GOVERNANCE AND AUDIT COMMITTEE

Thursday, May 4, 2017

4:00 PM

Conference Room 157

County Government Center

70 West Hedding Street

San Jose, CA

AGENDA

CALL TO ORDER

1. ROLL CALL

2. PUBLIC PRESENTATIONS:

This portion of the agenda is reserved for persons desiring to address the Committee on

any matter not on the agenda. Speakers are limited to 2 minutes. The law does not

permit Committee action or extended discussion on any item not on the agenda except

under special circumstances. If Committee action is requested, the matter can be placed

on a subsequent agenda. All statements that require a response will be referred to staff

for reply in writing.

3. ORDERS OF THE DAY

CONSENT AGENDA

4. ACTION ITEM - Approve the Regular Meeting Minutes of March 2, 2017.

5. ACTION ITEM - Recommend that the Board of Directors: (1) adopt a resolution

amending the VTA Administrative Code to establish the 2016 Measure B Citizens’

Oversight Committee; and (2) approve the bylaws for that committee.

6. ACTION ITEM - Ratify appointments to the Bicycle & Pedestrian Advisory Committee

for the two-year term ending June 30, 2018.

7. RECESS TO CLOSED SESSION

A. THREAT TO PUBLIC SERVICES OR AGENCY INFORMATION

(Government Code Section 54957)

Consultation with Chief Information Officer, Gary Miskell

Santa Clara Valley Transportation Authority

Governance and Audit Committee May 4, 2017

8. RECONVENE TO OPEN SESSION

9. CLOSED SESSION REPORT

REGULAR AGENDA

10. ACTION ITEM - Review and receive the Auditor General's report on the IT

Development and Project Management Assessment.

11. ACTION ITEM - Review and receive the Auditor General's report on the Investment

Program Controls Internal Audit performed during Fiscal Year 2017.

12. INFORMATION ITEM - Receive an update from Auditor General Office staff on the

status of projects contained in the current Internal Audit Work Plan.

13. ACTION ITEM - Recommend Board approval of the Auditor General’s recommended

Internal Audit Work Plans for the next two fiscal years (FY) for a maximum amount of

$531,000 for FY 2018 and $465,000 for FY 2019.

OTHER ITEMS

14. Items of Concern and Referral to Administration.

15. Review Committee Work Plan. (Fernandez)

16. Committee Staff Report. (Fernandez)

17. Chairperson's Report. (Bruins)

18. Determine Items for the Consent Agenda for future VTA Board of Directors' meetings.

19. ANNOUNCEMENTS

20. ADJOURN

In accordance with the Americans with Disabilities Act (ADA) and Title VI of the Civil Rights

Act of 1964, VTA will make reasonable arrangements to ensure meaningful access to its

meetings for persons who have disabilities and for persons with limited English proficiency who

need translation and interpretation services. Individuals requiring ADA accommodations should

notify the Board Secretary’s Office at least 48-hours prior to the meeting. Individuals requiring

language assistance should notify the Board Secretary’s Office at least 72-hours prior to the

meeting. The Board Secretary may be contacted at (408) 321-5680 or

[email protected] or (408) 321-2330 (TTY only). VTA’s home page is www.vta.org

or visit us on www.facebook.com/scvta. (408) 321-2300: 中文 / Español / 日本語 /

한국어 / tiếng Việt / Tagalog.

Disclosure of Campaign Contributions to Board Members (Government Code Section 84308) In

accordance with Government Code Section 84308, no VTA Board Member shall accept, solicit,

or direct a contribution of more than $250 from any party, or his or her agent, or from any

participant, or his or her agent, while a proceeding involving a license, permit, or other

entitlement for use is pending before the agency. Any Board Member who has received a

contribution within the preceding 12 months in an amount of more than $250 from a party or

from any agent or participant shall disclose that fact on the record of the proceeding and shall not

make, participate in making, or in any way attempt to use his or her official position to influence

the decision. A party to a proceeding before VTA shall disclose on the record of the proceeding

any contribution in an amount of more than $250 made within the preceding 12 months by the

party, or his or her agent, to any Board Member. No party, or his or her agent, shall make a

contribution of more than $250 to any Board Member during the proceeding and for three

months following the date a final decision is rendered by the agency in the proceeding. The

foregoing statements are limited in their entirety by the provisions of Section 84308 and parties

are urged to consult with their own legal counsel regarding the requirements of the law.

All reports for items on the open meeting agenda are available for review in the Board

Secretary’s Office, 3331 North First Street, San Jose, California, (408) 321-5680, the Monday,

Tuesday, and Wednesday prior to the meeting. This information is available on VTA’s website

at http://www.vta.org and also at the meeting.

NOTE: THE BOARD OF DIRECTORS MAY ACCEPT, REJECT OR MODIFY

ANY ACTION RECOMMENDED ON THIS AGENDA.

Governance and Audit Committee

Thursday, March 2, 2017

MINUTES

CALL TO ORDER

The Regular Meeting of the Governance and Audit Committee (“Committee”) was called

to order at 4:03 p.m. by Chairperson Bruins in Conference Room 157, County

Government Center, 70 West Hedding, San Jose, California.

1. ROLL CALL

Attendee Name Title Status

Jeannie Bruins Chairperson Present

Cindy Chavez Member Present

Glenn Hendricks Member Present

Sam Liccardo Vice Chairperson Present

Teresa O'Neill Member Present

2. PUBLIC PRESENTATIONS:

There were no Public Presentations.

3. ORDERS OF THE DAY

Angelique M. Gaeta, Chief of Staff, noted the Auditor General's report on the IT

Development & Project Management Assessment will be heard at the next meeting.

CONSENT AGENDA

4. Regular Meeting Minutes of February 2, 2017

M/S/C (O’Neill/Hendricks) to approve the Regular Meeting Minutes of

February 2, 2017.

NOTE: M/S/C MEANS MOTION SECONDED AND CARRIED AND, UNLESS OTHERWISE INDICATED,

THE MOTION PASSED UNANIMOUSLY.

5. Appointments to the Committee for Transportation Mobility & Accessibility

M/S/C (O'Neill/Hendricks) to approve the appointment to the Committee for

Transportation Mobility & Accessibility for the four-year term ending

December 31, 2020 of Rowan Fairgrove, representing Seniors/Individuals with

Disabilities.

6. Appointments to VTA Policy Advisory Boards

M/S/C (O'Neill/ Hendricks) to approve appointments to VTA Policy Advisory Boards.

RESULT: APPROVED - Agenda Items #4 - 6

MOVER: O’Neill, Member

SECONDER: Hendricks, Member

AYES: Bruins, Chavez, Hendricks, O’Neill

NOES: None

ABSENT: Liccardo

Vice Chairperson Liccardo arrived at the meeting and took his seat at 4:12 p.m.

REGULAR AGENDA

7. FY18 & FY19 Internal Audit Work Plan Proposed Projects

Bill Eggert, Auditor General, provided a brief overview of the report and a presentation

entitled "Proposed FY18 & FY19 Internal Audit Work Plan Projects," highlighting the

following: 1) Content; 2) VTA Auditor General Responsibilities; 3) VTA's Internal Audit

Process; 4) FY17 Risk Assessment Refresh; 5) FY17 Risk Assessment Refresh - Heat

Map; 6) Proposed FY18 & FY19 Auditor General Projects; 7) Proposed Future Auditor

General Projects, and; 8) Proposed Recurring Auditor General Projects.

The Committee and staff discussed the following: 1) two people attended the annual

Public Audit meeting which was held on February 28, 2017; 2) order of proposed FY18

& FY19 Auditor General Projects; 3) suggest an updated Cyber Security Comprehensive

Risk Assessment be conducted due to new vulnerabilities, and; 4) VTA funding

structures and challenges will be addressed at the April 21, 2017, Board Workshop.

On order of Chairperson Bruins and there being no objection, the Committee reviewed

and provided direction on the Auditor General’s proposed list of potential one-time

projects (not recurring tasks) for the upcoming FY18 and FY19 Internal Audit Work

Plans.

8. Amend FY 2017 Internal Audit Work Plan

Mr. Eggert provided a brief overview of the staff report.

Discussion ensued about: 1) implied order of projects is based on timing, and; 2) suggest

a Metropolitan Transportation Commission (MTC)-initiated audit or independent third-

party audit of the MTC Allocation would be more persuasive.

M/S/C (O’Neill/Chavez) to approve amending the FY 2017 Internal Audit Work Plan to

defer one project to the next fiscal year due to VTA's revised project timeline and replace

it with a new high-priority project.

RESULT: APPROVED - Agenda Item #8

MOVER: O’Neill, Member

SECONDER: Chavez, Member

AYES: Bruins, Chavez, Hendricks, Liccardo, O’Neill

NOES: None

ABSENT: None

9. VTA State Lobbyist Report

Kurt Evans, State & Federal Government Affairs Manager, introduced Delaney Hunter of

Gonzalez, Quintana, Hunter & Cruz, VTA’s State lobbyist.

Ms. Hunter expressed concern about key transportation issues of interest to VTA which

are currently happening in Sacramento, highlighting: 1) Senate Bill (SB) 1,

Transportation Funding Package, Assembly Member Jim Beall, and; 2) Cap & Trade.

Ms. Hunter stated SB-1 does not currently have the required 2/3 super majority vote to

pass in the Senate, and a tremendous amount of hard work needs to take place to reach

that number. The bill has not been set on the Assembly side and currently lacks focus.

Ms. Hunter stated the Cap & Trade auction took place in February, 2017, resulting in

$8M for the Greenhouse Gas Reduction Fund. She noted this does not bode well for

transportation. She indicated there is hope and stated additional legislation would provide

more security around the Cap & Trade funding source.

Members of the Committee discussed the following: 1) possibility of getting a legislative

extension for the April, 2017, Cap & Trade auction; 2) requested a list of moderate

Democrats and Republicans that are not supportive of transportation projects, and;

3) tools to facilitate better outcomes.

Ms. Hunter reiterated the need to work together to preserve and maintain federal funding

for transportation projects.

On order of Chairperson Bruins and there being no objection, the Committee received

a report from VTA's state lobbyist, Gonzalez, Quintana, Hunter & Cruz.

OTHER ITEMS

10. Items of Concern and Referral to Administration

There were no Items of Concern and Referral to Administration.

11. Review Committee Work Plan

Ms. Gaeta briefly discussed items scheduled for the May 4, 2017, meeting including

several Auditor General items.

Chairperson Bruins stated the approval process for the 2016 Measure B Citizens'

Oversight Committee will be placed on the Regular Agenda of the March 2, 2017, VTA

Board of Directors (Board) meeting.

On order of Chairperson Bruins and there being no objection, the Committee reviewed

the Committee Work Plan.

12. Committee Staff Report

Ms. Gaeta noted Governance and Audit Committee items scheduled for the

March 2, 2017, Board meeting, including the approval of the appointment process for the

2016 Measure B Citizens' Oversight Committee.

Member Chavez expressed appreciation for the thorough presentation VTA provided on

the process. She expressed concern that the Transit Justice Community is not represented

and looks forward to discussion on that matter.

13. Chairperson's Report

There was no Chairperson’s Report.

14. Determine Items for the Consent Agenda for Future Board of Directors' Meetings

CONSENT:

Agenda Item # 8., Approve amending the FY 2017 Internal Audit Work Plan to defer

one project to the next fiscal year due to VTA's revised project timeline and replace it

with a new high-priority project.

REGULAR: None

15. ANNOUNCEMENTS

There were no Announcements.

16. ADJOURN

On order of Chairperson Bruins and there being no objection, the Committee was

adjourned at 4:53 p.m.

Respectfully submitted,

Anita McGraw, Board Assistant

VTA Office of the Board Secretary

Date: May 1, 2017

Current Meeting: May 4, 2017

Board Meeting: June 1, 2017

BOARD MEMORANDUM

TO: Santa Clara Valley Transportation Authority

Governance and Audit Committee

FROM: Elaine Baltao, Board Secretary

Robert Fabela, General Counsel

SUBJECT: Amend the VTA Administrative Code to Establish the 2016 Measure B Citizens

Oversight Committee and Approve the Committee Bylaws

Policy-Related Action: Yes Government Code Section 84308 Applies: No

ACTION ITEM

RECOMMENDATION:

Recommend that the Board of Directors: (1) adopt a resolution amending the VTA

Administrative Code to establish the 2016 Measure B Citizens’ Oversight Committee; and (2)

approve the bylaws for that committee.

BACKGROUND:

The VTA Administrative Code (“Admin Code”) prescribes the governance, administrative and

financial provisions of VTA including the powers and duties of officers, the method of

appointment of its governing board, committees and employees, and the methods, procedures,

and systems for the operation and management of the organization. It is the rulebook established

by the Board defining how VTA is structured and how it conducts its business. Amendments to

the Admin Code require Board adoption of a resolution specifying the changes.

VTA committee bylaws govern the proceedings of the committee and its meetings and must be

consistent with the Admin Code.

On November 8, 2016 the voters of Santa Clara County overwhelmingly approved Measure B

that enacted a thirty year ½ cent sales tax for transit and transportation improvements. The 2016

Measure B ballot specified VTA as the administrator of the tax, and that “an independent

citizens’ oversight committee shall be appointed to ensure that the funds are being expended

consistent with the approved Program.” The ballot also listed the specific duties and

responsibilities of the citizens’ oversight committee.

At its March 2, 2017 meeting, the Board of Directors, following the recommendation of the

Governance & Audit Committee, approved the appointment process for the 2016 Measure B

Citizens’ Oversight Committee.

DISCUSSION:

Submitted for Board consideration are: (1) proposed amendments to the Admin Code (shown on

Attachment A) to establish the 2016 Measure B Citizens’ Oversight Committee (“Committee”);

and (2) the proposed bylaws to govern the proceedings of the Committee and its meetings

(Attachment B). Both actions are in fulfillment of the 2016 Measure B ballot that requires

establishment of a citizens’ oversight committee to perform the specific duties defined in the

ballot.

The Committee bylaws were developed from the current bylaws for VTA’s advisory committees,

policy advisory boards, and the 2000 Measure A Citizens Watchdog Committee. They

incorporate the proven provisions of each where appropriate.

The most substantive recommended modifications to the Admin Code and the key provisions in

the Committee bylaws being established are:

A. Committee will serve during the term of the sales tax (April 2017 - March 2047) and for a

reasonable period thereafter necessary to complete its work. [Admin Code §4-35; page A2;

Bylaws §2.1, page B2]

B. Membership provisions consist of those approved by the Board on March 2, 2017 to assist

the committee in its task of evaluating revenues and project expenditures to ensure they are

being expended consistent with the approved program. These include: (A) Eight (8) voting

positions from defined areas of expertise and with required experience; (B) members must

be registered voters of Santa Clara County; (C) members cannot hold elected or appointed

office or be VTA or Member Agency staff; (D) four (4) year terms, limited to two (2)

consecutive terms. [Admin Code §4-36; starting Page A2; Bylaws §3.1, starting page B10]

C. Committee will meet a minimum of four (4) times per year. [Admin Code §4-40; page A3;

Bylaws §5.1, page B6]

D. Five (5) members required to establish a quorum; five (5) affirmative votes required to pass

an item. [Admin Code §4-40; page A3; Bylaws §5.4, page B7]

E. Due to the Committee duties and responsibilities being defined in the 2016 Measure B

ballot, establishment of and any modifications to the 2016 Measure B Citizens’ Oversight

Committee bylaws require the approval of the Board of Directors. [Admin Code §4-37;

page A3; Bylaws §7.1, page B10]

If approved by the Board, the provisions would take effect immediately.

ALTERNATIVES:

The Board could modify, reject or add certain provisions to the recommended bylaws for the

Committee or the Admin Code.

FISCAL IMPACT:

There is no direct fiscal impact associated with amending the VTA Administrative Code. Any

costs related to administration of the 2016 Measure B Citizens’ Oversight Committee will be

paid by 2016 Measure B funds.

Prepared by: Stephen Flynn, Advisory Committee Coordinator

Memo No. 6036

ATTACHMENTS:

A--Admin Code_01JUN2017.Proposed_CH4-SectionV (PDF)

B--2016 MBCOC_bylaws_01JUN2017_Proposed (PDF)

SANTA CLARA VALLEY

TRANSPORTATION AUTHORITY

ADMINISTRATIVE CODE

Adopted December 20, 1994

Effective January 1, 1995

With Amendments through January 5, 2017

Reprint 1/05/2017

Through Resolution 2017.01.03 and Board Action 1/05/17

Chapter 4

ADVISORY BOARDS AND COMMITTEES; OVERSIGHT COMMITTEES

...

Article V

Oversight Committees

Sec. 4-35. Overview; establishment.

The 2016 Measure B sales tax (“Measure B”) was approved by Santa Clara County

voters on November 8, 2016. The ballot specified VTA as the administrator of the tax, and

that “an independent citizens’ oversight committee shall be appointed to ensure that the funds

are being expended consistent with the approved Program.” The ballot also listed the specific

duties and responsibilities of the citizens’ oversight committee.

In accordance with the 2016 Measure B ballot, the VTA Board of Directors has

established the 2016 Measure B Citizens’ Oversight Committee (“Committee”) to perform the

specific duties defined in the ballot. The Committee shall serve during the term of the sales tax

(April 2017 – March 2047) and for a reasonable period thereafter necessary for the Committee

to complete its work.

Sec. 4-36. Membership; membership requirements; term of office.

The Committee shall be composed of eight (8) voting members. All members shall be

registered voters of Santa Clara County during their term. The Committee shall not have

alternate members. To assure independence, no elected or appointed public official shall be

appointed to the Committee. Further membership requirements may be established in the

bylaws for the committee.

The membership shall be comprised of individuals with relevant expertise and

experience necessary to assist the Committee in its task of evaluating 2016 Measure B revenues

and project expenditures to determine compliance with the commitments made to voters in the

ballot.

Committee members will be subject to VTA’s Conflict of Interest policies as specified

in the VTA Administrative Code. Members will also be required to complete and submit the

California Fair Political Practices Commission’s Form 700 – Statement of Economic Interests

at the required intervals.

Committee members shall be appointed for a four (4) year term, commencing on

January 1. Half the terms shall be staggered by a two-year interval. Members are limited to

two consecutive terms.

The Board of Directors shall approve all appointments to the 2016 Measure B Citizens’

Advisory Committee following an appointment process specified in the bylaws for the

committee.

Sec. 4-37. Bylaws.

Bylaws shall be established for the Committee for the conduct of its business. Bylaws

may be amended by the Committee by the affirmative vote of a majority of its total authorized

membership and with the approval of the Board of Directors. The Board of Directors may also

impose changes to the Committee bylaws it deems to be in the best interest of the public.

Sec. 4-38. Specific duties

The primary duty of the committee, as stated in the Measure B ballot, is to ensure that

Measure B funds are being expended consistent with the approved Measure B Program.

The specific duties and tasks of the 2016 Measure B Citizens’ Oversight Committee

shall be established in its bylaws based on those defined in the Measure B ballot. The VTA

Board of Directors may approve additional tasks for the committee that align, but do not

conflict with, its Measure B duties.

Sec. 4-39. Staff support; expense; reimbursement for travel to/from Committee meetings.

Agendas, public noticing, minutes and other staff services shall be furnished to the

Committees as directed by the General Manager and in compliance with the Ralph M. Brown

Act (commencing with Section 54950 of the Government Code).

VTA shall provide reasonable resources necessary for the Committee to fulfill its duties

as specified in the Measure B ballot.

VTA shall reimburse to each Committee member, upon request thereof, the actual cost

of travel to and from a scheduled 2016 Measure B Citizens’ Oversight Committee or

subcommittee meeting. Cost of travel consists of actual fare paid if by public transportation or

paratransit, and current IRS mileage rate if by automobile.

No individual member of the Committee shall be entitled to reimbursement for travel or

other expenses except as authorized by the Board Chairperson or the General Manager.

Sec. 4-40. Meetings; Quorum; Voting.

The committee shall meet a minimum of four times per year. The presence of five (5)

members shall constitute a quorum for the transaction of business. All acts of the Committee

shall require the presence of a quorum and the affirmative vote of a majority of the total

membership (five (5) members).

BYLAWS FOR THE 2016 MEASURE B CITIZENS’ OVERSIGHT COMMITTEE

Article I

GENERAL PROVISIONS

§1.1 Purpose

These Bylaws govern the proceedings of the 2016 Measure B Citizens’ Oversight

Committee, an independent oversight committee established by provision of the 2016 Measure B

ballot approved by Santa Clara County voters on November 8, 2016.

The 2016 Measure B ballot specified that “an independent citizens’ oversight committee shall

be appointed to ensure that the funds are being expended consistent with the approved Program.”

The ballot also listed the Committee’s specific duties and responsibilities, which are incorporated

into these bylaws (§2.1).

§1.2 Construction of Bylaws

Unless the provisions or the context of these Bylaws otherwise require, the general

provisions, rules of construction and definitions set forth in Chapter 1 of the VTA Administrative

Code shall govern the construction of these Bylaws. As used in these Bylaws, “Committee” means

the 2016 Measure B Citizens’ Oversight Committee. These Bylaws shall govern the Committee’s

proceedings to the extent they are not inconsistent with VTA’s Administrative Code or law.

§1.3 Definitions

a. As used in these Bylaws, “Board of Directors” means the Board of Directors of the Santa

Clara Valley Transportation Authority (VTA).

b. As used in these Bylaws, “chairperson” means the chairperson of the Committee.

c. As used in these Bylaws, “secretary” means the secretary of the Committee.

d. As used in these Bylaws, “Member Agency” means the County of Santa Clara or a city within

Santa Clara County.

e. As used in these Bylaws, “2016 Measure B” or “Measure B” means the 2016 Measure B

Transportation Sales Tax approved by Santa Clara County voters on November 8, 2016.

Article II

DUTIES AND AUTHORITY

§2.1 Mission and Duties

The Committee is an independent body, established by the VTA Board of Directors in

accordance with the provisions and intent of the 2016 Measure B ballot. Its purpose shall be to

ensure that 2016 Measure B funds are being expended consistent with the approved programs.

The Committee does not advise, report to, or take direction from the VTA Board of

Directors. Instead, it reports to the residents of Santa Clara County and derives its authority from the

ballot measure.

Policy-related decisions for the 2016 Measure B Program, including the composition,

implementation, completion schedule, and funding level of specific projects in the Program

Categories specified in the ballot are the responsibility of the VTA Board of Directors.

The mission and duties of the Committee shall be:

MISSION:

To ensure that 2016 Measure B funds are being expended consistent with the approved

Measure B Program.

DUTIES:

The Committee shall serve as the independent Citizens’ Oversight Committee for the 2016

Measure B Transportation Sales Tax during the term of the sales tax (April 2017 – March

2047) and for a reasonable period thereafter necessary for the Committee to complete its

work.

The Committee shall provide independent verification that the tax revenue collected under

the 2016 Measure B Transportation Sales Tax is being expended appropriately to deliver the

projects and programs described in the ballot measure. The specific duties of the Committee,

as specified in the 2016 Measure B ballot, shall be:

Select a qualified, independent professional audit firm to conduct an audit of the

revenues and expenditures.

Direct the independent auditor to conduct an annual audit that will review the receipt of

revenue and expenditure of funds.

Hold at least one public hearing prior to issuing the Committee’s annual report, which

hearing(s) shall be subject to the Brown Act and may be part of the Committee’s regular

or special meetings.

Issue a report annually to inform the residents of Santa Clara County how the

funds are being spent. The report shall indicate, based upon the independent audit,

whether the public’s money is being expended for the purposes as described in the

ballot measure or adjusted as circumstances warrant through the required approval

process. The report shall indicate the results of the independent audit, public hearing

and any additional findings the Committee may have.

Request from time to time a status report and/or presentation from project sponsors

charged with delivering the various projects under this measure on their progress and

expenditures.

In addition, the Committee shall be responsible for:

Independently reviewing and assessing appeals from project applicants/sponsors

regarding disagreements or differences in interpretation of project awards, program or

project requirements, or other Measure B matters. This shall include communicating in

writing to the project applicant/sponsor and affected VTA staff the Committee’s finding

on the matter, after conducting a public hearing.

In the event they disagree with the findings of the Committee, project

applicants/sponsors will have the ability to appeal the results of the Committee’s

independent assessment to the VTA Board of Directors. Included in the information

provided to the Board of Directors on the appeal will be the Committee’s written

assessment and finding(s) on the matter, and any other records relating to the

Committee’s public hearing.

§2.2 Limitations on Authority

The Committee shall have no independent duties other than those specified in these bylaws.

The Committee shall have no authority to take actions that bind VTA or the Board of Directors. No

expenditures or requisitions for services and supplies shall be authorized by the Committee except

for reasonable expenditures and requisitions in fulfillment of 2016 Measure B ballot duties. No

individual member of the Committee shall be entitled to reimbursement for travel or other expenses

except as authorized by the Board of Directors or General Manager.

Article III

MEMBERSHIP

§3.1 Membership

The Committee shall be composed of eight (8) voting members. All members shall be

registered voters of Santa Clara County during their term. The Committee shall not have alternate

members due to its need for expertise, specific experience and continuity of knowledge.

To assure independence, no member of the Board of Directors or alternate, VTA Policy

Advisory Committee member or alternate, or other elected public official shall be appointed to the

Committee. Appointees to other VTA boards and committees are not eligible to serve. Committee

members may not be employed by VTA or any of its Member Agencies during their term. If any

applicant for the Committee holds such office or position, he or she may apply for this Committee

subject to his or her commitment to resign from that office or position prior to serving on the

Committee.

The membership shall be comprised of individuals with relevant expertise and experience

needed to assist the Committee in its task of evaluating 2016 Measure B revenues and project

expenditures to determine compliance with the commitments made to voters in the ballot. The

membership will consist of individuals that fulfill the following area-of-expertise criteria:

(1) A retired federal or state judge or administrative law judge or an individual with experience

as a mediator or arbitrator.

(2) A professional from the field of municipal/public finance with a minimum of four years

relevant experience.

(3) A professional with a minimum of four years of experience in management and

administration of financial policies, performance measurement and reviews.

(4) A professional with demonstrated experience of four years or more in the management of

large scale construction projects.

(5) A regional community organization representative with at least one year of decision making

experience.

(6) A regional business organization representative with at least one year of decision making

experience.

(7) A professional with four years of experience in organized labor.

(8) A professional with a minimum of four years of experience in educational administration at

the high school or college level.

Each member shall represent only one of the eight (8) specified areas of expertise. If

following a good-faith effort this is not achieved, then no more than two members from one of the

other areas of expertise may be selected. In addition, reasonable effort shall be made where possible

in appointments to balance the geographic regions of the County. The Board of Directors may, with

reasonable cause, redefine these areas of expertise.

Committee members will be subject to VTA’s Conflict of Interest policies as specified in the

VTA Administrative Code. Members are prohibited from acting in any commercial activity directly

or indirectly involving VTA, such as being a consultant to VTA or to any party with pending legal

action against VTA during their tenure. Members shall not have direct commercial interest or

employment with any public or private entity which receives sales tax funds authorized by this

Measure. Members will be required to complete and submit the California Fair Political Practices

Commission’s Form 700 – Statement of Economic Interests at the required intervals.

The application process shall be open to provide qualified citizens the opportunity to

participate. Applications for vacant positions shall be submitted online at a dedicated site

administrated by VTA or by alternative submittal if the dedicated site is unavailable. Applications

received will be reviewed by an Evaluation Subcommittee of the Board of Directors appointed by the

Board Chairperson. The Subcommittee will submit eligible candidates to the Governance & Audit

Committee, who will recommend finalist candidates to the Chairperson. The Board Chairperson will

then determine candidates to submit for Board of Directors’ approval.

§3.2 Members’ Terms

Committee members shall be appointed for a four (4) year term, commencing on January 1.

Terms shall be staggered to ensure continuity of knowledge and relevant expertise; half (four (4)) of

the terms shall be offset by a two-year interval from the remaining ones in accordance with the

schedule for staggered terms established at initial appointment of Committee members. Members

are limited to two consecutive terms.

§3.3 Vacancies

Vacancies shall be filled from the same category of expertise that the original appointment

was from, where reasonably possible, in accordance with the criteria defined in §3.1.

Article IV

OFFICERS

§4.1 Chairperson and Vice Chairperson

The Committee shall elect from its membership a chairperson and a vice chairperson at its

last meeting of the calendar year, where feasible, to serve for a one-year term effective January 1 of

the next calendar year. Members are eligible to serve multiple terms.

In the event of a vacancy in the chairperson’s position, the vice chairperson shall succeed as

chairperson for the balance of the chairperson’s term and the Committee shall elect a successor to fill

the vacancy in the vice chairperson’s position as provided in the following. In the event of a vacancy

in the vice chairperson’s position, the Committee shall elect a successor from its membership to fill

the vice chairperson’s position for the remainder of the vice chairperson’s term.

The chairperson shall preside at all meetings of the Committee and represent the Committee

before the Board of Directors or its committees as needed. The chairperson, in consultation with the

Committee staff liaison, may identify items of interest for future committee agendas that are relevant

to the Committee’s mission and duties.

The vice chairperson shall perform the duties of the chairperson when the chairperson is

absent.

The Committee shall appoint a nomination subcommittee to identify Committee members

interested in serving as chairperson and/or vice chairperson. Members willing to serve in either of

these positions may submit their names to the nomination subcommittee for nomination. Members

may also submit names of other members for nomination. The nomination subcommittee shall

verify that members whose names have been submitted are willing to serve in those positions. The

nomination committee shall submit to the Committee the names of those members having indicated

a willingness to serve in either or both of the positions. In addition, the nomination subcommittee

may make a recommendation for election of any Committee member indicating his/her willingness

to serve. Notwithstanding these procedures, any member may nominate a member from the floor.

§4.2 Secretary

The Secretary of the Board of Directors shall furnish administrative support services to

prepare and distribute the Committee’s agendas, notices, minutes, correspondence and other

documents and shall assign an employee to attend each meeting of the Committee to serve in the

capacity as the Committee’s secretary. The secretary shall maintain a record of all proceedings of the

Committee as required by law and shall perform other duties as provided in these Bylaws.

Article V

MEETINGS

§5.1 Regular Meetings

Regular meeting dates and times shall be established by the Committee in consultation with

the General Manager and Secretary of the Board of Directors. Effort shall be made to establish

regularly recurring cyclical meeting dates that maximize Committee member attendance. The

Committee meeting shall be conducted at the VTA Administrative Offices, 3331 North First Street,

San Jose, California. The Committee shall meet a minimum of four (4) times per year.

Whenever a regular meeting falls on a holiday observed by VTA, the meeting shall be held

on another day or, in consultation with the General Manager and Secretary of the Board of Directors,

canceled at the direction of the Committee. A rescheduled regular meeting shall be designated a

regular meeting.

§5.2 Special Meetings

A special meeting may be called by the chairperson with the approval of the General

Manager. The meeting shall be called and noticed as provided in Section 5.3 below.

§5.3 Calling and Noticing of Meetings

All regular and special meetings shall be called, noticed and conducted in accordance with

the applicable provisions of the Ralph M. Brown Act (commencing with Section 54950 of the

Government Code). The General Manager and General Counsel shall be given notice of all

meetings.

§5.4 Quorum; Vote; Committee of the Whole

The presence of five (5) members shall constitute a quorum for the transaction of business.

All acts of the Committee shall require the presence of a quorum and the affirmative vote of a

majority of the total membership (five (5) members). At any regularly called meeting not held

because of a lack of a quorum, the members present may constitute themselves a “committee of the

whole” for the purpose of discussing matters on the agenda of interest to the committee members

present. The committee of the whole shall automatically cease to exist if a quorum is present at the

meeting.

§5.5 [Reserved]

§5.6 Thirty Minute Rule

If a quorum has not been established within thirty minutes of the noticed starting time for the

meeting, the secretary and clerical support staff may be excused from further attendance at the

meeting.

§5.7 Absences

A member is allowed to be absent from 50% of regular Committee meetings in any twelve-

month period. The position may be vacated upon an absence in excess of that limit.

§5.8 Matters Not Listed On the Agenda Requiring Committee Action

Except as provided below, a matter requiring Committee action shall be listed on the posted

agenda before the Committee may act upon it. The Committee may take action on items not

appearing on the posted agenda only upon a determination by a two-thirds vote of the Committee, or

if less than two-thirds of the members are present, a unanimous vote of those members present, that

there is a need to take immediate action AND the need to take action came to the attention of the

Committee subsequent to the agenda being posted.

§5.9 Time Limits for Speakers

Each member of the public appearing at a Committee meeting shall be limited to two minutes

in his or her presentation. However, the time limit may be adjusted, at the discretion of the

Chairperson, to such time as the Chairperson may determine to be reasonable under the specific

circumstances. Any person addressing the Committee may submit written statements, petitions or

other documents to complement his or her presentation.

§5.10 Impertinence; Disturbance of Meeting

Any person making personal, impertinent or indecorous remarks while addressing the

Committee may be barred by the chairperson from further appearance before the Committee at that

meeting, unless permission to continue is granted by an affirmative vote of the Committee. The

chairperson may order any person removed from the Committee meeting who causes a disturbance

or interferes with the conduct of the meeting, and the chairperson may direct the meeting room

cleared when deemed necessary to maintain order.

§5.11 Access to Public Records Distributed at Meeting

Writings distributed during a Committee meeting shall be made available for public

inspection at the meeting if prepared by VTA or a member of the Committee, or after the meeting if

prepared by some other person. All such writings become public records and are treated as such.

Article VI

AGENDAS AND MEETING NOTICES

§6.1 Agenda Format and Content

The agenda shall specify the starting time and location of the meeting and shall contain a

brief general description of each item of business to be transacted or discussed at the meeting. The

description shall be reasonably calculated to adequately inform the public of the subject matter of

each agenda item.

Items may be referred for inclusion on an agenda by: (1) the General Manager; (2) the

Committee Chairperson, in consultation with the Committee Staff Liaison; and (3) the Committee,

with a quorum present and upon the affirmative vote of a majority of the members present. Other

entities or individuals may request that the Committee include specific items on its agenda, but the

decision to do so rests with the Committee and its chairperson. The order of business shall be

established by the secretary with the approval of the chairperson.

§6.2 Public Presentations

Each agenda for a regular meeting shall provide an opportunity for members of the public to

address the Committee on matters of interest to the public either before or during the Committee’s

consideration of the item, if it is listed on the agenda, or, if it is not listed on the agenda but is within

the jurisdiction of the Committee, under the agenda item heading “Public Presentations.” The

Committee shall not act upon an item that is not listed on the agenda except as provided under

Section 5.8. Each notice for a special meeting shall provide an opportunity for members of the

public to directly address the Committee concerning any item that has been described in the notice

for the meeting before or during consideration of that item.

§6.3 Agenda Preparation

The secretary shall prepare the agenda for each meeting in consultation with VTA staff and

the Committee Chairperson. Material intended for placement on the agenda shall be delivered to the

secretary on or before 12:00 Noon on the date established as the agenda deadline for the forthcoming

meeting. The secretary may withhold placement on the agenda of any matter which is not timely

received, lacks sufficient information or is in need of staff or other review and report prior to

consideration by the Committee.

§6.4 Agenda Posting and Delivery

The written agenda for each regular meeting and each meeting continued for more than five

calendar days shall be posted by the secretary at least 72 hours before the meeting is scheduled to

begin. The written agenda for every special meeting shall be posted by the secretary at least 24 hours

before the special meeting is scheduled to begin. The agenda shall be posted in a location that is

freely accessible to members of the public. The agenda together with supporting documents shall be

delivered to each Committee member, the General Manager and General Counsel at least three days

before each regular meeting and at least 24 hours before each special meeting.

§6.5 Meeting Notices

The secretary shall provide notice of every regular meeting, and every special meeting which

is called at least three days prior to the date set for the meeting, to each person who has filed with

VTA a written request for notice as provided in Section 54954.1 of the Government Code. The

notice shall be sent at least three days prior to the date set for the meeting. Notice of special

meetings called less than seven days prior to the date set for the meeting shall be given as the

secretary deems practical.

Article VII

MISCELLANEOUS

§7.1 Adoption and Amendment of Bylaws

Establishment of these Bylaws shall be approved by the Board of Directors. Any

subsequent amendment thereof shall require the affirmative vote of a majority of total Committee

membership and the approval of the Board of Directors. For efficiency, the VTA General Manager,

in consultation with the General Counsel, is authorized to make minor, non-substantive corrections

and adjustments to these bylaws to correct errors and to reflect ongoing practice adopted by the

Committee.

The Board may also impose changes to the bylaws that it deems to be in the best interests of

the community.

§7.2 Rosenberg’s Rules

All rules of order not herein provided for shall be determined in accordance with Rosenberg’s

Rules of Order, latest edition.

Adopted by the Board of Directors: (approval date)

Date: April 27, 2017

Current Meeting: May 4, 2017

Board Meeting: N/A

BOARD MEMORANDUM

TO: Santa Clara Valley Transportation Authority

Governance and Audit Committee

THROUGH: General Manager, Nuria I. Fernandez

FROM: Board Secretary, Elaine Baltao

SUBJECT: Ratification of Appointments to the Bicycle & Pedestrian Advisory Committee

Policy-Related Action: No

Government Code Section 84308 Applies: No

ACTION ITEM

RECOMMENDATION:

Ratify appointments to the Bicycle & Pedestrian Advisory Committee for the two-year term

ending June 30, 2018.

BACKGROUND:

The Bicycle & Pedestrian Advisory Committee (BPAC) advises the VTA Board of Directors on

planning and funding for bicycle and pedestrian projects and issues. The BPAC consists of 16

voting members, one appointed by each of VTA’s Member Agencies (the 15 cities in the county

and the County of Santa Clara), and one non-voting member and alternate appointed by the

Silicon Valley Bicycle Coalition (SVBC). The BPAC also serves as the countywide bicycle and

pedestrian advisory committee for the County of Santa Clara.

The BPAC bylaws specify that the appointment term is two years and that members may be

appointed to successive terms. Committee members must live, work or both in Santa Clara

County during their term. Voting members of the Committee must also be a representative of

the Member Agency’s local bicycle advisory committee or, for Member Agencies without a local

bicycle advisory committee, their representative must be an individual who lives or works in the

local jurisdiction and is interested in bicycle or pedestrian issues. BPAC members are precluded

from representing a Member Agency that is their employer.

The process to fill BPAC vacancies is that staff notifies the appointing authority of the vacancy

or approaching term expiration and provides the current membership requirements. The

appointing authority then appoints one member for the designated membership position. For

vacancies occurring mid-term, the bylaws specify that they be filled for the remainder of the term

by the appointing authority. In both cases, the Governance & Audit Committee must ratify the

appointment.

DISCUSSION:

The Town of Los Altos Hills has appointed Susan Cretekos as its new representative on the

BPAC, replacing Breene Kerr who relocated out of the area.

Ms. Cretekos is a Los Altos resident, having lived there for over 55 years. She owns a

preschool in Los Altos, and has worked as a preschool Director and teacher for over 40 years in

Los Altos. Prior to that, she was a supervisor at an electronics manufacturing company. She

earned her undergraduate degree in Education.

Ms. Cretekos is a regular bicyclist and avid walker/hiker and equestrian. She is an avid patron of

the paths in Los Altos Hills, regularly riding and biking there as well as Shoreline Park and Mid-

Peninsula Open Space District properties.

Her civic and charitable activities include serving on the Los Altos Hills Pathway Committee.

She has also previously served as a PTA president, Cub Scout leader, Sunday school teacher, a

member of the 4H, and a member of the Los Altos Hills Horseman's Association.

The City of Gilroy has appointed Carolyn Schimandle as its new representative on the BPAC,

replacing David Almeida who resigned due to schedule conflicts.

Ms. Schimandle, a Gilroy resident, is a Northern California native, having lived in the South

County area her entire life except for a brief period spent in Sacramento for work. She works for

Santa Clara County Parks as a Parks Program Coordinator for Interpretation and Outdoor

Recreation where she plans interpretation and education programs and materials, and works on

museum collections and archives policy and procedures. Most of her work currently focuses on

Martial Cottle Park in south San Jose. Prior to that, she worked for the California State Parks for

many years, and in high tech, including at Apple. Her education includes earning a Bachelor’s

degree in Music (Clarinet Performance) from the San Francisco Conservatory of Music, a

Bachelor of Science in General Engineering - Computer Science from San Jose State University,

and a Master’s degree in Public History from the California State University - Sacramento.

Ms. Schimandle is an avid bicyclist, including using it to commute. She regularly commutes,

weather and schedule permitting, all or part way from Gilroy to San Jose. Most of her errands

are also made via bike. When she lived in Sacramento, she commuted by bike nearly every day.

She was a member of the Almaden Cycle Touring Club before moving to Sacramento, where she

became an active member of the Sacramento Bike Hikers.

Her civic and charitable activities include serving as the historian for the California State Parks

Ranger Association. She also served as a La Leche League leader for several years in San Jose

and South County and on the board of the Sacramento County Historical Society.

The City of Cupertino has appointed Erik Lindskog as its new representative on the BPAC,

replacing Gary Jones who resigned due to personal reasons.

Mr. Lindskog, who lives in Cupertino, has lived there since 2006 and in the Bay Area since

1999. Mr. Lindskog currently works in wireless design at Qualcomm, a field that has been his

profession at several companies in the past. He earned Master of Science degrees in

Engineering Physics from Uppsala University, Sweden and Applied Physics and Electrical

Engineering from Case Western Reserve University. He also earned his Ph.D. in Signal

Processing from Uppsala University, Sweden. In addition, he has also visited and conducted

research at Northeastern University in Boston and at Stanford University.

Mr. Lindskog is currently a Bicycle and Pedestrian Commissioner for Cupertino and has a

long-standing interest in, and practical experience of, getting around by bicycle and on foot in

cities in North America, Scandinavia, UK, Europe and India.

Based on their qualifications, expertise and community service, staff recommends that the Board

ratify these appointments.

ALTERNATIVES:

The Board could choose to not ratify any or all of these appointments and could request that the

appointing authority appoint another representative.

FISCAL IMPACT:

There is no fiscal impact as a result of this action.

Prepared by: Stephen Flynn, Advisory Committee Coordinator

Memo No. 6074

Date: April 26, 2017

Current Meeting: May 4, 2017

Board Meeting: June 1, 2017

BOARD MEMORANDUM

TO: Santa Clara Valley Transportation Authority

Governance and Audit Committee

FROM: Auditor General, Bill Eggert

SUBJECT: IT Development and Project Management Assessment

Policy-Related Action: No

Government Code Section 84308 Applies: No

ACTION ITEM

RECOMMENDATION:

Review and receive the Auditor General's report on the IT Development and Project

Management Assessment.

BACKGROUND:

IT Development and Project Management Assessment is one of the projects contained in the

Board-approved FY 2017 Internal Audit Work Plan. The Auditor General’s Office completed

this project between August and December 2016 and the attached report is the result of that

review.

VTA has complex operations to support the Santa Clara Valley’s transportation needs, which

require diverse and innovative information technology (IT). VTA’s IT department resides in the

Business Services division and is managed by VTA’s Chief Information Officer (CIO)/Chief

Technology Officer (CTO). Although VTA has an IT department, it is not currently responsible

for management and/or oversight of all technology operations at VTA. Instead, VTA currently

utilizes a decentralized model that has certain technology operations being managed by other

departments with limited or no IT oversight.

DISCUSSION:

The objective of this review was to: (1) obtain an understanding of VTA’s Information

Technology, Operational Technology Project Management Methodology, and System

Development Lifecycle (SDLC) processes and internal controls; (2) assess the design and

operating effectiveness of supporting internal controls and compliance with internal control

frameworks; and (3) identify opportunities for process and control improvements.

Based on the work performed, an overall report rating of High was assigned to help management

understand our assessment of the overall design and effectiveness of the controls evaluated

during the review. This was based on five observation categories, two of which were rated High,

one as Medium, and two as Low. Our recommendations addressed the following areas:

IT governance and risk management

Management roles and responsibilities for technology

Decentralized operations and non-standard policies and procedures

Change management processes and controls

Project management methodology and production environment monitoring

Strategic IT performance management

In addition, we included one recommendation for VTA to undergo an independent entity-wide

comprehensive IT risk assessment. This recommendation was not rated but is included as a

proposed project in the Auditor General’s Recommended FY18 & FY19 Internal Audit Work

Plan that the Governance & Audit Committee and Board will consider at their May and June

2017 meetings, respectively.

Management concurs with the recommendations identified and has committed to implement the

recommended mitigation actions by the end of December 2017.

Recommendations for improvement or efficiency opportunities contained in this report are

presented for the consideration of VTA management, which is responsible for the effective

implementation of any action plans.

FISCAL IMPACT:

There is no financial impact associated with acceptance of this report.

Prepared by: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator

Memo No. 5713

ATTACHMENTS:

A--IT Development and Project Management Assessment (PDF)

IT Development and Project Management Assessment Auditor General Report No. 2017-01

April 20, 2017

IT Development and Project Management Assessment Auditor General Report Issued: April 20, 2017

© 2016 RSM US LLP. All Rights Reserved.

EXECUTIVE SUMMARY

Overall Rating (See Appendices A and B for definitions)

Area: IT Development and Project Management

Report Rating: High

Number of Observations by Risk Rating: High 2, Medium 1, Low 2

Background

VTA has complex operations to support the Santa Clara Valley’s transportation needs, which require diverse and innovative information technology (IT). VTA’s IT department resides in the Business Services Division and is managed by VTA’s Chief Information Officer (CIO). Although VTA has an IT department, there are several decentralized technology operations managed by other departments with limited or no IT oversight.

Due to the complexity of VTA’s organizational structure and rapidly evolving technology needs, the VTA Board approved an IT Development and Project Management Assessment within the FY 2017 Internal Audit Work Plan. The Auditor General’s Office completed this project between August and December 2016.

This review was performed in accordance with the Standards for Consulting Services issued by the American Institute of Certified Public Accountants. This report is intended for use by VTA’s Board of Directors, Governance & Audit Committee, and management. Recommendations for improvement are presented for management’s consideration, and management is responsible for the effective implementation of corrective action plans.

Objective and Scope

The objective of this review was to:

Obtain an understanding of VTA’s Information Technology Project Management Methodology and System Development Lifecycle (SDLC) processes and internal controls

Assess the effectiveness of design and operation of supporting internal controls and compliance with these frameworks, as applicable

Identify opportunities for process and control improvements

The work steps completed, as well as the scope and risks covered in the assessment, are detailed in Appendix B.

We would like to thank those who assisted us throughout this review. Questions should be addressed to Bill Eggert, Auditor General, in the VTA Auditor General’s Office at [email protected].

Overall Summary and Review Highlights

VTA has employed a decentralized IT operations and project management model to meet its rapidly accelerating and complex technology needs. Based on our review, we did not find sufficient evidence to support that technology risks and basic project management requirements were defined or properly considered agency-wide by VTA management.

VTA has limited agency-wide governance and oversight of technology operations. As a result, management has not adequately implemented comprehensive processes and controls for high-risk technology processes, such as change management. In addition, the availability and reliability of information was limited due to many ad-hoc, non-standard, and undocumented processes. Overall, ineffective technology governance and oversight of the technology change management process resulted in a substantial number of control design exceptions identified during our review.

An overall report rating of High was assigned to help management understand our assessment of the overall design and effectiveness of the controls assessed during our review. Recommendations are described in detail beginning on page 4 and include the following key recommendations:

Centralize organizational responsibility for technology governance, risk management, and operational oversight

Define technology roles and responsibilities agency-wide

Standardize policies and procedures for change management and other critical technology processes agency-wide

Due to the specific scope of this review and observations identified related to agency-wide technology governance and risk management, we are also recommending an independent, comprehensive, entity-wide IT Risk Assessment described on page 14.


IT Development and Project Management Assessment Auditor General Report Issued: April 20, 2017

3 © 2016 RSM US LLP. All Rights Reserved.

OBSERVATIONS SUMMARY

Following is a summary of observations noted in the areas reviewed.

Definitions of the observation rating scale are included in Appendix A.

Ratings by Observation

Observation Title Rating

1. AGENCY-WIDE OVERSIGHT OF DECENTRALIZED TECHNOLOGY OPERATIONS High

2. CHANGE MANAGEMENT PROCESS AND CONTROLS High

3. PROJECT MANAGEMENT METHODOLOGY AND MONITORING Medium

4. IT GOVERNANCE AND STRATEGIC ALIGNMENT Low

5. STRATEGIC IT PERFORMANCE MANAGEMENT Low

Other Auditor General Recommendations

Recommendation Title Rating

6. COMPREHENSIVE IT RISK ASSESSMENT Not Rated


DETAILED OBSERVATIONS

1. Agency-wide Oversight of Decentralized Technology Operations

Observation: VTA has decentralized technology operations but has not established IT oversight responsibilities agency-wide nor implemented a comprehensive technology internal control framework and policies to manage change and technology risks.

Recommendation: VTA centralize organizational responsibility for technology governance, risk management, and operational oversight; implement agency-wide technology control framework and standards for critical technology processes.

Management’s Action Plan

Observation Rating: High

1.1 Although VTA has a Chief Information Officer and Information Technology (IT) department, critical technology, such as transit operations and scheduling applications including Supervisory Control and Data Acquisition (SCADA) and Trapeze OPS, is managed primarily outside of the IT department. There is minimal oversight from IT for these applications because VTA has not clearly established governance requirements and oversight responsibilities for technology operations outside of IT. For the specific technology processes in scope of this review, VTA did not have clearly defined roles and responsibilities, nor consistently defined and enforced IT controls agency-wide. For example, VTA did not establish and communicate policy requirements for the systems development life cycle (SDLC), which should define the agency-wide requirements for the planning, analysis, design, implementation and maintenance of information systems at VTA. In addition, there was no evidence during our review that VTA had established and consistently implemented a technology governance and control framework agency-wide, both internally and for vendor-assisted services. The combination of VTA’s complex transit and decentralized technology operations with limited required IT governance and control increasingly makes VTA susceptible to strategic, reputational, operational, and financial risks.

1.1.a We recommend that VTA centralize organizational responsibility for technology governance, risk management, and operational oversight. For the IT scope items covered in this review, including project management and change management, we recommend that the centralized IT business process owner develop agency-wide standards and policies in conjunction with stakeholders, communicate policies to all pertinent parties, both internally and externally when necessary, and oversee compliance agency-wide.

1.1.a VTA management agrees with the recommendation. We will modify and enhance our existing processes, policies and procedures to include all information technology, IT business processes, governance, technology risk management, project management and change management oversight agency-wide, promulgating them accordingly. To achieve this, management will leverage our existing Information Technology and Innovation governance program to include all VTA information technology projects and programs, not just those within the IT department. VTA has a proven existing technology governance process using the Technology Steering Committee (TSC). The TSC charter has already been modified to include all agency-wide technology projects, systems and efforts, and the modified charter has been approved by the TSC.

Responsible Party: Director of Business Services and Chief Information Officer

Target Date: 10/31/2017


1.1.b As part of the centralization of IT responsibility and establishment of agency-wide standards, we recommend that VTA evaluate existing IT governance and control practices and implement an industry-accepted control framework. Fully implementing a formal control framework will help management maximize the value of IT and effectively manage IT risk.

1.1.b VTA management agrees. We will evaluate our existing IT governance and control practices and modify and enhance them as needed to incorporate agency-wide application while also enhancing effectiveness. The new agency-wide policy and procedures will include the industry-accepted control framework, and will have the Technology Steering Committee as the governance control point.

Responsible Party: Director of Business Services and Chief Information Officer

Target Date: 10/31/2017


1.2 IT management did not readily provide a centralized, agency-wide application inventory with clear definitions for any subsets of applications distinguished by management during our interviews (e.g. key and non-key, critical, etc.). Although certain lists were made available during and after completion of fieldwork, the various application lists obtained did not include known applications, such as SCADA and SAP (VTA’s enterprise-wide financial and operations application), nor had the defining attributes for each item been completed to indicate the list provided was current, complete, and accurate. The disparate nature and general lack of availability of the information requested illustrated inadequate processes and oversight of critical technology information that is necessary for effective business decision making.

1.2 In order to ensure IT applications are appropriately managed, we recommend that VTA leverage existing documentation and develop a process to document and maintain a centralized, agency-wide IT application inventory. We also recommend that management clearly define any relevant attributes for each application, such as assessment of criticality, operational status, owning department, technical owner, etc. Maintaining an accurate IT application inventory is a critical component to ensuring applications are governed by agency-wide IT standards and will facilitate better understanding of IT costs and associated technology risks for various applications.

1.2 VTA management concurs with the recommendation. Prior to the Auditor General’s review, the IT Department had begun the process of deploying a new change management procedure and supporting change management tool. Accordingly, the scope of the deployment is being updated to be an agency-wide change management procedure and supporting change management tool. The technology change management tool contains an inventory of all applications and documents all relevant application attributes.

Responsible Party: Technology – Chief Information Officer

Target Date: 10/31/2017


2. Change Management Process and Controls

Observation: VTA does not have formal, standard IT change management processes and procedures in place to ensure all changes to IT infrastructure are adequately controlled to minimize risk.

Recommendation: Automate and centralize existing change management processes and enforce the Change Management policy by consistently documenting, evaluating, prioritizing, authorizing, testing, and monitoring changes to minimize adverse impacts to VTA and increase efficiency.

Management’s Action Plan

Observation Rating: High

2.1 The Change Management Policy and Process provided by management did not have evidence of approval. The scope of Change Management policy applies to “hardware, network, software, application, environment, system, desktop build or associated documentation,” but we were only able to evaluate changes that could be identified from existing repositories. We were able to identify technology projects on the IT project management SharePoint site, SAP changes logged in the Magic ticketing system, as well as approved capital projects. We evaluated changes for compliance with the Change Management Policy and Process provided and found that it was not consistently adhered to by VTA. The policy provides robust guidelines for changes to ensure all changes are initiated, controlled, evaluated, built, tested, implemented, and reviewed appropriately; however, these change management policy requirements were only partially met by VTA for the samples inspected during our review. We identified the following examples of failures to comply with policy during our review:

Technology Service Request (TSR) forms were not used for all non-standard technology change requests

TSR forms submitted for SAP changes did not have the Technical Assessment completed by IT to determine the type of change, development effort, cost estimate, defined responsibilities, and corresponding requirements

SAP changes were not assigned the correct change types (standard, minor, major, and significant) per policy

Changes were not consistently evaluated to understand potential implications of the proposed change, including possible impacts to business or other technology, resources and previously approved schedules

Test plans for changes were not clearly defined, documented, performed, nor tracked centrally to document evidence of testing results

Changes did not document required back-out or rollback plans

2.1.a We recommend that VTA update, review, and formally approve the Change Management policy and process documents, ensuring that best practices are retained and any changes as a result of this review be incorporated.

2.1.a VTA management agrees. We will review, modify and enhance as necessary our existing Change Management policy and process documents to reflect agency-wide application and also incorporate best practices and recommended improvements from this review.

Responsible Party: Technology – Chief Information Officer

Target Date: 10/31/2017

2.1.b We recommend that VTA develop and deliver change management training to the relevant teams and personnel involved. For example, management and end-users must be trained on the proper method to submit and approve requests, whereas all relevant employees must be trained on the types of changes, requirements to develop changes, testing requirements before implementation, and other related change management procedures.

2.1.b VTA management agrees. We will leverage our existing Change Management training developed for just IT Department staff and revise it accordingly to make it most effective for all affected staff.

Responsible Party: Technology – Technology Manager

Target Date: 10/31/2017 (programs and materials revised and training of staff initiated)


2.2 Although VTA’s Change Management Policy and Process defines a Change Management Database (CMDB) where all changes are tracked and documented from initiation through implementation and review, VTA does not currently track and document all technology changes centrally. As a result, there are instances where technology changes may be implemented entirely outside of a formal process with limited or no documentation. During our review, SAP was the only application where we observed changes documented in the Magic ticketing system. SAP Request For Changes (RFC) were initiated with a paper request called a TSR form and were subsequently recorded in the ticketing system. 63 SAP changes were documented as complete in Magic during FY 2016. The changes we observed in Magic had inconsistent use of data fields and change attributes, and certain fields did not appear to be utilized by IT personnel. In addition, the 63 changes in FY 2016 were completed an average of 87 days after the assigned due date in the system, and only one of the changes was completed before the due date.

2.2.a We recommend that VTA leverage available software and develop a process where all technology requests for changes agency-wide are required to be tracked in a central ticketing system. Where feasible, we recommend that management automate processes and approval workflows to maximize efficiency and standardize the change management process.

2.2.b In addition, we recommend that management clearly define all relevant change attributes and requirements within the system that align with the Change Management policy and process requirements. As a result, data will become more relevant and reliable to the organization and process performance can be monitored and managed to meet the needs of operations.

2.2.a VTA management agrees. Prior to completion of the Auditor General’s review, IT had begun the process to deploy a new change management procedure and supporting change management tool. The change management tool will contain central ticketing, automated workflow and technology application inventory including all relevant attributes. VTA will expand the scope of the deployment to be agency-wide and cover all applications.

Responsible Party: Technology – Technology Manager

Target Date: 10/31/2017

2.2.b VTA management agrees. The change management tool will incorporate all relevant change attributes as defined in the agency-wide Change Management policy and process being developed. The agency-wide change management procedure and supporting change management tool will significantly improve VTA’s monitoring capabilities.

Responsible Parties: Technology – Technology Manager

Target Date: 10/31/2017


2.3 Based on our review, we identified users with write/edit access to both the development and production environments of SAP. Although management has implemented the use of SAP’s Governance, Risk, and Compliance (GRC) tool to evaluate SAP user conflicts, the GRC does not assess user conflicts in other key applications due to system limitations. In addition, the GRC tool was unable to detect the segregation of duties (SOD) conflict that exists when a user has access to both the development and production environments. There is not a process in place to monitor and manage segregation of duties between development and production environments for all internally hosted applications at VTA. Separate from preventing conflicts with user access controls, VTA also has not implemented a potential control to mitigate some of the risk associated with these segregation of duties conflicts. An IT tool such as LogRhythm, which IT has currently configured to monitor one IT application, could potentially be configured to monitor and detect unauthorized changes to production environments and mitigate the risk of unauthorized changes to technology.

2.3 We recommend that VTA develop a consistent and well-defined process to manage logical user access and provisioning for development and production environments for all internally hosted applications at VTA to reduce segregation of duties conflicts and minimize the risk of unauthorized changes. When management determines that conflicts cannot be eliminated due to business needs, we recommend that VTA implement appropriate mitigating controls so that potential control failures can be detected and resolved. VTA may consider configuring LogRhythm or other industry-accepted application for mitigation efforts.

2.3 VTA management agrees. Prior to the Auditor General’s review, VTA had developed an implementation plan and approved funding to implement advanced cyber security hardware and software solutions that include mitigating user access and segregation of duties risks. In addition, the Change Management ticketing solution will improve VTA’s ability to track and monitor user access, which will be configured to track all agency-wide application access levels, both major and minor, as well as permissions when applicable.

Responsible Party: Technology – Chief Information Officer & Technology Manager

Target Date: 12/31/2017


3. Project Management Methodology and Monitoring

Observation:

VTA does not have a formal project management methodology that is consistently utilized and monitored for execution.

Recommendation:

VTA formally define a project management methodology, when and for which technology projects its use is required, as well as standards for monitoring and reporting on projects.

Management’s Action Plan

Observation Rating: Medium

3.1 VTA has multiple types of Technology projects, including capital projects approved by the Capital Improvement Program Oversight Committee (CIPOC) and managed by various departments; IT technology projects managed by the IT Department funded through the operating budget, as well as other technology changes ranging in complexity and cost.

Although VTA’s IT Department has implemented a Project Management Office (PMO) and deployed a SharePoint site to be used for centralized project management, there is not a formal project management process or methodology that is consistently utilized on all Technology projects agency wide.

3.1.a As a part of overall IT governance and technology roles and responsibilities, we recommend that VTA formalize its technology project management methodology and define when and under what circumstances it must be employed.

3.1.b In addition, we recommend that management identify and train relevant employees and project managers to enhance overall project quality, efficiency, and consistency of monitoring of deliverables agency-wide.

3.1.a VTA management agrees. We will modify and enhance our existing information technology project management methodology as needed in order for it to be used as an agency-wide information technology process solution, including under what criteria it is required to be utilized. This process will include focusing on enhancing the level of formalization and documentation.

Responsible Party: Technology – Technology Manager

Target Date: 12/31/2017

3.1.b VTA management agrees. IT will identify and ensure that relevant staff are appropriately trained in order to enhance technology project quality, efficiency, and consistency of deliverables agency-wide. To achieve this, we will leverage the combination of: (1) the existing project management training developed for IT Department staff, revising it accordingly to be effective for all applicable staff throughout the organization, and (2) the existing project management training available in SuccessFactors.

Responsible Party: Technology – Technology Manager

Target Date: 12/31/2017 (programs and materials revised and training of staff initiated)


3.2 Technology Project Managers and PMO staff typically only monitor the project’s budget consumption, which does not assess a project’s progress against the project schedule, budget and delivery of scope. Without a formal project management methodology there are limited standards for project monitoring, which is often ad-hoc and inconsistent across projects.

3.2 We recommend that management enhance existing project monitoring controls and establish requirements for project managers to evaluate a project’s progress at a given point in time, with forecasting for completion, final cost, and variance analysis. For example, management may consider earned value analysis (EVA) as part of Technology Project Management methodology. Management may also consider including this analysis as part of standard project reporting, including updates made to the CIPOC, to improve project transparency and accountability.

3.2 VTA management agrees to modify and strengthen our existing processes and documents in this regard to apply to new technology projects, systems and programs in all VTA divisions and departments, subject to the Chief Information Officer’s review and evaluation of the specific operational needs of each project.

VTA will add appropriate monitoring mechanisms to its Technology Project management methodology. This will include, but not be limited to, adding to the “Project Status” section within the CIPOC report two additional reporting categories for IT projects that require this level of control, such determination made by the Chief Information Officer. The project monitoring categories that will be added include: (1) Budgeted Cost of Work Scheduled (BCWS); and (2) Budget Cost of Work Performed (BCWP). An evaluation will also be conducted to determine the value of adding the same or similar monitoring mechanisms to TSC reports.

Responsible Party: Technology – Technology Manager

Target Date: 12/31/2017


3.3 VTA’s capital projects request forms require planned funding and expenditures for each submission. In some instances when a project’s scope includes a technology component, the underlying expense assumptions are estimates that do not include a thorough technical functional evaluation that adequately considers project requirements to estimate cost. Without an adequate technical assessment, scope changes or budget augmentations have been needed to deliver the original project scope of work.

3.3 We recommend that capital projects with a technology component, even if the project will not be managed by IT, include a thorough technology assessment with appropriate expertise to develop refined budget assumptions as part of the project application process.

3.3 VTA management agrees. VTA will modify the Capital Project Request Form process and associated forms to require that, for large-scale or multi-year capital project requests that have a software application, IT hardware, CCTV, radio or related technology, the program manager must submit a specific supplemental form (“Schedule T”) for Chief Information Officer evaluation and approval before the project is submitted to the Budget Department for consideration. Lack of an approved Schedule T will disqualify the project from further consideration.

Responsible Party: Technology (Technology Manager) and Finance (Fiscal Resource Manager)

Target Date: 10/31/2017


4. IT Governance and Strategic Alignment

Observation: VTA has established governance functions through its Technology Strategy document and steering committees, but they do not consistently have management participation and alignment with VTA’s strategic objectives.

Recommendation: We recommend that VTA enhance the current technology governance process to require oversight by the General Manager, as well as enhancing requirements for the steering committees to encourage management accountability.

Management’s Action Plan

Observation Rating: Low

4.1 VTA has taken initial steps to implement IT governance, including the Technology Strategy document completed by the CIO. The Technology Strategy document includes charters for the Technology Working Group (TWG) and Technology Steering Committee (TSC), which are comprised of senior management and are responsible for IT strategic planning, policy, and staff oversight of projects. However, the TSC charter does not define requirements for meeting frequency nor documentation standards, and based on our testing, six of the twelve scheduled TSC meetings in FY16 were cancelled. Upon further review and inquiry with management, we verified that the Technology Strategy had not been formally reviewed and approved by executive management outside of IT, the General Manager, nor the VTA Board, to ensure agreement on alignment with business objectives and overarching technology governance strategies.

4.1.a We recommend that VTA enhance the overall value of the existing Technology Strategy document by formalizing the process whereby key components, including technology roles and responsibilities and performance standards, are regularly reviewed and updated to align with VTA’s strategic objectives. In addition, we recommend that VTA executive management and the General Manager review and approve the Technology Strategy to promote management understanding and support of VTA’s technology strategy.

4.1.a VTA management agrees and has completed implementation of the recommended actions, which were initiated prior to the Auditor General’s review. To that end, under the direction of the Business Services Director the Technology strategic plan, Technology Vision, was created on December 14, 2016. This plan was reviewed and approved by the General Manager in January 2017 and also presented that same month to VTA executive managers for their review and input.

Per the Technology Steering Committee charter, Technology Vision was presented to the TSC and approved on January 23, 2017. The Technology Steering Committee is the formal review and final approval for all technology programs including the Technology Strategy. The revised TSC charter also provides for ongoing periodic review of Technology Vision to ensure alignment with VTA’s Strategic Plan.

Responsible Party: Director of Business Services and Chief Information Officer

Target Date: 1/23/2017 – Action Completed


4.1.b We recommend that VTA update the TWG and TSC charters to include requirements for meeting frequency (e.g. monthly), meeting minutes, as well as attendance (i.e. quorum) to enhance management accountability and participation in IT governance.

4.1.b VTA management agrees. The Chief Information Officer submitted these recommendations to the Technology Steering Committee (TSC) at the January 23, 2017 meeting. The TSC took under consideration a number of potential amendments of the TSC charter. The Committee approved amending the charter to incorporate these suggestions, which was accomplished by adding a new meeting logistics section.

Responsible Party: Technology – Chief Information Officer

Target Date: 1/26/2017 – Action Complete


5. IT Performance Monitoring

Observation: Technology performance monitoring does not include metrics and KPIs that adequately monitor technology change management or project management processes.

Recommendation: We recommend that VTA enhance existing metrics and KPIs for both technology change management and project management processes to adequately monitor process effectiveness and efficiency and drive continuous improvement.

Management’s Action Plan

Observation Rating: Low

5.1 Although VTA has taken preliminary steps to monitor IT performance, the metrics and KPI Dashboard provided by IT do not adequately monitor the technology change management or project management processes covered in the scope of this review. The majority of the dashboard metrics monitored were end-customer / user measurements, and did not include metrics for IT internal business process results that drive achievement of strategic objectives. Effective performance monitoring relies on alignment of metrics and KPIs with organizational goals and is dependent on the availability of relevant, accurate data. For the specific processes covered during the scope of this review, VTA’s decentralized and manual processes dramatically affect its ability to understand agency-wide technology operations and costs, and subsequently monitor performance.

5.1 We recommend that VTA evaluate the quality and availability of information and subsequently enhance existing metrics and KPIs for both technology change management and project management processes to adequately monitor process effectiveness and efficiency and drive continuous improvement.

5.1 VTA management agrees. Prior to the Auditor General’s review, the IT Department had begun the process of deploying a new change management procedure and supporting change management tool. The scope of this deployment is being expanded to encompass the agency-wide change management procedure and the supporting change management tool. Included in the change management tools are a set of well-defined industry-standard KPIs and a management dashboard. The project management process will monitor and track all technology projects agency-wide to support successful project delivery and continuous improvement.

Responsible Party: Technology – Technology Manager

Target Date: 10/31/2017


6. Comprehensive IT Risk Assessment

Rating: Not Rated

Recommendation:

Due to the nature of the governance and control weaknesses identified during our limited scope focused on change management, we recommend that VTA undergo an independent entity-wide IT risk assessment. A comprehensive, entity-wide IT risk assessment will allow VTA management to obtain a more thorough understanding of risk as it pertains to VTA’s existing technology, operations, and governance environment. Considerations in the assessment could include the following scope areas:

Business process and IT support structures
IT general controls not covered in this review
Evaluation of existing IT risks, such as:
  o Network Administration
  o Business Continuity Planning
  o Regulatory Compliance
  o Cybersecurity
Benchmarking of IT practices

By performing further analysis, VTA can develop a strategic IT roadmap and remediation plan that effectively aligns technology with VTA’s strategic business objectives and agency-wide IT risk management and governance needs.


APPENDIX A—RATING DEFINITIONS

Observation Risk Rating Definitions

Low: Process improvements exist but are not an immediate priority for VTA. Taking advantage of these opportunities would be considered best practice for VTA.

Medium: Process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be considered in the near term.

High: Significant process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be addressed immediately.

Not Rated: Observation identified is not considered a control or process improvement opportunity but should be considered by management or the board, as appropriate.

Report Rating Definitions

Low: Adequate internal controls are in place and operating effectively. Few, if any, improvements in the internal control structure are required. Observation should be limited to only low risk observations identified or moderate observations which are not pervasive in nature.

Medium: Certain internal controls are either:
  o Not in place or are not operating effectively, which in the aggregate, represent a significant lack of control in one or more of the areas within the scope of the review.
  o Several moderate control weaknesses in one process, or a combination of high and moderate weaknesses which collectively are not pervasive.

High: Fundamental internal controls are not in place or operating effectively for substantial areas within the scope of the review. Systemic business risks exist which have the potential to create situations that could significantly impact the control environment. Significant/several control weaknesses (breakdown) in the overall control environment in part of the business or the process being reviewed. Significant non-compliance with laws and regulations. High risk observations which are pervasive in nature.

Not Rated: Adequate internal controls are in place and operating effectively. No reportable observations were identified during the review.


APPENDIX B — SCOPE, WORK PLAN AND BACKGROUND

FIELDWORK DATES: August 22, 2016 to December 2, 2016

WORK STEPS COMPLETED: The following steps were taken to complete our analysis and deliver a report with recommendations:

Kickoff meeting and preliminary documentation review
Walkthroughs and interviews with Information Technology and Operations Technology key personnel
Documentation of processes and controls
Design and operating effectiveness testing of key controls
Identification of recommendations and opportunities for improvement

SCOPE AND KEY RISK AREAS Examine the policies, processes, and controls in place around VTA’s Information Technology and Operation Technology Project Management and systems development. The review focused on the following risk areas:

IT strategic planning
IT project management methodology
IT methodology/ framework(s)
Systems development life cycle (SDLC)
Change management
IT Vendor / Third Party Management, specific to project management and SDLC
Budgeting controls

NOTE: SCADA technology operations was specifically excluded from the scope of this review because it is managed by a separate team, outside of Information Technology with limited to no agency-level technology oversight.


RSM US LLP 100 W. San Fernando Street, Suite 460

San Jose, CA 95113 408.5724450

www.rsmus.com

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP. © 2016 RSM US LLP. All Rights Reserved.


Date: April 26, 2017

Current Meeting: May 4, 2017

Board Meeting: June 1, 2017

BOARD MEMORANDUM

TO: Santa Clara Valley Transportation Authority

Governance and Audit Committee

FROM: Auditor General, Bill Eggert

SUBJECT: Investment Program Controls Internal Audit -- FY 2017

Policy-Related Action: No Government Code Section 84308 Applies: No

ACTION ITEM

RECOMMENDATION:

Review and receive the Auditor General's report on the Investment Program Controls Internal Audit performed during Fiscal Year 2017.

BACKGROUND:

Investment Program Controls is one of the projects contained in the Board-approved FY 2017 Internal Audit Work Plan. The Auditor General’s Office completed this project between March and April 2017 and the attached report is the result of that review.

VTA has a Treasury function responsible for managing VTA’s investment portfolio in unrestricted and restricted funds. As of December 2016, the total value of the investment program was approximately $1.3 billion. Investment decisions are guided by a Board-adopted policy to help ensure successful and prudent management of public funds and avoid inordinate risk. This policy requires the Auditor General to perform a review of the internal controls within the investments process every second year (biennially).

DISCUSSION:

In March 2017, the Auditor General’s Office initiated the Investment Program Controls Internal Audit. The objective of this review was to evaluate the effectiveness of the design and operation of the investment controls to assess whether reasonable safeguards are in place to minimize VTA’s exposure to unreasonable financial loss or reputational damage as a result of its investment program.


Based on the work performed, it is our conclusion that VTA’s investment program controls are designed and operating effectively since our testing of 12 key controls did not result in any exceptions or control deficiencies. Due to this, an overall report rating was not assigned.

Dating back to 2010, the Auditor General has identified no medium or high-risk observations for investment program controls and evidence continues to demonstrate management’s effective operation of internal controls. Although existing policy requires Auditor General review of VTA’s investment program controls every two years, we recommend that the Board consider revising the existing Investment Policy to lengthen the interval between required internal audit reviews from a biennial to triennial (every third year) basis. This would allow for reallocation of Auditor General resources to other projects focused on areas of higher risk.

FISCAL IMPACT:

There is no financial impact associated with acceptance of this report.

Prepared by: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator

Memo No. 5982

ATTACHMENTS:

A--Investment Program Controls IA--FY17 (PDF)


Investment Program Controls Internal Audit Auditor General Report No. 2017-02

April 20, 2017


Investment Program Controls Internal Audit Auditor General Report Issued: April 20, 2017


EXECUTIVE SUMMARY

Overall Rating (See Appendix A for definitions)

Investment Program Controls
Report Rating: Not Rated
Number of Observations by Risk Rating: High 0, Medium 0, Low 0

Background

VTA has a Treasury function that is responsible for managing VTA’s investment portfolio in unrestricted and restricted funds. As of December 2016, the total value of the program was approximately $1.2 billion. VTA’s investment program is required to comply with the California Government Section 53601 et seq. and the VTA Board-approved “Investment of Unrestricted and Restricted Funds” policy. The Investment Policy requires the Auditor General to perform a review of the internal controls within the investments process every other year (biennially).

A component project contained in the Board-approved FY 2017 Internal Audit Work Plan is this Investment Program Controls Internal Audit. The Auditor General’s Office completed this review in April 2017. This review, as are all Auditor General reviews, was performed in accordance with the Standards for Consulting Services issued by the American Institute of Certified Public Accountants.

This report was prepared for use by VTA’s Board of Directors, Governance and Audit Committee, and management. Recommendations for improvement are presented for management’s consideration and management is responsible for the effective implementation of corrective action plans.

Objective and Scope

The objective of this review was to assess whether reasonable safeguards are in place to minimize VTA’s exposure to unreasonable financial loss or reputational damage as a result of its investment program. Fieldwork was completed in March and April 2017 with the following scope areas:

Fund and investment portfolio compliance with VTA policies and applicable legislative / government requirements
Periodic investment program controls
Segregation of duties
Third-party service organization / custodial agents internal controls

Our engagement consisted of a review of existing policies, processes and procedures; staff interviews; process walkthroughs; and sample testing to validate design and operating effectiveness of internal controls for the scope areas described above.

Overall Summary and Review Highlights

Based on the work performed, it is our conclusion that VTA’s investment program controls are designed and operating effectively since our testing of 12 key controls did not result in any exceptions or control deficiencies.

Testing completed in our review covered the key scope areas, including key controls that require Investment Policy approval, management review of investment performance report, investment accounting, and estimated net cash needs review.

An overall report rating was not assigned because there are adequate internal controls in place and operating effectively to mitigate risk and no reportable observations were identified during the review.

Auditor General reviews of VTA’s investment program controls have not resulted in any medium or high-risk observations since 2010 and controls continue to operate effectively. Although current Board policy requires this audit to be conducted on a biennial basis, the Auditor General recommends consideration be given to extending the period between reviews to three years (a triennial audit cycle).

With effective internal controls, VTA continues to mitigate the inherent risk of its investment program. If the Board determines that the residual risk is of an acceptable level, lengthening the required audit interval would allow Auditor General resources to be reallocated to other programmatic areas of higher risk.

We would like to thank those who assisted us throughout this review. Questions should be addressed to Bill Eggert, Auditor General, in the VTA Auditor General’s Office at [email protected].


OBSERVATIONS SUMMARY

There were no risk-rated observations identified during our review. Below is the “Not Rated” observation and recommendation identified for consideration.

Definitions of the observation rating scale are included in Appendix A.

Other Auditor General Observations

Rating: Not Rated

Dating back to 2010, the Auditor General has identified no medium or high-risk observations for investment program controls and evidence continues to demonstrate management’s effective operation of internal controls. Although existing policy requires Auditor General reviews of VTA’s investment program controls every two years, we recommend that the Board consider revising the existing Investment Policy to lengthen the interval between required internal audit reviews of investment internal controls from a biennial to triennial basis. The Auditor General has assessed that the inherent risk of the investment program continues to be effectively mitigated by key controls as substantiated in the recurring Auditor General reviews. If the Board concludes that risk is at an acceptable level because of effective internal controls and results presented in this report, VTA can determine to reduce the frequency of the internal audits of investment program controls and allow for reallocation of Auditor General resources to Internal Audit projects focused on areas of higher risk.


APPENDIX A—RATING DEFINITIONS

Observation Risk Rating Definitions

Low: Process improvements exist but are not an immediate priority for VTA. Taking advantage of these opportunities would be considered best practice for VTA.

Medium: Process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be considered in the near term.

High: Significant process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be addressed immediately.

Not Rated: Observation identified is not considered a control or process improvement opportunity but should be considered by management or the board, as appropriate.

Report Rating Definitions

Low: Adequate internal controls are in place and operating effectively. Few, if any, improvements in the internal control structure are required. Observation should be limited to only low risk observations identified or moderate observations which are not pervasive in nature.

Medium: Certain internal controls are either:
  o Not in place or are not operating effectively, which in the aggregate, represent a significant lack of control in one or more of the areas within the scope of the review.
  o Several moderate control weaknesses in one process, or a combination of high and moderate weaknesses which collectively are not pervasive.

High: Fundamental internal controls are not in place or operating effectively for substantial areas within the scope of the review. Systemic business risks exist which have the potential to create situations that could significantly impact the control environment. Significant/several control weaknesses (breakdown) in the overall control environment in part of the business or the process being reviewed. Significant non-compliance with laws and regulations. High risk observations which are pervasive in nature.

Not Rated: Adequate internal controls are in place and operating effectively. No reportable observations were identified during the review.


Date: April 26, 2017

Current Meeting: May 4, 2017

Board Meeting: N/A

BOARD MEMORANDUM

TO: Santa Clara Valley Transportation Authority

Governance and Audit Committee

FROM: Auditor General, Bill Eggert

SUBJECT: Review Status of Internal Audit Work Plan

FOR INFORMATION ONLY

VTA’s Auditor General is responsible for developing and recommending the annual Internal Audit Work Plan, assigning and managing the resources required to conduct each internal audit or project, and providing project results and progress reports to the Governance & Audit Committee.

To keep members informed, the Auditor General's Office provides at each Governance & Audit Committee meeting a report on the current status of the Internal Audit Work Plan and its component projects. This includes an update on the projects currently underway as well as the projected order and estimated completion schedule of the remaining projects.

Prepared By: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator

Memo No. 1896


Internal Audit Work Plan Status Report

Project / Activity

Governance & Audit Committee Meeting, FY17: Nov 2016, Dec 2016, Feb 2017, Mar 2017, May 2017, June 2017

IT Development and Project Management Assessment

Inventory Management and Costing Assessment

Recommended FY18 & FY19 Internal Audit Work Plans

Follow Up: Sheriff’s Office Contract Compliance

Investment Controls (every two years per Board Policy)

Inventory and Assets Held at Outreach

Interagency Agreements Risk Assessment

BART Silicon Valley Extension (Contractor Compliance)

Records Management Program Assessment

Follow Up: Trapeze Ops Pre-Implementation Review

Follow Up: Operator Scheduling Review

Follow Up: Public Safety Process Assessment

Note: the timelines reflected above are estimates and may be subject to change due to scheduling constraints and/or Board requests.

In progress – On Hold

In progress

Plan Complete

Report Complete

In progress

In progress

Report Complete

Report Complete

Report Complete

In progress

In progress

In progress


Internal Audit Work Plan Status Report – Completed Projects

Project / Activity

Board Meeting (FY16, FY17): May 2016, June 2016, Oct 2016, Dec 2016, Jan 2017, Mar 2017

Grants Management and Compliance Assessment

Procurement and Contracts Process Assessment: Follow-Up

Alum Rock BRT Project Construction Delay Assessment

Paratransit Operations Assessment – Phase II Testing

Succession Planning Process Assessment

Risk Assessment Refresh

Follow-up: Third-party Fare Reporting Process Assessment

Follow-up: ATU Pension Review

Express Lane Funding and Operations Assessment

Follow up: Timekeeping and Payroll Process Review

Follow up: Investment Program Controls Internal Audit

Complete

Completed

Completed

Note: the projects above are considered completed when the Auditor General’s report is noted on the meeting agenda and accepted by the full Board. Completed reports are available on the VTA website under the Board meeting agenda.

Completed

Completed

Completed

Completed

Completed

Completed

Completed

Completed


Date: April 26, 2017

Current Meeting: May 4, 2017

Board Meeting: June 1, 2017

BOARD MEMORANDUM

TO: Santa Clara Valley Transportation Authority

Governance and Audit Committee

FROM: Auditor General, Bill Eggert; General Manager, Nuria Fernandez

SUBJECT: Recommended FY 2018 & FY 2019 Internal Audit Work Plans

Policy-Related Action: No Government Code Section 84308 Applies: No

ACTION ITEM

RECOMMENDATION:

Recommend Board approval of the Auditor General’s recommended Internal Audit Work Plans for the next two fiscal years (FY) for a maximum amount of $531,000 for FY 2018 and $465,000 for FY 2019.

BACKGROUND:

VTA’s Auditor General is responsible for assisting the Board of Directors in fulfilling its fiduciary responsibilities of overseeing risks and controls in financial reporting, financial integrity, reputation and public perception of the organization, and program activities. The Auditor General has a direct reporting relationship to the Board and Governance & Audit Committee and an administrative reporting relationship to the General Manager. The Auditor General is, among other duties, responsible for:

Developing and recommending the annual Internal Audit Work Plan
Assigning and managing the audit resources required to conduct each internal audit or project
Providing audit results and progress reports to the Governance & Audit Committee and Board

The VTA Board of Directors has contracted with RSM LLP to serve as its Auditor General and perform internal audit and consultative functions.


To develop its recommended internal audit work plan, the Auditor General’s Office annually facilitates a high-level risk assessment of significant current or future potential financial, business or reputational risks to VTA. These risks are derived from a combination of interviews with key management, trends or issues in the business or governmental sectors, working knowledge of the organization, and input solicited from the GM/CEO and senior staff. The auditable risks are then identified, prioritized and considered for potential projects in the recommended work plan for the upcoming fiscal year or two. The results of the Risk Assessment Refresh conducted during FY 2017 were presented to the Governance and Audit Committee in September and to the Board at its October 2017 meeting.

DISCUSSION:

Following review and direction by the Governance & Audit Committee, the Auditor General’s Office, in collaboration with management, used the results from the Risk Assessment Refresh and developed cost estimates for potential Auditor General projects. The product of this process is the Auditor General’s recommended FY 2018 and FY 2019 Internal Audit Work Plans, shown on Attachment A. It should be noted that, based on the complexity and timing of some projects combined with the availability of resources, not all potential projects contained in the Risk Assessment Refresh are included in the Recommended Internal Audit Work Plans for FY 2018 & FY 2019 and thus may be recommended for subsequent years.

VTA Internal Audit Work Plans consist of three sections based on the specific activities or responsibilities each addresses: (1) standing (recurring) Auditor General activities such as the annual risk refresh and support of the Ethics Hotline; (2) new one-time internal audit projects or assessments; and (3) Supplemental Work Allowance (SWA). SWA is comprised of a small quantity of pooled funds pre-approved by the Board for specific allocation by the Governance & Audit Committee at its discretion to respond to changing conditions and events or to address levels of effort that need to be adjusted from the initial estimate.

The Governance & Audit Committee considered the Auditor General’s proposed projects for the FY 2018 & FY 2019 Internal Audit Work Plans at its March 2017 meeting. The Committee requested additional information about VTA’s cyber security processes and controls from management. Cyber security was not discretely identified in the Risk Assessment Refresh Heat Map results presented in September 2016. As a result, the Auditor General added Cyber Security to the Heat Map presented in Attachment A and included a proposed Cyber Security Assessment that the Committee can choose to either include, defer or delete from the recommended FY 2018 Internal Audit Work Plan. Cyber security risks to VTA will be discussed in Closed Session at the May 4, 2017 Governance & Audit Committee meeting; this item precedes Committee consideration of the recommended Internal Audit Work Plans for the next two years.


The recommended FY 2018 & FY 2019 Internal Audit Work Plans are shown on Attachment A. The recommended plan for FY 2018 has a combined maximum cost of $531,000, which includes the optional Cyber Security Assessment for $66,000 that can be removed or deferred at the Committee’s discretion. Included among the various cost categories are five new, one-time projects, including Cyber Security, totaling $285,000. The combined total without the optional Cyber Security project is $465,000. The recommended FY 2019 plan is for a maximum of $465,000, which includes six new one-time projects totaling $278,000. Both plans include $50,000 of SWA each, which has been increased from the previous $35,000 annual amount at VTA administration’s request in order to provide enhanced capability for the Committee to rapidly respond to changing conditions and events or to adjust levels of effort. The recommended component projects and activities and the level-of-effort for each section for each year are shown starting on Page 5 of Attachment A.

Both recommended FY 2018 and FY 2019 plans include a new proposed transaction monitoring audit. Similar to Investment Program Controls, which is audited on a recurring basis every two years in conformance with Board-adopted policy, the Auditor General recommends that certain specific processes be included in future work plans to undergo independent assessments of limited scope on a recurring cyclical basis.

The Governance & Audit Committee will consider the recommended FY 2018 and FY 2019 Internal Audit Work Plans at its May 2017 meeting. The Committee’s recommendation regarding approval of this item plus any requested changes will be incorporated into the Recommended Work Plans that will be submitted for Board adoption at its June 1, 2017 meeting.

If the work plans are approved by the Board, the specific schedule for completing the component one-time projects will be determined in coordination with the General Manager and VTA administration with the goal of performing the projects at an appropriate time and manner that prevents or minimizes disruption to VTA operations.

ALTERNATIVES:

The Committee could recommend that the Board add, delete or modify some or all of the specific projects and services included in either the Recommended FY 2018 or FY 2019 Internal Audit Work Plans.

FISCAL IMPACT:

Sufficient appropriation to complete the recommended FY 2018 and FY 2019 Internal Audit Work Plans is included in the Proposed FY 2018 and FY 2019 VTA Transit Fund Operating Budgets, respectively.

Prepared by: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator

Memo No. 5983

ATTACHMENTS:

A--AG Recommended FY18 and FY19 IA Work Plans (PDF)

© 2017 RSM US LLP. All Rights Reserved.

SANTA CLARA VALLEY TRANSPORTATION AUTHORITY Recommended FY18 & FY19 Internal Audit Work Plans

May 4, 2017

13.a


FY17 Risk Assessment Refresh - Heat Map

* Risk added subsequent to Risk Assessment Refresh presented in September 2016

[Figure: heat map with axes Risk Impact and Vulnerability, scaled LOW to HIGH; the position of each risk on the map is not recoverable from this transcript. Risks plotted: BART-to-Silicon Valley Extension; Capital Projects and Planning; Joint Development; Community Outreach; Bus and Rail Yard Operations; Records Management; Business Continuity; Paratransit; Special Events / Stadiums; CAD/AVL – RTI Replacement; Rolling Stock (Bus / LRV); Information and Operation Technology; Network Security; BART Post Go-Live; Allied Barton Contract; Succession Planning; CCTV; MTC Allocation; SAP; Inventory Management; Eco Pass; Regulatory Compliance; Trapeze Pass; Non-transit revenue; Shared Ridership; Third-Party Service Providers; Express Lane Funding & Operations; Interagency Agreements; Fare Policy; Fare Collections/Ridership; 2016 Sales Tax Measure B; Communication; Cyber Security*; State of Good Repair.]


Recommended FY18 & FY19 Auditor General Projects

Project Areas and Descriptions

RTI Project – CAD/AVL Replacement

Examine current and potential future needs of the RTI (Real Time Information) project for Computer-Aided Dispatch (CAD) / Automatic Vehicle Location (AVL). Considerations may include:

• Pre-Implementation review
• Cost/Funding
• System implementation strategy
• RFP and contract, vendor capabilities

Special Events and Stadiums

Examine new risks associated with the servicing of new athletic stadiums. Considerations may include:

• Infrastructure, equipment, staffing, and morale
• Integration of existing service and connectivity to stadiums
• MOUs and the cost to VTA
• Operator/Field Supervisor availability
• Ambassador program and additional potential outsourcing opportunities
• Progress on schedule, budget, safety matters, policies, and roles to-date

Joint Development

Examine current and future joint development plans. Considerations may include:

• Land use and zoning
• Project planning and development
• Monetization of assets and property sales
• Community outreach
• Political pressure
• Risk management

Comprehensive IT Risk Assessment

Examine the risks and efficacy of controls related to VTA’s comprehensive IT operations and governance environment. Considerations may include:

• Business process and IT support structures
• Benchmarking of IT practices
• IT general controls (ITGC)
• IT application controls (ITAC)
• Evaluation of other IT risks: cyber security, network administration, business continuity planning, and compliance

Paratransit - Operations Transition

Examine the controls and processes surrounding VTA’s Access paratransit operations. Considerations may include:

• Transition from previous provider and service model, including process assessment and implementation
• Implementation of management response from prior audits
• Compliance with new contract
• Community outreach

Cyber Security (Pending G&A Determination)

Examine VTA’s Cyber Security framework and evaluate the adequacy of processes and controls. Considerations may include:

• Risk management and compliance
• Third-party management
• Information and asset management
• Identity and access management
• Threat and vulnerability assessment
• Data management and protection
• Crisis Management capability and resiliency
• Security operations, awareness, and training


Trapeze Pass

Examine the implementation and controls of the Trapeze Pass system for VTA Access paratransit services, focused on:

• Software acquisition and configuration
• System implementation and application go-live
• System controls and reporting
• Interface with invoicing and date reporting

Regulatory Compliance

Examine the processes for establishing and tracking VTA’s regulatory compliance requirements. Considerations may include:

• Regulators and organizational compliance requirements
• Internal monitoring and controls assessment
• Compliance assessment
• Federal, state, and local regulations

Business Continuity Plan

Examine VTA’s Business Continuity Plan. Considerations may include:

• Adequacy, completeness, and appropriateness of plan
• Feasibility: people and processes
• Adequacy and effectiveness of testing controls
• Mission critical coverage

Fixed Assets Program

Examine VTA’s operational and financial process and controls for fixed assets and state of good repair. Considerations may include:

• Adequacy of policies and procedures
• Asset requisition and capital budgeting
• Financial and reconciliation controls
• Capital budget monitoring and overruns
• Depreciation methodology and expense recognition
• Transfer and disposal of assets

Capital Budget and Project Controls

Examine VTA’s Capital Budget planning and monitoring processes. Considerations may include:

• Methodology for reviewing and approving projects
• Project feasibility and planning
• Capital project and schedule execution
• Contractor selection and oversight
• Project change order controls
• Cost and project monitoring controls

Maintenance Operations & Scheduling

Examine VTA’s maintenance operations and scheduling processes at bus and rail yards. Considerations may include:

• Methodology for planning and scheduling maintenance
• Internal controls and monitoring programs
• Key performance indicators (KPIs) and continuous improvement
• Utilization of SAP and other technology
• Productivity and process effectiveness
• Parts planning and inventory utilization


Recommended FY 2018 Internal Audit Work Plan

Work Plan FYE June 30, 2018 | Est. Hours | Est. Cost

Auditor General Projects:
RTI Project CAD / AVL Replacement | 260 | $44,000
Special Events and Stadiums | 320 | $55,000
IT Risk Assessment | 370 | $63,000
Paratransit Operations Transition | 300 | $50,000
Transaction Monitoring Audit* (Pending G&A determination) | 120 | $18,000
Joint Development | 320 | $55,000
Cyber Security Assessment (Pending G&A determination) | 390 | $66,000

Audit General Services:
AG Services Support | 380 | $65,000
Annual Risk Refresh | 80 | $12,500
Follow-up of Management Action Plans | 70 | $12,000
Ethics Hotline Support | 80 | $13,500
Expenses (Travel and Related Costs) | n/a | $27,000
Supplemental Work Allowance (for Projects TBD by G&A Committee) | 200 | $50,000

Total - with Cyber Security | 2,890 | $531,000
Total - without Cyber Security | 2,500 | $465,000

* See page 8 for recommended transaction monitoring audits


Recommended FY 2019 Internal Audit Work Plan

Work Plan FYE June 30, 2019 | Est. Hours | Est. Cost

Auditor General Projects:
Trapeze Pass | 260 | $44,000
Regulatory Compliance Assessment | 310 | $52,000
Business Continuity Plan | 330 | $55,000
Capital Budget and Project Controls | 310 | $53,000
Fixed Assets Program | 340 | $58,000
Investment Program Controls or Transactional Monitoring Audit* | 100 | $16,000

Audit General Services:
AG Services Support | 380 | $65,000
Risk Assessment and Two-Year Audit Plan | 100 | $19,500
Follow-up of Management Action Plans | 80 | $12,000
Ethics Hotline Support | 80 | $13,500
Expenses (Travel and Related Costs) | n/a | $27,000
Supplemental Work Allowance (for Projects TBD by G&A Committee) | 200 | $50,000

Total | 2500 | $465,000


Proposed Future Auditor General Projects

Project Areas and Descriptions

2016 Sales Tax Measure B

Examine current and future plans of the proposed Sales Tax Measure funding. Considerations may include:

• Future audit requirements
• VTA oversight and management
• Ballot-required Citizens Oversight Committee
• Reporting and monitoring of capital expenditures, political impact, and community outreach

Vendor Management

Examine VTA’s Vendor Management process and controls. Considerations may include:

• Duplicate payments
• Vendor master data inputs and controls
• Ongoing vendor monitoring
• Segregation of duties and fraud prevention controls
• Vendor selection processes and controls, including high risk or disqualified vendors

Bus and Rail Yard Operations

Examine VTA’s operational processes and controls at bus and rail yards. Assessment considerations may include:

• Productivity and process effectiveness
• Internal controls and monitoring programs
• Key performance indicators (KPIs) and continuous improvement programs

Diridon Station

Examine current and future plans for the Diridon Station. Considerations may include:

• Project planning and development
• Joint Development
• Community outreach

Rolling Stock

Examine the process related to the purchase, planning, use, and maintenance of VTA’s rolling stock. Considerations may include:

• Maintenance schedule and productivity
• Equipment shortages
• Supply chain operations related to parts procurement
• Potential impact on the system and riders
• Mid-life rehabilitation
• Rail and bus pull-out

MTC Allocation

Examine the controls and processes surrounding VTA’s MTC allocation. Considerations may include:

• Reasonableness and proportion of allocation
• Impact of BART go-live
• Subjectivity in allocation process
• VTA process to identify and apply for grant funding


Recommended Transaction Audits

• Currently, the Board-adopted policy requires the Investment Program Controls be audited every 2 years due to the program risk.

• To complement the dynamic Internal Audit Work Plan, the Auditor General recommends that the Board consider including transaction monitoring audits for additional processes to independently assess on a recurring basis. Recommended processes for G&A consideration include:

− Vendor Master File
− Accounts Payable / Disbursements
− Procurement cards / Travel & Expenses
− Journal Entries and Account Reconciliations
− Payroll
