of report on compliance with laws, regulations, contracts, and grant agreements

The purpose of this report is solely to describe the scope of our testing of compliance and the results of that testing, and not to provide an opinion on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering compliance. Accordingly, this report is not suitable for any other purpose.

Arlington, Virginia December 8, 2021

Schedule of Findings

I. Material Weakness - Lack of Appropriate Management Controls over Financial Reporting

Criteria:

In accordance with OMB Circular A-123 Management's Responsibility for Internal Control, issued under the authority of FMFIA and the Government Performance and Results Modernization Act, management is responsible for establishing and maintaining internal controls to achieve reliable financial reporting. According to the U.S. Government Accountability Office (GAO) Standards for Internal Control in the Federal Government (Green Book), management is responsible for implementing and evaluating its internal control system, including internal controls, to meet reporting objectives related to the preparation of reports for use by the Agency, its stakeholders, or other external parties. The following control weaknesses were noted related to the Agency's financial reporting process:

1. Financial Statement Compilation and Preparation Process

Condition:

Through testing of the year-end financial statements, we noted the following conditions:

  • The draft Statement of Changes in Net Position provided did not consider updates to the OMB Circular A-136, Financial Reporting Requirements (A-136) format;
  • The draft Property and Equipment, Net note to the financial statements did not include all required information per A-136;
  • The draft Leases note was not accurately produced and not in the required format per A-136;
  • The draft Financial Statements to Reclassified Financial Statements note did not include an explanatory note required per A-136; and
  • The draft Contingencies note to the financial statements was not presented in a comparative format as required per A-136.

In addition, a full set of draft financial statements could not be provided until October 29, 2021, with support for note disclosures not completely available until November 2, 2021.

Cause:

The NRC does not have appropriate processes or controls in place to prevent or detect, on a timely basis, deviations from A-136 requirements as a component of their financial statement compilation and preparation process.

Effect:

If not corrected, the conditions noted above would have resulted in deviations from the requirements of A-136 and potential misstated financial statement line items and related note disclosures. Furthermore, the delays in providing draft financial statements and related information on a timely basis contributed to delays to the audit and subsequent delays in publication of the NRC Agency Financial Report, beyond the A-136 deadline.

2. Accounts Payable Calculation Process, Non-Federal

Condition:

The NRC calculates the accounts payable, non-federal amount quarterly as an average based on the historical trend of validated prior accruals. During our testing of the Quarter 3 FY 2021 Accounts Payable Accrual Estimation Reconciliation, we noted that beginning in Quarter 2 of FY 2019 and for the subsequent nine quarters, previously estimated accounts payable amounts were used as an input to the calculation rather than appropriately using the respective quarter's validated accounts payable amounts.

Cause:

The condition noted above was a result of manual errors that were not prevented or detected through management's controls over the accounts payable, non-federal calculation processes, including the review over the reasonableness of the calculated accrual amount.

Effect:

This error was not detected during management's review, resulting in misstatements of accounts payable, non-federal at Quarter 3 FY 2021. Although we notified management of the error after our Quarter 3 FY 2021 testing, at Quarter 4 FY 2021, the NRC continued to utilize the estimated accounts payable amount for one quarter of input resulting in a $686,105 uncorrected error.

3. Accounts Receivable, Net - Calculation Processes

Condition:

The NRC uses the Accounts Receivable (AR) Aging Audit Report to calculate the allowance for uncollectable accounts. During our testing of the Quarter 3 FY 2021 Non-Federal Allowance for Uncollectable Accounts calculation, Grant Thornton noted the report was generated with an erroneous Report Aging Date of 6/30/2020 rather than the correct date of 6/30/2021. This incorrect Report Aging Date had two distinct impacts:

  • Billings between 3/3/2020 and 6/22/2021, which should have been subject to aging analysis, were not included; and
  • Accounts Receivable items subject to the aging analysis had an identified age of 365 days less than should have been calculated (e.g., an item billed on 3/2/2020 that was outstanding for 485 days as of 6/30/21 would have an identified age of 120 days within the report). This resulted in the wrong aging category being applied for many of the receivable items analyzed.

Grant Thornton notified NRC management of this error and management used a report with the appropriate parameters at year end; thus, this error did not impact Quarter 4 FY 2021 balances.

However, at Quarter 4 FY 2021, we noted other errors in multiple areas of Accounts Receivable and the allowance for uncollectable accounts calculation, including Unbilled Accounts Receivable calculations, which were based on an estimated unbilled period of eight days rather than a period of four days.

Cause:

These errors above resulted from NRC management review controls not being thoroughly performed to prevent or detect errors in the Accounts Receivable and allowance for uncollectable accounts calculation process.

Effect:

At Quarter 3 FY 2021, both impacts contributed toward an understatement of Allowance for Uncollectable Accounts and a related overstatement of Accounts Receivable, Net - Non-Federal of $1.1 million.

At Quarter 4 FY 2021, the impacts contributed toward a $4.2 million Accounts Receivable, Net overstatement and $4 million Earned Revenue overstatement.

4. Unliquidated Obligations Population Lack of Reconciliation Process

Condition:

The NRC generates two listings related to Unliquidated Obligations (ULOs): the ULO management report, and the ULO general ledger (GL) report. During Grant Thornton's testing related to 9/30/2021 ULO support, a difference of $7.5 million was noted between the ULO GL report and the ULO management report. NRC management was able to explain a portion of the difference; however, a net $4.5 million error in the ULO management report remains as of 9/30/2021. While the ULO GL report agrees to the GL, it does not contain the detailed information, included in the ULO management report, to allow management analysis of individual obligations.

Cause:

NRC management is unable to generate a complete and accurate listing of ULOs at the individual obligation level with enough detail for meaningful analysis.

Effect:

The NRC's inability to generate a complete and accurate detailed listing of ULOs at the individual obligation level inhibits the NRC's ability to perform adequate review of the ULO balance and increases the risk of potential misstatements to the Statement of Budgetary Resources.

5. Overstatement of New Obligations

Condition:

In FY 2015, NRC management became aware of a systematic issue in the Financial Accounting and Integrated Management Information System (FAIMIS) which allowed for deobligations in excess of the remaining obligated amount. These issues related specifically to tax lines for change of station obligations, and resulted in a negative obligation. NRC employees erroneously deobligated the full amount of tax lines originally obligated, rather than the remaining unliquidated obligations. Systematic issues which allowed these excessive deobligations to occur were corrected in FY 2015. However, in FY 2021, $2.9 million of such excess deobligations were identified by NRC management and re-obligated using manual adjustments. This error correction was recorded incorrectly as a new obligation in the current year.

Cause:

The initial errors occurred because FAIMIS was not appropriately configured to prevent the recording of negative obligations. When corrections were subsequently made in FY 2021, management review controls did not detect errors in the correcting entries.

Effect:

The current year's error resulted in a $2.9 million overstatement of New obligations and upward adjustments (total), and an understatement of the Unobligated balance from the prior year budget authority, net, as of 9/30/2021.

6. Decommission of Internal Use Software

Condition:

During testing of Internal Use Software (IUS), a significant component of the NRC's reported property and equipment, Grant Thornton noted several instances in which IUS was decommissioned prior to FY 2021, but was not removed from the NRC's fixed asset ledger which supports the financial statement balance.

Cause:

Lack of appropriate management controls to remove IUS once identified as decommissioned led to the untimely removal of decommissioned IUS from the NRC's financial records.

Effect:

Our testing identified items resulting in the removal of $10 million of IUS from the NRC's gross property and equipment during FY 2021, which should have been removed prior to FY 2021. The majority of these IUS items were fully depreciated and amortized prior to FY 2021 and as such, these corrections had immaterial impacts to both property and equipment, net, and FY 2021 gross cost.

7. Imputed Financing Calculation Process Condition:

Imputed financing/costs consists of retirement, health, and life insurance components.

The NRC utilizes semi-annual headcount reports to calculate multiple components of imputed costs. As of Quarter 4 FY 2021, Grant Thornton noted the NRC incorrectly calculated the agency contribution element of the retirement portion of imputed costs by utilizing the September 2020 semi-annual headcount report, as opposed to the March 2021 report utilized for base salaries and employee withholdings (additional components of the retirement calculation).

Cause:

The condition noted above resulted from NRC management controls not preventing or detecting errors during the imputed costs calculation process.

Effect:

As a result, imputed costs were overstated by $2.6 million. Furthermore, it was noted that the disclosure in Note 11 - Financing Sources Other Than Exchange Revenue is misstated. The imputed financing from the Civil Service Retirement System (CSRS) and Federal Employees Retirement System (FERS) should be presented as $2,766,265 and $1,164,804, respectively, instead of the Note 11 disclosure of $2,711,564 and $3,824,940, respectively.

8. Leasehold Improvement Reconciliation and Depreciation

Condition:

The NRC performs a monthly reconciliation of its reported leasehold improvements (LHI) costs to the supporting schedules. Through control testing over the LHI reconciliation, for three out of four months selected for testing, Grant Thornton noted the LHI amounts reported in the reconciliation did not agree with the supporting schedules included in the package. Despite these identified differences, no explanations were documented, and the reviewer approved the reconciliations.

In addition, during interim substantive testing, Grant Thornton identified two instances in which LHI assets, a significant component of the NRC's reported Property and equipment, net, were depreciated inappropriately over useful lives which were inconsistent with the NRC's capitalization policy.

Cause:

These errors occurred because the NRC's reconciliation control over LHI did not operate effectively to document explanations for identified differences. Furthermore, NRC management did not apply the appropriate useful life as stated in their capitalization policy.

Effect:

Recording LHI amounts that do not agree to supporting schedules, and approving reconciliations with insufficient explanations for variances, increases the risk of a material misstatement in Property and equipment, net. The substantive errors resulted in a total $370,193 overstatement of property and equipment, as of the interim period tested. While the NRC corrected these errors prior to fiscal year end reporting, similar unidentified errors could result in misstatements not being prevented or detected in a timely manner.

9. Ineffective Fluctuation Analysis Process

Condition:

The NRC performs a quarterly fluctuation analysis to identify significant changes to reported line items on their financial statements and document explanations for the differences noted. Through testing over the quarterly fluctuation analysis control, Grant Thornton noted the explanations provided were insufficiently detailed for the fluctuations related to the following line items: Property and equipment, net; Other liabilities; Earned revenues; Appropriations received; and Appropriations used. The NRC only identified the general ledger accounts which comprise the line item and the amount of change across each account. The explanations documented do not account for logical consistency among the changes in the general ledger accounts or connect them to changes in the organization's business operations.

Cause:

This condition resulted from NRC management not requiring a sufficiently detailed explanation for variances noted in the fluctuation analysis.

Effect:

Due to the condition noted above, management is unable to determine whether the activity seen in the general ledger is reasonable or if the differences might be due to error or fraud. In addition, the control did not enable management to detect and correct other errors noted in our testing as described in this report.

10. Inaccurate and Unsupported Undelivered Orders

Condition:

Grant Thornton selected a sample of undelivered orders (UDOs) with open balances on the management report provided by the NRC that aligned to general ledger accounts 4801, 4802, 4871, and 4881. Based on the testing performed, we noted exceptions for obligations that were no longer valid, inaccurately recorded, or were not supported by the documentation provided.

Cause:

Requests for de-obligation were not processed timely in accordance with Federal Acquisition Regulations (FAR) 4.804. Some of the requests for de-obligation were not prepared timely and some requests for de-obligation were not posted timely.

Effect:

By not adjusting its UDOs in a timely manner, the NRC is at risk of understating its Unobligated balance from prior year budget authority. Additionally, by recording obligations without proper supporting documentation that the legal obligation existed as of the end of the year, the NRC risks a potential violation of the Anti-deficiency Act by expending funds that expired without an obligation. The UDO testing resulted in known differences netting to an overstatement of $500,200. Based on our statistical sample we projected the NRC's UDOs could be overstated within the general ledger by as much as $4.7M.

Recommendations

NRC management should consider taking all necessary actions to establish an appropriate internal control structure including the following:

1. Financial Statement Compilation and Preparation Process

NRC management should enhance their controls processes over the compilation and preparation of the Agency's quarter-end and year-end financial statements to prevent or timely detect errors to their financial statements and the related note disclosures.

Thorough and robust review of the financial statements and related note disclosures should be completed considering the latest requirements of OMB A-136.

2. Accounts Payable Calculation Process

2.a NRC management should update the instructions for the Accounts Payable Accrual Estimation Reconciliation to more clearly indicate that the validated amounts should be used rather than the previously estimated accrual amounts.

2.b NRC management should review the accounts payable reconciliation in sufficient detail to detect errors in the application of the estimation methodology.

3. Accounts Receivable, Net - Calculation Processes

3.a NRC management should update the instructions for the Computation of Allowances for Losses portion of the Unbilled Revenue Accrual and Reconciliation Checklist to include more detailed descriptions of the parameters needed when generating reports used in the calculation process.

3.b NRC management should conduct its review of the calculation of Accounts Receivable - Non-Federal - Allowance for Uncollectable Accounts in sufficient detail to detect errors in the calculation.

3.c NRC management should implement stronger controls over the Unbilled Accounts Receivable calculation process and related reviews.

4. Unliquidated Obligations (ULO) Population Lack of Reconciliation Process

NRC management should develop the ability to generate a complete and accurate listing of ULOs in a format which allows for appropriate oversight and review. The report should contain all ULOs at the individual obligation level and be reconciled to the GL with any reconciling items supported by appropriate documentation.

5. Overstatement of New Obligations

5.a NRC management should implement controls to prevent postings in FAIMIS resulting in a negative obligation.

5.b NRC management should increase management review and scrutiny over correcting entries before entries are posted.

5.c NRC management should review the financial statements in sufficient detail to detect similar errors in future periods.

6. Decommission of Internal Use Software (IUS)

NRC management should perform reviews of all software, including fully amortized IUS, throughout the year to verify the accuracy of the information reported and ensure disposals of property are recorded in a timely manner.

7. Imputed Financing Calculation Process

7.a NRC management should enhance its review procedures to include which documentation should be used in the imputed financing calculations.

7.b NRC management should perform the review of the imputed costs calculation and related disclosures in sufficient detail to detect any errors.

8. Leasehold Improvement Reconciliation and Depreciation

8.a NRC management should enforce the execution of its existing control activities to document explanations for identified variances.

8.b NRC management should implement processes and controls which verify that leasehold improvements are depreciated using the appropriate useful life and in operation date, in accordance with the management's policy.

9. Ineffective Fluctuation Analysis Process

NRC management should enhance its fluctuation analysis control by requiring the explanations documented are supported by underlying business events, therefore connecting changes in the agency's accounting records to its business environment and operations.

10. Inaccurate and Unsupported Undelivered Orders

10.a NRC management should improve its processes for reviewing and adjusting aged/stale obligations.

10.b NRC management should improve its processes to only record an obligation in the accounting system when a legal obligation exists and appropriately retain supporting documentation.

II. Significant Deficiency - Lack of User Account Management Controls for Users with Access to NRC Financial Data

Criteria:

In accordance with the FMFIA, management is responsible for establishing and maintaining internal controls to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. According to GAO's Green Book issued under the authority of the FMFIA, management should design control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing. Grant Thornton evaluated the accounting system used by the NRC to process and account for their expenditures and for financial reporting.

When appropriately designed and implemented, Segregation of Duties (SOD) and logical access controls protect systems from unauthorized use. Logical access controls/SOD controls require users to authenticate themselves while limiting the data and other resources that authenticated users can access and actions they can execute. The following control weaknesses were noted related to the Agency's logical access controls/SOD controls:

Condition:

We noted the following deficiencies related to logical access and SOD:

  • Users in the Financial Accounting and Integrated Management Information System (FAIMIS) user access list generated in September 2021 were assigned roles that conflict according to the NRC's FAIMIS SOD matrix;
  • NRC management did not have automated or manual controls in place to identify and review if conflicting transactions completed by users with conflicting roles were in fact authorized;
  • The FAIMIS service provider had all privileged user administrative access to FAIMIS including application administrator access which allows the vendor to add and remove access to the application and other privileged functions.

While privileged user activities were subject to audit logging, we noted:

o No controls were in place to monitor the privileged application administrators' logged activity;

o For all other privileged user administrator accounts (i.e. Operating System and Database Administrator privileged access), procedures were documented that included the requirement to complete a weekly review of reported audit log activities but did not specify or include what log activities would be considered potential misuse of privileged functions that would require further investigation.

  • Due to technical constraints in FAIMIS, the NRC was unable to deploy an automated control to deactivate users in FAIMIS after 90 days of inactivity as required by NRC policy;
  • The bi-annual user access recertification review of the NRC's FAIMIS performed in January 2021 was not complete and comprehensive.

Specifically:

o One user retained access to two roles (Vendor Entry and Vendor Approve) after the supervisor responsible for completing the review indicated these roles were not necessary and should be removed.

o Of the 14 supervisors responsible for performing the bi-annual user access review, 9 had users with SOD conflicts that were not identified as part of the recertification process.

  • The NRC did not retain the Strategic Acquisition Systems (STAQS) Access Request Form and related documents for 2 out of 8 sampled new users; and
  • The NRC was unable to provide completed termination checklists (NRC Form 270) for 6 out of 14 sampled separated employees.

Cause:

While the NRC created a SOD matrix that identified some conflicting roles in the financial system, NRC management did not perform the following:

  • Review and document the consideration of all conflicting roles, the potential impacts of these conflicting roles, or controls to mitigate the impacts of these conflicting roles;
  • Include the requirement to consider the SOD Matrix as part of its procedures for provisioning access; and
  • Reference the SOD Matrix as part of the Agency's bi-annual user access review.

Effect:

The absence of appropriately designed and/or implemented SOD and logical access controls increases the risk of a user inadvertently or intentionally completing unauthorized transactions which could lead to inaccuracies in financial reporting.

Recommendations

Grant Thornton recommends the NRC develops, documents, and implements procedures to include the following:

11. Periodically review the segregation of duties matrix and update it to reflect relevant changes in business processes or role configurations within the application;
12. Include a justification for the conflicting roles that references compensating controls in place for the requested conflicting roles as part of requests for conflicting roles to be granted to a FAIMIS user;
13. Log and review any conflicting transactions performed by users with authorized conflicting roles to determine if the conflicting transactions were in fact authorized;
14. Validate temporary role assignments as a part of the bi-annual user access review to ensure they were removed on a timely basis;
15. Review administrator logged activity and document log activities that would require further investigation;
16. Implement the technical capability to disable or remove users who are inactive for greater than the organizationally defined threshold of 90 days;
17. Enhance the periodic recertification of access by ensuring that managers review the access privileges of their staff against the most current segregation of duties matrix to ensure the roles currently assigned conform to policy. In addition, we recommend the help desk documents the removal of roles that management has noted as unnecessary and communicates the confirmation with management that the user's roles were removed;
18. Enhance the process to help ensure that STAQS Access Request Forms are completed and retained; and
19. Enhance the process to help ensure that NRC Form 270 is completed and retained for each employee that is separated from the NRC.
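
The checks named in the findings and in recommendations 13, 16 and 17 can be run over a user access list export, as in the following added example (not NRC or Grant Thornton tooling). The user IDs, dates, transaction records, the "Payment" and "Report Viewer" roles, and the treatment of Vendor Entry/Vendor Approve as a conflicting pair are constructed assumptions; only the two vendor role names and the 90-day threshold come from the report.

```python
from datetime import date
from itertools import combinations

INACTIVITY_LIMIT_DAYS = 90  # threshold stated in the report

# Constructed SOD matrix (assumption): each frozenset is a role pair one user
# should not hold without a documented compensating control.
SOD_MATRIX = {
    frozenset({"Vendor Entry", "Vendor Approve"}),
    frozenset({"Payment Entry", "Payment Approve"}),  # hypothetical roles
}

# Constructed user access list: roles, last login, and conflict pairs that
# carry a documented justification.
USERS = {
    "u1001": {"roles": {"Vendor Entry", "Vendor Approve"},
              "last_login": date(2021, 9, 20), "justified": set()},
    "u1002": {"roles": {"Payment Entry", "Payment Approve", "Report Viewer"},
              "last_login": date(2021, 9, 1),
              "justified": {frozenset({"Payment Entry", "Payment Approve"})}},
    "u1003": {"roles": {"Report Viewer"},
              "last_login": date(2021, 5, 3), "justified": set()},
}

# Constructed transaction log: (record id, role exercised, user id).
TRANSACTIONS = [
    ("V-501", "Vendor Entry", "u1001"), ("V-501", "Vendor Approve", "u1001"),
    ("P-220", "Payment Entry", "u1002"), ("P-220", "Payment Approve", "u1004"),
    ("P-221", "Payment Entry", "u1002"), ("P-221", "Payment Approve", "u1002"),
]

# Constructed recertification output: roles a supervisor marked for removal.
REMOVAL_REQUESTS = [("u1001", "Vendor Entry"), ("u1001", "Vendor Approve"),
                    ("u1002", "Budget Entry")]


def sod_conflicts(users, matrix):
    """Return (user, role pair, has_justification) for every conflicting pair held."""
    findings = []
    for uid in sorted(users):
        for pair in combinations(sorted(users[uid]["roles"]), 2):
            key = frozenset(pair)
            if key in matrix:
                findings.append((uid, pair, key in users[uid]["justified"]))
    return findings


def inactive_users(users, as_of, limit=INACTIVITY_LIMIT_DAYS):
    """Return users whose last login is more than `limit` days before `as_of`."""
    return [uid for uid in sorted(users)
            if (as_of - users[uid]["last_login"]).days > limit]


def conflicting_transactions(transactions, matrix):
    """Return (record, user) where one user exercised both roles of a conflicting pair."""
    roles_used = {}
    for record, role, uid in transactions:
        roles_used.setdefault((record, uid), set()).add(role)
    return [key for key, roles in sorted(roles_used.items())
            if any(pair <= roles for pair in matrix)]


def unactioned_removals(users, requests):
    """Return removal requests whose role is still assigned to the user."""
    return [(uid, role) for uid, role in requests
            if role in users.get(uid, {}).get("roles", set())]


if __name__ == "__main__":
    for finding in sod_conflicts(USERS, SOD_MATRIX):
        print("SOD conflict:", finding)
    print("Inactive:", inactive_users(USERS, date(2021, 9, 30)))
    print("Review queue:", conflicting_transactions(TRANSACTIONS, SOD_MATRIX))
    print("Still assigned:", unactioned_removals(USERS, REMOVAL_REQUESTS))
```

A justified conflict (u1002 here) still lands in the transaction review queue, which is the point of recommendation 13: the justification authorizes the role assignment, not each transaction performed with it.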

Status of Prior Year Findings

The financial statements and internal control of the United States Nuclear Regulatory Commission as of and for the year ended September 30, 2020 were audited by other auditors. Those auditors' report, dated November 12, 2020, expressed an unmodified opinion on those 2020 financial statements and an adverse opinion on internal control.

FY 2020 Finding: Improve Controls over Leases and Leasehold Improvements (Material Weakness)

FY 2020 Recommendations:

1. Perform a more robust review of the future lease payments schedule to ensure it reflects all changes and updates to occupancy agreements. This review should include a documented review by the group responsible for negotiating and signing occupancy agreements since they would be most familiar with all current occupancy agreements.

2. Perform a more robust review of leasehold improvements and require accurate communication from accountable property managers to ensure that as occupancy agreements change, projects begin, or projects are completed, any impact to leasehold improvements in the financial statements is recorded timely and accurately. This review should also include timely and completely documenting the status of leasehold improvements in process.

Current Status: While we noted corrective actions have been taken, control deficiencies in Leasehold Improvement reconciliations and associated depreciation contributed to a Material Weakness over lack of appropriate management controls over financial reporting in FY 2021, as described in the schedule of findings above.

FY 2020 Finding: Improve Controls to De-Obligate Aged Unliquidated Obligations on a Timely Basis (Significant Deficiency)

FY 2020 Recommendations:

3. Strengthen its internal control to ensure funds are de-obligated timely including identifying amounts to be de-obligated and posting the de-obligation to the accounting system.

4. Maintain adequate documentation, including correspondence, for the reasons why an aged unliquidated obligation should not be de-obligated.

5. Review the process for generating the unliquidated obligation subsidiary details report (management report); ensure that amounts that are not ULOs are not included in the management report; and reconciles the management report to the general ledger.

Current Status: While we noted management conducted cleanup efforts over aged ULOs in FY 2021, continued control deficiencies in ULOs contributed to a Material Weakness over lack of appropriate management controls over financial reporting in FY 2021, as described in the schedule of findings above.

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001

December 3, 2021

MEMORANDUM TO: Eric Rivera, Acting Assistant Inspector General for Audits, Office of the Inspector General

FROM: Cherish K. Johnson, Chief Financial Officer (digitally signed by Cherish K. Johnson, Date: 2021.12.03 16:59:01 -05'00')

SUBJECT:

AUDIT OF THE FISCAL YEARS 2021 and 2020 FINANCIAL STATEMENTS

This memorandum responds to the draft report on the audit of the Nuclear Regulatory Commission's (NRC) fiscal years 2021 and 2020 financial statements, provided on December 1, 2021. The audit was conducted by the firm Grant Thornton LLP under contract to the NRC Office of the Inspector General (OIG).

We concur that we have deficiencies in the areas of internal control over financial reporting and management controls for users with access to NRC financial data. We strive to continuously improve, and we have more improvements to make. We will implement corrective actions to eliminate these deficiencies.

The recommendations and NRC's response are outlined below. We appreciate the collaborative relationship between the Office of the Inspector General, the auditors, and the Office of the Chief Financial Officer in supporting our continuing effort to improve financial reporting.

Recommendation No. 1:

NRC management should enhance their controls processes over the compilation and preparation of the Agency's quarter-end and year-end financial statements to prevent or timely detect errors to their financial statements and the related note disclosures. Thorough and robust review of the financial statements and related note disclosures should be completed considering the latest requirements of OMB A-136.

NRC Response:

Agree. The Office of the Chief Financial Officer will enhance the controls over the financial statement preparation process.

Recommendation No. 2:

NRC management should update the instructions for the Accounts Payable Accrual Estimation Reconciliation to more clearly indicate that the validated amounts should be used rather than the previously estimated accrual amounts.

NRC management should review the accounts payable reconciliation in sufficient detail to detect errors in the application of the estimation methodology.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the accounts payable accrual estimation process.

Recommendation No. 3:

NRC management should update the instructions for the Computation of Allowances for Losses portion of the Unbilled Revenue Accrual and Reconciliation Checklist to include more detailed descriptions of the parameters needed when generating reports used in the calculation process.

NRC management should conduct its review of the calculation of Accounts Receivable - Non-Federal - Allowance for Uncollectable Accounts in sufficient detail to detect errors in the calculation.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the instructions for the unbilled revenue accrual checklist.

Recommendation No. 4:

NRC management should develop the ability to generate a complete and accurate listing of ULOs in a format which allows for appropriate oversight and review. The report should contain all ULOs at the individual obligation level and be reconciled to the GL with any reconciling items supported by appropriate documentation.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the unliquidated obligations report.

Recommendation No. 5:

NRC management should implement controls to prevent postings in FAIMIS resulting in a negative obligation.

NRC management should increase management review and scrutiny over correcting entries before entries are posted.

NRC management should review the financial statements in sufficient detail to detect similar errors in future periods.

NRC Response:

Agree. The Office of the Chief Financial Officer has corrected the FAIMIS system and will improve the review of correcting entries.

Recommendation No. 6:

NRC management should perform reviews of all software, including fully amortized IUS, throughout the year to verify the accuracy of the information reported and ensure disposals of property are recorded in a timely manner.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the reviews of software.

Recommendation No. 7:

NRC management should enhance review procedures to include which documentation should be used in the imputed financing calculations.

NRC management should perform the review of the imputed costs calculation and related disclosures in sufficient detail to detect errors.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the preparation and review of imputed financing.

Recommendation No. 8:

NRC management should enforce the execution of its existing control activities to document explanations for identified variances.

NRC management should implement processes and controls which verify that leasehold improvements are depreciated using the appropriate useful life and in operation date, in accordance with the management's policy.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the review of future lease payments, including coordinating with the Office of Administration.

Recommendation No. 9:

NRC management should enhance its fluctuation analysis control by requiring the explanations documented are supported by underlying business events, therefore connecting changes in the agency's accounting records to its business environment and operations.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the fluctuation analysis process.

Recommendation No. 10:

NRC management should improve its processes for reviewing and adjusting aged/stale obligations.

NRC management should improve its processes to only record an obligation in the accounting system when a legal obligation exists and appropriately retain supporting documentation.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the process to oversee obligations.

Recommendation No. 11:

Periodically review the segregation of duties matrix and update it to reflect relevant changes in business processes or role configurations within the application.

NRC Response:

Agree. The Office of the Chief Financial Officer will periodically review the segregation of duties matrix for FAIMIS.

Recommendation No. 12:

Include a justification for the conflicting roles that references compensating controls in place for the requested conflicting roles as part of requests for conflicting roles to be granted to a FAIMIS user.

NRC Response:

Agree. The Office of the Chief Financial Officer will include a justification for conflicting roles for FAIMIS.

Recommendation No. 13:

Log and review any conflicting transactions performed by users with authorized conflicting roles to determine if the conflicting transactions were in fact authorized.

NRC Response:

Agree. The Office of the Chief Financial Officer will review conflicting transactions in FAIMIS.

Recommendation No. 14:

Validate temporary role assignments as a part of the bi-annual user access review to ensure they were removed on a timely basis.

NRC Response:

Agree. The Office of the Chief Financial Officer will improve the bi-annual review process for FAIMIS.

Recommendation No. 15:

Review administrator logged activity and document log activities that would require further investigation.

NRC Response:

Agree. The Office of the Chief Financial Officer will review administrator logged activity for FAIMIS.

Recommendation No. 16:

Implement the technical capability to disable or remove users who are inactive for greater than the organizationally defined threshold of 90 days.

NRC Response:

Agree. The Office of the Chief Financial Officer will review the feasibility of a technical capability to remove users in FAIMIS.

Recommendation No. 17:

Enhance the periodic recertification of access by ensuring that managers review the access privileges of their staff against the most current segregation of duties matrix to ensure the roles currently assigned conform to policy. In addition, we recommend the help desk documents the removal of roles that management has noted as unnecessary and communicates the confirmation with management that the user's roles were removed.

NRC Response:

Agree. The Office of the Chief Financial Officer will enhance the recertification of access process for FAIMIS.

Recommendation No. 18:

Enhance the process to help ensure that STAQS Access Request Forms are completed and retained.

NRC Response:

Agree. The Office of Administration will improve the process for STAQS access request forms.

Recommendation No. 19:

Enhance the process to help ensure that NRC Form 270 is completed and retained for each employee that is separated from the NRC.

NRC Response:

Agree. The Office of the Human Capital Officer will improve the NRC Form 270 process.

cc: D. Dorman, EDO; C. Haney, DEDM; D. Roberts, DEDR; S. Miotla, AO/Acting; J. Jolicoeur, OEDO