Minutes

P.O. Box 1209
Seattle, Washington 98111
www.portseattle.org
206.787.3000


APPROVED MINUTES
AUDIT COMMITTEE SPECIAL MEETING AUGUST 11, 2015

The Port of Seattle Commission Audit Committee met in a special meeting Tuesday, August 11, 2015, in
the Commission Chambers at Pier 69, 2711 Alaskan Way, Seattle, Washington. Committee members
present included Commissioner Albro, Commissioner Creighton, and Christina Gehrke. Also present were
Ted Fick, Chief Executive Officer; Dan Thomas, Chief Financial Officer; Joyce Kirangi, Internal Audit
Department Director; Jack Hutchinson, Internal Audit Manager; Elizabeth Pyatt, Assistant Auditor,
Washington State Auditor's Office; Tammy Bigelow, Audit Manager, Washington State Auditor's Office;
Tony Samer, Managing Director, Protiviti; Sriram Rajagopal, Senior Manager, Protiviti; Ruth Riddle, Senior
Internal Auditor; Brian Nancekivell, Senior Internal Auditor; Lindsay Wolpa, Commission Issues and Policy
Manager; and Amy Dressler, Assistant Commission Clerk.

Call to Order:
The committee special meeting was called to order at 9:04 a.m. by Commissioner Creighton.

Approval of Audit Committee Meeting Minutes of May 7, 2015:
The minutes of the Audit Committee special meeting of May 7, 2015, were approved.

External Audit - Washington State Auditor's Office Entrance Conference:
The Committee received a presentation from Ms. Pyatt and Ms. Bigelow that contained the following
information:
• This accountability audit will determine whether there has been adequate safeguarding of public
resources and reasonable adherence to state law, regulations, policies, and procedures.
• Planning is still underway; therefore specific areas to be audited have not yet been determined.
• Auditors will be on site through mid-October.
• A date for the exit conference is to be determined.

Information Technology and Communications Audit - PeopleSoft Post-Upgrade Implementation:
The Committee received a presentation from Mr. Samer, Mr. Rajagopal, and Ms. Kirangi that included the
following information:
• The Information and Communications Technology (ICT) audits were outsourced to Protiviti as part
of the 2015 work plan. Outsourcing this type of audit is beneficial because outside firms
specializing in technology are better able to keep up with the rapid changes inherent to this field.
• Information technology audits examine risk in two environments: the environment specific to
technology, including controls such as user management, maintenance and upgrades, and
business continuity; and the environment involving management controls such as reviews and
separation of duties. Risk can be managed in either environment; a risk in the technology
environment could be mitigated with use of a manual control.
• The upgrade of the PeopleSoft Financials system from version 8.4 to 9.1 was a complicated project
bearing more resemblance to a complete reimplementation than a simple upgrade.
• The intent of this audit was to determine whether the upgrade achieved the implementation goals,
if the functional performance and outcome goals were met, to identify lessons learned, and to
gauge stakeholder reactions.
• Highlights of the implementation include a high level of satisfaction with the functionality of the
system; close collaboration between ICT, accounting, and consultants during the implementation;
successful planning and monitoring of the project budget; proactive engagement by senior
management regarding risks to the implementation; and exceptional planning documentation,
which represented best practices.
• A high level of risk was found related to administrative access to the system. Five members of the
Production Support team have administrative privileges, leading to a lack of traceability. This is a
known issue when PeopleSoft is used with MS-SQL, leaving the database vulnerable to
unauthorized changes that cannot be traced to an individual user.
  o Protiviti recommends implementing additional monitoring or business process controls to
mitigate this risk. Some suggested solutions, like a vaulted, frequently changed password,
have been implemented by other organizations that have identified this risk.
  o The management response from ICT expresses disagreement that this is a high-risk issue.
They discussed this known issue with Protiviti at the beginning of the assessment period.
Management believes that the Accounting & Financial Reporting (AFR) department's
process controls provide additional security, and that the five individuals with
administrative privileges are essential to the operation and maintenance of the financials
environment.
• A medium level of risk was found related to segregation of duties. Documentation and clarity
regarding definition of roles, with accompanying levels of access, should be improved. Processes
should be developed to review role definitions and remove redundant access privileges.

Concern was expressed about the difference of opinion between auditors and ICT management
regarding the high level of risk related to administrative access. The committee requested elaboration upon the
management response.

Peter Garlock, Chief Information Officer, and Matt Breed, Assistant Director, ICT Infrastructure, commented
on the response to this issue. Mr. Garlock reiterated that it has long been a known issue and they have
been looking for efficient ways to mitigate the risk. He stated that this project represented a much more
complicated data migration than a typical software upgrade. Any changes made through the application are
attributed to the individual who made them; it is only if someone with database rights makes changes
directly in the SQL database that those changes are unattributed. The number of system administrators
necessary to provide the appropriate level of expertise and coverage was carefully considered, and five
was the minimum number determined necessary. These five individuals have undergone FAA and FBI
background checks. Additionally, management controls are in place on AFR's end to ensure that the
financials balance. If an anomaly is detected, some examination of who has been working in the database
can be done. ICT continues to look at alternatives to mitigate this risk.

Commissioner Albro stated his opinion that the amount of capital managed by the Port is too great to
accept this risk, however unlikely, and urged ICT to continue looking for ways to solve this problem that do
not rely on the five individuals with administrative access. He pointed out that this makes those individuals
vulnerable to scrutiny and repercussions if something were to go wrong.

The committee requested further management examination of this matter, including a look at how other
public entities have addressed this problem, and an additional report at a later date.

Information Technology and Communications Audit - Data Center:
The Committee received a presentation from Mr. Samer, Mr. Rajagopal, and Ms. Kirangi that included the
following information:
• The object of this audit was to assess data center operations, determine whether adequate
controls are in place to mitigate risks, and to determine whether the data centers could act as
recovery centers in the event of a major disaster at one of the sites.
• Physical facilities were examined as well as processes.
• Areas of focus included power infrastructure, environment, physical security, backup and disaster
recovery planning, asset management, and logistical access.
• Protiviti's assessment was that staff is knowledgeable and well-trained, sites comply with best
design practices, backup-power systems are in place, and power supplies are tested regularly.
• Protiviti identified a few areas where improvements could be made:
  o ICT and Aviation have separate sets of processes and procedures, which can result in
inconsistent management of the data centers.
  o The physical locations of the data centers were not designed to house IT equipment and
could be vulnerable to disasters such as flooding.
  o The Scheidt Bachmann parking revenue backup procedures are insufficient because the
backup tape is stored in the same room as the system.
  o Aviation Maintenance should create a formal disaster recovery plan.

Limited Operational Audit - Aviation Division Manual Receipting Operations:
The Committee received a presentation from Ms. Riddle that included the following information:
• This audit reviewed information for the period of January 1, 2013, to December 21, 2014.
• The purpose of this audit was to determine whether Aviation division management controls are
adequate to ensure that manual receipts are complete, and that there has been compliance with
applicable legal requirements.
• Manual receipts account for about ten percent of the Port's revenue.
• There were no reportable findings.

Limited Operational Audit - Seaport Truck Scrappage and Replacements for Air in Puget Sound
(ScRAPS 2) Program Audit Termination:
The Committee received a presentation from Mr. Nancekivell that included the following information:
• The proposed objective of this audit was to assess management controls over program funds and
compliance in achieving desired program outcomes.
• During the planning and risk assessment phase, it was determined that risk is very low, and that
many areas the audit would cover have been recently examined by Moss Adams. This audit was
terminated.

Lease and Concession Audit - LSG Sky Chefs Inc.:
The Committee received a presentation from Mr. Hutchinson that included the following information:
• The purpose of this audit was to determine whether concession fees were complete, properly
calculated, and remitted in a timely manner, and to ensure that the Port and lessee complied with
provisions of the Lease and Concession Agreement, as amended.
• This audit reviewed information for the period of March 1, 2011, to February 28, 2014.
• There was one reportable finding: Sky Chefs did not provide the audit response in a timely manner.

Upcoming Request for Proposal, External Audit Firm:
The committee received a report from Ms. Kirangi that included the following information:
• The Port's contract with Moss Adams is up at the end of 2015. The next contract term will cover the
period of January 1, 2016, to December 31, 2020.
• The audit committee's charter indicates that it must provide a recommendation to the Commission
regarding a contract with an external auditor.
• A request for proposal will be presented for approval at the next Audit Committee meeting.

Adjournment:
There was no further business, and the special meeting adjourned at 10:35 a.m.

Tom Albro

Minutes approved: October 6, 2015.
