
Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019

Required by the Chief Financial Officer Act of 1990
Project ID: QC2021015
What We Looked At
This report presents the results of our quality control review (QCR) of KPMG LLP’s management letter related to the audit it conducted, under contract with us, of the Department of Transportation’s (DOT) consolidated financial statements for fiscal years 2020 and 2019. In addition to its audit report on DOT’s financial statements, KPMG issued a management letter that discusses 12 internal control matters that it was not required to include in its audit report.
 
What We Found
Our QCR of KPMG’s management letter disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.
 
Recommendations
KPMG made 14 recommendations in its management letter. DOT concurred with all 14 recommendations.

Recommendations


No. 1 to FTA

KPMG recommends that FTA management revise the existing configuration management plans for the grant financial management application and the clearing house system to include procedures for source code access administration and required privileges, source code maintenance and storage, the process for source code deployment into production, and any version control software utilized to support the systems.

No. 2 to FTA

KPMG recommends that FTA management reconfigure the grants management application to automatically remove roles that are not recertified annually.

No. 3 to FTA

KPMG recommends that FTA management reconfigure the application that supports the grants management system to automatically disable accounts after 60 days of inactivity.

No. 4 to FTA

KPMG recommends that FTA management update the grants management system platform's system security plan to reflect the configuration considerations in place.

No. 5 to FTA

KPMG recommends that FTA management ensure that new users are properly authorized by all required parties prior to the administration of access to FTA systems.

No. 6 to FTA

KPMG recommends that FTA management design and implement policies and procedures that establish a formal process to assess applicable third-party SOC reports that includes reviewing the SOC 1, 2, and 3 reports, reviewing and comparing reporting updates year-over-year, and reviewing findings and their impact on the grants management system.

No. 7 to FTA

KPMG recommends that FTA management design and implement policies and procedures that establish a formal process to assess applicable third-party SOC reports that includes implementing the service organization's recommended complementary user entity controls and monitoring these controls for proper implementation and operating effectiveness.

No. 8 to FHWA

KPMG recommends that FHWA management update its security documentation and system security plan, in accordance with Department requirements, to capture any control deviations and compensating controls used in lieu of automatically disabling inactive accounts.

No. 9 to OST

KPMG recommends that ESC management provide a training refresher to contracting program managers and access control officers related to the separation process for contractors.

No. 10 to OST

KPMG recommends that OST management design and implement policies and procedures to evaluate the impact of known changes in TIFIA loan cash flow projections between the re-estimate date and the issuance of the financial statements on the subsidy re-estimate to then be considered for subsequent event disclosure.

No. 11 to MARAD

KPMG recommends that MARAD management design and implement a process for recording donated PP&E from other federal entities to ensure these transactions are accurately recorded and in accordance with generally accepted accounting principles.

No. 12 to OST

KPMG recommends that ESC management update the Journal Voucher Processing Standard Operating Procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the journal voucher control log reconciliation with the action taken and resolution obtained.

No. 13 to OST

KPMG recommends that ESC management update procedures surrounding management's review of journal entries at ESC to ensure that journal entries are reviewed at an appropriate level of precision to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.

No. 14 to FHWA

KPMG recommends that FHWA and ESC management design and implement a control that is sufficiently precise to detect and correct UDO reconciliation discrepancies in the correct fiscal year in which they occur.