Audit of the Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority (the Steamship Authority) for the period January 1, 2020 through December 31, 2021. When designing the audit plan for the Steamship Authority employees’ completion of cybersecurity awareness training, we extended the audit period back to November 1, 2019 to capture training assignment and completion dates since the Steamship Authority implemented its web-based training system.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To achieve our audit objectives, we gained an understanding of the Steamship Authority’s internal control environment related to our objectives by reviewing applicable Steamship Authority policies and procedures and by conducting interviews and observations with Steamship Authority officials and employees.

To obtain sufficient, appropriate audit evidence to address our audit objectives, we performed the following procedures.

From the Steamship Authority’s accounting and finance system, the Steamship Authority’s treasurer generated a total population of 18,327 operating expenses, totaling $26,604,430, that were incurred during the period January 20, 2020 through March 31, 2020 and were eligible for reimbursement from CARES Act funds. Of this total amount, $9,859,884 was reimbursed from CARES Act funds. The Steamship Authority’s accounting and finance system classified these operating expenses into the following seven categories: wages, pensions, payroll taxes, vessel fuel oil, insurance, maintenance, and miscellaneous.

From the aforementioned total population of 18,327 operating expenses, we selected a random, statistical² sample of 62 operating expenses, prorated across the seven categories, using a 95% confidence level, a 0% expected error rate, and a 5% tolerable error rate. We inspected supporting documentation (i.e., vendor invoices, vouchers, schedules, and operating expense reports) for all 62 operating expenses. We did this to ensure that each of these expenses was (1) paid during the period January 20, 2020 through March 31, 2020 (the date of which the Steamship Authority’s operating expenses reached the total maximum amount eligible for reimbursement from CARES Act funds) and (2) made in accordance with FTA’s Frequently Asked Questions from FTA Grantees Regarding Coronavirus Disease 2019 (COVID-19) and the Steamship Authority’s memorandum of understanding with CCRTA, dated April 21, 2020.

We noted no exceptions in our testing; therefore, we conclude that the Steamship Authority spent CARES Act funds in accordance with FTA guidance and the Steamship Authority’s memorandum of understanding with CCRTA during our audit period.

The Steamship Authority’s human resources director provided us with three lists of cybersecurity awareness training records (one list for each of the three required cybersecurity awareness training courses), which were generated from the Steamship Authority’s web-based training system. While our audit period was January 1, 2020 through December 31, 2021, these lists covered the period November 1, 2019 (the implementation date of the web-based training system) through December 31, 2021. We extended the audit period back to include November 1, 2019 to capture assignment and completion dates of each training for all employees starting from the implementation date of the web-based training system through the end of the audit period.

We combined the three lists of cybersecurity awareness training records for a total population of 3,931 training records. We organized the assignment dates and completion dates by employee (of which, there were 911) and training course (of which, there were three) for all 3,931 training records. We also noted whether each training record was an initial training assignment (for newly hired employees) or an annual refresher training assignment (for existing employees) to determine whether (1) all 200 newly hired employees who started during the audit period were assigned to and completed the three cybersecurity awareness training courses as initial training assignments, (2) all 711 existing employees (hired before January 1, 2020) were assigned to and completed the three cybersecurity awareness training courses as annual refresher training assignments, and (3) all 911 employees completed the three cybersecurity awareness training course assignments in accordance with the Steamship Authority’s 12-month completion requirement.

Additionally, a member of our audit team was assigned to and completed all three of the cybersecurity awareness training courses to observe the format, process, and content, as well as to ensure that knowledge checks—which test the employees’ comprehension of each course—were included.

See Finding 1 for an issue we identified with the Steamship Authority’s cybersecurity awareness training practice.

CARES Act

To determine the reliability of the operating expense data within the Steamship Authority’s accounting and finance system, we interviewed Steamship Authority officials who were knowledgeable about the data. We reviewed certain general information system controls (i.e., security management, access controls, configuration management, segregation of duties, and contingency planning regarding the Steamship Authority’s accounting and finance system). From the Steamship Authority’s treasurer, we obtained a total of 18,327 rows of data from the Steamship Authority’s accounting and finance system for the period January 20, 2020 through March 31, 2020. These rows of data consisted of seven operating expense categories: wages, pensions, payroll taxes, vessel fuel oil, insurance, maintenance, and miscellaneous. For completeness, we reconciled the total dollar amount for each of the seven operating expense categories to the FTA operating expense worksheet that the Steamship Authority submitted to CCRTA as documentation for operating expense reimbursement using CARES Act funds. We tested the 18,327 rows of data for blank fields and duplicate records. From the 18,327 rows of data, we selected a random sample of 20 rows of data and traced each row to supporting documents (i.e., vendor invoices, vouchers, schedules, and operating expense reports) to verify the accuracy of the data.

Cybersecurity Awareness Training

From the Steamship Authority’s treasurer, we obtained a list of the 911 employees who were actively employed during the audit period. From this list of 911 employees, we selected a judgmental sample of 20 employees and traced the information regarding each employee (i.e., employee number, name, job title, status, position,³ hire date, and inactive⁴ and termination dates, when applicable) from this list to the information regarding each employee in corresponding personnel files, which are maintained by the Steamship Authority’s Human Resources Department, to verify the accuracy of the list of 911 employees.

To test the accuracy of the Steamship Authority’s web-based training system, we interviewed Steamship Authority officials who were knowledgeable about the system. We observed the Steamship Authority’s human resources director extract a total of 3,931 training records from the Steamship Authority’s web-based training system for the period November 1, 2019 through December 31, 2021. We tested for blank fields and duplicate records in the training records. We also selected a judgmental sample of 20 employees associated with the 3,931 training records and compared them to the list of 911 employees to ensure that the training records were for active employees.

Based on the results of our data reliability procedures described above, we determined that the information obtained for our audit period was sufficiently reliable for the purposes of our audit.