GOVERNANCE AND AUDIT COMMITTEE
Thursday, May 4, 2017
4:00 PM
Conference Room 157
County Government Center
70 West Hedding Street
San Jose, CA
AGENDA
CALL TO ORDER
1. ROLL CALL
2. PUBLIC PRESENTATIONS:
This portion of the agenda is reserved for persons desiring to address the Committee on
any matter not on the agenda. Speakers are limited to 2 minutes. The law does not
permit Committee action or extended discussion on any item not on the agenda except
under special circumstances. If Committee action is requested, the matter can be placed
on a subsequent agenda. All statements that require a response will be referred to staff
for reply in writing.
3. ORDERS OF THE DAY
CONSENT AGENDA
4. ACTION ITEM - Approve the Regular Meeting Minutes of March 2, 2017.
5. ACTION ITEM - Recommend that the Board of Directors: (1) adopt a resolution
amending the VTA Administrative Code to establish the 2016 Measure B Citizens’
Oversight Committee; and (2) approve the bylaws for that committee.
6. ACTION ITEM - Ratify appointments to the Bicycle & Pedestrian Advisory Committee
for the two-year term ending June 30, 2018.
7. RECESS TO CLOSED SESSION
A. THREAT TO PUBLIC SERVICES OR AGENCY INFORMATION
(Government Code Section 54957)
Consultation with Chief Information Officer, Gary Miskell
Santa Clara Valley Transportation Authority
Governance and Audit Committee May 4, 2017
Page 2
8. RECONVENE TO OPEN SESSION
9. CLOSED SESSION REPORT
REGULAR AGENDA
10. ACTION ITEM - Review and receive the Auditor General's report on the IT
Development and Project Management Assessment.
11. ACTION ITEM - Review and receive the Auditor General's report on the Investment
Program Controls Internal Audit performed during Fiscal Year 2017.
12. INFORMATION ITEM - Receive an update from Auditor General Office staff on the
status of projects contained in the current Internal Audit Work Plan.
13. ACTION ITEM - Recommend Board approval of the Auditor General’s recommended
Internal Audit Work Plans for the next two fiscal years (FY) for a maximum amount of
$531,000 for FY 2018 and $465,000 for FY 2019.
OTHER ITEMS
14. Items of Concern and Referral to Administration.
15. Review Committee Work Plan. (Fernandez)
16. Committee Staff Report. (Fernandez)
17. Chairperson's Report. (Bruins)
18. Determine Items for the Consent Agenda for future VTA Board of Directors' meetings.
19. ANNOUNCEMENTS
20. ADJOURN
In accordance with the Americans with Disabilities Act (ADA) and Title VI of the Civil Rights
Act of 1964, VTA will make reasonable arrangements to ensure meaningful access to its
meetings for persons who have disabilities and for persons with limited English proficiency who
need translation and interpretation services. Individuals requiring ADA accommodations should
notify the Board Secretary’s Office at least 48 hours prior to the meeting. Individuals requiring
language assistance should notify the Board Secretary’s Office at least 72 hours prior to the
meeting. The Board Secretary may be contacted at (408) 321-5680 or
[email protected] or (408) 321-2330 (TTY only). VTA’s home page is www.vta.org
or visit us on www.facebook.com/scvta. (408) 321-2300: 中文 / Español / 日本語 /
한국어 / tiếng Việt / Tagalog.
Disclosure of Campaign Contributions to Board Members (Government Code Section 84308)
In accordance with Government Code Section 84308, no VTA Board Member shall accept, solicit,
or direct a contribution of more than $250 from any party, or his or her agent, or from any
participant, or his or her agent, while a proceeding involving a license, permit, or other
entitlement for use is pending before the agency. Any Board Member who has received a
contribution within the preceding 12 months in an amount of more than $250 from a party or
from any agent or participant shall disclose that fact on the record of the proceeding and shall not
make, participate in making, or in any way attempt to use his or her official position to influence
the decision. A party to a proceeding before VTA shall disclose on the record of the proceeding
any contribution in an amount of more than $250 made within the preceding 12 months by the
party, or his or her agent, to any Board Member. No party, or his or her agent, shall make a
contribution of more than $250 to any Board Member during the proceeding and for three
months following the date a final decision is rendered by the agency in the proceeding. The
foregoing statements are limited in their entirety by the provisions of Section 84308 and parties
are urged to consult with their own legal counsel regarding the requirements of the law.
All reports for items on the open meeting agenda are available for review in the Board
Secretary’s Office, 3331 North First Street, San Jose, California, (408) 321-5680, the Monday,
Tuesday, and Wednesday prior to the meeting. This information is available on VTA’s website
at http://www.vta.org and also at the meeting.
NOTE: THE BOARD OF DIRECTORS MAY ACCEPT, REJECT OR MODIFY
ANY ACTION RECOMMENDED ON THIS AGENDA.
Governance and Audit Committee
Thursday, March 2, 2017
MINUTES
CALL TO ORDER
The Regular Meeting of the Governance and Audit Committee (“Committee”) was called
to order at 4:03 p.m. by Chairperson Bruins in Conference Room 157, County
Government Center, 70 West Hedding, San Jose, California.
1. ROLL CALL
Attendee Name Title Status
Jeannie Bruins Chairperson Present
Cindy Chavez Member Present
Glenn Hendricks Member Present
Sam Liccardo Vice Chairperson Present
Teresa O'Neill Member Present
2. PUBLIC PRESENTATIONS:
There were no Public Presentations.
3. ORDERS OF THE DAY
Angelique M. Gaeta, Chief of Staff, noted the Auditor General's report on the IT
Development & Project Management Assessment will be heard at the next meeting.
CONSENT AGENDA
4. Regular Meeting Minutes of February 2, 2017
M/S/C (O’Neill/Hendricks) to approve the Regular Meeting Minutes of
February 2, 2017.
NOTE: M/S/C MEANS MOTION SECONDED AND CARRIED AND, UNLESS OTHERWISE INDICATED,
THE MOTION PASSED UNANIMOUSLY.
Governance and Audit Committee Minutes Page 2 of 5 March 2, 2017
5. Appointments to the Committee for Transportation Mobility & Accessibility
M/S/C (O'Neill/Hendricks) to approve the appointment to the Committee for
Transportation Mobility & Accessibility for the four-year term ending
December 31, 2020 of Rowan Fairgrove, representing Seniors/Individuals with
Disabilities.
6. Appointments to VTA Policy Advisory Boards
M/S/C (O'Neill/Hendricks) to approve appointments to VTA Policy Advisory Boards.
RESULT: APPROVED - Agenda Items #4 - 6
MOVER: O’Neill, Member
SECONDER: Hendricks, Member
AYES: Bruins, Chavez, Hendricks, O’Neill
NOES: None
ABSENT: Liccardo
Vice Chairperson Liccardo arrived at the meeting and took his seat at 4:12 p.m.
REGULAR AGENDA
7. FY18 & FY19 Internal Audit Work Plan Proposed Projects
Bill Eggert, Auditor General, provided a brief overview of the report and a presentation
entitled "Proposed FY18 & FY19 Internal Audit Work Plan Projects," highlighting the
following: 1) Content; 2) VTA Auditor General Responsibilities; 3) VTA's Internal Audit
Process; 4) FY17 Risk Assessment Refresh; 5) FY17 Risk Assessment Refresh - Heat
Map; 6) Proposed FY18 & FY19 Auditor General Projects; 7) Proposed Future Auditor
General Projects, and; 8) Proposed Recurring Auditor General Projects.
The Committee and staff discussed the following: 1) two people attended the annual
Public Audit meeting which was held on February 28, 2017; 2) order of proposed FY18
& FY19 Auditor General Projects; 3) suggest an updated Cyber Security Comprehensive
Risk Assessment be conducted due to new vulnerabilities, and; 4) VTA funding
structures and challenges will be addressed at the April 21, 2017, Board Workshop.
On order of Chairperson Bruins and there being no objection, the Committee reviewed
and provided direction on the Auditor General’s proposed list of potential one-time
projects (not recurring tasks) for the upcoming FY18 and FY19 Internal Audit Work
Plans.
8. Amend FY 2017 Internal Audit Work Plan
Mr. Eggert provided a brief overview of the staff report.
Discussion ensued about: 1) the implied order of projects is based on timing, and; 2) a suggestion
that a Metropolitan Transportation Commission (MTC) initiated audit or an independent third
party audit of the MTC Allocation would be more persuasive.
M/S/C (O’Neill/Chavez) to approve amending the FY 2017 Internal Audit Work Plan to
defer one project to the next fiscal year due to VTA's revised project timeline and replace
it with a new high-priority project.
RESULT: APPROVED - Agenda Item #8
MOVER: O’Neill, Member
SECONDER: Chavez, Member
AYES: Bruins, Chavez, Hendricks, Liccardo, O’Neill
NOES: None
ABSENT: None
9. VTA State Lobbyist Report
Kurt Evans, State & Federal Government Affairs Manager, introduced Delaney Hunter of
Gonzalez, Quintana, Hunter & Cruz, VTA’s State lobbyist.
Ms. Hunter expressed concern about key transportation issues of interest to VTA which
are currently happening in Sacramento, highlighting: 1) Senate Bill (SB) 1,
Transportation Funding Package, Assembly Member Jim Beall, and; 2) Cap & Trade.
Ms. Hunter stated SB-1 does not currently have the required 2/3 super majority vote to
pass in the Senate, and a tremendous amount of hard work needs to take place to reach
that number. The bill has not been set on the Assembly side and currently lacks focus.
Ms. Hunter stated the Cap & Trade auction took place in February, 2017, resulting in
$8M for the Greenhouse Gas Reduction Fund. She noted this does not bode well for
transportation. She indicated there is hope and stated additional legislation would provide
more security around the Cap & Trade funding source.
Members of the Committee discussed the following: 1) possibility of getting a legislative
extension for the April, 2017, Cap & Trade auction; 2) requested a list of moderate
Democrats and Republicans that are not supportive of transportation projects, and;
3) tools to facilitate better outcomes.
Ms. Hunter reiterated the need to work together to preserve and maintain federal funding
for transportation projects.
On order of Chairperson Bruins and there being no objection, the Committee received
a report from VTA's state lobbyist, Gonzalez, Quintana, Hunter & Cruz.
OTHER ITEMS
10. Items of Concern and Referral to Administration
There were no Items of Concern and Referral to Administration.
11. Review Committee Work Plan
Ms. Gaeta briefly discussed items scheduled for the May 4, 2017, meeting including
several Auditor General items.
Chairperson Bruins stated the approval process for the 2016 Measure B Citizens'
Oversight Committee will be placed on the Regular Agenda of the March 2, 2017, VTA
Board of Directors (Board) meeting.
On order of Chairperson Bruins and there being no objection, the Committee reviewed
the Committee Work Plan.
12. Committee Staff Report
Ms. Gaeta noted Governance and Audit Committee items scheduled for the
March 2, 2017, Board meeting, including the approval of the appointment process for the
2016 Measure B Citizens' Oversight Committee.
Member Chavez expressed appreciation for the thorough presentation VTA provided on
the process. She expressed concern that the Transit Justice Community is not represented
and looks forward to discussion on that matter.
13. Chairperson's Report
There was no Chairperson’s Report.
14. Determine Items for the Consent Agenda for Future Board of Directors' Meetings
CONSENT:
Agenda Item # 8., Approve amending the FY 2017 Internal Audit Work Plan to defer
one project to the next fiscal year due to VTA's revised project timeline and replace it
with a new high-priority project.
REGULAR: None
15. ANNOUNCEMENTS
There were no Announcements.
16. ADJOURN
On order of Chairperson Bruins and there being no objection, the Committee was
adjourned at 4:53 p.m.
Respectfully submitted,
Anita McGraw, Board Assistant
VTA Office of the Board Secretary
Date: May 1, 2017
Current Meeting: May 4, 2017
Board Meeting: June 1, 2017
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority
Governance and Audit Committee
FROM: Elaine Baltao, Board Secretary
Robert Fabela, General Counsel
SUBJECT: Amend the VTA Administrative Code to Establish the 2016 Measure B Citizens
Oversight Committee and Approve the Committee Bylaws
Policy-Related Action: Yes Government Code Section 84308 Applies: No
ACTION ITEM
RECOMMENDATION:
Recommend that the Board of Directors: (1) adopt a resolution amending the VTA
Administrative Code to establish the 2016 Measure B Citizens’ Oversight Committee; and (2)
approve the bylaws for that committee.
BACKGROUND:
The VTA Administrative Code (“Admin Code”) prescribes the governance, administrative and
financial provisions of VTA including the powers and duties of officers, the method of
appointment of its governing board, committees and employees, and the methods, procedures,
and systems for the operation and management of the organization. It is the rulebook established
by the Board defining how VTA is structured and how it conducts its business. Amendments to
the Admin Code require Board adoption of a resolution specifying the changes.
VTA committee bylaws govern the proceedings of the committee and its meetings and must be
consistent with the Admin Code.
On November 8, 2016 the voters of Santa Clara County overwhelmingly approved Measure B
that enacted a thirty year ½ cent sales tax for transit and transportation improvements. The 2016
Measure B ballot specified VTA as the administrator of the tax, and that “an independent
citizens’ oversight committee shall be appointed to ensure that the funds are being expended
consistent with the approved Program.” The ballot also listed the specific duties and
responsibilities of the citizens’ oversight committee.
Page 2 of 3
At its March 2, 2017 meeting, the Board of Directors, following the recommendation of the
Governance & Audit Committee, approved the appointment process for the 2016 Measure B
Citizens’ Oversight Committee.
DISCUSSION:
Submitted for Board consideration are: (1) proposed amendments to the Admin Code (shown on
Attachment A) to establish the 2016 Measure B Citizens’ Oversight Committee (“Committee”);
and (2) the proposed bylaws to govern the proceedings of the Committee and its meetings
(Attachment B). Both actions are in fulfillment of the 2016 Measure B ballot that requires
establishment of a citizens’ oversight committee to perform the specific duties defined in the
ballot.
The Committee bylaws were developed from the current bylaws for VTA’s advisory committees,
policy advisory boards, and the 2000 Measure A Citizens Watchdog Committee. They
incorporate the proven provisions of each where appropriate.
The most substantive recommended modifications to the Admin Code and the key provisions in
the Committee bylaws being established are:
A. Committee will serve during the term of the sales tax (April 2017 - March 2047) and for a
reasonable period thereafter necessary to complete its work. [Admin Code §4-35; page A2;
Bylaws §2.1, page B2]
B. Membership provisions consist of those approved by the Board on March 2, 2017 to assist
the committee in its task of evaluating revenues and project expenditures to ensure they are
being expended consistent with the approved program. These include: (A) Eight (8) voting
positions from defined areas of expertise and with required experience; (B) members must
be registered voters of Santa Clara County; (C) members cannot hold elected or appointed
office or be VTA or Member Agency staff; (D) four (4) year terms, limited to two (2)
consecutive terms. [Admin Code §4-36; starting Page A2; Bylaws §3.1, starting page B10]
C. Committee will meet a minimum of four (4) times per year. [Admin Code §4-40; page A3;
Bylaws §5.1, page B6]
D. Five (5) members required to establish a quorum; five (5) affirmative votes required to pass
an item. [Admin Code §4-40; page A3; Bylaws §5.4, page B7]
E. Due to the Committee duties and responsibilities being defined in the 2016 Measure B
ballot, establishment and any modifications to the 2016 Measure B Citizens’ Oversight
Committee bylaws requires the approval of the Board of Directors. [Admin Code §4-37;
page A3; Bylaws §7.1, page B10]
If approved by the Board, the provisions would take effect immediately.
ALTERNATIVES:
The Board could modify, reject or add certain provisions to the recommended bylaws for the
Committee or the Admin Code.
FISCAL IMPACT:
There is no direct fiscal impact associated with amending the VTA Administrative Code. Any
costs related to administration of the 2016 Measure B Citizens’ Oversight Committee will be
paid by 2016 Measure B funds.
Prepared by: Stephen Flynn, Advisory Committee Coordinator
Memo No. 6036
ATTACHMENTS:
A--Admin Code_01JUN2017.Proposed_CH4-SectionV (PDF)
B--2016 MBCOC_bylaws_01JUN2017_Proposed (PDF)
SANTA CLARA VALLEY
TRANSPORTATION AUTHORITY
ADMINISTRATIVE CODE
Adopted December 20, 1994
Effective January 1, 1995
With Amendments through January 5, 2017
Reprint 1/05/2017
Through Resolution 2017.01.03 and Board Action 1/05/17 2
…
Chapter 4
ADVISORY BOARDS AND COMMITTEES; OVERSIGHT COMMITTEES
...
Article V
Oversight Committees
Sec. 4-35. Overview; establishment.
The 2016 Measure B sales tax (“Measure B”) was approved by Santa Clara County
voters on November 8, 2016. The ballot specified VTA as the administrator of the tax, and
that “an independent citizens’ oversight committee shall be appointed to ensure that the funds
are being expended consistent with the approved Program.” The ballot also listed the specific
duties and responsibilities of the citizens’ oversight committee.
In accordance with the 2016 Measure B ballot, the VTA Board of Directors has
established the 2016 Measure B Citizens’ Oversight Committee (“Committee”) to perform the
specific duties defined in the ballot. The Committee shall serve during the term of the sales tax
(April 2017 – March 2047) and for a reasonable period thereafter necessary for the Committee
to complete its work.
Sec. 4-36. Membership; membership requirements; term of office.
The Committee shall be composed of eight (8) voting members. All members shall be
registered voters of Santa Clara County during their term. The Committee shall not have
alternate members. To assure independence, no elected or appointed public official shall be
appointed to the Committee. Further membership requirements may be established in the
bylaws for the committee.
The membership shall be comprised of individuals with relevant expertise and
experience necessary to assist the Committee in its task of evaluating 2016 Measure B revenues
and project expenditures to determine compliance with the commitments made to voters in the
ballot.
Committee members will be subject to VTA’s Conflict of Interest policies as specified
in the VTA Administrative Code. Members will also be required to complete and submit the
California Fair Political Practices Commission’s Form 700 – Statement of Economic Interests
at the required intervals.
Committee members shall be appointed for a four (4) year term, commencing on
January 1. Half the terms shall be staggered by a two-year interval. Members are limited to
two consecutive terms.
The Board of Directors shall approve all appointments to the 2016 Measure B Citizens’
Advisory Committee following an appointment process specified in the bylaws for the
committee.
Sec. 4-37. Bylaws.
Bylaws shall be established for the Committee for the conduct of its business. Bylaws
may be amended by the Committee by the affirmative vote of a majority of its total authorized
membership and with the approval of the Board of Directors. The Board of Directors may also
impose changes to the Committee bylaws it deems to be in the best interest of the public.
Sec. 4-38. Specific duties
The primary duty of the committee, as stated in the Measure B ballot, is to ensure that
Measure B funds are being expended consistent with the approved Measure B Program.
The specific duties and tasks of the 2016 Measure B Citizens’ Oversight Committee
shall be established in its bylaws based on those defined in the Measure B ballot. The VTA
Board of Directors may approve additional tasks for the committee that align, but do not
conflict with, its Measure B duties.
Sec. 4-39. Staff support; expense; reimbursement for travel to/from Committee meetings.
Agendas, public noticing, minutes and other staff services shall be furnished to the
Committees as directed by the General Manager and in compliance with the Ralph M. Brown
Act (commencing with Section 54950 of the Government Code).
VTA shall provide reasonable resources necessary for the Committee to fulfill its duties
as specified in the Measure B ballot.
VTA shall reimburse to each Committee member, upon request thereof, the actual cost
of travel to and from a scheduled 2016 Measure B Citizens’ Oversight Committee or
subcommittee meeting. Cost of travel consists of actual fare paid if by public transportation or
paratransit, and current IRS mileage rate if by automobile.
No individual member of the Committee shall be entitled to reimbursement for travel or
other expenses except as authorized by the Board Chairperson or the General Manager.
Sec. 4-40. Meetings; Quorum; Voting.
The committee shall meet a minimum of four times per year. The presence of five (5)
members shall constitute a quorum for the transaction of business. All acts of the Committee
shall require the presence of a quorum and the affirmative vote of a majority of the total
membership (five (5) members).
BYLAWS FOR THE 2016 MEASURE B CITIZENS’ OVERSIGHT COMMITTEE
Article I
GENERAL PROVISIONS
§1.1 Purpose
These Bylaws govern the proceedings of the 2016 Measure B Citizens’ Oversight
Committee, an independent oversight committee established by provision of the 2016 Measure B
ballot approved by Santa Clara County voters on November 8, 2016.
The 2016 Measure B ballot specified that “an independent citizens’ oversight committee shall
be appointed to ensure that the funds are being expended consistent with the approved Program.”
The ballot also listed the Committee’s specific duties and responsibilities, which are incorporated
into these bylaws (§2.1).
§1.2 Construction of Bylaws
Unless the provisions or the context of these Bylaws otherwise require, the general
provisions, rules of construction and definitions set forth in Chapter 1 of the VTA Administrative
Code shall govern the construction of these Bylaws. As used in these Bylaws, “Committee” means
the 2016 Measure B Citizens’ Oversight Committee. These Bylaws shall govern the Committee’s
proceedings to the extent they are not inconsistent with VTA’s Administrative Code or law.
§1.3 Definitions
a. As used in these Bylaws, “Board of Directors” means the Board of Directors of the Santa
Clara Valley Transportation Authority (VTA).
b. As used in these Bylaws, “chairperson” means the chairperson of the Committee.
c. As used in these Bylaws, “secretary” means the secretary of the Committee.
d. As used in these Bylaws, “Member Agency” means the County of Santa Clara or a city within
Santa Clara County.
e. As used in these Bylaws, “2016 Measure B” or “Measure B” means the 2016 Measure B
Transportation Sales Tax approved by Santa Clara County voters on November 8, 2016.
Page 2 of 10
Article II
DUTIES AND AUTHORITY
§2.1 Mission and Duties
The Committee is an independent body, established by the VTA Board of Directors in
accordance with the provisions and intent of the 2016 Measure B ballot. Its purpose shall be to
ensure that 2016 Measure B funds are being expended consistent with the approved programs.
The Committee does not advise, report to, or take direction from the VTA Board of
Directors. Instead, it reports to the residents of Santa Clara County and derives its authority from the
ballot measure.
Policy-related decisions for the 2016 Measure B Program, including the composition,
implementation, completion schedule, and funding level of specific projects in the Program
Categories specified in the ballot are the responsibility of the VTA Board of Directors.
The mission and duties of the Committee shall be:
MISSION:
To ensure that 2016 Measure B funds are being expended consistent with the approved
Measure B Program.
DUTIES:
The Committee shall serve as the independent Citizens’ Oversight Committee for the 2016
Measure B Transportation Sales Tax during the term of the sales tax (April 2017 – March
2047) and for a reasonable period thereafter necessary for the Committee to complete its
work.
The Committee shall provide independent verification that the tax revenue collected under
the 2016 Measure B Transportation Sales Tax is being expended appropriately to deliver the
projects and programs described in the ballot measure. The specific duties of the Committee,
as specified in the 2016 Measure B ballot, shall be:
Select a qualified, independent professional audit firm to conduct an audit of the
revenues and expenditures.
Direct the independent auditor to conduct an annual audit that will review the receipt of
revenue and expenditure of funds.
Hold at least one public hearing prior to issuing the Committee’s annual report, which
hearing(s) shall be subject to the Brown Act and may be part of the Committee’s regular
or special meetings.
Issue a report annually to inform the residents of Santa Clara County how the
funds are being spent. The report shall indicate, based upon the independent audit,
whether the public’s money is being expended for the purposes as described in the
ballot measure or adjusted as circumstances warrant through the required approval
process. The report shall indicate the results of the independent audit, public hearing
and any additional findings the Committee may have.
Request from time to time a status report and/or presentation from project sponsors
charged with delivering the various projects under this measure on their progress and
expenditures.
In addition, the Committee shall be responsible for:
Independently reviewing and assessing appeals from project applicants/sponsors
regarding disagreements or differences in interpretation of project awards, program or
project requirements, or other Measure B matters. This shall include communicating in
writing to the project applicant/sponsor and affected VTA staff the Committee’s finding
on the matter, after conducting a public hearing.
In the event they disagree with the findings of the Committee, project
applicants/sponsors will have the ability to appeal the results of the Committee’s
independent assessment to the VTA Board of Directors. Included in the information
provided to the Board of Directors on the appeal will be the Committee’s written
assessment and finding(s) on the matter, and any other records relating to the
Committee’s public hearing.
§2.2 Limitations on Authority
The Committee shall have no independent duties other than those specified in these bylaws.
The Committee shall have no authority to take actions that bind VTA or the Board of Directors. No
expenditures or requisitions for services and supplies shall be authorized by the Committee except
for reasonable expenditures and requisitions in fulfillment of 2016 Measure B ballot duties. No
individual member of the Committee shall be entitled to reimbursement for travel or other expenses
except as authorized by the Board of Directors or General Manager.
Article III
MEMBERSHIP
§3.1 Membership
The Committee shall be composed of eight (8) voting members. All members shall be
registered voters of Santa Clara County during their term. The Committee shall not have alternate
members due to its need for expertise, specific experience and continuity of knowledge.
To assure independence, no member of the Board of Directors or alternate, VTA Policy
Advisory Committee member or alternate, or other elected public official shall be appointed to the
Committee. Appointees to other VTA boards and committees are not eligible to serve. Committee
members may not be employed by VTA or any of its Member Agencies during their term. If any
applicant for the Committee holds such office or position, he or she may apply for this Committee
subject to his or her commitment to resign from that office or position prior to serving on the
Committee.
The membership shall be comprised of individuals with relevant expertise and experience
needed to assist the Committee in its task of evaluating 2016 Measure B revenues and project
expenditures to determine compliance with the commitments made to voters in the ballot. The
membership will consist of individuals that fulfill the following area-of-expertise criteria:
(1) A retired federal or state judge or administrative law judge or an individual with experience
as a mediator or arbitrator.
(2) A professional from the field of municipal/public finance with a minimum of four years
relevant experience.
(3) A professional with a minimum of four years of experience in management and
administration of financial policies, performance measurement and reviews.
(4) A professional with demonstrated experience of four years or more in the management of
large scale construction projects.
(5) A regional community organization representative with at least one year of decision making
experience.
(6) A regional business organization representative with at least one year of decision making
experience.
(7) A professional with four years of experience in organized labor.
(8) A professional with a minimum of four years of experience in educational administration at
the high school or college level.
Each member shall represent only one of the eight (8) specified areas of expertise. If
following a good-faith effort this is not achieved, then no more than two members from one of the
other areas of expertise may be selected. In addition, reasonable effort shall be made where possible
in appointments to balance the geographic regions of the County. The Board of Directors may, with
reasonable cause, redefine these areas of expertise.
Committee members will be subject to VTA’s Conflict of Interest policies as specified in the
VTA Administrative Code. Members are prohibited from acting in any commercial activity directly
or indirectly involving VTA, such as being a consultant to VTA or to any party with pending legal
action against VTA during their tenure. Members shall not have direct commercial interest or
employment with any public or private entity which receives sales tax funds authorized by this
Measure. Members will be required to complete and submit the California Fair Political Practices
Commission’s Form 700 – Statement of Economic Interests at the required intervals.
The application process shall be open to provide qualified citizens the opportunity to
participate. Applications for vacant positions shall be submitted online at a dedicated site
administered by VTA or by alternative submittal if the dedicated site is unavailable. Applications
received will be reviewed by an Evaluation Subcommittee of the Board of Directors appointed by the
Board Chairperson. The Subcommittee will submit eligible candidates to the Governance & Audit
Committee, who will recommend finalist candidates to the Chairperson. The Board Chairperson will
then determine candidates to submit for Board of Directors’ approval.
§3.2 Members’ Terms
Committee members shall be appointed for a four (4) year term, commencing on January 1.
Terms shall be staggered to ensure continuity of knowledge and relevant expertise; half (four (4)) of
the terms shall be offset by a two-year interval from the remaining ones in accordance with the
schedule for staggered terms established at initial appointment of Committee members. Members
are limited to two consecutive terms.
§3.3 Vacancies
Vacancies shall be filled from the same category of expertise that the original appointment
was from, where reasonably possible, in accordance with the criteria defined in §3.1.
Article IV
OFFICERS
§4.1 Chairperson and Vice Chairperson
The Committee shall elect from its membership a chairperson and a vice chairperson at its
last meeting of the calendar year, where feasible, to serve for a one-year term effective January 1 of
the next calendar year. Members are eligible to serve multiple terms.
In the event of a vacancy in the chairperson’s position, the vice chairperson shall succeed as
chairperson for the balance of the chairperson’s term and the Committee shall elect a successor to fill
the vacancy in the vice chairperson’s position as provided in the following. In the event of a vacancy
in the vice chairperson’s position, the Committee shall elect a successor from its membership to fill
the vice chairperson’s position for the remainder of the vice chairperson’s term.
The chairperson shall preside at all meetings of the Committee and represent the Committee
before the Board of Directors or its committees as needed. The chairperson, in consultation with the
Committee staff liaison, may identify items of interest for future committee agendas that are relevant
to the Committee’s mission and duties.
The vice chairperson shall perform the duties of the chairperson when the chairperson is
absent.
The Committee shall appoint a nomination subcommittee to identify Committee members
interested in serving as chairperson and/or vice chairperson. Members willing to serve in either of
these positions may submit their names to the nomination subcommittee for nomination. Members
may also submit names of other members for nomination. The nomination subcommittee shall
verify that members whose names have been submitted are willing to serve in those positions. The
nomination committee shall submit to the Committee the names of those members having indicated
a willingness to serve in either or both of the positions. In addition, the nomination subcommittee
may make a recommendation for election of any Committee member indicating his/her willingness
to serve. Notwithstanding these procedures, any member may nominate a member from the floor.
§4.2 Secretary
The Secretary of the Board of Directors shall furnish administrative support services to
prepare and distribute the Committee’s agendas, notices, minutes, correspondence and other
documents and shall assign an employee to attend each meeting of the Committee to serve in the
capacity as the Committee’s secretary. The secretary shall maintain a record of all proceedings of the
Committee as required by law and shall perform other duties as provided in these Bylaws.
Article V
MEETINGS
§5.1 Regular Meetings
Regular meeting dates and times shall be established by the Committee in consultation with
the General Manager and Secretary of the Board of Directors. Effort shall be made to establish
regularly recurring cyclical meeting dates that maximize Committee member attendance. The
Committee meeting shall be conducted at the VTA Administrative Offices, 3331 North First Street,
San Jose, California. The Committee shall meet a minimum of four (4) times per year.
Whenever a regular meeting falls on a holiday observed by VTA, the meeting shall be held
on another day or, in consultation with the General Manager and Secretary of the Board of Directors,
canceled at the direction of the Committee. A rescheduled regular meeting shall be designated a
regular meeting.
§5.2 Special Meetings
A special meeting may be called by the chairperson with the approval of the General
Manager. The meeting shall be called and noticed as provided in Section 5.3 below.
§5.3 Calling and Noticing of Meetings
All regular and special meetings shall be called, noticed and conducted in accordance with
the applicable provisions of the Ralph M. Brown Act (commencing with Section 54950 of the
Government Code). The General Manager and General Counsel shall be given notice of all
meetings.
§5.4 Quorum; Vote; Committee of the Whole
The presence of five (5) members shall constitute a quorum for the transaction of business.
All acts of the Committee shall require the presence of a quorum and the affirmative vote of a
majority of the total membership (five (5) members). At any regularly called meeting not held
because of a lack of a quorum, the members present may constitute themselves a “committee of the
whole” for the purpose of discussing matters on the agenda of interest to the committee members
present. The committee of the whole shall automatically cease to exist if a quorum is present at the
meeting.
§5.5 [Reserved]
§5.6 Thirty Minute Rule
If a quorum has not been established within thirty minutes of the noticed starting time for the
meeting, the secretary and clerical support staff may be excused from further attendance at the
meeting.
§5.7 Absences
A member is allowed to be absent from 50% of regular Committee meetings in any twelve-
month period. The position may be vacated upon an absence in excess of that limit.
§5.8 Matters Not Listed On the Agenda Requiring Committee Action
Except as provided below, a matter requiring Committee action shall be listed on the posted
agenda before the Committee may act upon it. The Committee may take action on items not
appearing on the posted agenda only upon a determination by a two-thirds vote of the Committee, or
if less than two-thirds of the members are present, a unanimous vote of those members present, that
there is a need to take immediate action AND the need to take action came to the attention of the
Committee subsequent to the agenda being posted.
§5.9 Time Limits for Speakers
Each member of the public appearing at a Committee meeting shall be limited to two minutes
in his or her presentation. However, the time limit may be adjusted, at the discretion of the
Chairperson, to such time as the Chairperson may determine to be reasonable under the specific
circumstances. Any person addressing the Committee may submit written statements, petitions or
other documents to complement his or her presentation.
§5.10 Impertinence; Disturbance of Meeting
Any person making personal, impertinent or indecorous remarks while addressing the
Committee may be barred by the chairperson from further appearance before the Committee at that
meeting, unless permission to continue is granted by an affirmative vote of the Committee. The
chairperson may order any person removed from the Committee meeting who causes a disturbance
or interferes with the conduct of the meeting, and the chairperson may direct the meeting room
cleared when deemed necessary to maintain order.
§5.11 Access to Public Records Distributed at Meeting
Writings distributed during a Committee meeting shall be made available for public
inspection at the meeting if prepared by VTA or a member of the Committee, or after the meeting if
prepared by some other person. All such writings become public records and are treated as such.
Article VI
AGENDAS AND MEETING NOTICES
§6.1 Agenda Format and Content
The agenda shall specify the starting time and location of the meeting and shall contain a
brief general description of each item of business to be transacted or discussed at the meeting. The
description shall be reasonably calculated to adequately inform the public of the subject matter of
each agenda item.
Items may be referred for inclusion on an agenda by: (1) the General Manager; (2) the
Committee Chairperson, in consultation with the Committee Staff Liaison; and (3) the Committee,
with a quorum present and upon the affirmative vote of a majority of the members present. Other
entities or individuals may request that the Committee include specific items on its agenda, but the
decision to do so rests with the Committee and its chairperson. The order of business shall be
established by the secretary with the approval of the chairperson.
§6.2 Public Presentations
Each agenda for a regular meeting shall provide an opportunity for members of the public to
address the Committee on matters of interest to the public either before or during the Committee’s
consideration of the item, if it is listed on the agenda, or, if it is not listed on the agenda but is within
the jurisdiction of the Committee, under the agenda item heading “Public Presentations.” The
Committee shall not act upon an item that is not listed on the agenda except as provided under
Section 5.8. Each notice for a special meeting shall provide an opportunity for members of the
public to directly address the Committee concerning any item that has been described in the notice
for the meeting before or during consideration of that item.
§6.3 Agenda Preparation
The secretary shall prepare the agenda for each meeting in consultation with VTA staff and
the Committee Chairperson. Material intended for placement on the agenda shall be delivered to the
secretary on or before 12:00 Noon on the date established as the agenda deadline for the forthcoming
meeting. The secretary may withhold placement on the agenda of any matter which is not timely
received, lacks sufficient information or is in need of staff or other review and report prior to
consideration by the Committee.
§6.4 Agenda Posting and Delivery
The written agenda for each regular meeting and each meeting continued for more than five
calendar days shall be posted by the secretary at least 72 hours before the meeting is scheduled to
begin. The written agenda for every special meeting shall be posted by the secretary at least 24 hours
before the special meeting is scheduled to begin. The agenda shall be posted in a location that is
freely accessible to members of the public. The agenda together with supporting documents shall be
delivered to each Committee member, the General Manager and General Counsel at least three days
before each regular meeting and at least 24 hours before each special meeting.
§6.5 Meeting Notices
The secretary shall provide notice of every regular meeting, and every special meeting which
is called at least three days prior to the date set for the meeting, to each person who has filed with
VTA a written request for notice as provided in Section 54954.1 of the Government Code. The
notice shall be sent at least three days prior to the date set for the meeting. Notice of special
meetings called less than seven days prior to the date set for the meeting shall be given as the
secretary deems practical.
Article VII
MISCELLANEOUS
§7.1 Adoption and Amendment of Bylaws
Establishment of these Bylaws shall be approved by the Board of Directors. Any
subsequent amendment thereof shall require the affirmative vote of a majority of total Committee
membership and the approval of the Board of Directors. For efficiency, the VTA General Manager,
in consultation with the General Counsel, is authorized to make minor, non-substantive corrections
and adjustments to these bylaws to correct errors and to reflect ongoing practice adopted by the
Committee.
The Board may also impose changes to the bylaws that it deems to be in the best interests of
the community.
§7.2 Rosenberg’s Rules
All rules of order not herein provided for shall be determined in accordance with Rosenberg’s
Rules of Order, latest edition.
Adopted by the Board of Directors: (approval date)
Date: April 27, 2017
Current Meeting: May 4, 2017
Board Meeting: N/A
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority
Governance and Audit Committee
THROUGH: General Manager, Nuria I. Fernandez
FROM: Board Secretary, Elaine Baltao
SUBJECT: Ratification of Appointments to the Bicycle & Pedestrian Advisory Committee
Policy-Related Action: No
Government Code Section 84308 Applies: No
ACTION ITEM
RECOMMENDATION:
Ratify appointments to the Bicycle & Pedestrian Advisory Committee for the two-year term
ending June 30, 2018.
BACKGROUND:
The Bicycle & Pedestrian Advisory Committee (BPAC) advises the VTA Board of Directors on
planning and funding for bicycle and pedestrian projects and issues. The BPAC consists of 16
voting members, one appointed by each of VTA’s Member Agencies (the 15 cities in the county
and the County of Santa Clara), and one non-voting member and alternate appointed by the
Silicon Valley Bicycle Coalition (SVBC). The BPAC also serves as the countywide bicycle and
pedestrian advisory committee for the County of Santa Clara.
The BPAC bylaws specify that the appointment term is two years and that members may be
appointed to successive terms. Committee members must live, work or both in Santa Clara
County during their term. Voting members of the Committee must also be a representative of
the Member Agency’s local bicycle advisory committee or, for Member Agencies without a local
bicycle advisory committee, their representative must be an individual who lives or works in the
local jurisdiction and is interested in bicycle or pedestrian issues. BPAC members are precluded
from representing a Member Agency that is their employer.
The process to fill BPAC vacancies is that staff notifies the appointing authority of the vacancy
or approaching term expiration and provides the current membership requirements. The
appointing authority then appoints one member for the designated membership position. For
vacancies occurring mid-term, the bylaws specify that they be filled for the remainder of the term
by the appointing authority. In both cases, the Governance & Audit Committee must ratify the
appointment.
DISCUSSION:
The Town of Los Altos Hills has appointed Susan Cretekos as its new representative on the
BPAC, replacing Breene Kerr who relocated out of the area.
Ms. Cretekos is a Los Altos resident, having lived there for over 55 years. She owns a
preschool in Los Altos, and has worked as a preschool Director and teacher for over 40 years in
Los Altos. Prior to that, she was a supervisor at an electronics manufacturing company. She
earned her undergraduate degree in Education.
Ms. Cretekos is a regular bicyclist and avid walker/hiker and equestrian. She is an avid patron of
the paths in Los Altos Hills, regularly riding and biking there as well as Shoreline Park and Mid-
Peninsula Open Space District properties.
Her civic and charitable activities include serving on the Los Altos Hills Pathway Committee.
She has also previously served as a PTA president, Cub Scout leader, Sunday school teacher, a
member of the 4H, and a member of the Los Altos Hills Horseman's Association.
The City of Gilroy has appointed Carolyn Schimandle as its new representative on the BPAC,
replacing David Almeida who resigned due to schedule conflicts.
Ms. Schimandle, a Gilroy resident, is a Northern California native, having lived in the South
County area her entire life except for a brief period spent in Sacramento for work. She works for
Santa Clara County Parks as a Parks Program Coordinator for Interpretation and Outdoor
Recreation where she plans interpretation and education programs and materials, and works on
museum collections and archives policy and procedures. Most of her work currently focuses on
Martial Cottle Park in south San Jose. Prior to that, she worked for the California State Parks for
many years, and in high tech, including at Apple. Her education includes earning a Bachelor’s
degree in Music (Clarinet Performance) from the San Francisco Conservatory of Music, a
Bachelor of Science in General Engineering - Computer Science from San Jose State University,
and a Master’s degree in Public History from the California State University - Sacramento.
Ms. Schimandle is an avid bicyclist and uses her bicycle to commute. She regularly commutes,
weather and schedule permitting, all or part way from Gilroy to San Jose. Most of her errands
are also made via bike. When she lived in Sacramento, she commuted by bike nearly every day.
She was a member of the Almaden Cycle Touring Club before moving to Sacramento, where she
became an active member of the Sacramento Bike Hikers.
Her civic and charitable activities include serving as the historian for the California State Parks
Ranger Association. She also served as a La Leche League leader for several years in San Jose
and South County and on the board of the Sacramento County Historical Society.
The City of Cupertino has appointed Erik Lindskog as its new representative on the BPAC,
replacing Gary Jones who resigned due to personal reasons.
Mr. Lindskog has lived in Cupertino since 2006 and in the Bay Area since 1999. He currently
works for Qualcomm in wireless design, which has been his profession at several companies in
the past. He earned Master of Science degrees in Engineering Physics from Uppsala University,
Sweden, and in Applied Physics and Electrical Engineering from Case Western Reserve University.
He also earned his Ph.D. in Signal Processing from Uppsala University, Sweden. He has also
visited and conducted research at Northeastern University in Boston and at Stanford University.
Mr. Lindskog is currently a Bicycle and Pedestrian Commissioner for Cupertino and has a long-
standing interest in, and practical experience of, getting around on bicycle and on foot in cities in
North America, Scandinavia, the UK, continental Europe and India.
Based on their qualifications, expertise and community service, staff recommends that the Board
ratify these appointments.
ALTERNATIVES:
The Board could choose to not ratify any or all of these appointments and could request that the
appointing authority appoint another representative.
FISCAL IMPACT:
There is no fiscal impact as a result of this action.
Prepared by: Stephen Flynn, Advisory Committee Coordinator
Memo No. 6074
Date: April 26, 2017
Current Meeting: May 4, 2017
Board Meeting: June 1, 2017
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority
Governance and Audit Committee
FROM: Auditor General, Bill Eggert
SUBJECT: IT Development and Project Management Assessment
Policy-Related Action: No
Government Code Section 84308 Applies: No
ACTION ITEM
RECOMMENDATION:
Review and receive the Auditor General's report on the IT Development and Project
Management Assessment.
BACKGROUND:
IT Development and Project Management Assessment is one of the projects contained in the
Board-approved FY 2017 Internal Audit Work Plan. The Auditor General’s Office completed
this project between August and December 2016 and the attached report is the result of that
review.
VTA has complex operations to support the Santa Clara Valley’s transportation needs, which
require diverse and innovative information technology (IT). VTA’s IT department resides in the
Business Services division and is managed by VTA’s Chief Information Officer (CIO)/Chief
Technology Officer (CTO). Although VTA has an IT department, it is not currently responsible
for management and/or oversight of all technology operations at VTA. Instead, VTA currently
utilizes a decentralized model that has certain technology operations being managed by other
departments with limited or no IT oversight.
DISCUSSION:
The objective of this review was to: (1) obtain an understanding of VTA’s Information
Technology, Operational Technology Project Management Methodology, and System
Development Lifecycle (SDLC) processes and internal controls; (2) assess the design and
operating effectiveness of supporting internal controls and compliance with internal control
frameworks; and (3) identify opportunities for process and control improvements.
Based on the work performed, an overall report rating of High was assigned to help management
understand our assessment of the overall design and effectiveness of the controls evaluated
during the review. This was based on five observation categories, two of which were rated High,
one as Medium, and two as Low. Our recommendations addressed the following areas:
IT governance and risk management
Management roles and responsibilities for technology
Decentralized operations and non-standard policies and procedures
Change management processes and controls
Project management methodology and production environment monitoring
Strategic IT performance management
In addition, we included one recommendation for VTA to undergo an independent entity-wide
comprehensive IT risk assessment. This recommendation was not rated but is included as a
proposed project in the Auditor General’s Recommended FY18 & FY19 Internal Audit Work
Plan that the Governance & Audit Committee and Board will consider at their May and June
2017 meetings, respectively.
Management concurs with the recommendations identified and has committed to implement the
recommended mitigation actions by the end of December 2017.
Recommendations for improvement or efficiency opportunities contained in this report are
presented for the consideration of VTA management, which is responsible for the effective
implementation of any action plans.
FISCAL IMPACT:
There is no financial impact associated with acceptance of this report.
Prepared by: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator
Memo No. 5713
ATTACHMENTS:
A--IT Development and Project Management Assessment (PDF)
IT Development and Project Management Assessment Auditor General Report No. 2017-01
April 20, 2017
10.a
IT Development and Project Management Assessment Auditor General Report Issued: April 20, 2017
2 © 2016 RSM US LLP. All Rights Reserved.
EXECUTIVE SUMMARY
Overall Rating (See Appendices A and B for definitions)
Area                                    Report Rating   Number of Observations by Risk Rating
                                                        High    Medium    Low
IT Development and Project Management   High            2       1         2
Background
VTA has complex operations to support the Santa Clara Valley’s transportation needs, which require diverse and innovative information technology (IT). VTA’s IT department resides in the Business Services Division and is managed by VTA’s Chief Information Officer (CIO). Although VTA has an IT department, there are several decentralized technology operations managed by other departments with limited or no IT oversight.
Due to the complexity of VTA’s organizational structure and rapidly evolving technology needs, the VTA Board approved an IT Development and Project Management Assessment within the FY 2017 Internal Audit Work Plan. The Auditor General’s Office completed this project between August and December 2016.
This review was performed in accordance with the Standards for Consulting Services issued by the American Institute of Certified Public Accountants. This report is intended for use by VTA’s Board of Directors, Governance & Audit Committee, and management. Recommendations for improvement are presented for management’s consideration, and management is responsible for the effective implementation of corrective action plans.
Objective and Scope
The objective of this review was to:
(1) Obtain an understanding of VTA’s Information Technology Project Management Methodology and System Development Lifecycle (SDLC) processes and internal controls
(2) Assess the effectiveness of design and operation of supporting internal controls and compliance with these frameworks, as applicable
(3) Identify opportunities for process and control improvements
The work steps completed, as well as the scope and risks covered in the assessment, are detailed in Appendix B.
We would like to thank those who assisted us throughout this review. Questions should be addressed to Bill Eggert, Auditor General, in the VTA Auditor General’s Office at [email protected].
Overall Summary and Review Highlights
VTA has employed a decentralized IT operations and project management model to meet its rapidly accelerating and complex technology needs. Based on our review, we did not find sufficient evidence to support that technology risks and basic project management requirements were defined or properly considered agency-wide by VTA management.
VTA has limited agency-wide governance and oversight of technology operations. As a result, management has not adequately implemented comprehensive processes and controls for high-risk technology processes, such as change management. In addition, the availability and reliability of information was limited due to many ad-hoc, non-standard, and undocumented processes. Overall, ineffective technology governance and oversight of the technology change management process resulted in a substantial number of control design exceptions identified during our review.
An overall report rating of High was assigned to help management understand our assessment of the overall design and effectiveness of the controls assessed during our review. Recommendations are described in detail beginning on page 4 and include the following key recommendations:
(1) Centralize organizational responsibility for technology governance, risk management, and operational oversight
(2) Define technology roles and responsibilities agency-wide
(3) Standardize policies and procedures for change management and other critical technology processes agency-wide
Due to the specific scope of this review and observations identified related to agency-wide technology governance and risk management, we are also recommending an independent, comprehensive, entity-wide IT Risk Assessment described on page 14.
OBSERVATIONS SUMMARY
Following is a summary of observations noted in the areas reviewed.
Definitions of the observation rating scale are included in Appendix A.
Ratings by Observation
Observation Title Rating
1. AGENCY-WIDE OVERSIGHT OF DECENTRALIZED TECHNOLOGY OPERATIONS High
2. CHANGE MANAGEMENT PROCESS AND CONTROLS High
3. PROJECT MANAGEMENT METHODOLOGY AND MONITORING Medium
4. IT GOVERNANCE AND STRATEGIC ALIGNMENT Low
5. STRATEGIC IT PERFORMANCE MANAGEMENT Low
Other Auditor General Recommendations
Recommendation Title Rating
6. COMPREHENSIVE IT RISK ASSESSMENT Not Rated
DETAILED OBSERVATIONS
1. Agency-wide Oversight of Decentralized Technology Operations
Observation: VTA has decentralized technology operations but has not established IT oversight responsibilities agency-wide nor implemented a comprehensive technology internal control framework and policies to manage change and technology risks.
Recommendation: VTA should centralize organizational responsibility for technology governance, risk management, and operational oversight, and implement an agency-wide technology control framework and standards for critical technology processes.
Management’s Action Plan
Observation Rating: High
1.1 Although VTA has a Chief Information Officer and Information Technology (IT) department, critical technology, such as transit operations and scheduling applications including Supervisory Control and Data Acquisition (SCADA) and Trapeze OPS, is managed primarily outside of the IT department. There is minimal oversight from IT for these applications because VTA has not clearly established governance requirements and oversight responsibilities for technology operations outside of IT. For the specific technology processes in scope of this review, VTA did not have clearly defined roles and responsibilities, nor consistently defined and enforced IT controls agency-wide. For example, VTA did not establish and communicate policy requirements for the systems development life cycle (SDLC), which should define the agency-wide requirements for the planning, analysis, design, implementation and maintenance of information systems at VTA. In addition, there was no evidence during our review that VTA had established and consistently implemented a technology governance and control framework agency-wide, both internally and for vendor-assisted services. The combination of VTA’s complex transit and decentralized technology operations with limited required IT governance and control increasingly makes VTA susceptible to strategic, reputational, operational, and financial risks.
1.1.a We recommend that VTA centralize organizational responsibility for technology governance, risk management, and operational oversight. For the IT scope items covered in this review, including project management and change management, we recommend that the centralized IT business process owner develop agency-wide standards and policies in conjunction with stakeholders, communicate policies to all pertinent parties, both internally and externally when necessary, and oversee compliance agency-wide.
1.1.a VTA management agrees with the recommendation. We will modify and enhance our existing processes, policies and procedures to include all information technology, IT business processes, governance, technology risk management, project management and change management oversight agency-wide, promulgating them accordingly. To achieve this, management will leverage our existing Information Technology and Innovation governance program to include all VTA information technology projects and programs, not just those within the IT department. VTA has a proven existing technology governance process using the Technology Steering Committee (TSC). The TSC charter has already been modified to include all agency-wide technology projects, systems and efforts, and the modified charter has been approved by the TSC.
Responsible Party: Director of Business Services and Chief Information Officer
Target Date: 10/31/2017
1.1.b As part of the centralization of IT responsibility and establishment of agency-wide standards, we recommend that VTA evaluate existing IT governance and control practices and implement an industry-accepted control framework. Fully implementing a formal control framework will help management maximize the value of IT and effectively manage IT risk.
1.1.b VTA management agrees. We will evaluate our existing IT governance and control practices and modify and enhance them as needed to incorporate agency-wide application while also enhancing effectiveness. The new agency-wide policy and procedures will include the industry-accepted control framework, and will have the Technology Steering Committee as the governance control point.
Responsible Party: Director of Business Services and Chief Information Officer
Target Date: 10/31/2017
1.2 IT management did not readily provide a centralized, agency-wide application inventory with clear definitions for any subsets of applications distinguished by management during our interviews (e.g. key and non-key, critical, etc.). Although certain lists were made available during and after completion of fieldwork, the various application lists obtained did not include known applications, such as SCADA and SAP (VTA’s enterprise-wide financial and operations application), nor had the defining attributes for each item been completed to indicate the list provided was current, complete, and accurate. The disparate nature and general lack of availability of the information requested illustrated inadequate processes and oversight of critical technology information that is necessary for effective business decision making.
1.2 In order to ensure IT applications are appropriately managed, we recommend that VTA leverage existing documentation and develop a process to document and maintain a centralized, agency-wide IT application inventory. We also recommend that management clearly define any relevant attributes for each application, such as assessment of criticality, operational status, owning department, technical owner, etc. Maintaining an accurate IT application inventory is a critical component to ensuring applications are governed by agency-wide IT standards and will facilitate better understanding of IT costs and associated technology risks for various applications.
1.2 VTA management concurs with the recommendation. Prior to the Auditor General’s review, the IT Department had begun the process of deploying a new change management procedure and supporting change management tool. Accordingly, the scope of the deployment is being updated to be an agency-wide change management procedure and supporting change management tool. The technology change management tool contains an inventory of all applications and documents all relevant application attributes.
Responsible Party: Technology – Chief Information Officer
Target Date: 10/31/2017
2. Change Management Process and Controls
Observation Rating: High
Observation: VTA does not have formal, standard IT change management processes and procedures in place to ensure all changes to IT infrastructure are adequately controlled to minimize risk.
Recommendation: Automate and centralize existing change management processes and enforce the Change Management policy by consistently documenting, evaluating, prioritizing, authorizing, testing, and monitoring changes to minimize adverse impacts to VTA and increase efficiency.
Management’s Action Plan
2.1 The Change Management Policy and Process provided by management did not have evidence of approval. The scope of Change Management policy applies to “hardware, network, software, application, environment, system, desktop build or associated documentation,” but we were only able to evaluate changes that could be identified from existing repositories. We were able to identify technology projects on the IT project management SharePoint site, SAP changes logged in the Magic ticketing system, as well as approved capital projects. We evaluated changes for compliance with the Change Management Policy and Process provided and found that it was not consistently adhered to by VTA. The policy provides robust guidelines for changes to ensure all changes are initiated, controlled, evaluated, built, tested, implemented, and reviewed appropriately; however, these change management policy requirements were only partially met by VTA for the samples inspected during our review. We identified the following examples of failures to comply with policy during our review:
• Technology Service Request (TSR) forms were not used for all non-standard technology change requests
• TSR forms submitted for SAP changes did not have the Technical Assessment completed by IT to determine the type of change, development effort, cost estimate, defined responsibilities, and corresponding requirements
• SAP changes were not assigned the correct change types (standard, minor, major, and significant) per policy
• Changes were not consistently evaluated to understand potential implications of the proposed change, including possible impacts to business or other technology, resources and previously approved schedules
• Test plans for changes were not clearly defined, documented, performed, nor tracked centrally to document evidence of testing results
• Changes did not document required back-out or rollback plans
2.1.a We recommend that VTA update, review, and formally approve the Change Management policy and process documents, ensuring that best practices are retained and any changes as a result of this review be incorporated.
2.1.a VTA management agrees. We will review, modify and enhance as necessary our existing Change Management policy and process documents to reflect agency-wide application and also incorporate best practices and recommended improvements from this review.
Responsible Party: Technology – Chief Information Officer
Target Date: 10/31/2017
2.1.b We recommend that VTA develop and deliver change management training to the relevant teams and personnel involved. For example, management and end-users must be trained on the proper method to submit and approve requests, whereas all relevant employees must be trained on the types of changes, requirements to develop changes, testing requirements before implementation, and other related change management procedures.
2.1.b VTA management agrees. We will leverage our existing Change Management training developed for just IT Department staff and revise it accordingly to make it most effective for all affected staff.
Responsible Party: Technology – Technology Manager
Target Date: 10/31/2017 (programs and materials revised and training of staff initiated)
2.2 Although VTA’s Change Management Policy and Process defines a Change Management Database (CMDB) where all changes are tracked and documented from initiation through implementation and review, VTA does not currently track and document all technology changes centrally. As a result, there are instances where technology changes may be implemented entirely outside of a formal process with limited or no documentation. During our review, SAP was the only application where we observed changes documented in the Magic ticketing system. SAP Request For Changes (RFC) were initiated with a paper request called a TSR form and were subsequently recorded in the ticketing system. 63 SAP changes were documented as complete in Magic during FY 2016. The changes we observed in Magic had inconsistent use of data fields and change attributes, and certain fields did not appear to be utilized by IT personnel. In addition, the 63 changes in FY 2016 were completed an average of 87 days after the assigned due date in the system, and only one of the changes was completed before the due date.
2.2.a We recommend that VTA leverage available software and develop a process where all technology requests for changes agency-wide are required to be tracked in a central ticketing system. Where feasible, we recommend that management automate processes and approval workflows to maximize efficiency and standardize the change management process.
2.2.b In addition, we recommend that management clearly define all relevant change attributes and requirements within the system that align with the Change Management policy and process requirements. As a result, data will become more relevant and reliable to the organization and process performance can be monitored and managed to meet the needs of operations.
2.2.a VTA management agrees. Prior to completion of the Auditor General’s review, IT had begun the process to deploy a new change management procedure and supporting change management tool. The change management tool will contain central ticketing, automated workflow and technology application inventory including all relevant attributes. VTA will expand the scope of the deployment to be agency-wide and cover all applications.
Responsible Party: Technology – Technology Manager
Target Date: 10/31/2017
2.2.b VTA management agrees. The change management tool will incorporate all relevant change attributes as defined in the agency-wide Change Management policy and process being developed. The agency-wide change management procedure and supporting change management tool will significantly improve VTA’s monitoring capabilities.
Responsible Parties: Technology – Technology Manager
Target Date: 10/31/2017
2.3 Based on our review, we identified users with write/edit access to both the development and production environments of SAP. Although management has implemented the use of SAP’s Governance, Risk, and Compliance (GRC) tool to evaluate SAP user conflicts, the GRC does not assess user conflicts in other key applications due to system limitations. In addition, the GRC tool was unable to detect the segregation of duties (SOD) conflict that exists when a user has access to both the development and production environments. There is not a process in place to monitor and manage segregation of duties between development and production environments for all internally hosted applications at VTA. Separate from preventing conflicts with user access controls, VTA also has not implemented a potential control to mitigate some of the risk associated with these segregation of duties conflicts. An IT tool such as LogRhythm, which IT has currently configured to monitor one IT application, could potentially be configured to monitor and detect unauthorized changes to production environments and mitigate the risk of unauthorized changes to technology.
2.3 We recommend that VTA develop a consistent and well-defined process to manage logical user access and provisioning for development and production environments for all internally hosted applications at VTA to reduce segregation of duties conflicts and minimize the risk of unauthorized changes. When management determines that conflicts cannot be eliminated due to business needs, we recommend that VTA implement appropriate mitigating controls so that potential control failures can be detected and resolved. VTA may consider configuring LogRhythm or other industry-accepted application for mitigation efforts.
2.3 VTA management agrees. Prior to the Auditor General’s review, VTA had developed an implementation plan and approved funding to implement advanced cyber security hardware and software solutions that include mitigating user access and segregation of duties risks. In addition, the Change Management ticketing solution will improve VTA’s ability to track and monitor user access, which will be configured to track all agency-wide application access levels, both major and minor, as well as permissions when applicable.
Responsible Party: Technology – Chief Information Officer & Technology Manager
Target Date: 12/31/2017
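The control described in 2.3 can be checked mechanically once an access inventory exists. The following Python script is an added example and is not part of the Auditor General's report, nor VTA's or LogRhythm's tooling; every user, application, ticket and log line in it is constructed for illustration. It first flags users holding write-level access to both the development and production environment of the same application (the segregation of duties conflict the observation says the GRC tool could not detect), and then applies the detective control the recommendation describes: every production change must carry an approved change ticket, and changes made by a user with a known conflict are routed for review even when a ticket exists.

```python
"""Illustrative segregation-of-duties (SoD) check plus a detective control over
production changes. Added example; not the report's, VTA's or LogRhythm's code.
All users, applications, tickets and log lines below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Permission levels treated as "write" for SoD purposes (assumption).
WRITE_PERMS = {"write", "edit", "admin"}


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    env: str          # "dev" or "prod"
    permission: str


# Constructed access inventory: hypothetical users and applications.
GRANTS = [
    Grant("alice", "erp", "dev", "write"),
    Grant("alice", "erp", "prod", "read"),          # read-only in prod: no conflict
    Grant("bob", "erp", "dev", "write"),
    Grant("bob", "erp", "prod", "edit"),            # conflict: writes to dev and prod
    Grant("carol", "ticketing", "dev", "admin"),
    Grant("carol", "ticketing", "prod", "admin"),   # conflict
    Grant("dave", "ticketing", "prod", "write"),    # prod only: no conflict
]


def find_sod_conflicts(grants):
    """Return the set of (user, app) pairs where the user holds write-level
    access to both the development and the production environment."""
    envs = defaultdict(set)
    for g in grants:
        if g.permission.lower() in WRITE_PERMS:
            envs[(g.user, g.app)].add(g.env.lower())
    return {key for key, seen in envs.items() if {"dev", "prod"} <= seen}


# Constructed production change log, one record per line:
# "<timestamp> <user> <app> <env> <action> <ticket-or-dash>"
PROD_CHANGE_LOG = """\
2017-03-01T02:10:00 alice erp prod transport_import CHG-1001
2017-03-02T14:05:00 bob erp prod config_change -
2017-03-03T09:30:00 dave ticketing prod deploy CHG-1007
2017-03-04T23:45:00 carol ticketing prod schema_change CHG-1008
"""

# Constructed set of tickets approved through the change process.
APPROVED_TICKETS = {"CHG-1001", "CHG-1007", "CHG-1008"}


def review_prod_changes(log_text, approved, conflicts):
    """Detective control: a production change without an approved ticket is a
    finding; a ticketed change by a user with a known SoD conflict is flagged
    for review. Returns a list of (line_number, reason)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        _ts, user, app, env, _action, ticket = line.split()
        if env != "prod":
            continue
        if ticket == "-" or ticket not in approved:
            findings.append((n, f"{user} changed {app} without an approved ticket ({ticket})"))
        elif (user, app) in conflicts:
            findings.append((n, f"{user} holds dev+prod write access to {app}; ticket {ticket} needs review"))
    return findings


if __name__ == "__main__":
    conflicts = find_sod_conflicts(GRANTS)
    for user, app in sorted(conflicts):
        print(f"SoD conflict: {user} has write access to dev and prod of {app}")
    for n, reason in review_prod_changes(PROD_CHANGE_LOG, APPROVED_TICKETS, conflicts):
        print(f"line {n}: {reason}")
```

The inventory format is the point: the check is only as good as the completeness of the access list it reads, which is why the report ties this control to the centralized application inventory in 1.2. In practice the grants would be exported from each application and the approved-ticket set from the ticketing system rather than embedded as constants.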
3. Project Management Methodology and Monitoring
Observation Rating: Medium
Observation: VTA does not have a formal project management methodology that is consistently utilized and monitored for execution.
Recommendation: VTA formally define a project management methodology, specify when and for which technology projects its use is required, and set standards for monitoring and reporting on projects.
Management’s Action Plan
3.1 VTA has multiple types of Technology projects, including capital projects approved by the Capital Improvement Program Oversight Committee (CIPOC) and managed by various departments; IT technology projects managed by the IT Department funded through the operating budget, as well as other technology changes ranging in complexity and cost.
Although VTA’s IT Department has implemented a Project Management Office (PMO) and deployed a SharePoint site to be used for centralized project management, there is not a formal project management process or methodology that is consistently utilized on all Technology projects agency wide.
3.1.a As a part of overall IT governance and technology roles and responsibilities, we recommend that VTA formalize its technology project management methodology and define when and under what circumstances it must be employed.
3.1.b In addition, we recommend that management identify and train relevant employees and project managers to enhance overall project quality, efficiency, and consistency of monitoring of deliverables agency-wide.
3.1.a VTA management agrees. We will modify and enhance our existing information technology project management methodology as needed in order for it to be used as an agency-wide information technology process solution, including under what criteria it is required to be utilized. This process will include focusing on enhancing the level of formalization and documentation.
Responsible Party: Technology – Technology Manager
Target Date: 12/31/2017
3.1.b VTA management agrees. IT will identify and ensure that relevant staff are appropriately trained in order to enhance technology project quality, efficiency, and consistency of deliverables agency-wide. To achieve this, we will leverage the combination of: (1) the existing project management training developed for IT Department staff, revising it accordingly to be effective for all applicable staff throughout the organization, and (2) the existing project management training available in SuccessFactors.
Responsible Party: Technology – Technology Manager
Target Date: 12/31/2017 (programs and materials revised and training of staff initiated)
3.2 Technology Project Managers and PMO staff typically only monitor the project’s budget consumption, which does not assess a project’s progress against the project schedule, budget and delivery of scope. Without a formal project management methodology there are limited standards for project monitoring, which is often ad-hoc and inconsistent across projects.
3.2 We recommend that management enhance existing project monitoring controls and establish requirements for project managers to evaluate a project’s progress at a given point in time, with forecasting for completion, final cost, and variance analysis. For example, management may consider earned value analysis (EVA) as part of Technology Project Management methodology. Management may also consider including this analysis as part of standard project reporting, including updates made to the CIPOC, to improve project transparency and accountability.
3.2 VTA management agrees to modify and strengthen our existing processes and documents in this regard to apply to new technology projects, systems and programs in all VTA divisions and departments, subject to the Chief Information Officer’s review and evaluation of the specific operational needs of each project.
VTA will add appropriate monitoring mechanisms to its Technology Project management methodology. This will include, but not be limited to, adding to the “Project Status” section within the CIPOC report two additional reporting categories for IT projects that require this level of control, such determination made by the Chief Information Officer. The project monitoring categories that will be added include: (1) Budgeted Cost of Work Scheduled (BCWS); and (2) Budget Cost of Work Performed (BCWP). An evaluation will also be conducted to determine the value of adding the same or similar monitoring mechanisms to TSC reports.
Responsible Party: Technology – Technology Manager
Target Date: 12/31/2017
3.3 VTA’s capital projects request forms require planned funding and expenditures for each submission. In some instances when a project’s scope includes a technology component, the underlying expense assumptions are estimates that do not include a thorough technical functional evaluation that adequately considers project requirements to estimate cost. Without an adequate technical assessment, changes to the scope or necessary budget augmentations have resulted to deliver the original project scope of work.
3.3 We recommend that capital projects with a technology component, even if the project will not be managed by IT, include a thorough technology assessment with appropriate expertise to develop refined budget assumptions as part of the project application process.
3.3 VTA management agrees. VTA will modify the Capital Project Request Form process and associated forms to require that, for large-scale or multi-year capital project requests that have a software application, IT hardware, CCTV, radio or related technology component, the program manager must submit a specific supplemental form (“Schedule T”) for Chief Information Officer evaluation and approval before the project is submitted to the Budget Department for consideration. Lack of an approved Schedule T will disqualify the project from further consideration.
Responsible Party: Technology (Technology Manager) and Finance (Fiscal Resource Manager)
Target Date: 10/31/2017
4. IT Governance and Strategic Alignment
Observation Rating: Low
Observation: VTA has established governance functions through its Technology Strategy document and steering committees, but they do not consistently have management participation and alignment with VTA’s strategic objectives.
Recommendation: We recommend that VTA enhance the current technology governance process to require oversight by the General Manager, as well as enhancing requirements for the steering committees to encourage management accountability.
Management’s Action Plan
4.1 VTA has taken initial steps to implement IT governance, including the Technology Strategy document completed by the CIO. The Technology Strategy document includes charters for the Technology Working Group (TWG) and Technology Steering Committee (TSC), which are comprised of senior management and are responsible for IT strategic planning, policy, and staff oversight of projects. However, the TSC charter does not define requirements for meeting frequency nor documentation standards, and based on our testing, six of the twelve scheduled TSC meetings in FY16 were cancelled. Upon further review and inquiry with management, we verified that the Technology Strategy had not been formally reviewed and approved by executive management outside of IT, the General Manager, nor the VTA Board, to ensure agreement on alignment with business objectives and overarching technology governance strategies.
4.1.a We recommend that VTA enhance the overall value of the existing Technology Strategy document by formalizing the process whereby key components, including technology roles and responsibilities and performance standards, are regularly reviewed and updated to align with VTA’s strategic objectives. In addition, we recommend that VTA executive management and the General Manager review and approve the Technology Strategy to promote management understanding and support of VTA’s technology strategy.
4.1.a VTA management agrees and has completed implementation of the recommended actions, which were initiated prior to the Auditor General’s review. To that end, under the direction of the Business Services Director the Technology strategic plan, Technology Vision, was created on December 14, 2016. This plan was reviewed and approved by the General Manager in January 2017 and also presented that same month to VTA executive managers for their review and input.
Per the Technology Steering Committee charter, Technology Vision was presented to the TSC and approved on January 23, 2017. The Technology Steering Committee is the formal review and final approval for all technology programs including the Technology Strategy. The revised TSC charter also provides for ongoing periodic review of Technology Vision to ensure alignment with VTA’s Strategic Plan.
Responsible Party: Director of Business Services and Chief Information Officer
Target Date: 1/23/2017 – Action Completed
4.1.b We recommend that VTA update the TWG and TSC charters to include requirements for meeting frequency (e.g. monthly), meeting minutes, as well as attendance (i.e. quorum) to enhance management accountability and participation in IT governance.
4.1.b VTA management agrees. The Chief Information Officer submitted these recommendations to the Technology Steering Committee (TSC) at the January 23, 2017 meeting. The TSC took under consideration a number of potential amendments of the TSC charter. The Committee approved amending the charter to incorporate these suggestions, which was accomplished by adding a new meeting logistics section.
Responsible Party: Technology – Chief Information Officer
Target Date: 1/26/2017 – Action Complete
5. IT Performance Monitoring
Observation Rating: Low
Observation: Technology performance monitoring does not include metrics and KPIs that adequately monitor technology change management or project management processes.
Recommendation: VTA enhance existing metrics and KPIs for both technology change management and project management processes to adequately monitor process effectiveness and efficiency and drive continuous improvement.
Management’s Action Plan
5.1 Although VTA has taken preliminary steps to monitor IT performance, the metrics and KPI Dashboard provided by IT do not adequately monitor the technology change management or project management processes covered in the scope of this review. The majority of the dashboard metrics monitored were end-customer / user measurements, and did not include metrics for IT internal business process results that drive achievement of strategic objectives. Effective performance monitoring relies on alignment of metrics and KPIs with organizational goals and is dependent on the availability of relevant, accurate data. For the specific processes covered during the scope of this review, VTA’s decentralized and manual processes dramatically affect its ability to understand agency-wide technology operations and costs, and subsequently monitor performance.
5.1 We recommend that VTA evaluate the quality and availability of information and subsequently enhance existing metrics and KPIs for both technology change management and project management processes to adequately monitor process effectiveness and efficiency and drive continuous improvement.
5.1 VTA management agrees. Prior to the Auditor General’s review, the IT Department had begun the process of deploying a new change management procedure and supporting change management tool. The scope of this deployment is being expanded to encompass the agency-wide change management procedure and the supporting change management tool. Included in the change management tools is a set of well-defined industry standard KPIs and a management dashboard. The project management process will monitor and track all technology projects agency-wide to support successful project delivery and continuous improvement.
Responsible Party: Technology – Technology Manager
Target Date: 10/31/2017
6. Comprehensive IT Risk Assessment
Rating: Not Rated
Recommendation:
Due to the nature of the governance and control weaknesses identified during our limited scope focused on change management, we recommend that VTA undergo an independent entity-wide IT risk assessment. A comprehensive, entity-wide IT risk assessment will allow VTA management to obtain a more thorough understanding of risk as it pertains to VTA’s existing technology, operations, and governance environment. Considerations in the assessment could include the following scope areas:
• Business process and IT support structures
• IT general controls not covered in this review
• Evaluation of existing IT risks, such as:
o Network Administration
o Business Continuity Planning
o Regulatory Compliance
o Cybersecurity
• Benchmarking of IT practices
By performing further analysis, VTA can develop a strategic IT roadmap and remediation plan that effectively aligns technology with VTA’s strategic business objectives and agency-wide IT risk management and governance needs.
APPENDIX A—RATING DEFINITIONS
Observation Risk Rating Definitions
Low: Process improvements exist but are not an immediate priority for VTA. Taking advantage of these opportunities would be considered best practice for VTA.
Medium: Process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be considered in the near term.
High: Significant process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be addressed immediately.
Not Rated: Observation identified is not considered a control or process improvement opportunity but should be considered by management or the board, as appropriate.
Report Rating Definitions
Low: Adequate internal controls are in place and operating effectively. Few, if any, improvements in the internal control structure are required. Observations should be limited to only low risk observations identified or moderate observations which are not pervasive in nature.
Medium: Certain internal controls are either:
o Not in place or not operating effectively, which in the aggregate represent a significant lack of control in one or more of the areas within the scope of the review.
o Several moderate control weaknesses in one process, or a combination of high and moderate weaknesses which collectively are not pervasive.
High: Fundamental internal controls are not in place or operating effectively for substantial areas within the scope of the review. Systemic business risks exist which have the potential to create situations that could significantly impact the control environment. Significant/several control weaknesses (breakdown) in the overall control environment in part of the business or the process being reviewed. Significant non-compliance with laws and regulations. High risk observations which are pervasive in nature.
Not Rated: Adequate internal controls are in place and operating effectively. No reportable observations were identified during the review.
APPENDIX B — SCOPE, WORK PLAN AND BACKGROUND
FIELDWORK DATES: August 22, 2016 to December 2, 2016
WORK STEPS COMPLETED: The following steps were taken to complete our analysis and deliver a report with recommendations:
• Kickoff meeting and preliminary documentation review
• Walkthroughs and interviews with Information Technology and Operations Technology key personnel
• Documentation of processes and controls
• Design and operating effectiveness testing of key controls
• Identification of recommendations and opportunities for improvement
SCOPE AND KEY RISK AREAS: Examine the policies, processes, and controls in place around VTA’s Information Technology and Operation Technology Project Management and systems development. The review focused on the following risk areas:
• IT strategic planning
• IT project management methodology
• IT methodology/framework(s)
• Systems development life cycle (SDLC)
• Change management
• IT Vendor / Third Party Management, specific to project management and SDLC
• Budgeting controls
NOTE: SCADA technology operations were specifically excluded from the scope of this review because they are managed by a separate team, outside of Information Technology, with limited to no agency-level technology oversight.
RSM US LLP, 100 W. San Fernando Street, Suite 460, San Jose, CA 95113; 408.572.4450; www.rsmus.com
This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP. © 2016 RSM US LLP. All Rights Reserved.
Date: April 26, 2017
Current Meeting: May 4, 2017
Board Meeting: June 1, 2017
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority
Governance and Audit Committee
FROM: Auditor General, Bill Eggert
SUBJECT: Investment Program Controls Internal Audit -- FY 2017
Policy-Related Action: No
Government Code Section 84308 Applies: No
ACTION ITEM
RECOMMENDATION:
Review and receive the Auditor General's report on the Investment Program Controls Internal
Audit performed during Fiscal Year 2017.
BACKGROUND:
Investment Program Controls is one of the projects contained in the Board-approved FY 2017
Internal Audit Work Plan. The Auditor General’s Office completed this project between March
and April 2017 and the attached report is the result of that review.
VTA has a Treasury function responsible for managing VTA’s investment portfolio in
unrestricted and restricted funds. As of December 2016, the total value of the investment
program was approximately $1.3 billion. Investment decisions are guided by a Board-adopted
policy to help ensure successful and prudent management of public funds and avoid inordinate
risk. This policy requires the Auditor General to perform a review of the internal controls within
the investments process every second year (biennially).
DISCUSSION:
In March 2017, the Auditor General’s Office initiated the Investment Program Controls Internal
Audit. The objective of this review was to evaluate the effectiveness of the design and operation
of the investment controls to assess whether reasonable safeguards are in place to minimize
VTA’s exposure to unreasonable financial loss or reputational damage as a result of its
investment program.
Based on the work performed, it is our conclusion that VTA’s investment program controls are
designed and operating effectively since our testing of 12 key controls did not result in any
exceptions or control deficiencies. Due to this, an overall report rating was not assigned.
Dating back to 2010, the Auditor General has identified no medium or high-risk observations for
investment program controls and evidence continues to demonstrate management’s effective
operation of internal controls. Although existing policy requires Auditor General review of
VTA’s investment program controls every two years, we recommend that the Board consider
revising the existing Investment Policy to lengthen the interval between required internal audit
reviews from a biennial to triennial (every third year) basis. This would allow for reallocation of
Auditor General resources to other projects focused on areas of higher risk.
FISCAL IMPACT:
There is no financial impact associated with acceptance of this report.
Prepared by: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator
Memo No. 5982
ATTACHMENTS:
A--Investment Program Controls IA--FY17 (PDF)
Investment Program Controls Internal Audit Auditor General Report No. 2017-02
April 20, 2017
Investment Program Controls Internal Audit Auditor General Report Issued: April 20, 2017
EXECUTIVE SUMMARY
Overall Rating (See Appendix A for definitions)

Area                          Report Rating   Number of Observations by Risk Rating
                                              High   Medium   Low
Investment Program Controls   Not Rated       0      0        0
Background: VTA has a Treasury function that is responsible for managing VTA’s investment portfolio in unrestricted and restricted funds. As of December 2016, the total value of the program was approximately $1.2 billion. VTA’s investment program is required to comply with California Government Code Section 53601 et seq. and the VTA Board-approved “Investment of Unrestricted and Restricted Funds” policy. The Investment Policy requires the Auditor General to perform a review of the internal controls within the investments process every other year (biennially).
This Investment Program Controls Internal Audit is a component project of the Board-approved FY 2017 Internal Audit Work Plan. The Auditor General’s Office completed this review in April 2017. This review, like all Auditor General reviews, was performed in accordance with the Standards for Consulting Services issued by the American Institute of Certified Public Accountants.
This report was prepared for use by VTA’s Board of Directors, Governance and Audit Committee, and management. Recommendations for improvement are presented for management’s consideration and management is responsible for the effective implementation of corrective action plans.
Objective and Scope The objective of this review was to assess whether reasonable safeguards are in place to minimize VTA’s exposure to unreasonable financial loss or reputational damage as a result of its investment program. Fieldwork was completed in March and April 2017 with the following scope areas:
• Fund and investment portfolio compliance with VTA policies and applicable legislative / government requirements
• Periodic investment program controls
• Segregation of duties
• Third-party service organization / custodial agents internal controls
Our engagement consisted of a review of existing policies, processes and procedures; staff interviews; process walkthroughs; and sample testing to validate design and operating effectiveness of internal controls for the scope areas described above.
Overall Summary and Review Highlights
Based on the work performed, it is our conclusion that VTA’s investment program controls are designed and operating effectively since our testing of 12 key controls did not result in any exceptions or control deficiencies.
Testing completed in our review covered the key scope areas, including the key controls around Investment Policy approval requirements, management review of the investment performance report, investment accounting, and the estimated net cash needs review.
An overall report rating was not assigned because there are adequate internal controls in place and operating effectively to mitigate risk and no reportable observations were identified during the review.
Auditor General reviews of VTA’s investment program controls have not resulted in any medium or high-risk observations since 2010 and controls continue to operate effectively. Although current Board policy requires this audit to be conducted on a biennial basis, the Auditor General recommends consideration be given to extending the period between reviews to three years (a triennial audit cycle).
With effective internal controls, VTA continues to mitigate the inherent risk of its investment program. If the Board determines that the residual risk is of an acceptable level, lengthening the required audit interval would allow Auditor General resources to be reallocated to other programmatic areas of higher risk.
We would like to thank those who assisted us throughout this review. Questions should be addressed to Bill Eggert, Auditor General, in the VTA Auditor General’s Office at [email protected].
OBSERVATIONS SUMMARY
There were no risk-rated observations identified during our review. Below is the “Not Rated” observation and recommendation identified for consideration.
Definitions of the observation rating scale are included in Appendix A.
Other Auditor General Observations
Rating: Not Rated
Dating back to 2010, the Auditor General has identified no medium or high-risk observations for investment program controls, and evidence continues to demonstrate management’s effective operation of internal controls. Although existing policy requires Auditor General reviews of VTA’s investment program controls every two years, we recommend that the Board consider revising the existing Investment Policy to lengthen the interval between required internal audit reviews of investment internal controls from a biennial to a triennial basis. The Auditor General has assessed that the inherent risk of the investment program continues to be effectively mitigated by key controls, as substantiated in the recurring Auditor General reviews. If the Board concludes that risk is at an acceptable level because of effective internal controls and the results presented in this report, VTA can determine to reduce the frequency of the internal audits of investment program controls and allow for reallocation of Auditor General resources to Internal Audit projects focused on areas of higher risk.
APPENDIX A—RATING DEFINITIONS

Observation Risk Rating Definitions
Low: Process improvements exist but are not an immediate priority for VTA. Taking advantage of these opportunities would be considered best practice for VTA.
Medium: Process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be considered in the near term.
High: Significant process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be addressed immediately.
Not Rated: Observation identified is not considered a control or process improvement opportunity but should be considered by management or the board, as appropriate.

Report Rating Definitions
Low: Adequate internal controls are in place and operating effectively. Few, if any, improvements in the internal control structure are required. Observations should be limited to only low risk observations identified or moderate observations which are not pervasive in nature.
Medium: Certain internal controls are either not in place or not operating effectively, which in the aggregate represent a significant lack of control in one or more of the areas within the scope of the review. Several moderate control weaknesses in one process, or a combination of high and moderate weaknesses which collectively are not pervasive.
High: Fundamental internal controls are not in place or operating effectively for substantial areas within the scope of the review. Systemic business risks exist which have the potential to create situations that could significantly impact the control environment. Significant/several control weaknesses (breakdown) in the overall control environment in part of the business or the process being reviewed. Significant non-compliance with laws and regulations. High risk observations which are pervasive in nature.
Not Rated: Adequate internal controls are in place and operating effectively. No reportable observations were identified during the review.
Date: April 26, 2017
Current Meeting: May 4, 2017
Board Meeting: N/A
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority
Governance and Audit Committee
FROM: Auditor General, Bill Eggert
SUBJECT: Review Status of Internal Audit Work Plan
FOR INFORMATION ONLY
VTA’s Auditor General is responsible for developing and recommending the annual Internal
Audit Work Plan, assigning and managing the resources required to conduct each internal audit
or project, and providing project results and progress reports to the Governance & Audit
Committee.
To keep members informed, the Auditor General's Office provides at each Governance & Audit
Committee meeting a report on the current status of the Internal Audit Work Plan and its
component projects. This includes an update on the projects currently underway as well as the
projected order and estimated completion schedule of the remaining projects.
Prepared By: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator
Memo No. 1896
Internal Audit Work Plan Status Report (page 1)

Columns: Project / Activity; Governance & Audit Committee Meeting, FY17 (Nov 2016, Dec 2016, Feb 2017, Mar 2017, May 2017, June 2017)

Projects / Activities:
• IT Development and Project Management Assessment
• Inventory Management and Costing Assessment
• Recommended FY18 & FY19 Internal Audit Work Plans
• Follow Up: Sheriff’s Office Contract Compliance
• Investment Controls (every two years per Board Policy)
• Inventory and Assets Held at Outreach
• Interagency Agreements Risk Assessment
• BART Silicon Valley Extension (Contractor Compliance)
• Records Management Program Assessment
• Follow Up: Trapeze Ops Pre-Implementation Review
• Follow Up: Operator Scheduling Review
• Follow Up: Public Safety Process Assessment

Status entries shown in the schedule grid (twelve entries; their placement in the month columns is not recoverable from this copy): In progress – On Hold; In progress; Plan Complete; Report Complete; In progress; In progress; Report Complete; Report Complete; Report Complete; In progress; In progress; In progress.

Note: the timelines reflected above are estimates and may be subject to change due to scheduling constraints and/or Board requests.
Internal Audit Work Plan Status Report – Completed Projects (page 2)

Columns: Project / Activity; Board Meeting, FY16 and FY17 (May 2016, June 2016, Oct 2016, Dec 2016, Jan 2017, Mar 2017); Status

Project / Activity (Status)
• Grants Management and Compliance Assessment (Completed)
• Procurement and Contracts Process Assessment: Follow-Up (Completed)
• Alum Rock BRT Project Construction Delay Assessment (Completed)
• Paratransit Operations Assessment – Phase II Testing (Completed)
• Succession Planning Process Assessment (Completed)
• Risk Assessment Refresh (Completed)
• Follow-up: Third-party Fare Reporting Process Assessment (Completed)
• Follow-up: ATU Pension Review (Completed)
• Express Lane Funding and Operations Assessment (Completed)
• Follow up: Timekeeping and Payroll Process Review (Completed)
• Follow up: Investment Program Controls Internal Audit (Completed)

Note: the projects above are considered completed when the Auditor General’s report is noted on the meeting agenda and accepted by the full Board. Completed reports are available on the VTA website under the Board meeting agenda.
Date: April 26, 2017
Current Meeting: May 4, 2017
Board Meeting: June 1, 2017
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority
Governance and Audit Committee
FROM: Auditor General, Bill Eggert, and General Manager, Nuria Fernandez
SUBJECT: Recommended FY 2018 & FY 2019 Internal Audit Work Plans
Policy-Related Action: No
Government Code Section 84308 Applies: No
ACTION ITEM
RECOMMENDATION:
Recommend Board approval of the Auditor General’s recommended Internal Audit Work Plans
for the next two fiscal years (FY) for a maximum amount of $531,000 for FY 2018 and $465,000
for FY 2019.
BACKGROUND:
VTA’s Auditor General is responsible for assisting the Board of Directors in fulfilling its
fiduciary responsibilities of overseeing risks and controls in financial reporting, financial
integrity, reputation and public perception of the organization, and program activities. The
Auditor General has a direct reporting relationship to the Board and Governance & Audit
Committee and an administrative reporting relationship to the General Manager. The Auditor
General is, among other duties, responsible for:
• Developing and recommending the annual Internal Audit Work Plan
• Assigning and managing the audit resources required to conduct each internal audit or project
• Providing audit results and progress reports to the Governance & Audit Committee and Board
The VTA Board of Directors has contracted with RSM US LLP to serve as its Auditor General and
perform internal audit and consultative functions.
To develop its recommended internal audit work plan, the Auditor General’s Office annually
facilitates a high-level risk assessment of significant current or future potential financial,
business or reputational risks to VTA. These risks are derived from a combination of interviews
with key management, trends or issues in the business or governmental sectors, working
knowledge of the organization, and input solicited from the GM/CEO and senior staff. The
auditable risks are then identified, prioritized and considered for potential projects in the
recommended work plan for the upcoming fiscal year or two. The results of the Risk Assessment
Refresh conducted during FY 2017 were presented to the Governance and Audit Committee in
September 2016 and to the Board at its October 2016 meeting.
DISCUSSION:
Following review and direction by the Governance & Audit Committee, the Auditor General’s
Office, in collaboration with management, used the results from the Risk Assessment Refresh
and developed cost estimates for potential Auditor General projects. The product of this process
is the Auditor General’s recommended FY 2018 and FY 2019 Internal Audit Work Plans, shown
on Attachment A. It should be noted that based on the complexity and timing of some projects
combined with the availability of resources, not all potential projects contained in the Risk
Assessment Refresh are included in the Recommended Internal Audit Work Plans for FY 2018
& FY 2019 and thus may be recommended for subsequent years.
VTA Internal Audit Work Plans consist of three sections based on the specific activities or
responsibilities each addresses: (1) standing (recurring) Auditor General activities such as the
annual risk refresh and support of the Ethics Hotline; (2) new one-time internal audit projects or
assessments; and (3) Supplemental Work Allowance (SWA). SWA is comprised of a small
quantity of pooled funds pre-approved by the Board for specific allocation by the Governance &
Audit Committee at its discretion to respond to changing conditions and events or to address
levels of effort that need to be adjusted from the initial estimate.
The Governance & Audit Committee considered the Auditor General’s proposed projects for the
FY 2018 & FY 2019 Internal Audit Work Plans at its March 2017 meeting. The Committee
requested additional information about VTA’s cyber security processes and controls from
management. Cyber security was not discretely identified in the Risk Assessment Refresh Heat
Map results presented in September 2016. As a result, the Auditor General added Cyber
Security to the Heat Map presented in Attachment A and included a proposed Cyber Security
Assessment that the Governance and Audit Committee can choose to either
include, defer or delete from the recommended FY 2018 Internal Audit Work Plan. Cyber
security risks to VTA will be discussed in Closed Session at the May 4, 2017 Governance &
Audit Committee meeting; this item precedes Committee consideration of the recommended
Internal Audit Work Plans for the next two years.
The recommended FY 2018 & FY 2019 Internal Audit Work Plans are shown on Attachment A.
The recommended plan for FY 2018 has a combined maximum cost of $531,000, which includes
the optional Cyber Security Assessment for $66,000 that can be removed or deferred at the
Committee’s discretion. Included among the various cost categories are five new, one-time
projects, including Cyber Security, totaling $285,000. The combined total without the optional
Cyber Security project is $465,000. The recommended FY 2019 plan is for a maximum of
$465,000, which includes six new one-time projects totaling $278,000. Both plans include
$50,000 of SWA each, which has been increased from the previous $35,000 annual amount at
VTA administration’s request in order to provide enhanced capability for the Committee to
rapidly respond to changing conditions and events or to adjust levels of effort. The
recommended component projects and activities and the level-of-effort for each section for each
year are shown starting on Page 5 of Attachment A.
Both recommended FY 2018 and FY 2019 plans include a new proposed transaction monitoring
audit. Similar to Investment Program Controls, which is audited on a recurring basis every two
years in conformance with Board-adopted policy, the Auditor General recommends that certain
specific processes be included in future work plans to undergo independent assessments of
limited scope on a recurring cyclical basis.
The Governance & Audit Committee will consider the recommended FY 2018 and FY 2019
Internal Audit Work Plans at its May 2017 meeting. The Committee’s recommendation
regarding approval of this item plus any requested changes will be incorporated into the
Recommended Work Plans that will be submitted for Board adoption at its June 1, 2017 meeting.
If the work plans are approved by the Board, the specific schedule for completing the component
one-time projects will be determined in coordination with the General Manager and VTA
administration with the goal of performing the projects at an appropriate time and manner that
prevents or minimizes disruption to VTA operations.
ALTERNATIVES:
The Committee could recommend that the Board add, delete or modify some or all of the
specific projects and services included in either the Recommended FY 2018 or FY 2019 Internal
Audit Work Plans.
FISCAL IMPACT:
Sufficient appropriation to complete the recommended FY 2018 and FY 2019 Internal Audit
Work Plans is included in the Proposed FY 2018 and FY 2019 VTA Transit Fund Operating
Budgets, respectively.
Prepared by: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator
Memo No. 5983
ATTACHMENTS:
A--AG Recommended FY18 and FY19 IA Work Plans (PDF)
SANTA CLARA VALLEY TRANSPORTATION AUTHORITY Recommended FY18 & FY19 Internal Audit Work Plans
May 4, 2017
FY17 Risk Assessment Refresh - Heat Map

[Figure: heat map plotting each risk area by Risk Impact (LOW to HIGH) against a second LOW-to-HIGH axis; the position of each risk on the map is not recoverable from this copy.]

Risk areas plotted:
• BART-to-Silicon Valley Extension
• Capital Projects and Planning
• Joint Development
• Community Outreach
• Bus and Rail Yard Operations
• Records Management
• Business Continuity
• Paratransit
• Special Events / Stadiums
• CAD/AVL – RTI Replacement
• Rolling Stock (Bus / LRV)
• Information and Operation Technology
• Network Security
• BART Post Go-Live
• Allied Barton Contract
• Succession Planning
• CCTV
• MTC Allocation
• SAP
• Inventory Management
• Eco Pass
• Regulatory Compliance
• Trapeze Pass
• Non-transit revenue
• Shared Ridership
• Third-Party Service Providers
• Express Lane Funding & Operations
• Interagency Agreements
• Fare Policy
• Fare Collections / Ridership
• 2016 Sales Tax Measure B
• Communication Vulnerability
• Cyber Security*
• State of Good Repair

* Risk added subsequent to Risk Assessment Refresh presented in September 2016
Recommended FY18 & FY19 Auditor General Projects

RTI Project – CAD/AVL Replacement
Examine current and potential future needs of the RTI (Real Time Information) project for Computer-Aided Dispatch (CAD) / Automatic Vehicle Location (AVL). Considerations may include:
* Pre-Implementation review
* Cost/Funding
* System implementation strategy
* RFP and contract, vendor capabilities

Special Events and Stadiums
Examine new risks associated with the servicing of new athletic stadiums. Considerations may include:
* Infrastructure, equipment, staffing, and morale
* Integration of existing service and connectivity to stadiums
* MOUs and the cost to VTA
* Operator/Field Supervisor availability
* Ambassador program and additional potential outsourcing opportunities
* Progress on schedule, budget, safety matters, policies, and roles to-date

Joint Development
Examine current and future joint development plans. Considerations may include:
* Land use and zoning
* Project planning and development
* Monetization of assets and property sales
* Community outreach
* Political pressure
* Risk management

Comprehensive IT Risk Assessment
Examine the risks and efficacy of controls related to VTA’s comprehensive IT operations and governance environment. Considerations may include:
* Business process and IT support structures
* Benchmarking of IT practices
* IT general controls (ITGC)
* IT application controls (ITAC)
* Evaluation of other IT risks: cyber security, network administration, business continuity planning, and compliance

Paratransit - Operations Transition
Examine the controls and processes surrounding VTA’s Access paratransit operations. Considerations may include:
* Transition from previous provider and service model, including process assessment and implementation
* Implementation of management response from prior audits
* Compliance with new contract
* Community outreach

Cyber Security (Pending G&A Determination)
Examine VTA’s Cyber Security framework and evaluate the adequacy of its processes and controls. Considerations may include:
* Risk management and compliance
* Third-party management
* Information and asset management
* Identity and access management
* Threat and vulnerability assessment
* Data management and protection
* Crisis Management capability and resiliency
* Security operations, awareness, and training

Trapeze Pass
Examine the implementation and controls of the Trapeze Pass system for VTA Access paratransit services, focused on:
* Software acquisition and configuration
* System implementation and application go-live
* System controls and reporting
* Interface with invoicing and data reporting

Regulatory Compliance
Examine the processes for establishing and tracking VTA’s regulatory compliance requirements. Considerations may include:
* Regulators and organizational compliance requirements
* Internal monitoring and controls assessment
* Compliance assessment
* Federal, state, and local regulations

Business Continuity Plan
Examine VTA’s Business Continuity Plan. Considerations may include:
* Adequacy, completeness, and appropriateness of plan
* Feasibility: people and processes
* Adequacy and effectiveness of testing controls
* Mission critical coverage

Fixed Assets Program
Examine VTA’s operational and financial process and controls for fixed assets and state of good repair. Considerations may include:
* Adequacy of policies and procedures
* Asset requisition and capital budgeting
* Financial and reconciliation controls
* Capital budget monitoring and overruns
* Depreciation methodology and expense recognition
* Transfer and disposal of assets

Capital Budget and Project Controls
Examine VTA’s Capital Budget planning and monitoring processes. Considerations may include:
* Methodology for reviewing and approving projects
* Project feasibility and planning
* Capital project and schedule execution
* Contractor selection and oversight
* Project change order controls
* Cost and project monitoring controls

Maintenance Operations & Scheduling
Examine VTA’s maintenance operations and scheduling processes at bus and rail yards. Considerations may include:
* Methodology for planning and scheduling maintenance
* Internal controls and monitoring programs
* Key performance indicators (KPIs) and continuous improvement
* Utilization of SAP and other technology
* Productivity and process effectiveness
* Parts planning and inventory utilization
Recommended FY 2018 Internal Audit Work Plan (Work Plan FYE June 30, 2018)

                                                                    Est. Hours   Est. Cost
Auditor General Projects:
  RTI Project CAD / AVL Replacement                                      260      $44,000
  Special Events and Stadiums                                            320      $55,000
  IT Risk Assessment                                                     370      $63,000
  Paratransit Operations Transition                                      300      $50,000
  Transaction Monitoring Audit* (Pending G&A determination)              120      $18,000
  Joint Development                                                      320      $55,000
  Cyber Security Assessment (Pending G&A determination)                  390      $66,000
Auditor General Services:
  AG Services Support                                                    380      $65,000
  Annual Risk Refresh                                                     80      $12,500
  Follow-up of Management Action Plans                                    70      $12,000
  Ethics Hotline Support                                                  80      $13,500
  Expenses (Travel and Related Costs)                                    n/a      $27,000
  Supplemental Work Allowance (for Projects TBD by G&A Committee)        200      $50,000
Total - with Cyber Security                                            2,890     $531,000
Total - without Cyber Security                                         2,500     $465,000

* See page 8 for recommended transaction monitoring audits

Recommended FY 2019 Internal Audit Work Plan (Work Plan FYE June 30, 2019)

                                                                    Est. Hours   Est. Cost
Auditor General Projects:
  Trapeze Pass                                                           260      $44,000
  Regulatory Compliance Assessment                                       310      $52,000
  Business Continuity Plan                                               330      $55,000
  Capital Budget and Project Controls                                    310      $53,000
  Fixed Assets Program                                                   340      $58,000
  Investment Program Controls or Transactional Monitoring Audit*         100      $16,000
Auditor General Services:
  AG Services Support                                                    380      $65,000
  Risk Assessment and Two-Year Audit Plan                                100      $19,500
  Follow-up of Management Action Plans                                    80      $12,000
  Ethics Hotline Support                                                  80      $13,500
  Expenses (Travel and Related Costs)                                    n/a      $27,000
  Supplemental Work Allowance (for Projects TBD by G&A Committee)        200      $50,000
Total                                                                  2,500     $465,000
Proposed Future Auditor General Projects

2016 Sales Tax Measure B
Examine current and future plans of the proposed Sales Tax Measure funding. Considerations may include:
* Future audit requirements
* VTA oversight and management
* Ballot-required Citizens Oversight Committee
* Reporting and monitoring of capital expenditures, political impact, and community outreach

Vendor Management
Examine VTA’s Vendor Management process and controls. Considerations may include:
* Duplicate payments
* Vendor master data inputs and controls
* Ongoing vendor monitoring
* Segregation of duties and fraud prevention controls
* Vendor selection processes and controls, including high risk or disqualified vendors

Bus and Rail Yard Operations
Examine VTA’s operational processes and controls at bus and rail yards. Assessment considerations may include:
* Productivity and process effectiveness
* Internal controls and monitoring programs
* Key performance indicators (KPIs) and continuous improvement programs

Diridon Station
Examine current and future plans for the Diridon Station. Considerations may include:
* Project planning and development
* Joint Development
* Community outreach

Rolling Stock
Examine the process related to the purchase, planning, use, and maintenance of VTA’s rolling stock. Considerations may include:
* Maintenance schedule and productivity
* Equipment shortages
* Supply chain operations related to parts procurement
* Potential impact on the system and riders
* Mid-life rehabilitation
* Rail and bus pull-out

MTC Allocation
Examine the controls and processes surrounding VTA’s MTC allocation. Considerations may include:
* Reasonableness and proportion of allocation
* Impact of BART go-live
* Subjectivity in allocation process
* VTA process to identify and apply for grant funding
Recommended Transaction Audits
• Currently, the Board-adopted policy requires the Investment Program Controls be audited every 2 years due to the program risk.
• To complement the dynamic Internal Audit Work Plan, the Auditor General recommends that the Board consider including transaction monitoring audits for additional processes to independently assess on a recurring basis. Recommended processes for G&A consideration include:
− Vendor Master File
− Accounts Payable / Disbursements
− Procurement cards / Travel & Expenses
− Journal Entries and Account Reconciliations
− Payroll