Quality Control Review of the Management Letter for the Department of Transportation’s Audited Consolidated Financial Statements for Fiscal Years 2022 and 2021

Date Issued

Wednesday, February 8, 2023

Submitting OIG

Department of Transportation OIG

Other Participating OIGs

Department of Transportation OIG

Agencies Reviewed/Investigated

Department of Transportation

Components

Office of the Special Trustee for American Indians

Office of the Secretary of Transportation

Report Number

QC2023016

Report Description

What We Looked AtThis report presents the results of our quality control review (QCR) of KPMG LLP’s management letter for its audit, conducted under contract with us, of the Department of Transportation’s (DOT) consolidated financial statements for fiscal years 2022 and 2021. The management letter discusses six internal control matters that KPMG was not required to include in its audit report. What We FoundOur QCR of the management letter disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards. Our RecommendationsKPMG made 12 recommendations in its management letter. DOT concurred with all 12 recommendations.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 4 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	Yes	$0	$0
KPMG recommends that DOT OCIO management revise the website containing the policy documentation to ensure all documents are consistent and contain the same listing of required controls for moderate-impact systems.
2	Yes	$0	$0
KPMG recommends that DOT OCIO management should document any Department-wide tailoring decisions within the appropriate security documentation, as required by NIST.
3	Yes	$0	$0
KPMG recommends that DOT OCIO management should define and document control tailoring requirements for the Department and its Operating Administrations.
5	Yes	$0	$0
KPMG recommends that ESC management create monitoring procedures over the existing management review of the JV control logs monthly reconciliation to ensure the consistent operation of the control, as defined within policy.