OIG/98A-08 - NRC Should Reconsider the Methodology and Implementation of the Management Control Program
December 9, 1998
MEMORANDUM TO: William D. Travers, Executive Director for Operations
FROM: Thomas J. Barchi, Assistant Inspector General for Audits
SUBJECT: NRC SHOULD RECONSIDER THE METHODOLOGY AND IMPLEMENTATION OF THE MANAGEMENT CONTROL PROGRAM
Attached is the above referenced Office of the Inspector General (OIG) audit report. The audit's objective was to determine if the management control program is achieving its goals as established in NRC Management Directive 4.4, Management Controls.
On October 23, 1998, we provided a draft copy of the report to you for comment. Although the comments were due November 23, 1998, your staff requested and we granted an extension to December 7, 1998. On December 8, 1998, we contacted your staff and we were advised that the comments would be forthcoming. Because we have not yet received the comments, we are issuing the report without them. We will evaluate the comments and how they address our recommendations when we receive them.
Attachment: As stated
- Report Synopsis
- Agency Comments
- Objectives, Scope, and Methodology
- Office Submission Requirements per MD 4.4
- Major Contributors to This Report
- Glossary: Office of the Inspector General Products
The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires Federal managers to establish a continuous process for evaluating, improving, and reporting on the internal control and accounting systems for which they are responsible. The FMFIA specifies that, by December 31 of each year, the head of each executive agency submits to the President and Congress (1) a statement on whether there is reasonable assurance that the agency's controls are achieving their intended objectives and (2) a report on material weaknesses in the agency's controls. The Office of Management and Budget (OMB) Circular A-123, Revised, Management Accountability and Control, is the implementing guidance for FMFIA. The policy and procedures for the U.S. Nuclear Regulatory Commission's (NRC) management control program are documented in Management Directive (MD) 4.4, Management Controls.
We found that NRC's program remains in general compliance with the requirements of FMFIA. However, we found several weaknesses that diminish the program's effectiveness. Our review disclosed that (1) MD 4.4 is not consistently followed and we believe that supplemental guidance has undermined the program's effectiveness, and (2) the Executive Committee for Management Controls (ECMC) is not functioning as intended. As a result, the information provided to the ECMC varies widely and is of questionable value to the offices and senior agency managers.
NRC managers questioned the value of a separate office management control plan when other processes seem to fulfill that need. In particular, several managers, including the Executive Director for Operations, stated that the process for developing office operating plans could be a more effective tool for examining management controls than the required management control plans. These officials advised that assessing controls is a continuous process, and they do not need to rely on a management control plan to bring issues to their attention.
Because OMB does not require a separate management control program to meet FMFIA requirements, we believe the time is opportune to reevaluate how NRC assesses its management controls. NRC has the opportunity to modify its current procedures, or develop a new process, to provide timely and useful management information. Whatever direction NRC decides upon, we believe that the process must establish expectations for the participants and include centralized oversight to ensure consistency and consideration of issues from an agency-wide perspective.
The Office of the Inspector General (OIG) has reviewed the U.S. Nuclear Regulatory Commission's (NRC) management control program as implemented according to the agency's policy and procedure, Management Directive (MD) 4.4, Management Controls. Our objective was to determine if the program is achieving its goals as established by MD 4.4. Appendix I contains a detailed description of our objectives, scope, and methodology.
The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires Federal managers to establish a continuous process for evaluating, improving, and reporting on the internal control and accounting systems for which they are responsible. The FMFIA specifies that, by December 31 of each year, the head of each executive agency submits to the President and Congress (1) a statement on whether there is reasonable assurance that the agency's controls are achieving their intended objectives and (2) a report on material weaknesses in the agency's controls.
The Office of Management and Budget (OMB) Circular A-123, Revised, Management Accountability and Control, is the implementing guidance for FMFIA. The guidance requires agencies and individual Federal managers to take systematic and proactive measures to: (1) develop and implement appropriate cost-effective management controls for results-oriented management, (2) assess the adequacy of management controls in Federal programs and operations, (3) identify needed improvements, (4) take corresponding corrective action, and (5) report annually on management controls. The guidance allows management to integrate financial management initiatives into a single report, an "Accountability Report," to be issued no later than March 31.(1) The circular does not require a separate management control process to be instituted if the sole purpose is to satisfy the FMFIA reporting requirements. In fact, it emphasizes that efforts to meet the requirements of FMFIA should be an integral part of the entire cycle of planning, budgeting and management.
In 1995, the NRC redesigned and streamlined its management control program in accordance with OMB Circular A-123, Revised. NRC's policy and procedures for the agency's management control program are documented in MD 4.4, Management Controls. The directive requires that 12 offices and all 4 regions, designated as the highest risk with respect to programmatic and administrative activities, submit annual management control plans to the Chairman of the Executive Committee for Management Controls (ECMC). The Executive Director for Operations (EDO) serves as the Chairman, ECMC. At the end of each fiscal year, these same offices, the four regions, and an additional eight offices submit reasonable assurance statements to the Chairman of the ECMC. These reasonable assurance statements provide the primary basis to support the Chairman's informed judgement as to the overall adequacy and effectiveness of the agency's management controls. Appendix II contains a detailed list of the offices required to submit management control plans and reasonable assurance statements.
Annually, OIG performs a compliance audit of the FMFIA process. In FY 1995, the first year NRC implemented its revised program, OIG reported no material weaknesses.(2) However, that report made four recommendations to strengthen the agency's revised program to make it more consistent and effective. For example, the report recommended that the management control plans adhere to the prescribed reporting format outlined in draft MD 4.4 and the ECMC provide appropriate and timely feedback on management control plans.
Although NRC remains in general compliance with the requirements of FMFIA, our review noted some of the same weaknesses we disclosed in 1995. While NRC took corrective actions to address these issues, our current work found that some of the same inadequacies continue to exist and that the management control program needs improvements. We believe that these weaknesses diminish the program's effectiveness. We also found that NRC managers believe there are alternatives that can modify the management control program, making it a more meaningful and effective process.
The Current Management Control Program Needs Improvement
While NRC's management control program as stated in MD 4.4 meets the intent of OMB Circular A-123, Revised, the program's implementation needs improvement. We found that (1) MD 4.4 is not consistently followed and (2) the ECMC is not functioning as intended. In addition, we believe the supplemental guidance to MD 4.4 has undermined the program's requirements. As a result, the information provided to the ECMC varies widely and is of questionable value to the offices and senior agency managers.
The Implementation of MD 4.4 Is Inconsistent
Although MD 4.4 prescribes the minimum content for management control plans, the actual content of the offices' plans varied widely. We found that supplemental guidance to MD 4.4 has allowed wide reporting latitude, resulting in plans that do not address the basic tenets of MD 4.4 and weakening the usefulness of information provided.
One objective of the management control program is to provide an early warning system that can anticipate, identify, and resolve mission-critical issues. According to MD 4.4, 12 offices and 4 regions are required to maintain management control plans and reasonable assurance statements, while an additional 8 offices are required only to prepare reasonable assurance statements. Unless an extension is granted, management control plans are due on March 31 each year, while the reasonable assurance statements are due on September 30. The reasonable assurance statements form the basis for NRC's overall conclusion about the effectiveness of its management controls. Together, these documents are intended to provide a framework for continually monitoring and improving the agency's management controls.
MD 4.4 discusses the format and content of the management control plans and the requirements for reasonable assurance statements. Although the format and content for management control plans are to be tailored to each office's operating environment, the management directive identifies minimum content requirements, such as: identification of major risk areas, significant control areas to be evaluated, significant weaknesses not previously reported, and the status of corrective actions.
MD 4.4 was approved in 1996. Each year since, the Office of the Chief Financial Officer (OCFO) issued supplemental guidance that was included with the request for submission of management control plans. Each of these supplements stated that there is "no prescribed format for management control plans." This guidance, however, did not supersede MD 4.4 and the directive remains the primary authoritative guidance for the management control program. NRC staff informed us that the supplemental guidance allows them to use their own judgement on what to report and how to report information in the management control plans. When they have reporting questions, they also seek guidance from the OCFO.
Our review of management control plans for FY 1998 and previous years disclosed that the form and content of the plans have varied widely. For example, as required in the management directive, we found that some plans identified major risk areas and plans for minimizing risk. However, other plans made no mention of risk areas, leaving a reviewer to speculate as to the existence or absence of risk. One office plan noted that because of its small size and "in light of the current operating plan," it did not require a management control plan. Staff from another office commented that they did not intend to conduct any management control reviews unless the ECMC requested them to do so.
We believe that the lack of consistency in the form and content of the management control plans weakens the usefulness of the information provided. In addition, we believe a consistent format would help to ensure that agency-wide issues are considered by the ECMC.
The ECMC Is Not Functioning As Intended
Although the ECMC had several meetings during the first few years of operation, we found that the ECMC has not met for more than a year or performed the oversight role required by MD 4.4. As a result, we believe oversight has been inadequate and a key quality assurance component necessary for an effective program has been lost.
The ECMC is a senior management council chartered to provide oversight for the management control program using the collective judgement of agency senior managers. ECMC members included the EDO, Deputy EDOs and six office Directors. As stated in MD 4.4, some of the ECMC functions include: (1) ensuring the agency's commitment to an appropriate system of management controls, (2) providing the overall strategy and direction of the management control program, and (3) reviewing management control plans and reasonable assurance statements. As part of the review function, the ECMC is to provide guidance on the adequacy of management control plans and issues included in the plans. Additionally, the ECMC is to ensure that appropriate priorities are assigned to planned evaluations based on risk.
For the past year and one-half, the ECMC has not met as a body nor fulfilled these functions. ECMC members and others believed that NRC's January 1997 reorganization affected ECMC membership. For example, one individual speculated that there were many "acting" managers not aware they were ECMC members. During the reorganization, NRC created the Executive Council (EC),(3) the agency's senior management body. Recently, the EC approved a new ECMC membership to reflect this reorganization. The new ECMC membership will be composed of the EC and the Program Review Committee,(4) and its functions are expected to remain the same.
One of the ECMC functions, as stated in MD 4.4, is to provide guidance on the adequacy of management control plans. However, the supplemental guidance to MD 4.4 notified offices that the ECMC does not intend to "approve" or provide feedback on individual plans, although feedback may be provided when the ECMC determines that a plan is inadequate or needs significant improvement.
During our interviews, we found that most of the offices had never received any feedback. One indicated that "no news is good news." They assumed the plans were adequate if they did not get feedback from the ECMC. Other staff said that, because they do not receive feedback on their final submissions, they were not sure if the information provided was acceptable or even useful.
We believe that the lack of ECMC oversight has affected the adequacy of the present management control program, causing the program to lose needed guidance. The lack of oversight contributes to the inconsistent approach to the form and content of management control plans. One Deputy Executive Director noted that to be effective, the new ECMC must establish clear expectations for the participating offices.
NRC Has Alternatives to the Present Methodology
NRC streamlined its management control program in response to OMB Circular A-123, Revised. However, this Circular does not require that an agency institute a separate management control process if the sole purpose is to satisfy FMFIA reporting requirements. Because senior NRC managers questioned the value of the current management control plans, we believe that NRC has alternatives available to modify and strengthen the existing process, or create a new process, and still meet FMFIA requirements.
Some office managers mentioned that they continuously monitor management controls as expected in the management directive. When the office identifies a potential or significant weakness, it is shared immediately with the next level of management. They do not wait to prepare a management control plan or reasonable assurance statement. Some office staff also questioned the usefulness of management control plans and one voiced the comment that preparing the plans is a paperwork exercise.
We found that regardless of management control plan shortcomings, senior managers use other means to assess management controls. To determine the adequacy and usefulness of management control plans, we sought the views of high level reviewers, including the EDO, two Deputy Executive Directors, the EDO's Assistant for Operations, and the Chief Financial Officer. Although some of these individuals acknowledge the variations in the format and content of management control plans, none rely solely on management control plans to bring significant issues to their attention. They said that weaknesses are brought to management's attention during the year through other methods, such as the budget process, the operating plan development process, reasonable assurance statements and senior management meetings.
Several senior managers commented that the operating plan development process may be a more effective tool for examining management controls than using the management control plans. In fact, one manager places much greater reliance on operating plans for identifying program shortcomings. This process is relatively new and is part of the agency's Planning, Budgeting and Performance Management process. Each office is responsible for developing a multi-year operating plan to track performance. Senior management monitors these plans quarterly. We believe that the operating plan may be a useful tool that could incorporate an assessment of management controls.
Since the agency revised its management control program in 1995, some wide variations continue to exist between the types of information provided in the management control plans. We believe that the value of some management control plans as a tool to assess management controls is questionable. Although supplemental guidance has been provided, we believe the guidance clouds the reporting requirements and reduces the program's usefulness.
Senior NRC managers believe that the process for developing operating plans provides a simultaneous opportunity to assess management controls. They rely on this process to ferret out program concerns and believe that preparing management control plans duplicates other activities. We believe reasonable assurance statements, on the other hand, may continue to be useful because NRC bases its overall conclusions about management controls on these documents. Since OMB does not require a separate management control program to meet FMFIA requirements, we believe the time is opportune to reevaluate how NRC assesses its management controls. NRC has the opportunity to modify its current process, or develop a new process, to provide timely and useful management information. Whatever direction NRC decides upon, the process must include centralized oversight to ensure consistency and consideration of issues from an agency-wide perspective.
To strengthen the management control program in providing timely and useful information, we recommend that the EDO, in his capacity as Chairman of the ECMC:
1. Reevaluate the current methodology for NRC's management control program with a view towards assessing the effectiveness and need for management control plans and reasonable assurance statements. This effort should also consider incorporating management control evaluations in other existing processes, such as the Planning, Budgeting and Performance Management process.
2. Ensure that there is effective centralized oversight of management control issues to ensure consistency and appropriate coordination of office and agency-wide issues. Further, develop a feedback mechanism so that NRC offices can gauge their success in providing management control issues to upper management.
3. Based on implementing recommendations 1 and 2, revise MD 4.4 as appropriate.
On October 23, 1998, we provided a draft of this report to the agency for comments. The agency requested and was granted an extension but had not produced their comments when this report was issued. We will evaluate the comments and how they address our recommendations when we receive them.
Objectives, Scope, and Methodology
The objective of our audit was to determine if the management control program is achieving its goals as established by the U.S. Nuclear Regulatory Commission Management Directive 4.4, Management Controls. The audit included review and evaluation of all management control plans and reasonable assurance statements(5) prepared during the period from fiscal year (FY) 1995 through FY 1998.
We conducted our review from June through September 1998. During this period, we interviewed (1) selected members of the Executive Committee for Management Controls, (2) the staff responsible for preparing management control plans from 11 headquarters offices and 1 region, and (3) the program managers from 2 offices that are required to prepare only an annual reasonable assurance letter.
We conducted our review according to generally accepted Government auditing standards.
Office Submission Requirements per MD 4.4
Based on Management Directive 4.4, Management Controls, the following 12 offices and all regions are required to submit a management control plan by March 31 each year and a reasonable assurance letter by September 30 each year to the Chairman of the Executive Committee for Management Controls (ECMC):
- Office of State Programs
- Office of Personnel (now the Office of Human Resources)
- Office of Information Resources Management (now the Office of the Chief Information Officer)
- Office of Investigations
- Office for Analysis and Evaluation of Operational Data
- Office of Enforcement
- Office of Nuclear Regulatory Research
- Office of Administration
- Office of Nuclear Material Safety and Safeguards
- Office of Nuclear Reactor Regulation
- Office of the Controller (now the Office of the Chief Financial Officer)
- Office of International Programs
- Region I
- Region II
- Region III
- Region IV
In addition to those listed above, the following eight offices are required to submit a reasonable assurance statement by September 30 each year to the Chairman of the ECMC:
- Advisory Committee on Reactor Safeguards and Advisory Committee on Nuclear Waste
- Atomic Safety and Licensing Board
- Office of Commission Appellate Adjudication
- Office of General Counsel
- Office of the Secretary
- Office of Public Affairs
- Office of Congressional Affairs
- Office of Small Business and Civil Rights
Major Contributors to This Report
Anthony C. Lipuma
Camilla W. Barror
Glossary: Office of the Inspector General Products
1. INVESTIGATIVE REPORT - WHITE COVER
An Investigative Report documents pertinent facts of a case and describes available evidence relevant to allegations against individuals, including aspects of an allegation not substantiated. Investigative reports do not recommend disciplinary action against individual employees. Investigative reports are sensitive documents and contain information subject to the Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrative action is warranted. The agency is expected to advise the OIG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to investigative report findings.
2. EVENT INQUIRY - GREEN COVER
The Event Inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OIG of managerial initiatives taken in response to issues identified in these reports but tracking its recommendations is not required.
3. MANAGEMENT IMPLICATIONS REPORT (MIR) - MEMORANDUM
MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future. Agency tracking of recommendations is not required.
4. AUDIT REPORT - BLUE COVER
An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, function, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports. The audit results are also reported in the OIG's "Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.
5. SPECIAL EVALUATION REPORT - BURGUNDY COVER
A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.
6. REGULATORY COMMENTARY - BROWN COVER
Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations. Commentaries cite the IG Act as authority for the review, state the specific law, regulation or policy examined and the pertinent background information considered, and identify OIG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OIG Semiannual Report to Congress. Each report indicates whether a response is required.
1. Since fiscal year (FY) 1995, NRC has issued annual Accountability Reports which include the required statement on management controls and a section on the agency's management control program.
3. The Executive Council is comprised of three senior managers, the Executive Director for Operations, the Chief Financial Officer, and the Chief Information Officer. Because these three individuals report directly to the Chairman, the Council was formed to provide a forum for ensuring integration of programs including planning financial and human resources planning.
4. The Program Review Committee's (PRC) members are: the three Deputy Executive Directors for Operations; the Deputy Chief Financial Officer; the Director, Planning and Resource Management Division, Office of the Chief Information Officer; and the Deputy Director for Corporate Planning and Management in the Chairman's Office. The committee was established during 1997 as a result of new initiatives to replace the budget process with a program approach. The basic functions of the PRC are to monitor and evaluate the programs of the agency, evaluate policy and program guidance prior to EC endorsement, and to generally inform the EC.
5. At the time we completed field work, the 1998 reasonable assurance statements were not due.