Audit Reports

Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020

Required by the Chief Financial Officers Act of 1990
Project ID: QC2022018
What We Looked At
This report presents the results of our quality control review (QCR) of the management letter that KPMG issued on its audit, under contract with us, of the Federal Aviation Administration’s (FAA) consolidated financial statements for fiscal years 2021 and 2020. This management letter discusses internal control matters that KPMG was not required to include in its audit report.
 
What We Found
Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
 
Our Recommendations
KPMG made six recommendations to FAA in its management letter. FAA concurred with all six recommendations.

Recommendations

No. 1 to FAA

KPMG recommends that FAA configure the password length for Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

No. 2 to FAA

KPMG recommends that FAA design and implement formal detective controls to log and monitor developer activities in the time and attendance system production environment. All programmatic changes to the time and attendance system production environment should be reviewed and reconciled from the logs to the approved change tickets.

No. 3 to FAA

KPMG recommends that FAA design and implement a process to ensure that inventory system application, database and operating system changes are tested, documented, and approved prior to migration into production in accordance with FAA policy; and update the change management ticketing system to capture required approvals and evidence of testing for inventory system application, database or operating system changes.

No. 4 to FAA

KPMG recommends that FAA configure the account lockout threshold for the Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

No. 5 to FAA

KPMG recommends that FAA update the control to investigate cases removed from the Legal Letter and Contingent Liability Report period over period prior to recording the legal liability.

No. 6 to FAA

KPMG recommends that FAA ensure that policies and procedures for revoking access to the shared services center for separated users include:
a. Timely notifying shared services center managers of FAA employees that have separated from the agency to ensure that access is removed; and
b. Enforcing the timeline for removal of separated employees from the shared services center, by reviewing active user listings on a periodic basis to ensure that no separated employees still have access.