Quality Control Review of the Assessment of DOT’s Protection of Privacy Information
What We Looked At
This report summarizes the results of an audit of DOT’s protection of privacy information. DOT has determined that 168 of its 464 computer systems contain personally identifiable information (PII) about the public and/or DOT employees. The Fiscal Year 2005 Consolidated Appropriations Act for Transportation, Treasury, Independent Agencies, and General Government, as amended, requires agencies to enhance the protection of PII they collect and use, and requires inspectors general to periodically audit their agencies’ privacy programs or hire independent third-party organizations to conduct the reviews.
We contracted with KPMG LLP, an independent public accounting firm, to conduct this audit subject to our oversight. The audit objectives were to determine whether (1) DOT has established adequate procedures for the collection, use, and security of PII; (2) DOT ensures compliance with its own privacy and data protection policies and applicable laws and regulations to prevent unauthorized access to or unintended use of PII; and (3) DOT’s Operating Administrations properly evaluate the necessity of using PII to process system data.
What We Found
We performed this quality control review (QCR) of KPMG’s report and related documentation. Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.
DOT concurred with KPMG’s 12 recommendations.