ML23324A185

The Office of the Inspector General's Fiscal Year 2024 Annual Plan for the U.S. Nuclear Regulatory Commission, Dated November 20, 2023
ML23324A185
Person / Time
Issue date: 11/20/2023
From:
NRC/OIG
To:
References


Text

Office of the Inspector General U.S. Nuclear Regulatory Commission Annual Plan Fiscal Year 2024

FOREWORD

I am pleased to present the Office of the Inspector General's (OIG) fiscal year (FY) 2024 Annual Plan for our work pertaining to the U.S. Nuclear Regulatory Commission (NRC). The NRC's mission is to license and regulate the nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety, promote the common defense and security, and protect the environment. The OIG is committed to overseeing the integrity of the NRC's programs and operations.

[Photo: Robert J. Feitel, NRC and DNFSB Inspector General]

Developing an effective planning strategy is a critical aspect of accomplishing this commitment. In addition, such planning ensures that the OIG uses audit and investigative resources efficiently.

The Annual Plan provides the audit and investigative strategies and associated summaries of the specific work planned for the coming year. In addition, it sets forth the OIG's formal process for identifying priority issues and managing its workload and resources for FY 2024. Since 2014, the NRC OIG has also been assigned to serve as the OIG for the Defense Nuclear Facilities Safety Board. A separate document contains the OIG's Annual Plan for our work pertaining to that agency.

The OIG prepared this Annual Plan to align with the OIG Strategic Plan for FYs 2024-2028, which is based, in part, on an assessment of the strategic challenges facing the NRC. The Strategic Plan identifies OIG priorities and establishes a shared set of expectations regarding the goals we expect to achieve and the strategies we will employ. The OIG based this Annual Plan on the foundation of the Strategic Plan and The Inspector General's Assessment of the Most Serious Management and Performance Challenges Facing the Nuclear Regulatory Commission in Fiscal Year 2024. The OIG sought input from the NRC Chair, the NRC Commissioners, NRC headquarters and regional managers, and members of Congress in developing this Annual Plan.

We have programmed all available resources to address the matters identified in this plan. This approach maximizes the use of our resources. However, it is sometimes necessary to modify this plan as circumstances, priorities, or resources warrant in response to a changing environment.

Robert J. Feitel
Inspector General

TABLE OF CONTENTS

MISSION AND AUTHORITY
PLANNING STRATEGY
AUDIT AND INVESTIGATION OVERVIEW
  • AUDIT STRATEGY
  • INVESTIGATIVE STRATEGY
PERFORMANCE MEASURES
OPERATIONAL PROCESSES
  • AUDITS
  • INVESTIGATIONS
  • HOTLINE

APPENDICES

A. NUCLEAR SAFETY AND SECURITY AUDITS PLANNED FOR FY 2024
  • Audit of U.S. Nuclear Regulatory Commission Safety Inspections at Research and Test Reactors
  • Audit of the U.S. Nuclear Regulatory Commission's Oversight of Long-Lived Reactor Component Aging Management
  • Audit of the U.S. Nuclear Regulatory Commission's Oversight of Emergency Diesel Generators at Operating Nuclear Power Reactors
  • Audit of the U.S. Nuclear Regulatory Commission's Reactor Operator Licensing Examination Process
  • Audit of the U.S. Nuclear Regulatory Commission's Security Oversight of Category 1 and Category 2 Quantities of Radioactive Material
  • Audit of the U.S. Nuclear Regulatory Commission's Uranium Recovery Licensing Process
  • Audit of the U.S. Nuclear Regulatory Commission's Web-Based Licensing System
  • Audit of the U.S. Nuclear Regulatory Commission's Traditional Enforcement Program
  • Audit of the U.S. Nuclear Regulatory Commission's Technical Qualifications Programs

B. CORPORATE SUPPORT AUDITS PLANNED FOR FY 2024
  • Audit of the U.S. Nuclear Regulatory Commission's Fiscal Year 2023 Financial Statements
  • Audit of the U.S. Nuclear Regulatory Commission's Fiscal Year 2024 Financial Statements
  • Audit of the U.S. Nuclear Regulatory Commission's Fiscal Year 2023 Compliance with the Requirements of the Payment Integrity Information Act of 2019
  • Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024
  • Audit of the U.S. Nuclear Regulatory Commission's Contract Management of Information Technology Services
  • Audit of the U.S. Nuclear Regulatory Commission's Recruiting and Retention Activities
  • Audit of the U.S. Nuclear Regulatory Commission's Travel Charge Card Program
  • Audit of the U.S. Nuclear Regulatory Commission's Freedom of Information Act Process
  • Audit of the U.S. Nuclear Regulatory Commission's Personnel Vetting Process
  • Audit of the U.S. Nuclear Regulatory Commission's Zero Trust Implementation
  • Audit of the U.S. Nuclear Regulatory Commission's Table of Minimum Decommissioning Funding
  • Defense Contract Audit Agency Audits

C. INVESTIGATIONS - PRIORITIES, OBJECTIVES, AND INITIATIVES FOR FY 2024
  • INTRODUCTION - PRIORITIES AND OBJECTIVES
  • INITIATIVES
  • ALLOCATION OF RESOURCES

D. ABBREVIATIONS AND ACRONYMS

MISSION AND AUTHORITY

The NRC OIG was established as a statutory entity on April 15, 1989, in accordance with the 1988 amendments to the Inspector General Act, to provide oversight of NRC operations. The OIG's mission is to provide independent, objective audit and investigative oversight of the NRC to protect people and the environment. To fulfill its mission, the OIG:

  • Conducts and supervises independent audits, evaluations, and investigations of agency programs and operations;
  • Promotes economy, effectiveness, and efficiency within the agency;
  • Prevents and detects fraud, waste, abuse, and mismanagement in agency programs and operations;
  • Develops recommendations regarding existing and proposed regulations relating to agency programs and operations; and,
  • Keeps the agency head and Congress fully and currently informed about problems and deficiencies relating to agency programs.

The Inspector General Act also requires the Inspector General (IG) to prepare a semiannual report to the NRC Chair and Congress summarizing the activities of the OIG.

The Reports Consolidation Act of 2000 (Public Law 106-531) requires the OIG to annually update our assessment of the NRC's most serious management and performance challenges facing the agency and the agency's progress in addressing those challenges. This assessment supports the execution of the OIG's mission and is an important component of the OIG's Annual Plan development. The IG identified the following as the most serious management and performance challenges facing the NRC for FY 2024:[1]

1. Ensuring safety and security through risk-informed regulation of established and new nuclear technologies, as well as cyber and physical security activities impacting the NRC's mission;
2. Overseeing the decommissioning process and the management of decommissioning trust funds;
3. Implementing new legislative requirements related to NRC core mission areas and corporate support;
4. Ensuring the effective acquisition, management, and protection of information technology and data;
5. Hiring and retaining sufficient highly skilled employees to carry out the NRC mission;
6. Overseeing the safe and secure use of nuclear materials and storage and disposal of high- and low-level waste;
7. Managing financial and acquisitions operations to enhance fiscal prudence and transparency of resource management;
8. Maintaining public outreach related to the agency's regulatory process; and,
9. Planning for and assessing the impact of Artificial Intelligence and Machine Learning on nuclear safety and security.

[1] This Annual Plan notes these challenges without any ranking order of importance.

All audits, evaluations, and investigations that the OIG initiates in FY 2024 will consider these revised management and performance challenges.

Through its Issue Area Monitoring program, and the conduct of audits and investigations, OIG staff monitors agency performance on these management and performance challenges. In conjunction with the OIG's strategic goals, these challenges serve as an important basis for deciding which audits and evaluations to conduct each fiscal year.

PLANNING STRATEGY

The OIG links the FY 2024 Annual Plan with the OIG's Strategic Plan for FYs 2024-2028. The Strategic Plan identifies the significant challenges and critical risk areas facing the NRC so that the IG may direct optimum resources to these areas.

The Strategic Plan recognizes the mission and functional areas of the agency and the significant challenges the agency faces in successfully implementing its regulatory program. The plan presents strategies for reviewing and evaluating NRC programs under the strategic goals that the OIG established. The OIG's three NRC-specific strategic goals are individual and distinct; together, they allow the OIG to assess its success in fulfilling its vision. The OIG's strategic goals for the NRC are:

  • Safety - Strengthen the NRC's efforts to protect public health and safety and the environment;
  • Security - Strengthen the NRC's efforts to address evolving security threats; and,
  • Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

To ensure that each audit, evaluation, and investigation carried out by the OIG aligns with the Strategic Plan, in appendices A, B, and C the OIG has cross-walked the program areas selected for audit and evaluation from the Annual Plan to the Strategic Plan.

AUDIT AND INVESTIGATION OVERVIEW

The NRC's FY 2024 budget request is $1,006.4 million, including 2,948.9 full-time equivalent (FTE) employees, which represents the total cost of agency programs.

The NRC is headquartered in Rockville, Maryland, just outside of Washington, DC, and has four regional offices in King of Prussia, Pennsylvania; Atlanta, Georgia; Lisle, Illinois; and, Arlington, Texas. It also operates a professional development center in Rockville, Maryland, and a technical training center in Chattanooga, Tennessee.

The agency carries out its mission through various licensing, inspection, research, and enforcement programs. The NRC's responsibilities include regulating:

  • 93 commercial nuclear power reactors operating in 28 states at 54 sites;
  • 79 licensed or operating independent spent fuel storage installations;
  • 30 licensed and operating research and test reactors;
  • 7 operational fuel cycle facility licenses; and,
  • Approximately 2,100 NRC material licenses.[2]

The OIG's audit and investigation oversight responsibilities are, therefore, derived from the agency's wide array of programs, functions, and support activities established to accomplish the NRC's mission.

AUDIT STRATEGY

The OIG Strategic Plan and the OIG-identified agency management and performance challenges shape the audit planning process. The synergies yield audit assignments that identify opportunities for efficiency, economy, and effectiveness in NRC programs and operations; detect and prevent fraud, waste, abuse, and mismanagement; improve program and security activities at headquarters and regional locations; and, respond to emerging circumstances and priorities. The OIG prioritizes audits based on:

  • Legislative requirements;
  • Critical agency risk areas;
  • Emphasis by the President, Congress, the NRC Chair, or other NRC Commissioners;
  • Susceptibility of a program to fraud, manipulation, or other irregularities;
  • Amount of financial or other resources involved in a program area;
  • Newness, changed conditions, or sensitivity of an organization, program, function, or activity;
  • Prior audit experience, including assessments of the adequacy of internal controls; and,
  • Availability of audit resources.

Effective audit planning requires current knowledge about the agency's mission and the programs and activities used to carry out that mission. Accordingly, the OIG continually monitors specific issue areas to strengthen its internal coordination and overall planning processes. Under the office's Issue Area Monitoring program, the OIG assigns responsibilities to staff, designated as issue area monitors, to keep abreast of significant agency programs and activities. The broad monitoring areas address nuclear reactors, nuclear materials, nuclear waste, information management, security, financial and administrative programs, human resources, and international programs.

[2] There are 39 Agreement States that regulate certain radioactive materials under agreements with the NRC. These Agreement States develop regulations consistent with the NRC's regulations and appoint officials to ensure nuclear materials are used safely and securely. Agreement States oversee approximately 15,800 materials licenses as of September 2022, based on the NRC's 2021-2022 Information Digest. These totals represent an estimate because the number of specific radioactive materials licenses per state may change daily.

INVESTIGATIVE STRATEGY

The OIG's responsibility for detecting and preventing fraud, waste, and abuse within the NRC includes investigating possible violations of criminal statutes relating to agency programs and activities, investigating misconduct by employees and contractors, coordinating with the U.S. Department of Justice on OIG-related criminal and civil matters, and coordinating investigations and other OIG initiatives with federal, state, and local investigative agencies, and other OIGs.

Investigations may be initiated as a result of allegations or referrals from private citizens; licensee employees; government employees; Congress; other federal, state, and local law enforcement agencies; OIG audits; the OIG Hotline; and, OIG initiatives directed at areas bearing a high potential for fraud, waste, and abuse. Because the NRC's mission is to protect the health and safety of the public, the OIG's Investigative Program directs much of its resources and attention to investigating allegations of NRC staff conduct that could adversely impact matters related to health and safety. These investigations may address allegations of:

  • Misconduct by NRC officials, such as managers and inspectors, whose positions directly impact public health and safety;
  • Failure by NRC management to ensure that health and safety matters are appropriately addressed;
  • Failure by the NRC to provide appropriate oversight of licensee activities to comply with nuclear regulations;
  • Conflicts of interest involving NRC employees, contractors, and licensees; including such matters as promises of future employment for favorable regulatory treatment, and the acceptance of gratuities; and,
  • Fraud in the NRC's procurement programs involving contractors violating government contracting laws and rules.


The OIG will continue to monitor specific high-risk areas within the NRC's corporate support program management that are most vulnerable to fraud, waste, abuse, and mismanagement. A significant focus remains on matters that could negatively impact the security and integrity of the NRC's data and operations. This focus will also include efforts to ensure the continued protection of personal privacy information held within agency databases and systems. The OIG is committed to improving the security of the constantly changing electronic business environment by investigating cyber-related fraud, waste, and mismanagement through proactive investigations and computer forensic examinations as warranted. Other actions to detect and prevent potential problems will focus on determining instances of procurement and grant fraud and identifying vulnerabilities in NRC daily operations, to include theft of property and funds, insider threats, U.S. government travel and purchase card mismanagement, and violations under the False Claims Act.

The OIG will meet with agency internal and external stakeholders to identify actual and potential systemic issues or vulnerabilities as part of these proactive initiatives. This approach enables opportunities to improve agency performance.

With regard to the OIG's strategic goal concerning safety and security, the OIG routinely interacts with public interest groups, individual citizens, industry workers, and NRC staff to identify possible lapses in NRC regulatory oversight that could impact public health and safety. In addition, the OIG conducts proactive reviews into areas of regulatory safety or security to identify emerging issues or address ongoing concerns regarding the quality of the NRC's regulatory oversight. Such assessments might focus on new reactor licensing and license renewals of existing plants, aspects of the transportation and storage of high-level and low-level waste, and decommissioning activities. The OIG also participates in federal cyber, fraud, and other task forces to identify criminal activity targeted against the federal government. Finally, the OIG periodically conducts Event Inquiries and Special Inquiries. Event Inquiry reports document the OIG's examination of events or agency regulatory actions to determine if staff actions may have contributed to the occurrence of an event. Special Inquiry reports document those instances when an investigation identifies inadequacies in NRC regulatory oversight that may have resulted in a potentially adverse impact on public health and safety.

Appendix C provides investigative objectives and initiatives for FY 2024.

Specific investigations are not included in the plan because the OIG's investigations are primarily responsive to reported violations of law and misconduct by NRC employees and contractors, as well as allegations of irregularities or mismanagement in NRC programs and operations.

PERFORMANCE MEASURES

For FY 2024, we will use several key performance measures and targets for gauging the relevance and impact of our audit and investigative work. The OIG calculates these measures relative to each of the OIG's strategic goals to determine how well we are accomplishing our objectives. The performance measures are:

  • Percentage of OIG audit, inspection, and evaluation products and activities that cause the agency to take corrective action to improve agency safety, security, or corporate support programs; reinforce adherence to agency policies, procedures, or requirements; or identify actual dollar savings or reduced regulatory burden (i.e., high impact);
  • Percentage of audit recommendations agreed to by the agency;
  • Percentage of final agency actions taken within 2 years on audit recommendations;
  • Percentage of OIG investigative products and activities that identify opportunities to improve agency safety, security, or corporate support programs; reinforce adherence to agency policies/procedures; or confirm or disprove allegations of wrongdoing (e.g., high impact);
  • Percentage of agency actions taken in response to investigative reports;
  • Percentage of active cases completed in less than 18 months, on average;
  • Percentage of closed investigations with potential criminal violations referred to the DOJ or other relevant authorities; and,
  • Percentage of closed investigations resulting in specific actions, such as civil suits or settlements, judgments, administrative actions, monetary results, IG clearance letters, indictments, or convictions.

OPERATIONAL PROCESSES

The following sections detail the approach used to carry out the audit and investigative responsibilities previously discussed.

AUDITS

The audit process begins with the development of this Annual Plan. Each year, the OIG solicits suggestions from Congress, the Commission, agency management, external parties, and OIG staff. The Annual Plan lists the audits planned to be initiated during the year and their general objectives. The annual Audit Plan is a living document that may be revised as circumstances warrant, with a subsequent redistribution of staff resources. The OIG performs the following types of audits:

  • Performance audits focus on NRC administrative and program operations, and evaluate the effectiveness and efficiency with which managerial responsibilities are carried out, including whether the programs achieve intended results;
  • Financial audits, including the financial statement audit required by the Chief Financial Officers Act, attest to the reasonableness of the NRC's financial statements, and evaluate financial programs; and,
  • Contract audits evaluate the costs of goods and services procured by the NRC from commercial enterprises.

The OIG's audit process involves specific steps, ranging from annual audit planning to audit follow-up activities. The underlying goal of the audit process is to maintain an open channel of communication between the auditors and NRC officials to ensure that audit findings are accurate and fairly presented in the audit report. The audit process comprises the steps summarized in Figure 1.

Figure 1: Steps in the OIG's Audit Process

Audit Step: Action

  • Audit Notification: The OIG formally notifies the office responsible for a specific program, activity, or function of its intent to begin an audit.
  • Entrance Conference: The OIG meets with agency officials to advise them of the objective(s) and scope of the audit and the general methodology it will follow.
  • Survey: The OIG conducts exploratory work to gather data for refining audit objectives, as appropriate; documenting internal control systems; becoming familiar with the activities, programs, and processes to be audited; and, identifying areas of concern to management.
  • Audit Fieldwork: Based on the results of the survey work, the audit team recommends to the Assistant Inspector General for Audits (AIGA) whether to proceed with the audit. The OIG then performs a comprehensive review of selected areas of a program, activity, or function using an audit program developed specifically to address the audit objectives.
  • End of Fieldwork Briefing with the Agency: At the conclusion of audit fieldwork, the audit team discusses the tentative report findings and recommendations with the auditee.
  • Discussion Draft Report: The OIG provides a discussion draft copy of the report to agency management to enable them to prepare for the exit conference.
  • Exit Conference: The OIG meets with the appropriate agency officials to review the discussion draft report and provide agency management the opportunity to confirm information, ask questions, and clarify data.
  • Formal Draft Report: If requested by agency management during the exit conference, the OIG provides a final draft copy of the report that includes comments or revisions from the exit conference and invites agency management to provide formal written comments.
  • Final Audit Report: The final report includes, as necessary, any revisions to the facts, conclusions, and recommendations of the draft report discussed in the exit conference or as a result of written comments on the draft by agency managers. Formal written comments by agency management are included as an appendix to the report, when applicable. Final audit reports will be publicly issued, except for those containing sensitive or classified information.
  • Response to Report Recommendations: Offices responsible for the audited program or process provide a written response, usually within 30 calendar days, on each recommendation contained in the final report. If agency management agrees with the recommendation, the response describes corrective actions taken or planned, with actual or target completion dates. However, if agency management disagrees, the response provides reasons for disagreement and proposes alternative corrective actions.
  • Impasse Resolution: If the responsible office and the OIG reach an impasse over a recommended action, or the office's response to a recommendation is unsatisfactory, the OIG may request the intervention of the Chair, if warranted, to achieve a resolution.
  • Audit Follow-up and Closure: This process ensures that recommendations made to management are implemented.

Source: OIG Audit Manual

In its Semiannual Report to Congress, the OIG reports on the status of unimplemented audit recommendations and the expected timetable for agency implementation of final corrective actions.

INVESTIGATIONS

The OIG's investigative process typically begins with the receipt of a complaint of fraud, mismanagement, or misconduct. Because the OIG must decide whether to initiate an investigation within a few days of such receipt, the office does not schedule specific investigations in its annual investigative plan.

The OIG opens an investigation following both its investigative priorities as outlined in the OIG Strategic Plan and the prosecutorial guidelines established by the DOJ. In addition, the Quality Standards for Investigations issued by the Council of the Inspectors General on Integrity and Efficiency, the OIG's Special Agent Handbook, and various guidance provided periodically by the DOJ, govern the OIG's investigations.

Only four individuals in the OIG can authorize the opening of an investigative case: the IG, the Deputy IG, the Assistant IG for Investigations (AIGI), and the Special Agent in Charge (SAC). Every complaint received by the OIG is given a unique identification number and entered into the OIG case management system. Some complaints result in investigations, while the OIG retains others as the basis for audits, refers them to NRC management, or if appropriate, directs them to another law enforcement agency.

When the OIG opens an investigation, the SAC or the Assistant Special Agent in Charge assigns it to an OIG special agent or investigator, who prepares a plan of investigation. This planning process includes reviews of relevant criminal and civil statutes, program regulations, and agency policies that may be involved.

The special agent or investigator then investigates using various techniques to ensure investigations are thorough, objective, and fully pursued to a logical conclusion.

Where the special agent determines that a person may have committed a crime, the agent will discuss the investigation with a federal or local prosecutor to determine if prosecution will be pursued. If the prosecuting attorney decides to proceed with a criminal or civil prosecution, the special agent assists the attorney in any preparation for court proceedings that may be required.

For investigations that do not result in prosecution but are handled administratively by the agency, the special agent or investigator prepares a report summarizing the facts disclosed in the inquiry. The OIG distributes the report to agency officials who need to know the investigation results. For investigative reports provided to agency officials regarding substantiated administrative misconduct, the OIG requires a response within 120 days regarding any potential action based on the investigative findings. For all other investigative products, such as referrals of allegations and findings requiring a review of agency processes and procedures, the OIG generally requires a 90-day response unless the agency negotiates an alternative deadline. For certain non-criminal investigations, OIG special agents involve the senior engineers from the OIG's Technical Services Office to assist in the review of the complaints.

The OIG summarizes the criminal and administrative actions taken as a result of its investigations and includes this information in its Semiannual Report to Congress. As part of the investigation function, the OIG also periodically conducts Event Inquiries and Special Inquiries, as discussed earlier in this plan.


HOTLINE

The OIG Hotline Program provides NRC employees, contract employees, and the public with a confidential means of reporting to the OIG instances of fraud, waste, and abuse relating to agency programs and operations.

Please Contact:

Online: Hotline Form
Telephone: 1.800.233.3497
TDD: 1.800.201.7165, or 7-1-1
Address: U.S. Nuclear Regulatory Commission
Office of the Inspector General
Hotline Program
Mail Stop O12-A12
11555 Rockville Pike
Rockville, Maryland 20852-2746

APPENDIX A NUCLEAR SAFETY AND SECURITY AUDITS PLANNED FOR FY 2024

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A

Audit of U.S. Nuclear Regulatory Commission Safety Inspections at Research and Test Reactors

DESCRIPTION AND JUSTIFICATION: The NRC currently licenses 30 operating research and test reactors in the United States. Most are located at universities and colleges, while others are located at federal, state, and private sector facilities. Research and test reactors contribute to research in diverse fields such as physics, medicine, archeology, and materials science. Research and test reactors use a limited amount of radioactive material in their diverse designs and are rated at power levels ranging from 5 watts thermal energy to 20 megawatts. All are designed to be inherently safe and resistant to unintentional or intentional mis-operation.

The NRC categorizes operating research and test reactors into two classes for inspection purposes. Class I reactors are rated at 2 megawatts or higher and are inspected annually. Class II reactors are rated below 2 megawatts and are inspected biennially. NRC staff use different procedures to inspect these two classes of research and test reactors; however, the procedures all address safety, security, and transportation of radiological materials used in the reactors. The OIG audited NRC security inspections at research and test reactors in FY 2018 (OIG-18-A-07) and conducted investigative work pertaining to safety inspections at Class I research and test reactors during FY 2022 and FY 2023.

OBJECTIVE: The audit objective is to determine whether the NRC performs safety inspections at Class II research and test reactors in accordance with agency guidance and inspection program objectives.

SCHEDULE: Initiated in the first quarter of FY 2023.

STRATEGIC GOAL 1: Safety - Strengthen the NRC's efforts to protect public health and safety, and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRC's oversight of operating and new nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety and security through risk-informed regulation of established and new nuclear technologies, as well as cyber and physical security activities impacting the NRC's mission.

Audit of the U.S. Nuclear Regulatory Commission's Oversight of Long-Lived Reactor Component Aging Management

DESCRIPTION AND JUSTIFICATION: The application for renewal of a nuclear power plant operating license must include an assessment of structures and components subject to an aging management review. Such structures and components include the reactor vessel, pressure retaining boundaries, containment, seismic structures, electrical cables, and other components not subject to replacement based on a qualified life or time period. Further, the application must also demonstrate that the effects of aging on such components will be adequately managed so their intended function will be maintained for the period of extended operation. These components may be safety-related or non-safety-related items, the failure of which could diminish safety functions.

The NRC inspects each licensee's aging management review and program implementation both during the license renewal process and after license approval. Once a nuclear power plant has been in a period of extended operation for 5 to 10 years, the NRC will verify that implementation of a licensee's aging management program ensures components are able to perform their intended functions. In addition, baseline inspection procedures for maintenance effectiveness and design basis assurance include assessment of aging management programs for plants in the period of extended operation. The NRC has issued license renewals for 84 nuclear power plants currently in operation at 50 sites, and 54 of these plants have entered the period of extended operation.

OBJECTIVE: The audit objective is to determine whether the NRC provides adequate oversight of licensee aging management programs for long-lived passive reactor components.

SCHEDULE: Initiate in the third quarter of FY 2024.

STRATEGIC GOAL 1: Safety - Strengthen the NRC's efforts to protect public health and safety, and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRC's oversight of operating and new nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety and security through risk-informed regulation of established and new nuclear technologies, as well as cyber and physical security activities impacting the NRC's mission.

Audit of the U.S. Nuclear Regulatory Commission's Oversight of Emergency Diesel Generators at Operating Nuclear Power Reactors

DESCRIPTION AND JUSTIFICATION: Emergency Diesel Generators (EDGs) serve as an emergency source of power for commercial nuclear power plants. When loss of offsite power occurs, EDGs rapidly start up to power electrically operated components needed to cool the reactor core, and to mitigate abnormal or emergency events that challenge reactor safety.

EDGs and their associated instrumentation, control circuits, and support systems are challenging to maintain, test and repair, so they require significant care and attention from licensees to ensure operability. The NRC has received a number of licensee event reports regarding EDG failures or problems with EDGs, and long-term EDG outages have been the subject of recent Differing Professional Opinions and allegations. The Operating Experience (OpE) program, which reviews and shares lessons learned from events and issues at operating reactors and other licensed facilities, has described in studies and specific event OpE communications the trends and events involving EDGs over the past decade.

OBJECTIVE: The audit objective is to determine whether the NRC effectively uses operating experience and provides appropriate oversight to ensure licensees adequately maintain, test, and operate their Emergency Diesel Generators.

SCHEDULE: Initiate in the second quarter of FY 2024.

STRATEGIC GOAL 1: Safety - Strengthen the NRC's efforts to protect public health and safety, and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRC's oversight of operating and new nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety and security through risk-informed regulations of established and new nuclear technologies, as well as cyber and physical security activities impacting the NRC's mission.

Audit of the U.S. Nuclear Regulatory Commission's Reactor Operator Licensing Examination Process

DESCRIPTION AND JUSTIFICATION: The NRC's four regional offices are responsible for issuing licenses for reactor operators (RO) and senior reactor operators (SRO) of commercial nuclear power plants in accordance with the NRC's regulations in Title 10 of the Code of Federal Regulations (C.F.R.) Part 55, Operators' Licenses. An applicant submits a completed application to the Regional Administrator having jurisdiction over the plant at which the applicant intends to work. A completed application describes the applicant's qualifications and requires the facility licensee, for which the applicant will work, to certify that the applicant has satisfied the facility licensee's training and experience requirements to be a licensed reactor operator or senior reactor operator.

Following completion of the facility-administered training program, the initial licensing examination is administered to one or more applicants. As set out in Part 55, the initial licensing examination for ROs consists of a 75-question, multiple-choice written examination and an NRC-administered operating test that includes a plant walkthrough and a performance demonstration on the facility licensee's power plant simulator. SRO license applicants must pass an additional 25-question written examination and a rigorous operating test. The examinations may be prepared by the facility licensee and approved by the NRC, or the facility licensee may request the NRC to prepare the examinations. In either case, the examinations are prepared, administered, and graded using the guidance in the Operator Licensing Examination Standards for Power Reactors (NUREG-1021).

Following Revision 12 of NUREG-1021 in 2022, the NRC no longer offers a separate Generic Fundamentals Examination. Nuclear power plant fundamentals have been integrated into the site-specific initial licensing examination. NRC staff members raised concerns about this change, contending that eliminating the reactor fundamentals exam could impact the NRC processes for licensing reactor operators, compromising the agency's safety mission.

OBJECTIVE: The audit objective is to determine the effectiveness, efficiency, and integrity of the NRC's oversight of the reactor operator licensing examination process.

SCHEDULE: Initiate in the first quarter of FY 2024.

STRATEGIC GOAL 1: Safety - Strengthen the NRC's efforts to protect public health and safety, and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRC's oversight of operating and new nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety and security through risk-informed regulations of established and new nuclear technologies, as well as cyber and physical security activities impacting the NRC's mission.

Audit of the U.S. Nuclear Regulatory Commission's Security Oversight of Category 1 and Category 2 Quantities of Radioactive Material

DESCRIPTION AND JUSTIFICATION: Radioactive materials are used throughout the U.S. for medical and industrial purposes such as treating cancer, sterilizing medical instruments, and detecting flaws in metal welds. Among the materials most commonly used for these applications are americium-241/beryllium, cesium-137, cobalt-60, and iridium-192. However, these materials, if used improperly, can be harmful and dangerous.

The International Atomic Energy Agency's Code of Conduct on the Safety and Security of Radioactive Sources establishes basic principles and guidance to promote the safe and secure use of radioactive material. It defines categories of radiation source quantities:

  • A Category 1 quantity of a given radionuclide, such as americium-241, is defined as an amount 1,000 times or more than the amount necessary to cause permanent human injury;
  • A Category 2 quantity is defined as an amount at least 10 times but less than 1,000 times the amount necessary to cause permanent human injury;
  • A Category 3 quantity of a given radionuclide is defined as at least the minimum amount, but less than 10 times the amount, sufficient to cause permanent injury; and,
  • Category 4 and 5 quantities of radioactive materials are unlikely to cause permanent injury.

The regulations in 10 C.F.R. Part 37 prescribe requirements for the physical protection program for any licensee that possesses an aggregated Category 1 or Category 2 quantity of radioactive material listed in Appendix A to Part 37. These requirements are intended to provide reasonable assurance of the security of Category 1 or Category 2 quantities of radioactive material by ensuring these materials are protected from theft or diversion. Only Category 1 and Category 2 radiation sources are subject to the requirements of Part 37 since Category 3 through Category 5 sources are not considered to be as dangerous.

OBJECTIVE: The audit objective is to determine whether the NRC provides adequate security oversight of Category 1 and Category 2 quantities of radioactive material.

SCHEDULE: Initiated in the second quarter of FY 2023.

STRATEGIC GOAL 2: Security - Strengthen the NRC's security efforts to address evolving security threats.

STRATEGY 2-1: Identify risk areas involved in securing operating, new, and decommissioning nuclear reactors, fuel cycle facilities, and materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 6: Overseeing the safe and secure use of nuclear materials and storage and disposal of high- and low-level waste.

Audit of the U.S. Nuclear Regulatory Commission's Uranium Recovery Licensing Process

DESCRIPTION AND JUSTIFICATION: The production of fuel for nuclear power plants begins with purifying and processing uranium ore through a series of steps. This process, also known as uranium recovery, focuses on concentrating (or milling) natural uranium ore extracted from the earth. These recovery operations produce a product, called yellowcake, which is then transported to a succession of fuel cycle facilities where the yellowcake is eventually transformed into fuel for nuclear power reactors. The NRC does not regulate uranium mining or mining exploration, but does have authority over in situ recovery, where the uranium ore is chemically altered underground before being pumped to the surface for further processing.

As part of its regulatory authority, the NRC oversees the licensing of uranium recovery facilities. By issuing or amending a current license, the NRC authorizes the licensee to construct and operate a uranium recovery facility, expand an existing facility, or restart an existing facility at a specific site, in accordance with established laws and regulations.

Currently, the NRC regulates active uranium recovery operations in New Mexico and Nebraska. The NRC expects to receive applications for new facilities, expansions, and restarts in a variety of projected locations throughout the United States. Section 201 of the Nuclear Energy Innovation and Modernization Act, enacted in 2019, required the NRC to identify ways to improve the efficiency and transparency of uranium recovery license issuance and amendment reviews.

OBJECTIVE: To determine if the NRC has effectively implemented actions to improve uranium recovery licensing efficiency.

SCHEDULE: Initiated in the fourth quarter of FY 2023.

STRATEGIC GOAL 1: Safety - Strengthen the NRC's efforts to protect public health and safety, and the environment.

STRATEGY 1-2: Identify risk areas associated with the NRC's oversight of nuclear materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 6: Overseeing the safe and secure use of nuclear materials and storage and disposal of high- and low-level waste.

Audit of the U.S. Nuclear Regulatory Commission's Web-Based Licensing System

DESCRIPTION AND JUSTIFICATION: The Web-Based Licensing (WBL) system supports the NRC and Agreement States in managing the licensing information of licensees that use radioactive materials. Deployed in August 2012, WBL is intended to provide an up-to-date, nationwide repository of licensing and inspection-related data of all licensees nationwide, a web-based license system for NRC licensees, and an avenue for Agreement States to use the same licensing and information platform as the NRC.

Designed to maintain information on materials licensees, the WBL system supports the entry of licensing information and license images that enable the NRC and Agreement States to manage the licensing lifecycle from initial application through license issuance, amendment, reporting, and termination.

The system now also contains materials inspection data and a module for decommissioning inspections.

The OIG last conducted an audit of the WBL system in 2015. The agency has made many changes to the WBL system since then, and subsequent OIG audits of NRC oversight of nuclear materials have identified potential areas for improvement to the WBL system.

OBJECTIVE: The audit objective is to determine if the WBL system is meeting its stated mission objectives to include accuracy of data and consistency of operation.

SCHEDULE: Initiate in the second quarter of FY 2024.

STRATEGIC GOAL 1: Safety - Strengthen the NRC's efforts to protect public health and safety, and the environment.

STRATEGY 1-2: Identify risk areas associated with the NRC's oversight of nuclear materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 6: Overseeing the safe and secure use of nuclear materials and storage and disposal of high- and low-level waste.

Audit of the U.S. Nuclear Regulatory Commission's Traditional Enforcement Program

DESCRIPTION AND JUSTIFICATION: The NRC regulates the civilian uses of nuclear materials in the United States to protect public health and safety, the environment, and the common defense and security. The NRC accomplishes its mission through licensing of nuclear facilities and the possession, use, and disposal of nuclear materials; the development and implementation of requirements governing licensed activities; and finally, inspection and enforcement activities to ensure compliance with these requirements.

Enforcement actions serve as a deterrent, emphasize the importance of compliance with regulatory requirements, and encourage the prompt identification and comprehensive correction of violations. The NRC Enforcement Policy establishes the general principles governing the NRC's Enforcement Program and specifies a process for implementing its enforcement authority in response to violations of agency requirements. The policy applies to all NRC licensees, to various categories of non-licensees, and to individual employees of licensed and non-licensed firms involved in NRC-regulated activities.

In traditional enforcement, violations are normally assigned severity levels (SLs) ranging from SL IV for violations of more than minor concern, to SL I for the most significant violations. The OIG recently investigated matters related to the NRC's oversight of research and test reactors and found some inconsistencies with the NRC's enforcement of certain performance deficiencies.

OBJECTIVE: The audit objective is to determine if the NRC traditional enforcement program results in consistent enforcement actions.

SCHEDULE: Initiate in the fourth quarter of FY 2024.

STRATEGIC GOAL 1: Safety - Strengthen the NRC's efforts to protect public health and safety, and the environment.

STRATEGY 1-1: Identify risk areas associated with the NRC's oversight of operating and new nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

STRATEGY 1-2: Identify risk areas associated with the NRC's oversight of nuclear materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety and security through risk-informed regulations of established and new nuclear technologies, as well as cyber and physical security activities impacting the NRC's mission.

MANAGEMENT CHALLENGE 6: Overseeing the safe and secure use of nuclear materials and storage and disposal of high- and low-level waste.

Audit of the U.S. Nuclear Regulatory Commission's Technical Qualifications Programs

DESCRIPTION AND JUSTIFICATION: The NRC staff has various technical positions, such as inspectors, project managers, and technical reviewers, that require employees to complete a qualification program. The goal of the qualification program is to prepare employees to perform regulatory duties and implement the agency's policies, programs, and activities associated with the regulation of nuclear reactors and material. The qualification programs help ensure staff members are well versed in the regulatory framework and in agency processes, practices, and procedures relevant to their position.

At the completion of the qualification program, employees must pass an oral qualification board to confirm that the individual can integrate and apply agency, office, and position-specific competencies to actual situations. Employees' qualifications need to be maintained and enhanced through post-qualification and refresher training, as needed, to ensure the NRC has the skills needed to fulfill its mission.

The OIG issued a Special Inquiry report in February 2023 regarding concerns with Independent Spent Fuel Storage Installation inspections. During this investigation, the OIG also found that there may be some gaps related to managing, tracking, and monitoring its qualification programs. With the NRC's goal of hiring more than 200 additional technical staff for FY 2024, the qualification programs are necessary to maintain the technical credibility of regulatory oversight.

OBJECTIVE: The audit objective is to determine the adequacy of the NRC's technical qualifications programs in providing necessary proficiency.

SCHEDULE: Initiate in the third quarter of FY 2024.

STRATEGIC GOAL 1: Safety - Strengthen the NRC's efforts to protect public health and safety, and the environment.

STRATEGY 1-2: Identify risk areas associated with the NRC's oversight of nuclear materials, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 6: Overseeing the safe and secure use of nuclear materials and storage and disposal of high- and low-level waste.

APPENDIX B CORPORATE SUPPORT AUDITS PLANNED FOR FY 2024

CORPORATE SUPPORT AUDITS APPENDIX B

Audit of the U.S. Nuclear Regulatory Commission's Fiscal Year 2023 Financial Statements

DESCRIPTION AND JUSTIFICATION: Under the Chief Financial Officers Act, the Government Management and Reform Act, and Office of Management and Budget (OMB) Bulletin 22-01, Audit Requirements for Federal Financial Statements, the OIG is required to audit the NRC's financial statements. The report on the audit of the agency's financial statements was due no later than November 15, 2023, and was issued on November 9, 2023.

OBJECTIVES: The audit objectives were to:

  • Express opinions on the agency's financial statements and internal controls;
  • Review compliance with applicable laws and regulations; and,
  • Review controls in the NRC's computer systems that are significant to the financial statements.

SCHEDULE: Initiated in the second quarter of FY 2023.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7: Managing financial and acquisitions operations to enhance fiscal prudence and transparency of resource management.

Audit of the U.S. Nuclear Regulatory Commission's Fiscal Year 2024 Financial Statements

DESCRIPTION AND JUSTIFICATION: Under the Chief Financial Officers Act, the Government Management and Reform Act, and OMB Bulletin 21-04, Audit Requirements for Federal Financial Statements, the OIG is required to audit the NRC's financial statements. The report on the audit of the agency's financial statements is due no later than November 15, 2024.

OBJECTIVES: The audit objectives are to:

  • Express opinions on the agency's financial statements and internal controls;
  • Review compliance with applicable laws and regulations; and,
  • Review controls in the NRC's computer systems that are significant to the financial statements.

SCHEDULE: Initiate in the second quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7: Managing financial and acquisitions operations to enhance fiscal prudence and transparency of resource management.

Audit of the U.S. Nuclear Regulatory Commission's Fiscal Year 2023 Compliance with the Requirements of the Payment Integrity Information Act of 2019

DESCRIPTION AND JUSTIFICATION: The Payment Integrity Information Act (PIIA) requires each agency to annually estimate its improper payments. The PIIA requires federal agencies to periodically review all programs and activities that the agency administers and identify all programs and activities that may be susceptible to significant improper payments.

OMB Memorandum M-21-19, dated March 5, 2021, requires the Inspector General to annually review relevant improper payment reporting and records pertaining to the programs within the agency to determine whether the agency complies with PIIA and OMB guidance.

OBJECTIVES: The audit objectives are to:

  • Assess the NRC's compliance with the PIIA; and,
  • Report any material weaknesses in internal control.

SCHEDULE: Initiate in the second quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7: Managing financial and acquisitions operations to enhance fiscal prudence and transparency of resource management.

Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024

DESCRIPTION AND JUSTIFICATION: The Federal Information Security Modernization Act (FISMA) outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, the FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of federal government information and information systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

The FISMA provides the framework for securing the federal government's information technology, including both unclassified and national security systems. All agencies must implement FISMA requirements and report annually to the OMB and Congress on the effectiveness of their security programs.

This audit will be conducted by a contractor at the headquarters location in Rockville, Maryland; the Region III location in Lisle, Illinois; the Region IV location in Arlington, Texas; and, the Technical Training Center location in Chattanooga, Tennessee.

OBJECTIVE: The audit objective will be to conduct an independent assessment of the NRC's FISMA implementation for FY 2024.

SCHEDULE: Initiate in the second quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-2: Identify infrastructure risks (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 4: Ensuring the effective acquisition, management, and protection of information technology and data.

Audit of the U.S. Nuclear Regulatory Commission's Contract Management of Information Technology

DESCRIPTION AND JUSTIFICATION: The NRC offers various information technology (IT) services and support to employees. These services are acquired under the Global Infrastructure and Development Acquisition (GLINDA) initiative/contract. GLINDA is a blanket purchase agreement (BPA) with six awardees that commenced in June 2017, with a total of 11 BPA calls issued against them for various IT services and support. The total obligated dollar value of all BPA calls under GLINDA is approximately $5,337,586.

The NRC obtained funds from the Coronavirus Aid, Relief, and Economic Security Act, also known as the CARES Act, to use on IT services and support because of mandatory telework as a result of the Coronavirus Disease 2019 pandemic. It is essential to monitor these funds to ensure they are being spent effectively in helping employees meet the agency's mission.

OBJECTIVE: The audit objective is to determine if the NRC is efficiently and effectively managing IT-related contracts for the agency's information technology services and support.

SCHEDULE: Initiated in the third quarter of FY 2022.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-2: Identify infrastructure risks (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 4: Ensuring the effective acquisition, management, and protection of information technology and data.

Audit of the U.S. Nuclear Regulatory Commission's Recruiting and Retention Activities

DESCRIPTION AND JUSTIFICATION: NRC personnel levels declined from approximately 3,780 full time equivalent (FTE) staff in FY 2015 to approximately 2,860 in FY 2023. More than three-quarters of these personnel work in the agency's nuclear reactor safety and nuclear materials and waste safety business lines, while the remaining personnel serve in corporate support and other business lines.

Renewed commercial interest in nuclear power, particularly regarding advanced and small modular reactor designs, has led to an increase in pre-licensing activities involving prospective reactor licensees. The NRC is currently engaged in a rulemaking to develop regulations for advanced reactor technologies, which differ significantly from light-water-reactor technologies that are covered by existing NRC regulations.

Congress has directed the NRC to identify skillsets needed to meet future licensing challenges associated with advanced and small modular reactors, and to fill skilled personnel shortfalls. In FY 2023, NRC staff undertook a variety of activities to hire new staff, with the goal of onboarding up to 400 new staff to offset attrition resulting from retirements and resignations. These recruiting efforts were supplemented by training, knowledge management, and career development activities to support retention of current employees.

OBJECTIVE: The audit objective is to assess the NRC's effectiveness in recruiting and retaining staff to address critical skills shortfalls.

SCHEDULE: Initiate in the third quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5: Hiring and retaining sufficient highly skilled employees to carry out the NRC mission.

B-6

CORPORATE SUPPORT AUDITS APPENDIX B Audit of the U.S. Nuclear Regulatory Commissions Travel Charge Card Program DESCRIPTION AND JUSTIFICATION: The NRCs Travel Charge Card Program is part of the government-wide Commercial Charge Card Program established to pay the official travel expenses of employees while on temporary duty or other official business travel. The programs intent is to improve convenience for the traveler and reduce the governments costs of administering travel. The OMB has issued guidance that establishes requirements (including internal controls designed to minimize the risk of travel card misuse) and suggested best practices for government travel card programs.

The NRC spent approximately $2.8 million and $7.4 million on employee travel in Fiscal Years 2021 and 2022, respectively. The Office of the Chief Financial Officer administers the NRCs travel charge card program and controls the use of agency funds to ensure that they are expended in accordance with applicable laws, regulations, and standards.

OBJECTIVE: The audit objective is to assess whether the NRC's policies and procedures are effective in preventing and detecting travel charge card misuse and delinquencies.

SCHEDULE: Initiate in the first quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7: Managing financial and acquisitions operations to enhance fiscal prudence and transparency of resource management.


Audit of the U.S. Nuclear Regulatory Commission's Freedom of Information Act Process

DESCRIPTION AND JUSTIFICATION: The Freedom of Information Act (FOIA), 5 U.S.C. 552, grants every person the right to request access to federal agency records. Federal agencies are required to disclose records upon receiving a written request, with the exception of records that are protected from disclosure by one or more of the FOIA's nine exemptions. This right of access is enforceable in court.

The NRC makes many of its documents, such as agency regulations and policy statements, technical reviews, and reports to Congress, publicly available through its website. For documents that are not available through the website, people may submit FOIA requests by mail or email, or through the National FOIA Portal website. The NRC is required to respond to a FOIA request within 20 business days of receiving a perfected FOIA request. The agency may pause the 20-day response period one time to seek information from a requester. FOIA requests are subject to variable fees, which can be waived under certain circumstances. A pause in the response period to clarify fee assessments can be as long as needed.

During FY 2022, the NRC received 207 new FOIA requests. The agency processed 219 requests, while 91 remained pending at the end of the FY. The agency fully or partially granted 106 requests and denied 6 based on FOIA exemption criteria. Another 107 requests were denied on grounds other than FOIA exemption criteria (e.g., no records or referral to other agencies).

OBJECTIVE: The audit objective is to assess the consistency and timeliness of the NRC's FOIA request decisions, and to assess the agency's effectiveness in communicating FOIA policies to FOIA requestors.

SCHEDULE: Initiate in the first quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8: Maintaining public outreach to continue strengthening the agency's regulatory process.


Audit of the U.S. Nuclear Regulatory Commission's Personnel Vetting Process

DESCRIPTION AND JUSTIFICATION: Personnel vetting is a critical process to help protect the nation's interests by providing a means to establish and maintain trust in the federal government's workforce. High-quality personnel vetting processes are necessary to minimize risks to the nation.

In March 2018, the Trusted Workforce (TW) 2.0 initiative was launched to fundamentally overhaul and improve the federal personnel vetting process by utilizing an ongoing vetting model known as Continuous Vetting (CV). The CV model is mandated by Executive Order (E.O.) 13467, as amended by E.O. 13741 and E.O. 13764, and with certain requirements enacted into law at 5 U.S.C. 11001.

Effective October 1, 2021, the NRC's cleared population was enrolled in CV, which will provide NRC adjudicators a real-time view of an individual's background and assist in the ongoing assessment of an individual's ability to meet the requirements for continued eligibility. This model of continuous vetting will reduce the number of periodic reinvestigations required to be performed and will limit the need for reinvestigations to an event- or risk-based model rather than the traditional calendar-driven model. This process is tracked through the NRC's Personnel Security Adjudication Tracking System.

The NRC's Office of Administration, Division of Facilities and Security, Personnel Security Branch, is responsible for ensuring that only authorized NRC employees, consultants, and contractors have access to NRC facilities, classified information, and sensitive NRC information.

OBJECTIVE: The audit objective is to assess the effectiveness of the NRC's personnel vetting process.

SCHEDULE: Initiate in the third quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1: Ensuring safety and security through risk-informed regulation of established and new nuclear technologies, as well as cyber and physical security activities impacting the NRC's mission.


Audit of the U.S. Nuclear Regulatory Commission's Zero Trust Implementation

DESCRIPTION AND JUSTIFICATION: In January 2022, the Office of Management and Budget promulgated a zero-trust architecture strategy that requires federal agencies to implement specific cybersecurity standards by the end of fiscal year 2024 (OMB M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles). The goal of this strategy is to strengthen federal government defenses against cyber threats that could jeopardize public safety and privacy, damage the American economy, and weaken public trust in government.

A key tenet of a zero-trust architecture is that no network is considered trusted. All network traffic must be encrypted and authenticated as soon as practicable. Further, federal software applications cannot rely on network perimeter protections to guard against unauthorized access. Federal agencies should also have robust internal testing programs and scrutinize their applications from an adversary's perspective. This approach requires welcoming external partners to evaluate the real-world security of agency applications, and a process for coordinated disclosure of vulnerabilities by the general public. Additionally, the zero-trust strategy calls on federal data and cybersecurity teams within and across agencies to develop pilot initiatives and government-wide guidance on categorizing data based on protection needs, with the ultimate goal of automating security access rules.

OBJECTIVE: To assess the NRC's progress in implementing zero trust standards.

SCHEDULE: Initiate in the fourth quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-2: Identify infrastructure risks (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 4: Ensuring the effective acquisition, management, and protection of information technology and data.


Audit of the U.S. Nuclear Regulatory Commission's Table of Minimum Decommissioning Funding

DESCRIPTION AND JUSTIFICATION: NRC regulations require licensees to submit Decommissioning Funding Status (DFS) reports to the NRC biennially by March 31 for the preceding reporting calendar year. Under 10 CFR 50.75(b)(1), applicants and licensees are required to certify the amount of financial assurance for decommissioning, and 10 CFR 50.75(c) provides a Table of minimum amounts (January 1986 dollars) required to demonstrate reasonable assurance of funds for decommissioning by reactor type and power level. The decommissioning funding amounts certified by licensees under 10 CFR 50.75 do not represent the actual cost of plant decommissioning. However, the NRC asserts they do provide assurance that licensees have available the bulk of the funds needed to safely decommission the facility.

For the biennial reporting period ending December 31, 2020, the Decommissioning Trust Funds dedicated to NRC requirements for decommissioning and radiological decontamination totaled $12.4 billion. The agency is currently in the process of completing its review of the biennial decommissioning reports submitted by licensees for the period ending December 31, 2022.

OBJECTIVE: The audit objective is to determine if the NRC Table of Minimum Decommissioning Funding in 10 CFR 50.75(c) is adequate to demonstrate reasonable assurance of funds for decommissioning.

SCHEDULE: Initiate in the fourth quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 2: Overseeing the decommissioning process and the management of decommissioning trust funds.


Defense Contract Audit Agency Audits

DESCRIPTION AND JUSTIFICATION: The OIG and the Defense Contract Audit Agency (DCAA) have an interagency agreement whereby the DCAA provides contract audit services for the OIG. The DCAA is responsible for the audit methodologies used to reach an audit's conclusions, monitoring audit staff qualifications, and ensuring compliance with Generally Accepted Government Auditing Standards. The OIG's responsibility is to distribute a completed audit report to NRC management and follow up on agency actions initiated as a result of the audit.

OBJECTIVE: The audit objective is to determine if NRC contract costs are reasonable, allowable, and allocable.

SCHEDULE: Initiate in the first quarter of FY 2024.

STRATEGIC GOAL 3: Corporate Support - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

STRATEGY 3-1: Identify areas of corporate support risk within the NRC and conduct audits and investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7: Managing financial and acquisitions operations to enhance fiscal prudence and transparency of resource management.


APPENDIX C INVESTIGATIONS - PRIORITIES, OBJECTIVES, AND INITIATIVES FOR FY 2024

INVESTIGATIONS APPENDIX C

INTRODUCTION

The AIGI is responsible for developing and implementing an investigative program that furthers the OIG's objectives. The AIGI's primary responsibilities include investigating possible violations of criminal statutes relating to NRC programs and activities; investigating allegations of misconduct by NRC employees; coordinating with the DOJ on OIG-related criminal matters; and working jointly on investigations and OIG initiatives with other federal, state, and local investigative agencies, and other AIGIs.

The AIGI may initiate investigations that cover a broad range of allegations. For example, investigations may concern criminal wrongdoing or administrative misconduct affecting various NRC programs and operations. In addition, the OIG initiates investigations due to allegations or referrals from private citizens, licensee employees, NRC employees, Congress, and other federal, state, and local law enforcement agencies. Investigations may also originate from OIG audits, the OIG Hotline, and proactive efforts to identify the potential for fraud, waste, abuse, and mismanagement.

The OIG developed this investigative plan to focus investigative priorities and use available resources most effectively. It provides strategies and plans investigative work for the fiscal year in conjunction with the OIG Strategic Plan. The OIG Investigations Division also considers the most serious management and performance challenges facing the NRC, as identified by the IG, in developing its investigative plan.

PRIORITIES

The OIG will complete approximately 30 investigations, including Event/Special Inquiries, in FY 2024. As in the past, reactive investigations into allegations of criminal and other wrongdoing, and allegations of safety and security significance, will continue to take priority when the OIG is deciding on the use of available resources. Because the NRC's mission is to protect public health and safety and the environment, Investigations' main concentration of effort and resources involves investigations of alleged NRC employee misconduct that could adversely impact public health and safety-related matters.


OBJECTIVES

To facilitate the most effective and efficient use of limited resources, the Investigations Division has established specific objectives to prevent and detect fraud, waste, abuse, and mismanagement. These objectives seek to optimize the NRC's effectiveness and efficiency and address possible violations of criminal statutes, administrative violations relating to NRC programs and operations, and allegations of misconduct by NRC employees and managers.

INITIATIVES

Safety and Security

  • Investigate allegations that NRC employees improperly disclosed allegers' (mainly licensee employees) identities and allegations, improperly handled alleger concerns, or failed to adequately address retaliation issues involving licensee employees who raised public health and safety or security concerns regarding NRC activities;
  • Investigate allegations that the NRC has not maintained an appropriate arm's length distance from licensees and contractors;
  • Investigate allegations that NRC employees released predecisional, proprietary, or official-use-only information;
  • Investigate allegations that NRC employees had improper personal relationships with NRC licensees and that NRC employees violated government-wide ethics regulations concerning the solicitation of employment with NRC licensees;
  • Interact with public interest groups, individual allegers, and industry workers to identify indications of lapses or departures in NRC regulatory oversight that could create safety and security problems;
  • Maintain close working relationships with members of the intelligence community to identify and address vulnerabilities and threats to the NRC;
  • Conduct Event and Special Inquiries into specific events that indicate an apparent shortcoming in the NRC's regulatory oversight of the nuclear industry's safety and security programs to determine if appropriate rules, regulations, and/or procedures were followed in the staff's actions to protect public health and safety;
  • Proactively review and become knowledgeable in areas of NRC staff regulatory emphasis to identify emerging issues that may require future OIG involvement, such as decommissioning activities;
  • Provide real-time OIG assessments of the NRC staff's handling of contentious regulatory activities related to nuclear safety and security matters;
  • Coordinate with NRC staff to protect the NRC's infrastructure against both internal and external computer intrusions; and,
  • Investigate allegations of misconduct by NRC employees and contractors, as appropriate.

Corporate Support

  • Attempt to detect possible wrongdoing perpetrated against the NRC's procurement, contracting, and grant programs by maintaining a close working relationship with the Office of Administration, Acquisition Management Division, and cognizant NRC Program Offices;
  • Conduct investigations appropriate for Program Fraud Civil Remedies Act action, including investigations of abuses involving false reimbursement claims by employees and contractors; and,
  • As appropriate, investigate allegations of misconduct by NRC employees and contractors.

OIG Hotline

  • Promptly process complaints received through the OIG Hotline. Initiate investigations when warranted and properly dispose of allegations that do not warrant OIG investigation.

Freedom of Information Act (FOIA) and Privacy Act

  • The OIG is an independent component within the Nuclear Regulatory Commission and responds to requests for records that are exclusively NRC OIG-related, such as reports of OIG inspections, audits, or investigations relating to the programs and operations of the NRC; and,
  • The General Counsel to the IG is the principal contact point within the OIG for advice and policy guidance on matters pertaining to administration of the FOIA. All requests are handled professionally and expeditiously.

NRC Support

  • Participate as observers on Incident Investigation Teams and Accident Investigation Teams as determined by the IG.

Liaison Program

  • Coordinate with OIG Audit Issue Area Monitoring, as appropriate, to identify areas or programs with indicators of possible fraud, waste, abuse, and mismanagement; and,
  • Conduct fraud awareness and informational presentations for NRC employees and external stakeholders regarding the role of the OIG.

ALLOCATION OF RESOURCES

The OIG Investigations Division undertakes both proactive initiatives and reactive investigations. Approximately 75 percent of available investigative resources will be used for reactive investigations. The balance will be allocated to proactive investigative efforts such as reviews of NRC contract files, examinations of NRC information technology systems to identify weaknesses or misuse by agency employees, participation in interagency task forces and working groups, reviews of delinquent government travel and purchase card accounts, and other initiatives.


APPENDIX D ABBREVIATIONS AND ACRONYMS

AIGA      Assistant Inspector General for Audits
AIGI      Assistant Inspector General for Investigations
BPA       Blanket Purchase Agreement
CARES     Coronavirus Aid, Relief, and Economic Security Act
C.F.R.    Code of Federal Regulations
CV        Continuous Vetting
DCAA      Defense Contract Audit Agency
DFS       Decommissioning Funding Status
DOJ       U.S. Department of Justice
EDG       Emergency Diesel Generator
E.O.      Executive Order
FISMA     Federal Information Security Modernization Act
FOIA      Freedom of Information Act
FTE       Full-Time Equivalent
FY        Fiscal Year
GLINDA    Global Infrastructure and Development Acquisition
IG        Inspector General
IT        Information Technology
NRC       U.S. Nuclear Regulatory Commission
OIG       Office of the Inspector General
OMB       Office of Management and Budget
OpE       Operating Experience
PIIA      Payment Integrity Information Act
RO        Reactor Operator
SL        Severity Level
SRO       Senior Reactor Operator
TW        Trusted Workforce
U.S.C.    United States Code
WBL       Web-Based Licensing