• This page, Audit of the Massachusetts Bay Transportation Authority Objectives, Scope, and Methodology, is   offered by
  • Office of the State Auditor

Audit of the Massachusetts Bay Transportation Authority Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Massachusetts Bay Transportation Authority.

Table of Contents

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Massachusetts Bay Transportation Authority (MBTA) for the period January 1, 2017 through March 15, 2019. When testing security access privileges, we extended the audit period through June 29, 2019, capturing data in the MBTA’s security access control system database as of the time of our fieldwork. Some testing required physically observing the then-current status of security controls at MBTA bus and rail maintenance facilities. This included conducting unannounced inspections of these facilities between May and July 2019. Specifically, when we assessed the physical condition of perimeter fencing, our last inspection was on July 1, 2019.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objective

Conclusion

1. Does the MBTA have physical security measures to prevent unauthorized access to its vehicle maintenance and storage facilities? Specifically,

 

a. Are the security access privileges of separated employees promptly disabled?

No; see Finding 1b

b. Are employee access identification (ID) cards retrieved and destroyed when employees leave the agency?

No; see Finding 1a

c. As of July 1, 2019, was perimeter security fencing in proper working condition?

Yes

 

To achieve our audit objectives, we gained an understanding of the internal controls we deemed significant to our audit objectives by reviewing agency policies and procedures, as well as conducting interviews and observations. In reviewing data pertaining to MBTA employee access ID cards, we identified an issue regarding the timeliness with which former employees’ free transportation benefit was disabled (Other Matters).  

To obtain sufficient, appropriate audit evidence to address our audit objectives, we conducted further audit testing as follows:

  • To determine whether the security access privileges of separated employees were promptly disabled, we performed the following procedures:
  • We were provided with a list from the Commonwealth Information Warehouse2 of all 1,091 MBTA employees who separated from the agency (via termination or retirement) during our audit period. We also obtained a copy, as of June 29, 2019, of the MBTA’s entire security access control system database. We then matched information in the database to the list of separated employees by linking each employee’s unique Human Resource / Compensation Management System (HR/CMS) ID number. Of the 1,091 separated employees, 906 had corresponding HR/CMS employee IDs in the security access control system database. The HR/CMS ID numbers of the other 185 did not appear in the security database.3
  • We then identified all instances where an individual on the separation report had an employee access ID card that either was still active or had been deactivated more than a day after the employee’s effective date of termination. We identified a total of 853 cards, assigned to 785 distinct individuals.For each of the 853 cards identified, we calculated the amount of time between the individual’s effective date of termination and the date the card was deactivated. Further, we reviewed access control system data to determine whether any separated employees accessed agency facilities after their effective dates of termination.
  • We selected a nonstatistical random sample of 65 of the aforementioned list of 1,091 employees and reviewed supporting documentation (such as employee exit interview forms, other human resource documentation, and Automated Fare Collection Department records) to determine whether their employee access ID cards had been retrieved upon separation and ultimately destroyed. For instances where the separated employee did not return a card, we looked for evidence to determine whether the MBTA had taken any additional action to collect the card.
  • We performed an unannounced visual inspection at each of the 20 vehicle maintenance and storage facilities that had perimeter security fencing systems in place at the time of our audit to determine whether the fencing systems were in proper working condition (i.e., had no visible signs of damage).

Whenever sampling was used, we applied a nonstatistical sampling approach, and as a result, we could not project our results to the entire population.

Data Reliability

To determine the completeness and accuracy of the list of employees who separated from the agency during the audit period, supplied to us by the MBTA, we compared it to a list of current employees. We also traced the data provided to us to original source documents, such as employee exit interview forms and other human resource documentation, for accuracy. Further, we performed other electronic tests of the data and made relevant inquiries. We determined that the data were sufficiently reliable for the purposes of this audit.

To determine the completeness and accuracy of the list of vehicle maintenance and storage facilities supplied to us by the MBTA, we reconciled the list to an MBTA-commissioned maintenance efficiency study obtained from the MBTA’s website. In addition, we interviewed agency officials who were knowledgeable about the facilities to obtain their assessments of the reliability of the list and conducted site visits to each location. We determined that the data were sufficiently reliable for the purposes of this audit.

2.     The Commonwealth Information Warehouse is a central data repository for the financial, budgetary, human resource, payroll, and time reporting information that is maintained in separate systems by individual agencies.

3.       In its response to our audit report, the MBTA suggested that HR/CMS numbers not appearing in the security database could be caused by the individual never having had or needed physical access, or by the number not being captured or not being correct in the MBTA access control system.

4.    In response to our report, the MBTA asserted that there is, and can be, only one active card per cardholder record in the system at all times. Some individuals have inactive prior cards, which could account for the larger number of cards compared to the number of individuals.

Date published: April 23, 2020

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback