Update financial assistance policies and procedures toaddress what administrative requirements apply to agreements with for-profitand foreign entities.

Finalize and issue policies for signing and administering CRADAs .

Update policies and procedures to determine when it is appropriate to require approval of recipient subcontracts or subawards and communicate this requirement to recipients; review the $12,400 in unapproved subcontractor costs identified in this report; and recover any costs deemed unreasonable. Implementing this recommendation could result in $1.6 million in funds being put to better use.

Update the checklist for agreement files that describes whatpre- and post-award documentation is required under current DOT and FHWApolicies.

Update financial assistance policies and procedures toaddress what administrative requirements apply to agreements with for-profitand foreign entities.

Update financial assistance policies and procedures to specify what level of review is required to approve a justification for making a financial assistance award without using full and open competitive procedures.

Update financial assistance policies and procedures tospecifically address agreements using a work-order structure, includingprocedures to reduce the risk of using these agreements to circumvent thegeneral requirement to award financial assistance using full and opencompetitive procedures.

Update the checklist for agreement files that describes what pre- and post-award documentation is required under current DOT and NHTSA policies.

Provide guidance to OAs to reinforce a common definition ofR&D for use when determining whether a financial assistance award needs tobe identified as R&D.

Develop and implement a risk-based methodology for reviewinga number of grantee reimbursement requests in detail on a regular basis.

Recover $1,900 in unallowable costs and take appropriateaction to determine whether $8,000 in computer equipment costs was reasonable,and if not, seek recovery of these funds as well.

Update the checklist for agreement files that describes what pre- and post-award documentation is required under current DOT and OST-R policies.

Revise DOT financial assistance policies to require that OAsdefine what administrative requirements apply to agreements with for-profit andforeign recipients.

Revise DOT financial assistance policies to specify what officials are authorized to approve justifications for awarding financial assistance without full and open competition.

Developand issue guidance to OAs for clearly identifying awards as R&D .

Develop and implement an integrated Schedule, Budget, and Organizational Chart that incorporates all the partner agencies for the SENSR program.

Develop and implement a plan to identify and mitigate risks associated with the integration of SENSR into NextGen programs as well as into systems throughout the NAS.

Develop, document, and implement a supplemental guide to DOT's Office Space Design Standard Policy (Policy) to provide the Department and its Operating Administrations (OA) guidance for applying the Agency's utilization standard to existing office space—including those spaces that DOT continues to occupy under new agreements—and clarify those terms related to the application of the standard, as identified in this report—i.e., new acquisitions

Develop, document, and implement an internal control process to apply when an OA is planning to acquire or continue to occupy an office space that exceeds the Agency's utilization standard. At a minimum, the process should require the OA to justify with documented evidence that it has implemented a different standard based on mission requirements or that applying the Department's standard will not be cost-effective or a best value option. Implementing this recommendation could potentially put $2.1 million in funds to better use by preventing DOT from paying for unneeded space that exceeds the Agency's utilization standard.

Develop, document, and implement a supplemental guide to DOT's Policy to provide OAs guidance on how to determine peak occupancy and accurately calculate the utilization rates for all DOT office spaces in compliance with the methodology prescribed in the Policy.

Develop and implement a process for tracking DOT office spaces and their utilization rates. At a minimum, this process should include the ability to track staff counts and a requirement for the OAs to regularly maintain and report up-to-date data.

Develop, document, and implement departmentwide guidance on how all OAs are to conduct regular reviews of their office spaces to identify and execute cost-efficiency opportunities.

Supplement FTA's existing guidance by developing and implementing additional procedures to promote lessons learned.

Provide transit agencies with a centralized source for lessons learned and encourage them to regularly refer to it when updating their processes to protect rolling stock.

Ensures that the Foundation complies with the reporting requirements.

Ensures that the Native Village complies with the reporting requirements.

Ensures that the Authority complies with the equipment and real property management requirements.

Ensure that the City complies with the procurement and suspension and debarment requirements.

Provide training to warehouse staff to reinforce the proper procedures for processing and recording inventory transactions.

Continue to work with the service provider to correct system deficiencies that are causing processing errors for returned items.

Ensures that the Authority complies with the special tests and provisions requirements.

Ensures that the Authority complies with the subrecipient monitoring requirements.

Ensures that the Authority complies with the activities allowed or unallowed requirements.

Recovers $74,746 from the Authority, if applicable.

Ensures that the State complies with period of performance requirements.

Recovers $3,644,218 from the State, if applicable.

Ensures that the State complies with the special tests and provisions requirements.

Recovers $2,877,461 from the State, if applicable.

Ensures that the City complies with the subrecipient monitoring requirements.

Ensures that the Department complies with the subrecipient monitoring requirements.

KPMG recommends that FAA perform a review of the accounts payable accrual, including the procurement samples selected and their fiscal year allocation, at a level of precision to identify errors in order to prevent a potential misstatement.

KPMG recommends that FAA develop and implement policies and procedures to ensure that all assets that meet the criteria for the EC&D liability are included in the facility quantities report and that any converted assets are properly removed and re-included in the report under the new facility contraction.

KPMG recommends that FAA develop and implement policies and procedures to ensure that all assets are recorded with the appropriate useful life based on the asset dictionary.

KPMG recommends that FAA develop and implement policies and procedures to ensure accurate accounting for internal use software assets in accordance with SFFAS 10.

Ensures that the County complies with the reporting requirements.

Ensures that the City complies with the allowable costs/cost principles requirements.

Recovers $1,656 from the City, if applicable.

Ensures that the District complies with the activities allowed or unallowed requirements.

Recovers $221,551 from the District, if applicable.

Ensure that the Metro Regional Transit Authority complies with the special tests and provisions requirements.

Ensures that the Authority complies with the cash management requirements.

Ensures that the City complies with procurement and suspension and debarment requirements.

Recovers $81,888 from the City, if applicable.

Ensure that the City complies with the activities allowed or unallowed requirements.

Recover $41,733 from the City, if applicable.

Ensure that the City complies with the allowable costs/cost principles requirements.

Recover $107,181 from the City, if applicable.

Ensure that the City complies with the matching, level of effort, earmarking requirements.

Recover $8,067 from the City, if applicable.

Ensure that the City comply with the Allowable Costs/Cost Principles requirement.

Recover $83,547 from the City, if applicable.

Ensure that the City comply with the Allowable Costs/Cost Principles requirements.

Recover $30,335 from the City, if applicable.

Ensure that the City comply with cash management requirements.

Recover $13,465 from the City, if applicable.

Ensures that the Authority complies with the equipment and real property management requirements.

Ensures that the Authority complies with the reporting requirements.

Ensures that the Authority complies with the reporting requirements.

Ensures that the County complies with the Reporting requirements.

Ensures that the County complies with the Reporting requirements.

Ensures that the Authority complies with the internal control requirements.

KPMG recommends that ESC develop, implement, and document a timeline for journal vouchers to be approved and posted.

KPMG recommends that ESC establish a review control, with the appropriate level of precision, to ensure journal vouchers are posted in a timely manner and in accordance with the above policy.

KPMG recommends that FHWA management develop and implement a process to require documentation of the UPACS audit log review to be maintained to include documentation of the date reviewed, person who reviewed the log, and any follow-up actions required.

KPMG recommends that FHWA management update the UPACS standard operating procedures or other appropriate documentation to reflect the new audit log review process.

KPMG recommends that FHWA management develop a process to ensure the review of FMIS5 application access is completed by all divisions.

KPMG recommends that FHWA management update the FMIS5 standard operating procedures or other appropriate documentation to reflect the new review process.

KPMG recommends that FHWA management strengthen policies and procedures that require terminated user accounts to be removed from UPACS in a timely manner.

KPMG recommends that FHWA management update the UPACS standard operating procedures documents to reflect the new requirements.

Develop policy and procedures to verify and validate theaccuracy and completeness of the Department's key FISMA information repositoryand tool, currently the Cyber Security Assessment and Management tool (CSAM).

Direct OCIO to follow policy and conduct annual cybersecurity performance analysis reviews of OAs' cybersecurity programs, and submit reports to OAs with recommendations to address cybersecurity weaknesses.

Develop a process and policy where applicable to ensure the Department develops and maintain a comprehensive and accurate inventory of cloud systems, contractor systems, and websites that the public can access.

Direct OST to prioritize and resolve COE security weaknesses identified by assessor, and develop POA&Ms that realistically reflect resources and timeframes for completions of these actions.

Direct OST to establish MOUs that delineate the responsibilities for COE common controls with each of the following OAs: FHWA, FMCSA, FRA, FTA, OIG, MARAD, SLSDC, and NHTSA.

Direct OAs (FAA, FHWA, FMCSA, FRA, FTA, OST, PHMSA, MARAD, and NHTSA) with weaknesses in data protection and privacy to update the status and develop POA&Ms to address the weaknesses.

Update specialized training guidance in DOT Cybersecurity Action Memos policy and DOT Cybersecurity Compendium policy to clearly define requirements.

Enhance security awareness training policy to define processes to tailor this training to DOT's unique environment and use feedback to enhance its program.

Develop and define a taxonomy that describes the content of the hardware and software inventory and the process to assemble, verify and maintain adequate support for the inventory data as well as the related information reported to OMB and other external parties.

Develop a process to define its performance measures--that consider DOT's business environment--to assess the effectiveness of DOT's information security program, including its ISCM program.

Using NIST guidance, test and authorize CDM applications (such as BigFix) that have been placed into operation on DOT's networks without proper security control assessments.

Provide enterprise wide specialized training on contingencyplanning and testing on a periodic basis to appropriate security officials andstakeholders. Training should reinforcecrucial role contingency planning and testing plays in an effective informationsecurity program.

Develop a plan with target dates to address the Working Group's four deferred recommendations to enhance aircraft systems cybersecurity.

Develop a plan with target dates to finalize the application of CyRM to the mission support and research and development areas, and determine when full application of CyRM will occur.

Establish priorities for FAA-led research and development activities and incorporate these priorities into the budget process.

Develop and implement an action plan that establishes target action dates and assigns responsibility for following up on the key recommendations from the 2015 National Review of State Cost Estimation Practice.

Update FHWA's Guidelines on Preparing Engineer's Estimate, Bid Reviews, and Evaluation (2004 Guidance) to include: a. Estimating guidance for more recent project delivery methods, such as design-build and construction manager/general contractor and, b. Guidelines to account for contingencies and inflation when developing Engineer's Estimates.

Assess the validity and applicability of the threshold in FHWA's 2004 Guidance that is used to measure the accuracy of Engineer's Estimates.

Develop and implement an oversight process for Engineer's Estimates that assesses whether States are following FHWA's guidance and thresholds.

Require FHWA Headquarters and Division Offices to follow established procedures for reviewing and approving initial financial plans to ensure they include an assessment of the appropriateness of a P3 for project delivery.

Revise and issue guidance to communicate to FHWA staff and stakeholders the processes FHWA will use to take Federal stewardship considerations into account in approving P3 projects. This guidance should address FHWA's role, if any, in the assessment of traffic and revenue assumptions.

Develop and issue Agencywide guidance identifying risks specific to P3 projects that Division Offices should consider in their risk assessments of State and local transportation agencies' Federal-aid construction programs.

Consult with the Build America Bureau to define FHWA's and the Bureau's roles and responsibilities during the Operations and Maintenance phase for P3 projects.

Develop and issue guidance to internal and external stakeholders communicating the processes FHWA will use to oversee P3 projects, including during the Operations and Maintenance phase for P3 projects that remain funded by Federal loans.

Ensures that the Tribe complies with the procurement and suspension and debarment requirements.

We recommend that FHWA recovers $1,531,442 from the Tribe, if applicable.

Establish specific timeframes for issuing audit reports and verify that public agencies' independent audits are performed annually.

Update FAA's policy and procedures to require Airport District Offices (ADO) to obtain and review complete audit reports and ensure all required audit opinions are included.

Develop and implement procedures to ensure PFC expenditures at the Gary, IN, airport are independently audited, including the $18.3 million identified in our report.

Develop and implement policies and procedures for verifying that public agencies report accurate PFC collection and expenditure information to FAA.

Develop and implement policies and procedures that require ADO staff to consistently record certain items in the System of Airport Reporting database to enhance its oversight of the PFC program, such as the receipt of independent audit reports, PFC-related findings reported by independent auditors, follow-up actions and comments discussed with the public agency, status of audit findings, and whether the findings are repeated from prior years.

Develop a methodology to review completed PFC projects that determines whether they are achieving intended program goals, and identifies best practices and opportunities for improvement.

To improve the DOT's information security continuous monitoring program, DOT Chief Information Officer needs to update the department's federal information security modernization act standard operating procedures to include steps for verifying the accuracyand completeness of the Federal Aviation Administration's (FAA) CrossAgency Priority (CAP) goal metrics.

To improve the accuracy and completeness of the data FAA uses to report on its CAP goal metrics, the Federal Aviation Administrator needs to implement procedures that: define the requirements for selecting the operating systems to be monitored; criteria for determining which tools should be used to collect data for the CAP goal metrics; and verify the accuracy and completeness of the CAP goal metrics.

To improve the accuracy and completeness of the data FAA uses to report on its CAP goal metrics, the Federal Aviation Administrator needs to develop and implement controls for verifying, validating, and retainingdata used to report on CAP performance-based goal metrics.

Develop an implementation plan for deploying a scheduling system for controllers that includes schedule milestones, system requirements, risk assessment and mitigation, and funding requirements.

Assess and quantify the expected benefits of a customized controller scheduling tool.

LSC recommends STB discuss with ESC officials the need to substantially strengthen its system of review over financial information processed for the STB.

LSC recommends STB require ESC to determine the cause(s) for the instances of incorrect and/or improper accounting and financial reporting of STB data, and to take appropriate corrective actions to address these continuing problems.

LSC recommends STB ensure that the proper accounting procedures are in place and operating effectively for year-end financial statements when posting the costs incurred by contractors with advances.

LSC recommends STB develop a STB policy that: 1) implements the BFS guidance relating to interagency agreements; 2) identifies the responsibilities for the STB and its service provider; and 3) establishes a standard set of processes that support the recording, reporting, reconciliation, and measurement of intergovernmental activity and any identified differences.

LSC recommends STB ensure that actions are taken prior to the end of the fiscal year to address the differences identified in the FY 2018 report.

KPMG recommends that DOT management develop sufficient procedures and controls to address the identified GITC control deficiencies.

KPMG recommends that DOT management monitor progress to ensure that the GITC procedures and controls are implemented and operating effectively.

KPMG recommends that DOT Management perform a thorough and detailed review of the overall TIFIA cashflow model functionality and implementation to ensure that all assumptions areproperly applied in the execution of the cash flow projections.

KPMG recommends that DOT consider automating the calculations that are performed manually to reduce risk of misapplication of assumptions due to human error.

KPMG recommends that FAA management develop sufficient procedures and controls to address the identified GITC control deficiencies.

KPMG recommends that FAA management monitor progress to ensure that the GITC procedures and controls are implemented and operating effectively.

KPMG recommends that FAA management design and document policies, procedures, and controls related to the review of inventory shop orders that include standardized reports, an appropriate precision threshold for required analysis or follow-up, and evidence of review.

KPMG recommends that FAA management design and implement policies and procedures to conduct a held for repair unit cost calculation review, including approvals of adjustments due to unique circumstances.

KPMG recommends that FAA management revise its existing policy of expensing all projects initiated via RE&D funding, to include projects that have progressed beyond the preliminary design stage, and design and implement controls at the appropriate level of precision to determine whether projects should be expensed or capitalized, in accordance with the applicable accounting standards.

Allmond recommends that NTSB management redesign itsprovisioning process to require that when access is modified a new systemaccess request form is completed to reflect this change.

Allmond recommends NTSB require the completion andsubmission of an Oracle Federal Financial (OFF) User Access Form to the serviceprovider immediately upon separation of an OFF user from the agency and monitoragency separations on a weekly basis to align with user access terminationpolicies in place for other agency information systems.

Retrain responsible property custodians on the proper procedures for retiring and disposing of assets in a timely manner.

Strengthen policies and controls to assess construction in progress projects to expense costs that are no longer capitalizable.

Perform a review of the net book values for recorded PP&E assets to ensure no other anomalies for converted assets or conversion errors occurred and make adjustments to correct asset values if needed.

Conduct a workforce assessment of the staff assigned to review airspace waiver and authorization requests to determine if Air Traffic Organization (ATO) staffing is adequate, and take appropriate action based on the results.

Assess performance statistics for ATO's non-automated airspace waiver request process to determine if establishing volume and timeliness goals would enhance the process and if so, develop and implement these goals.

Use performance metrics for Low Altitude Authorization and Notification Capability (LAANC) to evaluate the system's effect on application processing volume and timeliness and take appropriate action based on the results.

Develop and implement internal controls to improve consistency in the use of standard template responses when corresponding with applicants regarding requests for information.

Update National Flight Standards Work Program Guidelines to require field offices perform inspections on a sample of commercial UAS operators in their area for a 2-year period, which will increase available inspection data for creating a risk profile of UAS.

Using available inspection and risk data, develop a baseline risk assessment profile of small commercial UAS operators, including those operators with waivers and airspace authorizations, to inform inspector surveillance planning decisions, as well as procedures to periodically update this risk assessment profile using future inspection data.

Issue guidance to field offices regarding where and how to obtain Agency information on waiver and/or authorization-holding UAS operators, to help inform their inspection planning.

Provide clarifying guidance to UAS operators on FAA's website or by other means regarding the small UAS rule provision relating to operations "over people."

Develop and implement contingency plan testing to validatethe effectiveness of techniques and procedures to react to and recover fromERAM outages, with air traffic controllers' and maintenance technicians'participation.

Evaluate, develop, and implement training, consistent with NIST guidelines, for maintenance technicians and air traffic control staff forresponding to ERAM in degraded system conditions and outages.

Upon completion of the safety review regarding removing ERAM's current backup system, determine what backup capability is required for ERAM and then develop and implement that capability.

Fully develop and implement a risk management strategy and the supporting procedures for maintaining an accurate system inventory.

Develop a configuration management plan with supporting policies and procedures and ensure that the existing Change Management Charter aligns with the plan.

Develop an ICAM strategy to guide its ICAM process and activities, and modify existing identity and access management policies and procedures to adequately address: a.) Processes to request, modify, and revoke privileged and non-privileged access; and b.) Processes to ensure separation of duties within the organization.

Fully implement the use of PIV cards for personnel to access STB's facilities.

Develop a privacy program, including related plans, policies and procedures, for the protection of personally identifiable information that is collected used, maintained, shared and disposed of by STB's information systems. Furthermore, identify roles and responsibilities for data exfiltration exercises.

Develop an Incident Response plan in accordance with NIST 800-61, rev. 2.

Modify incident response policies and procedures to incorporate the most recent incident attack vectors taxonomy in accordance with US-CERT.

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Develop and implement controls for periodically verifying that RO/ADO program managers are implementing FAA's policy for (a) assigning and monitoring grantee risk ratings, as required; (b) performing manual approvals, when required; and (c) performing quarterly reviews and, when applicable, modifying grantee risk ratings according to FAA guidance.

Formally request that OST Delphi system managers modify the wording of the warning message to AIP grantees to specifically state when documentation has not been attached to payment requests and that such documentation is required by FAA policy and the Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERA).

Formally request that OST Delphi system managers implement a function that denies AIP payments to grantees that do not provide the required supporting documentation at the time of the payment request.

Update FAA policy to include the availability of existing Delphi eInvoicing training and communicate the policy revision to all AIP grantees.

Develop and implement a plan to recover the $102,323 in questioned and unsupported costs identified in this report.

Communicate to AIP grantees FAA's policy requirement for maintaining all original documentation that supports grant payments and confirm that all grantees have acknowledged this requirement.

Update AIP payment policy to include a specific requirement that grantees submit payment requests on invoiced costs incurred up to the allowable Federal share, and communicate the revision to all AIP grantees.

Improve existing training for RO/ADO program managers to follow the AIP Handbook requirements for amending grant agreements when expanding project descriptions.

Ensures that the Territory complies with the equipment and real property requirements.

Ensures that the Territory complies with the special tests and provisions requirements.

Recovers $264,077 from the Territory, if applicable.

We recommend that FHWA ensures that the Navajo Nation complies with the equipment and real property requirements.

Ensures that AMTRAK complies with the equipment and real property management requirements.

Ensures that the Republic complies with the equipment and real property management requirements.

Ensures that the District complies with the procurement and suspension and debarment requirements.

Ensures that the University complies with the allowable costs/cost principles requirements.

Recovers $8,954 from the University, if applicable.

ensures that the University complies with the allowable costs/cost principles requirements.

Recovers $9,377 from the University, if applicable.

Ensures that the Authority complies with the matching requirements.

Recovers $2,787 from the Authority, if applicable.

Ensures that the Commonwealth complies with the equipment and real property management requirements.

Ensures that the State complies with the reporting requirements.

Ensures that the State complies with the matching, level of effort, earmarking requirements.

Ensures that the Authority complies with the subrecipient monitoring requirements.

Ensures that the Authority complies with the reporting requirements.

Ensures that the State complies with the matching, level of effort, earmarking requirements.

Ensures that the Confederated Tribes complies with the reporting requirements.

Ensures that the SC DOT complies with proper accounting requirements for accounts receivable and accounts payable.

Ensures that the City complies with the subrecipient monitoring requirements.

Recovers $2,780,059 from the City, if applicable.

Ensures that the State complies with the cash management requirements.

Ensures that the State complies with the subrecipient monitoring requirements.

Ensures that the State complies with the activities allowed or unallowed requirements.

Recovers $900,000 from the State, if applicable.

Recovers $143,000 from the State, if applicable.

Ensures that the State complies with the special tests and provisions requirements.

Ensures that the State complies with the reporting requirements.

Ensures that the City complies with reporting requirements.

Ensures that the City complies with subrecipient monitoring requirements.

Ensures that the City and County complies with the activities allowed or unallowed and allowable costs/cost principles requirements.

Recovers $24,080,771 from the City and County, if applicable.

Ensures that the City and County complies with the reporting requirements.

Ensures that the Tribe complies with the cash management requirements.

Recovers $3,077,574 from the Tribe, if applicable.

Ensures that the Tribe complies with the activities allowed/allowable costs and cost principles requirements.

Recovers $22,691 from the Tribe, if applicable.

Ensures that the Tribe complies with the equipment and real property requirements.

Ensures that the Tribe complies with the period of performance requirements.

Ensures that the Tribe complies with the special tests and provisions requirements.

Ensures that the Authority complies with the cash management requirements.

We recommend FTA recovers $30,641 from the Authority, if applicable.

Ensures that the State complies with the subrecipient monitoring requirements.

Recovers $106,181 from the State, if applicable.

Ensures that the Authority complies with the equipment and real property management requirements.

Ensures that the Authority complies with the equipment and real property management requirements.

Ensures that the State complies with the subrecipient monitoring requirements.

We recommend FTA recovers $99,226 from the State, if applicable.

Ensures that Guam complies with the equipment and real property management requirements.

Update DOT Orders 8000.8 and 8000.5A and make them available to DOT employees.

Require that Operating Administrations align any criminal referral procedures with updated DOT Orders.

Implement an annual mandatory training requirement on DOT employees' responsibility to report fraud, waste, and abuse to the OIG and requirements in DOT Orders 8000.8 and 8000.5A.

Ensures that the Council complies with the special tests and provisions requirements.

Ensures that the Authority complies with the equipment and real property management requirements.

Ensures that the State complies with the special tests and provisions requirements.

Ensures that the Agency complies with the procurement and suspension and debarment requirements.

Recovers $214,494 from the Agency, if applicable.

Ensures that the Authority complies with the reporting requirements.

Ensures that the Authority complies with subrecipient monitoring requirements.

Ensures that the Authority complies with special tests and provisions requirements.

Ensures that the Authority complies with the matching requirements.

Ensures that the State complies with the special tests and provisions requirements.

Recovers $214,516 from the State, if applicable.

Ensures that the Wyoming DOT complies with the reporting requirements.

Ensures that the Commonwealth complies with the subrecipient monitoring requirements.

Ensures that the State complies with the special tests and provisions requirements.

Develop and implement a risk-based process to monitor manufacturers' reporting of recall remedy, scope, and risk information. The process should include taking appropriate steps with manufacturers that are not in compliance, including enforcement actions when necessary, as well as verifying information submitted by manufacturers, and identifying and addressing potential inadequacies of recall remedies and scope.

Develop and implement a risk-based process—with specific timelines—that provides guidance for Office of Defects Investigation staff on identifying recalls with missing communications (e.g., dealer notifications, technical service bulletins), taking appropriate action to resolve the deficiency, and documenting the outcomes in an official recordkeeping system.

In accordance with the Government Accountability Office's Standards for Internal Control in the Federal Government and NHTSA's procedures, develop, implement, and document management controls, including a supervisory review process, for monitoring recall remedies, scope, and risk reporting and oversight of recall implementation.

Develop a training curriculum on staff responsibilities for updated recall monitoring and oversight processes, and provide this training to Office of Defects Investigation and Office of Vehicle Safety Compliance staff.

Update the recall reporting portal and issue written guidance to identify all recall scope, risk, and completion rate information that regulations require manufacturers to submit.

Document lessons learned from the Takata recalls, and develop and implement a plan for applying those lessons to help manufacturers improve completion rates of other recalls.

Conduct an independent review of FAA's oversight of American Airlines' flight operations to determine whether controls are in place and effective in preventing single points of failure; develop and implement corrective actions, if necessary.

Modify the existing tool used to evaluate the objectivity of inspectors to incorporate risk factors such as non-routine operations and the length of time inspectors oversee the same air carrier.

Develop and implement controls requiring oversight office staff to resolve complaints and follow key policy requirements such as directly contacting complainants and documenting investigations.

Establish and implement criteria for evaluating correspondence to ensure safety complaints are routed to FAA's Office of Audit and Evaluation.

Develop and implement inspector guidance on FAA's oversight requirements for flight test operations.

Provide the Allied Pilots Association with a revised response to its complaint based on results from the October 2017 independent assessment of the American Airlines flight test program.

Develop and implement a corrective action plan to address the recommendations made by the October 2017 independent assessment of the American Airlines flight test program.

Update and remediate the completion dates in the plans of action and milestones for SI-02.A and CM07.A.2 to ensure that the confidentiality, integrity, and availability of the system are not at risk.

Determine the impact of new hire training and certification time and fatigue mitigation requirements on technician staffing and incorporate into the maintenance technician staffing process.

Determine the impact of equipment age on workload and maintenance technician staffing needs and incorporate this factor into the staffing model, if found to be statistically significant.

Review and update the Facility, Service, and Equipment Profile policy to require user training and recurring data-validation reviews at the Support Center and national levels at defined intervals prior to running the staffing model.

Develop and implement a process to reduce and standardize codes in the Labor Distribution Reporting (LDR) system to improve accounting for direct maintenance workload.

Determine if the newly standardized LDR data are reliable for direct maintenance workloads in the Technical Operations Staffing Model, and if so, develop and implement an action plan with milestones to replace the workload assessments with LDR data.

Revise the current standard operating procedure, Tier 1/2/3 Staffing Allocations and Tier 1 Watch Coverage Requirements to: a. Define the job series and clarify whether system specialists and System Support Center coordinators are included in the Tier 1, 2, and 3 staffing targets;and b. Require annual review, validation, and updating of staffing allocation targets.

Update the target delivery dates for initiatives that are still in progress, including those without target delivery dates, and implement procedures for continually updating delivery dates and descriptions of initiatives as changes are made.

Develop and include in the monitoring plan quantifiable metrics or other indicators that can measure the effectiveness of the initiatives.

Consolidate duplicate initiatives within the monitoring plan.

Develop and issue comprehensive policy and procedures for the Pipeline Safety Research and Development Program that includes guidance for: a. notifying a wider spectrum of stakeholder representatives about future Research and Development forums, in order to increase their participation; b. addressing how the results of Research and Development forums are incorporated into the program plan; c. conducting all steps in the conflict-of-interest process; and d. following up with researchers on benefits and uses.

Complete upgrades to the conflict-of-interest portion of the Research and Development Management Information System.

Use Performance Improvement Council best practices to update future biennial Update Reports to Congress, to include additional context, such as analyses of current performance metrics and an evaluation of program success, trends, and anomalies.

Implement procedures to ensure the Federal Transit Administration distributes guidance to selected grantee recipients on the importance of accurate submission and proper review of timesheets to improve proper allocation of labor efforts and the identification and retention of required documentation to support a payment as proper in the Emergency Relief Program-Disaster Relief Appropriations Act program.

Work with the Office of Inspector General (OIG) to ensure it provides additional, clear, and precise travel guidance to employees and approving officials on the preparation and proper review of travel vouchers to improve the allocation of travel expenses in OIG-DRAA fund activity.

Work with OIG to ensure it updates its travel guidance to add instructions on how to split or allocate DRAA-related travel expenses to the appropriate accounting codes including codes for indirect costs and trains employees how to use this guidance.

Ensures that the Council complies with the cash management requirements.

Recovers $666,482 from the Council, if necessary.

Ensures the State complies with the period of performance requirements.

Determine the allowability of the $5,824 transaction, then review all construction projects to ensure that expenditures were properly paid within the period of performance, and recover any additional questioned costs, if applicable.

Ensures that the City complies with the reporting requirements.

Ensures that the City complies with the allowable cost/cost principles requirements.

Recovers $21,265 from the City, if applicable.

Ensures that the City complies with the allowable cost/cost principles requirements.

Recovers $37,543 from the City, if applicable.

Ensures that the DART complies with the allowable costs/cost principles requirements.

We recommend FTA recovers $122,558 from the DART, if applicale.

Ensures that the DART complies with the cash management requirements.

Ensures that the Authority complies with the allowable costs/cost principles requirements.

We recommend FAA recovers $38,339 from the Authority, if applicable.

Ensures that the County complies with the equipment and real property management requirements.

Ensures that the Authority complies with the reporting requirements.

Ensures that the NM DOT complies with the activities allowed or unallowed requirements.

Ensures that the NM DOT complies with the subrecipient monitoring requirements.

Ensures that the County complies with the equipment and real property requirements.

Ensures that the Authority complies with the procurement and suspension and debarment requirements.

Ensures that the Authority complies with the subrecipient monitoring requirements.

Ensures that the State complies with the special tests and provisions reqirements.

Ensures that the City complies with the Subrecipient monitoring requirements.

Provide written guidance specifically to grandfathered sponsors on what constitutes a grandfathered payment and how to accurately report grandfathered payments.

Develop and implement an internal control process to verify the accuracy of reports on grandfathered payments.

In accordance with Federal law, consider the State of Hawaii exceeding its statutory limit on the use of revenues for non-airport purposes as a factor in reducing AIP discretionary funds awarded to the State. Implementation of this recommendation could put $509,727 in funds to better use.

Revise and document a standardized data entry and validation process for the Service Areas to follow to help ensure consistent and accurate REMS data entry.

Develop, document, and implement a new lease approval process that will allow for more timely decisions and for improved coordination with Service Area staff on the status of the decisions made during this process. Implementing this recommendation could potentially put $14.6 million in funds to better use due to missed rent reduction opportunities, which timely and coordinated lease efficiency opportunity decisions could have potentially prevented.

Improve and document methods used to share and communicate Headquarters lease policies, guidance, and initiatives to all real estate staff members in the Service Areas.

Revise and document lease policy and templates to clarify that the indefinite holdover clause should only be used in office and warehouse leases where mission-critical safety equipment or functions are housed, and document a process to verify this policy is followed.

Revise, document, and implement a procedure to require and verify that for any office or warehouse lease whose firm-term portion is greater than one year, an analysis showing use of a firm-term lease is advantageous to the Agency is documented in the lease file.

Revise and document the real estate strategic planning process so that it: (1) provides for annual updates and (2) increase Service Area involvement and awareness.

Develop and implement a method for increasing the likelihood that LOBs provide the necessary funding to implement agreed upon lease efficiency opportunities.

Develop, document, and implement controls to (1) reconcile and validate the accuracy of lease payments that are made during the term of the lease and (2) verify that any lease payment made has an active and valid lease associated with it. Implementing this recommendation could potentially put $111,138 in funds to better use for uncollected interest on erroneous lease payments.

Take appropriate action to address the $9,964 in improper payments identified in this report.

Provide additional guidance and/or training to FAA staff to reinforce existing policy regarding: (1) the proper coding of payments captured under each of the various lease-related object class codes in the Agency's accounting system, Delphi; and (2) the requirement for approving officials to ensure the accuracy of accounting codes.

Develop, document, and implement a process to ensure that for any new or succeeding office space lease that does not meet the utilization standard, a justification is developed and documented in the lease file as to why the application of the Agency's space utilization standard is not cost effective.

Revise, document, and implement an internal control process to regularly track and assess the utilization rate for all office space leases in the Agency's current portfolio using data that is updated for accuracy on a regular basis. Implementing this recommendation could potentially put $22.9 million in funds to better use by preventing FAA from paying rent on unneeded space in excess of its utilization standard.

Update policy or develop procedures to place a greater emphasis on prevention in the SAPR training program and incorporate the Centers for Disease Control's elements of a comprehensive prevention program, such as providing bystander intervention training at all levels (students, faculty, staff, and leadership).

Complete a Sexual Assault Review Board review of all Academy policies and procedures, including the Midshipmen Regulations, to identify any gaps or inconsistencies with SAPR messaging and revise the policies and procedures accordingly.

Communicate the revised policies and procedures to all Academy stakeholders.

Establish and formalize in policy or procedures methodologies to evaluate the effectiveness of the SAPR program and its practices, including metrics to evaluate training outcomes.

Revise sexual assault policies and procedures and sexual harassment policies to clearly provide for documenting, tracking, and maintaining reports, such as by cross-referencing to the records maintenance standard operating procedure.

Develop and implement procedures for prioritizing responses to recommendations based on risk and aligning resources accordingly.

Develop and implement controls to ensure staff at all levels and faculty are held accountable for taking actions to support the SAPR program, including completing assigned action items.

Align the investigative reporting practice with the standard operating procedure for investigating an unrestricted report of sexual assault.

Develop and implement a procedure for reporting, investigating, and responding to sexual harassment complaints.

Develop and implement a procedure for validating the Academy's data on reported sexual assault and sexual harassment incidents.

Ensure that the Authority complies with the equipment and real property management requirements.

Ensure that the Authority complies with the special tests and provisions requirements.

We recommend FTA recovers $76,572 from the Authority, if applicable.

Ensure that the Commission complies with the reporting requirements.

Ensure that the City complies with the reporting requirements.

Ensure that the Authority complies with the procurement and suspension and debarment requirements.

Ensure that the Authority complies with the reporting requirements.

Ensure that the Authority complies with the special tests and provisions requirements.

Ensure that the Authority complies with the procurement and suspension and debarment requirements.

Define the projects that are considered pre-implementation (developmental) in the Agency budget guidance and Acquisition Management System policy and validate that developmental projects align with the definition and are funded under the appropriate budget activity.

Develop and implement a quality control checklist with criteria for determining when the use of incremental funding prior to PLA approval is permissible.

Develop and implement a control for enforcing the PMA limits on the assessment of program management fees for various administrative and contract support specified in the Agency's standard operating procedures.

Update PMA standard operating procedures to include a control that ensures project requirements are met before transferring expiring funds into the PMA account.

Amend the PLA close-out process to include the statement of outcomes and statement that work was concluded or if follow-on work is required.

Establish and implement a mechanism for providing oversight of developmental funding, to include records of decision regarding selecting, justifying, and measuring the outcomes of PLAs to ensure FAA is funding the highest priority work.

Provide detailed guidance for consistent BCA reviews, including whether reviewers should perform research to correct or complete missing information in project applications.

Establish and implement requirements regarding how BCA reviewers should document and maintain support for their reviews.

Define the C&C team's role in the BCA review process to include the necessary steps to carry out a systematic review.

Revise policy and guidance to include the standardized BCA review template and the requirement that a single responsible official finalize BCA reviews.

Revise AMS to include policy or guidance on justifying the use of program management task orders and a process for implementing assessment fees for multiple-award contracts.

Update SE2020's standard operating procedure for competition of SE2020 task orders, including strengthening procedures for follow-on awards.

Strengthen and document procedures to collect and analyze SE2020 task-order timeliness data to sustain improvements in task order award time.

Revise AMS to include policy or guidance for multiple-awards contracts to address acquisition planning, such as estimating contract hours and costs and overall contract estimates.

Strengthen, document, and implement controls for SE2020 invoice review to comply with the Prompt Payment Act. Implementation of this recommendation could put up to $44,000 in funds to better use.

Revise AMS to include policy or guidance for multiple-award contracts to describe the appropriate structure for fee payments in cost plus fixed-fee contracts.

Obtain direct and indirect cost audits for all SE2020 prime contractors for all base contract years, or document the risk assessments performed to justify when cost audits are not performed.

Revise AMS to include policy or guidance for obtaining direct and indirect cost audits for multiple-award cost-reimbursable contracts or to perform risk assessments to justify not obtaining them.

Enhance procedures and controls to require SE2020 staff with responsibility for oversight of task orders to track and document vendor performance through its Performance-Based Contract Monitoring (PBCM) system.

Revise AMS to require FAA's acquisition program office that manages multiple-award contract vehicles to develop and maintain comprehensive program management and governance plans.

Revise AMS to strengthen multiple-award contract oversight and management framework to ensure such multiple-award contracts follow sound business practices and AMS policies and procedures.

Allmond recommends NTSB enhance current policies and procedures over the review of year-end accruals by including a look-back analysis which compares disbursements made early in the subsequent fiscal year to the accrual estimated through the current process in order to identify items which should be included in its year-end accrual. In addition, if significant differences are identified, determine the appropriate corrective action necessary to increase the accuracy of its accrual estimation process.

Almond recommends that NTSB redesign the provisioning process to include that the system access request accurately describes the access required for each user and that when access is modified a new system access request form is completed to reflect this change.

KPMG recommends that management document their consideration of any factors that could impact the estimate in the current FY when preparing the annual grant accrual estimate.

KPMG recommends that management further document their analysis over the lookback review. Management should consider all factors that could result in a variance between the accrual and lookback calculation, make a determination as to the potential impact in the current year accrual calculation and ensuring the documented factors are accurately described and necessary revisions to the methodology are made.

KPMG recommends that management implement controls at the appropriate level of precision to ensure expense transactions are accurate, valid and properly posted to the general ledger.

KPMG recommends that management develop and implement its policies and procedures to ensure invoices are reviewed at the appropriate level of precision to ensure that amounts are properly expensed or capitalized. KPMG also recommends that management require appropriate level of detail from their contractors in order to effectively distinguish capital transactions from expense transactions.

KPMG recommends that the FAA perform a review of the AP accrual, including the procurement samples used for the percentage allocation, at a level of detail or precision to identify errors in order to prevent a misstatement.

KPMG recommends that LCSS implement policies and procedures to ensure LCSS user access is approved prior to the access being granted. In addition, KPMG recommends that LCSS management maintain documentation of the approvals, and ensure that user account request tickets are maintained properly.

KPMG recommends that the LCSS implement the procedures outlined by the LCSS System Security Plan to ensure that terminated and inactive users are removed appropriately and timely.

KPMG recommends that LCSS implement a process to review user access on a periodic basis.

KPMG recommends that the LCSS implement policies and procedures to ensure that periodic access reviews have a defined timeline, frequency, and provide adequate detail for the reviewer to determine if access is appropriate based on the user's roles and responsibilities.

KPMG recommends that FTA enhance its grant accrual retrospective review procedures to include a review, and adjustment, if necessary, of grantee expenditures used in the retrospective review to ensure such data is relevant and reliable.

KPMG recommends FHWA strengthen policies and procedures to ensure that terminated users' access is removed timely from UPACS and the application it supports, in accordance with the DOT Cybersecurity Compendium guidelines.

Finalize a timeline for identifying the remaining STARS requirements, including the additional requirements for the post-implementation enhancements

Implement a process in the FAA Requirements Management Plan to track and document when and how new requirements are validated and prioritized.

Redesign the power supply configuration of STARS rack assemblies to eliminate series connected power strips in the next STARS technical refresh of the 11 TRACONs.

Resolve the electrical configuration issue of the STARS rack assemblies at each of the 11 TRACONs by either: (a) obtaining approval for the configuration from a nationally recognized testing laboratory or (b) assessing and documenting risks posed by the STARS rack assemblies installed at each of the 11 facilities and FAA's acceptance of that risk on air traffic operations.

Collaborate with industry stakeholders to develop and implement a plan to collect and analyze reliable, accurate, and representative data on the frequency and severity of driver detention times.

Determine whether utility obligations are reportable for DATA Act purposes.

Improve controls to ensure that SLSDC excludes its zero dollar invoice related transactions from submissions.

Improve controls to ensure that FAA excludes micro- purchases from submissions.

Require MARAD, NHTSA, OST, and SLSDC to develop and disseminate policies and procedures for their risk management programs that include the appropriate elements such as criteria for making risk based decisions.

Implement controls to verify that information on threat activity has been communicated to senior agency officials and require retention of supporting documentation.

For the COE and FAA, update procedures and practices for monitoring and authorizing common security controls to (a) require supporting documentation for controls continual assessments, (b) complete reauthorization assessments for the controls, (c) finalize guidance for customers' use of controls, and (d) establish communication protocols between authorizing officials and common control providers regarding control status and risks.

Verify that FAA's criteria regarding designation and definition of contractor systems conforms to DOT guidance, and that systems are correctly classified.

Implement controls to continuously monitor and work with components to ensure network administrators are informed and action is taken to disable system accounts when users no longer require access or have been inactive beyond established thresholds.

Complete PIV enablement and requirements for remaining information systems, except those that are subject to exclusions that are documented and approved.

Take action to fully implement mandatory use of PIV cards for VDI access.

Implement processes verifying that personnel performing certain security related roles receive specialized training needed to meet OCIO guidance.

KPMG recommends that FAA Privacy Program conduct a review of its privacy program to identify changes needed to ensure that system's privacy plans are completed in accordance with the DOT Privacy Risk Management Policy.

KPMG recommends that FAA System Owner of System #2 ensure the system Privacy Plan includes all requirements established by the DOT Chief Privacy Officer in the privacy threshold assessment (PTA) and the adjudication statement is implemented.

KPMG recommends that FAA System Owner of System #5 ensure that the encryption protections for data at rest and during transit are implemented in accordance with the DOT Privacy Risk Management Policy.

KPMG recommends that FAA System Owner of System #5 confirm that the session time-out functionality has been implemented.

KPMG recommends that FAA System Owner of System #8 ensure that the encryption protections for data at rest are implemented in accordance with the DOT Privacy Risk Management Policy.

KPMG recommends that FAA System Owner of System #9 provide system specific and/or specialized/role based privacy job aides as needed to personnel who maintain and/or have access to PII data.

KPMG recommends that FAA System Owner of System #9 Ensure the Privacy Plan including all requirements established by the DOT Chief Privacy Officer in the PTA adjudication statement is implemented.

KPMG recommends that FAA System Owner of System #9 implement memoranda of understanding or similar agreements for internal sharing of PII.

KPMG recommends that FAA System Owner of System #9 ensure that encryption protections for data at rest is implemented in accordance with the DOT Privacy Risk Management Policy.

KPMG recommends that FAA System Owner of System #9 ensure that the Plan of Action and Milestones (POA&M) for encryption protections for data at rest is actively monitored and updated as changes occur prior to the estimated closure date of December 19, 2017.

KPMG recommends that Office of the Secretary of Transportation Departmental Chief Privacy Officer establish a continuous monitoring (CM) program for privacy supportive security controls to ensure PII systems remain compliant with DOT Privacy Risk Management policy.

KPMG recommends that Office of the Secretary of Transportation System Owner of System #15 ensure that the encryption protections for data at rest and during transit have been implemented in accordance with the DOT Privacy Risk Management Policy.

Establish a work breakdown structure, consistent with the DOT Earned Value Managment Implementation Guide standard, for investment projects when required by the DOT EVM Policy.

Establish a work breakdown structure, consistent with the DOT Earned Value Managment Implementation Guide standard, for investment projects when required by the DOT EVM Policy.

Ensure that artifacts illustrating implementation and execution of EVM are in accordance with the DOT EVM policy.

Retain evidence of the required EVM artifacts.

Revise the Emergency Relief Manual to include a definition of resilience improvement and identify procedures States should use to incorporate resilience into ERP-funded projects.

Develop and implement a process to identify best practices for improving the resilience of emergency relief projects and share them with Division Offices and State DOTs.

Develop and implement a process to track the consideration of resilience improvements for emergency relief projects and their associated costs.

KPMG recommends OST direct the OCIO to work with OAs' CIOs to conduct the required annual assessment of the DOT's and OA's EA programs against the GAO's EA Management Maturity Model.

KPMG recommends OST supplement the existing DOT EA Policy with operational guidance to clarify EA artifacts required by the DOT EA policy.

KPMG recommends NHTSA formally approve and distribute their OA level EA policy, otherwise the OA will rely on the DOT EA policy.

KPMG recommends FHWA formally approve and distribute their OA level EA policy, otherwise the OA will rely on the DOT EA policy.

KPMG recommends FRA retain evidence of the training provided to individuals with EA IT responsibility.

KPMG recommends FTA retain evidence of the training provided to individuals with EA IT responsibility.

KPMG recommends NHTSA retain evidence of the training provided to individuals with EA IT responsibility.

KPMG recommends PHMSA retain evidence of the training provided to individuals with EA IT responsibility.

KPMG recommends PHMSA produce and maintain evidence of EA reviews of IT investment risks that demonstrate alignment with appropriate DOT EA segments and DOT and OA EA standards.

KPMG recommends OST require that the EA artifacts illustrating implementation and execution of EA are in accordance with DOT EA policy.

KPMG recommends OST retain evidence of the required EA artifacts.

Revise the Safety Assurance System (SAS) risk-assessment tool to include weighted factors for each organizational risk evaluated by inspectors.

Update the scoring system and instructions in the Financial Condition Assessment Decision Aid to reflect that 10 characteristics are being evaluated.

Develop and provide additional guidance and training to inspectors to clarify the differences in the choices (word pictures) provided in the decision aids.

Reevaluate the decision aids to validate that: a. They include the appropriate areas of focus during reviews of the financial condition and transition or growth of regional air carriers; b.The weighting of the focus areas correlates to their potential impact on risks associated with financial distress or rapid growth or downsizing.

Revise validated guidance to emphasize the importance of completing decision aids periodically for baseline comparisons.

Implement a retention policy for completed decision aids so they will be available to inspectors for comparison and analysis during risk assessments.

Develop and provide guidance and training to show inspectors how to detect triggers that require the completion of a decision aid, as well as the importance of using decision aids to adjust surveillance.

Refine policies and procedures for collecting and analyzing safety data and metrics from regional airlines sector-wide and sharing that information with FAA's Flight Standards Offices.

Revise Agency guidance on risk-management processes to recommend adjustments to surveillance when the risk score is identified as high or document a reason for not adjusting surveillance given the risk.

Revise inspector guidance to provide actions inspectors should take after risks are identified through complaints, including reaching out to other offices if necessary and ensuring planned surveillance of the issue is actually completed.

Develop and implement policies and procedures to retain the original data files for purposes of validating the accuracy of the data being used to compute overflight fees.

Develop a timeline that indicates when FAA overflight-fee officials will start using updated software (that meet its system reliability requirements) for computing fees.

Develop and implement internal controls to oversee overflight-fee contractors, specifically, to review and approve flight data before the contractor submits them for billing.

Develop and implement internal controls to oversee Enterprise Services Center employees and require debt-collection training to ensure overflight fees are properly billed.

Establish policies and procedures that require staff to appropriately apply Federal laws and regulations and exclude aircraft users that are exempt or meet exception rules from receiving invoices for overflight fees.

Develop and implement policies and procedures to ensure that overflight-fee collection activities comply with Department of the Treasury requirements, such as:a. Ensuring debtors are given due process; implementation of this recommendation could put $1.48 million in funds to better use.b. Assessing late charges on all delinquent debts; implementation of this recommendation could put $9.3 million in funds to better use.c. Making timely referrals of delinquent overflight fees to Treasury; implementation of this recommendation could put $7.98 million in funds to better use.

Develop a comprehensive workforce plan by implementing the existing Human Capital Framework in accordance with the Department's Workforce Planning Guide.

Include in the workforce plan an assessment of whether the Agency should use retention incentives and, if appropriate, a plan for seeking authority to use retention incentives at levels above the fiscal year 2010 cap.

Include in the workforce plan an assessment of whether the Agency should use a special rate of pay for general engineers (series 0801) and, if appropriate, a plan for seeking authority to establish a higher rate of basic pay.

KPMG recommends that management continue to refine the EC&D estimation methodology to ensure that the methodology is based on relevant, sufficient, and reliable data that is supported by sufficient appropriate audit evidence.

KPMG recommends that management review any refinements to the methodology to ensure that the estimate is presented and disclosed in the financial statements in conformity with applicable accounting principles.

KPMG recommends that management establish appropriate communication channels with personnel outside of the Financial Statements and Reporting Division to ensure proper communication and coordination related to the calculation of material financial statement information

KPMG recommends that management perform an adequate review and approval of the accounting estimates, including: 1) Review of sources of relevant factors; 2) Review of development of assumptions; 3) Review of reasonableness of assumptions and resulting estimates; and 4) Consideration of changes in previously established methods to arrive at accounting estimates.

KPMG recommends that DOT establish a review control, with the appropriate level of precision, over the cash flow projections to ensure that the inputs are relevant and reliable.

KPMG recommends that DOT review the overall cash flow model functionality and implementation to ensure that all assumptions are properly applied, documented, and supported in the execution of the cash flow projections.

KPMG recommends that DOT consider automating the calculations that are performed manually to reduce the risk of misapplication of assumptions due to human error.

KPMG recommends that the Department complete the internal reviews currently planned or being performed, and properly report the results in compliance with the ADA, if necessary.

STB and its accounting service provider should implement accounting processes for estimating and recording the value of goods and/or services provided by vendors for open obligations, with and without an advance.

Develop written policies to: obtain invoices supporting the value of goods and services provided by vendors with advances so permanent reductions can be made to reduce the value of individual advances, close out advances where all services have been provided, and recoup all unused advance funding; including those currently outstanding.

Strengthen monitoring controls of financial management operations performed by the agency's accounting service provider. Develop policies, procedures and review checklists to ensure that monitoring processes are performed consistently and documented as required by GAO internal control standards.

Work with the accounting service provider to strengthen the service provider's quality control processes, and obtain documented assurances that quality control reviews have been performed on financial statements presented to the agency for audit

Determine the reasons that abnormal general ledger account balances were not identified, researched, and corrected, as appropriate despite the assurances provided in response to the same issues reported in the FY 2016 financial statement audit report. Implement additional controls to ensure abnormal account balances are properly identified, researched, and appropriate corrective actions are taken.

KPMG recommends that management continue to refine the EC&D estimation methodology to ensure that the methodology is based on relevant, sufficient, and reliable data which is properly supported by sufficient appropriate audit evidence.

KPMG recommends that management review any refinements to the methodology to ensure that the estimate is presented in conformity with applicable accounting principles and that the related disclosure is adequate.

KPMG recommends that management establish appropriate communication channels with personnel outside of the Financial Statements and Reporting Division to ensure proper communication and coordination related to the calculation of material financial statement information.

KPMG recommends that management perform an adequate review and approval of the accounting estimates, including: 1) Review of sources of relevant factors; 2) Review of development of assumptions; 3) Review of reasonableness of assumptions and resulting estimates; and 4) Consideration of changes in previously established methods to arrive at accounting estimates.

KPMG recommends that management develop and implement policies and procedures to ensure that only assets that exist and that may require future decommissioning and cleanup activities are included in the EC&D liability estimate.

Improve and implement reconciliation (walkthrough) procedures during the financial statement preparation process to ensure information included in its financial statements is supported by underlying accounting records and transactions.

Develop and implement accounting policies and procedures to recognize and record SLSDC's share of activities related to the operation of the South Channel Span of the Seaway International Bridge.

Develop and implement accounting policies and procedures to recognize and record SLSDC's expense activity associated with executed bridge repair service job orders.

Develop and implement accounting policies and procedures to recognize and record SLSDC's liabilities with SIBC for open service job orders.

Establish controls to ensure the appropriate useful lives of assets are recorded in the accounting system when new assets are placed into service.

Establish controls to review the nature and scope of projects prior to closure and conversion to PP&E to ensure that assets are properly recorded in the PP&E records.

Update asset disposal policy to better define procedures for disposal and establish specific parameters for timely completion.

Enhance certificates of disposal to include asset ID numbers to expedite disposal actions.

Perform a complete physical inventory of PP&E as required by SLSDC policy and research any differences identified.

Update the property records to include the serial numbers for buoys.

Coordinate with the Department of the Treasury to determine the appropriate treatment and custody of its funds currently held by SIBC.

Complete implementation of policies and procedures for: a. Risk management, including a risk management plan and assessment, b. System authorization, and c. Plans of actions and milestones.

Complete the system reauthorization of the STB LAN.

Complete service level agreements or similar documents that permit STB or its auditor to perform tests and/or obtain supporting documentation to demonstrate that cloud systems are properly authorized to operate.

Define specifications and acquire an automated solution to assist with the risk management program.

Develop policies and procedures for the implementation of an information security architecture.

Modify existing procedures to fully address identification, reporting, and resolution of information system flaws, including timely patch installation.

Incorporate missing elements into its enterprise-wide configuration management plan such as a change control board charter

Modify identity and access management policies and procedures to adequately address: a. Reviews of as-is states, desired states and a transition plan. b. Processes for assigning personnel risk designations prior to granting access to its systems.c. Processes for developing, documenting, and maintaining access agreements for individuals with system access. d. Requirements for remote access

Conduct a needs assessment to formally determine the organization's awareness and training needs, including but not limited to developing and implementing a formal process for assessing the skills, knowledge, and abilities of its workforce.

Develop and implement a formal process for measuring the effectiveness of its security awareness and training program.

Modify the training plan to include missing elements such as funding, goals and use of technology.

Develop and implement an ISCM program that, at a minimum provides awareness of threats and vulnerabilities.

Modify its policies and procedures to address missing components such as incident detection and analysis; incident prioritization, containment, eradication, and recovery; coordination, information sharing, and reporting; incident response training and testing, and considerations for major incidents.

Implement its contingency planning policy by performing business impact analyses, updating or completing system contingency plans, testing contingency plans, performing necessary backups and obtaining an adequate alternate processing site, it needed.

Develop and implement written policies and procedures for establishing new Centers or making adjustments to existing ones—including determining each Center's initial financial resource needs, changes to funding levels, locations, geographic areas of coverage, and small business/client populations.

Conduct a baseline program needs assessment of current funding levels, locations, geographic areas of coverage, and small business/client populations to be served—and take corrective actions as needed to meet determined needs.

Develop and implement an action plan for increasing future competition for Center operation.

Develop and implement performance measures for cooperative agreement requirements that assess how well the Centers achieve program objectives and desired outcomes

Implement policies and procedures to ensure OSDBU personnel comply with existing monitoring requirements for conducting annual performance evaluations and site visits

Recover the $69,312.00 in improper payments for unallowable labor charges

Implement policies and procedures to ensure that OSDBU's financial management practices comply with appropriation law, Federal regulations, and the Department's Financial Assistance Guidance Manual. Implementing this recommendation could potentially put $1,168,907 in funds to better use.

Take action to correct the $346,927 in improper payments related to OSDBU's financial management practices identified in this report.

Deobligate the $57,758 remaining on cooperative agreements that have ended, as identified by this audit as funds that could have been put to better use

Develop and implement a process to perform periodic financial assistance management reviews of OSDBU to ensure that OSDBU is informed about and complies with existing financial management assistance laws, regulations, and guidance.

Ensures that the City complies with period of availability requirements.

Recovers $23,598 from the City, if applicable.

Ensures that Amtrak complies with equipment and real property management requirements.

Ensures that the Authority complies with period of performance requirements.

Recovers $44,589 from the Authority, if applicable.

Ensures that the City complies with cash management requirements.

Recovers $66,667 from the City, if applicable.

Develop and implement policies and procedures, including a standard identification method, for tracking other transaction agreements (OTA).

Develop and implement criteria that: a. Describe when an OTA should be used rather than a contract or grant; b. Require awarding officials to document their rationale for using OTAs rather than contracts or grants.

Develop and implement policies and procedures to state when Acquisition Management System guidance, FAA financial assistance policies, and other requirements and guidance such as requirements for Independent Government Cost Estimates, including OTAs in Single Audits, and conflicts of interest analysis apply to OTAs.

Develop and implement policies to report OTA awards that involve Federal funds to USASpending.gov.

Establish documentation requirements for all types of OTAs, and develop and implement policies and procedures for maintaining complete files for the agreements, including evidence of legal reviews.

Develop and implement policies and procedures to ensure that OTAs are awarded and administered by properly authorized (warranted) officials, including: a. Creating and regularly maintaining a comprehensive list of awarding officials, the various types of agreements (e.g., contract, grant, OTA, reimbursable agreement, interagency agreement) they are authorized to sign, dollar limits (if any), and the dates the authority began and ended when applicable; b. Clarifying the Acquisition Management System to specify when it is appropriate to use an OTA that is also an interagency agreement or reimbursable agreement, and to specify what warrant authorities are required for officials signing these agreements.

Assess whether OTAs signed by individuals without proper authorization represent unauthorized commitments, and take appropriate corrective actions.

Develop and implement policies and procedures to standardize and enforce provisions of Tower Operating Agreement OTAs as a condition of providing air traffic control services, including: a. A procedure to provide for periodic inspections of the tower environment to detect problems that have an impact on FAA contract controllers and respond to them; b. Requiring all airport sponsors to sign Tower Operating Agreements.

Renegotiate tower leases requiring rent payments to airport sponsors to secure no-cost leases. Implementation of this recommendation could put $2.2 million in Federal funds to better use.

Recover the $19,000 overpayment to an OTA tower construction recipient, determine whether FAA overpaid other recipients on its tower construction agreements, and recover any overpayments and interest not applied to the construction projects.

Develop and implement policies and procedures for tower construction OTAs that at a minimum address aligning payments to actual needs and disposing of leftover funds and interest earned on advanced funds.

Develop a business case for the award of a new OTA, or an extension of the current OTA, to conduct research at and manage the Florida Test Bed that includes the potential for competition and a cost-benefit analysis that examines facility utilization (whether onsite or via remote access) and potential for cost sharing.

Follow DOT's cybersecurity policy, and track access and usage of OTA-covered information systems, including those at the Florida Test Bed.

Update the Financial Assistance Guidance Manual and other policies to reflect current authorities and oversight needs for OTAs, and clarify which provisions of the manual and other policies apply to these agreements.

Update the Financial Assistance Guidance Manual and other policies to reflect current authorities and oversight needs for OTAs, and clarify which provisions of the manual and other policies apply to these agreements.

Revise and implement policies and procedures for conducting pre-award reviews that assess the price reasonableness of each OTA.

Designate in writing which officials are authorized to award OTAs.

Ensures that the State complies with allowable cost principles requirements.

Recovers $176,050 from the State, if applicable.

Ensures that the State complies with subrecipient monitoring requirements.

Recovers $438,118 from the State, if applicable.

Ensures that the Authority complies with equipment and real property management requirements.

Ensures that the City complies with special test and provisions-wage rate requirements.

We recommend FTA ensures that the Division complies with reporting requirements.

Ensures that the County complies with cash management requirements.

Ensures that the County complies with procurement, suspension and debarment requirements.

Ensures that the County complies with special tests and provisions-wage rate requirements.

Ensures that the State complies with matching, level of effort, earmarking requirements.

Recovers $252,644 from the State, if applicable.

Ensures that the State complies with activities allowed or unallowed requirements.

Recovers $60,800 from the State, if applicable.

Ensures that the District complies with special tests and provisions-wage rate requirements.

Ensures that the Tribe complies with activities allowed or unallowed and allowable costs/cost principles requirements.

Determine an amount of questioned costs and recover from the Tribe, if applicable.

Ensures that the State DOT complies with subrecipient monitoring requirements.

Ensures that the State DOT complies with subrecipient monitoring requirements.

Ensures that the County complies with allowable costs/costs principles requirements.

Recovers $84,365 (2013-020 ($4,385) and 2013-022 ($79,980)) from the County, if applicable.

Ensures that the Authority complies with special tests and provisions-revenue diversion requirements.

Recovers $1,611,898 from the Authority, if applicable.

Ensures that the Authority complies with equipment and real property requirements.

Ensures that the State complies with special tests and provisions requirements.

Recovers $118,713 from the State, if applicable (Finding 2016-043).

Ensures that the State complies with special tests and provisions - wage rate requirements (Finding 2016-047).

Ensures that the Government of Guam complies with equipment and real property management requirements.

Ensures that the Government complies with equipment and real property management requirements.

Ensures that the Government complies with Special tests and provisions-wage rate requirements.

Ensures that the County complies with period of performance requirements.

Recovers $21,025 from the County, if applicable.

Ensures that the Authority complies with procurement, suspension, and debarment requirements.

Ensures that the Authority complies with allowable costs/cost principles requirements.

Ensures that the Authority complies with equipment and real property management requirements.

Ensures that the Territory complies with equipment and real property management Requirements.

Require the contactor to report on all seven technical performance measures to provide FAA with the ability to determine whether all performance requirements are being met and contractually required products and services are being received.

To disclose the total cumulative costs for the contract, identify and report the potential range or maximum value of incentive fees payable under the contract, about $78 million, when reporting to managers, Congress, and other stakeholders.

Modify the contract to clearly identify the differences between critical service specifications for ADS-B and the technical performance measures for ADS-B services that are used for computing incentive awards.

Conduct and document a review of incentive fee implementation to ensure that it motivates the contractor to exceed the contract specifications and also minimizes performance violations as stated in the H.7 clause. Consider adjustments to the incentive fee implementation as a result of the review.

Enforce the H.33 clause to reveal capital asset cost and gain necessary pricing information for use in negotiating additions and enhancements to the ADS-B contract as has occurred on at least nine occasions previously.

Conduct and document an analysis to determine whether or not duplicate subscription fee payments are being made due to radio stations that support multiple service volumes.

Strengthen future acquisitions by adding or modifying guidance to AMS to incorporate concepts from the OMB Capital Programming Guide on considering the use of successive or incrementally priced contract, orders, or contract line items when acquiring or developing systems spanning many years. This guidance may be incorporated into planned guidance regarding the use of modular contracting concepts.

Strengthen future acquisitions by expanding guidance in the AMS or the FAA Pricing Guide to: (1) better describe the process for (a) evaluating price reasonableness and (b) determining cost realism when evaluating proposals, to include a review of quantities and types of hardware proposed; and (2) include in existing oversight processes a check to ensure that independent government cost estimates and life cycle cost estimates are not established based solely on the awardee's proposal.

Strengthen future acquisitions by requiring that contracting officers and specialists in the Surveillance Contracting Branch keep hard and/or electronic back-up copies of contract file information in the contract file; keep the contract up to date, including modifications or changes such as partial acceptance, methodology for partial acceptance, pricing matrix adjustments, and other agreements created by correspondence outside the contract; and ensure that in Agency computers, a complete and accurate record of all contract actions and supporting documentation is established and maintained in real time.

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Ensures that the State complies with special tests and provisions requirements.

Ensures that the State complies with subrecipient monitoring requirements.

Ensures that the County complies with Allowable Costs/Costs Principles requirements.

Recovers $171,265 from the County, if applicable.

Ensures that the City and County complies with special tests and provisions - wage rate requirements.()

Ensures that the State complies with procurement and suspension and debarment requirements.

Recovers $466,262 from the State, if applicable.

Ensures that the State complies with special tests and provisions requirements.

Recovers $78,578 from the State, if applicable.

Ensures that the District complies with special tests and provisions - wage-rate requirements.

Ensures that the State complies with activities allowed or unallowed requirements.

Ensures that the State complies with special tests and provisions requirements.

Ensures that the State complies with procurement and suspension and debarment requirements.

Update OCIO-WCF billing procedures to ensure billings are accurately and consistently applied to intra-agency agreements for products and services, within specified scopes of work and periods of performance.

Document OCIO's process for preparing cost estimates that support its cybersecurity budget request and maintaining support documentation justifying the basis of estimates.

Implement the DOT Enterprise Program Management Review Framework and procedures for maintaining support documentation that complies with OMB design and planning requirements to justify its IT investments, including the Virtual Desktop Infrastructure and the Continuous Monitoring Software, and require the use of planning tools such as cost-benefit analyses to monitor the costs, schedule, and performance goals.

Develop and manage a business case consistent with OMB guidance for cybersecurity investments, and ensure that Continuous Diagnostic and Mitigation program is incorporated into that investment for reporting of costs, and other criteria as required by OMB.

Develop and implement a process specifying how OCIO prioritizes its cybersecurity IT investments, and follow through on its plan to develop separate plans that include which cybersecurity projects it plans to focus on to address near-term threats, important tactical cybersecurity goals, and remediation challenges.

Develop a plan with milestones to evaluate how FMCSA establishes baseline parameters for its quality assurance tools.

Update information systems to capture the explicit identification of compliance reviews as either comprehensive or focused, and the Behavior Analysis and Safety Improvement Categories assigned and reviewed.

Finalize the Agency's grants management manual and include controls to document that all grant management steps have been accomplished before a grant is awarded or closed, as well as steps to address alleged prohibited uses of Technical Assistance Grant funds.

Finalize the Technical Assistance Grant program's Business Process Documentation.

Revise the grant agreement template for Technical Assistance Grants to include the statutory language prohibition against using program funds for direct advocacy.

Develop and implement a process for field level inspectors to coordinate with TSA on programs with closely related safety and security responsibilities, such as results of air carrier cockpit access program audits.

Sensitive information redacted

Publish an FAA Notice to inspectors that communicates the existence of AC 120-110 and RTCA Report DO-329, highlights the blocking methods orchestrated by the Special Committee, and directs inspectors to communicate this information to the carriers they oversee.

Require air carriers to conduct a Safety Risk Assessment (under FAA’s Safety Management System) of their current secondary barrier methods using all information from the 2011 RTCA report on secondary barriers, either as a stand-alone Notice or incorporated into another Notice recommended above.

Meet with air carriers and TSA to discuss best practices that may be used to enhance cockpit security and reduce crew complacency.

Conduct outreach to industry and DHS to assess flight attendant concerns on additional training needed to better prepare for emergency situations, such as a crewmember lockout from the cockpit.

Ensures that the City complies with Allowable Costs/Cost Principles Requirements. ()

Recovers $147,515 from the City, if applicable.

Ensures that the City complies with Reporting Requirements.

Ensures that the City complies with Reporting Requirements.

Ensures that the State DOT Highways Division complies with Special Tests and Provisions-Wage Requirements.

Ensures that the State DOT Highways Division complies with Subrecipient Monitoring Requirements.

Ensures that the DOT complies with Internal Control Requirements.

Ensures that the Agency complies with Allowable Costs/Cost Principles Requirements.

Recovers $9,189 from the Agency, if applicable.

Ensures that the Agency complies with Allowable Costs/Cost Principles Requirements.

Recovers $26,665 from the Agency, if applicable.

Ensures that the Authority complies with Special Tests and Provisions Requirements.

Determine their portion of the $ 29,116 in Questioned Costs and recovers from the Authority, if applicable.

Ensures that the Authority complies with Equipment and Real Property Management Requirements.

Ensures that the Authority complies with Reporting Requirements.( )

Ensures that the Authority complies with Cash Management Requirements.

Ensures that the City complies with Allowable Costs/Cost Principles Requirements.

Recovers $41,494 from the City, if applicable.

Ensures that the Authority complies with Procurement and Suspension and Debarment Requirements.

Ensures that the Borough complies with Allowable Costs/Costs Principles Requirements.

Recovers $191,777 from the Borough, if applicable.

Ensures that the City complies with Cash Management Requirements.

Recovers $36,579 from the City, if applicable.

Ensures that the Department complies with Subrecipient Monitoring Requirements.

Ensures that the Department complies with Subrecipient Monitoring Requirements.

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Sensitive information redacted

Modify periodic training provided to FAA inspectors to include information on the importance of verifying check pilot qualifications prior to approval.

Clarify inspector guidance on performing and documenting APD training and observations to ensure authorization requirements are fulfilled.

Modify internal audit policies to ensure FAA audits provide accurate and thorough assessments of APD oversight at each office.

Develop and implement guidance requiring inspectors, or their designees, to verify that check pilots have met training requirements prior to performing recurrent observations.

Modify requirements within the risk-based oversight tool (SAS) for inspectors to ensure a sufficient number of check pilot records are evaluated to assess the accuracy of air carrier training.

Clarify surveillance requirements and the inspectors' role overseeing check pilots under AQP.

Develop and implement a training program on how to approve and oversee check pilots under AQPs for inspectors assigned to carriers using those programs.

Develop guidance and provide training to Hotline employees on how to accurately record specific data about Suspected Unapproved Parts (SUP) in FAA's database.

Develop a management control to ensure that all SUPs reports received by local inspection offices are submitted to the Hotline for processing.

Develop a management control to ensure FAA Hotline employees conduct trend analyses in accordance with the Hotline's guidance.

Develop a management control to ensure inspectors adhere to guidance when conducting SUPs investigations.

Revise FAA's risk-based oversight system to incorporate a risk indicator for manufacturers where unapproved parts have been found.

Require FAA Headquarters officials to forward all confirmed SUPs cases to Federal law enforcement agencies, whether or not criminal activity is suspected, in accordance with the letter agreement.

Coordinate with DOT's Office of Inspector General to determine the need for its investigators to receive all improper maintenance cases, including those initially reported as SUPs as well as those reported directly to FAA.

Require FAA Headquarters officials to provide quarterly SUPs investigation reports to Federal law enforcement agencies, in accordance with the letter of agreement.

Develop a management control to ensure inspectors issue UPNs consistently when notifying the aviation industry about unapproved parts.

Develop a management control to ensure inspectors follow existing guidance requiring operators to remove unapproved parts from use and their inventories.

Include a "best practice" in the SUPs Advisory Circular to encourage industry to register to receive automated notifications about unapproved parts.

Implement procedures to ensure selected Federal Aviation Administration employees receive additional guidance on procure-to-pay procedures needed to support Facilities and Equipment - Disaster Relief Appropriation Act program payments as proper.

Implement procedures to ensure the Federal Railroad Administration provides training to select grant recipients regarding the root causes of administrative errors and the identification and retention of required documentation to support a payment as proper in the High-Speed Intercity Passenger Rail program.

Implement procedures to ensure the Federal Transit Administration distributes guidance to grant recipients on the proper procedure for submitting payments that adhere to the grant agreement terms in the Formula Grants and Passenger Rail Investment and Improvement Act program.

Establish and implement controls to ensure the FMOCs meet contractual requirements to include in all Financial Capacity Assessment reports:a. Complete project ratings that are in accordance with all elements of FTA's rating criteria; andb. Sensitivity testing performed.

Require that FMOCs include in their Financial Capacity Assessment reports the rationales for all testing decisions and parameters selected for testing.

Establish and implement controls to ensure FTA regional staff follow the existing Federal Financial Report review procedures which require reviewing the reports and documenting the reviews.

Complete a financial analysis of all SFMTA's Federal expenditures incurred on the Central Subway project, including its indirect expenses, as reported in the Federal Financial Reports to quantify the amount of Federal funds to be reimbursed to FTA. Implementation of this recommendation could put at least $37 million in Federal funds to better use.

Revise FTA's policy guidance to include requirements identifying which project's third party agreements are critical versus those that are not, and which agreements are required to be completed and in place prior to FFGA approvals, to mitigate risks to project cost and schedule due to uncompleted third party agreements.

Develop and implement a process to require contracting officers to re-verify and document a firm's small/disadvantaged eligibility prior to awarding each individual procurement awarded under an eFAST master ordering agreement. Implementation of this recommendation could put $314 million in funds to better use by awarding those dollars to firms whose small/disadvantaged eligibility status was verified at the time of individual procurement award.

Develop and implement a process to periodically verify that justifications required by AMS section T3.2.4.A.6(c) are documented for each time and material type procurement awarded under an eFAST master ordering agreement, and that the justification addresses each of the four elements required (including explanations for why any of the individual elements were not addressed).

Strengthen guidance on utilizing performance-based contracting methods in service contracting, and train contracting and program staff how to use these methods in procurements awarded under an eFAST master ordering agreement.

Develop and implement a process to periodically verify that eFAST contracting officers are tracking contracting officer representatives' certifications and documenting them in the procurement files.

Develop and implement a process to promote regular communication between eFAST contracting officers and contracting officer representatives during the period of performance for procurements awarded under an eFAST master ordering agreement.

Develop and implement a process to promote contracting officer representatives to document and follow oversight plans for procurements awarded under an eFAST master ordering agreement, tailoring each plan to the procurement's unique risks and circumstances.

Develop and implement a process requiring contracting officer representatives to determine and document how they will validate that statement of work acceptance criteria have been met for each procurement awarded under an eFAST master ordering agreement.

Develop and implement a process requiring contracting officer representatives to maintain documented evidence of oversight for each procurement awarded under an eFAST master ordering agreement in either the official procurement files on FAA's eFAST Knowledge Services Network workspace, or in a format that is also accessible at any time to the eFAST office

Update reporting guidance so users can more efficiently and accurately identify reporting requirements for different accident and incident types and better understand the definitions of terms used on reporting forms.

Implement routine or Web-accessible training or other outreach to improve how information is provided to railroad reporting officers and enhance their understanding of key reporting requirements and common reporting errors.

Develop and implement a standard method for identifying and listing railroads in each FRA Region subject to 49 CFR Part 225 requirements.

Develop and implement procedures for tracking 49 CFR Part 225 audits of non-Class I railroads and identifying entities exempt from 49 CFR Part 225 reporting requirements.

Establish a risk-based prioritization for auditing non-Class I railroads every 5 years. Part of the prioritization process should include determining whether any higher-risk non-Class I railroads should be audited more frequently.

Formalize the 49 CFR Part 225 audit process with written guidance that identifies basic procedures, standards of evidence, and common sources of information, along with a process to update these standards and reevaluate audit priorities or scope when necessary.

Develop and initiate regular training to FRA staff responsible for 49 CFR Part 225 audits and establish a procedure to update the training when necessary.

Ensure the Tribe complies with Procurement, Suspension and Debarment Requirements.

Recover $25,646 from the Tribe, if applicable.

Ensure that Amtrak complies with Equipment and Real Property Management Requirements.

Ensure the Commission complies with Reporting Requirements.