Metro
Los Angeles County Metropolitan Transportation Authority
One Gateway Plaza, Los Angeles, CA 90012
metro.net

EXECUTIVE MANAGEMENT AND AUDIT COMMITTEE
FEBRUARY 18, 2010

SUBJECT: COMPREHENSIVE ANNUAL FINANCIAL REPORT, FISCAL YEAR 2009
ACTION: RECEIVE AND FILE

Receive and file:
A. The Comprehensive Annual Financial Report (CAFR) for the fiscal year ended June 30, 2009; and
B. KPMG LLP's Management Letter presenting internal control and other operational matters for consideration.

ISSUE
We are required to be audited annually by independent certified public accountants. This report presents the CAFR and the related Management Letter from KPMG for the year ended June 30, 2009. The CAFR includes our audited financial statements, supplemental information, and the unqualified opinion of KPMG LLP, the independent auditor. KPMG representatives will provide a presentation on the results of their audit. As a savings measure, a hard copy of the CAFR is on file with the Board Secretary and is also available on the Metro website: http://www.metro.net/about_us/finance/images/cafr_2009.pdf

The Management Letter is issued by KPMG to communicate certain matters involving internal control and other operational matters and management's related response.
ATTACHMENT(S)
A. KPMG LLP's Management Letter dated

Prepared by: Ruthe Holden, Chief Auditor

Chief Auditor

Arthur T. Leahy
Chief Executive Officer

Comprehensive Annual Financial Report
KPMG LLP
Suite 700
20 Pacifica
Irvine, CA 92618-3391

The Board of Directors
Los Angeles County Metropolitan Transportation Authority
One Gateway Plaza
Los Angeles, CA 90012

Ladies and Gentlemen:

We have audited the financial statements of the Los Angeles County Metropolitan Transportation Authority (LACMTA) for the year ended June 30, 2009, and have issued our report thereon dated December 11, 2009. In planning and performing our audit of the financial statements of LACMTA, in accordance with auditing standards generally accepted in the United States of America, we considered LACMTA's internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of LACMTA's internal control. Accordingly, we do not express an opinion on the effectiveness of LACMTA's internal control.

During our audit, we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies and are summarized in Appendix I.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements and, therefore, may not bring to light all weaknesses in policies or procedures that may exist. We aim, however, to use our knowledge of LACMTA's organization gained during our work to make comments and suggestions that we hope will be useful to you. We would be pleased to discuss these comments and recommendations with you at any time.
This communication is intended solely for the information and use of management, the Board of Directors, and others within the organization, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

KPMG LLP

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.
Appendix I

Deficiency #09-01: Information Technology - Password Policies (Windows)

Condition and Context
Based on our online observation of the Password Policy within Windows Active Directory, we noted that the current configuration for password complexity was not enabled. This setting does not comply with the LACMTA Information Security 2 - Password Generation document dated August 2005. We noted that the Los Angeles County Metropolitan Transportation Authority policy states that password complexity should be enabled, requiring alpha and numeric characters.

Effect (or Potential Effect)
Increases the risk of unauthorized access to the network by external or internal parties.

Recommendation
We recommend that management either implement the password requirements as noted in their Information Security policy or update the policy to reflect the current Windows password settings. Additionally, justification for not configuring password complexity should be documented.

Management Response
The implementation of password complexity was completed on August 27, 2009.

Deficiency #09-02: Information Technology - Data Center Physical Access

Condition and Context
Based on our test work, we noted one individual with inappropriate access to the data center. Additionally, we noted that the Systems Maintenance Supervisor maintained four extra badges, which are provided when technician staff personnel leave their card at home or when a day consultant requires access to the room. The assignment of these badges is not logged. Subsequent to year-end, the access has been corrected.

Effect (or Potential Effect)
Inappropriate individuals may access the data center and compromise LACMTA Information Technology (IT) assets.

Recommendation
We recommend that management implement a periodic review of data center access to verify that access to the data center is limited to appropriate individuals.

Management Response
The Computer Center access list is reviewed quarterly. One individual was granted access to work on a project that was no longer needed. Also, the four extra badges, which were not used, were turned in as noted above.
Deficiency #09-03: Information Technology - Administrative Access to M3

Condition and Context
Based on our online observation of the administrative users within the M3 system, we noted that the SpearAdmin and SpearMaster Superuser accounts are shared. As such, unauthorized changes may be made without accountability. These accounts are required by system functionality and cannot be assigned to individual users. The SpearMaster Superuser account has access to migrate changes into production, including functions, tables, and procedures. The SpearAdmin account is able to add and remove users and is able to view and update data tables. We noted that an informal review of the account activity is completed, but the review is not performed on a regular basis and evidence is not retained.

Effect (or Potential Effect)
Unauthorized changes or transactions may be posted without accountability.

Recommendation
Given that these administrative accounts are required by the system, we recommend that IT research whether the passwords can be changed to ensure unauthorized individuals cannot access these powerful IDs. If so, we recommend the passwords be changed on a regular basis. We additionally recommend that the periodic review of the administrative account activity be formalized and documented, similar to the monitoring control in place over database administration.

Management Response
The SpearMaster Superuser account is controlled by the Database Administration (DBA) group. Only one person within the group is authorized to access M3 using this account. This account is controlled and audited on a regular basis. A weekly audit report generates the SpearMaster account activity. The SpearAdmin account is used by developers to promote changes into the database. A weekly audit log provides an audit trail of the users authorized to access the system with this account. The OS username, along with the action taken under the SpearAdmin account, is tracked.
Deficiency #09-04: Information Technology - Periodic User Access Review (M3)

Condition and Context
Based on our inspection of the periodic access reviews for the M3 application, we were unable to determine if or when periodic reviews were performed. Currently, access listings are sent to the business users, but evidence of the review and of updates to security based on the review was not retained. As such, inappropriate access may not be identified in a timely manner.

Effect (or Potential Effect)
Users may have inappropriate access to the M3 application, allowing the ability to process unauthorized transactions.

Recommendation
We recommend that LACMTA IT require the business users to send positive confirmation to IT indicating that they have reviewed the user listings and have no changes. The confirmation and any requested changes should be retained.

Management Response
IT will work with Fleet Management Services to annually conduct a review of the M3 user access list(s) pertaining to the various line of business areas. All such confirmations will be kept on file.

Deficiency #09-05: Information Technology - Separated Users

Condition and Context
During the performance of testing over separated users, we noted four network user IDs that were active for greater than 30 days after the date of separation. For the network, since the IDs had been removed, we could not determine whether the IDs were used between the termination date and the date the IDs were removed.

Effect (or Potential Effect)
Unauthorized transactions may be processed by separated employees, or their accounts may be maliciously used by other employees.

Recommendation
We understand that there may be a delay between the processing of the Human Resources department (HR) paperwork and notification to IT of the separation. We recommend that IT work with Audit and HR to identify the root cause of the delay and implement procedures to ensure separated employees are removed within 30 days.

Management Response
HR acknowledged that they do not always receive the required separation paperwork from the divisions in a timely manner, which results in a processing delay. To improve in this area, HR will track the process more closely and remind tardy divisions of the need to remove separated employees from the systems as soon as possible.

Deficiency #09-06: Information Technology - Administrative Access (TOTS)

Condition and Context
Based on our inspection, with management, of users with access to the TOTS application, we noted that the Program Version Control System (PVCS) administrator who has access to migrate changes into production also has access to modify code. Changes made by this individual may not be authorized, as there is a lack of separation of duties. We were able to review system logs to verify that the PVCS administrator did not perform inappropriate duties.

Effect (or Potential Effect)
Unauthorized changes or transactions may be posted without accountability.
Recommendation
Due to limited resources, we understand that the PVCS administrator requires access to migrate changes and modify code. We recommend that a monitoring control similar to the control in place to monitor database administrator access be implemented.

Management Response
IT will implement a review process of the PVCS administrator access similar to the process used to monitor database administrator access.

Deficiency #09-07: Capitalization of Buses

Condition and Context
According to LACMTA's capitalization policy, buses must be placed in service before they are depreciated. LACMTA generally makes three progress payments for the purchase of buses (10%, 60%, and 30%). During our audit, we noted that buses for which progress payments had been made, and which were not yet received, inspected, and accepted, were inappropriately depreciated. While management routinely makes subsequent adjustments to correct the timing difference, there appears to be a time lag, generally 2 to 5 months, between the time the buses are received and the time adjustments are made. There are cases in which it may stretch between fiscal years.

Based on the guidelines noted in Governmental Accounting Standards Board (GASB) 1400.104, "capital assets should be depreciated over their estimated useful lives unless they are either inexhaustible or are infrastructure assets reported using the modified approach." The estimated useful life of a bus commences when the bus is placed in service, at which point it should begin to be depreciated. We noted that a timing difference exists between the time the depreciation expense is incurred and the time it is ultimately recognized.

Management performed an analysis in order to assess the prior period impact on depreciation and identified 101 buses in the Enterprise Fund that were inappropriately depreciated in the prior period. As a result, the $410 million in depreciation expense recognized in the Enterprise Fund in fiscal year 2008 was overstated by $2.3 million, or 0.5%.

Effect (or Potential Effect)
Untimely capitalization of buses may result in a misstatement of depreciation expense and consequently a misstatement of net assets.

Recommendation
We recommend that management adhere to internal policies and procedures and establish controls to ensure that buses are received, inspected, and accepted prior to being capitalized, per the capitalization policy.

Management Response
Capitalization and subsequent depreciation of purchased rolling stock is recognized upon its receipt and acceptance, in accordance with past practice and procedures. The fiscal year 2008 mistake of early capitalization and depreciation of purchased buses was an oversight due mainly to a shortage of resources in the department and had been corrected in fiscal year 2009. Management believes that this $2.3 million overstatement of depreciation expense, out of a total depreciation expense for the year of $410.5 million, was immaterial and did not constitute a material misstatement of net assets.
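The check behind Deficiency #09-05 (separated employees whose network IDs stayed active for more than 30 days, and whether those IDs were used before removal) can be run as a reconciliation of the HR separation list against a directory account export. This is an added example, not code from LACMTA, KPMG or any product named in the letter; the column names, the sample rows and the two exports are constructed assumptions, and the 30-day window is taken from the recommendation.

```python
"""Reconcile HR separations against an account export (added example, not from
the letter). Flags accounts open more than GRACE_DAYS after separation and
accounts with a logon after the separation date. Field names are assumptions."""
import csv
import io
from datetime import datetime

GRACE_DAYS = 30  # removal deadline recommended in Deficiency #09-05

# Constructed sample extracts; a real run would read the HR and directory exports.
HR_SEPARATIONS = """employee_id,separation_date
E100,2009-03-02
E101,2009-05-15
E102,2009-06-20
E103,2009-06-28
"""
ACCOUNTS = """employee_id,sam_account,enabled,last_logon,disabled_on
E100,jdoe,false,2009-04-10,2009-04-30
E101,asmith,true,2009-05-14,
E102,bjones,true,2009-06-19,
E103,clee,false,2009-06-29,2009-07-01
E104,dkim,true,2009-06-30,
"""

def parse_date(text):
    """Return a date for an ISO string, or None for an empty field."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None

def review_separations(hr_csv, accounts_csv, as_of):
    """Return findings as (sam_account, issue, detail) tuples."""
    as_of = parse_date(as_of)
    separations = {r["employee_id"]: parse_date(r["separation_date"])
                   for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for r in csv.DictReader(io.StringIO(accounts_csv)):
        sep = separations.get(r["employee_id"])
        if sep is None:
            continue  # not separated per HR; nothing to check
        enabled = r["enabled"].lower() == "true"
        disabled_on = parse_date(r["disabled_on"])
        # Removal date is the disable date; an account still enabled (or with no
        # recorded disable date) counts as open up to the review date.
        removed = disabled_on if (not enabled and disabled_on) else as_of
        days_open = (removed - sep).days
        if days_open > GRACE_DAYS:
            findings.append((r["sam_account"], "open_past_grace", days_open))
        # The letter could not tell whether removed IDs had been used after
        # separation; a retained last-logon stamp answers that question.
        last_logon = parse_date(r["last_logon"])
        if last_logon and last_logon > sep:
            findings.append((r["sam_account"], "logon_after_separation", str(last_logon)))
    return findings

if __name__ == "__main__":
    for finding in review_separations(HR_SEPARATIONS, ACCOUNTS, "2009-06-30"):
        print(*finding)
```

Retaining the last-logon and disable-date fields in the export is what makes the second check possible; the auditors' stated inability to answer that question came from the IDs having been deleted rather than disabled.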