INTERNAL AUDIT

State of Good Repair Audit

R-19-01
December 21, 2020

UTA Internal Audit

Audit Conclusion Report
Protected Record - Do Not Distribute
Table of Contents
Executive Summary 3
Attachment A: Detail of Findings 5

Rating Matrix

Descriptor Guide

Matters considered being fundamental to the maintenance of internal control or

High good corporate governance. These matters should be subject to agreed remedial
action within three months.
Matters considered being important to the maintenance of internal control or good
Medium corporate governance. These matters should be subject to agreed remedial action
within six months.
Matters considered being of minor importance to the maintenance of internal
control or good corporate governance or that represents an opportunity for
Low
improving the efficiency of existing processes. These matters should be subject to
agreed remedial action and further evaluation within twelve months.

Distribution List

Title For For Reviewed prior to release

Action¹ Information
Chief Executive Director * *
Chief Operating Officer *
Chief Financial Officer *
Comptroller *
Director of Asset Management *
State of Good Repair Manager *

¹For Action indicates that a person is responsible, either directly or indirectly depending on their role in the process, for addressing an audit
finding.

UTA Internal Audit

Audit Conclusion Report Page 2 of 8
Protected Record - Do Not Distribute
Executive Summary

Introduction
In conjunction with the Board of Trustees’ Audit Committee, Internal Audit (IA) developed a risk-based annual
audit plan. This audit was conducted in accordance with the International Standards for the Professional Practice of
Internal Audit, published by the Institute for Internal Auditors (IIA).

IA was directed by the Board of Trustees to perform an audit to determine if controls over State of Good Repair
(SGR) were designed and operating effectively to ensure compliance with federal regulations, state laws, and
internal policies and procedures, as well as to support the achievement of management objectives as part of the
2019 Audit Plan. The preliminary assessment stage of the audit was concluded in March 2019 and the final audit
was completed in December 2020.

Background and Functional Overview

The SGR group resides in the Asset Management Department since an organizational re-alignment that took place
during October 2018.

The SGR group’s responsibilities include the Transit Asset Management (TAM) Plan, the Bridge Inspection
Program, administration of UTA’s Geographical Information System (GIS) program and has a role in the overall
Continuing Control effort relating to federally funded assets in accordance with the Grants Management program.

The Transit Asset Management Rule from the Federal Transit Administration (FTA) imposed a deadline for the
creation of an agency TAM Plan by October 1, 2018. UTA signed its TAM Plan in late September 2018, preventing
a full cycle to be completed before the audit preliminary assessment period.

The original TAM Plan addressed the most basic requirements of the TAM rule with the expectation the TAM Plan
would be updated in 2019 and would be more aligned with agency goals, priorities, and strategies after the new
Executive team was formed. As of December 2020, the updated TAM plan is in draft form.

The SGR and the Accounting departments migrated asset data from the previous inventory system to JD Edwards
(JDE). As part of the process, a physical inventory of all assets was performed. Accounting is still updating and
testing data, however JDE is now the asset recordkeeping application that management places reliance.

Objectives and Scope

The period of the preliminary assessment was January 1, 2019 through March 8, 2019 with the completion of the
audit work focusing on January 1, 2020 through October 31, 2020.

The primary areas of focus for the State of Good Repair audit were:
• Governance
• Asset Management Software and related Information Technology General Controls
• Transit Asset Management Plan
• Asset information completeness, accuracy, and validity
• Data consolidation and reporting
• Continuing control related to SGR

UTA Internal Audit

Audit Conclusion Report Page 3 of 8
Protected Record - Do Not Distribute
Internal audit excluded from the scope of this audit areas such as:
• Asset replacement costs
• Management decisions regarding TAM Plan recommendations
• ERP System Asset Records (Accounting Capital Asset Sub ledger)
• Asset Management Application Asset Records

IA notes that the 2018 TAM Plan was finalized and approved in September of 2018 and had not been fully executed
during the scope of the Preliminary Assessment, and the current TAM plan is still in draft. Therefore, our review
was limited to comparison of the 2018 TAM Plan to the CFR requirements, as understood by IA, and controls over
capital asset inventories and assumptions used in capital funding needs projections.

Audit Conclusion Summary

1. IA’s evaluation of the asset inventory data migration determined the data was materially accurate and
complete.
2. The controls to identify and investigate data anomalies are properly designed and currently operating
effectively.
3. The controls over the physical inventory of assets were not sufficient to ensure the capital asset existence
was verified and supported with conclusive evidence.
4. UTA met the FTA’s requirement that transit agencies develop a TAM Plan by October 1, 2018. During the
design of the 2018 TAM Plan changes to UTA’s governance structure were implemented by the Utah State
Legislature. The governance changes added to the complexity of preparing the TAM Plan. Apart from the
development and approval of the TAM Plan, additional governance over asset management and SGR was
put into place through Corporate Policy 2.1.16, “Transit Asset Management and State of Good Repair”.
The preliminary assessment found that to better align with FTA requirements and to implement and carry
out a meaningful TAM Plan, additional governance was needed. The preliminary assessment found SGR
risk was not limited to the SGR team’s activities, but was spread across other departments such as
Operations, Accounting and Asset Management.

Audit Conclusion Recommendations

IA recommends the Accounting and SGR departments revise the quality assurance audit of revenue vehicles
conducted at each Change Day to include non-revenue vehicles, equipment, and other non-infrastructure assets, and
to require evidence of asset existence, such as a photograph and location that can be verified. This added process
will address concerns reported in the FY 2019 Triennial Review regarding continuing control of assets.

Revisions to UTA policy 2.1.16 “Transit Asset Management & State of Good Repair” address the risks identified
in the Preliminary Assessment phase of the audit, but the revisions were still not approved at the time the audit
phrase was concluded. IA recommends expediting the formal adoption of Policy 2.1.16 “Transit Asset Management
& State of Good Repair” since it addressed the risks identified in the Preliminary Assessment phase.

This report details the results of the audit based on limited sample testing the responsibility for the maintenance of
an effective system of internal control and the prevention and detection of irregularities and fraud rests with
management.

Internal Audit would like to thank management and staff for their cooperation and assistance during the audit.

UTA Internal Audit

Audit Conclusion Report Page 4 of 8
Protected Record - Do Not Distribute
ATTACHMENT A: Details of Findings

Audit Finding R-19-01-01 Asset Verification Risk Level: High

Criteria:
Accounting Department’s document, Capital Assets Inventory Procedures:
Attributes verified and reconciled to the asset record include (at a minimum):
- UTA asset tag number, facilities tag number, vehicle number, assigned JDE number
- Description
- Manufacturer
- Model Number
- Vehicle Identification number, serial number, license plate
- Responsible Business Unit
- Location
- Use Status
- Picture with GPS location

Condition:
Evidence was not always available to verify an assets existence.
IA requested available supporting documents and reviewed JD Edwards support for 47 SGR assets. IA
identified 13 of 47 SGR assets did not have evidence that the asset was verified, that the asset existed, or
did not have documentation supporting the asset. Testing resulted a 27% error rate.

Specifically:
3 Maintenance equipment assets did not have supporting documentation, or photo available. Assets
lacked evidence of verification or existence.
2 Non-Revenue vehicle assets were supported with the registration on file, however there was not a
photo to document the physical asset.

IA categorized infrastructure items with characteristics hindering the likelihood of theft low-risk.
The following low-risk items lacked evidence of verification or existence:
8 of the 13 assets are related to infrastructure:
4 assets were related to train control
1 asset is Cable Transmission cable
1 asset is Bus Wash
1 asset is Bridge Crane
1 asset is Fencing

Root/Cause Analysis:
There was a lack of communication between the Accounting and SGR departments regarding the
requirements needed to verify assets.

Possible Risk:
• Asset inventories and records may not be complete, valid, or accurate.
• Missing assets or fraudulent activities may not be identified in a timely manner.

UTA Internal Audit

Audit Conclusion Report Page 5 of 8
Protected Record - Do Not Distribute
Recommendations:
IA recommends the Accounting and SGR departments revise the Change Day Quality Assurance Audit of
revenue vehicles to include non-revenue vehicles, equipment, and other non-infrastructure assets and to
require evidence of asset existence, such as a photograph and location that can be verified. This added
process will address concerns reported in the FY 2019 Triennial Review regarding continuing control of
assets.

Management Response and Action Plan:

Accounting and SGR will develop a plan to expand the Change Day Quality Assurance Audit (QAA) of
revenue vehicles to include non-revenue vehicles, equipment, and other non-infrastructure assets and
require evidence of asset existence.
Currently, the QAA requires a 10% audit of revenue vehicles except for Commuter Rail vehicles for a
total of approximately 140 vehicles. The modified QAA will still require the 10% audit of all revenue
vehicles but will be expanded to include other asset categories and will place a cap at 200 items per
change day cycle. This QAA would not cover the following asset types:
• No assets unless they are over $5,000 (excludes “zero-cost” assets)
o Mainly covers minor facility assets, bus engines, and bus transmissions
• No building or building improvements
• No land or land improvements
The high-level plan for these QAA’s will be as follows:
The focus of the QAA is intended to be the data associated with the assets which should lead to a
successful location of the asset being reviewed. The QAA will be structured to place the focus on the
data. If the asset is not located quickly, within one or two attempts, the asset will be marked as not found
and recommendations for the data modification will be provided to the Responsible Business Units
(RBU(s)) for correction. Accounting and the SGR teams will provide the personnel for these QAA
efforts.
The DSI application was found to be mostly incompatible with JD Edwards with respect to the photo
captures and association of the photos to the assets upon reconciliation. JDE was unable to accept the
photos due to data incompatibilities between it and the DSI application. The audit would probably still
have had errors, but this issue is a contributing factor to the high error rate identified above. IT is working
still to attach the photos to the assets in JDE but it is a slow and manual process. Unfortunately, this does
not look like an issue that can be resolved via technology and requires a large amount of manual effort on
the back end for photo association.
For a temporary solution, until a more permanent option is found for JD Edwards, the ESRI GIS Collector
Platform will be utilized to perform these checks and capture the photos along with comments the
SGR/Accounting team may have for the item being reviewed. Management acknowledges this solution
requires the use of another system outside of JDE, however, given the severity classification of this
finding, an existing and functioning system with a high-level of user-configurability is required. Prior to

UTA Internal Audit

Audit Conclusion Report Page 6 of 8
Protected Record - Do Not Distribute
 Audit Finding R-19-01-01 Asset Verification continued Risk Level: High

each check, a download will be taken from JDE, the required assets selected for the audit, and then those,
with the required data fields, will be uploaded to ESRI for the relevant QAA. The SGR team will provide
the necessary training to Accounting for using this platform.
Target Completion Date: June 01, 2021

Audit Finding R-19-01-02 Alignment with FTA Guidance Risk Level: Medium

Criteria:
The FTA “Transit Asset Management Guide, FTA Report No. 0098” states, “Establishing an asset
management policy and strategy helps to focus management and business processes on the agency’s
business objectives, which are usually the outcomes of most importance to customers.”

FTA Guidance states that, “Primarily, asset management plans have two major components:
• Enterprise-wide implementation actions that provide enabling support and direction for asset management
across all asset classes and services
• Direction and expectations for asset class owners and department managers regarding lifecycle
management planning and processes—with a focus on the lifecycle management plans...”
Source: www.transit.dot.gov/TAM/gettingstarted/FAQsArchive

49 CFR Section 625.33 states that, “Investment prioritization. (a) A TAM plan must include an investment
prioritization that identifies a provider’s programs and projects to improve or manage over the TAM plan
horizon period the state of good repair of capital assets for which the provider has direct capital
responsibility. … (f) When developing its investment prioritization, a provider must take into consideration
requirements under 49 CFR 37.161 and 37.163 concerning maintenance of accessible features and the
requirements under 49 CFR 37.43 concerning alteration of transportation facilities.”

Condition:
IA, as part of the Preliminary Assessment, compared both the Policy 2.1.16 “Transit Asset Management &
State of Good Repair” and the 2018 TAM Plan to the FTA requirements found in the TAM Rule and
determined that the documents were not fully aligned with the requirements. Specifically the policy and
plan had the following inadequacies:
o The TAM Plan has not been defined as a policy or procedure.
o There was no clear link between UTA’s business objectives and the objective set forth in the
TAM Policy.
o Neither Policy 2.1.16 nor the TAM Plan adequately identified managers’ capital asset
responsibilities
o Neither Policy 2.1.16 nor the TAM Plan assigns authority or responsibility for investment
prioritization and project rankings process nor were there detailed procedures documenting the
process.

Root/Cause Analysis:
• A risk assessment was not conducted prior to the development of the TAM Plan
• The TAM Plan addressed the most basic requirements of the TAM rule with the expectation the TAM
Plan would be updated in 2019

UTA Internal Audit

Audit Conclusion Report Page 7 of 8
Protected Record - Do Not Distribute
 Audit Finding R-19-01-02 Alignment with FTA Guidance continued Risk Level: Medium

Possible Risk:
• TAM Plan may not fully carry the weight or entity alignment that the FTA is seeking
• The Asset Management Plan may not align with UTA’s strategic vision and objectives
• Strategic opportunities to minimize capital assets maintenance and operating costs over the asset’s life
cycle may not be realized
• Decision-makers may not have sufficient or accurate information to make budget and other financial
decisions

Preliminary Assessment Recommendations:

a) A risk assessment or gap analysis of asset management processes should be performed that includes
consideration of CFR requirements and agency objectives
b) Asset management goals and objectives should be clearly established, documented in a policy, and
communicated throughout UTA
c) The TAM Plan should be:
i. Modified where needed based on gaps identified from the risk assessment
ii. Aligned with strategies, goals and objectives established by UTA management and documented
in policy
iii. Based on input and feedback from all responsible parties for transit assets
iv. Distributed to all stakeholders, including asset managers and the executive team
v. Supported by business level processes and related training
d) Adequate authority should be established and assigned in a policy or SOP to direct individuals
responsible for creating and maintaining asset information and to establish Agency wide objectives, goals
and expected outcomes

Audit Recommendations:
Revisions to UTA policy 2.1.16 “Transit Asset Management & State of Good Repair” address the risks
identified in the Preliminary Assessment phase of the audit, but the revisions were still not approved at
the time the audit phrase was concluded. IA recommends expediting the formal adoption of Policy 2.1.16
“Transit Asset Management & State of Good Repair” since it addressed the risks identified in the
Preliminary Assessment phase.

Management Response and Action Plan:

The Transit Asset Management & State of Good Repair policy has been reviewed by the Executive Team
and is in the cue to go the Board of Trustees for approval. Due to the unique nature and complexity of this
policy, it was important to take the necessary time to ensure the policy was complete and comprehensive.
To get to the point where the policy update could be addressed most effectively, it was important to
correct previously identified audit findings, and complete the physical inventory prior to finalizing the
policy. Once approved, the policy will provide the necessary foundation to update the TAM Plan
accordingly.
Management anticipates having this policy on the Board Agenda no later than February 24, 2021 and
completed by March 31, 2021
Target Completion Date:
March 31, 2021

UTA Internal Audit

Audit Conclusion Report Page 8 of 8
Protected Record - Do Not Distribute