Text

Audit of the NRCs Prohibited Security Ownership Process OIG-21-A-17 September 30, 2021 All publicly available OIG reports (including this report) are accessible through the NRCs website at http://www.nrc.gov/reading-rm/doc-collections/insp-gen

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 OFFICE OF THE INSPECTOR GENERAL September 30, 2021 MEMORANDUM TO: Margaret M. Doane Executive Director for Operations Marian L. Zobler General Counsel FROM: Eric Rivera /RA/

Acting Assistant Inspector General for Audit

SUBJECT:

AUDIT OF THE NRCS PROHIBITED SECURITY OWNERSHIP PROCESS (OIG-21-A-17)

Attached is the Office of the Inspector Generals (OIGs) audit report titled Audit of the NRCs Prohibited Security Ownership Process.

The report presents the results of the subject audit. Following the September 23, 2021, exit conference, agency staff indicated that they had no formal comments for inclusion in this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow-up as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at (301) 415-7032 or Vicki Foster, Team Leader, at (301) 415-5909.

Attachment:

As stated

Office of the Inspector General U.S. Nuclear Regulatory Commission Defense Nuclear Facilities Safety Board OIG-21-A-17 September 30, 2021 Results in Brief Audit of the NRCs Prohibited Security Ownership Why We Did This Review Mandated by Title 5, Code of Process Federal Regulations, Chapter What We Found XLVII, Part 5801, Section 102, Prohibited Securities and The NRC has not established and implemented an effective system implemented and enforced by the U.S. Nuclear Regulatory of internal controls over the NRCs prohibited security ownership Commissions (NRCs) process.

Management Directive 7.7, Security Ownership, it is agency Agency guidance requires covered employees to complete security policy to prohibit NRC employees with substantive ownership certification forms and report ownership of prohibited regulatory responsibilities from securities within required timeframes. However, the agency is not owning stocks, bonds, and other following its guidance; specifically, prohibited security process security interests issued by forms were untimely or missing. This circumstance occurred major entities in the commercial nuclear field. because the internal controls over the NRCs prohibited security ownership process are unclear and ineffective. As a result, the These NRC employees, subject to NRC is at an increased risk of having covered employees violate the prohibited security ownership prohibited securities regulation.

requirements, work in covered positions as named in the NRC Positions Subject to the Security Ownership Restriction, January What We Recommend 2020.

The report contains recommendations to establish and implement The NRC established the effective internal controls over the NRCs prohibited security prohibited security ownership ownership process to include clarifying roles and responsibilities, process to ensure public developing and implementing quality assurance measures, revising confidence that NRC programs and implementing guidance, and requiring annual training.

are conducted impartially and objectively.

The audit objective was to determine whether the NRC has established and implemented an effective system of internal control over the NRCs prohibited security ownership process.

Audit of the NRCs Prohibited Security Ownership Process TABLE OF CONTENTS ABBREVIATIONS AND ACRONYMS .......................................................... i I. BACKGROUND ................................................................................ 1 II. OBJECTIVE ...................................................................................... 2 III. FINDING ........................................................................................... 3 Agency Requirements are Not Followed ..................................... 3 Recommendations ...................................................................... 9 IV. AGENCY COMMENTS ................................................................... 11 APPENDIX A. OBJECTIVE, SCOPE, AND METHODOLOGY ............................... 12 TO REPORT FRAUD, WASTE, OR ABUSE ............................................. 14 COMMENTS AND SUGGESTIONS .......................................................... 14

Audit of the NRCs Prohibited Security Ownership Process ABBREVIATIONS AND ACRONYMS C.F.R. Code of Federal Regulations MD Management Directive NRC U.S. Nuclear Regulatory Commission OCHCO Office of the Chief Human Capital Officer OGC Office of the General Counsel OIG Office of the Inspector General SOC Security Ownership Certification i

Audit of the NRCs Prohibited Security Ownership Process I. BACKGROUND Mandated by Title 5, Code of Federal Regulations (C.F.R.), Chapter XLVII, Part 5801, Section 102, Prohibited Securities (5 C.F.R. 5801.102) and implemented and enforced by the U.S. Nuclear Regulatory Commissions (NRCs) Management Directive (MD) 7.7, Security Ownership, it is agency policy to prohibit NRC employees with substantive regulatory responsibilities from owning stocks, bonds, and other security interests issued by major entities in the commercial nuclear field. These NRC employees, subject to prohibited security ownership requirements, work in covered positions as named in the NRC Positions Subject to the Security Ownership Restriction, January 2020. The NRC established the prohibited security ownership process to ensure public confidence that NRC programs are conducted impartially and objectively.

Differentiation Between the Prohibited Security Ownership and Financial Disclosure Processes 5 C.F.R. 5801.102 establishes the prohibited security ownership process that is unique to the NRC, while the financial disclosure process is implemented government-wide.

The prohibited security ownership process is mandated by 5 C.F.R.

5801.102, and only pertains to NRC employees. 5 C.F.R. 5801.102 prohibits covered employees from owning stock in securities issued by entities that seek or possess NRC licenses to operate nuclear power plants or major fuel cycle facilities, companies that manufacture nuclear reactors, and certain mutual funds that specifically concentrate investments in the energy or utility sectors. NRC management and staff use NRC MD 7.7, last revised September 25, 2015, to implement prohibited security ownership requirements.

The financial disclosure process, which is distinct from the prohibited securities process, is mandated by the Ethics in Government Act of 1978, as amended, the U.S. Office of Government Ethics regulations and Title 5 C.F.R. Part 2634, Executive Branch Financial Disclosure, Qualified Trusts, and Certificates of Divestiture, and pertains to federal employees 1

Audit of the NRCs Prohibited Security Ownership Process government-wide. The purpose of financial disclosure is to help avoid conflicts between official duties and private financial interests or affiliations. The NRC implements financial disclosure requirements using MD 7.6, Public and Confidential Financial Disclosure Reports. There are some NRC employees who must report prohibited securities but are not subject to financial disclosure.

Roles and Responsibilities in the NRCs Prohibited Securities Ownership Process MD 7.7 identifies roles and responsibilities for implementing the NRCs prohibited security ownership process. The NRC Chairman, office directors, and employees have roles and responsibilities in the prohibited securities process. The NRC Office of the General Counsel (OGC) oversees process efficacy using Ethics Gateway--the repository for prohibited securities related data and information. The OGC contacts office directors who designate the covered positions within their respective offices and provide input on revisions to the prohibited securities list for annual publication. The Office of the Chief Human Capital Officer (OCHCO) staff notify employees upon appointment or conversion to a covered position about the responsibility for reporting prohibited securities.

NRC employees in covered positions inform the OGC whether or not they hold prohibited securities.

When an employee seeks a waiver or extension, the OGC will recommend to the NRC Chairman whether the Chairman should grant an exception to the security ownership restriction, or an extension to the deadline for divestiture.

II. OBJECTIVE The audit objective was to determine whether the NRC has established and implemented an effective system of internal control over the NRCs prohibited security ownership process.

Appendix A of this report provides information on the audit scope and methodology.

2

Audit of the NRCs Prohibited Security Ownership Process III. FINDING The NRC has not established and implemented an effective system of internal controls over the NRCs prohibited security ownership process.

A. Agency Requirements are Not Followed Agency guidance requires covered employees to complete security ownership certification (SOC) forms and report ownership of prohibited securities within required timeframes. However, the agency is not following its guidance; specifically, prohibited security process forms were untimely or missing. This circumstance occurred because the internal controls over the NRCs prohibited security ownership process are unclear and ineffective. As a result, the NRC is at an increased risk of having covered employees violate the prohibited securities regulation.

What Is Required NRCs Certification Requirements Agency guidance requires covered employees to complete SOC forms and report ownership of prohibited securities within required timeframes.

NRC MD 7.7 requires that upon promotion or other appointment to covered positions, employees subject to the security ownership restriction as identified in the position list provided annually by the OGC, shall sign an SOC form stating whether they own prohibited securities. Each employee who is subject to the security ownership restriction and who involuntarily acquires a prohibited security after commencement of duty through such means as inheritance, marriage, or gift must notify an OGC deputy ethics counselor in writing within 30 days after acquisition of the prohibited security. Additionally, each employee subject to the security ownership restriction who owns, or whose spouse or minor child owns, a security that was added to the prohibited securities list must notify an OGC deputy ethics counselor in writing within 30 days after publication of the list.

3

Audit of the NRCs Prohibited Security Ownership Process The covered employee, or the spouse or minor child of the covered employee, shall divest prohibited securities within 90 days after appointment to a covered position. Each employee who is subject to the security ownership restriction and who involuntarily acquires a prohibited security through such means as inheritance, marriage, or gift shall divest the prohibited securities within 90 days after acquisition. Additionally, any employee subject to the security ownership restriction, or the spouse or minor child of that employee, who owns a security interest in an entity at the time the entity is added to the prohibited securities list published by OGC must divest the prohibited security within 90 days after addition of the entity to the list. In cases of unusual hardship, the Chairman may extend the 90-day period in which individuals subject to the security ownership restriction are required to divest the prohibited asset.

What We Found The NRC is Not Following its Own Guidance The NRC is not following its SOC guidance; specifically, the forms were untimely or missing. The OIG requested the OGC to provide all SOC forms, waiver requests, and extension requests for covered employees and requested the OCHCO to provide the names of employees that had personnel actions1 from January 2019 to April 2021.

The following summarizes the OIGs analysis of the data obtained prior to the OGC granting the OIG access to Ethics Gateway:

The following SOC forms were untimely:

• Instead of providing all SOC forms in response to the initial data request, the OGC provided its own sample of 40 records from the OGC estimated total of 400 SOC forms within Ethics Gateway;

• In subsequent data requests for 171 SOC forms, the OGC provided 14 forms. Of the 14 SOC forms, 5 were completed after the employees appointment or conversion to a position covered by the security ownership restriction; and, 1

Personnel actions included newly hired and promoted employees.

4

Audit of the NRCs Prohibited Security Ownership Process

• The OGC provided two SOC forms that covered employees signed after the audit request date, including: one covered employee who onboarded March 2021 did not sign the SOC form until May 2021; and, another employee already working in a covered position therefore subject to prohibited securities before being promoted in March 2019, did not sign the SOC form until May 2021.

The following prohibited security waiver and extension requests were untimely:

• Of the four waiver and extension requests, covered employees submitted two waiver requests and one extension request beyond the reporting requirement as follows:

o In two instances, employees in covered positions submitted waiver requests during the years 2019 through 2021 for prohibited securities acquired in the year 2009; and, o For the extension request, the employee reported to an OGC deputy ethics counselor in April 2020, that the employee owned prohibited securities at the time of reassignment in November 2019 into a covered position.

During the Ethics Gateway observation, the OIG identified that the following SOC forms were missing:

• Two covered employees stated they signed their SOC forms twice, once during onboarding and another during May 2021 and June 2021, respectively.

• Three employees in covered positions were missing SOC forms, of which:

o Two employees were not listed as covered when they should have been classified as such; and, o One covered employee was missing an SOC form.

In a subsequent analysis of Ethics Gateway, the OIG developed a judgmental sample of 60 potential covered employees subject to prohibited securities based on their personnel actions, such as, new hires, 5

Audit of the NRCs Prohibited Security Ownership Process promotions, and departures. Of the 60 sampled employees, 51 were missing the SOC form in their employee profile within Ethics Gateway.

Why This Occurred Unclear and Ineffective Internal Controls Over the NRCs Prohibited Security Ownership Process Weaknesses exist in the NRCs prohibited security ownership process because internal controls over the NRCs prohibited security ownership process are unclear and ineffective.

Unclear Roles and Responsibilities The roles and responsibilities for implementing the NRCs prohibited security ownership process are unclear to OGC and OCHCO staff. As the NRCs lead office for ethics matters, the OGC is also the lead for implementing the prohibited securities ownership process. MD 7.7 indicates that OCHCO is responsible for giving SOC forms during onboarding, and employees are responsible for returning the SOC forms to the OGC.

Although OCHCO staff provide the SOC forms to employees during onboarding, OCHCO staff explained that it was the OGCs responsibility to obtain SOC forms when current employees move into covered positions.

Furthermore, since roles and responsibilities are unclear, the OCHCO and the OGC cannot confirm whether their offices received SOC forms from covered employees.

OGC management asserted that it is the OCHCOs responsibility to obtain SOC forms when current employees move into covered positions. The OGC affirmed that this is because OCHCO staff is aware of personnel actions. OGC management also affirmed that the OCHCO is responsible for the SOC forms if the employees are not subject to financial disclosure reporting requirements.

6

Audit of the NRCs Prohibited Security Ownership Process Inadequate Quality Assurance Measures The OGC does not conduct adequate quality assurance reviews and does not adequately retain prohibited securities records. Ethics Gateway was developed for the financial disclosure process, but is the only tool the OGC uses for monitoring information related to prohibited securities.

The OGC explained that one quality assurance internal control it conducts is a review of Ethics Gateway. Twice a year, the OGC conducts a review by filtering employee positions to ensure that the agency accurately captured covered positions in Ethics Gateway. Nonetheless, due to frequent personnel actions, a more systematic and formalized quality assurance review would verify that staff accurately record the employees subject to prohibited securities requirements in the system.

In addition, the OGC does not perform adequate quality assurance measures for records retention. The OGC indicated when Ethics Gateway was created in 2019, financial disclosure information was imported from the prior system; however, none of the SOC forms were uploaded. The OGC also indicated that some SOC forms were missing because the employees appointment dates occurred prior to importing the old data into the new Ethics Gateway. Furthermore, OGC indicated that the financial disclosure forms need to be kept for six years, anything after is automatically deleted from Ethics Gateway, although the record retention requirements do not explicitly mention prohibited securities. The OIG noted that some SOC forms for departed employees were retained in Ethics Gateway, while other departed employee profiles were deactivated.

Finally, in the newly deployed Ethics Gateway, the SOC form is contained electronically within a new entrants financial disclosure form, if they are a financial disclosure filer. Therefore, the OGC indicated that if an employee was a financial disclosure filer prior to 2019, and has been for some time prior, then they would not have a new entrant financial disclosure form electronically containing the SOC form.

Outdated Guidance MD 7.7 contains outdated guidance and is inconsistent with current practices. For example, the SOC form in MD 7.7 is not the same SOC form staff currently use.

7

Audit of the NRCs Prohibited Security Ownership Process MD 7.7 also contains inconsistent guidance to staff about the requirement to return the SOC form. MD 7.7 directs employees to send completed SOC forms to the OGC deputy ethics counselor, inconsistent with the current verbal requirement to return the SOC form to the OCHCO.

Furthermore, MD 7.7 directs employees to return the signed SOC form only if they own prohibited securities. Yet, the SOC form indicates that an employee is supposed to certify if they own prohibited securities or not.

Therefore, an employee should always complete, sign, and return the form.

Lack of Written Office Procedures The OGC has not fully developed and implemented written procedures for office coordination related to the prohibited security ownership process.

Currently, the OGC is developing a draft desk guide that addresses the prohibited security ownership process, and the office roles and responsibilities between the OGC and the OCHCO. This draft desk guide will provide the OCHCO with instructions to upload the completed SOC form into Ethics Gateway.

Employee Unawareness Covered employees indicated unawareness surrounding their adherence to the prohibited security ownership waiver and extension requests. In response to four individual requests for waivers and extensions, a former NRC Chairman declared that employees should have been aware of these requirements because there is an annual Yellow Announcement2 containing the list of positions subject to prohibited security ownership.

Additionally, the former NRC Chairman stated, to the extent an employee overlooked or misread these announcements, this does not justify a waiver or extension from the rule. However, the agency provides the Yellow Announcement once a year, and personnel actions involving covered positions frequently happen throughout the year.

The NRC requires one ethics training addressing prohibited securities, when employees onboard, with no refresher or annual training required 2

The OGC annually publishes an update to the NRC Prohibited Securities List. The most recent update was published as YA-20-0101, 2021 Update to NRC Prohibited Securities List, dated December 29, 2020.

8

Audit of the NRCs Prohibited Security Ownership Process thereafter unless the employee is appointed or converted into financial disclosure reporting positions. Annual or refresher training specific to prohibited securities ownership will improve covered employees awareness of the prohibited securities ownership requirements.

Why This Is Important Increased Risk of Violating Federal Regulations Without an effective system of internal controls over the prohibited securities ownership process, the NRC increases the risk of covered employees violating the prohibited securities regulation. For example, an OIG investigation concluded that an NRC employee was in a covered position and held prohibited securities for five years. The employee was not aware of the requirement until after being promoted into a financial disclosure reporting position, but could have had a conflict of interest with an NRC licensee by not reporting securities ownership promptly.

To avoid conflicts of interest, NRC employees must abide by the provisions in 5 C.F.R. 5801.102. By strengthening internal controls over the prohibited security ownership process, the agency will reduce the risk of conflicts of interest and ensure public confidence that the NRC conducts programs impartially and objectively.

Recommendations The OIG recommends that the Executive Director for Operations and the General Counsel:

1. Clarify roles and responsibilities for completion, tracking, and retention of security ownership forms;

2. Develop and implement quality assurance measures for the prohibited securities process to ensure staff adherence to timeliness metrics and ethics guidance;

3. Develop and implement quality assurance measures to ensure adequate monitoring of prohibited securities records including record retention and external audit capability; 9

Audit of the NRCs Prohibited Security Ownership Process

4. Revise MD 7.7, Security Ownership, to include roles and responsibilities clarifications, and remove inconsistencies and outdated information;

5. Develop, finalize, and implement the prohibited securities desk guide; and,

6. Require all NRC employees to complete annual training on the prohibited securities process, including waiver and extension requests, and require covered employees to sign annual security ownership certification forms.

10

Audit of the NRCs Prohibited Security Ownership Process IV. AGENCY COMMENTS An exit conference was held with the agency on September 23, 2021.

After reviewing a discussion draft, agency management provided comments that have been incorporated into this report, as appropriate.

As a result, agency management opted not to provide formal comments for inclusion in this report.

11

Audit of the NRCs Prohibited Security Ownership Process Appendix A OBJECTIVE, SCOPE, AND METHODOLOGY Objective The audit objective was to determine whether the NRC has established and implemented an effective system of internal control over the NRCs prohibited security ownership process.

Scope This audit focused on the implementation of the NRCs prohibited security ownership process. The OIG conducted this performance audit from February 23, 2021 through September 23, 2021 at NRC headquarters in Rockville, Maryland. Internal controls related to the audit objective were reviewed and analyzed. Specifically, the OIG reviewed the components of control environment, control activities, information and communication, and monitoring. Within those components, the OIG reviewed the principles of establishing an organizational structure; implementing control activities through policies; using quality information; communicating both internally and externally; and monitoring and evaluating the results.

Methodology To accomplish the audit objectives, the audit team reviewed relevant laws, regulations, and guidance including:

• Title 5, C.F.R., Chapter XLVII, Part 5801, Section 102, Prohibited Securities;

• Title 5 C.F.R. Part 2634, Executive Branch Financial Disclosure, Qualified Trusts, and Certificates of Divestiture;

• Ethics in Government Act of 1978;

• Government Accountability Office, Standards for Internal Control in the Federal Government (GAO-14-704G);

• MD 7.7, Security Ownership;

• MD 7.6, Public and Confidential Financial Disclosure Reports; and,

• Yellow Announcement, YA-20-0101, December 29, 2020.

12

Audit of the NRCs Prohibited Security Ownership Process The OIG interviewed individuals in the OCHCO and the OGC to obtain insights about the implementation and oversight of the prohibited security ownership process. Auditors conducted additional interviews with employees in covered positions.

Auditors requested information from the OCHCO and the OGC covering January 2019 to April 2021. The data requested included: employee action reports, all SOC forms, waiver and extension requests, divestitures, and lists of employees subject to the prohibited securities requirements.

The OIG compared the OCHCO employee action list with the OGC list of employees subject to the prohibited security requirements to develop the sample of SOC forms to be retrieved from Ethics Gateway.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Throughout the audit, auditors considered the possibility of fraud, waste, and abuse in the program.

The audit was conducted by Vicki Foster, Team Leader; Jimmy Wong, Audit Manager; Megan Velasquez, Senior Management Analyst; and Connor McCune, Senior Management Analyst.

13

Audit of the NRCs Prohibited Security Ownership Process TO REPORT FRAUD, WASTE, OR ABUSE Please

Contact:

Email: Online Form Telephone: 1-800-233-3497 TTY/TDD: 7-1-1, or 1-800-201-7165 Address: U.S. Nuclear Regulatory Commission Office of the Inspector General Hotline Program Mail Stop O5-E13 11555 Rockville Pike Rockville, MD 20852 COMMENTS AND SUGGESTIONS If you wish to provide comments on this report, please email OIG using this link.

In addition, if you have suggestions for future OIG audits, please provide them using this link.

14