Recommendation Dashboard


OIG’s Office of Auditing and Evaluation makes recommendations to the Department of Transportation and a few independent transportation entities to correct deficiencies and encourage improvements in the safety, economy, efficiency, and management of their programs and operations. Our audit report findings and conclusions explain the basis for the specific corrective actions we recommend. This Recommendation Dashboard provides more information than ever before about the current status of OIG recommendations, which we plan to update on a weekly basis. For more information, see answers to frequently asked questions.

 

Open Recommendations by Agency

As of: The Recommendation Dashboard does not include data on many of our older audits for which all recommendations were closed prior to July 1, 2016.

 
 
Audit Report: FS2024008 issued on 11.20.2023
DOT’s Policies and Do Not Pay Portal Use Are Not Sufficient To Comply With the DNP Initiative
No. 1 to OST

Assess the appropriateness of the databases in the Do Not Pay (DNP) portal and document a reasonable justification for any databases that OST determines are not appropriate.

No. 2 to OST

For those DNP portal databases that OST deems appropriate, develop and implement policies and procedures to ensure recipient eligibility is verified in the DNP portal prior to making payment.

Audit Report: QC2024007 issued on 11.15.2023
Quality Control Review on the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022
No. 1 to FTA

KPMG recommends that FTA management evaluate the COVID-19 grant programs and develop an estimation methodology responsive to the nature of the program and expected drawdown patterns.

No. 2 to FHWA

KPMG recommends that FHWA management consider the increased IIJA funding and subsequent increase in expenses and develop an estimation methodology responsive to fluctuations in future expenses.

No. 3 to FHWA

KPMG recommends that FHWA management review and update accounting policies and operating procedures to capitalize costs for the construction and procurement of non-heritage fixed assets on behalf of FLMA partners.

No. 4 to FHWA

KPMG recommends that FHWA management establish and maintain communications channels with FLMA partners and establish protocols for communicating asset-level detail for projects required by each agency’s property accountants.

No. 5 to FHWA

KPMG recommends that FHWA management perform an assessment of costs expensed for completed fixed asset construction projects to determine materiality and record correcting accounting entries as needed.

No. 6 to OST

KPMG recommends that DOT management perform procedures to consistently approve and document new or modified user account and recertification requests and timely remove separated users as required by internal policy and standards for effective internal control systems.

No. 7 to OST

KPMG recommends that DOT management update policies and procedures to assign backup responsibilities for control operators.

No. 8 to OST

KPMG recommends that DOT management provide training to system administrators on documented procedures.

No. 9 to OST

KPMG recommends that DOT management conduct monitoring to assess whether control operators are performing control activities in accordance with policy.

Audit Report: QC2024006 issued on 11.14.2023
Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2023 and 2022
No. 1 to FAA

KPMG recommends that FAA management design and perform procedures to consistently approve and document new or modified user account and recertification requests and timely remove separated users as required by internal policy and standards for effective internal control systems.

Audit Report: IT2024001 issued on 10.30.2023
DOT Needs To Improve Its High-Value Assets Governance Program To Effectively Identify, Prioritize, and Secure Its Most Critical Systems
Sensitive
No. 1 to OST

Sensitive information redacted

Sensitive
No. 2 to OST

Sensitive information redacted

Sensitive
No. 3 to OST

Sensitive information redacted

Sensitive
No. 4 to OST

Sensitive information redacted

Sensitive
No. 5 to OST

Sensitive information redacted

Sensitive
No. 6 to OST

Sensitive information redacted

Sensitive
No. 7 to OST

Sensitive information redacted

Audit Report: QC2023047 issued on 09.27.2023
Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security Program and Practices
No. 1 to OST

Develop and implement DOT’s zero trust architecture plan for network traffic that cannot be routed through traditional Trusted-Internet Connections (TIC) access points as required by OMB M-19-26, Update to the TIC Initiative.

No. 2 to OST

In coordination with Federal Aviation Administration (FAA), complete the pilot and testing of TIC 3.0 use cases and revise FAA policies to reflect requirements in OMB M-19-26, Update to TIC Initiative.

Audit Report: AV2023045 issued on 09.19.2023
DOT Has Effectively Managed the Aviation Manufacturing Jobs Protection Program and Should Capture Lessons Learned From Its Oversight Efforts
Pandemic Oversight
No. 1 to OST

Conduct an Aviation Manufacturing Jobs Protection program after-action review to identify lessons learned and incorporate improvements into future grant programs.

Audit Report: IT2023043 issued on 08.30.2023
DOT’s Cloud-Based Systems’ Security Weaknesses Hinder Its Transition to a Zero Trust Architecture
No. 1 to OST

Develop and implement policies and procedures governing DOT components and Operating Administrations’ adoption and use of cloud services for their cloud-based system and at a minimum require system owners to: a. Submit an Authorization to Operate letter to the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office before adopting and using cloud services to ensure (1) cloud services comply with FedRAMP security baselines, and (2) FedRAMP has an accurate inventory of DOT cloud services and cloud service providers. b. Conduct a quality and risk review of the Department’s cloud service providers’ cloud service offering authorization package to ensure that it clearly and accurately reflects the cloud service offering’s security posture so DOT’s Authorizing Official can make an informed risk-based authorization decision, as required by FedRAMP. c. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the respective cloud service providers’ continuous monitoring activities to ensure their cloud systems’ security posture remains sufficient for their own use and supports ongoing authorization as required by FedRAMP.

No. 2 to OST

Incorporate the required standard cloud security clauses in the Department’s enterprise cloud service contracts as well as other cloud services contracts for FAA, MARAD, and OST to ensure the cloud services are secure.

No. 3 to OST

Working with the appropriate DOT procurement officials for FAA, FMCSA, FHWA, MARAD, FRA, NHTSA, PHMSA, and OST, set up service level agreements as required, with each of their cloud service providers to define and set agency expectations and cloud service provider-specific responsibilities.

No. 4 to OST

Direct and require confirmation of completion from FMCSA's cloud-based system owners for the National Registry of Certified Medical Examiners—Software-as-a-Service to include in its Executive Summary Authorization to Operate Letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.

No. 5 to OST

Direct and require confirmation of completion from OST's cloud-based system owner for the Federal Human Resources Navigator—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Use personal identity verification cards as the primary authentication mechanism to ensure secure system login. c. Develop a Privacy Impact Analysis to help identify and manage personally identifiable information and privacy risks. d. Identify a security official to review system audit log files. e. Develop and implement a process to remove extracted data containing sensitive information within 90 days of extraction in accordance with DOT requirements.

No. 6 to OST

Direct and require confirmation of completion from OST's cloud-based system owner for the Electronic Document Management System—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Require multifactor authentication for non-DOT system users. c. Develop and implement a process to automatically disable inactive system accounts after 60 days of inactivity.

No. 7 to OST

Direct and require confirmation of completion from OST's cloud-based system owner for the Data Analysis Visualization Environment—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Develop and implement a process to conduct monthly vulnerability scans as required by DOT.

No. 8 to OST

Direct and require confirmation of completion from MARAD's cloud-based system owner for US Merchant Marine Academy/Campus Labs—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Complete an annual security authorization process and obtain a full authorization to operate for its Software-as-a-Service cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Update its privacy threshold assessment and, if applicable, Privacy Impact Analysis to protect privacy, personally identifiable information, and other sensitive information stored in the cloud.

No. 9 to OST

Direct FAA’s cloud-based system owner for the Emergency Notification System—Software-as-a-Service to provide evidence of the organizational administrator’s quarterly reviews of Emergency Notification System application and documentation verifying they disable inactive accounts.

No. 10 to OST

Direct and require confirmation of completion from FRA’s cloud-based system owner for its Cloud Application Services—Software-as-a-Service—to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Update the Privacy Impact Analysis for the Railroad Compliance System to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.

No. 11 to OST

Direct and require confirmation of completion from NHTSA’s cloud-based system owner for the Web System—Platform-as-a-Service and Infrastructure-as-a-Service—to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop and implement a process to review audit logs and analyze vulnerability scan reports on its Platform-as-a-Service on a weekly basis to check for various risks, including software flaws per NHTSA’s audit and accountability plan.

No. 12 to OST

Direct and require confirmation of completion from NHTSA’s cloud-based system owner for the Advanced Retrieval Tire, Equipment, Motor Vehicle, Information System—Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Update the Privacy Impact Analysis to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.

No. 13 to OST

Direct and require confirmation of completion from PHMSA's cloud-based system owner for the Pipeline Risk Management Information System—Infrastructure-as-a-service—and PHMSA Data Mart—Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for Pipeline Risk Management Information System. b. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for PHMSA Data Mart.

No. 14 to OST

Direct and require confirmation of completion from FMCSA’s cloud-based system owner for the Cloud Environment—Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use as required by FedRAMP. b. Complete its annual security authorization process and obtain a full Authorization to Operate for its cloud information system to ensure all systems risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Develop and implement a process to enforce multifactor authentication for privileged and non-privileged network accounts. d. Update the Privacy Threshold Assessment and Privacy Impact Analysis to protect the privacy of its system users’ personally identifiable information and other sensitive information.

No. 15 to OST

Direct and require confirmation of completion from FRA’s cloud-based system owner for the Multiple Case Incident Analysis—Infrastructure-as-a-service to include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.

No. 16 to OST

Direct and require confirmation of completion from OST's cloud-based system owner for the Infrastructure and Operations Common Operating Environment (COE)—Software-as-a-Service, Infrastructure-as-a-service, and Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop security baseline configuration settings and a checklist and assess whether the COE cloud-based system is properly configured and the network secure. c. Develop and implement a process to conduct reviews of the system audit logs to enhance its ability to identify suspicious, inappropriate, unusual, or malevolent activity. d. Develop and implement a process that requires timely updates to security patches that address software flaws which mitigate the risks associated with mission-related operating system patches and data exfiltration. e. Develop a Privacy Impact Analysis to identify and protect personally identifiable information and other sensitive information hosted in the COE cloud.

No. 17 to OST

Direct and require confirmation of completion from FAA’s cloud-based system owner for the FAA Cloud Services—Infrastructure-as-a-service and Platform-as-a-Service to: a. Incorporate flaw remediation into ongoing configuration management processes. b. Develop and implement a process to regularly manage malicious code protection to detect and eradicate malicious code at the entry point for its Infrastructure-as-a-service and Platform-as-a-Service. c. Develop and implement a change control process and use baseline configuration settings and document configuration settings to establish a basis for future builds, releases, and/or changes. d. Develop and implement a process to perform an automated review of network accounts or implement an alternative method for identifying users on the network in real-time. e. Develop and implement a process to require the most current cryptographic mechanisms to protect data during network transmission to provide complete boundary protection and reduce the risk of compromise. f. Develop and implement a process to encrypt data transmitted within the Infrastructure-as-a-service environment to reduce the risk of compromise and data exposure. g. Develop and implement a process to review vulnerability scan results and remediate vulnerabilities within specified timeframes as required by FAA’s security handbook.

No. 18 to OST

Direct departmental security officials working with appropriate procurement officials to verify that service level agreements contain a requirement to report security incidents to DOT’s Security Operations Center and require confirmation of completion.

No. 19 to OST

Develop and implement a process that enables FAA’s Security Operations Center to receive the necessary log data for ensuring proper cybersecurity incident monitoring for all departmental cloud-based systems.

No. 20 to OST

Report DOT plans for fully adopting multifactor authentication and encryption for data at rest and in transit in accordance with Executive Order 14028.

No. 21 to OST

Update the Department’s zero trust architecture strategy and implementation plan to address the identified gaps and include migration steps and timelines consistent with direction from the Office of Management and Budget and National Institute of Standards and Technology guidelines.

Audit Report: SA2023041 issued on 08.15.2023
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending June 30, 2023
Closed on 09.08.2023
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$2,892,004
No. 2 to OST

Determine the allowability of the questioned transactions and recover $2,892,004, if applicable.

Audit Report: ST2023040 issued on 08.02.2023
FMCSA Generally Met Requirements for Cross-Border Carriers’ Long-Haul Operations, but Compliance Reviews Were Not Timely
No. 1 to FMCSA

Revise FMCSA’s policy to define and allow for justifications for delaying compliance reviews beyond 18 months, and if delayed, determine how long a carrier should be permitted to continue to operate under provisional authority without a compliance review and require documentation of a decision to delay a carrier’s review.

No. 2 to FMCSA

Determine whether a revision to the Federal Motor Carrier Safety Regulations is necessary to implement the compliance review policy revisions.

Closed on 09.06.2023
No. 3 to FMCSA

Develop and implement a recovery plan to complete compliance reviews for those carriers operating for more than 18 months under provisional authority and to establish a compliance review scheduling system for future provisional carriers.

Audit Report: AV2023038 issued on 07.12.2023
FAA Conducts Comprehensive Evaluations of Pilots With Mental Health Challenges, but Opportunities Exist to Further Mitigate Safety Risks
No. 1 to FAA

Collaborate with airlines, airline pilot unions, and the aerospace medical community to conduct an assessment to identify ways to address barriers that discourage pilots from disclosing and seeking treatment for mental health conditions, based on the latest data and evidence.

No. 2 to FAA

Develop and implement policy and protocol revisions recommended in the assessment.

Audit Report: AV2023036 issued on 06.21.2023
FAA Has Deployed a Prototype System for Monitoring Commercial Space Operations but Faces Integration Challenges
No. 1 to FAA

Update the commercial space operational shortfalls identified in the 2020 Concept of Operations, and report out on any changes to the shortfalls and plans for addressing them.

No. 2 to FAA

Update and publish the status of Aviation Rulemaking Committee recommendations that have not been implemented, including establishing target action dates for recommendations that are aligned with implementation of the National Airspace System Space Integration Capabilities program.

No. 3 to FAA

Determine the workload impact of commercial space operations at air traffic facilities, and take action as needed.

No. 4 to FAA

Identify the specific direct tasks associated with commercial space operations, determine if they should be included in the en-route controller workload model, and if so, incorporate them in the next updated model.

Audit Report: AV2023037 issued on 06.21.2023
Regulatory Gaps and Lack of Consensus Hindered FAA’s Progress in Certifying Advanced Air Mobility Aircraft, and Challenges Remain
No. 1 to FAA

Accelerate—to the extent possible—the current rulemaking project (SFAR) regarding powered-lift pilot eligibility requirements and operating rules for powered-lift aircraft, and develop and implement a plan with milestones for completion of the rulemaking which includes a process for regularly updating stakeholders on these milestones.

No. 2 to FAA

Accelerate—to the extent possible—the current rulemaking project (NPRM) that will integrate powered-lift into certain regulatory definitions, and develop and implement a plan with milestones for completion of the rulemaking which includes a process for regularly updating stakeholders on these milestones.

No. 3 to FAA

Identify the causes of the difficulties in communication and decision-making related to resolving disagreements on AAM, and develop and implement a process for better managing challenges during the deliberation process for consensus in future projects, as well as a decision-making process for when consensus cannot be reached.

No. 4 to FAA

Establish and implement policies and procedures explaining CECI’s roles and responsibilities in the certification process.

Audit Report: AV2023035 issued on 06.21.2023
FAA Faces Controller Staffing Challenges as Air Traffic Operations Return to Pre-Pandemic Levels at Critical Facilities
No. 1 to FAA

Complete a comprehensive review of the model for distribution of certified professional controllers (CPCs) for air traffic control facilities and update interim CPC staffing levels as necessary.

No. 2 to FAA

Implement a new labor distribution system that includes features such as timekeeping, overtime and Controller-in-Charge tracking, and real-time leave balances.

Audit Report: ST2023034 issued on 06.20.2023
DOT Should Enhance Its Fraud Risk Assessment Processes for IIJA-Funded Surface Transportation Programs
No. 1 to OST

Require OAs to regularly assess fraud risks for each program; tailor their assessments based on factors such as size, resources, maturity, and experience in managing risks; and include relevant stakeholder input.

No. 2 to OST

Provide guidance to OAs on how to identify and assess fraud risks in their programs, including guidance on specific tools, methods, and sources for gathering information about fraud risks. This guidance should also address the leading practices for identifying and assessing the likelihood and impact of inherent fraud risks, determining fraud risk tolerance, examining the suitability of existing controls, prioritizing residual fraud risks, and documenting the program’s fraud risk profile to inform managers’ decisions on their responses to assessed risks.

Audit Report: ST2023032 issued on 05.31.2023
PHMSA Established an Effective Integrated Inspection Program but Needs To Strengthen Guidelines To Mitigate Risks
No. 1 to PHMSA

Update the Integrated Inspection User’s Manual to reflect current processes and systems used and clarify requirements for system profiles.

No. 2 to PHMSA

Develop and implement a plan for ensuring supervisors verify lead inspectors have completed all documentation requirements identified in the Integrated Inspection User’s Manual.

No. 3 to PHMSA

Update RRIM Documentation with an explanation for how pipeline age and manufacturer, volume transported, pressure, seismicity, climate, geology, and demography should or should not be considered as part of the Risk Ranking Index Model.

Audit Report: ST2023031 issued on 05.31.2023
NHTSA Has Not Fully Established and Applied Its Risk-Based Process for Safety Defect Analysis
No. 1 to NHTSA

Assess timeliness goals by: a. Determining whether its current timeliness goals are realistic and attainable and, if necessary, revising those goals. b. Developing and implementing a plan for meeting timeliness goals.

Closed on 09.01.2023
No. 2 to NHTSA

Develop and implement procedures for conducting audit query and timeliness query investigations.

No. 3 to NHTSA

Develop and implement a system of accountability to improve ODI’s compliance with processes, including: a. Notifying petitioners regarding the decision to grant or deny petitions within 120 days; b. Documenting timely supervisory review of documents and related analyses during the pre-investigative and investigative processes and conducting timely reviews of manufacturer-provided data; c. Developing and following a written plan for all phases of investigations; and d. Documenting substantive pre-investigative and investigative-related communication with manufacturers.

No. 4 to NHTSA

Develop and implement improved procedures for ensuring investigation documentation is uploaded to the public website, including: a. Establishing timelines for ensuring all required documents are posted; b. Identifying documents missing from the public website and mitigating the backlog; c. Assigning responsibilities between the Correspondence Research Division and investigators; and d. Establishing timelines for contractors to redact information.

No. 5 to NHTSA

Revise Information Request (IR) procedures to ensure consistent application by each of the divisions, and develop a system of accountability to ensure compliance with the revised procedures when: a. Issuing and approving a manufacturer-requested IR letter response extension; and b. Requesting information from manufacturers.

No. 6 to NHTSA

Develop and implement procedures for the planned integrated information system including a user guide for how to document decisions, actions taken, and communication with stakeholders, as well as where to store specific pre-investigative and investigative documentation.

No. 7 to NHTSA

Complete expeditious integration of the information systems for pre-investigation and investigation processes, including data migration.

No. 8 to NHTSA

Develop and implement a consistent procedure to govern ODI’s practice of negotiating a resolution of potential safety defects with manufacturers.

Closed on 09.01.2023
No. 9 to NHTSA

Develop and implement a requirement that all information used to support decisions made during the pre-investigative and investigative processes are documented and retained, including the supporting information for safety defect analyses and related briefings.

No. 10 to NHTSA

Develop and implement guidance for determining which issues investigators should present at Hot Issues meetings based on ODI’s risk-based analysis process.

No. 11 to NHTSA

Reconcile the risk matrix and issue escalation procedures and establish specific guidance on when an investigation should be opened.

No. 12 to NHTSA

Develop a definition of high-interest topics and the actions needed to address these issues.

Audit Report: ZA2023030 issued on 05.24.2023
Fragmented Processes Weaken DOT’s Accountability for Contractor Employee PIV Cards
No. 1 to OST

Verify that each OA has a documented process in place to confirm that required PIV card-related security clauses are included in all applicable DOT contracts prior to award.

No. 2 to OST

Establish, document, and implement a process for the Department to track contractor employees’ PIV cards and record the dates the cards are collected and deactivated.

No. 3 to OST

Designate in writing points of accountability for overseeing the entirety of contractor employee PIV card collection and deactivation processes.

No. 4 to OST

Update or supplement the DOT PIV Card Program Order to define “promptly” in all uses throughout the Order.

No. 5 to OST

Develop and implement required annual training for all staff involved in contractor employee PIV card processes and a procedure to verify the training has occurred. The training attendees should include all staff listed in the DOT PIV Card Program Order who could potentially be involved and anyone else an individual OA assigns to this task.

No. 6 to OST

Update or supplement the DOT PIV Card Program Order to address the deactivation process in all instances where PIV cards are no longer needed. This should include establishing the accountable officials as well as concrete metrics when deactivation should occur from when the card is no longer needed.

Audit Report: SA2023026 issued on 05.03.2023
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending March 31, 2023
Closed on 05.30.2023
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$14,886,138
No. 2 to OST

Determine the allowability of the questioned transactions and recover $14,886,138, if applicable.

Audit Report: AV2023027 issued on 05.02.2023
Opportunities Exist for FAA To Strengthen Its Workforce Planning and Training Processes for Maintenance Technicians
No. 1 to FAA

Establish and implement a maintenance technician workforce plan that considers factors such as average training time, training requirements, and staffing turnover for a period longer than 1 year.

No. 2 to FAA

Update and implement a formal process that better defines roles and responsibilities and establishes improved communication and collaboration among the stakeholders responsible for maintenance technician training, including Technical Operations, Technical Training, and the FAA Academy.

No. 3 to FAA

Develop and implement a process that includes defined roles and responsibilities for the groups within Technical Training responsible for the management of training solution procurements.

No. 4 to FAA

Update and implement a formal process to periodically evaluate training course feedback from maintenance technicians, generate regular reports for FAA Technical Training management’s review, and share the lessons learned to improve future course content and delivery.

Audit Report: AV2023025 issued on 04.26.2023
FAA Has Completed 737 MAX Return to Service Efforts, but Opportunities Exist To Improve the Agency’s Risk Assessments and Certification Processes
No. 1 to FAA

Document the process by which key safety decisions, such as a potential grounding of an aircraft fleet, are made when the Agency identifies that urgent action is necessary.

No. 2 to FAA

Revise the Transport Airplane Risk Assessment Methodology (TARAM) handbook to incorporate current safety data, including available international data when appropriate.

No. 3 to FAA

Review the TARAM handbook’s quantitative safety guidelines to determine if they still meet the Agency’s needs, and implement identified corrections as appropriate.

No. 4 to FAA

Formalize training requirements for engineers responsible for completing TARAM analysis, as well as managers responsible for reviewing the analysis.

No. 5 to FAA

Review the TARAM and Transport Airplane Safety Manual (TASM), address any identified key differences between the two documents, and integrate TASM into TARAM when appropriate.

No. 6 to FAA

Incorporate integrated System Safety Assessments into regulations or Agency guidance for future transport category airplane certification projects.

No. 7 to FAA

Identify lessons learned related to the application of the 737 MAX recertification and the Continued Operational Safety process that have not yet been addressed and include them into airplane certification and safety evaluation processes.

Audit Report: AV2023024 issued on 04.12.2023
FAA’s Office of Investigations and Professional Responsibility Needs To Enhance Internal Controls for Conducting Administrative Investigations
No. 1 to FAA

Require AXI to develop a process to collect and share best practices for investigators in compliance with AXI guidance.

No. 2 to FAA

Revise Security and Hazardous Materials Safety Order 1600.20 guidance to avoid overlap or contradiction with similar procedures contained in FAA Order 1600.38.

No. 3 to FAA

Revise AXI’s guidance to clarify that investigators should pursue administrative investigations when OIG declines cases for criminal referral.

No. 4 to FAA

Develop and publish roles and responsibilities for the AXI deputy director position.

No. 5 to FAA

Develop and implement procedures for investigators to electronically record interviews in accordance with FAA’s Human Resources Policy Manual requirements.

No. 6 to FAA

Develop and implement a management control to credit and account for Agency and non-Agency investigator training courses in AXI’s electronic training system.

No. 7 to FAA

Develop and implement an internal control to ensure that only the management official with requisite signature authority signs for investigative reports.

No. 8 to FAA

Develop and implement procedures consistent with DOT Order 8000.8A to ensure investigators consistently send criminal cases to the Internal Investigations Division Manager and coordinate with OIG’s Office of Investigations on the referral process.

No. 9 to FAA

Develop and implement a management control to require the Internal Investigations Division Manager to track cases that have been rejected by the Internal Investigations Division (AXI-100).

No. 10 to FAA

Develop procedures to ensure the Investigations Standards and Policy Division (AXI-200) maintains auditable documentation, in accordance with established Agency retention periods, to support findings identified in its annual reports of AXI-100 investigation procedures.

No. 11 to FAA

Develop and implement a management control to ensure AXI-200 complies with its Program Reviewer Guide requirements to (a) prepare annual reports, (b) conduct the required number of annual reviews of AXI investigative operations, (c) use consistent investigative and reporting criteria, and (d) identify investigation case numbers when reporting its evaluation of AXI-100’s investigative operations.

Audit Report: SA2023023 issued on 03.22.2023
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending December 31, 2022
Closed on 05.19.2023
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$5,538,037
No. 2 to OST

Determine the allowability of the questioned transactions and recover $5,538,037, if applicable.

Audit Report: ZA2023022 issued on 03.15.2023
DOT Faces Challenges in Meeting Federal CPARS Reporting Guidance
No. 1 to OST

Develop and implement procedures to monitor Operating Administrations’ (OA) compliance with the 30-day registration requirement in accordance with the Transportation Acquisition Manual (TAM).

No. 2 to OST

Update the TAM to require that contractor performance assessments be completed within 120 calendar days in accordance with the Contractor Performance Assessment Reporting System (CPARS) guide.

No. 3 to OST

Develop and implement procedures to ensure those OAs without internal CPARS guidance have them established in compliance with TAM 1242.1503(a)(1).

No. 4 to OST

Update the TAM to require each OA to develop and implement guidance to address turnover in CPARS staff as well as ensure departing personnel complete interim assessments.

No. 5 to OST

Update the TAM to require CPARS role- and function-based training for all users not currently cited, including Alternate Focal Points and Assessing Official Representatives.

No. 6 to OST

Update the TAM to require each OA to develop and implement guidance to assist OA CPARS officials in managing assessment disagreements with contractors.

No. 7 to OST

Adopt a process to conduct periodic assessments to identify shortfalls and projected needs in CPARS training.

No. 8 to FAA

Develop and implement procedures to monitor compliance with the 30-day registration requirement.

Closed on 11.09.2023
No. 9 to FAA

Update the Acquisition Management System to require CPARS training for all personnel who have CPARS responsibilities.

No. 10 to FAA

Conduct an assessment of CPARS user training and develop and implement plans to meet identified needs, including training geared to assisting CPARS officials in developing skills for managing disagreements with contractors.

Audit Report: FS2023020 issued on 02.28.2023
FAA Can Strengthen Its Oversight of the AIP Acquired Noise Compatibility Land Program
$2,077,796
No. 1 to FAA

Develop and implement procedures to verify that airport sponsors have provided evidence satisfactory to FAA that the airport sponsor has or will obtain good title to land, prior to requesting reimbursement for costs associated with noise compatibility land acquisition. Implementing this recommendation could put up to $2,077,796 in funds to better use by requiring that only costs associated with completed noise land acquisitions are reimbursed.

No. 2 to FAA

Develop and implement a process to require airport sponsors to certify that noise exposure maps are a reasonable representation of current and/or future conditions at the airport at the time of grant award.

No. 3 to FAA

Update the Noise Land Management and Requirements for Disposal of Noise Land or Development Land Funded with AIP policy to establish a reasonable schedule for FAA Airport District Offices and Regional Offices to review Noise Land Inventory and Reuse Plans for accuracy and consistency with FAA policy.

No. 4 to FAA

Update and implement procedures to require airport sponsors to maintain Noise Land Inventory and Reuse Plans in electronic format available for FAA review, upon request.

$38,530,768
No. 5 to FAA

Require all airport sponsors that have acquired noise land to identify noise land eligible for disposal via sale and verify that noise land sales revenues are used in accordance with Federal law. Based on our review of five airports, implementing this recommendation could put up to $38,530,768 in funds to better use by generating revenue that could be reinvested in the program.

No. 6 to FAA

Update guidance to clarify for airport sponsors when noise land should be considered no longer needed for eligible current or planned airport purposes and disposed of in accordance with FAA policy.

No. 7 to FAA

Update guidance for Noise Land Inventory and Reuse Plans to require that the Noise Land Inventory include original acquisition dates, estimated or final completion dates for proposed or completed methods of disposal, and the date of FAA approval.

$66,160
No. 8 to FAA

Update guidance for Noise Land Inventory and Reuse Plans to require that the Noise Land Inventory include the Federal share of the sale price at the time of sale and how sales proceeds were used. Implementing this recommendation could put up to $66,160 in funds to better use by properly accounting for noise land disposal proceeds in accordance with Federal law.

No. 9 to FAA

Require the Rhode Island T.F. Green International Airport, Phoenix Sky Harbor International Airport, and Harry Reid International Airport to develop and submit for FAA’s approval current Noise Land Inventory and Reuse Plans after implementation of recommendations 4, 7, and 8.

Audit Report: SA2023019 issued on 02.15.2023
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending September 30, 2022
Closed on 05.23.2023
No. 1 to OST

Coordinate with impacted OAs to develop corrective action plans to resolve and close current and repeat findings highlighted in this report.

$3,546,767
No. 2 to OST

Determine the allowability of the questioned transactions and recover $3,546,767, if applicable.

Audit Report: QC2023016 issued on 02.08.2023
Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2022 and 2021
No. 1 to OST

KPMG recommends that DOT OCIO management revise the website containing the policy documentation to ensure all documents are consistent and contain the same listing of required controls for moderate-impact systems.

No. 2 to OST

KPMG recommends that DOT OCIO management should document any Department-wide tailoring decisions within the appropriate security documentation, as required by NIST.

No. 3 to OST

KPMG recommends that DOT OCIO management should define and document control tailoring requirements for the Department and its Operating Administrations.

No. 4 to OST

KPMG recommends that DOT OCIO management ensure that the process for provisioning privileged database system administrator accounts supporting the Federal Highway Administration’s grant system is performed in accordance with DOT policies.

No. 5 to FAA

KPMG recommends that ESC management create monitoring procedures over the existing management review of the JV control logs monthly reconciliation to ensure the consistent operation of the control, as defined within policy.

No. 6 to OST

KPMG recommends that OST-CFO management revise its accounting process to accrue TIFIA interest each period or document its current process as a non-GAAP policy and perform an annual materiality assessment to determine the annual impact of the unaccrued interest policy.

No. 7 to OST

KPMG recommends that OST-CFO management should perform a review of OST-CFO’s accounting policies and procedures as a control activity over the completeness of non-GAAP policies and procedures and update the non-GAAP listing and assessment accordingly.

No. 8 to OST

KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the relevant control objectives, related controls, and rationale for non-relevant control objectives and controls.

No. 9 to OST

KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the relevant complementary end user controls designed and implemented by DOT.

No. 10 to OST

KPMG recommends that OST management implement policies and procedures to strengthen their process to timely assess applicable third-party service organization reports such as consistently identifying and documenting the criteria used by management to evaluate the results of the service organization controls report and related findings.

No. 11 to FTA

KPMG recommends that FTA management design and implement controls to track the status of Treasury warrant requests to ensure that the warrants are recorded in the financial system timely when processed.

No. 12 to FTA

KPMG recommends that FTA management perform a review for the completeness of the financial statements provided to OST, including reviews for transactions recorded subsequent to the OST reporting date.

Audit Report: QC2023018 issued on 02.08.2023
Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Financial Statements for Fiscal Years 2022 and 2021
No. 1 to FAA

KPMG recommends that FAA management design and implement formal detective controls to log and monitor developer activities in the time and attendance production environment. All programmatic changes to the time and attendance production environment should be reviewed and reconciled from the logs to the approved change tickets.

No. 2 to FAA

KPMG recommends that FAA management review and re-certify the FAA procurement system PTA in accordance with FAA policy.

No. 3 to FAA

KPMG recommends that FAA management perform a risk assessment to consider the potential impact of discrepancies between vendor-submitted invoice web portal amounts and the vendor-submitted supporting documentation, and respond to the level of risk identified as appropriate.

No. 4 to FAA

KPMG recommends that FAA management communicate the importance of its existing financial system goods and services acceptance processes, policies, and procedures with its CORs.

No. 5 to FAA

KPMG recommends that FAA management quantify the impact of the non-GAAP assumption and record it as a part of their estimate if deemed material.

No. 6 to FAA

KPMG recommends that FAA management update policies and procedures for the environmental remediation estimate to ensure that all methodology assumptions are documented.

No. 7 to FAA

KPMG recommends that FAA management clarify its General Property, Plant & Equipment accounting policies for real property improvements to further document management’s criteria and considerations for capitalizing costs relating to building components typically expensed by FAA during the asset lifecycle.

No. 8 to FAA

KPMG recommends that FAA management assess the nature of its FIA and Modernization costs incurred to document the specific criteria distinguishing the nature of these programs’ costs from other programs’ costs.

No. 9 to FAA

KPMG recommends that FAA management continue to consider the appropriateness of its policies for real property, including improvement criteria, capitalization thresholds, and estimated useful lives, particularly for its fully depreciated real property.

No. 10 to FAA

KPMG recommends that FAA management assess the risks associated with recording UCOs with Advance within its business process, and design and implement a control activity to ensure timely and accurate recording of UCOs with Advance for which an advance payment associated with the RA has been received.

No. 11 to FAA

KPMG recommends that FAA management design and implement controls to perform a risk assessment for instances in which an AIP grant agreement remains open only for non-financial administrative or compliance requirements and respond to the risk of untimely deobligation of grant UDOs.

No. 12 to FAA

KPMG recommends that FAA management design and implement controls to ensure that the population generated to support the disclosure of future minimum lease payments is complete and accurate.

No. 13 to FAA

KPMG recommends that FAA management develop policies to define the scope of the lease disclosure.

No. 14 to FAA

KPMG recommends that FAA management design and implement control activities to monitor the effective operation of its process controls related to provisioning new payroll shared service center access requests.

No. 15 to FAA

KPMG recommends that FAA management develop policies and procedures for maintaining completed and authorized payroll shared service center access forms for new user access requests in a secure centralized location.

No. 16 to FAA

KPMG recommends that FAA management design and implement control activities to monitor the effective operation of its process controls related to monitoring FAA employees’ payroll shared service center access.

No. 17 to FAA

KPMG recommends that FAA management take measures to ensure that FAA has sufficient control operator personnel available to support the annual recertification of FAA employees with payroll shared service center access within the reporting timeline prescribed by DOT.

Audit Report: QC2023017 issued on 02.08.2023
Quality Control Review of the Management Letter for the National Transportation Safety Board’s Audited Financial Statements for Fiscal Years 2022 and 2021
No. 1 to NTSB

Allmond recommends that NTSB management enforce the agency’s FPPS user termination process to require the completion and submission of an FPPS User Access Form to the service provider immediately upon separation of all FPPS users from the agency.

No. 2 to NTSB

Allmond recommends that NTSB management work with the service organization to determine why the termination date for the user accounts did not agree with the effective date of the personnel actions for the employee separations.

No. 3 to NTSB

Allmond recommends that NTSB management, at least quarterly, perform a review of all FPPS users. If any separated employees, or any other system users who no longer need access, are identified in the listing, then work with the service organization to determine why this occurred and what actions are necessary to resolve the issue.

Audit Report: ZA2023014 issued on 02.01.2023
DOT’s Oversight Is Not Sufficient To Ensure the City of Seattle Meets Requirements for Managing Federal Transportation Funds
No. 1 to OST

Develop and implement, for each discretionary grant program that relies on cost estimates to establish compliance with program requirements and eligibility, a risk-based process for validating cost estimates prior to the execution of grant award agreements, as well as document the Department's review of the cost estimates.

No. 2 to OST

Direct FHWA and FTA to coordinate with grantees to ensure the City of Seattle develops and implements appropriate internal controls to track Federal funds in accordance with 2 CFR 200.302(b)(1) and (3).

Closed on 09.26.2023
$21,000,000
No. 3 to FHWA

Remove $21 million in lapsed funding identified in this report from FHWA’s unobligated balances. Implementing this recommendation could put $21 million in funds to better use on other transportation programs.  

No. 4 to FHWA

Advise WSDOT as part of stewardship and oversight activities to include change orders in WSDOT's next project management review of SDOT.

No. 5 to FHWA

Direct the FHWA WA Division to review WSDOT's established process of reviewing subrecipients' supporting documentation for internal staffing charges (e.g., billing records, invoices, timecards) to ensure compliance with 2 CFR 200.403.

$753,839
No. 6 to FHWA

Work with WSDOT to collect adequate supporting documentation for $753,839 in internal staffing costs identified by OIG or recover from WSDOT any portion that is determined to be unallowable or unsupported.

Closed on 03.31.2023
No. 7 to FRA

Incorporate change orders as a focus area in FRA’s annual review process.

No. 8 to FRA

Develop and implement policy to evaluate whether to deobligate funds when there is a significant reduction in project costs prior to closeout.

No. 9 to FTA

Include a sample of SDOT's change orders as part of FTA's triennial reviews. In doing so, FTA could better detect and prevent the risk for paying for unapproved change orders.

No. 10 to FTA

Require FTA Region 10 to conduct a review of the City of Seattle's internal controls for supporting documentation of expenditures billed to Federal awards to ensure compliance with 2 CFR 200.403.

$9,946,977
No. 11 to FTA

Recover the $9,946,977 in costs we identified for which SDOT provided incomplete information or provide a justification for accepting the costs.

Closed on 07.14.2023
$3,600,000
No. 12 to FTA

Direct FTA Region 10 to notify WSDOT in writing that the $3.6 million in lapsed funds identified in this report have been credited to the State and are available for other eligible transit projects. Implementing this recommendation could put up to $3.6 million in funds to better use.

Closed on 09.29.2023
$3,800,000
No. 13 to FTA

Require FTA Region 10 to review $3.8 million in inactive funds identified in this report and determine whether they will be used, and if not, deobligated. Implementing this recommendation could put up to $3.8 million in funds to better use.

No. 14 to FTA

Implement procedures and related mechanisms to show when unobligated transferred funds are obligated and to what projects.

Audit Report: QC2023015 issued on 02.01.2023
Quality Control Review of the Management Letter for the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2022 and 2021
No. 1 to STB

STB perform a review of all employees’ leave balances to ensure they are accurate and comply with 5 United States Code (U.S.C.) § 6304 requirements.

No. 2 to STB

STB work with its payroll service provider to determine and address the cause of the error.

No. 3 to STB

STB perform a review of the identified employee’s leave balances (i.e., beginning balance, leave accrued/taken, and ending balance) for each year since the error first occurred in order to recalculate the employee’s corrected leave balance.

No. 4 to STB

Management record all equipment purchases that meet its capitalization thresholds as capitalized assets. If the acquired property is not ready to be placed into service, then that property should be classified as Construction in Progress or Other General Property, Plant and Equipment, depending on the circumstances that apply to the purchased items at that time.

No. 5 to STB

Management regularly assess all capitalized property and identify assets that require reclassification, such as when assets are being placed into, or taken out of, service.

No. 6 to STB

Management update its financial reporting and property management policies and procedures to include the recording of new capitalized purchases in accordance with generally accepted accounting principles.

Audit Report: PT2023013 issued on 01.25.2023
FAA’s Office of Audit and Evaluation Adheres to Investigative Practice Standards but Lacks Comprehensive Standard Operating Procedures
No. 1 to FAA

Establish and implement comprehensive written investigative policies and procedures for whistleblower investigations conducted by AAE that address best practice investigation standards in the areas of Qualifications, Independence, Due Professional Care, Planning, Execution, Reporting, and Information Management.

No. 2 to FAA

Establish and implement a methodology for sufficiency reviews that provides greater tracking and documentation controls.

Closed on 03.24.2023
No. 3 to FAA

Hire additional staff, as planned, for the Office of Whistleblower Ombudsman.

No. 4 to FAA

Revise FAA Order 1100.167B to readjust duties that are inconsistent with the limitations established by the Aircraft Certification, Safety, and Accountability Act of 2020.

Audit Report: ST2023012 issued on 01.17.2023
FHWA Has Made Progress Implementing a Tunnel Safety Program, but Work Remains To Complete a Reliable Inventory, Fully Assess Compliance, and Effectively Monitor Critical Risks
No. 1 to FHWA

Revise the October 2015 guidance on structures subject to the national tunnel inspection standards to clarify which structures align with the definition of a tunnel and explain how potential non-tunnel structures conflict with the definition.

No. 2 to FHWA

Issue guidance for FHWA Divisions on how to verify that State DOTs, Federal agencies, and tribal governments have reported all highway tunnels to the national tunnel inventory; and for informing those stakeholders of methods they could employ to identify all structures considered to be highway tunnels.

No. 3 to FHWA

Implement comprehensive procedures on the processing and publishing of national tunnel inventory data, including controls to reduce data errors.

Closed on 11.13.2023
No. 4 to FHWA

Issue a report to Congress on the national tunnel inventory and consult with the relevant Congressional committees about the intent of the statutory provision to provide subsequent annual reports.

No. 5 to FHWA

Identify feasible improvements to the presentation of national tunnel inventory data on the Agency’s website to facilitate the public’s understanding and use of the data, and develop a plan to implement them.

No. 6 to FHWA

Document the quality control and quality assurance processes, incorporate controls to ensure that all tunnel program compliance determinations adhere to the applicable compliance criteria, and communicate the processes to all relevant program and Division staff.

No. 7 to FHWA

Assess the process for conducting compliance reviews of other Federal agencies and implement any recommended changes to ensure the reviews are effectively staffed and sufficiently independent.

No. 8 to FHWA

Implement minimum training requirements for FHWA staff responsible for conducting tunnel safety program compliance reviews.

No. 9 to FHWA

Update the tunnel safety program compliance review manual to incorporate existing review process flexibilities, such as when unusual or unique circumstances impact tunnel inspection intervals.

No. 10 to FHWA

As part of the next update to the tunnel safety program compliance review manual, solicit and consider external stakeholder input on the Agency’s review procedures to include States, Federal agencies, and interested and knowledgeable private organizations and individuals.

No. 11 to FHWA

Update the guidance for the national critical findings database to clarify its scope and incorporate comprehensive controls for ensuring the quality of the reported data. Solicit external stakeholder input in developing the updated guidance and communicate it to all stakeholders.

No. 12 to FHWA

Communicate noteworthy practices on the critical findings process for tunnels and work with stakeholders to improve the guidance on which structural and safety deficiencies align with the definition of a critical finding.

Audit Report: AV2023011 issued on 01.11.2023
FAA Has Taken Steps To Validate Its Air Traffic Skills Assessment Test but Lacks a Plan To Evaluate Its Effectiveness
No. 1 to FAA

Establish a plan for evaluating the ATSA's effectiveness.

Audit Report: FS2023010 issued on 12.19.2022
The Build America Bureau Has Not Established Adequate Controls To Oversee Its TIFIA Program
No. 1 to OST

Develop and implement procedures to comply with the TIFIA statute to issue loan application related notifications no later than 30 and 60 calendar days after receipt.

No. 2 to OST

Develop and implement procedures for timely collection of servicing fees and advisor fees in accordance with TIFIA program requirements.

No. 3 to OST

Develop an accurate reporting system to identify and monitor payments not received on the date they are due.

$200,000
No. 4 to OST

Reimburse the $200,000 advisor fee overpayment referenced in this report.

$40,500
No. 5 to OST

Collect the $40,500 in unpaid fiscal year 2019 servicing fees referenced in this report.

No. 6 to OST

Develop and implement a uniform policy identifying what documentation borrowers must submit with requisition request and disseminate to Operating Administrations.

Closed on 03.06.2023
$294,000,000
No. 7 to OST

Provide supporting documentation for the transactions related to the $294 million in unsupported costs we identified, and collect all unsupported costs or identify the Bureau’s rationale for accepting them.

No. 8 to OST

Develop and implement a process for revoking access to Bureau systems for separating Bureau employees.

Closed on 06.02.2023
No. 9 to OST

Revoke access to the shared drive for the eight individuals identified in the report.

Closed on 09.22.2023
No. 10 to OST

Assign the responsibility for updating the Bureau’s website to accurately reflect the TIFIA loan portfolio.

Audit Report: QC2023005 issued on 11.14.2022
Quality Control Review of the Independent Auditor’s Report on the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2022 and 2021
No. 1 to STB

STB management should review the current version of the Office of Management and Budget (OMB) Circular A-136 to independently verify that all required footnotes are included and bring any omissions to the service provider’s attention so that errors or omissions can be corrected.

No. 2 to STB

STB management should review the service provider’s Financial Statement and Notes Review Checklist to verify that the checklist is up to date and includes all required elements per OMB and Treasury guidance and then complete the checklist independently. Alternatively, STB management should develop and complete its own review checklist based on current Treasury and OMB reporting requirements.

No. 3 to STB

STB management should request its financial management service provider to: Reevaluate the inclusion of account balances that were excluded in the Other Liabilities footnote, or Disaggregate (i.e., separately report) intragovernmental other liabilities balances reported as a single line item on the balance sheet that are not included in the footnote so that the total amounts reported for Other Liabilities on the Balance Sheet and in the footnote agree.

No. 4 to STB

STB management should ensure that its review process includes procedures to disaggregate material balances reported in the financial statements and footnotes, agree balances to source documents, agree the footnotes to the principal financial statements, and verify the mathematical accuracy of all statements and schedules included in the financial statement package.

No. 5 to STB

STB should perform routine reviews of employee benefit elections and Official Personnel Folders (OPFs) to ensure they are complete and accurate.

No. 6 to STB

STB should address missing or unavailable supporting documentation with its shared service provider to ensure that document retrieval tools are available and are working properly to allow retrieval of all stored documents.

No. 7 to STB

STB should obtain replacement documentation for employee forms and other documentation that has been determined to be incomplete or irretrievable from databases and other electronic sources.

Audit Report: QC2023007 issued on 11.14.2022
Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2022 and 2021
No. 1 to FAA

KPMG recommends FAA design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.

No. 2 to FAA

KPMG recommends FAA design and implement procedures to consistently and timely notify account administrators of separations as required by internal policy.

Audit Report: ST2023001 issued on 10.12.2022
FTA Can Enhance Its Controls To Mitigate COVID-19 Relief Funding Risks
Pandemic Oversight
No. 1 to FTA

Design or redesign control activities for the four risks that have not been fully addressed and that FTA still deems as applicable. These are: a.) Risk of Fraud or Abuse, b.) Recipients May Attempt to Use Funding for a Non-Operating Expense Even Though They Have Furloughed Staff, c.) Private Sector Operators Are Now Eligible to Become Sub-recipients and d.) Limited Capacity of Current Oversight Contracts.

Closed on 05.11.2023
Pandemic Oversight
No. 2 to FTA

Document the determination that four of the risk areas in the August 2021 Internal Control Plan are no longer risks; therefore, additional controls are not necessary. These are: a. Pace/Speed of Obligations and Disbursements, b. Guidance and Instructions Related to the Use of COVID-19-Relief Funding, c. Risks Between Programs and d. Notification for Large Drawdown Requests.

Audit Report: QC2022042 issued on 09.28.2022
Quality Control Review on the Independent Auditor’s Report on the Assessment of DOT’s Information Security System Program and Practices
No. 1 to OST

The Department should ensure that adequate resources are made available and are prioritized to validate the accuracy and completeness of asset inventory counts prior to submission to the Department of Homeland Security (DHS) as part of CIO FISMA Metrics.

No. 2 to OST

Coordinate with the components to develop or revise their plans to fully transition the remaining information systems to enable and enforce PIV, except those that are subject to exclusions that are documented and approved.

No. 3 to OST

FAA should develop and implement procedures to perform periodic reviews of mobile devices to ensure non-compliant mobile devices are upgraded to the current operating system release.

No. 4 to OST

Strengthen processes to ensure privileged account reviews are completed and privileged account activities are logged and periodically reviewed, in accordance with DOT policy.

No. 5 to OST

In coordination with the OA system owners, complete DOT’s plans to implement existing solutions where possible and create a plan to address all exceptions where there is not a current solution for encryption of data at rest and in transit.

No. 6 to OST

In coordination with the OA system owners, complete the deployment of DOT’s data loss prevention controls to include the utilization or activation of enhanced DLP features available within existing tools and to develop and implement policies and procedures which eliminate or restrict the ability of users to connect mass storage devices to DOT networks and systems.

No. 7 to OST

Enhance current procedures to implement and require the retention of records to track when computer media are sanitized prior to disposal or reuse and implement procedures to validate the remediation of computer media that have failed media sanitization upon return to DOT.

No. 8 to OST

In coordination with the OA system owners, strengthen DOT’s oversight of the contingency planning processes to ensure contingency planning documentation is developed, updated, and tested in a timely manner, in accordance with policy.

Audit Report: IT2022040 issued on 09.28.2022
DOT Has Made Progress Meeting the Requirements of the Geospatial Data Act of 2018
Closed on 10.03.2023
No. 1 to OST

The Director of Bureau of Transportation Statistics complete and implement the DOT Geospatial Standards Implementation Plan in accordance with section 756(b) of the Geospatial Data Act of 2018.

Audit Report: AV2022041 issued on 09.28.2022
FAA Has Made Progress on a UAS Traffic Management Framework, but Key Challenges Remain
No. 1 to FAA

Establish a process that requires FAA to review the UTM Pilot Program and Field Test results and determine whether the results can inform rulemaking, the final implementation plan, concept of operations documents, and the FAA BEYOND program.

No. 2 to FAA

Implement enhanced processes for communicating UTM information to update industry stakeholders on FAA’s plans for UTM implementation as well as ongoing efforts.

Closed on 07.28.2023
No. 3 to FAA

Develop milestones for near-term UTM efforts and broader timelines for when FAA expects to implement policies and processes for reviewing and approving UTM technologies and capabilities, and establish a process for measuring and updating progress with achieving the milestones.

No. 4 to FAA

Document FAA’s plan for continued collaboration with NASA and other Federal Agencies regarding ongoing and future UTM activities.

Audit Report: ZA2022039 issued on 09.20.2022
Weaknesses in DOT’s ITSS Award and Invoice Processes Increase the Risk of Inefficiencies During Acquisitions of Critical IT Products and Services
No. 1 to OST

Provide written procedures and guidance documenting requirements and steps, based on the size and scope of the procurement need, that staff in the Office of the Chief Information Officer (OCIO) should follow when requesting a new or extension of an ITSS award. This documentation should include standard lead times for required steps and submitting complete procurement packages to the contracting staff to help prevent any lapses in contract vehicles.

No. 2 to OST

Implement a process to verify OCIO staff comply with the written procedures and guidance provided in recommendation one.

Closed on 09.28.2022
$525,000,000
No. 3 to OST

Implement a process for verifying that an independent government cost estimate is completed prior to the award of an ITSS contract vehicle, in compliance with DOT requirements. Implementing this recommendation could put up to $525 million in Federal funds to better use by improving the Department’s ability to establish ITSS contract vehicle pricing that is fair, reasonable, and realistic.

$956,781
No. 4 to OST

Provide support for or recover the $956,781 the Department paid on its ITSS contract vehicles based on contractor hours and materials billed without appropriate support.

$132,899
No. 5 to OST

Provide support for or recover the $132,899 the Department paid based on contractor hours billed that did not align with the ITSS contract vehicle terms.

Closed on 09.28.2022
$412
No. 6 to OST

Recover the $412 improper payment for 5 hours of excessive contractor charges billed and paid under the Non-Core Telecommunications Services ITSS contract vehicle.

$40,270
No. 7 to OST

Validate the remaining $40,270 in excessive contractor charges billed and paid under the Non-Core Telecommunications Services ITSS contract vehicle, and recover the amount improperly paid.

No. 8 to OST

Implement a process for contracting regular, risk-based reviews of a sample of ITSS vehicle time and material type invoices to verify that contractor charges are accurate and reasonable. This procedure should apply to all ITSS invoices, including those funded directly by DOT Operating Administrations (OA).

No. 9 to OST

Establish and implement written guidance on steps and techniques for reviewing ITSS contract vehicle invoices. The suggested steps and techniques should be tailored to address specific risks associated with the vehicle, including the scope and contract type. This guidance should apply to reviews of all ITSS invoices, including those funded directly by the OAs.

Audit Report: ST2022037 issued on 09.20.2022
DOT Can Improve Processes for Evaluating the Impact of Time Zone Changes and Promoting Uniform Time Observance
Closed on 03.15.2023
No. 1 to OST

Evaluate the convenience of commerce questions to determine whether they reflect modern commerce-related impacts of time zone changes and, if necessary, update them.

No. 2 to OST

Develop and implement guidance for collecting and validating information on the impact of proposed time zone changes that constitutes the best and most relevant evidence.

No. 3 to OST

Conduct a study and provide a summary of findings to the public on whether non-uniform adoption and observance of time zones and DST is a problem nationwide.

Closed on 02.14.2023
No. 4 to OST

Review time zone and DST-related content on the following DOT websites to identify errors and make corrections.
DOT website “Daylight Saving Time.”
DOT website “Uniform Time.”
BTS website “History of Time Zones.”
BTS website “History of Daylight Savings Time.”

Closed on 05.09.2023
No. 5 to OST

Develop and implement a process for maintaining and, when boundaries in the regulations change, updating a publicly available map and GIS dataset showing precise time zone boundaries.

Audit Report: SA2022035 issued on 08.03.2022
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending June 30, 2022
Closed on 10.25.2022
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted.

$7,148,093
No. 2 to OST

Determine the allowability of the questioned transactions and recover $7,148,093, if applicable.

Audit Report: AV2022034 issued on 07.27.2022
FAA Has Opportunities To Better Inform International Pilot Training for Boeing Aircraft Through Enhanced Transparency and Oversight
Closed on 08.02.2022
No. 1 to FAA

Develop and implement procedures to document within Flight Standardization Board reports the experience level of pilots used to establish pilot training recommendations.

No. 2 to FAA

Develop and implement a process to evaluate existing Boeing airplane flight manuals to determine whether they contain required normal, non-normal, and emergency procedures that are necessary for the safe operation of the aircraft. Within this process, include methods to determine what corrective actions are needed if deficiencies are identified.

No. 3 to FAA

Develop and implement a documented process to identify what information manufacturers must include in airplane flight manuals.

No. 4 to FAA

Develop guidance for air carriers to support the development and implementation of automation management policies. Following publication of the guidance, validate that air carriers' policies, procedures, and training are consistent with the new guidance.

Audit Report: ST2022031 issued on 07.20.2022
Opportunities Exist for FHWA To Strengthen Its Oversight of Contract Change Orders Under the Federal-aid Highway Program
No. 1 to FHWA

Enhance the Fiscal Management Information System or develop an agency-wide data management process to provide FHWA personnel with access to change order information for performing their oversight, which includes identifying and monitoring change orders.

No. 2 to FHWA

Evaluate and revise as necessary the Agency processes, including Compliance Assessment Program reviews, to include an oversight methodology that can generate accurate, statistically valid, and representative compliance results for change orders.

No. 3 to FHWA

Develop and implement guidance for use by FHWA and States that a. includes a consistent definition of "change order," b. delineates the differences between a major change and a significant change; and c. further clarifies what may constitute a major change.

No. 4 to FHWA

Update FHWA's Contract Administration Core Curriculum Manual, dated October 2014, to clearly reflect that FHWA may assign its change order approval responsibilities to State DOTs through Stewardship and Oversight Agreements.

No. 5 to FHWA

Develop and implement internal guidance for the Agency's Program Review Library to clearly define the terms "formal report" and "substantive report."

No. 6 to FHWA

Establish clear roles and responsibilities to verify that FHWA Division Offices monitor and track their reports and associated findings and recommendations related to change orders.

Audit Report: AV2022032 issued on 07.18.2022
FAA Quickly Awarded CARES Act Funds but Can Enhance Its Oversight Approach To Promote Effective Stewardship
Closed on 04.05.2023
Pandemic Oversight
No. 1 to FAA

Assess the risk of improper payment for debt service, payroll, operating and maintenance expenses, and CARES Act reimbursement requests, and revise FAA's policy on supporting documentation requirements to account for risk level.

Closed on 08.02.2022
Pandemic Oversight
$271,234,899
No. 2 to FAA

Request supporting documentation for the transactions related to the $271 million in unsupported costs we identified, and collect all unsupported costs or identify FAA's rationale for accepting them.

Closed on 08.02.2022
Pandemic Oversight
$85,817,209
No. 3 to FAA

Assess transactions related to the $85 million we identified in grant recipients' improper use of funds due to noncompliance with law or ineligible use of funds, and recover unallowable reimbursements.

Closed on 09.30.2022
Pandemic Oversight
$3,300,656
No. 4 to FAA

Recover the $3.3 million for services rendered or payment that was due prior to the allowable period.

Closed on 01.04.2023
Pandemic Oversight
No. 5 to FAA

Develop and implement a plan to encourage recipients to expend CARES Act funds.

Closed on 01.18.2023
Pandemic Oversight
No. 6 to FAA

Review workforce retention data provided by sponsors, and update records as needed to ensure compliance with law.

Closed on 01.17.2023
Pandemic Oversight
No. 7 to FAA

Develop a plan for implementing future workforce retention requirements as a condition of grants-in-aid based on practices and lessons learned from prior efforts.

Audit Report: FS2022030 issued on 06.27.2022
DOT’s Fiscal Year 2021 Payment Integrity Information Act Compliance Review
No. 1 to OST

Design and implement controls to confirm that its annual PIIA reporting to the Payment Accuracy website is accurate.

No. 2 to OST

Develop and implement a process to verify that population identification procedures used to create the universe for the statistical sampling of improper payments include adequate information, with detailed instructions to reproduce the same results.

No. 3 to OST

Implement a quality assurance process to verify that population identification procedures are followed.

Audit Report: SA2022029 issued on 05.18.2022
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending March 31, 2022
Closed on 09.07.2023
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$3,534,794
No. 2 to OST

Determine the allowability of the questioned transactions and recover $3,534,794, if applicable.

Audit Report: ST2022028 issued on 04.27.2022
FRA Uses Automated Track Inspections To Aid Oversight but Could Improve Related Program Utilization Goals and Track Inspection Reporting
Closed on 08.16.2022
No. 1 to FRA

Update and implement Automated Track Inspection Program (ATIP) fleet utilization performance metric(s) and establish a process to monitor ATIP contractor performance.

Closed on 09.28.2022
No. 2 to FRA

Document the current ATIP survey prioritization process and establish a schedule for running the prioritization tool with updated data.

Closed on 03.22.2023
No. 3 to FRA

Revise the Track and Rail and Infrastructure Integrity Compliance Manual to include specific guidance for inspectors completing ATIP-related inspection reports.

Closed on 03.13.2023
No. 4 to FRA

Modify the programming logic of the Railroad Inspection System for Personal Computers so that the system will accept only correct ATIP-related inspection report entries.

Closed on 03.08.2023
No. 5 to FRA

Develop and implement training for Track Division specialists and inspectors on how to correctly prepare ATIP-related inspection reports.

No. 6 to FRA

Document and implement the track safety inspection planning processes, including guidance to district track specialists and inspectors on data sources that can be used to inform planning (e.g., risk assessment models, planning tools, and ATIP data).

Audit Report: AV2022027 issued on 04.27.2022
FAA Made Progress Through Its UAS Integration Pilot Program, but FAA and Industry Challenges Remain To Achieve Full UAS Integration
No. 1 to FAA

Establish goals, milestones, and performance measures of success for the BEYOND program to guide and track Agency and participants’ progress toward achieving beyond visual line of sight operations.

Closed on 11.01.2023
No. 2 to FAA

Communicate to BEYOND stakeholders how program operational, societal and economic benefit data will be used, analyzed, and shared to inform new policies, safety reviews, and rulemaking, including the rule for UAS operations beyond visual line of sight.

Closed on 11.01.2023
No. 3 to FAA

Implement a process to periodically assess the data collected during BEYOND, annually at a minimum, to determine if it is providing needed information and make adjustments as necessary.

Closed on 06.14.2023
No. 4 to FAA

Provide stakeholders and the general public with non-proprietary information related to BEYOND results via the FAA website or other appropriate means.

No. 5 to FAA

Identify intra-agency points of connection and lines of authority responsible for approving and integrating new UAS technologies, evaluate options to improve working across lines of business, and implement the best option based on the Agency’s evaluation.

No. 6 to FAA

Evaluate the causes of IPP program manager turnover as well as the communication and transfer of knowledge, policies, and procedures to new program managers in the transition process, and implement actions to address those issues in BEYOND.

Audit Report: AV2022026 issued on 03.30.2022
While FAA Is Coordinating With Other Agencies on Counter-UAS, Delays in Testing Detection and Mitigation Systems Could Impact Aviation Safety
No. 1 to FAA

Conduct a UAS detection and C-UAS program assessment that includes a determination of future resource needs and organizational structure based on how to best align those resources.

No. 2 to FAA

Evaluate the UAS detection and C-UAS coordination request process to identify and correct inefficiencies to improve timeliness in anticipation of future program growth.

No. 3 to FAA

Finalize internal UAS detection and C-UAS request processing and document retention guidance.

Audit Report: ST2022025 issued on 03.23.2022
PHMSA Can Enhance Its Hazardous Material Fitness Reviews by Meeting Its Application Processing Goal and Addressing Oversight Gaps
Closed on 05.13.2022
No. 1 to PHMSA

Develop and implement a plan to complete an automated tool for tracking safety profile evaluations.

Closed on 01.03.2023
No. 2 to PHMSA

Conduct a historic analysis and use the results as the basis for timeliness goals for Tier 2 evaluations and Tier 3 inspections in the revised Field Operations Manual.

Closed on 06.28.2023
No. 3 to PHMSA

Develop and implement a plan that updates the interagency agreement for processing approval and special permit applications, including details for conducting Tier 2 evaluations and Tier 3 fitness inspections within the 120-day goal.

Closed on 07.05.2022
No. 4 to PHMSA

Update the various software for processing applications by adding a field for the fitness inspection report number.

Closed on 07.05.2022
No. 5 to PHMSA

Update the Case Management System by adding a field to identify the application tracking number associated with a fitness inspection.

Closed on 07.05.2022
No. 6 to PHMSA

Develop and implement a plan to complete revision of the Field Operations Manual, directing that fitness memorandums include additional information identifying relevant inspections, using quality control items, and conducting risk assessments.

Closed on 08.23.2022
No. 7 to PHMSA

Synchronize the revised Approvals Program Desk Guide and the revised risk-based guidelines for referring foreign cylinder applicants.

Closed on 01.03.2023
No. 8 to PHMSA

Develop and implement a plan to complete an assessment of PHMSA oversight of U.N. Third-Party Packaging Certification Agencies and other independent entities that monitor approval and special permit holders.

Closed on 07.05.2022
No. 9 to PHMSA

Develop and implement guidelines on prioritizing fitness inspections along with other types of inspections.

Closed on 04.17.2023
No. 10 to PHMSA

Develop and implement a mechanism to improve the linking of applicants with incident and enforcement data.

Closed on 07.28.2022
No. 11 to PHMSA

Develop and implement a plan to revise application processing software user guides, with instructions to identify blank automated fitness reports.

Closed on 07.28.2022
No. 12 to PHMSA

Develop and implement a plan to update PHMSA's website on delayed application status with all required data.

Audit Report: FS2022024 issued on 03.23.2022
DOT Does Not Ensure Compliance With All Single Audit Provisions of OMB’s Uniform Guidance
Closed on 04.28.2022
No. 1 to OST

Designate a single audit accountable official (SAAO) responsible for ensuring that the OAs fulfill all the requirements of the Uniform Guidance and provide the official's name and title to OMB.

No. 2 to OST

Require the SAAO to designate a key management single audit liaison to serve as the Federal awarding agency's management point of contact for the single audit process both within and outside the Federal Government and provide the official's name and title to OMB.

No. 3 to OST

Require the SAAO to develop and implement a policy to ensure Operating Administrations (OA) meet Uniform Guidance's requirements for Federal awarding agencies.

No. 4 to OST

Require the SAAO to develop and implement processes to ensure that OAs confirm their recipients' single audits and reporting packages are completed and timely submitted to the Federal Audit Clearinghouse (FAC).

No. 5 to OST

Require the SAAO to develop and implement processes that ensure OAs download single audit reports from FAC's Image Management System and OAs identify and track single audit findings directly related to their programs.

No. 6 to OST

Require the SAAO to develop and implement processes that ensure OAs issue timely management decisions on all single audit findings affecting their programs.

No. 7 to OST

Require the SAAO to develop and implement processes that ensure OAs follow up on single audit findings and verify that OAs' recipients took appropriate and timely corrective actions.

Audit Report: AV2022023 issued on 03.14.2022
FAA Needs Additional Accountability and Transparency in Reporting Performance Measures and Targets for Major System Investments and Environmental Reviews
Closed on 11.09.2023
No. 1 to FAA

Develop and implement a written policy to document the process for adding and removing programs and reporting the names of all the programs tracked in the major system investments performance measure.

Closed on 07.26.2023
No. 2 to FAA

Develop and implement a written policy or procedure to establish an internal control mechanism to identify all major transportation projects on the Federal Infrastructure Permitting Dashboard that should be tracked in the environmental performance measure and document reasons why projects are or are not determined to be major transportation projects.

Closed on 07.26.2023
No. 3 to FAA

Review and update the definition of the types of projects included in major transportation projects, to ensure all major transportation projects are being tracked under the measure.

Audit Report: FS2022022 issued on 02.15.2022
Outdated Policies Hinder FHWA’s Ability To Oversee Unobligated Emergency Relief Funds
No. 1 to FHWA

Direct the Office of Infrastructure to follow the FHWA Emergency Relief (ER) Manual regarding deallocations of unobligated funds.

Closed on 04.03.2023
$5,200,000
No. 2 to FHWA

Identify any balance of allocated quick release funds older than 6 months, that will not be obligated through the remainder of the fiscal year and that are no longer needed, including the unobligated quick release amounts described in this report, withdraw or deallocate as appropriate in accordance with the ER policy. Implementation of this recommendation could put $5.2 million in funds to better use.

No. 3 to FHWA

Update the ER Manual's quick release procedures to clarify the documentation needed for funding approval and the responsibilities to maintain sufficient evidence of required approvals for quick release requests submitted in accordance with emergency relief policy and program requirements.

Closed on 04.03.2023
$1,958,064
No. 4 to FHWA

Instruct the FHWA Texas Division to coordinate with the Texas DOT to deobligate the funds the State no longer needs, as discussed in this report. Implementation of this recommendation could put $1,958,064 in funds to better use.

No. 5 to FHWA

Update the ER Manual to incorporate the requirements in FHWA Order 5182.1, including the routine review of unobligated balances so that funds can be deallocated when no longer needed.

$176,030
No. 6 to FHWA

Recover the $176,029.71 in unallowable emergency relief payments identified in this report.

Audit Report: SA2022021 issued on 02.09.2022
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending December 31, 2021
Closed on 05.23.2022
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$5,409,880
No. 2 to OST

Determine the allowability of the questioned transactions and recover $5,409,880, if applicable.

Audit Report: QC2022017 issued on 01.31.2022
Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020
Closed on 01.05.2023
No. 1 to OST

KPMG recommends that ESC management correct the ESC server inventory list to ensure that all production servers are correctly categorized.

Closed on 01.05.2023
No. 2 to OST

KPMG recommends that ESC management implement a quality assurance process to confirm that all servers and systems are included during the semiannual review process.

Closed on 10.19.2022
No. 3 to MARAD

KPMG recommends that MARAD management develop and implement policies and procedures to timely evaluate and respond to changes in MARAD’s programs or activities prompted by public law or DOT directives that could impact financial reporting objectives and cause revision to its accounting treatment.

Closed on 10.20.2022
No. 4 to MARAD

KPMG recommends that MARAD management should design and implement processes to timely correct identified errors or account for changes in accounting policies.

Closed on 02.13.2023
No. 5 to OST

KPMG recommends that ESC management update procedures surrounding management’s review of journal entries to ensure journal entries are reviewed at an appropriate level of precision to determine that all manually posted entries are complete, accurate, and adequately supported by documentation.

Closed on 03.30.2023
No. 6 to OST

KPMG recommends that OST management obtain documentation from external borrowers to support the input assumption that the remaining loan value will not be disbursed.

Closed on 03.30.2023
No. 7 to OST

KPMG recommends that OST management maintain a documentation trail that includes support for each current year input in accordance with the TIFIA Loan Subsidy Re-estimates Standard Operating Procedures.

Audit Report: FS2022019 issued on 01.31.2022
Management Letter Report on the Great Lakes Saint Lawrence Seaway Development Corporation’s Audited Financial Statements for Fiscal Years 2021 and 2020
Closed on 03.07.2023
No. 1 to GLS

Implement controls that require that the correct micro-purchase thresholds are assessed before approving SAM waivers.

Closed on 03.07.2023
No. 2 to GLS

Review payments made to the non-SAM approved vendor and determine whether the amounts are recoverable in accordance with the Payment Integrity Information Act of 2019.

Closed on 03.08.2023
No. 3 to GLS

Document and follow established controls to require that supporting documentation for CDs is obtained in a timely manner and recorded accurately so the system of record properly reflects information related to the CDs.

Closed on 03.08.2023
No. 4 to GLS

Develop and implement controls to require that employees are removed from CD accounts when they separate from the corporation and replace with current employees.

Closed on 03.23.2023
No. 5 to GLS

Implement procedures to perform periodic reviews of OM&S purchases for valuation accuracy.

Closed on 09.19.2023
No. 6 to GLS

Follow up on prior help requests submitted to system support to verify that the OM&S cost corrections have been made.

Closed on 03.23.2023
No. 7 to GLS

Work with system support to correct the deficiencies that cause OM&S cost errors.

Audit Report: QC2022020 issued on 01.31.2022
Quality Control Review of the Management Letter for the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2021 and 2020
No. 1 to STB

STB management should review the current version of OMB Circular A-136 to independently verify that all required footnotes are included and bring any omissions to the service provider’s attention so that errors or omissions can be corrected.

No. 2 to STB

STB management should review the service provider’s Financial Statement and Notes Review Checklist to verify that the checklist is up to date and includes all required elements per OMB and Treasury guidance and then complete the checklist independently. Alternatively, STB management should develop and complete its own review checklist based on current Treasury and OMB reporting requirements.

No. 3 to STB

STB management should request its financial management service provider to:
a. Reevaluate the inclusion of account balances that were excluded in the Other Liabilities footnote, or
b. Disaggregate (i.e. separately report) intragovernmental other liabilities balances reported as a single line item on the balance sheet that are not included in the footnote so that the total amounts reported for Other Liabilities on the Balance Sheet and in the footnote agree.

No. 4 to STB

STB should perform routine reviews of employee benefit elections and Official Personnel Folders to ensure they are complete and accurate.

No. 5 to STB

STB should address missing or unavailable supporting documentation with its shared service provider to ensure that document retrieval tools are available and are working properly to allow retrieval of all stored documents.

No. 6 to STB

STB management should work with the service provider to identify, at least quarterly, upward adjustments that have been offset by downward adjustments in the general ledger or perform an independent review of the general ledger activity of both accounts so that manual adjustments can be recorded to properly state the ending balances of both accounts, if needed.

No. 7 to STB

STB management should design and implement policies and procedures which enhance the internal review process for upward and downward adjustment transactions and includes a reconciliation of the UDO balances with the supporting documentation to ensure that transactions have been recorded correctly.

No. 8 to STB

STB should amend its existing policy regarding the review and approval of journal vouchers to include a review of all non-reversing entries recorded during the fiscal year and to review all year-end journal vouchers before they are recorded in the agency’s general ledger.

Audit Report: QC2022018 issued on 01.31.2022
Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020
Closed on 11.02.2022
No. 1 to FAA

KPMG recommends that FAA configure the password length for Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

No. 2 to FAA

KPMG recommends that FAA design and implement formal detective controls to log and monitor developer activities in the time and attendance system production environment. All programmatic changes to the time and attendance system production environment should be reviewed and reconciled from the logs to the approved change tickets.

Closed on 11.02.2022
No. 3 to FAA

KPMG recommends that FAA design and implement a process to ensure that inventory system application, database and operating system changes are tested, documented, and approved prior to migration into production in accordance with FAA policy; and update the change management ticketing system to capture required approvals and evidence of testing for inventory system application, database or operating system changes.

Closed on 11.28.2022
No. 4 to FAA

KPMG recommends that FAA configure the account lockout threshold for the Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

Closed on 05.22.2023
No. 5 to FAA

KPMG recommends that FAA update the control to investigate cases removed from the Legal Letter and Contingent Liability Report period over period prior to recording the legal liability.

No. 6 to FAA

KPMG recommends that FAA ensure that policies and procedures for revoking access to the shared services center for separated users include:
a. Timely notifying shared services center managers of FAA employees that have separated from the agency to ensure that access is removed; and
b. Enforcing the timeline for removal of separated employees from shared services center, by reviewing active user listings on a periodic basis to ensure that no separated employees still have access.

Audit Report: AV2022016 issued on 01.12.2022
Changes in Requirements and Schedule Delays Contributed to the Termination of the NAS Voice System Contract
Closed on 06.07.2022
No. 1 to FAA

Finalize the report on the NVS contract failure and the program termination, and develop action items to address the failures and a plan for implementing them.  

Audit Report: QC2022015 issued on 11.15.2021
Quality Control Review of the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020
Closed on 01.06.2023
No. 1 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policy.

No. 2 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.

No. 3 to OST

KPMG recommends that DOT management design and implement component-specific system security plan requirements in instances where plans for those areas are not addressed in the Departmental system security plan.

No. 4 to OST

KPMG recommends that DOT management design and implement procedures related to the retention of appropriate supporting evidence of internal controls, including but not limited to, access administration, access recertification, audit log review, and patch management.

Closed on 03.30.2023
No. 5 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations risk assessment to determine the impact of a timing gap between the issuance of service organization SOC reports and the Department’s fiscal year.

Closed on 03.30.2023
No. 6 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations documented review of applicable SOC reports, which includes a consideration of results year over year, implementation of the service organizations’ recommended complementary user entity controls and monitor such controls for proper design, implementation and operating effectiveness.

Closed on 03.30.2023
No. 7 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations review and evaluation of findings identified within the service organization’s SOC report and assess the impact on the Department’s internal control over financial reporting.

Audit Report: QC2022013 issued on 11.12.2021
Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020
Closed on 11.02.2022
No. 1 to FAA

KPMG recommends FAA design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policy.

No. 2 to FAA

KPMG recommends FAA design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.

Closed on 07.20.2023
No. 3 to FAA

KPMG recommends FAA design and implement component-specific system security plan requirements in instances where plans for those areas are not addressed in the Departmental system security plan.

Audit Report: SA2022010 issued on 11.10.2021
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending September 30, 2021
Closed on 03.18.2022
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$9,236,974
No. 2 to OST

Determine the allowability of the questioned transactions and recover $9,236,974, if applicable.

Audit Report: ST2022009 issued on 11.09.2021
Weaknesses in NHTSA’s Training and Guidance Limit Its Ability To Set and Enforce Federal Motor Vehicle Safety Standards
Closed on 05.04.2022
No. 1 to NHTSA

Update the existing written procedure for acting on rulemaking petitions to meet the required 120-day timeline.

Closed on 04.05.2022
No. 2 to NHTSA

Develop and implement a written process for reviewing compliance test reports.    

Closed on 06.07.2022
No. 3 to NHTSA

Develop and implement a training curriculum process for Safety Compliance Engineers.

Closed on 01.31.2023
No. 4 to NHTSA

Implement and communicate guidance on conducting compliance investigations.

Closed on 03.01.2022
No. 5 to NHTSA

Develop and implement a targeted process for reviewing and prioritizing conformity packages to meet the required 30-day timeframe.

Closed on 10.18.2022
No. 6 to NHTSA

Finalize and implement the Import and Certification Division's process to monitor and investigate Registered Importers' compliance with Federal regulations.

Audit Report: ZA2022008 issued on 10.27.2021
MARAD's Ability To Achieve Cost-Effective USMMA Contracts Is Compromised by Several Management Control Weaknesses
Closed on 04.04.2022
$4,900,000
No. 1 to MARAD

Establish and implement a control process to verify compliance with Federal requirements to establish files with complete documentation for all USMMA contracts and ensure that these files are readily accessible to principal users. Implementing this recommendation could put $4.9 million in Federal funds to better use by providing complete documentation to support that MARAD made efficient, compliant, and sound contracting decisions and actions.    

Closed on 06.24.2022
No. 2 to MARAD

Establish and implement a control process to verify compliance with Department requirements to use contract file checklists for all USMMA contracts.

Closed on 02.17.2022
No. 3 to MARAD

Require and verify all MARAD acquisition staff attend annual refresher training on Federal, departmental, and MARAD-specific procurement and acquisition workforce requirements. Post training material in a central location that all staff can reference and access.  

Closed on 08.09.2022
No. 4 to MARAD

Develop and implement standardized contract forms and templates to document completion of procurement requirements when awarding USMMA contracts below the Simplified Acquisition Threshold (SAT).  

Closed on 06.24.2022
$52,600,000
No. 5 to MARAD

For USMMA contracts that exceed the SAT, establish and implement a process(s) to verify compliance with applicable Federal, departmental, and MARAD procurement requirements associated with market research, independent Government cost estimates, source selection strategies, price and cost analysis, acquisition planning, and legal review. Implementing this recommendation could put $52.6 million in Federal funds to better use by improving MARAD's ability to efficiently award USMMA contracts that result in the best value to the Agency and meet its needs.

Closed on 05.08.2023
No. 6 to MARAD

Establish and implement a control process to verify the Agency’s oversight procedures regarding warrant requirements are correctly and consistently carried out for contract officers (CO) assigned to USMMA contracts.  

Closed on 12.22.2022
No. 7 to MARAD

Establish and implement a control process to verify compliance with Federal requirements to maintain accurate and complete data in the Federal acquisition system (previously the Federal Acquisition Institute’s Acquisition Training Application System, now Cornerstone OnDemand) for all USMMA contracting officer’s representatives (COR).  

Closed on 08.31.2022
No. 8 to MARAD

Establish and implement a control process to verify compliance with Federal, departmental, and MARAD requirements to use COR appointment letters and verify that all CORs assigned to USMMA contracts are properly certified.  

Closed on 10.28.2022
No. 9 to MARAD

Establish and implement a process for maintaining and tracking progress on USMMA Capital Improvement Program (CIP) projects, analyzing how changes to Academy plans will impact the cost and schedule of existing and planned CIP projects and contracts, and confirming that congressionally appropriated CIP funds are efficiently expended.  

Closed on 10.28.2022
No. 10 to MARAD

Establish and implement a requirement that any project change(s) to an approved CIP, Long Range Strategy, or other facilities-related Academy plan be submitted to and approved by the Office of the Secretary of Transportation before the change becomes final.  

Audit Report: QC2022006 issued on 10.25.2021
Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security System Program and Practices
No. 1 to OST

Develop and communicate an organization wide Supply Chain Risk Management strategy and implementation plan to guide and govern supply chain risks.

No. 2 to OST

Undertake a strategic analysis of the Inspector General FISMA Metrics and the weaknesses identified in the audit, to develop a multi-year strategy and approach to include objective milestones, and resource commitments by the Department and the CIO that address the corrective actions necessary to show steady, measurable improvements towards an effective information security program.

No. 3 to OST

Work with the Federal Aviation Administration’s CIO and Federal Motor Carrier Safety Administration’s Information Security System Manager (ISSM), to investigate and remediate cross-site scripting vulnerabilities identified in public facing web applications.

No. 4 to OST

Work and coordinate with system owners to identify and remediate weak and default authentication mechanisms within their systems and the Common Operating Environment.

No. 5 to OST

Develop and implement a process to facilitate centralized monitoring, oversight (by ISSMs and their alternates) and escalation efforts to ensure the timely completion of required security awareness training and role based training for all DOT personnel leveraging an automated integrated solution(s) and dashboards.

Audit Report: IT2022003 issued on 10.20.2021
FMCSA’s IT Infrastructure Is at Risk of Compromise
Closed on 05.11.2023
No. 1 to FMCSA

Change the passwords for the compromised web servers to strong passwords that meet DOT's Cybersecurity Compendium requirements.

Closed on 01.31.2022
No. 2 to FMCSA

Restrict access to administrator login pages to only verified administrators and computers.

Closed on 01.31.2022
No. 3 to FMCSA

Identify and remove all malware that was uploaded to FMCSA's web servers.

Closed on 10.25.2023
No. 4 to FMCSA

Develop and implement stronger malicious code protection and detection controls.

Closed on 11.01.2023
Sensitive
No. 5 to FMCSA

Sensitive information redacted

Closed on 01.31.2022
Sensitive
No. 6 to FMCSA

Sensitive information redacted

Closed on 01.31.2022
No. 7 to FMCSA

Change the passwords for FMCSA's compromised databases.

Closed on 01.31.2022
Sensitive
No. 8 to FMCSA

Sensitive information redacted

Closed on 05.11.2023
No. 9 to FMCSA

Validate whether production data is being used on other preproduction databases that FMCSA hosts.

Closed on 01.31.2022
$570,367,559
No. 10 to FMCSA

Establish and implement security safeguards for the protection of PII in accordance with DOT policy. Implementing this recommendation could put up to $570,367,559 of funds to better use by avoiding the cost of credit monitoring for affected individuals.

Closed on 10.03.2023
No. 11 to FMCSA

Implement monitoring controls and alerts to identify when database admin accounts log in from non-authorized IP addresses.

Closed on 01.20.2023
No. 12 to FMCSA

Implement real time security monitoring tools and alert features to monitor FMCSA web servers and databases for access from unauthorized IP addresses.

Closed on 11.01.2023
No. 13 to FMCSA

Develop and implement a plan to remediate all identified critical, high, and medium vulnerabilities on FMCSA devices older than October 8, 2019.

Audit Report: IT2022005 issued on 10.20.2021
FTA Does Not Effectively Assess Security Controls or Remediate Cybersecurity Weaknesses To Ensure the Proper Safeguards Are in Place to Protect Its Financial Management Systems
Closed on 02.01.2022
Pandemic Oversight
No. 1 to FTA

Select and implement security control-process isolation to protect its financial management systems (FMS and ECHO-Web) against risk.

Closed on 08.18.2022
Pandemic Oversight
No. 2 to FTA

Perform an assessment of its financial management systems (FMS, ECHO-Web, and TrAMS) security controls that at a minimum reflect the correct security control types and update each system’s system security plan with the correct control types.

Closed on 09.23.2022
Pandemic Oversight
No. 3 to FTA

Update the security assessment documents for its financial management systems (FMS, ECHO-Web, and TrAMS) to properly reflect the results of all security controls (e.g., common, hybrid, and system-specific) for selection, implementation, and assessment, per DOT requirements.

Closed on 09.23.2022
Pandemic Oversight
No. 4 to FTA

Obtain and assess all up-to-date security authorization documents associated with its financial management systems (FMS, ECHO-Web, and TrAMS) inherited controls (e.g. common, hybrid) to determine and monitor the effectiveness of its inherited controls and risk per NIST & DOT security requirements.

Sensitive
Pandemic Oversight
No. 5 to FTA

Sensitive information redacted

Closed on 01.31.2022
Sensitive
Pandemic Oversight
No. 6 to FTA

Sensitive information redacted

Closed on 12.14.2022
Pandemic Oversight
No. 7 to FTA

Implement secure configuration settings for its financial management systems (FMS and ECHO-Web) databases in accordance with Federal and DOT policies.

Closed on 12.05.2022
Sensitive
Pandemic Oversight
No. 8 to FTA

Sensitive information redacted

Closed on 01.13.2023
Pandemic Oversight
No. 9 to FTA

Develop and implement a plan that ensures continuity of federal workforce and contractual resources to fulfill contingency responsibilities for its financial management systems (FMS and ECHO-Web) to maintain continued operations should an emergency event incapacitate the primary personnel.

Closed on 01.13.2023
Pandemic Oversight
No. 10 to FTA

Conduct, document, and communicate the results of its annual incident response and data breach plan testing for financial management systems before authorization to operate (ATO), to ensure effectiveness in the event a security incident or data breach is discovered within FTA or an external party (e.g. FTA recipient, common control provider).

Closed on 05.18.2022
Pandemic Oversight
No. 11 to FTA

Establish, document, and implement a security incident reporting process and procedures for its recipients to report incidents that affect their login credentials.

Closed on 08.19.2022
Pandemic Oversight
No. 12 to FTA

Require the FTA Information System Security Manager (ISSM)/ Privacy Officer to adhere to its Incident and Data Breach Response Plan to report recipient cybersecurity incidents involving FTA information systems or user accounts.

Sensitive
Pandemic Oversight
No. 13 to FTA

Sensitive information redacted

Audit Report: AV2022004 issued on 10.20.2021
FAA Lacks Effective Oversight Controls To Determine Whether American Airlines Appropriately Identifies, Assesses, and Mitigates Aircraft Maintenance Risks
No. 1 to FAA

Develop and implement root cause analysis training for inspectors more in line with training in the aviation industry.

Closed on 05.22.2023
No. 2 to FAA

Develop and implement a management control to ensure that inspectors maintain the link between the compliance action and the corrective action validation inspection within its inspection databases.

No. 3 to FAA

Develop and implement a management control to ensure inspectors require air carriers to provide written root cause analyses and that these analyses do not specifically identify human factors issues as root causes.

Closed on 01.12.2023
No. 4 to FAA

Develop and implement a management control to ensure that inspectors do not send compliance action close out letters until the corrective actions have been completed and validated.

No. 5 to FAA

Develop and implement a team inspection approach in order to periodically assess the air carrier's Safety Management System.

No. 6 to FAA

Develop and implement Safety Management System training for inspectors that is specifically designed to aid inspectors in evaluating air carrier risk assessments.

No. 7 to FAA

Revise the Safety Management Systems data collection tool to allow inspectors to perform more detailed reviews and accurately document the results of these reviews.

Audit Report: QC2022002 issued on 10.06.2021
Quality Control Review of the Independent Auditor’s Report on DOT’s Compliance with the Digital Accountability and Transparency Act
No. 1 to OST

Implement and document a formal quarterly review process to ensure that any nonfatal warnings related to cross-validations of Files C, D1, and D2 at the OA level are investigated, and actions to address the warnings are clearly documented.

No. 2 to OST

Develop a complete inventory of DATA Act data element sources and definitions that exist within their systems and establish controls to ensure that the inventory is updated in response to relevant changes to DOT systems or DAIMS guidance.

No. 3 to OST

Implement a control to ensure that transaction level information is reported in File C in accordance with the data standards.

Closed on 03.01.2023
No. 4 to OST

Implement and document an internal oversight review process for financial assistance awards to ensure that controls are in place to verify recipients are registered in SAM at the time of financial assistance award.

Audit Report: QC2022001 issued on 10.04.2021
Quality Control Review of an Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices
No. 1 to STB

Develop an enterprise architecture that includes information security considerations and the resulting risk to the Agency, as well as incorporates STB’s existing cyber security architecture.

Closed on 04.14.2022
No. 2 to STB

Identify and define all software programs that are not authorized to execute on STB information systems.

Closed on 06.15.2022
No. 3 to STB

Establish and implement a procedure to manage hardware asset inventory connected to STB’s network.

Closed on 03.28.2022
No. 4 to STB

Review all open Plan Of Actions & Milestones and assign scheduled completion dates which account for the required resources and corrective actions, including milestones, to manage and mitigate the identified risk.

No. 5 to STB

Develop a Supply Chain Risk Management strategy and supporting policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.

Closed on 04.14.2022
No. 6 to STB

Develop a process to make improvements to its baseline configuration, secure configuration, and flaw remediation policies and procedures through the use of lessons learned.

Closed on 06.15.2022
No. 7 to STB

Implement documented processes for configuration management changes as required by STB policies and procedures.

No. 8 to STB

Evaluate deviations from Center for Internet Security benchmarks and determine if the associated configurations should align with best practices or if deviations should be risk accepted.

Closed on 04.14.2022
No. 9 to STB

Update vulnerability management procedures to support implementation of STB’s Vulnerability Disclosure Policy.

Closed on 04.11.2022
No. 10 to STB

Update the Access Recertification Process document to align with STB’s existing practices to ensure users complete all required training and onboarding forms.

Closed on 04.11.2022
No. 11 to STB

Develop and implement a written policy or procedure to establish an internal control mechanism to identify all major transportation projects on the Federal Infrastructure Permitting Dashboard that should be tracked in the environmental performance measure and document reasons why projects are or are not determined to be major transportation projects.

Closed on 03.28.2022
No. 12 to STB

Develop a process to make improvements to the effectiveness of its Identity, Credential, and Access Management policy, strategy, and road map.

Closed on 06.15.2022
No. 13 to STB

Define procedures to review and remove unnecessary PII collection on an organization defined frequency.

Closed on 05.02.2022
No. 14 to STB

Perform the review of Privacy Threshold Analysis for STB General Support System, At Hoc, and Dynamic Case Management system on an annual basis.

No. 15 to STB

Implement data protection policies and procedures for Data at Rest, prevention and detection of untrusted removable media, and destruction or reuse of media containing PII or other sensitive agency data.

Closed on 06.15.2022
No. 16 to STB

Address the knowledge, skills, and abilities gaps identified during the FY 2020 skill gap assessment through training or talent acquisition.

No. 17 to STB

Complete the transition from traditional three (3) year authorizations to ongoing authorizations for STB-LAN.

No. 18 to STB

Implement documented processes for collecting and reporting performance metrics at the organization and system level to assess the effectiveness of Information Security Continuous Monitoring program.

No. 19 to STB

Develop a process to make improvements to the effectiveness of its ISCM program through the collection and reporting of quantitative and qualitative performance metrics, and lessons learned.

Closed on 03.28.2022
No. 20 to STB

Define the performance metrics for measuring the incident response capability.

Closed on 03.28.2022
No. 21 to STB

Update STB Incident Response Plan to include requirements for the technologies utilized to support Incident Response processes.

Closed on 03.28.2022
No. 22 to STB

Define the frequency for the performance of Post Incident activities.

Closed on 03.28.2022
No. 23 to STB

Update STB Incident Response plan containment strategies to reflect the current agency’s risk prioritization processes.

Closed on 03.28.2022
No. 24 to STB

Implement documented processes for Incident Response resolutions of tickets in a consistent manner, as required by STB policies and procedures.

Closed on 03.28.2022
No. 25 to STB

Define the frequency for the performance of system level Business Impact Analyses (BIA).

Closed on 06.15.2022
No. 26 to STB

Review the organization wide BIA on an annual basis.

Closed on 05.09.2023
No. 27 to STB

Conduct a tabletop exercise of the General Support System’s information system contingency plan (ISCP) on an annual basis.

Audit Report: ZA2021037 issued on 09.27.2021
FAA Faces Challenges in Tracking Its Acquisition Workforce and Ensuring Compliance With Training, Certification, and Warrant Requirements
Closed on 07.17.2023
No. 1 to FAA

Establish and implement an effective process for: (i) identifying and tracking the Agency's acquisition workforce (such as Contracting Officers (COs), Contracting Officer’s Representatives (CORs) and Program/Project Managers (P/PMs) ) and (ii) collecting and maintaining their certifications and related training records. Data collected via this process and maintained in repositories should be complete, accurate, and readily accessible.

Closed on 07.13.2023
No. 2 to FAA

Identify, remove, and/or rectify those COs, CORs, and P/PMs—currently assigned to a contract or program—that lack the required training or certification to fulfill their designated role.

Closed on 10.31.2022
No. 3 to FAA

Develop and implement training and guidance related to the Agency’s replacement of FAITAS. This training and guidance should address acquisition certification requirements, documentation, and application processes under the new system.

No. 4 to FAA

Implement performance and certification metrics for CORs and P/PMs.

Closed on 10.20.2022
No. 5 to FAA

Revise AMS to reflect FAA’s decision to delegate approval authority for COR certifications to the Acquisition Career Manager.  

Closed on 10.20.2022
No. 6 to FAA

Strengthen the process for nominating CORs to include completing, issuing, and storing COR Delegation Letters and Nomination Forms in the contract file.  

Closed on 07.13.2023
No. 7 to FAA

Strengthen quality assurance procedures to verify accuracy when identifying and reporting the acquisition P/PMs assigned to OMB Major Programs.  

Closed on 12.07.2022
No. 8 to FAA

Establish a timeline to implement and verify compliance with the requirement that all P/PMs assigned to OMB Major Programs obtain and maintain a FAC P/PM Information Technology Certification.  

Audit Report: QC2021038 issued on 09.27.2021
Quality Control Review of the Independent Auditor’s Report on DOT’s Enterprise Services Center
Closed on 01.12.2022
Sensitive
No. 1 to OST

Sensitive information redacted

Closed on 08.31.2022
Sensitive
No. 2 to OST

Sensitive information redacted

Closed on 08.31.2022
Sensitive
No. 3 to OST

Sensitive information redacted

Closed on 08.31.2022
Sensitive
No. 4 to OST

Sensitive information redacted

Audit Report: SA2021036 issued on 08.31.2021
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending June 30, 2021
Closed on 01.12.2022
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$32,153,264
No. 2 to OST

Determine the allowability of the questioned transactions and recover $32,153,264, if applicable.

Audit Report: AV2021035 issued on 08.18.2021
FAA’s Approach for Establishing and Modifying Air Traffic Controller Staffing Levels Needs Improvement To Properly Identify Staffing Needs at Contract Towers
No. 1 to FAA

Analyze and document the justification for the FAA Contract Tower (FCT) Program's minimum staffing requirements.

No. 2 to FAA

Develop and implement an internal process to periodically review, and maintain supporting records for FCT controller staffing minimums.

No. 3 to FAA

Develop and implement an internal process—including roles and responsibilities, timeframes, and criteria—to ensure contract requirements are met, and overpayments made to contractors are recovered.

$5,140,000
No. 4 to FAA

Recover overpayments to contractors, estimated minimum of $2.64 million and minimum of $2.5 million.

Audit Report: AV2021034 issued on 08.11.2021
FAA Can Increase Its Inspector Staffing Model’s Effectiveness by Implementing System Improvements and Maximizing Its Capabilities
No. 1 to FAA

Institute a process that compares the inspector staffing model estimates to actual staffing levels. The process should identify the reasons for the differences between the two figures, establish performance measures that help assess the accuracy of the model's results, and actions taken to improve future forecasting.

Closed on 09.07.2023
No. 2 to FAA

Finalize the demand-driven metrics and determine how they will be used in conjunction with the inspector staffing model.  

No. 3 to FAA

Develop and implement a plan with milestones for completing the air carrier and general aviation staffing models, including information on how the Agency plans on using them in conjunction with the current staffing model, the process by which the business rules are updated, and the results of the most recent review of the business rules.

No. 4 to FAA

Produce inspector staffing estimates and actual staffing levels at the functional and field office levels. Include these figures in the Agency's annual safety workforce plan.

No. 5 to FAA

Reinstitute the process in which Flight Standards office managers review their staffing estimates.

No. 6 to FAA

Track progress on implementing the Office Workload List, including milestones to show when the Agency anticipates using information from the system to assist with inspector staffing decisions.

No. 7 to FAA

Update information regarding implementation of the Designee Management System, including milestones to show when FAA anticipates fully integrating individual designees into the system and how it intends to use the system's data to determine whether to adjust its inspector workforce staffing levels and responsibilities.

Audit Report: IT2021033 issued on 08.02.2021
FAA Is Taking Steps to Properly Categorize High-Impact Information Systems but Security Risks Remain Until High Security Controls Are Implemented
Sensitive
No. 1 to FAA

Sensitive information redacted

Sensitive
No. 2 to FAA

Sensitive information redacted

Closed on 01.12.2023
Sensitive
No. 3 to FAA

Sensitive information redacted

Sensitive
No. 4 to FAA

Sensitive information redacted

Sensitive
No. 5 to FAA

Sensitive information redacted

Sensitive
No. 6 to FAA

Sensitive information redacted

Audit Report: ST2021032 issued on 07.21.2021
FTA Made Progress in Providing Hurricane Sandy Funds but Weaknesses in Tracking and Reporting Reduce Transparency Into Their Use
No. 1 to FTA

Establish and implement written policies and procedures to accurately communicate allocated amounts over time through FTA's documents, such as notices, memoranda, and letters; the grant management system; and external reports.

Closed on 11.23.2021
No. 2 to FTA

Complete the planned update to FTA’s Assistance Listings internal guidance to include procedures to ensure the Agency complies with the Office of Management and Budget assistance listing requirements that are intended to make obligation information readily identifiable on USASpending.gov.  

Audit Report: ST2021030 issued on 07.14.2021
FMCSA Has Gaps and Challenges in Its Oversight of CDL Disqualification Regulations
Closed on 11.15.2023
No. 1 to FMCSA

Improve current requirements for States to record, track, and maintain paper-based convictions sent and received via mail by incorporating its standardized method for States to aggregate paper-based convictions to facilitate FMCSA's evaluation of State performance.

Closed on 11.01.2023
No. 2 to FMCSA

Finalize and implement standardized operating procedures for conducting annual program reviews and for supervisory quality control reviews of completed annual program reviews. 

Closed on 11.09.2023
No. 3 to FMCSA

Modify the annual program review checklist to require reviewers to address key factors and determine whether:  a. sampled out-of-State convictions were posted to driver records within the required 10 days; b. results from a review of in-State convictions and paper notifications of out-of-State convictions were documented; c. sample testing was conducted of the greater of 2 percent of electronic transactions in a month or a total of five transactions, in accordance with FMCSA’s 2016 policy memorandum; d. States are sending convictions either electronically or via mail but not using both methods; e. States begin disqualification periods on or after the date the out-of-State conviction is received; and f. States that are offering administrative appeals for out-of-State disqualifications and permitting them to be overturned are identified.    

Closed on 11.09.2023
No. 4 to FMCSA

Finalize and implement a standard operating procedure for determining when a State is not making a good faith effort to timely mitigate compliance issues and when to impose sanctions on noncompliant States.  

Closed on 11.29.2023
No. 5 to FMCSA

Complete the Agency's review of the State Compliance Records Enterprise system and implement identified improvements for managing States' compliance issues.

No. 6 to FMCSA

Develop and implement a process to segregate non-CDL holder convictions from all Commercial Driver's License Information System reports and workbooks utilized to evaluate States' compliance with CDL regulations.

Closed on 11.15.2023
No. 7 to FMCSA

Develop and implement a plan for coordinating with the American Association of Motor Vehicle Administrators to mitigate risks when States transition to new software systems. 

Audit Report: FI2021029 issued on 07.12.2021
FAA’s Ability To Manage Its National Airspace System Inventory Is Limited by Several Gaps in Its Processes That Remain After Adoption of the Agency’s Current Inventory Management System
No. 1 to FAA

Revise FAA's process for identifying excess, obsolete, or unserviceable inventory to include consideration for the quantity of repairable parts on hand, and the expected future demand for those parts.

Closed on 08.18.2021
No. 2 to FAA

Develop and implement an interim process for receiving, sorting, and disposing of excess, obsolete, or unserviceable inventory items at the Thomas Road Warehouse that includes the tracking of individual inventory parts from receipt through to final disposition.

Closed on 07.27.2022
No. 3 to FAA

Implement an oversight process for core due-ins that includes continuous tracking as well as following up on any core due-ins that are not returned within 30 days.

Closed on 07.27.2022
No. 4 to FAA

Evaluate and revise the Advance Due-In Report to maximize its effectiveness in accurately tracking actual due-ins from the field.

$38,000,000
No. 5 to FAA

Research, identify, and account for the due-ins identified in the Advance Due-in Report and request that parts be returned. If unreturned, bill NAS customers accordingly. Implementation of this recommendation could put over $38 million in funds to better use.

Closed on 08.18.2021
No. 6 to FAA

Document and implement FAA's process for conducting monthly exchange and repair inventory value calculations.

Closed on 08.12.2021
No. 7 to FAA

Develop and implement a plan to continuously track, reconcile, and reduce the inventory quantity discrepancies that currently exist between the Logistics Center Support System and the Warehouse Management System.

Audit Report: ST2021028 issued on 07.07.2021
MARAD Has Made Progress in Addressing NAPA Recommendations Related to Mission Focus, Program Alignment, and Ability To Meet Objectives
No. 1 to MARAD

Develop a plan with milestones for completing the remaining eight applicable recommendations.

No. 2 to MARAD

Track implementation of the plan with milestones.

Audit Report: ST2021027 issued on 06.30.2021
Fully Implementing a Grants Management Framework Will Enhance FRA’s Amtrak Funding Oversight
No. 1 to FRA

Establish and implement measurable goals and metrics for assessing the effectiveness of the oversight program.

Closed on 04.27.2022
No. 2 to FRA

Complete and implement procedures for systematically tracking issues identified through reviews of Amtrak's use of Federal funds and compliance with cooperative agreements.

Closed on 10.21.2022
No. 3 to FRA

Finalize and implement procedures for taking action to address Amtrak’s noncompliance with cooperative agreement terms and conditions.  

No. 4 to FRA

Implement the plan to complete information system improvements and centralize Amtrak oversight data in accordance with established milestones.

Audit Report: ZA2021026 issued on 06.02.2021
Gaps in Guidance, Training, and Oversight Impede FAA’s Ability To Comply With Buy American Laws
Closed on 11.04.2022
$127,000,000
No. 1 to FAA

Revise the Acquisition Management System (AMS) to include policy and guidance covering the BAA and BAP laws and requirements, specifically on the application of clauses, exceptions, and waivers, as well as when to obtain contractor certifications. Implementing this recommendation could put $127 million to better use by reducing the risk of FAA improperly procuring foreign-made supplies and products.  

Closed on 07.27.2022
No. 2 to FAA

Develop and implement formal training that focuses on the application of FAA’s BAA and BAP requirements, contract clauses, and waivers, as well as on obtaining and retaining required vendor certifications.  

Closed on 11.08.2022
No. 3 to FAA

Revise AMS to include policy and guidance for FAA’s Electronic Document Storage record-keeping system to include the retention of BAA and BAP documents in the official contract file.  

Closed on 11.04.2022
No. 4 to FAA

Revise AMS to include guidance and procedures on how to monitor post-award compliance with the BAA requirements, including actions to take when acquisition clauses, such as vendor certification requirements, are incomplete or erroneously omitted.

Closed on 10.06.2021
No. 5 to FAA

Revise the National Acquisition Evaluation Program evaluation form and procedures to require evaluators to review and document Buy American compliance, e.g., by listing the categories of Buy American clauses as separate entries and including procedures that show evaluators how to test and document compliance.

Closed on 06.28.2022
No. 6 to FAA

Enhance existing quality control procedures to require acquisition personnel to enter FAA domestic content data (i.e., place of manufacture codes) accurately in the Federal Procurement Data System - Next Generation.

Closed on 03.28.2023
No. 7 to FAA

Develop and implement procedures for collecting, tracking, analyzing, and reporting on FAA’s use of the BAP waivers and the BAA exceptions.  

Closed on 04.10.2023
No. 8 to FAA

Develop and implement procedures to ensure FAA posts information on its existing use of BAP blanket waivers, as well as any newly executed waivers, for direct contracts on a public website.  

Audit Report: SA2021025 issued on 05.26.2021
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending March 31, 2021
Closed on 07.29.2021
No. 1 to OST

Coordinate with impacted Operating Administrations (OA) to develop a corrective action plan to resolve and close the findings highlighted in this report.

$8,008,786
No. 2 to OST

Determine the allowability of the questioned transactions and recover $8,008,786, if applicable.

Audit Report: AV2021024 issued on 05.19.2021
DOT Appropriately Relied on Unsubsidized Carriers in Accordance With Its Policy but Conducted Limited Oversight of the Essential Air Service Communities They Serve
Closed on 09.21.2021
No. 1 to OST

Notify communities of their right to petition the Department about issues with basic essential air service.    

No. 2 to OST

Conduct periodic reviews of the level of basic essential air service in accordance with Federal regulations.

Audit Report: AV2021023 issued on 03.30.2021
NextGen Benefits Have Not Kept Pace With Initial Projections, but Opportunities Remain To Improve Future Modernization Efforts
Closed on 10.18.2021
No. 1 to FAA

Publish metrics that measure performance of NextGen improvements across the NAS. 

Closed on 01.18.2022
No. 2 to FAA

Develop and implement a process that incorporates interim adjusted benefit projections and interim implementation analyses to support prioritization of NextGen programs and deployment locations. 

Closed on 10.18.2021
No. 3 to FAA

Update and provide stakeholders a risk adjusted NextGen benefit projection. 

Audit Report: AV2021022 issued on 03.10.2021
FAA Has Made Progress in Implementing ASIAS, but Work Remains To Better Predict, Prioritize, and Communicate Safety Risks
Closed on 09.30.2022
No. 1 to FAA

Develop and implement models based on criteria to prioritize requests for ASIAS safety information across the ASIAS communities. 

Closed on 03.29.2023
No. 2 to FAA

Disseminate ASIAS aggregated, confidential national-level metrics, such as known risk monitoring, on a regular basis to the Safety Analysis and Promotion Division and principal aviation safety inspectors. 

No. 3 to FAA

Determine if the ASIAS non-confidential information is beneficial to Flight Standards inspectors, and if so, implement guidance to field-level personnel so that inspectors have an understanding of how, when, and why they should use the system.

Audit Report: ZA2021021 issued on 03.02.2021
Vulnerabilities in MARAD’s NSMV Program May Hinder Effective Achievement of Program Goals
Closed on 04.26.2021
No. 1 to MARAD

Document and implement a risk management process to analyze program risk, including risk identification, likelihood and consequence, mitigation strategy, and monitoring activities. This documented process should also include steps for monitoring, tracking, and updating risks throughout the life of the program. This recommendation should be completed prior to the start of full-scale vessel construction.

Closed on 05.14.2021
No. 2 to MARAD

Obtain, review, and approve complete versions of each of the following VCM oversight plans: the Configuration Design and Technical Management Plan; Quality Assurance, Risk Management, and Metrics Plan; and Test and Evaluation Plan. This recommendation should be completed prior to the start of full-scale vessel construction.

Audit Report: AV2021020 issued on 02.23.2021
Weaknesses in FAA’s Certification and Delegation Processes Hindered Its Oversight of the 737 MAX 8
No. 1 to FAA

Update the Changed Product Rule to address the integration of technological advances and exceptions.

No. 2 to FAA

Evaluate criteria for determining whether a system meets the definition of a "novel or unusual design feature," add specificity, and implement identified improvements.

No. 3 to FAA

Require applicants to submit failure probability analysis and key assumptions in certification deliverables.

No. 4 to FAA

Assess and update Advisory Circular 25.1309 guidance related to engineering assumptions regarding pilot actions, pilot reaction times, and failure mode testing.

No. 5 to FAA

Establish and implement processes for manufacturers to officially notify FAA certification engineers of any changes made to System Safety Assessments, including after FAA flight testing has begun.

No. 6 to FAA

Establish and implement communication and coordination procedures between Boeing and FAA, and within FAA among flight test, certification, and Flight Standards.

No. 7 to FAA

Establish and implement policies and procedures for the Aircraft Evaluation Group related to its role in the certification process that require, at a minimum: formal documentation of approvals; documentation of operational flight test parameters, procedures, and outcomes; expanded written guidance on the FSB process; and improved consistency of procedures between AEG offices.

No. 8 to FAA

Incorporate lessons learned from the Boeing 737 MAX accidents into the ODA oversight process guidance implementing a risk-based approach.

No. 9 to FAA

Clarify priorities, roles, and responsibilities for FAA engineers regarding oversight and certification work, including the timing of when oversight should be performed.

Closed on 05.31.2023
No. 10 to FAA

Perform a workforce assessment at FAA’s Boeing Aviation Safety Oversight office to determine engineer resource and expertise needs, particularly in the areas of systems engineering, human factors, and software development, to both perform certification and oversight work, and take action as necessary. 

No. 11 to FAA

Conduct an assessment to determine how frequently unit members serve as both the company engineer involved in a design as the applicant and also find compliance on FAA's behalf on that same design. Based on the results of this assessment, revise ODA guidance to strengthen controls in this area.

No. 12 to FAA

Revise ODA program requirements to ensure ODAs have internal controls in place and are organized in a way that prevents interference with ODA unit members.

Closed on 03.26.2021
No. 13 to FAA

Determine if Boeing has met the requirements of the 2015 Settlement Agreement, including reporting metrics, given the deadline of December 31, 2020 and take further actions as necessary.

No. 14 to FAA

Complete the ongoing rulemaking project that proposes requiring manufacturers to implement Safety Management Systems, including setting and publishing expected timeframes.

Audit Report: AV2021017 issued on 02.10.2021
Gaps in FAA's Oversight of the AIP State Block Grant Program Contribute to Adherence Issues and Increase Risks
No. 1 to FAA

Revise FAA policy to include equitable review of projects funded by discretionary and entitlement funds, and perform regular formal assessments of Block Grant States' (BGS) adherence to Federal requirements for project selection.

No. 2 to FAA

Revise FAA's policy on documenting project-approval decisions to ensure that BGS adhere to project prioritization.

No. 3 to FAA

Revise and implement FAA's process for resolving instances of insufficient documentation as support for reimbursement to BGS.

$5,733,468
No. 4 to FAA

Request supporting documentation for the transactions related to the $5.7 million in unsupported project costs we identified in Wisconsin, and collect all unsupported costs or identify FAA's rationale for accepting them.

$12,835
No. 5 to FAA

Assess the claims related to the $12,835 in unsupported Cash Management Improvement Act reimbursements we identified in Michigan, and review similar transactions within the SBGP for unsupported costs. Develop an action plan to collect all unsupported costs or identify FAA's rationale for accepting them.

No. 6 to FAA

Develop and implement a procedure for monitoring BGS adherence to requirements for Airport Improvement Program (AIP) expenditures at regular and frequent intervals.

No. 7 to FAA

Revise guidance for all AIP stakeholders to reinforce the required sequence in which different types of AIP funds are to be expended.

$115,666,168
No. 8 to FAA

Require Airport District Offices (ADO) and Regional Offices to comply with grant closeout requirements for BGS. Implementation of this recommendation could put $115.7 million in funds to better use.

$5,749,537
No. 9 to FAA

Develop and implement a procedure to verify the accuracy of BGS data submissions. Implementation of this recommendation could put $5.7 million in funds to better use by improving FAA's grant management oversight.

No. 10 to FAA

Formalize and implement minimum training requirements for BGS officials, and give BGS access to all FAA-conducted, AIP-related online and in-person training.

No. 11 to FAA

Finalize the draft Memorandum of Agreement outlined in the SBGP Advisory Circular and implement it for all 10 current BGS and any future program entrants.

No. 12 to FAA

Finalize and implement an SBGP-wide audit plan in accordance with FAA's SBGP Advisory Circular, and include a requirement to document resolution of findings.

No. 13 to FAA

Ensure compliance or implementation of FAA's procedure to share resolutions of Single Audit Report recommendations with the ADOs and Regional Offices that oversee the BGS.

Audit Report: SA2021018 issued on 02.10.2021
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending December 31, 2020
Closed on 04.01.2021
No. 1 to OST

Coordinate with impacted Operating Administrations (OA) to develop a corrective action plan to resolve and close the findings highlighted in this report.

$5,130,999
No. 2 to OST

Determine the allowability of the questioned transactions and recover $5,130,999, if applicable.

Audit Report: QC2021016 issued on 02.01.2021
Quality Control Review of the Management Letter for the National Transportation Safety Board’s Audited Financial Statements for Fiscal Years 2020 and 2019
Closed on 03.28.2023
No. 1 to NTSB

Redesign the agency's personnel action process to ensure that the submission of a Request for Personnel Action form immediately is processed promptly upon the notification of an employee's separation or termination.

No. 2 to NTSB

Redesign the agency's FPPS user termination process to require the completion and submission of a FPPS User Access Form to the service provider immediately upon separation of a FPPS user from the agency.

Closed on 01.09.2023
No. 3 to NTSB

NTSB perform a review of its Reimbursable Agreements Summary report to verify that the open balance amount for each agreement is correct. 

Closed on 01.09.2023
No. 4 to NTSB

NTSB perform a review of agreements for which goods or services have been provided to ensure that billing and collection procedures have been completed or initiated.

Closed on 01.09.2023
No. 5 to NTSB

NTSB record an accrual for earned revenue that has not been collected as of the end of the reporting period. 

Closed on 03.23.2023
No. 6 to NTSB

Perform a review of the user's system access immediately after each OFF User Access Form is processed by DOI IBC to ensure that only the permissions requested were granted.

Closed on 03.23.2023
No. 7 to NTSB

Redesign the OFF quarterly review process to include a review of each employee's system permissions to verify that all users' access permissions granted do not exceed the permissions requested and least privilege guidelines.

Closed on 03.23.2023
No. 8 to NTSB

We recommend that the Office of Chief Financial Officer (OCFO) enhance its existing internal control procedures over the review and approval of journal vouchers to ensure that the basic pay data used to compute imputed costs is complete and accurate and all cost factors are included in the calculation.

Audit Report: QC2021014 issued on 01.27.2021
Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
Closed on 08.11.2021
No. 1 to FAA

Enforce existing manual controls for disabling inactive accounts after the specified period of inactivity and enable an information system to automatically disable inactive accounts after a specified period of inactivity, as required by NIST.

Closed on 11.21.2022
No. 2 to FAA

Identify and resolve discrepancies between the FAA ISPP and Center for Internet Security Benchmarks specific to the procurement system’s password configurations.  

Closed on 11.21.2022
No. 3 to FAA

If changes are needed, update the procurement system’s security documentation to reflect the database password requirements.  

Closed on 11.21.2022
No. 4 to FAA

Ensure that database password settings are in compliance with FAA ISPP.  

Closed on 08.11.2021
No. 5 to FAA

Review and update security documentation to ensure that database dependency on the general ledger and the related control deviation is documented and approved by the AO, as required by FAA policy.

Closed on 09.05.2023
No. 6 to FAA

Update application password settings to ensure compliance with the FAA ISPP. 

Closed on 06.30.2021
No. 7 to FAA

Coordinate with the appropriate resources to ensure the implementation of an appropriate separation of duties process for system administrators and developers.

Closed on 08.11.2021
No. 8 to FAA

Update password settings to ensure compliance with the FAA ISPP.

No. 9 to FAA

Design and implement a process to ensure that the inventory application, database, and operating system changes are tested, documented, and approved prior to migration into production and update the change management ticketing system to capture required approvals and evidence of testing for application, database, or operating system changes, in accordance with FAA ISPP.

No. 10 to FAA

Configure the account lockout threshold for the Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

Closed on 08.17.2021
No. 11 to FAA

Design and implement controls to validate that all employee FEGLI elections are accurately recorded in the records of the shared service center.

Closed on 06.28.2021
No. 12 to FAA

Perform an annual review of existing sites to identify those that may be in dispute, and solicit input from legal counsel to determine and document whether these sites should be included in the environmental remediation liability, as defined by generally accepted accounting principles.

No. 13 to FAA

Ensure that existing procedures over the review of journal entries are performed, at an appropriate level of precision, to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.

Closed on 03.07.2022
No. 14 to FAA

Update the Journal Voucher Processing standard operating procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the JV control log reconciliation with the actions taken and resolution obtained.

Closed on 06.22.2021
No. 15 to FAA

Update policies and procedures to clarify when acceptance should be recorded for a transaction.

Closed on 06.22.2021
No. 16 to FAA

Develop and implement guidance to formally document its assessments and recognition decisions, in accordance with SFFAC No. 5, as related to assets and liabilities of exchange transactions.

Closed on 03.17.2022
No. 17 to FAA

Update the standard operating procedures to define the triggering events for which the serviceable unit cost should be revalued in accordance with applicable accounting standards. 

Closed on 03.17.2022
No. 18 to FAA

Design and implement control activities to ensure that serviceable unit costs are only revalued as a result of valid triggering events which occur during the current period. 

Closed on 03.07.2022
No. 19 to FAA

Develop policies and procedures to ensure that judgments that inform accounting estimates are based on the best available information at the time of calculating and recording the CARES Act grant accrual estimate in the financial statements.

Closed on 03.17.2022
No. 20 to FAA

Develop procedures to document the period in which user access is granted and terminated to support the operating effectiveness of the shared service center’s user access controls. 

Audit Report: QC2021015 issued on 01.27.2021
Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
Closed on 09.30.2021
No. 1 to FTA

KPMG recommends that FTA management revise the existing configuration management plans for the grant financial management application and the clearing house system to include procedures for source code access administration and required privileges, source code maintenance and storage, the process for source code deployment into the production, and any version control software utilized to support the systems.

Closed on 09.30.2021
No. 2 to FTA

KPMG recommends that FTA management reconfigure the grants management application to automatically remove roles that are not recertified annually.

Closed on 09.30.2021
No. 3 to FTA

KPMG recommends that FTA management reconfigure the application that supports the grants management system to automatically disable accounts after 60 days of inactivity.

Closed on 09.30.2021
No. 4 to FTA

KPMG recommends that FTA management update the grants management system platform's system security plan to reflect the configuration considerations in place.

Closed on 09.27.2021
No. 5 to FTA

KPMG recommends that FTA management ensure that new users are properly authorized by all required parties prior to the administration of access to FTA systems.

Closed on 03.30.2023
No. 6 to FTA

KPMG recommends that FTA management design and implement policies and procedures that establish a formal process to assess applicable third-party SOC reports that includes reviewing the SOC 1, 2, 3 reports, reviewing and comparing reporting updates year-over-year, and reviewing findings and their impact on the grants management system.    

Closed on 03.30.2023
No. 7 to FTA

KPMG recommends that FTA management design and implement policies and procedures that establish a formal process to assess applicable third-party SOC reports that includes implementing the service organization's recommended complementary user entity controls and monitoring these controls for proper implementation and operating effectiveness.

Closed on 03.16.2022
No. 8 to FHWA

KPMG recommends that FHWA management update its security documentation and system security plan, in accordance with Department requirements, to capture any control deviations and compensating controls used in lieu of automatically disabling inactive accounts.  

Closed on 03.16.2022
No. 9 to OST

KPMG recommends that ESC management should provide a training refresher to contracting program managers and access control officers related to the separation process for contractors.    

Closed on 09.27.2021
No. 10 to OST

KPMG recommends that OST management design and implement policies and procedures to evaluate the impact of known changes in TIFIA loan cash flow projections between the re-estimate date and the issuance of the financial statements on the subsidy re-estimate to then be considered for subsequent event disclosure.

Closed on 09.21.2021
No. 11 to MARAD

KPMG recommends that MARAD management design and implement a process for recording donated PP&E from other federal entities to ensure these transactions are accurately recorded and in accordance with generally accepted accounting principles.

Closed on 09.21.2021
No. 12 to OST

KPMG recommends that ESC management update the Journal Voucher Processing Standard Operating Procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the journal voucher control log reconciliation with the action taken and resolution obtained.

Closed on 03.30.2023
No. 13 to OST

KPMG recommends that ESC management update procedures surrounding management's review of journal entries at ESC to ensure that journal entries are reviewed at an appropriate level of precision to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.

Closed on 03.16.2022
No. 14 to FHWA

KPMG recommends that FHWA and ESC management design and implement a control that is sufficiently precise to detect and correct UDO reconciliation discrepancies in the correct fiscal year in which they occur.      

Audit Report: ST2021013 issued on 01.13.2021
FMCSA Has Not Fully Met Oversight Requirements as It Rebuilds the National Registry of Certified Medical Examiners
Closed on 08.24.2021
No. 1 to FMCSA

Implement Agency plans for eliminating the backlog of driver examination results held by medical examiners.

No. 2 to FMCSA

Develop a plan to allocate resources to the Medical Programs Division to fully implement requirements for medical examiner eligibility audits and random selection performance monitoring.

No. 3 to FMCSA

Update Agency processes for conducting periodic medical examiner eligibility audits and random selection performance monitoring as needed to incorporate upgraded National Registry tools.

No. 4 to FMCSA

Reinstate the conduct of eligibility audits and random selection performance monitoring of medical examiners.

Audit Report: ST2021012 issued on 01.13.2021
PHMSA’s Safety Culture Efforts
Closed on 08.18.2022
No. 1 to PHMSA

Describe the responsibilities and tasks necessary to develop and continuously promote a positive safety culture at PHMSA, such as a training plan on safety culture. Then clearly assign those responsibilities to leadership.  

Closed on 08.18.2022
No. 2 to PHMSA

Establish a method to track and monitor the status of initiatives related to safety culture. 

Audit Report: FS2021011 issued on 12.16.2020
DOT Needs To Strengthen Travel Card Program Internal Controls To Minimize Misuse
Closed on 03.14.2023
No. 1 to OST

Notify all travel card program participants that advance written approval must be obtained prior to incurring any travel expenses.

Closed on 09.21.2023
No. 2 to OST

Develop and implement a plan for Agency/Organization Program Coordinator to identify travel authorizations that were not submitted or approved prior to the incurrence of official travel-related expenses. The plan should include follow-up with cardholders and approvers on instances where noncompliance is identified.   

Closed on 03.14.2023
No. 3 to OST

Update DOT’s travel card management policy, DOT Order 15006.b, and DOT travel card training to include guidance on how cardholders should recover travel card account overpayments.

No. 4 to OST

Develop and implement a control that will allow the Department to identify questionable travel card transactions outside of the delinquency report review that is performed by the operating administrations.

Closed on 03.20.2023
No. 5 to OST

Expand existing training for managers and Approving Officials to incorporate a proper voucher review.  

Closed on 03.20.2023
No. 6 to OST

Notify all travel cardholders that cash withdrawals must not occur more than 3 days prior to an authorized trip.

Closed on 03.14.2023
No. 7 to OST

Strengthen current cash-advance controls to test cardholder compliance with cash advances and require follow-up with cardholders when instances are detected.

No. 8 to OST

Design and implement a control to test that cardholders are using the travel card to pay only for official travel expenses as required. The control should include follow-up with cardholders when charges unrelated to official travel are detected.

Closed on 03.20.2023
No. 9 to OST

Modify training materials to emphasize the required use of the travel card for all expenses related to official travel.  

Closed on 11.02.2023
No. 10 to OST

Develop and implement controls to require that refresher training is administered timely in electronic learning management system, and require that cardholders complete refresher training in a timely manner.

Closed on 03.20.2023
No. 11 to OST

Modify the current travel card application process to include a manager certification as required by the DOT travel card management policy.

Audit Report: AV2021010 issued on 12.08.2020
Weaknesses in FAA’s Supplemental Passenger Restraint System Authorization Process Hinder Improvements to Open-Door Helicopter Operations
No. 1 to FAA

Issue a Notice of Proposed Rulemaking and a final rule, if found to be in the public interest, that address operations using supplemental passenger restraint systems.

Closed on 08.09.2022
No. 2 to FAA

Require all supplemental passenger restraint system applications to be reviewed using a standardized evaluation checklist that defines which information must be included on the request form for authorization.   

No. 3 to FAA

Define minimum certification standards that meet aviation-specific load factors for supplemental passenger restraint systems.

No. 4 to FAA

Revise the supplemental passenger restraint system authorization procedures so applications are routed through local oversight offices to notify inspectors which operators are requesting and subsequently authorized for supplemental restraint use.

No. 5 to FAA

Develop and incorporate supplemental passenger restraint inspection criteria (such as frequency of inspections, review of harness authorization documentation, and maintenance of harnesses) into inspector guidance for both Part 135 and Part 91 surveillance.

Audit Report: SA2021009 issued on 12.02.2020
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending September 30, 2020
Closed on 02.24.2021
No. 1 to OST

We recommend that DOT coordinate with the impacted OAs to develop a corrective action plan to resolve and close the findings identified in this report.

$25,838
No. 2 to OST

We recommend that DOT determine the allowability of the questioned transactions and recover $25,838, if applicable.

Audit Report: QC2021008 issued on 11.16.2020
Quality Control Review of the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
Closed on 03.30.2023
No. 1 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policy.

No. 2 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.

No. 3 to OST

KPMG recommends that management design and implement component-specific system security plan requirements in instances where plans for those areas are not addressed in the Departmental system security plan.

Closed on 04.20.2022
No. 4 to OST

KPMG recommends that management design and implement procedures related to the retention of appropriate supporting evidence of internal controls including, but not limited to, access administration, access recertification, audit log review, and patch management.

Closed on 03.30.2023
No. 5 to OST

KPMG recommends that DOT management maintain a documentation trail which demonstrates completion of each step in the performance of their input validation control in accordance with the TIFIA Loan Subsidy Re-estimates standard operating procedures.    

Closed on 03.07.2022
No. 6 to FTA

KPMG recommends that FTA management perform a documented risk assessment and develop a tailored grant accrual methodology for each new grant accrual category in which the expected costs incurred but not recorded may differ based on the characteristics of the grant funding. To the extent contradictory evidence or actual incurrence does not align with the initial assumptions developed, management should refine the methodology accordingly.

Closed on 03.07.2022
No. 7 to FTA

KPMG recommends that FTA management establish a documented review process to clearly demonstrate the historical disbursement days for all grant accrual categories have been reviewed prior to recording the grant accrual.

Audit Report: QC2021007 issued on 11.13.2020
Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
Closed on 07.03.2023
No. 1 to FAA

KPMG recommended that FAA management design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policies. 

No. 2 to FAA

KPMG recommended that FAA management design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policies.

Closed on 07.20.2023
No. 3 to FAA

KPMG recommended that FAA management implement component-specific system security plan requirements.    

Audit Report: QC2021003 issued on 10.26.2020
Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security Program and Practices