This is the accessible text file for GAO report number GAO-15-181 entitled 'Defense Nuclear Facilities Safety Board: Improvements Needed to Strengthen Internal Control and Promote Transparency' which was released on February 19, 2015.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to Congressional Requesters:

January 2015:

Defense Nuclear Facilities Safety Board:

Improvements Needed to Strengthen Internal Control and Promote Transparency:

GAO-15-181:

GAO Highlights:

Highlights of GAO-15-181, a report to congressional requesters.

Why GAO Did This Study:

Congress established DNFSB in 1988 to provide independent analysis and recommendations to the Department of Energy (DOE) to ensure adequate protection of public health and safety at defense nuclear facilities.
DNFSB consists of a five-member Board, which currently has two vacancies, and about 103 technical, legal, and administrative staff. DNFSB's fiscal year 2013 budget was $26.8 million. Until fiscal year 2012, DNFSB was not required to have an IG and did not have routine independent oversight by any other federal entity.

GAO was asked to review the operations and oversight of DNFSB. This report examines the extent to which DNFSB had (1) policies and procedures governing the activities of the Board and technical staff; (2) assessed its internal controls; (3) meeting and voting practices that are transparent to the public; and (4) taken steps to obtain IG oversight and the results of those steps. GAO reviewed relevant federal laws, regulations, and guidance; analyzed DNFSB documents, including records of internal control assessments; interviewed officials from DNFSB, NRC-OIG, and DOE; and gathered information from 14 other federal agency IGs.

What GAO Found:

Until 2013, the Defense Nuclear Facilities Safety Board (DNFSB) had few written policies and procedures for its Board members and technical staff work, and some policies and procedures recently developed for the Board were not consistently followed. For example, Board procedures call for the Board to approve and implement an annual resource plan that would prioritize DNFSB's work for the coming year, but DNFSB has not approved a resource plan for fiscal year 2015. DNFSB officials did not know when the Board would pass a resource plan. DNFSB also began developing detailed written policies and procedures for its technical staff in 2013. DNFSB anticipates implementing 90 technical policies and procedures by 2016, according to agency officials. As of the end of September 2014, 16 had been implemented.

DNFSB records of internal control assessments were missing or incomplete in every fiscal year from 2007 through 2014.
Office of Management and Budget (OMB) guidance for internal control directs agencies to document their internal control activities and to retain that documentation. DNFSB has a four-step internal control assessment process consisting of the selection of the areas to be assessed, performance of the assessments, management review of the assessments, and annual management assurance statements to the Chairman of the overall adequacy of internal control within the agency. However, records were missing or incomplete at each step, and DNFSB officials said that some steps likely were not performed, in part due to the departure of officials responsible for them. Having documentation of internal control assessment activities would provide DNFSB with a record that it is performing all steps of its internal control process and help provide reasonable assurance that control activities are being accurately performed. The Board at DNFSB does not have meeting and voting practices that are transparent to the public. Until October 2014, the Board did not hold public meetings to deliberate and conduct business, and it instead employs a voting practice known as notational voting. Under this practice, the Board circulates written materials for members to review, comment on, and vote on in writing. DNFSB does not publicly disclose the results of these votes, unlike many other agencies. In June 2014, the Board voted to create a policy to disclose its voting results. However, in October 2014, a Board member raised concerns that the policy was not being developed. Moreover, as of November 2014, such a policy had not been developed. The Administrative Conference of the United States, an independent federal agency that provides advice on agency procedures, recommended in June 2014 that agencies using notational voting publicly disclose the conclusions reached via such voting. 
Having a policy to disclose the matters on which the Board is voting and the results of those votes would enhance DNFSB's transparency, allowing the public to be aware of the Board's decisions, which is important given DNFSB's mission.

DNFSB took some steps to obtain Inspector General (IG) services from the Nuclear Regulatory Commission's Office of the IG (NRC-OIG) and 17 other OIGs but did not meet two statutory deadlines to obtain IG services. In January 2014, the NRC-OIG became DNFSB's IG by statute and began work in April 2014.

What GAO Recommends:

GAO recommends, among other things, that DNFSB document its internal control assessment activities and implement a policy to publicly disclose the results of Board votes. In commenting on a draft of this report, DNFSB described actions it had taken or planned to take to address these recommendations.

View [hyperlink, http://www.gao.gov/products/GAO-15-181]. For more information, contact John Neumann at (202) 512-3841 or neumannj@gao.gov.

[End of section]

Contents:

Letter:
Background:
DNFSB Had Few Written Policies and Procedures for the Board and Technical Staff until 2013:
DNFSB Assessments of Internal Control Were Largely Limited to Administrative Activities, and Records Are Missing and Incomplete:
Until 2014, DNFSB Did Not Meet to Conduct Agency Business and Does Not Publicly Disclose Vote Results:
DNFSB Took Steps to Obtain IG Services but Did Not Meet Statutory Deadlines:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Comments from the Defense Nuclear Facilities Safety Board:
Appendix II: Comments from the Nuclear Regulatory Commission:
Appendix III: GAO Contact and Staff Acknowledgments:

Tables:

Table 1: Examples of Planned and Implemented Policies and Procedures for the Defense Nuclear Facilities Safety Board's Technical Staff's Work Activities:
Table 2: Status of Defense Nuclear Facility Safety Board Records of Internal Control for Fiscal Years 2007 through 2014:

Abbreviations:

ACUS: Administrative Conference of the United States:
DNFSB: Defense Nuclear Facilities Safety Board:
DOE: Department of Energy:
ECIC: Executive Committee on Internal Controls:
EEO: Equal Employment Opportunity:
FCC: Federal Communications Commission:
FMFIA: Federal Managers Financial Integrity Act:
FOIA: Freedom of Information Act:
FTE: full-time equivalent:
IG: Inspector General:
NDAA: National Defense Authorization Act:
NRC: Nuclear Regulatory Commission:
NRC-OIG: Nuclear Regulatory Commission Office of the Inspector General:
OMB: Office of Management and Budget:
USPS-OIG: United States Postal Service Office of Inspector General:

[End of section]

United States Government Accountability Office:
GAO:
441 G St. N.W.
Washington, DC 20548:

January 20, 2015:

The Honorable Claire C. McCaskill:
United States Senate:

The Honorable Michael D. Rogers:
House of Representatives:

The Honorable Michael R. Turner:
House of Representatives:

The Defense Nuclear Facilities Safety Board (DNFSB) was established by statute in 1988 to provide independent analysis, advice, and recommendations to the Secretary of Energy regarding the adequate protection of public health and safety at the Department of Energy's (DOE) defense nuclear facilities. DOE's defense nuclear facilities conduct the study, testing, refurbishment, and dismantlement of nuclear weapons, disposal of nuclear waste and components, and decommissioning and cleanup of facilities once they are no longer needed.[Footnote 1] These facilities are located at 10 sites across the United States, and DOE requested $14.2 billion in funding for weapons activities and environmental cleanup in fiscal year 2014.[Footnote 2] DNFSB reviews and evaluates the content and implementation of public health and safety standards at all of these facilities, as well as other requirements relating to facility design, construction, operation, and decommissioning.
Since DNFSB began operating, it has issued 58 recommendations, of which DOE has implemented 52, and 6 of which DOE is in the process of implementing. Until December 2011, DNFSB was not required to have an Inspector General (IG) and did not have other routine independent oversight by any federal entity. We last audited the agency in 1991 and made five recommendations to, among other things, enhance DNFSB's independence, improve its operations, and increase its planning activities. Prior to this review, four of the recommendations were closed as implemented. [Footnote 3] The one that was not implemented recommended that—to ensure that DNFSB conducted its reviews independently from DOE and that significant concerns about health and safety were made known to the public—DNFSB establish operating procedures to ensure that all DNFSB activities were conducted in a manner clearly independent from DOE. In its response to the recommendation, DNFSB stated that it believed it was operating independently of DOE and did not intend to change its operational methods. As part of this review, we determined the status of the final recommendation, which is discussed later in this report. You asked us to review the operations and oversight of DNFSB. 
[Footnote 4] This report examines the extent to which DNFSB had (1) policies and procedures governing the activities of Board and technical staff, (2) assessed its internal controls, (3) meeting and voting practices that are transparent to the public, and (4) taken steps to obtain IG oversight and the results of those steps.[Footnote 5] To determine the extent to which DNFSB has policies and procedures governing the activities of Board members and technical staff, we reviewed and analyzed DNFSB's enabling statute and federal standards for internal control.[Footnote 6] We reviewed DNFSB documents, including DNFSB's written policies, procedures, and guidance in place or being developed as of September 2014 to guide the activities of Board members and technical staff, time frames and plans for implementing policies and procedures, and a 2012 external risk assessment report on DNFSB's policies, procedures, and internal controls. We reviewed DNFSB's procedures for Board voting and records of Board votes posted on its internal website from the earliest record posted, in July 2013, through June 2014, when DNFSB stopped posting votes. We also interviewed DNFSB officials, including the Chairman, current and former Board members, General Counsel, and key technical staff regarding implemented and planned policies and procedures. To determine the extent to which DNFSB has assessed its internal controls, we reviewed the law commonly known as the Federal Managers' Financial Integrity Act (FMFIA),[Footnote 7] the federal standards for internal control, and the Office of Management and Budget (OMB) Circular A-123, which defines management's responsibility for internal control in federal agencies.[Footnote 8] We reviewed DNFSB internal assessments of policies and procedures and DNFSB's Performance and Accountability Reports for fiscal years 2007 through 2013. 
We also interviewed DNFSB officials regarding how internal control assessments were conducted and how internal control assurance statements were developed.[Footnote 9] To determine the extent to which DNFSB's meeting and voting practices are transparent to the public, we reviewed the requirements of the Government in the Sunshine Act of 1976, as amended (Sunshine Act). We reviewed Federal Register notices for Sunshine Act meetings and public hearings conducted under DNFSB's statutory authority for the most recent 5 years—from November 2009 through October 2014. We reviewed a report to the Administrative Conference of the United States (ACUS)[Footnote 10] prepared by staff counsel, which discusses Sunshine Act practices across the federal government and makes recommendations to improve public transparency and interviewed the report's author to discuss the recommendations. We also reviewed an ACUS document about federal agencies' regulations on Sunshine Act meetings.[Footnote 11] We also interviewed a representative of the Sunlight Foundation, an organization focused on improving transparency in government, to discuss public transparency and how agencies typically disclose the results of their votes. We reviewed DNFSB's policies and procedures for Board voting and records of Board votes posted on its internal website from August 2013, when posting began, through June 2014, when DNFSB stopped posting votes. We also reviewed DNFSB's external public website to determine what information was publicly posted. In addition, we interviewed DNFSB officials to discuss their views about conducting business at public meetings and whether and how often DNFSB has held public meetings and hearings. To determine the extent to which DNFSB has taken steps to obtain IG oversight and the results of those steps, we reviewed laws requiring DNFSB to obtain IG services. 
We reviewed the Inspector General Act of 1978, as amended (IG Act) and a Council of Inspectors General on Integrity and Efficiency document describing the IG role and typical IG services. We reviewed DNFSB and the Nuclear Regulatory Commission's Office of Inspector General (NRC-OIG) documentation and interviewed officials to discuss the negotiations DNFSB held with the NRC-OIG and the United States Postal Service Office of Inspector General (USPS-OIG). We developed a standard set of questions for 17 other federal agency IGs, and we used them to gather information on the extent of DNFSB's negotiations with these IGs and reviewed relevant documentation. Thirteen out of 17 federal agency IGs responded to our inquiry.

We conducted this performance audit from August 2013 to January 2015 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background:

DNFSB's mission is to provide independent analysis, advice, and recommendations to the Secretary of Energy--in the Secretary's role as operator and regulator of DOE's defense nuclear facilities--to ensure adequate protection of public health and safety at these facilities.
Specifically, DNFSB is responsible for (1) reviewing and evaluating the content and implementation of the standards relating to the design, construction, operation, and decommissioning of DOE defense nuclear facilities; (2) investigating any event or practice at these facilities that it determines has adversely affected or may adversely affect public health and safety; (3) analyzing design and operational data, including safety analysis reports from these facilities; (4) reviewing new facility design and monitoring construction; and (5) making recommendations to the Secretary of Energy as necessary to ensure adequate protection of public health and safety, considering the technical and economic feasibility of implementing them. By statute, the Secretary of Energy must respond in writing to DNFSB's recommendations and any reporting requirements that DNFSB establishes. The Secretary's response must accept or reject the recommendations, in whole or in part, and must be published in the Federal Register. If DNFSB transmits a recommendation relating to an imminent or severe threat to public health and safety, the recommendation is also transmitted to the President and to the Secretary of Defense. After reviewing DOE's response, the President must accept or reject DNFSB's recommendation. DNFSB is not authorized to issue regulations governing DOE or to require DOE to take action apart from establishing reporting requirements. Instead, DNFSB uses both informal interactions and formal communications with DOE to ensure that DNFSB's concerns are addressed. DNFSB consists of a five-member Board, as well as technical, legal, and administrative staff. The Board members are nominated by the President and confirmed by the Senate. The President designates the Chairman and Vice Chairman from members of the Board. Members' terms are 5 years--but members can serve after the expiration of their term until a successor has taken office--and may be reappointed. 
The statute requires the Board to be composed of respected experts in nuclear safety, and who can--according to a DNFSB document--provide honest technical information to ensure that the administration and Congress have unbiased and timely information on the state of health and safety at DOE defense nuclear facilities. The statute also requires that no more than three members of the Board may be of the same political party. As of January 2015, there were two vacancies on the Board.[Footnote 12] In addition, the renomination of one member, who continues serving after the expiration of her term, has been submitted by the President to the Senate. DNFSB is the only government agency that provides independent scientific and technical safety oversight of DOE's defense nuclear facilities. DNFSB provides safety oversight at approximately 150 facilities at 10 active DOE sites throughout the United States. DNFSB's most recent strategic plan states that DOE's nuclear weapons program is technically challenging and hazardous, and that evaluating the safety of the facilities requires specific analyses of many unique processes and hazards. For example, DNFSB oversees facilities that are responsible for refurbishing or dismantling nuclear weapons, storing a significant inventory of radioactive waste, or deteriorating and past their design life. In its fiscal year 2014 annual report to Congress, DNFSB stated it is actively overseeing the design and construction of 10 new DOE defense nuclear facilities with a projected total cost of approximately $25 billion. 
Most of the work of the Board is conducted by DNFSB's technical department--the majority of which are located at DNFSB's headquarters in Washington, D.C.--and site representatives, who are present at the five sites with the most significant hazardous operations.[Footnote 13] The technical department is divided into five issue areas--nuclear programs and analysis, nuclear weapons programs, nuclear materials processing and stabilization, nuclear facility design and infrastructure, and performance assurance. Approximately 85 of DNFSB's 103 staff members work in the technical department, which accounts for 80 percent of DNFSB's annual budget of $26.8 million for fiscal year 2013. Technical department staff members are engineers and scientists with expertise in the issue areas such as facility safety and hazard analysis, nuclear explosive technology, the storage of nuclear materials, and waste management. The remaining staff are divided between the General Counsel's office, which provides legal advice regarding the Board's authorizing statute and other laws, and the General Manager's office, which plans, directs, and evaluates the agency's executive and administrative operations. Certain laws and guidance regarding internal control and public transparency, among other topics, apply to DNFSB. Specifically, FMFIA requires executive branch agencies to establish internal administrative controls that ensure compliance with statutory requirements and are consistent with federal standards.[Footnote 14] GAO issues federal standards for internal control to fulfill its responsibility to promulgate standards under this law.[Footnote 15] FMFIA calls for the heads of executive agencies to annually evaluate the adequacy and effectiveness of their agencies' internal control in a management assurance statement, and OMB provides guidance for agencies to use in evaluating their system of administrative controls. 
[Footnote 16] According to OMB guidance, agencies must establish internal control systems that provide reasonable assurance regarding the agency's proper use of funds and resources, compliance with statutes and regulations, and preparation of reliable financial reports. In addition, the Sunshine Act generally requires that meetings of agencies headed by Boards--such as the Board of DNFSB--be publicly announced in advance and that members of the public be permitted to attend such meetings. Meetings, as defined by the Sunshine Act, are the deliberations of at least a quorum of the agency's members necessary to take action on behalf of the agency, where such deliberations determine or result in the joint conduct or disposition of official agency business. Meetings may be closed, in whole or in part, to the public under certain circumstances--for example, if the meetings relate solely to the agency's internal personnel rules and practices or disclose matters that are specifically authorized to be kept secret in the interests of national defense or foreign policy and are, in fact, so classified.[Footnote 17] Under the IG Act, Inspectors General are responsible for, among other things, coordinating audits and investigations. They are also responsible for keeping the agency head and Congress informed about the problems and deficiencies related to the administration of an agency's programs, corrective actions needed, and the progress of those corrective actions. The IG Act provides specific protections to IG independence by authorizing them to select and employ their own staffs, make such investigations and reports as they deem necessary, and report the results of their work directly to Congress. In addition, the IG Act provides the IGs with a right of access to information, and prohibits interference with IG audits or investigations by agency personnel. 
The act further provides the IGs with the duty to inform the Attorney General of suspected violations of federal criminal law. However, the act does not require all agencies to have an IG. DNFSB is one of the agencies not required by the IG Act to have an IG. We have recommended, on a case-by-case basis, that specific small agencies could benefit from obtaining IG oversight from another agency's IG office where the missions of the two agencies are somewhat similar.[Footnote 18] In December 2011, a law was passed requiring DNFSB to obtain IG services.[Footnote 19]

DNFSB Had Few Written Policies and Procedures for the Board and Technical Staff until 2013:

DNFSB had few written policies and procedures for its Board and technical staff work until 2013. DNFSB developed written procedures for the Board in January 2013 and revised them in 2014, but some are inconsistently followed or do not align with Board practices. DNFSB also began developing detailed written policies and procedures for its technical staff work in January 2013, but few had been completed and implemented as of September 2014. DNFSB paused the development and implementation process for the technical staff procedures from May to late September 2014 to assess its effectiveness. DNFSB officials told us they resumed development and implementation in late September 2014 and plan to complete implementation by 2016.

Written Procedures for the Board Were Not in Place until 2013, and Some Are Inconsistently Followed:

Before 2013, DNFSB had no written procedures governing the Board. DNFSB officials told us that written procedures had not been needed because for many years Board members followed informal procedures and were able to regularly reach unanimous decisions. However, we identified one instance in which the absence of written procedures contributed to different opinions on whether Board members could release or discuss draft information with DOE.
Specifically, according to a document from the NRC-OIG, which investigated the situation, a former Board member provided a predecisional draft of a letter to DOE. The document shows that other Board members stated that providing predecisional information to DOE violated the Board's practice of not releasing draft information to DOE and allegedly undermined the Board's effectiveness and independence. The NRC-OIG found, however, that the Board had no written policy or guidance in place that prohibited such disclosures. Under federal standards for internal control, agencies are to clearly document internal control in management directives, administrative policies, or operating manuals and have them available for examination.[Footnote 20]

In January 2013, the Board developed written procedures, which describe the roles and responsibilities of the Board Chairman and members, and document the way the Board should conduct agency business. For example, the Board procedures describe how the Board should hold briefings with technical staff, conduct meetings as defined by the Sunshine Act, and vote on recommendations to DOE, among other things.

In February 2014, DNFSB revised its 2013 procedures and practices to create or clarify specific steps for certain important business processes, according to DNFSB officials. The revisions:

* Created a process for Board approval of a resource plan. Prior to February 2014, DNFSB officials told us the agency had no formal resource plan. The revised procedures require the Board members to approve a resource plan--consisting of an annual work plan and staffing plan--that will prioritize DNFSB's workload and describe the number of staff and specific staff expertise needed for the following fiscal year.

* Clarified the processes for Board members to request Board action on policy or technical staff support. Prior to the implementation of the 2014 procedures, there was no formal way for Board members to request that a matter be put to a Board vote. The procedures added a process by which Board members can submit written requests that the Board take action on a policy matter before the agency. According to one current and one former Board member, in the past, it was difficult to obtain technical staff support because DNFSB's enabling statute gives the Chairman, and not other Board members, the broad authority to direct the technical staff. The revised procedures clarified that individual Board members may seek nominal staff support by making a request directly to the applicable office director, or seek more significant support that could impact the annual work plan by putting a written request before the Board for a vote. Our review of DNFSB's voting records following implementation of the revised procedures shows that individual Board members have used the written request process to request Board action on matters such as having a public business meeting and requesting that staff be tasked with preparing for an additional public hearing on safety culture.

* Created a process for requesting formal amendments to the Board's final documents. According to DNFSB officials, prior to these procedures, there were no formal procedures to allow Board members to request amendments to documents before final consideration and vote. Under the revised procedures, Board members can now submit requests for formal amendments. One Board member told us that the new amendment process allows for minority opinions to be formally proposed and considered.

Some of the Board's procedures are not consistently followed, however.
For example, the revised Board procedures call for the Board to approve an annual resource plan, consisting of a staffing plan and an annual work plan for its technical, legal, and administrative offices, during the budget submission process, which usually occurs in February. DNFSB officials told us that before the revised Board procedures, DNFSB did not develop an annual resource plan but rather relied on informal processes to prioritize DNFSB's workload. Since the revised Board procedures were adopted nearly a third of the way through the fiscal year--in February 2014--DNFSB officials told us that there was no formal Board direction for the agency to develop and approve a staffing plan or work plans for fiscal year 2014. DNFSB officials told us that, under the procedures, the agency would have developed a resource plan for fiscal year 2015 as part of the next budget submission. According to a Board member, however, the technical office began developing a work plan for fiscal year 2014 in August 2013, and there was an expectation that one would be developed and approved. For fiscal year 2014, DNFSB developed and the Board approved a staffing plan, but the technical office work plan was ultimately not approved. In August 2014, DNFSB officials told us that work on the fiscal year 2014 work plan had ended. Agency officials told us they were instead focusing on developing a fiscal year 2015 resource plan as part of its next budget submission but, as of December 2014, DNFSB did not have an approved resource plan. DNFSB officials did not know when the Board would approve a resource plan. In addition, DNFSB has not consistently followed its procedure for recording the vote of a Board member who cannot participate in voting. 
Board procedures for how to record a vote for a Board member who cannot participate for a considerable period of time call for the Board member to be designated as "non-participating," be recorded as not casting a vote, and not be included for the purposes of determining a quorum.[Footnote 21] However, our review of DNFSB internal voting records found that a Board member on an extended leave of absence was listed as "Abstain" at least 35 times since the implementation of the revised Board procedures. The designation of "Abstain" would indicate that the Board member was present and would be counted in determining a quorum when, in fact, he was not present and not counted. We found no evidence, however, that the outcome of any votes was affected. Following our May 2014 discussion with DNFSB officials about the issue, the Board took action to follow its procedure of designating the Board member on extended leave as "non-participating" and recording his participation in subsequent votes as not casting a vote.

We also found that DNFSB has not consistently followed its procedure for recording the outcome of Board votes. Board procedures require DNFSB to document the approval or disapproval of a final Board vote, but our review of internal Board voting records since the implementation of the revised Board procedures found that the Board did not clearly state the outcome of 23 out of 59 votes reviewed. Board members and DNFSB officials told us that they were unaware that the voting results were not clearly recorded, but they noted that there was no confusion among Board members or staff employees about the vote outcomes. Subsequent to our discussion with officials, our review of voting results for the period late May through June 2014--which are posted on DNFSB's internal website--show that the voting results are now clearly recorded.
Furthermore, DNFSB's procedure for how it determines a majority vote for recommendations to DOE does not reflect the Board's interpretation and practice for determining a majority vote. Specifically, Board procedures state that the approval of a recommendation to DOE requires a majority vote of a quorum. Because DNFSB's enabling statute defines a quorum as three Board members, under the Board's voting procedure, a recommendation would always pass with the approval of two Board members because two is a majority of a quorum of three.[Footnote 22] However, we found that this procedure does not align with DNFSB officials' understanding and implementation of it. Our review of voting records and interviews with DNFSB officials showed that the Board has interpreted the procedure to mean approval requires the majority of those voting once a quorum has been established, as opposed to a majority of a quorum.[Footnote 23] According to DNFSB officials, this interpretation is based on the fact that the Board cannot act to approve any action until a quorum has first been established. Without a clearly written procedure that aligns with the Board's practice on how it determines a majority vote, the potential exists for Board members in the future to misinterpret the procedure.

DNFSB Began Developing Written Policies and Procedures for Technical Staff in 2013, but Few Have Been Implemented:

Before 2013, the agency had almost no written policies and procedures, consistent with federal standards of internal control, governing the work of the technical staff--who are responsible for executing DNFSB's health and safety mission at DOE's defense nuclear facilities and activities. DNFSB first began developing detailed policies and procedures for the technical staff in January 2013.[Footnote 24] According to DNFSB officials, before 2013, policies and procedures for the technical staff were mainly high level, and they consisted of three agency policy statements and two internal procedures.
Specifically, the Board issued three agency policy statements from 1990 through 1996. These covered DNFSB's review of DOE's responses and implementation plans for recommendations, agency policy on transmittal of site visit reports and related safety information, and the Board's oversight of decommissioning activities. The two internal procedures, issued in 2007 and 2009, instructed staff on tracking DOE commitments associated with recommendations and DOE commitments associated with other issues that did not warrant a recommendation. According to DNFSB officials, the agency did not have a need in the past for detailed written policies and procedures for technical work because the technical staff are experts and have sufficient knowledge to perform their work, and management had knowledge about the daily operations of technical staff. DNFSB officials told us that there were no standard ways of conducting technical staff work and that staff would perform the same work in different ways based on their expert knowledge. According to a DNFSB document, work products were consistently reviewed and carefully screened by management for technical accuracy and consistency. According to DNFSB officials, the agency began developing detailed policies and procedures for the technical staff's work in response to a 2012 external risk assessment report. The DNFSB-commissioned external risk assessment found that DNFSB's policies and procedures were not sufficient in a number of areas, including those governing technical staff's work. The report stated that this finding posed a high risk for the agency because the lack of policies and procedures raised questions about the standards followed in performing reviews, the content of DNFSB's reports and correspondences, and the performance and achievement of agency goals. In addition, the report stated that DNFSB managers noted that the lack of policies and procedures hindered the development of new staff. 
The report stated that DNFSB's technical reports are judged by outside parties to be of high quality. According to DNFSB documentation, DNFSB anticipates implementing a total of 90 policies and procedures for technical staff over a 3-year period from fiscal year 2014 to fiscal year 2016.[Footnote 25] The new policies and procedures are to cover seven broad types of work activities performed by the technical staff (see table 1). Table 1: Examples of Planned and Implemented Policies and Procedures for the Defense Nuclear Facilities Safety Board's Technical Staff's Work Activities: Technical staff work activity: Supporting strategic planning and Board activities; Examples of planned and implemented policies and procedures in the technical staff work activity: * Developing input to the Annual Performance Plan and Annual Performance Report; * Supporting Board investigations; * Prioritizing internal technical work[A]; Total number of policies and procedures planned: 5; Number of policies and procedures implemented as of September 2014: 1. Technical staff work activity: Technical staff assignments and work control; Examples of planned and implemented policies and procedures in the technical staff work activity: * Staff resource planning and prioritization; * Developing technical staff oversight plans[A]; * Expectations for technical group leads, cognizant engineers, and site representatives; Total number of policies and procedures planned: 13; Number of policies and procedures implemented as of September 2014: 1. Technical staff work activity: Conducting technical staff reviews; Examples of planned and implemented policies and procedures in the technical staff work activity: * Planning and conducting technical staff reviews[A]; * Developing agendas for technical staff reviews[A]; * Documenting and reviewing engineering calculations[A]; Total number of policies and procedures planned: 12; Number of policies and procedures implemented as of September 2014: 5. 
Technical staff work activity: Communicating, coordinating, and developing technical staff work products; Examples of planned and implemented policies and procedures in the technical staff work activity: * Developing the Board's Annual Report to Congress; * Developing Board letters; * Developing Board recommendations; Total number of policies and procedures planned: 21; Number of policies and procedures implemented as of September 2014: 0. Technical staff work activity: Tracking and resolution of issues; Examples of planned and implemented policies and procedures in the technical staff work activity: * Tracking and closing internal staff commitments to Board[A]; * Tracking and closing Board safety issues and DOE's commitments to the Board[A]; * Identifying, documenting, and applying lessons learned; Total number of policies and procedures planned: 6; Number of policies and procedures implemented as of September 2014: 5. Technical staff work activity: General work practices; Examples of planned and implemented policies and procedures in the technical staff work activity: * Reviewing electrical systems and designs; * Overseeing new facility construction and startups; * Managing and retaining technical staff records and information[A]; Total number of policies and procedures planned: 27; Number of policies and procedures implemented as of September 2014: 4. Technical staff work activity: Hiring, development, and training; Examples of planned and implemented policies and procedures in the technical staff work activity: * Training of new technical staff; * Developing technical staff; * Required reading list for technical staff; Total number of policies and procedures planned: 6; Number of policies and procedures implemented as of September 2014: 0. Source: GAO analysis of Defense Nuclear Facilities Safety Board data. GAO-15-181. [A] Example of technical policies and procedures that DNFSB has implemented as of September 2014.
[End of table]

As of September 2014, DNFSB had implemented 16 of the 90 planned policies and procedures for the technical staff's work. Additionally, a further 50 of the planned policies and procedures were in development. According to a DNFSB document, DNFSB prioritized and divided the implementation into three phases based on how frequently the technical staff performed an activity and whether the policy or procedure had a clear development path. The implementation phases are as follows:

* Phase 1 - These policies and procedures focus on activities that the technical staff perform frequently to fulfill DNFSB's mission, such as reviewing DOE directives, tracking DOE's commitment to resolving safety issues in recommendations, and developing externally released documents. Phase 1 comprises 29 technical policies and procedures. According to DNFSB officials, implementing Phase 1 will eliminate most of the risk that the 2012 external risk assessment report found because Phase 1 covers approximately 90 percent of the technical staff's work. As of September 2014, DNFSB had implemented 14 of the 29 policies and procedures, and 15 were in development. DNFSB officials had told us they planned to complete implementation of Phase 1 by mid-November 2014 but, according to a DNFSB document, officials expect to complete Phase 1 by March 2015.

* Phase 2 - These policies and procedures focus on the planning and prioritization of technical activities, such as annual planning, and provide expanded guidance for Phase 1 policies and procedures, such as guidance on developing technical reports. Phase 2 comprises 36 policies and procedures. As of September 2014, DNFSB had implemented 2 of 36, and 31 were in development. DNFSB expects to complete implementation by the end of fiscal year 2015, according to agency officials.
* Phase 3 - These policies and procedures focus on technical activities performed less frequently, such as developing the annual report to Congress and hiring technical staff. Phase 3 comprises 25 policies and procedures, and DNFSB plans to begin implementation of Phase 3 in fiscal year 2016 and expects to complete it by the end of fiscal year 2016, according to agency officials.

From May to late September 2014, the agency paused the development and implementation of most of its Phase 1 technical policies and procedures, in part, to assess its technical staff's understanding and compliance with the newly implemented policies and procedures, and have sufficient time to accomplish primary mission activities, such as addressing emergency events at nuclear facilities sites. According to DNFSB officials, only one set of technical policies and procedures, related to developing the annual work plan, was implemented during the pause. DNFSB officials told us that they resumed the development and implementation of the Phase 1 policies and procedures in late September 2014 and plan to complete them by March 2015. DNFSB has also implemented two Phase 2 policies and procedures. According to DNFSB documentation, the agency will complete an implementation plan and schedule for Phase 2 by the end of December 2014.

DNFSB Assessments of Internal Control Were Largely Limited to Administrative Activities, and Records Are Missing and Incomplete:

Until fiscal year 2014, DNFSB largely limited its assessment of the adequacy and effectiveness of its internal controls to its administrative and legal activities, and the agency's records of those assessments are missing or incomplete. DNFSB has a four-step process for assessing its internal control activities, but we found that records at each step were missing or incomplete, and DNFSB officials said that it was likely that some assessments were not performed.
In addition, in fiscal years 2012 and 2013, the DNFSB Chairman did not use the language prescribed by OMB guidance in the agency's FMFIA-required internal control assurance statements to clearly summarize the condition of internal control at the agency.

DNFSB Assessments of Internal Control Were Largely Limited to Administrative and Legal Policies and Procedures:

From fiscal year 2007 through fiscal year 2013, DNFSB largely limited its assessment of the adequacy and effectiveness of its internal control to administrative and legal policies and procedures, but recently expanded its assessment to include some of the newly-implemented policies and procedures for the technical staff. FMFIA establishes overall requirements with regard to internal control. OMB implementing guidance for FMFIA directs agencies to establish, assess, correct, and report on the adequacy and effectiveness of internal controls over all programs and operations to provide reasonable assurance that agency operations are effective, efficient, and in compliance with laws and regulations.[Footnote 26] According to DNFSB officials and records, however, for fiscal years 2007 through 2013, DNFSB principally assessed only its administrative and legal policies and procedures. As previously discussed, DNFSB had few policies or procedures for the technical staff until some were developed and implemented in fiscal year 2014, which meant that there were few to be assessed by DNFSB. Beginning in fiscal year 2015, DNFSB documents indicate that the agency plans to expand the number of assessments it conducts to a minimum of 30--nearly double the number it usually conducted in the past. As a part of these plans, DNFSB is to include some of the new policies and procedures implemented for the technical staff, such as planning and conducting technical staff reviews and tracking and closure of internal staff commitments to the Board.
Expansion of its planned assessments to include the newly implemented policies and procedures for the technical staff will help the agency assess the effectiveness of these policies and procedures and whether additional improvements are needed. To assess the adequacy and effectiveness of its internal control, DNFSB instituted a four-step process in 2007, and, in general, that process still is used. The first step begins with the selection of the control areas to be assessed for that year. In the past, these control areas were selected by the general manager's office, with input from members of DNFSB's Executive Committee on Internal Controls (ECIC). The ECIC is composed of DNFSB's senior internal management--such as its technical director, general manager, and general counsel--and since 2013 has also included two members of the Board. Beginning in fiscal year 2013, the areas were selected by the ECIC as a whole. The senior managers assign these assessments to the respective DNFSB program managers. In the second step, program managers complete the assessments. Areas assessed may include the financial reporting program, the classified document handling program, or the maintenance of accurate time and attendance records. Program managers may judge their programs as effective, effective with minor exceptions, or ineffective. Senior managers are to develop corrective action plans for areas judged ineffective. The third step consists of ECIC review of the completed assessments and corrective action plans for significant deficiencies identified during the assessments. The fourth step consists of the development of annual assurance statements by DNFSB's senior internal management, stating whether there was reasonable assurance that internal controls were adequate and effective, which are submitted to the Chairman. Some significant deficiencies may be considered reportable conditions, which are reported to the Chairman in these statements. 
These statements and the assessment findings provide the primary basis for the Chairman's annual evaluation and management assurance statement of the overall adequacy and effectiveness of internal controls within the agency, a statement which is required by FMFIA. According to DNFSB officials, the ECIC generally met twice a year through fiscal year 2013, but since then, meets three times a year--once in June, to review completed assessments, identify where corrective action plans are needed, and select the assessment areas for the next year; in September, to review the status of the corrective action plans and to review assurance assessments from DNFSB's senior management; and, in March, to further review the corrective action plans.

Records Documenting the Four-Step Internal Control Process Are Missing or Incomplete:

From fiscal years 2007 through 2014, DNFSB records documenting the four steps of its internal control process were missing or incomplete, and DNFSB officials said that some steps likely were not performed. OMB implementing guidance for FMFIA directs agencies to have a clear, organized strategy for internal control assessment, with well-defined documentation processes that contain an audit trail, verifiable results, and specific document retention periods so that someone not connected with the procedures can understand the assessment process.[Footnote 27] However, DNFSB could not consistently provide complete records documenting the control areas that were selected for assessment, the internal control assessments conducted by program managers, the ECIC supervisory reviews, or the assurance statements used as the basis for the Chairman's FMFIA internal control assurance statement. DNFSB officials stated that the missing or incomplete records were due to a lack of staff to conduct the assessments or staff that had left DNFSB.
Such documentation, consistent with OMB's implementing guidance, would provide DNFSB with an institutional record to assist in providing reasonable assurance that it is performing all the steps of its internal control assessment process. For the first step, DNFSB could not provide complete records documenting which areas were selected for assessment by the ECIC. Specifically, as shown in table 2, DNFSB could not provide records of its planning meetings for 3 years--2008, 2010, and 2011. DNFSB officials stated that they could not be certain that the ECIC had met to assign control areas for assessment in those missing years or provide further explanation for the missing records. DNFSB is also missing records for the second step--the internal control assessments conducted by program managers--in almost every year from fiscal year 2007 through 2014. For example, as shown in table 2, for fiscal year 2009, DNFSB was missing four records of planned assessments--officials were able to provide us with complete records for 9 assessments out of the 13 areas planned for assessment by the ECIC. For fiscal year 2010, DNFSB could not provide any records of internal assessment for the 12 programs it planned to assess. In fiscal year 2012, it provided 20 assessments out of the 23 programs planned by the ECIC. In fiscal year 2014, ECIC records state it planned to assess its emergency preparedness program, but DNFSB instead provided an assessment record for its drug free workplace program. DNFSB officials stated that someone must have inadvertently transposed the list of areas planned for assessment. Because DNFSB was unable to provide records documenting the ECIC's planned assessments for fiscal years 2008 and 2013, we were unable to determine how many internal control assessments were missing or not done in those years. DNFSB, however, provided all 18 records for fiscal year 2011. In addition, some records were incomplete or did not conform to DNFSB's established process. 
For example, in 2008, two of the five records that DNFSB provided to us were contractor memos that did not conform to DNFSB guidance on internal control assessments. In 14 other instances, the assessments do not contain the signature of a supervisor's review, or the staff member performing the assessment also signed off on its supervisory review. In 2009, of the nine assessments provided, all but one did not have the approval of a manager or were approved by the same official performing the review. In 2012, an assessment in the general counsel's office was approved by the same official who conducted the review. In 2013, four assessments in the general manager's office were approved by the same official who conducted the reviews and, in 2014, one assessment in that office was not signed. A DNFSB official said this was "not ideal," but probably due to a lack of staff. Under federal standards for internal control, key responsibilities, such as reviewing transactions (in these cases, control assessments), should be segregated among different people to reduce the risk of error or fraud. Without such segregation of responsibilities, particularly in assessments of internal control, DNFSB does not have reasonable assurance that control activities are being accurately performed. Table 2: Status of Defense Nuclear Facilities Safety Board Records of Internal Control for Fiscal Years 2007 through 2014: Fiscal years: 2007; Step 1: Executive Committee on Internal Controls (ECIC) planning records: Records provided: Yes; Planned assessments: 17; Step 2: Internal control assessments records: Complete records provided: 6; Incomplete records provided: 2; Records not provided: 9; Step 3: ECIC supervisory review records: Records provided: No; Step 4: Directors' signed internal control assurance statements: Records provided: No. 
Fiscal years: 2008; Step 1: Executive Committee on Internal Controls (ECIC) planning records: Records provided: No; Planned assessments: [A]; Step 2: Internal control assessments records: Complete records provided: 3; Incomplete records provided: 2; Records not provided: [A]; Step 3: ECIC supervisory review records: Records provided: No; Step 4: Directors' signed internal control assurance statements: Records provided: No. Fiscal years: 2009; Step 1: Executive Committee on Internal Controls (ECIC) planning records: Records provided: Yes; Planned assessments: 13; Step 2: Internal control assessments records: Complete records provided: 9; Incomplete records provided: 0; Records not provided: 4; Step 3: ECIC supervisory review records: Records provided: Yes; Step 4: Directors' signed internal control assurance statements: Records provided: Partial. Fiscal years: 2010; Step 1: Executive Committee on Internal Controls (ECIC) planning records: Records provided: No; Planned assessments: 12; Step 2: Internal control assessments records: Complete records provided: 0; Incomplete records provided: 0; Records not provided: 12; Step 3: ECIC supervisory review records: Records provided: Yes; Step 4: Directors' signed internal control assurance statements: Records provided: Partial. Fiscal years: 2011; Step 1: Executive Committee on Internal Controls (ECIC) planning records: Records provided: No; Planned assessments: 18; Step 2: Internal control assessments records: Complete records provided: 18; Incomplete records provided: 0; Records not provided: 0; Step 3: ECIC supervisory review records: Records provided: Yes; Step 4: Directors' signed internal control assurance statements: Records provided: Yes. 
Fiscal years: 2012; Step 1: Executive Committee on Internal Controls (ECIC) planning records: Records provided: Yes; Planned assessments: 23; Step 2: Internal control assessments records: Complete records provided: 20; Incomplete records provided: 0; Records not provided: 3; Step 3: ECIC supervisory review records: Records provided: Yes; Step 4: Directors' signed internal control assurance statements: Records provided: Partial. Fiscal years: 2013; Step 1: Executive Committee on Internal Controls (ECIC) planning records: Records provided: Yes; Planned assessments: [A]; Step 2: Internal control assessments records: Complete records provided: 12; Incomplete records provided: 0; Records not provided: [A]; Step 3: ECIC supervisory review records: Records provided: No; Step 4: Directors' signed internal control assurance statements: Records provided: Yes. Fiscal years: 2014; Step 1: Executive Committee on Internal Controls (ECIC) planning records: Records provided: Yes; Planned assessments: 15; Step 2: Internal control assessments records: Complete records provided: 15; Incomplete records provided: 0; Records not provided: 1[B]; Step 3: ECIC supervisory review records: Records provided: Yes; Step 4: Directors' signed internal control assurance statements: Records provided: [C]. Source: GAO analysis of Defense Nuclear Facilities Safety Board records. GAO-15-181. [A] Due to missing ECIC planning records in these years, we were unable to determine how many internal control assessment records were missing or not done. [B] ECIC records state it planned to assess its emergency preparedness program, but it instead provided an assessment record for its drug free workplace program. According to a DNFSB document, someone inadvertently transposed the list of areas planned for assessment. [C] The internal control assurance statements for fiscal year 2014 were not available at the time of our review, but complete records were provided with the agency comments. 
[End of table] DNFSB officials said that while some of these missing internal control assessments had been performed, some may not have been. According to DNFSB officials, many of the DNFSB officials with responsibility for these assessments have left the agency, but one official remaining from that period said he thought that he had completed assessments for the acquisition and finance division in fiscal year 2010. In addition, in fiscal years 2009 and 2010, DNFSB could not provide records documenting that the general counsel's office had performed its assigned assessments. This official stated that these assessments were likely not performed due to turnover in the general counsel's office. In one instance, we found that when a program assessment was not completed, a problem with the program was not identified and resolved. Specifically, DNFSB officials told us that the planned assessment of the Equal Employment Opportunity (EEO) program in fiscal year 2012 was likely not conducted because the official in charge had retired. The ECIC identified this program again for review in fiscal year 2014, when the assessment found that the DNFSB had not submitted its annual report on its EEO programs--as directed by Equal Employment Opportunity Commission guidance--since fiscal year 2012.[Footnote 28] According to DNFSB officials, the agency subsequently submitted the required report for fiscal year 2013. At the third step of the internal control assessment process--the ECIC supervisory review of the assessments--DNFSB could also not provide complete records documenting the ECIC supervisory review meetings had occurred. For example, as shown in table 2, DNFSB provided records for fiscal years 2009 through 2012, but it could not provide records of its ECIC review meetings in 2007, 2008, and 2013. 
DNFSB officials stated that they thought that the ECIC had probably met to perform supervisory reviews in those missing years but could not provide any further records of those meetings. In some instances, we found that problems identified in internal control assessments were not resolved in a timely fashion. Federal standards for internal control direct management to promptly evaluate any findings from audits and other reviews, determine proper actions, and to complete, within established time frames, all actions to correct or resolve matters. DNFSB internal control program guidance, published in 2007 and revised in 2013, directs managers to create corrective action plans for significant deficiencies, and for the ECIC to monitor them to ensure that they are corrected. Formal corrective action plans are not required for nonsignificant deficiencies, but DNFSB guidance states that they should also be corrected on a timely basis and monitored at the office level. As such, according to DNFSB officials, DNFSB has implemented a formal mechanism to track resolution of problems in work areas that are judged "ineffective." Those which are judged "effective, with minor exceptions"--but nonetheless have recommended corrective actions--are not tracked. In 2012, three internal control assessments--for the drug free workplace program, the classified document program, and the employee awards program--stated that the programs were effective with minor exceptions, and that policies and procedures needed to be finalized for these programs by December 2012 or January 2013. However, as of September 2014, these policies and procedures had not been finalized, even though the drug free workplace program and the classified document program are designated as high-risk programs. Procedures exist for the drug free workplace, classified document, and employee awards programs, but they are outdated--dating back to 1996, 2000, and 1999, respectively.
Without a mechanism for the ECIC to track and ensure the prompt resolution of all problems identified in its assessments, DNFSB cannot have reasonable assurance that all internal control problems are being corrected in a timely manner. For the fourth step of DNFSB's internal control assessment process, DNFSB provided internal control assurance statements from its senior internal management for fiscal years 2011 and 2013 but provided partial or no records for the 5 other fiscal years we reviewed.[Footnote 29] These statements provide the basis for the Chairman's FMFIA management assurance statement. DNFSB provided complete records of assurance statements for fiscal years 2011 and 2013. DNFSB provided only the technical director's assurance statements for fiscal years 2009 and 2012 and the statements from the general counsel and technical director for fiscal year 2010. DNFSB officials said they were not certain whether the senior managers had completed the remaining missing assurance statements for the other fiscal years. As a result, we could not determine what evidence the DNFSB Chairman used as the basis of his FMFIA internal control assurance statement for those years and whether those statements were accurate.

DNFSB Chairman Did Not Use Prescribed Language to Report on Its Internal Controls:

In fiscal years 2012 and 2013, the Chairman's annual internal control assurance statement did not contain the language prescribed by OMB guidance for FMFIA-required internal control assurance statements to clearly summarize the condition of internal control at the agency. Under FMFIA, agency management must provide an annual assurance statement on the adequacy of internal controls.
OMB, which provides guidance to agencies carrying out FMFIA's reporting requirements, has directed agencies to use one of three prescribed terms for the agency's assessment of internal controls--unqualified (no material weaknesses reported), qualified (one or more material weaknesses reported), or statement of no assurance (no processes in place or pervasive material weaknesses). From 2007 through 2011, the Chairman's internal control assurance statements used one of these three prescribed terms to summarize the condition of the agency's internal control. The Chairman's two most recent internal control assurance statements, however, did not contain any of these three prescribed terms. Instead, in 2012, the Chairman stated he could provide "a statement of assurance," and in 2013, the Chairman stated he could provide "reasonable assurance" about the adequacy of its internal controls. DNFSB officials stated that the OMB guidance was unclear, and that the Chairman's statement also explained that the agency had found no material weaknesses, which agency officials stated they believed was sufficient. Without the prescribed terms, however, the assurance statements are not consistent with OMB guidance for summarizing the condition of an agency's internal controls. If the Chairman used one of the three prescribed terms in OMB guidance to describe his assessment of DNFSB's internal control, it would help ensure that his assurance statement is clearly understood by others, as the guidance defines the meaning of each prescribed term. Because of the missing internal control assessments, we were unable to determine the basis for the Chairman's annual assurance statement for fiscal years 2007 through 2013. In 2012, an external risk assessment of DNFSB stated that the technical director did not have documentation underpinning his annual assurance statement to the Chairman and instead based it on his knowledge gained from daily operations and weekly meetings. 
The report stated that DNFSB needed to implement a more disciplined approach to and documentation of mission-related activities in the technical department to meet OMB guidance for internal control, and that this documentation should be used as the basis for the technical director's assurance statement. In DNFSB's annual performance and accountability report for fiscal year 2012, DNFSB noted that the report had identified "a number of opportunities for improvement," but described the results of the external risk assessment report done that year as "generally positive." Current Board members, however, told us that they were aware that the results of the 2012 external risk assessment report were not generally positive. In its fiscal year 2013 performance and accountability report, DNFSB identified the lack of formal internal controls for its technical staff work as a reportable condition. According to DNFSB officials, the lack of a formal internal control program for the technical department was not considered to rise to the level of a material weakness, as management considered technical operations as a whole to be effective.

Until 2014, DNFSB Did Not Meet to Conduct Agency Business and Does Not Publicly Disclose Vote Results:

Until October 2014, the DNFSB Board did not meet to conduct agency business, and it does not publicly disclose the results of its votes. Instead of holding meetings to deliberate and conduct business, the Board generally conducts most agency business through notational voting. The Board holds occasional hearings to receive testimony from DOE and the public regarding either a particular site or topic of interest, but the Board does not conduct agency business at these hearings. In addition, DNFSB does not publicly disclose the results of the Board's notational votes or identify the Board members voting for or against recommendations to DOE. 
Recently, the Board voted to develop a formal procedure to disclose voting results to the public, but the procedure has not been finalized.

Until Recently, the Board Did Not Hold Meetings to Conduct Agency Business:

Until October 2014, the Board did not meet to conduct agency business. The Sunshine Act does not require agencies to meet to conduct business. However, if an agency holds a meeting as defined by the Sunshine Act--which is defined as the deliberations of a quorum or more of Board members that determine or result in the joint conduct or disposition of official agency business--it generally must be open to the public.[Footnote 30] The Sunshine Act states that the public is entitled to the fullest practicable information regarding the decision-making processes of the federal government. Other than the public business meeting the Board held on October 30, 2014, DNFSB officials could not provide specific information on the last time the Board met to conduct agency business, and the Board Chairman stated that the Board had not held a public meeting during the 8 years he had been on the Board. According to DNFSB members and officials, instead of conducting business at public meetings, the Board employs an alternate voting practice known as notational voting. Under this practice, the Board circulates written materials for members to review, comment on in writing, and vote on in writing. Notational voting is not prohibited by the Sunshine Act and is widely practiced by agencies, according to a report by a member of staff counsel from ACUS--an independent federal agency that provides advice on agency procedures.[Footnote 31] However, the report's author stated that notational voting was the least efficient method for conducting official agency business and that it may hamper collegiality among a board. Additionally, the report noted that overreliance on notational voting could "swallow" the rule of openness created by the Sunshine Act. 
DNFSB officials told us that the agency has established a mechanism to ensure that any gathering where a quorum of Board members is present does not meet the definition of a meeting. In 1991, DNFSB finalized a rule implementing the Sunshine Act, which required the agency general counsel or designee to attend any briefings or informal preliminary discussions where a quorum of Board members was present to assure that the discussions did not become deliberations and Sunshine Act meetings.[Footnote 32] In 2012, a DNFSB document identified implementation of this rule as a deficiency, and established a control in 2013 to ensure that the general counsel's secretary is included on requests for Board briefings, and an attorney is assigned to each briefing. DNFSB officials told us that any gathering of three or more Board members--such as daily update briefings or briefings from the technical staff on potential recommendations--always has a member of the general counsel's office present to ensure that Board members do not question or engage in debate with each other. A Board member told us that holding meetings was not likely to change the individual Board members' decisions since they are experts in their field and were unlikely to change their opinions by meeting in person to discuss or debate topics. A Board member stated that it is better if Board members reach their decisions on their own and that negotiating among Board members could lead to "groupthink." The Chairman also said that by not holding public meetings, DNFSB can keep the public and media's attention focused on DNFSB's oversight of DOE, rather than on DNFSB's decision-making processes. DNFSB, pursuant to its statutory authority, holds occasional hearings to receive testimony from DOE and the public regarding either a particular site or topic of interest, such as DOE's safety culture. 
[Footnote 33] DNFSB publicizes all of these hearings in the Federal Register as both hearings and Sunshine Act meetings, but Board members stated that no agency business is conducted at these hearings. DNFSB officials said that some of these hearings could have been meetings as defined by the Sunshine Act. However, Board members said that these hearings are scripted and rehearsed ahead of time, and that they do not debate Board business with each other at these hearings. DNFSB did not identify any hearings where the Board members engaged in public deliberations. DNFSB officials told us that they publicize the hearings as both hearings and meetings in case a Board member chooses to discuss or debate a topic with another Board member. The Federal Register notices for these hearings do not specify that agency business will likely not be conducted at these meetings, however, so it is not clear to the public that the hearings are not intended to be Sunshine Act meetings. By not clearly distinguishing in the Federal Register between public hearings and public meetings, DNFSB risks misleading the public about the intent and content of the hearings, and may give the public the impression that Board business is being conducted publicly when it is not. In April 2014, the Board voted to approve a Board member's proposal to hold a Sunshine Act meeting. DNFSB publicized this public business meeting in a Federal Register notice, and on October 30, 2014, held the meeting, at which DNFSB staff presented annual work plans and staffing plans for fiscal year 2015.

The Board Does Not Have a Policy to Publicly Disclose Its Votes:

Since 2013, DNFSB has used notational voting to decide a range of matters, but it does not have a policy to disclose that the votes have taken place or the results of those votes. 
The Sunshine Act requires agencies to make public the transcript, minutes, or recordings of meetings, but it does not require agencies to disclose the results of business conducted through notational voting, or even to disclose that such a vote has occurred. According to DNFSB officials, prior to implementation of Board procedures in 2013, the Board voting process was less formal and focused on achieving unanimity. The Board generally only voted on recommendations to DOE, and these recommendations stated that the Board had voted unanimously to approve them. Our review of a selection of recent internal DNFSB voting records showed that the Board is currently using notational voting to decide on a range of matters--from the updated 2014 Board procedures to the agency's strategic plan--in addition to formal recommendations to DOE.[Footnote 34] However, DNFSB has not disclosed the results of these votes to the public, or that these votes have occurred. DNFSB members and officials told us that although they do not publicly disclose the results of their votes, the records may be available to those who file Freedom of Information Act (FOIA) requests. A recent NRC-OIG report found, however, that management had not implemented effective internal controls for DNFSB's FOIA process.[Footnote 35] The report states that DNFSB staff do not always follow FOIA guidance when searching for records and responding to requests. As a result, inaccurate and incomplete responses have occurred. 
In June 2014, ACUS recommended that agencies which use notational voting disclose to the public what types of business they conduct via notational voting, summarize the business conducted through notational voting, and disclose the conclusions--including votes--the agency reaches via this method.[Footnote 36] The ACUS official's report stated that many agencies have voluntarily implemented procedures for disclosing matters conducted through nonpublic decision-making processes and provide an opportunity for members to explain their decisions. Furthermore, an ACUS official and a representative of the Sunlight Foundation--an organization focused on improving transparency in government--stated that disclosing the results of notational votes is important for public transparency. The Sunlight Foundation representative said that it was very unusual for an agency not to publicly disclose the results of its votes as a matter of routine, and that he had never heard of an agency requiring a FOIA request before making voting results public. Other agencies--such as the NRC, Federal Communications Commission (FCC), and the Chemical Safety Board--routinely disclose the results of their votes. For example, the NRC makes the full voting record public on its website, including commissioner comments and edits to documents, and the FCC allows commissioners to publish individual statements on matters, if they wish. The Board recently voted to develop a formal policy to disclose its voting results to the public. Specifically, in June 2014, according to Board voting records, the Board voted in favor of a proposal to publicly disclose the results of its votes. The Board member who proposed the change commented in writing on the vote record that there are no current means for Board members to publicly express a minority viewpoint on individual actions the Board may take, and that the records of these expressions should not require a FOIA request. 
During the October 2014 public business meeting, a Board member raised concerns that the policy was not being developed. As of November 2014, a formal policy to disclose the voting results to the public had not been developed. Having a policy to disclose what matters have been considered by notational vote and the results of those votes, including concurring and dissenting comments, if any, would enhance DNFSB's public transparency and allow the public to be knowledgeable about the Board's decisions and its decision-making process.

DNFSB Took Steps to Obtain IG Services but Did Not Meet Statutory Deadlines:

DNFSB took some steps to obtain IG services from the NRC-OIG and 17 other IG offices, but it did not meet two statutory deadlines to conclude an agreement for such services, and the NRC-OIG was authorized by law to serve as DNFSB's IG in January 2014. In December 2011, the Consolidated Appropriations Act for Fiscal Year 2012--the 2012 law--required DNFSB to enter into an agreement with the NRC-OIG for IG services for fiscal years 2012 and 2013 by March 22, 2012.[Footnote 37] The 2012 law further required DNFSB to obtain IG services annually after the agreement expired but did not appropriate money specifically for the IG services. DNFSB and the NRC-OIG began discussions in January 2012, but DNFSB and NRC-OIG officials told us that it quickly became clear that the agencies disagreed over the scope and cost of services intended by the 2012 law. 
Specifically, the NRC-OIG proposed that it would provide the full scope of IG services--to include statutorily mandated audits, performance audits, other audits deemed necessary by the IG, and investigations--at a cost of $300,000 for the remainder of fiscal year 2012, and $765,000 for fiscal year 2013.[Footnote 38] However, DNFSB documents show that DNFSB interpreted the requirements of the 2012 law as requiring less than the full scope of IG services because the 2012 law did not specifically reference the IG Act, and it did not define IG services. DNFSB instead proposed that the NRC-OIG provide only statutorily mandated audits, such as financial audits. In addition, according to DNFSB documents, DNFSB considered the NRC-OIG's proposed cost for IG services to be disproportionately high for DNFSB's size and scope of operations after DNFSB reviewed the IG costs for other federal agencies. According to DNFSB officials, as it became clear that the agency would not reach an agreement with the NRC-OIG by the statutory deadline, it contacted nine other IG offices in March and April 2012 to inquire about obtaining limited IG services. A DNFSB document states that it sought a more cost-effective option than the NRC-OIG proposal. DNFSB officials stated that, while the outreach did not comply with the statute, they hoped it would be interpreted as a "good faith" effort to comply. However, over the next 4 months, all of these IGs declined to provide their services.[Footnote 39] According to DNFSB documents and information we collected from IG officials, IGs stated that they declined because they did not have expertise in DNFSB's mission or were constrained by their own limited resources. After it was unable to reach an agreement with the NRC-OIG or the nine other IG offices for IG services, DNFSB contracted with an external auditing firm for a risk assessment of its programmatic and administrative operations in August 2012. 
DNFSB paid approximately $138,000 for the risk assessment.[Footnote 40] As previously discussed, this risk assessment found that DNFSB's policies and procedures were not sufficient in a number of areas, including those governing technical staff's work and that this posed a high risk for the agency. According to letters sent to congressional committees in August 2012, DNFSB characterized the risk assessment as IG services for the remainder of fiscal year 2012. However, according to the contract with the external auditing firm, the risk assessment was intended as an initial step in preparing for obtaining IG services or having an IG. Also, according to a January 2013 letter DNFSB sent to a Member of Congress and interviews with DNFSB officials, the risk assessment was not a substitute for having an IG. Subsequently, with new requirements in the National Defense Authorization Act (NDAA) for Fiscal Year 2013, DNFSB restarted negotiations with the NRC-OIG for IG services. The negotiations began in January 2013, but DNFSB and NRC-OIG were unable to conclude an agreement for IG services by the act's deadline of October 1, 2013. The NDAA required DNFSB to enter into an agreement for IG services, in accordance with the IG Act, with a federal agency IG with expertise related to DNFSB's mission.[Footnote 41] In addition, the NDAA requires DNFSB to ensure that future presidential budget submissions included a separate line item for IG services. According to DNFSB and NRC-OIG documents and officials, DNFSB and the NRC-OIG negotiated from January 2013 through September 2013. However, according to DNFSB and NRC-OIG documents and officials, the agencies ultimately could not agree for the following reasons:

* Independence of the IG - NRC-OIG officials expressed concern that DNFSB's draft agreements included terms that would interfere with the OIG's independence. For example, one of DNFSB's draft agreements stated that the NRC-OIG would propose an audit plan to the DNFSB, but the Board Chairman would authorize such audits as he deemed necessary, and the other draft agreements included a citation to the IG Act which the NRC-OIG stated would cause confusion about its independence. However, DNFSB officials stated that their draft agreements to the NRC-OIG did not include any provisions that could permit interference with the NRC-OIG's activities.

* Cost of IG services - DNFSB proposed providing $400,000 to the NRC-OIG if no specific amount was appropriated to DNFSB for IG services, and that DNFSB would reimburse the NRC-OIG for any costs in excess of that amount--up to $850,000--if DNFSB funds were available. The NRC-OIG officials stated that DNFSB's proposed funding level did not provide adequate resources to provide on a limited scale the oversight required by law and that it was inconsistent with an unenacted Senate bill that would have appropriated $850,000 to the NRC-OIG to provide IG services to DNFSB. However, DNFSB officials stated that a report accompanying an unenacted House bill, included, at DNFSB's request, $200,000 of DNFSB's appropriation to be used to procure IG services from the NRC-OIG.

* Transfer of payment for IG services - DNFSB officials indicated that they did not think that the agency had the statutory authority to transfer DNFSB's full-time equivalents (FTE) and management responsibility for the FTEs to the NRC-OIG to pay for IG services. In addition, the NRC-OIG could not use its appropriations to provide DNFSB with IG services because it is funded by fees from NRC licensees. DNFSB proposed that the NRC-OIG invoice DNFSB monthly for IG services, but the NRC-OIG was concerned this would affect its independence.
As the discussions with the NRC-OIG continued, DNFSB also contacted 12 IGs--4 of which it had previously contacted--from April to September 2013 to attempt to obtain IG services.[Footnote 42] Ultimately, according to DNFSB documents and information we collected from IG officials, DNFSB could not reach an agreement for IG services with any of the IGs by the statutory deadline of October 2013. Most IGs declined to provide IG services because they stated, among other reasons, that they did not have expertise relating to DNFSB's mission or had insufficient resources. However, in November 2013, the USPS-OIG responded to DNFSB's inquiry and began negotiations. In December 2013, DNFSB and the USPS-OIG reached an agreement for IG services. Specifically, the USPS-OIG was to conduct three to four audits and investigations annually at a cost of $135,000 for fiscal year 2014, which would be funded on a monthly reimbursable basis. A USPS-OIG official stated that the USPS IG has expertise in DNFSB's mission because the IG served for 5 years as the NRC IG. The USPS-OIG official also stated that the USPS IG was not concerned about independence because the USPS-OIG would direct the audit and investigative services that DNFSB needed, and its budget would cover these services until DNFSB reimbursed it. According to the agreement, the USPS-OIG would have sole discretion to determine the staffing, conduct, and scope of any audits and investigations performed for DNFSB. However, this agreement was rendered moot by the Consolidated Appropriations Act for Fiscal Year 2014, which was signed into law in January 2014, and authorized the NRC-OIG to serve as DNFSB's IG and appropriated $850,000 to the NRC-OIG to provide IG services to DNFSB. In April 2014, the NRC-OIG began providing IG services to DNFSB. From April to September 2014, the NRC-OIG had four auditors and one investigator working at DNFSB. 
In September 2014, the NRC-OIG issued reports on its audits of DNFSB's purchase card and FOIA programs.[Footnote 43] In addition, in October 2014, the NRC-OIG issued a report on the management and performance challenges facing DNFSB.[Footnote 44] According to the NRC-OIG's plan for audits for fiscal year 2015, the NRC-OIG will review topics including DNFSB's processes for developing, implementing, and maintaining policy guidance for staff; and its compliance with the Sunshine Act.

Conclusions:

DNFSB provides important oversight and advice to DOE about the protection of public health and safety at DOE's defense nuclear facilities. To better carry out its responsibilities, DNFSB has recently been taking steps to assess and improve its own management and operations and to improve its own internal control. However, DNFSB faces further challenges in improving its internal control and public transparency practices to help ensure that DNFSB is effectively meeting its mission, operating with effective internal control, and informing the public of its activities. Since 2013, DNFSB has implemented important Board procedures and is developing and implementing detailed policies and procedures for technical staff. DNFSB's policies and procedures--when fully developed and implemented--should help provide the Board and staff better assurance that the agency's operations are effective and efficient. However, some Board procedures are not consistently followed or do not align with Board practices. For example, the Board has not followed its new procedure to develop and approve an annual resource plan. As of December 2014, DNFSB did not have an approved resource plan for fiscal year 2015. Additionally, the Board procedure for determining a majority vote to approve recommendations does not accurately reflect the Board's interpretation and practice for determining a majority vote. 
Until the Board clarifies the procedure defining a majority vote--as the majority of the number of Board members voting once a quorum has been established, and not a majority of a quorum--the Board procedures will not align with the Board's interpretation and practices for voting. In addition, DNFSB's plans to expand the number and scope of internal control assessments it performs will help the agency better assess whether its policies and procedures are effective as they are, or whether additional improvements are needed. However, without complete records documenting DNFSB's internal control assessment activities, consistent with OMB's guidance, the agency does not have an institutional record to help ensure that it is performing all the steps of its internal control assessment process. Furthermore, without segregating the responsibilities among different people in reviews of assessments of internal control, DNFSB does not have reasonable assurance that control activities are being accurately performed. Also, although it has a mechanism to track programs that are judged "ineffective," without a similar formal mechanism within the ECIC to track and ensure the prompt resolution of all problems identified in its assessments, DNFSB cannot provide reasonable assurance that all internal control problems are being corrected in a timely manner. Moreover, if the Chairman used one of the three prescribed terms in OMB guidance to describe his assessment of DNFSB's internal control, it would help ensure that his assurance statement is clearly understood by others, as the guidance defines the meaning of each prescribed term. Finally, DNFSB's current meeting and voting practices may limit opportunities for public participation and transparency. The Sunshine Act declares that it is the government's policy that the public is entitled to the fullest practicable information regarding the decision-making processes of the federal government. 
However, by not clearly distinguishing in the Federal Register between public hearings it conducts under its statutory authority and public business meetings, DNFSB risks misleading the public about the intent and content of the hearings, and may give the public the impression that Board business is being conducted publicly when it is not. Instead of conducting business at public meetings, DNFSB generally conducts most agency business through notational voting. The Board recently voted to develop a policy to disclose the results of Board votes, consistent with an ACUS recommendation, but it is unclear whether DNFSB will follow through with development of the policy because a Board member raised concerns during an October 2014 public business meeting that the policy was not being developed. Having a policy to disclose which matters have been considered by notational voting and the results of those votes, including concurring and dissenting comments, if any, would enhance DNFSB's public transparency and allow the public to be knowledgeable about the Board's decisions and its decision-making process.

Recommendations for Executive Action:

To improve internal control and promote transparency, we recommend that the Defense Nuclear Facilities Safety Board (DNFSB) take the following six actions:

* To help ensure that DNFSB's policies and procedures are clear and align with Board practices, we recommend that DNFSB modify the Board procedure that defines what constitutes a majority of votes needed to approve a recommendation.

* To ensure consistency with OMB's guidance for internal control assessment, we recommend that DNFSB clearly document each step of its control assessment activities; maintain that documentation to provide evidence that assessment and control activities are being performed; and ensure that key responsibilities, such as reviewing control assessments, are segregated among different people to help ensure that control activities are being accurately performed.

* To ensure consistency with federal standards for internal control, we recommend that DNFSB develop and implement a formal mechanism within its ECIC to ensure the prompt resolution of all problems identified in its internal control assessments.

* To ensure consistency with OMB's guidance on FMFIA-required internal control assurance statements, we recommend that DNFSB ensure that, in the future, the Chairman's internal control assurance statement uses one of the three prescribed terms to clearly describe the results of the agency's assessment--unqualified, qualified, or statement of no assurance.

* To promote public transparency and openness, we recommend that DNFSB:

- clearly distinguish in Federal Register notices and during the proceedings between (1) public hearings held pursuant to DNFSB's statutory authority and (2) meetings as defined by the Sunshine Act, required to be open to the public; and

- develop and implement a policy to publicly disclose, such as on its external website, those matters that have been considered by notational vote and the results of the Board's votes by Board member, including concurring and dissenting comments, if any.

Agency Comments and Our Evaluation:

We provided a draft of this report to DNFSB, DOE, and the NRC-OIG for review and comment. DNFSB provided written comments, which are reproduced in appendix I. Of the six recommendations directed to it, DNFSB agreed with one, discussed actions taken or planned to take for four, and disagreed with one. 
DNFSB also disagreed with the finding for one recommendation for which it is taking action. DNFSB also provided technical comments, which we incorporated as appropriate. DOE did not provide written comments but provided technical comments, which we incorporated as appropriate. The NRC-OIG stated in a letter, reproduced in appendix II, that it had no comments on the report. Regarding our first recommendation to clearly define what constitutes a majority of votes needed to approve a DNFSB recommendation, DNFSB stated that it has amended the Board procedures to improve clarity in response to our recommendation. Regarding our second recommendation to clearly document each step of its internal control assessment activities, maintain documentation to provide evidence that these activities are being performed, and ensure that key responsibilities are segregated among different people, DNFSB's views were mixed. Specifically, DNFSB stated that it has made improvements to documenting each step of its internal control assessment activities and maintaining that documentation as we recommended, and that further improvements will be identified and implemented. However, DNFSB stated that it did not believe it was practicable to completely segregate internal control assessment activities, as discussed in the recommendation, due to the small size of the agency. As we state in the report, federal standards for internal control direct that key responsibilities should be segregated to reduce the risk of error or fraud. Without such segregation of responsibilities, particularly in assessments of internal control, DNFSB does not have reasonable assurance that control activities are being accurately performed. Thus, we continue to believe that DNFSB should fully implement this recommendation to the extent practical. 
DNFSB agreed with our third recommendation that it develop a formal mechanism to ensure the prompt resolution of all problems identified in its internal control assessments and stated that it has tasked its staff to revise the Board's internal control program policy and procedures. DNFSB accepted the fourth recommendation that the Chairman's annual internal control assurance statement use one of three terms--unqualified, qualified, or no statement of assurance--prescribed by OMB guidance to improve the clarity of assurance statements in the future. However, in its written comments, DNFSB stated that it disagreed with our finding that its 2013 internal control assurance statement was not consistent with OMB guidance. DNFSB stated that OMB guidance does not require the explicit use of the terms--unqualified, qualified, or no statement of assurance--but requires that one of these three concepts be conveyed. DNFSB also stated that the Board's fiscal year 2013 and 2014 assurance statements each took the form of an unqualified statement of assurance, as each stated that the agency had found no material weaknesses in the design or operation of its internal control. However, OMB guidance clearly states that the internal control assurance statement must take one of the three forms, citing the three terms. In addition, as we note in the report, in prior years--from 2007 through 2011--the Chairman's internal control assurance statements used one of these three prescribed terms to summarize the condition of the agency's internal control. DNFSB disagreed with our fifth recommendation that it clearly distinguish in Federal Register notices and during the proceedings between public hearings held pursuant to DNFSB's statutory authority and public meetings as defined by the Sunshine Act. 
In written comments, DNFSB stated that neither the Board's statute nor the Sunshine Act prohibits the Board's current practice of noticing a public proceeding as both a public hearing and a Sunshine Act meeting. The Board stated that it advertises its public hearings as being conducted pursuant to the Board's statutory authority as hearings and in compliance with the Sunshine Act as open meetings to accord maximum flexibility to the Board and in the event that Board members wish to engage in deliberations. The written comments stated that the Board was not aware of a single instance in its history in which a member of the public expressed any confusion or concern because a Board activity was advertised as both a public hearing and a meeting. DNFSB also stated that it includes language in its Federal Register notices to denote that the proceeding is being convened as both a Sunshine Act meeting and a statutory hearing, and that while the proceeding is not required to be noticed under the Sunshine Act, doing so furthers the public interests. In DNFSB's written comments, one Board member, however, provided a dissenting statement saying that he agreed with our recommendation and adding that, to his knowledge, the flexibility cited by DNFSB has never been needed or used. As we state in the report, by not clearly distinguishing between public hearings and public meetings, DNFSB risks misleading the public about the intent and content of the hearings, and may give the public the impression that Board business is being conducted publicly when it is not. Moreover, by including language explaining that the proceeding is not required to be conducted in an open meeting under the Sunshine Act, DNFSB risks further obfuscating the intent and content of the event. As such, we continue to believe that DNFSB should fully implement this recommendation to clearly distinguish between public hearings intended to receive testimony, and Board meetings to conduct business. 
Regarding our sixth recommendation to develop and implement a policy to publicly disclose those matters that have been considered by a notational vote and the results of the Board's votes by Board member, in December 2014, while DNFSB officials were reviewing our draft report, the agency implemented such a policy. Thus, we consider this recommendation fully addressed. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the appropriate congressional committees, the Chairman of the Defense Nuclear Facilities Safety Board, the Secretary of Energy, the Chairman of the NRC, and other interested parties. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff members have any questions about this report, please contact me at (202) 512-3841 or neumannj@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix III. Signed by: John Neumann: Director, Natural Resources and Environment: [End of section] Appendix I: Comments from the Defense Nuclear Facilities Safety Board: Defense Nuclear Facilities Safety Board: Washington, DC 20004-2901: Peter S. Winokur, Chairman: Jessie H. Roberson, Vice Chairman: Sean Sullivan: December 18, 2014: Mr. John Neumann: Director, Natural Resources and Environment: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Neumann: This letter provides the comments of the Defense Nuclear Facilities Safety Board (Board) to the draft audit report of the Government Accountability Office (GAO), GAO-15-181, Defense Nuclear Facilities Safety Board: Agency Needs to Take Steps to Improve Internal Control and Promote Transparency. 
The Board appreciates GAO's review and its recommendations for executive action, most of which the Board accepts and many of which the Board already had begun implementing. Some of the audit findings identify internal control items or record-keeping issues that the Board has been addressing as a result of risk assessment of internal controls completed in 2012. The risk assessment led to the creation of a three-phased program that may eventually implement up to 90 new work procedures for the Technical Staff by the end of FY 2016, with phase one procedures providing the majority of the organizational elements needed for internal controls. At the conclusion of FY 2014, 59 new procedures had been developed, and 14 of 29 phase one procedures had been implemented. This is an important initiative that will be completed as soon as practicable; however, because this is a resource-intensive effort, the rate of development and implementation must be balanced against other important considerations. The Board is committed to completing this effort by the end of FY 2016 and confident that the effort will achieve lasting change. With regard to the specific recommendations presented in the draft audit report, the Board offers the following comments: 1. "To help ensure that DNFSB's [Defense Nuclear Facilities Safety Board] policies and procedures are clear and align with Board practices, we recommend that DNFSB modify the Board procedure that defines what constitutes a majority of votes needed to approve a recommendation." Response: As the body of the draft audit report states, no confusion about the outcome of Board votes has been expressed by Board members or employees. Furthermore, the existing Board procedures made clear that in the event of a tie vote, the proposal failed. 
To improve clarity as recommended in the draft audit report, the Board procedures have been amended to state that once a quorum has been achieved, a majority of those voting must vote in favor of a motion for it to pass. In situations where four or five Board members are participating, this amendment will ensure that at least three votes are required to approve the action, rather than two (i.e., a "majority of a quorum"). 2. "To ensure consistency with OMB's guidance for internal control assessment, we recommend that DNFSB clearly document each step of its control assessment activities; maintain that documentation to provide evidence that assessment and control activities are being performed; and ensure that key responsibilities, such as reviewing control assessments, should be segregated among different people to help ensure that control activities are being accurately performed." Response: The Board appreciates the need to clearly document each step of its control assessment activities and to maintain better control over such documentation to demonstrate that internal assessment and control activities are being performed. The Board already has made improvements related to these first two sub-recommendations as part of the recordkeeping processes defined by the developing Technical Staff internal controls. Further improvements will be identified and implemented. However, given the Board's size, we do not believe it to be practicable for the agency to completely segregate internal control assessment activities as discussed in the third sub-recommendation. In keeping with the spirit of the sub-recommendation, though, the Board will strive to segregate activities to the maximum extent practicable to help ensure that control activities are being accurately performed. 3. 
"To ensure consistency with federal standards for internal control, we recommend that DNFSB develop and implement a formal mechanism within its ECIC [Executive Committee on Internal Controls] to ensure the prompt resolution of all problems identified in its internal control assessments." Response: The Board agrees and has tasked its staff to revise the Board's Internal Control Program policy and procedures. 4. "To ensure consistency with OMB's guidance on FMFIA [Federal Managers Financial Integrity Act]-required internal control assurance statements, we recommend that DNFSB ensure that, in the future, the Chairman's internal control assurance statement uses one of the three prescribed terms to clearly describe the results of the agency's assessment--unqualified, qualified, or statement of no assurance." Response: The Board accepts the recommendation in order to improve the clarity of its assurance statement in the future. However, the Board disagrees with the finding that its 2013 assurance statement was inconsistent with OMB guidance for summarizing the condition of an agency's internal control. OMB Circular A-123, Management's Responsibility for Internal Control (page 16) does not direct agencies to use one of three prescribed terms for the agency's FMFIA-required internal control assurance statement, but rather mandates that the statement take one of three forms (unqualified, qualified, or statement of no assurance). In other words, the OMB circular does not require the explicit use of the terms "unqualified," "qualified," or "statement of no assurance" but requires that one of these three concepts be conveyed. 
OMB Circular A-123 provides a sample assurance statement on page 32 for Internal Control over Financial Reporting (which also must take one of those forms); the sample does not use any of the three terms cited by GAO, nor do the examples found on pages 63-65 of the Implementation Guide for OMB Circular A-123, Management's Responsibility for Internal Control (the only examples OMB provides in A-123 or its supporting documents for reporting pursuant to Section 2 of FMFIA). The Board's FY 2013 and FY 2014 assurance statements each took the form of an unqualified statement of assurance, as each stated that "no material weaknesses were found in the design or operation of internal controls," consistent with the language provided in the illustrative template for an unqualified statement of assurance on internal control. 5. "To promote public transparency and openness, we recommend that DNFSB: Clearly distinguish in Federal Register notices and during the proceedings between (1) public hearings held pursuant to DNFSB's statutory authority and (2) meetings as defined by the Sunshine Act, required to be open to the public." Response: Neither the Board's statute nor the Sunshine Act prohibits the Board's current practice of noticing a public proceeding as both a public hearing and Sunshine Act meeting. The Board advertises its public hearings as being conducted pursuant to the Board's statutory authority as hearings and in compliance with the Sunshine Act as open meetings, in order to accord maximum flexibility to the Board. Holding hearings is one of the primary "Powers of the Board" from the Board's enabling legislation which it uses to gather technical information and inform the public. Though traditionally the Board has not engaged in deliberations at its public hearings, the hearings are properly advertised to meet the requirements both of the Board's enabling legislation and the Sunshine Act in the event Board members wish to engage in deliberations. 
Furthermore, at its public hearings and meetings, the Board always notices the agenda in the Federal Register and posts the agenda on the Board's internet website to ensure that the public is clearly informed as to the purpose and subject matter to be discussed at the Board's public hearings and meetings. In addition, within each agenda, the Board ensures that time is made available for public comment. Finally, the Board's Federal Register notices comply fully with all legal requirements. In addition, though not required by law, rule, or regulation, the Board actively publicizes its public hearings and meetings by placing advertisements in local newspapers for hearings held in the field, and by notifying public interest groups and concerned citizens through direct mail notifications. While on location for a field hearing and meeting, one or two Board members often meet with public interest groups or concerned citizens who have expressed interest in the Board's work separately from the public hearings and meetings. The Board is unaware of a single instance in the Board's entire history in which a member of the public expressed any confusion or concern because a Board activity was advertised as both a public hearing and meeting. For example, the Board uses the following language in its Federal Register notices to denote that the proceeding is being convened as both a Sunshine Act meeting and a statutory hearing: Summary: Pursuant to the provisions of the "Government in the Sunshine Act" (5 U.S.C. § 552b), and as authorized by 42 U.S.C. § 2286b, notice is hereby given of the Defense Nuclear Facilities Safety Board's (Board) public meeting and hearing described below. The Board invites any interested persons or groups to present any comments, technical information, or data concerning safety issues related to the matters to be considered. 
Moreover, the Board always follows up this statement with explanatory language indicating that while the proceeding is not required to be noticed under the Sunshine Act, doing so furthers the public interest: Status: Open. While the Government in the Sunshine Act does not require that the scheduled discussion be conducted in an open meeting, the Board has determined that an open meeting in this specific case furthers the public interests underlying both the Government in the Sunshine Act and the Board's enabling legislation. The Board believes this language is sufficient and therefore declines to modify its Federal Register notices. 6. "To promote public transparency and openness, we recommend that DNFSB: Develop and implement a policy to publicly disclose, such as on its external website, those matters that have been considered by notational vote and the results of the Board's votes by Board member, including concurring and dissenting comments, if any." Response: The Board proactively posts on its internet website all significant Board actions, including all Recommendations and the Secretary's comments on and responses to such Recommendations, and significant correspondence to or from the Secretary of Energy, the Deputy Secretary of Energy, the Administrator of the National Nuclear Security Administration, and other senior DOE officials. The Board also posts documents filed with Congress, such as the Board's budget requests, its Annual Reports to Congress, and its Performance and Accountability Reports. The Board also posts reports documenting routine, ongoing oversight activities, such as the weekly Site Representative reports from each of the DOE sites where the Board has personnel on location. In keeping with its desire to promote public transparency and openness, the Board has implemented a procedure satisfying this recommendation. Sincerely, Signed by: Peter S. Winokur, Ph.D. Chairman: cc: Ms. Janet Frisch. 
[End of letter] Defense Nuclear Facilities Safety Board: Washington, DC 20004-2901: Peter S. Winokur, Chairman: Jessie H. Roberson, Vice Chairman: Sean Sullivan: December 18, 2014: Board Member Sullivan provides the following statement: I would have accepted GAO recommendation number 5 which would have the Board clearly distinguish in our Federal Register notices between hearings held pursuant to our enabling statute and meetings subject to the Sunshine in Government Act. I see no point in continuing a practice that may potentially confuse people simply to retain the flexibility to deliberate during hearings. To my knowledge, the Board has never deliberated during hearings, nor has any Board Member ever indicated a desire to do so. There is no point in retaining a flexibility that is not likely to be used. Accepting the recommendation would not have precluded the Board from noticing a combined hearing and meeting for any occasion where we actually intended to take testimony and deliberate. Signed by: Sean Sullivan: [End of section] Appendix II: Comments from the Nuclear Regulatory Commission: United States Nuclear Regulatory Commission: Office of the Inspector General: Washington, D.C. 20555-0001: December 8, 2014: Mr. John Neumann, Director: Natural Resources and Environment: U.S. Government Accountability Office: 701 5th Avenue, Suite 2700: Seattle, WA 98104: Dear Mr. Neumann: The Nuclear Regulatory Commission's Office of the Inspector General appreciates the opportunity to review your draft report entitled Nuclear Safety Board: Agency Needs to Take Steps to Improve Internal Control and Promote Transparency (GAO-15-181). We have no comments on the report. Sincerely, Signed by: Hubert T. 
Bell: Inspector General: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: John Neumann, (202) 512-3841 or neumannj@gao.gov: Staff Acknowledgments: In addition to the individual named above, Janet Frisch (Assistant Director), Cheryl Arvidson, Julia Coulter, Cindy Gilbert, Jackson Hufnagle, Rich Johnson, J. Lawrence Malenich, Timothy M. Persons, Carla Rojas Paz, Jeanette Soares, and Kiki Theodoropoulos made significant contributions to this report. [End of section] Footnotes: [1] The phrase "defense nuclear facilities" is defined as (1) a production facility or utilization facility under the control or jurisdiction of the Secretary of Energy and operated for national security purposes and (2) certain nuclear waste storage facilities under the control or jurisdiction of the Secretary of Energy. The term does not include any facility or activity pertaining to the Naval nuclear propulsion program; the transportation of nuclear explosives or nuclear material; any facility that does not conduct atomic energy defense activities; or any facility owned by the United States Enrichment Corporation. [2] The 10 sites are the Hanford Site, Washington; Idaho National Laboratory, Idaho; Lawrence Livermore National Laboratory, California; Los Alamos National Laboratory, New Mexico; Nevada National Security Site, Nevada; Oak Ridge National Laboratory/Y-12 National Security Complex, Tennessee; Pantex Plant, Texas; Sandia National Laboratories, New Mexico; Savannah River Site, South Carolina; and the Waste Isolation Pilot Plant, New Mexico. [3] GAO, Nuclear Safety: The Defense Facilities Safety Board's First Year of Operation, [hyperlink, http://www.gao.gov/products/GAO/RCED-91-54] (Washington, D.C.: February 1991). [4] This report is in response to requests between 2012 and 2014 from Representative Michael Turner (Chairman of the House Armed Services Subcommittee on Strategic Forces during the 112th Congress); Representative Michael D. 
Rogers (Chairman of the House Armed Services Subcommittee on Strategic Forces during the 113th Congress); and Senator Claire C. McCaskill (Chairman, Senate Homeland Security and Governmental Affairs Subcommittee on Financial and Contracting Oversight during the 113th Congress). [5] In this report, we refer to the agency as DNFSB and to the five-member board as the Board. [6] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [7] 31 U.S.C. § 3512(c), (d). FMFIA establishes federal agencies' overall requirements with regard to internal control, which includes accounting and administrative controls. [8] OMB, Management's Responsibility for Internal Control, Circular A-123 (Washington, D.C.: Dec. 21, 2004). [9] Assurance statements--required by FMFIA--represent the informed judgment of a federal agency's head as to the overall adequacy and effectiveness of internal control within their agency. [10] ACUS is an independent federal agency dedicated to improving the administrative process through consensus-driven applied research, providing nonpartisan expert advice and recommendations for improvement of federal agency procedures. Its membership is composed of innovative federal officials and experts with diverse views and backgrounds from both the private sector and academia. [11] Bull, Reeve T. The Government in the Sunshine Act in the 21st Century, Final Report to the Administrative Conference of the United States (Washington, D.C.: Mar. 10, 2014). [12] The DNFSB Chairman retired in January 2015, and had not been replaced at the time of publication. [13] These five sites are the Hanford Site, Washington state; Los Alamos National Laboratory, New Mexico; Oak Ridge National Laboratory/ Y-12 National Security Complex, Tennessee; Pantex Plant, Texas; and Savannah River Site, South Carolina. [14] 31 U.S.C. § 3512(c), (d). 
[15] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [16] OMB, Management's Responsibility for Internal Control, Circular A-123 (Washington, D.C.: Dec. 21, 2004). [17] 5 U.S.C. § 552b(c). [18] GAO, U.S. Export-Import Bank: Views on Inspector General Oversight, [hyperlink, http://www.gao.gov/products/GAO-01-1038R] (Washington, D.C.: Sept. 6, 2001); Chemical Safety Board: Improvements in Management and Oversight Are Needed, [hyperlink, http://www.gao.gov/products/GAO-08-864R] (Washington, D.C.: Aug. 22, 2008); and National Mediation Board: Strengthening Planning and Controls Could Better Facilitate Rail and Air Labor Relations, [hyperlink, http://www.gao.gov/products/GAO-14-5] (Washington, D.C.: Dec. 3, 2013). [19] Pub. L. No. 112-74, div. B, tit. IV, 125 Stat. 786, 880 (2011). [20] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [21] Three members of the Board constitute a quorum, but a lesser number may hold hearings. 42 U.S.C. § 2286(e). According to the Board's enabling statute and procedures, a quorum is needed for the Board to take action on a Board document, such as a recommendation. Board members casting a vote to approve, disapprove, or abstain are included in determining a quorum. However, a Board member who is recorded as not voting or having recused himself is not counted in determining a quorum. [22] The Defense Nuclear Facilities Safety Board (DNFSB), Board Procedures (Washington, D.C.: February 2014). [23] When the Board only has three members, and two vote to approve a recommendation, both a majority of a quorum and a majority of those voting approve the recommendation. However, if the Board has five members, and only two vote to approve a recommendation, the recommendation would be approved by a majority of a quorum but not a majority of those voting. Our review of voting records did not find any instances of recommendations being approved without a majority of those voting to approve them. 
[24] All DNFSB staff, including the technical staff, are covered by DNFSB's administrative and legal policies, such as those for human resources, travel, security, and property management. [25] When we refer to policies and procedures, this also includes guidance. DNFSB refers to guidance as "work practices," which are not mandatory. [26] OMB Circular A-123. [27] OMB Circular A-123. [28] Equal Employment Opportunity Commission, Management Directive 715, Oct. 1, 2003. Management Directive 715 provides policy guidance and standards to federal agencies for establishing and maintaining effective programs of equal employment opportunity under Section 717 of Title VII of the Civil Rights Act of 1964, as amended, (42 U.S.C. § 2000e-16) and Section 501 of the Rehabilitation Act (29 U.S.C. § 791) and directs federal agencies to report annually to EEOC on these programs. [29] The internal control assurance statements for fiscal year 2014 were not available at the time of our review. [30] Exceptions to the requirement for meetings, as defined by the Sunshine Act, to be open to the public include meetings about recommendations to DOE before they are transmitted to DOE or classified information. [31] Bull, Reeve T. The Government in the Sunshine Act in the 21st Century, Final Report to the Administrative Conference of the United States (Washington, D.C.: Mar. 10, 2014). [32] 10 C.F.R. § 1704.3(b). [33] These hearings are open to the public, and video recordings and transcripts are posted on the public website. [34] Because DNFSB did not keep formal voting records prior to 2013, and only began putting the internal voting records on its intranet beginning in March 2013, we generally only reviewed records from August 2013 through June 2014. [35] NRC-OIG/DNFSB-OIG, Audit of the Board's Freedom of Information Act Process, DNFSB-14-A-02 (Washington, D.C.: September 2014). [36] Administrative Conference of the United States, Recommendation 2014-2, 79 Fed. Reg. 35,988 (June 25, 2014). 
[37] Pub. L. No. 112-74, div. B, tit. IV, 125 Stat. 786, 880 (2011). [38] According to the draft memorandum of agreement that the NRC-OIG sent to DNFSB, the costs proposed for the remaining fiscal year 2012 and fiscal year 2013 would cover the salaries, benefits, and training of five NRC-OIG full-time employees who would conduct audits and investigations. [39] The nine IGs that DNFSB contacted were those of the: Department of Defense, Department of Transportation, Federal Deposit Insurance Corporation, General Services Administration, National Aeronautics and Space Administration, National Labor Relations Board, National Science Foundation, U.S. Agency for International Development, and U.S. Postal Services Administration. [40] In August 2012, DNFSB also contracted with an additional external auditing firm for a workforce assessment. [41] Pub. L. No. 112-239, div. C, tit. XXXII, § 3202(f)(1) (2013). [42] The eight additional IGs were those of the: U.S. Army; Defense Threat Reduction Agency; Environmental Protection Agency; GAO; U.S. Navy; U.S. Air Force; DOE; and Intelligence Community, which is a coalition of 17 federal agencies and organizations that gather and analyze intelligence information for foreign relations and national security purposes. [43] The Nuclear Regulatory Commission's Office of the Inspector General, Audit of the Board's Purchase Card Program, DNFSB-14-A-01, (Washington, D.C.: September 2014) and the Nuclear Regulatory Commission's Office of the Inspector General, Audit of Board's Freedom of Information Act Program, DNFSB-14-A-02 (Rockville, MD: September 2014). [44] The Nuclear Regulatory Commission's Office of the Inspector General, Inspector General's Assessment of the Most Serious Management and Performance Challenges Facing the Defense Nuclear Facilities Safety Board, DNFSB-15-A-01 (Rockville, MD: October 2014). 
[End of section] Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]