Internal Audit Report 


Limited Operational Audit 
Mobile Devices/Smartphones 
Current Practices 





Issue Date: June 7, 2011 
Report No. 2011-08

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 

Table of Contents 
Transmittal Letter ....................................................................................................... 3 
Executive Summary ................................................................................................... 4 
Background ................................................................................................................ 5 
Audit Objectives ......................................................................................................... 6 
Highlights and Accomplishments............................................................................. 6 
Audit Scope and Methodology .................................................................................. 7 
Conclusion .................................................................................................................. 8 
Schedule of Findings and Recommendations ......................................................... 9 









2

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 


Transmittal Letter 
We have completed an operational audit of Port mobile devices, includingsmartphones. The 
purpose of the audit was to determine if the Port is effectively managing its mobile devices. The
audit focused primarily on the controls over the 782 smartphones assigned to Port employees 
as of December 31, 2010. 
We conducted the audit using due professional care. We planned and performed the audit to
obtain reasonable assurance that the risks associated with mobile devices were sufficiently
mitigated. 
Management has the primary responsibility to establish and implement effective controls over
the proper use, monitoring, and justification of mobile devices. Our audit objective was to
examine and test those controls in order to establish whether the controls were adequate and
operating effectively. 
Based on our audit, Port management has established adequate and effective controls related
to negotiated rate structures with its mobile device service providers. We also found no
productivity concerns caused by the personal use of mobile devices. However, we noted a
weakness in management monitoring. 
We extend our appreciation to management and staff for their assistance and cooperation
during the audit. 

Joyce Kirangi, CPA 
Director, Internal Audit 






3

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 
Executive Summary 

Audit Scope and Objective  The purpose of the audit was to determine if the Port is
effectively managing mobile devices. Specifically, whether management: 
1.  Provides sufficient, complete, and clear policy directives and governance on proper
mobile device usage. 
2.  Monitors usage adequately to ensure that Port issued mobile devices are utilized for the
intended productivity benefits. 
3.  Has implemented adequate controls over usage levels and negotiated rate structures to
ensure the best economic interest of the Port. 
The scope of the audit included current Port practices, including billings and usage data from
2010. 
Background The Port provides mobile devices such as smartphones, air cards, radio
transmitters, and pagers to its employees. The business purposes for these devices include
facilitating communication when employees are working remotely, in field operations and/or
away from their desks. 
Mobile devices extend various capabilities to Port employees, including email, contact
information and internet access. Mobile devices are receiving more attention as technological
advancement shifts from desktop computers and cellphones to smartphones and tablet
computers amid increasing reliance on mobile applications. 
The ICT department performs reviews of smartphone usage to ensure that billing plans are
properly established. The Port is on shared-minute plans with three vendor providers - Verizon,
Sprint, and AT&T. When an employee exceeds their monthly allotment of minutes, additional
minutes are pooled from the Port's total available minutes.
The  Port has approximately 800 smartphones assigned to its employees, and incurs
approximately $ 580,000 annually for services related to the smartphone plans. 
Audit Result Summary  Management has implemented adequate controls to ensure the
best economic interest of the Port in negotiated rates. We also found no productivity concerns
caused by personal use of mobile devices. However, we noted that there is no formalized
process to monitor mobile device usage at the department level. Although management has a
number of mobile devices policies, it has not clearly defined "incidental personal use" in its
policies. The lack of a clear definition has contributed to various individual interpretations and
inconsistent management monitoring practices. 


4

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 
Background 
Individual departments are responsible for justifying and approving the issuance of
smartphones.  ICT's Administrative Team is responsible for establishing, monitoring, and
maintaining agreements with the service providers. Specifically, ICT's responsibilities include: 
Placing orders for devices and service-related requests upon requesting management
approval. 
Issuing mobile devices to Port employees. 
Conducting periodic inventories. 
Reviewing monthly usage to ensure Port plan limits are not exceeded. 
Coordinating with State agencies for the disposal of outdated or damaged devices. 
Smartphones, tablet computers, and other mobile devices have become indispensable tools for
today's highly mobile workforce. Such small and relatively inexpensive devices can be used for
many functions, including sending and receiving electronic mail, storing documents, delivering
presentations, and remotely accessing data. The Port started providing mobile devices in the
early 1990's, primarilyto Fire and Police Department staff. Since then, the issuance has been
steadily increasing and stabilized to approximately 800 smartphones in 2010.
Many of the Port operating units, especially at the airport, operate in a 24/7 environment which
requires staff to be on-call or otherwise available. This Port environment is unique in
comparison to most other governmental and municipal entities. 
Financial Highlights: 
As of December 31, 2010, there were 780+ smartphones and 200+ air card mobile devices in
use by Port employees. During calendar year 2010, the Port paid the following amounts to the
three vendors who provide mobile device services to the Port: 
Device 
2010 Expenditures 
Count 
Cost of 
Cost of 
Cost of    Smartphone
Smart    Air                       Annual Air
Vendor               Smartphone   Monthly              Total Costs 
phones  Cards                       Card
Devices     Service 
Charges 
Plans 
AT&T     563    -     32,590     461,745       -       494,335 
Verizon     113    144     15,119      57,352      74,287       146,758 
Nextel/Sprint    106     63      10,314       62,197       30,240       102,751 
Total       782     207    $ 58,022     $ 581,294   $ 104,527   $ 743,844 



5

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 

Current mobile device offerings on average include: 
Device Cost 
Device Type 
Plan Cost 
PDA, Smartphone, or Blackberry- an electronic device which  $100-$600 ea. 
includes some of the functions of a computer and a        $50-$150 per Month 
cellphone. 
Standard Cellphone  short-range, portable electronic device  $0-$350 ea. 
used for mobile voice communication over a network of      $20-$50 per Month 
specialized cell sites. 
EVDO Card (Evolution Data Optimized, know as Air Cards at  $0-$110 ea. 
the Port)  Card that connects to the wireless network to
allow users to connect online.                        $40-43 per Month 
Tablet Computers, notably iPads                    $300-$600 ea. 
$45 Wi-Fi costs per
Month 
Audit Objectives 
The purpose of the audit was to determine if the Port is effectively managing mobile devices. 
Specifically, whether management: 
1.  Provides sufficient, complete, and clear policy directives and governance on proper
mobile device usage. 
2.  Monitors usage adequately to ensure that Port issued smartphones are utilized for the
intended productivity benefits. 
3.  Has implemented adequate controls over usage levels and negotiated rate structures to
ensure the best economic interest of the Port. 
We reviewed current Port practices based on billings and usage data from 2010. 
Highlights and Accomplishments 
During the review, we observed efficient and effective management controls in the following
areas: 
ICT's periodic reviews of the market environment and the level of device usage has 
ensured that the Port receives best service bundles at a reasonable cost. 
ICT Administration meets with the service providers quarterly to review current plans and
proactively discuss any plan changes. 
When appropriate, ICT prepares a cost-benefit analysis to determine potential plan
savings. For instance, changes to the AT&T plan in 2010 included unlimited text and
data which resulted in overall cost savings of $53,474. 

6

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 
ICT Administration Team has been prudent in its responsibilities to manage rate
structures in the best economic interest of the Port. Below is a declining trend graph of
telecommunications expenses for the past three years. 
1,000,000
800,000                            VERIZON WIRELESS
600,000
NEXTEL WEST CORP
400,000
AT&T
200,000
0
2008     2009     2010
Source: PeopleSoft (accounts 66500, 66510, and 66550) 
Audit Scope and Methodology 
We conducted the audit to determine whether management controls surrounding mobile device
usage is adequate to provide reasonable assurance of effective operations and compliance with
Port policy/procedure. We excluded from our analysis tablet computers, air cards, radios and
data usage due to the complexities in obtaining complete and relevant data. Our audit examined
current practices and existing policies. Our work was conducted at various locations throughout
the Port and involved test work and interviews of all Port divisions. 
Our approach to the audit was risk-based from planning to test sampling. We reviewed and
assessed risks associated with processes, policies, and other procedures that have been
established to effectively manage the Port's mobile devices. The established processes cover
all phases, from the initial service request, to mobile device distribution, monitoring, and plan
negotiation. As part of the audit, we visited many business units across the Port and evaluated
whether the established controls were carried out as intended. 
We applied additional detailed audit procedures to areas with the highest likelihood of significant
negative impact. We considered the nature of the activity and evaluated it within the context of
our audit objectives. Our consideration included control (both manual and system driven)
assessment and control testing, as necessary. 
Our additional detailed audit procedures can be grouped and summarized into policy
compliance, management monitoring, and rate negotiation. We approached each audit area
with the following methodology: 
1.  Policy Compliance 
In order to determine whether management has provided sufficient, complete and clear policy
directives and governance on proper mobile device usage, we first evaluated current Port
policies, procedures, and practices. These included policies in the Port's Code of Conduct and
personnel policies. In our evaluation, we considered mobile device policies of other
governmental agencies including, but not limited to, the City of Seattle and the Port of Tacoma,
as well as published guidance from the Washington State Auditor's office.
7

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 
Additionally, we reviewed other regulations, industry guidelines, and publications such as the
Federal Labor Standards Act (FLSA) and 2011 technology initiatives survey by American
Institute of Certified Public Accountants (AICPA) to identify potential policy gaps. In the context
of the audit, policy gaps refer to concerns in mobile device areas that the current policies do not
expressly address. The gaps naturally emerge as existing policies become incrementally
outdated primarily due to evolving operating environments and/or technologies. Our reviews
were intended to capture such potential gaps. 
We interviewed 33 staff and managers throughout the Port and inquired about their familiarity
with Port policies and procedures regarding the appropriate use of Port issued devices and
what, if any, additional guidance would be helpful. We also interviewed 18 managers to assess
the extent of their monitoring of smartphone usage for non-exempt employees. 
Our selections of managers and device users for interviews were based on non-productivity
testing samples, as described below. 
2.  Monitoring of Productivity relating to Mobile Device Usage 
To determine whether management monitors smartphone usage adequately to ensure intended
productivity benefits, we utilized 2010 AT&T call data which was readily available in electronic
form. The company accounted for over 70% of mobile devices as of 12/31/2010. 
We reviewed approximately 14,000 calls to/from Port issued smartphones in 2010 to identify
non-business-related phone calls. Our approach included isolating numbers with the highest
likelihood of being non-business related and analyzed calls to/from those numbers Monday
through Friday. The isolation involved examining weekend calls and excluding Port internal
numbers and 24/7 operations. We reviewed calls to/from resulting phone numbers to obtain the
extent of non-business calls during weekdays. 
We excluded from our analysis tablet computers, air cards, radios and data use due to the
complexities in obtaining complete and accurate data. 
3.  Provider Rate Structures 
In order to ensure that the Port is obtaining the most economical and beneficial plan rates 
available, we conducted a number of interviews and reviewed relevant cost benefit analyses
prepared by ICT Administration. To confirm anticipated cost savings, we conducted independent
test work to determine if the savings were realized. 
Conclusion 
Management has implemented adequate controls to ensure the best economic interest of the
Port in negotiated rates. We also found no productivity concerns caused by personal use of
mobile devices. However, we noted that there is no formalized process to monitor mobile device
usage at the department level. Although management has a number of mobile devices policies,
it has not clearly defined "incidental personal use" in its policies. The lack of a clear definition
has contributed to various individual interpretations and inconsistent management monitoring 
practices. 
8

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 
Schedule of Findings and Recommendations 
1.  Inadequate Management Controls and Unclear Policy Regarding Smartphone Usage 
We reviewed the current controls over mobile device/smartphones purchases, usage, and
issuance. We noted the following weaknesses. 
a.  Management Monitoring 
The current Port policy does not specifically identify the parameters for allowable nonbusiness
use of smartphones, as recommended by the State Auditor's Office. The Port
policy simply states that personal use is to be incidental, but it does not provide a workable
definition of the parameters allowed. In practice, the incidental use appears to be defined
such that unless the Port incurs additional financial resources for minutes above and beyond
negotiated pooled minutes, personal usage is considered incidental. 
We interviewed 33 staff and managers throughout the Port to assess their understanding of
the current mobile device policies. The interview results indicated that all were familiar with
the Port policies and procedures, and that the current policies are helpful in defining high
level expectations (i.e., limited non-business use). However, 50% of those interviewed
believed that the policies and guidance is not clear. Specifically, "incidental personal use" is
not clearly defined. 
The lack of a clear definition of "incidental personal use" has contributed to minimal
management monitoring of mobile device usage at the department level. Although our audit
procedures found no productivity concerns stemming from personal use of smartphones, we
found the current system of monitoring to be inadequate. 
For example, the current management monitoring does not effectively address the following
risks: 
Non-exempt employee compensation for hours spent on smartphones while working
on Port related business, outside the normal working hours. 
The likelihood of assigning unnecessary smartphones to employees with no business
needs. 
High smartphone usage and its potential impact on employee productivity. 
b.  Business Justification for Smartphone 
Individual departments are responsible for justifying and approving the issuance of
smartphones to their employees (exempt or non-except). Departments submit a request to
ICT via an online Service Request. Upon receipt of the approved request, ICT processes 
and delivers devices. 
We observed that the current system does not document business justification by the
requesting department. While such documentation would help substantiate the need for
each employee to have a mobile device, the importance of the justification is escalated with
9

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 
non-exempt employees, who are less likely to need their mobile device outside of their
normal work hours. We sampled 20 smartphones issued to non-exempt employees and
conducted a test to assess the extent of whether a smartphone was necessary for the
employee's current job responsibilities. The results indicated thatapproximately 15% of the
test population had job responsibilities with a less than clear business reason for a
smartphone. 
Given the extent of smartphones in use, monitoring of the usage is necessary as a sound
organizational practice to promote intended effectiveness or productivity gains. Additionally,
effective monitoring could result in a cost savings through the reduction of the total
necessary pooled minutes. 
Recommendation 
We recommend management establish controls to: 
Refine policies related to "incidental personal use" and provide workable parameters/
guidance that can promote better monitoring. 
Monitor smartphone usage and assess potential impacts. 
Document business justification for smartphone acquisition especially for the nonexempt
employees. 

Management Response 
1. Refine policies related to "incidental personal use" and provide workable parameters/
guidance that can promote better monitoring. 
The ICT Department has taken a proactive approach to keep the costs of mobile
technologies as low as possible for the Port's 24/7 operations. Our current smart phone
plans provide unlimited data, free evening, weekend and mobile to mobile minutes, and
pooled calling minutes on weekdays. Because of these plans, incidental personal use by
employees typically results in no additional cost to the Port. 
Management agrees that policies related to "incidental personal use" need to be clarified.
Current Port policies governing the appropriate use of Port resources, including mobile
device usage, are located in the Code of Conduct (CC-1; CC-7). These policies are currently
under revision. The revision process began in Q2 2010, when the Workplace Responsibility
(WR) Officer convened a cross-department work group to clarify expectations regarding
appropriate non-business use. To inform this effort, the WR Officer also facilitated a series
of employee focus groups discussions to solicit input. Research on the appropriate use
policies of other governmental agencies and federal tax law implications was also
conducted. The revision process was placed on hold pending completion of this audit. With
the audit's conclusion, the WR Officer will facilitate completion of the revision process. The
cross-department work group will work with the Information and Communications
Technology (ICT) Governance Board to finalize a revised policy on appropriate use of Port
resources, including appropriate non-business use of mobile devices, in Q3 2011, and it will
10

Internal Audit Report 
Mobile Devices/Smartphones Operational Audit 
Current Practices 
be included in a revised version of the Code of Conduct that all Port employees will be
required to read and sign in Q4. 
In addition to clarifying appropriate personal use, management (led by the Human
Resources and Legal Departments) will work to establish guidelines for managers that 
clearly identify responsibilities for monitoring the use of Port equipment by non-exempt staff
to avoid potential compensation issues under to the Federal Labor Standards Act. 
2.  Monitor smartphone usage and assess potential impacts. 
Currently, ICT distributes all mobile device bills to Departments for user and manager
review. We believe managers are in the best position to determine what usage is
appropriate for their staff based upon their job responsibilities. While some employees have
very large usage driven by their job responsibilities others may have only minimal usage, but
get occasional calls or emails that are extremely important and fully justify the expense of
the mobile device. 
Once clearer policies and guidelines for personal use and tracking non-exempt employee
use are provided, the ICT Governance Board will clarify guidance to managers on mobile
device monitoring and evaluate opportunities to enhance current processes for distributing
and analyzing mobile device usage information. 
3.  Document business justification for smartphone acquisition especially for the nonexempt
employees 
Manager approval is currently required for all mobile device acquisitions. We believe
managers are best able to match mobility requirements with their employee's job
responsibilities. 
The ICT Governance Board will review the use of smart phones by non-exempt employees
and will evaluate the benefits versus the costs of requiring formal business justification
documentation for mobile devices. 







11