Audit Reports

Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2022 and 2021

Required by the Chief Financial Officers Act of 1990
Project ID: QC2023016
What We Looked At
This report presents the results of our quality control review (QCR) of KPMG LLP’s management letter for its audit, conducted under contract with us, of the Department of Transportation’s (DOT) consolidated financial statements for fiscal years 2022 and 2021. The management letter discusses six internal control matters that KPMG was not required to include in its audit report.
 
What We Found
Our QCR of the management letter disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
 
Our Recommendations
KPMG made 12 recommendations in its management letter. DOT concurred with all 12 recommendations.

Recommendations

No. 1 to OST

KPMG recommends that DOT OCIO management revise the website containing the policy documentation to ensure all documents are consistent and contain the same listing of required controls for moderate-impact systems.

No. 2 to OST

KPMG recommends that DOT OCIO management should document any Department-wide tailoring decisions within the appropriate security documentation, as required by NIST.

No. 3 to OST

KPMG recommends that DOT OCIO management should define and document control tailoring requirements for the Department and its Operating Administrations.

No. 4 to OST

KPMG recommends that DOT OCIO management ensure that the process for provisioning privileged database system administrator accounts supporting the Federal Highway Administration’s grant system is performed in accordance with DOT policies.

No. 5 to FAA

KPMG recommends that ESC management create monitoring procedures over the existing management review of the JV control logs monthly reconciliation to ensure the consistent operation of the control, as defined within policy.

No. 6 to OST

KPMG recommends that OST-CFO management revise its accounting process to accrue TIFIA interest each period or document its current process as a non-GAAP policy and perform an annual materiality assessment to determine the annual impact of the unaccrued interest policy.

No. 7 to OST

KPMG recommends that OST-CFO management should perform a review of OST-CFO’s accounting policies and procedures as a control activity over the completeness of non-GAAP policies and procedures and update the non-GAAP listing and assessment accordingly.

No. 8 to OST

KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the relevant control objectives, related controls, and rationale for non-relevant control objectives and controls.

No. 9 to OST

KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the relevant complementary end user controls designed and implemented by DOT.

No. 10 to OST

KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the criteria used by management to evaluate the results of the service organization controls report and related findings.

No. 11 to FTA

KPMG recommends that FTA management design and implement controls to track the status of Treasury warrant requests to ensure that the warrants are recorded in the financial system timely when processed.

No. 12 to FTA

KPMG recommends that FTA management perform a review for the completeness of the financial statements provided to OST, including reviews for transactions recorded subsequent to the OST reporting date.