Audit Reports

KPMG recommends that FTA management design and implement a process to ensure that a complete population of received FFRs are considered in the retrospective review.

KPMG recommends that FTA management document the revised FFR submission policy in their grant methodology to consider the potential impact on the retrospective review process.

KPMG recommends that FRA management implement policies and procedures to establish a formal process to assess applicable third-party service organization reports that includes reviewing the SOC-1 report, reviewing and comparing reporting updates year-over-year, and reviewing findings and their impact on the grants management system.

KPMG recommends that FRA management implement policies and procedures to establish a formal process to assess applicable third-party service organization reports that includes implementing the service provider's recommended Complementary User Entity Controls (CUECs) and monitoring these controls for proper implementation and operating effectiveness.

KPMG recommends that FHWA develop and implement a process to notify appropriate authoritative personnel in the event that the division sponsor has not completed its user reviews timely ensuring that monthly reviews of user access within the application are completed by all divisions in accordance with the Fiscal Management Information System Standard Operating Procedures (SOP).

KPMG recommends that FHWA Management revise its currentbi-weekly review process in coordination with Human Resources to ensure thatthe grants management application system owners remove terminated users withina defined time period of their termination date and that the User AccessRemoval SOP be updated to reflect the Human Resource coordination and thedefined time period.

KPMG recommends that the FHWA determine the appropriate role for the grant management application user based on job function, and revoke user access to the incompatible role.

KPMG recommends that the FHWA ensure that access policies and procedures regarding segregation of duties are enforced when granting users access to the grants management application via Role Based Access Control procedures as defined in the Manage Accounts SOP.

KPMG recommends that the FHWA develop and implement a periodic review of access for the Database Administrators and Developers for the grants management application.

KPMG recommends FHWA management update the SOP, to clearlydefine the UPACS audit log environment, log mechanisms, and frequency anddocumentation of the log reviews.

KPMG recommends FHWA management enforce the Manage Log Review Files SOP or similar procedure that requires the Windows System Administrator to review Grant Management Application/UPACS operating system logs on a daily basis and digitally certify the reviews on a weekly basis.   

KPMG recommends FHWA management ensure that System Administrators (SA) or Database Administrators (DBA) review past Grant Management Application/UPACS operating system log records for completion. If SAs or DBAs determine that the Windows Weekly log records, are not completed as required, SAs and DBAs should follow-up with the Windows System Administrator to ensure that incomplete reviews are remediated and future weekly log reviews are completed timely.   

KPMG recommends FHWA management enforce the Manage Log Review Files SOP or similar procedure that requires the System Administrators to review Grant Management Application/UPACS logs on a daily basis and digitally certify the reviews on a weekly basis.

KPMG recommends FHWA management ensure that System Administrators (SA) or Database Administrators (DBA) review past Grant Management Application/UPACS log records for completion. If SAs or DBAs determine that the UNIX/Oracle log records, are not completed as required, SAs and DBAs should follow-up with the UNIX/Oracle System Administrators to ensure that incomplete reviews are remediated and future weekly log reviews are completed timely.