Audit Reports

KPMG recommends that FTA management revise the existing configuration management plans for the grant financial management application and the clearing house system to include procedures for source code access administration and required privileges, source code maintenance and storage, the process for source code deployment into the production, and any version control software utilized to support the systems.

KPMG recommends that FTA management reconfigure the grants management application to automatically remove roles that are not recertified annually.

KPMG recommends that FTA management reconfigure the application that supports the grants management system to automatically disable accounts after 60 days of inactivity.

KPMG recommends that FTA management update the grants management system platform's system security plan to reflect the configuration considerations in place.

KPMG recommends that FTA management ensure that new users are properly authorized by all required parties prior to the administration of access to FTA systems.

KPMG recommends that FTA management design and implement policies and procedures that establish a formal process to assess applicable third-party SOC reports that includes reviewing the SOC 1, 2, 3 reports, reviewing and comparing reporting updates year-over-year, and reviewing findings and their impact on the grants management system.    

KPMG recommends that FTA management design and implement policies and procedures that establish a formal process to assess applicable third-party SOC reports that includes implementing the service organization's recommended complimentary user entity controls and monitoring these controls for proper implementation and operating effectiveness.  

KPMG recommends that FHWA management update its security documentation and system security plan, in accordance with Department requirements, to capture any control deviations and compensating controls used in lieu of automatically disabling inactive accounts.  

KPMG recommends that ESC management should provide a training refresher to contracting program managers and access control officers related to the separation process for contractors.    

KPMG recommends that OST management design and implement policies and procedures to evaluate the impact of known changes in TIFIA loan cash flow projections between the re-estimate date and the issuance of the financial statements on the subsidy re-estimate to then be considered for subsequent event disclosure.

KPMG recommends that MARAD management design and implement a process for recording donated PP&E from other federal entities to ensure these transactions are accurately recorded and in accordance with generally accepted accounting principles.

KPMG recommends that ESC management update the Journal Voucher Processing Standard Operating Procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the journal voucher control log reconciliation with the action taken and resolution obtained.

KPMG recommends that ESC management update procedures surrounding management's review of journal entries at ESC to ensure that journal entries are reviewed at an appropriate level of precision to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.

KPMG recommends that FHWA and ESC management design and implement a control that is sufficiently precise to detect and correct UDO reconciliation discrepancies in the correct fiscal year in which they occur.