Recommendation Dashboard

OIG’s Office of Auditing and Evaluation makes recommendations to the Department of Transportation and a few independent transportation entities to correct deficiencies and encourage improvements in the safety, economy, efficiency, and management of their programs and operations. Our audit report findings and conclusions explain the basis for the specific corrective actions we recommend. This Recommendation Dashboard provides more information than ever before about the current status of OIG recommendations, which we plan to update on a weekly basis. For more information, see answers to frequently asked questions.

 

Open Recommendations by Agency

As of: The Recommendation Dashboard does not include data on many of our older audits for which all recommendations were closed prior to July 1, 2016.

 
 
Audit Report: ST2022028 issued on 04.27.2022
FRA Uses Automated Track Inspections To Aid Oversight but Could Improve Related Program Utilization Goals and Track Inspection Reporting
No. 1 to FRA

Update and implement Automated Track Inspection Program (ATIP) fleet utilization performance metric(s) and establish a process to monitor ATIP contractor performance.

No. 2 to FRA

Document the current ATIP survey prioritization process and establish a schedule for running the prioritization tool with updated data.

No. 3 to FRA

Revise the Track and Rail and Infrastructure Integrity Compliance Manual to include specific guidance for inspectors completing ATIP-related inspection reports.

No. 4 to FRA

Modify the programming logic of the Railroad Inspection System for Personal Computers so that the system will accept only correct ATIP-related inspection report entries.

No. 5 to FRA

Develop and implement training for Track Division specialists and inspectors on how to correctly prepare ATIP-related inspection reports.

No. 6 to FRA

Document and implement the track safety inspection planning processes, including guidance to district track specialists and inspectors on data sources that can be used to inform planning (e.g., risk assessment models, planning tools, and ATIP data).

Audit Report: AV2022027 issued on 04.27.2022
FAA Made Progress Through Its UAS Integration Pilot Program, but FAA and Industry Challenges Remain To Achieve Full UAS Integration
No. 1 to FAA

Establish goals, milestones, and performance measures of success for the BEYOND program to guide and track Agency and participants’ progress toward achieving beyond visual line of sight operations.

No. 2 to FAA

Communicate to BEYOND stakeholders how program operational, societal and economic benefit data will be used, analyzed, and shared to inform new policies, safety reviews, and rulemaking, including the rule for UAS operations beyond visual line of sight.

No. 3 to FAA

Implement a process to periodically assess the data collected during BEYOND—annually at a minimum—to determine if it is providing needed information and make adjustments as necessary.

No. 4 to FAA

Provide stakeholders and the general public with non-proprietary information related to BEYOND results via the FAA website or other appropriate means.

No. 5 to FAA

Identify intra-agency points of connection and lines of authority responsible for approving and integrating new UAS technologies, evaluate options to improve working across lines of business, and implement the best option based on the Agency’s evaluation.

No. 6 to FAA

Evaluate the causes of IPP program manager turnover as well as the communication and transfer of knowledge, policies, and procedures to new program managers in the transition process, and implement actions to address those issues in BEYOND.

Audit Report: AV2022026 issued on 03.30.2022
While FAA Is Coordinating With Other Agencies on Counter-UAS, Delays in Testing Detection and Mitigation Systems Could Impact Aviation Safety
No. 1 to FAA

Conduct a UAS detection and C-UAS program assessment that includes a determination of future resource needs and organizational structure based on how to best align those resources.

No. 2 to FAA

Evaluate the UAS detection and C-UAS coordination request process to identify and correct inefficiencies to improve timeliness in anticipation of future program growth.

No. 3 to FAA

Finalize internal UAS detection and C-UAS request processing and document retention guidance.

Audit Report: ST2022025 issued on 03.23.2022
PHMSA Can Enhance Its Hazardous Material Fitness Reviews by Meeting Its Application Processing Goal and Addressing Oversight Gaps
Closed on 05.13.2022
No. 1 to PHMSA

Develop and implement a plan to complete an automated tool for tracking safety profile evaluations.

No. 2 to PHMSA

Conduct a historic analysis and use the results as the basis for timeliness goals for Tier 2 evaluations and Tier 3 inspections in the revised Field Operations Manual.

No. 3 to PHMSA

Develop and implement a plan that updates the interagency agreement for processing approval and special permit applications, including details for conducting Tier 2 evaluations and Tier 3 fitness inspections within the 120-day goal.

No. 4 to PHMSA

Update the various software for processing applications by adding a field for the fitness inspection report number.

No. 5 to PHMSA

Update the Case Management System by adding a field to identify the application tracking number associated with a fitness inspection.

No. 6 to PHMSA

Develop and implement a plan to complete revision of the Field Operations Manual, directing that fitness memorandums include additional information identifying relevant inspections, using quality control items, and conducting risk assessments.

No. 7 to PHMSA

Synchronize the revised Approvals Program Desk Guide and the revised risk-based guidelines for referring foreign cylinder applicants.

No. 8 to PHMSA

Develop and implement a plan to complete an assessment of PHMSA oversight of U.N. Third-Party Packaging Certification Agencies and other independent entities that monitor approval and special permit holders.

No. 9 to PHMSA

Develop and implement guidelines on prioritizing fitness inspections along with other types of inspections.

No. 10 to PHMSA

Develop and implement a mechanism to improve the linking of applicants with incident and enforcement data.

No. 11 to PHMSA

Develop and implement a plan to revise application processing software user guides, with instructions to identify blank automated fitness reports.

No. 12 to PHMSA

Develop and implement a plan to update PHMSA's website on delayed application status with all required data.

Audit Report: FS2022024 issued on 03.23.2022
DOT Does Not Ensure Compliance With All Single Audit Provisions of OMB’s Uniform Guidance
Closed on 04.28.2022
No. 1 to OST

Designate a single audit accountable official (SAAO) responsible for ensuring that the OAs fulfill all the requirements of the Uniform Guidance and provide the official's name and title to OMB.

No. 2 to OST

Require the SAAO to designate a key management single audit liaison to serve as the Federal awarding agency's management point of contact for the single audit process both within and outside the Federal Government and provide the official's name and title to OMB.

No. 3 to OST

Require the SAAO to develop and implement a policy to ensure Operating Administrations (OA) meet Uniform Guidance's requirements for Federal awarding agencies.

No. 4 to OST

Require the SAAO to develop and implement processes to ensure that OAs confirm its recipients' single audits and reporting packages are completed and timely submitted to the Federal Audit Clearinghouse (FAC).

No. 5 to OST

Require the SAAO to develop and implement processes that ensure OAs download single audit reports from FAC's Image Management System and OAs identify and track single audit findings directly related to their programs.

No. 6 to OST

Require the SAAO to develop and implement processes that ensure OAs issue timely management decisions on all single audit findings affecting their programs.

No. 7 to OST

Require the SAAO to develop and implement processes that ensure OAs follow up on single audit findings and verify that OAs recipients took appropriate and timely corrective actions.

Audit Report: AV2022023 issued on 03.14.2022
FAA Needs Additional Accountability and Transparency in Reporting Performance Measures and Targets for Major System Investments and Environmental Reviews
No. 1 to FAA

Develop and implement a written policy to document the process for adding and removing programs and reporting the names of all the programs tracked in the major system investments performance measure.

No. 2 to FAA

Develop and implement a written policy or procedure to establish an internal control mechanism to identify all major transportation projects on the Federal Infrastructure Permitting Dashboard that should be tracked in the environmental performance measure and document reasons why projects are or are not determined to be major transportation projects.

No. 3 to FAA

Review and update the definition of the types of projects included in major transportation projects, to ensure all major transportation projects are being tracked under the measure.

Audit Report: FS2022022 issued on 02.15.2022
Outdated Policies Hinder FHWA’s Ability To Oversee Unobligated Emergency Relief Funds
No. 1 to FHWA

Direct the Office of Infrastructure to follow the FHWA Emergency Relief (ER) Manual regarding deallocations of unobligated funds.

$5,200,000
No. 2 to FHWA

Identify any balance of allocated quick release funds older than 6 months, that will not be obligated through the remainder of the fiscal year and that are no longer needed, including the unobligated quick release amounts described in this report, withdraw or deallocate as appropriate in accordance with the ER policy. Implementation of this recommendation could put $5.2 million in funds to better use.

No. 3 to FHWA

Update the ER Manual's quick release procedures to clarify the documentation needed for funding approval and the responsibilities to maintain sufficient evidence of required approvals for quick release requests submitted in accordance with emergency relief policy and program requirements.

$1,958,064
No. 4 to FHWA

Instruct the FHWA Texas Division to coordinate with the Texas DOT to deobligate the funds the State no longer needs, as discussed in this report. Implementation of this recommendation could put $1,958,064 in funds to better use.

No. 5 to FHWA

Update the ER Manual to incorporate the requirements in FHWA Order 5182.1, including the routine review of unobligated balances so that funds can be deallocated when no longer needed.

$176,030
No. 6 to FHWA

Recover the $176,029.71 in unallowable emergency relief payments identified in this report.

Audit Report: SA2022021 issued on 02.09.2022
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending December 31, 2021
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$5,409,880
No. 2 to OST

Determine the allowability of the questioned transactions and recover $5,409,880, if applicable.

Audit Report: FS2022019 issued on 01.31.2022
Management Letter Report on the Great Lakes Saint Lawrence Seaway Development Corporation’s Audited Financial Statements for Fiscal Years 2021 and 2020
No. 1 to GLS

Implement controls that require that the correct micro-purchase thresholds are assessed before approving SAM waivers.

No. 2 to GLS

Review payments made to the non-SAM approved vendor and determine whether the amounts are recoverable in accordance with the Payment Integrity Information Act of 2019.

No. 3 to GLS

Document and follow established controls to require that supporting documentation for CDs is obtained in a timely manner and recorded accurately so the system of record properly reflects information related to the CDs.

No. 4 to GLS

Develop and implement controls to require that employees are removed from CD accounts when they separate from the corporation and replace with current employees.

No. 5 to GLS

Implement procedures to perform periodic reviews of OM&S purchases for valuation accuracy.

No. 6 to GLS

Follow up on prior help requests submitted to system support to verify that the OM&S cost corrections have been made.

No. 7 to GLS

Work with system support to correct the deficiencies that cause OM&S cost errors.

Audit Report: QC2022017 issued on 01.31.2022
Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020
No. 1 to OST

KPMG recommends that ESC management correct the ESC server inventory list to ensure that all production servers are correctly categorized.

No. 2 to OST

KPMG recommends that ESC management implement a quality assurance process to confirm that all servers and systems are included during the semiannual review process.

No. 3 to MARAD

KPMG recommends that MARAD management develop and implement policies and procedures to timely evaluate and respond to changes in MARAD’s programs or activities prompted by public law or DOT directives that could impact financial reporting objectives and cause revision to its accounting treatment.

No. 4 to MARAD

KPMG recommends that MARAD management should design and implement processes to timely correct identified errors or account for changes in accounting policies.

No. 5 to OST

KPMG recommends that ESC management update procedures surrounding management’s review of journal entries to ensure journal entries are reviewed at an appropriate level of precision to determine that all manually posted entries are complete, accurate, and adequately supported by documentation.

No. 6 to OST

KPMG recommends that OST management obtain documentation from external borrowers to support the input assumption that the remaining loan value will not be disbursed.

No. 7 to OST

KPMG recommends that OST management maintain a documentation trail that includes support for each current year input in accordance with the TIFIA Loan Subsidy Re-estimates Standard Operating Procedures.

Audit Report: QC2022020 issued on 01.31.2022
Quality Control Review of the Management Letter for the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2021 and 2020
No. 1 to STB

STB management should review the current version of OMB Circular A-136 to independently verify that all required footnotes are included and bring any omissions to the service provider’s attention so that errors or omissions can be corrected.

No. 2 to STB

STB management should review the service provider’s Financial Statement and Notes Review Checklist to verify that the checklist is up to date and includes all required elements per OMB and Treasury guidance and then complete the checklist independently. Alternatively, STB management should develop and complete its own review checklist based on current Treasury and OMB reporting requirements.

No. 3 to STB

STB management should request its financial management service provider to:
a. Reevaluate the inclusion of account balances that were excluded in the Other Liabilities footnote, or
b. Disaggregate (i.e. separately report) intragovernmental other liabilities balances reported as a single line item on the balance sheet that are not included in the footnote so that the total amounts reported for Other Liabilities on the Balance Sheet and in the footnote agree.

No. 4 to STB

STB should perform routine reviews of employee benefit elections and Official Personnel Folders to ensure they are complete and accurate.

No. 5 to STB

STB should address missing or unavailable supporting documentation with its shared service provider to ensure that document retrieval tools are available and are working properly to allow retrieval of all stored documents.

No. 6 to STB

STB management should work with the service provider to identify, at least quarterly, upward adjustments that have been offset by downward adjustments in the general ledger or perform an independent review of the general ledger activity of both accounts so that manual adjustments can be recorded to properly state the ending balances of both accounts, if needed.

No. 7 to STB

STB management should design and implement policies and procedures which enhance the internal review process for upward and downward adjustment transactions and includes a reconciliation of the UDO balances with the supporting documentation to ensure that transactions have been recorded correctly.

No. 8 to STB

STB should amend its existing policy regarding the review and approval of journal vouchers to include a review of all non-reversing entries recorded during the fiscal year and to review all year-end journal vouchers before they are recorded in the agency’s general ledger.

Audit Report: QC2022018 issued on 01.31.2022
Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020
No. 1 to FAA

KPMG recommends that FAA configure the password length for Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

No. 2 to FAA

KPMG recommends that FAA design and implement formal detective controls to log and monitor developer activities in the time and attendance system production environment. All programmatic changes to the time and attendance system production environment should be reviewed and reconciled from the logs to the approved change tickets.

No. 3 to FAA

KPMG recommends that FAA design and implement a process to ensure that inventory system application, database and operating system changes are tested, documented, and approved prior to migration into production in accordance with FAA policy; and update the change management ticketing system to capture required approvals and evidence of testing for inventory system application, database or operating system changes.

No. 4 to FAA

KPMG recommends that FAA configure the account lockout threshold for the Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

No. 5 to FAA

KPMG recommends that FAA update the control to investigate cases removed from the Legal Letter and Contingent Liability Report period over period prior to recording the legal liability.

No. 6 to FAA

KPMG recommends that FAA ensure that policies and procedures for revoking access to the shared services center for separated users include:
a. Timely notifying shared services center managers of FAA employees that have separated from the agency to ensure that access is removed; and
b. Enforcing the timeline for removal of separated employees from shared services center, by reviewing active user listings on a periodic basis to ensure that no separated employees still have access.

Audit Report: AV2022016 issued on 01.12.2022
Changes in Requirements and Schedule Delays Contributed to the Termination of the NAS Voice System Contract
No. 1 to FAA

Finalize the report on the NVS contract failure and the program termination, and develop action items to address the failures and a plan for implementing them.

Audit Report: QC2022015 issued on 11.15.2021
Quality Control Review of the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020
No. 1 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policy.

No. 2 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.

No. 3 to OST

KPMG recommends that DOT management design and implement component-specific system security plan requirements in instances where plans for those areas are not addressed in the Departmental system security plan.

No. 4 to OST

KPMG recommends that DOT management design and implement procedures related to the retention of appropriate supporting evidence of internal controls, including but not limited to, access administration, access recertification, audit log review, and patch management.

No. 5 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations risk assessment to determine the impact of a timing gap between the issuance of service organization SOC reports and the Department’s fiscal year.

No. 6 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations documented review of applicable SOC reports, which includes a consideration of results year over year, implementation of the service organizations’ recommended complementary user entity controls and monitor such controls for proper design, implementation and operating effectiveness.

No. 7 to OST

KPMG recommends that DOT management strengthen its policies and procedures to formalize a complete process to assess and monitor applicable third-party service organizations review and evaluation of findings identified within the service organization’s SOC report and assess the impact on the Department’s internal control over financial reporting.

Audit Report: QC2022013 issued on 11.12.2021
Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2021 and 2020
No. 1 to FAA

KPMG recommends FAA design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policy.

No. 2 to FAA

KPMG recommends FAA design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.

No. 3 to FAA

KPMG recommends FAA design and implement component-specific system security plan requirements in instances where plans for those areas are not addressed in the Departmental system security plan.

Audit Report: SA2022010 issued on 11.10.2021
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending September 30, 2021
Closed on 03.18.2022
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$9,236,974
No. 2 to OST

Determine the allowability of the questioned transactions and recover $9,236,974, if applicable.

Audit Report: ST2022009 issued on 11.09.2021
Weaknesses in NHTSA’s Training and Guidance Limit Its Ability To Set and Enforce Federal Motor Vehicle Safety Standards
Closed on 05.04.2022
No. 1 to NHTSA

Update the existing written procedure for acting on rulemaking petitions to meet the required 120-day timeline.

Closed on 04.05.2022
No. 2 to NHTSA

Develop and implement a written process for reviewing compliance test reports.    

No. 3 to NHTSA

Develop and implement a training curriculum process for Safety Compliance Engineers.

No. 4 to NHTSA

Implement and communicate guidance on conducting compliance investigations.

Closed on 03.01.2022
No. 5 to NHTSA

Develop and implement a targeted process for reviewing and prioritizing conformity packages to meet the required 30-day timeframe.

No. 6 to NHTSA

Finalize and implement the Import and Certification Division's process to monitor and investigate Registered Importers' compliance with Federal regulations.

Audit Report: ZA2022008 issued on 10.27.2021
MARAD's Ability To Achieve Cost-Effective USMMA Contracts Is Compromised by Several Management Control Weaknesses
Closed on 04.04.2022
$4,900,000
No. 1 to MARAD

Establish and implement a control process to verify compliance with Federal requirements to establish files with complete documentation for all USMMA contracts and ensure that these files are readily accessible to principal users. Implementing this recommendation could put $4.9 million in Federal funds to better use by providing complete documentation to support that MARAD made efficient, compliant, and sound contracting decisions and actions.    

No. 2 to MARAD

Establish and implement a control process to verify compliance with Department requirements to use contract file checklists for all USMMA contracts.

Closed on 02.17.2022
No. 3 to MARAD

Require and verify all MARAD acquisition staff attend annual refresher training on Federal, departmental, and MARAD-specific procurement and acquisition workforce requirements. Post training material in a central location that all staff can reference and access.  

No. 4 to MARAD

Develop and implement standardized contract forms and templates to document completion of procurement requirements when awarding USMMA contracts below the Simplified Acquisition Threshold (SAT).

$52,600,000
No. 5 to MARAD

For USMMA contracts that exceed the SAT, establish and implement a process(s) to verify compliance with applicable Federal, departmental, and MARAD procurement requirements associated with market research, independent Government cost estimates, source selection strategies, price and cost analysis, acquisition planning, and legal review. Implementing this recommendation could put $52.6 million in Federal funds to better use by improving MARAD's ability to efficiently award USMMA contracts that result in the best value to the Agency and meet its needs.

No. 6 to MARAD

Establish and implement a control process to verify the Agency's oversight procedures regarding warrant requirements are correctly and consistently carried out for contract officers (CO) assigned to USMMA contracts.

No. 7 to MARAD

Establish and implement a control process to verify compliance with Federal requirements to maintain accurate and complete data in the Federal acquisition system (previously the Federal Acquisition Institute's Acquisition Training Application System, now Cornerstone OnDemand) for all USMMA contracting officer's representatives (COR).

No. 8 to MARAD

Establish and implement a control process to verify compliance with Federal, departmental, and MARAD requirements to use COR appointment letters and verify that all CORs assigned to USMMA contracts are properly certified.

No. 9 to MARAD

Establish and implement a process for maintaining and tracking progress on USMMA Capital Improvement Program (CIP) projects, analyzing how changes to Academy plans will impact the cost and schedule of existing and planned CIP projects and contracts, and confirming that congressionally appropriated CIP funds are efficiently expended.

No. 10 to MARAD

Establish and implement a requirement that any project change(s) to an approved CIP, Long Range Strategy, or other facilities-related Academy plan be submitted to and approved by the Office of the Secretary of Transportation before the change becomes final.

Audit Report: QC2022006 issued on 10.25.2021
Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security System Program and Practices
No. 1 to OST

Develop and communicate an organization wide Supply Chain Risk Management strategy and implementation plan to guide and govern supply chain risks.

No. 2 to OST

Undertake a strategic analysis of the Inspector General FISMA Metrics and the weaknesses identified in the audit, to develop a multi-year strategy and approach to include objective milestones, and resource commitments by the Department and the CIO that address the corrective actions necessary to show steady, measurable improvements towards an effective information security program.

No. 3 to OST

Work with the Federal Aviation Administration’s CIO and Federal Motor Carrier Safety Administration’s Information Security System Manager (ISSM), to investigate and remediate cross-site scripting vulnerabilities identified in public facing web applications.

No. 4 to OST

Work and coordinate with system owners to identify and remediate weak and default authentication mechanisms within their systems and the Common Operating Environment.

No. 5 to OST

Develop and implement a process to facilitate centralized monitoring, oversight (by ISSMs and their alternates) and escalation efforts to ensure the timely completion of required security awareness training and role based training for all DOT personnel leveraging an automated integrated solution(s) and dashboards.

Audit Report: IT2022003 issued on 10.20.2021
FMCSA’s IT Infrastructure Is at Risk of Compromise
No. 1 to FMCSA

Change the passwords for the compromised web servers to strong passwords that meet DOT's Cybersecurity Compendium requirements.

Closed on 01.31.2022
No. 2 to FMCSA

Restrict access to administrator login pages to only verified administrators and computers.

Closed on 01.31.2022
No. 3 to FMCSA

Identify and remove all malware that was uploaded to FMCSA's web servers.

No. 4 to FMCSA

Develop and implement stronger malicious code protection and detection controls.

Sensitive
No. 5 to FMCSA

Sensitive information redacted

Closed on 01.31.2022
Sensitive
No. 6 to FMCSA

Sensitive information redacted

Closed on 01.31.2022
No. 7 to FMCSA

Change the passwords for FMCSA's compromised databases.

Closed on 01.31.2022
Sensitive
No. 8 to FMCSA

Sensitive information redacted

No. 9 to FMCSA

Validate whether production data is being used on other preproduction databases that FMCSA hosts.

Closed on 01.31.2022
$570,367,559
No. 10 to FMCSA

Establish and implement security safeguards for the protection of PII in accordance with DOT policy. Implementing this recommendation could put up to $570,367,559 of funds to better use by avoiding the cost of credit monitoring for affected individuals.

No. 11 to FMCSA

Implement monitoring controls and alerts to identify when database admin accounts log in from non-authorized IP addresses.

No. 12 to FMCSA

Implement real time security monitoring tools and alert features to monitor FMCSA web servers and databases for access from unauthorized IP addresses.

No. 13 to FMCSA

Develop and implement a plan to remediate all identified critical, high, and medium vulnerabilities on FMCSA devices older than October 8, 2019.

Audit Report: IT2022005 issued on 10.20.2021
FTA Does Not Effectively Assess Security Controls or Remediate Cybersecurity Weaknesses To Ensure the Proper Safeguards Are in Place to Protect Its Financial Management Systems
Closed on 02.01.2022
Pandemic Oversight
No. 1 to FTA

Select and implement security control-process isolation to protect its financial management systems (FMS and ECHO-Web) against risk.

Pandemic Oversight
No. 2 to FTA

Perform an assessment of its financial management systems (FMS, ECHO-Web, and TrAMS) security controls that at a minimum reflect the correct security control types and update each system’s system security plan with the correct control types.

Pandemic Oversight
No. 3 to FTA

Update the security assessment documents for its financial management systems (FMS, ECHO-Web, and TrAMS) to properly reflect the results of all security controls (e.g., common, hybrid, and system-specific) for selection, implementation, and assessment, per DOT requirements.

Pandemic Oversight
No. 4 to FTA

Obtain and assess all up-to-date security authorization documents associated with its financial management systems (FMS, ECHO-Web, and TrAMS) inherited controls (e.g. common, hybrid) to determine and monitor the effectiveness of its inherited controls and risk per NIST & DOT security requirements.

Sensitive
Pandemic Oversight
No. 5 to FTA

Sensitive information redacted

Closed on 01.31.2022
Sensitive
Pandemic Oversight
No. 6 to FTA

Sensitive information redacted

Pandemic Oversight
No. 7 to FTA

Implement secure configuration settings for its financial management systems (FMS and ECHO-Web) databases in accordance with Federal and DOT policies.

Sensitive
Pandemic Oversight
No. 8 to FTA

Sensitive information redacted

Pandemic Oversight
No. 9 to FTA

Develop and implement a plan that ensures continuity of federal workforce and contractual resources to fulfill contingency responsibilities for its financial management systems (FMS and ECHO-Web) to maintain continued operations should an emergency event incapacitate the primary personnel.

Pandemic Oversight
No. 10 to FTA

Conduct, document, and communicate the results of its annual incident response and data breach plan testing for financial management systems before authorization to operate (ATO), to ensure effectiveness in the event a security incident or data breach is discovered within FTA or an external party (e.g., FTA recipient, common control provider).

Pandemic Oversight
No. 11 to FTA

Establish, document, and implement a security incident reporting process and procedures for its recipients to report incidents that affect their login credentials.

Pandemic Oversight
No. 12 to FTA

Require the FTA Information System Security Manager (ISSM)/ Privacy Officer to adhere to its Incident and Data Breach Response Plan to report recipient cybersecurity incidents involving FTA information systems or user accounts.

Sensitive
Pandemic Oversight
No. 13 to FTA

Sensitive information redacted

Audit Report: AV2022004 issued on 10.20.2021
FAA Lacks Effective Oversight Controls To Determine Whether American Airlines Appropriately Identifies, Assesses, and Mitigates Aircraft Maintenance Risks
No. 1 to FAA

Develop and implement root cause analysis training for inspectors more in line with training in the aviation industry.

No. 2 to FAA

Develop and implement a management control to ensure that inspectors maintain the link between the compliance action and the corrective action validation inspection within its inspection databases.

No. 3 to FAA

Develop and implement a management control to ensure inspectors require air carriers to provide written root cause analyses and that these analyses do not specifically identify human factors issues as root causes.

No. 4 to FAA

Develop and implement a management control to ensure that inspectors do not send compliance action close out letters until the corrective actions have been completed and validated.

No. 5 to FAA

Develop and implement a team inspection approach in order to periodically assess the air carrier's Safety Management System.

No. 6 to FAA

Develop and implement Safety Management System training for inspectors that is specifically designed to aid inspectors in evaluating air carrier risk assessments.

No. 7 to FAA

Revise the Safety Management Systems data collection tool to allow inspectors to perform more detailed reviews and accurately document the results of these reviews.

Audit Report: QC2022002 issued on 10.06.2021
Quality Control Review of the Independent Auditor’s Report on DOT’s Compliance with the Digital Accountability and Transparency Act
No. 1 to OST

Implement and document a formal quarterly review process to ensure that any nonfatal warnings related to cross-validations of Files C, D1, and D2 at the OA level are investigated, and actions to address the warnings are clearly documented.

No. 2 to OST

Develop a complete inventory of DATA Act data element sources and definitions that exist within their systems and establish controls to ensure that the inventory is updated in response to relevant changes to DOT systems or DAIMS guidance.

No. 3 to OST

Implement a control to ensure that transaction level information is reported in File C in accordance with the data standards.

No. 4 to OST

Implement and document an internal oversight review process for financial assistance awards to ensure that controls are in place to verify recipients are registered in SAM at the time of financial assistance award.

Audit Report: QC2022001 issued on 10.04.2021
Quality Control Review of an Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices
No. 1 to STB

Develop an enterprise architecture that includes information security considerations and the resulting risk to the Agency, as well as incorporates STB’s existing cyber security architecture.

No. 2 to STB

Identify and define all software programs that are not authorized to execute on STB information systems.

No. 3 to STB

Establish and implement procedure to manage hardware asset inventory connected to STB’s network.

Closed on 03.28.2022
No. 4 to STB

Review all open Plan Of Actions & Milestones and assign scheduled completion dates which account for the required resources and corrective actions, including milestones, to manage and mitigate the identified risk.

No. 5 to STB

Develop a Supply Chain Risk Management strategy and supporting policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.

No. 6 to STB

Develop a process to make improvements to its baseline configuration, secure configuration, and flaw remediation policies and procedures through the use of lessons learned.

No. 7 to STB

Implement documented processes for configuration management changes as required by STB policies and procedures.

No. 8 to STB

Evaluate deviations from Center for Internet Security benchmarks and determine if the associated configurations should align with best practices or if deviations should be risk accepted.

No. 9 to STB

Update vulnerability management procedures to support implementation of STB’s Vulnerability Disclosure Policy.

Closed on 04.11.2022
No. 10 to STB

Update the Access Recertification Process document to align with STB’s existing practices to ensure users complete all required training and onboarding forms.

Closed on 04.11.2022
No. 11 to STB

Develop and implement a written policy or procedure to establish an internal control mechanism to identify all major transportation projects on the Federal Infrastructure Permitting Dashboard that should be tracked in the environmental performance measure and document reasons why projects are or are not determined to be major transportation projects.

Closed on 03.28.2022
No. 12 to STB

Develop a process to make improvements to the effectiveness of its Identity, Credential, and Access Management policy, strategy, and road map.

No. 13 to STB

Define procedures to review and remove unnecessary PII collection on an organization defined frequency.

No. 14 to STB

Perform the review of Privacy Threshold Analysis for STB General Support System, At Hoc, and Dynamic Case Management system on an annual basis.

No. 15 to STB

Implement data protection policies and procedures for Data at Rest, prevention and detection of untrusted removable media, and destruction or reuse of media containing PII or other sensitive agency data.

No. 16 to STB

Address the knowledge, skills, and abilities gaps identified during the FY 2020 skill gap assessment through training or talent acquisition.

No. 17 to STB

Complete the transition from traditional three (3) year authorizations to ongoing authorizations for STB-LAN.

No. 18 to STB

Implement documented processes for collecting and reporting performance metrics at the organization and system level to assess the effectiveness of Information Security Continuous Monitoring program.

No. 19 to STB

Develop a process to make improvements to the effectiveness of its ISCM program through the collection and reporting of quantitative and qualitative performance metrics, and lessons learned.

Closed on 03.28.2022
No. 20 to STB

Define the performance metrics for measuring the incident response capability.

Closed on 03.28.2022
No. 21 to STB

Update STB Incident Response Plan to include requirements for the technologies utilized to support Incident Response processes.

Closed on 03.28.2022
No. 22 to STB

Define the frequency for the performance of Post Incident activities.

Closed on 03.28.2022
No. 23 to STB

Update STB Incident Response plan containment strategies to reflect the current agency's risk prioritization processes.

Closed on 03.28.2022
No. 24 to STB

Implement documented processes for Incident Response resolutions of tickets in a consistent manner, as required by STB policies and procedures.

Closed on 03.28.2022
No. 25 to STB

Define the frequency for the performance of system level Business Impact Analyses (BIA).

No. 26 to STB

Review the organization wide BIA on an annual basis.

No. 27 to STB

Conduct a tabletop exercise of the General Support System’s information system contingency plan (ISCP) on an annual basis.

Audit Report: ZA2021037 issued on 09.27.2021
FAA Faces Challenges in Tracking Its Acquisition Workforce and Ensuring Compliance With Training, Certification, and Warrant Requirements
No. 1 to FAA

Establish and implement an effective process for: (i) identifying and tracking the Agency's acquisition workforce (such as Contracting Officers (COs), Contracting Officer's Representatives (CORs) and Program/Project Managers (P/PMs) ) and (ii) collecting and maintaining their certifications and related training records. Data collected via this process and maintained in repositories should be complete, accurate, and readily accessible.

No. 2 to FAA

Identify, remove, and/or rectify those COs, CORs, and P/PMs—currently assigned to a contract or program—that lack the required training or certification to fulfill their designated role.

No. 3 to FAA

Develop and implement training and guidance related to the Agency's replacement of FAITAS. This training and guidance should address acquisition certification requirements, documentation, and application processes under the new system.

No. 4 to FAA

Implement performance and certification metrics for CORs and P/PMs.

No. 5 to FAA

Revise AMS to reflect FAA's decision to delegate approval authority for COR certifications to the Acquisition Career Manager.

No. 6 to FAA

Strengthen the process for nominating CORs to include completing, issuing, and storing COR Delegation Letters and Nomination Forms in the contract file.

No. 7 to FAA

Strengthen quality assurance procedures to verify accuracy when identifying and reporting the acquisition P/PMs assigned to OMB Major Programs.

No. 8 to FAA

Establish a timeline to implement and verify compliance with the requirement that all P/PMs assigned to OMB Major Programs obtain and maintain a FAC P/PM Information Technology Certification.

Audit Report: QC2021038 issued on 09.27.2021
Quality Control Review of the Independent Auditor’s Report on DOT’s Enterprise Services Center
Closed on 01.12.2022
Sensitive
No. 1 to OST

Sensitive information redacted

Sensitive
No. 2 to OST

Sensitive information redacted

Sensitive
No. 3 to OST

Sensitive information redacted

Sensitive
No. 4 to OST

Sensitive information redacted

Audit Report: SA2021036 issued on 08.31.2021
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending June 30, 2021
Closed on 01.12.2022
No. 1 to OST

Coordinate with impacted OAs to develop a corrective action plan to resolve and close the findings highlighted in this report.

$32,153,264
No. 2 to OST

Determine the allowability of the questioned transactions and recover $32,153,264, if applicable.

Audit Report: AV2021035 issued on 08.18.2021
FAA’s Approach for Establishing and Modifying Air Traffic Controller Staffing Levels Needs Improvement To Properly Identify Staffing Needs at Contract Towers
No. 1 to FAA

Analyze and document the justification for the FAA Contract Tower (FCT) Program's minimum staffing requirements.

No. 2 to FAA

Develop and implement an internal process to periodically review, and maintain supporting records for FCT controller staffing minimums.

No. 3 to FAA

Develop and implement an internal process—including roles and responsibilities, timeframes, and criteria—to ensure contract requirements are met, and overpayments made to contractors are recovered.

$5,140,000
No. 4 to FAA

Recover overpayments to contractors, estimated minimum of $2.64 million and minimum of $2.5 million.

Audit Report: AV2021034 issued on 08.11.2021
FAA Can Increase Its Inspector Staffing Model’s Effectiveness by Implementing System Improvements and Maximizing Its Capabilities
No. 1 to FAA

Institute a process that compares the inspector staffing model estimates to actual staffing levels. The process should identify the reasons for the differences between the two figures, establish performance measures that help assess the accuracy of the model's results, and actions taken to improve future forecasting.

No. 2 to FAA

Finalize the demand-driven metrics and determine how they will be used in conjunction with the inspector staffing model.

No. 3 to FAA

Develop and implement a plan with milestones for completing the air carrier and general aviation staffing models, including information on how the Agency plans on using them in conjunction with the current staffing model, the process by which the business rules are updated, and the results of the most recent review of the business rules.

No. 4 to FAA

Produce inspector staffing estimates and actual staffing levels at the functional and field office levels. Include these figures in the Agency's annual safety workforce plan.

No. 5 to FAA

Reinstitute the process in which Flight Standards office managers review their staffing estimates.

No. 6 to FAA

Track progress on implementing the Office Workload List, including milestones to show when the Agency anticipates using information from the system to assist with inspector staffing decisions.

No. 7 to FAA

Update information regarding implementation of the Designee Management System, including milestones to show when FAA anticipates fully integrating individual designees into the system and how it intends to use the system's data to determine whether to adjust its inspector workforce staffing levels and responsibilities.

Audit Report: IT2021033 issued on 08.02.2021
FAA Is Taking Steps to Properly Categorize High-Impact Information Systems but Security Risks Remain Until High Security Controls Are Implemented
Sensitive
No. 1 to FAA

Sensitive information redacted

Sensitive
No. 2 to FAA

Sensitive information redacted

Sensitive
No. 3 to FAA

Sensitive information redacted

Sensitive
No. 4 to FAA

Sensitive information redacted

Sensitive
No. 5 to FAA

Sensitive information redacted

Sensitive
No. 6 to FAA

Sensitive information redacted

Audit Report: ST2021032 issued on 07.21.2021
FTA Made Progress in Providing Hurricane Sandy Funds but Weaknesses in Tracking and Reporting Reduce Transparency Into Their Use
No. 1 to FTA

Establish and implement written policies and procedures to accurately communicate allocated amounts over time through FTA's documents, such as notices, memoranda, and letters; the grant management system; and external reports.

Closed on 11.23.2021
No. 2 to FTA

Complete the planned update to FTA’s Assistance Listings internal guidance to include procedures to ensure the Agency complies with the Office of Management and Budget assistance listing requirements that are intended to make obligation information readily identifiable on USASpending.gov.  

Audit Report: ST2021030 issued on 07.14.2021
FMCSA Has Gaps and Challenges in Its Oversight of CDL Disqualification Regulations
No. 1 to FMCSA

Improve current requirements for States to record, track, and maintain paper-based convictions sent and received via mail by incorporating its standardized method for States to aggregate paper-based convictions to facilitate FMCSA's evaluation of State performance.

No. 2 to FMCSA

Finalize and implement standardized operating procedures for conducting annual program reviews and for supervisory quality control reviews of completed annual program reviews.

No. 3 to FMCSA

Modify the annual program review checklist to require reviewers to address key factors and determine whether: a. sampled out-of-State convictions were posted to driver records within the required 10 days; b. results from a review of in-State convictions and paper notifications of out-of-State convictions were documented; c. sample testing was conducted of the greater of 2 percent of electronic transactions in a month or a total of five transactions, in accordance with FMCSA’s 2016 policy memorandum; d. States are sending convictions either electronically or via mail but not using both methods; e. States begin disqualification periods on or after the date the out-of-State conviction is received; and f. States that are offering administrative appeals for out-of-State disqualifications and permitting them to be overturned are identified.

No. 4 to FMCSA

Finalize and implement a standard operating procedure for determining when a State is not making a good faith effort to timely mitigate compliance issues and when to impose sanctions on noncompliant States.

No. 5 to FMCSA

Complete the Agency's review of the State Compliance Records Enterprise system and implement identified improvements for managing States' compliance issues.

No. 6 to FMCSA

Develop and implement a process to segregate non-CDL holder convictions from all Commercial Driver's License Information System reports and workbooks utilized to evaluate State's compliance with CDL regulations.

No. 7 to FMCSA

Develop and implement a plan for coordinating with the American Association of Motor Vehicle Administrators to mitigate risks when States transition to new software systems. 

Audit Report: FI2021029 issued on 07.12.2021
FAA’s Ability To Manage Its National Airspace System Inventory Is Limited by Several Gaps in Its Processes That Remain After Adoption of the Agency’s Current Inventory Management System
No. 1 to FAA

Revise FAA's process for identifying excess, obsolete, or unserviceable inventory to include consideration for the quantity of repairable parts on hand, and the expected future demand for those parts.

Closed on 08.18.2021
No. 2 to FAA

Develop and implement an interim process for receiving, sorting, and disposing of excess, obsolete, or unserviceable inventory items at the Thomas Road Warehouse that includes the tracking of individual inventory parts from receipt through to final disposition.

No. 3 to FAA

Implement an oversight process for core due-ins that includes continuous tracking as well as following up on any core due-ins that are not returned within 30 days.

No. 4 to FAA

Evaluate and revise the Advance Due-In Report to maximize its effectiveness in accurately tracking actual due-ins from the field.

$38,000,000
No. 5 to FAA

Research, identify, and account for the due-ins identified in the Advance Due-in Report and request that parts be returned. If unreturned, bill NAS customers accordingly. Implementation of this recommendation could put over $38 million in funds to better use.

Closed on 08.18.2021
No. 6 to FAA

Document and implement FAA's process for conducting monthly exchange and repair inventory value calculations.

Closed on 08.12.2021
No. 7 to FAA

Develop and implement a plan to continuously track, reconcile, and reduce the inventory quantity discrepancies that currently exist between the Logistics Center Support System and the Warehouse Management System.

Audit Report: ST2021028 issued on 07.07.2021
MARAD Has Made Progress in Addressing NAPA Recommendations Related to Mission Focus, Program Alignment, and Ability To Meet Objectives
No. 1 to MARAD

Develop a plan with milestones for completing the remaining eight applicable recommendations.

No. 2 to MARAD

Track implementation of the plan with milestones.

Audit Report: ST2021027 issued on 06.30.2021
Fully Implementing a Grants Management Framework Will Enhance FRA’s Amtrak Funding Oversight
No. 1 to FRA

Establish and implement measurable goals and metrics for assessing the effectiveness of the oversight program.

Closed on 04.27.2022
No. 2 to FRA

Complete and implement procedures for systematically tracking issues identified through reviews of Amtrak's use of Federal funds and compliance with cooperative agreements.

No. 3 to FRA

Finalize and implement procedures for taking action to address Amtrak's noncompliance with cooperative agreement terms and conditions.

No. 4 to FRA

Implement the plan to complete information system improvements and centralize Amtrak oversight data in accordance with established milestones.

Audit Report: ZA2021026 issued on 06.02.2021
Gaps in Guidance, Training, and Oversight Impede FAA’s Ability To Comply With Buy American Laws
$127,000,000
No. 1 to FAA

Revise the Acquisition Management System (AMS) to include policy and guidance covering the BAA and BAP laws and requirements, specifically on the application of clauses, exceptions, and waivers, as well as when to obtain contractor certifications. Implementing this recommendation could put $127 million to better use by reducing the risk of FAA improperly procuring foreign-made supplies and products.

No. 2 to FAA

Develop and implement formal training that focuses on the application of FAA's BAA and BAP requirements, contract clauses, and waivers, as well as on obtaining and retaining required vendor certifications.

No. 3 to FAA

Revise AMS to include policy and guidance for FAA's Electronic Document Storage record-keeping system to include the retention of BAA and BAP documents in the official contract file.

No. 4 to FAA

Revise AMS to include guidance and procedures on how to monitor post-award compliance with the BAA requirements, including actions to take when acquisition clauses—such as vendor certification requirements—are incomplete or erroneously omitted.

Closed on 10.06.2021
No. 5 to FAA

Revise the National Acquisition Evaluation Program evaluation form and procedures to require evaluators to review and document Buy American compliance, e.g., by listing the categories of Buy American clauses as separate entries and including procedures that show evaluators how to test and document compliance.

No. 6 to FAA

Enhance existing quality control procedures to require acquisition personnel to enter FAA domestic content data (i.e., place of manufacture codes) accurately in the Federal Procurement Data System-Next Generation.

No. 7 to FAA

Develop and implement procedures for collecting, tracking, analyzing, and reporting on FAA's use of the BAP waivers and the BAA exceptions.

No. 8 to FAA

Develop and implement procedures to ensure FAA posts information on its existing use of BAP blanket waivers, as well as any newly executed waivers, for direct contracts on a public website.

Audit Report: SA2021025 issued on 05.26.2021
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending March 31, 2021
Closed on 07.29.2021
No. 1 to OST

Coordinate with impacted Operating Administrations (OA) to develop a corrective action plan to resolve and close the findings highlighted in this report.

$8,008,786
No. 2 to OST

Determine the allowability of the questioned transactions and recover $8,008,786, if applicable.

Audit Report: AV2021024 issued on 05.19.2021
DOT Appropriately Relied on Unsubsidized Carriers in Accordance With Its Policy but Conducted Limited Oversight of the Essential Air Service Communities They Serve
Closed on 09.21.2021
No. 1 to OST

Notify communities of their right to petition the Department about issues with basic essential air service.    

No. 2 to OST

Conduct periodic reviews of the level of basic essential air service in accordance with Federal regulations.

Audit Report: AV2021023 issued on 03.30.2021
NextGen Benefits Have Not Kept Pace With Initial Projections, but Opportunities Remain To Improve Future Modernization Efforts
Closed on 10.18.2021
No. 1 to FAA

Publish metrics that measure performance of NextGen improvements across the NAS. 

Closed on 01.18.2022
No. 2 to FAA

Develop and implement a process that incorporates interim adjusted benefit projections and interim implementation analyses to support prioritization of NextGen programs and deployment locations. 

Closed on 10.18.2021
No. 3 to FAA

Update and provide stakeholders a risk adjusted NextGen benefit projection. 

Audit Report: AV2021022 issued on 03.10.2021
FAA Has Made Progress in Implementing ASIAS, but Work Remains To Better Predict, Prioritize, and Communicate Safety Risks
No. 1 to FAA

Develop and implement models based on criteria to prioritize requests for ASIAS safety information across the ASIAS communities.

No. 2 to FAA

Disseminate ASIAS aggregated, confidential national-level metrics, such as known risk monitoring, on a regular basis to the Safety Analysis and Promotion Division and principal aviation safety inspectors.

No. 3 to FAA

Determine if the ASIAS non-confidential information is beneficial to Flight Standards inspectors, and if so, implement guidance to field-level personnel so that inspectors have an understanding of how, when, and why they should use the system.

Audit Report: ZA2021021 issued on 03.02.2021
Vulnerabilities in MARAD’s NSMV Program May Hinder Effective Achievement of Program Goals
Closed on 04.26.2021
No. 1 to MARAD

Document and implement a risk management process to analyze program risk, including risk identification, likelihood and consequence, mitigation strategy, and monitoring activities. This documented process should also include steps for monitoring, tracking, and updating risks throughout the life of the program. This recommendation should be completed prior to the start of full-scale vessel construction.

Closed on 05.14.2021
No. 2 to MARAD

Obtain, review, and approve complete versions of each of the following VCM oversight plans: the Configuration Design and Technical Management Plan; Quality Assurance, Risk Management, and Metrics Plan; and Test and Evaluation Plan. This recommendation should be completed prior to the start of full-scale vessel construction.

Audit Report: AV2021020 issued on 02.23.2021
Weaknesses in FAA’s Certification and Delegation Processes Hindered Its Oversight of the 737 MAX 8
No. 1 to FAA

Update the Changed Product Rule to address the integration of technological advances and exceptions.

No. 2 to FAA

Evaluate criteria for determining whether a system meets the definition of a "novel or unusual design feature," add specificity, and implement identified improvements.

No. 3 to FAA

Require applicants to submit failure probability analysis and key assumptions in certification deliverables.

No. 4 to FAA

Assess and update Advisory Circular 25.1309 guidance related to engineering assumptions regarding pilot actions, pilot reaction times, and failure mode testing.

No. 5 to FAA

Establish and implement processes for manufacturers to officially notify FAA certification engineers of any changes made to System Safety Assessments, including after FAA flight testing has begun.

No. 6 to FAA

Establish and implement communication and coordination procedures between Boeing and FAA, and within FAA among flight test, certification, and Flight Standards.

No. 7 to FAA

Establish and implement policies and procedures for the Aircraft Evaluation Group related to its role in the certification process that require, at a minimum: formal documentation of approvals; documentation of operational flight test parameters, procedures, and outcomes; expanded written guidance on the FSB process; and improved consistency of procedures between AEG offices.

No. 8 to FAA

Incorporate lessons learned from the Boeing 737 MAX accidents into the ODA oversight process guidance implementing a risk-based approach.

No. 9 to FAA

Clarify priorities, roles, and responsibilities for FAA engineers regarding oversight and certification work, including the timing of when oversight should be performed.

No. 10 to FAA

Perform a workforce assessment at FAA's Boeing Aviation Safety Oversight office to determine engineer resource and expertise needs, particularly in the areas of systems engineering, human factors, and software development, to both perform certification and oversight work, and take action as necessary.

No. 11 to FAA

Conduct an assessment to determine how frequently unit members serve as both the company engineer involved in a design as the applicant and also find compliance on FAA's behalf on that same design. Based on the results of this assessment, revise ODA guidance to strengthen controls in this area.

No. 12 to FAA

Revise ODA program requirements to ensure ODAs have internal controls in place and are organized in a way that prevents interference with ODA unit members.

Closed on 03.26.2021
No. 13 to FAA

Determine if Boeing has met the requirements of the 2015 Settlement Agreement, including reporting metrics, given the deadline of December 31, 2020 and take further actions as necessary.

No. 14 to FAA

Complete the ongoing rulemaking project that proposes requiring manufacturers to implement Safety Management Systems, including setting and publishing expected timeframes.

Audit Report: AV2021017 issued on 02.10.2021
Gaps in FAA's Oversight of the AIP State Block Grant Program Contribute to Adherence Issues and Increase Risks
No. 1 to FAA

Revise FAA policy to include equitable review of projects funded by discretionary and entitlement funds, and perform regular formal assessments of Block Grant States' (BGS) adherence to Federal requirements for project selection.

No. 2 to FAA

Revise FAA's policy on documenting project-approval decisions to ensure that BGS adhere to project prioritization.

No. 3 to FAA

Revise and implement FAA's process for resolving instances of insufficient documentation as support for reimbursement to BGS.

$5,733,468
No. 4 to FAA

Request supporting documentation for the transactions related to the $5.7 million in unsupported project costs we identified in Wisconsin, and collect all unsupported costs or identify FAA's rationale for accepting them.

$12,835
No. 5 to FAA

Assess the claims related to the $12,835 in unsupported Cash Management Improvement Act reimbursements we identified in Michigan, and review similar transactions within the SBGP for unsupported costs. Develop an action plan to collect all unsupported costs or identify FAA's rationale for accepting them.

No. 6 to FAA

Develop and implement a procedure for monitoring BGS adherence to requirements for Airport Improvement Program (AIP) expenditures at regular and frequent intervals.

No. 7 to FAA

Revise guidance for all AIP stakeholders to reinforce the required sequence in which different types of AIP funds are to be expended.

$115,666,168
No. 8 to FAA

Require Airport District Offices (ADO) and Regional Offices to comply with grant closeout requirements for BGS. Implementation of this recommendation could put $115.7 million in funds to better use.

$5,749,537
No. 9 to FAA

Develop and implement a procedure to verify the accuracy of BGS data submissions. Implementation of this recommendation could put $5.7 million in funds to better use by improving FAA's grant management oversight.

No. 10 to FAA

Formalize and implement minimum training requirements for BGS officials, and give BGS access to all FAA-conducted, AIP-related online and in-person training.

No. 11 to FAA

Finalize the draft Memorandum of Agreement outlined in the SBGP Advisory Circular and implement it for all 10 current BGS and any future program entrants.

No. 12 to FAA

Finalize and implement an SBGP-wide audit plan in accordance with FAA's SBGP Advisory Circular, and include a requirement to document resolution of findings.

No. 13 to FAA

Ensure compliance or implementation of FAA's procedure to share resolutions of Single Audit Report recommendations with the ADOs and Regional Offices that oversee the BGS.

Audit Report: SA2021018 issued on 02.10.2021
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending December 31, 2020
Closed on 04.01.2021
No. 1 to OST

Coordinate with impacted Operating Administrations (OA) to develop a corrective action plan to resolve and close the findings highlighted in this report.

$5,130,999
No. 2 to OST

Determine the allowability of the questioned transactions and recover $5,130,999, if applicable.

Audit Report: QC2021016 issued on 02.01.2021
Quality Control Review of the Management Letter for the National Transportation Safety Board’s Audited Financial Statements for Fiscal Years 2020 and 2019
No. 1 to NTSB

Redesign the agency's personnel action process to ensure that the submission of a Request for Personnel Action form immediately is processed promptly upon the notification of an employee's separation or termination.

No. 2 to NTSB

Redesign the agency's FPPS user termination process to require the completion and submission of a FPPS User Access Form to the service provider immediately upon separation of a FPPS user from the agency.

No. 3 to NTSB

NTSB perform a review of its Reimbursable Agreements Summary report to verify that the open balance amount for each agreement is correct.

No. 4 to NTSB

NTSB perform a review of agreements for which goods or services have been provided to ensure that billing and collection procedures have been completed or initiated.

No. 5 to NTSB

NTSB record an accrual for earned revenue that has not been collected as of the end of the reporting period.

No. 6 to NTSB

Perform a review of the user's system access immediately after each OFF User Access Form is processed by DOI IBC to ensure that only the permissions requested were granted.

No. 7 to NTSB

Redesign the OFF quarterly review process to include a review of each employee's system permissions to verify that all users' access permissions granted do not exceed the permissions requested and least privilege guidelines.

No. 8 to NTSB

We recommend that the Office of Chief Financial Officer (OCFO) enhance its existing internal control procedures over the review and approval of journal vouchers to ensure that the basic pay data used to compute imputed costs is complete and accurate and all cost factors are included in the calculation.

Audit Report: QC2021014 issued on 01.27.2021
Quality Control Review of the Management Letter for the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
Closed on 08.11.2021
No. 1 to FAA

Enforce existing manual controls for disabling inactive accounts after the specified period of inactivity and enable an information system to automatically disable inactive accounts after a specified period of inactivity, as required by NIST.

No. 2 to FAA

Identify and resolve discrepancies between the FAA ISPP and Center for Internet Security Benchmarks specific to the procurement system's password configurations.

No. 3 to FAA

If changes are needed, update the procurement system's security documentation to reflect the database password requirements.

No. 4 to FAA

Ensure that database password settings are in compliance with FAA ISPP.

Closed on 08.11.2021
No. 5 to FAA

Review and update security documentation to ensure that database dependency on the general ledger and the related control deviation is documented and approved by the AO, as required by FAA policy.

No. 6 to FAA

Update application password settings to ensure compliance with the FAA ISPP.

Closed on 06.30.2021
No. 7 to FAA

Coordinate with the appropriate resources to ensure the implementation of an appropriate separation of duties process for system administrators and developers.

Closed on 08.11.2021
No. 8 to FAA

Update password settings to ensure compliance with the FAA ISPP.

No. 9 to FAA

Design and implement a process to ensure that the inventory application, database, and operating system changes are tested, documented, and approved prior to migration into production and update the change management ticketing system to capture required approvals and evidence of testing for application, database, or operating system changes, in accordance with FAA ISPP.

No. 10 to FAA

Configure the account lockout threshold for the Windows server accounts within the FAA.gov domain to comply with FAA policy and system requirements.

Closed on 08.17.2021
No. 11 to FAA

Design and implement controls to validate that all employee FEGLI elections are accurately recorded in the records of the shared service center.

Closed on 06.28.2021
No. 12 to FAA

Perform an annual review of existing sites to identify those that may be in dispute, and solicit input from legal counsel to determine and document whether these sites should be included in the environmental remediation liability, as defined by generally accepted accounting principles.

No. 13 to FAA

Ensure that existing procedures over the review of journal entries are performed, at an appropriate level of precision, to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.

Closed on 03.07.2022
No. 14 to FAA

Update the Journal Voucher Processing standard operating procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the JV control log reconciliation with the actions taken and resolution obtained.

Closed on 06.22.2021
No. 15 to FAA

Update policies and procedures to clarify when acceptance should be recorded for a transaction.

Closed on 06.22.2021
No. 16 to FAA

Develop and implement guidance to formally document its assessments and recognition decisions, in accordance with SFFAC No. 5, as related to assets and liabilities of exchange transactions.

Closed on 03.17.2022
No. 17 to FAA

Update the standard operating procedures to define the triggering events for which the serviceable unit cost should be revalued in accordance with applicable accounting standards. 

Closed on 03.17.2022
No. 18 to FAA

Design and implement control activities to ensure that serviceable unit costs are only revalued as a result of valid triggering events which occur during the current period. 

Closed on 03.07.2022
No. 19 to FAA

Develop policies and procedures to ensure that judgments that inform accounting estimates are based on the best available information at the time of calculating and recording the CARES Act grant accrual estimate in the financial statements.

Closed on 03.17.2022
No. 20 to FAA

Develop procedures to document the period in which user access is granted and terminated to support the operating effectiveness of the shared service center’s user access controls. 

Audit Report: QC2021015 issued on 01.27.2021
Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
Closed on 09.30.2021
No. 1 to FTA

KPMG recommends that FTA management revise the existing configuration management plans for the grant financial management application and the clearing house system to include procedures for source code access administration and required privileges, source code maintenance and storage, the process for source code deployment into the production, and any version control software utilized to support the systems.

Closed on 09.30.2021
No. 2 to FTA

KPMG recommends that FTA management reconfigure the grants management application to automatically remove roles that are not recertified annually.

Closed on 09.30.2021
No. 3 to FTA

KPMG recommends that FTA management reconfigure the application that supports the grants management system to automatically disable accounts after 60 days of inactivity.

Closed on 09.30.2021
No. 4 to FTA

KPMG recommends that FTA management update the grants management system platform's system security plan to reflect the configuration considerations in place.

Closed on 09.27.2021
No. 5 to FTA

KPMG recommends that FTA management ensure that new users are properly authorized by all required parties prior to the administration of access to FTA systems.

No. 6 to FTA

KPMG recommends that FTA management design and implement policies and procedures that establish a formal process to assess applicable third-party SOC reports that includes reviewing the SOC 1, 2, 3 reports, reviewing and comparing reporting updates year-over-year, and reviewing findings and their impact on the grants management system.

No. 7 to FTA

KPMG recommends that FTA management design and implement policies and procedures that establish a formal process to assess applicable third-party SOC reports that includes implementing the service organization's recommended complementary user entity controls and monitoring these controls for proper implementation and operating effectiveness.

Closed on 03.16.2022
No. 8 to FHWA

KPMG recommends that FHWA management update its security documentation and system security plan, in accordance with Department requirements, to capture any control deviations and compensating controls used in lieu of automatically disabling inactive accounts.  

Closed on 03.16.2022
No. 9 to OST

KPMG recommends that ESC management provide a training refresher to contracting program managers and access control officers related to the separation process for contractors.

Closed on 09.27.2021
No. 10 to OST

KPMG recommends that OST management design and implement policies and procedures to evaluate the impact of known changes in TIFIA loan cash flow projections between the re-estimate date and the issuance of the financial statements on the subsidy re-estimate to then be considered for subsequent event disclosure.

Closed on 09.21.2021
No. 11 to MARAD

KPMG recommends that MARAD management design and implement a process for recording donated PP&E from other federal entities to ensure these transactions are accurately recorded and in accordance with generally accepted accounting principles.

Closed on 09.21.2021
No. 12 to OST

KPMG recommends that ESC management update the Journal Voucher Processing Standard Operating Procedures to explicitly document and define the responsibility of the control operator to annotate any variances identified in the journal voucher control log reconciliation with the action taken and resolution obtained.

No. 13 to OST

KPMG recommends that ESC management update procedures surrounding management's review of journal entries at ESC to ensure that journal entries are reviewed at an appropriate level of precision to determine that all posted manual entries are complete, accurate, and adequately supported by documentation.

Closed on 03.16.2022
No. 14 to FHWA

KPMG recommends that FHWA and ESC management design and implement a control that is sufficiently precise to detect and correct UDO reconciliation discrepancies in the correct fiscal year in which they occur.      

Audit Report: ST2021013 issued on 01.13.2021
FMCSA Has Not Fully Met Oversight Requirements as It Rebuilds the National Registry of Certified Medical Examiners
Closed on 08.24.2021
No. 1 to FMCSA

Implement Agency plans for eliminating the backlog of driver examination results held by medical examiners.

No. 2 to FMCSA

Develop a plan to allocate resources to the Medical Programs Division to fully implement requirements for medical examiner eligibility audits and random selection performance monitoring.

No. 3 to FMCSA

Update Agency processes for conducting periodic medical examiner eligibility audits and random selection performance monitoring as needed to incorporate upgraded National Registry tools.

No. 4 to FMCSA

Reinstate the conduct of eligibility audits and random selection performance monitoring of medical examiners.

Audit Report: ST2021012 issued on 01.13.2021
PHMSA’s Safety Culture Efforts
No. 1 to PHMSA

Describe the responsibilities and tasks necessary to develop and continuously promote a positive safety culture at PHMSA, such as a training plan on safety culture. Then clearly assign those responsibilities to leadership.

No. 2 to PHMSA

Establish a method to track and monitor the status of initiatives related to safety culture.

Audit Report: FS2021011 issued on 12.16.2020
DOT Needs To Strengthen Travel Card Program Internal Controls To Minimize Misuse
No. 1 to OST

Notify all travel card program participants that advance written approval must be obtained prior to incurring any travel expenses.

No. 2 to OST

Develop and implement a plan for Agency/Organization Program Coordinator to identify travel authorizations that were not submitted or approved prior to the incurrence of official travel-related expenses. The plan should include follow-up with cardholders and approvers on instances where noncompliance is identified.

No. 3 to OST

Update DOT's travel card management policy, DOT Order 15006.b, and DOT travel card training to include guidance on how cardholders should recover travel card account overpayments.

No. 4 to OST

Develop and implement a control that will allow the Department to identify questionable travel card transactions outside of the delinquency report review that is performed by the operating administrations.

No. 5 to OST

Expand existing training for managers and Approving Officials to incorporate a proper voucher review.

No. 6 to OST

Notify all travel cardholders that cash withdrawals must not occur more than 3 days prior to an authorized trip.

No. 7 to OST

Strengthen current cash-advance controls to test cardholder compliance with cash advances and require follow-up with cardholders when instances are detected.

No. 8 to OST

Design and implement a control to test that cardholders are using the travel card to pay only for official travel expenses as required. The control should include follow-up with cardholders when charges unrelated to official travel are detected.

No. 9 to OST

Modify training materials to emphasize the required use of the travel card for all expenses related to official travel.

No. 10 to OST

Develop and implement controls to require that refresher training is administered timely in the electronic learning management system, and require that cardholders complete refresher training in a timely manner.

No. 11 to OST

Modify the current travel card application process to include a manager certification as required by the DOT travel card management policy.

Audit Report: AV2021010 issued on 12.08.2020
Weaknesses in FAA’s Supplemental Passenger Restraint System Authorization Process Hinder Improvements to Open-Door Helicopter Operations
No. 1 to FAA

Issue a Notice of Proposed Rulemaking and a final rule, if found to be in the public interest, that address operations using supplemental passenger restraint systems.

No. 2 to FAA

Require all supplemental passenger restraint system applications to be reviewed using a standardized evaluation checklist that defines which information must be included on the request form for authorization.

No. 3 to FAA

Define minimum certification standards that meet aviation-specific load factors for supplemental passenger restraint systems.

No. 4 to FAA

Revise the supplemental passenger restraint system authorization procedures so applications are routed through local oversight offices to notify inspectors which operators are requesting and subsequently authorized for supplemental restraint use.

No. 5 to FAA

Develop and incorporate supplemental passenger restraint inspection criteria (such as frequency of inspections, review of harness authorization documentation, and maintenance of harnesses) into inspector guidance for both Part 135 and Part 91 surveillance.

Audit Report: SA2021009 issued on 12.02.2020
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending September 30, 2020
Closed on 02.24.2021
No. 1 to OST

We recommend that DOT coordinate with the impacted OAs to develop a corrective action plan to resolve and close the findings identified in this report.

$25,838
No. 2 to OST

We recommend that DOT determine the allowability of the questioned transactions and recover $25,838, if applicable.

Audit Report: QC2021008 issued on 11.16.2020
Quality Control Review of the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
No. 1 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policy.

No. 2 to OST

KPMG recommends that DOT management design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policy.

No. 3 to OST

KPMG recommends that management design and implement component-specific system security plan requirements in instances where plans for those areas not addressed in the Departmental system security plan.

Closed on 04.20.2022
No. 4 to OST

KPMG recommends that management design and implement procedures related to the retention of appropriate supporting evidence of internal controls including, but not limited to, access administration, access recertification, audit log review, and patch management.

No. 5 to OST

KPMG recommends that DOT management maintain a documentation trail which demonstrates completion of each step in the performance of their input validation control in accordance with the TIFIA Loan Subsidy Re-estimates standard operating procedures.

Closed on 03.07.2022
No. 6 to FTA

KPMG recommends that FTA management perform a documented risk assessment and develop a tailored grant accrual methodology for each new grant accrual category in which the expected costs incurred but not recorded may differ based on the characteristics of the grant funding. To the extent contradictory evidence or actual incurrence does not align with the initial assumptions developed, management should refine the methodology accordingly.

Closed on 03.07.2022
No. 7 to FTA

KPMG recommends that FTA management establish a documented review process to clearly demonstrate the historical disbursement days for all grant accrual categories have been reviewed prior to recording the grant accrual.

Audit Report: QC2021007 issued on 11.13.2020
Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2020 and 2019
No. 1 to FAA

KPMG recommended that FAA management design and implement procedures to consistently and timely perform and document audit log reviews as required by standards for effective internal control systems and/or internal policies.

No. 2 to FAA

KPMG recommended that FAA management design and implement procedures to consistently and timely perform and document user account access reviews as required by standards for effective internal control systems and/or internal policies.

No. 3 to FAA

KPMG recommended that FAA management implement component-specific system security plan requirements.

Audit Report: QC2021003 issued on 10.26.2020
Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security Program and Practices
No. 1 to OST

Require OST to either start utilizing the CSAM tool for its security control assessments or develop its own risk assessment policies and procedures as required by DOT's Cybersecurity Compendium.

No. 2 to OST

Work with OAs to update privacy risk management procedures to ensure the completion, tracking, review, and approval of privacy plans and compliance documentation prior to system authorization or reauthorization. Components should engage the Departmental Chief Privacy Officer as appropriate.

No. 3 to OST

Work with the Departmental Chief Privacy Officer to establish processes and procedures to notify Component Privacy Officers of systems scheduled for reauthorization so that required privacy risk management plans may be completed as required by policy.

No. 4 to OST

Work with the Departmental Chief Privacy Officer to establish processes and procedures to determine Component compliance with Departmental policy requiring Privacy Risk Management plans be established prior to system authorization or reauthorization.

No. 5 to OST

Coordinate with appropriate offices within the Office of Secretary to develop and implement a strategy and solution(s) to ensure that supervisors, contracting officers, and contracting officer representatives enforce personnel onboarding and off boarding procedures, completion of the DOT Rules of Behavior and other IT requirements prior to being granted access to DOT networks, systems, and information, or have existing access revoked upon separation, in accordance with DOT policy.

No. 6 to OST

Strengthen its oversight of the configuration management processes performed by OAs to ensure configuration management plans are developed, kept up-to-date, and document requirements for each system.

No. 7 to OST

Work with the FAA CIO to complete the revision of FAA Order 1800.66, Configuration Management Policy.

No. 8 to OST

Work with OAs to implement oversight to address configuration change weaknesses and to ensure configuration changes to the information systems are properly documented and tracked through implementation, and undergo a post-implementation review to verify procedures are followed.

No. 9 to OST

Ensure that baseline configuration deviations are monitored and deviations are approved to ensure that baseline compliance reports demonstrate a consistent and accurate application of baseline standards.

No. 10 to OST

Consolidate to the enterprise Tenable Nessus system to ensure accessibility of baseline compliance and/or vulnerability assessment capabilities.

No. 11 to OST

Ensure that missing security patches are either applied in accordance with DOT policy or that vulnerable software is otherwise remediated on the affected endpoints. In addition, ensure that missing security patches attributable to specific mission/business requirements are identified, control weaknesses are appropriately documented in POA&Ms, and that the authorizing official is aware of and has accepted risk for the associated weaknesses.

No. 12 to OST

Document and implement a process to identify software end of life dates and require the development of implementation plans to eliminate unsupported software.

No. 13 to OST

Work with FAA to secure a reliable funding stream for background reinvestigations.

No. 14 to OST

DOT should devise strategies, consistent with Federal policies and guidance, to overcome the logistical challenges of fingerprinting during a pandemic or other events and circumstances which prevent the timely completion of background reinvestigations.

No. 15 to OST

Work with the FAA CIO to review all systems listed in Appendix B of the FAA Air Traffic Operations (ATO) Information Security Continuous Monitoring (ISCM) Plan for NAS and Mission Support (MS) Systems to ensure the FAA ISCM plan is complete and accurate, making updates as needed.

No. 16 to OST

Work with the OST IT Director to ensure an alternate processing site (including necessary agreements) is more clearly described within the contingency plan to permit the transfer and resumption of information system operations for essential missions/business functions consistent with recovery time objectives when the primary processing capabilities are unavailable, for those systems in accordance with the requirements of the Cybersecurity Compendium and NIST guidance.

No. 17 to OST

Work with the PHMSA CIO to ensure an alternate storage site (including necessary agreements) is described within contingency plans to permit the transfer and resumption of information system operations for essential missions/business functions consistent with recovery time objectives when the primary processing capabilities are unavailable, for those systems in accordance with the requirements of the Cybersecurity Compendium and NIST guidance.

No. 18 to OST

Strengthen its oversight of the contingency planning processes performed by FMCSA, OST COE, OST VOLPE, FAA, FRA, and MARAD to ensure contingency planning documentation is developed, updated and tested in a timely manner, in accordance with policy.

Audit Report: IT2021001 issued on 10.02.2020
DOT Is Making Progress Toward Fulfilling the Requirements of the Geospatial Data Act of 2018
Closed on 03.22.2022
No. 1 to OST

Update the National Geospatial Data Asset (NGDA) Theme plan with the processes to identify, assess, and develop NGDA standards based on the Act.

Closed on 05.13.2022
No. 2 to OST

Develop and implement a process to track the financial resources necessary to manage the National Geospatial Data Asset (NGDA) Transportation data theme.

No. 3 to OST

Develop, publish and implement DOT's strategy for geospatial data-related activities as defined in its Geospatial Information System Strategic Plan.

Closed on 10.27.2020
No. 4 to OST

Work with the Chief Data Officer to verify that all Operating Administrations (OAs) designate an appropriate individual as a geospatial information officer.

No. 5 to OST

Work with Operating Administration (OA) records officers to verify that FAA, FTA, MARAD, NHTSA, OST, and PHMSA allocate appropriate resources to complete file plans and record schedules development activities through submission to the DOT Records Management Office.

No. 6 to OST

Track and monitor FRA's, MARAD's, NHTSA's and PHMSA's allocated resources to meet the responsibilities of effective geospatial data collection, production, and stewardship.

Closed on 02.18.2022
No. 7 to OST

Develop, disseminate, and implement a uniform process for all Operating Administrations to perform a quality review of geospatial data to verify compliance with Department of Transportation’s (DOT) information quality guidelines. This process should include a method of ensuring recipients of DOT funds for geospatial data collection meet appropriate quality standards, as well as an assessment of stakeholder and peer reviews in order to validate the quality of all disseminated information.

No. 8 to OST

Update, disseminate and implement Department of Transportation's internal data inventory policy to address how the Operating Administrations should verify that geospatial data and metadata does not inappropriately disclose personally identified information to external parties and include guidelines on tracking and maintaining geospatial data asset inventory and validating that inventories are complete.

No. 9 to OST

Develop a process to verify that the Operating Administrations are aware of and apply the Department of Transportation Privacy Risk Management Policy, requiring privacy risk management activities to be completed for geospatial information systems prior to next system reauthorization.

Closed on 10.28.2021
No. 10 to OST

Develop and implement a procedure that documents and tracks all responsibilities outlined in the Geospatial Policy on Reducing Duplication are implemented to include Department of Transportation and Operating Administrations' implementation of geospatial clearinghouse searches to validate no duplication of funds.

Closed on 01.19.2022
No. 11 to OST

Develop and maintain a process to verify that all geospatial metadata meets quality standards that strengthen the internal control process to improve the quality of metadata reported on DOT’s enterprise data inventory.

No. 12 to OST

Establish, document and implement a process for ongoing monitoring of its strategy for advancing geospatial information and related geospatial data and activities appropriate to its mission in accordance with requirements of the Federal Internal Control Standards.

No. 13 to OST

Working with the Operating Administrations, require that all geospatial information systems maintain authorization status in accordance with departmental cybersecurity policies.

Audit Report: QC2020049 issued on 09.29.2020
Quality Control Review of an Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices
Closed on 05.04.2021
No. 1 to STB

Implement documented processes for granting and removing user access in a consistent manner, as required by STB policies and procedures.

Closed on 05.17.2021
No. 2 to STB

Implement processes for conducting, documenting, and maintaining Position Risk Designations in a consistent manner, as required by STB policies and procedures.

Closed on 04.13.2021
No. 3 to STB

Develop a process for ensuring that the completion of role-based training is tracked and maintained.

Closed on 06.04.2021
No. 4 to STB

Consistently implement the process to ensure all new users complete the mandatory security awareness training requirements prior to being granted access to STB systems.

Closed on 04.13.2021
No. 5 to STB

Fully develop the ISCM Strategy and all information system ISCM plans to include the required criteria documented in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137 such as: a. Considerations at the organization/business process level; b. Considerations at the information system level; and c. Processes to review and update the ISCM program and strategy.

Closed on 04.13.2021
No. 6 to STB

Define the process to ensure the timely collection of established metrics across its operational systems and reporting evaluation process to assist ISCM Stakeholders to make informed decisions.

Audit Report: ST2020050 issued on 09.28.2020
FRA Lacks Sufficient Oversight Controls To Consistently Assess Conductor Certification Compliance
Closed on 07.22.2021
No. 1 to FRA

Develop and implement a procedure for reviewing and tracking new and updated railroad conductor certification programs.

Closed on 08.24.2021
No. 2 to FRA

Finalize the Operating Practices Compliance Manual chapter on conductor certification compliance and enforcement and distribute it to inspectors; include a process an inspector can use to notify FRA Headquarters about a problem with a railroad's conductor certification program.

Closed on 02.26.2021
No. 3 to FRA

Develop and implement a plan for systematically conducting Part 242 compliance audits of all railroads to which the regulations apply.

Closed on 12.14.2020
No. 4 to FRA

Modify the Railroad Inspection System for Personal Computers (RISPC) to capture data that specifies the types of Part 242 oversight activities inspectors are recording.

Closed on 12.14.2020
No. 5 to FRA

Develop and issue instructions on the proper entry of Part 242 activity codes in RISPC.

Audit Report: QC2020046 issued on 09.22.2020
Report on the Quality Control Review of the Independent Auditor’s Report on DOT’s Enterprise Services Center
Closed on 12.16.2020
Sensitive
No. 1 to OST

Sensitive information redacted

Closed on 11.10.2021
Sensitive
No. 2 to OST

Sensitive information redacted

Closed on 11.10.2021
Sensitive
No. 3 to OST

Sensitive information redacted

Audit Report: AV2020045 issued on 09.16.2020
FAA’s Process for Updating Its Aircraft Evacuation Standards Lacks Data Collection and Analysis on Current Evacuation Risks
No. 1 to FAA

Develop and implement a systematic process to regularly collect and analyze data on emergency evacuations to determine whether evacuation standards need to be revised or updated based upon current risks.

Closed on 01.27.2022
No. 2 to FAA

Develop a policy or procedures to maintain and analyze a record of critical data from aircraft manufacturers' evacuation demonstrations and analyses to identify risks and ensure data used in analyses and computer modeling are accurate and up to date.

Audit Report: AV2020044 issued on 09.02.2020
FAA Issued New Medical Requirements for Small Aircraft Pilots but Lacks Procedures and Data To Oversee the Program
No. 1 to FAA

Conduct a risk assessment of the issues related to valid driver's licenses and use of State-licensed physicians noted in this report, and implement processes to mitigate any identified risks. Include the results of this risk-assessment in the required report on the safety impact of BasicMed to Congress.

No. 2 to FAA

Develop and implement a process to collect pilot flight hours, or an alternative process that allows a meaningful assessment of the safety impact of pilots operating under BasicMed compared with pilots operating with a medical certificate.

Audit Report: AV2020043 issued on 09.02.2020
FAA and Its Partner Agencies Have Begun Work on the Aviation Cyber Initiative and Are Implementing Priorities
Closed on 02.26.2021
No. 1 to FAA

In consultation with its ACI partners, identify the resources needed to meet the current schedule for achieving ACI’s remaining priorities, and how they should be allocated. Revise the current schedule as necessary to reflect the resources that are available.

Audit Report: SA2020041 issued on 08.05.2020
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending June 30, 2020
Closed on 09.01.2020
No. 1 to OST

Coordinate with impacted Operating Administrations (OA) to develop a corrective action plan to resolve and close the findings highlighted in this report.

$3,440,165
No. 2 to OST

Determine the allowability of the questioned transactions and recover $3,440,165, if applicable.

Audit Report: AV2020040 issued on 07.29.2020
FAA Has Begun To Update ERAM but Faces Challenges Realizing Full Benefits for Airspace Users
Closed on 11.01.2021
No. 1 to FAA

Develop an action plan with schedule milestones for completing the assessment, test, and mitigation of the new security requirements for ERAM to successfully meet a high impact system categorization.

Audit Report: IT2020039 issued on 07.15.2020
FAA Is Not Remediating STARS Security Weaknesses in a Timely Manner and Contingency Planning Is Insufficient
No. 1 to FAA

Develop and implement a plan with a timeline that identifies when critical, high, and medium vulnerabilities in STARS will be mitigated and implemented at the 11 largest TRACON facilities and includes a patch management program to ensure that the security patches for all operating systems, software, and applications are up to date; and timeline when FAA will implement security-relevant software updates for critical, high, and medium vulnerabilities, in accordance with requirements.

Sensitive
No. 2 to FAA

Sensitive information redacted

Sensitive
No. 3 to FAA

Sensitive information redacted

Closed on 12.23.2021
Sensitive
No. 4 to FAA

Sensitive information redacted

Sensitive
No. 5 to FAA

Sensitive information redacted

No. 6 to FAA

Direct STARS officials to prioritize mitigation efforts to resolve the security weaknesses for the 27 security controls identified in this report; develop a Plan of Action and Milestones that realistically reflects resources and timeframes for the completion of these actions; and report on these actions in the Department's Cybersecurity Assessment and Management monitoring system.

No. 7 to FAA

Update the STARS incident response policy to include the missing elements from the National Institute of Standards and Technology.

Sensitive
No. 8 to FAA

Sensitive information redacted

No. 9 to FAA

Develop and implement an internal control that ensures that Agency staff follow requirements for access control in accordance with the STARS Security Handbook.

Sensitive
No. 10 to FAA

Sensitive information redacted

Sensitive
No. 11 to FAA

Sensitive information redacted

Audit Report: ST2020038 issued on 07.08.2020
MARAD’s Policy and Procedures for the Title XI Program’s Application Review Process Do Not Ensure Full Compliance with Requirements
No. 1 to MARAD

Update the 2012 policy manual to address all statutory and regulatory requirements.

No. 2 to MARAD

Develop and implement procedures that direct MARAD to obtain and document all application related materials required by statute and regulation.

No. 3 to MARAD

Develop and implement procedures that require program staff to adhere to MARAD's program policy and statutory and regulatory requirements.

Audit Report: EC2020036 issued on 05.27.2020
Changes in Airline Service Differ Significantly for Smaller Communities, but Limited Data on Ancillary Fees Hinders Further Analysis
Closed on 01.03.2022
No. 1 to OST

The Bureau of Transportation Statistics issue a Reporting Directive clarifying that air carriers are to include booking fees, along with any/all fees required to board the aircraft, in the fare line item reported to the Office of Airline Information’s Origin and Destination Survey.     

No. 2 to OST

The Office of Aviation Analysis develop a process to regularly collect, maintain, and use information from airlines' website disclosures of all fees charged for optional or ancillary services as a screening mechanism for significant changes in these fees. For each mainline carrier and posted fee, this information should include—but not necessarily be limited to—identification of the type of each service and its price (or price range).

Closed on 08.31.2021
$60,600,000
No. 3 to OST

The Secretary request a Revenue Ruling or policy statement from the Department of Treasury regarding the taxation of airline booking fees and, if appropriate, that the Department of Treasury take action to assess the relevant tax. If the Department of Treasury finds that these fees are taxable—and assuming no change in the conditions underlying our calculation of their impact on the Airport and Airway Trust Fund in 2019—this could conservatively result in $60.6 million in funds put to better use in every year following the determination.

Audit Report: ST2020035 issued on 05.12.2020
Gaps in FHWA’s Guidance and the Florida Division’s Process for Risk-Based Project Involvement May Limit Their Effectiveness
Closed on 02.22.2021
No. 1 to FHWA

Update and implement FHWA's guidance for risk-based project involvement to clarify the requirements for its project risk-assessment process, including expectations for conducting and documenting the risk assessment and criteria to guide the reevaluation of project risks.

Closed on 02.22.2021
No. 2 to FHWA

Identify and notify Divisions about sources of information that can inform the project risk-assessment process, such as the quarterly reports required by the grant agreement for the Florida International University project.

Closed on 12.15.2021
No. 3 to FHWA

Update and issue a procedure within the Florida Division for conducting and documenting complete project risk assessments in accordance with FHWA's national guidance.

Closed on 02.22.2021
No. 4 to FHWA

Update and implement FHWA's guidance for risk-based project involvement to clarify how the link between elevated risks and associated oversight activities, changes to oversight actions, and the results of its risk-based involvement should be documented in project oversight plans.

Closed on 02.22.2021
No. 5 to FHWA

Develop and implement guidance for documenting, in risk-based project oversight plans and associated materials, the scope of FHWA's risk-based involvement, such as through the use of checklists or standardized forms.

Closed on 02.22.2021
No. 6 to FHWA

Develop and implement guidance that establishes criteria for the content of risk-based project oversight plans to maintain consistency and avoid creating multiple redundant plans. Include examples of complete project oversight plans that can be used as a reference, and clarify the role and purpose of the oversight plan for major projects.

Closed on 12.15.2021
No. 7 to FHWA

Update and issue a procedure within the Florida Division for documenting complete risk-based project oversight plans in accordance with FHWA's national guidance.

Closed on 05.09.2022
No. 8 to FHWA

Develop and implement a process to routinely monitor the implementation and evaluate the effectiveness of FHWA’s risk-based project involvement.

Audit Report: SA2020032 issued on 05.04.2020
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending March 31, 2020
Closed on 06.11.2020
No. 1 to OST

Coordinate with impacted Operating Administrations (OA) to develop a corrective action plan to resolve and close the findings highlighted in this report.

$2,227,535
No. 2 to OST

Determine the allowability of the questioned transactions and recover $2,227,535, if applicable.

Audit Report: ST2020030 issued on 04.29.2020
Oversight Weaknesses Limit FRA’s Review, Approval, and Enforcement of Railroads’ Drug and Alcohol Testing Programs
Closed on 09.01.2020
No. 1 to FRA

Develop and implement written procedures for reviewing and approving railroads' Part 219 compliance plans, to include an oversight control, such as a supervisory or second-level review, to validate results.

Closed on 11.19.2020
No. 2 to FRA

Develop and implement a formal written process for tracking all Part 219 audits.

Closed on 11.19.2020
No. 3 to FRA

Develop and implement a written process for tracking and following up on all action items issued from Part 219 compliance audits to verify that railroads have taken corrective actions.

Closed on 03.23.2021
No. 4 to FRA

Update Drug and Alcohol program guidance for both railroads and inspectors to reflect the 2017 Maintenance-of-Way requirements.

Audit Report: ST2020031 issued on 04.28.2020
PHMSA Has Incomplete Guidance for Evaluating the Siting of Proposed Liquefied Natural Gas Facilities and Monitoring State Pipeline Safety Programs
Closed on 05.06.2020
No. 1 to PHMSA

Update and implement the Agency's procedures for reviewing the siting of proposed LNG facilities by adding steps to verify the accuracy and completeness of reviews conducted by Agency or subcontractor engineers and to document the verification.

Closed on 05.06.2020
No. 2 to PHMSA

Update and implement the Agency's procedures for conducting evaluations of State natural gas programs, including how to (a) incorporate random sampling into the selection of operators and facilities for testing and (b) identify the records or other evidence that are needed to support the evaluation.

Closed on 05.06.2020
No. 3 to PHMSA

Update guidelines to States to require at least one inspection team member to have completed all required training for lead inspectors.

Audit Report: FS2020029 issued on 04.27.2020
DOT’s Fiscal Year 2019 IPERA Compliance Review
$28,000
No. 1 to OST

Implement procedures to require Federal Highway Administration to review about $28,000 identified as improper payments and recover as appropriate.

$169,000,000
No. 2 to OST

Implement procedures to require that Federal Highway Administration develop a process to: a. detect grantees that have not reduced improper payments for 3 consecutive fiscal years or over the 3-year risk assessment cycle, and b. review those grantees' root causes to implement robust/individual corrective actions. Implementation of this recommendation could put approximately $169 million in funds to better use.

Audit Report: IT2020027 issued on 04.15.2020
FAA Lacks Sufficient Security Controls and Contingency Planning for Its DroneZone System
No. 1 to FAA

Perform a comprehensive assessment of DroneZone and LAANC's security controls that at a minimum provides the correct implementation status for system specific, common, and hybrid controls, and issue a new Authorization to Operate decision for DroneZone and its interconnected system LAANC.

No. 2 to FAA

Update the security assessment documents for DroneZone and LAANC to reflect the results of all security controls (e.g., common, hybrid, and system-specific) for selection, implementation, and assessing, per DOT requirements.

Closed on 01.11.2022
No. 3 to FAA

Establish and implement controls for monitoring, updating, and remediating open security weaknesses as well as the accepted risk in DOT repository for managing security weaknesses, per the DOT Security Weakness Management Guide. 

Closed on 09.01.2021
No. 4 to FAA

Implement procedures to validate that Security Officials responsible for DroneZone and LAANC are trained on NIST and DOT policy for assessing security controls, and require them to follow the guidance.

No. 5 to FAA

Develop Standard Operating Procedures for the use of common and hybrid controls to include at a minimum: a.) System owners must review the cloud provider Control Implementation Summary report to verify and document what controls are the customer's versus the cloud provider's. b.) System owners must review monthly cloud provider POA&Ms and develop a risk mitigation strategy or compensating controls to address any identified vulnerabilities that may impact its system cybersecurity posture. c.) System owners must coordinate with FAA common/hybrid control providers to verify the controls' actual implementation status and document them accurately in the appropriate security document.

Closed on 09.23.2021
No. 6 to FAA

Verify and validate that all external information systems providing cloud services to DroneZone and LAANC are FedRAMP-authorized; if not, obtain a departmental waiver approving their use. 

Closed on 01.11.2022
No. 7 to FAA

Develop and implement a process clearly defining how privacy controls are identified, assessed, and documented, and work with the departmental Chief Privacy Officer in developing and implementing the process. 

Closed on 09.01.2021
No. 8 to FAA

Complete modification to LAANC Memorandums of Agreement with UAS Service Suppliers to enhance data security and transparency and direct the Authorizing Official to verify and validate that all UAS Service Suppliers are adhering to security requirements outlined in the Memorandum of Agreement.

No. 9 to FAA

Develop and implement a process for testing DroneZone information systems for contingency planning, to include business impact analysis, continuity of operations plans, business continuity plans, disaster recovery plans, and Information System Contingency Planning (ISCP).

No. 10 to FAA

Develop a process to annually document FAA security officials communicating all contingency planning development, planning, and recovery activities to all stakeholders and executive management prior to authorizing officials making risk-based decisions.

Closed on 09.01.2021
No. 11 to FAA

Complete an appropriate ISCP test for DroneZone with its contractor and cloud service provider to ensure the ISCP strategies can be implemented successfully.

Closed on 03.03.2021
No. 12 to FAA

Provide and verify that the required DroneZone personnel listed in the ISCP receive annual contingency planning training.

Closed on 11.24.2020
No. 13 to FAA

Develop, test and implement an alternative back-up solution verifying that DroneZone data can be backed-up and available to transport to alternate sites in the event the cloud service provider availability zone is unavailable.

Audit Report: QC2020024 issued on 04.08.2020
Quality Control Review of the Management Letter for FAA’s Audited Consolidated Financial Statements for Fiscal Years 2019 and 2018
Closed on 07.14.2020
No. 1 to FAA

KPMG recommends that FAA management consider adjusting the EC&D liability for any significant changes in factors impacting the EC&D liability that can be reasonably estimated (i.e., inflation) as of and for the year ended September 30, 2019.

Closed on 07.28.2020
No. 2 to FAA

KPMG recommends that FAA management develop an information processing guide to assist in the effective operation of the HQ Journal Entry Control Log Reconciliation to ensure the reconciliation is consistently utilizing complete and accurate information, including all entries posted by usernames with HQ journal entry posting responsibility.

Closed on 01.03.2022
No. 3 to FAA

KPMG recommends that FAA management revise policies and procedures to ensure that the review of grant invoices includes the review and validation of compliance with terms and conditions per the applicable grant agreement.

Closed on 03.31.2022
No. 4 to FAA

KPMG recommends that FAA management enforce the policy that monthly audits are conducted by ESC-EDC personnel, as required by TOPS policy, to ensure that the bi-weekly log reviews are completed as required. In addition, FAA should ensure that the required monthly audits are tracked via checklist and certified by ESC-EDC personnel who conducted the audit. If ESC-EDC personnel determine that the bi-weekly reviews have not been properly completed, the ESC-EDC personnel should follow-up with the DBA to ensure that incomplete reviews are remediated and future bi-weekly log reviews are completed timely, as required by TOPS policy. 

Closed on 02.23.2021
No. 5 to FAA

KPMG recommends that FAA management update the purchase request application system's SSP to reflect the design and implementation of the formalized procedures for performance of the periodic user recertification.

Closed on 02.18.2021
No. 6 to FAA

KPMG recommends that FAA management design and implement a process in coordination with Human Resources, to ensure that the contractor and the environmental cleanup tracking application system owner remove terminated users within a defined period of time subsequent to the individuals' termination date.

Closed on 06.30.2021
No. 7 to FAA

KPMG recommends that FAA management implement a change control procedure which includes: change control documents, change control board approval, configuration change testing, and development team approval prior to proceeding with implementing changes into production.

Closed on 12.16.2020
$1,006,230,000
No. 8 to FAA

KPMG recommends that FAA management continue to perform its existing monitoring procedures over excise tax revenue allocations by the IRS. In addition, KPMG recommends that FAA management communicate instances where allocations and certifications of excise tax revenue are materially inconsistent with expectations to Department of Transportation leadership and to the Department of Transportation's Office of the Inspector General to facilitate the timely allocation and certification of excise tax revenues by the IRS.

Audit Report: QC2020025 issued on 04.08.2020
Quality Control Review of the Management Letter for DOT’s Audited Consolidated Financial Statements for Fiscal Years 2019 and 2018
Closed on 05.04.2021
No. 1 to FTA

KPMG recommends that FTA management design and implement a process to ensure that a complete population of received FFRs are considered in the retrospective review.

Closed on 05.04.2021
No. 2 to FTA

KPMG recommends that FTA management document the revised FFR submission policy in their grant methodology to consider the potential impact on the retrospective review process.

Closed on 12.16.2020
No. 3 to FRA

KPMG recommends that FRA management implement policies and procedures to establish a formal process to assess applicable third-party service organization reports that includes reviewing the SOC-1 report, reviewing and comparing reporting updates year-over-year, and reviewing findings and their impact on the grants management system.

Closed on 12.16.2020
No. 4 to FRA

KPMG recommends that FRA management implement policies and procedures to establish a formal process to assess applicable third-party service organization reports that includes implementing the service provider's recommended Complementary User Entity Controls (CUECs) and monitoring these controls for proper implementation and operating effectiveness.

Closed on 03.30.2021
No. 5 to FHWA

KPMG recommends that FHWA develop and implement a process to notify appropriate authoritative personnel in the event that the division sponsor has not completed its user reviews timely ensuring that monthly reviews of user access within the application are completed by all divisions in accordance with the Fiscal Management Information System Standard Operating Procedures (SOP).

Closed on 05.06.2021
No. 6 to FHWA

KPMG recommends that FHWA Management revise its current bi-weekly review process in coordination with Human Resources to ensure that the grants management application system owners remove terminated users within a defined time period of their termination date and that the User Access Removal SOP be updated to reflect the Human Resource coordination and the defined time period.

Closed on 03.30.2021
No. 7 to FHWA

KPMG recommends that the FHWA determine the appropriate role for the grant management application user based on job function, and revoke user access to the incompatible role.

Closed on 03.30.2021
No. 8 to FHWA

KPMG recommends that the FHWA ensure that access policies and procedures regarding segregation of duties are enforced when granting users access to the grants management application via Role Based Access Control procedures as defined in the Manage Accounts SOP.

Closed on 03.30.2021
No. 9 to FHWA

KPMG recommends that the FHWA develop and implement a periodic review of access for the Database Administrators and Developers for the grants management application.

Closed on 03.30.2021
No. 10 to FHWA

KPMG recommends FHWA management update the SOP to clearly define the UPACS audit log environment, log mechanisms, and frequency and documentation of the log reviews.

Closed on 04.20.2022
No. 11 to FHWA

KPMG recommends FHWA management enforce the Manage Log Review Files SOP or similar procedure that requires the Windows System Administrator to review Grant Management Application/UPACS operating system logs on a daily basis and digitally certify the reviews on a weekly basis.   

Closed on 04.20.2022
No. 12 to FHWA

KPMG recommends FHWA management ensure that System Administrators (SA) or Database Administrators (DBA) review past Grant Management Application/UPACS operating system log records for completion. If SAs or DBAs determine that the Windows Weekly log records are not completed as required, SAs and DBAs should follow-up with the Windows System Administrator to ensure that incomplete reviews are remediated and future weekly log reviews are completed timely.

Closed on 04.20.2022
No. 13 to FHWA

KPMG recommends FHWA management enforce the Manage Log Review Files SOP or similar procedure that requires the System Administrators to review Grant Management Application/UPACS logs on a daily basis and digitally certify the reviews on a weekly basis.

Closed on 04.20.2022
No. 14 to FHWA

KPMG recommends FHWA management ensure that System Administrators (SA) or Database Administrators (DBA) review past Grant Management Application/UPACS log records for completion. If SAs or DBAs determine that the UNIX/Oracle log records are not completed as required, SAs and DBAs should follow-up with the UNIX/Oracle System Administrators to ensure that incomplete reviews are remediated and future weekly log reviews are completed timely.

Audit Report: QC2020026 issued on 04.08.2020
Quality Control Review of the Management Letter for NTSB’s Audited Financial Statements for Fiscal Years 2019 and 2018
Closed on 12.16.2020
No. 1 to NTSB

Enhance existing policies and procedures to ensure that the account balances, line items, and all corresponding balances reported in the agency's trial balance are complete, accurate, and classified according to their economic substance.

Closed on 12.16.2020
No. 2 to NTSB

Enhance existing policies and procedures to ensure that the account balances and line items reported in the financial statement footnotes agree with the agency's adjusted trial balance for the corresponding reporting period.

Closed on 12.16.2020
No. 3 to NTSB

Enforce existing policies and procedures regarding the review and approval of manual journal vouchers to ensure that all required levels of review are completed and the process is properly documented.

Audit Report: FI2020022 issued on 03.11.2020
DOT Needs To Enhance Oversight of Its Purchase Card Program To Mitigate Internal Control Weaknesses
Closed on 12.16.2020
No. 1 to OST

Develop procedures to ensure purchase card files are complete. At a minimum, ensure cardholders verify that: a. supervisory and/or program office approval has been obtained prior to making purchases; b. funds availability has been confirmed prior to making purchases; c. required supporting documentation is on file; d. items purchased have been received and services have been accepted; and e. sales tax has not been charged.

Closed on 01.26.2022
No. 2 to OST

Implement procedures to ensure cardholders retain records in accordance with the National Archives and Records Administration’s general records schedule. 

Closed on 12.16.2020
No. 3 to OST

Update purchase card guidance to include appropriate language that states that purchase cards cannot be used to pay for unauthorized commitments without appropriate documentation showing that the unauthorized commitment has been ratified in accordance with FAR 1.602-3.

Closed on 05.20.2021
No. 4 to FAA

Develop procedures to ensure purchase card files are complete. At a minimum, ensure cardholders verify that: a. supervisory and/or program office approval has been obtained prior to making purchases; b. funds availability has been confirmed prior to making purchases; c. required supporting documentation is on file; d. payment amounts match to invoices; e. items purchased have been received and services have been accepted; and f. sales tax has not been charged.

No. 5 to FAA

Implement procedures to ensure cardholders retain records in accordance with the National Archives and Records Administration's general records schedule.

Closed on 05.19.2020
No. 6 to FAA

Update purchase card guidance to include appropriate language that states that purchase cards cannot be used to pay for unauthorized commitments without appropriate documentation showing that the unauthorized commitment has been ratified.

Closed on 05.20.2021
No. 7 to FAA

Develop and implement controls to ensure that all trainings are administered timely in FAA’s electronic learning management system, and ensure cardholders complete refresher training in a timely manner.

Closed on 05.20.2021
No. 8 to FAA

Establish procedures to enforce the suspension of purchasing authority for cardholders that do not satisfy the refresher training requirement.

Closed on 05.24.2021
No. 9 to FAA

Reiterate the importance of following the employee close out and clearance process to Purchase Cardholders, Approving Officials and Agency Program Coordinators, when a cardholder separates from the agency or the purchase card program.

No. 10 to FAA

Develop and implement a process to monitor purchase transactions that involve credits to ensure the follow-up is performed and credits are received timely.

Closed on 04.12.2021
No. 11 to OST

Update TAM Chapter 1213, Appendix A to include appropriate language that indicates that purchase cards cannot be used to pay for unauthorized commitments without appropriate documentation showing that the unauthorized commitment has been ratified in accordance with FAR 1.602-3.

Closed on 04.12.2021
No. 12 to OST

Update Departmental policy and procedures to require all OAs (excluding FAA) to include a requirement to obtain supervisory and/or program office approval before purchases are made.

Closed on 04.12.2021
No. 13 to OST

Update the TAM to require OAs (excluding FAA) to certify individual purchase card program manuals to comply with TAM requirements.

Audit Report: ZA2020020 issued on 03.09.2020
FAA’s Competitive Award Practices Expose Its Major Program Contracts to Cost and Performance Risks
Closed on 05.10.2021
No. 1 to FAA

Revise the Acquisition Management System (AMS) and/or FAA’s Contract Pricing Handbook to address challenges around conducting appropriate price and cost analyses in order to reliably assert and support a fair and reasonable price determination for a major program contract award. This should include techniques and scenarios to address specific issues that could arise during the award process, such as establishment of a contract ceiling amount at award that includes pricing for all contract work (including option years) using a sound source or basis.

Closed on 05.07.2021
No. 2 to FAA

Revise AMS to require acquisition planning for both competitive and noncompetitive major program contracts to allow adequate time and the possibility for achieving competition of option years and follow-on contracts.

$4,900,000,000
No. 3 to FAA

Strengthen internal controls to verify that all independent government cost estimates (IGCE) are completed in compliance with Agency requirements prior to the award of a major program contract. Implementing this recommendation could put up to $4.9 billion in Federal funds to better use by improving FAA's ability to establish contract pricing that is fair, reasonable, and realistic.

Closed on 03.08.2021
No. 4 to FAA

Revise AMS to clarify requirements around what actions the Program Office must take prior to the award of a major program contract when an IGCE varies by more than 15 percent from the proposed offer, and strengthen internal controls to verify these requirements are followed.

No. 5 to FAA

Strengthen internal controls to hold acquisition and program officials accountable for providing timely signatures on packages for any major program contract procurement action—such as increasing the ceiling or definitizing a contract line item number—to be submitted for Chief Financial Officer approval, per Agency requirements.

$17,300,000
No. 6 to FAA

Strengthen internal controls to ensure a sound rationale is documented to support each noncompetitive major program contract, per Agency requirements, before the award is made. Implementing this recommendation could put up to $17.3 million to better use by allowing FAA to realize the benefits of competition and make more efficient use of these Federal funds.

No. 7 to FAA

Strengthen internal controls to verify compliance with Agency requirements for conflict of interest agreements to be completed by all officials involved in a major program contract source selection process before they perform any of their responsibilities.

No. 8 to FAA

Strengthen internal controls to verify compliance with Agency requirements regarding completion and approval of source selection evaluation plans for major program contracts.

No. 9 to FAA

Strengthen internal controls to verify compliance with Agency requirements to use code names in lieu of contractor names in all source selection and evaluation communication and documentation for major program contracts.

No. 10 to FAA

Strengthen internal controls to verify compliance with Agency requirements for maintaining centralized files for major program contracts—including a complete record of the acquisition history and decisions—and for archiving and destroying documentation.

Audit Report: AV2020019 issued on 02.11.2020
FAA Has Not Effectively Overseen Southwest Airlines’ Systems for Managing Safety Risks
Closed on 02.17.2022
No. 1 to FAA

Ensure Southwest Airlines complies with regulatory requirements to provide accurate weight and balance information to pilots, or grant an exemption that justifies the non-compliance being in the public interest. 

Closed on 02.01.2021
No. 2 to FAA

Retrain inspectors at the local oversight office for Southwest Airlines on the purpose and proper use of the Voluntary Disclosure Reporting Program.

Closed on 03.30.2021
No. 3 to FAA

Train managers and inspectors of the local oversight office on their roles and responsibilities to work with Southwest Airlines for root cause analysis.

Closed on 05.18.2021
No. 4 to FAA

Enhance management controls to ensure designated airworthiness representatives comply with established procedures to verify that aircraft conform to U.S. airworthiness standards.

Closed on 05.18.2021
No. 5 to FAA

Develop a management control to ensure that designated airworthiness representatives verify the completeness and accuracy of maintenance records, and do not rely on air carrier provided summary data to make airworthiness determinations.

Closed on 02.01.2021
No. 6 to FAA

Complete a compliance review of other certificates issued by the designated airworthiness representatives used by Southwest Airlines.

Closed on 08.03.2020
No. 7 to FAA

Ensure Southwest Airlines complies with regulatory requirements that the 88 previously owned aircraft conform to U.S. aviation standards.

Closed on 03.15.2022
No. 8 to FAA

Train inspectors on FAA’s process to provide feedback on designated airworthiness representatives when corrective actions are needed, and provide inspectors access to the system used to provide feedback. 

No. 9 to FAA

Develop and implement a management control to ensure air carriers and inspectors do not use Safety Management Systems as a substitute for regulatory compliance.

No. 10 to FAA

Develop and implement guidance on how to evaluate air carrier safety risk assessments to ensure the carrier has performed a comprehensive analysis, identified root causes, and established appropriate corrective actions.

No. 11 to FAA

Develop and implement inspector guidance on how to evaluate air carrier safety culture and how it should be factored into oversight decisions.

Audit Report: SA2020016 issued on 01.29.2020
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 4-Month Period Ending December 31, 2019
Closed on 02.20.2020
No. 1 to OST

Coordinate with impacted Operating Administrations (OA) to develop a corrective action plan to resolve and close the findings highlighted in this report.

$1,135,453
No. 2 to OST

Determine the allowability of the questioned transactions and recover $1,135,453, if applicable.

Audit Report: ST2020015 issued on 01.22.2020
Improved FRA Decision Making and Financial Oversight Processes Could Have Reduced Federal Risks from the California High-Speed Rail Project
Closed on 03.17.2021
No. 1 to FRA

Revise and implement policies and procedures for when to escalate grant noncompliance issues within FRA. At a minimum, these procedures should include criteria for when to escalate noncompliance issues beyond FRA’s grants management division, and documentation of FRA’s decisions and rationale.

Closed on 03.17.2021
No. 2 to FRA

Revise and implement policies and procedures for defining FRA’s tolerance for the risk of grantee noncompliance with specific deliverable requirements, periodically assessing those risks, and documenting the resulting risk-based agency decisions on the depth of review to conduct of deliverables.

Closed on 03.17.2021
No. 3 to FRA

Define a framework for determining the minimum acceptable standards of what an interim use plan for new infrastructure funded by FRA grants should provide, and procedures for evaluating these plans.

Closed on 11.19.2020
No. 4 to FRA

Revise and implement guidance for FRA staff to conduct detailed assessments of grantees' procedures for complying with Federal expenditure requirements. This guidance should include steps for when and how FRA staff are to test grantees' implementation of their procedures through sampling and in-depth reviews of selected expenditures.

Audit Report: AV2020014 issued on 12.18.2019
NextGen Equipage: ADS-B Out Equipage Rates Are Increasing, but FAA Must Address Airspace Access Issues
Closed on 02.07.2020
No. 1 to FAA

Complete publication of the FAA advisory circular that formalizes interim guidance regarding the Service Availability Prediction Tool.

Closed on 01.09.2020
No. 2 to FAA

Analyze the feasibility of developing automated systems to provide operators with more timely information regarding GPS issues, such as outages and degradations, and if feasible, implement them.

Closed on 02.07.2020
No. 3 to FAA

Identify remaining steps and target action dates for completing the ADS-B Deviation Authorization Pre-Flight Tool system, as well as contingencies if the system is not operational by the 2020 deadline.

Audit Report: AV2020013 issued on 12.17.2019
FAA Needs To Improve Its Oversight To Address Maintenance Issues Impacting Safety at Allegiant Air
Closed on 10.23.2020
No. 1 to FAA

Develop and implement a management control to require managers to review and validate that known risks documented in the Safety Assurance System Certificate Holder Assessment Tool are tracked until mitigated.

Closed on 11.05.2020
No. 2 to FAA

Develop and implement policies and procedures to monitor inspector compliance with Safety Assurance System training requirements.

Closed on 11.05.2020
No. 3 to FAA

Revise its inspector guidance to require Certificate Holder Evaluation Process teams to report inspection results to the local inspection office, including a determination on whether the carrier is operating at the highest possible degree of safety in the public interest and how the team reached that conclusion.

Closed on 01.13.2021
No. 4 to FAA

Revise its Compliance and Enforcement guidance and its Inspector guidance to include the severity of outcomes as a factor in considering whether inspectors should initiate compliance or enforcement actions.

Closed on 11.05.2020
No. 5 to FAA

Develop and implement a resolution process to ensure disagreements in handling non-compliances are dealt with consistently, using the most appropriate processes and all relevant information.

Closed on 12.02.2020
No. 6 to FAA

Revise its inspector guidance to clarify how inspectors address recurring non-compliances as a factor in considering whether they should initiate compliance or enforcement actions.

Closed on 11.22.2021
No. 7 to FAA

Revise its inspector guidance to require inspectors to determine that corrective actions taken by air carriers are implemented and have addressed known discrepancies prior to closing compliance actions. 

No. 8 to FAA

Perform a comprehensive review of FAA's root cause analysis training to ensure it meets Agency expectations. Modify training, as appropriate, based on the review and require inspectors to complete the course(s) or offer inspectors access to industry-based training programs.

Closed on 12.01.2020
No. 9 to FAA

Develop and implement a process to incorporate historical compliance actions in SAS for inspectors to track current and historical compliance actions.

Audit Report: FI2020012 issued on 12.11.2019
FAA Needs To Improve Oversight and Enhance Transparency in Its Franchise Fund
Closed on 07.27.2020
No. 1 to FAA

Engage an auditor to perform an independent audit of the Franchise Fund's financial statements in accordance with generally accepted Government auditing standards and the Government Accountability Office's Financial Audit Manual and that includes an opinion on the Fund's internal controls.

Closed on 11.19.2021
No. 2 to FAA

Develop and implement a process directing the Logistics Center to maintain detailed records of the age and costs of inventory items as a way to identify obsolete items and prevent unnecessary storage and maintenance costs or purchase of assets already on hand.

Closed on 08.03.2020
No. 3 to FAA

Revise the accounting treatment for imputed costs to avoid the appearance of overstating losses.

Closed on 03.16.2020
No. 4 to FAA

Assign the unassigned balance of $6.9 million in unfilled customer orders identified in this report to the appropriate Franchise Fund service organization(s).

Closed on 03.16.2020
No. 5 to FAA

Review the $2.6 million in unused unfilled customer orders identified in this report, and return the unexpended balances as appropriate.

Closed on 08.25.2020
$26,000,000
No. 6 to FAA

Develop and implement a plan to improve oversight of the Franchise Fund's unfilled customer orders balance, such as tracking performance to ensure unexpended funds are returned timely as required. Implementing this recommendation could potentially put $26 million in funds to better use.

Closed on 08.26.2020
$39,000,000
No. 7 to FAA

Revise the Franchise Fund's policies on agreements to include dealing with delinquent agreements, and require service organizations to adhere to applicable DOT and FAA policies. Implementing this recommendation could potentially put $39 million in funds to better use.

Closed on 06.30.2021
No. 8 to FAA

Implement the requirement that service organizations collect advance payments before they provide products or services, in accordance with Public Law 104-205.

Closed on 05.29.2020
No. 9 to FAA

Develop and implement a process that requires Franchise Fund service organizations to respond promptly to customer questions about agreements and price changes before the period of performance begins.

Closed on 07.07.2020
No. 10 to FAA

Develop and implement formal, documented procedures that require service organizations to include a business case when they submit a capital reserve project to the Franchise Fund Management Council for approval to ensure the project represents the best value.

Closed on 07.29.2020
No. 11 to FAA

Implement the Major Business Investment and Expenditures Policy requirement to document formal approval of capital reserve projects.

Closed on 07.29.2020
No. 12 to FAA

Develop a plan that clearly describes the Franchise Fund Management Council's vision, goals and expected outcomes for the services provided to its customers. The plan should include what initiatives or specific actions the Council will take to provide the additional oversight and transparency needed.

Closed on 04.21.2020
No. 13 to FAA

Develop Franchise Fund process and procedures that require (a) customers to document bona fide needs for new projects before agreements are written and funds obligated and advanced and (b) service organizations to accept year-end funding only for projects that clearly represent a bona fide need.

Audit Report: QC2020011 issued on 11.18.2019
Quality Control Review of the Independent Auditor’s Report on the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2019 and 2018
Closed on 12.17.2020
No. 1 to FAA

KPMG recommends that FAA management design and implement procedures to consistently perform and document application log reviews as required by existing internal policies.

No. 2 to FAA

KPMG recommends that FAA management design and implement procedures to consistently perform and document database layer audit log reviews as required by existing internal policies.

No. 3 to FAA

KPMG recommends that FAA management design and implement procedures to consistently perform and document operating system layer log reviews as required by existing internal policies.

Closed on 03.30.2021
No. 4 to FAA

KPMG recommends that FAA management design and implement procedures to consistently perform and document application level user account access reviews as required by existing internal policies.

No. 5 to FAA

KPMG recommends that FAA management design and implement procedures to consistently perform and document operating system administrative account access reviews as required by existing internal policies.

Closed on 12.17.2020
No. 6 to OST

KPMG recommends that Office of the Secretary management design controls which are sufficiently precise to ensure that each of the data inputs which are key to the cash flow projections are defined (including for loans expected to reach the substantial disbursement threshold); control procedures are sufficiently designed and documented to ensure that the inputs are validated against source documents; and the inputs are accurate prior to the annual subsidy re-estimation in September.

Closed on 12.16.2020
No. 7 to FRA

KPMG recommends that FRA management develop an accrual methodology for incurred but not submitted grantee expenses at year-end.

Closed on 12.16.2020
No. 8 to FRA

KPMG recommends that FRA management develop a process to improve communications between the Grant Office and Office of Financial Services to ensure all available expense information is recorded in the proper reporting period.

Audit Report: QC2020010 issued on 11.15.2019
Quality Control Review of the Independent Auditor’s Report on the Surface Transportation Board’s Audited Financial Statements for Fiscal Years 2019 and 2018
Closed on 12.17.2020
No. 1 to STB

LSC recommends STB ensure that year-end schedules are updated to allow sufficient timeframes to accomplish STB established internal control processes in an effective manner.

Closed on 12.17.2020
No. 2 to STB

LSC recommends STB require the accounting service provider to provide to STB evidence of quality control reviews signed and approved by supervisory personnel prior to accepting receipt of these documents.

Closed on 12.17.2020
No. 3 to STB

LSC recommends STB reject financial statements and related supporting documentation when the accounting service provider submits incomplete or inaccurate data.

Audit Report: QC2020009 issued on 11.14.2019
Quality Control Review of the Independent Auditor’s Report on the Federal Aviation Administration’s Audited Consolidated Financial Statements for Fiscal Years 2019 and 2018
Closed on 12.17.2020
No. 1 to FAA

KPMG recommends that Management design and implement procedures to consistently perform and document the following, as required by existing internal policies: Application log reviews.

No. 2 to FAA

KPMG recommends that Management design and implement procedures to consistently perform and document the following, as required by existing internal policies: Database layer audit log reviews.

No. 3 to FAA

KPMG recommends that Management design and implement procedures to consistently perform and document the following, as required by existing internal policies: Operating System layer log reviews.

Closed on 01.12.2021
No. 4 to FAA

KPMG recommends that Management design and implement procedures to consistently perform and document the following, as required by existing internal policies: Application level user account access reviews.

No. 5 to FAA

KPMG recommends that Management design and implement procedures to consistently perform and document the following, as required by existing internal policies: Operating system administrative account access reviews.

Closed on 12.16.2020
No. 6 to FAA

KPMG recommends that management design and implement review and approval control activities specific to the setup of a new donated inventory part in LCSS to ensure the established unit cost and related attributes are based on supportable and accurate information.

Closed on 02.19.2021
No. 7 to FAA

KPMG recommends that management redesign policies and procedures unique to LCSS and the receipting scenarios that are acceptable for the MISC and F&E purchase order receipt process which support the accuracy of inputs. Further, management should design and implement review and approval control activities surrounding the creation of MISC and F&E purchase orders in LCSS to ensure the unit cost and other attributes which are critical for the appropriate valuation, are valid and accurate.

Audit Report: ZA2020006 issued on 11.04.2019
Gaps in Internal Controls Impede the Department’s Management of Working Capital Fund Laptops
Closed on 05.15.2020
No. 1 to OST

Update DOT DASH 2016-01 to specifically state that FAA Strategic Sourcing for the Acquisition of Various Equipment & Supplies (SAVES) is not an approved vehicle under Office of Management and Budget (OMB) requirements.

Closed on 05.15.2020
No. 2 to OST

Document the revised IT Spend Plan process to verify OAs meet OMB requirements when procuring laptop computers.

No. 3 to OST

Implement enhanced physical security controls for the Information Technology Shared Services (ITSS) asset room where Working Capital Fund (WCF)-funded laptops are stored.

No. 4 to OST

Develop and implement supplemental guidance that defines responsibilities for the Office of Facilities, Information, and Asset Management (OFIAM) and ITSS with respect to receipt, inspection, and acceptance, and inventory management processes and procedures for WCF-purchased laptops.

No. 5 to OST

Update DOT Order 4410.4 to include: a. Defining roles and responsibilities of DOT offices and personnel with respect to management of WCF laptop computers. b. Requiring hand receipts or a similar form whenever an accountable property asset (e.g., laptop) is assigned or unassigned to/from a user. c. Requiring record retention of records from hand receipts or a similar control with the appropriate property official. d. Establishing a timeframe for submitting Reports of Survey to OFIAM.

No. 6 to OST

Establish a Board of Survey to review instances of lost or damaged WCF equipment as required by DOT Order 4410.4.

No. 7 to OST

Develop and implement a process for verifying the timely and accurate entry of laptop computer data into OFIAM's official personal property system of record, to include establishing data entry timeframes, key fields (e.g., procurement and delivery dates), and quality control checks.

$2,900,000
No. 8 to OST

Develop and implement procedures for conducting the annual property inventory to include obtaining missing hand receipts or similar control and timely resolution of discrepancies for WCF laptops. Implementation of this recommendation could result in $2.9 million in funds put to better use.

Audit Report: ST2020005 issued on 10.30.2019
FTA’s Limited Oversight of Grantees’ Compliance With Insurance Requirements Puts Federal Funds and Hurricane Sandy Insurance Proceeds at Risk
Closed on 09.28.2020
$2,125,000
No. 1 to FTA

Reduce permanently NYC DOT's Hurricane Sandy total damage assessment by $2.125 million to remove the ineligible expenses.

Closed on 10.29.2021
No. 2 to FTA

Assess the necessary data to affirm that Hurricane Sandy recovery grantees carried flood insurance that complied with the Flood Disaster Protection Act (FDPA). For any Hurricane Sandy recovery grantee that FTA determines had uninsured buildings, contents, or both that should have been insured in compliance with the FDPA, permanently reduce the grantee’s total Hurricane Sandy damage assessment by the aggregate amount of the maximum available National Flood Insurance Program (NFIP) insurance or the amount of the Federal investment in the property prior to the storm (whichever is less).  

No. 3 to FTA

Develop and implement procedures within FTA's Triennial and State Management Reviews to assess the necessary data to affirm that each grantee undergoing a comprehensive review carries flood insurance that complies with the FDPA. FTA's suggested corrective actions for any grantee deficiency in this area should include, at a minimum, requiring the grantee to submit to FTA documentation showing proof of flood insurance in the aggregate amount of the maximum available NFIP insurance or the amount of the Federal investment (whichever is less) for all structures required to have it.

Closed on 01.15.2021
No. 4 to FTA

Revise FTA’s Emergency Relief Program (ERP) guidance to include a timeframe within which grantees must apply insurance proceeds to support the policy described in its ERP Final Rule.

$982,855,757
No. 5 to FTA

Require the Hurricane Sandy Recovery grantees to apply their insurance proceeds in accordance with the timeframe established in the revised ERP guidance and in support of the policy described in its ERP Final Rule. Implementation of this recommendation could put over $982.8 million in funds to better use. This is the amount of transit-related insurance proceeds that grantees have received but have not yet spent on eligible transit recovery projects.

Closed on 07.29.2021
$180,700,000
No. 6 to FTA

Require MTA to apply the full amount of its transit-related insurance proceeds to eligible transit projects. Implementation of this recommendation could put up to $180.7 million in funds to better use.

Closed on 01.15.2021
No. 7 to FTA

Develop procedures to track grantee allocation plan implementation for expenditures solely funded with insurance proceeds.

Closed on 05.27.2021
No. 8 to FTA

Revise the ERP Toolkit checklist to include a step for FTA Regional staff to crosscheck against the approved insurance allocation plan when reviewing Hurricane Sandy grant applications and awarding Hurricane Sandy grants.

Audit Report: QC2020004 issued on 10.29.2019
Quality Control Review of the Independent Auditor’s Review of DOT’s DATA Act Implementation
No. 1 to OST

Implement and document a formal quarterly review process to ensure that any non-fatal warnings at the Operating Administration level are investigated, and actions to address the warnings are clearly documented.

Closed on 09.07.2021
No. 2 to OST

Implement and document a formal quarterly review process to ensure that any variances identified between File A and the DOT’s GTAS SF-133, and File B and OMB Circular No. A-11 and President’s budget are clearly explained and documented.

No. 3 to OST

Implement and document an internal oversight review process for financial assistance awards to ensure that controls are in place to verify recipients are registered in SAM at the time of financial assistance award.

Closed on 09.30.2021
No. 4 to OST

Develop processes to evaluate future reporting of those data elements identified as being inconsistent with DAIMS guidance.

Audit Report: QC2020002 issued on 10.23.2019
Quality Control Review of the Independent Auditor’s Report on DOT’s Information Security Program and Practices
No. 1 to OST

Perform a review of all Plans of Action and Milestone (POA&M) items closed during the audit period to include supporting documentation and re-approve their closure.

No. 2 to OST

Revise current security weakness management policies and procedures (documenting within a revision history table) to require documented evidence such as calendar appointments, meeting minutes, etc. in support of POA&M closure decisions to be uploaded into CSAM.

No. 3 to OST

Work with the OA CIOs to review current assessment and authorization processes and implement a validation process to ensure updated security plans, ATOs and risk assessments are reviewed and updated to reflect all system (including privacy) controls, vulnerabilities, and that current risks are clearly presented to the authorizing officials.

No. 4 to OST

Work with the OA CIOs to develop mechanisms to ensure updated system security plans and assessments of security controls (that were previously assessed as not satisfied or partially satisfied) reflect current operational environments, including an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated.

No. 5 to OST

Document OA subnets and OA responsibilities for devices and systems operating on the Common Operating Environment.

No. 6 to OST

Document and implement network segmentation to reduce the attack surface or susceptibility of vulnerable and sensitive OA assets in the Common Operating Environment.

No. 7 to OST

Work with OAs to remediate outstanding identity and access management weaknesses through implementation and closure of POA&Ms and control assessments to determine whether these risks were addressed.

Closed on 09.04.2020
No. 8 to OST

Work with Component Privacy Officers (POs) to develop and implement procedures then verify the completion, review, tracking and approval through review of updated PTAs, PIAs and SORNs.

Closed on 07.19.2021
No. 9 to OST

Document and implement a process to ensure incident response procedures related to the timely notification, reporting, updating, and resolution of security incidents are followed in accordance with policy.

Closed on 07.19.2021
No. 10 to OST

Review and update the OCIO Cyber Security Incident Response Plan, documenting evidence of review and revisions within a history log.

No. 11 to OST

Resolve any inconsistencies with respect to Departmental policies and procedures, which prescribe conflicting directions on whether DOT components are required to provide, develop and update incident response plans, documenting evidence of review and revisions within a history log.

No. 12 to OST

Implement a process to ensure incident response plans are developed for all OAs and updated on at least an annual basis.

Closed on 09.09.2020
No. 13 to OST

Work with the OST's Office of Intelligence, Security and Emergency Response to ensure the DOT COOP is reviewed and updated (noting evidence of the review within a history/revision log).

No. 14 to OST

Work with the OA CIOs to remediate identified weaknesses in contingency plans and BIAs, such as missing information, lack of timely review, and inadequate approvals, demonstrated by updated contingency plans and BIAs.

Audit Report: SA2020001 issued on 10.16.2019
Summary Report on Significant Single Audit Findings Impacting DOT Programs for the 3-Month Period Ending August 31, 2019
Closed on 01.16.2020
No. 1 to OST

Coordinate with impacted Operating Administrations (OA) to develop a corrective action plan to resolve and close the findings highlighted in this report.

$1,005,222
No. 2 to OST

Determine the allowability of the questioned transactions and recover $1,005,222.00, if applicable.

Audit Report: ZA2019087 issued on 09.30.2019
DOT Needs To Strengthen Its Oversight of IAAs With Volpe
No. 1 to OST

Implement requirements for documenting the rationale for entering into intra-agency agreements (IAA) with the John A. Volpe National Transportation Systems Center (Volpe), including why the proposed agreement is in the OA's best interest.

No. 2 to OST

Implement a process to ensure OAs' spend plans, or an alternative mechanism, include descriptions of current and planned Volpe IAA projects, as well as the projects' current and future funding needs.

No. 3 to OST

Implement oversight procedures in compliance with section 1.4.3 of DOT Order 1200.9 to verify use of required forms and the inclusion of required elements when executing Volpe IAAs, including but not limited to buyer obligation numbers, lines of accounting to be charged, and Treasury Appropriation Fund Symbols.

No. 4 to OST

Implement procedures to verify compliance with departmental requirements for conducting IAA financial completion processes and returning unused funds after the period of performance ends.

$33,300,000
No. 5 to OST

Comply with DOT Order 1200.9's financial completion and IAA closeout process requirements for the IAAs identified in table 3 of this report, and determine whether to close them and deobligate the appropriate portions of the $5,966,933 we identified. Implementing this recommendation across the 854 IAAs in our audit universe could potentially put up to $33.3 million in funds to better use.

No. 6 to OST

Develop and implement procedures to communicate with and train relevant OA staff (e.g., Program Office, Acquisitions/Procurement Office, and Budget/Finance Office staff) about DOT's current IAA-related requirements and guidance.

No. 7 to OST

Develop and implement procedures for reviewing current and future OA-issued IAA guidance to confirm alignment with DOT policy.

No. 8 to OST

Develop and implement procedures to verify OA compliance with departmental requirements for financially managing IAAs with Volpe, including conducting and documenting monthly and quarterly reconciliations, and year-end reviews.

No. 9 to OST

Develop and implement a mechanism for the OAs to document and share their performance evaluation data regarding Volpe IAAs.

Audit Report: QC2019086 issued on 09.30.2019
Report on a Quality Control Review of the Independent Service Auditor’s Report on DOT’s Enterprise Services Center
Closed on 11.07.2019
Sensitive
No. 1 to OST

Sensitive information redacted

Closed on 11.07.2019
Sensitive
No. 2 to OST

Sensitive information redacted

Closed on 11.07.2019
Sensitive
No. 3 to OST

Sensitive information redacted

Audit Report: ST2019084 issued on 09.25.2019
FMCSA’s Plan Addresses Recommendations on Prioritizing Safety Interventions but Lacks Implementation Details
No. 1 to FMCSA

For the fifth NAS recommendation, provide (a) cost estimates that account for staffing, enforcement, and data collection; and (b) benchmarks for completion.

No. 2 to FMCSA

For the fourth and sixth NAS recommendations, provide (a) cost estimates that account for staffing, enforcement, and data collection; (b) benchmarks for completion; and (c) potential programmatic reforms, revisions to regulations, or proposals for legislation.

Audit Report: SA2019079 issued on 09.18.2019
Report on a Single Audit of the Los Angeles County Metropolitan Transportation Authority, Los Angeles, CA
Closed on 03.14.2022
No. 1 to FTA

Ensures that the Authority complies with the subrecipient monitoring requirements. 

Audit Report: SA2019080 issued on 09.18.2019
Report on a Single Audit of the State of Nebraska, Lincoln, NE
No. 1 to FTA

Ensures the State complies with the allowable costs/cost principles and subrecipient monitoring requirements.

$232,750
No. 2 to FTA

Recovers $232,750 (2018-067) from the State, if applicable.

$71,167
No. 3 to FTA

Recovers $71,167 (2018-068) from the State, if applicable.

Closed on 04.14.2021
No. 4 to NHTSA

Ensures the State complies with the allowable costs/cost principles and subrecipient monitoring requirements, resulting in questioned costs of $11,745.

Closed on 10.27.2020
$11,745
No. 5 to NHTSA

Recovers $11,745 from the State, if applicable.

Audit Report: SA2019081 issued on 09.18.2019
Report on a Single Audit of the Terre Haute Regional Airport Authority, Terre Haute, IN
Closed on 03.25.2020
No. 1 to FAA

Ensures that the Authority complies with the special tests and provisions requirements.

Closed on 03.25.2020
No. 2 to FAA

Ensure that the Authority complies with the allowable costs/cost principles and reporting requirements.

Audit Report: SA2019076 issued on 09.17.2019
Report on a Single Audit of the Commonwealth of Pennsylvania, Harrisburg, PA
No. 1 to FHWA

Ensures that the Commonwealth complies with the subrecipient monitoring requirements.

Audit Report: SA2019077 issued on 09.17.2019
Report on a Single Audit of the City of Birmingham, Birmingham, AL
No. 1 to OST

Ensures the City complies with the procurement and suspension and debarment requirements.

$381,190
No. 2 to OST

Recovers $381,190 from the City, if applicable.

Audit Report: SA2019078 issued on 09.17.2019
Report on a Single Audit of the Puerto Rico Metropolitan Bus Authority, San Juan, PR
No. 1 to FTA

Ensures that the Authority complies with the equipment and real property management requirements.

Audit Report: ST2019072 issued on 09.11.2019
DOT’s Updated Anti-Harassment Policy Meets EEOC Requirements, but Program Compliance Hinges on Procedure Implementation and Data Usage
Closed on 01.16.2020
No. 1 to OST

Collect and review each OA's anti-harassment program procedures, and require revisions, as necessary, to bring them into compliance with DOT's policy and EEOC requirements.

Audit Report: SA2019068 issued on 09.10.2019
Report on a Single Audit of the Crooked Creek Traditional Council, Crooked Creek, AK
No. 1 to FHWA

Ensures that the Council complies with the activities allowed or unallowed requirements.

$194,821
No. 2 to FHWA

Recovers $194,821 from the Council, if applicable.

Audit Report: SA2019069 issued on 09.10.2019
Report on a Single Audit of the Puerto Rico Highways and Transportation Authority, San Juan, PR
No. 1 to FTA

Ensures that the Authority complies with the subrecipient monitoring requirements.

No. 2 to FHWA

Ensures that the Authority complies with the matching requirements.

Audit Report: SA2019070 issued on 09.10.2019
Report on a Single Audit of the State of Connecticut, Hartford, CT
Closed on 09.22.2021
No. 1 to FHWA

Ensures that the State complies with the allowable costs/cost principles requirements. 

Closed on 04.22.2021
$1,023,224
No. 2 to FHWA

Recovers $1,023,224 from the State, if applicable.

Audit Report: SA2019071 issued on 09.10.2019
Report on a Single Audit of the Association of Village Council Presidents, Bethel, AK