Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Franklin Regional Transit Authority (August 23, 2023)

August 23, 2023 · Franklin Regional Transit Authority · Read the full official report on mass.gov ↗

Published August 23, 2023 Audit covers October 1, 2019 – September 30, 2021 Under Diana DiZoglio · 2023–present

In plain English
The audit found that FRTA met the audited requirements for on-time ADA paratransit service and complaint handling, but it failed to make sure employees and contractors completed cybersecurity awareness training.
source
“Additionally, we determined that FRTA did not provide its employees and contractors with initial or annual cybersecurity awareness training (see Finding 1).”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Franklin Regional Transit Authority covering October 1, 2019 through September 30, 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Franklin Regional Transit Authority (FRTA) for the period October 1, 2019 through September 30, 2021.”
Why was it audited?

Auditors checked whether FRTA provided ADA-required paratransit rides on time and whether it properly handled ADA paratransit complaints.

“In this performance audit, we determined whether FRTA delivered paratransit services required by the American with Disabilities Act (ADA) on time in accordance with federal law and FRTA procedures.”
Why it matters

FRTA provides transportation in many western Massachusetts communities, including services for riders whose disabilities prevent them from using regular fixed-route buses.

“FRTA provides transportation services to 41 cities and towns in Franklin, Hampden, Hampshire, and Worcester counties: Ashfield, Bernardston, Blanford, Buckland, Charlemont, Chester, Chesterfield, Colrain, Conway, Cummington, Deerfield, Erving, Gill, Goshen, Granville, Greenfield, Hatfield, Hawley, Heath, Huntington, Leyden, Middlefield, Montague, Montgomery, New Salem, Northfield, Orange, Petersham, Phillipston, Plainfield, Rowe, Russell, Shelburne, Shutesbury, Southampton, Southwick, Warwick, Wendell, Westampton, Whately, and Worthington.”
What's in it for me?

If you rely on FRTA paratransit, the audit says FRTA was on track with the specific on-time service and complaint-response rules the auditors tested.

“Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.”
The bottom line

The main problem found was not with rides or complaints, but with missing cybersecurity training for people with system access.

“During the two-year audit period, none of FRTA’s 23 employees and contractors completed cybersecurity awareness training.”
What happens next

The auditor recommended that FRTA make sure employees and contractors complete cybersecurity training when they start and every year after that.

“FRTA should ensure that its employees and contractors complete initial and annual cybersecurity awareness training.”
Why it's significant

The cybersecurity gap matters because weak training can increase the risk of cyberattacks and damage to FRTA’s finances or reputation.

“Without educating all its employees and contractors on their responsibility to protect information assets, FRTA is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
Jargon, unpacked

Paratransit means special transit service for people with disabilities that is meant to be comparable to regular fixed-route transit service.

“Each public entity operating a fixed route system shall provide paratransit or other special service to individuals with disabilities that is comparable to the level of service provided to individuals without disabilities who use the fixed route system.”

What the Auditor checked

What the Auditor found

FRTA did not ensure that employees and contractors completed initial or annual cybersecurity awareness training.
cybersecurityinternal controlsvendor oversight

Why it matters: FRTA faced a higher risk of cybersecurity attacks and financial or reputational losses.

Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, sections 6.2.3 and 6.2.4. ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010; Information Security Risk Management Standard IS.010, Section 6.2.3; Information Security Risk Management Standard IS.010, Section 6.2.4 )

1 recommendation
  • FRTA should ensure that its employees and contractors complete initial and annual cybersecurity awareness training.
Agency response & Auditor reply
Agency: "The current FRTA Administrative staff (4 employees) have all participated in [the Massachusetts Department of Transportation’s] cyber training program in 2021."
Auditor: "However, FRTA did not provide us with these certificates of completion; therefore, we could not determine whether or when these four employees received this cybersecurity awareness training."

More audits of this entity

Other Office of the State Auditor reports on Franklin Regional Transit Authority .

See this entity's page with all 2 audits →