Recommendation Dashboard

OIG’s Office of Auditing and Evaluation makes recommendations to the Department of Transportation and a few independent transportation entities to correct deficiencies and encourage improvements in the safety, economy, efficiency, and management of their programs and operations. Our audit report findings and conclusions explain the basis for the specific corrective actions we recommend. This Recommendation Dashboard provides more information than ever before about the current status of OIG recommendations, which we plan to update on a weekly basis. For more information, see answers to frequently asked questions.

The Recommendation Dashboard does not include data on many of our older audits for which all recommendations were closed prior to July 1, 2016.
ZA2021037 issued on

FAA Faces Challenges in Tracking Its Acquisition Workforce and Ensuring Compliance With Training, Certification, and Warrant Requirements

Closed on
No. 4 to FAA
Implement performance and certification metrics for CORs and P/PMs.
Audit Reports: ZA2024019 issued on

FAA’s Information Technology and Telecommunications Contracting Practices Limit Best Value Outcomes

No. 1 to FAA
Implement a written process for verifying compliance with Agency requirements for maintaining electronic, centralized files that include all documented contractual actions and determinations.
$311,611,640
No. 2 to FAA
Implement a written process for verifying compliance with Agency requirements for developing independent Government cost estimates (IGCEs) for contract modifications. Implementing this recommendation could put up to $311.6 million in Federal funds to better use by improving FAA’s ability to establish contract pricing that is fair, reasonable, and realistic.
No. 3 to FAA
Implement a written process for verifying that any extension of a contract’s performance period—including exercising an option period—is awarded prior to the contract expiring.
No. 4 to FAA
Update the Acquisition Management System (AMS) to specify what program offices are required to provide as part of an IT and telecom procurement request package. This documentation should include standard lead times for obtaining the Chief Financial Officer’s approval, submitting complete procurement packages, and references to guidance on how to develop sound IGCEs and complete requirements.
No. 5 to FAA
Update AMS to include limitations on how long contracts can be extended.
No. 6 to FAA
Implement written guidance to explain what authorities are appropriate to use to extend contracts beyond their initial performance periods, including any limitations associated with using each authority.
No. 7 to FAA
Update AMS to include when it is allowable and what is required to add work outside of a contract’s scope after the award is made.
Audit Reports: ZA2024018 issued on

FAA Did Not Fully Follow Its Processes When Awarding and Administering CARES Act-Funded Airport Development Grants and Contracts

Pandemic Oversight
No. 1 to FAA
Revise procedures for reviewing and approving grant application packages to add steps to verify that the applications are complete and accurate.
$27,000,000 Pandemic Oversight
No. 2 to FAA
Assess the CARES Act-funded airport development grants identified in this report that did not meet award requirements and recover the $27 million or identify the rationale for acceptance of these costs.
Pandemic Oversight
No. 3 to FAA
Revise CARES Act program guidance to identify which FAA office is responsible for collecting and reviewing airport sponsor annual financial reports.
Pandemic Oversight
No. 4 to FAA
Strengthen internal controls to verify that all reimbursement requests comply with FAA’s two-tier manual review process for CARES Act funds. This may include requiring that Delphi controls are correctly established and maintained.
$18,700,000 Pandemic Oversight
No. 5 to FAA
Assess the 35 invoices—comprising $18.7 million in questioned costs—that did not receive sufficient review under the CARES Act guidance and seek recovery of any portion that is determined to be improper and/or unallowable or provide justification for approving the payments.
$10,600,000 Pandemic Oversight
No. 6 to FAA
Require FAA field offices to collect, review, and maintain required price and cost analyses before making grant awards. Implementation of this recommendation could result in funds put to better use of $10.6 million.
$49,600,000 Pandemic Oversight
No. 7 to FAA
Revise the Agency’s policies for collecting, reviewing, and approving Buy American Preferences waivers to require the waiver requests to be timely, complete, and accurate, and define the “extraordinary circumstances” that would allow grant recipients to deviate from Buy American requirements. Implementation of this recommendation could result in funds put to better use of $49.6 million.
Pandemic Oversight
No. 8 to FAA
After revising Buy American policies, develop and implement Buy American Preferences waiver training for field offices.
QC2024014 issued on

Quality Control Review of the Management Letter for the Great Lakes St. Lawrence Seaway Development Corporation's Audited Financial Statements for Fiscal Years 2023

No. 1 to GLS
Allmond recommends that GLS develop written policies and procedures for the annual monitoring of all user accounts. For user accounts relating to service organization systems, GLS should proactively generate or request a listing of user accounts, if one is not already provided by the service organization, and perform a review of the current system users and their permissions. The reviews should be documented and evidence of the review for each system should be retained according to the Agency’s document retention policy.
No. 2 to GLS
Allmond recommends that GLS should amend its policies and procedures to require the review and retention of external source documentation, such as original receipts, purchase confirmations, and other purchase verification for all purchase card transactions, so that: this information can be compared to the purchase order, purchase card log, and other internally-created documentation during the approval process, and the information is readily available for external review.
Audit Reports: QC2024016 issued on

Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

No. 1 to OST
KPMG recommends that DOT OCIO management revise the website containing the policy documentation to ensure all documents are consistent and contain the same listing of required controls for moderate-impact systems.
No. 2 to OST
KPMG recommends that DOT OCIO management should document any Departmentwide tailoring decisions within the appropriate security documentation, as required by NIST.
No. 3 to OST
KPMG recommends that DOT OCIO management should define and document control tailoring requirements for the Department and Operating Administrations.
No. 4 to FAA
KPMG recommends that ESC management enforce its existing policy and provide additional training to personnel involved in the manual journal voucher process, specifically the appropriate timing and documentation related to segregation of duties in addition to reviewing each journal voucher to ensure its completeness and consistency with the supporting documentation.
No. 5 to FAA
KPMG recommends that ESC management review and update the journal voucher control log reconciliation process to ensure it is properly designed to identify all potential deviations from policy throughout the fiscal year.
No. 6 to FAA
KPMG recommends that ESC management create monitoring procedures over the journal voucher control log to ensure complete and accurate documentation over manual journal vouchers is maintained.
No. 7 to MARAD
KPMG recommends that MARAD management, in conjunction with their accounting service provider, ESC, develop a PP&E roll forward control that contains all activity within the relevant PP&E accounts by disclosure category, including additions, annual cost adjustments, year to date depreciation, capitalizations from construction in progress to other categories, and retirements.
Audit Reports: QC2024015 issued on

Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

No. 1 to FAA
KPMG recommends that FAA management require privileged users on the Windows virtual machine environment to authenticate using MFA. If it is not technically feasible, then we recommend that Windows security settings are updated to require a minimum password length for privileged accounts to 16 characters and maximum password age to be updated to 60 days.
No. 2 to FAA
KPMG recommends that FAA management design and implement documented control activities to monitor the effective operation of its existing process controls related to: Provisioning of new access requests for the service organization's system; and Monitoring FAA employees' access to the service organization's system.
No. 3 to FAA
KPMG recommends that FAA management take measures to ensure that FAA has sufficient control operator personnel available to support the annual recertification of FAA employees with system access within the reporting timeline prescribed by DOT.
No. 4 to FAA
KPMG recommends that FAA design and implement a procedure to identify and timely record contracting actions within the general ledger that were executed outside of the standard business process (i.e., CO authorizations documented outside of the procurement system).
No. 5 to FAA
KPMG recommends that FAA update its procurement policy to define the period of time permitted to document a contractor’s oral agreement.
No. 6 to FAA
KPMG recommends that FAA reinforce existing controls, to review individual lease payment schedules upon lease commencement or modification to ensure that the schedules are consistent with the underlying terms of the lease.
No. 7 to FAA
KPMG recommends that FAA design and implement procedures within its existing PP&E Accrual to obtain a complete listing of trailing costs related to completed assets and accrue for such assets that have remaining CIP balances as of the period-end.
No. 8 to FAA
KPMG recommends that management design and implement procedures to verify the completeness and accuracy of the non-LOI accrual average billing cycle data input used in the estimate calculation.
Audit Reports: QC2024013 issued on

Quality Control Review of the Management Letter for the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2023 and 2022

No. 1 to STB
STB should research the impacted employee’s payroll records to confirm the error and determine why the error occurred. Appropriate action should be taken to identify any other affected employees and to correct the root cause of the error.
No. 2 to STB
STB should enforce standard operating procedures to require a second Human Resources Specialist or the Human Resources Director to review all employee transfer and onboarding documents to ensure that the documentation is complete and agrees with the information that was entered into the payroll and personnel system before the information is submitted to the payroll service provider.
No. 3 to STB
STB should perform and document its assessment of the recoverability of excess taxes that were paid in error by the agency in matching Old-Age, Survivors and Disability Insurance and Medicare contributions and the conclusion that was reached.
Audit Reports: AV2024012 issued on

OST Complied With Federal Regulations, Policies, and Procedures Regarding Executive Travel on DOT Aircraft, but FAA Needs To Enhance Controls for Updating Flight Hour Rates

Closed on
No. 1 to FAA
Complete the ongoing effort to update the DOT aircraft flight hour use rates and the associated FAA policy and guidance, including documenting the methodology and process to perform annual rate recalculations for each aircraft type in accordance with OMB Circular No. A-126, as well as a threshold to apply rate updates.
Closed on
No. 2 to FAA
Establish a control in the Agency’s flight scheduling process to make sure FAA personnel use the correct aircraft flight hour rates when generating travel quotes.
Audit Reports: AV2024010 issued on

FAA Has Made Progress Verifying Compliance With Aviation Fuel Tax Requirements, but Challenges Remain With Testing and Enforcement

No. 1 to FAA
Issue compliance letters to jurisdictions that FAA has determined to be in compliance with the Amendment to Policy and Procedures Concerning the Use of Airport Revenue (Amendment) but that have not received official notification of compliance.
No. 2 to FAA
Develop and implement a testing plan to assess whether jurisdictions are following FAA’s requirements for compliance with the Amendment to the Revenue Use Policy.
No. 3 to FAA
Establish a plan of action to bring California, Kentucky, Nevada, Tennessee, and Guam into compliance with the Amendment to the Revenue Use Policy.
Audit Reports: AV2024011 issued on

FAA Addresses Resiliency in IIJA Aviation Programs but Lacks Data and a Framework for Prioritizing Climate Change Projects

No. 1 to FAA
Develop and implement a methodology to measure IIJA discretionary projects' contributions to meeting DOT's and FAA's strategic goals to reduce greenhouse gas emissions from transportation.
No. 2 to FAA
Update FAA advisory circulars on long-term aviation infrastructure as necessary to address resiliency and climate change effects in airport infrastructure projects.
Audit Reports: SA2024009 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending September 30, 2023

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.
$6,464,590
No. 2 to OST
Determine the allowability of the questioned transactions and recover $6,464,590 if applicable.
Audit Reports: FS2024008 issued on

DOT’s Policies and Do Not Pay Portal Use Are Not Sufficient To Comply With the DNP Initiative

No. 1 to OST
Assess the appropriateness of the databases in the Do Not Pay (DNP) portal and document a reasonable justification for any databases that OST determines are not appropriate.
No. 2 to OST
For those DNP portal databases that OST deems appropriate, develop and implement policies and procedures to ensure recipient eligibility is verified in the DNP portal prior to making payment.
Audit Reports: QC2024007 issued on

Quality Control Review on the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

No. 1 to FTA
KPMG recommends that FTA management evaluate the COVID-19 grant programs and develop an estimation methodology responsive to the nature of the program and expected drawdown patterns.
No. 2 to FHWA
KPMG recommends that FHWA management consider the increased IIJA funding and subsequent increase in expenses and develop an estimation methodology responsive to fluctuations in future expenses.
No. 3 to FHWA
KPMG recommends that FHWA management review and update accounting policies and operating procedures to capitalize costs for the construction and procurement of non-heritage fixed assets on behalf of FLMA partners.
No. 4 to FHWA
KPMG recommends that FHWA management establish and maintain communications channels with FLMA partners and establish protocols for communicating asset-level detail for projects required by each agency’s property accountants.
No. 5 to FHWA
KPMG recommends that FHWA management perform an assessment of costs expensed for completed fixed asset construction projects to determine materiality and record correcting accounting entries as needed.
No. 6 to OST
KPMG recommends that DOT management perform procedures to consistently approve and document new or modified user account and recertification requests and timely remove separated users as required by internal policy and standards for effective internal control systems.
No. 7 to OST
KPMG recommends that DOT management update policies and procedures to assign backup responsibilities for control operators.
No. 8 to OST
KPMG recommends that DOT management provide training to system administrators on documented procedures.
No. 9 to OST
KPMG recommends that DOT management conduct monitoring to assess whether control operators are performing control activities in accordance with policy.
Audit Reports: QC2024004 issued on

Quality Control Review of the Independent Auditor’s Report on the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2023 and 2022

No. 1 to STB
STB management should review the current version of OMB Circular A-136 to independently verify that all required footnotes are included and bring any omissions to the service provider’s attention so that errors or omissions can be corrected.
No. 2 to STB
STB management should review the service provider’s Financial Statement and Notes Review Checklist to verify that the checklist is up to date and includes all required elements per OMB and Treasury guidance and then complete the checklist independently. Alternatively, STB management should develop and complete its own review checklist based on current Treasury and OMB reporting requirements.
No. 3 to STB
STB management should request its financial management service provider to: Reevaluate the inclusion of account balances that were excluded in the Other Liabilities footnote, or Disaggregate (i.e., separately report) intragovernmental other liabilities balances reported as a single line item on the balance sheet that are not included in the footnote so that the total amounts reported for Other Liabilities on the Balance Sheet and in the footnote agree.
No. 4 to STB
STB management should ensure that its review process includes procedures to disaggregate material balances reported in the financial statements and footnotes, agree balances to source documents, agree the footnotes to the principal financial statements, and verify the mathematical accuracy of all statements and schedules included in the financial statement package.
No. 5 to STB
Management’s review and certification of the financial statements and footnotes should be clearly documented and indicate what was reviewed, when the review was performed, and who performed the review for each reporting period.
No. 6 to STB
STB should perform a review of 100% of employee benefit elections and Official Personnel Folders (OPFs) to ensure they are complete and accurate.
No. 7 to STB
STB should develop policies and procedures that include the performance of periodic reviews of employees’ Official Personnel Folders to ensure that they are complete and accurate.
No. 8 to STB
STB should address missing or unavailable supporting documentation with its shared service provider to ensure that document retrieval tools are available and are working properly to allow retrieval of all stored documents.
No. 9 to STB
STB should obtain replacement documentation for employee forms and other documentation that have been determined to be incomplete or irretrievable from databases and other electronic sources following management’s initial and periodic routine reviews.
No. 10 to STB
We recommend that STB implement and enforce its existing policies and procedures requiring the periodic review of all open obligations to ensure that closeout of completed contracts, including the de-obligation of funds and return of the balances for any advanced payments, is performed regularly and timely.
Audit Reports: QC2024006 issued on

Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

No. 1 to FAA
KPMG recommends that FAA management design and perform procedures to consistently approve and document new or modified user account and recertification requests and timely remove separated users as required by internal policy and standards for effective internal control systems.
Audit Reports: QC2024005 issued on

Quality Control Review on the Independent Auditor’s Report on the Great Lakes St. Lawrence Seaway Development Corporation’s Audited Financial Statements for Fiscal Years 2023 and 2022

No. 1 to GLS
GLS should amend its procedures relating to the annual count and valuation of OM&S to include verification of unit and total costs. This should include locating or reconstructing source documentation for the total quantity on hand for each item and matching the costs entered in the system to the source documents.
No. 2 to GLS
GLS should determine how average costs are calculated within the inventory tracking system. If the average cost in the system for specific inventory items does not represent the average cost of inventory on hand, the average cost in the system should be periodically adjusted when the annual inventory is performed or at year-end.
Audit Reports: IT2024001 issued on

DOT Needs To Improve Its High-Value Assets Governance Program To Effectively Identify, Prioritize, and Secure Its Most Critical Systems

Sensitive
No. 1 to OST
Sensitive information redacted
Sensitive
No. 2 to OST
Sensitive information redacted
Sensitive
No. 3 to OST
Sensitive information redacted
Sensitive
No. 4 to OST
Sensitive information redacted
Sensitive
No. 5 to OST
Sensitive information redacted
Sensitive
No. 6 to OST
Sensitive information redacted
Sensitive
No. 7 to OST
Sensitive information redacted
Audit Reports: QC2023047 issued on

Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security Program and Practices

No. 1 to OST
Develop and implement DOT’s zero trust architecture plan for network traffic that cannot be routed through traditional Trusted-Internet Connections (TIC) access points as required by OMB M-19-26, Update to the TIC Initiative.
No. 2 to OST
In coordination with Federal Aviation Administration (FAA), complete the pilot and testing of TIC 3.0 use cases and revise FAA policies to reflect requirements in OMB M-19-26, Update to TIC Initiative.
Audit Reports: AV2023045 issued on

DOT Has Effectively Managed the Aviation Manufacturing Jobs Protection Program and Should Capture Lessons Learned From Its Oversight Efforts

Closed on Pandemic Oversight
No. 1 to OST
Conduct an Aviation Manufacturing Jobs Protection program after-action review to identify lessons learned and incorporate improvements into future grant programs.
Audit Reports: IT2023043 issued on

DOT’s Cloud-Based Systems’ Security Weaknesses Hinder Its Transition to a Zero Trust Architecture

No. 1 to OST
Develop and implement policies and procedures governing DOT components and Operating Administrations’ adoption and use of cloud services for their cloud-based system and at a minimum require system owners to: a. Submit an Authorization to Operate letter to the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office before adopting and using cloud services to ensure (1) cloud services comply with FedRAMP security baselines, and (2) FedRAMP has an accurate inventory of DOT cloud services and cloud service providers. b. Conduct a quality and risk review of the Department’s cloud service providers’ cloud service offering authorization package to ensure that it clearly and accurately reflects the cloud service offering’s security posture so DOT’s Authorizing Official can make an informed risk-based authorization decision, as required by FedRAMP. c. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the respective cloud service providers’ continuous monitoring activities to ensure their cloud systems’ security posture remains sufficient for their own use and supports ongoing authorization as required by FedRAMP.
No. 2 to OST
Incorporate the required standard cloud security clauses in the Department’s enterprise cloud service contracts as well as other cloud services contracts for FAA, MARAD, and OST to ensure the cloud services are secure.
No. 3 to OST
Working with the appropriate DOT procurement officials for FAA, FMCSA, FHWA, MARAD, FRA, NHTSA, PHMSA, and OST, set up service level agreements as required, with each of their cloud service providers to define and set agency expectations and cloud service provider-specific responsibilities.
No. 4 to OST
Direct and require confirmation of completion from FMCSA's cloud-based system owners for the National Registry of Certified Medical Examiners—Software-as-a-Service to include in its Executive Summary Authorization to Operate Letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
No. 5 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Federal Human Resources Navigator—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Use personal identity verification cards as the primary authentication mechanism to ensure secure system login. c. Develop a Privacy Impact Analysis to help identify and manage personally identifiable information and privacy risks. d. Identify a security official to review system audit log files. e. Develop and implement a process to remove extracted data containing sensitive information within 90 days of extraction in accordance with DOT requirements.
No. 6 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Electronic Document Management System—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Require multifactor authentication for non-DOT system users. c. Develop and implement a process to automatically disable inactive system accounts after 60 days of inactivity.
No. 7 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Data Analysis Visualization Environment—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Develop and implement a process to conduct monthly vulnerability scans as required by DOT.
No. 8 to OST
Direct and require confirmation of completion from MARAD's cloud-based system owner for US Merchant Marine Academy/Campus Labs—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Complete an annual security authorization process and obtain a full authorization to operate for its Software-as-a-Service cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Update its privacy threshold assessment and, if applicable, Privacy Impact Analysis to protect privacy, personally identifiable information, and other sensitive information stored in the cloud.
No. 9 to OST
Direct FAA's cloud-based system owner for the Emergency Notification System—Software-as-a-Service to provide evidence of the organizational administrator's quarterly reviews of Emergency Notification System application and documentation verifying they disable inactive accounts.
No. 10 to OST
Direct and require confirmation of completion from FRA's cloud-based system owner for its Cloud Application Services—Software-as-a-Service—to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Update the Privacy Impact Analysis for the Railroad Compliance System to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.
No. 11 to OST
Direct and require confirmation of completion from NHTSA's cloud-based system owner for the Web System—Platform-as-a-Service and Infrastructure-as-a-Service—to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop and implement a process to review audit logs and analyze vulnerability scan reports on its Platform-as-a-Service on a weekly basis to check for various risks, including software flaws per NHTSA's audit and accountability plan.
No. 12 to OST
Direct and require confirmation of completion from NHTSA's cloud-based system owner for the Advanced Retrieval Tire, Equipment, Motor Vehicle, Information System—Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Update the Privacy Impact Analysis to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.
No. 13 to OST
Direct and require confirmation of completion from PHMSA's cloud-based system owner for the Pipeline Risk Management Information System—Infrastructure-as-a-service—and PHMSA Data Mart—Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for Pipeline Risk Management Information System. b. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for PHMSA Data Mart.
No. 14 to OST
Direct and require confirmation of completion from FMCSA's cloud-based system owner for the Cloud Environment—Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use as required by FedRAMP. b. Complete its annual security authorization process and obtain a full Authorization to Operate for its cloud information system to ensure all systems risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Develop and implement a process to enforce multifactor authentication for privileged and non-privileged network accounts. d. Update the Privacy Threshold Assessment and Privacy Impact Analysis to protect the privacy of its system users' personally identifiable information and other sensitive information.
No. 15 to OST
Direct and require confirmation of completion from FRA's cloud-based system owner for the Multiple Case Incident Analysis—Infrastructure-as-a-service to include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
No. 16 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Infrastructure and Operations Common Operating Environment (COE)—Software-as-a-Service, Infrastructure-as-a-service, and Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop security baseline configuration settings and a checklist and assess whether the COE cloud-based system is properly configured and the network secure. c. Develop and implement a process to conduct reviews of the system audit logs to enhance its ability to identify suspicious, inappropriate, unusual, or malevolent activity. d. Develop and implement a process that requires timely updates to security patches that address software flaws which mitigate the risks associated with mission-related operating system patches and data exfiltration. e. Develop a Privacy Impact Analysis to identify and protect personally identifiable information and other sensitive information hosted in the COE cloud.
No. 17 to OST
Direct and require confirmation of completion from FAA's cloud-based system owner for the FAA Cloud Services—Infrastructure-as-a-service and Platform-as-a-Service to: a. Incorporate flaw remediation into ongoing configuration management processes. b. Develop and implement a process to regularly manage malicious code protection to detect and eradicate malicious code at the entry point for its Infrastructure-as-a-service and Platform-as-a-Service. c. Develop and implement a change control process and use baseline configuration settings and document configuration settings to establish a basis for future builds, releases, and/or changes. d. Develop and implement a process to perform an automated review of network accounts or implement an alternative method for identifying users on the network in real time. e. Develop and implement a process to require the most current cryptographic mechanisms to protect data during network transmission to provide complete boundary protection and reduce the risk of compromise. f. Develop and implement a process to encrypt data transmitted within the Infrastructure-as-a-service environment to reduce the risk of compromise and data exposure. g. Develop and implement a process to review vulnerability scan results and remediate vulnerabilities within specified timeframes as required by FAA's security handbook.
No. 18 to OST
Direct departmental security officials working with appropriate procurement officials to verify that service level agreements contain a requirement to report security incidents to DOT’s Security Operations Center and require confirmation of completion.
No. 19 to OST
Develop and implement a process that enables FAA’s Security Operations Center to receive the necessary log data for ensuring proper cybersecurity incident monitoring for all departmental cloud-based systems.
No. 20 to OST
Report DOT plans for fully adopting multifactor authentication and encryption for data at rest and in transit in accordance with Executive Order 14028.
No. 21 to OST
Update the Department’s zero trust architecture strategy and implementation plan to address the identified gaps and include migration steps and timelines consistent with direction from the Office of Management and Budget and National Institute of Standards and Technology guidelines.
Audit Reports: SA2023041 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending June 30, 2023

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.
$2,892,004
No. 2 to OST
Determine the allowability of the questioned transactions and recover $2,892,004, if applicable.
Audit Reports: ST2023040 issued on

FMCSA Generally Met Requirements for Cross-Border Carriers’ Long-Haul Operations, but Compliance Reviews Were Not Timely

No. 1 to FMCSA
Revise FMCSA’s policy to define and allow for justifications for delaying compliance reviews beyond 18 months, and if delayed, determine how long a carrier should be permitted to continue to operate under provisional authority without a compliance review and require documentation of a decision to delay a carrier’s review.
No. 2 to FMCSA
Determine whether a revision to the Federal Motor Carrier Safety Regulations is necessary to implement the compliance review policy revisions.
Closed on
No. 3 to FMCSA
Develop and implement a recovery plan to complete compliance reviews for those carriers operating for more than 18 months under provisional authority and to establish a compliance review scheduling system for future provisional carriers.
Audit Reports: AV2023038 issued on

FAA Conducts Comprehensive Evaluations of Pilots With Mental Health Challenges, but Opportunities Exist to Further Mitigate Safety Risks

No. 1 to FAA
Collaborate with airlines, airline pilot unions, and the aerospace medical community to conduct an assessment to identify ways to address barriers that discourage pilots from disclosing and seeking treatment for mental health conditions, based on the latest data and evidence.
No. 2 to FAA
Develop and implement policy and protocol revisions recommended in the assessment.
Audit Reports: AV2023037 issued on

Regulatory Gaps and Lack of Consensus Hindered FAA’s Progress in Certifying Advanced Air Mobility Aircraft, and Challenges Remain

No. 1 to FAA
Accelerate—to the extent possible—the current rulemaking project (SFAR) regarding powered-lift pilot eligibility requirements and operating rules for powered-lift aircraft, and develop and implement a plan with milestones for completion of the rulemaking which includes a process for regularly updating stakeholders on these milestones.
Closed on
No. 2 to FAA
Accelerate—to the extent possible—the current rulemaking project (NPRM) that will integrate powered-lift into certain regulatory definitions, and develop and implement a plan with milestones for completion of the rulemaking which includes a process for regularly updating stakeholders on these milestones.
No. 3 to FAA
Identify the causes of the difficulties in communication and decision-making related to resolving disagreements on AAM, and develop and implement a process for better managing challenges during the deliberation process for consensus in future projects, as well as a decision-making process for when consensus cannot be reached.
No. 4 to FAA
Establish and implement policies and procedures explaining CECI’s roles and responsibilities in the certification process.
Audit Reports: AV2023035 issued on

FAA Faces Controller Staffing Challenges as Air Traffic Operations Return to Pre-Pandemic Levels at Critical Facilities

Closed on
No. 1 to FAA
Complete a comprehensive review of the model for distribution of certified professional controllers (CPCs) for air traffic control facilities and update interim CPC staffing levels as necessary.
No. 2 to FAA
Implement a new labor distribution system that includes features such as timekeeping, overtime and Controller-in-Charge tracking, and real-time leave balances.
Audit Reports: AV2023036 issued on

FAA Has Deployed a Prototype System for Monitoring Commercial Space Operations but Faces Integration Challenges

No. 1 to FAA
Update the commercial space operational shortfalls identified in the 2020 Concept of Operations, and report out on any changes to the shortfalls and plans for addressing them.
Closed on
No. 2 to FAA
Update and publish the status of Aviation Rulemaking Committee recommendations that have not been implemented, including establishing target action dates for recommendations that are aligned with implementation of the National Airspace System Space Integration Capabilities program.
No. 3 to FAA
Determine the workload impact of commercial space operations at air traffic facilities, and take action as needed.
No. 4 to FAA
Identify the specific direct tasks associated with commercial space operations, determine if they should be included in the en-route controller workload model, and if so, incorporate them in the next updated model.
Audit Reports: ST2023034 issued on

DOT Should Enhance Its Fraud Risk Assessment Processes for IIJA-Funded Surface Transportation Programs

No. 1 to OST
Require OAs to regularly assess fraud risks for each program; tailor their assessments based on factors such as size, resources, maturity, and experience in managing risks; and include relevant stakeholder input.
No. 2 to OST
Provide guidance to OAs on how to identify and assess fraud risks in their programs, including guidance on specific tools, methods, and sources for gathering information about fraud risks. This guidance should also address the leading practices for identifying and assessing the likelihood and impact of inherent fraud risks, determining fraud risk tolerance, examining the suitability of existing controls, prioritizing residual fraud risks, and documenting the program’s fraud risk profile to inform managers’ decisions on their responses to assessed risks.
Audit Reports: ST2023031 issued on

NHTSA Has Not Fully Established and Applied Its Risk-Based Process for Safety Defect Analysis

No. 1 to NHTSA
Assess timeliness goals by: a. Determining whether its current timeliness goals are realistic and attainable and, if necessary, revising those goals. b. Developing and implementing a plan for meeting timeliness goals.
Closed on
No. 2 to NHTSA
Develop and implement procedures for conducting audit query and timeliness query investigations.
No. 3 to NHTSA
Develop and implement a system of accountability to improve ODI’s compliance with processes, including: a. Notifying petitioners regarding the decision to grant or deny petitions within 120 days; b. Documenting timely supervisory review of documents and related analyses during the pre-investigative and investigative processes and conducting timely reviews of manufacturer-provided data; c. Developing and following a written plan for all phases of investigations; and d. Documenting substantive pre-investigative and investigative-related communication with manufacturers.
No. 4 to NHTSA
Develop and implement improved procedures for ensuring investigation documentation is uploaded to the public website, including: a. Establishing timelines for ensuring all required documents are posted; b. Identifying documents missing from the public website and mitigating the backlog; c. Assigning responsibilities between the Correspondence Research Division and investigators; and d. Establishing timelines for contractors to redact information.
No. 5 to NHTSA
Revise Information Request (IR) procedures to ensure consistent application by each of the divisions, and develop a system of accountability to ensure compliance with the revised procedures when: a. Issuing and approving a manufacturer-requested IR letter response extension; and b. Requesting information from manufacturers.
No. 6 to NHTSA
Develop and implement procedures for the planned integrated information system including a user guide for how to document decisions, actions taken, and communication with stakeholders, as well as where to store specific pre-investigative and investigative documentation.
No. 7 to NHTSA
Complete expeditious integration of the information systems for pre-investigation and investigation processes, including data migration.
No. 8 to NHTSA
Develop and implement a consistent procedure to govern ODI’s practice of negotiating a resolution of potential safety defects with manufacturers.
Closed on
No. 9 to NHTSA
Develop and implement a requirement that all information used to support decisions made during the pre-investigative and investigative processes is documented and retained, including the supporting information for safety defect analyses and related briefings.
No. 10 to NHTSA
Develop and implement guidance for determining which issues investigators should present at Hot Issues meetings based on ODI’s risk-based analysis process.
No. 11 to NHTSA
Reconcile the risk matrix and issue escalation procedures and establish specific guidance on when an investigation should be opened.
No. 12 to NHTSA
Develop a definition of high-interest topics and the actions needed to address these issues.
Audit Reports: ST2023032 issued on

PHMSA Established an Effective Integrated Inspection Program but Needs To Strengthen Guidelines To Mitigate Risks

No. 1 to PHMSA
Update the Integrated Inspection User’s Manual to reflect current processes and systems used and clarify requirements for system profiles.
No. 2 to PHMSA
Develop and implement a plan for ensuring supervisors verify lead inspectors have completed all documentation requirements identified in the Integrated Inspection User’s Manual.
No. 3 to PHMSA
Update RRIM Documentation with an explanation for how pipeline age and manufacturer, volume transported, pressure, seismicity, climate, geology, and demography should or should not be considered as part of the Risk Ranking Index Model.
Audit Reports: ZA2023030 issued on

Fragmented Processes Weaken DOT’s Accountability for Contractor Employee PIV Cards

Closed on
No. 1 to OST
Verify that each OA has a documented process in place to confirm that required PIV card-related security clauses are included in all applicable DOT contracts prior to award.
No. 2 to OST
Establish, document, and implement a process for the Department to track contractor employees’ PIV cards and record the dates the cards are collected and deactivated.
No. 3 to OST
Designate in writing points of accountability for overseeing the entirety of contractor employee PIV card collection and deactivation processes.
No. 4 to OST
Update or supplement the DOT PIV Card Program Order to define “promptly” in all uses throughout the Order.
No. 5 to OST
Develop and implement required annual training for all staff involved in contractor employee PIV card processes and a procedure to verify the training has occurred. The training attendees should include all staff listed in the DOT PIV Card Program Order who could potentially be involved and anyone else an individual OA assigns to this task.
No. 6 to OST
Update or supplement the DOT PIV Card Program Order to address the deactivation process in all instances where PIV cards are no longer needed. This should include establishing the accountable officials as well as concrete metrics when deactivation should occur from when the card is no longer needed.
Audit Reports: SA2023026 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending March 31, 2023

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.
$14,886,138
No. 2 to OST
Determine the allowability of the questioned transactions and recover $14,886,138, if applicable.
Audit Reports: AV2023027 issued on

Opportunities Exist for FAA To Strengthen Its Workforce Planning and Training Processes for Maintenance Technicians

No. 1 to FAA
Establish and implement a maintenance technician workforce plan that considers factors such as average training time, training requirements, and staffing turnover for a period longer than 1 year.
Closed on
No. 2 to FAA
Update and implement a formal process that better defines roles and responsibilities and establishes improved communication and collaboration among the stakeholders responsible for maintenance technician training, including Technical Operations, Technical Training, and the FAA Academy.
Closed on
No. 3 to FAA
Develop and implement a process that includes defined roles and responsibilities for the groups within Technical Training responsible for the management of training solution procurements.
No. 4 to FAA
Update and implement a formal process to periodically evaluate training course feedback from maintenance technicians, generate regular reports for FAA Technical Training management’s review, and share the lessons learned to improve future course content and delivery.
Audit Reports: AV2023025 issued on

FAA Has Completed 737 MAX Return to Service Efforts, but Opportunities Exist To Improve the Agency’s Risk Assessments and Certification Processes

Closed on
No. 1 to FAA
Document the process by which key safety decisions, such as a potential grounding of an aircraft fleet, are made when the Agency identifies that urgent action is necessary.
No. 2 to FAA
Revise the Transport Airplane Risk Assessment Methodology (TARAM) handbook to incorporate current safety data, including available international data when appropriate.
No. 3 to FAA
Review the TARAM handbook’s quantitative safety guidelines to determine if they still meet the Agency’s needs, and implement identified corrections as appropriate.
No. 4 to FAA
Formalize training requirements for engineers responsible for completing TARAM analysis, as well as managers responsible for reviewing the analysis.
No. 5 to FAA
Review the TARAM and Transport Airplane Safety Manual (TASM), address any identified key differences between the two documents, and integrate TASM into TARAM when appropriate.
No. 6 to FAA
Incorporate integrated System Safety Assessments into regulations or Agency guidance for future transport category airplane certification projects.
No. 7 to FAA
Identify lessons learned related to the application of the 737 MAX recertification and the Continued Operational Safety process that have not yet been addressed and include them into airplane certification and safety evaluation processes.
Audit Reports: AV2023024 issued on

FAA’s Office of Investigations and Professional Responsibility Needs To Enhance Internal Controls for Conducting Administrative Investigations

No. 1 to FAA
Require AXI to develop a process to collect and share best practices for investigators in compliance with AXI guidance.
No. 2 to FAA
Revise Security and Hazardous Materials Safety Order 1600.20 guidance to avoid overlap or contradiction with similar procedures contained in FAA Order 1600.38.
No. 3 to FAA
Revise AXI’s guidance to clarify that investigators should pursue administrative investigations when OIG declines cases for criminal referral.
No. 4 to FAA
Develop and publish roles and responsibilities for the AXI deputy director position.
No. 5 to FAA
Develop and implement procedures for investigators to electronically record interviews in accordance with FAA’s Human Resources Policy Manual requirements.
No. 6 to FAA
Develop and implement a management control to credit and account for Agency and non-Agency investigator training courses in AXI’s electronic training system.
No. 7 to FAA
Develop and implement an internal control to ensure that only the management official with requisite signature authority signs for investigative reports.
No. 8 to FAA
Develop and implement procedures consistent with DOT Order 8000.8A to ensure investigators consistently send criminal cases to the Internal Investigations Division Manager and coordinate with OIG’s Office of Investigations on the referral process.
No. 9 to FAA
Develop and implement a management control to require the Internal Investigations Division Manager to track cases that have been rejected by the Internal Investigations Division (AXI-100).
No. 10 to FAA
Develop procedures to ensure the Investigations Standards and Policy Division (AXI-200) maintains auditable documentation, in accordance with established Agency retention periods, to support findings identified in its annual reports of AXI-100 investigation procedures.
No. 11 to FAA
Develop and implement a management control to ensure AXI-200 complies with its Program Reviewer Guide requirements to (a) prepare annual reports, (b) conduct the required number of annual reviews of AXI investigative operations, (c) use consistent investigative and reporting criteria, and (d) identify investigation case numbers when reporting its evaluation of AXI-100’s investigative operations.
Audit Reports: SA2023023 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending December 31, 2022

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.
$5,538,037
No. 2 to OST
Determine the allowability of the questioned transactions and recover $5,538,037, if applicable.
Audit Reports: ZA2023022 issued on

DOT Faces Challenges in Meeting Federal CPARS Reporting Guidance

Closed on
No. 1 to OST
Develop and implement procedures to monitor Operating Administrations’ (OA) compliance with the 30-day registration requirement in accordance with the Transportation Acquisition Manual (TAM).
Closed on
No. 2 to OST
Update the TAM to require that contractor performance assessments be completed within 120 calendar days in accordance with the Contractor Performance Assessment Reporting System (CPARS) guide.
Closed on
No. 3 to OST
Develop and implement procedures to ensure those OAs without internal CPARS guidance have them established in compliance with TAM 1242.1503(a)(1).
Closed on
No. 4 to OST
Update the TAM to require each OA to develop and implement guidance to address turnover in CPARS staff as well as ensure departing personnel complete interim assessments.
Closed on
No. 5 to OST
Update the TAM to require CPARS role- and function-based training for all users not currently cited, including Alternate Focal Points and Assessing Official Representatives.
Closed on
No. 6 to OST
Update the TAM to require each OA to develop and implement guidance to assist OA CPARS officials in managing assessment disagreements with contractors.
Closed on
No. 7 to OST
Adopt a process to conduct periodic assessments to identify shortfalls and projected needs in CPARS training.
No. 8 to FAA
Develop and implement procedures to monitor compliance with the 30-day registration requirement.
Closed on
No. 9 to FAA
Update the Acquisition Management System to require CPARS training for all personnel who have CPARS responsibilities.
Closed on
No. 10 to FAA
Conduct an assessment of CPARS user training and develop and implement plans to meet identified needs, including training geared to assisting CPARS officials in developing skills for managing disagreements with contractors.
Audit Reports: FS2023020 issued on

FAA Can Strengthen Its Oversight of the AIP Acquired Noise Compatibility Land Program

$2,077,796
No. 1 to FAA
Develop and implement procedures to verify that airport sponsors have provided evidence satisfactory to FAA that the airport sponsor has or will obtain good title to land, prior to requesting reimbursement for costs associated with noise compatibility land acquisition. Implementing this recommendation could put up to $2,077,796 in funds to better use by requiring that only costs associated with completed noise land acquisitions are reimbursed.
No. 2 to FAA
Develop and implement a process to require airport sponsors to certify that noise exposure maps are a reasonable representation of current and/or future conditions at the airport at the time of grant award.
No. 3 to FAA
Update the Noise Land Management and Requirements for Disposal of Noise Land or Development Land Funded with AIP policy to establish a reasonable schedule for FAA Airport District Offices and Regional Offices to review Noise Land Inventory and Reuse Plans for accuracy and consistency with FAA policy.
No. 4 to FAA
Update and implement procedures to require airport sponsors to maintain Noise Land Inventory and Reuse Plans in electronic format available for FAA review, upon request.
$38,530,768
No. 5 to FAA
Require all airport sponsors that have acquired noise land to identify noise land eligible for disposal via sale and verify that noise land sales revenues are used in accordance with Federal law. Based on our review of five airports, implementing this recommendation could put up to $38,530,768 in funds to better use by generating revenue that could be reinvested in the program.
No. 6 to FAA
Update guidance to clarify for airport sponsors when noise land should be considered no longer needed for eligible current or planned airport purposes and disposed of in accordance with FAA policy.
No. 7 to FAA
Update guidance for Noise Land Inventory and Reuse Plans to require that the Noise Land Inventory include original acquisition dates, estimated or final completion dates for proposed or completed methods of disposal, and the date of FAA approval.
$66,160
No. 8 to FAA
Update guidance for Noise Land Inventory and Reuse Plans to require that the Noise Land Inventory include the Federal share of the sale price at the time of sale and how sales proceeds were used. Implementing this recommendation could put up to $66,160 in funds to better use by properly accounting for noise land disposal proceeds in accordance with Federal law.
No. 9 to FAA
Require the Rhode Island T.F. Green International Airport, Phoenix Sky Harbor International Airport, and Harry Reid International Airport to develop and submit for FAA’s approval current Noise Land Inventory and Reuse Plans after implementation of recommendations 4, 7, and 8.
Audit Reports: SA2023019 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending September 30, 2022

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop corrective action plans to resolve and close current and repeat findings highlighted in this report.
$3,546,767
No. 2 to OST
Determine the allowability of the questioned transactions and recover $3,546,767, if applicable.
Audit Reports: QC2023016 issued on

Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2022 and 2021

No. 1 to OST
KPMG recommends that DOT OCIO management revise the website containing the policy documentation to ensure all documents are consistent and contain the same listing of required controls for moderate-impact systems.
No. 2 to OST
KPMG recommends that DOT OCIO management should document any Department-wide tailoring decisions within the appropriate security documentation, as required by NIST.
No. 3 to OST
KPMG recommends that DOT OCIO management should define and document control tailoring requirements for the Department and its Operating Administrations.
No. 4 to OST
KPMG recommends that DOT OCIO management ensure that the process for provisioning privileged database system administrator accounts supporting the Federal Highway Administration’s grant system is performed in accordance with DOT policies.
No. 5 to FAA
KPMG recommends that ESC management create monitoring procedures over the existing management review of the JV control logs monthly reconciliation to ensure the consistent operation of the control, as defined within policy.
No. 6 to OST
KPMG recommends that OST-CFO management revise its accounting process to accrue TIFIA interest each period or document its current process as a non-GAAP policy and perform an annual materiality assessment to determine the annual impact of the unaccrued interest policy.
No. 7 to OST
KPMG recommends that OST-CFO management should perform a review of OST-CFO’s accounting policies and procedures as a control activity over the completeness of non-GAAP policies and procedures and update the non-GAAP listing and assessment accordingly.
No. 8 to OST
KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the relevant control objectives, related controls, and rationale for non-relevant control objectives and controls.
No. 9 to OST
KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the relevant complementary end user controls designed and implemented by DOT.
No. 10 to OST
KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the criteria used by management to evaluate the results of the service organization controls report and related findings.
Closed on
No. 11 to FTA
KPMG recommends that FTA management design and implement controls to track the status of Treasury warrant requests to ensure that the warrants are recorded in the financial system timely when processed.
Closed on
No. 12 to FTA
KPMG recommends that FTA management perform a review for the completeness of the financial statements provided to OST, including reviews for transactions recorded subsequent to the OST reporting date.
Audit Reports: QC2023018 issued on

Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Financial Statements for Fiscal Years 2022 and 2021

No. 1 to FAA
KPMG recommends that FAA management design and implement formal detective controls to log and monitor developer activities in the time and attendance production environment. All programmatic changes to the time and attendance production environment should be reviewed and reconciled from the logs to the approved change tickets.
Closed on
No. 2 to FAA
KPMG recommends that FAA management review and re-certify the FAA procurement system PTA in accordance with FAA policy.
No. 3 to FAA
KPMG recommends that FAA management perform a risk assessment to consider the potential impact of discrepancies between vendor-submitted invoice web portal amounts and the vendor-submitted supporting documentation, and respond to the level of risk identified as appropriate.
No. 4 to FAA
KPMG recommends that FAA management communicate the importance of its existing financial system goods and services acceptance processes, policies, and procedures with its CORs.
Closed on
No. 5 to FAA
KPMG recommends that FAA management quantify the impact of the non-GAAP assumption and record it as a part of their estimate if deemed material.
Closed on
No. 6 to FAA
KPMG recommends that FAA management update policies and procedures for the environmental remediation estimate to ensure that all methodology assumptions are documented.
Closed on
No. 7 to FAA
KPMG recommends that FAA management clarify its General Property, Plant & Equipment accounting policies for real property improvements to further document management’s criteria and considerations for capitalizing costs relating to building components typically expensed by FAA during the asset lifecycle.
Closed on
No. 8 to FAA
KPMG recommends that FAA management assess the nature of its FIA and Modernization costs incurred to document the specific criteria distinguishing the nature of these programs’ costs from other programs’ costs.
Closed on
No. 9 to FAA
KPMG recommends that FAA management continue to consider the appropriateness of its policies for real property, including improvement criteria, capitalization thresholds, and estimated useful lives, particularly for its fully depreciated real property.
No. 10 to FAA
KPMG recommends that FAA management assess the risks associated with recording UCOs with Advance within its business process, and design and implement a control activity to ensure timely and accurate recording of UCOs with Advance for which an advance payment associated with the RA has been received.
No. 11 to FAA
KPMG recommends that FAA management design and implement controls to perform a risk assessment for instances in which an AIP grant agreement remains open only for non-financial administrative or compliance requirements and respond to the risk of untimely deobligation of grant UDOs.
No. 12 to FAA
KPMG recommends that FAA management design and implement controls to ensure that the population generated to support the disclosure of future minimum lease payments is complete and accurate.
No. 13 to FAA
KPMG recommends that FAA management develop policies to define the scope of the lease disclosure.
No. 14 to FAA
KPMG recommends that FAA management design and implement control activities to monitor the effective operation of its process controls related to provisioning new payroll shared service center access requests.
No. 15 to FAA
KPMG recommends that FAA management develop policies and procedures for maintaining completed and authorized payroll shared service center access forms for new user access requests in a secure centralized location.
No. 16 to FAA
KPMG recommends that FAA management design and implement control activities to monitor the effective operation of its process controls related to monitoring FAA employees’ payroll shared service center access.
No. 17 to FAA
KPMG recommends that FAA management take measures to ensure that FAA has sufficient control operator personnel available to support the annual recertification of FAA employees with payroll shared service center access within the reporting timeline prescribed by DOT.
Audit Reports: QC2023017 issued on

Quality Control Review of the Management Letter for the National Transportation Safety Board’s Audited Financial Statements for Fiscal Years 2022 and 2021

Closed on
No. 1 to NTSB
Allmond recommends that NTSB management enforce the agency’s FPPS user termination process to require the completion and submission of an FPPS User Access Form to the service provider immediately upon separation of all FPPS users from the agency.
Closed on
No. 2 to NTSB
Allmond recommends that NTSB management work with the service organization to determine why the termination date for the user accounts did not agree with the effective date of the personnel actions for the employee separations.
Closed on
No. 3 to NTSB
Allmond recommends that NTSB management, at least quarterly, perform a review of all FPPS users. If any separated employees, or any other system users who no longer need access, are identified in the listing, then work with the service organization to determine why this occurred and what actions are necessary to resolve the issue.
Audit Reports: QC2023015 issued on

Quality Control Review of the Management Letter for the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2022 and 2021

No. 1 to STB
STB perform a review of all employees’ leave balances to ensure they are accurate and comply with 5 United States Code (U.S.C.) § 6304 requirements.
No. 2 to STB
STB work with its payroll service provider to determine and address the cause of the error.
No. 3 to STB
STB perform a review of the identified employee’s leave balances (i.e., beginning balance, leave accrued/taken, and ending balance) for each year since the error first occurred in order to recalculate the employee’s corrected leave balance.
No. 4 to STB
Management record all equipment purchases that meet its capitalization thresholds as capitalized assets. If the acquired property is not ready to be placed into service, then that property should be classified as Construction in Progress or Other General Property, Plant and Equipment, depending on the circumstances that apply to the purchased items at that time.
No. 5 to STB
Management regularly assess all capitalized property and identify assets that require reclassification, such as when assets are being placed into, or taken out of, service.
No. 6 to STB
Management update its financial reporting and property management policies and procedures to include the recording of new capitalized purchases in accordance with generally accepted accounting principles.
Audit Reports: ZA2023014 issued on

DOT’s Oversight Is Not Sufficient To Ensure the City of Seattle Meets Requirements for Managing Federal Transportation Funds

No. 1 to OST
Develop and implement, for each discretionary grant program that relies on cost estimates to establish compliance with program requirements and eligibility, a risk-based process for validating cost estimates prior to the execution of grant award agreements, as well as document the Department's review of the cost estimates.
No. 2 to OST
Direct FHWA and FTA to coordinate with grantees to ensure the City of Seattle develops and implements appropriate internal controls to track Federal funds in accordance with 2 CFR 200.302(b)(1) and (3).
Closed on $21,000,000
No. 3 to FHWA
Remove $21 million in lapsed funding identified in this report from FHWA’s unobligated balances. Implementing this recommendation could put $21 million in funds to better use on other transportation programs.  
No. 4 to FHWA
Advise WSDOT as part of stewardship and oversight activities to include change orders in WSDOT's next project management review of SDOT.
No. 5 to FHWA
Direct the FHWA WA Division to review WSDOT's established process of reviewing subrecipients' supporting documentation for internal staffing charges (e.g., billing records, invoices, timecards) to ensure compliance with 2 CFR 200.403.
$753,839
No. 6 to FHWA
Work with WSDOT to collect adequate supporting documentation for $753,839 in internal staffing costs identified by OIG or recover from WSDOT any portion that is determined to be unallowable or unsupported.
Closed on
No. 7 to FRA
Incorporate change orders as a focus area in FRA’s annual review process.
No. 8 to FRA
Develop and implement policy to evaluate whether to deobligate funds when there is a significant reduction in project costs prior to closeout.
No. 9 to FTA
Include a sample of SDOT's change orders as part of FTA's triennial reviews. In doing so, FTA could better detect and prevent the risk for paying for unapproved change orders.
No. 10 to FTA
Require FTA Region 10 to conduct a review of the City of Seattle's internal controls for supporting documentation of expenditures billed to Federal awards to ensure compliance with 2 CFR 200.403.
$9,946,977
No. 11 to FTA
Recover the $9,946,977 in costs we identified for which SDOT provided incomplete information or provide a justification for accepting the costs.
Closed on $3,600,000
No. 12 to FTA
Direct FTA Region 10 to notify WSDOT in writing that the $3.6 million in lapsed funds identified in this report have been credited to the State and are available for other eligible transit projects. Implementing this recommendation could put up to $3.6 million in funds to better use.
Closed on $3,800,000
No. 13 to FTA
Require FTA Region 10 to review $3.8 million in inactive funds identified in this report and determine whether they will be used, and if not, deobligated. Implementing this recommendation could put up to $3.8 million in funds to better use.
No. 14 to FTA
Implement procedures and related mechanisms to show when unobligated transferred funds are obligated and to what projects.
Audit Reports: PT2023013 issued on

FAA’s Office of Audit and Evaluation Adheres to Investigative Practice Standards but Lacks Comprehensive Standard Operating Procedures

No. 1 to FAA
Establish and implement comprehensive written investigative policies and procedures for whistleblower investigations conducted by AAE that address best practice investigation standards in the areas of Qualifications, Independence, Due Professional Care, Planning, Execution, Reporting, and Information Management.
No. 2 to FAA
Establish and implement a methodology for sufficiency reviews that provides greater tracking and documentation controls.
Closed on
No. 3 to FAA
Hire additional staff, as planned, for the Office of Whistleblower Ombudsman.
No. 4 to FAA
Revise FAA Order 1100.167B to readjust duties that are inconsistent with the limitations established by the Aircraft Certification, Safety, and Accountability Act of 2020.
Audit Reports: ST2023012 issued on

FHWA Has Made Progress Implementing a Tunnel Safety Program, but Work Remains To Complete a Reliable Inventory, Fully Assess Compliance, and Effectively Monitor Critical Risks

No. 1 to FHWA
Revise the October 2015 guidance on structures subject to the national tunnel inspection standards to clarify which structures align with the definition of a tunnel and explain how potential non-tunnel structures conflict with the definition.
No. 2 to FHWA
Issue guidance for FHWA Divisions on how to verify that State DOTs, Federal agencies, and tribal governments have reported all highway tunnels to the national tunnel inventory; and for informing those stakeholders of methods they could employ to identify all structures considered to be highway tunnels.
No. 3 to FHWA
Implement comprehensive procedures on the processing and publishing of national tunnel inventory data, including controls to reduce data errors.
Closed on
No. 4 to FHWA
Issue a report to Congress on the national tunnel inventory and consult with the relevant Congressional committees about the intent of the statutory provision to provide subsequent annual reports.
No. 5 to FHWA
Identify feasible improvements to the presentation of national tunnel inventory data on the Agency’s website to facilitate the public’s understanding and use of the data, and develop a plan to implement them.
No. 6 to FHWA
Document the quality control and quality assurance processes, incorporate controls to ensure that all tunnel program compliance determinations adhere to the applicable compliance criteria, and communicate the processes to all relevant program and Division staff.
No. 7 to FHWA
Assess the process for conducting compliance reviews of other Federal agencies and implement any recommended changes to ensure the reviews are effectively staffed and sufficiently independent.
Closed on
No. 8 to FHWA
Implement minimum training requirements for FHWA staff responsible for conducting tunnel safety program compliance reviews.
No. 9 to FHWA
Update the tunnel safety program compliance review manual to incorporate existing review process flexibilities, such as when unusual or unique circumstances impact tunnel inspection intervals.
No. 10 to FHWA
As part of the next update to the tunnel safety program compliance review manual, solicit and consider external stakeholder input on the Agency’s review procedures to include States, Federal agencies, and interested and knowledgeable private organizations and individuals.
No. 11 to FHWA
Update the guidance for the national critical findings database to clarify its scope and incorporate comprehensive controls for ensuring the quality of the reported data. Solicit external stakeholder input in developing the updated guidance and communicate it to all stakeholders.
No. 12 to FHWA
Communicate noteworthy practices on the critical findings process for tunnels and work with stakeholders to improve the guidance on which structural and safety deficiencies align with the definition of a critical finding.
Audit Reports: AV2023011 issued on

FAA Has Taken Steps To Validate Its Air Traffic Skills Assessment Test but Lacks a Plan To Evaluate Its Effectiveness

Closed on
No. 1 to FAA
Establish a plan for evaluating the ATSA's effectiveness.
Audit Reports: FS2023010 issued on

The Build America Bureau Has Not Established Adequate Controls To Oversee Its TIFIA Program

No. 1 to OST
Develop and implement procedures to comply with the TIFIA statute to issue loan application related notifications no later than 30 and 60 calendar days after receipt.
No. 2 to OST
Develop and implement procedures for timely collection of servicing fees and advisor fees in accordance with TIFIA program requirements.
No. 3 to OST
Develop an accurate reporting system to identify and monitor payments not received on the date they are due.
$200,000
No. 4 to OST
Reimburse the $200,000 advisor fee overpayment referenced in this report.
$40,500
No. 5 to OST
Collect the $40,500 in unpaid fiscal year 2019 servicing fees referenced in this report.
No. 6 to OST
Develop and implement a uniform policy identifying what documentation borrowers must submit with requisition request and disseminate to Operating Administrations.
Closed on $294,000,000
No. 7 to OST
Provide supporting documentation for the transactions related to the $294 million in unsupported costs we identified, and collect all unsupported costs or identify the Bureau’s rationale for accepting them.
No. 8 to OST
Develop and implement a process for revoking access to Bureau systems for separating Bureau employees.
Closed on
No. 9 to OST
Revoke access to the shared drive for the eight individuals identified in the report.
Closed on
No. 10 to OST
Assign the responsibility for updating the Bureau’s website to accurately reflect the TIFIA loan portfolio.
Audit Reports: QC2023005 issued on

Quality Control Review of the Independent Auditor’s Report on the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2022 and 2021

No. 1 to STB
STB management should review the current version of the Office of Management and Budget (OMB) Circular A-136 to independently verify that all required footnotes are included and bring any omissions to the service provider’s attention so that errors or omissions can be corrected.
No. 2 to STB
STB management should review the service provider’s Financial Statement and Notes Review Checklist to verify that the checklist is up to date and includes all required elements per OMB and Treasury guidance and then complete the checklist independently. Alternatively, STB management should develop and complete its own review checklist based on current Treasury and OMB reporting requirements.
No. 3 to STB
STB management should request its financial management service provider to: (a) reevaluate the inclusion of account balances that were excluded in the Other Liabilities footnote, or (b) disaggregate (i.e., separately report) intragovernmental other liabilities balances reported as a single line item on the balance sheet that are not included in the footnote so that the total amounts reported for Other Liabilities on the Balance Sheet and in the footnote agree.
No. 4 to STB
STB management should ensure that its review process includes procedures to disaggregate material balances reported in the financial statements and footnotes, agree balances to source documents, agree the footnotes to the principal financial statements, and verify the mathematical accuracy of all statements and schedules included in the financial statement package.
No. 5 to STB
STB should perform routine reviews of employee benefit elections and Official Personnel Folders (OPFs) to ensure they are complete and accurate.
No. 6 to STB
STB should address missing or unavailable supporting documentation with its shared service provider to ensure that document retrieval tools are available and are working properly to allow retrieval of all stored documents.
No. 7 to STB
STB should obtain replacement documentation for employee forms and other documentation that has been determined to be incomplete or irretrievable from databases and other electronic sources.
Audit Reports: QC2023007 issued on

Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2022 and 2021

No. 1 to FAA
KPMG recommends FAA design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.
No. 2 to FAA
KPMG recommends FAA design and implement procedures to consistently and timely notify account administrators of separations as required by internal policy.
Audit Reports: ST2023001 issued on

FTA Can Enhance Its Controls To Mitigate COVID-19 Relief Funding Risks

Pandemic Oversight
No. 1 to FTA
Design or redesign control activities for the four risks that have not been fully addressed and that FTA still deems as applicable. These are: a.) Risk of Fraud or Abuse, b.) Recipients May Attempt to Use Funding for a Non-Operating Expense Even Though They Have Furloughed Staff, c.) Private Sector Operators Are Now Eligible to Become Sub-recipients and d.) Limited Capacity of Current Oversight Contracts.
Closed on Pandemic Oversight
No. 2 to FTA
Document the determination that four of the risk areas in the August 2021 Internal Control Plan are no longer risks; therefore, additional controls are not necessary. These are: a. Pace/Speed of Obligations and Disbursements, b. Guidance and Instructions Related to the Use of COVID-19-Relief Funding, c. Risks Between Programs and d. Notification for Large Drawdown Requests.
