Audit Reports

Enforce existing manual controls for disabling inactive accounts after the specified period of inactivity and enable an information system to automatically disable inactive accounts after a specified period of inactivity, as required by NIST.

Identify and resolve discrepancies between the FAA ISPP and Center for Internet Security Benchmarks specific to the procurement system’s password configurations.  

If changes are needed, update the procurement system’s security documentation to reflect the database password requirements.  

Ensure that database password settings are in compliance with FAA ISPP.  

Review and update security documentation to ensure that database dependency on the general ledger and the related control deviation is documented and approved by the AO, as required by FAA policy.

Update application password settings to ensure compliance with the FAA ISPP.

Coordinate with the appropriate resources to ensure the implementation of an appropriate separation of duties process for system administrators and developers.

Update password settings to ensure compliance with the FAA ISPP.

Design and implement a process to ensure that the inventory application, database, and operating system changes are tested, documented, and approved prior to migration into production and update the change management ticketing system to capture required approvals and evidence of testing for application, database, or operating system changes, in accordance with FAA ISPP.

Configure the account lockout threshold for the Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

Design and implement controls to validate that all employee FEGLI elections are accurately recorded in the records of the shared service center.

Perform an annual review of existing sites to identify those that may be in dispute, and solicit input from legal counsel to determine and document whether these sites should be included in the environmental remediation liability, as defined by generally accepted accounting principles.

Ensure that existing procedures over the review of journal entries are performed, at an appropriate level of precision, to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.

Update the Journal Voucher Processing standard operating procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the JV control log reconciliation with the actions taken and resolution obtained.

Update policies and procedures to clarify when acceptance should be recorded for a transaction.

Develop and implement guidance to formally document its assessments and recognition decisions, in accordance with SFFAC No. 5, as related to assets and liabilities of exchange transactions.

Update the standard operating procedures to define the triggering events for which the serviceable unit cost should be revalued in accordance with applicable accounting standards. 

Design and implement control activities to ensure that serviceable unit costs are only revalued as a result of valid triggering events which occur during the current period. 

Develop policies and procedures to ensure that judgments that inform accounting estimates are based on the best available information at the time of calculating and recording the CARES Act grant accrual estimate in the financial statements.

Develop procedures to document the period in which user access is granted and terminated to support the operating effectiveness of the shared service center’s user access controls.