Risk Asses and Work Plan
Annual Risk Assessment Plan (A.R.A.P)
By Port of Seattle Internal Audit
January 1, 2009 through December 31, 2009
Issue Date: XXXX

Annual Risk Assessment Plan January 1, 2009 – December 31, 2009

Table of Contents

INTERNAL AUDIT PROFILE
EXECUTIVE SUMMARY
RISK ANALYSIS APPROACH AND METHODOLOGY
    Overall Risk Elements at the Port
    Risk Assessment Elements
PRIOR AUDIT HIGHLIGHTS
    Port-wide Audits
    Corporate Services Division
    Real Estate Division
    Airport Division
    Seaport Division
CONTROL ENVIRONMENT
    Port-wide Control Environment
    Information/Communication/Control Activities
    Compliance Environment
    Risk Assessments
    Emerging Changes/Issues
RISK ASSESSMENT AND IDENTIFICATION
    1. Central Processing Systems
    2. Organizational (e.g., department) Control Reviews
    3. Revenue (lease and concession)
    4. Federal Assistance
    5. 3rd Party Management Contracts
    6. Performance
    7. Financial Reporting/General Ledger
    8. Enterprise Risk Management (ERM)
    9. Special Investigation and other Requests
    10. Capital Improvement Program (CIP)
SUMMARY OF RISK
RISK ASSURANCE
    2009 Projected Audit Coverage
    Carryover Audits from Fiscal Year 2008
    Performance Audits
    Systems Audits
    Department Internal Control Reviews
    Lease Compliance Audits
    The Way Forward
REFERENCES

Internal Audit Profile

The Port of Seattle (Port) Internal Audit department was established in 2002 in the Accounting and Procurement Services Department. Effective January 2008, Internal Audit has a dual reporting responsibility to the Chief Executive Director and to the Audit Committee. The department was initially staffed by one person until August of 2006 when a second auditor was hired. The department is currently staffed as follows:

Internal Audit Staff:

Joyce Kirangi, CPA – Audit Manager – Joyce is a Certified Public Accountant (CPA) with over 20 years of audit experience. She joined the Port in 2002 and has managed the Internal Audit team since then. One of her primary duties last year was to expand the Internal Audit team, recruit, and hire current staff. Prior to joining the Port, Joyce worked for the Washington State Auditor’s Office (SAO) for 17 years. She has led and managed the largest local government audits in the State of Washington, including King County, Pierce County, Spokane County, City of Seattle, and City of Tacoma. In her last position with the SAO, Joyce was the Regional Audit Manager for the Pierce County and Southern King County region.
She oversaw all local government audits in that region and managed a team of over 20 professional auditors. She specializes in local government audits.

Jack Hutchinson, CPA, CIA – Senior Auditor – Jack is a Certified Public Accountant (CPA), a Certified Internal Auditor (CIA), and has 10-plus years of accounting and auditing experience. He joined the Port in August of 2006 and has conducted a variety of audits including compliance, internal control, and operational audits. Prior to joining the Port, Jack was a Finance Director for the City of Fircrest, in Pierce County. Before that, he was an auditor with the Washington State Auditor’s Office (SAO) where he worked for 4 years. Additionally, Jack has experience in accounting and financial reporting at a biopharmaceutical company and a Native American-owned and -operated casino.

Andrew Medina, CPA, CFE – Senior Auditor – Andrew is a Certified Public Accountant (CPA), a Certified Fraud Examiner (CFE), and has over 15 years of audit experience. He joined the Port in December of 2007. Prior to joining the Port, Andrew was an internal auditor for the Clark County School District in Las Vegas, Nevada. He spent five years managing and conducting financial, operational, and compliance audits of the nation’s fifth largest school district. As a Certified Fraud Examiner, Andrew was the department's fraud specialist, responsible for conducting the majority of the District’s fraud investigations, as well as providing training to management and staff on fraud awareness and prevention. Prior to joining the Clark County School District, Andrew was a senior auditor with the State of Nevada Gaming Control Board. For 10 years Andrew helped regulate the casino industry by managing and conducting compliance, money laundering, and financial audits of Nevada’s largest casinos.

Mike Bosley, CPA – Senior Auditor – Mike is a Certified Public Accountant (CPA) and has over 15 years of accounting and audit experience.
He joined the Port in September of 2008. Prior to joining the Port, he served as a senior internal auditor for Providence Health System in the Seattle area. He spent 4 years managing and conducting financial, operational, and compliance audits of Providence’s hospitals and health care services. Mike also worked as a senior auditor for the Washington State Office of the Insurance Commissioner. Mike started his career auditing closely held corporations and partnerships for the Internal Revenue Service and also was the Regional Coordinator of the Volunteer Income Tax Assistance Program. Mike is a graduate of the University of Washington.

Margaret Songtantaruk – Auditor – Margaret joined the Port in October of 2006. She has over 20 years of accounting and auditing experience in private and public agencies. Since joining the Port, she has conducted a variety of audits including compliance, internal control, operational, and federal grants. Prior to joining the Port, Margaret was an auditor with the Washington State Auditor’s Office (SAO) for 4 years, where she conducted audits of local governments including the City of Seattle, City of Bellevue, City of Auburn, City of Renton, Washington State Convention Center, Bellevue Convention Center (Meydenbauer Center), Bellevue School District, and Valley Communications Center Authority, etc. In her past experience, Margaret also served as a controller for various companies including Pacific Frontier, Inc., Evergreen Technologies, Inc., Unisea Foods, Inc., and Advanced Wireless Solutions, Inc.

Juanita Labosier, CPA – Auditor – Juanita is a Certified Public Accountant (CPA) with over 20 years of accounting and auditing experience.
She joined the Port in January 2008 and most recently served as an auditor with the Washington State Office of the Insurance Commissioner, where she worked for 5 years conducting financial, operational, and regulatory audits of insurance companies. She has over 15 years of experience as a financial analyst in the medical profession, including 5 years as a financial analyst with Premera Blue Cross. Juanita has also served as the president of the Washington Society of Certified Public Accountants (WSCPAs) – Seattle Chapter.

Bill Fovargue, CFSA – Auditor – Bill held several senior level audit positions with the State of Washington, Fortune 100 companies and professional consulting firms before joining the Port in September 2008. Prior auditing engagements included a broad spectrum of audit activities within Banking, State Government, Aerospace, Energy and Software Manufacturing industries. Bill achieved Certified Financial Services Auditor designation from the Institute of Internal Auditors (IIA) and has been a member of the Puget Sound Chapter of the IIA for 20 years. He is a graduate of the University of Washington. Bill is also a certified process improvement facilitator.

The team as a whole has well over 50 years of experience in many auditing disciplines, including but not limited to financial, internal control, accountability, compliance, and fraud audits. The team is sufficiently certified and conducts all audits based on applicable best practices of the profession.

Executive Summary

The annual risk assessment plan (A.R.A.P) is an effort by the Internal Audit team to identify Port-wide activities that could negatively impact organizational goals and objectives. It is a forward-looking document based on past performances through a risk prism.

The Port is complex and decentralized, and operates in an ever-changing environment.
Its operations encompass a wide spectrum of enterprise activity ranging from international trade to capital infrastructure improvements. A significant part of the Port’s core businesses are sensitive not only to the economic forces of the region and the nation, but also to global economic climates. Moreover, the Port is faced with ever-increasing competition from neighboring seaports and airports in attracting/retaining container business and airlines. Economic sensitivity and competitive forces change the risk outlook frequently, and pose business and operational challenges to the Port.

To consider risk fully and in a timely manner, Internal Audit has implemented a process of risk assessment. The assessment is an annual process based on risk, but it is continuously updated and adjusted as necessary throughout the year. The assessment is built on a balanced review of quantitative and qualitative aspects of each risk. The fact that an area or operation is identified as high risk does not necessarily mean that there have been negative results. Rather, there is a possibility of negative results.

Internal Audit in the past twelve months has conducted numerous audits throughout the Port, which are identified in a subsequent section of this document. Audits identified a number of opportunities to improve existing management controls, and the audit reports have recommended ways to realize the improvements.

Internal Audit risk assessment has identified the following areas for review in 2009:

1) Performance Audit.
2) Accounts Payable and Payroll as central processing systems reviews.
3) Lease and Concession including Rent-A-Car audits.
4) Department Internal Control reviews.

Starting in 2009, Internal Audit will integrate into individual audits elements of performance and Enterprise Risk Management (ERM). Our audit focus will be on operational effectiveness – i.e., how effective the Port management has been in achieving its objectives in departmental operations or lease management.
We extend our appreciation to senior management for its continuing support for Internal Audit.

Joyce Kirangi, CPA
Internal Audit Manager

Risk Analysis Approach and Methodology

Risk analysis includes: (1) risk assessment and (2) risk management. Risk assessment is a method of identifying and measuring risks, and risk management is taking appropriate action to minimize risk. The key to risk assessment is the identification of threats and opportunities. Risk is the potential for negative results – i.e., less than expected results. The results of negative risks are not desired and therefore the objective of risk management should be to mitigate those risks.

The following is Internal Audit’s attempt to identify risks that face the Port. We will thereafter measure the risks and establish a plan on how to examine the effectiveness and efficiency of risk mitigation by management.

The Internal Audit team conducts a risk analysis annually and updates the assessment as necessary based on a two-prong approach.

The first approach to Internal Audit’s risk assessment is intense data analysis (data mining), which is largely quantitative in nature. Internal Audit has been granted access to various systems including the Port’s major financial system, PeopleSoft. Using data from various sources, Internal Audit is able to navigate the Port’s data landscape and summarize the data into cohesive auditable units. Individual units are systematically analyzed to identify risks.

The second approach to the Internal Audit risk assessment is based on prior audit experience and professional judgments, also known as qualitative risk assessment. Prior audit issues are reviewed in conjunction with management responses to gauge post-audit risk.
Known and potential business environment changes are considered, as well as inherent risk factors such as Port complexity, a decentralized environment, new operations, staff turnover, and public expectations. We prefer to think of risk in qualitative terms rather than quantitative terms.

In the final analysis, risk results are combined and analyzed as a whole. Cost-benefit, risk level, and economics of available audit resources are fully considered to establish audit priorities and plans for the upcoming year. The risks that are likely to create the most negative impact to the Port in the coming year are on the top of the priority list and will be addressed first.

In addition to the list of audits to be performed based on the overall risk analysis, Internal Audit plans to conduct at least one systems audit annually. System in this context means any process (both functional and administrative) common to all units across the organization. Examples of such systems include payroll, accounts payable, purchasing and procurement, etc. System audits are designed: 1) to identify material system weaknesses that could compromise the system and, if not corrected, could develop into a significant operation/compliance risk to the Port, and 2) to assess effectiveness of management monitoring controls.

Internal Audit’s 2009 risk assessment is based on the following ten (10) risk exposure elements. This is a logical grouping mechanism for all significant risks the Port faces. The grouping is cross-functional in nature and entity-wide. As such, it does not readily lend itself to the audit process as a whole. To be able to audit Port operations for these elements, they are analyzed in-depth and translated into auditable units to which audit procedures can be applied. It should be noted that the risk elements are reviewed throughout the year to reflect environment changes, and if risks associated with the changes are considered significant, the work plan may be modified.

Overall Risk Elements at the Port

The elements below are not numbered in any particular order of importance.

1. Central Processing Systems
   i. Processing systems common to all units across the Port.
   ii. Auditable Units – accounts payable, payroll, procurement, etc.
   iii. Risk
      • Noncompliance with applicable federal, state, and local rules and regulations (payroll tax, retail tax, deposit requirements, etc.).
      • Inadequate controls to ensure 1) minimum accountability controls and 2) consistent and accurate processing.

2. Organizational Unit (e.g., departments) Internal Controls & Accountability
   i. Controls and accountability units do not necessarily equate to departments.
   ii. Auditable Units – recreation boating, commercial fishing (includes multiple departments), aviation maintenance, etc.
   iii. Risk
      • Noncompliance with applicable state and local (including the Port) rules and regulations.
      • Lack of controls and accountability regarding safeguarding of public assets.

3. Revenue (lease and concession)
   i. Lease and concession agreements in exchange for the use of Port property.
   ii. Auditable Units – individual agreements (outdoor advertising, in-flight kitchen, rental cars, etc.).
   iii. Risk
      • Unrealized revenue due to below market rent and concession.
      • Loss of cash flow (late payments and associated penalties) due to untimely reconciliation.
      • Absence of the audit clause to adequately protect Port interest.

4. Federal Assistance
   i. Federal grants to finance operation and construction.
   ii. Auditable Units – individual grants (TSA, FAA, etc.).
   iii. Risk
      • Loss of funding.
      • Financial loss, if repayment is ordered due to questioned costs.

5. 3rd Party Management
   i. Service contracts to manage Port property or operations as an extension of the Port for a fee.
   ii. Auditable Units – individual service contracts.
   iii. Risk
      • Noncompliance with applicable state rules and regulations.
      • Funding of for-profit activity with public funds.

6. Performance
   i. Efficient and effective use of Port resources as input in the achievement of objectives as output and outcome (measured against widely accepted applicable benchmarks).
   ii. Auditable Units – individual performance questions regarding output and outcome (e.g., does the Port contribute to the economic vitality in the region?).
   iii. Risk
      • Inefficient use of resources.
      • Insufficient output.
      • Outcome not achieved.

7. Financial Reporting/General Ledger
   i. Accurate and timely financial reporting of operations.
   ii. Auditable Units – Annual Financial Statements (CAFR) and individual ledger accounts.
   iii. Risk
      • Material errors in the statements.
      • Misinformed decisions based on inaccurate financial information.

8. Enterprise Risk Management (ERM)
   i. Consistent and concerted efforts to identify and address risk entity-wide.
   ii. Auditable Units – ERM process as a whole.
   iii. Risk
      • Not having an ERM system to strategically address risks.
         a. Risks go unmitigated
         b. Opportunities lost

9. Special Investigations
   i. Investigations resulting from the Fraud hotline and reporting of known and suspected loss of public funds to the State Auditor’s Office (SAO).
   ii. Auditable Units – individual investigations.
   iii. Risk
      • Not timely investigated (loss of an opportunity to establish accountability).
      • Continuation of inappropriate behavior.
      • Loss of public funds.

10. Capital Improvement Program
   i. Construction.
   ii. Auditable Units – individual CIPs.
   iii. Risk
      • Mismanagement of construction
      • Mis/abuse of resources
      • Incorrect capitalization

Subsequent to the identification of auditable units, units are assessed individually based on the following four (4) distinct yet interrelated risk factor categories to gauge the likelihood and extent of potential negative impact.
A work plan for the upcoming year is an end product of the risk factor assessment.

Risk Assessment Elements

1. Inherent Elements
   • Nature of the operation, transaction flow, or systems
      1. Naturally sophisticated/complex?
      2. Labor intensive?
      3. Heavily regulated?
      4. Sensitivity to economic forces?
      5. Organized Labor?
      6. Likelihood of federal financing?
   • Information Systems
      1. OTC (Over The Counter) or internally developed?
      2. Number of systems in use?
      3. Critical to the operation (i.e., degree of dependency)?
      4. Outdated?
      5. Exception Reports?
      6. Reporting Module vs. Canned Reports

2. Internal Control Elements
   • Controls
      1. Tone at the top?
      2. Material changes in management?
      3. Recently re-organized, re-aligned, etc.?
      4. Documented policy/procedure?
      5. Communication (e.g., staff/management meetings)?
      6. Monitoring (e.g., reports, meetings, reviews, etc.)?
   • Prior audits
      1. By whom?
      2. The scope?
      3. Number of audit issues?
      4. Quality of management response?
      5. Follow-up (CAP) implemented?
   • Risk assessment?
      1. Risk appetite?
      2. Control Self-Assessment performed?

3. Performance Elements
   • Performance Efforts
      1. Performance measures implemented?
      2. Periodic/Regular Benchmarking?
      3. Performance reporting?
   • Service Output
      1. Compiled?
      2. Measured against benchmarks?
      3. Reported?

4. Compliance Elements
   Includes both: 1) ones to which the Port is subject (i.e., federal, state and local) and 2) ones to which the Port is subjecting the third party.
   • Revenue/Funding
      1. Revenue/Funding at risk, if found to be in noncompliance?
      2. At-risk amount material?
   • Contractual obligations (lease, concession, services, construction, etc.)
      1. Port interest adequately protected?
      2. Overly favorable to the third party?
      3. Timely reviewed and amended, if necessary?

Prior Audit Highlights

In 2008, Internal Audit conducted a number of operational and compliance audits involving all divisions of the Port. The following is a list of audits conducted in 2008. Detailed information, including management response on individual audits, is available in the referenced audit report. Not included in the list are narrowly scoped engagements to review a particular transaction flow or a specific agreement. The result of such reviews has been reported as a memorandum addressed to the requester of the review.

Port-wide Audits
• Two (2) Special Investigations

Corporate Services Division
• Procurement Systems Audit, which included the following areas
   o Major Construction
   o Small Works
   o Professional/Personal Services Agreements
   o Open-blanket orders, Monthly fixed amount, and Purchase Order – procurement-type contracts

The procurement audit was a review of procurement activity in the context of the Central Procurement Office (CPO). The focus of the audit was management monitoring controls and their effectiveness in meeting the intended goal.

Real Estate Division

This is a new division effective in 2008. A number of professional service agreements from the division were part of the aforementioned port-wide PSA audit.
Additional specific audit projects conducted in this division included:
• Seaport Maintenance Department – departmental operation
• Bell Street and Pier 66 Parking Lease – lease management
• Shilshole Bay and Fishermen’s Terminal – departmental operation
• World Trade Center – third-party agreement management
• Bell Harbor Conference Center – third-party agreement management
• Cruise Terminal of America (CTA) – lease management

Airport Division
• ID Badging Access Office – departmental operation
• Public Parking – departmental operation
• Rent-A-Car (RAC) Audits – lease management
   o Advantage
   o Enterprise
   o Dollar
   o Host
   o Airport Management Services Inc.
   o Seattle Restaurant Associates
• In-flight Meal Companies – lease management
   o Flying Food
   o Sky Chefs
   o Gate Gourmet
• Doug Fox Parking Lease – lease management
• Ground Transportation – departmental operation
• JCDecaux Advertising Lease – lease management

The financial recovery from compliance audits totaled over $1 million, the majority of which resulted from Hertz ($1 million) and Avis ($100,000). The risk associated with the RAC audits is underreporting of some revenue streams from the concession base or, simply put, reducing the concession fee by unallowable deductions.

Seaport Division
• Grain Terminal Lease – Terminal No. 86 (lessee has not responded to our audit request)

Control Environment

The following describes the Port from a risk standpoint. Aspects of Port operations are grouped into relevant risk categories, in general terms, to facilitate an understanding of the risk the Port faces as an organization.

The Port has a complex and ever-changing environment. Its operations encompass a wide spectrum of enterprise activity ranging from international trade to capital infrastructure improvements.
A significant part of the Port’s core businesses are sensitive not only to the economic forces of the region and the nation but also to global economic climates. Moreover, the Port is faced with ever-increasing competition from neighboring seaports and airports in attracting/retaining container business and airlines. Economic sensitivity and competitive forces change the risk outlook frequently, and pose business and operational challenges to the Port. Such challenges at times could materialize as a risk of noncompliance and/or control circumvention if the organizational units facilitated operations by “cutting corners” in the name of efficiency.

Equally important to the Port in consideration of risk is the Port’s organizational status. As a public agency of the State of Washington, the Port is subject to a number of state statutes regulating many aspects of its daily activity, from public meetings of the Commission to the annual budgetary requirements on the tax levy. Government regulations are an inherent risk of any public agency.

Port-wide Control Environment

The Port is a decentralized organization. Divisions and their respective units are provided with varying degrees of authority and responsibility to conduct and manage daily activity. There are many layers of delegation of authority from the Commission, to the CEO, to the senior management, and to staff. The delegation of authority at the Port has become over-complicated and cumbersome over time, and as such mapping a particular line of authority is no longer a simple task. This complexity in delegation of authority increases the likelihood of non-compliance and/or other irregular activities. Following the 2007 SAO Performance audit, the Port revised Resolution 3181 to more clearly delineate the authority.

The weakest link in a decentralized environment is an assumption (with or without verification) of control activity performance at decentralized locations.
That is, central units (e.g., payroll processing) are less likely to apply key controls or to initiate compensating controls because there is a presupposition that key control activities (e.g., approving timesheets for accuracy) are fully performed at perimeters of the organization. The end result could be a set of processed transactions without being subject to sufficient controls.

Following the 2007 SAO Performance audit, the Port centralized procurement activity into one department, thereby standardizing not only the policies and procedures but also the application of those policies and procedures. Such efforts are designed to ensure there will be minimum controls applied to procurement activity in a concerted manner.

In regard to the majority of revenue, the Port is not actively and directly engaged in revenue generating activity. Rather, the Port earns revenue through contractual relationships where external entities are granted the privilege to conduct business on Port property and remit a fee to the Port in exchange. A significant number of these contractual relationships are in the form of lease agreements or other contractual agreements. The majority of the tenants/customers self-report to the Port based on agreed-upon concession fees. Self-reporting, as a reporting process, is high risk because it has no built-in mechanism to protect Port interest. Self-reporting by Port tenants/customers is inherently susceptible to underreporting of concession fees and may lead to a revenue loss to the Port. Indeed, internal audits have disclosed problems with some Port tenants in past audits. Thus, it is necessary to establish monitoring activities including periodic audits to properly mitigate the inherent risk. Unfortunately, because of limited internal audit resources, the majority of Port tenants/customers have not been audited in the past.

Information/Communication/Control Activities

Communication at the Port takes many forms. There are policies/procedures at the Port-wide and at the individual organizational unit level as a means to communicate public, Commission, and senior management expectations. Port-wide policies/procedures are readily available and easily accessible via intranet, but not all procedures at the unit levels enjoy such easy access. In other instances, there may be no written policies and/or guidance. This could introduce an element of risk where management’s intent as stipulated in the policy may not be timely and properly communicated in the form of operational procedures. Additional risk would include: 1) operational procedures may not be aligned with the overall Port policies and 2) employees may not be aware of the organization’s goals and objectives. This could also increase risk of non-compliance.

The Port utilizes technology to automate and streamline recurring activities. There are a number of stand-alone systems in use across the Port that need to maintain management-defined structured communication amongst themselves. Inter-system communication is particularly significant in the financial arena, as many stand-alone subsystems need to feed into PeopleSoft, the Port’s primary financial system for internal/external financial reporting. Inter-system communication highlights the importance of frequent and regular performance of reconciliation. Without reconciliation, the information integrity cannot be maintained and information reliability could become questionable.

Compliance Environment

Compliance at the Port is multi-dimensional. The following are various groups of compliance requirements to which the Port is subject.

The Port is subject to federal regulations, many of which are federal grant and air/seaport security related. Currently, the Port’s federal audits are conducted annually by Moss Adams, an independent CPA firm.
The most significant risk associated with federal audits is loss of federal funding. The loss could occur if significant material non-compliance issues are disclosed. For purposes of federal compliance, Internal Audit has relied on the work of the independent auditor and thus has not reviewed federal financial controls or compliance issues at the reporting level.

As a public agency of the State of Washington, the Port is subject to all provisions of Title 53 and related provisions of the Revised Code of Washington (RCW). The State Auditor’s Office (SAO) conducts accountability audits annually to ensure public interest. Additionally, other state agencies such as the Dept. of Revenue and Dept. of Retirement regularly review Port operations for their respective purposes.

Significant audit findings from SAO could reflect the Port negatively in the eyes of the public. In addition, other state or local audits (e.g., DOR, Department of Retirement, Labor Unions, and/or IRS audit findings) could have a negative financial impact on the Port if the Port was found to owe money to those agencies.

The Port is subject to numerous additional local (i.e., King County, City of Seattle, City of SeaTac, etc.) and agreement-driven (i.e., bond covenants, union labor agreements) compliance requirements.

The Port has numerous compliance requirements of its own. Applicable regulations from the aforementioned federal, state, and local agencies are frequently embedded as part of the Port operations. The design is to provide reasonable assurance of compliance with applicable federal, state, and local rules and regulations through compliance with its own policies and procedures.

Risk Assessments

The Port currently does not have a policy requirement for departments or units to conduct risk assessments in a systemic fashion (e.g., Control Self Assessment), but various forms and degrees of risk assessment practices exist throughout the Port.

Emerging Changes/Issues

The Port has implemented many organizational changes during 2008 as a result of CEO initiatives and the 2007 SAO Performance Audit findings. Many of the nuts-and-bolts elements (i.e., policies and procedures) are still a work in progress at the time of this assessment. During transition, there is a degree of uncertainty that may introduce additional elements of risk. Operations may be affected as new decision trees begin to be established and line staff acclimate to the new environment. When complete, Internal Audit may perform procedures to provide reasonable assurance to the Commission and management that changes are materializing as intended.

AFR (Accounting and Financial Reporting) successfully implemented a new online e-Expense system, Concur, during 2008. The system appears to be robust and functioning properly. Implementation of the new version of HRMS (Human Resources Management System) has been delayed until mid-2009. There are other system changes/upgrades that are either in conceptual or budgeting stages.

Through Initiative 900 (I-900), state voters provided the State Auditor’s Office (SAO) with a mandate to conduct performance audits of local governments. SAO conducted, through a contract firm (Cotton & Company), the first performance audit at the Port in 2007. SAO released its findings in December 2007, and the Port has been diligently addressing findings from the report. SAO communicated to the Port its intention to conduct a second performance audit, which is tentatively scheduled to begin early 2009.

The McKay Fraud Investigation was completed in December of 2008 and identified ten civil frauds at the Port.
The report also identified a number of contractors that did not comply with the McKay investigation. As a result of this investigation, the Audit Committee might want Internal Audit to conduct some work related to the firms that did not comply. The scope of this work has not yet been defined. We will leave some hours in the contingency budget for this work.

Recent global economic downturns undoubtedly will affect the travel and airline industry. Such slowdowns will propagate throughout the region and surely impact the Port’s financial position. In anticipation, the Port has put together its 2009 budget with substantial cuts across the board. From a risk perspective, economic hard times often create additional pressure/opportunity for noncompliance and fraud. Lessees may face new pressure to re-interpret certain concession/revenue provisions or underreport the concession outright. Port departments may face similar pressure with their operating budgets and may relax their due diligence on accountability.

The construction of a consolidated rental car facility began in 2008, and the facility is scheduled to open in 2011. When it is complete, the space occupied by RAC (Rent-A-Car) in the main parking garage will be available for general parking. The increase in parking stalls will likely generate more parking revenue for the Port.

Risk Assessment and Identification (Quantitative and Qualitative)

Below are ten (10) risk exposures Internal Audit considers critical to the achievement of the Port mission. Risk exposures are, among other things, based on full consideration of the Port’s organizational status as a public entity. The department has attempted to reflect all relevant and significant risks faced by the Port and group the elements in a consistent and logical way.
The presence of risk simply indicates that the process of achieving the Port mission isn’t without pitfalls. The identification and subsequent measurement of risk are accomplished by measuring a number of factors related to risk, such as complexity, regulatory, technology, dollars at risk, liquidity of assets, competence of management, strength of internal controls, monitoring activities, frequency of internal audits, etc. Internal Audit is sufficiently proficient in all areas but is especially experienced in Washington State local government operations and requirements. We will use this experience and judgment to measure and prioritize the risks that are facing the Port.

1. Central Processing Systems

The system refers to a group of processes common to all organizational units across the Port, which may or may not include an IT system. A good example of a system in this context would be payroll. While each department may utilize different methodologies to accumulate/approve timesheets, all payroll entries are centrally processed at AFR before generating checks and posting transactions to the ledger.

Certain controls are expected at the systems level to provide minimum assurance over accountability. Systems can play an important role in prevention and detection, as all related transactions are expected to be processed by the system at a point in time. As such, controls at the systems level could be the most effective and have the most impact.

Internal Audit reviewed procurement in 2008 at Pier 69 as a central system for the Port to provide management with reasonable assurance that current procurement practices are well controlled to ensure compliance and accountability. Procurement in this context does not include accounts payable. The review was conducted in full recognition that the CPO and related policies/procedures were not yet complete.
The review was designed to deliver value-added benefits by providing management with the auditor’s perspectives while policies/procedures are in the design phase.

In 2009, Internal Audit will perform a systems audit of accounts payable (A/P), which will dovetail nicely with the procurement review in 2008. The A/P review will focus on the adequacy of internal control design as well as the efficiency/effectiveness and sufficiency of implemented controls. The understanding gained through the A/P review will complete the control review of a buy-to-pay cycle at the Port. The understanding will be used in other engagements, as all auditable units have some degree of procurement and payment in their processes. We will also review the payroll system, as it is considered part of the pay cycle.

2. Organizational (e.g., department) Control Reviews

The primary risk with organizational units is the efficiency/effectiveness of internal controls over accountability in managing resources, including financial and physical assets.

Throughout the discussion of the department internal control review, reference is made to the department node. The node refers to a collection of individual departments by function and/or location. Below is a table of the top nine operating-revenue-generating department nodes. It is a good indicator of risk concentration with respect to operating revenue.

(in thousands)

| Dept. node | 2004 | 2006 | 2007 | 2008 |
|---|---|---|---|---|
| Air Terminal | 104,008 | 128,930 | 129,144 | 99,029 |
| Airfield | 47,156 | 50,319 | 57,138 | 42,131 |
| Public Parking | 42,037 | 52,617 | 55,463 | 41,199 |
| Seaport Container Operations | 38,074 | 49,820 | 49,088 | 41,701 |
| Rental Cars | 25,818 | 33,983 | 36,408 | 29,847 |
| Concessions | 21,022 | 28,300 | 31,085 | 26,283 |
| Third Party Management | 10,017 | 13,018 | 13,690 | 11,439 |
| Airport Properties | 10,089 | 16,911 | 12,104 | 10,478 |
| Landside | 7,517 | 8,929 | 9,881 | 6,955 |
| Commercial Properties | 7,066 | 7,697 | 8,175 | 6,207 |

Source: PeopleSoft
* 2008 is as of October.
Although different department nodes are responsible for different agreements, much of the aviation revenue in the top nine is lease and concession related. Risk associated with lease and concession is discussed under the lease and concession revenue risk exposure in a later section of this assessment. Non-agreement revenues are parking at the airport and third-party managed properties. The 3rd party management is another risk exposure element, discussed in a later section of this assessment as a separate risk.

Operating Expenses

Below is a table of the top ten department nodes in operating expenses, excluding depreciation expenses.

(in thousands)

| Dept. Node | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Aviation Maintenance | 33,958 | 36,392 | 40,071 | 40,957 | 35,019 |
| Police Department | 16,829 | 17,407 | 16,994 | 18,607 | 14,580 |
| Aviation Executive/AVEX | 12,957 | 13,581 | 13,486 | 14,791 | 11,799 |
| Air Terminal | 11,628 | 14,133 | 13,512 | 14,706 | 11,187 |
| Information & Communication Technology | 7,674 | 12,636 | 11,086 | 13,266 | 10,953 |
| Aviation Utilities | 14,159 | 14,198 | 15,751 | 12,965 | 10,016 |
| Maintenance | 9,869 | 9,192 | 9,462 | 10,036 | 8,795 |
| Third Party Management | 7,294 | 8,502 | 9,645 | 9,541 | 7,555 |
| Professional & Technical Services | 4,644 | 9,752 | 2,081 | 7,864 | 2,611 |
| Airport Security | 4,844 | 4,795 | 5,950 | 7,412 | 5,893 |

Source: PeopleSoft
* 2008 is as of October.

Maintenance (Air and Seaport) and security (Police and Av. Security) are two department nodes that incur significant operating expenses. Departments in these categories account for between 39% and 43% of the Port’s overall operating expenses.

The table below shows all operating expenses by major account category for the last five years.
(in millions)

| Expense Category | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Salaries & Benefits | $72 | $71 | $73 | $79 | $69 |
| Wages & Benefits | $44 | $59 | $51 | $63 | $49 |
| Outside Services | $66 | $55 | $50 | $48 | $37 |
| Utilities | $20 | $18 | $21 | $19 | $15 |
| Supplies & Stock | $7 | $8 | $9 | $6 | $5 |
| Equipment Expense | $4 | $5 | $6 | $6 | $4 |
| Travel & Other Emp Exps | $3 | $3 | $3 | $3 | $3 |
| General Expenses | $2 | $15 | $2 | $12 | $6 |
| Other | $6 | $6 | $5 | $5 | $5 |

Source: PeopleSoft
* 2008 is as of October.

Payroll

Not surprisingly, payroll-related expenses are the biggest, accounting for over 50% of the total operating expense. The Port has 1,500+ employees on its payroll, and there are a number of collective bargaining agreements with various unions. The top ten departments in salaries and wages with benefits are listed below, and the list, as expected, is closely related to the top ten department nodes in operating expenses.

(in thousands)

| Dept. Node | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Aviation Maintenance | 24,266 | 25,981 | 28,840 | 31,286 | 25,885 |
| Police Department | 14,966 | 15,182 | 15,100 | 15,751 | 12,778 |
| Aviation Executive/AVEX | 10,140 | 11,148 | 11,184 | 11,797 | 9,715 |
| Information & Communication Technology | 6,345 | 6,801 | 7,674 | 8,414 | 7,820 |
| Maintenance | 6,570 | 6,413 | 7,012 | 7,851 | 6,357 |
| Corporate Contingencies | 187 0 6,295 0 |
| Airport Security | 4,311 | 4,197 | 4,317 | 6,146 | 5,524 |
| Accounting/Financial Reporting | 3,581 | 4,003 | 4,555 | 5,059 | 3,761 |
| Landside | 4,533 | 4,301 | 4,781 | 4,321 | 3,498 |
| Air Terminal | 2,642 | 2,741 | 2,794 | 3,750 | 3,614 |

Source: PeopleSoft
* 2008 is as of October.

Currently the Port utilizes an online time entry system where original input as well as approval is processed electronically. While the online system provides mathematical accuracy and certain input validations, it presents other challenges or risks with respect to verification of complete and proper entry.
Additionally, management often delegates approval authority to staff, and this practice could create a conflict of interest and other accountability issues: it is difficult to ascertain whether entries are approved with first-hand knowledge of the underlying activity. Compared to the traditional paper-based system, online systems tend to lack supporting documentation, as management assumes the online document is the full extent of applicable documentation requirements.

From a risk standpoint, payroll overall is a relatively contained system despite its complexities and inherent risks. The majority of payroll disbursements are based on static drivers (i.e., salaries, hourly rate, employment tax rates, etc.), and the volume in most cases is activity independent. For example, the daily financial liability to the Port per employee remains at 7.5/8 hours at a fixed rate whether an employee is at work or on paid time off. Thus, the size of the payroll alone will not be the primary factor in determining whether to review a particular area. The quality of payroll expenses will be a bigger factor.

At risk in payroll are the earnings types that are collectively known as exceptional earnings (i.e., overtime and shift differentials). These represent something above and beyond base pay and as such require additional compensation. The risk is whether they are proper (i.e., business related) and in compliance with applicable agreements/policies with respect to approval and documentation.

Outside Services category

The category consists primarily of contractual services, including Architectural & Engineering (A&E), non-A&E, and janitorial services. The risk with outside services or consultant services is procurement compliance with applicable federal/state/local regulations, including contracting irregularities such as kickbacks. A&E procurements are somewhat heavily regulated in terms of solicitation and require a fair and open competitive process.
In 2008, Internal Audit conducted a systems review of the central procurement process, which covers, among other things, A&E and non-A&E personal/professional agreements. While central procurement does not perform what Internal Audit considers key controls to reasonably ensure accountability in all categories, it does apply a set of procedures considered compensating controls. Key controls are with individual departments.

Additionally, there has been significant exposure on professional agreements Port-wide as part of internal/external audits, including the SAO 2007 Performance Audit. These reviews provided insight into administrative practices and recommended ways to strengthen current control activities.

The top ten department nodes in the category are as follows. The table indicates risk concentration in a few department nodes.

(in thousands)

| Dept. Node | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Air Terminal | 8,040 | 8,574 | 9,525 | 9,364 | 7,082 |
| Aviation Maintenance | 4,898 | 5,184 | 5,699 | 6,178 | 4,655 |
| Project Controls & Admin | 6,058 | 3,653 | 2,558 | 3,162 | 2,021 |
| Information & Communication Technology | 273 | 4,464 | 1,583 | 2,648 | 2,091 |
| Aviation Facilities | 1,963 | 2,141 | 2,082 | 2,592 | 1,386 |
| Port Construction Services | 1,380 | 1,175 | 1,712 | 1,913 | 1,636 |
| Airfield | 378 | 501 | 1,530 | 1,706 | 1,156 |
| Aviation Executive/AVEX | 1,752 | 1,757 | 1,439 | 1,560 | 1,105 |
| Legal | 1,964 | 1,182 | 1,112 | 1,512 | 893 |
| Public Parking | 1,767 | 1,918 | 2,063 | 1,504 | 1,192 |

Source: PeopleSoft
* 2008 is as of October.

Public Parking is included in the top ten because its payments to the bank for processing credit cards are included in the category. Other nodes are expected, as the very nature of their responsibilities entails using outside professional services. For example, Av. Maintenance uses custodial and maintenance contracts, and Information Technology utilizes outside desktop support services.
Utilities

The category is among the top five major expense categories but does not pose any significant risk, as it is consumption driven. Consumption can be easily verified with third-party independent documentation (i.e., Seattle Public Utility billing statements). The top three utilities in 2007 were electricity, heating (gas and steam), and surface water.

Supplies and Equipment

Accountability is the primary risk associated with this category. Included in the category are non-capital items (i.e., equipment and supplies), which are often referred to as small and attractive assets. These are items that are expensed because their monetary value is below the capitalization threshold. As such, they are often not required to be tracked. Most, if not all, departments do track these items, but currently there is no established central system to monitor or ensure how well departments track these assets. Hence, the risk of loss, abuse, and misuse persists.

An additional risk element involving supplies and equipment purchases is procurement cards (P-cards). The Port has many procurement credit cards at many departments. As the cards tend to be used for small purchases by multiple parties, it is difficult to track both the purchaser and the purchased item. Thus, preventive and detective controls such as close monitoring of card purchases are essential to properly mitigate the inherent risks of misuse/abuse.

The top ten department nodes in the category are as follows.

(in thousands)

| Dept. Node | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Aviation Maintenance | 3,196 | 3,540 | 4,173 | 1,780 | 2,336 |
| Maintenance | 1,214 | 1,395 | 1,322 | 1,130 | 813 |
| Air Terminal | 585 | 921 | 1,062 | 990 | 92 |
| Police Department | 279 | 293 | 315 | 309 | 307 |
| Airport Security | 208 | 251 | 354 | 292 | 151 |
| Aviation Executive/AVEX | 358 | 325 | 319 | 285 | 294 |
| P69 Facilities Management | 105 | 117 | 120 | 142 | 93 |
| Engineering | 85 | 124 | 124 | 133 | 110 |
| Public Parking | 102 | 93 | 130 | 74 | 63 |
| Aviation Facilities | 83 | 88 | 86 | 71 | 81 |

Source: PeopleSoft
* 2008 is as of October.

As expected, the maintenance shops at the seaport and airport take the top two spots in the category. Internal Audit reviewed both maintenance shops in the last two years and suggested a number of ways to strengthen existing controls over physical assets. Aviation Executive/AVEX is part of the top ten because the node includes the Fire Department. The majority of the supplies and equipment for the Fire Department are emergency supplies and uniform/protective equipment.

Travel and Other Employee Expense

The risk associated with this category is one of accountability. The category covers a wide range of expense items, from breakfast to a cab ride, and as such is inherently susceptible to misuse and abuse. In 2008, the Port replaced the aging Bank of America system with a new online expense system, Concur. There is a dedicated position within AFR for travel card expense processing, which mitigates certain control deficiencies at the department level. While the position can exercise some compensating controls to ensure completeness, it does not have the first-hand knowledge needed to determine the appropriateness of submitted expenses. This emphasizes the importance of due diligence and care by management when approving travel requests.

The top ten department nodes in the category are as follows.

(in thousands)

| Dept. Node | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Executive | 293 | 422 | 390 | 428 | 325 |
| Aviation Executive/AVEX | 300 | 98 | 312 | 377 | 242 |
| External Affairs | 175 | 275 | 224 | 263 | 203 |
| Human Resources & Development | 156 | 206 | 266 | 246 | 209 |
| Information & Communication Technology | 102 | 163 | 167 | 216 | 224 |
| Seaport Division Management | 191 | 139 | 173 | 203 | 129 |
| Police Department | 113 | 147 | 125 | 173 | 99 |
| Seaport Container Operations | 147 | 155 | 180 | 169 | (1) |
| Special Advisors/Economic Development | 136 | 128 | 136 | 136 | 39 |
| Aviation Maintenance | 36 | 64 | 103 | 101 | 96 |

Source: PeopleSoft
* 2008 is as of October.

All top ten are expected. Police and Fire receive heavy training, which often requires traveling and overnight stays as well as registration. Special Advisors include overseas representatives and economic teams at Pier 69.

Below is a table of the category expense by account.

(in thousands)

| Account | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Registration Fees/Tuition | 548 | 620 | 698 | 845 | 780 |
| Membership Dues & Fees | 625 | 352 | 667 | 795 | 662 |
| Air Fare | 393 | 426 | 519 | 612 | 366 |
| Lodging & Other Travel | 291 | 499 | 582 | 499 | 178 |
| Employee Food & Beverage | 251 | 267 | 235 | 271 | 186 |
| Subscriptions | 286 | 320 | 275 | 250 | 254 |
| Local Transportation | 55 | 65 | 70 | 72 | 86 |
| Service Awards | 65 | 64 | 59 | 62 | 49 |
| Management Education Expense | 28 | 20 | 29 | 30 | 28 |
| IDC/E&T Fellowship Program Exp | 10 |

Source: PeopleSoft
* 2008 is as of October.

Overall, travel and other employee expenses have remained flat over the last five years. No unusual trends are noted at the account level. Memberships include big-ticket dues to such organizations as WA Public Port Assoc., Airport Council International, and Puget Sound Regional Council.

Telecommunication

(in thousands)

| Dept. Node | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Information & Communication Technology | 419 | 503 | 450 | 500 | 376 |
| Police Department | 105 | 98 | 111 | 113 | 84 |
| Engineering | 111 | 74 | 97 | 106 | 62 |
| Air Terminal | 29 | 59 | 82 | 91 | 86 |
| Aviation Maintenance | 76 | 100 | 105 | 81 | 71 |
| Aviation Executive/AVEX | 54 | 57 | 56 | 66 | 50 |
| Maintenance | 58 | 42 | 51 | 48 | 30 |
| Airfield | 34 | 35 | 44 | 48 | 35 |
| External Affairs | 23 | 28 | 33 | 33 | 23 |
| Project Controls & Admin | 54 | 32 | 36 | 33 | 20 |

Source: PeopleSoft
* 2008 is as of October.

All top ten are expected, as communication is a significant part of their daily operations. Engineering, although expected, has somewhat higher than expected communications expenses.

Below is a table of the category expense by account, and no unusual trends are noted.

(in thousands)

| Dept. Node | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Long Distance Charges | 76 | 79 | 37 | 36 | 58 |
| Telecommunications | 1,202 | 1,245 | 1,308 | 1,443 | 1,017 |
| Telephone - Data Transmission | 0 | 2 | 1 | 0 | 8 |

Source: PeopleSoft
* 2008 is as of October.

Promotional Expense

Promotional expenses are frequently a subject reviewed by the State Auditor’s Office, as the category allows such unusual items as alcoholic beverages. Internal Audit reviewed the expense for any unusual trends during the assessment, although it considers the coverage by the SAO adequate.

(in thousands)

| | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Aviation Executive/AVEX | 278 | 239 | 179 | 427 | 242 |
| External Affairs | 231 | 295 | 157 | 210 | 120 |
| Executive | 15 | 61 | 59 | 48 | 9 |
| Special Advisors/Economic Development | 194 | 63 | 59 | 38 | 36 |
| Seaport Container Operations | 40 | 58 | 35 | 33 | 2 |
| Harbor Services | 12 | 12 | 10 | 28 | 9 |
| Cruise Services | 59 | 67 | 37 | 17 | 16 |
| Professional & Technical Services | 14 | 17 | 22 | 13 | 13 |
| Community Development | 9 | 15 | 4 | 11 | 15 |
| Project Controls & Admin | 2 | 0 | 2 | 10 | 0 |

Source: PeopleSoft
* 2008 is as of October.

Other Useful Statistical Information

Below are the top five vendors in operating expenses in 2007, and no unusual trends are noted in the list.
| Ranking | Operating |
|---|---|
| 1 | AMERICAN BUILDING MAINTENANCE |
| 2 | SEATTLE CITY LIGHT |
| 3 | BONNEVILLE POWER ADMINISTRATION |
| 4 | PUGET SOUND ENERGY |
| 5 | KONE INC. - elevator and escalator maintenance |

Source: PeopleSoft

Below are the top five non-payroll and non-utility accounts. Other than 3rd party management fees, it is expected that outside services as a whole are the second largest expense group following payroll including benefits. Internal Audit reviewed two 3rd party management contracts in 2008: Bell Harbor International Conference Center and World Trade Center. 3rd party management as a group is one of the ten (10) risk exposure elements Internal Audit considers critical.

(in thousands)

| Dept. Node | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Non-Architectural & Eng Svcs | 11,290 | 10,925 | 7,194 | 10,309 | 7,700 |
| Other Contracted Services | 30,366 | 18,243 | 16,422 | 10,265 | 7,331 |
| Contracted Janitorial Service | 7,166 | 8,101 | 8,979 | 8,733 | 6,574 |
| 3rd Party Mgmt Op Exp | 6,729 | 7,451 | 8,408 | 8,553 | 7,077 |
| Architectural & Eng Services | 6,855 | 5,542 | 6,217 | 6,111 | 3,304 |

Source: PeopleSoft
* 2008 is as of October.

Non-operating Revenue/Expense

Bond interest expenses carry little risk, as they are highly structured and in most cases predictable.

Passenger Facility Charges (PFC) are a federally approved fee that commercial-service airports can impose to finance airport improvements. Collection from the customer and disbursement to the airport are the responsibility of the carrier. Starting in 1992, carriers with more than 50,000 annual charges are required to provide an independent audit of their system. Further, the Port annually engages a CPA firm to audit PFC. Due to coverage by third parties, Internal Audit considers PFC low risk.

Gain/loss resulting from the sale of assets has one particular risk element from a public agency point of view. All asset sales must be arm’s-length transactions and free of conflict of interest with the buyer.

3. Revenue (lease and concession)

The majority of the Port’s revenue is generated from passive earnings activity as a landlord. The Port rents land/space to various parties at both the seaport and airport and expects a payment in return. The payment generally takes the form of: 1) a regularly occurring fixed amount and/or 2) a periodic settlement of a fee which is based on earnings activity by the lessee. The Port faces different risks depending on the type.

To illustrate the contribution of passive earnings activity to the Port’s overall operating revenues, a 5-year trend for agreement-driven revenue is provided below. The agreement in this context refers to fully executed written legal contractual relationships. For purposes of the analysis, Internal Audit reviewed all agreements within PROPWorks, an automated property and revenue management system. PROPWorks is used by both the airport and seaport.

(in millions)

| | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Total Operating Revenue | $377 | $417 | $447 | $461 | $363 |
| Agreement-driven | $248 | $311 | $308 | $345 | $347 |
| % of agmt-driven to the Op Rev. | 66% | 75% | 69% | 77% | 96% |

Source: PeopleSoft
* 2008 is as of mid-November

The data suggests that up to 77% of the total operating revenue is derived from agreements. Given the contribution level to the operating revenue, the mitigation of risks associated with agreements becomes critical to the Port’s overall financial health.

The most significant risk of agreement-driven revenue streams is one of completeness. It is difficult to satisfy the question as to the complete reporting of all applicable revenue as it relates to concession. The risk is even more evident when one considers that the majority of the agreement-driven revenue at the Port is self-reported. The Port has little direct means to confirm/refute the reported concession base.
A secondary risk to the agreement-driven revenue streams would be inadequate protection of the Port’s interest in the agreement itself. There is a risk that the agreement may be executed without an audit clause. In such cases, the Port would not have audit access to underlying records to determine if the reported revenue is reasonable and complete.

Internal Audit has in past audits found certain control deficiencies and lax management monitoring. As a result, Internal Audit has been steadily increasing transparency in the area, but given the sheer number of agreements (~700 active agreements as of Nov. 2008), it is practically impossible to review all agreements individually. Given that, the only effective and manageable way to consistently provide any assurance is to review agreements in some categories based on risk.

Below is a 5-year trend of agreement-driven revenue by major revenue category. The top three (3) account for over 80% of the total.

(in millions)

| | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|
| Space Rental | $141 | $189 | $191 | $221 | $213 |
| Landing Fees | 45 | 47 | 47 | 53 | 40 |
| Car Rental Revenues | 21 | 27 | 27 | 28 | 28 |
| Food and Beverage Revenue | 8 | 9 | 9 | 12 | 12 |
| Retail Revenue | 6 | 8 | 7 | 10 | 11 |
| Revenue from Sale of Utilities | 2 | 3 | 8 | 9 | 9 |
| Land Rental | 5 | 6 | 6 | 7 | 6 |
| Advertising Revenue | 3 | 4 | 4 | 5 | 4 |
| Concession Services Revenue | 1 | 3 | 3 | 3 | 4 |
| In-Flight Kitchen Revenue | 3 | 3 | 3 | 3 | 3 |
| Other Misc. | 3 | 5 | 5 | 5 | 6 |

Source: PeopleSoft and PROPWorks
* 2008 is as of mid-November

Space Rental is a low-risk area in regard to the complete and accurate receipt of the rent. Rents, for the most part, are a fixed amount on a monthly basis. Missing and/or incorrect payments would be relatively easy to capture and remedy, as the payment amount does not change and is expected every month. At risk would be a loss of revenue due to below-market rents and inconsistent application/enforcement of agreed-upon provisions such as the annual acceleration clause and interest/penalty for late payments.
Landing Fees are a mechanism to recover costs to maintain and operate the airport. Fees are based on a collection of eligible cost pools and are billed for every 1,000 lbs of landing weight. Analysis indicates that there has not been a significant change (>10%) in recent years. It is estimated that the fees will go down, as the 2009 operating budget has been reduced and eligible expenses at the airport will likely continue to decrease in coming years. The primary risk is failure to include all eligible costs in allocation pools. The failure could occur as: 1) incorrect pooling of costs (i.e., omission of costs during the pooling process) and/or 2) incorrect general ledger account balances (i.e., incorrect costs are included). An additional risk subsequent to cost pooling would be the risk associated with billing and collection (e.g., late payment interest and penalty), which is not as significant as the first.

Considering the total number of customers (~10), Rent-A-Car (RAC) as a revenue source contributes a significant amount to the operating revenue. Internal Audit has been reviewing RACs annually and has found certain issues regarding gross revenue offsets. Offsets are used to reduce concessionable revenue, and thus improper offsets translate to decreased concession to the Port. The Port has recovered well over $1 million as a result of past audits. Given the contribution to the operating revenue and the extent of the issues uncovered thus far, continued exposure is deemed necessary. As such, Internal Audit has placed all RAC reviews on a 3-year audit cycle.

Food/Beverage/Retail includes shops and restaurants at the seaport and airport. As a whole, the revenue stream has been steadily increasing in recent years. Internal Audit conducted a number of reviews of big contributors in 2008: Airport Management Services, HOST, and Seattle Restaurant Associates. The reviews indicated no significant concerns.
However, food/beverage/retail lease agreements are often complex, with various types of allowances (e.g., display allowance for newspapers) which may or may not be subject to concession. Further, the projected decline in the travel industry due to recent economic downturns may create additional pressure for incomplete concession reporting. Internal Audit will continue to bring exposure to the area.

Utility resale is considered low risk. One risk would be a miscalculated usage base, resulting in less than full recovery of original utility fees paid by the Port.

Advertising revenue is concession from outdoor advertising firms such as JC Decaux and Clear Channel. Internal Audit reviewed concession from JC Decaux in 2007 and had a minor recovery as a result. Through a public competitive process in 2007, Clear Channel prevailed in a bid to be an outdoor advertising agent at the airport. Because the agreement is fairly new and generates significant revenue (>3M) as a single advertising agent, it would be beneficial to establish an Internal Audit presence to promote correct and complete reporting of all concessionable revenue.

Risk associated with land rental is similar, if not identical, to that for space rent as discussed above.

Internal Audit reviewed all in-flight tenants in 2007 and had a number of issues on disallowed offsets to the concession base. Internal Audit will re-examine tenants in 2010 and determine if additional coverage is necessary.

Misc. includes dockage, wharfage, crane rental, aviation fuel flowage, etc. Risk in these areas is similar to other concession arrangements in that fees to the Port may not be based on complete concessionable revenue.

Below are the top twenty (20) customers in 2007 in terms of total billings. The ranking has been analyzed to fully consider the agreement-driven revenue risk at the customer level.
(in millions)

| Rank | Name | 2007 | 2008* |
|---|---|---|---|
| 1 | ALASKA AIRLINES INC | $47 | $42 |
| 2 | SSA TERMINALS LLC | 20 | 25 |
| 3 | UNITED AIRLINES | 20 | 15 |
| 4 | EAGLE MARINE | 17 | 21 |
| 5 | HORIZON AIR | 13 | 11 |
| 6 | NW AIRLINES INC-PFC | 13 | 11 |
| 7 | DELTA AIR LINES INC | 9 | 8 |
| 8 | SEATAC FUEL FACIL | 9 | 9 |
| 9 | SOUTHWEST | 8 | 8 |
| 10 | HOST | 8 | 8 |
| 11 | HERTZ CORPORATION | $8 | $9 |
| 12 | AIRPORT MANAGEMENT SVCS LLC | 7 | 8 |
| 13 | CRUISE TERMINALS OF AMERICA LLC | 7 | 9 |
| 14 | AVIS RENT A CAR SYSTEM | 7 | 7 |
| 15 | LOUIS DREYFUS CORP | 6 | 6 |
| 16 | CONTINENTAL AIR LINES INC | 6 | 6 |
| 17 | AMERICAN AIRLINES INC | 6 | 5 |
| 18 | ALAMO RENT A CAR | 5 | 5 |
| 19 | NATIONAL CAR RENTAL | 5 | 5 |
| 20 | US AIRWAYS INC | 5 | 4 |

Source: PeopleSoft and PROPWorks
* 2008 is as of mid-November

Almost all of the top twenty customers are in either the space or the Rent-A-Car (RAC) revenue category, which is in line with the top three agreement-driven revenue categories. Analysis indicates space rental revenue is quite top-heavy, in that the top 5 of 500+ customers in revenue groups account for over 50% of the category revenue. This indicates that residual risk after the five in the space rent category is quite dispersed, and under such conditions, providing adequate audit coverage may prove difficult.

4. Federal Assistance

The Port has numerous federal grants to support various operating and capital activities. Below is a 5-year history of grant revenues. The decreasing trend appears to be reflective of the construction activity associated with the third runway as well as security at both the airport and seaport following 9/11.
(in thousands)

| Account | Acc Desc | 2004 | 2005 | 2006 | 2007 | 2008* |
|---|---|---|---|---|---|---|
| 70810 | Misc | (1,149) | (2,054) | (333) | (51) | 0 |
| 70820 | FAA | (74,262) | (62,157) | (73,927) | (65,555) | (29,811) |
| 70825 | TSA - Seaport | (42,370) | (44,797) | (1,399) | (653) | 0 |
| 70830 | ODP Grant Revenue | 0 | 0 | (870) | (50) | 0 |
| 70835 | TSA - Airport | 0 | 0 | (42,526) | (19,448) | 2,206 |
| 70840 | DOT | (560) | (564) | (6,991) | (3,827) | (1,639) |
| 70850 | WA State | (87) | (82) | (1,148) | 74 | (25) |
| 70860 | DOE | 0 | 0 | 0 | 0 | 0 |
| Total | | (118,428) | (109,655) | (127,194) | (89,511) | (29,268) |

Source: PeopleSoft
* 2008 is as of October 2008.

When federal assistance exceeds $500,000, an audit of federal expenditures is required per the Single Audit Act of 1984, as amended. An independent CPA firm typically performs the audit. Currently Moss Adams conducts the single audit at the Port. The Port has not had any significant findings related to federal grants.

Internal Audit considers the audit by Moss Adams of federal expenditures adequate, and as such the department has no plan to conduct any procedures related to the federal grants in 2009.

5. 3RD Party Management Contracts

The risk is one of compliance. The requirements to which the Port is subject are the same requirements with which the 3rd party management must comply as an extension of the Port. Any noncompliance by the 3rd party management is, by extension, noncompliance by the Port.

Columbia Hospitality and Wright Runstad & Co. manage Port-owned property for a fee. Internal Audit reviewed Columbia Hospitality in 2008 and plans to review Wright Runstad in 2009.

6. Performance

Performance measures generally precede performance audits. Once instituted for a period of time, measures can be benchmarked against industry standards to determine efficiency and effectiveness in the achievement of goals and objectives. The Port has not instituted any performance measures, and thus the traditional approach cannot be used to conduct performance audits.
However, the Port does have numerous measurable indicators of performance expectations. For example, an annual budget and expectations of job creation could be viewed as such indicators. Put differently, a performance audit can be conducted with the budget and management expectations as a baseline performance measure. What isn't feasible in this approach is benchmarking against external standards. Internal Audit has three or four potential candidates for a performance audit in 2009: 1) space rental, 2) cruise line of business, 3) terminal operations, and 4) leasing operations. The scope of the audit will be determined in close discussions with the Audit Committee.

7. Financial Reporting/General Ledger

Accounting and Financial Reporting, formerly known as APS, prepares annual financial statements (CAFR) as of and for a period ending December 31. The statements are audited annually by an independent CPA firm, Moss Adams, for reasonableness and fair presentation. The risk of material misstatement in the government financial statements is considered low. In a manner of speaking, there is no incentive to "cook" the books. More relevant would be the disclosure risk in regard to the nature and extent of the content of the statements, but Port accounting and financial reporting staff have the expertise to adequately mitigate the risk. For the past three years, the Port has received the GFOA Certificate of Achievement for Excellence in Financial Reporting. Internal Audit has no plan to conduct any review in the upcoming year related to the financial/general ledger.

8. Enterprise Risk Management (ERM)

The Audit Committee has repeatedly expressed interest in implementing an ERM system at the Port. The Committee and Internal Audit recognize the value of ERM as a tool in streamlining Port-wide efforts to effectively manage risk.
The Committee has included ERM as one of its many strategic goals to achieve in the next five (5) years. At the time of the assessment, no ERM system has been implemented at the Port (i.e., there is no ERM system to review). Thus, the risks associated with not having a formal ERM or substantially equivalent system remain outstanding. However, it should be noted that there are many silos of risk assessment conducted by many groups and/or departments throughout the Port. These silo risk assessments are informal. Hence there is a need for training so that senior management can see the need for, and buy into, the concept of a formal ERM project. For any ERM project to be successful, senior management needs to buy into the concept and see the value of the project. The risk management part of ERM will be incorporated in all our audits. The question of how well risk is managed in each system will be one of the objectives of our reviews. The discussion of the implementation of ERM at the Port will continue with the Audit Committee and senior Port leadership, and we will implement accordingly.

9. Special Investigation and other Requests

The Port considers any allegation of fraud and loss of public funds a serious infringement of public trust and investigates fully and diligently if it is determined that there is substantial merit to the allegation. At the time of the assessment, Internal Audit is uncertain as to the extent of special investigations in the coming year. However, Internal Audit acknowledges that there will be some and consequently reserves a certain level of audit resources in the work plan dedicated to such investigations.

10. Capital Improvement Program (CIP)

In recent years, there has been a significant amount of exposure on the contracting practices at the Port.
A number of external and internal audits have been conducted in the area: 1) Port-initiated performance audit, 2) 2007 State Auditor's performance audit, 3) Port-initiated fraud audit subsequent to the SAO audit, 4) Department of Justice audit (results not yet published), 5) Internal Audit review of PSAs, 6) Internal Audit review of procurement as a systems review, and 7) Internal Audit follow-up audit of selected SAO recommendations. Based on the findings (especially from the SAO report), the Port has reorganized and created a new division and a department to ensure improved efficiency and compliance. Concurrently the Port has been diligently working on new policies and procedures to strengthen and supplement existing ones. Many of these policies and procedures are a work in progress at the time of the assessment. Given the level of exposure in recent years through internal and external audits, we can defer additional scrutiny in the CIP area with respect to controls over contracting practices to years beyond 2009. Internal Audit recommends no CIP audit in the upcoming year.

Summary of Risk

Risks are events that have some probability of occurring. Risk measurement involves subjective judgment and reference to objective or historical data. The measurement of risk is accomplished by measuring a number of risk-related factors, such as: complexity, regulatory, technology, dollars at risk, liquidity of assets, competence of management, strength of internal control, monitoring activities, frequency of internal audits, etc. Internal Audit is very experienced in Washington State local government operations and requirements. We will use that experience and judgment to measure and prioritize the risks that are facing the Port.

| Risk No. | Fact | Identified Risk | Risk Measurement or Likelihood of Occurring | Action Plan | See Detailed Work Plan |
|---|---|---|---|---|---|
| #1 | The Port is subject to a number of state statutes regulating many aspects of its operations. Government regulations are an inherent risk of any public agency. | Non-compliance with state statutes | HIGH | Federal/State/Local legal compliance is embedded in all audits by the department. | 2009 Department Internal Control Reviews |
| #2 | The Port is a public agency that is audited annually by SAO | Findings on the Port could create negative publicity about the Port. | HIGH | Accountability concerns as a public agency are embedded in all audits by the department. | 2009 Department Internal Control Reviews |
| #3 | The Port is audited by other state or local agencies such as DOR, Departments of Retirement, Local Unions, IRS etc. | If the Port was found to owe money, this could have a negative financial impact on the Port. | MODERATE | Continue monitoring audit activities/results by these agencies and modify, as warranted, the department ARAP and work plan accordingly. | |
| #4 | The Port environment is complex and decentralized. | Inadequate controls, ineffective monitoring in achieving Port objectives, and possible non-compliance | HIGH | Continuous monitoring of key indicators of inadequate controls, ineffective monitoring by management, and modify, as warranted, the ARAP and work plan accordingly. | 2009 Department Internal Control Reviews and systems audits |
| #5 | The majority of Port tenants and customers have a self reporting system. | Underreporting of Concession fee and lack of monitoring by Port management. | HIGH | Continue to monitor the effectiveness of the Port management revenue monitoring systems and promote awareness on compliance. | 2009 operational aud of departmental managemen |
| #6 | Operating procedures for business units are not always visible. | The procedures may not line up with the Port overall policies and strategy. | HIGH | The adequacy of policy/procedure is an integral part of all department internal control reviews. | 2009 Operation departmental audits. |
| #7 | The Port has many stand-alone IT subsystems. | Lack of reconciliation with the Port financial system - PeopleSoft | MEDIUM | Sub-systems and their reconciliations are reviewed as part of the department internal control reviews. | |
| #8 | The Port receives federal financial assistance. | Non-compliance with grant requirements | MEDIUM | The department considers the work by Moss Adams adequate. | |
| #9 | The Port is decentralized and has many local policies and procedures. | Non-compliance and lack of adherence to Port policies and strategies. | MODERATE | The adequacy of policy/procedure is an integral part of all department operational audit | 2009 Department operational audits. |
| #10 | In 2008, the Port created new operational units and positions – Department of Social Responsibility etc. | Operational risk as new units and positions establish and line up staff acclimate | LOW | Vigilant to indicators (financial or otherwise) of systematic or control failure. | |
| #11 | The Port is upgrading or replacing some of its IT systems. | With system implementation and/or upgrades, there is always an inherent risk that something might go wrong. | MEDIUM | Increase Internal Audit participation in system implementation discussions as well as post-implementation risk assessment | |
| #12 | The Port implemented a fraud hotline in 2008. | Cases reported through the fraud hotline may affect Internal Audit workload | MEDIUM | Increase Internal Audit resources | So far most of the hotline reported cases have been addressed by the legal department. |
| #13 | State Initiative 900 – Performance Audits | Negative publicity on the Port | HIGH | Provide assistance to management on proactive issue mitigation prior to the performance audit. Following the audit report, issue follow-up per the Audit Committee directions. | 2009 Performance Audit |
| #14 | The Port spends millions each year on capital expenditures. | State and federal compliance and/or kickbacks. Capitalization of inappropriate charges | HIGH | CIP is one of Internal Audit's top ten risk exposures and as such the area is reviewed regularly for any indications of control and/or accountability risk. | No CIP specific audit scheduled in 2009. However, the issue of compliance and kickbacks will be a focus of any audit we conduct in 2009. A lot of audits have been conducted in the CIP area since 2007. |
| #15 | The Port has many remote cash receipting locations. | Misappropriation and/or fraud of public funds | HIGH | No separate engagements for remote cash sites, but the cash receipting review is included as part of the regular department internal control review if the department has a receipting operation. | |
| #16 | The Port has many tenants that provide food and retail services. | Underreporting of concession fee to the Port. | HIGH | Ongoing and active risk assessment on concession agreements. | 2009 operational aud and effectiveness of management revenue monitoring. |
| #17 | Space rental is the leading major source of revenue for the Port. | Tenants might not pay space rent to the Port | LOW | Ongoing and active risk assessment on concession/rent agreements | 2009 operational aud and effectiveness of management revenue monitoring. |
| #18 | A lot of receipts are collected over the counter at the Airport Public Parking. | Cash/checks are by nature susceptible to theft and fraud. | HIGH | Internal Audit reviewed this area in 2007. | |
| #19 | Rental car agencies tend to give unallowable rebates and discounts to their customers. | Underreporting of concession fee to the Port. | HIGH | Continue auditing rental cars agencies on a 3-year rotation cycle with a focus on management effectiveness of their management controls | 2009 operational aud of RAC reviews. |
| #20 | The Port has three operations that are managed through third party management services. | Non-compliance and accountability risk. | HIGH | 3rd party management contracts are one of Internal Audit's top ten risk exposures and as such the area is reviewed regularly for any indications of control and/or accountability risk. | 2009 3rd party review. The audit focus will be effectiveness of management monitoring controls. |
| #21 | Payroll or payroll related expenses comprise over 50% of Port operating expenses. | Management often delegates approval authority to staff - it's difficult to ascertain that entries are approved with first-hand knowledge of the underlying activity | MODERATE | Payroll is part of the proposed 2009 work plan as a systems audit and the focus is operational effectiveness. | |
| #22 | The Port spends over $100 million in consulting services annually. | The primary risk with the outside services or consultant services is compliance with the Port policies and/or state laws. Contract irregularities. | HIGH | Procurement was reviewed in 2008 which will be followed by a systems audit of accounts payable in 2009. The focus of the audit will be management operational effectiveness. | 2009 systems audits. |
| #23 | The Port spends quite a bit of money on supplies and equipment. | The primary risk associated with supplies & equipment is accountability. There is a risk of theft and/or abuse. | HIGH | Supplies and equipment are part of the department operational audit. | 2009 Departmental operational controls. |
| #24 | The Port spends over $3 million annually through P-card purchases. | Abuse of credit cards for personal gain and/or personal procurement. | HIGH | Procurement was reviewed in 2008 which will be followed by a systems audit of accounts payable in 2009. | 2009 operational systems audits. |
| #25 | The Port spends materially on employee travel and other related expenses. | Accountability risk and/or abuse | HIGH | Travel and other related expenses are part of the department internal control review. | 2009 Department operational Control Reviews |
| #26 | The Port sells its surplus equipment annually. | The sale might not be an arm's length transaction. | MODERATE | Scrap sale was reviewed in 2008 as part of the Av. Maintenance review. IT is one of 2009 proposed departmental operational control reviews. IT equipment is surplused regularly. | 2009 Operational department Control Reviews |
| #27 | The Port prepares annual financial statements/CAFR. | Material misstatement in the financial statements | LOW | The risk of material misstatement in government financial statements is LOW | Accounting Department has competent staff to mitigate this risk. |

Risk Assurance

2009 Projected Audit Coverage

The projected audit coverage for 2009 includes the following areas. The coverage is determined by two factors: 1) risk as discussed in previous sections of this document and 2) available audit resources. The coverage will be adjusted as necessary throughout the year.

Carryover Audits from Fiscal Year 2008

During 2008, a number of limited scope special requests diverted available audit resources from scheduled reviews. While a certain level of contingency was considered in the 2008 work plan, the extent to which the contingency actually materialized was more than anticipated. Consequently a few projects were not completed as scheduled.

• Police Department
This was scheduled to be a full scope departmental operational audit. All department operations would have been subject to review based on risk. Internal Audit will include the department as part of its 2009 work plan as a full scope department operation audit.

• The following third-party agreements, concessions, and leases are currently underway: World Trade Center, Bell Harbor Conference Center, Cruise Terminal of America (CTA), Host, Airport Management Services Inc., Seattle Restaurant Associates, and a review of operational effectiveness of the Port procurement system.
The field work will be completed by the end of the year, but the reports will not be finalized until the first week in February 2009.

• Corporate Accounts Payable
The 2008 work plan included reviews of certain areas in the Port's accounts payable including Professional Services Agreements (PSAs). The scheduled reviews were not contemplated as a systems audit. Rather, Internal Audit intended them to be more of a substantive review of end products (e.g., executed PSAs, S-type contracts, etc.) for compliance. Internal Audit did not conduct separate reviews of these areas during 2008 because some of the limited scope special requests (e.g., SAO audit issue follow-up procedures) included a review of the same areas. Performing separate reviews would have duplicated audit effort. Internal Audit is proposing a systems operational review of the A/P in 2009 which, among other things, will systematically review the areas included in the 2008 plan.

Performance Audits

Internal Audit has identified three potential candidates for a performance audit in 2009: 1) space rental, 2) terminal operations, and 3) leasing operations. Each of the above activities has a specific set of goals which are directly linked to the Port missions. A performance audit will be conducted to determine the extent to which the stated goals have been achieved.

Systems Audits

Internal Audit recommends a review of both accounts payable (A/P) and payroll in 2009. The review will focus on operational effectiveness and management monitoring controls. Although the Port has not implemented an ERM system, Internal Audit will incorporate the risk management part of ERM into the scope of the systems audits. That is, each system will be reviewed in terms of how well it manages risk in a systematic manner. This will be in addition to the internal control review, which is the usual scope of the review.

Department Operational Audits

Performance audit perspectives, especially related to efficiency of operations, will be an integral part of all departmental internal control reviews. Internal Audit recommends the following department nodes for review in 2009. It should be noted that Internal Audit may not review all individual departments within the node. Risk within the node may be concentrated in some departments (i.e., risk is not distributed equally).

• Police Department
This is a carryover audit from fiscal year 2008. See comments above.

• Air Terminal
Air Terminal as a node is among the highest on both revenue (> $100 M) and expense (~ $4 M). It includes such departments as: 1) Airport Communication Center, 2) AT Business & Lease Management, 3) AT Services, and 4) Aviation Marketing. Payments to American Building Maintenance (ABM), which is the highest paid vendor in operating expense, are coded to this node.

• Information & Communication Technology
ICT consumes the majority of communications related expenses, including numerous IT purchases below the Port capitalization threshold. Effective and efficient use of communication devices from a performance audit perspective will be part of scope consideration.

• Third Party Management
The Port has three operations that are managed by a third party. Two of these operations were audited in 2008, and Internal Audit plans to audit the third, Wright Runstad, in 2009. With the completion of the Runstad review, Internal Audit will have covered all 3rd party management contracts. Internal Audit will be in a position to assess whether a cycled or continuous exposure is necessary in the area in order to provide the Commission and management with reasonable assurance. The focus of the third party management review is the effectiveness of Port monitoring procedures.

• Security
Security as a functional group at the Port consumes a material amount of financial resources (~29 M in 2007). The group also generates, although infrequently, grant revenues from other governmental entities. Security in this context includes Police, Airfield Security, ID Badging, and Seaport Security. The majority of the security related expenses are payroll, outside services, and supplies & equipment. Effective and efficient use of FTEs from a performance audit perspective will be part of scope consideration. Internal Audit conducted a review of ID Badging in 2007 and plans to review Police in 2009. With a review of Airfield and Seaport Security, Internal Audit will have reviewed all of the security related departments as a functional group at the Port.

Lease Compliance Audits

To provide adequate coverage for the biggest single source of revenue to the Port, Internal Audit will continue to cycle audits in this area. The focus starting in 2009 is operational audits, specifically the effectiveness of Port management monitoring procedures. Internal Audit proposes reviews of the following lease agreements in 2009.

• SSA TERMINALS LLC
• EAGLE MARINE SERVICES LTD
• ANTON AIRFOOD
• CONCESSIONS INT'L INC.
• MAD ANTHONY'S INC PIER 66
• MAD ANTHONY'S INC.
• BORDERS INC
• FIREWORKS
• CLEAR CHANNEL WORLDWIDE
• KIEWIT GENERAL JOINT VENTURE
• STONEPATH LOGISTICS INT'L SERVICES INC

Rent-A-Car (RAC) Audits

For the past 4 years, Internal Audit has conducted these audits and recovered a significant amount of underreported concession. Because of limited staffing, the department conducted these audits with assistance from an external firm. Internal Audit in 2009 will be staffed to a level sufficient to conduct these audits internally. Internal Audit recommends an audit of the following RAC agreements in 2009.
The department will utilize, as resources, contracted CPA firms from prior audits in a staff assistance capacity and leverage the knowledge and insight they have gained in the performance of the audits. The focus of the audits will be the effectiveness of the departmental monitoring procedures.

• HERTZ CORPORATION
• AVIS RENT A CAR SYSTEM
• BUDGET

The Way Forward

Consistent with the Audit Committee's strategic goals over the next five years, Internal Audit will continue to increase its focus on management and program performance from a performance audit perspective. Internal Audit will assist management as a facilitator in the process of promoting and implementing performance measures. In the meantime, Internal Audit will take steps toward the goals by considering and incorporating (where feasible) performance audit elements into all reviews the department conducts.

Port activity is replete with risks and rewards. Rewards are realized if risks are efficiently and effectively managed. In this context, Enterprise Risk Management (ERM) has been discussed as a tool to streamline the Port's risk management practices. ERM is an enterprise-wide effort, and as such it takes management commitment to successfully implement and reap full benefits. Internal Audit will continue to participate, while maintaining independence, in ERM discussions with management. Once ERM is fully implemented, Internal Audit will review the system to determine its effectiveness and efficiency.

Internal Audit reviews are planned and conducted based on risk (i.e., risk-based). No audit procedures are designed and applied without first considering the nature and extent of risk associated with the review subject. In line with the Committee direction, Internal Audit will expand the risk-based approach and integrate an element of ERM into its audits.

One of the unique aspects of the Port is that it is financed with public funds as a public entity although much of its activity is with the private sector.
As such, the Port has no shortage of compliance requirements from all levels of government based on public expectations. Simply stated, compliance risk associated with being a public entity (i.e., public accountability and legal compliance) will always be part of the Port's risk landscape. Given that, any ERM system the Port management ultimately implements will have to have an element to address accountability and legal compliance.

Much of the oversight on accountability at the Port is performed by the Washington State Auditor's Office through either annual accountability audits or scope-based performance audits. Internal Audit as a group has over 30 years of public entity audit experience in the state and understands very well the kinds of concerns the SAO would have in conducting these audits. Using that knowledge, Internal Audit will continue to provide assistance to management with respect to the SAO audit process while maintaining independence.

References

The auditing standards below provide guidance on the auditor's assessment of risk. Although these standards are more closely related to financial statement audits, their concepts and application are very much applicable to the process used in the A.R.A.P.

• SAS No. 104 – Amendment to SAS No. 1, Codification of Auditing Standards and Procedures ("Due Professional Care in the Performance of Work")
• SAS No. 105 – Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
• SAS No. 106 – Audit Evidence
• SAS No. 107 – Audit Risk and Materiality in Conducting an Audit
• SAS No. 108 – Planning and Supervision
• SAS No. 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
• SAS No. 110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
• SAS No. 111 – Amendment to Statement on Auditing Standards No. 30, Audit Sampling
• 2007 Yellow Book.
• SAS No. 99 – Superseded SAS 82, Consideration of Fraud in a Financial Statements Audit - defines fraud as an intentional act that results in a material misstatement in financial statements.
• Enterprise Risk Management – 2004 COSO Integrated Framework