Audit Reports


Quality Control Review of the Management Letter for DOT’s Audited Consolidated Financial Statements for Fiscal Years 2019 and 2018

Required by the Chief Financial Officer Act of 1990
Project ID: QC2020025
What We Looked At
This report presents the results of our quality control review (QCR) of KPMG LLP’s management letter related to the audit it conducted, under contract with us, of the Department of Transportation’s (DOT) consolidated financial statements for fiscal years 2019 and 2018. In addition to its audit report on DOT’s financial statements, KPMG issued a management letter that discusses eight internal control matters that it was not required to include in its audit report.
 
What We Found
Our QCR of KPMG’s management letter disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.
 
Recommendations
KPMG made 14 recommendations in its management letter. DOT concurred with all 14 recommendations.

Recommendations


No. 1 to FTA

KPMG recommends that FTA management design and implement a process to ensure that a complete population of received FFRs are considered in the retrospective review.

No. 2 to FTA

KPMG recommends that FTA management document the revised FFR submission policy in their grant methodology to consider the potential impact on the retrospective review process.

Closed on 12.16.2020
No. 3 to FRA

KPMG recommends that FRA management implement policies and procedures to establish a formal process to assess applicable third-party service organization reports that includes reviewing the SOC-1 report, reviewing and comparing reporting updates year-over-year, and reviewing findings and their impact on the grants management system.

Closed on 12.16.2020
No. 4 to FRA

KPMG recommends that FRA management implement policies and procedures to establish a formal process to assess applicable third-party service organization reports that includes implementing the service provider's recommended Complementary User Entity Controls (CUECs) and monitoring these controls for proper implementation and operating effectiveness.

No. 5 to FHWA

KPMG recommends that FHWA develop and implement a process to notify appropriate authoritative personnel in the event that the division sponsor has not completed its user reviews timely, ensuring that monthly reviews of user access within the application are completed by all divisions in accordance with the Fiscal Management Information System Standard Operating Procedures (SOP).

No. 6 to FHWA

KPMG recommends that FHWA Management revise its current bi-weekly review process in coordination with Human Resources to ensure that the grants management application system owners remove terminated users within a defined time period of their termination date and that the User Access Removal SOP be updated to reflect the Human Resource coordination and the defined time period.

No. 7 to FHWA

KPMG recommends that the FHWA determine the appropriate role for the grant management application user based on job function, and revoke user access to the incompatible role.

No. 8 to FHWA

KPMG recommends that the FHWA ensure that access policies and procedures regarding segregation of duties are enforced when granting users access to the grants management application via Role Based Access Control procedures as defined in the Manage Accounts SOP.

No. 9 to FHWA

KPMG recommends that the FHWA develop and implement a periodic review of access for the Database Administrators and Developers for the grants management application.

No. 10 to FHWA

KPMG recommends FHWA management update the SOP to clearly define the UPACS audit log environment, log mechanisms, and frequency and documentation of the log reviews.

No. 11 to FHWA

KPMG recommends FHWA management enforce the Manage Log Review Files SOP or similar procedure that requires the Windows System Administrator to review Grant Management Application/UPACS operating system logs on a daily basis and digitally certify the reviews on a weekly basis.

No. 12 to FHWA

KPMG recommends FHWA management ensure that System Administrators (SA) or Database Administrators (DBA) review past Grant Management Application/UPACS operating system log records for completion. If SAs or DBAs determine that the Windows Weekly log records are not completed as required, SAs and DBAs should follow up with the Windows System Administrator to ensure that incomplete reviews are remediated and future weekly log reviews are completed timely.

No. 13 to FHWA

KPMG recommends FHWA management enforce the Manage Log Review Files SOP or similar procedure that requires the System Administrators to review Grant Management Application/UPACS logs on a daily basis and digitally certify the reviews on a weekly basis.

No. 14 to FHWA

KPMG recommends FHWA management ensure that System Administrators (SA) or Database Administrators (DBA) review past Grant Management Application/UPACS log records for completion. If SAs or DBAs determine that the UNIX/Oracle log records are not completed as required, SAs and DBAs should follow up with the UNIX/Oracle System Administrators to ensure that incomplete reviews are remediated and future weekly log reviews are completed timely.