Federal Reports

Performance Audit Report on the Federal Labor Relations Authority’s Compliance with the Payment Integrity Information Act of 2019 for Fiscal Year 2025

Fiscal Year 2025 Independent Evaluation of the SEC's Implementation of the Federal Information Security Modernization Act of 2014, Report No. 589

Our Objective(s)To perform a quality control review (QCR) of KPMG LLP's management letter related to the audit of the DOT's consolidated financial statements as of and for the fiscal year ended September 30, 2025. We reviewed KPMG's management letter, dated January 29, 2026, and related documentation.
About This ReportWe contracted with the independent public accounting firm KPMG LLP to audit DOT's consolidated financial statements. KPMG also issued a management letter discussing internal control matters that KPMG was not required to include in its audit report.
What We FoundThe independent auditor, KPMG, found eight internal control matters in DOT's management of operations:

Weakness exists within the Federal Highway Administration grant management system change management process,
Weaknesses exist within the user access application change management process,
Weaknesses in password requirements for the user access application database,
Weaknesses in new user provisioning process for grant management system operating system,
Weaknesses in the frequency of the Office of the Chief Information Officer administrator access semi-annual review,
Weaknesses within the Federal Transit Administration (FTA) general user base review and privileged access review,
Weaknesses in Federal Aid grant accrual assumptions, and
Weaknesses in FTA's review of grant accrual calculations.

Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
RecommendationsWe agree with KPMG's 10 recommendations to help strengthen DOT's information system and business controls.

Our Objective(s)To perform a quality control review (QCR) of KPMG LLP's management letter related to the audit of the Federal Aviation Administration's (FAA) financial statements for fiscal year 2025. We reviewed KPMG's management letter, dated January 28, 2026, and related documentation.
About This ReportWe contracted with the independent public accounting firm KPMG to audit FAA's financial statements. KPMG also issued a management letter discussing internal control matters that KPMG was not required to include in its audit report.
What We FoundThe independent auditor, KPMG, found four internal control matters in FAA's management of operations:

Weaknesses in documenting review of FAA procurement system users during non-routine provisioning,
Weaknesses in the recording of right-to-use leases,
Weaknesses in ESC's review of manual journal entries,
Untimely review of year-end journal vouchers.

Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
RecommendationsWe agree with KPMG's four recommendations to help strengthen FAA's information technology and service organization system and business processes.

Our Objective(s)To perform a quality control review (QCR) of Allmond & Company, LLC's management letter related to the audit of the Surface Transportation Board's (STB) financial statements for the fiscal year ended September 30, 2025. We reviewed Allmond's management letter, dated January 7, 2026, and related documentation.
About This ReportWe contracted with the independent public accounting firm Allmond to audit STB's financial statements. Almond also issued a management letter discussing internal control matters that Allmond was not required to include in its audit report.
What We FoundThe independent auditor, Allmond, found nine internal control matters in STB's operations:

Completion of revenue reconciliations was not properly evidenced,
Complementary user entity controls were not properly designed and implemented for the use of service organization systems,
Accounts payable transaction was recorded and paid from an incorrect funding year,
Improvements needed in internal control relating to the processing of personnel actions,
Improvements needed in internal controls relating to annual leave,
Improvements needed in internal control relating to the performance of property inventories,
Lack of sufficient internal control over financial reporting relating to upward and downward adjustments of prior year obligations,
Leave carryover balances were not properly calculated or reviewed, and
Federal Employees Health Benefits Program premiums were included in Old-Age, Survivors, and Disability Insurance and Medicare taxes in error.

Our QCR disclosed no instances in which Allmond did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
RecommendationsWe agree with Allmond's 17 recommendations to help strengthen STB's internal controls.

This report presents the results of our verification inspection of the U.S. Small Business Administration’s (SBA) corrective actions for the recommendations from the Office of Inspector General (OIG) Audit of SBA’s Desktop Loss Verification Process (Report 19-23). A verification inspection is a review that focuses on the implementation of closed recommendations from prior OIG reports.

SBA made corrective actions in response to our prior audit and implemented a process to ensure all disaster assistance loans were verified before disbursing funds. However, the corrective actions the agency made in response to our prior audit no longer exist because SBA changed its loan processing management system and developed new processes. We found the same issues identified in our prior audit continue to persist because SBA did not address our recommendations when the agency transitioned to its new loan processing platform in 2023. In some cases, SBA weakened or eliminated internal controls even further.

In this verification inspection, we reviewed the files for 28 SBA disaster assistance loans approved in fiscal year 2025 and found 12 were missing photographs of the claimed damages. Only 1 of the 28 files contained contractor estimates for cost of repair or replacement, insurance reports, or repair receipts. The loss verifiers’ comments in the files were often minimal in supporting their conclusions from the documentation submitted. We will not reopen the recommendations from Report 19-23 but will instead incorporate our findings into a future audit of SBA’s disaster assistance loan loss verification process. SBA elected not to provide a formal response to this report.