Date Issued
Submitting OIG
Department of Transportation OIG
Agencies Reviewed/Investigated
Department of Transportation
Components
Office of the Secretary of Transportation
Report Number
QC2026019
Report Description

Our Objective(s)
To perform a quality control review (QCR) of KPMG LLP's management letter related to the audit of the DOT's consolidated financial statements as of and for the fiscal year ended September 30, 2025. We reviewed KPMG's management letter, dated January 29, 2026, and related documentation.
About This Report
We contracted with the independent public accounting firm KPMG LLP to audit DOT's consolidated financial statements. KPMG also issued a management letter discussing internal control matters that KPMG was not required to include in its audit report.
What We Found
The independent auditor, KPMG, found eight internal control matters in DOT's management of operations:

Weakness exists within the Federal Highway Administration grant management system change management process,
Weaknesses exist within the user access application change management process,
Weaknesses in password requirements for the user access application database,
Weaknesses in new user provisioning process for grant management system operating system,
Weaknesses in the frequency of the Office of the Chief Information Officer administrator access semi-annual review,
Weaknesses within the Federal Transit Administration (FTA) general user base review and privileged access review,
Weaknesses in Federal Aid grant accrual assumptions, and
Weaknesses in FTA's review of grant accrual calculations.

Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
Recommendations
We agree with KPMG's 10 recommendations to help strengthen DOT's information system and business controls.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
10
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 10 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
1 Yes $0 $0

FHWA management enforce the FHWA Configuration and Change Management Process to ensure that approvals and documentation related to application changes are completed in accordance with the National Institute of Standards and Technology (NIST) 800-53, DOT and system requirements.

2 Yes $0 $0

FHWA management enforce the change management requirements per the DOT Compendium and the FHWA Configuration and Change Management Process policy to ensure testing and approvals are appropriately performed and documented for each change.

3 Yes $0 $0

User access application management implement and enforce the password complexity requirements in accordance with NIST 800-53, Office of the Chief Information Officer (OCIO) Cybersecurity Compendium Workbook, and the application's System Security Plan (SSP).

4 Yes $0 $0

OCIO management enforce required policies and procedures to ensure that roles and permissions are clearly identified, documented and approved within a new access request form/ticket prior to provisioning administrator access within grant management system's operating system.

5 Yes $0 $0

FHWA and OCIO management implement a quarterly access review of user access configured within the FHWA grant management system and user access application databases and the FHWA grant management system operating system in accordance with the DOT OCIO Cybersecurity Compendium Workbook.

6 Yes $0 $0

FTA management implement a quarterly access review process over all integrated Appian platform access reviews in accordance with the DOT Compendium.

7 Yes $0 $0

FHWA management further refine and enhance their estimation methodology to ensure it remains responsive to future expense fluctuations, including conducting a timely comprehensive risk assessment as a result of their quarterly lookback process.

8 Yes $0 $0

FTA enhance and finalize the FTA Grant Accrual Standard Operating Procedure (SOP) to more clearly outline the historical day calculation methodology used in the accrual calculation.

9 Yes $0 $0

FTA ensure the review process is sufficient to identify any deviations from the outlined policy.

10 Yes $0 $0

FTA communicate the finalized SOP to preparers of the grant accrual workbook to ensure appropriate understanding of the enhanced methodology and review requirements.
