Audit Reports

KPMG recommends that FAA management revise policies and procedures to ensure proper segregation of duties over the processing of manual JVs at FAA HQ.

KPMG recommends that FAA management emphasize the timely de-obligation of inactive UCOs identified during management's monitoring and review process.

KPMG recommends that FAA finalize the policies and procedures that specify the number of days within which property identified for disposal should be retired and recorded in the fixed asset sub-ledger.

KPMG recommends that FAA provide training to the various regions and property owners on the new policies and procedures noted in recommendation.

KPMG recommends that FAA continue to perform procedures to assess the amount of assets identified for retirement, by the various regions and property owners, which have not yet been recorded in the general ledger as of September 30th and record an accrual, as needed.

KPMG recommends that FAA strengthen policies and procedures over the ER liability to include requirement to revalidate all key data inputs and assumptions on an annual basis.

KPMG recommends that FAA strengthen policies and procedures over the ER liability to include requirement to document the key assumptions applied in the calculation of the liability.

KPMG recommends that FAA strengthen policies and procedures over the estimation of the EC&D liability to include requirements to revalidate all key data inputs and assumptions on an annual basis.

KPMG recommends that FAA strengthen policies and procedures over the estimation of the EC&D liability to include requirements to document the key assumptions applied in the calculation of the liability.

KPMG recommends that FAA strengthen policies and procedures over the estimation of the EC&D liability to include requirements to review the reasonableness of the formulas and calculations in the estimate.

KPMG recommends that FAA develop and implement procedures requiring periodic independent reviews of audit logs. The procedures should require reviews to be documented, include the items being reviewed, and the frequency within which the reviews should occur.

KPMG recommends that FAA management develop and implement procedures requiring periodic reviews of audit logs for all platforms, including the database. The procedures should include the items being reviewed and the frequency within which the reviews should occur. Lastly, the System Security Plan (SSP) should be updated to reflect the new implementation.

KPMG recommends that FAA management completes the implementation of procedures for granting physical access to the data center.

KPMG recommends that FAA management completes the implementation of procedures for retaining authorizing documents and maintaining user listings of individuals that are granted access.

KPMG recommends that FAA management completes the implementation of procedures for performing periodic reviews of access rights for existing data center users.

KPMG recommends that FAA management complete the relocation of the system, as soon as possible, to a secure data center with strong physical access controls.

KPMG recommends that FAA update the SSP and relevant policies and procedures to ensure segregation of duties is maintained throughout the change management process. If restricting developers' access to production libraries and datasets is not technically feasible or not operationally practical, FAA should identify a compensating control, such as independently conducting and documenting a periodic review of audit logs to identify inappropriate and unauthorized changes implemented outside of the formal change management process.

KPMG recommends that FAA management apply system patches for weaknesses identified in monthly vulnerability scans to strengthen patch management controls in the system environment.

KPMG recommends that FAA strengthen password complexity configurations for both systems, in accordance with the DOT Cyber Security Compendium; or,

KPMG recommends that FAA obtain a waiver from the DOT Chief Information Officer to relieve FAA of the implementation requirements within the DOT Cyber Security Compendium.

KPMG recommends that FAA management develop and implement policies and procedures, including increasing the level of precision of the quarterly review of user access, to remove application access for separated employees and contractors immediately upon termination or when determined that a user's access is no longer required.