PricewaterhouseCoopers

Metropolitan Transportation Commission
2002 Report to Management


PricewaterhouseCoopers LLP
333 Market Street
San Francisco CA 94105
Telephone (415) 498 5000
Facsimile (415) 498 7100


October 25, 2002

To the Commissioners
Metropolitan Transportation Commission

In planning and performing our audit of the government-wide financial statements of the Metropolitan Transportation Commission (MTC) for the year ended June 30, 2002, we considered MTC's internal control structure in order to determine our auditing procedures for the purpose of expressing our opinion on the government-wide financial statements. As part of our audit, we evaluated MTC's system of internal accounting control, to the extent we considered necessary to evaluate the system as required by auditing standards generally accepted in the United States of America. Although our audit was not designed to provide assurance on the internal control structure, we noted certain matters involving the internal control structure and its operation, and are submitting for your consideration related recommendations designed to help the organization make improvements and achieve operational efficiencies. Our comments reflect our desire to be of continuing assistance to MTC.

Additionally, we have included in this letter a statement on communications with the Commissioners of MTC as required by professional auditing standards.

The accompanying comments and recommendations are intended solely for the information and use of the Commissioners, management, and others within MTC.

We appreciate the opportunity to have been of service to you and MTC. Should you have any questions or comments, please contact David East on (415) 498-7442 or Ian Fleming on (415) 498-7462. We look forward to being of future service to you and MTC.

Very truly yours,
PricewaterhouseCoopers LLP



Metropolitan Transportation Commission
2002 Report to Management

Item

I. Required Communications
II. Current Recommendations
   A. Accounting and Operational
   B. Computer Environment
III. Status of Prior Year Recommendations




I. REQUIRED COMMUNICATIONS


Professional auditing standards require auditors to communicate with the Commissioners of MTC on a number of subjects. The following information satisfies these requirements, and is solely for use of the Commissioners and management.


1. The Auditors' Responsibility Under Generally Accepted Auditing Standards

The audit of MTC's government-wide financial statements as of and for the year ended June 30, 2002 was conducted in accordance with auditing standards generally accepted in the United States of America and Government Auditing Standards. The objective of an audit is the expression of an opinion concerning whether the financial statements of MTC present fairly, in all material respects, the financial position, the results of its operations, and cash flows of its proprietary funds in conformity with accounting principles generally accepted in the United States of America.

As part of our audit, we considered MTC's internal control structure, as required by auditing standards generally accepted in the United States of America, for the purpose of establishing a basis for determining the nature, timing, and extent of auditing procedures necessary for expressing our opinion concerning the financial statements.

Audits are based on the concept of selective testing of data and are not designed to detect all potential errors, fraud or illegal acts. Audits are also conducted with a view of the materiality of transactions, and are not intended to comment or identify all matters which might impact the financial statements or the operations of MTC, and do not provide an opinion on the adequacy of internal controls.


2. Significant Accounting Policies and Unusual Transactions

MTC adopted Governmental Accounting Standards Board (GASB) Statement No. 34, Basic Financial Statements - and Management's Discussion and Analysis - for State and Local Governments, as amended by GASB Statement No. 37, Basic Financial Statements - and Management's Discussion and Analysis - for State and Local Governments: Omnibus, as of and for the year ended June 30, 2002 and applied those standards on a retroactive basis. GASB Statement No. 34 establishes standards for external financial reporting for state and local governments and requires that resources be classified for accounting and reporting purposes into three net asset categories; namely, net assets invested in capital assets, net of related debt; restricted net assets; and unrestricted net assets. For the year ended June 30, 2002, MTC also adopted GASB Statement No. 38, Certain Financial Statement Note Disclosures. GASB 38 modifies, establishes, and rescinds certain financial statement disclosure requirements. Other than the change in external reporting, there were no other changes in significant accounting policies or unusual transactions during fiscal year 2002.


3. Management Judgments and Accounting Estimates

There are no significant estimates that impact the financial position and changes in net assets of MTC.


4. Significant Audit Adjustments

Significant audit adjustments, including certain balance sheet reclassifications, proposed by us were discussed and agreed to by management prior to the issuance of the financial statements. The statement of revenues, expenditures and changes in fund balances for all governmental funds is presented under the modified accrual basis of accounting; however, GASB Statement No. 34 requires that the government-wide financial statements be presented under the accrual basis of accounting. As a result, we proposed four adjustments increasing the net change in fund balances (as determined under the modified accrual basis of accounting) by $7,557,628 to arrive at the change in net assets (as determined under the accrual basis of accounting). The main component of the adjustments was the capitalization of the loan to the Bay Area Rapid Transit District in the amount of $7,741,000 for the purpose of presentation in the government-wide financial statements. The amount is expensed each year for the purpose of presenting the individual governmental fund. All other adjustments were of a reclassification nature.


5. Disagreements with Management

There were no disagreements with management.


6. Consultation with Other Accountants

To our knowledge, no such consultations with other accountants were held by management regarding application of accounting principles and auditing standards.


7. Major Issues Discussed with Management Prior to Our Retention

No discussion occurred in connection with our retention regarding accounting principles or scope of work.


8. Difficulties in Performing the Audit

There were none.


9. Deficiencies in Internal Control

There were no significant deficiencies in the control environment, accounting systems, and control policies and procedures. However, a number of recommendations are highlighted in this report.


10. Fraud and Illegal Acts

No fraud or illegal acts came to our attention.


II. CURRENT RECOMMENDATIONS

A. Accounting and Operational

1. Monitoring of charges for Richmond Trestle Project

Observation

In our 2001 Report to Management for the Bay Area Toll Authority (BATA), we noted that an agreement was made between the State of California, Department of Transportation (Caltrans) and BATA on the Maintenance Type A receivable amounting to $37,533,643 at June 30, 2001. The agreement stated that Caltrans would reimburse BATA in the form of funds spent on the Richmond Trestle Project.

In our 2001 Report to Management for BATA, we noted that BATA had no established procedures to ensure that the expenses charged against the receivable are valid and duly authorized. During fiscal 2002 expenses amounting to $15,506,163 were charged against the receivable. We noted an improvement in the quality of documentation received after June 30, 2002 supporting the fiscal 2002 expenses. However, BATA was not informed of expenses against the receivable until after June 30, 2002, which does not permit monitoring of the expenses on a timely basis.

Implication

The monitoring of expenses charged against the receivable is key to evaluate whether the funds are spent entirely for the purposes agreed upon between BATA and Caltrans. Failure to establish procedures to perform such monitoring could lead to invalid charges against the receivable.

Recommendation

We recommend that BATA establish procedures to adequately monitor expenses on a timely basis.


Management Response

BATA now requires Caltrans to provide quarterly documented updates in support of expenses charged against the receivable. A report is presented to BATA's Oversight Committee on the project's progress.


2. Budget to Actual Comparisons

Observation

During our review of the budgetary process, we noted that monthly budget to actual comparisons are performed by the finance department for MTC, but not for BATA or the Service Authority for Freeways and Expressways (SAFE).

Budget to actual reports relating to BATA are reviewed by the project managers on a monthly basis, and budget to actual information relating to SAFE is reviewed by the project managers when it is time to prepare a new budget for the following year; however, no budget to actual comparisons are performed by the MTC finance department for either BATA or SAFE.

Implication

Reviewing budget to actual comparisons is an important control over revenues, expenditures and reimbursable grants. Without a formalized process for the finance department to review budget to actual data on a monthly basis, a potential risk exists that projects may not fully utilize grant funding. In addition, cost overruns and funding shortfalls may not be identified on a timely basis.

Recommendation

We recommend monthly budget to actual data be reviewed by the MTC finance management and budget to actual differences be reconciled.

Management Response

A new general ledger budget system replacing the various spreadsheet-based systems was brought on-line in 2002 for MTC. We expect to bring the system on-line for BATA and SAFE and all projects during fiscal 2003. Monthly reports for all funds and projects should be in use during fiscal 2003.


3. TDA Fiduciary Fund Net Assets by Apportionment Area

Observation

We noted that the fiscal 2002 TDA expenditures and allocations for numerous apportionment areas exceeded the corresponding revenues for the year. For a number of counties this resulted in negative net asset balances for the affected individual apportionment areas. In essence, monies of certain apportionment areas were being used to subsidize the negative net asset positions of other apportionment areas.

Implication

As a result of the negative net asset balances arising for the affected individual apportionment areas, the ensuing year's revenues are being used to pay prior year expenses. This negatively impacts future expenditure budgets and the overall management of TDA funds and projects.

Recommendation

One apportionment area should not subsidize another. Expense allocation approvals must be subject to available assets at the apportionment area level. MTC should establish oversight procedures to ensure that expenses are only made from available apportionment area net assets and authorization for expenses should be curtailed in the event that actual expenses for a particular apportionment area exceed the available apportionment area net asset balance.

Management Response

We agree that one apportionment area should not subsidize another. To support and complement the individual apportionment accounts that already exist, MTC will establish a monitoring/control system and protocol that will ensure that individual allocation approvals are only made to accounts that have sufficient net asset balances to match the expense requests. Further, we will seek to establish an 'early notification' system for apportionment area claimants to notify them in advance of when net asset balances are reaching levels that may drop below anticipated future requests for any given fiscal year.


B. Computer Environment

4. Information technology security

Observation

In both the 2000 and 2001 BATA Reports to Management we made certain recommendations in relation to information technology security. In particular we noted that the Commission has no formal information security policy or security awareness program. This recommendation has not yet been fully implemented.

Implication

Without establishing and promoting formal information security policies, the risk of compromising important and confidential information is increased.

Recommendation

A formal information security policy should be drafted and approved by management.

Management Response

A Request for Proposal for a consultant to do a security audit and develop policies is currently being reviewed by the legal department. We expect that a consultant will be on board in January 2003 and that the project will be completed by April. The purpose of the project is to (1) assess MTC's network and data security vulnerabilities and propose solutions to high level weaknesses; (2) develop policies and guidelines to address vulnerabilities and to enhance security; (3) recommend security system changes based on findings; and (4) propose testing and monitoring tools to maintain compliance with policies developed in the aforementioned item 2.


5. Password and user account security

Observation

We noted that there were some issues surrounding password and user account security over the ATCAS system. The ATCAS database administrator ID and password are shared by four DOT system administrators as well as by WorldCom ETC IT administrators.


Implication

The use of shared IDs reduces individual accountability.

Recommendation

We recommend that separate administrator IDs should be established and limited to authorized individuals.

Management Response

Caltrans will evaluate the procedures and correct the use of shared account IDs.


6. Formal specific security policies and procedures over ATCAS System

Observation

While Caltrans has documented general IT security policy guidance, formal security procedures have not been developed or implemented for security administration over the ATCAS system. For example, we noted:

• A formal procedure for adding and removing users has not been established. Although an access request form exists, the lead software engineer accepts informal requests via the telephone.

• Periodic review and monitoring of security events and access privileges does not occur.

Implication

Lack of formal security control procedures increases the risk of unauthorized access to the ATCAS system.

Recommendation

Management should develop and implement formal security administration procedures in accordance with security policies to include:

• Formal authorization and documentation of security access requests

• Timely removal of terminated employee access

• Periodic review of the appropriateness of user access levels

• Technical security standards (password parameters, network, operating system, and database configuration settings, etc.)
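The recommended procedures above (formal authorization of access requests, timely removal of terminated employees' access and periodic review of access levels), together with the shared administrator ID noted in item 5, can be checked mechanically as part of a periodic access review. The following script is an added illustration and is not part of this report or of any MTC, Caltrans or ATCAS system; the account export, HR roster, approved-request log and field names (holders, privileged, last_login) are constructed assumptions, not any real system's schema.

```python
"""Access-review reconciliation over constructed sample data.

Added example (not part of the audit report): given an account export,
an HR roster and a log of approved access requests, flag the conditions
the recommendation lists: accounts with no approved request, accounts
still active after the holder's termination, shared administrator IDs
and dormant accounts. All data and field names are constructed.
"""
from datetime import date

REVIEW_DATE = date(2002, 6, 30)   # constructed review cut-off date
DORMANT_DAYS = 90                 # assumed threshold for a dormant account

# Constructed account export. "holders" lists every person known to use the
# ID; more than one holder means the credential is shared (item 5's concern).
ACCOUNTS = [
    {"id": "dba_admin", "holders": ["asmith", "bjones", "clee"],
     "privileged": True, "last_login": date(2002, 6, 28)},
    {"id": "asmith", "holders": ["asmith"],
     "privileged": False, "last_login": date(2002, 6, 29)},
    {"id": "dwong", "holders": ["dwong"],
     "privileged": False, "last_login": date(2002, 6, 20)},
    {"id": "eperez", "holders": ["eperez"],
     "privileged": False, "last_login": date(2002, 2, 1)},
    {"id": "tmp_vendor", "holders": ["unknown"],
     "privileged": True, "last_login": date(2002, 6, 1)},
]

# Constructed HR roster: a termination date of None means still employed.
HR_ROSTER = {
    "asmith": None, "bjones": None, "clee": None,
    "dwong": date(2002, 5, 15),   # terminated, but the account is still active
    "eperez": None,
}

# Constructed log of accounts that have an approved access request form.
APPROVED_REQUESTS = {"dba_admin", "asmith", "dwong", "eperez"}


def review_accounts(accounts, roster, approved, review_date=REVIEW_DATE,
                    dormant_days=DORMANT_DAYS):
    """Return a sorted list of (account_id, finding) tuples."""
    findings = []
    for acct in accounts:
        aid = acct["id"]
        # Formal authorization: every account must trace to an approved request.
        if aid not in approved:
            findings.append((aid, "no approved access request on file"))
        # Individual accountability: an ID used by several people is shared.
        if len(acct["holders"]) > 1:
            findings.append((aid, "credential shared by %d people"
                             % len(acct["holders"])))
        # Timely removal: holders must be on the roster and not terminated.
        for holder in acct["holders"]:
            if holder not in roster:
                findings.append((aid, "holder %s not on HR roster" % holder))
            elif roster[holder] is not None and roster[holder] <= review_date:
                findings.append((aid, "holder %s terminated %s, access not removed"
                                 % (holder, roster[holder].isoformat())))
        # Periodic review: accounts unused past the threshold need attention.
        if (review_date - acct["last_login"]).days > dormant_days:
            findings.append((aid, "dormant for more than %d days" % dormant_days))
    return sorted(findings)


def summarize(findings):
    """Count findings per account for the periodic-review report."""
    counts = {}
    for aid, _ in findings:
        counts[aid] = counts.get(aid, 0) + 1
    return counts


if __name__ == "__main__":
    for aid, text in review_accounts(ACCOUNTS, HR_ROSTER, APPROVED_REQUESTS):
        print("%-12s %s" % (aid, text))
```

Run against the constructed data, the review flags the shared database administrator ID, the account of a terminated employee that was never removed, a dormant account and a privileged account with neither an approved request nor a known holder; a real review would source the three inputs from the account export, the HR system and the access request forms rather than from inline constants.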

Management Response

Caltrans will evaluate the existing procedures and correct the processes consistent with this comment.


7. Secure Bridge Plaza Computer Rooms

Observation

During our visit we noted that the computer room at the Dumbarton Bridge plaza was not locked. A compensating physical access control does exist in that visitors to the bridge plazas must pass by the respective front desks, which are monitored by the bridge sergeants.

Implication

Lack of comprehensive physical security to the computer room increases the risk of unauthorized access to equipment and data.

Recommendation

We recommend that the computer rooms at bridge plazas be locked, with keys restricted to appropriate personnel.

Management Response

This is already a part of the Caltrans security policy. BATA has followed up with Caltrans personnel to have them reinforce the policy.


8. SunGard Bitech Disaster Recovery Plan

Observation

We noted that the SunGard Bitech Disaster Recovery Plan (DRP) is still in a draft form, and that there has been no testing as to the effectiveness of the DRP in recent years.

Implication

Without periodic testing, problems with the viability of the disaster recovery plan and related improvements may not be identified.

Recommendation

The disaster recovery plan should be finalized, implemented, and tested at least annually to ensure that it meets recovery objectives. Per discussion with management, a test is planned for the first quarter of calendar 2003. Management should follow up on the test results to ensure that an effective recovery plan is in place and that any exceptions are resolved.

Management Response

SunGard Bitech will test the DRP on February 4, 2003 at SunGard's recovery site in Philadelphia. Management will be provided a copy of the results.


III. STATUS OF PRIOR YEAR COMMENTS
METROPOLITAN TRANSPORTATION COMMISSION

Observation
Related party transactions

Status
Refer to current year comment #3.


BAY AREA TOLL AUTHORITY

A. Accounting and Operational

Observation
1. Type A maintenance receivable

Status
Refer to current year comment #1.

Observation
2. Timely reporting of expenses by Caltrans

Status
Implemented.


B. Computer Environment

Observation
3. Information technology security

Status
Partially implemented.

• The formal information security policy and security awareness program are still in process and have not yet been finalized. Refer to current year comment #4.

• Implemented.

• Implemented.