Audit Reports

Date

Quality Control Review of the Management Letter for FAA’s Financial Statements for Fiscal Years 2015 and 2014

Requested By
Required by the Chief Financial Officers Act
Project ID
QC2016023

This report presents the results of our quality control review of KPMG LLP’s management letter for the audit of FAA’s financial statements as of and for the years ended September 30, 2015 and September 30, 2014. The audit was required by the Chief Financial Officers Act of 1990. KPMG previously issued a “clean” (unmodified) opinion on these financial statements in its independent audit report. The management letter identified 12 additional financial reporting and information technology internal control weaknesses that were not required to be reported in KPMG’s independent audit report.

Recommendations

Closed on
No. 1 to FAA
KPMG recommends that FAA management revise policies and procedures to ensure proper segregation of duties over the processing of manual JVs at FAA HQ.
Closed on
No. 2 to FAA
KPMG recommends that FAA management emphasize the timely de-obligation of inactive UCOs identified during management's monitoring and review process.
Closed on
No. 3 to FAA
KPMG recommends that FAA finalize the policies and procedures that specify the number of days within which property identified for disposal should be retired and recorded in the fixed asset sub-ledger.
Closed on
No. 4 to FAA
KPMG recommends that FAA provide training to the various regions and property owners on the new policies and procedures noted in recommendation.
Closed on
No. 5 to FAA
KPMG recommends that FAA continue to perform procedures to assess the amount of assets identified for retirement, by the various regions and property owners, which have not yet been recorded in the general ledger as of September 30th and record an accrual, as needed.
Closed on
No. 6 to FAA
KPMG recommends that FAA strengthen policies and procedures over the ER liability to include a requirement to revalidate all key data inputs and assumptions on an annual basis.
Closed on
No. 7 to FAA
KPMG recommends that FAA strengthen policies and procedures over the ER liability to include a requirement to document the key assumptions applied in the calculation of the liability.
Closed on
No. 8 to FAA
KPMG recommends that FAA strengthen policies and procedures over the estimation of the EC&D liability to include requirements to revalidate all key data inputs and assumptions on an annual basis.
Closed on
No. 9 to FAA
KPMG recommends that FAA strengthen policies and procedures over the estimation of the EC&D liability to include requirements to document the key assumptions applied in the calculation of the liability.
Closed on
No. 10 to FAA
KPMG recommends that FAA strengthen policies and procedures over the estimation of the EC&D liability to include requirements to review the reasonableness of the formulas and calculations in the estimate.
Closed on
No. 11 to FAA
KPMG recommends that FAA develop and implement procedures requiring periodic independent reviews of audit logs. The procedures should require reviews to be documented, include the items being reviewed, and the frequency within which the reviews should occur.
Closed on
No. 12 to FAA
KPMG recommends that FAA management develop and implement procedures requiring periodic reviews of audit logs for all platforms, including the database. The procedures should include the items being reviewed and the frequency within which the reviews should occur. Lastly, the System Security Plan (SSP) should be updated to reflect the new implementation.
Closed on
No. 13 to FAA
KPMG recommends that FAA management complete the implementation of procedures for granting physical access to the data center.
Closed on
No. 14 to FAA
KPMG recommends that FAA management complete the implementation of procedures for retaining authorizing documents and maintaining user listings of individuals that are granted access.
Closed on
No. 15 to FAA
KPMG recommends that FAA management complete the implementation of procedures for performing periodic reviews of access rights for existing data center users.
Closed on
No. 16 to FAA
KPMG recommends that FAA management complete the relocation of the system, as soon as possible, to a secure data center with strong physical access controls.
Closed on
No. 17 to FAA
KPMG recommends that FAA update the SSP and relevant policies and procedures to ensure segregation of duties is maintained throughout the change management process. If restricting developers' access to production libraries and datasets is not technically feasible or not operationally practical, FAA should identify a compensating control, such as independently conducting and documenting a periodic review of audit logs to identify inappropriate and unauthorized changes implemented outside of the formal change management process.
Closed on
No. 18 to FAA
KPMG recommends that FAA management apply system patches for weaknesses identified in monthly vulnerability scans to strengthen patch management controls in the system environment.
Closed on
No. 19 to FAA
KPMG recommends that FAA strengthen password complexity configurations for both systems, in accordance with the DOT Cyber Security Compendium; or,
Closed on
No. 20 to FAA
KPMG recommends that FAA obtain a waiver from the DOT Chief Information Officer to relieve FAA of the implementation requirements within the DOT Cyber Security Compendium.
Closed on
No. 21 to FAA
KPMG recommends that FAA management develop and implement policies and procedures, including increasing the level of precision of the quarterly review of user access, to remove application access for separated employees and contractors immediately upon termination or when it is determined that a user's access is no longer required.