Text

MEMORANDUM DATE: September 9, 2022 TO: James Biggins Acting Executive Director of Operations FROM: Eric Rivera /RA/

Acting Assistant Inspector General for Audits

SUBJECT:

STATUS OF RECOMMENDATIONS: RESULTS OF THE AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S FINANCIAL STATEMENTS FOR FISCAL YEAR 2021 (DNFSB-22-A-05)

REFERENCE:

OFFICE OF THE GENERAL MANAGER, MEMORANDUM DATED AUGUST 24, 2022 Attached is the Office of the Inspector Generals (OIG) analysis and status of recommendations as discussed in the agencys response dated August 24, 2022. Based on this response, recommendations 2, and 5 are now closed. Recommendations 3, 4, 6, and 7 were previously closed. Recommendation 1 remains open and resolved. Please provide an updated status of the open and resolved recommendation by February 17, 2023.

If you have any questions or concerns, please call me at (301) 415-5915 or Terri Cooper, Team Leader, at (301) 415-5965.

Attachment:

As stated cc: T. Tadlock O. Fawole NRC Headquarters l 11555 Rockville Pike l Rockville, Maryland 20852 l 301.415.5930 www.nrcoig.oversight.gov

RESULTS OF THE AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S FINANCIAL STATEMENTS FOR FISCAL YEAR 2021 DNFSB-22-A-05 Status of Recommendations Recommendation 1: Review of the Service Organization Control (SOC 1) Reports.

We recommend the DNFSB implements policies and procedures to perform monitoring of the NFC, including obtaining and reviewing the SOC 1 report and appropriately implementing CUECs, as needed. Management should maintain evidence of its review of the USDA SOC 1 report and ensure all CUECs are implemented and operate effectively.

Agency Response Dated August 24, 2022: The DNFSB did not provide any updates to this recommendation in its response dated August 24, 2022. Below is the agencys previous response dated March 1, 2022.

Disagree. The OIG is incorrect that the SOC 1 report is required to maintain effective CUECs. In accordance with OMB guidance, DNFSB will continue its practice to use any of the acceptable methods of ensuring effective CUECs including one or more of the following procedures:

a) Obtaining and reading a System and Organization Controls report, if available; b) Contacting the service organization, through the user entity, to obtain specific information; c) Visiting the service organization and performing procedures that will provide the necessary information about the relevant controls at the service organization; and/or d) Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization.

The DNFSB meets regularly with NFC to obtain specific information regarding the implementation of support services provided by NFC.

Request Recommendation be closed.

2

RESULTS OF THE AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S FINANCIAL STATEMENTS FOR FISCAL YEAR 2021 DNFSB-22-A-05 Status of Recommendations Recommendation 1 (contd):

OIG Analysis: Based on the agencys response, the OIG will keep this recommendation at open and resolved status. The OIG will not close the recommendation until the DNFSB clearly states in its guidance the acceptable methods that are used to ensure effective CUECs.

Status: Open: Resolved.

Recommendation 2: Information Technology Access and Segregation of Duties.

We recommend the DNFSB defines and implements access and segregation of duties controls to:

a) Provision and periodically recertify user access to Symplicity; b) Segregate the duties of users with access to the financial data in Symplicity.

Agency Response Dated August 24, 2022: DNFSB contracted with Symplicity to ensure segregation of duties which includes the addition of a Read-only role to Symplicity in addition to the Super-User role. Super-User roles are limited to Finance personnel who input data in the system. Symplicity also completed annual certification of all users and their access roles.

Please see attached for evidence of both updates.

OIG Analysis: The OIG reviewed the supporting documentation attached to the DNFSBs response to this recommendation and verified that the agency has implemented appropriate access control and segregation of duties. Therefore, this recommendation is now closed.

3

RESULTS OF THE AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S FINANCIAL STATEMENTS FOR FISCAL YEAR 2021 DNFSB-22-A-05 Status of Recommendations Recommendation 2 (contd):

Status: Closed.

Recommendation 5: Imputed Financing Estimates and Lack of Documentation.

We recommend the DNFSB implement policies, procedures, and controls to ensure calculated imputed costs are reasonable and supportable.

Agency Response Dated August 24, 2022: In March 2022, a procedure document was completed that outlines the steps to be taken to compute imputed costs and serves as a reference guide for staff. See attached for evidence of the procedures. In addition, DNFSB has identified a source within the National Finance Center (NFC) that has begun providing the necessary payroll files for each pay period. This ensures that DNFSB has the relevant data available and ready when imputed costs are to be calculated. See attached for evidence of submission of payroll files from NFC.

OIG Analysis: The OIG reviewed the supporting documentation attached to the DNFSBs response to this recommendation and determined the actions meet the intent of the recommendation. This recommendation is now closed.

4