ML22314A097

From kanterella
Jump to navigation Jump to search
OIG-23-A-02 Results of the United States Nuclear Regulatory Commission'S Financial Statements for Fiscal Year 2022, Dated November 10, 2022
ML22314A097
Person / Time
Issue date: 11/10/2022
From: Feitel R
NRC/OIG
To: Christopher Hanson
NRC/Chairman
References
OIG-23-A-02
Download: ML22314A097 (1)
v  d  e


Text

MEMORANDUM DATE: November 10, 2022 TO: Christopher T. Hanson Chair Digitally signed by Robert FROM: Robert J. Feitel Robert J. J. Feitel Inspector General Date: 2022.11.10 Feitel 10:18:54 -05'00'

SUBJECT:

RESULTS OF THE AUDIT OF THE UNITED STATES NUCLEAR REGULATORY COMMISSION'S FINANCIAL STATEMENTS FOR FISCAL YEAR 2022 (OIG-23-A-02)

The Chief Financial Officers Act of 1990, as amended (CFO Act), requires the Inspector General (IG) or an independent external auditor, as determined by the IG, to annually audit the United States Nuclear Regulatory Commissions (NRC) financial statements in accordance with applicable standards. In compliance with this requirement, the Office of the Inspector General (OIG) contracted with CliftonLarsonAllen (CLA) to conduct this annual audit. Transmitted with this memorandum is CLAs audit report. CLA examined the NRCs Fiscal Year (FY) 2022 Agency Financial Report, which includes financial statements for FY 2022. CLAs audit report contains the following:

  • Opinion on the Financial Statements;
  • Opinion on Internal Control over Financial Reporting; and,
  • Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements.

Objective of a Financial Statement Audit The objective of a financial statement audit is to determine whether the audited entitys financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation.

NRC Headquarters l 11555 Rockville Pike l Rockville, Maryland 20852 l 301.415.5930 www.nrcoig.oversight.gov

CLAs audit included, among other things, obtaining an understanding of the NRC and its operations, including internal control over financial reporting; evaluating the design and operating effectiveness of internal control; assessing risk; and, testing relevant internal controls over financial reporting. Because of inherent limitations in internal controls, misstatements due to error or fraud may occur and not be detected.

Additionally, projections of any evaluation of any internal control to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or due to deterioration in the degree of compliance with the policies or procedures.

FY 2022 Audit Results The results are as follows:

Financial Statements

  • Unmodified opinion Internal Control over Financial Reporting
  • Unmodified opinion Compliance with Laws and Regulations
  • No instances of noncompliance noted.

The OIG Oversight of CLAs Performance To fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work performed, we monitored CLAs audit of the NRCs FY 2022 financial statements by:

  • Reviewing CLAs audit approach and planning;
  • Evaluating the qualifications and independence of CLAs auditors;
  • Monitoring audit progress at key points;
  • Examining the working papers related to planning and performing the audit and assessing the NRCs internal controls;
  • Reviewing CLAs audit report to ensure compliance with Government Auditing Standards and Office of Management and Budget Bulletin No.

21-04; 2

  • Coordinating the issuance of the audit report; and,
  • Performing other procedures deemed necessary.

CLA is responsible for the attached auditors report, dated November 10, 2022, and the conclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding the firms performance under the terms of the contract. Our oversight, as differentiated from an audit in conformance with Government Auditing Standards, was not intended to enable us to express an opinion, and accordingly we do not express an opinion on:

  • The NRCs financial statements;
  • Effectiveness of the NRCs internal control over financial reporting; and,
  • The NRCs compliance with laws, regulations, contracts, and grant agreements.

However, our monitoring review, as described above, disclosed no instances where CLA did not comply, in all material respects, with applicable auditing standards.

Meeting with the Deputy Chief Financial Officer At the exit conference on November 7, 2022, representatives of the Office of the Chief Financial Officer, the OIG, and CLA discussed the results of the audit.

Comments of the Deputy Chief Financial Officer In his response, the Deputy Chief Financial Officer agreed with the report. The full text of his response follows this report.

The NRCs Financial Statements The NRCs audited FY 2022 financial statements can be found in the agencys financial report.

We appreciate the NRC staffs cooperation and continued interest in improving financial management within the NRC.

Attachment:

As stated cc: Commissioner J. Baran Commissioner D. Wright Commissioner A. Caputo Commissioner B. Crowell D. Dorman, OEDO B. Ficks, OCFO 3

CliftonLarsonAllen LLP CLAconnect.com Independent Auditors Report Inspector General United States Nuclear Regulatory Commission Chair United States Nuclear Regulatory Commission In our audit of the fiscal year (FY) 2022 financial statements of the United States Nuclear Regulatory Commission (NRC), we found:

  • The NRCs financial statements as of and for the FY ended September 30, 2022, are presented fairly, in all material respects, in accordance with United States of America (U.S.) generally accepted accounting principles (GAAP);
  • The NRC maintained, in all material respects, effective internal control over financial reporting as of September 30, 2022; and
  • No reportable noncompliance for FY 2022 with provisions of applicable laws, regulations, contracts, and grant agreements we tested and no other matters.

The following sections discuss in more detail (1) our report on the financial statements and on internal control over financial reporting, which includes an other-matter paragraph, required supplementary information (RSI),1 and other information2 included in the Agency Financial Report (AFR); (2) our report on compliance with laws, regulations, contracts, and grant agreements and other matters; and (3) the NRCs response to our audit conclusions.

Report on the Audit of the Financial Statements and on Internal Control Over Financial Reporting Opinions on the Financial Statements and Internal Control Over Financial Reporting We have audited the accompanying financial statements of the NRC, which comprise the balance sheet as of September 30, 2022; the related statements of net cost, changes in net position, and budgetary resources for the FY then ended; and the related notes to the financial statements. In our opinion, the NRCs financial statements referred to above present fairly, in all material respects, the NRCs financial position as of September 30, 2022, and its net cost of operations, changes in net position, and budgetary resources for the FY then ended in accordance with U.S.

GAAP.

We also have audited the NRCs internal control over financial reporting as of September 30, 2022, based on criteria established under 31 U.S.C. § 3512(c), (d), commonly known as the Federal Managers Financial Integrity Act of 1982 (FMFIA). In our opinion, the NRC maintained, in all material respects, effective internal control over financial reporting as of September 30, 2022, based on criteria established under FMFIA.

1 The RSI consists of Managements Discussion and Analysis, the Combining Statement of Budgetary Resources, and Deferred Maintenance and Repairs, which are included with the financial statements.

2 Other information consists of information included with the financial statements, other than the RSI and the auditors report.

CLA (CliftonLarsonAllen LLP) is an independent network member of CLA Global. See CLAglobal.com/disclaimer.

Independent Auditors Report (Continued)

During our FY 2022 audit, we identified deficiencies in the NRCs internal control over financial reporting that we do not consider to be material weaknesses or significant deficiencies. 3 Nonetheless, these deficiencies warrant the NRC managements attention. We have communicated these matters to the NRC management and, where appropriate, will report on them separately.

Basis for Opinions We conducted our audits in accordance with U.S. generally accepted auditing standards; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB)

Bulletin No. 22-01, Audit Requirements for Federal Financial Statements (OMB Bulletin 22-01).

Our responsibilities under those standards are further described in the Auditors Responsibilities for the Audits of the Financial Statements and Internal Control Over Financial Reporting section of our report. We are required to be independent of the NRC and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements relating to our audits. We believe the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinions.

Other Matter The financial statements of the NRC for the year ended September 30, 2021, were audited by another auditor, who expressed an unmodified opinion on those statements on December 8, 2021.

Responsibilities of Management for the Financial Statements and Internal Control Over Financial Reporting The NRC management is responsible for (1) the preparation and fair presentation of the financial statements in accordance with U.S. GAAP; (2) preparing, measuring, and presenting the RSI in accordance with U.S. GAAP; (3) preparing and presenting other information included in the AFR, ensuring the consistency of that information with the audited financial statements and the RSI; (4) designing, implementing, and maintaining effective internal control over financial reporting relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error, (5) assessing the effectiveness of internal control over financial reporting based on the criteria established under FMFIA; and (6) its assessment about the effectiveness of internal control over financial reporting as of September 30, 2022, included in the Federal Managers Financial Integrity Act Statement in the Managements Discussion and Analysis (MD&A) section of the AFR.

Auditors Responsibilities for the Audits of the Financial Statements and Internal Control Over Financial Reporting Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatements, whether due to fraud or error, and about whether effective internal control over financial reporting was maintained in all material respects, and to issue an auditors report that includes our opinions.

3 A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entitys financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Independent Auditors Report (Continued)

Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit of financial statements or an audit of internal control over financial reporting conducted in accordance with Government Auditing Standards will always detect a material misstatement or a material weakness when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.

Misstatements, including omissions, are considered to be material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by a reasonable user based on the financial statements.

In performing an audit of financial statements and an audit of internal control over financial reporting in accordance with Government Auditing Standards, we:

  • Exercise professional judgment and maintain professional skepticism throughout the audits;
  • Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks.

Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements in order to obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion;

  • Obtain an understanding of internal control relevant to our audit of the financial statements in order to design audit procedures that are appropriate in the circumstances;
  • Obtain an understanding of internal control relevant to our audit of internal control over financial reporting, assess the risks that a material weakness exists, and test and evaluate the design and operating effectiveness of internal control over financial reporting based on the assessed risk. Our audit of internal control also considered the NRCs process for evaluating and reporting on internal control over financial reporting based on criteria established under FMFIA. We did not evaluate all internal controls relevant to operating objectives as broadly established under FMFIA, such as those controls relevant to preparing performance information and ensuring efficient operations. We limited our internal control testing to testing controls over financial reporting. Our internal control testing was for the purpose of expressing an opinion on whether effective internal control over financial reporting was maintained, in all material respects. Consequently, our audit may not identify all deficiencies in internal control over financial reporting that are less severe than a material weakness;
  • Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluate the overall presentation of the financial statements; and
  • Perform other procedures we consider necessary in the circumstances.

We are required to communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit, significant audit findings, and certain internal control related matters that we identified during the financial statements audit.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that even if the control operates as designed the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate

Independent Auditors Report (Continued) as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entitys financial statements will not be prevented, or detected and corrected, on a timely basis.

Definition and Inherent Limitations of Internal Control over Financial Reporting An entitys internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, the objectives of which are to provide reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance with U.S. GAAP, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and (2) transactions are executed in accordance with provisions of applicable laws, including those governing the use of budget authority, regulations, contracts, and grant agreements, noncompliance with which could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements due to fraud or error. We also caution that projecting any evaluation of effectiveness to future periods is subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

Required Supplementary Information U.S. GAAP issued by the Federal Accounting Standards Advisory Board (FASAB) require that the RSI be presented to supplement the financial statements. Such information is the responsibility of management, and although not a part of the financial statements, is required by FASAB, which considers it to be an essential part of financial reporting for placing the financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the RSI in accordance with Government Auditing Standards, which consisted of inquiries of management about the methods of preparing the RSI and comparing the information for consistency with managements responses to the auditors inquiries, the financial statements, and other knowledge we obtained during the audits of the financial statements, in order to report omissions or material departures from FASAB guidelines, if any, identified by these limited procedures. We did not audit, and we do not express an opinion or provide any assurance on the RSI because the limited procedures we applied do not provide sufficient evidence to express an opinion or provide any assurance.

Other Information The NRCs other information contains a wide range of information, some of which is not directly related to the financial statements. This information is presented for purposes of additional analysis and is not a required part of the financial statements or the RSI. The NRC management is responsible for the other information included in the AFR. The other information does not include the financial statements and our auditors report thereon. Our opinion on the financial statements does not cover the other information, and we do not express an opinion or any form of assurance thereon.

In connection with our audit of the financial statements, our responsibility is to read the other information and consider whether a material inconsistency exists between the other information and the financial statements, or the other information otherwise appears to be materially misstated. If, based on the work performed, we conclude that an uncorrected material misstatement of the other information exists, we are required to describe it in our report.

Independent Auditors Report (Continued)

Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements and Other Matters In connection with our audits of the NRCs financial statements, we tested compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements consistent with our auditors responsibilities discussed below.

We also performed tests of compliance with certain provisions of the Federal Financial Management Improvement Act (FFMIA). However, providing an opinion on compliance with FFMIA was not an objective of our audit, and accordingly, we do not express such an opinion.

Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant Agreements and Other Matters Our tests for compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements disclosed no instances of noncompliance or other matters for FY 2022 that would be reportable under Government Auditing Standards. In addition, our tests of compliance with the FFMIA Section 803(a) requirements disclosed no instances in which the NRCs financial management systems did not comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards, or (3) application of the U.S.

Government Standard General Ledger (USSGL) at the transaction level. However, the objective of our tests was not to provide an opinion on compliance with laws, regulations, contracts, and grant agreements applicable to the NRC. Accordingly, we do not express such an opinion.

Basis for Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant Agreements and Other Matters We performed our tests of compliance in accordance with Government Auditing Standards. Our responsibilities under those standards are further described in the Auditors Responsibilities for Tests of Compliance section below.

Responsibilities of Management for Compliance with Laws, Regulations, Contracts, and Grant Agreements The NRC management is responsible for complying with laws, regulations, contracts, and grant agreements applicable to the NRC, including ensuring the NRCs financial management systems are in substantial compliance with FFMIA requirements.

Auditors Responsibilities for Tests for Compliance with Laws, Regulations, Contracts, and Grant Agreements Our responsibility is to test compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements applicable to the NRC that have a direct effect on the determination of material amounts and disclosures in the NRCs financial statements, including whether the NRCs financial management systems comply substantially with the FFMIA Section 803(a) requirements, and to perform certain other limited procedures. Accordingly, we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to the NRC. We caution that noncompliance may occur and not be detected by these tests.

Purpose of Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements and Other Matters The purpose of this report is solely to describe the scope of our testing of compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements, and the results of that testing, and not to provide an opinion on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering compliance.

Independent Auditors Report (Continued)

Accordingly, this report on compliance with laws, regulations, contracts, and grant agreements is not suitable for any other purpose.

Status of Prior Years Control Deficiencies and Noncompliance Issues We have reviewed the status of the NRCs corrective actions with respect to the findings and recommendations included in the prior years Independent Auditors Report, dated December 8, 2021. The status of prior year findings is presented in Exhibit A.

The NRCs Response to Audit Conclusions Government Auditing Standards require the auditor to perform limited procedures on the NRCs response to the audit conclusions identified in our report and described in Exhibit B. The NRCs response was not subjected to the auditing procedures applied in the audits of the financial statements and, accordingly, we express no opinion on the response.

CliftonLarsonAllen LLP Greenbelt, Maryland November 10, 2022

Independent Auditors Report (Continued)

Exhibit A Status of Prior Year Findings and Recommendations Prior Findings Recommendations Current Status and Type Lack of Appropriate The NRC management should consider taking all Closed Management Controls necessary actions to establish an appropriate over Financial internal control structure including the following:

Reporting (Material Weakness) 1. Financial Statement Compilation and Preparation Process.

2. Accounts Payable Calculation Process.
3. Accounts Receivable, Net - Calculation Process.
4. Unliquidated Obligations (ULO) Population Lack of Reconciliation Process.
5. Overstatement of New Obligations.
6. Decommission of Internal Use Software (IUS).
7. Imputed Financing Reconciliation Process.
8. Leasehold Improvement Reconciliation and Depreciation.
9. Ineffective Fluctuation Analysis Process.
10. Inaccurate and Unsupported Undelivered Orders.

Independent Auditors Report (Continued)

Exhibit A Status of Prior Year Findings and Recommendations Prior Findings Recommendations Current Status and Type Lack of User Account 11. Periodically review the segregation of duties Closed Management Controls matrix and update it to reflect relevant changes for Users with Access in business processes or roll configurations to NRC Financial Data within the application.

(Significant Deficiency)

12. Include a justification for the conflicting roles that reference to compensating controls in place for the requested conflicting roles as part of requests for conflicting roles to be granted to a Financial Accounting Integrated Management Information System (FAIMIS) user.
13. Log and review any conflicting transactions performed by users with authorized conflicting roles to determine if the conflicting transactions were in fact authorized.
14. Validate temporary role assignments as a part of the bi-annual user access review to ensure they were removed on a timely basis.
15. Review administrator logged activity and document log activities that would require further investigation.
16. Implement the technical capability to disable or remove users who are inactive greater than the organizationally defined threshold of 90 days.
17. Enhance the periodic recertification of access by ensuring that managers review the access privileges of their staff against the most current segregation of duties matrix to ensure the roles currently assigned conform to policy. In addition, we recommend the help desk documents the removal of roles that management has noted as unnecessary and communicates the confirmation with management that the users roles were removed.
18. Enhance the process to help ensure that the Strategic Acquisition System (STAQS) Access Request Forms are completed and retained.
19. Enhance the process to help ensure that NRC Form 270 is completed and retained for each employee that is separated from the NRC.

Independent Auditors Report (Continued)

Exhibit B NRCs Response to Audit Findings and Recommendations

Retrieved from "https://kanterella.com/w/index.php?title=ML22314A097&oldid=3519272"