OIG-21-A-17, Status of Recommendations: Audit of the NRCs Prohibited Security Ownership Process Dated March 3rd, 2022
| ML22062A016 | |
| Person / Time | |
|---|---|
| Issue date: | 03/03/2022 |
| From: | Rivera E NRC/OIG/AIGA |
| To: | Dan Dorman, Marian Zobler NRC/EDO, NRC/OGC |
| References | |
| OIG-21-A-17 | |
| Download: ML22062A016 (10) | |
Text
March 3, 2022
MEMORANDUM TO: Daniel H. Dorman Executive Director for Operations
Marian L. Zobler General Counsel
FROM: Eric Rivera /RA/
Acting Assistant Inspector General for Audits
SUBJECT:
STATUS OF RECOMMENDATIONS: AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS (OIG-21-A-17)
REFERENCE:
EXECUTIVE DIRECTOR FOR OPERATIONS AND GENERAL COUNSEL, MEMORANDUM DATED OCTOBER 29, 2021
Attached is the Office of the Inspector Generals (OIG) analysis and status of recommendations as discussed in the agencys response dated October 29, 2021. Based on this response, recommendations 1 through 6 from this report are open and resolved. Please provide an updated status of the open and resolved recommendations by May 31, 2022.
If you have any questions or concerns, please call me at (301) 415-5915 or Vicki Foster, Team Leader, at (301) 415-5909.
Attachment:
As stated
cc: S. Miotla, OEDO J. Jolicoeur, OEDO RidsEdoMailCenter Resource OIG Liaison Resource EDO_ACS Distribution
NRC Headquarters l 11555 Rockville Pike l Rockville, Maryland 20852 l 301.415.5930
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 1: Clarify roles and responsibilities for completion, tracking, and retention of security ownership forms.
Agency Response Dated October 29, 2021: Agree: The revised and updated Office of the Chief Human Capital Officer (OCHCO) Desk Guide will clarify the roles and responsibilities for completion, tracking, and retention of security ownership forms. The Office of the General Counsel (OGC) will engage with its counterparts in OCHCO to review and align on the updated and revised Desk Guide to ensure clarity on roles and responsibilities, and retention requirements.
Target Completion Date: March 31, 2022
Point of
Contact:
Carrie Safford, OGC Meghan Creedon, OGC
OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after verifying that the revised and updated OCHCO Desk Guide clarifies the roles and responsibilities for completion, tracking, and retention of security ownership forms. Therefore, this recommendation is open and resolved.
Status: Open: Resolved.
2
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 2: Develop and implement quality assurance measures for the prohibited securities process to ensure staff adherence to timeliness metrics and ethics guidance.
Agency Response Dated October 29, 2021: Agree: OGC and OCHCO will develop a process to engage on a periodic basis to ensure that (1) security ownership certification forms are being distributed to and collected from new employees and provided to OGC Ethics, and (2)
OGC is notified by OCHCO of existing employees moving into positions subject to the prohibited securities rule, and that the security ownership form has been provided to the employee by OCHCO.
Target Completion Date: March 31, 2022
Point of
Contact:
Carrie Safford, OGC Meghan Creedon, OGC
OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when OIG reviews the process of engagement between OGC and OCHCO to ensure staff adhere to timeliness metrics and ethics guidance. Therefore, this recommendation is open and resolved.
Status: Open: Resolved.
3
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 3: Develop and implement quality assurance measures to ensure adequate monitoring of prohibited securities records including record retention and external audit capability.
Agency Response Dated October 29, 2021: Agree: OGC will develop an internal document detailing record retention requirements for ethics-related records.
Records retention will be based on NARA GRS 2.8.
Target Completion Date: December 31, 2021
Point of
Contact:
Carrie Safford, OGC Meghan Creedon, OGC
OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after reviewing the internal document detailing record retention requirements and ensuring that the document also includes a provision for external audit capability. Therefore, this recommendation is open and resolved.
Status: Open: Resolved.
4
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 4: Revise MD 7.7, Security Ownership, to include roles and responsibilities clarifications, and remove inconsistencies and outdated information.
Agency Response Dated October 29, 2021: Agree: OGC will update MD 7.7.
Target Completion Date: June 30, 2022
Point of
Contact:
Carrie Safford, OGC Meghan Creedon, OGC
OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews the updated MD 7.7, Security Ownership, and verifies the inclusion of roles and responsibilities clarification, and the removal of inconsistencies and outdated information. Therefore this recommendation is remains open and resolved.
Status: Open: Resolved.
5
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 5: Develop, finalize, and implement the prohibited securities desk guide.
Agency Response Dated October 29, 2021: Agree: OGC, in coordination with OCHCO, will draft a section for inclusion in the OCHCO Desk Guide to address roles and responsibilities of prohibited securities security ownership forms, consistent with the actions to be taken in response to Recommendation 1.
Target Completion Date: March 31, 2022
Point of
Contact:
Carrie Safford, OGC Meghan Creedon, OGC
OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews the final OCHCO Desk Guide and the process to implement it.
Therefore, this recommendation is open and resolved.
Status: Open: Resolved.
6
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 6: Require all NRC employees to complete annual training on the prohibited securities process, including waiver and extension requests, and require covered employees to sign annual security ownership certification forms.
Agency Response Dated October 29, 2021: Agree: OGC will develop an annual training module for all NRC employees who do not already receive annual training on ethics rules and financial disclosure requirements (employees who file confidential financial disclosure forms (Form 450) and public financial disclosure forms (Form 278) already receive training on the prohibited securities rule (including waivers and extension) in their required annual training). This new training module will include information on the prohibited securities rule, including waiver and extension requests.
Regarding the recommendation to require covered employees to sign annual security ownership certification forms, confidential and public financial disclosure filers already certify disclosure of all their reportable financial holdings when they sign their respective financial disclosure forms. These financial disclosure forms are reviewed for prohibited securities. Employees in positions subject to the prohibited securities rule who do not file financial disclosure forms could satisfy this recommendation by answering quiz questions at the conclusion of the training module on the prohibited securities rule. Such questions could include where to find the prohibited securities list, who to contact in OGC Ethics with questions regarding prohibited securities, how to report prohibited securities holdings, etc.
To require filing of annual security ownership certification would necessitate a rulemaking approved by the Office of Government Ethics to modify the existing NRC Prohibited Security rule, 5 CFR 5801.102.
7
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 6 (cont.):
Agency Response Target Completion Date: June 30, 2022 Dated October 29, 2021 continued:
Point of
Contact:
Carrie Safford, OGC Meghan Creedon, OGC
Agency Response Dated February 16, 2022: OGC will develop annual stand-alone training on the Prohibited Securities Rule to be assigned to all NRC employees.
The training will include quiz questions, including one question that will ask the employee to attest that they understand that they are covered or not covered, and that if they are covered, they understand their obligations under the Prohibited Securities Rule, including the obligation to review annual updates issued by the NRC. OGC will be able to review responses for completion and accuracy and, as a quality assurance and internal control measure, OGC will cross-check the responses with Ethics Gateway to ensure the accuracy of information in employee profiles (i.e. by ensuring that the yes button is selected next to the statement is covered by the PSR). In order to ensure that covered employees attest to security ownership as part of the training curriculum, an employee will not be considered to have completed the training until the attestation question is completed. OGC will review completion reports and notify appropriate officials if an employee fails to complete the training. In addition to the above, OGC will continue to twice yearly review Ethics Gateway to ensure the agency is accurately capturing covered positions in Ethics Gateway.
With respect to your comment that the proposed action does not address the requirement for covered employees to sign annual security ownership certification forms, OGC notes that there is no requirement for covered employees to sign an annual security ownership certification form. As noted in OGCs previous response, this requirement was explicitly removed from NRCs regulations consistent with the Commissions statement that because the annual certifications have rarely revealed violations of the substantive restrictions, there is inadequate justification for continuing this requirement. OGC recognizes that there is a
8
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 6 (cont.):
Agency Response Dated February 16, 2022 continued: possibility that some employees may not have signed or may not have returned to OGC an SOC upon being appointed, promoted, or transferred to a position that is covered by the NRCs security ownership restriction. However, given the annual Yellow Announcement, the improved coordination with OCHCO developed in response to this audit, and the new training being developed, OGC continues to believe that it would not be consistent with the agencys Be riskSMART principles to use agency resources to attempt to fill the gap of missing SOCs.
Agency Response Dated February 23, 2022: OGC will retain prohibited securities training records on its ethics SharePoint site in accordance with NARA requirements. Ethics training records are governed by NARA General Records Schedule 2.6, Employee Training Records, item 020, Ethics training records. This schedule requires that agencies destroy ethics training records when 6 years old or when superseded, whichever is later, but longer retention is authorized if required for business use. Because the training will be required annually, OGC does not see a business reason to retain records for more than 6 years. Accordingly, prohibited securities training records will be retained for 6 years.
Annual training will include an attestation as part of the quiz questions, and that will be included in the training records that are kept for 6 years. The training will include quiz questions, including one question that will ask the employee to attest that they understand that they are covered or not covered, and that if they are covered, they understand their obligations under the Prohibited Securities Rule, including the obligation to review annual updates issued by the NRC. It will not ask employees to attest to ownership/non-ownership of prohibited securities, as that would be the equivalent of an annual SOC which is not permitted under the Prohibited Security Rule.
9
Audit Report
AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS OIG-21-A-17
Status of Recommendations
Recommendation 6 (cont.):
OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews and verifies that the prohibited securities annual training content contains processes to ensure that NRCs records keeping system contains accurate covered employee profile information.
Therefore, this recommendation is open and resolved.
The OIG suggests that upon fully completing the annual training, the OGC cross-check the Ethics Gateway to ensure that a covered employees profile contains a signed security ownership certification form on file if the employee has been in a covered position for less than 6 years. Alternatively, the OIG suggests that the OGC consider the removal of security ownership certification forms from the 5 CFR 5801.102 entirely if adherence to the requirement of security ownership certification forms for covered employees cannot be effectively enforced or practiced.
Status: Open: Resolved.
10