Audit Reports

Date

Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019

Requested By
Required by the Chief Financial Officer Act of 1990
Project ID
QC2021014
What We Looked At
This report presents the results of our quality control review (QCR) of KPMG LLP’s management letter related to the audit it conducted, under contract with us, of the Federal Aviation Administration’s (FAA) consolidated financial statements for fiscal years 2020 and 2019. In addition to its audit report on FAA’s financial statements, KPMG issued a management letter that discusses 17 internal control matters that it was not required to include in its audit report.
 
What We Found
Our QCR of KPMG’s management letter disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.
 
Recommendations
KPMG made 20 recommendations in its management letter. FAA concurred with all 20 recommendations.

Recommendations

Closed on
No. 1 to FAA
Enforce existing manual controls for disabling inactive accounts after the specified period of inactivity and enable an information system to automatically disable inactive accounts after a specified period of inactivity, as required by NIST.
Closed on
No. 2 to FAA
Identify and resolve discrepancies between the FAA ISPP and Center for Internet Security Benchmarks specific to the procurement system’s password configurations.  
Closed on
No. 3 to FAA
If changes are needed, update the procurement system’s security documentation to reflect the database password requirements.  
Closed on
No. 4 to FAA
Ensure that database password settings are in compliance with FAA ISPP.  
Closed on
No. 5 to FAA
Review and update security documentation to ensure that database dependency on the general ledger and the related control deviation is documented and approved by the AO, as required by FAA policy.
Closed on
No. 6 to FAA
Update application password settings to ensure compliance with the FAA ISPP. 
Closed on
No. 7 to FAA
Coordinate with the appropriate resources to ensure the implementation of an appropriate separation of duties process for system administrators and developers.
Closed on
No. 8 to FAA
Update password settings to ensure compliance with the FAA ISPP.
Closed on
No. 9 to FAA
Design and implement a process to ensure that the inventory application, database, and operating system changes are tested, documented, and approved prior to migration into production and update the change management ticketing system to capture required approvals and evidence of testing for application, database, or operating system changes, in accordance with FAA ISPP.
Closed on
No. 10 to FAA
Configure the account lockout threshold for the Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements. 
Closed on
No. 11 to FAA
Design and implement controls to validate that all employee FEGLI elections are accurately recorded in the records of the shared service center.
Closed on
No. 12 to FAA
Perform an annual review of existing sites to identify those that may be in dispute, and solicit input from legal counsel to determine and document whether these sites should be included in the environmental remediation liability, as defined by generally accepted accounting principles.
Closed on
No. 13 to FAA
Ensure that existing procedures over the review of journal entries are performed, at an appropriate level of precision, to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.
Closed on
No. 14 to FAA
Update the Journal Voucher Processing standard operating procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the JV control log reconciliation with the actions taken and resolution obtained.
Closed on
No. 15 to FAA
Update policies and procedures to clarify when acceptance should be recorded for a transaction.
Closed on
No. 16 to FAA
Develop and implement guidance to formally document its assessments and recognition decisions, in accordance with SFFAC No. 5, as related to assets and liabilities of exchange transactions.
Closed on
No. 17 to FAA
Update the standard operating procedures to define the triggering events for which the serviceable unit cost should be revalued in accordance with applicable accounting standards. 
Closed on
No. 18 to FAA
Design and implement control activities to ensure that serviceable unit costs are only revalued as a result of valid triggering events which occur during the current period. 
Closed on
No. 19 to FAA
Develop policies and procedures to ensure that judgments that inform accounting estimates are based on the best available information at the time of calculating and recording the CARES Act grant accrual estimate in the financial statements.
Closed on
No. 20 to FAA
Develop procedures to document the period in which user access is granted and terminated to support the operating effectiveness of the shared service center’s user access controls.