Audit Committee LETTER 2008 Interim F
Port of Seattle 2008 Interim Fieldwork Results Presented to the Audit Committee on February 27, 2009 999 Third Avenue, Suite 2800 Seattle, WA 98104-4019 206-302-6500 BACKGROUND Generally-accepted auditing standards require that we consider the Port of Seattle's internal control over financial reporting (internal control) as a basis for designing our auditing procedures and for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Port's internal control. Additionally, OMB Circular A-133 requires we perform procedures to obtain an understanding of internal control over federal programs sufficient to plan the audit to support a low-assessed level of control risk for major programs. We use the Committee of Sponsoring Organization (COSO) framework when evaluating the Port's internal control. COSO Framework COSO defines internal control as a process, affected by an entity's board of directors (i.e., Port Commission), management, and other personnel, designed to provide reasonable assurance regarding the achievement of defined objectives. These objectives are: Effectiveness and efficiency of operations, which involves the organization's basic business objectives, performance and profitability goals and the safeguarding of resources. Reliability of financial reporting. Compliance with applicable laws and regulations. Components Internal control consists of five interrelated components. All five components are relevant and important to achieving the organization's objectives. The components are: Control Environment The core of any business is its people, their individual attributes, including integrity, ethical values and competence, and the environment in which they operate. The control environment is the foundation for all the other components as it provides structure to an organization. Risk Assessment The organization must be aware of and deal with the risks it faces. It must set objectives, integrating activities from all divisions, so that the organization is operating in concert. It also must establish mechanisms to identify analyze and manage the related risks. Control Activities Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks to achieve the organization's objectives are effectively carried out. 2 Information and Communication Surrounding these activities are information and communication systems. These enable the organization's people to capture and exchange the information needed to conduct, manage and control its operations. Monitoring The entire process must be monitored, and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant. In summary, the control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. Within this environment, management assesses risks to the achievement of specified objectives. Control activities are implemented to help ensure that management directives to address the risks are carried out. Meanwhile, relevant information is captured and communicated throughout the organization. The entire process is monitored and modified as conditions warrant. Internal controls only provide reasonable assurance to management and those charged with governance that the organization's objectives are being achieved. This is because as with any system that is operated by people, there are inherent limitations. These limitations include: the realities that human judgment in decision-making can be faulty; persons responsible for establishing controls need to consider their relative costs and benefits; and, breakdowns can occur because of human failures such as simple error or mistake. Additionally, controls can be circumvented by collusion of two or more people. Finally, management may have the ability to override the internal control system. We factor these limitations in the design and conduct of our internal control procedures. Enterprise Risk Management Enterprise Risk Management (ERM) framework is designed to achieve the following objectives: Strategic High-level goals, the organization's mission Operations Effective and efficient use of its resources Reporting Reliability of reporting Compliance Compliance with applicable laws and regulations The framework overlays two additional components in addition to those of COSO's internal control framework: Objective setting Management has a process in place to set objectives that are aligned with the entity's mission. Event identification Management is identifying risks and opportunities (both internal and external) in place affecting achievement of the entity's objective. While the focus of our procedures is with the five components of COSO, we believe that it is important to note that the COSO framework is an integral part of the ERM framework. Additionally, as the primary focus of the audit is to form an opinion of the fairness of presentation of the financial statements as well as audit and report on the administration of 3 federal awards both of which are part of the four ERM objectives mentioned above the results of our audit helps the Port understand the extent to which those objectives are met. OUR AUDIT APPROACH AND RESULTS Our firm follows a top-down approach when evaluating internal control from entity-level controls to controls that relate to specific financial statement assertions as follows: Obtain and assess the Port's entity-level controls including information technology environment and the effect on the internal control structure. (Control environment, information and communication, risk assessment) Identify significant accounts and processes. Obtain copies of system, policy, and procedure documentation from various departments. (Control activities, control environment) Obtain knowledge of design and implementation of controls relevant to financial statement assertions and compliance with laws and regulations that have direct and material effect on determination of financial statement amounts. (Control activities, monitoring) Perform tests of controls that relate to financial statement assertions and integrate with tests of controls and compliance related to the Port's federal awards. (Control activities) Entity-Level Controls We consider entity-level controls to be very important because they have a pervasive impact on all other specific controls and procedures. As such, we evaluate the effectiveness of entity-level controls first because if compromised, controls at the process or transaction level may not work even though they are well-designed and operate effectively. Some of the common entity-level controls at the Port include: Tone at the top Delegation of authority Policies and procedures Audit committee Internal audit The results of our testing enabled us to rely on the Port's entity-level controls. 4 Information Technology We review the Port's information technology environment in order to obtain an understanding of how the Port's information technology (IT) affects control activities that are relevant to the audit. When IT is used to initiate, authorize, record, process, and report transactions or data that is included in the financial statements, the system may include control related to the corresponding significant accounts or may be critical to the functioning of manual controls. IT control activities can be viewed in terms of general controls (ITGCs) and application controls. ITGCs are Port-wide policies and procedures that ensure the proper function and control of information technology. ITGCs include controls over data center and networks operations; system software acquisition, change, and maintenance; access security; and application system acquisition, development, and maintenance. ITGCs are important because they affect applications and data that becomes a part of the financial statements. We evaluate ITGCs using the five COSO components. For example we assess whether: Technology staff are competent and management provides support for technology staff. (Control environment) Technology conditions are stable. (Risk assessment) Sufficient controls exist to review performance. (Control activities) Roles and responsibilities are defined and communicated to IT staff. (Information and communication) Performance is tracked and the quality of IT controls is assessed. (Monitoring) Application controls apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. We test application controls in conjunction with financial statement controls. We placed special emphasis on the newly-implemented Marina Management System, ERP Gateway, and Clarity Budgeting System. Significant Accounts and Processes We review the Port's financial statements andassess which accounts and classes of transactions have a significant element of risk of material misstatement. We consider items such as susceptibility to error, complexity, volatility of recorded amounts, changes in the account balance or process, degree of subjectivity, compliance issues, etc., when determining the level of risk for each account or class of transaction. Underlying the significant accounts and classes of transactions are significant processes. 5 We've identified the following accounts and processes as significant to the Port: Administration of federal grants Treasury and investments Billings, cash receipts, and Debt and related accounts receivables Pollution remediation obligation Signatory Lease and Operating and contingencies Agreement Third party management Procurement, cash Financial close and reporting disbursements, and payables Budget Payroll Capital projects Assessing Design and Implementation of Internal Controls In order to obtain an understanding of the Port's internal control over these accounts and processes, we evaluate the design of controls and determine whether they have been implemented. The objective of performing an evaluation of the design of controls is to assess whether the controls are capable of preventing, detecting, or correcting misstatements. Assessing implementation is determining whether the controls are in place as designed. We consider the design and implementation of both manual and application controls or a combination of both. We assessed the design and implementation of controls for all the significant accounts and processes listed above. Walkthroughs In addition to assessing design and implementation of controls, we performed walkthroughs of certain processes, whereby we reviewed a few transactions within each system from beginning to end (i.e., cradle-to-grave method). Some of the walkthrough procedures we perform are reperforming the control, examining source documents, observing real-time application of the control, and performing corroborative interviews with Port personnel. Test of Controls After concluding on the design and implementation of controls, we determine which areas we want to perform tests of operating effectiveness of internal controls. We prefer testing internal control wherever possible so as to reduce the amount of substantive testing at final fieldwork. While internal control is a process, its effectiveness is a state or condition of the process at a point in time. To test for effectiveness, we look to ensure that the control achieves management's objectives, financial statements are prepared reliably, and that applicable laws and regulations are complied. Depending on the frequency of the control, we test a sample of two-to-twenty-five transactions for each instance of the controls. For example, for controls occurring annually and bearing low risk, we may select two instances whereas for daily controls we would select twentyfive instances of the control. We have obtained the intended level of reliance on internal controls as determined by our audit approach decision model. 6 Compliance Testing Major programs identified in 2008 are the Airport Improvement Program and Transportation Security Grant which, as of September 30, 2008, represented about $31 million or 91% of total federal expenditures at that date. We also performed test of controls and substantive testing of compliance for all direct and material compliance requirements. In March, we will perform additional testing for grant claims filed in the fourth quarter. Administrative requirements tested included the following: Allowable costs Period of availability Cash management Procurement Davis-Bacon Act Real property acquisition Equipment management Reporting Matching Special tests and provisions Passenger Facility Charge Program (PFC) In March, we will perform tests of internal control in conjunction with the audit of PFC cash receipts and disbursements. Results of Interim Procedures We obtained the planned level of reliance on internal controls. There were no material weaknesses identified as a result of our testing. There were no findings or instances of non-compliance noted in our tests of the controls governing federal awards. 7 AUDIT PROGRESS AUDIT SCHEDULE TIMING Audit Planning Meet with accounting staff to set up the year-end audit timeline, identify Completed and resolve pertinent issues, perform a risk assessment, and address any concerns of management or members of the audit committee or Port Commission. Provide management with a detailed comprehensive list of account Completed analyses and other materials to prepare prior to the start of the audit. Work closely with those involved in the audit process to clearly identify roles and responsibilities during the audit. Meet with the audit committee to provide an overview of the planned Completed scope and timing of the audit in our engagement service plan. Meet with Port management to discuss new Port transactions or Continuous activities and new or pending accounting and auditing guidance. Audit Fieldwork Perform interim field work to perform testing of the Port's internal Completed controls and to facilitate planning for year-end audit fieldwork. Test certain accounts such as revenue recognition, leases, environmental liabilities, and construction in progress. Perform procedures related to administration of federal awards in October December 2008 and accordance with Federal Circular OMB A-133. April 2009 Perform the year-end audit fieldwork of the Port's account balances February March 2009 (financial statement audits and testing of fourth-quarter data in Schedule of Federal Awards). Perform the audit on PFC receipts and expenditures and related internal April 2009 controls. Report Preparation Issue our opinion on the financial statements and schedule of Net On or before April 30, 2009 Revenues Available for Revenue Bond Debt Service. Issue Single Audit reports and PFC program audit report. On or before June 30, 2009 Issue the draft management letter of recommendations. On or before June 30, 2009 Meet with the Port Commission and management to present audit As requested results. 8
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.