Metropolitan Transportation Authority ERM/Internal Control...

Metropolitan Transportation Authority

ERM/Internal Control Summary Report 2015 - 2016

Submitted By MTA Corporate Compliance

2 Broadway, 16th Floor New York, New York 10004

Memorandum

I> Metropolitan Transportation Authority State of New York

Date November 2, 2016

From

All MTA Em1?IOY~ . ~. Thomas ~. Prender t, Chairman and CEO

To

Re Annual Commitment to Efficient and Effective Internal Controls

The Metropolitan Transportation Authority ("MTA") is committed to maintammg a system of efficient and effective internal controls. Internal controls is the integration of the activities, plans, attitudes, policies, and efforts of all MTA employees working together to provide reasonable assurance that we will achieve our objectives and mission.

The overall purpose of our internal controls system is to help the MTA: (1) promote orderly, economical, efficient and effective operations, (2) provide quality services for our stake holders consistent with our mission; (3) safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud; (4) promote compliance with our Code of Ethics, laws, regulations, contracts and management directives and; (5) develop and maintain reliable financial/management data which is accurately presented in timely reports.

Each employee is responsible for ensuring that we comply with our system of internal controls. For our internal controls to be most effective, each employee must be responsible for becoming familiar with our policies, operating procedures, and the legal requirements that apply to his or her job, and must abide by these requirements at all times.

If you want additional information about our internal controls program you can contact your Agency Internal Control Staff (list attached) or MTA Chief Compliance Officer, Lamond W. Kearse at 646-252-1329.

Memorandum

8 Metropolitan Transportation Authority State of New York

To: Audit Committee

From: Lamond W. Kearse, Chief Compliance Offi

Date: November 2, 2016

Re: Management Assessment: Effectiveness of its Internal Controls FY2015

The Metropolitan Transportation Authority's Chief Compliance Officer is responsible for overseeing the establishment and operation of the MTA's internal control program, which includes each of its subsidiary and affiliated entities ("MTA").

This statement certifies that management has documented and assessed the internal control structure and procedures of the MTA for the year ending December 31, 2015. In making this assessment, management used criteria set forth by MTA's Enterprise 'Risk Management/Internal Control Guidelines, Standards for Internal Control in New York State published by the Office of the State Comptroller, Guidelines issued by the Independent Authority Budget Office, and the Guidelines of the Commission of Sponsoring Organizations of the Treadway Commission.

This assessment found the MTA's internal controls to be adequate, and to the extent that deficiencies were identified, the MTA has developed corrective action plans to reduce any corresponding risk.

Therefore based upon the above I believe that as of December 31,2015, the MTA's internal control structure and procedures are effective.

c: Michael Fucilli, Auditor General ' Enterprise Risk Management Committee

METROPOLITAN TRANSPORTATION AUTHORITY

INTERNAL CONTROL CERTIFICATION 2015-16

METROPOLITAN TRANSPORTATION AUTHORITY Authority Name

THOMAS F. PRENDERGAST, CHAIRMAN AND CHIEF EXECUTIVE OFFICER Chairperson Governing Board

2 Broadway, New York, NY 10017 212-878-7200 Authority Address Telephone Number

Lamond W. Kearse, Chief Compliance Officer 646-252-1330 Name of Internal Control Officer Telephone Number

[email protected] Email Address of Internal Control Officer

I hereby certify to the best of my knowledge and belief that the Metropolitan Transportation Authority is:

o Fully Compliant (Full compliance with all provisions)

D Partially Compliant (Partial compliance with sOIne or all provisions)

D Not Compliant (Noncompliance with all provisions)

With the New York State Governmental Accountability, Audit and Internal Control Act.

'-'1k..........,L.L&an and Chief Executive Officer Date

2015-2016 Internal Control Summary Report

Table of Contents

Page

Section A. Requirement: Establish and Maintain Guidelines for a System of Internal Controls______________1

Section B. Requirement: Establish and Maintain a System of Internal Controls and a Program

of Internal Control Review____________________________________________________________ 3

Part 1. Process Used to Review Internal Controls ______________________________________3

Part 2. Significant Business Processes Identified During the 2015-16 Review Process_________5

Part 3. Material Weakness or Significant Deficiencies Revealed During the

2015-16 Review Process____________________________________________________44

Part 4. The Internal Control Program Details 2015-16_________________________________59

Section C. Requirement: Make Available to Each Officer and Employee a Clear and Concise Statement

of the Generally Applicable Management Policies and Standards ___________________________68

Section D. Requirement: Designate an Internal Control Officer (ICO), Who Shall Report to the

Chairman of the MTA, to Implement and Review the Internal Control Responsibilities

Established Pursuant to the Act and Internal Standards ___________________________________72

Section E. Requirement: Implement Education and Training Efforts to Ensure that Officers and

Employees Have Achieved Adequate Awareness and Understanding of Internal Control

Standards and, as Appropriate, Evaluation Techniques ____________________________________76


2015-16 INTERNAL CONTROL SUMMARY REPORT

2015-2016 Internal Control Summary Report Page 1 of 81

Date

Completed by Phone

Lamond W. Kearse, Chief Compliance Officer (646) 252-1330

MTA Bridges and Tunnels Angelo Cerbone (646) 252-7505

MTA Bus Company Robert Picarelli (718) 696-3614

MTA Capital Construction Daniel Worrell (646) 252-1303

MTA Headquarters Michael Amrick (212) 878-7422

MTA Long Island Rail Road Mark D. Young (718) 558-7777

MTA Metro-North Railroad Nathan Gilbertson (212) 340-2197

MTA New York City Transit William Vazoulas (646) 252-6610

_______________________________________________________________________________

Section A. Requirement: Establish and Maintain Guidelines for a System of Internal

Controls

Standard: Internal control guidelines communicate an Organization’s management

and programmatic objectives to its employees and provide the methods and

procedures used to assess the effectiveness of its internal controls in supporting those

objectives. Internal control guidelines should state the Board’s support of internal

controls to provide staff with an understanding of the benefits of effective controls;

identify primary responsibilities and the objectives; explain how internal controls are

organized and managed; define responsibilities of management and staff; acknowledge

that internal controls adhere to accepted standards; and describe the process for

evaluating internal controls.

Metropolitan Transportation Authority – Enterprise

The Metropolitan Transportation Authority, a public benefit corporation of the State

of New York, has the responsibility for developing and implementing a unified mass

transportation policy for The City of New York and Dutchess, Nassau, Orange,

Putnam, Rockland, Suffolk and Westchester counties.

In November 2011, the Metropolitan Transportation Authority Board adopted

Enterprise Risk Management and Internal Control Guidelines (“ERM Guidelines”).

These guidelines replaced MTA All Agency Policy Directive 11-008 entitled

Accountability & Internal Control issued June 8, 1990. The purpose of the ERM

Guidelines is to establish an effective system of internal controls for the Authority

which complies with the requirements of the New York State Government

Accountability, Audit and Internal Control Act of 1999, Public Authorities Law




Sections 2930 through 2932 (“the Act”), the Standards for Internal Control in New

York State published by the Office of the State Comptroller, Guidelines issued by the

Independent Authority Budget Office (“IABO”), and the Commission of Sponsoring

Organizations of the Treadway Commission standards (“COSO”).

The ERM Guidelines establish the MTA Board’s support of internal controls and its

commitment to provide staff with an understanding of the benefits of effective

controls. It also identifies the Authority’s primary responsibilities and the objectives

of internal controls; explains how internal controls are organized and managed;

defines responsibilities of management, supervisors and staff; acknowledges that

MTA’s internal controls adhere to accepted standards; and describes the

organization’s process for evaluating internal controls.

In 2004, the MTA Board established the position of Chief Compliance Officer. The

Chief Compliance Officer serves as the Chief Risk Officer/Internal Control Officer

(“ICO”) for the MTA and its Affiliated and Subsidiary Agencies. In addition, each

Agency appoints an Authority Internal Control Officer for their Agency (“AICO”)

who is a direct report to the Agency President or their designee.

The guidelines also establish an Enterprise Risk Management Committee. The

Committee meets at least quarterly to review and suggest improvements to the

program. AICO’s or their designees serve on the Committee, which is chaired by the

Chief Compliance Officer.

MTA’s Enterprise Risk Management/Internal Control Program is compliant with the

Act, the Standards for Internal Control in New York State published by the Office of

the State Comptroller, IABO guidelines, and COSO standards. MTA’s Enterprise Risk

Management/internal control program is modeled after current best practices of

integrating corporate governance, internal controls, compliance and ethics.




Section B. Requirement: Establish and Maintain a System of Internal Controls and a

Program of Internal Control Review

Standards: The program of internal control review shall be a structured, continuing

and well documented system designed to identify internal control weaknesses,

identify actions that are needed to correct these weaknesses, monitor the

implementation of necessary corrective actions and periodically assess the adequacy

of the internal controls. The procedures for evaluating the adequacy of that system

also vary, but at a minimum should: Identify and clearly document the primary

operating responsibilities; define the objectives of these functions so they are easily

understood by staff accountable for carrying out the functions; identify/document the

policies and procedures used to execute functions; identify the major functions of

each assessable unit; develop a process or cycle to assess risk and test controls for

major functions; assess the risks and consequences associated with controls failing to

promote the objectives of major functions; test controls to ensure they are working as

intended; and institute a centrally monitored process to document, monitor and

report deficiencies and corrective actions.

Part 1. Process Used To Review Internal Controls


The Enterprise Risk Management/Internal Control Program is based on vulnerability

(Risk) assessments and the ranking of business processes based on the level of risk

assigned to each one. The Metropolitan Transportation Authority and its Affiliated

and Subsidiary Agencies (“MTA”) identify all major business processes, determine the

level of risk and develop a system of controls to manage and mitigate those risks. Self-

assessments and testing of existing controls is required to determine whether they are

functioning as intended and the adequacy of those controls. If weaknesses are

detected, a corrective action plan is created with a timetable for addressing and

resolving the deficiencies.

The primary control techniques, which support the control evaluation process, are

documentation and recordkeeping, authorization of transactions, segregation of

duties, supervision and security of information and data. Policies and procedures, logs

and records, supervision and structure based on corporate organization charts and the

various levels of data security are examples of the control techniques which support

the Internal Control Program and enable each department to effectively monitor

their internal control system.




MTA is utilizing a single set of software applications to manage the MTA’s Internal

Control, Compliance and Governance programs.

These applications, in the broadest sense, are designed to add greater accountability

and transparency to the MTA’s Compliance/Internal Control efforts. The applications

allow the MTA to, among other things:

monitor compliance with MTA and Agency policies and procedure,

monitor compliance with multiple regulatory requirements,

align internal controls with policies and regulations,

replace labor-intensive vulnerability assessments with automated GRC process

management,

monitor internal controls not just by Agency but as part of an integrated business

processes across Agencies,

track and document risks and internal controls related to those business processes,

track corrective action plans and audit recommendations, and

evaluate, test and report on the status of internal controls.

MTA utilizes a risk-based approach for continuous internal control monitoring and

testing, based upon annually reviewed vulnerability assessments. These assessments

assist Agencies in identifying key vulnerabilities and controls in place throughout the

Authority.




Part 2. Significant Business Processes Identified During the 2015-16 Review

Process

MTA Bridges and Tunnels - Significant Business Processes

Department Subdivision Business Process Reviewed

Engineering &

Construction

Planning

Develop plans, goals and objectives

in support of the Authority’s

Strategic Business Plan

Yes

Design Design and review architectural

engineering projects

Yes

Program/Project

Management

Plan, budget and schedule capital

and operating projects

Yes

Perform construction safety

oversight and monitor work

injuries

No

Bridge Inspection

Assure that bridge inspections are

planned and scheduled and

performed in accordance with

FHWA, AASHTO, NYSDOT and

Engineering and Construction

procedure requirements.

No

Quality Assurance

Maintain quality assurance over

project development, design and

management activities for all

construction work

Yes

Procurement Credit

Card (PCC)

Assure that cardholder’s PCC

Transactions performed to support

department operations are per

P&M-235 procedure and comply

with requirements

No

Finance Accounting

Financial statement preparation Yes

Accounts receivable – ensure that

outside party billing and collection

activities are done accurately and

timely

No

Audit Liaison – Coordinate and

facilitate auditor access to records

and personnel

No

Health & Safety

Provide statistical analysis of

employee and customer lost time

for safety program management

Yes

Provide technical guidance, review

& oversight of capital, major

maintenance & emergency

response activities.

Yes




MTA Bridges and Tunnels - Significant Business Processes – cont’d.


Health & Safety

Provide technical oversight and

guidance for all safety training

courses

No

Prepare and submit compliance

reports with environmental and

occupational safety and health

regulations

No

Review all contracts, construction

design plans & specifications,

contractor and consultant safety

plans for environmental, health &

safety concerns.

Yes

Perform 11 facility NYS Code

inspections annually. Prepare

written annual report to NY State.

Perform ongoing construction

inspections on all capital & major

maintenance projects for safety

randomly during the life of the

project.

No

Provide industrial hygiene program

management including to material

safety data sheets reviews as

required for contractor & new

product facility use.

Yes

Internal Security Security Operations

Manage armed security operations Yes

Manage secondary and

independent alarm monitoring of

JROC Vault.

Yes

Security Operations Center Yes

Manage, maintain and administer

the 24/7 electronic security systems

of B&T.

Yes

Coordinate disaster recovery efforts

for MTA Bridges & Tunnels

Yes

Manage and maintain security

policies for MTA B&T

No

Coordinate evacuation drill efforts

for all MTA Bridges & Tunnels

locations

Yes

Identification cards Yes






Internal Security

Security Operations Coordinate the securing of sensitive

documents

Yes

Electronic

Security Support

Maintain and manage electronic

security systems

Yes

Special Investigations

Investigate employee misconduct. No

Ensure adequate security for

employees, property and revenue.

Yes

Safeguard firearms and shields. Yes

Security System

Operations

Departmental Support – Utilizing

system reports and video tapes to

identify system problems and

identify fraud and theft.

Yes

Database Management – Document

and maintain the BTO Toll Rate

Audit and Equipment Failure

Database.

Yes

Safety – Perform safety audits at all

ISD staff work locations.

No

ID Toll Keys – Issuance and

retrieval of ID toll keys to and from

toll collection personnel

Yes

Random Toll Collection

Monitoring – Operation LookSee

Yes

Special projects – Consult and assist

other departments in security and

traffic analysis related areas.

No

ETC System User Access. Yes

Labor Relations

Represent agency at Public

Employment Relations Board

No

Represent agency in interest

arbitrations.

Yes

Advise managers, hear grievances,

write responses.

Yes

Negotiate labor contracts. Yes

Represent agency in Rights.

Arbitrations.

Yes

Prefer/Prosecute Employee

Disciplinary Charges.

Yes

Participate in Labor Management

Meetings.

Yes






Labor Relations

Union Releases – Presidential

releases of employees to complete

Union Business pursuant to the

terms of the CBA.

Yes

Legal

Administer agency’s Worker’s

Compensation Program.

Yes

Process Subpoenas. Yes

Process Liens/Levies. Yes

Administer agency’s Property

Damage Program.

No

Manage employment actions. No

Conduct vendor responsibility

hearings.

Yes

Conduct Procurement Action

Reviews to ensure that agency

contracts are legally sufficient.

Yes

Conduct motions practices. Yes

Manage/monitor outside counsel

activities.

Yes

Counsel Review – FOIL review and

approval.

Yes

Operations Facilities

Ensure toll collection functions are

performed in coordination with

directives.

Yes

Ensure customer and employee

safety.

Yes

Maintain adequate level of security

at critical areas against potential

threats, vandalism, theft and acts of

terrorism.

Yes

Manage Authority facilities –

ensure workforce compliance with

Operations directives.

Yes

Handle emergencies – ensure

wreckers are operational and

operating personnel are prepared to

respond to customers’ needs.

Yes

Manage Traffic – ensure consistent

truck enforcement operations at

B&T facilities.

Yes






Operations

Administration

Gun range operations – ensure the

highest level of firearms training

and safety in accordance with

Authority policies and procedures.

Yes

Respiratory protection – Verify

that air purifying respirators and

escape hood equipment are in

accordance with OSHA yearly

requirements.

Yes

Plan and prepare departmental

goals and objectives.

No

Control employee attendance. Yes

Schedule and train operating

workforce.

Yes

Document operating procedures. Yes

Handle customer relations. No

Operations security training. No

Reimbursement of funds – ensure

employees are reimbursed for

carfare and monetary entitlements

in accordance with B&T policies.

No

Maintenance

Ensure Fire Protection System

Maintenance procedures are

properly performed and meet

agency requirements.

Yes

Central maintenance projects/work

orders.

Yes

Manage maintenance

projects/contracts – ensure that

contractors meet all Authority

requirements.

Yes

Maintain EZ-Pass equipment. No

Perform preventive maintenance. No

Suicide prevention phone system

functionality.

No

Radio communication repeater

maintenance.

Yes

Emergency equipment availability. No






Planning and Budget

Strategic Planning

Operating budget monitoring and

reporting - Manage and maintain

the Hyperion Budget System

(BSCFIN & BSCENC).

Yes

Compliance activities - Conduct

safety audits of office conditions in

compliance with the All-Agency

Safety Initiative.

Yes

Coordinate agency operating

budget preparation.

Yes

Operating budget forecasting and

reporting.

Yes

Departmental support – Provide

financial analysis for labor contract

proposals for collective bargaining

negotiations; present final contract

costing for MTA Board approval.

No

Capital Planning

Prepare 5 Year Capital Plan. Yes

Administer the Capital, Near, Term

Security, and Operating (Major

Maintenance, Painting, GES,

Capitalized Assets).

Yes

Maintain Capital Budget

information.

No

Capital and transportation planning

activities.

No

Coordinate facility-wide motorist

survey.

No

Compliance activities – Conduct

annual inspection of Planning and

Budget back-up data in compliance

with B&T data back-up initiative.

No

Procurement

Procure services and goods -

Develop and prepare RFP’s and

RFQ’s.

Yes

Implement MTA Audit Services’

recommendations.

No

Maintain ReqTrak and provide

information as required by statute,

or by MTA/B&T management

No






Procurement

Bid Administration/ Vendor

relations –Provide Bid

Administration Support.

Yes

Secure classified documents –

Ensure that classified documents

are properly handled.

No

Disaster Recovery –Restore P&M

information services.

No

Evaluate compliance with Lobby

Law (State Finance Law 139 J and

K)

No

Revenue

Management

E-ZPass Contract

Compliance

Contract Compliance – Monitor

selected CSC operations that are

most visible to the customers for

contract compliance and DMV

validation.

Yes

E-ZPass Project

Management

Project management - Monitor

customer discount programs, tag

inventories and customer relations.

Yes

Revenue Audit

Perform manual audits to identify

and document cash shortages in a

timely manner.

Yes

BTO Shortages – review and

confirm shortages, submit to

Payroll for deduction from BTO

salary and process Annual Giveback

Yes

Shortchange complaints –Process

complaints received from patrons

using Authority’s facilities

regarding incorrect change in

accordance with Authority’s

policies.

Yes

Management reporting –

Compilation of traffic and revenue

information for monthly reporting.

Yes

RAAS access – Ensure that only

authorized users have access to

RAAS.

Yes

Revenue Operations

Vault inventories – Accounting for

cash held for at facilities to

replenish working funds and all

tags stored in the vault at the

Customer Service Center.

Yes






Revenue

Management

Revenue Operations

Armored Management – Ensure

that currency pick-up from the

facilities, deliveries to the RICP and

the bank are conducted in

accordance with established

procedures.

Yes

Alternate Processing Center –

Maintain and test the Alternate

Processing Center.

No

Counterfeit currency deposits –

Maintain a record of all counterfeit

currency coming from the facilities

and send currency to the Secret

Service

No

Inventories of computer equipment

and coin processing machines.

No

Revenue Processing Center

Operations – Ensure that all

revenue collected by the BTOs is

counted in accordance with

Authority’s procedures.

Yes

Revenue Systems

Maintenance

Perform monthly reconciliations of

non-revenue tags

Yes

Non-revenue tag issuance review

documentation to ensure that all

non-revenue tag issuances are

authorized.

No

Carpool tickets – Process requests

from Staten Island residents for car

pool tickets.

No

Non-revenue tag control – Perform

“desk audits” of selected agencies to

ensure accountability of non-

revenue tags issued.

Yes

Tag database – Ensure that only

authorized users have access to the

database.

No

General General - Conduct employee safety

audits

Yes

Staff Services Human Resources Human resources - Review and

maintain personnel records

Yes






Staff Services

Human Resources

Benefits – Administer and maintain

records of all employees’ health and

insurance programs.

Yes

Leave administration - Monitor

medical leave absences and family

medical leave

Yes

Human Resource Information

System - Management of

PeopleSoft to ensure that all

information is relevant, accurate

and up-to date.

Yes

Employment – Handling the entire

employment process: job postings,

background investigations, salary

verification, pre-employment drug

screening, medical examination and

job offer.

Yes

Personnel Records – Maintain

Authority’s personnel records

securely and according to policies.

Yes

Management training – Schedule

training for non-represented

employees.

No

Administration

Administer the drug and alcohol

program.

Yes

Administer the education assistance

program.

Yes

Administer the employee travel

and business expense authorization

program.

Yes

Department credit card – manage

and authorize the use and approval

of all expenses charged to the

department’s procurement credit

card.

No

Monitor and develop annual

department budget.

No

Securing classified documents. Yes

Contract administration – track the

expiration and renewal dates for

the administration department’s

contracts.

No






Staff Services

Administration

Contract billing – Process invoices

for services provided under

administration’s outside contracts.

No

Safety inspections – Conduct safety

inspections of administration’s

work space.

Yes

Policy updates – Review and

update the administration policies

as required.

No

Central Control Unit

Kronos timecard reconciliation Yes

Leave cases – Open leave cases to

track employees approved leaves

Yes

Special payrolls – Manage the

special payroll process.

Yes

Payroll discrepancy reconciliation Yes

Retirees/Separated employees Yes

MTA Bus Company - Significant Business Processes


Depot Operations

Administration Procurement Yes

Facilities Security Yes

Administration UTS System Access Yes

Facilities Environmental

Compliance

SPCC Yes

Safety & Training Maintenance

Bus Accident Monitoring Yes

Bus Operator Monitoring Yes

Transportation 19-A Program Yes

Security

Facility/Property Access Yes

CCTV Yes

Key Control Yes

Procurement Contract

Administration

Approval & Authorization Yes

Contract Licenses Yes

Invoice Processing Yes

Controller General Accounting Account Reconciliations Yes

Financial Statement Preparation Yes




MTA Bus Company - Significant Business Processes – cont’d.


Controller General Accounting JE Approval Yes

System Access Yes

Facilities P & E Operations Ordering Parts Yes

Contractor Work Performed Yes

Paratransit Transportation Vehicles Accountability Yes

Carriers Monitoring Yes

Claims No Faulty Insurance Accident Claims Processing Yes

MTA Capital Construction - Significant Business Processes


Capital Security

Program Program Security

Grant Compliance for Transit

Security Grant Program

No

Design and Construction for

Security Projects

No

Security Program Initiated Design/

Construction Projects

No

Capital Security

Program Program Security

Documents Filing and Retention of

Capital Security Projects

No

Chief Engineer Engineering

Claims Yes

Code Compliance - Design No

Code Compliance - Construction No

Code Compliance –Close Out No

Finance Budget &

Administration Finance

Capital Invoice Disbursements Yes

Operating (Non-PO)

Vendor/Contractor Invoice

Disbursements

Yes

Operating (Non-PO) Employees

Invoice Disbursements

Yes

Issuing WAR Certificates for

Capital Invoices

Yes

Budget & Forecasting: Expense

Review

No

Financial Plans No

Monthly Financial Reporting to

MTAHQ & Board

No

Project Funding No

WAR Closeouts No




MTA Capital Construction - Significant Business Processes – cont’d.


Finance Budget &

Administration Grant Management

FTA Compliance No

Grant Management for FTA and

FRA

No

General Counsel &

Procurement

General Counsel

Claims - Contractors & Consultants No

Claims - CC Against the

Contractors

No

Contract & Procurement Reviews No

Litigations & Lawsuits No

Ethics No

Procurement &

Administration

Material Purchasing No

Vendor / Supplier Selection Yes

Purchasing No

Competitive Bidding Yes

Personal Services Contracts Yes

Sole / Single Source Non-

Competitive

Yes

General Counsel &

Procurement

Procurement &

Administration

Legal & Regulatory Compliance Yes

Performance Monitoring Yes

Records Retention No

Evaluation / Due Diligence Yes

Human Resources Human Resources

Recruitment Yes

Diversity Recruitment Yes

Salary Administration No

Performance Reviews No

Promotions Yes

Employee and Intern On-Boarding No

Job Evaluations No

Policy Reviews & Updates No

Requests for a Reasonable

Accommodation Under ADA

No

Planning and

Development &

Chief Architect

Sustainability &

Environmental

Services

Environmental Compliance No

Federal Transit Administration

Environmental Requirements

No

Manage Environmental

Consultants

No

Prepare Environmental Reports No

Address Public Complaints No

Planning Design &

Development

Fulton Center Transition to

Operations

Yes






Planning and

Development &

Chief Architect

Planning Design &

Development

Architecture and Design Review

and Oversight

No

Program Controls &

Quality Assurance

Scheduling & Claims

IPS Updates No

Review of Individual Program(s)

IPS Schedule

No

Review of Individual Program(s)

Contract TIA’s

No

Estimating & Cost

Controls

Perform Budget Estimates Yes

Estimating Contract Modification

(Change Order) Estimates

Yes

Security Policies & Procedures No

Quality Assurance

Contractor Quality Control

Compliance

No

Construction Manager Quality

Assurance Compliance

Yes

Program Controls &

Quality Assurance

Quality Assurance Quality Assurance Monitoring Yes

Risk Management &

Budget Controls

Perform Risk Assessments on all

Contracts

No

Support Program Risk Management No

Project and

Construction

Management

7 Line Extension

Consultant Payment Verification No

Contractor Payment Verification No

Additional Work Orders (AWO)

Verification

No

Engineering Force Account (EFA)

Verification

Yes

TA Labor Account Verification No

Emergency Response Compliance

Preparedness and Response Plans

No

Project Quality Compliance No

Project Safety Compliance No

Project Security Compliance Yes

Sub-Contractor Payment

Verification

Yes

Prevailing Wages No

Disadvantage Minority or Women

Owned Business Enterprises

Yes

East Side Access


Contractor Payment Verification Yes

Construction Contract Modification

Verification

Yes






Project and

Construction

Management

East Side Access

Warehouse Inventory Control No

Force Account Verification No

Force Account Payment

Verification

No

Sub-contractor Payment

Verification

No

Prevailing Wages Yes


Business Enterprises

No

Document Control No

Asset Inventory Control in

Programs and Field Offices

No

Asset Maintenance No

Code Compliance Construction Yes

System Safety Certification No

Computer System Data Security Yes

Computer Network System Disaster

Recovery

Yes

Claims Mitigation and Disputes

Resolution

No



No

Project Quality Compliance Yes


Project Work Site Security

Compliance

Yes

Community Outreach Yes

Change Control No

Scheduling No

Fulton Center/Lower

Manhattan


Contractor Payment Verification Yes


Verification

Yes


Verification

No




No








Project and

Construction

Management

Fulton Center/Lower

Manhattan

Project Security Compliance No


Verification

No

Prevailing Wages Yes



Yes

Penn Station Access

Completion of Conceptual

Engineering Report

No

Procurement of Program Manager

Consultant

No

Execute Agreements with Agency

Stakeholders – MNR, Amtrak,

CTDOT

No

Engineering Design of PSA No

Second Avenue

Subway


Contractor Payment Verification No


Verification

No


Verification

Yes




No



Project Security Compliance Yes


Verification

Yes

Prevailing Wages No



Yes

Safety Safety

Contractor Regulatory Compliance No

Safety Monitoring No

Safety Training –

Contractor/Consultant

No

Staffing No

Emergency No

Environmental No

Maintenance and Protection of

Traffic (MPT)

No






Strategic Initiatives

& Communications

Strategic Initiatives &

Communications

Communications Policy No

MTA Headquarters - Significant Business Processes


Administration Operation Support Emergency Preparedness for

natural disasters

Yes

Budget Budget

Budget and Financial Statement

Preparation

Yes

Review of Financial Reports No

Business Service

Center

Finance

Accounts Payable Yes

Payroll Administration – Rn

Payroll

Yes

Travel and Business Expense

Reimbursement

Yes

Human Resources

Administration Items Yes

Benefits Yes

HRIS Yes

IT

Coordinate Disaster Recovery Test Yes

Change Management Yes

Cybersecurity Yes

Procurement

Issue Various Reports on

Procurement Activities

No

Tracking No

Manage Procurement Procedures No

Capital Program

Funding

Capital Program

Budget

and Grants

Management

Preparation ARRA 1512 Report Yes

Capital Program

Management

Capital Program

Management

Capital Budget Process Yes

Comptroller Comptroller Consolidated Financial Statements Yes

Chief of Staff Arts for Transit and

Facilities Design

Coordination Yes

Corporate Affairs

and

Communications

New York Transit

Museum

Operate the New York Transit

Museum

Yes

Policies and

Procedures

Community Affairs Yes




MTA Headquarters - Significant Business Processes – cont’d.


Corporate

Compliance

Ethics Program Code of Ethics Yes

Ethics Training Yes

Regulatory Reporting Preparation Annual Report Yes

Compliance Whistleblower Protection Yes

Internal Control

System

Internal Control Program Yes

Department of

Diversity and Civil

Rights

Certification Unit Determine Eligibility of New

Applicants for DBE Certification

Yes

Contract Compliance

Unit

Contract Integrity Monitoring Yes

Contract Integrity Monitory

Review of Monthly Participation

Report Submission

Yes

Field Visits Yes

EEO Investigations Yes

Out Reach Mentoring Program Yes

IT Department Enterprise Security Data Protection No

Information Services Information Services No

Facilities Operations

Office Services and

Building Services and

Administrative

Services

Building Security Yes

General Counsel Legal

Contracts and Procurements Yes

Environmental Yes

Litigation Yes

Human Resources

Benefits Benefit Policy and Research Yes

Deferred

Compensation

Communications Yes

Offer Deferred Yes

Defined Benefit

Pensions

Defined Pensions Yes

Recruitment Staffing and Employee Relations Yes

Risk and Insurance

Management

Claims Claims Management Yes

Risk Assessment and

Coverage

Insurance Coverage Yes

Risk Control and

Reporting

OCIP Yes

Treasury Treasury Cash and Investments




MTA Long Island Rail Road - Significant Business Processes


All All

Management Compensatory Time Yes

Overtime Yes

Procurement Card Yes

Procurement Card – Hotel Yes

Employee Accident Reporting Yes

Employee Accident Counseling Yes

Train Accident Report Yes

Budget Submission Yes

Controller

Accounting

Calculation of Overhead Rates No

Verification of Trackage Fees

Payable from NYAR

No

Verification of Royalty and Switch

Fees payable from NYAR

No

Payroll Processing of Weekly Time and

Labor Information

Yes

Revenue Information

& Control

Tariff Table No

Ticket Stock No

Corporate Safety

Occupational &

Environmental

Safety Petroleum Bulk Storage

Tank Management Program

Yes

Safety Operations Monitor Company Compliance

with Safety Mandates

No

Fire Marshal

Evaluate the design and build for

new construction and changes to

existing constructions

Yes

Design and implement Emergency

Action Plans

No

Corporate Training

and Employee

Development

Training

Produce and Deliver Mandated

Training

Yes

Ethics Training Yes

Department of

Program

Management

Project Planning &

Controls

Productivity Tracking Yes

Design Management Consultants Contracts No

Best Value Analysis No

Construction

Management

Force Account Construction No

Managing Change Requests No

Central

Administration

Invoice Processing (3rd Party

Contracts)

No

Invoice Processing (Force account) No




MTA Long Island Rail Road - Significant Business Processes – cont’d.


Department of

Program

Management

Central

Administration

M/W/DBE Compliance Reporting No

Code Compliance Process No

Engineering

Signals &

Communications

FRA Signal Appliance Testing No

Station PA Inspections Yes

Valuable Metals Yes

Calibration –Communications Yes

Radio Maintenance Yes

Radio Repair Yes

Facilities

Management

East/West

Contract Compliance No

Joint Facilities Agreement Yes

Elevator & Escalator No

Power Engineer Electric Traction Yes

Administration Track Geometry Measurement

TC-82

No

Special Projects &

East Side Access Operation Readiness

Substantial Completion Yes

Design Review No

Asset Management No

Rail Activation Plan Yes

Modeling Review No

Construction Scheduling No

Project Management No

Human Resources

Employment

Respond to report of Medical

Condition by Employer

Yes

Update Job Description and

Physical Agility Screening (PAS)

Yes

Employee Services

FMLA Compliance Yes

Administer Alcohol and Substance

Testing Program

Yes

DA/DS Compliance No

Administer Sick Leave Yes

Labor Relations Trial Office

Plan, Lead and Direct the Activity

of Trial Procedures

Yes

Implement and Administer Labor

Relations for MofE

Yes

Trial Waivers Yes






Labor Relations Trial Office

Conduct Departmental

Investigations and Special

Assignments designated by

Operating Departments

Yes

Law Department

Torts &

Administration

Outside Counsel Monitoring Yes

Approve & Voucher Payments No

Special Projects

Major Third Party Development of

Capital Projects

No

Minor Third Party Projects and

Force Account Agreements

No

Claims

Lawsuits – Support Attorney in

Trial Preparation

Yes

Federal Employees Liability Act

(FELA) Claims

No

Property Damage No

Insurance Cases No

Payments/Security – Settlements No

Subpoena Checks No

Calculate Liens & Lost Wages No

Debt Collection No

Procurement Vendor Responsibility Yes

Maintenance of

Equipment

RCM Administration RCM Management & Review Yes

Fleet Support Shops

Support Shop Rebuild Program Yes

MU Periodic Inspections No

MU Heavy Repairs, Overhauls and

Fleet Modifications

No

Fleet Operations

MU-2B Inspection No

MU Class I Brake Test No

MU Toilet Servicing No

MU EIC (Extraordinary Interior

Cleaning)

No

Diesel Shops and

Yards

Locomotive Daily Inspection Yes

Diesel Coach (C3) Periodic

Inspection

Yes

Diesel Locomotive Periodic

Inspection

Yes

Running Repairs of Diesel

Locomotive and Coach Equipment

Yes






Maintenance of

Equipment

Diesel Shops and

Yards

Reliability-Centered Maintenance,

Fleet Modifications and Heavy

Repairs

Yes

DH Coach EIC Cleaning No

Diesel Hauled Coach Toilet

Servicing

No

Quality Assurance &

Control

QC Inspections of Periodic

Inspections, RCM, Fleet

Modifications, etc. done in MofE

repair shops

Yes

QC Inspection of MU DH Fleets:

Extraordinary Interior Cleaning

(EIC), Lay-Up Cleaning (LUC) and

Turn Around Cleaning

Yes

MU and DH Fleets: Toilet

Inspection

No

DM Locomotive Shoe Beam

Cleaning Inspections

Yes

In-Service HVAC Temperature

Survey

No

Perform surveys as requested by

Management, Performance

Improvement Team (PIT) / Task

Forces or Engineering

Yes

MofE Administration

Recovery information and report

coordination

Yes

Fleet Analysis and Document

Control

Yes

Office of

Management &

Budget

N/A

Operating Budget – Budget

Submission

Yes

Development of Monthly

Financial Package

Yes

Operating Funded Capital Budget

Project Selection and Monitoring

No

Operating Budget Impact No

Office of Security Pass Office

Pass Issuance, Destruction and

Property Access

Yes

Pass Issuance to Employees Yes

Issuance of Transportation Pass

and ID only to Contractors

Yes

Employee status changes

(terminations, retirements, etc.)

Yes






Office of Security

Pass Office

Recovery and Destruction of

invalid/expired Employee,

contractor passes and voided stock

Yes

Review and Approval of Medical

Certification forms submitted by

applicants requesting permanent

transportation pass

Yes

Compliance Accident Reporting Motor Vehicle Yes

Annual Driver Qualifications Yes

Positive Train

Control

Manage Capital Project

Construction

Yes

Monitor Force Account Work for

Capital Projects

Yes

Procurement &

Logistics

Contracts Emergency Procurements No

PCard Administration

Monitor compliance with policy

and procedures.

Yes

Monitor maintenance of PCard

accounts

Yes

Stores

Material Handling – Receipts of

Materials

No

Procurement – Property

Management

No

Service Planning Scheduling

Produce Equipment Manipulation

Schedule

No

Produce Employee & Public

Timetables

No

Produce Crew Assignment Books No

Stations

Customer Service

Program

Administration of CAP Database No

CAP Activation – Planned &

Unplanned (Emergency) Events

No

CAP Notification No

Lost & Found

Stations

Manage Lost & Found Operations

Penn Station & Island Stations

No

Lost & Found at Penn Stations No

Tickets Sales

TOM Reporting of Cash Receipts

by Ticket Clerks

Yes

TVM Reporting of Cash Receipts Yes

TOM Reporting of Ticket Sales by

Ticket Clerks

No






Stations

Ticket Sales

TVM Reporting of Ticket Sales No

Penn Ticket Remittance Operation No

Maintaining & Distributing Ticket

Stock

Yes

Station Operations

Recording Ronkonkoma Garage

Monthly & Daily Sales

Yes

Ronkonkoma Garage – Refund

Transactions

Yes

Recording Ronkonkoma Garage

Monthly & Daily deposit

Yes

Recording of Mineola Garage

Daily Ticket Sales & Monthly

Reimbursable Operating Expenses

Yes

Recording of Mineola Garage

Monthly and Daily Deposit

Yes

Mineola Refund Transaction Yes

MIC Garage Maintenance

Requirements

Yes

Managing Penn Station Cleaning

Contract with Fed Cap a subsidiary

of NYSID

Yes

Special Services – Sell to

Customers

No

Station Cleaning

Audit Sales and Inventory Activity No

Monthly Expense & Revenue

Reporting

No

Special Services

Inventory Control -Maintain and

Track Purchase Order

No

Transportation

Services

Safety

Compliance with Federal

Mandates & Safety for Hours of

Service

Yes

Compliance with Federal

Mandates & Safety – Random

Drug Testing

Yes

Engineer Certification No

Safety Inspections & Safety

Discussions

No

Train Movement Tower Inspections Yes

Train Dispatchers Yes






Transportation

Services

Train Movement

Monitor TIMACS & OTP

Reporting

Yes

On-Board Fare Collection Yes

On Board Test Team Yes

NYAR Qualifications of Freight

Operators

Yes

Train Consist Compliance No

Safety Observations – Workplace

Safety

No

Safety Observations – Train

Operations

No

Internal

Administration

Payroll Processing & Exceptions

Claims Resolution

Yes

Requisitions No

Agency Reimbursements – Capital

Projects

No

Administer Flagging Needs No

Identifying Needs for Certain

Essential Personnel

No

Addressing Customer Complaints No

MTA Metro-North Railroad - Significant Business Processes


Budget Preparation and Monitoring of the

MNR Financial Plan

No

Capital Programs

Construction

Management

Capital Project Emergency Response Yes

Capital Project Quality Compliance No

Capital Project Safety Compliance Yes

Capital Project Security Compliance No

Program

Management

Capital Project Management

– Bridges, Tunnels, and Track

No


– GCT

No


– Power

No


– Rolling Stock

No




MTA Metro-North Railroad - Significant Business Processes – cont’d.


Capital Programs

Program

Management


– Shops, Yards, Environmental, and

Special

No

Project Controls

and Technical

Services

Capital Project Status Reporting No

Controller

General and

Subsidy Accounting

Capitalization of Fixed Assets Yes

Financial Statements Preparation

– External

No

FTA – NTD Regulatory Reporting

Requirements

Yes

Passenger Revenue

Accounting

Credit and Debit Fees Reconciliation No

Mail and Ride Ticket Program

Management

Yes

Operations Revenue Reporting No

Ticket Refunds Yes

Ticket Revenue Management Yes

Ticket Sales Reconciliation to Banks Yes

Ticket Stock Management Yes

Payroll and

Timekeeping

Leave Balance Payouts Management Yes

Leave Balance Payouts OT&E Yes

Leave Balance Payouts T&E Yes

Time and Labor Payroll Close

Process

Yes

Corporate and Public

Affairs

Manage the Metro-North Website No

Promotional Programs No

Corporate Compliance

and Strategic

Initiatives

Manage the Internal Control

Program

No

Customer Service and

Stations

CS&S

Administration

Manage CS&S Vendor Contracts No

Manage Parking Facilities Program Yes

Station and Customer Information

Distribution

No

Timetables and Schedules No

GCT Services Trackside Commissary Operations

and Sales

Yes






Customer Service and

Stations

Ticket Sales and

Service

Manage Ticket Sales (Stations and

TRO)

Yes

Manage Ticket Sales (TVM) Yes

Diversity and EEO EEO Office

Investigate Discrimination

Complaints

Yes

Mandatory EEO Reporting Yes

Human Resources

Human Resources

Administration

ADA Compliance No

Avoidance of Nepotism Yes

Dual Employment Yes

Employee Background Investigations Yes

Employee Separation Process Yes

Extended Sick Leave Management No

Family and Medical Leave Case

Management

Yes

Hiring Process-Agreement Yes

Hiring Process-Non-Agreement Yes

Military Leave Management Yes

Pre-Employment and Promotional

Testing

No

Occupational

Health Services

Manage the Vendor Health Care

Contract

No

Pre-Placement/Periodic and

Mandated Medical Exams

No

Provide Return to Duty

Examinations

No

Safeguard Employee Medical Records No

Training and

Development

Provide Mandated Employee

Training

Yes

Training Program Development Yes

Training Recordkeeping No

Labor Relations

Departmental

Hearings,

Investigations and

Labor Costing

Manage Departmental Hearings and

Investigations

No

Legal Claims Services Claims Management No






Legal

Environmental

Compliance and

Services

Handling Regulated Waste Yes

Prepare Annual Environmental

Audit

No

Stormwater Management Yes

General Counsel

Litigation (Non Claims) Case

Management

No

Oversee Agency Records

Management Program

No

Maintenance of

Equipment

Assistant Chief

Mechanical Officer

Identification and Repair of In-

Service Rolling Stock Failures – H&H

Yes

Identification and Repair of In-

Service Rolling Stock Failures – NHL

Yes

Perform Calendar Day Mechanical

Inspections – H&H

No

Perform Calendar Day Mechanical

Inspections – NHL

No

Perform Maintenance H&H per MNR

RCM Requirements

Yes

Perform Maintenance NHL per MNR

RCM Requirements

No

Perform Periodic Safety Inspections

H&H – FRA Required

No

Perform Periodic Safety Inspections

NHL – FRA Required

No

Repair Rolling Stock In Service

Failures – H&H

Yes

Repair Rolling Stock In Service

Failures – NHL

No

M of E Budget and

Administration

Manage M of E Vendor Contracts No

M of E Timekeeping Yes

Maintenance of Way Communications

and Signals

Grade Crossing Inspection and

Maintenance

Yes

Maintenance and Repair of Customer

Information Systems at Stations

Yes

Maintenance and Repair of Security

Systems

No

Monitoring Employee Hours of

Service (HOS) Regulations

Yes

Provision and Management of

Telecommunications Services

No






Maintenance of Way

Communications

and Signals

Signal Inspection Yes

Signal Maintenance and Repair Yes

M of W

Administration

Manage M of W Vendor Contracts No

M of W Timekeeping Yes

M of W Material

Management

Issuance of Standard Stock Material Yes

Maintain Warehouse and Inventory

Security

Yes

Perform Inventory Cycle Counts Yes

Receipt of Standard Stock Material Yes

Power

AC Substation Inspection - NHL Yes

Catenary Inspection and

Maintenance

Yes

DC Substation Inspection - H&H Yes

DC Traction Power Inspection Yes

Third Rail Cyclical Maintenance No

Track and

Structures

Annual Bridge Inspection Yes

Bridge Maintenance and Repair Yes

Equipment Run Track Inspection Yes

Facility Inspection Yes

Facility Maintenance and Repair Yes

Inspection, Maintenance, and Repair

of Work Equipment

No

Load Ratings for Bridges Yes

Station Inspection No

Station Maintenance and Repair No

Track Maintenance and Repair Yes

Visual Track Inspection Yes

Office of the President Correspondence Handling Yes

Office of System Safety

Asbestos and Lead Abatement

Activities

No

Conduct Field Investigations Yes

Emergency Preparedness Planning

Training and Exercises

No

GCT Fire Brigade and Emergency

Medical Services

No

Investigate Personal Injuries Yes

License Monitoring Yes






Office of System Safety

FRA Accident/Incident Reporting

(49 CFR Part 225)

No

System Safety Program Plan (SSPP) No

Operations

Operating Capital

Projects, Budgets,

and Controls

Management and Monitoring of

Diesel Fuel

Yes

Management and Monitoring of

Heating Fuel

Yes

Support Force Account Management

and Perform Project Control

Functions

No

Operating Rules

Develop, Publish and Distribute

Operating Rules and Procedures

No

Manage the Efficiency Testing

Program

No

Random Drug and Alcohol Testing Yes

Operations

Administration

Fuel Card Management and Fuel Use

Monitoring

No

Non-Revenue Vehicle Management

and Monitoring

No

Operations

Analysis and

Equipment

Utilization

Fleet Management No

Planning

Operations

Planning and

Analysis

Monitoring and Reporting Ridership No

New Fare Payment Systems No

Schedule Development and

Implementation

No

Procurement and

Material Management

Material

Management

Asset Disposition Yes

Issuance of Standard Stock Material No

Maintain Warehouse and Inventory

Security

Yes

Perform Inventory Cycle Counts Yes

Receipt of Standard Stock Material No

Procurement Non-

Operations

Competitive Procurements –

Capital/Non-Operations

Yes

Contract Administration –


No






Procurement and

Material Management

Procurement Non-

Operations

Emergency Procurements –


Yes

Non-Competitive Procurements –


Yes

Procurement

Operations

Competitive Procurements –

Operations

Yes

Contract Administration –

Operations

No

Emergency Procurements –

Operations

Yes

Non-Competitive Procurements –

Operations

Yes

P&MM

Administration

Procurement Card Management and

Monitoring

No

Security

Manage the MNR Credentialing Yes

Oversee and Review Security

Elements of Projects

Yes

Security Management Yes

Security Systems Administration Yes

Security Systems Configuration

Change Management

Yes

Transportation

Conductor

Qualification and

Licensing

Conductor Compliance Evaluation

Management

Yes

Licensing Conductors Yes

Monitor Conductor Compliance Yes

Monitor Conductor Service Revenue

Remittances

Yes

Field Operations

Monitor Train Crew Performance –

Engineers and Conductors

Yes

Provide and Monitor Conductor

Flagging

Yes

Yard Operations Yes

Finance,

Administration and

Crew Management

Crew Dispatch Operations Yes

Lost Time Control/Claims Processing No

Pick Selection Process No

T&E Staffing Yes






Transportation Operations Control

Center

Capital Construction Track Usage

Coordination

Yes

Daily Routing of Trains Yes

Process and Prepare System-wide

Notifications and Information

Distribution

Yes

Provide Required on the Job OCC

Training

Yes

Right of Way Safety Protection Yes

MTA New York City Transit - Significant Business Processes


Department of

Subways

Maintenance of

Way/Electronics

Maintenance Division

Emergency Alarm and Telephone

Inspections

Yes

CCTV Monitoring Equipment

Inspections

Yes

Access and Intrusion System

Inspections

No

Employee and Customer Safety Yes

Maintenance of Way/

Engineering

Random Signals Inspection Audits Yes


Maintenance of

Way/Track

Third Rail Inspections Ye

Track Inspections Yes

Employee and Customer Safety No

Unauthorized Access Prevention:

Third Rail CBH (Circuit Breaker

House)

Yes

Maintenance of

Way/Infrastructure

Repair Structures Defects Identified

by MOW Eng. Inspections

No

Fire Suppression System

Inspections

Yes

HVAC Equipment Inspections No


Lead Particulate Management Yes




MTA New York City Transit - Significant Business Processes – cont’d.


Department of

Subways

Maintenance of

Way/Infrastructure

Asbestos Handling No


Hydraulic Facilities, Emergency

Exits

Yes

Maintenance of

Way/Power

Substation Power Equipment

Inspections

Yes

Emergency Alarm Panel

Inspections

Yes

SCADA System Tests Yes


Revenue Meter Reading Yes

Asset Management No

Maintenance of

Way/Electrical

Signals

Preventive Maintenance of Signal

Equipment

Yes

Supervisory Signal Equipment

Inspections

Yes

Open or Grounded Track Wire

Replacement

No


Maintenance of

Way/Elevators and

Escalators

American Society of Mechanical

Engineering Inspections

No

Preventive Maintenance of

Elevators and Escalators

Yes


Maintenance of

Way/Operations

Support

Division-Wide Safety Oversight Yes

Safety Training Yes

Timekeeping Yes

Dual Employment No

Random Drug Testing Yes

Program Compliance

Hearing Conservation

Program Compliance

Yes

Medical Scheduling Yes

Procurement Cards Yes

Division of Rapid

Transit Operations

Reporting Defective Car

Equipment

Yes






Department of

Subways

Division of Rapid

Transit Operations


Fitness for Duty Yes

Supervisory Critiques and

Evaluations of Customer Safety

Yes


Towers

No

Gap Filler Emergency Procedures Yes

Division of Stations

Station Inspections No



Electrical Distribution/Power

Rooms

Yes

Revenue Accountability Yes

Division of Car

Equipment

Passenger Car Inspections Yes


Inspections of Material Upon

Delivery

No

Staten Island Railway

SMS of Brake Valves Yes

Signal Inspections Yes

Switch Inspection Yes

Track Inspections No


Safety Training No

Revenue Accountability Yes

Random Drug Testing Program

Compliance

No

Hearing Conservation Program

Compliance

Yes

Capital Programs Department of Subways In-House


No

Department of

Security

Access to Loading Dock &

Receiving Area: Livingston Plaza

Yes

Challenging for Pass ID at Points of

Entry

Yes

Visitor Entry into Facilities Yes

Monitoring Employee Driver’s

Licenses

Yes






Department of

Security

Protection of Social Security

Numbers

Yes

Electronic Access Control

Functionality

Yes

Patrol Train Yards for Graffiti and

Vandalism

Yes

WMD HazMat Team-Minimum

Staffing/ Required Training

Standards

Yes

WMD Detection Equipment

Functionality

Yes

Audit CCTV Video Functionality

into the Security Command Center

Yes

Department of Buses

Restrict Access to Random Drug

Testing Scheduling

No

Review and Approval of Facility

Inspections

Yes

Timely Notification to Employees

for Random Drug Testing

No

Random Drug Testing Attendance No

Review of Contract Work

Performed

Yes

Monitoring and Approving

Contract Work Performed

Yes

Random Drug Testing No-Show

Failures

No

Maintain Random Drug Testing

Documentation

No

Contract Work Initiation and

Authorization to Proceed

Yes

Daily Fuel Reconciliation No

Procurement Card Usage Yes

Identification of Vehicles Yes

Fuel Reconciliation Variance No

Monitoring of Carriers Yes

Ten day Fuel Reconciliation

Review

No

Scheduled Program Maintenance Yes






Department of Buses

Fuel Sampling No

Pre-Trip Inspections No

Daily Facility Inspection Yes

Central Maintenance Facility

(CMF) Inspections

Yes

Bus Accident Monitoring &

Administration

Yes

Bus Operator Monitoring Yes

Material Purchases Authorization No

Project Management Review &

Approval

No

Procurement Card Purchase

Verification

Yes

Fuel Delivery No

Procurement Card Review and

Approval

Yes

Contract Work Request Approval

Process

Yes

Daily Fuel Reconciliation Review No

Department of

Capital Program

Management

Contractor Payments Verifications No

Additional Work Orders (AWO’s)

Verifications

Yes

National Environmental Policy Act

(NEPA) Review of Projects for

Federal Funding

Yes

Estimating/Cost

Control Compliance

Yes

Schedule Control

Compliance

No

Department of the

Executive Vice

President

Office of the

Controller

Process Release of Retainage Yes

Process Final Payments Yes

Preparation of Bidder Evaluations Yes

Control Letters of Credit No

Control and Coordinate the

Recording, Analysis and Disbursing

of all Third Party Contract

Payments and Documentation

No




MTA New York City Transit – Significant Business Processes – cont’d.


Department of the

Executive Vice

president

Office of the

Controller

The Receipt, Recording and Timely

Billing of all Force Account

Expenditures

Yes

Quarterly Forecast of Actual to

Budget Expenses

No

Reconciliation of Position Strength

Report Authorized Positions to

Active Employee Listing

Yes

Oversee the Internal Control

Program

Yes

Oversee the Controlling and

Safeguarding of NYCT Furniture

and Equipment

No

Protecting of Social Security

Numbers

No

Office of

Management and

Budget

Report Ridership Numbers Yes

Quarterly Hiring Plan No

Monthly Report to the MTA Board Yes


Numbers and Other Sensitive

Employee Information

No

Report Fare Box Revenue Yes

Division of

Operations Planning

Billing for NYCDOT Bus Stop

Changes in Accordance with

NYCT’s Bus Stop Contract

Yes

Division of Supply

Logistics

Vendor Receipts Yes

Issuance of Material to End User Yes

Receipts and Issuance of Tools Yes

Control of High Pilferage Items No

Receipt and Issuance of Gas and

Diesel Fuel

Yes

Division of Materiel

Material Information Reporting Yes

Distribution of Sensitive

Procurement Documents

Yes

Monitor Vendor On-Time

Performance

No

Maintain an Effective Staff

Summary Process

Yes

Award of Contractual Options and

Modifications

Yes




MTA New York City Transit – Significant Business Processes – cont’d.


Department of the

Executive Vice

President

Division of Materiel

Protecting Social Security Numbers

and Other Sensitive Information

No

Procurement Card Administration No

Division of Revenue

Control

Oversee Operation and

Maintenance of Security

Equipment/Systems at Revenue

Control Facilities

Yes

Provide Oversight of Contracted

Armed Security Services for

Protection of Revenue, Fare Media,

and Employees

Yes

Security of NYCT Handguns Listed

on the Division of Revenue

Control’s Gun Custodian License

Yes

Process MetroCard Vending

Machine (MVM) Revenue

Yes

Process Subway Booth Revenue Yes


Hearing Conservation Program Yes

Transport and Secure MetroCard

Vending Machine (MVM) Revenue

Yes

Transport and Secure Subway

Booth Revenue

Yes

Safeguard and Control Debit/Credit

Card Information

No

Division of Human

Resources

Maintain Protection of Social

Security Numbers

Yes

Dual Employment No

Enforcement of Nepotism Policy Yes

Administer Health Benefits Vendor

Payments

Yes

Pharmaceutical Rebate Credit

Reimbursements

Yes

Hearing Conservation Program Yes

Drug and Alcohol Testing Yes

Work Life Services No

Infectious Waste Disposal No

Division of Special

Investigations &

Reviews

Conduct Investigations and

Reviews

Yes

Use of Procurement Card No

Safeguarding Authority Assets Yes






Office of Equal

Employment

Opportunity

Pre-complaint and/or Intake

Process for Employees’ Complaints

of Discrimination

Yes

Pre-complaint and/or Intake

Process for Customers’ Complaints

of Discrimination

No

Prepare Letters from the President

on EEO, Sexual and Other

Discriminatory Harassment and

Respect in the Workplace Policies

Yes

Protect and Safeguard Social

Security Numbers

Yes

Prepare and Submit Biennial EEO-

4 Report to the Equal Employment

Opportunity Commission (EEOC)

on the Gender, Race, and Ethnic

Demographics of NYCT’s

Workforce

No

Eliminate the Hard-copy

Distribution of Documents and

Reports in Favor of Electronic

Distributions

Yes

Monitor all Applications for Dual

Employment for Compliance with

NYC Transit Policy

No

Safeguard NYC Transit Assets Yes

Department of Labor

Relations


Numbers

Yes

Use of Procurement Card No

Department of

Corporate

Communications


Numbers

No

Office of System

Safety (OSS)

Site Evaluations of Large Quantity

Generators of Hazardous Waster

Yes

Policy/Instruction Compliance

Oversight Technical Assistance

Yes

Contract Management/

Administration

Yes

Job Task Evaluations Yes






Office of System

Safety (OSS)

Chemical Product Evaluations Yes

Hearing Conservation Program –

Data Analysis

Yes


Reporting

Yes

Hearing Conservation Program -

Audits

Yes


P/I Update/Maintenance

Yes

Mercury Bulb Recycling Contract

Management/

Administration

No

Safeguarding Authority Assets No

NYC Department of Labor (DOL)

SH-900 Summary Report

Yes

NYC Department of Labor (DOL)

SH-900 Log Report

Yes


Numbers

Yes

Dual Employment Yes


OSS Managed Asbestos Abatement Yes

CPM Managed Asbestos Abatement No

Investigate Collisions and

Derailments

Yes

Investigate Fatal Employee

Accidents

Yes

Investigate “ Near Miss “ Incidents Yes

Investigate Multiple Injury Bus

Collisions

Yes

Investigate Fatal Accidents Yes

Investigate Mechanical Failures &

Bus Fires

Yes

Witness the Acceptance Testing of

Fire Detection and Suppression

Systems

Yes

Perform Fire Life Safety Oversight

of Operating Procedures & Policies

Yes

Joint OSS/TWU Track Safety

Inspection

No




Part 3. Significant Business Processes Identified During the 2015-16 Review

Process Material weakness or significant deficiencies revealed during the

2015-16 review process

MTA – Enterprise – Material Weakness/Significant Deficiencies

There were no material weakness or significant deficiencies revealed during the 2015-

16 review process.

MTA Bridges and Tunnels – Material Weakness/Significant Deficiencies

MTA Bridges and Tunnels conducted 158 internal control reviews in 2015, including

a number of safety audits in accordance with the All-Agency Safety Initiative. There

were no significant deficiencies revealed during the 2015-16 review process.

MTA Bus Company – Material Weakness/Significant Deficiencies

There were no material weakness or significant deficiencies revealed during the 2015-

16 review process.

MTA Capital Construction – Material Weakness/Significant Deficiencies

Subsidiary Subdivision Second Avenue Subway (SAS) Project

Business Process Overall Risk Ranking Project Security Compliance Medium

Weakness/Deficiency: Site assessments of the security procedures at SAS were conducted to evaluate

compliance with the site security plans disclosed the need to implement stronger

security controls at SAS. Specifically, the site assessments disclosed certain

weaknesses specific to access, perimeter, and inventory controls. The responsibility of

project security lies with the contractors hired by MTACC and they are responsible

for maintaining adequate site security procedures and for adhering to the security

specifications listed in the contracts with MTACC.

Corrective Action: MTACC has directed the contractors and construction

managers (CM) to implement stronger security controls. Specifically, the contractors

and CM’s have been instructed to immediately evaluate and fortify site perimeter, and




to improve accountability over site access to ensure that there are adequate

monitoring of the perimeter during off shifts hours. As a result, counter measures

have been implemented to improve perimeter controls over personnel entering the

construction site.

Subsidiary Subdivision East Side Access (ESA) Project Information Management

Business Process Overall Risk Ranking Computer Systems Data Security Medium

Weakness/Deficiency: Although anti-virus software was in place on both servers and computers

and all incoming emails were being scanned, a new strand of virus was

introduced that was not yet supported by the antivirus software provider.

As a result, the ESA Computer System was compromised and a robust

virus was introduced into the network encrypting files on the servers and

workstations. The ESA network was subsequently restored with some

data lost.

Corrective Action: ESA brought in external consultant support to assist with identifying the

source of the breach and with recovery. MTACC met with MTA IT and

conferred with the service providers to evaluate the system's security to

take steps to protect the rest of the systems and to identify next steps.

ESA has instituted new procedures to scan all incoming email and

restricting access to unsafe or inappropriate websites. Additionally,

MTACC commissioned an independent consultant to investigate and

report on the breach and security improvements.

Subsidiary Subdivision East Side Access (ESA) Project Information Management

Business Process Overall Risk Ranking Computer Network System Disaster Recovery Medium

Weakness/Deficiency: The ESA Computer System was compromised and a robust virus was introduced into

the network encrypting files on the servers and workstations. The anti-virus software

failed to detect or stop the introduction of this virus. As a result, the ESA network

was offline. Although IT was able to restore the systems using the backup files, there

were some data lost. Also, the last disaster recovery test was conducted two years ago

by IT.




Corrective Action: ESA brought in external consultant support to assist with identifying the source of the

breach and with recovery. MTACC met with MTA IT and conferred with the service

providers to evaluate the system's security to take steps to protect the rest of the

systems and to identify next steps. MTACC commissioned an independent

consultant to investigate and report on the breach and security

improvements. The disaster recovery plan will be updated within the next six

months and will be reviewed by the independent consultants to ensure completeness.

Subsidiary Subdivision East Side Access (ESA) Project

Business Process Overall Risk Ranking Project Security Compliance Medium

Weakness/Deficiency: Site assessments of the security procedures at ESA were conducted to evaluate

compliance with the site security plans disclosed the need to implement stronger

security controls at ESA. Specifically, the site assessments disclosed certain

weaknesses specific to access, perimeter, and inventory controls.

ESA has developed a Project-wide Construction Safety and Security

Management Plan to address the management philosophy and basic

requirements for security during the construction phase. While ESA is

overall responsible for project site security, ESA has hired a security firm to assist

with the execution of ESA’s site security plan. The security firm is responsible for

adhering to the project-wide construction safety and security management

plan and for following the security specifications listed in the contracts with

MTACC.

Corrective Action: Immediate steps were taken to remove the current security company in

favor of procuring a new firm. ESA will assess the adequacy of its current

project-wide construction safety and security management plan to protect

ESA assets. Additionally, in procuring the new security firm, ESA will ensure

that any security weaknesses identified are addressed when procuring a new

security firm.




MTA Long Island Rail Road – Material Weakness/Significant Deficiencies

Subsidiary Subdivision Controllers’ Office Disbursements & Time and

Attendance

Business Process Overall Risk Ranking Utility Control Medium

Weakness/Deficiency: The LIRR Utility Control Group is responsible for: reviewing PSEG/LI Traction

power invoices for accuracy and submitting them to BSC for payment; maintaining a

database of invoices to monitor issues; and contacting vendors with incorrect billings

and ensuring that MTA BSC is contacted regarding payment errors and uncashed

checks. Overall the controls evaluated were working as intended. However, although

the LIRR Utility Group intended to review the branch line analysis in 2015, the

analysis was not performed because of staffing constraints. Nevertheless, as a result of

communications between LIRR and PSEG LI, the issues below were identified and

corrected.

a) LIRR has been constantly questioning PSEG LI about the accuracy of invoices and

as a result, on April 19, 2016, PSEG LI advised LIRR, that from January 2014 to

February 2015, PSEG LI had inadvertently overbilled LIRR $1.92 million because

of a branch line analysis over-estimation error that occurred when two meters

were not operating and the estimates were not proportioned. As a result, PSEG LI

refunded LIRR in the form of credits in subsequent invoices and a check was

issued in May 2016 for the remaining balance.

b) In December 2013, the PSEG LI advised the LIRR about an increase in the energy

rates to offset decreases in other rate categories such as, New York State

Assessment and Payments in lieu of Taxes. Because of these rate changes, on April

13, 2016, PSEG LI informed the LIRR that for 2015, $52,068 is due to the LIRR.

Subsequently, on June 28, 2016, PSEG LI reduced its computation of the amount

due for 2015 to $49,775, after taking into account an adjustment for the branch

line over-estimation error. However, the LIRR Utility Group plans to review the

accuracy of the PSEG LI’s computed credit.

Corrective Action: Review the PSEG LI branch line analysis. The review should check that the branch

analyses are in accordance with the estimation methodology that the LIRR agreed to

with LIPA/PSEG LI and that the computations are accurate. Estimated Implementation Date – 3rd Qtr. 2016




Subsidiary Subdivision Corporate Safety Fire Marshal

Business Process Overall Risk Ranking Incident Response and Investigations Low

Weakness/Deficiency The Office of the Fire Marshal (OFM) is responsible for: developing an SOP regarding

the performance of investigation incidents; performing trend analysis, noting repeat

incidents; reporting on the remediation and planned action to be taken to correct

deficiency noted; conducting quarterly meetings with departments to discuss the

implementation of open recommendations; and performing field visits to verify

implementation or status of recommendations.

Based on the review of the above controls, SOPs for the OFM and the Investigations

& Analysis Groups are not yet finalized and currently in draft status. Additionally,

trend analysis to identify repeat incidents was not performed as the Investigations &

Analysis Group is currently recruiting. Reporting of incident remediation and

corrective actions is not properly documented. There is no evidence to indicate that

quarterly meetings are being held with departments to discuss the implementation of

open recommendations, or that periodic field visits are being held to verify the status

of implementation of recommendations.

Corrective Action The SOPs for the Fire Marshal and the Investigations Analysis Group will be finalized

by 4th Qtr. 2016. The Investigations & Analysis Group is currently awaiting new

hires. The trend analysis will begin in 4th Qtr. 2016. Meetings and field visits will be

held and documented. Incident remediation and response criteria is already

established and expected to be finalized by 4th Qtr. 2016. OFM will update the

spreadsheet to reflect current status of identified items. Estimated Implementation Date - 4th Qtr. 2016. Subsidiary Subdivision Corporate Safety Safety Operations

Business Process Overall Risk Ranking Corporate Safety Compliance & Audits High




Weakness/Deficiency Safety Operations is responsible for: evaluating whether the System Safety Program

plan is up to date; maintaining Standard Operating Procedures (SOPs) for performing

compliance evaluation; assigning dedicated staff to a number of high risk compliance

evaluations and monitoring performance against the goals; establishing a risk based

prioritization of areas to perform compliance reviews; and reporting on the

remediation and planned action to be taken to correct deficiency noted.

Based on the review of the controls evaluated: a) the current version of the System

Safety Program Plan states in Section 3.4.1 that the plan shall be reviewed and

updated semi-annually. However it was conveyed that the frequency was an error.

The review frequency was intended to be performed every two years. b) SOPs for

performing compliance evaluation are currently in draft status. c) A 2014 spreadsheet

for tracking customer accident data was provided; however the 2015 spreadsheet was

not available during the review. In addition, there was no matrix for the risk based

prioritization due to position vacancies. d) There are no reports available for

Roadway Worker Protection and Investigations and Analysis, e) no report was

available on the remediation and planned action to correct deficiencies.

Corrective Action a) The review of System Safety Program Plan will be incorporated in the Safety

Management System (SMS) when the Federal Final Rule is finalized. b) SOPs will be

finalized (i.e., Roadway Worker Field Compliance Manager SOP). c) The

Investigations and Analysis Director is currently recruiting staff who will be

dedicated to compliance, evaluations and monitoring performance against goals. They

will resume compiling accident data in the existing spreadsheet. d) Newly established

groups will begin providing reports for the Roadway Worker Protection and

Investigations and Analysis, e) The new established groups will also report on the

remediation and status of corrective actions. Estimated Completion Date – 4th Qtr. 2016 Subsidiary Subdivision Transportation Services Train Movement

Business Process Overall Risk Ranking NYAR Qualifications of Freight Operators Very High

Weakness/Deficiency LIRR Transportation Services is responsible to maintain a list of NYAR personnel and

verify qualifications; if trained by LIRR, ensure training information is captured in

LIRR’s system; and verify that NYAR personnel carry current certification cards.




Although the LIRR maintains a copy of all NYAR Conductor and Engineer

Certification Cards, it is not common practice for LIRR Management to perform

inspections of NYAR Conductor/Engineers while out in the field.

Corrective Action Transportation will determine if it is feasible to perform on board certification card

checks and inspections of NYAR Conductors and Engineers. Estimated Implementation Date – 3rdQtr. 2016 Subsidiary Subdivision Corporate Safety Fire Marshal

Business Process Overall Risk Ranking Emergency Action Plans Medium

Weakness/Deficiency As of 2014, many of the existing EAPs had not been updated.

Corrective Action This item remains from the 2014-2015 review. An employee has been assigned the

task and has begun a systematic approach to achieve the goal of completing,

reviewing, and updating EAPs. Existing plans that are in draft stage, or have not been

updated over the last year should have better identifying labels on the H drive.

Alternatively, a running project list could be developed as a means of tracking

progress. As of September 2016, OFM is on schedule and anticipates completion of

the EAPs by the end of 4th Qtr. 2016. Estimated Implementation Date – 4th Qtr. 2016 Subsidiary Subdivision Transportation Services Administration

Business Process Overall Risk Ranking Time & Attendance High

Weakness/Deficiency This item remains from the 2013-2014 review. Yardmaster employees often work

overtime at the beginning or end of their shifts. In order to be paid, they are required

to complete a Yardmaster Time Slip, which should identify overtime hours worked,

describe tasks performed and indicate overtime approval.




In order to test the controls, 39 time slips submitted during May through August 2013

were reviewed. The 2014 review of those time slips revealed five (5) employees were

paid overtime without the supervisor’s approval. For two (2) of the five (5)

employees, the time slip simply referred to an agreement as a justification for the

overtime.

Corrective Action Transportation agrees that all Yardmaster Time Slips should be approved by a

manager and will re-instruct them to sign and print their names on the forms.

Additionally, the department will develop an “authorization sheet” listing authorized

managers who may sign the slips. Payroll Dispatchers will refer to the listing to verify

authorization. Employees will be notified of the revised procedure via email and a

Policy & Procedure will be implemented by the end of the 3rd Quarter 2014. With

the introduction of paperless time slips, scheduled for roll out by the 1st Quarter

2015, this issue will be addressed.

Pending the implementation of the Paperless Time Slips (PTS), managers on the

authorized list were instructed to sign and print their name on all Yardmaster Time

Slips. Additionally, new protocols were implemented in the Crew Management

Office, providing Transportation Services with the ability to make assessments and

perform random audits to ensure that all claims are paid accurately. Furthermore, in

February 2016, the Administration Group performed several assessments of the

Yardmaster time slip approval process and found that it is in compliance with the

protocols that were instituted.

Currently, MTAIT is waiting for approval to bring a consultant on board to complete

PTS. As such the completion date may change. Nevertheless, the Yardmaster time

slip approval process is still in place and being utilized by the Crew Management

Office to ensure that the time slips are properly approved.

MTA Metro-North Railroad – Material Weakness/Significant Deficiencies

Subsidiary Subdivision Maintenance of Way Communications & Signals

Business Processes Overall Risk Ranking

Grade Crossing Inspection and Maintenance Very High

Signal Inspection

Weakness/Deficiency: This item remains from the 2013-2014 review. As a result of the Federal Railroad

Administration’s (FRA) Operation Deep Dive review, the recordkeeping system used

by MNR for signal and grade crossing tests and inspections was deemed deficient.




The lack of an efficient electronic system to capture and record signal and grade

crossing test and inspection information could lead to insufficient testing/inspections

or tests not being performed according to their assigned schedules.

Corrective Action: As a building block to the MTA-wide Enterprise Asset Management (EAM) initiative

which is years away, MNR has retained a consultant to develop an interim MNR

EAM System to report infrastructure incidents and maintenance needs, generate and

track the close-out of corrective work orders, document inspections, condition

assessments, and collect historic data to improve the management of Maintenance of

Way physical assets. The initial implementation as part of a phased MofW

department by department rollout is scheduled to begin in 4Q2016 with continued

rollout throughout 2017 and thereafter. Once implemented, the new system will

enable improved scheduling and monitoring of signal and grade crossing inspection

and testing. These business processes were tested as part of the 2015-16 review, and

while improvements have been made the Corrective Action as described above is still

valid and necessary. Subsidiary Subdivision Maintenance of Way Track & Structures

Business Process Overall Risk Ranking Facility Maintenance and Repair Very High

Weakness/Deficiency: This item remains from the 2013-2014 review. As a result of an MTA Audit of

Facility Maintenance, a number of deficiencies were identified in the following areas

of Facility Maintenance and Repair: maintenance requirements; time standards and

the tracking of maintenance completion; and effectiveness of the Asset Management

System (AMS) for monitoring cyclical as well as corrective maintenance requests and

work completed.

Corrective Action: MNR Track and Structures Management hired a new Department Head to oversee

facility maintenance and repair. In addition, two Facility Inspectors have been hired

and a two more inspectors are expected in early fall 2016. The new leadership has

established a 30-day cyclical maintenance inspection program for all major MNR

facilities. A paper process is in place to document cyclical inspection findings and

follow-up. MTA IT has dedicated a resource to make the necessary modifications to

AMS which will streamline and improve upon the paper process. Beta testing is

currently underway.




As a building block to the MTA-wide Enterprise Asset Management (EAM) initiative







rollout throughout 2017 and thereafter. This business process was tested as part of the

2015-16 review, and while improvements have been made the Corrective Action as

described above is still valid and necessary. Subsidiary Subdivision Maintenance of Way Communications & Signals

Business Process Overall Risk Ranking Monitoring Employee Hours of Very High

Service (HOS) Regulations

Weakness/Deficiency: Based on 2014 testing of this process, inaccurate entries were found in the paper

employee records used for documenting Hours of Service (HOS) activity and

compliance. These records are not used for employee payment purposes, but the

records should reflect actual “on-duty” and “off-duty” times for each day. It is

important to note that no actual HOS violations were identified. Additional testing of

this process as part of the 2015-16 review showed continued control weakness, which

reinforces the need for the Corrective Action described below.

Corrective Action: As part of a Metro-North wide initiative to transition all HOS employees to electronic

recordkeeping, Maintenance of Way management is pursuing an electronic solution

to HOS recordkeeping and monitoring for HOS signal employees. An electronic HOS

(eHOS) system was implemented in 2014 for all train service employees, and

modifications to the system are planned to accommodate additional departments.

The implementation for signal employees is scheduled for 2Q 2017 and is dependent

on additional programming work and the provision of electronic hardware to

employees, which is being coordinated with MTA IT.

All HOS signal employees have been re-instructed on the importance of filling out

the paperwork to reflect actual “on-duty” and “off-duty” times for each day. In

addition, until the electronic system is implemented, periodic random checks will be

performed by the Managers who have HOS employees working within their

management center.




Subsidiary Subdivision Maintenance of Way Track & Structures

Business Process Overall Risk Ranking Track Maintenance and Repair Very High

Weakness/Deficiency: This item remains from the 2013-2014 review. As a result of several operational

incidents and subsequent external reviews in 2013-14 (National Transportation Safety

Board, Transportation Technology Center, Inc. (TTCI) and the Federal Railroad

Administration’s (FRA) Operation Deep Dive), MNR’s process used for Track

Maintenance and Repair and related follow-up actions was deemed deficient. The

process did not provide management with an effective way to record

scheduled/unscheduled maintenance and repairs; ensure corrective actions had taken

place; or identify and analyze trends. Management and staffing concerns were also

raised in the reviews and are being addressed through a comprehensive

reorganization of the Track Department.

Corrective Action: Multiple interim electronic databases for improved tracking and follow-up on track

repairs have been established. As a building block to the MTA-wide Enterprise Asset

Management (EAM) initiative which is years away, MNR has retained a consultant to

develop an interim MNR EAM System to report infrastructure incidents and

maintenance needs, generate and track the close-out of corrective work orders,

document inspections, condition assessments, and collect historic data to improve the

management of Maintenance of Way physical assets. The initial implementation as

part of a phased MofW department by department rollout is scheduled to begin in

4Q2016 with continued rollout throughout 2017 and thereafter. This business process

was tested as part of the 2015-16 review, and while improvements have been made

the Corrective Action as described above is still valid and necessary. Subsidiary Subdivision Maintenance of Way Track & Structures

Business Process Overall Risk Ranking Visual Track Inspection Very High

Weakness/Deficiency: This item remains from the 2013-2014 review. As a result of several operational

incidents and subsequent external reviews in 2013-14 (National Transportation Safety

Board, Transportation Technology Center, Inc. (TTCI) and the Federal Railroad




Administration’s (FRA) Operation Deep Dive), MNR’s process used for Visual Track

Inspection and related follow-up actions was deemed deficient. The manual, paper-

intensive process for recording inspections and found defects made follow-up and

close-out of required actions difficult to track, and therefore, did not provide

management with an effective way to: prioritize defects; ensure corrective actions had

taken place; or identify and analyze trends. Management and staffing concerns were

also raised in the reviews and are being addressed through a comprehensive

reorganization of the Track Department.

Corrective Action: As a building block to the MTA-wide Enterprise Asset Management (EAM) initiative







rollout throughout 2017 and thereafter. This business process was tested again in the

2015-16 review, and while improvements have been made the stated Corrective

Action as described above is still valid and necessary. This business process was tested

as part of the 2015-16 review, and while improvements have been made the

Corrective Action as described above is still valid and necessary.

MTA New York City Transit – Material Weakness/Significant Deficiencies

Subsidiary Subdivision Department of Subways Maintenance of Way/Track

Business Process Overall Risk Ranking Safeguarding Authority Assets Medium

Weakness/Deficiency: The review found that several items were not recorded in the inventory database and

management expressed concern that some Procurement Card purchases were not

recorded in the database. The review also revealed that inventory key distribution

records were not up to date and an inventory reconciliation was not performed as

required.

Corrective Action: Management will conduct semi-annual walk-throughs of inventory storage areas to

ensure that inventory items are bar-coded and recorded in the database.




The Division Head will instruct all Procurement Card holders to ensure that they

notify the Inventory Coordinator as to all inventory purchases, and provide the

necessary supporting documentation. Management will make sure that key

distribution lists are updated as required. Instructions for the annual inventory

reconciliation will come from the Division Head and will state the importance of

conducting the reconciliation annually. This activity will be retested in 2016.

Subsidiary Subdivision Department of Buses Facilities

Business Process Overall Risk Ranking Monitoring and Approving Contract Work High

Weakness/Deficiency: The review showed that the Facility Manager did

not close out work orders after work was completed.

Corrective Action: The controls will be redesigned to create a better

process for Facility Managers to close out work orders for work performed

by contractors.

Subsidiary Subdivision

Department of Buses Manhattan Division – Mother

Clara Hale (MCH) Depot

Business Process Overall Risk Ranking

Security/Daily Facility Inspection High

Weakness/Deficiency: The review showed that Supervisors failed to

complete the inspections accurately.

Corrective Action: All Line Supervisors were advised of the issues and

reinstructed on the proper procedures for completing the facility

inspections. The depot will retest the controls in the 1st quarter of 2016

once all the corrective actions have been incorporated.

Subsidiary Subdivision

Department of Buses Manhattan Division – MJ Quill

Depot

Business Process Overall Risk Ranking

Security/Daily Facility Inspection – High

Review and Approval




Weakness/Deficiency: The review showed that Supervisors failed to

complete the inspections accurately.

Corrective Action: All Line Supervisors were advised of the issues and

reinstructed on the proper procedures for completing the facility

inspections. The depot will retest the controls in the 1st quarter of 2016

once all the corrective actions have been incorporated.

Subsidiary Subdivision Department of Buses Manhattan Division – MJ Quill

Depot

Business Process Overall Risk Ranking Administration/Procurement Medium

Card Administration – NYCT DOB

Weakness/Deficiency: The review showed that statements were not submitted to the

cardholder’s immediate Supervisor and responsibility center Division

Head for review and approval.

Corrective Action: Management will be reinstructed on the proper procedures related to the

procurement card and their responsibilities to perform review and

approval.

Subsidiary Subdivision Division of Human Resources

Business Process Overall Risk Ranking Enforcement of Nepotism Policy High

Weakness/Deficiency: The majority of non-compliance issues were the result of Human

Resources representative not requesting, securing, or attaching

“Nepotism” forms for promotional actions.

Corrective Action: The New York City Transit, Division of Human Resources will ensure

compliance with the Anti-Nepotism Policy Directive 11-051 and the MTA

Code of Ethics by requiring incumbents to complete and submit a

Nepotism form with any promotional action.




E-mails were forwarded to all NYCT Department Human Resources

liaisons as well as Division of Human Resources representatives with

instructions pertaining the enforcement of Anti-Nepotism policies.

Subsidiary Subdivision Office of Labor Relations

Business Process Overall Risk Ranking Use of Transit Issued Gas Cards Low

Weakness/Deficiency: The review revealed that manual entries and/or lack of entries and

receipts by investigator(s) do not correspond with the monthly gas

purchased reports.

Corrective Action: There will be a monthly review/reconciliation of the investigators’ daily

sheets and verification with the monthly report of gas purchases to ensure

that there are no discrepancies or fraudulent transactions. In addition, a

review will be performed to ensure that all gas purchases are documented

with receipts.

Subsidiary Subdivision Office of System Safety EPIH/IH

Business Process Overall Risk Ranking Hearing Conservation Program – Very High

(HCP) Reporting

Weakness/Deficiency: The review revealed that No Personal Protective Equipment (PPE) Spot

Checks were scheduled to be performed by the Industrial Hygiene

Division (IH) during the first half of 2015. The IH Manager did not assign

staff to perform this task for the first half of 2015.

Corrective Action: The IH Division performed PPE Spot Checks for twenty (20) New York

City Transit bus depots. The IH Manager generated Outlook reminders to

ensure that IH staff performed tire changing PPE Spot Checks for twenty

(20) bus depots by 12/31/2015.




Part 4. The Internal Control Program Details 2015-16 (Include description of

program's organizational structure, operations significant accomplishments

and any planned enhancements/improvements)

MTA Bridges and Tunnels

The MTA Chief Compliance Officer disseminates information related to activities of

the Office of the State Comptroller with respect to internal controls at the quarterly

ICO meetings. Information regarding any significant changes is then provided to

applicable staff at all levels.

All information on vulnerability self-assessments, internal control testing, and

corrective action plans is captured and documented centrally and entered into one

PC-based tracking system. A component of this system documents the corrective

actions planned or taken. The documentation of corrective action plans are

periodically reviewed by the ICO for appropriateness as well as for open items. Based

on this review, the ICO requires DICCs to follow up with departmental management

to ensure that corrective action was taken as reported, and if not resolved, continue to

report changes in the status of these actions until they are resolved.

All departments establish a detailed risk-based testing plan that closely links control

testing frequency to the relative risk defined in each department's vulnerability

assessment. This allows managers to better plan for and allocate resources for testing.

Using this plan, each department establishes goals for testing with the ICO at the

beginning of the year.

Once activity managers perform control testing, the results of such testing are

reported to the ICO, after the respective DICC and Department Head have reviewed

the tests and signed off on the document. These enhancements have continued to

increase both the number and quality of internal control testing performed and

reported on each year.

In addition, MTA B&T has implemented, on its Intranet site, a section dedicated to

the B&T Internal Control Program. This section includes an Intranet based training

program for employees to obtain, on-line, basic awareness of internal control

concepts. It also contains B&T and MTA All-Agency Policies, internal control related

forms, and other information on the Internal Control Act, and internal control

standards and techniques.

In November 2015, a detailed classroom-based course on implementing the B&T

Internal Control Program and compliance with the Internal Control Act was provided

to selected managers.




In 2016, the effectiveness of departmental compliance with the B&T Internal Control

Program will be further reviewed, including evaluations of the adequacy of

vulnerability assessments and quality of internal control testing performed. Effective

2014, the B&T Internal Control Program was interfaced into the Compliance

Management Software System (GRC).

MTA Bus Company

The Chief Officer, Internal Studies and Operation Improvement is responsible for the

overall internal control program. The Director, Internal Controls manages the

program on a day-to-day basis. The Director is assisted by an Analyst. The Director

coordinates the internal control program with liaisons in each department. The

Director provides annual training to the liaisons and ongoing assistance and

mentoring through the year. Automated records of all aspects of the program are

maintained. In recent years, the Director has re-engineered many of the program

steps to provide increased structure and consistency. The Director will continue to

evaluate the program for further opportunities for economies and efficiencies

MTA Capital Construction

The Internal Control Program at MTACC is coordinated by the Director of

Internal Controls with assistance from the ICC. The program is ongoing and

includes a periodic review and self-assessment of MTACC’s functions and the

processes used to assure that objectives are achieved. Program areas and

departments are required to establish a detailed risk-based testing plan that

closely links control testing frequency to the relative risk defined in each

area’s vulnerability assessment. This plan allows managers to allocate

resources for testing. Using this plan, each area establishes goals for testing

with the ICC/ICO. The results of testing are reported to the ICO. Based on the

results of the tests a corrective action implementation plan is proposed for the

subsequent certification period.

Projects currently managed by MTACC are funded in part through the FTA

and are therefore subject to additional scrutiny. Supplemental testing of

project management controls for these projects are performed by an

independent engineering firm(s) hired by the FTA. Their recommendations

are incorporated into MTACC’s testing program.




MTACC capital project and program management activities are performed in

accordance with uniform methods, standards, procedures and guidelines

(established by MTACC, NYCT Capital Program Management and MTA

Headquarters), to assure that project management activities are performed

efficiently and in a manner that best serves the interests of MTACC.

MTACC’s system of internal control is based on New York State laws,

including standards developed by the State Comptroller such as: Standards for Internal Control in New York State Government.

The Standards for Internal Controls in New York State Government and MTA

Agency Wide Enterprise Risk Management and Internal Control Guidelines, are the source for MTACC’s training on internal controls. MTACC’s training

program also refers to applicable provisions of the Public Officers Law,

including rules on ethics and conflicts of interests. Included in the training

materials is the Managers Guide for testing compliance with internal control

requirements. Where applicable, we incorporate recommendations made by

the New York State Internal Control Task Force report.

Key features of the MTACC internal control program include:

Identifying, reviewing, and testing controls used to manage risk.

Developing and implementing corrective action plans where applicable.

Documenting control reviews, procedures, policies, and standards of

operation for key business activities.

Disseminating appropriate internal control information to employees,

including relevant departmental procedures.

The ultimate objective of the program is to provide reasonable assurance

that MTACC’s operations are functioning effectively and efficiently, and

that department goals are being achieved.

Information is communicated (for all projects) between and among all levels at

MTACC to help the Agency achieve its objectives in areas such as project

management, quality assurance, financial reporting and compliance.

Operations are monitored in two ways: through ongoing or continuous

monitoring of activities and through regular evaluations. The information

received as a result of this monitoring process is communicated to appropriate

management.




The ongoing or continuous evaluations are performed by the respective

Program Managers, Project Managers, Design / Construction Manager,

Construction Coordinators, Field Engineers and field personnel at site

locations. These individuals are responsible for verifying and documenting

that the contractor is completing the project according to contract

specifications. For example, production meetings are scheduled on a regular

basis to discuss items such as drawings, materials, fabrication, acceptance

testing and other issues relating to the production schedules.

More specifically; weekly staff meetings are held with all direct reports and bi-

weekly meetings are held with all Project Management Teams. On a monthly

basis MTACC reports to the MTA Board of Directors at their Capital Program

Oversight Committee and Finance Committee meetings. On a bi-monthly

basis a project status meeting is held with the MTA/MTACC Security Team.

There is also a quarterly oversight meeting with the FTA. Other meetings are

scheduled as needed.

Annual Risk “Vulnerability” Assessments are conducted by all departments to

ensure that their activities are still relevant. The risk assessments require the

departments to identify major business activities, to determine the ranking,

and to develop the related controls and tests to manage and mitigate the

identified risk. The ICC and Business Process Owners are responsible for

reviewing prior year vulnerability assessments with their departments and

coordinating their business process testing. Testing standards and results are

reviewed by the ICO to ensure compliance with standards.

The ICO updates and provides awareness training to the ICC and MTACC

Executives on good internal control practices. Additionally, the ICO provides

guidance to the ICC, departments and business process owners on assessing

risks, mitigating controls, and remediating control deficiencies. This includes

ongoing feedback on MTACC’s internal control process is reviewed annual to

ensure the adequacy of the program. Adjustments are made to the program

based on the review.




MTA Headquarters

Annual “Risk Assessments” were conducted by all departments where major business

activities were risk ranked and controls over those risks identified. Cycle testing is

used where all “high risk” items are reviewed annually and medium to low risk

ranked items are reviewed on a cycle of once every three years to once every five

years depending on rank level. In each previous cycle risks were adjusted up or down

to reflect changed conditions.

The vulnerability assessments from the prior year were sent to all departments and

reviewed with their Internal Control Coordinators.

As to items to be tested, each department with the assistance of the Internal Control

coordinator and the Internal Control Officer determined what the standards will be

for testing in their department. These standards must be consistent with the training

and re-training which the coordinators received from the Internal Control Officer on

testing.

Most test results were reviewed with department management. All test results were

reviewed by the Internal Control Officer. Items for which corrective actions were

required were noted and monitored. If any substantive issues were found they were

raised to the attention of senior management.

MTAHQ management is required to respond to each audit recommendation with a

corrective action plan detailing steps that have or will be taken to address the

recommendation. Since 2009 Corporate Compliance has monitored all outstanding

audits and reports to the MTA Audit Committee all audit recommendations that have

exceeded their planned implementation date by six months or more.

Quarterly requests to appropriate individuals for updates on the status of corrective

actions are performed.

Audit recommendations, corrective action plans and the vulnerability assessments are

stored electronically. MTA has begun to move the information to its new GRC

platform which will reduce paper, allow easier follow up via e-mails, maintain a

historical record, and allow easier transfer of information. Corrective actions that

have exceeded their implementation generate an email to both the individual

responsible for implementation and to Corporate Compliance.

MTAHQ continues to work with the new IT Department in consolidating IT risks

and controls and anticipates the process will fully completed in 2017.




MTA Long Island Rail Road

The Internal Control Program is administered and coordinated by the ICO who

delegates administration of the Program to the BPMCC’s DCAs under the supervision

of the Director, BPMCC. The DCAs work closely with the MOCAs throughout the

year ensuring that the elements of The Act are adhered to and the LIRR’s Program is

functioning as intended.

During 2015, the DCAs met with the various departments to ensure that the activities

on their Vulnerability Assessments are reviewed and updated to reflect their current

processes. Also, the DCAs participated in four (4) corporate training classes to provide

employee awareness of the internal control process. The 2013 new COSO framework

was presented to the attendees and the importance of its implementation is

continuously stressed.

Additionally, as we move toward the implementation of Governance Risk

Compliance (GRC) system, the subject was discussed with all MOCAs and the

departments’ VAs were updated to reflect the information required in GRC. As a

result, during 2015, all LIRR departments’ VAs, except one, are already entered into

the GRC system. BPMCC met with this last department to help develop their VAs,

which will be entered into the GRC system during the 3rd quarter of 2016.

MTA Metro-North Railroad

Metro-North’s Corporate Compliance unit is now comprised of four positions: a

Director of Corporate Compliance and Strategic Initiatives, who is the AICO; an

Assistant Director of Corporate Compliance; a Manager of Corporate Compliance; and

a Corporate Compliance & Strategic Analyst. The unit is expected to be fully staffed

by the Fall of 2016. Together, these positions are responsible for managing Metro-

North’s Internal Control Program. The addition of an Assistant Director level position

is intended to strengthen the unit’s corporate policy and procedure work as well as

increase the unit’s ability and capacity to assist Departments with their Internal

Control testing and documentation requirements.

The Corporate Compliance unit is also responsible for maintaining and updating

Metro-North’s corporate policies and procedures. The Director is a member of MTA’s

Enterprise Risk Management Committee, and works directly with the MTA’s Chief

Compliance Officer on MTA all-agency internal control and policy matters.




Finally, the Strategic Initiatives work of the unit serves Metro-North in a business

improvement capacity through a combination of strategic planning, business process

reviews, benchmarking and best practices work. The unit also performs audit liaison

work with MTA Audit Services and external auditors.

Departments have assessed their major functions with a focus on identifying and

assessing the most significant business processes which are critical to achieving their

objectives as a Department. Departments are all utilizing a consistent approach to

rating risk which is based on a comprehensive assessment of the significance of

impact and likelihood of occurrence of the risk. Corporate Compliance has continued

to make progress in the Testing of Internal Controls. Improvements have continued

to be made, in part based on the GRC’s system capabilities and our employees’

exposure and experience with the process. Testing instructions and results are more

clearly defined and reported in GRC. The ability to upload relevant testing

information and documentation and a thorough verification process provides

additional assurances that tests are being performed properly.

Accomplishments and improvements for the 2015-16 review are primarily

attributable to the maturity and experience of utilizing the GRC system and

continued improvements in departmental testing. With additional staff, the

Corporate Compliance unit has worked with Departments to increase the quality and

quantity of testing in this year’s review.

Planned enhancements for the internal control program in 2016 will focus on

increasing the use, functionality and efficiency of GRC. Additional staff will also

increase the unit’s capacity to work more proactively and strategically with

Departments to further improve testing and mitigate risk.

MTA New York City Transit

NYCT is the largest mass transportation system in the U.S. It provides subway, bus,

and paratransit services to the five boroughs of New York City. NYCT provides

customers with safe, convenient, comfortable, and reliable train and bus service by

the efficient and effective utilization of human, physical, and financial resources. In

pursuit of these goals, management and staff in the various operating and

administrative departments understand the importance of working together and

utilizing the available resources to ensure that customers receive the best possible

service. The President, Executive Staff, and Senior Management supported by

professional, technical, operational and administrative personnel, unite to form a

team that achieves these objectives.




Because of the complexity of its business, NYCT must comply with a variety of

Federal, State, and Local laws. In addition, it is subject to rigorous scrutiny and

oversight by regulatory agencies such as the NTSB, FTA, OSHA, and the New York

State Department of Labor. NYCT is also guided by internal policies and procedures

that outline and provide detailed instructions on how to perform major tasks within

the organization.

The Internal Control Process at NYCT is specified by Internal Control

Policy/Instruction (P/I) 1.8.1. This P/I incorporates directives from the Internal

Control Act, and State Comptroller’s Office and sets forth the requirements for each

department to establish and maintain a system of internal controls. The NYCT

program is predicated on vulnerability assessments and the ranking of activities based

on the level of risk assigned to each one. Departments must then develop a system of

controls to manage and mitigate the risk. The controls for selected high-risk activities

are tested on a cyclical basis to determine whether they are functioning as intended,

and the adequacy of those controls. If weaknesses are detected, the department must

submit an action plan and timetable for addressing and resolving the deficiencies.

The implementation of each corrective action is reviewed and monitored by the

Office of the Controller.

Follow-up on corrective actions taken to eliminate weaknesses is performed by

departmental personnel. The results of the departments’ review are monitored by the

Office of the Controller. A schedule of control weaknesses, corrective actions, and

dates of completion is prepared. The Office of the Controller corresponds with each

Internal Control Manager to ensure that all action items are completed satisfactorily

and timely, if cost beneficial. The status of weaknesses and related resolutions is

tracked via electronic systems.

NYCT has been proactive in coordinating and integrating the requirements of the

State Comptroller’s Standards for Internal Controls in New York State Government

that support a good internal control system. This is reflected by the fact that the

current Policy/Instruction (P/I) on Internal Control Policy cites the Office of the State

Comptroller as a major source of the information contained therein. The P/I refers to,

and incorporates excerpts from, the standards that are enumerated in the State

Comptroller’s guidance.

These references include, but are not limited to, the definition and purpose of internal

control, the specific techniques that provide the greatest assurance of a strong system

of control and the five components of an internal control program.




The Internal Control P/I also contains information regarding the ongoing evaluation

of activities, risks and controls and the periodic testing of controls to ensure that they

are functioning as intended; strategic planning to focus on the long range goals of the

organization in an effort to achieve its mission; and the role of the Internal Audit

function to perform independent reviews of the internal control program to assess its

effectiveness and recommend changes, if necessary.

This information has been widely distributed throughout the organization and has

become a part of its annual training effort. By recognizing and incorporating these

important concepts from the Standards for Internal Controls in New York State,

NYCT continues to enhance the quality and effectiveness of its internal control

program.

NYCT has developed a multi-faceted approach to effectively communicate

information within the organization. Formal memoranda from Senior Management

are distributed through a number of media channels to apprise staff of important

issues and changes that will be taking place. The specific means of communication

include distributions with paychecks, mass e-mail, posting on the intranet and via

interoffice mail. These methods are also used to distribute policies, procedures,

directives and brochures that deal with a variety of topics. Formal meetings and

training seminars are convened to provide guidance, instruction and feedback on

specific subjects on internal control. There are also financial and management reports

that offer insight into the results of operations and audit reports that indicate the

compliance of the organization with the applicable laws, rules, regulations, policies

and procedures that govern the numerous activities that are undertaken by NYCT.

When taken in the aggregate, these methods of communication provide NYCT

personnel with an effective network which ensures that vital information is conveyed

in a timely manner to all of those involved in the agency’s key processes.




Section C. Requirement: Make available to each officer and employee a clear and concise

statement of the generally applicable management policies and standards

Standard: The Annual Internal Control statement should set the tone at the top. It

should emphasize the importance of effective internal controls and the responsibility

of each officer and employee for effective internal controls. Managerial policies and

procedures for the performance of specific functions are articulated in administrative

manuals, employee handbooks, job descriptions and applicable policy and procedure

manuals. While it is not necessary for all employees to possess all manuals, employees

should be provided with, or have access to, applicable policies and procedures for

their position.

Specific actions taken, or needed, to comply with this requirement


MTA Corporate Compliance continues to manage all agency policy directives and

Board of Directors Guidelines


An annual letter from the President is sent to all employees to reaffirm B&T’s policy

in compliance with the New York State Governmental Accountability, Audit and

Internal Control Act. It reemphasizes the importance of effective internal controls to

the agency and the responsibility of each employee for the maintenance of effective

internal controls.

Attached to the President’s letter is an internally generated brochure “Internal

Controls and You”, which defines what internal controls are, what is required by the

Internal Control Act, how the Internal Control Act is carried out at B&T, what are

the employee’s responsibilities for internal controls and also gives an updated listing,

by department, of the Departmental Internal Control Coordinators as well as their

telephone numbers.

An annual internal control training course was provided to selected managers in

November 2015 to allow them to attain a more comprehensive understanding of

internal control concepts.




MTA Bus Company

All agency policies and procedures are accessible on the MTA intranet and posted

were applicable within offices and depots. In addition, some policies that are

significant such as ethics, safety, and use of agency funds are posted on employees

training modules and require confirmation of completion


Employee conduct is governed by the MTA All-Agency policies including the

Code of Ethics, applicable provisions of the Public Officers Law including rules

on ethics and conflicts of interests. A copy of the MTA-All Agency Code of

Ethics and the Public Officers Law is provided to all employees at the time of

their employment. A memorandum from the MTACC’s President is emailed

to all employees reaffirming everyone’s responsibility for maintaining an

effective system of internal controls as prescribed by management and

statutory requirements. Included in the email distribution is a pamphlet to

help employees understand their roles and meet their operation goals.

MTACC conducts its business primarily by reference to written policies, such

as a plan of organization, the formal delegation of responsibilities, and program

area procedures. Copies of MTACC’s policies are maintained within each

program area or department. Additionally, MTACC has made available on the

intranet all of its policies and procedures to all employees.

There are various control techniques which support the Internal Control

Program and enable each department and process to effectively monitor their

internal control system. Some examples which support the control evaluation

process include documentation and recordkeeping, authorization of

transactions, segregation of duties, supervision and security of information and

data. Policies and procedures, logs and records, supervision and structure based

on corporate organization charts and the various levels of data security.




MTA Headquarters

The MTA Policies and Procedures have been integrated into our GRC platform. MTA

All-Agency and MTAHQ policies are now stored in a central repository which allows

employees to obtain the most recent version of any policy directly from a web based

search. In addition, The MTA Code of Ethics is available on the MTA’s Intranet and

the internet sites.

Corporate Compliance continues to manage enterprise policy directives and MTAHQ

policies and procedures. In addition certain enterprise policy directives are posted on

MTA’s Internet page under governance/compliance


LIRR makes available to all employees, via the Intranet, Corporate Policy &

Procedure BPM-003 Management Control Review, in compliance with The Act. This

policy emphasizes the importance of Internal Controls and the responsibility of all

employees to ensure that effective controls are maintained in the performance of

their daily activities. In addition, the MCR Handbook is available to all employees

that have access to the Intranet. For employees that do not have access to the

Intranet, a physical copy of the Handbook can be obtained by contacting BPMCC or

their Department MOCAs.

At the department level, Standard Operating Procedures and corporate policies are

developed and made available to staff, as applicable. A process is also in place to

ensure that policies and procedures are reviewed and updated on a regular basis. In

2015, 33 corporate policies were reviewed and updated as appropriate. In addition,

two (2) new corporate policies were developed. New processes or the

implementation of new systems have accounted for the creation of new policies as

well as the updating of existing policies and procedures. HR maintains supplemental

documentation, which further supports internal control efforts, i.e., organization

charts and job descriptions.


An annual memorandum from the President to all Metro-North employees

communicates the importance of internal controls at Metro-North. The memo refers

employees to the Metropolitan Transportation Authority’s Enterprise Risk

Management and Internal Control Guidelines, which serve as Metro-North’s internal

control policy.




The memo clarifies responsibilities and describes the need for every employee to

comply with and enforce policies and procedures in order to ensure Metro-North’s

operation is both responsible and successful.

The Corporate Compliance unit works with Department Heads, Managers, Testers

and Internal Control Coordinators to continuously improve departmental compliance

and educate employees about internal controls. This is done through a combination

of formal training and departmental as well as individual meetings and reviews.

Internal Control Coordinators act as the Departmental point person for ensuring the

completion of internal control reviews.

In an effort to provide more information and guidance to Metro-North staff about

internal controls and the processes used to complete internal control reviews, there is

a Metro-North intranet page devoted to internal controls

(http://www.mnr.org/intranet/internalcontrols/ICS.cfm). Included on this page are

active links to: the GRC system and the GRC manual, which is a step-by-step guide

on how to use GRC to perform internal control reviews; the MTA Board Guidelines;

the annual memo from the President; guidance on performing risk assessments and

assigning risk ratings; testing result forms for use by internal control testers; the NYS

Division of Budget’s Managers Guide for Testing; the Executive Summary of the

COSO Internal Control – Integrated Framework; and finally, contact information for

the AICO and the Assistant Director of Corporate Compliance.

In addition to specific guidance, manuals and procedures provided to managers and

employees in their respective Departments at Metro-North (primarily located on

Metro-North’s intranet), all Metro-North employees are expected to be familiar with

and adhere to the MTA All-Agency Code of Ethics, which is also available on the

intranet.


The Officers, Managers and Employees of NYCT are routinely notified of the policies

and standards with which they are expected to comply. The President and Senior

Management issue bulletins and other correspondence that provide clear instructions

and guidance on a variety of topics.




These high level publications are provided to employees as reminders of existing

policies or as instruction on new activities and initiatives. They contain general

information in the areas of operations, administration, finance and internal controls.

NYCT stresses the theme that internal control is everyone’s business. This principle is

the focal point of the NYCT brochure and the Presidential memos on internal

controls, which are distributed to all employees on a regular basis. By incorporating

the tenets of internal control into every task that is performed, NYCT has created an

environment that provides reasonable assurance that its resources are protected

against fraud, waste and mismanagement and that its activities are performed in an

effective and efficient manner. In addition to the general guidance provided by

management, NYCT maintains policies, procedures, handbooks and management

directives for all major activities. These manuals are available on-line. They are

reviewed, updated, and distributed to the appropriate areas of responsibility on a

regular basis.

Section D. Requirement: Designate an Internal Control Officer (ICO), who shall report to

the Chairman of the MTA, to implement and review the internal control

responsibilities established pursuant to Act and Internal Control Standards

Standard: The ICO works with appropriate personnel within the MTA to coordinate

the internal control activities and to help ensure that the internal control program

meets the requirements. Although the ICO evaluates the adequacy of the internal

control reviews performed by authority staff, program and line managers are

primarily responsible for conducting reviews to assure adherence to controls and

analyzing and improving control systems. The ICO should be an individual with

sufficient authority to act on behalf of the Chairman in implementing and reviewing

the agency’s internal control program. This individual should have a broad

knowledge of MTA’s operations, personnel and policy objectives.



Pursuant to Public Authorities Law Section 2931, the MTA Board designated its Chief

Compliance Officer as the MTA’s Chief Risk Officer/Internal Control Officer (“ICO”)

with responsibilities for overseeing MTA’s Corporate Compliance efforts, which

include corporate governance, internal controls, ethics and compliance. The MTA’s

Chief Compliance Officer has reporting responsibilities to MTA’s Chairman and the

MTA Board. Pursuant to the Audit Committee’s Charter, the Chief Compliance

Officer has an affirmative reporting obligation to the MTA Board on the internal

control program through the Audit Committee.




The Chief Compliance Officer has several years of experience in the area of finance

and financial institution regulation. Before coming to the MTA, he spent 10 years at

the United States Securities and Exchange Commission and 6 years with the New

York City Department of Finance.


The B&T Internal Control Officer (ICO) was appointed by the President to administer

and assure implementation of the B&T Internal Control Program. The ICO working

with MTA Audit Services and the Independent Auditors, directs and continually

evaluates and assesses B&T’s system of internal controls. Together, they help B&T

management maintain B&T’s system of controls in a complete and current condition,

and ensure that all employees are adequately trained in the requirements of their jobs

and the principles of internal control. The ICO is also supported by Departmental

Internal Control Coordinators within various B&T departments who provide

additional administration of the B&T Internal Control Program.

MTA Bus Company

Internal controls are discussed and emphasized at senior staff meetings. Policies and

procedures are available on-line for access to all employees, and where required,

posted in locations. Beginning in 2016, the agency is requiring employees to take a 30

minute internal control training course. Employees are required to complete the

training by December 2016.


The Internal Control Officer (ICO) reports to MTACC President through the

organization’s Chief Financial Officer. Oversight for the Program is provided

by MTA’s CCO. Additionally, the ICO interfaces directly with MTACC’s Staff,

Program Executives, Department Heads and Audit Services for adherence and

improving MTACC controls and systems. Besides oversight responsibility over

the Internal Controls program, he serves as a liaison between Departments,

Audit Services and other external auditors in bridging implementation of

corrective action plans recommended by auditors.

The ICO, with the assistance of the Internal Control Coordinators, directs and

continually evaluates and accesses MTACC’s system of internal control.




The ICO has over 20 years of internal audit, internal controls and operational

risk management experience in a broad range of industries. Before joining the

MTACC, he was the head of internal controls for a multi-billion dollar

division of a global corporation. He holds certification in risk management

assurance, and fraud examination with a Master of Public Administration in

Financial Management.

MTACC’s ICO is a member of the ERM Committee representing MTACC.

The ERM Committee is chaired by the MTA CCO and meets periodically to

review and suggest improvements to the ERM program.

MTA Headquarters

The MTAHQ Internal Control Officer has over 35 years of experience in Human

Resources of which 18 were with the MTA in Compensation. Most of the jobs

descriptions in HQ were written and evaluated by this individual. Thus, the scope of

HQ operations and the history of various departments are well known to the Internal

Control Officer.

Additionally, the incumbent holds two advance degrees, a MBA in Organizational

Development and a Post Masters Certificate in Marketing.

The ICO works with appropriate personnel within the authority to coordinate the

internal control activities and to help ensure that the internal control program meets

the requirements established by BPRM Item B-350. Although the ICO evaluates the

adequacy of the internal control reviews performed by Agency or authority staff,

program and line managers are primarily responsible for conducting reviews to assure

adherence to controls and analyzing and improving control systems.


LIRR’s ICO is the Vice President and Chief Financial Officer who reports directly to

the President. Under his/her direct leadership, the DCAs administer the program,

providing training, guidance, and instruction to the MOCAs. The ICO has tasked the

BPMCC Department with the coordination and monitoring of audits performed by

MTA Audit Services, MTA Office of the Inspector General, New York State

Comptroller and other external audits - an objective of which is to apply audit

findings to department business activities to determine if additional controls need to

be created or existing controls need to be enhanced.




The objective is to ensure that business activities are governed by policy and

procedure thus providing congruence with the control technique of documentation

and recordkeeping. Finally, the ICO provides periodic updates to fellow Senior Staff

members on the status of the MCR Program and reinforces the need for their

continued support of the program.


Metro-North’s Internal Control Officer reports directly to the Executive Vice

President of Metro-North. The AICO’s organizational title is Director, Corporate

Compliance and Strategic Initiatives. The scope of his duties includes serving as

Metro-North’s Audit liaison to ensure the linking of audit findings and

recommendations with internal controls. He oversees corporate policy development

and updates, and is also directly involved in various organizational process review and

improvement efforts which support and reinforce the Internal Control Program and

vice versa. He has been working with and for large public sector transportation

agencies in the areas of planning, policy and management for 16 years and holds a

Masters of Urban Planning from New York University.

The annual Internal Control memorandum from the President to all employees

communicates who the AICO is (including contact information) and reinforces the

importance of and responsibility for internal controls at Metro-North. The AICO

administers the Internal Control Program and monitors compliance with the

program.


The President has designated an Internal Control Officer (ICO) to implement, oversee

and review the internal control program and its responsibilities within NYCT. The

ICO reports to the Executive Vice President while interfacing with the President,

Senior Management, MTA Headquarters, and New York State on the status and

progress of the program. Additionally, the ICO prepares NYCT’s annual Internal

Control Summary and Certification for the MTA and State and keeps the departments

and divisions apprised of their responsibility to comply with the P/I and the

provisions of the Internal Control Act. Another important function of the ICO is to

ensure that management and staff receive the appropriate level of IC training and the

information necessary to execute the requirements of the IC program. NYCT’s ICO is

the Controller who presides over the accounting and financial matters of the

organization.




As such, he is well versed in all aspects of internal control relating to operations and

administration due to the high level of interaction with Senior Management in

NYCT, and the MTA. The ICO is assisted by an Internal Control Coordinator (ICC)

and other members of staff within the Office of the Controller, who manage the day

to day implementation of the IC program.

The functions performed by dedicated staff include providing training to internal

control personnel, reviewing and commenting on the quality of items that are

submitted, providing feedback to the Department/Division Heads in cases of

significant non-compliance with the Act and receiving, reviewing, interpreting and

distributing all correspondence from the MTA and New York State.

The appointment of the ICO was communicated to all employees via the intranet and

to internal control personnel during training sessions.

Section E. Requirement: Implement education and training efforts to ensure that officers

and employees have achieved adequate awareness and understanding of

internal control standards and, as appropriate, evaluation techniques

Standard: Authorities should identify staff requiring internal control training and the

depth and content of that training. Such education and training should be on-going

with specific courses directed at line staff, middle managers and executive

management. For organizations that have established internal audit functions,

training and education should be offered on the appropriate role of the internal

auditor within the organization’s internal control system.



MTA Corporate Compliance a new mandated training and policy certification

program in cooperation with the State. All MTA Employees and certain contractors

are now required to take a series of compliance training courses.


All employees receive exposure to B&T’s and MTA’s all-agency policies on the

Intranet. Copies of the Authority’s internal control awareness brochure Internal

Controls and You is distributed to employees periodically at ethics training sessions

and other Agency forums.




An Intranet-based, interactive internal control awareness course was implemented

and is updated annually when necessary. This tool serves as an additional vehicle for

a broad range of employees to receive basic training in internal control concepts. A

more detailed updated classroom-based training program, with specific instructions

on implementation of the Internal Control Program and compliance with the Internal

Control Act, was provided to selected managers in November 2015.

The ICO also meets with all DICCs on a quarterly basis to review progress towards

implementing various Internal Control Program initiatives and provides them with

additional control information, and reviews ways to improve the Internal Control

Program.

MTA Bus Company

Robert Picarelli, Chief Officer, Internal Investigations & System Security, is

designated as the Internal Control Officer (ICO) for MTA Bus. Robert Picarelli has

been the ICO for NYCT Bus since the inception of the Internal Control program at

NYCT Bus, and also coordinates external audits of the MTA’s bus operations.

Accordingly, audit findings and recommendations are integrated into the Internal

Control program as required across the operations.


To make certain that MTACC executives and employees continue to maintain a

satisfactory awareness and understanding of internal control standards and

framework, Internal Control Training & Educational Program was developed for ICC

and Executives. As previously mentioned, a memorandum from the MTACC

President stressing the importance of having an effective and efficient Internal

Control Program; including management’s responsibility for ensuring effective

Management Control Reviews, and the MTACC’s obligation to comply with the

requirements of the New York State Governmental Accountability, Audit and

Internal Control Act was sent to all employees on June 1st, 2016.

Attached to this memorandum is a pamphlet entitled Internal Controls and You. The

objective of the pamphlet is to provide employees with a basic understanding of

internal controls and demonstrate how controls help meet MTACC’s operational

goals.




All new employees subject to financial disclosure requirement of the Code of Ethics

are required to take ethics training within 90 days of employment. Additionally, the

MTACC President and his direct reports are required to take an annual ethics training

while all other employees subject to financial disclosure requirement are required to

take a refresher ethics training course on a two year cycle. The ICO in conjunction

with Human Resources coordinate scheduling employees to ensure that they attend

the ethics training.

MTACC’s ICO serves on the ERM Committee. Recommendations for improvements

arising from the Committee are shared with the MTACC’s ICC.

MTA Headquarters

All Coordinators have yearly training on Internal Controls and their role in the

program. Employees have access to information on the program via e-mails and “open

house” information sessions. All Senior Managers receive yearly training on Internal

Controls and their role in the program.

One day per month, MTA Today is dedicated to compliance and ethics issues

providing our employees with entertaining video regarding relevant topics such as

gifts and conflict of interests. In addition, we are circulating, “Tone from the Top” and

“Ethikos” magazine to senior staff.


The BPMCC Department, under the supervision of the ICO, provided the following

to promote internal control education and foster management control awareness at

the LIRR:

In 2015 the LIRR conducted four “Business Administration & Processes” classes

that are part of the Management Education Core Curriculum Program. The

classes included a two-hour session on the “Management Control Review

Program & Managing Internal Controls”. The format was based on the updated

2013 COSO model and the basic components and principles of internal control

i.e., control environment, risk assessment, control activities, information and

communication, and monitoring.

As part of their orientation, all new employees are provided with information on

internal controls and its importance at the LIRR. Employees are also encouraged

to reach out to their MOCAs and/or DCAs with any questions or concerns.




DCAs are committed to providing training, guidance and instruction to the

MOCAs. Throughout the year, the importance of effective and efficient controls

is stressed. On an as needed basis, including when a department has a new

MOCA, the DCAs meet with the MOCAs to review, clarify and help with the

completion of control evaluations or with updating of the Vulnerability

Assessment when there are any changes in the procedures or processes.

In 2015 BPMCC provided department specific training sessions to Maintenance of

Equipment and East Side Access Departments. Also various meetings were held

with other departments including Stations, Engineering and Human Resources to

discuss the review and update of their existing VAs and ensure that any new

activities or changes to their processes were being addressed and that controls

reflect current processes.

In 2015 the VAs were revamped and new ones developed as appropriate for the

following departments: Corporate Safety, East Side Access, Engineering and

Human Resources.

A Management Control Review Handbook is available on the Intranet and

updated, as applicable. This handbook provides managers with the guidance and

tools needed to perform their internal control responsibilities under the MCR

Program.

All LIRR employees received a pamphlet entitled “Management Control

Responsibility at the LIRR” with a synopsis of the definitions related to internal

controls, a description of the internal control program and a listing of MOCAs

and DCAs. The pamphlet was accompanied by a memo from the LIRR President

reminding employees of the structure and affirming the importance of the

internal control program.


The training for Internal Control Coordinators, and Testers was primarily carried out

in 1-on-1 sessions with Corporate Compliance staff. These sessions focused on how to

develop and update business processes, do reviews and tests as well as how to use the

GRC system. As with any newer application, the Corporate Compliance unit has

provided ongoing assistance to GRC users at all levels, including Business Process

Owners and Department Heads. A detailed manual is also posted on Metro-North’s

Internal Control Program intranet page. Throughout the 2015-16 review period,

Internal Control training was provided to over 3100 MNR employees via the NY State

online training module.




In early 2016, Corporate Compliance staff met with individual departments to review

their significant business processes, risks, controls and the internal control review

process. These sessions, attended by Department Heads and key personnel, provided

an opportunity to educate managers and their staff on the purpose and importance of

internal controls as well as provide additional guidance on risk assessments and

testing requirements.


Education and training regarding internal control is provided to all departmental

personnel that are involved in the internal control process. The Office of the

Controller conducts an annual training seminar for Internal Control Managers and

their support staff that provides a framework of the internal control process and

detailed instructions on the various components of which it is comprised. Attendance

is mandatory. Information is provided on the identification and listing of major

activities, the evaluation and ranking of risks for each activity via the vulnerability

assessment, the development of controls to counteract the risks, the testing of controls

on a regular basis, reporting of weaknesses found, and implementing corrective

actions to eliminate any deficiencies that are identified. In addition, all IC Testers,

Activity Managers and Division/Subdivision Heads receive comprehensive training

each year.

This additional training is a result of the implementation of the recommendation

from the Internal Control Task Force requiring employees to be grouped and trained

by function. It also ensures that NYCT is in compliance with this important aspect of

the Act. Throughout the year, upon request, individual departmental personnel

receive further training in closed group sessions that are tailored for the specific needs

of each department.

The format utilized by the Office of the Controller is based on the COSO model and

the five basic components of internal control that it stresses, as listed below:

Control environment

Risk assessment

Control activities

Information and communication

Monitoring




In addition, it conforms to the standards provided by the NYS Comptroller’s Office

and the MTA Agency-Wide Enterprise Risk Management and Internal Control

Guidelines. In support of the training effort, a guide was developed to interpret and

clarify the tenets of the COSO model and present a detailed step-by-step description

of the IC process. NYCT’s Internal Control Program adheres fully to the provisions of

the updated COSO Internal Control Framework.

Internal Control education is further achieved through letters and other

correspondence from the President, Senior Management, and the ICO’s Office that

are distributed to NYCT employees to emphasize the requirements of the Act. An

Internal Control Brochure, detailing NYCT’s commitment to the Internal Control

Program, was placed on the TENS website and is available for viewing by employees.

The following is a sample of the correspondence and announcements that were either

posted on the NYCT Intranet, or distributed to employees in an effort to heighten

awareness on the following examples of internal control related subjects:

Internal Control Issues (i.e. Security, Data Protection, etc.)

Respectful Workplace Policy, Diversity, And Equal Employment Opportunity

Heat Stress

Drug and Alcohol Policy Statement

Domestic Violence Awareness

Cyber Security Safety at Work

Protecting Your Vision

Safety Management Impacts all Employees

Keeping Your Mobile Device Safe

Metropolitan Transportation Authority ERM/Internal Control...

Documents

Transcript of Metropolitan Transportation Authority ERM/Internal Control...