ML20308A651

The OIG's Fiscal Year (FY) 2021 Annual Plan for the U.S. Nuclear Regulatory Commission (NRC) Dated November 3rd, 2020
Person / Time
Issue date: 11/03/2020
From: Feitel R
NRC/OIG

Office of the Inspector General U.S. Nuclear Regulatory Commission Annual Plan Fiscal Year 2021

FOREWORD

I am pleased to present the Office of the Inspector General's (OIG) fiscal year (FY) 2021 Annual Plan for the U.S. Nuclear Regulatory Commission (NRC). The Annual Plan provides the audit and investigative strategies and associated summaries of the specific work planned for the coming year. It sets forth the OIG's formal strategy for identifying priority issues and managing its workload and resources for FY 2021. (Effective April 1, 2014, the NRC OIG was also assigned to serve as the OIG for the U.S. Defense Nuclear Facilities Safety Board; the OIG's annual plan for that agency is contained in a separate document.)

The NRC's mission is to license and regulate the nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety, to promote the common defense and security, and to protect the environment. The OIG is committed to overseeing the integrity of NRC programs and operations. Developing an effective planning strategy is a critical aspect of accomplishing this commitment. Such planning ensures that audit and investigative resources are used efficiently.

This Annual Plan was prepared to align with the OIG Strategic Plan for FYs 2019 - 2023, which is based, in part, on an assessment of the strategic challenges facing the NRC. The Strategic Plan identifies the OIG's priorities and establishes a shared set of expectations regarding the goals we expect to achieve and the strategies we will employ over that timeframe. The Strategic Plan is the foundation on which our Annual Plan is based. The OIG sought input from Congress, the NRC Commission, NRC Headquarters, and NRC Regions in developing this Annual Plan.

We have programmed all available resources to address the matters identified in this plan. This approach maximizes use of our resources. However, to respond to a changing environment, it is sometimes necessary to modify this plan as circumstances, priorities, or resources warrant.

Robert J. Feitel
Inspector General
(Digitally signed by Robert J. Feitel, Date: 2020.11.03 12:47:38 -05'00')

TABLE OF CONTENTS

MISSION AND AUTHORITY
PLANNING STRATEGY
AUDIT STRATEGY
INVESTIGATION STRATEGY
PERFORMANCE MEASURES
OPERATIONAL PROCESSES
  • AUDITS
  • INVESTIGATIONS
  • HOTLINE

APPENDICES

A. NUCLEAR SAFETY AND SECURITY AUDITS PLANNED FOR FY 2021
  • Audit of the NRC's Reactor Inspection Issue Screening
  • Audit of the NRC's Material Control and Accounting Inspection Program for Special Nuclear Material
  • Audit of the NRC's Use of Requests for Additional Information in Licensing Processes for Spent Nuclear Fuel
  • Audit of NRC Pandemic Oversight of Nuclear Power Plants
  • Audit of COVID-19's Impact on Nuclear Materials and Waste Oversight
  • Audit of the NRC's Internal Controls of Materials Exports
  • Audit of the NRC's Drop-In Meeting Policies and Procedures
  • Audit of the NRC's Oversight of Counterfeit Reactor Components
  • Audit of the NRC's Process for Licensing Emerging Medical Technologies

B. CORPORATE MANAGEMENT AUDITS PLANNED FOR FY 2021
  • Audit of the NRC's Fiscal Year 2020 Financial Statements
  • Audit of the NRC's Oversight of Licensee Use of Decommissioning Trust Funds
  • Audit of the NRC's Grants Pre-Award and Award Processes
  • Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020
  • Audit of the NRC's Compliance with Executive Order 13950, Combating Race and Sex Stereotyping
  • Audit of the NRC Prohibited Securities Program
  • Audit of NRC's Implementation of Enterprise Risk Management
  • Audit of the NRC's Implementation of the Federal Information Technology Acquisition Reform Act
  • Audit of the NRC's Fiscal Year 2021 Financial Statements
  • Audit of NRC's Fiscal Year 2021 Compliance with Improper Payment Laws
  • Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021
  • Audit of the NRC's Change of Station Program
  • Audit of the NRC's Compliance with Standards Established by the Digital Accountability and Transparency Act of 2014
  • Audit of NRC's Knowledge Management Program
  • Audit of the NRC's Equal Employment Opportunity Program
  • Audit of the NRC's Space Management in the Regions
  • Audit of the Information System Security Officer Function

INVESTIGATIONS - PRIORITIES, OBJECTIVES, AND INITIATIVES FOR FY 2021
ISSUE AREAS AND DESIGNATED ISSUE AREA MONITORS
ABBREVIATIONS AND ACRONYMS

MISSION AND AUTHORITY

The Nuclear Regulatory Commission's (NRC) Office of the Inspector General (OIG) was established on April 15, 1989, pursuant to Inspector General Act Amendments (the Act) contained in Public Law 100-504. The OIG's mission is to (1) conduct and supervise independent audits and investigations of agency programs and operations; (2) promote economy, effectiveness, and efficiency within the agency; (3) prevent and detect fraud, waste, and abuse in agency programs and operations; (4) develop recommendations regarding existing and proposed regulations relating to agency programs and operations; and (5) keep the agency head and Congress fully and currently informed about problems and deficiencies relating to agency programs. The Act also requires the Inspector General (IG) to prepare a semiannual report to the NRC Chairman and Congress summarizing the activities of the OIG.

In furtherance of the execution of this mission and of importance to the OIG's annual plan development, the IG summarizes what he considers to be the most serious management and performance challenges facing the NRC and assesses the agency's progress in addressing those challenges. The IG identified the following as the most serious management and performance challenges facing the NRC¹ for FY 2021.


1. Strengthening Risk Informed Regulation
2. Regulatory Oversight of Decommissioning Trust Funds (DTF)
3. Management of the NRC Response to the COVID-19 Pandemic
4. Readiness for New Technologies for Reactor Design and Operation
5. Continuous Improvement Opportunities for Information Technology (IT), Internal IT Security and Information Management
6. Strategic Workforce Planning
7. NRC and Agreement State Coordination on Oversight of Materials and Waste
8. Management and Transparency of Financial and Acquisitions Operations

All audits and evaluations that were initiated in FY 2021 will be subject to these revised management and performance challenges.

Through its Issue Area Monitor (IAM) program, OIG staff monitor agency performance on these management and performance challenges. These challenges, in conjunction with the OIG's strategic goals, serve as an important basis for deciding which audits and evaluations to conduct each fiscal year.

¹ The challenges are not ranked in any order of importance.


PLANNING STRATEGY

The FY 2021 Annual Plan is linked with the OIG's Strategic Plan for FYs 2019 - 2023. The Strategic Plan identifies the major challenges and critical risk areas facing the NRC so that OIG resources may be directed to these areas in an optimum fashion. The Strategic Plan recognizes the mission and functional areas of the agency and the major challenges the agency faces in successfully implementing its regulatory program.

The plan presents strategies for reviewing and evaluating NRC programs under the strategic goals that the OIG established. The OIG's strategic goals are to (1) strengthen the NRC's efforts to protect public health and safety and the environment, (2) enhance the NRC's efforts to increase security in response to an evolving threat environment, and (3) increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources. To ensure that each audit and evaluation carried out by the OIG aligns with the Strategic Plan, program areas selected for audit and evaluation have been cross-walked from the Annual Plan to the Strategic Plan (see planned audits in appendixes A, B, and C).

AUDIT AND INVESTIGATION UNIVERSE

The NRC's fiscal year (FY) 2021 budget request is $863.4 million, including 2,868 full-time equivalents (FTE), as the full cost of agency programs. The agency's mission is to license and regulate the nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety, to promote the common defense and security, and to protect the environment. The agency also has a role in enhancing nuclear safety and security throughout the world.

The NRC is headquartered in Rockville, Maryland, just outside of Washington, DC, and has four regional offices in Pennsylvania, Georgia, Illinois, and Texas. It also operates a technical training center in Chattanooga, Tennessee.

The agency carries out its mission through various licensing, inspection, research, and enforcement programs. NRC responsibilities include regulating 96 commercial nuclear power reactors licensed to operate in the United States; 79 licensed and/or operating independent spent fuel storage installations; 31 licensed and operating research and test reactors; 10 fuel cycle facilities; and approximately 2,000 licenses issued for medical, academic, and industrial uses of nuclear material. In FY 2019, the agency had six license renewal applications for operating power reactor sites. Additionally, the NRC is overseeing the decommissioning of 21 power reactor sites and 3 research and test reactors. The audit and investigation oversight responsibilities are, therefore, derived from the agency's wide array of programs, functions, and support activities established to accomplish the NRC's mission.


AUDIT STRATEGY

Effective audit planning requires current knowledge about the agency's mission and the programs and activities used to carry out that mission. Accordingly, the OIG continually monitors specific issue areas to strengthen its internal coordination and overall planning processes. Under the office's Issue Area Monitoring (IAM) program, staff designated as Issue Area Monitors are assigned responsibility for keeping abreast of major agency programs and activities. The broad IAM areas address nuclear reactors, nuclear materials, nuclear waste, information management, security, financial and administrative programs, human resources, and international programs. Appendix E contains a listing of the IAMs and the issue areas for which they are responsible.

The audit planning process, which is informed by the OIG Strategic Plan and identified agency management and performance challenges, yields audit assignments that identify opportunities for efficiency, economy, and effectiveness in NRC programs and operations; detect and prevent fraud, waste, and mismanagement; improve program and security activities at headquarters and regional locations; and respond to emerging circumstances and priorities. The priority for conducting audits is based on (1) mandatory legislative requirements; (2) critical agency risk areas; (3) emphasis by the President, Congress, the NRC Chairman, or other NRC Commissioners; (4) a program's susceptibility to fraud, manipulation, or other irregularities; (5) dollar magnitude or resources involved in the proposed audit area; (6) newness, changed conditions, or sensitivity of an organization, program, function, or activities; (7) prior audit experience, including the adequacy of internal controls; and (8) availability of audit resources.

INVESTIGATION STRATEGY

OIG investigation strategies and initiatives add value to agency programs and operations by identifying and investigating allegations of fraud, waste, and abuse leading to criminal, civil, and administrative penalties, and recoveries. The OIG has designed specific performance targets focusing on effectiveness. Because the NRC's mission is to protect public health and safety, the main investigative concentration involves alleged NRC misconduct or inappropriate actions that could adversely impact health and safety-related matters. These investigations typically include allegations of:

  • Misconduct by high ranking and other NRC officials, such as managers and inspectors, whose positions directly impact public health and safety.
  • Failure by NRC management to ensure that health and safety matters are appropriately addressed.
  • Failure by the NRC to appropriately transact nuclear regulation.
  • Conflicts of interest involving NRC employees and NRC contractors and licensees.
  • Indications of management or supervisory retaliation claims.


The OIG will continue to monitor specific high-risk areas within the NRC's corporate management that are most vulnerable to fraud, waste, and abuse. A significant focus remains on matters that could negatively impact the security and integrity of NRC data and operations. This will also include efforts to ensure the continued protection of personal privacy information held within agency databases and systems. The OIG is committed to improving the security of the constantly changing electronic business environment by investigating computer-related fraud, waste, and abuse through proactive investigations and computer forensic examinations as warranted. Other proactive initiatives will focus on determining instances of procurement fraud and identifying vulnerabilities in NRC daily operations, including theft of property, insider threats, and U.S. government travel and purchase card abuse.

As part of these proactive initiatives, the OIG will meet with agency internal and external stakeholders to identify real and potential systemic issues or vulnerabilities. This approach enables opportunities to improve agency performance.

With respect to the OIG's strategic goals pertaining to safety and security, the OIG routinely interacts with public interest groups, individual citizens, industry workers, and NRC staff to identify possible lapses in NRC regulatory oversight that could impact public health and safety. The OIG conducts proactive reviews into areas of regulatory safety or security interest to identify emerging issues or address ongoing concerns regarding the quality of the NRC's regulatory oversight. Such areas might include new reactor licensing and relicensing of existing plants, aspects of the transportation and storage of high-level and low-level waste, as well as decommissioning activities. The OIG also participates in federal cyber, fraud, and other task forces to identify criminal activity targeted against the federal government. Finally, the OIG periodically conducts Event Inquiries and Special Inquiries.

Event Inquiry reports document the OIG's examination of events or agency regulatory actions to determine if staff actions may have contributed to the occurrence of an event.

Special Inquiry reports document those instances when an investigation identifies inadequacies in NRC regulatory oversight that may have resulted in a potential adverse impact on public health and safety.

Appendix C provides investigation objectives and initiatives for FY 2021. Specific investigations are not included in the plan because investigations are primarily responsive to reported violations of law and misconduct by NRC employees and contractors, as well as allegations of irregularities or abuse in NRC programs and operations.


PERFORMANCE MEASURES

For FY 2021, we will use several key performance measures and targets for gauging the relevance and impact of our audit and investigative work. The OIG calculates these measures in relation to each of the OIG's strategic goals to determine how well we are accomplishing our objectives. The performance measures are:

1. Percentage of OIG audit products and activities that cause the agency to take corrective action to improve agency safety, security, or corporate management programs; ratify adherence to agency policies, procedures, or requirements; or identify real dollar savings or reduced regulatory burden (i.e., high impact);
2. Percentage of audit recommendations agreed to by the agency;
3. Percentage of final agency actions taken within 2 years on audit recommendations;
4. Percentage of OIG investigative products and activities that identify opportunities to improve agency safety, security, or corporate management programs; ratify adherence to agency policies/procedures; or confirm or disprove allegations of wrongdoing (e.g., high impact);
5. Percentage of agency actions taken in response to investigative reports;
6. Percentage of active cases completed in less than 18 months on average;
7. Percentage of closed investigations referred to the U.S. Department of Justice (DOJ) or other relevant authorities; and,
8. Percentage of closed investigations resulting in indictments, convictions, civil suits or settlements, judgments, administrative actions, monetary results, or IG clearance letters.


OPERATIONAL PROCESSES

The following sections detail the approach used to carry out the audit and investigative responsibilities previously discussed.

AUDITS

The OIG's audit process comprises the steps taken to conduct audits and involves specific actions, ranging from annual audit planning to performing audit follow-up. The underlying goal of the audit process is to maintain an open channel of communication between the auditors and NRC officials to ensure that audit findings are accurate and fairly presented in the audit report.

The OIG performs the following types of audits:

Performance - Performance audits focus on NRC administrative and program operations and evaluate the effectiveness and efficiency with which managerial responsibilities are carried out, including whether the programs achieve intended results.

Financial - These audits, which include the financial statement audit required by the Chief Financial Officers Act, attest to the reasonableness of the NRC's financial statements, and evaluate financial programs.

Contract - Contract audits evaluate the costs of goods and services procured by the NRC from commercial enterprises.

The key elements in the audit process are as follows:

Audit Planning - Each year, the OIG solicits suggestions from Congress, the Commission, agency management, external parties, and OIG staff. An annual audit plan (i.e., this document) is developed and distributed to interested parties. It contains a listing of planned audits to be initiated during the year and the general objectives of the audits. The annual audit plan is a living document that may be revised as circumstances warrant, with a subsequent redistribution of staff resources.

Audit Notification - Formal notification is provided to the office responsible for a specific program, activity, or function, informing them of the OIG's intent to begin an audit of that program, activity, or function.

Entrance Conference - A meeting is held to advise agency officials of the objective(s) and scope of the audit, and the general methodology to be followed.


Survey - Exploratory work is conducted before the more detailed audit work commences to gather data for refining audit objectives, as appropriate; documenting internal control systems; becoming familiar with the activities, programs, and processes to be audited; and identifying areas of concern to management. At the conclusion of the survey phase, the audit team will recommend to the Assistant Inspector General for Audits (AIGA) a Go or No Go decision regarding the verification phase. If the audit team recommends a No Go, and it is approved by the AIGA, the audit is dropped.

Audit Fieldwork - A comprehensive review is performed of selected areas of a program, activity, or function using an audit program developed specifically to address the audit objectives.

End of Fieldwork Briefing with Agency - At the conclusion of audit fieldwork, the audit team discusses the tentative report findings and recommendations with the auditee.

Discussion Draft Report - A discussion draft copy of the report is provided to agency management to allow them the opportunity to prepare for the exit conference.

Exit Conference - A meeting is held with the appropriate agency officials to discuss the discussion draft report. This meeting provides agency management the opportunity to confirm information, ask questions, and provide any necessary clarifying data.

Formal Draft Report - If requested by agency management during the exit conference, a final draft copy of the report that includes comments or revisions from the exit conference is provided to the agency to obtain formal written comments.

Final Audit Report - The final report includes, as necessary, any revisions to the facts, conclusions, and recommendations of the draft report discussed in the exit conference or generated in written comments supplied by agency managers. Written comments are included as an appendix to the report. Some audits are sensitive and/or classified. In these cases, final audit reports are not made available to the public.

Response to Report Recommendations - Offices responsible for the specific program or audited process provide a written response on each recommendation (usually within 30 calendar days) contained in the final report. Agency management responses include a decision for each recommendation indicating agreement or disagreement with the recommended action. For agreement, agency management provides corrective actions taken or planned and actual or target dates for completion. For disagreement, agency management provides their reasons for disagreement and any alternative proposals for corrective action.

Impasse Resolution - If the response by the action office to a recommendation is unsatisfactory, the OIG may determine that intervention at a higher level is required. The Executive Director for Operations is the NRC's audit follow-up official, but issues can be taken to the Chairman for resolution, if warranted.

Audit Follow-up and Closure - This process ensures that recommendations made to management are implemented.


INVESTIGATIONS

The OIG's investigative process normally begins with the receipt of an allegation of fraud, mismanagement, or misconduct. Because a decision to initiate an investigation must be made within a few days of each referral, the OIG does not schedule specific investigations in its annual investigative plan.

Investigations are opened in accordance with OIG priorities as set forth in the OIG Strategic Plan and in consideration of prosecutorial guidelines established by the local U.S. Attorneys for the DOJ. OIG investigations are governed by the Council of the Inspectors General on Integrity and Efficiency Quality Standards for Investigations, the OIG Special Agent Handbook, and various guidance provided periodically by the DOJ.

Only four individuals in the OIG can authorize the opening of an investigative case: the Inspector General, the Deputy Inspector General, the Assistant Inspector General for Investigations (AIGI), and the Deputy Assistant Inspector General for Investigations.

Every allegation received by the OIG is given a unique identification number and entered into a database. Some allegations result in investigations, while others are retained as the basis for audits, referred to NRC management, or if appropriate, referred to another law enforcement agency.

When an investigation is opened, it is assigned to a special agent who prepares a plan of investigation. This planning process includes a review of the criminal and civil statutes, program regulations, and agency policies that may be involved. The special agent then investigates using a variety of techniques to ensure investigations are thorough, objective, and fully pursued to a logical conclusion.

In cases when the special agent determines that a crime may have been committed, he or she will discuss the investigation with a federal and/or local prosecutor to determine if prosecution will be pursued. In cases when a prosecuting attorney decides to proceed with a criminal or civil prosecution, the special agent assists the attorney in any preparation for court proceedings that may be required.

For investigations that do not result in prosecution and are handled administratively by the agency, the special agent prepares an investigative report summarizing the facts disclosed during the investigation. The investigative report is distributed to agency officials who have a need to know the results of the investigation. For investigative reports provided to agency officials, the OIG requires a response within 120 days regarding any potential action taken as a result of the investigative findings.

The OIG summarizes the criminal and administrative action taken as a result of its investigations and includes this data in its Semiannual Report to Congress.

As part of the investigation function, the OIG also periodically conducts Event Inquiries and Special Inquiries as discussed earlier.


HOTLINE

The OIG Hotline Program provides NRC employees, contract employees, and the public with a confidential means of reporting to the OIG instances of fraud, waste, and abuse relating to agency programs and operations.

Please Contact:

E-mail: Online Form
Telephone: 1-800-233-3497
TDD: 1-800-201-7165, or 7-1-1
Address: U.S. Nuclear Regulatory Commission
Office of the Inspector General
Hotline Program
Mail Stop O5-E13
11555 Rockville Pike
Rockville, MD 20852-2746

APPENDIX A NUCLEAR SAFETY AND SECURITY AUDITS PLANNED FOR FY 2021

NUCLEAR SAFETY AND SECURITY AUDITS APPENDIX A

Audit of the NRC's Reactor Inspection Issue Screening

DESCRIPTION AND JUSTIFICATION:

NRC guidance (Inspection Manual Chapter 0612) requires inspectors to screen issues of concern identified at nuclear power plants to determine whether the issues in question fall under the agency's traditional enforcement program and the Reactor Oversight Process. If an issue of concern screens positive for traditional enforcement, a violation may result. If an issue screens positive for a performance deficiency under the Reactor Oversight Process, inspectors must determine if it is of minor or more than minor safety or security significance. Issues that screen minor are generally not documented, while more than minor issues become potential findings to be assessed following the Significance Determination Process (e.g., Green, White, Yellow, and Red). In 2013, the Government Accountability Office identified inconsistency among NRC regional inspection findings.

Since 2015 there has been a sharp overall decline in the number of Green findings. This information raises questions about the impact of the focus on consistency when inspectors are applying IMC 0612 issue screening guidance both for traditional enforcement and the ROP.

OBJECTIVE:

The audit objective is to assess the consistency with which staff screen issues of concern for traditional enforcement and Reactor Oversight Process purposes in accordance with agency guidance.

SCHEDULE:

Initiated in the 4th quarter of FY 2020.

STRATEGIC GOAL 1:

Safety - Strengthen the NRC's efforts to protect public health and safety and the environment.

Strategy 1-1: Identify risk areas associated with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1:

Strengthening Risk Informed Regulation

Audit of the NRC's Material Control and Accounting Inspection Program for Special Nuclear Material

DESCRIPTION AND JUSTIFICATION:

The NRC grants licenses for the possession and use of special nuclear material (SNM) and establishes regulations to govern the possession and use of those materials. Among the NRC's licensees, fuel cycle facilities are licensed to process and handle SNM for the fabrication of fuel used by commercial nuclear power reactors to generate electricity. The NRC's regulations require that SNM license holders have material control and accounting (MC&A) systems to prepare and maintain accounting records, perform measurements, and analyze the information to confirm the presence of nuclear materials. The basic objective of MC&A is to protect against the loss or misuse of SNM. MC&A are activities the licensee and the NRC use to confirm in a timely manner that SNM has not been lost, stolen, or diverted. Failure to maintain knowledge of the location of SNM significantly increases the risk of loss. The NMSS is responsible for the MC&A Inspection program. Routine inspections typically are performed on a semiannual to annual basis. However, the NRC can conduct reactive inspections as necessary in response to an event. All inspections are performed by certified inspectors with specialized training and experience in material control and accounting.

OBJECTIVE:

The objective of this audit is to assess the effectiveness of the NRC's oversight of material control and accounting (MC&A) for special nuclear material at fuel fabrication facilities.

SCHEDULE:

Initiated in 4th quarter of FY 2020.

STRATEGIC GOAL 1:

Safety - Strengthen the NRC's efforts to protect public health and safety and the environment.

Strategy 1-1: Identify risk areas associated with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7:

NRC and Agreement State Coordination on Oversight of Materials and Waste.

Audit of the NRC's Use of Requests for Additional Information in Licensing Processes for Spent Nuclear Fuel

DESCRIPTION AND JUSTIFICATION:

The Division of Spent Fuel Management within the Office of Nuclear Material Safety and Safeguards (NMSS) develops and implements the NRC's regulatory, licensing, and inspection program for the safe and secure storage of nuclear reactor spent fuel. To become licensed to store spent fuel safely, an entity must apply to the NRC and, if applicable, respond to any requests for additional information (RAI) from NRC staff. RAIs are intended to help agency staff obtain information needed to make a regulatory decision that is fully informed, technically correct, and legally defensible. RAIs are necessary when the information was not included in an applicant's initial submission, is not contained in any other docketed correspondence, or cannot reasonably be inferred from the information available to agency staff.

During a 2015 audit on the oversight of spent fuel pools, the OIG cited concerns about RAIs, including the amount of time it took to complete the RAI process and the resources required to conduct and review complex research and analyses requested through RAIs.

OBJECTIVE:

The objective of this audit is to assess the efficiency and effectiveness of the NRC's use of requests for additional information during the spent fuel licensing process.

SCHEDULE:

Initiated in 4th quarter of FY 2020.

STRATEGIC GOAL 1:

Safety - Strengthen the NRC's efforts to protect public health and safety and the environment.

Strategy 1-1: Identify risk areas associated with the NRC's oversight of DOE defense nuclear facilities and conduct audits and/or investigations that lead to improved NRC performance and communications.

MANAGEMENT CHALLENGE 7:

NRC and Agreement State Coordination on Oversight of Materials and Waste.

Audit of NRC Pandemic Oversight of Nuclear Power Plants

DESCRIPTION AND JUSTIFICATION:

On January 31, 2020, the U.S. Department of Health and Human Services declared a public health emergency (PHE) for the United States to aid the nation's healthcare community in responding to the Coronavirus Disease 2019 (COVID-19). On March 11, 2020, the COVID-19 outbreak was characterized as a pandemic by the World Health Organization. State and local jurisdictions rapidly enacted social distancing guidelines recommended by the Centers for Disease Control, and NRC offices and NRC-licensed facilities took steps to protect their employees and mitigate the spread of a novel disease in their communities.

The NRC's Reactor Oversight Process Baseline Inspection Program requires resident and regional inspectors to complete a minimum number of samples in a range of inspection procedures. NRC inspectors continued to inspect licensed nuclear power facilities, using new tools and guidance from NRC Headquarters and Regions. However, emergency measures taken in response to the COVID-19 pandemic limited inspectors' ability to complete some scheduled baseline activities.

OBJECTIVE:

The audit objective is to assess the NRC's policies and procedures for conducting reactor inspections during the COVID-19 public health emergency and identify best practices that could be applied during future pandemics or other public health emergencies.

SCHEDULE:

Initiate in the 1st quarter of FY 2021.

STRATEGIC GOAL 1:

Safety - Strengthen the NRC's efforts to protect public health and safety and the environment.

Strategy 1-1: Identify risk areas associated with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 3:

Management of NRC response to the COVID-19 pandemic.

Audit of COVID-19's Impact on Nuclear Materials and Waste Oversight

DESCRIPTION AND JUSTIFICATION:

On January 31, 2020, the U.S. Department of Health and Human Services declared a public health emergency (PHE) for the United States to aid the nation's healthcare community in responding to the Coronavirus Disease 2019 (COVID-19). The NRC recognized that during the current COVID-19 PHE, licensees may experience challenges in meeting certain regulatory requirements and has increased communications with licensees to understand the impact of COVID-19 on facility operational status and any potential compliance issues.

The NRC issued a letter to its byproduct material, uranium recovery, decommissioning, fuel facilities, and spent fuel storage licensees outlining the regulatory options to seek regulatory relief, including (1) exemptions from regulatory requirements, (2) amendments to license conditions or technical specifications, and (3) enforcement discretion. Typical requests involve relief from routine actions such as conducting audits, inventories, and completing employee retraining/recertification. The NRC considers the exemption requests on a case-by-case basis and, if a request meets the requirements for an exemption, provides written approval of an exemption for a specific period.

Requests for relief are only granted if NRC staff finds that they do not have a significant impact on safety or security. While providing relief from regulatory requirements, the NRC continues to assure that licensed facilities are operating safely during the COVID-19 PHE.

OBJECTIVES:

The audit objective is to assess and evaluate the NRC's nuclear materials and waste oversight processes during the COVID-19 pandemic.

SCHEDULE:

Initiate in the 2nd quarter of FY 2021.

STRATEGIC GOAL 1 and 2:

Safety - Strengthen the NRC's efforts to protect public health and safety and the environment.

Security - Enhance the NRC's efforts to increase security in response to an evolving threat environment.

Strategy 1-1: Identify risk areas associated with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

Strategy 2-2: Identify risks in emergency preparedness and incident response, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 3:

Management of NRC response to the COVID-19 pandemic.

Audit of the NRC's Internal Controls of Materials Exports

DESCRIPTION AND JUSTIFICATION:

The regulations in 10 CFR Part 110, Import and Export of Nuclear Equipment and Material, prescribe licensing, enforcement, and rulemaking procedures and criteria, under the Atomic Energy Act, for the export of nuclear equipment and material. The NRC's Office of International Programs (OIP) provides overall coordination for the NRC's international activities and develops and implements programs to carry out policies in the international arena, including export and import licensing responsibilities. In addition, the OIP establishes and maintains working relationships with individual countries and international nuclear organizations, as well as other involved U.S. government agencies.

The OIP also participates in international activities including International Atomic Energy Agency coordination, bilateral discussions with foreign nations on items of interest, and import and export notifications on nuclear materials and special nuclear materials transfers.

Additionally, in conjunction with the Office of Nuclear Security and Incident Response (NSIR), the OIP conducts physical protection and non-proliferation reviews of export license applications and foreign technical assistance requests.

OBJECTIVES:

The audit objective is to assess the effectiveness of the NRC's internal controls of materials exports licensing.

SCHEDULE:

Initiate in the 2nd quarter of FY 2021.

STRATEGIC GOAL 2:

Security - Strengthen the NRC's security efforts in response to an evolving threat

Strategy 2-1: Identify risks involved in securing nuclear reactors, fuel cycle facilities, and materials and conduct audits and/or investigations that lead to NRC program and operational improvements.

Strategy 2-3: Identify risks in international security activities and conduct audits and/or investigations that lead to program and operational improvements.

MANAGEMENT CHALLENGE 7:

NRC and Agreement State Coordination on Oversight of Materials and Waste.

Audit of the NRC's Drop-In Meeting Policies and Procedures

DESCRIPTION AND JUSTIFICATION:

External stakeholders have expressed concern about the frequency of senior agency management interactions with nuclear power industry representatives, some of which coincide with regulatory decisions such as backfit appeal. NRC guidance requires staff to avoid discussing specific details of regulatory matters with industry representatives in non-public interactions, although staff are permitted to discuss general information pertaining to agency activities.

OBJECTIVE:

The audit objective is to determine whether NRC policies and procedures for non-public interactions with industry stakeholders are adequate to prevent compromise of the independence of agency staff or the appearance of conflicts of interest.

SCHEDULE:

Initiate in the 3rd quarter of FY 2021.

STRATEGIC GOAL 1:

Safety - Strengthen the NRC's efforts to protect public health and safety and the environment.

Strategy 1-1: Identify risk areas associated with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1:

Strengthening Risk Informed Regulation.

Audit of the NRC's Oversight of Counterfeit Reactor Components

DESCRIPTION AND JUSTIFICATION:

Multiple NRC organizations play a role in overseeing nuclear power licensees' efforts to prevent the use of counterfeit, fraudulent, and suspect items (CFSI) in nuclear power reactors. The NRC performs vendor quality assurance inspections, which may focus on CFSI based on risk insights, and cybersecurity inspections assess licensees' policies and procedures for ensuring the integrity of digital components that are installed in plant safety systems. In addition, the NRC's new reactor construction inspections provide oversight during reactor construction activities, and agency investigators follow up on CFSI allegations to determine if enforcement action is warranted.

OBJECTIVE:

The audit objective is to assess whether the NRC's oversight activities reasonably assure nuclear power licensees prevent and detect installation of counterfeit, fraudulent, and suspect items in new and operating reactors.

SCHEDULE:

Initiate in the 4th quarter of FY 2021.

STRATEGIC GOAL 1:

Safety - Strengthen the NRC's efforts to protect public health and safety and the environment.

Strategy 1-1: Identify risk areas associated with the NRC's oversight of nuclear facilities, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 1:

Strengthening Risk Informed Regulation.

Audit of the NRC's Process for Licensing Emerging Medical Technologies

DESCRIPTION AND JUSTIFICATION:

Title 10 of the Code of Federal Regulations (10 CFR) Part 35, Subpart K, describes the process to obtain a license, or license amendment, for a new medical use of byproduct material or radiation from byproduct material, which is not addressed in other parts of Part 35 (i.e., an emerging medical technology). When licensing emerging medical technologies, the Office of Nuclear Material Safety and Safeguards (NMSS) staff coordinate within NRC to determine whether the emerging technology is already included in the regulations in 10 CFR Part 35, Subparts D through H. If the emerging medical technology is not specifically addressed in 10 CFR Part 35, Subparts D through H, the staff develops licensing guidance describing an acceptable approach for meeting NRC regulations.

In recent years, NMSS staff have issued specific licensing guidance and made determinations for 11 emerging medical technologies under Part 35.1000. Due to the growth in medical applications of radioisotopes and advancements in medical technologies for use in diagnosis, therapy, and medical research, it is anticipated that an increase will occur in the number of emerging medical technologies licensed by the NRC. Approximately 15 more technologies are anticipated to be reviewed in Fiscal Years 2020-2023.

OBJECTIVE:

To determine the NRC's efficiency in licensing emerging medical technologies, including developing technology-specific guidance for emerging medical technologies covered under Subpart K.

SCHEDULE:

Initiate in the 4th quarter of FY 2021.

STRATEGIC GOAL 1:

Safety - Strengthen the NRC's efforts to protect public health and safety and the environment.

Strategy 1-2: Identify risk areas facing the NRC's oversight of nuclear materials and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 7:

NRC and Agreement State Coordination on Oversight of Materials and Waste.


APPENDIX B CORPORATE MANAGEMENT AUDITS PLANNED FOR FY 2021

Audit of the NRC's Fiscal Year 2020 Financial Statements

DESCRIPTION AND JUSTIFICATION:

Under the Chief Financial Officers Act, the Government Management and Reform Act, and OMB Bulletin 19-03, Audit Requirements for Federal Financial Statements, the OIG is required to audit the NRC's financial statements. The report on the audit of the agency's financial statements is due on November 16, 2020.

OBJECTIVES:

The audit objectives are to

  • Express opinions on the agency's financial statements and internal controls over financial reporting;
  • Review compliance with applicable laws, regulations, contracts, and grant agreements; and
  • Review controls in the NRC's computer systems that are significant to financial statements.

SCHEDULE:

Initiated in the 3rd quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 8:

Management and Transparency of Financial and Acquisitions Operations.

Audit of the NRC's Oversight of Licensee Use of Decommissioning Trust Funds

DESCRIPTION AND JUSTIFICATION:

The NRC must obtain reasonable assurances from nuclear reactor licensees that funds will be available for the decommissioning process before operations begin. As a means of oversight of licensees' decommissioning funding assurance (DFA), licensees are required to provide a DFA status report to the NRC biennially. Five years prior to permanent cessation of operations, licensees are required to provide the DFA status reports annually.

Prior to, or within two years after permanent cessation of operations, licensees are required to submit a Post Shut-Down Decommissioning Activity Report that includes a description and schedule for the planned decommissioning activities and a site-specific cost estimate.

Decommissioning trust funds may be used by licensees if (a) the withdrawals are for expenses for legitimate decommissioning activities consistent with the definition of decommissioning in § 50.2; (b) the expenditure would not reduce the value of the decommissioning trust below an amount necessary to place and maintain the reactor in a safe storage condition if unforeseen conditions or expenses arise; and (c) the withdrawals would not inhibit the ability of the licensee to complete funding of any shortfalls in the decommissioning trust needed to ensure the availability of funds to ultimately release the site and terminate the license.

OBJECTIVE:

The audit objective is to determine if the NRC's oversight of licensee use of their decommissioning trust funds is adequate.

SCHEDULE:

Initiated in the 4th quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within the NRC, and make recommendations, as warranted, to address them.

MANAGEMENT CHALLENGE 2:

Regulatory Oversight of Decommissioning Trust Fund.

Audit of the NRC's Grants Pre-Award and Award Processes

DESCRIPTION AND JUSTIFICATION:

In Fiscal Years (FY) 2018 - 2019, the NRC awarded 53 and 45 grants, totaling $15.5 million and $14.8 million, respectively, to universities for scholarships, fellowships, and faculty development grants. In addition, the agency made grants to trade schools and community colleges. The NRC intends grant funding to help support education in nuclear science, engineering, and related trades to develop a workforce capable of the design, construction, operation, and regulation of nuclear facilities and the safe handling of nuclear materials.

While the NRC's grant program supports over 500 students annually, it directs most grant money to university faculty and curriculum development. The NRC also notes a critical workforce need in the trade and craft areas of nuclear education and observes that outreach to pre-college students is essential to enable students to make informed decisions about pursuing the study of nuclear technology.

OBJECTIVES:

The audit objectives are to determine if (1) the NRC's processes for reviewing grant proposals and making awards comply with applicable federal regulations and agency guidance, and (2) internal controls over the processes are adequate.

SCHEDULE:

Initiated in the 4th quarter of FY 2020.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 8:

Management and Transparency of Financial and Acquisitions Operations.

Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020

DESCRIPTION AND JUSTIFICATION:

The Federal Information Security Modernization Act (FISMA) was enacted in 2014. The FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, the FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the federal government information and information systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

The FISMA provides the framework for securing the federal government's information technology, including both unclassified and national security systems. All agencies must implement the requirements of the FISMA and report annually to the Office of Management and Budget and Congress on the effectiveness of their security programs.

OBJECTIVE:

The evaluation objective will be to conduct an independent assessment of the NRC's FISMA implementation for Fiscal Year 2020.

SCHEDULE:

Initiated in the 4th quarter of FY 2020.

STRATEGIC GOAL 2:

Security - Strengthen the NRC's security efforts in response to an evolving threat.

Strategy 2-2: Identify risks in emergency preparedness and incident response, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5:

Continuous Improvement Opportunities for Information Technology (IT), Internal IT Security and Information Management.

Audit of the NRC's Compliance with Executive Order 13950, Combating Race and Sex Stereotyping

DESCRIPTION AND JUSTIFICATION:

Executive Order (E.O.) 13950, Combating Race and Sex Stereotyping, dated September 22, 2020, requires federal agencies, federal grantees, federal contractors, and the Uniformed Services to address trainings that include divisive concepts, race or sex stereotyping, and race or sex scapegoating.

Section 6(c)(ii) of the E.O. states that each agency head shall request the agency inspector general to thoroughly review and assess by the end of the calendar year, and not less than annually thereafter, agency compliance with the requirements of this order in the form of a report submitted to the Office of Management and Budget (OMB).

OBJECTIVE:

To review and assess agency compliance with the requirements of E.O. 13950, Combating Race and Sex Stereotyping.

SCHEDULE:

Initiate in the 1st quarter of FY 2021.

STRATEGIC GOAL:

Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 6:

Strategic Workforce Planning

Audit of the NRC Prohibited Securities Program

DESCRIPTION AND JUSTIFICATION:

NRC employees at a certain professional level are prohibited from owning stock in companies that would conflict with NRC work. These NRC employees, as well as their spouses and minor children, are prohibited by regulation from owning any securities issued by entities on the most recent list published annually by the Office of the General Counsel.

The NRC policies and procedures on this regulation are contained in Management Directive 7.7, Security Ownership.

Employees who become subject to this restriction as a result of initial employment or subsequent assignment to a covered position are required to certify that they are following the NRC security ownership restrictions. The employee has 90 days from the date of appointment to divest those securities. The employee should inform the Office of the General Counsel when the securities are divested. The deadline can be extended in cases of unusual hardship. In addition, the divestiture requirement can be waived under extremely limited circumstances, such as legal constraints that prevent divestiture.

OBJECTIVE:

The objective of this audit will be to determine whether the NRC has established and implemented an effective system of internal control over the NRC Security Ownership Program.

SCHEDULE:

Initiated in the 2nd quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 8:

Management and Transparency of Financial and Acquisitions Operations.

Audit of the NRC's Implementation of the Enterprise Risk Management Process

DESCRIPTION AND JUSTIFICATION:

The Office of Management and Budget (OMB) substantively updated OMB Circular No. A-123 (OMB A-123) in 2016. It includes Enterprise Risk Management (ERM), as a means to coordinate with strategic planning and strategic review established by the Government Performance and Results Modernization Act of 2010, and the internal control processes required by the Federal Managers' Financial Integrity Act and Government Accountability Office's Standards for Internal Control in the Federal Government. This change to OMB A-123 is meant to integrate governance structure to improve mission delivery, reduce costs, and focus corrective actions towards key risks. Implementation of the revised OMB A-123 will engage all agency management beyond the traditional ownership of OMB Circular No. A-123 by the Chief Financial Officer community. It requires leadership from the agency Chief Operating Officer and Performance Improvement Officer, and close collaboration across all agency mission and mission-support functions.

The NRC revised its Management Directive 4.4 (MD 4.4), Enterprise Risk Management and Internal Control, in December 2017 to address the updates to OMB A-123. MD 4.4 establishes the agency's ERM framework and provides a structured approach to managing risk that incorporates internal control, risk management, and enterprise risk management in the context of agency governance.

OBJECTIVE:

The audit objective will be to determine whether the NRC's Enterprise Risk Management process is being implemented in accordance with OMB A-123.

SCHEDULE:

Initiate in the 2nd quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within NRC and conduct audits and investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 8:

Management and Transparency of Financial and Acquisitions Operations.

Audit of the NRC's Implementation of the Federal Information Technology Acquisition Reform Act

DESCRIPTION AND JUSTIFICATION:

In December 2014, Congress enacted the Federal Information Technology Acquisition Reform Act (FITARA) to promote federal information technology (IT) modernization and strengthen the federal IT workforce. Beginning in 2015, the Office of Management and Budget (OMB) issued guidance to assist agencies in establishing management practices that align IT resources with agency missions, goals, programmatic priorities, and statutory requirements. The Government Accountability Office (GAO) has issued periodic scorecards to assess agencies' progress toward IT modernization goals in several key areas, assigning grades of A to F. The NRC has implemented changes in, and made several improvements to, IT management processes. However, the NRC's overall grade on the GAO scorecard has never been better than a C, and most recently dropped to a D-. The NRC's IT acquisitions program may not meet statutory requirements or promote efficient operations if the rating further declines.

OBJECTIVE:

The audit objective is to determine whether the NRC's IT acquisition program implementation meets statutory requirements and achieves the goals of the FITARA.

SCHEDULE:

Initiate in the 2nd quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-2: Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5:

Continuous Improvement Opportunities for Information Technology (IT), Internal IT Security and Information Management.

Audit of the NRC's Fiscal Year 2021 Financial Statements

DESCRIPTION AND JUSTIFICATION:

Under the Chief Financial Officers Act, the Government Management and Reform Act, and OMB Bulletin 19-03, Audit Requirements for Federal Financial Statements, the OIG is required to audit the NRC's financial statements.

OBJECTIVES:

The audit objectives are to:

  • Express opinions on the agency's financial statements and internal controls over financial reporting;
  • Review compliance with applicable laws, regulations, contracts, and grant agreements; and,
  • Review controls in the NRC's computer systems that are significant to financial statements.

SCHEDULE:

Initiate in the 2nd quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 8:

Management and Transparency of Financial and Acquisitions Operations.

Audit of NRC's Fiscal Year 2021 Compliance with Improper Payment Laws

DESCRIPTION AND JUSTIFICATION:

An improper payment is (a) any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements, and (b) includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except for such payments where authorized by law), and any payment that does not account for credit for applicable discounts.

The Improper Payments Elimination and Recovery Act of 2010 (IPERA) (Public Law 111-204) amended the Improper Payments Information Act of 2002 and required agencies to identify and review all programs and activities they administer that may be susceptible to significant improper payments based on guidance provided by the Office of Management and Budget. For programs or activities with estimated improper payments, each agency was required to prepare a report on actions it has taken or plans to take to recover improper payments and prevent future improper payments. In addition, section 3 of the IPERA required Inspectors General to review each agency's improper payment reporting and issue an annual report. On March 2, 2020, the Payment Integrity Information Act of 2019 (PIIA) (Public Law 116-117) repealed the IPERA (and other laws) but set forth similar improper payment reporting requirements, including an annual compliance report by Inspectors General.

OBJECTIVES:

The audit objectives will be to assess the NRC's compliance with the IPERA, as amended by the PIIA, and report any material weaknesses in internal control.

SCHEDULE:

Initiate in the 2nd quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 8:

Management and Transparency of Financial and Acquisitions Operations.

Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021

DESCRIPTION AND JUSTIFICATION:

The Federal Information Security Modernization Act (FISMA) was enacted in 2014. The FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, the FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the federal government information and information systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

The FISMA provides the framework for securing the federal government's information technology, including both unclassified and national security systems. All agencies must implement the requirements of the FISMA and report annually to the Office of Management and Budget and Congress on the effectiveness of their security programs.

OBJECTIVE:

The evaluation objective will be to conduct an independent assessment of the NRC's FISMA implementation for Fiscal Year 2021.

SCHEDULE:

Initiate in the 2nd quarter of FY 2021.

STRATEGIC GOAL 2:

Security - Strengthen the NRC's security efforts in response to an evolving threat environment.

Strategy 2-2: Identify risks in emergency preparedness and incident response, and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5:

Continuous Improvement Opportunities for Information Technology (IT), Internal IT Security and Information Management.

Audit of the NRC's Change of Station Program

DESCRIPTION AND JUSTIFICATION:

Within the federal government, a permanent change of station (PCS) is the transfer of an employee from one official work site to another or the assignment of a new appointee to their first assignment site on a permanent basis.

The Federal Travel Regulation (FTR), issued by the Administrator of General Services, governs, among other things, eligibility for relocation allowances (chapter 302) and permanent change of station allowances for subsistence and transportation expenses (Subchapter C). Much of the FTR, however, allows for agency discretion. NRC Management Directive 14.2, Relocation Allowances, provides NRC employees with the procedures, regulations, and requirements necessary to relocate to a permanent official duty station or to make a last move home and to claim reimbursement for the allowable expenses.

The agency's PCS obligations for FY 2018 and FY 2019 were approximately $6 million and $6.1 million, respectively. Total moves processed in FY 2018 and FY 2019 totaled 56 and 58, respectively.

OBJECTIVE:

The objective of this audit is to determine whether the NRC has established and implemented an effective system of internal control over the Permanent Change of Station Program.

SCHEDULE:

Initiate in the 3rd quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 8:

Management and Transparency of Financial and Acquisitions Operations.

Audit of the NRC's Compliance with Standards Established by the Digital Accountability and Transparency Act of 2014

DESCRIPTION AND JUSTIFICATION:

The Digital Accountability and Transparency Act of 2014 (DATA Act) was enacted May 9, 2014, and requires federal agencies to report financial and payment data in accordance with data standards established by the Department of Treasury and the Office of Management and Budget. The data reported will be displayed on a website available to taxpayers and policy makers. In addition, the DATA Act requires Inspectors General (IGs) to review the data submitted by the agency under the Act and report to Congress on the completeness, timeliness, quality, and accuracy of this information. In accordance with the Act, the IG issued an audit report in November 2019 and plans to issue the next reports in 2021 and 2023. This audit pertains to the review of FY 2021 data. The OIG audit report is due in November 2021.

OBJECTIVES:

The audit objectives are to review the 1st quarter data submitted by the NRC under the DATA Act and (1) determine the completeness, timeliness, accuracy, and quality of the data sampled and (2) assess the implementation of the governing standards by the agency.

SCHEDULE:

Initiate in the 3rd quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within the NRC and conduct audits and/or investigations that lead to NRC program improvements.

MANAGEMENT CHALLENGE 5:

Continuous Improvement Opportunities for Information Technology (IT), Internal IT Security and Information Management.

Audit of the NRC's Knowledge Management Program

DESCRIPTION AND JUSTIFICATION:

Knowledge management is a discipline that promotes an integrated approach to identifying, capturing, evaluating, retrieving, sharing, and effectively using an enterprise's information assets. These assets may include databases, documents, policies, procedures, and previously un-captured expertise and the experience of individual workers. Useful knowledge collected from these assets may include explicit, tacit, and embedded knowledge. An effective knowledge management system allows knowledge capital to be properly leveraged, increasing the efficiency with which the agency may reach its objectives. However, efforts to reduce the NRC's staffing and budget have raised knowledge management concerns that could adversely affect the performance of the agency.

OBJECTIVE:

The audit objective is to assess the effectiveness of the NRC's knowledge management program in helping the agency capture and transfer knowledge for the purposes of meeting its mission.

SCHEDULE:

Initiate in the 4th quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 6:

Strategic Workforce Planning.

Audit of the NRC's Equal Employment Opportunity Program

DESCRIPTION AND JUSTIFICATION:

The NRC Office of Small Business and Civil Rights supports the NRC mission in protecting people and the environment by enabling the agency to have a diverse and inclusive workforce, to advance Equal Employment Opportunity (EEO) for employees and applicants, to provide fair and impartial processing of discrimination complaints, to afford maximum practicable prime and subcontracting opportunities for small businesses, and to allow for meaningful and equal access to agency-conducted and financially assisted programs and activities.

The NRC has established an EEO Complaint Process, which is available to employees (current and former) and applicants who believe they have been subjected to discrimination, reprisal, or workplace harassment. The process to file an EEO complaint requires an individual to contact an EEO Counselor within 45 calendar days of the date of the alleged discriminatory event or within 45 calendar days of the effective date of a personnel action. The EEO Counselor will attempt an informal resolution of the matter, or Alternative Dispute Resolution (ADR). If the matter is not resolved, the final interview will be conducted, and a notice of right to file a formal complaint will be given.

During FY 2019, EEO complaint activity started trending upward, even as NRC staffing levels declined. Based on the complaint activity, reprisal, age, and gender made up 60 percent of complaints filed by bases, and the number one issue raised was harassment.

OBJECTIVE:

To determine the efficiency and effectiveness of the NRC's Equal Employment Opportunity Program.

SCHEDULE:

Initiate in the 4th quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 6:

Strategic Workforce Planning.

Audit of the NRC's Space Management in the Regions

DESCRIPTION AND JUSTIFICATION:

On September 23, 2016, the Government Accountability Office reported that the federal government continues to maintain excess and underutilized property. In FY 2015, federal agencies reported more than 7,000 excess or underutilized real property assets. That stands in contrast to the Office of Management and Budget's 2015 National Strategy for the Efficient Use of Real Property (National Strategy) and its companion policy, the Reduce the Footprint Policy. The National Strategy is a three-step framework to improve real property management: freeze growth in the inventory; measure performance to identify opportunities for efficiency improvements through data-driven decision-making; and, ultimately, reduce the size of the inventory by prioritizing actions to consolidate, co-locate, and dispose of properties.

Given the decrease in the NRC's staffing, it is possible that NRC has not properly assessed its footprint in the regional offices.

OBJECTIVE:

The objective of this audit will be to determine if NRC is efficiently using real property in the NRC regional offices.

SCHEDULE:

Initiate in the 4th quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-1: Identify areas of corporate management risk within NRC and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 8:

Management and Transparency of Financial and Acquisitions Operations.

Audit of the Information System Security Officer Function

DESCRIPTION AND JUSTIFICATION:

The NRC relies heavily on its IT infrastructure and systems to carry out the agency's mission to license and regulate the Nation's civilian use of byproduct, source, and special nuclear materials to ensure adequate protection of public health and safety, promote the common defense and security, and protect the environment. As a result, risks to these systems have a direct impact on the agency's ability to carry out its mission. As the number and sophistication of cyberattacks grows, so does the likelihood that NRC systems and assets will be susceptible to such attacks. The Information System Security Officers (ISSOs) have direct responsibility for protecting a system and its data and are responsible for ensuring that the system is properly secured in accordance with NRC and federal policies and procedures. ISSOs play a critical role in addressing and offsetting risks to NRC systems. The ISSO is at the center of all information system security activities in all stages of a system's life cycle. The ISSO serves as the principal point of contact for questions about all aspects of a system's security.

OBJECTIVES:

The audit objectives are (1) to assess whether the ISSOs have the necessary skills needed to perform the work, and (2) determine the effectiveness of the ISSO function within the agency.

SCHEDULE:

Initiate in the 4th quarter of FY 2021.

STRATEGIC GOAL 3:

Corporate Management - Increase the economy, efficiency, and effectiveness with which the NRC manages and exercises stewardship over its resources.

Strategy 3-2: Identify risks in maintaining a secure infrastructure (i.e., physical, personnel, and cyber security), and conduct audits and/or investigations that lead to NRC program and operational improvements.

MANAGEMENT CHALLENGE 5:

Continuous Improvement Opportunities for Information Technology (IT), Internal IT Security and Information Management.

APPENDIX C INVESTIGATIONS - PRIORITIES, OBJECTIVES, AND INITIATIVES FOR FY 2021

INTRODUCTION

The Assistant Inspector General for Investigations (AIGI) is responsible for developing and implementing an investigative program that furthers the OIG's objectives. The AIGI's primary responsibilities include investigating possible violations of criminal statutes relating to NRC programs and activities, investigating allegations of misconduct by NRC employees, coordinating with the DOJ on OIG-related criminal matters, and working jointly on investigations and OIG initiatives with other federal, state, and local investigative agencies and other AIGIs.

The AIGI may initiate investigations that cover a broad range of allegations concerning criminal wrongdoing or administrative misconduct affecting various NRC programs and operations as a result of allegations or referrals from private citizens; licensee employees; NRC employees; Congress; other federal, state, and local law enforcement agencies; OIG audits; the OIG Hotline; and proactive efforts directed at identifying potential for fraud, waste, and abuse.

This investigative plan was developed to focus OIG investigative priorities and use available resources most effectively. It provides strategies and planned investigative work for the fiscal year in conjunction with the OIG Strategic Plan. OIG Investigations also considers the most serious management and performance challenges facing the NRC, as identified by the Inspector General, in the development of its investigative plan.

PRIORITIES

The OIG will complete approximately 40 investigations, including Event/Special Inquiries, in FY 2021. As in the past, reactive investigations into allegations of criminal and other wrongdoing will continue to claim priority on the OIG's use of available resources.

Because the NRC's mission is to protect public health and safety and the environment, Investigations' main concentration of effort and resources will involve investigations of alleged NRC employee misconduct that could adversely impact public health and safety-related matters.

OBJECTIVES

To facilitate the most effective and efficient use of limited resources, Investigations has established specific objectives aimed at preventing and detecting fraud, waste, and abuse as well as optimizing NRC effectiveness and efficiency, and addressing possible violations of criminal statutes, administrative violations relating to NRC programs and operations, and allegations of misconduct by NRC employees.

INITIATIVES

Safety and Security

  • Investigate allegations that NRC employees improperly disclosed allegers' (mainly licensee employees) identities and allegations; NRC employees improperly handled alleger concerns; and the NRC failed to properly address retaliation issues involving NRC management officials and/or NRC licensee employees who raised public health and safety or security concerns regarding NRC activities.
  • Investigate allegations that the NRC has not maintained an appropriate arm's-length distance from licensees and contractors.
  • Investigate allegations that NRC employees released predecisional, proprietary, or official-use-only information.
  • Investigate allegations that NRC employees had improper personal relationships with NRC licensees and that NRC employees violated government-wide ethics regulations concerning the solicitation of employment with NRC licensees.
  • Interact with public interest groups, individual allegers, and industry workers to identify indications of lapses or departure in NRC regulatory oversight that could create safety and security problems.
  • Maintain close working relationships with members of the intelligence community to identify and address vulnerabilities and threats to the NRC.
  • Conduct Event and Special Inquiries into specific events that indicate an apparent shortcoming in the NRC's regulatory oversight of the nuclear industry's safety and security programs to determine the appropriateness of the staff's actions to protect public health and safety.
  • Proactively review and become knowledgeable in areas of NRC staff regulatory emphasis to identify emerging issues that may require future OIG involvement, such as decommissioning activities. Provide real-time OIG assessments of the appropriateness of NRC staff's handling of contentious regulatory activities related to nuclear safety and security matters.
  • Identify risks associated with the proliferation of nuclear material and nuclear technology.
  • Coordinate with NRC staff to protect the NRC's infrastructure against both internal and external computer intrusions.
  • Investigate allegations of misconduct by NRC employees and contractors, as appropriate.

Corporate Management

  • Attempt to detect possible wrongdoing perpetrated against the NRC's procurement and contracting and grant program by maintaining a close working relationship with the Office of Administration, Division of Contracts, and cognizant NRC Program Offices.
  • Conduct investigations appropriate for Program Fraud Civil Remedies Act action, including abuses involving false reimbursement claims by employees and contractors.
  • As appropriate, coordinate with OIG Audit IAMs to identify areas or programs with indicators of possible fraud, waste, and abuse.

  • Conduct fraud awareness and information presentations for NRC employees and external stakeholders regarding the role of the NRC OIG.
  • As appropriate, investigate allegations of misconduct by NRC employees and contractors.

OIG Hotline

  • Promptly process complaints received via the OIG Hotline. Initiate investigations when warranted and properly dispose of allegations that do not warrant OIG investigation.

Freedom of Information Act (FOIA) & Privacy Act

  • Promptly process all requests for information received under the FOIA. Coordinate as appropriate with the General Counsel to the IG and the NRC FOIA/Privacy Act Section.

NRC Support

  • Participate as observers on Incident Investigation Teams and Accident Investigation Teams as determined by the IG.

Liaison Program

  • Maintain close working relationships with other law enforcement agencies, public interest groups, and Congress. This will be accomplished through periodic meetings with AIGIs, pertinent congressional staff, public interest groups, and appropriate law enforcement organizations.
  • Maintain a viable regional liaison program to foster a closer working relationship with NRC regional offices.
  • Establish and maintain NRC OIG active participation in OIG community fraud working groups, multiagency fraud task forces, and multiagency undercover operations where a nexus to NRC programs and operations has been clearly established.

ALLOCATION OF RESOURCES

Investigations undertakes both proactive initiatives and reactive investigations.

Approximately 85 percent of available investigative resources will be used for reactive investigations. The balance will be allocated to proactive investigative efforts, such as reviews of NRC contract files, examinations of NRC information technology systems to identify weaknesses or misuse by agency employees, participation in interagency task forces and working groups, and reviews of delinquent government travel and purchase card accounts.

APPENDIX D ISSUE AREAS AND DESIGNATED ISSUE AREA MONITORS

Corporate Support Functions Nuclear Materials (Safety and Security)

Tincy Thomas de Colón Regina Revinzon Vicki Foster Tim Wilson Megan Tate Roxana Hartsock Angel Wang Janelle Wiggs Jimmy Wong Stephanie Dingbaum Connor McCune Financial Reactor Safety Terri Cooper Felicia Silver Paul Rades Jenny Cheung Avinash Jaigobind Muhammad Arefin Chanel Stridiron Curtis Brown Brigit Larsen William Chung Reactor Security and Emergency Preparedness Information Technology Paul Rades Terri Cooper Amy Hardin Felicia Silver Kevin Guishard Jenny Cheung Muhammad Arefin Curtis Brown William Chung

APPENDIX E ABBREVIATIONS AND ACRONYMS

ADAMS - Agencywide Document Access Management System
AIGA - Assistant Inspector General for Audits
AIGI - Assistant Inspector General for Investigations
CFR - Code of Federal Regulations
COR - Contracting Officer's Representative
DATA - Digital Accountability and Transparency Act
DOJ - U.S. Department of Justice
DPO - Differing Professional Opinion
EP - Emergency Preparedness
FISMA - Federal Information Security Modernization Act
FTR - Federal Travel Regulation
FITARA - Federal Information Technology Acquisition Reform Act
FY - Fiscal Year
GAO - Government Accountability Office
IAM - Issue Area Monitor
IG - Inspector General
IMPEP - Integrated Materials Performance Evaluation Program
IP - Inspection Procedure
IPAC - Intra-Government Payment and Collection
IPERA - Improper Payments Elimination and Recovery Act of 2010
IPERIA - Improper Payments Elimination and Recovery Improvement Act of 2012
IPIA - Improper Payments Information Act of 2002
ISSO - Information System Security Officer
IT - Information Technology
LAR - License Amendment Request
MC&A - Material Control and Accounting
MD - Management Directive
NMSS - Office of Nuclear Material Safety and Safeguards
NOED - Notices of Enforcement Discretion
NRC - U.S. Nuclear Regulatory Commission
OIG - Office of the Inspector General
OMB - Office of Management and Budget
PCS - Permanent Change of Station
RAI - Request for Additional Information
RES - Office of Nuclear Regulatory Research
RSO - Radiation Safety Officers
RPS - Reactor Program System
RRPS - Replacement Reactor Program System
SNM - Special Nuclear Material
TOC - Table of Contents