Long Range Goals and Objectives: a proposal 
Proposal Elements 
1.  Discuss and assess the underlying basis risks in the Annual Risk Assessment Plan. 
2.  Decide, based on the kinds and rankings of risk, what the long-term priorities of the Audit
Committee need to be. 
3.  On the basis of the risks to be undertaken, rewrite and formally adopt the Long-Range
Goals and Objectives document as an operational guide over the next three-year period. 
4.  Review the resources of the Internal Audit Department to gauge whether they were able to
meet the goals set out in the Long-Range Goals and Objectives, and if necessary, request the
CEO provide budgeting needs going forward for those goals, either by augmenting Internal Audit
staff or by contracting with an external auditor. 
5.  Review the Audit Work Plan and Annual Risk Assessment Plan for 2012 to ensure they will
work to achieve the goals set out in the Long-Range Goals and Objectives document. 
6.  Bring the Audit Committee Charter into compliance with International Institute of Auditors
(IIA) standards. 
7.  As part of that, arrange for an external assessment to be conducted by a qualified,
independent reviewer or review team from outside the organization, in keeping with IIA
standards. 

1.  A review of the Annual Risk Assessment Plan for 2011 lists ten risk exposure elements at the
Port: 
Central Processing Systems 
Organizational Units: Internal Controls and Accountability 
Revenue (lease and concession) 
Federal Assistance 
Third Party Management 
Performance 
Financial Reporting/General Ledger 
ERM 
Special Investigations 
Capital Improvement Program 
The vast majority of the report focuses on the second and third of those elements: Organizational Units,
which are mainly departmental units and their accompanying internal controls, and Lease and
Concession Revenues. This is not surprising, given that most of the risk-based description
of these areas focuses on the overall size of the element, and these two areas cover the
largest financial units of the Port. The size is often expressed through a variety of indicators: operating
revenue, operating and other expenses, and payroll.
In several of these categories, there are breakdowns of sub-elements referred to as "nodes". In the
section on these sub-elements that follows, there are explanations that contain information such as the
type of operation, the size of the operation, and the type of risk associated with it. Most of the risks
specifically identified are internal control risk, though performance risk, accountability risk, and others
are mentioned. In some elements or sub-elements, prior or present and future audits are mentioned,
mostly in areas that can be construed as high risk.
What then follows is a section called "Summary of Risks," which contains 29 separate risks, and
associated factors, as well as an attempt to rate the likelihood of occurrence by high, moderate and low,
and the impact of the risk. This is then cross-referenced with the actual 2011 Audit Plan subsections. It
is not connected to any individual planned audits. 
Finally, a plan for auditing is presented, based on: 
"1) Risk as discussed in previous sections of this document and 
2) Available audit resources." 
The plan is divided into ten different areas, with different audits assigned to each area: 
System Audit (1) (Adequate controls) 
Department Operational Audit (3) (Adequate controls, crane agreement processes) 
Lease Compliance Audits (10) 
Rent-a-Car Audits (2) (Revenue) 
Third Party Management Contracts (1) 
Lost and Found Audit (1) (Adequate controls) 
Performance Audits (1) This seems to be actually an internal control audit. 
Continuous Monitoring (No audit, just monitoring.) 
Enterprise Risk Management (participation in management's ERM work) 
Follow-up of significant prior audit issues (1) 
Special Request (1) (Compliance audit) 
Some questions for possible consideration of the Audit Committee: 
Looking at this list, we can see that almost 50% of all audit work is focused on Lease Compliance
Audits, though it will probably be less than that in staff time. The report justifies this as follows: "To provide
adequate coverage for the biggest single source of revenue to the Port, Internal Audit continues
to maintain a level of presence and cycle audits in this area." Yet the report also notes that the
ten units chosen are small in size. Should this be the focus of this much work?

Most of the overall audits planned are either based on assessing adequate internal controls, or
revenue checking and recovery. Is this the desired framework for prioritization? 
Despite the categorization of risk in several different ways, there is no concrete connection
between risks stated and individual audits listed. Some of the 29 risks listed are attached to
specific audits, some are not. Most are referenced only by sub-headings, such as "2011
departmental and cross-functional audits." Should there be a more substantiated connection? 
The issue of risk itself seems largely to revolve around size of the unit, as a measure of risk, in
that losses of revenue are perceived correctly as a major risk. But if a system is under great and
continual review, does that not lower the risk? What other methods would be useful? What
other standards of risk should be looked at? 
The process for choosing which audits get done seems to revolve around five criteria: 
o  Perceived risk 
o  Available Audit resources, both qualitative and quantitative, to conduct audits. 
o  Management requests 
o  Audit Committee requests 
o  Audit cycle issues (how long ago was an audit done) 
So how are these competing and/or conflicting criteria fed into the decision process, and how
are audits chosen?
