Audit Reports

-A A +A
skip-to-content

Quality Control Review of the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020

Required by the Chief Financial Officers Act of 1990
Project ID: 
QC2022015
What We Looked At
We contracted with the independent public accounting firm KPMG LLP to audit the Department of Transportation’s (DOT) consolidated financial statements as of and for the fiscal years ended September 30, 2021, and September 30, 2020. KPMG was required to provide an opinion on those financial statements, report on internal control over financial reporting, and report on compliance with laws and other matters. The contract also required KPMG to perform the audit in accordance with U.S. generally accepted Government auditing standards, Office of Management and Budget audit guidance, and the Governmental Accountability Office’s and Council of the Inspectors General on Integrity and Efficiency’s Financial Audit Manual. We performed a quality control review of KPMG’s report dated November 12, 2021, and related documentation, and inquired of its representatives.
 
What We Found
Our quality control review disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
 
Recommendations
DOT concurred with KPMG’s seven recommendations. We agree with KPMG’s recommendations and are not making any additional recommendations.

Recommendations

Open

Closed

No. 1 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policy.

No. 2 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.

No. 3 to OST

KPMG recommends that DOT management design and implement component-specific system security plan requirements in instances where plans for those areas not addressed in the Departmental system security plan.

No. 4 to OST

KPMG recommends that DOT management design and implement procedures related to the retention of appropriate supporting evidence of internal controls, including but not limited to, access administration, access recertification, audit log review, and patch management.

No. 5 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations risk assessment to determine the impact of a timing gap between the issuance of service organization SOC reports and the Department’s fiscal year.

No. 6 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations documented review of applicable SOC reports, which includes a consideration of results year over year, implementation of the service organizations’ recommended complimentary user entity controls and monitor such controls for proper design, implementation and operating effectiveness.

No. 7 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations review and evaluation of findings identified within the service organization’s SOC report and assess the impact on the Department’s internal control over financial reporting.