Audit Reports


Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019

Required by the Chief Financial Officer Act of 1990
Project ID: QC2021014
What We Looked At
This report presents the results of our quality control review (QCR) of KPMG LLP’s management letter related to the audit it conducted, under contract with us, of the Federal Aviation Administration’s (FAA) consolidated financial statements for fiscal years 2020 and 2019. In addition to its audit report on FAA’s financial statements, KPMG issued a management letter that discusses 17 internal control matters that it was not required to include in its audit report.
 
What We Found
Our QCR of KPMG’s management letter disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.
 
Recommendations
KPMG made 20 recommendations in its management letter. FAA concurred with all 20 recommendations.

No. 1 to FAA

Enforce existing manual controls for disabling inactive accounts after the specified period of inactivity and enable an information system to automatically disable inactive accounts after a specified period of inactivity, as required by NIST.

No. 2 to FAA

Identify and resolve discrepancies between the FAA ISPP and Center for Internet Security Benchmarks specific to the procurement system's password configurations.

No. 3 to FAA

If changes are needed, update the procurement system's security documentation to reflect the database password requirements.

No. 4 to FAA

Ensure that database password settings are in compliance with FAA ISPP.

No. 5 to FAA

Review and update security documentation to ensure that database dependency on the general ledger and the related control deviation is documented and approved by the AO, as required by FAA policy.

No. 6 to FAA

Update application password settings to ensure compliance with the FAA ISPP.

No. 7 to FAA

Coordinate with the appropriate resources to ensure the implementation of an appropriate separation of duties process for system administrators and developers.

No. 8 to FAA

Update password settings to ensure compliance with the FAA ISPP.

No. 9 to FAA

Design and implement a process to ensure that the inventory application, database, and operating system changes are tested, documented, and approved prior to migration into production and update the change management ticketing system to capture required approvals and evidence of testing for application, database, or operating system changes, in accordance with FAA ISPP.

No. 10 to FAA

Configure the account lockout threshold for the Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

No. 11 to FAA

Design and implement controls to validate that all employee FEGLI elections are accurately recorded in the records of the shared service center.

No. 12 to FAA

Perform an annual review of existing sites to identify those that may be in dispute, and solicit input from legal counsel to determine and document whether these sites should be included in the environmental remediation liability, as defined by generally accepted accounting principles.

No. 13 to FAA

Ensure that existing procedures over the review of journal entries are performed, at an appropriate level of precision, to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.

No. 14 to FAA

Update the Journal Voucher Processing standard operating procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the JV control log reconciliation with the actions taken and resolution obtained.

No. 15 to FAA

Update policies and procedures to clarify when acceptance should be recorded for a transaction.

No. 16 to FAA

Develop and implement guidance to formally document its assessments and recognition decisions, in accordance with SFFAC No. 5, as related to assets and liabilities of exchange transactions.

No. 17 to FAA

Update the standard operating procedures to define the triggering events for which the serviceable unit cost should be revalued in accordance with applicable accounting standards.

No. 18 to FAA

Design and implement control activities to ensure that serviceable unit costs are only revalued as a result of valid triggering events which occur during the current period.

No. 19 to FAA

Develop policies and procedures to ensure that judgments that inform accounting estimates are based on the best available information at the time of calculating and recording the CARES Act grant accrual estimate in the financial statements.

No. 20 to FAA

Develop procedures to document the period in which user access is granted and terminated to support the operating effectiveness of the shared service center's user access controls.