United States Nuclear Regulatory Commission - Protecting People and the Environment

OIG/96A-05 - Review of NRC's Implementation of the Federal Managers' Financial Integrity Act for 1995


Overview

Office of The Inspector General
U.S. Nuclear Regulatory Commission
Washington, DC 20555
Review of NRC's Implementation of The FMFIA For 1995
January 4, 1996

Memorandum to: Chairman Jackson
Commissioner Rogers
From: Leo J. Norton
Acting Inspector General
Subject: Review of NRC's Implementation of the Federal Managers' Financial Integrity Act for 1995

The Federal Managers' Financial Integrity Act (FMFIA) requires Federal managers to establish a continuous process for evaluating, improving, and reporting on the internal control and accounting systems for which they are responsible. The FMFIA specifies that by December 31 of each year, the head of each executive agency subject to the Act shall submit a report to the President and Congress stating whether the evaluation of internal controls was conducted in accordance with the Internal Control Guidelines issued by the Office of Management and Budget (OMB) and whether the agency's system of internal accounting and administrative controls complies with the standards established by the Comptroller General.

Office of Management and Budget (OMB) Circular A-123, Revised, "Management Accountability and Control," is the implementing guidance for FMFIA. The term "internal controls," as envisioned by the FMFIA, is synonymous with "management controls" and encompasses program and administrative areas, as well as the accounting and financial management areas.

NRC recently redesigned and streamlined its management control program in accordance with the National Performance Review recommendations and the Office of Management and Budget's 1995 revision to OMB Circular A-123. The redesigned program required offices designated as highest risk (with respect to programmatic and administrative activities) to submit management control plans and reasonable assurance letters to NRC's Executive Committee for Management Controls. The Executive Director for Operations is Chairman of the Executive Committee.

Most other offices were required to submit reasonable assurance letters only. Although we found that NRC has complied with the requirements of the FMFIA during Fiscal Year 1995, we are recommending some changes to strengthen the program and to make it consistent and more effective.

No material weaknesses were identified during 1995.

Attachment:
As stated

cc: H. Thompson, EDO
J. Milhoan, EDO
K. Cyr, OGC
J. Hoyle, SECY
D. Rathbun, OCA
J. Blaha, EDO
R. Scroggins, OC
P. Norry, ADM
G. Cranford, IRM
R. Bangart, OSP
W. Russell, NRR
E. Jordan, AEOD
D. Morrison, RES
C. Paperiello, NMSS
J. Funches, ICC
W. Beecher, OPA
T. Martin, RI
S. Ebneter, RII
H. Miller, RIII
L. Callan, RIV
OPA-RI
OPA-RII
OPA-RIII
OPA-RIV
OPA-RIV: Walnut Creek


Report Synopsis

Continuing disclosures of Federal waste, loss, unauthorized use, and misappropriation of funds or assets associated with weak internal controls and accounting systems resulted in the passage of the Federal Managers' Financial Integrity Act (FMFIA) in September 1982. The FMFIA requires Federal managers to establish a continuous process for evaluating, improving, and reporting on the internal controls and accounting systems for which they are responsible.

NRC recently redesigned and streamlined its management control program in accordance with the National Performance Review recommendations and the Office of Management and Budget's 1995 revision to OMB Circular A-123. The redesigned program required offices designated as the highest risk to submit management control plans and reasonable assurance letters to an Executive Committee for Management Controls. The Executive Director for Operations is Chairman of the Executive Committee. Most other offices were required to submit reasonable assurance letters only.

To assist NRC in evaluating its management control program, OIG annually reviews NRC's program. Because the new program is in its infancy, we reduced the scope of this year's audit and confined our review to (1) an overall assessment of NRC's compliance with FMFIA and OMB Circular A-123, and (2) a review of management control plans and reasonable assurance letters for conformance with the criteria established for those documents. We did not assess the significance or accuracy of the issues reported.

Overall, we believe that NRC has complied with the requirements of the FMFIA during FY 1995 and that the redesigned management control program meets the intent of the 1995 revision to OMB Circular A-123. We also believe that changes are needed to bring consistency and discipline to the process and our report makes 4 recommendations to enhance NRC's management control program.

No material weaknesses were identified during 1995.



Introduction

The Federal Managers' Financial Integrity Act (FMFIA) was enacted on September 8, 1982, in response to continuing disclosures of waste, loss, unauthorized use, and misappropriation of funds or assets associated with weak internal controls and accounting systems. Congress felt such abuses hampered the effectiveness and accountability of the Federal Government and eroded the public's confidence. The FMFIA requires Federal managers to establish a continuous process for evaluating, improving, and reporting on the internal controls and accounting systems for which they are responsible.

Office of Management and Budget (OMB) Circular A-123, Revised, "Management Accountability and Control," is the implementing guidance for FMFIA. The term "internal controls," as envisioned by the FMFIA, is synonymous with "management controls" and encompasses program and administrative areas, as well as the accounting and financial management areas. OMB defined management controls in Circular A-123 as the controls used to ensure that (1) organization, policies and procedures are reasonable to ensure that programs achieve their intended results; (2) resources are used consistent with agency mission; (3) programs and resources are protected from waste, fraud, and mismanagement; (4) laws and regulations are followed; and, (5) reliable and timely information is obtained, maintained, reported and used for decision making.

See Appendix I for the objectives, scope, and methodology of our review.



Background

The FMFIA specifies that by December 31, 1983, and by each succeeding December 31, the head of each executive agency subject to the Act shall submit a report to the President and Congress stating whether the evaluation of internal controls was conducted in accordance with the Internal Control Guidelines issued by OMB and whether the agency's system of internal accounting and administrative controls complies with the standards established by the Comptroller General.

NRC recently redesigned and streamlined its management control program in accordance with the National Performance Review recommendations and the Office of Management and Budget's 1995 revision to OMB Circular A-123. The redesigned program required offices designated as the highest risk (with respect to programmatic and administrative activities) to submit management control plans and reasonable assurance letters to the Chairman, Executive Committee for Management Controls. The Executive Director for Operations is Chairman of the Executive Committee. Most other offices were required to submit reasonable assurance letters only. Under the revised program, office management control plans and reasonable assurance letters were due on June 23, 1995, and September 30, 1995, respectively. In subsequent years, management control plans will be due on March 31. Sixteen offices and regions were required to submit management control plans and reasonable assurance letters, while nine others were required to submit reasonable assurance letters only.

To assist NRC in evaluating its management control program, OIG annually reviews NRC's program. Because the new program is in its infancy, we reduced the scope of this year's review and confined it to (1) an overall assessment of NRC's compliance with OMB Circular A-123, and (2) a review of management control plans and reasonable assurance letters for conformance with the criteria established for those documents. We did not assess the significance or accuracy of the issues reported.



Findings

Overall, we found that NRC's management control program meets the intent of OMB Circular A-123. However, the program needs strengthening to become a more effective management tool. Specifically, we found (1) the form and content of offices' management control plans were inconsistent and lacked required information; (2) wide variations in reporting may indicate the lack of a common understanding for identifying a risk area; and (3) one office submitted its reasonable assurance letter over two months late.



The Form and Content of Management Control Plans Were Inconsistent and Feedback Was Not Provided

We found that the form and content of management control plans were inconsistent and did not follow the guidelines provided in the EDO's memorandum. As a result, some plans lacked required information, leaving a reader to speculate whether prescribed actions were completed.

In a May 15, 1995 memorandum to office directors and regional administrators, the EDO announced NRC's redesigned and streamlined management control program. Attached to the EDO's memorandum was a description of the program and information required to be contained in management control plans. The plans were to address the following criteria: (1) identification of significant risk areas and plans for minimizing risk, (2) significant areas for management control reviews, the objectives of such reviews and expected completion dates, (3) significant management control deficiencies discovered and a description of corrective actions to minimize risk or resolve such deficiencies, and (4) the status of previously identified corrective actions.

While we examined conformance with all the criteria, we focused our attention on the identification of risk areas, future management control reviews and reporting of deficiencies. Our review of the sixteen plans submitted revealed that five offices did not disclose the significant risk areas in their operations (criterion 1), although all identified areas for future management control reviews (criterion 2). Further, six offices did not state whether significant deficiencies existed (criterion 3). Because they did not so state, a reader must speculate as to the existence or absence of deficiencies. The remaining offices identified significant risk areas in their operations, and described or stated the absence of significant deficiencies.

The attachment to the EDO's May 15 memorandum also provides for Executive Committee review of management control plans. It states that the Committee "Reviews management control plans submitted by the offices and regions and provides guidance concerning the adequacy of the plans and issues included in the plans." Although several management control plans did not contain the information prescribed in the EDO guidance, no feedback was provided to those offices. Each plan was accepted as submitted.

NRC Management Directive 4.4, Management Controls, is currently in draft, and specifies the minimum form and content for future management control plans. These criteria correlate with those contained in the EDO's May 15 guidance. To establish an effective and consistent program, we agree that management control plans should address the prescribed criteria. However, we believe that, in the future, appropriate feedback should be provided to those offices whose plans do not meet the criteria.

Since each management control plan was accepted as submitted for 1995, the variance in reporting level may suggest another possibility. The offices that prepared extensive plans and addressed all criteria may be expending unnecessary effort. If so, they should be advised what constitutes an appropriate acceptable reporting level for 1996.



The Process for Identifying Risk Areas May Not Be Commonly Understood

The identification of major risk areas varied widely from office to office. As stated above, the management control plans submitted by 5 of the 16 offices did not address the major risk areas in their operations. According to the EDO's May 15 memo, the offices chosen to prepare management control plans were selected because they represented "the highest risk with respect to programmatic and administrative activities..." The failure to identify major risk areas appears to suggest that the preparers may not have fully understood the requirements. Because risk areas and controls to minimize risk were not identified, we believe the Executive Committee may not obtain sufficient information upon which to base an assessment of an NRC office or region. Two specific examples suggest this unintended situation.

First, one office stated that it had no major risk areas even though it met the criteria for submitting a management control plan. Most other offices identified major risk areas. Second, three of the four regions identified major risk areas in technical and administrative activities; however, a fourth region identified one administrative area as being of major risk. We believe this chasm in reporting further suggests that the process for identifying major risk areas may not be clearly understood.



One Reasonable Assurance Letter Was Submitted Over Two Months Late

We found that as of December 13, 1995, the Office of the Controller had not prepared its reasonable assurance letter. As of that date, the letter was over two months late.

Subsequent to issuing our draft report, OC submitted its reasonable assurance letter to the EDO on December 20, 1995. In his response to our draft report, the Deputy Executive Director for Nuclear Materials Safety, Safeguards and Operations Support stated that OC's reasonable assurance letter was delayed until the materiality of a weakness in the financial system could be assessed.

OC advised us that NRC does not consider the issue to be a material weakness. We will, however, continue to pursue this issue during our 1995 audit of NRC's financial statements.



Conclusion

Overall, we believe that NRC has complied with the requirements of the FMFIA during FY 1995 and that the redesigned management control program meets the intent of the 1995 revision to OMB Circular A-123. We also believe that implementation changes are needed to strengthen the program and to bring consistency and discipline to the process.

To be a consistent and effective program, the preparers of management control plans must have a common understanding of the requirements for those plans. To be sure, each plan may identify different risk areas and plans for additional reviews. However, this first round of submittals indicates that there is no common understanding of the reporting criteria, as one major office said it had no risk areas and others did not discuss significant risk areas in their operations.

Draft Management Directive 4.4 prescribes the minimum form and content requirements for future management control plans. However, without a common understanding of the reporting criteria, the effectiveness of NRC's program will be diminished because the Executive Committee may not have the data it needs to fully evaluate NRC activities. Additionally, consistency will be improved if the offices receive feedback on the adequacy of the plans submitted.

Because all management control plans were accepted for 1995, we believe a change in the reporting criteria as contained in draft MD 4.4 may be needed.



Recommendations

The Executive Committee should:

  1. Review future management control plans to ensure completeness and adherence to the prescribed reporting format outlined in draft Management Directive 4.4 when it is finalized.

  2. Ensure that office directors and regional administrators have a common understanding of the reporting criteria.

  3. Provide appropriate and timely feedback on management control plans.

  4. Ensure that management control plans and reasonable assurance letters are prepared and submitted as required.



Agency Comments

On December 26, 1995, the Deputy Executive Director for Nuclear Materials Safety, Safeguards and Operations Support responded to our draft report. He agreed in part with three recommendations and agreed with the fourth. Based on the responses provided, we have expanded on the information presented in our report.

Because this was the first year of the revised management control program, we did not evaluate weaknesses disclosed. Our objective was to provide feedback to the Executive Committee about the implementation of the new process. We believed this information would be useful to the EDO, as Chairman of the Executive Committee, in assessing whether the revised program met its objectives.

In his response, the Deputy EDO noted that the agency has "embarked on a new and very different approach to identifying and improving management controls." To assess whether management controls have improved under the new process, some basic reporting criteria, such as those identified in draft Management Directive 4.4, should be included in the management control plans. We believe these criteria will provide a common framework for evaluating the performance of each office and region in preparing their plans.

The Deputy EDO also stated that feedback on management control plans "will be provided when the committee determines a plan is inadequate or needs significant improvement." During the 1995 process, however, the Executive Committee did not review the management control plans. Instead, a committee staffer reviewed the plans, and will provide a summary to the Committee. Thus, the members of the Committee will only have indirect knowledge of the plans submitted. We believe that Committee review and feedback, if needed, is critical. Without it, the Executive Committee lacks a basis for assessing whether improvements to NRC's new and different approach meet stated objectives of improving management controls.

We agree with the Deputy EDO that the format and content of management control plans "should be tailored to each office's operating environment." However, as stated above and as reflected in the draft Management Directive, certain basic reporting information is needed. Our assessment was based on whether the offices and regions provided the information requested by the EDO in his May 15, 1995 memo. Our intent was to provide the EDO with feedback about the level of compliance with the information he requested. We did not prescribe or suggest what the reporting requirements should be.

The Deputy EDO's responses generally addressed the concerns we identified. While the response to recommendation 1 does not assuage our concern, we believe that the corrective actions planned as part of recommendation 2 will help to resolve the issue. During our 1996 FMFIA audit, we will follow up on the implementation of our recommendations and examine whether NRC's modified program met stated objectives.



Objectives, Scope, and Methodology

Our primary objective was to determine whether the U.S. Nuclear Regulatory Commission (NRC) complied with the provisions of the Federal Managers' Financial Integrity Act, which requires Federal managers to establish a continuous process for evaluating, improving, and reporting on the internal control and accounting systems for which they are responsible. A second objective was to review management control plans and reasonable assurance letters submitted to the Executive Committee for conformance with the criteria established by the EDO in his May 15, 1995 memo.

We conducted our review at NRC Headquarters in November and December 1995. We reviewed applicable laws and implementing guidance and the management control plans and reasonable assurance letters submitted by NRC offices in 1995. Our review included discussions with the Deputy CFO and Executive Committee staff.

Our review was conducted in accordance with generally accepted Government auditing standards and included such tests of the data and records and other auditing procedures as we considered necessary.



Agency Comments on Draft Report

United States Nuclear Regulatory Commission
Washington, DC 20555-0001
December 26, 1995

Memorandum to: Leo J. Norton
Acting Inspector General
From: Hugh L. Thompson, Jr.
Deputy Executive Director for Nuclear Materials Safety, and Operations Support
Office of the Executive Director for Operations
Subject: Draft Report - NRC's Compliance with the Federal Managers' Financial Integrity Act for 1995

This responds to the December 18, 1995, memorandum transmitting the subject audit report. I am pleased to note your conclusion that the NRC has met the requirements of the Federal Managers' Financial Integrity Act (Integrity Act), and our redesigned management control program meets the intent of the 1995 revision to Office of Management and Budget (OMB) Circular No. A-123, "Management Accountability and Control," dated June 21, 1995.

This determination is particularly gratifying this year, since we have embarked on a new and very different approach to identifying and improving management controls in the agency. I also am pleased to learn that your audit work this year has disclosed no material weaknesses in management controls. Our comments on your draft report are provided in the following paragraphs. As a preface to those comments I should clarify the role we envision for the Executive Committee. The Executive Committee is intended to provide high level oversight, strategy and direction to the management control program. Detailed administration of the management control program will be performed by the Office of the Controller. Therefore, some of the recommendations you make for the Executive Committee are more appropriately accomplished by the Office of the Controller.

We suggest that you change the term "high risk" on pages i and 2 of your report to "highest risk," to more accurately reflect the intent of the program. You use the phrase, "designated high risk offices" to describe those offices that are required to submit management control plans. This is not language that we have used in our program, and it conveys an inference that we do not intend. Our objective was to eliminate the requirement to prepare a plan in those offices that have relatively low risk. The term we used in describing the offices that should submit management control plans was "highest risk with respect to programmatic and administrative activities." "Highest risk" is a relative term and does not necessarily imply that an office is "high risk."

With respect to your specific recommendations, I submit the following:

Recommendation 1

The Executive Committee should review future management control plans to ensure completeness and adherence to the prescribed reporting format outlined in draft Management Directive 4.4 when it is finalized.

Response

Agree in part.

It is not the intent of the revised management control program to require compliance with a prescribed reporting format for management control plans. The intent of the program is to provide a framework within which office directors can carry out their management control responsibilities. Therefore, the format and content of the plans should be tailored to each office's operating environment. However, if certain designated management control activities are planned by the offices, or desired by the Executive Committee, the offices are asked to include these in their plans. This is information that generally will assist the Committee in carrying out its oversight responsibilities. A list of these designated activities was included in the instructions for preparing the plans. The Executive Committee will review the 1996 plans to ensure Committee concerns are addressed.

Recommendation 2

The Executive Committee should ensure that office directors and regional administrators have a common understanding of the reporting criteria.

Response

Agree in part. We agree that there should be a common understanding of the minimum information to be included in the plans; however, we do not want to discourage office directors from providing more than the minimum information or being more conservative than necessary in identifying risks. One of the primary advantages of having an Executive Committee is that its members can review the information submitted by each of the offices and determine whether other offices should focus on the same area, thus providing an agency-wide approach to controlling risk and improving controls. The Committee also can bring its agency-wide perspective to the process to identify issues that are major risks and significant deficiencies when viewed broadly that may not be obvious to individual office directors.

We would not expect nor want to encourage the offices' management control plans to be the same, since the plans should be tailored to each office's operating environment and should be another tool for the office directors to use in meeting their management control responsibilities. For example, although a risk would not fall into the "major" risk category if it has adequate controls, we see nothing wrong with the offices including information in their plans on how they are controlling risks, major or otherwise. This may be beneficial to a particular office director.

OC staff provided guidance to the offices, when requested, while the FY 1995 plans were being prepared. The staff will continue to provide assistance to the offices. Since this is a new program, we will determine if more definitive guidance should be provided to assist the offices in preparing their plans, without being too prescriptive. OC staff will survey the offices required to submit plans and determine which areas, if any, need clarification. The results of this audit will be considered in determining whether further clarification is needed.

Recommendation 3

The Executive Committee should provide appropriate and timely feedback on management control plans.

Response

Agree in part. As part of its oversight role, the Executive Committee may identify significant areas of concern for individual offices to address in the management control plans, as it did in FY 1995. The annual call for the management control plans also may contain specific items that the Committee believes should be in the plans.

The Executive Committee's role is to provide overall strategy and direction to the management control program. While the Committee will provide overall guidance to improve the adequacy of the plans and issues included in the plans, at this time it does not intend to "approve" each office's plan or to provide feedback on every individual plan. Feedback will be provided when the Committee determines a plan is inadequate or needs significant improvement. The intent of the agency's new management control program is to place the responsibility for an annual management control plan with the senior managers who are directly responsible for the management controls in their offices. We believe this approach will help the agency integrate the requirements of the Integrity Act into its day-to-day operations.

Recommendation 4

The Executive Committee should ensure that management control plans and reasonable assurance letters are prepared and submitted as required.

Response

Agree. We agree with the premise of your recommendation and believe we are complying. All designated offices submitted management control plans and assurance letters for FY 1995. The assurance statement from OC, referred to in your report, was delayed until the materiality of a weakness in the financial system could be assessed. The Deputy Chief Financial Officer/Controller (DCFO/Controller) believed this assessment was necessary to provide full disclosure in the Chairman's assurance statement regarding material weaknesses or non-conformances.



U.S. NRC Functional Organization Chart

Figure 1: The U.S. NRC Functional Organization Chart



Major Contributors to this Report

Anthony C. Lipuma
Team Leader

Gary S. Janosko
Audit Manager



Glossary: Office of the Inspector General Products

Investigative

1. Investigative Report - White Cover

An Investigative Report documents pertinent facts of a case and describes available evidence relevant to allegations against individuals, including aspects of an allegation not substantiated. Investigative reports do not recommend disciplinary action against individual employees. Investigative reports are sensitive documents and contain information subject to the Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrative action is warranted. The agency is expected to advise the OIG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to investigative report findings.

2. Event Inquiry - Green Cover

The Event Inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OIG of managerial initiatives taken in response to issues identified in these reports but tracking its recommendations is not required.

3. Management Implications Report (MIR) - Memorandum

MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future. Agency tracking of recommendations is not required.

Audit

4. Audit Report - Blue Cover

An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, function, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports. The audit results are also reported in the OIG's "Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.

5. Special Evaluation Report - Burgundy Cover

A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.

Regulatory

6. Regulatory Commentary - Brown Cover

Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations. Commentaries cite the IG Act as authority for the review, state the specific law, regulation or policy examined and pertinent background information considered, and identify OIG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OIG Semiannual Report to Congress. Each report indicates whether a response is required.


Page Last Reviewed/Updated Thursday, March 29, 2012