Text

Audit of the Defense Nuclear Facilities Safety Boards Fiscal Year 2021 Compliance with Improper Payment Laws DNFSB-22-A-06 July 27, 2022 All publicly available OIG reports, including this report, are accessible through the OIGs website at:

www.nrcoig.oversight.gov

NRC Headquarters l 11555 Rockville Pike l Rockville, Maryland 20852 l 301.415.5930 www.nrcoig.oversight.gov MEMORANDUM DATE:

July 27, 2022 TO:

Chair Joyce L. Connery FROM:

The Hon. Robert J. Feitel Inspector General

SUBJECT:

AUDIT OF THE DNFSBS FISCAL YEAR 2021 COMPLIANCE WITH IMPROPER PAYMENT LAWS (DNFSB-22-A-06)

Attached is the Office of the Inspector Generals (OIG) report titled Audit of the DNFSBs Fiscal Year 2021 Compliance with Improper Payment Laws.

The report presents the results of the subject audit. Following issuance of the discussion draft, Defense Nuclear Facilities Safety Board (DNFSB) staff indicated that they had no formal comments for inclusion in this report.

We appreciate the cooperation extended to us by members of the DNFSB staff during the audit. If you have any questions or comments about our report, please contact me at (301) 415-5930, or Eric Rivera, Acting Assistant Inspector General for Audits, at (301) 415-5915.

Attachment:

As stated cc:

Vice Chairman Summers Board Member Roberson Robert J.

Feitel Digitally signed by Robert J. Feitel Date: 2022.07.27 12:04:35 -04'00'

1 Improper Payment Law Enacted in 2020, the Payment Integrity Information Act of 2019 (PIIA) requires executive agencies to periodically review all programs and activities an agency administers and identify all programs and activities with outlays exceeding $10 million that may be susceptible to significant improper payments. The review should occur not less than once every three years for each program and activity. The PIIA requires the Office of the Inspector General (OIG) of each executive agency to annually determine agency compliance.

Each executive agency must complete the following, if applicable, for PIIA compliance:

Publish improper payments information with the annual financial statement of the executive agency for the most recent fiscal year and post the statement on the agency website with any accompanying materials required by the Office of Management and Budget (OMB);

Conduct a program-specific risk assessment for each program or activity that meets the PIIA requirements; Publish improper payments estimates in the accompanying materials to the annual financial statement; Publish programmatic corrective action plans; Publish improper payments reduction targets for programs and activities assessed to be at risk; and, Report an improper payment rate of less than 10 percent for each program and activity where an estimate was published.

Federal Improper Payment Guidance for Executive Agencies On March 5, 2021, the OMB issued Memorandum M-21-19, Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement. In addition, OMB Circular A-136 establishes additional payment integrity reporting requirements for executive agencies. Table 1 of this report lists the OMB requirements that correspond with the PIIA compliance requirements.

I. BACKGROUND

2 The audit objectives were to assess the Defense Nuclear Facilities Safety Boards (DNFSBs) compliance with the PIIA and report any material weaknesses in internal control. Appendix A of this report contains information on the audit scope and methodology.

The OIG determined that for fiscal year (FY) 2021, the DNFSB is not compliant with the PIIA. Specifically, the DNFSB did not meet all requirements for publishing and posting the annual financial statement and accompanying materials required under the PIIA and corresponding OMB guidance. At the same time, the OIG did not report any material weaknesses in internal control.

Table 1 of this report lists the PIIA requirements and the DNFSBs compliance with the statutory requirements.

Table 1: The DNFSBs FY 2021 Compliance with the PIIA Program Name Compliance Requirements Payroll*

1a. Published payment integrity information with the annual financial statement Not Compliant 1b. Posted the annual financial statement and accompanying materials on the agency website Not Compliant 2a. Conducted Improper Payment (IP) risk assessments for each program with annual outlays greater than $10,000,000 at least once in the last three years Compliant 2b. Adequately concluded whether the program is likely to make IPs and Unknown Payments (UP) above or below the statutory threshold Compliant

3. Published IP and UP estimates for programs susceptible to significant IPs in the accompanying materials to the annual financial statement N/A

4. Published corrective action plans for each program for which an estimate above the statutory threshold was published in the accompanying materials to the annual financial statement N/A 5a. Published IP and UP reduction target for each program for which an estimate above the statutory threshold was published in the accompanying materials to the annual financial statement N/A 5b. Has demonstrated improvements to payment integrity or reached a tolerable IP and UP rate N/A 5c. Has developed a plan to meet the IP and UP reduction target N/A

6. Reported an IP and UP estimate of less than 10% for each program for which an estimate was published in the accompanying materials to the annual financial statement N/A Source: OIG-generated from OMB M-21-19 requirements

• While other programs were reviewed in the DNFSBs risk assessment, payroll is the only program that met the statutory threshold.

II. OBJECTIVES III. FINDING

3 The DNFSB did not meet one of the six requirements for PIIA compliance. OMB M-21-19 states that if a program does not meet one or more of the requirements, then the agency is not compliant under PIIA.

To achieve compliance, the OMB directs each executive agency to include a link to paymentaccuracy.gov within its annual financial statement under OMB M 19. The OIG inquired with the OMB for further clarification on the requirements for including the link in the annual financial statement. The OMB confirmed that, to achieve compliance with PIIA, the agency should respond to all applicable questions in the OMB annual data call to provide required payment integrity information as stated in OMB A-136. In addition, the OMB asserted all agencies are required to provide the OMB with data related to the status of the agencys improper payment risk assessments, the identification and recovery of overpayments, and other reporting requirements applicable to the agency in the data call. If an agency answers the data call, then in accordance with OMB A-136, the OMB expects the agency to include a link to paymentaccuracy.gov under the payment integrity section in the agencys annual financial statement.

We found that the DNFSB did not respond to the OMBs FY 2021 data call to provide required payment integrity information. In addition, the DNFSBs FY 2021 annual financial statement did not include a link to paymentaccuracy.gov.

The OIG discovered the DNFSB was not included in the annual OMB email to notify executive agencies about the FY 2021 data call. However, OMB A-136 asserts that it is the agencys responsibility to contact the OMB to obtain access to the data call each year. Therefore, the DNFSB did not comply with all requirements to achieve PIIA compliance for FY 2021.

The OIG recommends the DNFSB:

1. Submit annual data call documentation to the OMB, as required by OMB Circular A-136;

2. Include the paymentaccuracy.gov link in the annual AFR, as required by Appendix C to OMB Circular A-123; and,

3. Develop and implement a process for continuous monitoring of financial statutory requirements.

IV. RECOMMENDATIONS

4

During the audit, the OIG made two observations regarding areas where the DNFSB could strengthen its payment integrity review. These observations did not rise to the level of a finding of noncompliance.

1. The PIIA requires agencies to triennially review all programs and activities that meet the statutory threshold to determine susceptibility to significant improper payments. Under the most recent Appendix C to OMB Circular A-123, risk assessments are only required for programs with outlays exceeding

$10 million. The DNFSB performed a qualitative risk assessment in FY 2020 where payroll was the only program above the $10 million threshold.

Although the DNFSBs risk assessment met the minimum statutory requirements, the OIG noted the agency did not assess payroll separately.

Instead, payroll was included and reviewed under total disbursements. While reviewing disbursements, the OIG noted discrepancies and difficulties in obtaining source documents for payroll. Therefore, the OIG suggests that, during its next improper payments risk assessment, the DNFSB perform a separate assessment of payroll, and any other applicable program, if it meets the statutory threshold in the applicable fiscal year.

2. When conducting a qualitative risk assessment, the OMB guidance directs agencies to ensure proper consideration is given to relevant risk factors that would help determine a programs susceptibility to improper payments. The most recent Appendix C to OMB Circular A-123 suggests 11 risk factors to agencies when performing qualitative risk assessments. This version of Appendix C was not issued yet when the DNFSB conducted its FY 2020 risk assessment. Therefore, the DNFSB did not document consideration of the OMBs suggested risk factors in that assessment. The OIG suggests the DNFSB apply and document any relevant OMB risk factors when it conducts its next risk assessment.

DNFSB management reviewed a discussion draft, stated their general agreement, and had no formal comments for inclusion in this report.

V. ADDITIONAL OBSERVATIONS VI. DNFSB COMMENTS

5 Appendix A Objectives The audit objectives were to assess the DNFSBs compliance with the PIIA and report any material weaknesses in internal control.

Scope The audit focused on improper payment compliance for FY 2021. We conducted this audit at the OIG headquarters in Rockville, Maryland, from February through June 2022.

Components of internal controls related to the audit objectives were reviewed and analyzed. The OIG reviewed the components of control environment, control activities, information and communication, and monitoring. Within those components, the OIG reviewed the principles of overseeing the internal control system; establishing structure, responsibility, and authority; designing control activities; implementing control activities through policies; using quality information; communicating internally; and, establishing and operating monitoring activities.

Methodology To accomplish the audit objectives, the OIG reviewed agency documents related to the DNFSBs compliance with the PIIA for FY 2021. The OIG also reviewed applicable federal laws, regulations, and requirements for the PIIA.

Since the DNFSB is subject to a triennial Appendix C to OMB A-123 risk assessment, the OIG reviewed the DNFSBs FY 2020 Improper Payments Risk Assessment report and supporting documentation as part of the review.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

OBJECTIVES, SCOPE, AND METHODOLOGY

6 Throughout the audit, auditors considered the possibility of fraud, waste, and abuse in the program.

The audit was conducted by Terri Cooper, Team Leader; Felicia Silver, Audit Manager; and Muhammad Arefin, Senior Auditor.

7 Please

Contact:

Email:

Online Form Telephone:

1-800-233-3497 TTY/TDD:

7-1-1, or 1-800-201-7165 Address:

U.S. Nuclear Regulatory Commission Office of the Inspector General Hotline Program Mail Stop O5-E13 11555 Rockville Pike Rockville, MD 20852 If you wish to provide comments on this report, please email the OIG using this link.

In addition, if you have suggestions for future OIG audits, please provide them using this link.

TO REPORT FRAUD, WASTE, OR ABUSE COMMENTS AND SUGGESTIONS