Recommendation Dashboard

OIG’s Office of Auditing and Evaluation makes recommendations to the Department of Transportation and a few independent transportation entities to correct deficiencies and encourage improvements in the safety, economy, efficiency, and management of their programs and operations. Our audit report findings and conclusions explain the basis for the specific corrective actions we recommend. This Recommendation Dashboard provides more information than ever before about the current status of OIG recommendations, which we plan to update on a weekly basis. For more information, see answers to frequently asked questions.

The Recommendation Dashboard does not include data on many of our older audits for which all recommendations were closed prior to July 1, 2016.
Audit Reports: QC2024038 issued on

Quality Control Review of the Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices

No. 1 to STB
Develop and implement a formal process to integrate the results of the STB's business impact analysis (BIA) with its enterprise risk management activities.
No. 2 to STB
Update existing methods of resource allocation to account for system categorization.
No. 3 to STB
Perform a cost benefit analysis of introducing automation to support a centralized view of cybersecurity risks, manage risk designations, maintain privileged accounts, and test system contingency plans; and apply the appropriate risk mitigation strategy.
No. 4 to STB
Develop profiles of expected activities on its networks and systems.
No. 5 to STB
Develop qualitative and quantitative performance measures to evaluate the effectiveness of the following: Configuration management plan and change control activities; Data exfiltration and enhanced network defenses; Data breach response plan; Privacy awareness training program; Incident response capability; ISCM policies, strategy, and processes; Incident detection, analysis, handling, and response activities; Information system contingency plans. For all performance measures, ensure that supporting data is obtained accurately, consistently, and in a reproducible format.
No. 6 to STB
Develop a formal process to collect, analyze, and respond to feedback on the performance of its secure configuration policies and procedures and security awareness and training program.
No. 7 to STB
Resume the assessment of the skills and knowledge of its workforce to tailor its awareness and specialized security training.
No. 8 to STB
Obtain access to the appropriate subject matter experts or training to assist with the implementation of secure configuration settings for its information systems.
No. 9 to STB
Implement the logging requirements outlined within OMB's M-21-31.
Audit Reports: SA2024037 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending June 30, 2024

No. 1 to OST
We recommend that DOT coordinate with impacted Operating Administrations to develop a corrective action plan to resolve and close the findings highlighted in this report.
$919,266
No. 2 to OST
We recommend that DOT determine the allowability of the questioned transactions and recover $919,266, if applicable.
$116,487
No. 3 to OST
We recommend that DOT work with FTA to determine the allowability of the questioned tribal transactions and recover $116,487, if applicable.
Audit Reports: FS2024036 issued on

GLS Lacks Effective Controls To Reliably Estimate Seaway Infrastructure Program Costs

No. 1 to GLS
Develop and implement a formal cost-estimating process that incorporates, as applicable, the best practices in the Government Accountability Office Cost Guide to better ensure that SIP project estimates are reliable.
No. 2 to GLS
Establish controls to ensure independent Government cost estimates are performed in accordance with Federal regulations.
No. 3 to GLS
Develop and implement policies and procedures to document and retain copies of all independent Government estimates for SIP projects in contract files.
No. 4 to GLS
Develop and implement a formal written process for capturing total costs and associated support for completed SIP projects to ensure accurate and timely reporting.
Audit Reports: SA2024034 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending March 31, 2024

Closed on
No. 1 to OST
Coordinate with impacted Operating Administrations to develop a corrective action plan to resolve and close the findings highlighted in this report.
$2,576,852
No. 2 to OST
Determine the allowability of the questioned transactions and recover $2,576,852 if applicable.
$105,674
No. 3 to FTA
Work with FTA to determine allowability of the questioned tribal transactions and recover $105,674, if applicable.
Audit Reports: ZA2024033 issued on

FTA’s Oversight of SEPTA’s Compliance With Buy America Rolling Stock Requirements Faced Several Challenges

No. 1 to FTA
Initiate actions to establish requirements for recipients (or third-party auditors) for how manufacturers' rolling stock documentation will be reviewed when conducting pre-award and post-delivery audits.
No. 2 to FTA
Initiate actions to establish requirements for recipients (or third-party auditors) to maintain pre-award and post-delivery audit documentation in a manner that protects manufacturers' sensitive data while also providing supporting evidence of the work described in the audit.
Closed on
No. 3 to FTA
Amend FTA's Master Agreement to clarify that recipients must obtain the same level of access as third-party auditors would have to confidential information to improve oversight and transparency into manufacturers' adherence to Buy America rolling stock requirements.
No. 4 to FTA
Initiate actions to establish requirements for recipients (or their auditors) to document their verification of suppliers' Buy America information.
No. 5 to FTA
Develop and implement Buy America policies or guidance as to how to account for hardware and domestic shipping costs when computing domestic content percentages.
No. 6 to FTA
Develop and implement Buy America policies or guidance detailing when to initiate Buy America rolling stock compliance reviews and apply the corrective actions (i.e., specific conditions and remedies for noncompliance) described in the Uniform Grant Guidance.
$30,800,000
No. 7 to FTA
For the $30.8 million in questioned costs relating to CRRC MA suppliers' certificates, work with SEPTA to confirm Buy America compliance for those suppliers and determine if any amount is unsupported or unallowable under Buy America rules. Should any amount be found to be unsupported or unallowable, provide a justification for accepting the costs or take appropriate corrective actions.
$35,500,000
No. 8 to FTA
Complete FTA's enhanced Buy America review and take corrective actions as deemed necessary to address any instances of noncompliance with Buy America rolling stock requirements on the CRRC MA contract, including but not limited to deobligating unexpended funds. Implementing this recommendation could put up to $35.5 million in funds to better use.
Audit Reports: AV2024032 issued on

FAA’s Acquisition and Fiscal Law Division’s Work Environment Impacts Its Ability To Provide Legal Advice in Support of a Safe National Airspace System

No. 1 to FAA
Require a leadership assessment be performed for each member of the AGC-500 management team, followed by tailored professional development.
No. 2 to FAA
Require an independent workplace survey of AGC-500 be conducted and expand to all AGC as needed.
No. 3 to FAA
Implement an action plan to address needs identified in the independent workplace survey.
No. 4 to FAA
Provide training to all AGC-500 attorneys on the capabilities and use of the modified Case Document Management System.
No. 5 to FAA
Develop a management control that ensures that the attorneys use the Case Document Management System to input, track, and monitor their work, including all case-related communications.
No. 6 to FAA
Finalize and distribute revised AGC-500 business rules that emphasize employees' rights to contact OIG without reporting it to FAA management.
Audit Reports: AV2024031 issued on

FAA Has Begun To Deploy TFDM, but Cost Growth Has Resulted in Significant Program Changes and Delayed Benefits

No. 1 to FAA
Develop a cost-benefit analysis to assess whether FAA should reconsider the decision to remove the Data Comm requirement for a two-way interface between TFDM and TDLS.
No. 2 to FAA
Evaluate and resolve human factors issues within TFDM to improve how the system provides critical flight information to controllers.
No. 3 to FAA
Perform an assessment to determine if more scenario-based exercises are needed to improve future training and if so, implement revised TFDM training.
Audit Reports: FS2024030 issued on

DOT’s Working Capital Fund Oversight and Management Are Insufficient To Achieve Cost Recovery for IT Services

$194,000,000
No. 1 to OST
OCIO to update and publish billing rates to approximate cost recovery in accordance with 49 U.S. Code (U.S.C.) § 327. Implementing this recommendation could put up to $194 million in funds for better use.
$16,949
No. 2 to OST
OFM to develop procedures to prevent future overbillings such as the $16,949.05 overbilled and identified in this report as a questioned cost.
No. 3 to OST
OCIO to develop and implement a review process to validate the charges in its Financial Management System are accurate prior to providing OFM documentation used to bill customers.
No. 4 to OST
OCIO to follow the procedures for reporting WCF transactions to OFM, including the $14.7 million identified in this report in accordance with DOT Order 2300.3B.
Closed on $9,960,000
No. 5 to OST
OFM to obtain approved Intra-Agency Agreements (IAAs) before providing services and review the $9.96 million identified in this report as questioned costs.
No. 6 to OST
OCIO to develop a process for identifying severable services on IAAs to ensure that billing occurs in the correct fund year in accordance with the DOT Order and the Principles of Federal Appropriations Law.
No. 7 to OST
OFM to develop and implement policies and procedures for collecting advance payments before products or services are provided in accordance with law.
$29,500,000
No. 8 to OST
OCIO to follow OFM policies and procedures for collecting advance payments prior to providing products or services and review the $29.5 million in questioned costs identified in this report after implementing recommendation 7.
No. 9 to OST
OFM to develop and implement written procedures for determining if the WCF is recovering costs and identifying advances and excess funds that should be returned to Treasury.
Audit Reports: ZA2024026 issued on

FTA’s Oversight of Its Region 9 Recipients Is Insufficient To Confirm Compliance With CARES Act Funding Requirements

Pandemic Oversight
No. 1 to FTA
Implement written procedures to test recipients' CARES Act payments using methodologies to sufficiently validate that costs are supported and eligible. These procedures should include guidance for determining the extent of transaction level testing needed to sufficiently validate recipient's payment.
Pandemic Oversight
No. 2 to FTA
Implement written procedures to test recipients' financial system controls to prevent duplicate payments from Federal, State, and local sources.
Pandemic Oversight
No. 3 to FTA
Implement a written policy requiring that FTA officials develop and implement enhanced oversight processes to specifically mitigate identified risks associated with any funding appropriation, when applicable.
$446,900,000 Pandemic Oversight
No. 4 to FTA
For FTA funds identified at elevated risk for misuse, implement written procedures to strengthen the Agency's ability to assess expense eligibility prior to recipients receiving payments. Implementing this recommendation could put up to $446.9 million in Region 9 funds to better use by improving FTA's ability to identify unsupported costs and ineligible expenses before issuing CARES Act payments. This could also result in hundreds of millions in Agency funds put to better use among the other nine FTA regions.
Audit Reports: FS2024025 issued on

FTA’s Oversight of Federally Funded Real Property Is Insufficient To Ensure Grant Recipients Meet Federal Reporting and Disposal Requirements

No. 1 to FTA
Develop and implement processes to identify grant awards since FTA’s implementation of the Transit Award Management System that provide Federal funding for reportable real property and use this information to improve oversight of real property reporting.
No. 2 to FTA
Develop and implement a process to identify and provide oversight of real property to active recipients with new grants that do not receive a triennial or State management review.
No. 3 to FTA
Update FTA’s Contractors Manual to require contractors to request a current and complete real property inventory that complies with FTA Circular 5010.1E reporting requirements and require contractors to review and verify that the real property inventory complies with FTA reporting requirements.
No. 4 to FTA
Update FTA Circular 5010.1E to increase clarity for grant recipients regarding FTA’s requirements for real property reporting, including a requirement to report on all real property to which FTA retains an interest, regardless of when the grant for the real property was awarded.
No. 5 to FTA
Update FTA Circular 5010.1E to increase clarity for grant recipients regarding FTA’s requirements for real property reporting, including the requirement to track all FTA-funded improvements and renovations to real property.
No. 6 to FTA
Update FTA Circular 5010.1E to require that grant recipients submit a complete real property inventory in accordance with 2 Code of Federal Regulations § 200.330.
No. 7 to FTA
Develop and implement a process to require grant recipients to annually certify, when applicable, adherence to FTA’s requirements for the approval of disposed real property funded with Federal grant assistance.
$996,877
No. 8 to FTA
Establish and implement a process to verify that FTA’s financial interest in real property dispositions is managed in accordance with FTA Circular 5010.1E. Implementing this recommendation could put up to $996,877 in funds to better use.
Audit Reports: SA2024024 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending December 31, 2023

Closed on
No. 1 to OST
Coordinate with impacted Operating Administrations to develop a corrective action plan to resolve and close the findings highlighted in this report.
$29,997
No. 2 to OST
Determine the allowability of the questioned transactions and recover $29,997 if applicable.
$10,210,603
No. 3 to OST
Work with FHWA to determine the allowability of the questioned tribal transactions and recover $10,210,603, if applicable.
Audit Reports: AV2024023 issued on

FAA’s Report on Air Traffic Modernization Presents an Incomplete and Out-of-Date Assessment of NextGen

No. 1 to FAA
An update on the status and future milestones of NextGen programs and their capabilities, including Trajectory Based Operations.
No. 2 to FAA
Current total NextGen modernization expenditures from all FAA budget sources.
No. 3 to FAA
The most current projection of NextGen benefits for completed and planned implementations.
Audit Reports: ST2024021 issued on

Opportunities Exist To Improve FHWA’s Oversight of STIPs Including Those With IIJA-Funded Projects

No. 1 to FHWA
Provide FHWA Division Offices and State DOTs with all planned IIJA guidance areas and associated targeted completion dates.
No. 2 to FHWA
Identify a list of any outstanding technical assistance requests from Division Offices and State DOTs for IIJA guidance clarifications and fulfill them.
No. 3 to FHWA
Develop and implement a policy to require Headquarters’ concurrence when Division Offices are making procedural revisions to their standard operating procedures for reviewing and approving STIPs to ensure continued alignment with the Agency’s standards prescribed in its template.
Audit Reports: ST2024020 issued on

FRA Lacks Written Procedures and Formal Planning for Oversight of Railroad Hours of Service Compliance and the Passenger Railroad Fatigue Management Requirements

No. 1 to FRA
Finalize and implement the draft HOS complaints SOP to provide details on the HOS SME’s evaluation, investigation procedures, and tracking.
No. 2 to FRA
Develop, document, and implement a process to routinely analyze HOS complaint data to identify trends and communicate results to enforcement staff.
No. 3 to FRA
Develop, document, and implement a process for analyzing excess service reports, identifying trends, and communicating results to enforcement staff.
No. 4 to FRA
Improve how excess service reports are submitted by railroads or processed by FRA to facilitate data collection and analysis.
No. 5 to FRA
Formally document the HOS audit process, including factors to consider when selecting railroads for audit (such as complaints, excess reports, and/or other factors), in a compliance manual or SOP.
Closed on
No. 6 to FRA
Develop and implement centralized storage for key HOS audit documents, such as executive summaries, inspection reports, or other pertinent correspondence.
No. 7 to FRA
Evaluate inspector and SME staffing needs based on data to effectively perform HOS oversight, including audits, and document the results.
No. 8 to FRA
Update the OP Compliance Manual, the Signal Compliance Programs and Policies, and/or General Manual to clarify the definitions of HOS-related activity codes for OP and S&TC disciplines so that inspectors can accurately record activities that do not result in findings of noncompliance and include specific guidance to inspectors completing HOS-related inspection reports, including the correct use of source codes for specific HOS activities, and when multiple same-day HOS reports should be created.
No. 9 to FRA
Modify the Railroad Inspection System for Personal Computers (RISPC) to only accept correct HOS-related inspection report entries and add activity codes to record defects and violations of 49 C.F.R. § 228.407.
No. 10 to FRA
Develop and implement training for OP and S&TC Division specialists and inspectors on reporting HOS-related inspections correctly, including the mandatory use of activity code 228 in conjunction with either HSL or 228P, and the meaning of those activity codes.
No. 11 to FRA
Develop, document, and implement a review process that includes the HOS SME to check the accuracy of HOS-related inspection reports.
No. 12 to FRA
Document and implement HOS oversight planning processes, including guidance on data sources that should be used to inform planning.
Closed on
No. 13 to FRA
Review and clarify FRA’s Civil Penalties Schedule to include all sections of 49 U.S.C. Chapter 211 and 49 C.F.R. Part 228 Subparts D and F in the published violation base amounts for HOS civil penalties.
Closed on
No. 14 to FRA
Correct the RCS error that results in incorrect case-level violation counts.
No. 15 to FRA
Document the current RCS configuration that shows formulas for calculations performed by the system and data sources.
No. 16 to FRA
Formalize existing RCC enforcement process guidance in a standard operating procedure, memo, or manual and provide training for users of RCS, including data quality steps.
No. 17 to FRA
Develop, document, and implement guidance on producing Annual Enforcement Reports, including parameters for what information is included or updated, and validating the accuracy of reported data.
No. 18 to FRA
Finalize the process document for conducting a baseline review of all passenger railroads subject to 49 C.F.R. § 228.407 and complete the baseline review.
Closed on
No. 19 to FRA
Finalize and implement the draft SOP for oversight of 49 C.F.R. § 228.407.
Audit Reports: ZA2024019 issued on

FAA’s Information Technology and Telecommunications Contracting Practices Limit Best Value Outcomes

No. 1 to FAA
Implement a written process for verifying compliance with Agency requirements for maintaining electronic, centralized files that include all documented contractual actions and determinations.
Closed on $311,611,640
No. 2 to FAA
Implement a written process for verifying compliance with Agency requirements for developing independent Government cost estimates (IGCEs) for contract modifications. Implementing this recommendation could put up to $311.6 million in Federal funds to better use by improving FAA's ability to establish contract pricing that is fair, reasonable, and realistic.
No. 3 to FAA
Implement a written process for verifying that any extension of a contract’s performance period—including exercising an option period—is awarded prior to the contract expiring.
No. 4 to FAA
Update the Acquisition Management System (AMS) to specify what program offices are required to provide as part of an IT and telecom procurement request package. This documentation should include standard lead times for obtaining the Chief Financial Officer’s approval, submitting complete procurement packages, and references to guidance on how to develop sound IGCEs and complete requirements.
No. 5 to FAA
Update AMS to include limitations on how long contracts can be extended.
No. 6 to FAA
Implement written guidance to explain what authorities are appropriate to use to extend contracts beyond their initial performance periods, including any limitations associated with using each authority.
Closed on
No. 7 to FAA
Update AMS to include when it is allowable and what is required to add work outside of a contract's scope after the award is made.
Audit Reports: ZA2024018 issued on

FAA Did Not Fully Follow Its Processes When Awarding and Administering CARES Act-Funded Airport Development Grants and Contracts

Pandemic Oversight
No. 1 to FAA
Revise procedures for reviewing and approving grant application packages to add steps to verify that the applications are complete and accurate.
$27,000,000 Pandemic Oversight
No. 2 to FAA
Assess the CARES Act-funded airport development grants identified in this report that did not meet award requirements and recover the $27 million or identify the rationale for acceptance of these costs.
Closed on Pandemic Oversight
No. 3 to FAA
Revise CARES Act program guidance to identify which FAA office is responsible for collecting and reviewing airport sponsor annual financial reports.
Pandemic Oversight
No. 4 to FAA
Strengthen internal controls to verify that all reimbursement requests comply with FAA’s two-tier manual review process for CARES Act funds. This may include requiring Delphi controls are correctly established and maintained.
$18,700,000 Pandemic Oversight
No. 5 to FAA
Assess the 35 invoices—comprising $18.7 million in questioned costs—that did not receive sufficient review under the CARES Act guidance and seek recovery of any portion that is determined to be improper and/or unallowable or provide justification for approving the payments.
$10,600,000 Pandemic Oversight
No. 6 to FAA
Require FAA field offices to collect, review, and maintain required price and cost analyses before making grant awards. Implementation of this recommendation could result in funds put to better use of $10.6 million.
$49,600,000 Pandemic Oversight
No. 7 to FAA
Revise the Agency’s policies for collecting, reviewing, and approving Buy American Preferences waivers to require the waiver requests to be timely, complete, and accurate, and define the “extraordinary circumstances” that would allow grant recipients to deviate from Buy American requirements. Implementation of this recommendation could result in funds put to better use of $49.6 million.
Pandemic Oversight
No. 8 to FAA
After revising Buy American policies, develop and implement Buy American Preferences waiver training for field offices.
Audit Reports: QC2024016 issued on

Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

No. 1 to OST
KPMG recommends that DOT OCIO management revise the website containing the policy documentation to ensure all documents are consistent and contain the same listing of required controls for moderate-impact systems.
No. 2 to OST
KPMG recommends that DOT OCIO management should document any Departmentwide tailoring decisions within the appropriate security documentation, as required by NIST.
No. 3 to OST
KPMG recommends that DOT OCIO management should define and document control tailoring requirements for the Department and Operating Administrations.
No. 4 to FAA
KPMG recommends that ESC management enforce its existing policy and provide additional training to personnel involved in the manual journal voucher process, specifically the appropriate timing and documentation related to segregation of duties in addition to reviewing each journal voucher to ensure its completeness and consistency with the supporting documentation.
No. 5 to FAA
KPMG recommends that ESC management review and update the journal voucher control log reconciliation process to ensure it is properly designed to identify all potential deviations from policy throughout the fiscal year.
No. 6 to FAA
KPMG recommends that ESC management create monitoring procedures over the journal voucher control log to ensure complete and accurate documentation over manual journal vouchers is maintained.
No. 7 to MARAD
KPMG recommends that MARAD management, in conjunction with their accounting service provider, ESC, develop a PP&E roll forward control that contains all activity within the relevant PP&E accounts by disclosure category, including additions, annual cost adjustments, year to date depreciation, capitalizations from construction in progress to other categories, and retirements.
Audit Reports: QC2024015 issued on

Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

No. 1 to FAA
KPMG recommends that FAA management require privileged users on the Windows virtual machine environment to authenticate using MFA. If it is not technically feasible, then we recommend that Windows security settings are updated to require a minimum password length for privileged accounts to 16 characters and maximum password age to be updated to 60 days.
No. 2 to FAA
KPMG recommends that FAA management design and implement documented control activities to monitor the effective operation of its existing process controls related to: Provisioning of new access requests for the service organization's system; and Monitoring FAA employees' access to the service organization's system.
No. 3 to FAA
KPMG recommends that FAA management take measures to ensure that FAA has sufficient control operator personnel available to support the annual recertification of FAA employees with system access within the reporting timeline prescribed by DOT.
No. 4 to FAA
KPMG recommends that FAA design and implement a procedure to identify and timely record contracting actions within the general ledger that were executed outside of the standard business process (i.e., CO authorizations documented outside of the procurement system).
No. 5 to FAA
KPMG recommends that FAA update its procurement policy to define the period of time permitted to document a contractor’s oral agreement.
No. 6 to FAA
KPMG recommends that FAA reinforce existing controls, to review individual lease payment schedules upon lease commencement or modification to ensure that the schedules are consistent with the underlying terms of the lease.
No. 7 to FAA
KPMG recommends that FAA design and implement procedures within its existing PP&E Accrual to obtain a complete listing of trailing costs related to completed assets and accrue for such assets that have remaining CIP balances as of the period-end.
No. 8 to FAA
KPMG recommends that management design and implement procedures to verify the completeness and accuracy of the non-LOI accrual average billing cycle data input used in the estimate calculation.
Audit Reports: QC2024014 issued on

Quality Control Review of the Management Letter for the Great Lakes St. Lawrence Seaway Development Corporation’s Audited Financial Statements for Fiscal Year 2023

No. 1 to GLS
Allmond recommends that GLS develop written policies and procedures for the annual monitoring of all user accounts. For user accounts relating to service organization systems, GLS should proactively generate or request a listing of user accounts, if one is not already provided by the service organization, and perform a review of the current system users and their permissions. The reviews should be documented and evidence of the review for each system should be retained according to the Agency’s document retention policy.
No. 2 to GLS
Allmond recommends that GLS should amend its policies and procedures to require the review and retention of external source documentation, such as original receipts, purchase confirmations, and other purchase verification for all purchase card transactions, so that: this information can be compared to the purchase order, purchase card log, and other internally-created documentation during the approval process, and the information is readily available for external review.
Audit Reports: QC2024013 issued on

Quality Control Review of the Management Letter for the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2023 and 2022

No. 1 to STB
STB should research the impacted employee’s payroll records to confirm the error and determine why the error occurred. Appropriate action should be taken to identify any other affected employees and to correct the root cause of the error.
No. 2 to STB
STB should enforce standard operating procedures to require a second Human Resources Specialist or the Human Resources Director to review all employee transfer and onboarding documents to ensure that the documentation is complete and agrees with the information that was entered into the payroll and personnel system before the information is submitted to the payroll service provider.
No. 3 to STB
STB should perform and document its assessment of the recoverability of excess taxes that were paid in error by the agency in matching Old-Age, Survivors and Disability Insurance and Medicare contributions and the conclusion that was reached.
Audit Reports: AV2024012 issued on

OST Complied With Federal Regulations, Policies, and Procedures Regarding Executive Travel on DOT Aircraft, but FAA Needs To Enhance Controls for Updating Flight Hour Rates

Closed on
No. 1 to FAA
Complete the ongoing effort to update the DOT aircraft flight hour use rates and the associated FAA policy and guidance, including documenting the methodology and process to perform annual rate recalculations for each aircraft type in accordance with OMB Circular No. A-126, as well as a threshold to apply rate updates.
Closed on
No. 2 to FAA
Establish a control in the Agency’s flight scheduling process to make sure FAA personnel use the correct aircraft flight hour rates when generating travel quotes.
Audit Reports: AV2024010 issued on

FAA Has Made Progress Verifying Compliance With Aviation Fuel Tax Requirements, but Challenges Remain With Testing and Enforcement

No. 1 to FAA
Issue compliance letters to jurisdictions that FAA has determined to be in compliance with the Amendment to Policy and Procedures Concerning the Use of Airport Revenue (Amendment) but that have not received official notification of compliance.
No. 2 to FAA
Develop and implement a testing plan to assess whether jurisdictions are following FAA’s requirements for compliance with the Amendment to the Revenue Use Policy.
No. 3 to FAA
Establish a plan of action to bring California, Kentucky, Nevada, Tennessee, and Guam into compliance with the Amendment to the Revenue Use Policy.
Audit Reports: AV2024011 issued on

FAA Addresses Resiliency in IIJA Aviation Programs but Lacks Data and a Framework for Prioritizing Climate Change Projects

No. 1 to FAA
Develop and implement a methodology to measure IIJA discretionary projects' contributions to meeting DOT's and FAA's strategic goals to reduce greenhouse gas emissions from transportation.
No. 2 to FAA
Update FAA advisory circulars on long-term aviation infrastructure as necessary to address resiliency and climate change effects in airport infrastructure projects.
Audit Reports: SA2024009 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending September 30, 2023

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.
$6,464,590
No. 2 to OST
Determine the allowability of the questioned transactions and recover $6,464,590 if applicable.
Audit Reports: FS2024008 issued on

DOT’s Policies and Do Not Pay Portal Use Are Not Sufficient To Comply With the DNP Initiative

No. 1 to OST
Assess the appropriateness of the databases in the Do Not Pay (DNP) portal and document a reasonable justification for any databases that OST determines are not appropriate.
No. 2 to OST
For those DNP portal databases that OST deems appropriate, develop and implement policies and procedures to ensure recipient eligibility is verified in the DNP portal prior to making payment.
Audit Reports: QC2024007 issued on

Quality Control Review on the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

No. 1 to FTA
KPMG recommends that FTA management evaluate the COVID-19 grant programs and develop an estimation methodology responsive to the nature of the program and expected drawdown patterns.
No. 2 to FHWA
KPMG recommends that FHWA management consider the increased IIJA funding and subsequent increase in expenses and develop an estimation methodology responsive to fluctuations in future expenses.
No. 3 to FHWA
KPMG recommends that FHWA management review and update accounting policies and operating procedures to capitalize costs for the construction and procurement of non-heritage fixed assets on behalf of FLMA partners.
No. 4 to FHWA
KPMG recommends that FHWA management establish and maintain communications channels with FLMA partners and establish protocols for communicating asset-level detail for projects required by each agency’s property accountants.
No. 5 to FHWA
KPMG recommends that FHWA management perform an assessment of costs expensed for completed fixed asset construction projects to determine materiality and record correcting accounting entries as needed.
No. 6 to OST
KPMG recommends that DOT management perform procedures to consistently approve and document new or modified user account and recertification requests and timely remove separated users as required by internal policy and standards for effective internal control systems.
No. 7 to OST
KPMG recommends that DOT management update policies and procedures to assign backup responsibilities for control operators.
No. 8 to OST
KPMG recommends that DOT management provide training to system administrators on documented procedures.
No. 9 to OST
KPMG recommends that DOT management conduct monitoring to assess whether control operators are performing control activities in accordance with policy.
Audit Reports: QC2024004 issued on

Quality Control Review of the Independent Auditor’s Report on the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2023 and 2022

No. 1 to STB
STB management should review the current version of OMB Circular A-136 to independently verify that all required footnotes are included and bring any omissions to the service provider’s attention so that errors or omissions can be corrected.
No. 2 to STB
STB management should review the service provider’s Financial Statement and Notes Review Checklist to verify that the checklist is up to date and includes all required elements per OMB and Treasury guidance and then complete the checklist independently. Alternatively, STB management should develop and complete its own review checklist based on current Treasury and OMB reporting requirements.
No. 3 to STB
STB management should request its financial management service provider to: Reevaluate the inclusion of account balances that were excluded in the Other Liabilities footnote, or Disaggregate (i.e., separately report) intragovernmental other liabilities balances reported as a single line item on the balance sheet that are not included in the footnote so that the total amounts reported for Other Liabilities on the Balance Sheet and in the footnote agree.
No. 4 to STB
STB management should ensure that its review process includes procedures to disaggregate material balances reported in the financial statements and footnotes, agree balances to source documents, agree the footnotes to the principal financial statements, and verify the mathematical accuracy of all statements and schedules included in the financial statement package.
No. 5 to STB
Management’s review and certification of the financial statements and footnotes should be clearly documented and indicate what was reviewed, when the review was performed, and who performed the review for each reporting period.
No. 6 to STB
STB should perform a review of 100% of employee benefit elections and Official Personnel Folders (OPFs) to ensure they are complete and accurate.
No. 7 to STB
STB should develop policies and procedures that include the performance of periodic reviews of employees’ Official Personnel Folders to ensure that they are complete and accurate.
No. 8 to STB
STB should address missing or unavailable supporting documentation with its shared service provider to ensure that document retrieval tools are available and are working properly to allow retrieval of all stored documents.
No. 9 to STB
STB should obtain replacement documentation for employee forms and other documentation that have been determined to be incomplete or irretrievable from databases and other electronic sources following management’s initial and periodic routine reviews.
No. 10 to STB
We recommend that STB implement and enforce its existing policies and procedures requiring the periodic review of all open obligations to ensure that closeout of completed contracts, including the de-obligation of funds and return of the balances for any advanced payments, is performed regularly and timely.
Audit Reports: QC2024006 issued on

Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022

No. 1 to FAA
KPMG recommends that FAA management design and perform procedures to consistently approve and document new or modified user account and recertification requests and timely remove separated users as required by internal policy and standards for effective internal control systems.
Audit Reports: QC2024005 issued on

Quality Control Review on the Independent Auditor’s Report on the Great Lakes St. Lawrence Seaway Development Corporation’s Audited Financial Statements for Fiscal Years 2023 and 2022

No. 1 to GLS
GLS should amend its procedures relating to the annual count and valuation of OM&S to include verification of unit and total costs. This should include locating or reconstructing source documentation for the total quantity on hand for each item and matching the costs entered in the system to the source documents.
No. 2 to GLS
GLS should determine how average costs are calculated within the inventory tracking system. If the average cost in the system for specific inventory items does not represent the average cost of inventory on hand, the average cost in the system should be periodically adjusted when the annual inventory is performed or at year-end.
Audit Reports: IT2024001 issued on

DOT Needs To Improve Its High-Value Assets Governance Program To Effectively Identify, Prioritize, and Secure Its Most Critical Systems

Closed on Sensitive
No. 1 to OST
Sensitive content redacted.
Sensitive
No. 2 to OST
Sensitive information redacted
Sensitive
No. 3 to OST
Sensitive information redacted
Closed on Sensitive
No. 4 to OST
Sensitive information redacted
Closed on Sensitive
No. 5 to OST
Sensitive information redacted
Sensitive
No. 6 to OST
Sensitive information redacted
Sensitive
No. 7 to OST
Sensitive information redacted
Audit Reports: QC2023047 issued on

Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security Program and Practices

No. 1 to OST
Develop and implement DOT’s zero trust architecture plan for network traffic that cannot be routed through traditional Trusted-Internet Connections (TIC) access points as required by OMB M-19-26, Update to the TIC Initiative.
No. 2 to OST
In coordination with Federal Aviation Administration (FAA), complete the pilot and testing of TIC 3.0 use cases and revise FAA policies to reflect requirements in OMB M-19-26, Update to TIC Initiative.
Audit Reports: AV2023045 issued on

DOT Has Effectively Managed the Aviation Manufacturing Jobs Protection Program and Should Capture Lessons Learned From Its Oversight Efforts

Closed on Pandemic Oversight
No. 1 to OST
Conduct an Aviation Manufacturing Jobs Protection program after-action review to identify lessons learned and incorporate improvements into future grant programs.
Audit Reports: IT2023043 issued on

DOT’s Cloud-Based Systems’ Security Weaknesses Hinder Its Transition to a Zero Trust Architecture

No. 1 to OST
Develop and implement policies and procedures governing DOT components and Operating Administrations’ adoption and use of cloud services for their cloud-based system and at a minimum require system owners to: a. Submit an Authorization to Operate letter to the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office before adopting and using cloud services to ensure (1) cloud services comply with FedRAMP security baselines, and (2) FedRAMP has an accurate inventory of DOT cloud services and cloud service providers. b. Conduct a quality and risk review of the Department’s cloud service providers’ cloud service offering authorization package to ensure that it clearly and accurately reflects the cloud service offering’s security posture so DOT’s Authorizing Official can make an informed risk-based authorization decision, as required by FedRAMP. c. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the respective cloud service providers’ continuous monitoring activities to ensure their cloud systems’ security posture remains sufficient for their own use and supports ongoing authorization as required by FedRAMP.
No. 2 to OST
Incorporate the required standard cloud security clauses in the Department’s enterprise cloud service contracts as well as other cloud services contracts for FAA, MARAD, and OST to ensure the cloud services are secure.
No. 3 to OST
Working with the appropriate DOT procurement officials for FAA, FMCSA, FHWA, MARAD, FRA, NHTSA, PHMSA, and OST, set up service level agreements as required, with each of their cloud service providers to define and set agency expectations and cloud service provider-specific responsibilities.
No. 4 to OST
Direct and require confirmation of completion from FMCSA's cloud-based system owners for the National Registry of Certified Medical Examiners—Software-as-a-Service to include in its Executive Summary Authorization to Operate Letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
No. 5 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Federal Human Resources Navigator—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Use personal identity verification cards as the primary authentication mechanism to ensure secure system login. c. Develop a Privacy Impact Analysis to help identify and manage personally identifiable information and privacy risks. d. Identify a security official to review system audit log files. e. Develop and implement a process to remove extracted data containing sensitive information within 90 days of extraction in accordance with DOT requirements.
No. 6 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Electronic Document Management System—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Require multifactor authentication for non-DOT system users. c. Develop and implement a process to automatically disable inactive system accounts after 60 days of inactivity.
No. 7 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Data Analysis Visualization Environment—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Develop and implement a process to conduct monthly vulnerability scans as required by DOT.
No. 8 to OST
Direct and require confirmation of completion from MARAD's cloud-based system owner for US Merchant Marine Academy/Campus Labs—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Complete an annual security authorization process and obtain a full authorization to operate for its Software-as-a-Service cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Update its privacy threshold assessment and, if applicable, Privacy Impact Analysis to protect privacy, personally identifiable information, and other sensitive information stored in the cloud.
No. 9 to OST
Direct FAA's cloud-based system owner for the Emergency Notification System—Software-as-a-Service to provide evidence of the organizational administrator's quarterly reviews of Emergency Notification System application and documentation verifying they disable inactive accounts.
No. 10 to OST
Direct and require confirmation of completion from FRA's cloud-based system owner for its Cloud Application Services—Software-as-a-Service—to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Update the Privacy Impact Analysis for the Railroad Compliance System to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.
No. 11 to OST
Direct and require confirmation of completion from NHTSA's cloud-based system owner for the Web System—Platform-as-a-Service and Infrastructure-as-a-Service—to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop and implement a process to review audit logs and analyze vulnerability scan reports on its Platform-as-a-Service on a weekly basis to check for various risks, including software flaws per NHTSA's audit and accountability plan.
Closed on
No. 12 to OST
Direct and require confirmation of completion from NHTSA's cloud-based system owner for the Advanced Retrieval Tire, Equipment, Motor Vehicle, Information System—Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Update the Privacy Impact Analysis to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.
No. 13 to OST
Direct and require confirmation of completion from PHMSA's cloud-based system owner for the Pipeline Risk Management Information System—Infrastructure-as-a-service—and PHMSA Data Mart—Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for Pipeline Risk Management Information System. b. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for PHMSA Data Mart.
No. 14 to OST
Direct and require confirmation of completion from FMCSA's cloud-based system owner for the Cloud Environment—Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use as required by FedRAMP. b. Complete its annual security authorization process and obtain a full Authorization to Operate for its cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Develop and implement a process to enforce multifactor authentication for privileged and non-privileged network accounts. d. Update the Privacy Threshold Assessment and Privacy Impact Analysis to protect the privacy of its system users' personally identifiable information and other sensitive information.
No. 15 to OST
Direct and require confirmation of completion from FRA's cloud-based system owner for the Multiple Case Incident Analysis—Infrastructure-as-a-service to include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
No. 16 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Infrastructure and Operations Common Operating Environment (COE)—Software-as-a-Service, Infrastructure-as-a-service, and Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop security baseline configuration settings and a checklist and assess whether the COE cloud-based system is properly configured and the network secure. c. Develop and implement a process to conduct reviews of the system audit logs to enhance its ability to identify suspicious, inappropriate, unusual, or malevolent activity. d. Develop and implement a process that requires timely updates to security patches that address software flaws which mitigate the risks associated with mission-related operating system patches and data exfiltration. e. Develop a Privacy Impact Analysis to identify and protect personally identifiable information and other sensitive information hosted in the COE cloud.
No. 17 to OST
Direct and require confirmation of completion from FAA's cloud-based system owner for the FAA Cloud Services—Infrastructure-as-a-service and Platform-as-a-Service to: a. Incorporate flaw remediation into ongoing configuration management processes. b. Develop and implement a process to regularly manage malicious code protection to detect and eradicate malicious code at the entry point for its Infrastructure-as-a-service and Platform-as-a-Service. c. Develop and implement a change control process and use baseline configuration settings and document configuration settings to establish a basis for future builds, releases, and/or changes. d. Develop and implement a process to perform an automated review of network accounts or implement an alternative method for identifying users on the network in real-time. e. Develop and implement a process to require the most current cryptographic mechanisms to protect data during network transmission to provide complete boundary protection and reduce the risk of compromise. f. Develop and implement a process to encrypt data transmitted within the Infrastructure-as-a-service environment to reduce the risk of compromise and data exposure. g. Develop and implement a process to review vulnerability scan results and remediate vulnerabilities within specified timeframes as required by FAA's security handbook.
No. 18 to OST
Direct departmental security officials working with appropriate procurement officials to verify that service level agreements contain a requirement to report security incidents to DOT’s Security Operations Center and require confirmation of completion.
No. 19 to OST
Develop and implement a process that enables FAA’s Security Operations Center to receive the necessary log data for ensuring proper cybersecurity incident monitoring for all departmental cloud-based systems.
No. 20 to OST
Report DOT plans for fully adopting multifactor authentication and encryption for data at rest and in transit in accordance with Executive Order 14028.
No. 21 to OST
Update the Department’s zero trust architecture strategy and implementation plan to address the identified gaps and include migration steps and timelines consistent with direction from the Office of Management and Budget and National Institute of Standards and Technology guidelines.
Audit Reports: SA2023041 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending June 30, 2023

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.
$2,892,004
No. 2 to OST
Determine the allowability of the questioned transactions and recover $2,892,004, if applicable.
Audit Reports: ST2023040 issued on

FMCSA Generally Met Requirements for Cross-Border Carriers’ Long-Haul Operations, but Compliance Reviews Were Not Timely

Closed on
No. 1 to FMCSA
Revise FMCSA's policy to define and allow for justifications for delaying compliance reviews beyond 18 months, and if delayed, determine how long a carrier should be permitted to continue to operate under provisional authority without a compliance review and require documentation of a decision to delay a carrier’s review.
Closed on
No. 2 to FMCSA
Determine whether a revision to the Federal Motor Carrier Safety Regulations is necessary to implement the compliance review policy revisions.
Closed on
No. 3 to FMCSA
Develop and implement a recovery plan to complete compliance reviews for those carriers operating for more than 18 months under provisional authority and to establish a compliance review scheduling system for future provisional carriers.
Audit Reports: AV2023038 issued on

FAA Conducts Comprehensive Evaluations of Pilots With Mental Health Challenges, but Opportunities Exist to Further Mitigate Safety Risks

No. 1 to FAA
Collaborate with airlines, airline pilot unions, and the aerospace medical community to conduct an assessment to identify ways to address barriers that discourage pilots from disclosing and seeking treatment for mental health conditions, based on the latest data and evidence.
No. 2 to FAA
Develop and implement policy and protocol revisions recommended in the assessment.
Audit Reports: AV2023037 issued on

Regulatory Gaps and Lack of Consensus Hindered FAA’s Progress in Certifying Advanced Air Mobility Aircraft, and Challenges Remain

No. 1 to FAA
Accelerate—to the extent possible—the current rulemaking project (SFAR) regarding powered-lift pilot eligibility requirements and operating rules for powered-lift aircraft, and develop and implement a plan with milestones for completion of the rulemaking which includes a process for regularly updating stakeholders on these milestones.
Closed on
No. 2 to FAA
Accelerate—to the extent possible—the current rulemaking project (NPRM) that will integrate powered-lift into certain regulatory definitions, and develop and implement a plan with milestones for completion of the rulemaking which includes a process for regularly updating stakeholders on these milestones.
No. 3 to FAA
Identify the causes of the difficulties in communication and decision-making related to resolving disagreements on AAM, and develop and implement a process for better managing challenges during the deliberation process for consensus in future projects, as well as a decision-making process for when consensus cannot be reached.
Closed on
No. 4 to FAA
Establish and implement policies and procedures explaining CECI's roles and responsibilities in the certification process.
Audit Reports: AV2023035 issued on

FAA Faces Controller Staffing Challenges as Air Traffic Operations Return to Pre-Pandemic Levels at Critical Facilities

Closed on
No. 1 to FAA
Complete a comprehensive review of the model for distribution of certified professional controllers (CPCs) for air traffic control facilities and update interim CPC staffing levels as necessary.
No. 2 to FAA
Implement a new labor distribution system that includes features such as timekeeping, overtime and Controller-in-Charge tracking, and real-time leave balances.
Audit Reports: AV2023036 issued on

FAA Has Deployed a Prototype System for Monitoring Commercial Space Operations but Faces Integration Challenges

Closed on
No. 1 to FAA
Update the commercial space operational shortfalls identified in the 2020 Concept of Operations, and report out on any changes to the shortfalls and plans for addressing them.
Closed on
No. 2 to FAA
Update and publish the status of Aviation Rulemaking Committee recommendations that have not been implemented, including establishing target action dates for recommendations that are aligned with implementation of the National Airspace System Space Integration Capabilities program.
No. 3 to FAA
Determine the workload impact of commercial space operations at air traffic facilities, and take action as needed.
No. 4 to FAA
Identify the specific direct tasks associated with commercial space operations, determine if they should be included in the en-route controller workload model, and if so, incorporate them in the next updated model.
Audit Reports: ST2023034 issued on

DOT Should Enhance Its Fraud Risk Assessment Processes for IIJA-Funded Surface Transportation Programs

No. 1 to OST
Require OAs to regularly assess fraud risks for each program; tailor their assessments based on factors such as size, resources, maturity, and experience in managing risks; and include relevant stakeholder input.
No. 2 to OST
Provide guidance to OAs on how to identify and assess fraud risks in their programs, including guidance on specific tools, methods, and sources for gathering information about fraud risks. This guidance should also address the leading practices for identifying and assessing the likelihood and impact of inherent fraud risks, determining fraud risk tolerance, examining the suitability of existing controls, prioritizing residual fraud risks, and documenting the program’s fraud risk profile to inform managers’ decisions on their responses to assessed risks.
Audit Reports: ST2023031 issued on

NHTSA Has Not Fully Established and Applied Its Risk-Based Process for Safety Defect Analysis

Closed on
No. 1 to NHTSA
Assess timeliness goals by: a. Determining whether its current timeliness goals are realistic and attainable and, if necessary, revising those goals. b. Developing and implementing a plan for meeting timeliness goals.
Closed on
No. 2 to NHTSA
Develop and implement procedures for conducting audit query and timeliness query investigations.
No. 3 to NHTSA
Develop and implement a system of accountability to improve ODI’s compliance with processes, including: a. Notifying petitioners regarding the decision to grant or deny petitions within 120 days; b. Documenting timely supervisory review of documents and related analyses during the pre-investigative and investigative processes and conducting timely reviews of manufacturer-provided data; c. Developing and following a written plan for all phases of investigations; and d. Documenting substantive pre-investigative and investigative-related communication with manufacturers.
No. 4 to NHTSA
Develop and implement improved procedures for ensuring investigation documentation is uploaded to the public website, including: a. Establishing timelines for ensuring all required documents are posted; b. Identifying documents missing from the public website and mitigating the backlog; c. Assigning responsibilities between the Correspondence Research Division and investigators; and d. Establishing timelines for contractors to redact information.
No. 5 to NHTSA
Revise Information Request (IR) procedures to ensure consistent application by each of the divisions, and develop a system of accountability to ensure compliance with the revised procedures when: a. Issuing and approving a manufacturer-requested IR letter response extension; and b. Requesting information from manufacturers.
No. 6 to NHTSA
Develop and implement procedures for the planned integrated information system including a user guide for how to document decisions, actions taken, and communication with stakeholders, as well as where to store specific pre-investigative and investigative documentation.
Closed on
No. 7 to NHTSA
Complete expeditious integration of the information systems for pre-investigation and investigation processes, including data migration.
No. 8 to NHTSA
Develop and implement a consistent procedure to govern ODI’s practice of negotiating a resolution of potential safety defects with manufacturers.
Closed on
No. 9 to NHTSA
Develop and implement a requirement that all information used to support decisions made during the pre-investigative and investigative processes is documented and retained, including the supporting information for safety defect analyses and related briefings.
Closed on
No. 10 to NHTSA
Develop and implement guidance for determining which issues investigators should present at Hot Issues meetings based on ODI's risk-based analysis process.
Closed on
No. 11 to NHTSA
Reconcile the risk matrix and issue escalation procedures and establish specific guidance on when an investigation should be opened.
Closed on
No. 12 to NHTSA
Develop a definition of high-interest topics and the actions needed to address these issues.
Audit Reports: ST2023032 issued on

PHMSA Established an Effective Integrated Inspection Program but Needs To Strengthen Guidelines To Mitigate Risks

Closed on
No. 1 to PHMSA
Update the Integrated Inspection User’s Manual to reflect current processes and systems used and clarify requirements for system profiles.
Closed on
No. 2 to PHMSA
Develop and implement a plan for ensuring supervisors verify lead inspectors have completed all documentation requirements identified in the Integrated Inspection User’s Manual.
Closed on
No. 3 to PHMSA
Update RRIM Documentation with an explanation for how pipeline age and manufacturer, volume transported, pressure, seismicity, climate, geology, and demography should or should not be considered as part of the Risk Ranking Index Model.
Audit Reports: ZA2023030 issued on

Fragmented Processes Weaken DOT’s Accountability for Contractor Employee PIV Cards

Closed on
No. 1 to OST
Verify that each OA has a documented process in place to confirm that required PIV card-related security clauses are included in all applicable DOT contracts prior to award.
No. 2 to OST
Establish, document, and implement a process for the Department to track contractor employees’ PIV cards and record the dates the cards are collected and deactivated.
No. 3 to OST
Designate in writing points of accountability for overseeing the entirety of contractor employee PIV card collection and deactivation processes.
No. 4 to OST
Update or supplement the DOT PIV Card Program Order to define “promptly” in all uses throughout the Order.
No. 5 to OST
Develop and implement required annual training for all staff involved in contractor employee PIV card processes and a procedure to verify the training has occurred. The training attendees should include all staff listed in the DOT PIV Card Program Order who could potentially be involved and anyone else an individual OA assigns to this task.
No. 6 to OST
Update or supplement the DOT PIV Card Program Order to address the deactivation process in all instances where PIV cards are no longer needed. This should include establishing the accountable officials as well as concrete metrics when deactivation should occur from when the card is no longer needed.
Audit Reports: SA2023026 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending March 31, 2023

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.
$14,886,138
No. 2 to OST
Determine the allowability of the questioned transactions and recover $14,886,138, if applicable.
Audit Reports: AV2023027 issued on

Opportunities Exist for FAA To Strengthen Its Workforce Planning and Training Processes for Maintenance Technicians

No. 1 to FAA
Establish and implement a maintenance technician workforce plan that considers factors such as average training time, training requirements, and staffing turnover for a period longer than 1 year.
Closed on
No. 2 to FAA
Update and implement a formal process that better defines roles and responsibilities and establishes improved communication and collaboration among the stakeholders responsible for maintenance technician training, including Technical Operations, Technical Training, and the FAA Academy.
Closed on
No. 3 to FAA
Develop and implement a process that includes defined roles and responsibilities for the groups within Technical Training responsible for the management of training solution procurements.
Closed on
No. 4 to FAA
Update and implement a formal process to periodically evaluate training course feedback from maintenance technicians, generate regular reports for FAA Technical Training management's review, and share the lessons learned to improve future course content and delivery.
Audit Reports: AV2023025 issued on

FAA Has Completed 737 MAX Return to Service Efforts, but Opportunities Exist To Improve the Agency’s Risk Assessments and Certification Processes

Closed on
No. 1 to FAA
Document the process by which key safety decisions, such as a potential grounding of an aircraft fleet, are made when the Agency identifies that urgent action is necessary.
No. 2 to FAA
Revise the Transport Airplane Risk Assessment Methodology (TARAM) handbook to incorporate current safety data, including available international data when appropriate.
No. 3 to FAA
Review the TARAM handbook’s quantitative safety guidelines to determine if they still meet the Agency’s needs, and implement identified corrections as appropriate.
No. 4 to FAA
Formalize training requirements for engineers responsible for completing TARAM analysis, as well as managers responsible for reviewing the analysis.
No. 5 to FAA
Review the TARAM and Transport Airplane Safety Manual (TASM), address any identified key differences between the two documents, and integrate TASM into TARAM when appropriate.
No. 6 to FAA
Incorporate integrated System Safety Assessments into regulations or Agency guidance for future transport category airplane certification projects.
No. 7 to FAA
Identify lessons learned related to the application of the 737 MAX recertification and the Continued Operational Safety process that have not yet been addressed and include them into airplane certification and safety evaluation processes.
Audit Reports: AV2023024 issued on

FAA’s Office of Investigations and Professional Responsibility Needs To Enhance Internal Controls for Conducting Administrative Investigations

Closed on
No. 1 to FAA
Require AXI to develop a process to collect and share best practices for investigators in compliance with AXI guidance.
No. 2 to FAA
Revise Security and Hazardous Materials Safety Order 1600.20 guidance to avoid overlap or contradiction with similar procedures contained in FAA Order 1600.38.
Closed on
No. 3 to FAA
Revise AXI's guidance to clarify that investigators should pursue administrative investigations when OIG declines cases for criminal referral.
Closed on
No. 4 to FAA
Develop and publish roles and responsibilities for the AXI deputy director position.
No. 5 to FAA
Develop and implement procedures for investigators to electronically record interviews in accordance with FAA’s Human Resources Policy Manual requirements.
Closed on
No. 6 to FAA
Develop and implement a management control to credit and account for Agency and non-Agency investigator training courses in AXI's electronic training system.
Closed on
No. 7 to FAA
Develop and implement an internal control to ensure that only the management official with requisite signature authority signs for investigative reports.
Closed on
No. 8 to FAA
Develop and implement procedures consistent with DOT Order 8000.8A to ensure investigators consistently send criminal cases to the Internal Investigations Division Manager and coordinate with OIG’s Office of Investigations on the referral process.
Closed on
No. 9 to FAA
Develop and implement a management control to require the Internal Investigations Division Manager to track cases that have been rejected by the Internal Investigations Division (AXI-100).
No. 10 to FAA
Develop procedures to ensure the Investigations Standards and Policy Division (AXI-200) maintains auditable documentation, in accordance with established Agency retention periods, to support findings identified in its annual reports of AXI-100 investigation procedures.
No. 11 to FAA
Develop and implement a management control to ensure AXI-200 complies with its Program Reviewer Guide requirements to (a) prepare annual reports, (b) conduct the required number of annual reviews of AXI investigative operations, (c) use consistent investigative and reporting criteria, and (d) identify investigation case numbers when reporting its evaluation of AXI-100’s investigative operations.
Audit Reports: SA2023023 issued on

Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending December 31, 2022

Closed on
No. 1 to OST
Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.
$5,538,037
No. 2 to OST
Determine the allowability of the questioned transactions and recover $5,538,037, if applicable.
Audit Reports: ZA2023022 issued on

DOT Faces Challenges in Meeting Federal CPARS Reporting Guidance

Closed on
No. 1 to OST
Develop and implement procedures to monitor Operating Administrations’ (OA) compliance with the 30-day registration requirement in accordance with the Transportation Acquisition Manual (TAM).
Closed on
No. 2 to OST
Update the TAM to require that contractor performance assessments be completed within 120 calendar days in accordance with the Contractor Performance Assessment Reporting System (CPARS) guide.
Closed on
No. 3 to OST
Develop and implement procedures to ensure those OAs without internal CPARS guidance have them established in compliance with TAM 1242.1503(a)(1).
Closed on
No. 4 to OST
Update the TAM to require each OA to develop and implement guidance to address turnover in CPARS staff as well as ensure departing personnel complete interim assessments.
Closed on
No. 5 to OST
Update the TAM to require CPARS role- and function-based training for all users not currently cited, including Alternate Focal Points and Assessing Official Representatives.
Closed on
No. 6 to OST
Update the TAM to require each OA to develop and implement guidance to assist OA CPARS officials in managing assessment disagreements with contractors.
Closed on
No. 7 to OST
Adopt a process to conduct periodic assessments to identify shortfalls and projected needs in CPARS training.
Closed on
No. 8 to FAA
Develop and implement procedures to monitor compliance with the 30-day registration requirement.
Closed on
No. 9 to FAA
Update the Acquisition Management System to require CPARS training for all personnel who have CPARS responsibilities.
Closed on
No. 10 to FAA
Conduct an assessment of CPARS user training and develop and implement plans to meet identified needs, including training geared to assisting CPARS officials in developing skills for managing disagreements with contractors.
Audit Reports: FS2023020 issued on

FAA Can Strengthen Its Oversight of the AIP Acquired Noise Compatibility Land Program

$2,077,796
No. 1 to FAA
Develop and implement procedures to verify that airport sponsors have provided evidence satisfactory to FAA that the airport sponsor has or will obtain good title to land, prior to requesting reimbursement for costs associated with noise compatibility land acquisition. Implementing this recommendation could put up to $2,077,796 in funds to better use by requiring that only costs associated with completed noise land acquisitions are reimbursed.
No. 2 to FAA
Develop and implement a process to require airport sponsors to certify that noise exposure maps are a reasonable representation of current and/or future conditions at the airport at the time of grant award.
No. 3 to FAA
Update the Noise Land Management and Requirements for Disposal of Noise Land or Development Land Funded with AIP policy to establish a reasonable schedule for FAA Airport District Offices and Regional Offices to review Noise Land Inventory and Reuse Plans for accuracy and consistency with FAA policy.
No. 4 to FAA
Update and implement procedures to require airport sponsors to maintain Noise Land Inventory and Reuse Plans in electronic format available for FAA review, upon request.
$38,530,768
No. 5 to FAA
Require all airport sponsors that have acquired noise land to identify noise land eligible for disposal via sale and verify that noise land sales revenues are used in accordance with Federal law. Based on our review of five airports, implementing this recommendation could put up to $38,530,768 in funds to better use by generating revenue that could be reinvested in the program.
No. 6 to FAA
Update guidance to clarify for airport sponsors when noise land should be considered no longer needed for eligible current or planned airport purposes and disposed of in accordance with FAA policy.
No. 7 to FAA
Update guidance for Noise Land Inventory and Reuse Plans to require that the Noise Land Inventory include original acquisition dates, estimated or final completion dates for proposed or completed methods of disposal, and the date of FAA approval.
$66,160
No. 8 to FAA
Update guidance for Noise Land Inventory and Reuse Plans to require that the Noise Land Inventory include the Federal share of the sale price at the time of sale and how sales proceeds were used. Implementing this recommendation could put up to $66,160 in funds to better use by properly accounting for noise land disposal proceeds in accordance with Federal law.
No. 9 to FAA
Require the Rhode Island T.F. Green International Airport, Phoenix Sky Harbor International Airport, and Harry Reid International Airport to develop and submit for FAA’s approval current Noise Land Inventory and Reuse Plans after implementation of recommendations 4, 7, and 8.
