Audit Reports


Quality Control Review of the Management Letter for DOT’s Audited Consolidated Financial Statements for Fiscal Years 2019 and 2018

Required by the Chief Financial Officer Act of 1990
Project ID: QC2020025
What We Looked At
This report presents the results of our quality control review (QCR) of KPMG LLP’s management letter related to the audit it conducted, under contract with us, of the Department of Transportation’s (DOT) consolidated financial statements for fiscal years 2019 and 2018. In addition to its audit report on DOT’s financial statements, KPMG issued a management letter that discusses eight internal control matters that it was not required to include in its audit report.
 
What We Found
Our QCR of KPMG’s management letter disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.
 
Recommendations
KPMG made 14 recommendations in its management letter. DOT concurred with all 14 recommendations.

Closed

Closed on 05.04.2021
No. 1 to FTA

KPMG recommends that FTA management design and implement a process to ensure that a complete population of received FFRs are considered in the retrospective review.

Closed on 05.04.2021
No. 2 to FTA

KPMG recommends that FTA management document the revised FFR submission policy in their grant methodology to consider the potential impact on the retrospective review process.

Closed on 12.16.2020
No. 3 to FRA

KPMG recommends that FRA management implement policies and procedures to establish a formal process to assess applicable third-party service organization reports that includes reviewing the SOC-1 report, reviewing and comparing reporting updates year-over-year, and reviewing findings and their impact on the grants management system.

Closed on 12.16.2020
No. 4 to FRA

KPMG recommends that FRA management implement policies and procedures to establish a formal process to assess applicable third-party service organization reports that includes implementing the service provider's recommended Complementary User Entity Controls (CUECs) and monitoring these controls for proper implementation and operating effectiveness.

Closed on 03.30.2021
No. 5 to FHWA

KPMG recommends that FHWA develop and implement a process to notify appropriate authoritative personnel in the event that the division sponsor has not completed its user reviews timely, ensuring that monthly reviews of user access within the application are completed by all divisions in accordance with the Fiscal Management Information System Standard Operating Procedures (SOP).

Closed on 05.06.2021
No. 6 to FHWA

KPMG recommends that FHWA Management revise its current bi-weekly review process in coordination with Human Resources to ensure that the grants management application system owners remove terminated users within a defined time period of their termination date and that the User Access Removal SOP be updated to reflect the Human Resource coordination and the defined time period.

Closed on 03.30.2021
No. 7 to FHWA

KPMG recommends that the FHWA determine the appropriate role for the grant management application user based on job function, and revoke user access to the incompatible role.

Closed on 03.30.2021
No. 8 to FHWA

KPMG recommends that the FHWA ensure that access policies and procedures regarding segregation of duties are enforced when granting users access to the grants management application via Role Based Access Control procedures as defined in the Manage Accounts SOP.

Closed on 03.30.2021
No. 9 to FHWA

KPMG recommends that the FHWA develop and implement a periodic review of access for the Database Administrators and Developers for the grants management application.

Closed on 03.30.2021
No. 10 to FHWA

KPMG recommends FHWA management update the SOP to clearly define the UPACS audit log environment, log mechanisms, and frequency and documentation of the log reviews.

Closed on 04.20.2022
No. 11 to FHWA

KPMG recommends FHWA management enforce the Manage Log Review Files SOP or similar procedure that requires the Windows System Administrator to review Grant Management Application/UPACS operating system logs on a daily basis and digitally certify the reviews on a weekly basis.

Closed on 04.20.2022
No. 12 to FHWA

KPMG recommends FHWA management ensure that System Administrators (SA) or Database Administrators (DBA) review past Grant Management Application/UPACS operating system log records for completion. If SAs or DBAs determine that the Windows Weekly log records are not completed as required, SAs and DBAs should follow up with the Windows System Administrator to ensure that incomplete reviews are remediated and future weekly log reviews are completed timely.

Closed on 04.20.2022
No. 13 to FHWA

KPMG recommends FHWA management enforce the Manage Log Review Files SOP or similar procedure that requires the System Administrators to review Grant Management Application/UPACS logs on a daily basis and digitally certify the reviews on a weekly basis.

Closed on 04.20.2022
No. 14 to FHWA

KPMG recommends FHWA management ensure that System Administrators (SA) or Database Administrators (DBA) review past Grant Management Application/UPACS log records for completion. If SAs or DBAs determine that the UNIX/Oracle log records are not completed as required, SAs and DBAs should follow up with the UNIX/Oracle System Administrators to ensure that incomplete reviews are remediated and future weekly log reviews are completed timely.