Regional Transportation Authority
Report of Risk Assessment Results
Final Report of Results
December 2011
Agenda
• Background
• Overview of System-wide Results from Facilitated Sessions
• Detailed System-wide Results from Facilitated Sessions
• Appendix - RTA Five Year Audit Program
© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 50872CHI
Background
Scope and Objective Highlights
Conducted a system-wide (RTA, CTA, Metra, Pace) risk assessment
• Service Boards and RTA identified their business risks for their entity which were combined into a system-wide assessment.
• The risk assessment considered both incidental and inherent risks
• The risk assessment is a point in time assessment and should be updated annually to reflect changing risk environment
• The assessment provides information needed for coordinating external audits with the service board’s internal audit teams
Defined a 5-year external audit program with four major categories of audits:
• Risk-based audits identified based on the risk assessment
• Regulatory audits identified based on new regulations and laws or noted compliance issues
• Cycle-based audits identified based on common high risk areas, i.e., accounts payable
• Ad-hoc audits are not identified specifically in the audit program, but may arise due to a specific issue
Process for developing the risk assessment
Task 1 – Developed Risk Assessment Approach & Model
• Conducted kickoff meeting with RTA and Service Boards
• Developed and confirmed risk assessment model and questionnaires
• Reviewed key documentation
• Developed and sent questionnaires to key staff - 36 surveys completed
Task 2 – Performed Risk Assessment with Each Entity
• Performed 20 interviews with management to discuss and rank risks
• Identified and defined key business risks
• Created preliminary risk portfolio and risk definitions
• Performed facilitated sessions with each entity
• Drafted system-wide risk universe and determined risk ratings
• Drafted internal audit program and confirmed with RTA management
Task 3 – Issued Report / Present Results
• Updated preliminary risk assessment results based on RTA management review
• Drafted and issued final report
• Developed training plan and delivered training
Task 4 – Subsequent Annual Risk Assessment Updates (Future Date)
Process for rating risks and management effectiveness
Use of Anonymous Voting Technology - Resolver
• Attendees provided click pad – assigned anonymously / randomly distributed
• Stated and defined each Key Business Risk
• Key was to level set understanding of the risk
• Updated risk definitions as needed
Ranked Key Business Risk Based on Four Criteria Sets
• Impact – 5 is High and 1 is Low
• Likelihood – 5 is Almost Certain and 1 is Rare
• Management Effectiveness (Current State) – 5 is Optimized and 1 is Initial
• Management Effectiveness (Desired State) – 5 is Optimized and 1 is Initial
• Risk Score calculated by multiplying the Impact times Likelihood
• Management Effectiveness Gap calculated by subtracting the Current State from Desired State
• The system-wide results are an average of each entity's results
Consensus Voting
• Determined the majority response for each criteria set
Note: Interview and survey results were key inputs into the facilitated session process, which resulted in the quantitative data contained in this report.
Overview of System-wide Results from Facilitated Sessions
System-wide risk portfolio
External Risk Factors
• Energy Costs
• Funding Availability
• Labor Unions
• Natural and Unnatural Disaster
• Public Official Relationships
• Terrorist Acts
• State of the Economy
Internal Risk Factors
Strategic
• Alternative Financing Options
• Capital Program
• Public Perception
• Regional Planning
• Strategic Sourcing
Human Capital
• Compensation and Benefits
• Employee Performance Management
• Training and Development
• Recruitment, Retention and Succession Planning
Technology
• Business Continuity and Disaster Recovery
• IT Systems Implementation and Optimization
• Outdated Technology
• Service Board IT System Integration
• User Access and Security
Operational
• Contract and Vendor Accountability
• Effectiveness and Efficiency
• Fare Collection
• Fare Management and Integration
• Policies and Procedures
• Positive Train Control
• Rail/Bus/Train Operations
• Resource Scheduling
• Service Metrics
• State of Good Repair
Compliance
• Department of Homeland Security
• Federal Transit/Railroad Administration
• National Transportation Safety Board
• Occupational Safety and Health Administration
• Other Federal, State, and Local Requirements
Organizational Culture
• Conflicts of Interest
• Ethical Decision Making
• Fraud and Unauthorized Acts
• Governance
• Interagency Communication and Coordination
• Process Change Management and Efficiency
Passengers/Riders
• Call Center
• Customer Service and Communication
• Emergency Communication and Response
• Multi-modal Service Coordination
• Safety and Security
Financial
• Accounting
• Budgeting and Forecasting
• Cash Position
• Energy Cost Hedging
• Equipment and Facility Financing
• Financial Reporting
• Grant Management
• Inventory Management
• Pension Obligations
This is a summary of the risk portfolio based on results from interviews, surveys, the facilitated sessions and engagement team industry experience.
System-wide risk portfolio by risk category
Risk category, number of risks, share of portfolio:
• Compliance, 5, 9%
• Technology, 5, 9%
• External, 7, 12%
• Strategic, 5, 9%
• Passenger/Riders, 5, 9%
• Financial, 9, 16%
• Organizational Culture, 6, 11%
• Human Capital, 4, 7%
• Operational, 10, 18%
This chart details how the overall risk portfolio is distributed across risk categories. The count of the number of risks in each risk category is also stated.
Top 20 key business risks (based on facilitated session results)
1. Funding Availability
2. State of Good Repair
3. Recruitment, Retention & Succession Planning
4. Public Perception
5. Public Official Relationships
6. Fare Management & Integration
7. Customer Service and Communication
8. Compensation and Benefits
9. Policies and Procedures
10. Outdated Technology
11. Interagency Communication & Coordination
12. Safety and Security
13. Federal Transit/Railroad Administration
14. Cash Position
15. Terrorist Acts
16. Service Board IT System Integration
17. State of Economy
18. Labor Unions
19. Natural and Unnatural Disasters
20. Governance
The combined results were calculated by adding the total Risk Score of each entity and dividing by four (the number of entities included in the risk assessment)
Top 10 risk scores and management effectiveness gaps – System-wide
| Ranking | Risk Factor | Risk Score | Management Effectiveness Gap |
|---|---|---|---|
| 1 | Funding Availability | 21.0 | 1.4 |
| 2 | State of Good Repair | 19.1 | 0.9 |
| 3 | Recruitment, Retention and Succession Planning | 15.8 | 1.4 |
| 4 | Public Perception | 13.2 | 1.0 |
| 5 | Public Official Relationships | 11.3 | 0.9 |
| 6 | Fare Management & Integration | 10.8 | 0.9 |
| 7 | Customer Service and Communication | 10.8 | 0.9 |
| 8 | Compensation and Benefits | 10.3 | 1.5 |
| 9 | Policies and Procedures | 8.1 | 0.7 |
| 10 | Outdated Technology | 7.2 | 0.8 |
“Risk Score” is calculated by multiplying impact times likelihood.
“Management Effectiveness Gap” is calculated by subtracting the management effectiveness current state from the management effectiveness desired state.
Detailed System-wide Results from Facilitated Sessions
System-wide average scores
| Ranking | Risk Factor | Risk Category | Impact | Likelihood | Risk Score | ME – Current State | ME – Desired State | Gap |
|---|---|---|---|---|---|---|---|---|
| 1 | Funding Availability | External | 4.6 | 4.5 | 21.0 | 2.9 | 4.3 | 1.4 |
| 2 | State of Good Repair | Operational | 4.4 | 4.4 | 19.1 | 3.1 | 4.0 | 0.9 |
| 3 | Recruitment, Retention and Succession Planning | Human Capital | 4.0 | 4.0 | 15.8 | 2.4 | 3.8 | 1.4 |
| 4 | Public Perception | Strategic | 3.5 | 3.8 | 13.2 | 3.0 | 4.0 | 1.0 |
| 5 | Public Official Relationships | External | 3.8 | 3.0 | 11.3 | 3.0 | 3.9 | 0.9 |
| 6 | Fare Management & Integration | Operational | 3.1 | 3.5 | 10.8 | 2.9 | 3.8 | 0.9 |
| 7 | Customer Service and Communication | Passenger/Riders | 3.4 | 3.1 | 10.8 | 3.2 | 4.1 | 0.9 |
| 8 | Compensation and Benefits | Human Capital | 3.2 | 3.2 | 10.3 | 1.7 | 3.1 | 1.5 |
| 9 | Policies and Procedures | Operational | 2.7 | 3.0 | 8.1 | 2.0 | 2.7 | 0.7 |
| 10 | Outdated Technology | Technology | 2.7 | 2.7 | 7.2 | 2.2 | 3.1 | 0.8 |
| 11 | Interagency Communication & Coordination | Organizational Culture | 2.5 | 2.7 | 6.6 | 2.1 | 2.8 | 0.7 |
| 12 | Safety and Security | Passenger/Riders | 2.6 | 2.3 | 6.1 | 2.8 | 3.1 | 0.3 |
| 13 | Federal Transit/Railroad Administration | Compliance | 2.4 | 2.3 | 5.6 | 2.6 | 2.9 | 0.3 |
| 14 | Cash Position | Financial | 2.1 | 1.9 | 4.0 | 1.6 | 2.1 | 0.5 |
| 15 | Terrorist Acts | External | 2.2 | 1.5 | 3.4 | 1.7 | 2.1 | 0.5 |
This slide is ordered left to right based on system-wide risk scores.
Average risk score is calculated by adding the Risk Score of each entity and dividing by four (the number of entities included in the risk assessment).
System-wide average scores
| Ranking | Risk Factor | Risk Category | Impact | Likelihood | Risk Score | ME – Current State | ME – Desired State | Gap |
|---|---|---|---|---|---|---|---|---|
| 16 | Service Board IT System Integration | Technology | 1.5 | 1.7 | 2.5 | 1.1 | 1.8 | 0.6 |
| 17 | State of Economy | External | 1.2 | 1.2 | 1.4 | 0.6 | 1.0 | 0.4 |
| 18 | Labor Unions | External | 1.1 | 1.2 | 1.3 | 0.7 | 1.0 | 0.3 |
| 19 | Natural and Unnatural Disasters | External | 1.0 | 1.1 | 1.0 | 1.0 | 1.1 | 0.1 |
| 20 | Governance | Organizational Culture | 1.0 | 1.1 | 1.0 | 0.5 | 1.0 | 0.4 |
| 21 | Capital Program | Strategic | 1.0 | 1.0 | 1.0 | 0.7 | 1.0 | 0.3 |
| 22 | Energy Costs | External | 1.0 | 1.0 | 0.9 | 0.9 | 1.1 | 0.1 |
| 23 | Alternative Financing Options | Strategic | 0.9 | 1.0 | 0.9 | 0.6 | 0.9 | 0.3 |
| 24 | IT System Implementation and Optimization | Technology | 0.9 | 1.0 | 0.9 | 0.6 | 1.0 | 0.4 |
| 25 | Regional Planning | Strategic | 0.8 | 1.0 | 0.8 | 0.7 | 0.9 | 0.2 |
| 26 | Effectiveness and Efficiency | Operational | 0.9 | 0.9 | 0.7 | 0.5 | 0.8 | 0.3 |
| 27 | Fare Collections | Operational | 0.9 | 0.8 | 0.7 | 0.9 | 1.1 | 0.2 |
| 28 | Positive Train Control | Operational | 0.7 | 1.0 | 0.7 | 0.7 | 1.0 | 0.3 |
| 29 | Budgeting and Forecasting | Financial | 0.8 | 0.8 | 0.7 | 0.7 | 1.0 | 0.3 |
| 30 | Grant Management | Financial | 0.8 | 0.8 | 0.6 | 0.7 | 0.9 | 0.1 |
| 31 | Other Federal, State, and Local Requirements (ADA) | Compliance | 0.9 | 0.7 | 0.6 | 0.8 | 1.0 | 0.1 |
| 32 | Strategic Sourcing | Strategic | 0.7 | 0.7 | 0.5 | 0.5 | 0.7 | 0.2 |
System-wide average impact
[Chart: average impact for each risk factor; axes labeled Ranking and Risk Factor]
This slide is ordered left to right based on system-wide risk scores.
Average impact is calculated by adding the impact of each entity and dividing by four (the number of entities included in the risk assessment).
System-wide average likelihood
[Chart: average likelihood for each risk factor; axes labeled Ranking and Risk Factor]
This slide is ordered left to right based on system-wide risk scores.
Average likelihood is calculated by adding the likelihood of each entity and dividing by four (the number of entities included in the risk assessment).
System-wide average risk score
[Chart: average risk score for each risk factor; axes labeled Ranking and Risk Factor]
This slide is ordered left to right based on system-wide risk scores.
Average risk score is calculated by adding the Risk Score of each entity and dividing by four (the number of entities included in the risk assessment).
System-wide average management effectiveness (current and desired states)
[Chart: Management Effectiveness for each Risk Factor, with two series: Management Effectiveness - Current and Management Effectiveness - Desired]
This slide is ordered left to right based on system-wide risk scores.
Average management effectiveness is calculated by adding the management effectiveness results of each entity and dividing by four (the number of entities included in the risk assessment).
System-wide average management effectiveness gap
[Chart: Management Effectiveness for each Risk Factor, with two series: Management Effectiveness - Current and Management Effectiveness - Desired]
This slide is ordered left to right based on system-wide risk scores.
Average management effectiveness gap is calculated by adding the management effectiveness gap of each entity and dividing by four (the number of entities included in the risk assessment).
System-wide Risk Scores and Management Effectiveness Gap
[Chart: risk factors plotted by Impact (horizontal axis, 0 to 5) and Likelihood (vertical axis, 0 to 5)]
Management Effectiveness Gaps are shown via the size and color of the circle. The largest circles in red represent ME Gaps of 1 to 2. The smallest size in green represents ME Gaps under 1.
RTA Five Year Audit Program
(See Following Pages)
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
Regional Transportation Authority
RTA Five Year Audit Program
Sorted by Audit Execution and Proposed Audit
Columns: Ref; Proposed Audit; Proposed Description; Linkage to Risk Factors (Key Business Risk Highlighted in Color Blue); RTA; CTA; Metra; Pace; Audit Execution; Risk Category; 2012; 2013; 2014 or Later
Ref 1 - Audit Issues Remediation Assessment
Description: Assess ability of management to timely and adequately address issues/findings noted in audit reports issued by various oversight bodies and identify gaps to be closed by management or trends to be addressed by management.
Linkage to Risk Factors: FTA/FRA Compliance; Governance; Other Federal/State & Local Requirements; Public Perception; Reputation
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Compliance
Years marked (of 2012, 2013, 2014 or Later): X X X

Ref 2 - Customer Service Center Operations
Description: Assess processes related to call center operations to help ensure timely, accurate, and consistent information (experience) to customers. Assess performance of any third parties performing call center activities based on key contract provisions. Includes customer service and travel information centers across all agencies.
Linkage to Risk Factors: Customer Service & Communication; Effectiveness & Efficiency; Interagency Communication & Coordination; Performance Metrics; Policies & Procedures
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Passengers & Riders
Years marked (of 2012, 2013, 2014 or Later): X

Ref 3 - Data Privacy Review
Description: Assess effectiveness of internal controls and processes related to data privacy and use of personally identifiable information from both employees and passengers (inclusive of agencies and contracted third parties).
Linkage to Risk Factors: Data Security & Privacy; Public Perception; Reputation; Segregation of Duties; User Access
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Organization Culture
Years marked (of 2012, 2013, 2014 or Later): X X

Ref 4 - Disadvantaged Business Enterprise (DBE) Program Compliance Review
Description: Assess effectiveness of internal controls and processes related to utilization of DBE contractors by prime contractors based on defined requirements, applicable laws & regulations, policies & procedures, as well as existing contract documentation.
Linkage to Risk Factors: Cash Position; Other Federal/State & Local Requirements; Policies & Procedures; Public Official Relationships; Public Perception; Reputation
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Compliance
Years marked (of 2012, 2013, 2014 or Later): X X

Ref 5 - Emergency Response Coordination
Description: Assess emergency response coordination activities to determine how agencies and external parties, such as first responders and City Hall, will coordinate efforts during extended service interruptions due to weather conditions, equipment issues, unplanned and unusual events, or natural or unnatural disasters. Will include assessment of communication protocols to keep public informed as well.
Linkage to Risk Factors: Customer Service & Communication; Interagency Communication & Coordination; Natural & Unnatural Disasters; Public Perception; Safety & Security; Terrorist Acts
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Passengers & Riders
Years marked (of 2012, 2013, 2014 or Later): X

Ref 6 - Fraud Prevention Assessment
Description: Perform a high-level fraud prevention assessment to assist the agencies in identifying key fraud risk factors based on processes and operations, comparing to current internal control and fraud prevention/detection processes, and identify gaps to be addressed by management. Assess processes and procedures to identify, monitor, and mitigate conflicts of interest.
Linkage to Risk Factors: Conflicts of Interest; Ethical Decision Making; Financial Reporting; Fraud & Unauthorized Acts; Governance; Reputation; Safeguarding of Assets
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Organization Culture
Years marked (of 2012, 2013, 2014 or Later): X

Ref 7 - Grant Management Review
Description: Assess effectiveness of internal controls and processes related to grant development, management and reporting activities to help ensure effectiveness and compliance with grant requirements.
Linkage to Risk Factors: Budgeting & Forecasting; Funding Availability; Governance; Public Official Relationships; State of Good Repair
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Financial
Years marked (of 2012, 2013, 2014 or Later): X

Ref 8 - Hiring & Promotion Practices Review
Description: Assess effectiveness of internal controls and processes related to hiring such as compliance with federal, state, and local laws/ordinances, transparency, background checks, approvals, internal and external postings, and alignment with organizational goals and objectives.
Linkage to Risk Factors: Compensation & Benefits; Labor Unions; Policies & Procedures; Public Perception; Recruitment, Retention, & Succession Planning; Other Federal/State & Local Requirements; Reputation
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Human Capital
Years marked (of 2012, 2013, 2014 or Later): X X

Ref 9 - Information Technology Strategy Assessment
Description: Perform an assessment of existing IT infrastructure, strategies, and skill sets compared to overall business objectives to create a 3 to 5 year roadmap to achieve goals and objectives of the entities. This includes developing a strategy to integrate and consolidate IT systems and applications to meet operational, performance, and compliance goals in a cost effective manner.
Linkage to Risk Factors: Fare Management & Integration; IT Systems Implementation & Optimization; Governance; Outdated Technology; Service Board IT System Integration; Universal Fare Card Implementation
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Information Technology
Years marked (of 2012, 2013, 2014 or Later): X

Ref 10 - Paratransit Operational Review
Description: Review and document compliance with USDOT ADA regulatory requirements contained in 49 CFR Parts 27, 37, and 38 with respect to ADA paratransit service operations and eligibility determinations, including an analysis of capacity constraints and complaint handling.
Linkage to Risk Factors: Cash Position; Customer Service & Communication; Effectiveness & Efficiency; Other Federal/State & Local Requirements; Performance Metrics; Policies & Procedures
Entities marked (of RTA, CTA, Metra, Pace): X X
Audit Execution: RTA
Risk Category: Compliance
Years marked (of 2012, 2013, 2014 or Later): X

Ref 11 - Passenger Safety & Security Review
Description: Perform an assessment of current processes, protocols, and contingencies in place to respond to passenger safety and security incidents. Will include assessment of communication and escalation processes both internally and externally (to employees, passengers and pertinent emergency services departments) as applicable.
Linkage to Risk Factors: Customer Service & Communication; Governance; Interagency Communication & Coordination; Natural & Unnatural Disasters; Public Official Relationships; Public Perception; Policies & Procedures; Safety & Security; State of Good Repair; Terrorist Acts
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Passengers & Riders
Years marked (of 2012, 2013, 2014 or Later): X

Ref 12 - Procurement Spend Analysis
Description: Perform an analysis of overall spend to provide management with greater visibility into how operational funds are expended, identify three opportunities to rationalize spend, and provide leading practices on strategic sourcing.
Linkage to Risk Factors: Effectiveness & Efficiency; Funding Availability; Performance Metrics; Strategic Sourcing
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: RTA
Risk Category: Strategic
Years marked (of 2012, 2013, 2014 or Later): X

Ref 13 - RTA Governance Gap Assessment
Description: Review existing governance mandates granted by way of the 2008 reform legislation or other legislative actions and determine gaps between defined mandates and actual governance practices. Assess barriers to implementation of any and provide recommendations to implement mandates and enhance overall governance and oversight processes. Also, perform an assessment of how new monies granted have been allocated.
Linkage to Risk Factors: Funding Availability; Governance; Public Official Relationships; Public Perception; Reputation
Entities marked (of RTA, CTA, Metra, Pace): X
Audit Execution: RTA
Risk Category: Organization Culture
Years marked (of 2012, 2013, 2014 or Later): X

Ref 14 - Americans with Disabilities Act Review
Description: Document compliance with USDOT ADA regulatory requirements contained in 49 CFR Parts 27, 37, and 38 with respect to fixed route bus and rail facilities, vehicles, and service operations, as applicable.
Linkage to Risk Factors: Other Federal/State & Local Requirements
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Compliance
Years marked (of 2012, 2013, 2014 or Later): X

Ref 15 - Business Continuity & Disaster Recovery Review
Description: Assess the effectiveness of business continuity and disaster recovery processes including contingency plan development, escalation procedures, offsite data backup storage, and facility backups as well as perform testing of business continuity and disaster recovery plans.
Linkage to Risk Factors: Governance; Interagency Communication & Coordination; Natural & Unnatural Disasters; Outdated Technology; Policies & Procedures; Public Perception; Rail/Bus/Train Operations; Safety & Security; Service Board IT System Integration; Terrorist Acts
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Information Technology
Years marked (of 2012, 2013, 2014 or Later): X

Ref 16 - Capital Program Management Review
Description: Assess effectiveness of internal controls and processes related to capital construction project administration including invoice review and approval, budget to actual analysis, site visits, contract terms monitoring, and regulatory compliance such as Davis-Bacon and reporting.
Linkage to Risk Factors: Capital Projects; Budgeting & Forecasting; Other Federal/State & Local Requirements; Policies & Procedures; State of Good Repair
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Strategic
Years marked (of 2012, 2013, 2014 or Later): X X

Ref 17 - Cash & Treasury Review
Description: Assess effectiveness of internal controls and processes related to cash handling, cash receipts, cash flow forecasts, bank account reconciliations, wire transfers, cash transaction authority levels, segregation of duties, and existence of current policies and procedures reflective of actual processes. Also review key controls in place over the purchase, disposition, valuation, and custody of investments.
Linkage to Risk Factors: Cash Position; Budgeting & Forecasting; Fraud & Unauthorized Acts; Funding Availability; Policies & Procedures; Safeguarding of Assets
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Financial
Years marked (of 2012, 2013, 2014 or Later): X X X

Ref 18 - Claims Management Review
Description: Assess processes related to claim management including litigation, negotiation, liability accrual, reporting, and organizational change to mitigate recurrence.
Linkage to Risk Factors: Cash Position; General Liability; Process Change Management; Safety & Security
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Financial
Years marked (of 2012, 2013, 2014 or Later): X

Ref 19 - Contract Management Review
Description: Assess the effectiveness of internal controls and processes related to contract management including vendor/contractor oversight and management activities to help ensure contracted goods and services are obtained at the agreed upon price and comply with contract requirements.
Linkage to Risk Factors: Cash Position; Contract Compliance; Grant Compliance; Performance Metrics; Policies & Procedures; Public Perception; Vendor Management
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Operations
Years marked (of 2012, 2013, 2014 or Later): X X

Ref 20 - Employee Benefits Administrative Review
Description: Assess the effectiveness of internal controls and processes related to benefits administration, including enrollment, eligibility, segregation of duties, and existence of current policies and procedures reflective of actual processes. Also perform high-level assessment of PBM/TPA contracts for inclusion of performance metrics and performance guarantees.
Linkage to Risk Factors: Cash Position; Compensation & Benefits; ERISA Compliance; Labor Unions; Policies & Procedures; Recruitment, Retention, & Succession Planning
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Human Capital
Years marked (of 2012, 2013, 2014 or Later): X

Ref 21 - Employee Expense Review
Description: Review employee and board level business/travel expenses to determine whether each was appropriately approved, sufficiently documented, and timely submitted in accordance with policies and procedures. May also include validation of allowability and funding allocation and an assessment of existence of policies and procedures reflective of actual processes.
Linkage to Risk Factors: Cash Position; Policies & Procedures; Public Perception; Public Official Relationships; Reputation
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Financial
Years marked (of 2012, 2013, 2014 or Later): X X X

Ref 22 - Energy Cost Management Review
Description: Assess processes to forecast energy needs and implement effective short and long term strategies to minimize energy costs such as electricity, gasoline, and diesel. May include assessing use of contract locks, hedges, joint contracts, and swaps as well as green energy implementation. Assess how purchase efforts are coordinated across transportation agencies and sister agencies.
Linkage to Risk Factors: Funding Availability; Cash Position; Energy Costs; Interagency Communication & Coordination; Effectiveness & Efficiency; Policies & Procedures; Public Perception
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Financial
Years marked (of 2012, 2013, 2014 or Later): X

Ref 23 - Fare Collection Review
Description: Assess the effectiveness of internal controls and processes related to fare collection such as fare card purchases, uncollected fares, cash collections, fare account reconciliations, fare application controls, fare forecast to actual analysis, segregation of duties, and existence of current policies and procedures reflective of actual processes.
Linkage to Risk Factors: Cash Position; Customer Service & Communication; Effectiveness & Efficiency; Fare Management & Integration; Fraud & Unauthorized Acts; Public Perception; Reputation
Entities marked (of RTA, CTA, Metra, Pace): X X X
Audit Execution: Agencies
Risk Category: Operations
Years marked (of 2012, 2013, 2014 or Later): X X

Ref 24 - Financial Controls Review
Description: Assess the effectiveness of internal controls and processes related to journal entries, chart of accounts maintenance, fixed assets, budgeting, accounts receivable, capital expenditures, general ledger reconciliations, monthly, quarterly and year-end close, segregation of duties, user access rights, and documented policies and procedures.
Linkage to Risk Factors: Effectiveness & Efficiency; Financial Disclosure; Financial Reporting; Goodwill & Impairment; Outdated Technology; Policies & Procedures
Entities marked (of RTA, CTA, Metra, Pace): X X X X
Audit Execution: Agencies
Risk Category: Financial
Years marked (of 2012, 2013, 2014 or Later): X X X
25 General Information Technology Controls Review
Assess the effectiveness of general information technology controls including change management, computer operations, application development, and system access.
Data Security & Privacy; Governance; Outdated Technology; Process Change Management; Segregation of Duties; Service Board IT System Integration; User Access
X X X X Agencies Information Technology X X
26 Information Technology - IT Key Applications Review
Assess key IT applications to determine overall functionality provided to the business based on needs and identify any gaps.
Data Security & Privacy; Effectiveness & Efficiency; IT Systems Implementation & Optimization; Outdated Technology; Segregation of Duties; User Access
X X X X Agencies Information Technology X X
27 Information Technology Security Review
Assess the effectiveness of network and application security processes including network intrusion, access rights, segregation of duties with key systems, and existence of current policies and procedures reflective of actual processes.
Data Security & Privacy; Governance; IT Systems Implementation & Optimization; Outdated Technology; Policies & Procedures; Public Perception; Reputation; Segregation of Duties; User Access
X X X X Agencies Information Technology X
28 Payroll Review
Assess the effectiveness of internal controls and processes related to payroll time and attendance, time approvals, wage, benefit, tax, and other payroll deduction calculations, and compliance with applicable laws and regulations.
Cash Position; Compensation & Benefits; Federal/State & Local Tax Compliance; Policies & Procedures
X X X X Agencies Human Capital X X X
29 Procure to Pay Process Review
Assess the effectiveness of internal controls related to the purchase to pay process including solicitations, preferred vendor list, purchase requirements, purchase orders, invoice approvals, three-way matching, purchase cards, purchase authorization limits, performance metrics, and use of defined policies and procedures.
Cash Position; Contract Compliance; Grant Compliance; Performance Metrics; Policies & Procedures
X X X X Agencies Financial X X
30 Real Estate & Facilities Management Review
Assess processes related to real estate and facilities management including lease management, real estate taxes, capital planning, and maintenance. Also assess management oversight processes related to real estate inventory and cost efficiency monitoring.
Cash Position; Equipment & Facility Financing; General Liability; Performance Metrics; State of Good Repair; Real Estate Asset Management; Real Estate Tax Compliance
X X X Agencies Operations X
31 Staff & Management Development Review
Assess processes related to performance evaluation, training and development including mid-year and annual employee evaluations, performance feedback, assessing organization talent needs, training programs, management development programs, and succession planning programs.
Compensation & Benefits; Effectiveness & Efficiency; Employee Performance Management; Policies & Procedures; Recruitment, Retention, & Succession Planning; Training & Development
X X X X Agencies Human Capital X
32 Staffing Resources Review
Assess the effectiveness of internal controls and processes related to scheduling of staff and management of leave requests in a manner that efficiently utilizes all available manpower and minimizes overtime and service disruptions. Also review management oversight process related to absenteeism and direct/indirect effects to operations.
Cash Position; Effectiveness & Efficiency; Employee Performance Management; Labor Unions; Public Perception; Rail/Bus/Train Operations; Resource Scheduling; Safety & Security; Service Metrics
X X X X Agencies Operations X
Totals 10 14 27