Skip to main content
U.S. flag

An official website of the United States government

Audit Reports


Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

Requested By
Required by the Chief Financial Officers Act of 1990
Project ID
File Attachment
What We Looked At
This report presents the results of our quality control review (QCR) of the management letter that KPMG issued on its audit, under contract with us, of the Federal Aviation Administration’s (FAA) consolidated financial statements for fiscal years 2023 and 2022. This management letter discusses internal control matters that KPMG was not required to include in its audit report.
What We Found
Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
KPMG made eight recommendations to FAA in its management letter. FAA concurred with all eight recommendations.


No. 1 to FAA
KPMG recommends that FAA management require privileged users on the Windows virtual machine environment to authenticate using MFA. If it is not technically feasible, then we recommend that Windows security settings are updated to require a minimum password length for privileged accounts to 16 characters and maximum password age to be updated to 60 days.
No. 2 to FAA
KPMG recommends that FAA management design and implement documented control activities to monitor the effective operation of its existing process controls related to: Provisioning of new access requests for the service organization's system; and Monitoring FAA employees' access to the service organization's system.
No. 3 to FAA
KPMG recommends that FAA management take measures to ensure that FAA has sufficient control operator personnel available to support the annual recertification of FAA employees with system access within the reporting timeline prescribed by DOT.
No. 4 to FAA
KPMG recommends that FAA design and implement a procedure to identify and timely record contracting actions within the general ledger that were executed outside of the standard business process (i.e., CO authorizations documented outside of the procurement system).
No. 5 to FAA
KPMG recommends that FAA update its procurement policy to define the period of time permitted to document a contractor’s oral agreement.
No. 6 to FAA
KPMG recommends that FAA reinforce existing controls, to review individual lease payment schedules upon lease commencement or modification to ensure that the schedules are consistent with the underlying terms of the lease.
No. 7 to FAA
KPMG recommends that FAA design and implement procedures within its existing PP&E Accrual to obtain a complete listing of trailing costs related to completed assets and accrue for such assets that have remaining CIP balances as of the period-end.
No. 8 to FAA
KPMG recommends that management design and implement procedures to verify the completeness and accuracy of the non-LOI accrual average billing cycle data input used in the estimate calculation.