Audit of the Franklin Regional Transit Authority (August 23, 2023)
August 23, 2023 · Franklin Regional Transit Authority · Read the full official report on mass.gov ↗
source
“Additionally, we determined that FRTA did not provide its employees and contractors with initial or annual cybersecurity awareness training (see Finding 1).”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Franklin Regional Transit Authority covering October 1, 2019 through September 30, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Franklin Regional Transit Authority (FRTA) for the period October 1, 2019 through September 30, 2021.”
Auditors checked whether FRTA provided ADA-required paratransit rides on time and whether it properly handled ADA paratransit complaints.
“In this performance audit, we determined whether FRTA delivered paratransit services required by the American with Disabilities Act (ADA) on time in accordance with federal law and FRTA procedures.”
FRTA provides transportation in many western Massachusetts communities, including services for riders whose disabilities prevent them from using regular fixed-route buses.
“FRTA provides transportation services to 41 cities and towns in Franklin, Hampden, Hampshire, and Worcester counties: Ashfield, Bernardston, Blanford, Buckland, Charlemont, Chester, Chesterfield, Colrain, Conway, Cummington, Deerfield, Erving, Gill, Goshen, Granville, Greenfield, Hatfield, Hawley, Heath, Huntington, Leyden, Middlefield, Montague, Montgomery, New Salem, Northfield, Orange, Petersham, Phillipston, Plainfield, Rowe, Russell, Shelburne, Shutesbury, Southampton, Southwick, Warwick, Wendell, Westampton, Whately, and Worthington.”
If you rely on FRTA paratransit, the audit says FRTA was on track with the specific on-time service and complaint-response rules the auditors tested.
“Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.”
The main problem found was not with rides or complaints, but with missing cybersecurity training for people with system access.
“During the two-year audit period, none of FRTA’s 23 employees and contractors completed cybersecurity awareness training.”
The auditor recommended that FRTA make sure employees and contractors complete cybersecurity training when they start and every year after that.
“FRTA should ensure that its employees and contractors complete initial and annual cybersecurity awareness training.”
The cybersecurity gap matters because weak training can increase the risk of cyberattacks and damage to FRTA’s finances or reputation.
“Without educating all its employees and contractors on their responsibility to protect information assets, FRTA is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
Paratransit means special transit service for people with disabilities that is meant to be comparable to regular fixed-route transit service.
“Each public entity operating a fixed route system shall provide paratransit or other special service to individuals with disabilities that is comparable to the level of service provided to individuals without disabilities who use the fixed route system.”
What the Auditor checked
- Complied Does FRTA deliver paratransit services required by the Americans with Disabilities Act (ADA) on time in accordance with Section 37.23(a) of Title 49 of the Code of Federal Regulations and FRTA’s ADA Complementary Paratransit Policies and Procedures?
- Complied Does FRTA ensure that all ADA paratransit complaints are investigated and responded to as required by Section 27.13(b) of Title 49 of the Code of Federal Regulations and FRTA’s ADA Complementary Paratransit Policies and Procedures?
What the Auditor found
Why it matters: FRTA faced a higher risk of cybersecurity attacks and financial or reputational losses.
Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, sections 6.2.3 and 6.2.4. ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010; Information Security Risk Management Standard IS.010, Section 6.2.3; Information Security Risk Management Standard IS.010, Section 6.2.4 )
1 recommendation
- FRTA should ensure that its employees and contractors complete initial and annual cybersecurity awareness training.
Agency response & Auditor reply
Agency: "The current FRTA Administrative staff (4 employees) have all participated in [the Massachusetts Department of Transportation’s] cyber training program in 2021."
Auditor: "However, FRTA did not provide us with these certificates of completion; therefore, we could not determine whether or when these four employees received this cybersecurity awareness training."
More audits of this entity
Other Office of the State Auditor reports on Franklin Regional Transit Authority .
- Audit of the Franklin Regional Transit AuthorityTransit Authority · October 5, 2018