October 23, 2019
Required by the Federal Information Security Modernization Act of 2014
Quality Control Review of the Independent Auditor’s Report on DOT’s Information Security Program and Practices
What We Looked At
This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. The act also requires agencies to have annual independent reviews to determine the effectiveness of their programs, and report the results of these reviews to the Office of Management and Budget (OMB). To meet this requirement, we contracted with CliftonLarsonAllen LLP (CLA) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
We performed a QCR of CLA’s report and related documentation. Our QCR disclosed no instances in which CLA did not comply, in all material respects, with generally accepted Government auditing standards.
DOT concurs with 1 of CLA’s 14 recommendations and partially concurs with the remaining 13 recommendations. ClA considers recommendations 1, 2, 4, 8, 9, 10, 11, and 12 resolved but open pending completion of planned actions. CLA considers recommendations 3, 5, 6, 7, 13, and 14 open and unresolved.