| |
Search Options | |||
| Index | Site Map | FAQ | Facility Info | Reading Rm | New | Help | Glossary | Contact Us | |
|||
| Home > Electronic Reading Room > Document Collections > Inspector General Reports > 1998 > OIG/97A-18 |
Contents
Office of the Inspector General
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001
October 23, 1997
| Memorandum To: | Jesse L. Funches Chief Financial Officer |
| From: | Thomas J. Barchi Assistant Inspector General for Audits |
| Subject: | NRC's Effort to Document Compliance with the New Time and Attendance System Is Lacking |
Attached is the Office of the Inspector General's (OIG) audit report titled "NRC's Effort to Document Compliance With the New Time and Attendance System is Lacking."
On September 22, 1997, we provided a draft of this report to the Deputy Chief Financial Officer . On October 10, 1997, he responded to our draft report and agreed with our recommendation. He also detailed the corrective actions taken.
Please contact me on 415-5915 if we can assist you further in this matter.
The Nuclear Regulatory Commission (NRC) is in the process of replacing its current payroll and personnel systems. The systems, which currently are separate and only partially automated, are to be replaced with one integrated system called PAY/PERS. In February 1996, the Division of Accounting and Finance (DAF), Office of the Chief Financial Officer (OCFO), implemented the time and attendance (T&A) module of PAY/PERS. Because the T&A module shifts certain internal control responsibilities to the individual time and attendance units from the DAF, OIG's 1997 Annual Plan included a review of agency compliance with the new T&A requirements.
In December 1996, DAF began assessing agency compliance with the new T&A requirements. They completed their review in July 1997. Therefore, rather than duplicate their effort, OIG sought to determine if we could rely on DAF's review to answer the question of whether the new T&A requirements were being met.
Although DAF developed a methodology to assess agency compliance with T&A requirements, the methodology was not consistently followed nor were results summarized to attempt to assess agency compliance as whole. As a result, we believe that (1) OIG cannot rely on the T&A review to draws conclusions about the effectiveness of T&A controls, and (2) OCFO cannot use the review to make assessments for Federal Managers' Financial Integrity Act purposes. Our report recommends that the Chief Financial Officer assess what additional data and procedures are needed to determine agency-wide compliance with the new T&A requirements.
The Nuclear Regulatory Commission (NRC) is in the process of replacing its current payroll and personnel systems. The systems, which currently are separate and only partially automated, are to be replaced with one integrated system called PAY/PERS. In February 1996, the Division of Accounting and Finance (DAF), Office of the Chief Financial Officer (OCFO),(1) implemented the time and attendance (T&A) module of PAY/PERS. NRC plans to implement the full system in March 1998. The T&A system is a highly important component of any payroll system, but particularly for the NRC, with payroll making up about 56 percent of the Agency's operating budget. It is, therefore, crucial to determine that effective internal controls exist to support data recorded in the system. Because the T&A module shifts certain internal control responsibilities to the individual T&A units from DAF, the Office of the Inspector General's (OIG's) 1997 Annual Plan included a review of agency compliance with the new T&A requirements.
In December 1996, DAF began assessing agency compliance with the new T&A requirements. They completed their review in July 1997. Therefore, rather than duplicate their effort, OIG sought to determine if we could rely on DAF's review to answer the question of whether the new T&A requirements were being met.
We found that DAF's T&A review cannot be relied on to draw conclusions about the Agency's compliance with T&A requirements. First, DAF's review did not consistently follow its methodology. Second, in many cases, reviews of the T&A units were incomplete. We believe that DAF will have to perform additional procedures to correct the problems with their current review or rely on a future review to draw conclusions about the implementation of internal controls for NRC's T&A process. We also believe that DAF cannot rely on its review for reasonable assurance purposes under the Federal Managers' Financial Integrity Act (FMFIA).
Although DAF developed a methodology to assess agency compliance with T&A requirements, the methodology was inconsistently implemented and results were not summarized to assess agency compliance as a whole. The objectives of DAF's review were to assess agency compliance with T&A procedures and to use the assessment to determine reasonable assurance that controls were effective for reporting under the FMFIA. Because the review was inconsistent, and in some areas incomplete, this effort is inadequate to assess agency-wide compliance with T&A procedures. We therefore believe that OCFO cannot use this effort as the basis for asserting assurance about the effectiveness of T&A controls agency-wide.
DAF's methodology was to assess T&A compliance by reviewing all 278 T&A units. The assessment consisted of 1) completing a questionnaire while interviewing the timekeepers from each of the units, and 2) using a checklist to test for pre-determined attributes in the supporting documentation. We found that the items covered in the review were the significant procedures necessary to ensure protection of sensitive data, and accurate reporting of time worked. A separate review sheet was kept for the responses of each timekeeper, and a checklist was completed for each T&A report examined. DAF employed statistical sampling techniques to select the employees and pay periods to be reviewed.
As DAF's review progressed, assessment memoranda were issued to the organizations for which T&A units were reviewed, i.e., a single memorandum was issued to each region or office. Although some units did not fully comply with T&A requirements, all organizations received the same "satisfactory" memorandum which did not describe the deficiencies found. The memorandum stated, "the results of our review revealed that procedures are being followed and documentation is adequately maintained." DAF officials stated that the deficiencies found were considered insignificant and that they explained the deficiencies verbally to the timekeepers.
DAF planned to review 278 T&A units, 556 employees and 1,112 pay periods; however, those goals were not accomplished.(3) Four sample T&A units were missed and some employee checklists were only completed for one pay period instead of two. We found instances of non-compliance for several of the attributes tested, and for some attributes, there was no indication of whether they were tested. For example, one attribute tested was the existence of overtime certification. The checklist required that "yes," "no," or "n/a" be indicated; we found that on some checklists no such indication was made. Further review of the checklists showed that responses were missing for other attributes as well. Although DAF did not summarize the T&A data, we attempted to do so. Because of the inconsistency in the way the checklists were completed, we were unable to summarize the data or draw conclusions about agency-wide compliance.
In its 1997 Management Control Plan, OCFO stated that it was conducting T&A reviews to determine if timekeepers were following prescribed procedures. Because the T&A reviews were inconsistent and, in some cases incomplete, we believe that OCFO cannot rely on the T&A review to make FMFIA assertions.
The FMFIA was enacted on September 8, 1982, in response to continuing disclosures of waste, loss, unauthorized use, and misappropriation of funds or assets associated with weak internal controls and accounting systems. The FMFIA requires Federal managers to establish a continuous process for evaluating, improving, and reporting on the internal controls and accounting systems for which they are responsible. Office of Management and Budget (OMB) Circular A-123, Revised, "Management Accountability and Control," is the implementing guidance for FMFIA.
To meet FMFIA and OMB Circular A-123 requirements, NRC established a Management Control Program. The program requires most NRC offices, including OCFO, to complete a Management Control Plan by March 31, and a reasonable assurance letter by September 30, each year.
The April 22, 1997 Management Control Plan stated that OCFO was conducting T&A reviews to determine if timekeepers were following prescribed procedures. The plan states:
As the first phase of the implementation of a new Payroll/Personnel System, an automated T&A reporting system was implemented in February 1996, and a draft handbook was provided to each timekeeper. The implementation of the automated T&A system required transferring the responsibility for retaining certain official T&A records from the Payroll Operations Sections to the timekeepers. As stated above, OC [OCFO's predecessor] is performing T&A program reviews, and the reviews to date have shown that the timekeepers are performing their duties in accordance with prescribed procedures.
OCFO's final assessment would probably be made in its September 30, reasonable assurance statement. For the reasons stated in the first section of our findings, we believe that OCFO cannot use the T&A review to draw an agency-wide conclusion about the effectiveness of T&A controls and implementation of procedures.
Although DAF developed a methodology to assess agency compliance with T&A requirements, the methodology was not consistently followed, nor were results summarized to attempt to assess agency compliance as a whole. As a result, we believe that (1) OIG cannot rely on the T&A review to draws conclusions about the effectiveness of T&A controls, and (2) OCFO cannot use the review to make assessments for FMFIA purposes.
Based on our audit, we believe the CFO needs additional data to draw conclusions about agency-wide compliance with T&A requirements. If the CFO decides to use another method, we request that he advise OIG of the basis for determining reasonable assurance that T&A requirements are being met. However, if the CFO decides to rely on DAF's recent study, we recommend that he:
1. Obtain the information needed to complete the review, determine a tolerable error rate, and summarize and report the results.
On October 21, 1997, the Deputy Chief Financial Officer (DCFO) responded to our draft report and agreed with our recommendation. The DCFO informed us that the missing or incomplete information was gathered, summarized and analyzed. He also noted that the T&A review was "not the sole source of ensuring compliance with FMFIA requirements". In particular, he noted that OIG's 1996 financial statement audit did not disclose internal control deficiencies. Because FMFIA assurances are due each year, we do not believe it would have been appropriate to rely on a 1996 review to make 1997 FMFIA assurances about management controls.
The objective of our review of the Time and Attendance (T&A) System was to determine whether reliance could be placed on the Office of the Chief Financial Officer's (OCFO's) in-house review of the system and the resulting assessment. The purpose of that assessment was to evaluate the effectiveness of the internal controls for the T&A process. We interviewed OCFO officials and reviewed written guidance provided to timekeepers in NRC Handbook 10.43, Time and Attendance Reporting. We reviewed OCFO's statistical sampling plan, and examined the documentation which showed the work completed in the review. We did not reexamine the time sheets to verify the results obtained in the OCFO review.
Our review took place at NRC headquarters during July and August, 1997. The test data we reviewed included headquarters and regional offices. We conducted our review in accordance with generally accepted Government auditing standards.
Anthony C. Lipuma
Team Leader
Doris A. Martin
Senior Auditor
An Investigative Report documents pertinent facts of a case and describes available evidence relevant to allegations against individuals, including aspects of an allegation not substantiated. Investigative reports do not recommend disciplinary action against individual employees. Investigative reports are sensitive documents and contain information subject to the Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrative action is warranted. The agency is expected to advise the OIG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to investigative report findings.
The Event Inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OIG of managerial initiatives taken in response to issues identified in these reports but tracking its recommendations is not required.
MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future. Agency tracking of recommendations is not required.
An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, function, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports. The audit results are also reported in the OIG's "Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.
A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.
Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations. Commentaries cite the IG Act as authority for the review, state the specific law, regulation or policy examined, pertinent background information considered and identifies OIG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OIG Semiannual Report to Congress. Each report indicates whether a response is required.
1. Formerly Office of the Controller
2. Under the previous T&A system, time cards were signed by employees and certifying officials and were forwarded to DAF.
3. DAF planned to review 556 employees (2 employees for each of the 278 T&A units), and a total of 1,112 pay periods should have been reviewed (556 employees for 2 pay periods each).
|
Privacy Policy |
Site Disclaimer |