Risk Asses and Work Plan

Annual Risk Assessment Plan 
(A.R.A.P)
By
Port of Seattle
Internal Audit


January 1, 2009 through December 31, 2009



Issue Date: XXXX

                                                Annual Risk Assessment Plan
January 1, 2009 – December 31, 2009

Table of Contents

INTERNAL AUDIT PROFILE
EXECUTIVE SUMMARY
RISK ANALYSIS APPROACH AND METHODOLOGY
    Overall Risk Elements at the Port
    Risk Assessment Elements
PRIOR AUDIT HIGHLIGHTS
    Port-wide Audits
    Corporate Services Division
    Real Estate Division
    Airport Division
    Seaport Division
CONTROL ENVIRONMENT
    Port-wide Control Environment
    Information/Communication/Control Activities
    Compliance Environment
    Risk Assessments
    Emerging Changes/Issues
RISK ASSESSMENT AND IDENTIFICATION
    1. Central Processing Systems
    2. Organizational (e.g., department) Control Reviews
    3. Revenue (lease and concession)
    4. Federal Assistance
    5. 3rd Party Management Contracts
    6. Performance
    7. Financial Reporting/General Ledger
    8. Enterprise Risk Management (ERM)
    9. Special Investigation and other Requests
    10. Capital Improvement Program (CIP)
SUMMARY OF RISK
RISK ASSURANCE
    2009 Projected Audit Coverage
    Carryover Audits from Fiscal Year 2008
    Performance Audits
    Systems Audits
    Department Internal Control Reviews
    Lease Compliance Audits
    The Way Forward
REFERENCES



Internal Audit Profile
The Port of Seattle (Port) Internal Audit department was established in 2002 in the Accounting and
Procurement Services Department. Effective January 2008, Internal Audit has a dual reporting
responsibility to the Chief Executive Director and to the Audit Committee. The department was initially
staffed by one person until August of 2006 when a second auditor was hired.  The department is
currently staffed as follows:
Internal Audit Staff:
Joyce Kirangi, CPA, – Audit Manager – Joyce is a Certified Public Accountant (CPA) with over 20
years of audit experience. She joined the Port in 2002 and has managed the Internal Audit team since
then. One of her primary duties last year was to expand the Internal Audit team, recruit, and hire current
staff. Prior to joining the Port, Joyce worked for the Washington State Auditor’s Office (SAO) for 17
years. She has led and managed the largest local government audits in the State of Washington,
including King County, Pierce County, Spokane County, City of Seattle, and City of Tacoma. In her last
position with the SAO, Joyce was the Regional Audit Manager for the Pierce County and Southern King
County region. She oversaw all local government audits in that region and managed a team of over 20
professional auditors. She specializes in local government audits.
Jack Hutchinson, CPA, CIA, – Senior Auditor – Jack is a Certified Public Accountant (CPA), a
Certified Internal Auditor (CIA), and has 10-plus years of accounting and auditing experience. He
joined the Port in August of 2006 and has conducted a variety of audits including compliance, internal
control, and operational audits. Prior to joining the Port, Jack was a Finance Director for the City of
Fircrest, in Pierce County. Before that, he was an auditor with the Washington State Auditor’s Office
(SAO) where he worked for 4 years. Additionally, Jack has experience in accounting and financial
reporting at a biopharmaceutical company and a Native American-owned and -operated casino.
Andrew Medina, CPA, CFE, – Senior Auditor – Andrew is a Certified Public Accountant (CPA), a
Certified Fraud Examiner (CFE), and has over 15 years of audit experience. He joined the Port in
December of 2007. Prior to joining the Port, Andrew was an internal auditor for the Clark County School
District in Las Vegas, Nevada. He spent five years managing and conducting financial, operational, and
compliance audits of the Nation’s fifth largest school district. As a Certified Fraud Examiner,
Andrew was the department's fraud specialist, responsible for conducting the majority of the
District’s fraud investigations, as well as providing training to management and staff on fraud
awareness and prevention. Prior to joining the Clark County School District, Andrew was a senior
auditor with the State of Nevada Gaming Control Board. For 10 years Andrew helped regulate the
casino industry by managing and conducting compliance, money laundering, and financial audits of
Nevada’s largest casinos.
Mike Bosley, CPA – Senior Auditor – Mike is a Certified Public Accountant (CPA), and has over 15
years of accounting and audit experience. He joined the Port in September of 2008. Prior to joining the
Port, he served as a senior internal auditor for Providence Health System in the Seattle area. He spent
4 years managing and conducting financial, operational, and compliance audits of Providence’s
hospitals and health care services. Mike also worked as a senior auditor for the Washington State
Office of the Insurance Commissioner.  Mike started his career auditing closely held corporations and
partnerships for the Internal Revenue Service and also was the Regional Coordinator of the Volunteer
Income Tax Assistance Program.  Mike is a graduate of the University of Washington.

Margaret Songtantaruk – Auditor – Margaret joined the Port in October of 2006. She has over 20
years of accounting and auditing experience in private and public agencies. Since joining the Port, she
has conducted a variety of audits including compliance, internal control, operational, and federal grants.
Prior to joining the Port, Margaret was an auditor with the Washington State Auditor’s Office (SAO) for 4
years where she conducted audits of local governments including the City of Seattle, City of Bellevue,
City of Auburn, City of Renton, Washington State Convention Center, Bellevue Convention Center
(Meydenbauer Center), Bellevue School District, and Valley Communications Center Authority, etc. In
her past experience, Margaret also served as a controller for various companies including Pacific
Frontier, Inc., Evergreen Technologies, Inc., Unisea Foods, Inc., and Advanced Wireless Solutions, Inc.
Juanita Labosier, CPA, – Auditor – Juanita is a Certified Public Accountant (CPA) with over 20 years
of accounting and auditing experience. She joined the Port January 2008 and most recently served as
an auditor with the Washington State Office of the Insurance Commissioner where she worked for 5
years conducting financial, operational, and regulatory audits of insurance companies. She has over 15
years of experience as a financial analyst in the medical profession, including 5 years as a financial
analyst with Premera Blue Cross. Juanita has also served as the president of the Washington Society
of Certified Public Accountants (WSCPAs) – Seattle Chapter.
Bill Fovargue, CFSA – Auditor – Bill held several senior-level audit positions with the State of
Washington, Fortune 100 companies and professional consulting firms before joining the Port in
September 2008. Prior auditing engagements included a broad spectrum of audit activities within the
Banking, State Government, Aerospace, Energy and Software Manufacturing industries. Bill achieved
the Certified Financial Services Auditor designation from the Institute of Internal Auditors (IIA) and has
been a member of the Puget Sound Chapter of the IIA for 20 years. He is a graduate of the University
of Washington. Bill is also a certified process improvement facilitator.
The team as a whole has well over 50 years of experience in many auditing disciplines, including
but not limited to financial, internal control, accountability, compliance, and fraud audits. The team is
sufficiently certified and conducts all audits based on applicable best practices of the profession.






Executive Summary
The annual risk assessment plan (A.R.A.P) is an effort by the Internal Audit team to identify Port-wide
activities that could negatively impact organizational goals and objectives. It is a forward-looking
document based on past performances through a risk prism.
The Port is complex and decentralized, and operates in an ever-changing environment. Its operations
encompass a wide spectrum of enterprise activity ranging from international trade to capital
infrastructure improvements. A significant part of the Port’s core businesses is sensitive not only to
the economic forces of the region and the nation, but also to global economic climates. Moreover, the
Port is faced with ever-increasing competition from neighboring seaports and airports in
attracting/retaining container business and airlines. Economic sensitivity and competitive forces change
the risk outlook frequently and pose business and operational challenges to the Port.
To consider risk fully and in a timely manner, Internal Audit has implemented a process of risk
assessment. The assessment is an annual process based on risk, but it is continuously updated and
adjusted as necessary throughout the year. The assessment is built on a balanced review of quantitative
and qualitative aspects of each risk. The fact that an area or operation is identified as high risk does not
necessarily mean that there have been negative results. Rather, there is a possibility of negative
results.
Internal Audit in the past twelve months has conducted numerous audits throughout the Port, which are
identified in a subsequent section of this document. The audits identified a number of opportunities to
improve existing management controls, and the audit reports have recommended ways to
realize the improvements.
Internal Audit risk assessment has identified the following areas for review in 2009:
1)  Performance Audit.
2)  Accounts Payable and Payroll as central processing systems reviews.
3)  Lease and Concession including Rent-A-Car audits.
4)  Department Internal Control reviews
Starting in 2009, Internal Audit will integrate into individual audits elements of performance and
Enterprise Risk Management (ERM). Our audit focus will be on operational effectiveness – i.e., how
effective Port management has been in achieving its objectives in departmental operations or lease
management.
We extend our appreciation to senior management for its continuing support for Internal Audit.

Joyce Kirangi, CPA
Internal Audit Manager


Risk Analysis Approach and Methodology
Risk analysis includes: (1) risk assessment and (2) risk management. Risk assessment is a method of
identifying and measuring risks, and risk management is taking appropriate action to minimize risk. The
key to risk assessment is the identification of threats and opportunities. Risk is the potential for negative
results – i.e., less than expected results. The results of negative risks are not desired and therefore the
objective of risk management should be to mitigate those risks.
The following is Internal Audit’s attempt to identify risks that face the Port. We will thereafter measure
the risks and establish a plan on how to examine the effectiveness and efficiency of risk mitigation by
management.
The Internal Audit team conducts a risk analysis annually and updates the assessment as necessary
based on a two-prong approach. The first approach to Internal Audit’s risk assessment is intense data
analysis (data mining) which is largely quantitative in nature. Internal Audit has been granted access to
various systems including the Port’s major financial system, PeopleSoft. Using data from various
sources, Internal Audit is able to navigate the Port’s data landscape and summarize the data into
cohesive auditable units. Individual units are systematically analyzed to identify risks.
The second approach to the Internal Audit risk assessment is based on prior audit experience and
professional judgments, also known as qualitative risk assessment. Prior audit issues are reviewed in
conjunction with management responses to gauge post-audit risk. Known and potential business
environment changes are considered, as well as inherent risk factors such as Port complexity, a
decentralized environment, new operations, staff turnover, and public expectations. We prefer to think
of risk in qualitative terms rather than quantitative terms.
In the final analysis, risk results are combined and analyzed as a whole. Cost-benefit, risk level, and
economics of available audit resources are fully considered to establish audit priorities and plans for the
upcoming year. The risks that are likely to create the most negative impact to the Port in the coming
year are on the top of the priority list and will be addressed first.
In addition to the list of audits to be performed based on the overall risk analysis, Internal Audit plans to
conduct at least one systems audit annually. System in this context means any process (both functional
and administrative) common to all units across the organization. Examples of such systems include
payroll, accounts payable, purchasing and procurement, etc. System audits are designed: 1) to identify
material system weaknesses that could compromise the system and, if not corrected, could develop
into a significant operation/compliance risk to the Port, and 2) to assess effectiveness of management
monitoring controls.
Internal Audit’s 2009 risk assessment is based on the following ten (10) risk exposure elements. This is
a logical grouping mechanism for all significant risks the Port faces. The grouping is cross functional in
nature and entity wide. As such, it does not readily lend itself to the audit process as a whole. To be
able to audit Port operations for these elements, they are analyzed in-depth and translated into
auditable units to which audit procedures can be applied.
It should be noted that the risk elements are reviewed throughout the year to reflect environment
changes, and if risks associated with the changes are considered significant, the work plan may be
modified.

Overall Risk Elements at the Port 
The elements below are not numbered in any particular order of importance.
1.  Central Processing Systems
    i.  Processing systems common to all units across the Port.
    ii.  Auditable Units – accounts payable, payroll, procurement, etc.
    iii.  Risk
        • Noncompliance with applicable federal, state, and local rules and regulations (payroll tax,
          retail tax, deposit requirements, etc.).
        • Inadequate controls to ensure 1) minimum accountability controls and 2) consistent and
          accurate processing.
2.  Organizational Unit (e.g., departments) Internal Controls & Accountability
    i.  Controls and accountability units do not necessarily equate to departments.
    ii.  Auditable Units – recreation boating, commercial fishing (includes multiple departments),
         aviation maintenance, etc.
    iii.  Risk
        • Noncompliance with applicable state and local (including the Port) rules and regulations.
        • Lack of controls and accountability regarding safeguarding of public assets.
3.  Revenue (lease and concession)
    i.  Lease and concession agreements in exchange for the use of Port property.
    ii.  Auditable Units – individual agreements (outdoor advertising, in-flight kitchen, rental cars, etc.).
    iii.  Risk
        • Unrealized revenue due to below market rent and concession.
        • Loss of cash flow (late payments and associated penalties) due to untimely reconciliation.
        • Absence of the audit clause to adequately protect Port interest.
4.  Federal Assistance
    i.  Federal grants to finance operation and construction.
    ii.  Auditable Units – individual grants (TSA, FAA, etc.).
    iii.  Risk
        • Loss of funding.
        • Financial loss, if repayment is ordered due to questioned costs.
5.  3rd Party Management
    i.  Service contracts to manage Port property or operations as an extension of the Port for a fee.
    ii.  Auditable Units – individual service contracts.
    iii.  Risk
        • Noncompliance with applicable state rules and regulations.
        • Funding of for-profit activity with public funds.
6.  Performance
    i.  Efficient and effective use of Port resources as input in the achievement of objectives as output
        and outcome (measured against widely accepted applicable benchmarks).
    ii.  Auditable Units – individual performance questions regarding output and outcome (e.g., does
         the Port contribute to the economic vitality in the region?).
    iii.  Risk
        • Inefficient use of resources.
        • Insufficient output.
        • Outcome not achieved.
7.  Financial Reporting/General Ledger
    i.  Accurate and timely financial reporting of operations.
    ii.  Auditable Units – Annual Financial Statements (CAFR) and individual ledger accounts.
    iii.  Risk
        • Material errors in the statements.
        • Misinformed decisions based on inaccurate financial information.
8.  Enterprise Risk Management (ERM)
    i.  Consistent and concerted efforts to identify and address risk entity wide.
    ii.  Auditable Units – ERM process as a whole.
    iii.  Risk
        • Not having an ERM system to strategically address risks.
            a.  Risks go unmitigated
            b.  Opportunities lost
9.  Special Investigations
    i.  Investigations resulting from the Fraud hotline and reporting of known and suspected loss of
        public funds to the State Auditor’s Office (SAO).
    ii.  Auditable Units – individual investigations.
    iii.  Risk
        • Not timely investigated (loss of an opportunity to establish accountability).
        • Continuation of inappropriate behavior.
        • Loss of public funds.
10. Capital Improvement Program
    i.  Construction.
    ii.  Auditable Units – individual CIPs.
    iii.  Risk
        • Mismanagement of construction
        • Misuse/abuse of resources
        • Incorrect capitalization
Subsequent to the identification of auditable units, units are assessed individually based on the
following four (4) distinct yet interrelated risk factor categories to gauge the likelihood and extent of
potential negative impact. A work plan for the upcoming year is an end product of the risk factor
assessment.


Risk Assessment Elements 

1.  Inherent Elements
    • Nature of the operation, transaction flow, or systems
        1.  Naturally sophisticated/complex?
        2.  Labor intensive?
        3.  Heavily regulated?
        4.  Sensitivity to economic forces?
        5.  Organized Labor?
        6.  Likelihood of federal financing?
    • Information Systems
        1.  OTC (Over The Counter) or internally developed?
        2.  Number of systems in use?
        3.  Critical to the operation (i.e., degree of dependency)?
        4.  Outdated?
        5.  Exception Reports?
        6.  Reporting Module vs. Canned Reports
2.  Internal Control Elements
    • Controls
        1.  Tone at the top?
        2.  Material changes in management?
        3.  Recently re-organized, re-aligned, etc.?
        4.  Documented policy/procedure?
        5.  Communication (e.g., staff/management meetings)?
        6.  Monitoring (e.g., reports, meetings, reviews, etc.)?
    • Prior audits
        1.  By whom?
        2.  The scope?
        3.  Number of audit issues?
        4.  Quality of management response?
        5.  Follow-up (CAP) implemented?
    • Risk assessment?
        1.  Risk appetite?
        2.  Control Self-Assessment performed?
3.  Performance Elements
    • Performance Efforts
        1.  Performance measures implemented?
        2.  Periodic/Regular Benchmarking?
        3.  Performance reporting?
    • Service Output
        1.  Compiled?
        2.  Measured against benchmarks?
        3.  Reported?
4.  Compliance Elements
    Includes both 1) requirements to which the Port is subject (i.e., federal, state and local) and
    2) requirements to which the Port subjects third parties.
    • Revenue/Funding
        1.  Revenue/Funding at risk, if found to be in noncompliance?
        2.  At-risk amount material?
    • Contractual obligations (lease, concession, services, construction, etc.)
        1.  Port interest adequately protected?
        2.  Overly favorable to the third party?
        3.  Timely reviewed and amended, if necessary?













Prior Audit Highlights
In 2008, Internal Audit conducted a number of operational and compliance audits involving all divisions
of the Port.
The following is a list of audits conducted in 2008. Detailed information, including management responses
on individual audits, is available in the referenced audit report. Not included in the list are narrowly
scoped engagements to review a particular transaction flow or a specific agreement. The results of such
reviews have been reported in memoranda addressed to the requester of the review.
Port-wide Audits 

• Two (2) Special Investigations

Corporate Services Division 
• Procurement Systems Audit which included the following areas
o  Major Construction
o  Small Works
o  Professional/Personal Services Agreements
o  Open-blanket orders, Monthly fixed amount, and Purchase Order – procurement-type
contracts
The procurement audit was a review of procurement activity in the context of the Central Procurement
Office (CPO). The focus of the audit was management monitoring controls and their effectiveness in
meeting the intended goal.
Real Estate Division 
This is a new division effective in 2008. A number of Professional service agreements from the division
were part of the aforementioned port-wide PSA audit. Additional specific audit projects conducted in
this division included:
• Seaport Maintenance Department – departmental operation
• Bell Street and Pier 66 Parking Lease – lease management
• Shilshole Bay and Fishermen’s Terminal – departmental operation
• World Trade Center – third-party agreement management
• Bell Harbor Conference Center – third-party agreement management 
• Cruise Terminal of America (CTA) – lease management
Airport Division 
• ID Badging Access Office - departmental operation
• Public Parking – departmental operation
• Rent-A-Car (RAC) Audits – lease management
o  Advantage
o  Enterprise
o  Dollar
o   Host 
o   Airport Management Services Inc. 
o   Seattle Restaurant Associates 
• In-flight Meal Companies - lease management
o  Flying Food
o  Sky Chefs
o  Gate Gourmet
• Doug Fox Parking Lease - lease management
• Ground Transportation – departmental operation
• JCDecaux Advertising Lease - lease management
The financial recovery from compliance audits totaled over $1 million, the majority of which resulted
from Hertz ($1 million) and Avis ($100,000). The risk associated with the RAC audits is underreporting
of some revenue streams from the concession base or, simply put, reducing the concession fee through
unallowable deductions.
Seaport Division 
• Grain Terminal Lease - Terminal No. 86 (lessee has not responded to our audit request)











Control Environment
The following describes the Port from a risk standpoint. Aspects of Port operations are grouped into
relevant risk categories, in general terms, to facilitate an understanding of the risk the Port faces as an
organization.
The Port has a complex and ever-changing environment. Its operations encompass a wide spectrum of
enterprise activity ranging from international trade to capital infrastructure improvements. A significant
part of the Port’s core businesses is sensitive not only to the economic forces of the region and the
nation but also to global economic climates. Moreover, the Port is faced with ever-increasing
competition from neighboring seaports and airports in attracting/retaining container business and
airlines. Economic sensitivity and competitive forces change the risk outlook frequently and pose business
and operational challenges to the Port. Such challenges at times could materialize as a risk of
noncompliance and/or control circumvention if the organizational units facilitated operations by “cutting
corners” in the name of efficiency.
Equally important to the Port in consideration of risk is the Port’s organizational status. As a public
agency of the State of Washington, the Port is subject to a number of state statutes, regulating many
aspects of its daily activity - from public meetings of the Commission to the annual budgetary
requirements on the tax levy. Government regulations are an inherent risk of any public agency.
Port-wide Control Environment 
The Port is a decentralized organization. Divisions and their respective units are provided with varying
degrees of authority and responsibility to conduct and manage daily activity. There are many layers of
delegation of authority from the Commission, to the CEO, to the senior management, and to staff. The
delegation of authority at the Port has become over-complicated and cumbersome over time, and as
such mapping a particular line of authority is no longer a simple task. This complexity in delegation of
authority increases the likelihood of non-compliance and/or other irregular activities. Following the 2007
SAO Performance audit, the Port revised Resolution 3181 to delineate authority more clearly.
The weakest link in a decentralized environment is an assumption (with or without verification) of
control activity performance at decentralized locations. That is, central units (e.g., payroll processing)
are less likely to apply key controls or to initiate compensating controls because there is a
presupposition that key control activities (e.g., approving timesheets for accuracy) are fully performed at
perimeters of the organization. The end result could be a set of transactions processed without being
subject to sufficient controls. Following the 2007 SAO Performance audit, the Port centralized
procurement activity into one department, thereby standardizing not only the policies and procedures
but also the application of those policies and procedures. Such efforts are designed to ensure there will
be minimum controls applied to procurement activity in a concerted manner.
In regard to the majority of revenue, the Port is not actively and directly engaged in revenue generating
activity. Rather, the Port earns revenue through contractual relationships where external entities are
granted the privilege to conduct business on Port property and remit a fee to the Port in exchange. A
significant number of these contractual relationships are in the form of lease agreements or other
contractual agreements. The majority of the tenants/customers self-report to the Port based on agreed-upon
concession fees. Self-reporting, as a reporting process, is high risk because it has no built-in
mechanism to protect Port interest. Self-reporting by Port tenants/customers is inherently susceptible to
underreporting of concession fees and may lead to a revenue loss to the Port. Indeed, past internal audits
have disclosed problems with some Port tenants. Thus, it is necessary to establish
monitoring activities including periodic audits to properly mitigate the inherent risk. Unfortunately,
because of limited internal audit resources, the majority of Port tenants/customers have not been
audited in the past.
Information/Communication/Control Activities 
Communication at the Port takes many forms.
There are policies/procedures at the Port-wide and at the individual organizational unit level as a
means to communicate public, Commission, and senior management expectations.
Port-wide policies/procedures are readily available and easily accessible via intranet, but not all
procedures at the unit levels enjoy such easy access. In other instances, there may be no written
policies and/or guidance. This could introduce an element of risk where management’s intent as
stipulated in the policy may not be timely and properly communicated in the form of operational
procedures. Additional risks would include: 1) operational procedures may not be aligned with the overall
Port policies and 2) employees may not be aware of the organization’s goals and objectives. This could
also increase the risk of non-compliance.
The Port utilizes technology to automate and streamline recurring activities. There are a number of
stand-alone systems in use across the Port that need to maintain management-defined structured
communication amongst themselves. Inter-system communication is particularly significant in the
financial arena, as many stand-alone subsystems need to feed into PeopleSoft, the Port’s primary
financial system for internal/external financial reporting. Inter-system communication highlights the
importance of frequent and regular performance of reconciliation. Without reconciliation, information
integrity cannot be maintained and information reliability could become questionable.
Compliance Environment 
Compliance at the Port is multi-dimensional. The following are various groups of compliance
requirements to which the Port is subject.
The Port is subject to federal regulations, many of which are federal grant and air/seaport security
related. Currently, the Port’s federal audit is conducted annually by Moss Adams, an independent CPA firm.
The most significant risk associated with federal audits is loss of federal funding. The loss could occur if
significant material non-compliance issues are disclosed. For purposes of federal compliance, Internal
Audit has relied on the work of the independent auditor and thus has not reviewed federal financial
controls or compliance issues at the reporting level.
As a public agency of the State of Washington, the Port is subject to all provisions of Title 53 and
related provisions of the Revised Code of Washington (RCW). The State Auditor’s Office (SAO) conducts
accountability audits annually to ensure public interest. Additionally, other state agencies such as the Dept.
of Revenue and Dept. of Retirement regularly review Port operations for their respective purposes.

Significant audit findings from SAO could reflect the Port negatively in the eyes of the public. In
addition, findings from other state or local audits (e.g., DOR, Department of Retirement, Labor Unions, and/or IRS)
could have a negative financial impact on the Port if the Port was found to owe money to
those agencies.
The Port is subject to numerous additional local (i.e., King County, City of Seattle, City of SeaTac, etc.)
and agreement-driven (i.e., bond covenants, union labor agreements) compliance requirements.
The Port has numerous compliance requirements of its own. Applicable regulations from
aforementioned federal, state, and local agencies are frequently embedded as part of the Port
operations. The design is to provide reasonable assurance of compliance with applicable federal, state,
and local rules and regulations through compliance with its own policies and procedures.
Risk Assessments 
The Port currently does not have a policy requirement for departments or units to conduct risk
assessments in a systemic fashion (e.g., Control Self Assessment), but various forms and degrees of
risk assessment practices exist throughout the Port.
Emerging Changes/Issues 
The Port implemented many organizational changes during 2008 as a result of CEO initiatives and
the 2007 SAO Performance Audit findings. Many of the nuts-and-bolts elements (i.e., policies and procedures)
are still a work in progress at the time of this assessment. During the transition, there is a degree
of uncertainty that may introduce additional elements of risk. Operations may be affected as new
decision trees become established and line staff acclimate to the new environment. When the changes are complete,
Internal Audit may perform procedures to provide reasonable assurance to the Commission and
management that changes are materializing as intended.
AFR (Accounting and Financial Reporting) successfully implemented a new online e-Expense
system, Concur, during 2008. The system appears to be robust and functioning properly. Implementation
of the new version of HRMS (Human Resources Management System) has been delayed
until mid-2009. There are other system changes/upgrades that are in either the
conceptual or budgeting stage.
Through Initiative 900 (I-900), state voters provided the State Auditor’s Office (SAO) with a mandate to
conduct performance audits of local governments. SAO conducted the first performance audit at the Port
in 2007 through a contract firm (Cotton & Company). SAO released its findings in December 2007,
and the Port has been diligently addressing findings from the report. SAO communicated to the Port
its intention to conduct a second performance audit, which is tentatively scheduled to begin in early 2009.
The McKay Fraud Investigation was completed in December of 2008 and identified ten civil frauds at the
Port. The report also identified a number of contractors that did not comply with the McKay
investigation. As a result of this investigation, the Audit Committee might want Internal Audit to conduct
some work related to the firms that did not comply. The scope of this work has not yet been defined.
We will leave some hours in the contingency budget for this work.

Recent global economic downturns undoubtedly will affect the travel and airline industry. Such
slowdowns will propagate throughout the region and surely impact the Port’s financial position. In
anticipation, the Port has put together its 2009 budget with substantial cuts across the board. From a
risk perspective, economic hard times often create additional pressure/opportunity for noncompliance
and fraud. Lessees may face new pressure to re-interpret certain concession/revenue provisions or
underreport the concession outright. Port departments may face similar pressure with their operating
budgets and may relax their due diligence on accountability.
The construction of a consolidated rental car facility began in 2008 and is scheduled to open in 2011.
When complete, the space occupied by RAC (Rent-A-Car) in the main parking garage will be available
for general parking. The increase in parking stalls will likely generate more parking revenue for the Port.

Risk Assessment and Identification
(Quantitative and Qualitative) 
Below are ten (10) risk exposures Internal Audit considers critical to the achievement of the Port
mission. Risk exposures are, among other things, based on full consideration of the Port’s
organizational status as a public entity. The department has attempted to reflect all relevant and
significant risks faced by the Port and group the elements in a consistent and logical way.
The presence of risk simply indicates that the process of achieving the Port mission isn’t without pitfalls.
The identification and subsequent measurement of risk are accomplished by measuring a number of
factors related to risk, such as complexity, regulatory, technology, dollars at risk, liquidity of assets,
competence of management, strength of internal controls, monitoring activities, frequency of internal
audits, etc. Internal Audit is sufficiently proficient in all areas but is especially experienced in Washington
State local government operations and requirements. We will use this experience and judgment to
measure and prioritize the risks that are facing the Port.
1. Central Processing Systems 
The system refers to a group of processes common to all organizational units across the Port which
may or may not include an IT system. A good example of a system in this context would be payroll.
While each department may utilize different methodologies to accumulate/approve timesheets, all
payroll entries are centrally processed at AFR before generating checks and posting transactions to the
ledger. Certain controls are expected at the systems level to provide minimum assurance over
accountability. Systems can play an important role of prevention and detection as all related
transactions are expected to be processed by the system at a point in time. As such, controls at the
systems’ level could be most effective and have the most impact.
Internal Audit reviewed procurement in 2008 at Pier 69 as a central system for the Port to provide
management with reasonable assurance that current procurement practices are well controlled to
ensure compliance and accountability. Procurement in this context does not include accounts payable.
The review was conducted in full recognition that the CPO and related policies/procedures have not
been completed. The review was designed to deliver value-added benefits by providing management
with the auditor’s perspectives while policies/procedures are in the design phase.
In 2009, Internal Audit will perform a systems audit of accounts payable (A/P), which will dovetail nicely
with the procurement review in 2008. The A/P review will focus on the adequacy of internal control
design as well as the efficiency/effectiveness and sufficiency of implemented controls. The
understanding gained through the A/P review will complete the control review of a buy-to-pay cycle at
the Port. The understanding will be used in other engagements as all auditable units have some degree
of procurement and payment in their processes. We will also review the Payroll system as it is considered
part of the pay cycle.

2. Organizational (e.g., department) Control Reviews 
The primary risk with organizational units is the efficiency/effectiveness of internal controls over
accountability in managing resources including financial and physical assets.
Throughout the discussion of the department internal control review, a reference is made to the
department node. The node refers to a collection of individual departments by function and/or location.
Below is a table of top nine operating revenue generating department nodes. It is a good indicator of
risk concentration with respect to operating revenue.
(in thousands)
Dept. node                                     2004     2006     2007     2008
Air Terminal                                104,008  128,930  129,144   99,029
Airfield                                     47,156   50,319   57,138   42,131
Public Parking                               42,037   52,617   55,463   41,199
Seaport Container Operations                 38,074   49,820   49,088   41,701
Rental Cars                                  25,818   33,983   36,408   29,847
Concessions                                  21,022   28,300   31,085   26,283
Third Party Management                       10,017   13,018   13,690   11,439
Airport Properties                           10,089   16,911   12,104   10,478
Landside                                      7,517    8,929    9,881    6,955
Commercial Properties                         7,066    7,697    8,175    6,207
Source: PeopleSoft
* 2008 is as of October.
Although different department nodes are responsible for different agreements, much of the aviation
revenue in the top nine is lease and concession related. Risk associated with lease and concession is
discussed under lease and concession revenue risk exposure at a later section of this assessment.
Non-agreement revenues are parking at the airport and third-party managed properties. The 3rd party
management is another risk exposure element discussed at a later section of this assessment as a
separate risk.
Operating Expenses 
Below is a table of top ten department nodes in operating expenses, excluding depreciation expenses.
(In thousands)
Dept. Node                                     2004     2005     2006     2007     2008*
Aviation Maintenance                         33,958   36,392   40,071   40,957   35,019
Police Department                            16,829   17,407   16,994   18,607   14,580
Aviation Executive/AVEX                      12,957   13,581   13,486   14,791   11,799
Air Terminal                                 11,628   14,133   13,512   14,706   11,187
Information & Communication Technology        7,674   12,636   11,086   13,266   10,953
Aviation Utilities                           14,159   14,198   15,751   12,965   10,016
Maintenance                                   9,869    9,192    9,462   10,036    8,795
Third Party Management                        7,294    8,502    9,645    9,541    7,555
Professional & Technical Services             4,644    9,752    2,081    7,864    2,611
Airport Security                              4,844    4,795    5,950    7,412    5,893
Source: PeopleSoft
* 2008 is as of October.
Maintenance (Air and Seaport) and security (Police and Av. Security) are two department nodes that
incur significant operating expenses. Departments in these categories account for between
39% and 43% of the Port’s overall operating expenses.
Table below represents all operating expenses by major account category for the last five years.
(in millions)
Expense Category                               2004     2005     2006     2007     2008*
Salaries & Benefits                             $72      $71      $73      $79      $69
Wages & Benefits                                $44      $59      $51      $63      $49
Outside Services                                $66      $55      $50      $48      $37
Utilities                                       $20      $18      $21      $19      $15
Supplies & Stock                                 $7       $8       $9       $6       $5
Equipment Expense                                $4       $5       $6       $6       $4
Travel & Other Emp Exps                          $3       $3       $3       $3       $3
General Expenses                                 $2      $15       $2      $12       $6
Other                                            $6       $6       $5       $5       $5
Source: PeopleSoft
* 2008 is as of October.
Payroll 
Not surprisingly, payroll related expenses are the biggest--accounting for over 50% of the total
operating expense. The Port has 1,500+ employees on its payroll, and there are a number of collective
bargaining agreements with various unions.
Top ten departments in salaries and wages with benefits are listed below, and the list expectedly is
closely related to the top ten department nodes in operating expenses.
(in thousands)
Dept. Node                                     2004     2005     2006     2007     2008*
Aviation Maintenance                         24,266   25,981   28,840   31,286   25,885
Police Department                            14,966   15,182   15,100   15,751   12,778
Aviation Executive/AVEX                      10,140   11,148   11,184   11,797    9,715
Information & Communication Technology        6,345    6,801    7,674    8,414    7,820
Maintenance                                   6,570    6,413    7,012    7,851    6,357
Corporate Contingencies                                   187        0    6,295        0
Airport Security                              4,311    4,197    4,317    6,146    5,524
Accounting/Financial Reporting                3,581    4,003    4,555    5,059    3,761
Landside                                      4,533    4,301    4,781    4,321    3,498
Air Terminal                                  2,642    2,741    2,794    3,750    3,614
Source: PeopleSoft
* 2008 is as of October.

Currently the Port utilizes an online time entry system where original input as well as approval is
processed electronically. While the online system provides mathematical accuracy and certain input
validations, it presents other challenges or risks with respect to verification of complete and proper
entry. Additionally, management often delegates approval authority to staff, and this practice could
create a conflict of interest and other accountability issues -- it’s difficult to ascertain whether entries are
approved with first-hand knowledge of the underlying activity. Compared to the paper-based traditional
system, online systems tend to lack supporting documentation as management assumes online
document is the full extent of applicable documentation requirements.
From a risk standpoint, payroll overall is a relatively contained system despite its complexities and
inherent risks. The majority of payroll disbursements are based on static drivers (i.e., salaries, hourly
rate, employment tax rates, etc.), and the volume in most cases is activity independent. For example, the
daily financial liability to the Port per employee remains at 7.5/8 hours at a fixed rate whether an
employee is at work or on paid time off. Thus, the size of the payroll alone will not be the primary factor
in determining whether to review a particular area. The quality of payroll expenses will be a bigger
factor.
At risk in payroll are the earnings types that are collectively known as exceptional earnings (i.e.,
overtime and shift differentials). These represent something above and beyond the base pay and as
such require additional compensation. The risk is whether they are proper (i.e., business related)
and in compliance with applicable agreements/policies with respect to approval and documentation.
Outside Services category 
The category consists primarily of contractual services including Architectural & Engineering (A&E), non-A&E,
and janitorial services. The risk with outside services or consultant services is procurement
compliance with applicable federal/state/local regulations, including contracting irregularities such as
kickbacks. A&E procurements are somewhat heavily regulated in terms of solicitation and require a fair
and open competitive process.
In 2008, Internal Audit conducted a systems review of the central procurement process which covers,
among other things, A&E and non-A&E personal/professional agreements. While central
procurement does not perform what Internal Audit considers key controls to reasonably ensure
accountability in all categories, it does apply a set of procedures considered
compensating controls. Key controls are with individual departments. Additionally, there has been
significant exposure on professional agreements Port-wide as part of internal/external audits, including the
SAO 2007 Performance Audit. These reviews provided insight into administrative practices and
recommended ways to strengthen current control activities.
Top ten department nodes in the category are as follows. The table indicates risk concentration in a few
department nodes.
(in thousands)
Dept. Node                                     2004     2005     2006     2007     2008*
Air Terminal                                  8,040    8,574    9,525    9,364    7,082
Aviation Maintenance                          4,898    5,184    5,699    6,178    4,655
Project Controls & Admin                      6,058    3,653    2,558    3,162    2,021
Information & Communication Technology          273    4,464    1,583    2,648    2,091
Aviation Facilities                           1,963    2,141    2,082    2,592    1,386
Port Construction Services                    1,380    1,175    1,712    1,913    1,636
Airfield                                        378      501    1,530    1,706    1,156
Aviation Executive/AVEX                       1,752    1,757    1,439    1,560    1,105
Legal                                         1,964    1,182    1,112    1,512      893
Public Parking                                1,767    1,918    2,063    1,504    1,192
Source: PeopleSoft
* 2008 is as of October.
Public Parking is included in the top ten as its payments to the bank for processing credit cards are
included in the category. Other nodes are expected as the very nature of their responsibilities entails
using outside professional services. For example, Aviation Maintenance uses custodial and maintenance
contracts, and Information Technology utilizes outside desktop support services.
Utilities 
The category is among the top five major expense categories but does not pose any significant risk as
it is consumption driven. Consumption can be easily verified with third-party independent
documentation (i.e., Seattle Public Utility billing statements). Top three utilities in 2007 were electricity,
heating (gas and steam), and surface water.
Supplies and Equipment 
Accountability is the primary risk associated with this category. Included in the category are non-capital
items (i.e., equipment and supplies) which are often referred to as small and attractive assets. These
are items that are expensed because the monetary value is below the capitalization threshold. As such,
they are not often required to be tracked. However, most, if not all, departments do track these items,
but currently there is no established central system to monitor or ensure how well departments track
these assets. Hence, risk of loss, abuse, and misuse persists.
An additional risk element involving supplies and equipment purchases is procurement cards (P-cards).
The Port has many procurement credit cards at many departments. As the cards tend to be used for
small purchases by multiple parties, it is difficult to track both the purchaser and the purchased item.
Thus, preventive and detective controls such as close monitoring of card purchases are essential to
properly mitigate inherent risks of misuse/abuse.
Top ten department nodes in the category are as follows.
(in thousands)
Dept. Node                                     2004     2005     2006     2007     2008*
Aviation Maintenance                          3,196    3,540    4,173    1,780    2,336
Maintenance                                   1,214    1,395    1,322    1,130      813
Air Terminal                                    585      921    1,062      990       92
Police Department                               279      293      315      309      307
Airport Security                                208      251      354      292      151
Aviation Executive/AVEX                         358      325      319      285      294
P69 Facilities Management                       105      117      120      142       93
Engineering                                      85      124      124      133      110
Public Parking                                  102       93      130       74       63
Aviation Facilities                              83       88       86       71       81
Source: PeopleSoft
* 2008 is as of October.
As expected, maintenance shops at the sea and airport are the top two in the category. Internal Audit
reviewed both maintenance shops in the last two years and suggested a number of ways to strengthen
existing controls over physical assets. Aviation Executive/AVEX is part of the top ten as the node
includes the Fire Department. The majority of the supplies and equipment for the Fire Department are emergency
supplies and uniform/protective equipment.
Travel and Other Employee Expense
The risk associated with this category is one of accountability. The category covers a wide range of
expense items from breakfast to a cab ride and as such is inherently susceptible to misuse and abuse.
In 2008, the Port replaced the aging Bank of America system with a new online expense system,
Concur. There is a dedicated position within AFR for travel card expense processing which mitigates
certain control deficiencies at the department level. While the position can exercise some compensating
controls to ensure completeness, it does not have first-hand knowledge to determine the
appropriateness of submitted expenses. This emphasizes the importance of due diligence and care by
management when approving travel requests.
Top ten department nodes in the category are as follows.
(in thousands)
Dept. Node                                     2004     2005     2006     2007     2008*
Executive                                       293      422      390      428      325
Aviation Executive/AVEX                         300       98      312      377      242
External Affairs                                175      275      224      263      203
Human Resources & Development                   156      206      266      246      209
Information & Communication Technology          102      163      167      216      224
Seaport Division Management                     191      139      173      203      129
Police Department                               113      147      125      173       99
Seaport Container Operations                    147      155      180      169      (1)
Special Advisors/Economic Development           136      128      136      136       39
Aviation Maintenance                             36       64      103      101       96
Source: PeopleSoft
* 2008 is as of October.
All top ten are expected. Police and Fire receive heavy training, which often requires traveling and
overnight stays as well as registration. Special Advisors include overseas representatives and
economic teams at Pier 69.
Below is a table of the category expense by account.
(in thousands)
Account                                        2004     2005     2006     2007     2008*
Registration Fees/Tuition                       548      620      698      845      780
Membership Dues & Fees                          625      352      667      795      662
Air Fare                                        393      426      519      612      366
Lodging & Other Travel                          291      499      582      499      178
Employee Food & Beverage                        251      267      235      271      186
Subscriptions                                   286      320      275      250      254
Local Transportation                             55       65       70       72       86
Service Awards                                   65       64       59       62       49
Management Education Expense                     28       20       29       30       28
IDC/E&T Fellowship Program Exp                                                       10
Source: PeopleSoft
* 2008 is as of October.
Overall, travel and other employee expenses have remained flat over the last five years. No unusual
trends are noted at the account level. Memberships include big ticket dues to such organizations as WA
Public Port Assoc., Airport Council International, and Puget Sound Regional Council.
Telecommunication 
(in thousands)
Dept. Node                                     2004     2005     2006     2007     2008*
Information & Communication Technology          419      503      450      500      376
Police Department                               105       98      111      113       84
Engineering                                     111       74       97      106       62
Air Terminal                                     29       59       82       91       86
Aviation Maintenance                             76      100      105       81       71
Aviation Executive/AVEX                          54       57       56       66       50
Maintenance                                      58       42       51       48       30
Airfield                                         34       35       44       48       35
External Affairs                                 23       28       33       33       23
Project Controls & Admin                         54       32       36       33       20
Source: PeopleSoft
* 2008 is as of October.
All top ten are expected as communication is a significant part of their daily operations. Engineering,
although expected, has somewhat higher than expected communications expenses.
Below is a table of the category expense by account, and no unusual trends are noted.
(in thousands)
Dept. Node                                     2004     2005     2006     2007     2008*
Long Distance Charges                            76       79       37       36       58
Telecommunications                            1,202    1,245    1,308    1,443    1,017
Telephone - Data Transmission                     0        2        1        0        8
Source: PeopleSoft
* 2008 is as of October.
Promotional Expense 
Promotional expenses are frequently a subject reviewed by the State Auditor’s Office as the category
allows such unusual items as alcoholic beverages. Internal Audit reviewed the expense for any unusual
trends during the assessment although it considers the coverage by the SAO adequate.
(in thousands)
*                                              2004     2005     2006     2007     2008*
Aviation Executive/AVEX                         278      239      179      427      242
External Affairs                                231      295      157      210      120
Executive                                        15       61       59       48        9
Special Advisors/Economic Development           194       63       59       38       36
Seaport Container Operations                     40       58       35       33        2
Harbor Services                                  12       12       10       28        9
Cruise Services                                  59       67       37       17       16
Professional & Technical Services                14       17       22       13       13
Community Development                             9       15        4       11       15
Project Controls & Admin                          2        0        2       10        0
Source: PeopleSoft
* 2008 is as of October.
Other Useful Statistical Information 
Below are top five vendors in operating expenses in 2007, and no unusual trends are noted in the list.
Ranking                      Operating
1  AMERICAN BUILDING MAINTENANCE
2  SEATTLE CITY LIGHT
3  BONNEVILLE POWER ADMINISTRATION
4  PUGET SOUND ENERGY
5  KONE INC. - elevator and escalator maintenance
Source: PeopleSoft
Below are the top five non-payroll and non-utility accounts. Other than for 3rd party management fees, it is
expected that outside services as a whole are the second largest expense group following payroll
including benefits. Internal Audit reviewed two 3rd party management contracts in 2008: Bell Harbor
International Conference Center and World Trade Center. 3rd party management as a group is one of
ten (10) risk exposure elements Internal Audit considers critical.


(in thousands)
Dept. Node                                     2004     2005     2006     2007     2008*
Non-Architectural & Eng Svcs                 11,290   10,925    7,194   10,309    7,700
Other Contracted Services                    30,366   18,243   16,422   10,265    7,331
Contracted Janitorial Service                 7,166    8,101    8,979    8,733    6,574
3rd Party Mgmt Op Exp                         6,729    7,451    8,408    8,553    7,077
Architectural & Eng Services                  6,855    5,542    6,217    6,111    3,304
Source: PeopleSoft
* 2008 is as of October.
Non-operating Revenue/Expense 
Bond interest expenses carry little risk as they are highly structured and in most cases predictable.
Passenger Facility Charges (PFC) are a federally approved fee that commercial-service airports can
impose to finance airport improvements. Collection from the customer and disbursement to the airport
is the responsibility of the carrier. Starting in 1992, carriers with more than 50,000 annual charges are
required to provide an independent audit of their system. Further, the Port annually engages a CPA
firm to audit PFC. Due to coverage by third parties, Internal Audit considers PFC low risk.
Gain/loss resulting from sale of assets has one particular risk element from a public agency point of
view. All asset sales must be arm’s-length transactions and free of conflict of interest with the buyer.

3. Revenue (lease and concession) 
The majority of the Port’s revenue is generated from passive earnings activity as a landlord. The Port
rents land/space to various parties at both the seaport and airport, and expects a payment in return. The
payment generally takes the form of: 1) a regularly occurring fixed amount and/or 2) a periodic
settlement of a fee which is based on earnings activity by the lessee. The Port faces different risks
depending on the type.
To elaborate further as to the extent of the passive earnings activity to the Port’s overall operating
revenues, a 5-year trend for agreement-driven revenue is provided below. The agreement in this
context refers to fully executed written legal contractual relationships. For purposes of the analysis,
Internal Audit reviewed all agreements within PROPWorks, an automated property and revenue
management system. PROPWorks is used by both air and seaport.
(in millions)                                  2004     2005     2006     2007     2008*
Total Operating Revenue                        $377     $417     $447     $461     $363
Agreement-driven                               $248     $311     $308     $345     $347
% of agmt-driven to the Op Rev.                 66%      75%      69%      77%      96%
Source: PeopleSoft
* 2008 is as of mid-November

The data suggests that up to 77% of the total operating revenue is derived from agreements. Given the
contribution level to the operating revenue, the mitigation of risks associated with agreements becomes
critical to the Port’s overall financial health. The most significant risk of agreement-driven revenue
streams is one of completeness. It is difficult to satisfy the question as to the complete reporting of all
applicable revenue as it relates to concession. The risk is even more evident when one considers that
the majority of the agreement-driven revenue at the Port is self-reported. The Port has little direct
means to confirm/refute the reported concession base.
A secondary risk to the agreement-driven revenue streams would be inadequate protection of the Port’s
interest in the agreement itself. There is a risk that the agreement may be executed without an audit
clause. In such cases, the Port would not have audit access to underlying records to determine if the
reported revenue is reasonable and complete.
Internal Audit has in past audits found certain control deficiencies and lax management monitoring. As
a result, Internal Audit has been steadily increasing transparency in the area, but given the sheer
number of agreements (~700 active agreements as of Nov. 2008), it is practically impossible to review
all agreements individually. Given that, the only effective and manageable way to consistently provide
any assurance is to review agreements in some categories based on risk.
Below is a 5-year trend of agreement-driven revenue by major revenue category. The top three (3)
account for over 80% of the total.
(in millions)                         2004    2005    2006    2007    2008*
Space Rental                         $ 141   $ 189   $ 191   $ 221   $ 213
Landing Fees                            45      47      47      53      40
Car Rental Revenues                     21      27      27      28      28
Food and Beverage Revenue                8       9       9      12      12
Retail Revenue                           6       8       7      10      11
Revenue from Sale of Utilities           2       3       8       9       9
Land Rental                              5       6       6       7       6
Advertising Revenue                      3       4       4       5       4
Concession Services Revenue              1       3       3       3       4
In-Flight Kitchen Revenue                3       3       3       3       3
Other Misc.                              3       5       5       5       6
Source: PeopleSoft and PROPWorks
* 2008 is as of mid-November
Space Rental is a low-risk area in regard to the complete and accurate receipt of rent. Rents, for
the most part, are a fixed amount on a monthly basis. Missing and/or incorrect payments would be
relatively easy to capture and remedy as the payment amount does not change and is expected every
month. At risk would be a loss of revenue due to below-market rents and inconsistent
application/enforcement of agreed-upon provisions such as the annual acceleration clause and
interest/penalty for late payments.
Landing Fees are a mechanism to recover costs to maintain and operate the airport. Fees are based on
a collection of eligible cost pools and are billed for every 1,000 lbs of landing weight. Analysis indicates
that there has not been a significant change (>10%) in recent years. It is estimated that the fees will go
down as the 2009 operating budget has been reduced, and eligible expenses at the airport will likely
continue to decrease in coming years. The primary risk is failure to include all eligible costs in allocation
pools. The failure could occur as: 1) incorrect pooling of costs (i.e., omission of costs during the pooling
process) and/or 2) incorrect general ledger account balances (i.e., incorrect costs are included).
Additional risk subsequent to cost pooling would be risk associated with billing and collection (e.g., late
payment interest and penalty), which is not as significant as the first.
Considering the total number of customers (~10), Rent-A-Car (RAC) as a revenue source contributes a
significant amount to the operating revenue. Internal Audit has been reviewing RACs annually and
found certain issues regarding gross revenue offsets. Offsets are used to reduce concessionable
revenue, and thus improper offsets translate to decreased concession to the Port. The Port has
recovered well over $1 million as a result of past audits. Given the contribution to the operating revenue
and the extent of the issues uncovered thus far, continued exposure is deemed necessary. As such,
Internal Audit has placed all RAC reviews on a 3-year audit cycle.
Food/Beverage/Retail includes shops and restaurants at the sea and airport. As a whole, the revenue
stream has been steadily increasing in recent years. Internal Audit has conducted a number of reviews
on big contributors in 2008: Airport Management Services, HOST, and Seattle Restaurant Associates.
The reviews indicated no significant concerns. However, food/beverage/retail lease agreements are
often complex with various types of allowances (e.g., display allowance for newspapers) which may or
may not be subject to concession. Further, the projected decline in the travel industry due to recent
economic downturns may create additional pressure toward incomplete concession reporting. Internal Audit
will continue to bring exposure to the area.
Utility resale is considered low risk. One risk would be a miscalculated usage base, resulting in less
than full recovery of original utility fees paid by the Port.
Advertising revenue is concession from outdoor advertising firms such as JC Decaux and Clear
Channel. Internal Audit reviewed concession from JC Decaux in 2007 and had a minor recovery as a
result. Through a public competitive process in 2007, Clear Channel prevailed in a bid to be an outdoor
advertising agent at the airport. Because the agreement is fairly new and generates significant revenue
(>3M) as a single advertising agent, it would be beneficial to establish Internal Audit presence to
promote correct and complete reporting of all concessionable revenue.
Risk associated with land rental is similar, if not identical, to that of space rent as discussed
above.
Internal Audit reviewed all in-flight tenants in 2007 and had a number of issues on disallowed offsets to
the concession base. Internal Audit will re-examine tenants in 2010 and determine if additional coverage is
necessary.
Misc. includes dockage, wharfage, crane rental, aviation fuel flowage, etc. Risk in these areas is
similar to other concession arrangements in that fees to the Port may not be based on complete
concessionable revenue.
Below are the top twenty (20) customers in 2007 in terms of total billings. Ranking has been analyzed to
fully consider the agreement-driven revenue risk at the customer level.
(in millions)
Rank  Name                               2007   2008*
 1    ALASKA AIRLINES INC                $ 47   $ 42
 2    SSA TERMINALS LLC                    20     25
 3    UNITED AIRLINES                      20     15
 4    EAGLE MARINE                         17     21
 5    HORIZON AIR                          13     11
 6    NW AIRLINES INC-PFC                  13     11
 7    DELTA AIR LINES INC                   9      8
 8    SEATAC FUEL FACIL                     9      9
 9    SOUTHWEST                             8      8
10    HOST                                  8      8
11    HERTZ CORPORATION                     8      9
12    AIRPORT MANAGEMENT SVCS LLC           7      8
13    CRUISE TERMINALS OF AMERICA LLC       7      9
14    AVIS RENT A CAR SYSTEM                7      7
15    LOUIS DREYFUS CORP                    6      6
16    CONTINENTAL AIR LINES INC             6      6
17    AMERICAN AIRLINES INC                 6      5
18    ALAMO RENT A CAR                      5      5
19    NATIONAL CAR RENTAL                   5      5
20    US AIRWAYS INC                        5      4
Source: PeopleSoft and PROPWorks
* 2008 is as of mid-November
Almost all of the top twenty customers are in either the space or Rent-A-Car (RAC) revenue category,
which is in line with the top three agreement-driven revenue categories. Analysis indicates space rental
revenue is quite top-heavy in that the top 5 of 500+ customers in revenue groups account for over 50% of
the category revenue. This indicates that residual risk after the five in the space rent category is quite
dispersed, and under such conditions, providing adequate audit coverage may prove difficult.
4. Federal Assistance 
The Port has numerous federal grants to support various operating and capital activity. Below is a
5-year history of grant revenues. The decreasing trend appears to be reflective of the construction activity
associated with the third runway as well as security at both air and seaport following 9/11.
(in thousands)
Account  Acc Desc                  2004       2005       2006      2007      2008*
70810    Misc                   (1,149)    (2,054)      (333)      (51)         0
70820    FAA                   (74,262)   (62,157)   (73,927)  (65,555)  (29,811)
70825    TSA - Seaport         (42,370)   (44,797)    (1,399)     (653)         0
70830    ODP Grant Revenue            0          0      (870)      (50)         0
70835    TSA - Airport                0          0   (42,526)  (19,448)     2,206
70840    DOT                      (560)      (564)    (6,991)   (3,827)   (1,639)
70850    WA State                  (87)       (82)    (1,148)        74      (25)
70860    DOE                          0          0          0         0         0
Total                         (118,428)  (109,655)  (127,194)  (89,511)  (29,268)
Source: PeopleSoft
* 2008 is as of October 2008.
When federal assistance exceeds $500,000, an audit of federal expenditures is required per the Single
Audit Act of 1984, as amended. An independent CPA firm typically performs the audit. Currently Moss
Adams conducts the single audit at the Port.
The Port has not had any significant findings related to federal grants. Internal Audit considers the audit
by Moss Adams of federal expenditures adequate, and as such the department has no plan to conduct
any procedures related to the federal grants in 2009.

5. 3RD Party Management Contracts 
Risk is one of compliance. The requirements to which the Port is subject are the same requirements
with which the 3rd party management must comply as an extension of the Port. Any noncompliance by
the 3rd party management is, by extension, noncompliance by the Port. Columbia Hospitality and Wright
Runstad & Co. manage Port-owned property for a fee.
Internal Audit reviewed Columbia Hospitality in 2008 and plans to review Wright Runstad in 2009.

6. Performance 
Performance measures generally precede performance audits. Once instituted for a period of time,
measures can be benchmarked against industry standards to determine efficiency and effectiveness in
the achievement of goals and objectives.
The Port has not instituted any performance measures, and thus the traditional approach cannot be
used to conduct performance audits. However, the Port does have numerous measurable indicators of
performance expectations. For example, an annual budget and expectations of job creation could be
viewed as such indicators. Put differently, a performance audit can be conducted with the budget and
management expectations as a baseline performance measure. What isn’t feasible in this approach is
benchmarking against external standards.
Internal Audit has three or four potential candidates for a performance audit in 2009: 1) space rental, 2)
cruise line of business, 3) terminal operations, and 4) leasing operations. The scope of the audit will be
determined in close discussions with the Audit Committee.

7. Financial Reporting/General Ledger 
Accounting and Financial Reporting, formerly known as APS, prepares annual financial statements
(CAFR) as of and for a period ending December 31. The statements are annually audited by an
independent CPA firm, Moss Adams, for reasonableness and fair presentation.
The risk of material misstatement in the government financial statements is considered low. In a
manner of speaking, there is no incentive to “cook” the books. More relevant would be the disclosure
risk in regard to the nature and extent of the content of the statements, but Port accounting and
financial reporting staff has the expertise to adequately mitigate the risk. For the past three years, the
Port has received the GFOA Certificate of Achievement for Excellence in Financial Reporting.
Internal Audit has no plan to conduct any review in the upcoming year related to the financial/general
ledger.

8. Enterprise Risk Management (ERM) 
The Audit Committee has repeatedly expressed interest in implementing an ERM system at the Port.
The Committee and Internal Audit recognize the value of ERM as a tool in streamlining Port-wide
efforts to effectively manage risk. The Committee has included ERM as one of its many strategic goals
to achieve in the next five (5) years.
At the time of the assessment, no ERM system has been implemented at the Port (i.e., no ERM system
to review). Thus, risks associated with not having a formal ERM or substantially equivalent system
remain outstanding. However, it should be noted that there are many silos of risk assessment
conducted by many groups and/or departments throughout the Port. These silo risk assessments are
informal. Hence there is a need for training so that senior management can see the need and buy into
the concept of a formal ERM project. For any ERM project to be successful, senior management needs
to buy into the concept and see the value of the project.
The risk management part of ERM will be incorporated in all our audits. The question of how well risk is
managed in each system will be one of the objectives of our reviews. The discussion of the
implementation of ERM at the Port will be continuing with the Audit Committee and senior Port
leadership and we will implement accordingly.

9. Special Investigation and other Requests 
The Port considers any allegation of fraud and loss of public funds a serious infringement of public
trust and investigates fully and diligently if it determines there is substantial merit to the allegation.
At the time of the assessment, Internal Audit is uncertain as to the extent of the special investigation in
the coming year. However, Internal Audit acknowledges that there will be some and consequently
reserves a certain level of audit resources in the work plan dedicated to such investigations.

10. Capital Improvement Program (CIP) 
In recent years, there has been a significant amount of exposure on the contracting practices at the
Port. A number of external and internal audits have been conducted in the area: 1) Port-initiated
performance audit, 2) 2007 State Auditor’s performance audit, 3) Port-initiated fraud audit subsequent
to the SAO audit, 4) Department of Justice audit (results not yet published), 5) Internal Audit review of
PSAs, 6) Internal Audit review of procurement as a systems review, and 7) Internal Audit follow-up
audit of selected SAO recommendations.
Based on the findings (especially from the SAO report), the Port has reorganized and created a new
division and a department to ensure improved efficiency and compliance. Concurrently the Port has
been diligently working on new policies and procedures to strengthen and supplement existing ones.
Many of these policies and procedures are a work in progress at the time of the assessment.
Given the level of exposure in recent years through internal and external audits, we can defer additional
scrutiny in the CIP area with respect to controls over contracting practices to years beyond 2009.
Internal Audit recommends no CIP audit in the upcoming year.

Summary of Risk

Risks are events that have some probability of occurring. Risk measurement involves subjective
judgment and reference to objective or historical data. The measurement of risk is accomplished by
measuring a number of risk-related factors such as: complexity, regulatory, technology, dollars at risk,
liquidity of assets, competence of management, strength of internal control, monitoring activities,
frequency of internal audits, etc. Internal Audit is very experienced in Washington State local
government operation and requirements. We will use that experience and judgment to measure and
prioritize the risks that are facing the Port.

Each entry below lists: Risk No.; Fact; Identified Risk; Risk Measurement or Likelihood of Occurring;
Action Plan; See Detailed Work Plan.

Risk #1
  Fact: The Port is subject to a number of state statutes regulating many aspects of its operations.
    Government regulations are an inherent risk of any public agency.
  Identified Risk: Non-compliance with state statutes
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Federal/State/Local legal compliance is embedded in all audits by the department.
  See Detailed Work Plan: 2009 Department Internal Control Reviews

Risk #2
  Fact: The Port is a public agency – that is audited annually by SAO
  Identified Risk: Findings on the Port could create negative publicity about the Port.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Accountability concerns as a public agency are embedded in all audits by the department.
  See Detailed Work Plan: 2009 Department Internal Control Reviews

Risk #3
  Fact: The Port is audited by other state or local agencies such as DOR, Departments of Retirement,
    Local Unions, IRS etc.
  Identified Risk: If the Port was found to owe money, this could have a negative financial impact on
    the Port.
  Risk Measurement or Likelihood of Occurring: MODERATE
  Action Plan: Continue monitoring audit activities/results by these agencies and modify, as
    warranted, the department ARAP and work plan accordingly.

Risk #4
  Fact: The Port environment is complex and decentralized.
  Identified Risk: Inadequate controls, ineffective monitoring in achieving Port objectives, and
    possible non-compliance
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Continuous monitoring of key indicators of inadequate controls, ineffective monitoring
    by management, and modify, as warranted, the ARAP and work plan accordingly.
  See Detailed Work Plan: 2009 Department Internal Control Reviews and systems audits

Risk #5
  Fact: The majority of Port tenants and customers have a self reporting system.
  Identified Risk: Underreporting of Concession fee and lack of monitoring by Port management.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Continue to monitor the effectiveness of the Port management monitoring systems and
    promote awareness on compliance.
  See Detailed Work Plan: 2009 operational aud of departmental revenue managemen

Risk #6
  Fact: Operating procedures for business units are not always visible.
  Identified Risk: The procedures may not line up with the Port overall policies and strategy.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: The adequacy of policy/procedure is an integral part of all department internal
    control reviews.
  See Detailed Work Plan: 2009 Operation departmental audits.

Risk #7
  Fact: The Port has many stand-alone IT subsystems.
  Identified Risk: Lack of reconciliation with the Port financial system - PeopleSoft
  Risk Measurement or Likelihood of Occurring: MEDIUM
  Action Plan: Sub-systems and their reconciliations are reviewed as part of the department internal
    control reviews.

Risk #8
  Fact: The Port receives federal financial assistance.
  Identified Risk: Non-compliance with grant requirements
  Risk Measurement or Likelihood of Occurring: MEDIUM
  Action Plan: The department considers the work by Moss Adams adequate.

Risk #9
  Fact: The Port is decentralized and has many local policies and procedures.
  Identified Risk: Non-compliance and lack of adherence to Port policies and strategies.
  Risk Measurement or Likelihood of Occurring: MODERATE
  Action Plan: The adequacy of policy/procedure is an integral part of all department operational
    audit
  See Detailed Work Plan: 2009 Department operational audits.

Risk #10
  Fact: In 2008, the Port created new operational units and positions – Department of Social
    Responsibility etc.
  Identified Risk: Operational risk as new units and positions establish and line up staff acclimate
  Risk Measurement or Likelihood of Occurring: LOW
  Action Plan: Vigilant to indicators (financial or otherwise) of systematic or control failure.

Risk #11
  Fact: The Port is upgrading or replacing some of IT systems.
  Identified Risk: With system implementation and/or upgrades, there is always an inherent risk that
    something might go wrong.
  Risk Measurement or Likelihood of Occurring: MEDIUM
  Action Plan: Increase Internal Audit participation in system implementation discussions as well as
    post-implementation risk assessment

Risk #12
  Fact: The Port implemented a fraud hotline in 2008.
  Identified Risk: Cases reported through the fraud hotline may affect Internal Audit workload
  Risk Measurement or Likelihood of Occurring: MEDIUM
  Action Plan: Increase Internal Audit resources
  See Detailed Work Plan: So far most of the hotline reported cases have been addressed by the legal
    department.

Risk #13
  Fact: State Initiative 900 – Performance Audits
  Identified Risk: Negative publicity on the Port
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Provide assistance to management on proactive issue mitigation prior to the
    performance audit. Following the audit report, issue follow-up per the Audit Committee directions.
  See Detailed Work Plan: 2009 Performance Audit

Risk #14
  Fact: The Port spends millions each year on capital expenditures.
  Identified Risk: State and federal compliance and/or kickbacks. Capitalization of inappropriate
    charges
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: CIP is one of Internal Audit’s top ten risk exposures and as such the area is reviewed
    regularly for any indications of control and/or accountability risk.
  See Detailed Work Plan: No CIP specific audit scheduled in 2009. However, the issue of compliance
    and kickbacks will be a focus of any audit we conduct in 2009. A lot of audits have been conducted
    in the CIP area since 2007.

Risk #15
  Fact: The Port has many remote cash receipting locations.
  Identified Risk: Misappropriation and/or fraud of public funds
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: No separate engagements for remote cash sites, but the cash receipting review is
    included as part of the regular department internal control review if the department has a
    receipting operation.

Risk #16
  Fact: The Port has many tenants that provide food and retail services.
  Identified Risk: Underreporting of concession fee to the Port.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Ongoing and active risk assessment on concession agreements.
  See Detailed Work Plan: 2009 operational aud and effectiveness of management revenue monitoring.

Risk #17
  Fact: Space rental is the leading major source of revenue for the Port.
  Identified Risk: Tenants might not pay space rent to the Port
  Risk Measurement or Likelihood of Occurring: LOW
  Action Plan: Ongoing and active risk assessment on concession/rent agreements
  See Detailed Work Plan: 2009 operational aud and effectiveness of management revenue monitoring.

Risk #18
  Fact: A lot of receipts are collected over the counter at the Airport Public Parking.
  Identified Risk: Cash/checks are by nature susceptible to theft and fraud.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Internal Audit reviewed this area in 2007.

Risk #19
  Fact: Rental car agencies tend to give unallowable rebates and discounts to their customers.
  Identified Risk: Underreporting of concession fee to the Port.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Continue auditing rental cars agencies on a 3-year rotation cycle with a focus on
    management effectiveness of their management controls
  See Detailed Work Plan: 2009 operational aud of RAC reviews.

Risk #20
  Fact: The Port has three operations that are managed through third party management services.
  Identified Risk: Non-compliance and accountability risk.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: 3rd party management contracts are one of Internal Audit’s top ten risk exposures and
    as such the area is reviewed regularly for any indications of control and/or accountability risk.
  See Detailed Work Plan: 2009 3rd party review. The audit focus will be effectiveness of management
    monitoring controls.

Risk #21
  Fact: Payroll or payroll related expenses comprise over 50% of Port operating expenses.
  Identified Risk: Management often delegates approval authority to staff - it’s difficult to
    ascertain that entries are approved with first-hand knowledge of the underlying activity
  Risk Measurement or Likelihood of Occurring: MODERATE
  Action Plan: Payroll is part of the proposed 2009 work plan as a systems audit and the focus is
    operational effectiveness.

Risk #22
  Fact: The Port spends over $100 million in consulting services annually.
  Identified Risk: The primary risk with the outside services or consultant services is compliance
    with the Port policies and/or state laws. Contract irregularities.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Procurement was reviewed in 2008 which will be followed by a systems audit of accounts
    payable in 2009. The focus of the audit will be management operational effectiveness.
  See Detailed Work Plan: 2009 systems audits.

Risk #23
  Fact: The Port spends quite a bit of money on supplies and equipment.
  Identified Risk: The primary risk associated with supplies & equipment is accountability. There is
    a risk of theft and/or abuse.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Supplies and equipment are part of the department operational audit.
  See Detailed Work Plan: 2009 Departmental operational controls.

Risk #24
  Fact: The Port spends over $3 million annually through P-card procurement.
  Identified Risk: Abuse of credit cards for personal gain and/or personal purchases.
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Procurement was reviewed in 2008 which will be followed by a systems audit of accounts
    payable in 2009.
  See Detailed Work Plan: 2009 operational systems audits.

Risk #25
  Fact: The Port spends materially on employee travel and other related expenses.
  Identified Risk: Accountability risk and/or abuse
  Risk Measurement or Likelihood of Occurring: HIGH
  Action Plan: Travel and other related expenses are part of the department internal control review.
  See Detailed Work Plan: 2009 Department operational Control Reviews

Risk #26
  Fact: The Port sells its surplus equipment annually.
  Identified Risk: The sale might not be arms length transaction.
  Risk Measurement or Likelihood of Occurring: MODERATE
  Action Plan: Scrap sale was reviewed in 2008 as part of the Av. Maintenance review. IT is one of
    2009 proposed departmental operational control reviews. IT equipment is surplused regularly.
  See Detailed Work Plan: 2009 Operational department Control Reviews

Risk #27
  Fact: The Port prepares annual financial statements/CAFR.
  Identified Risk: Material misstatement in the financial statements
  Risk Measurement or Likelihood of Occurring: LOW
  Action Plan: The risk of material misstatement in government financial statements is LOW
  See Detailed Work Plan: Accounting Department has competent staff to mitigate this risk.

Risk Assurance

2009 Projected Audit Coverage 
The projected audit coverage for 2009 includes the following areas. The coverage is determined by two
factors: 1) risk as discussed in previous sections of this document and 2) available audit resources. The
coverage will be adjusted as necessary throughout the year.
Carryover Audits from Fiscal Year 2008 
During 2008, a number of limited scope special requests diverted available audit resources from
scheduled reviews. While a certain level of contingency was considered in the 2008 work plan, the
extent to which the contingency actually materialized was more than anticipated. Consequently a few
projects were not completed as scheduled.
• Police Department
This was scheduled to be a full scope departmental operational audit. All department operations
would have been subject to review based on risk.
Internal Audit will include the department as part of its 2009 work plan as a full scope department
operation audit.
• The following third-party agreements, concessions, and leases are currently underway: World Trade
Center, Bell Harbor Conference Center, Cruise Terminal of America (CTA), Host, Airport
Management Services Inc., Seattle Restaurant Associates, and a review of operational effectiveness
of the Port procurement system. The field work will be completed by the end of the year, but the
reports will not be finalized until the first week in February 2009.
• Corporate Accounts Payable
The 2008 work plan included reviews of certain areas in the Port’s accounts payable including
Professional Services Agreements (PSAs). The scheduled reviews were not contemplated as a
systems audit. Rather, Internal Audit intended them to be more of a substantive review of end
products (e.g., executed PSAs, S-type contracts, etc) for compliance. Internal Audit did not conduct
separate reviews of these areas during 2008 because some of the limited scope special requests (e.g.,
SAO audit issue follow-up procedures) included a review of the same areas. To perform separate
reviews would have duplicated audit efforts.
Internal Audit is proposing a systems operational review of the A/P in 2009 which, among other
things, will systematically review the areas included in the 2008 plan.
Performance Audits 
Internal Audit has identified three potential candidates for a performance audit in 2009: 1) space rental,
2) terminal operations, and 3) leasing operations.
Each of the above activities has a specific set of goals which are directly linked to the Port missions. A
performance audit will be conducted to determine the extent to which the stated goals have been
achieved.
Systems Audits 
Internal Audit recommends a review of both accounts payable (A/P) and payroll in 2009. The review will
focus on operational effectiveness and management monitoring controls.
Although the Port has not implemented an ERM system, Internal Audit will incorporate the risk
management part of the ERM into the scope of the systems audits. That is, systems will be reviewed in
terms of how well they manage risk in a systematic manner. This will be in addition to the internal control
review which is the usual scope of the review.
Department Operational Audits 
Performance audit perspectives, especially related to efficiency of operations, will be an integral part of
all departmental internal control reviews.
Internal Audit recommends the following department nodes for review in 2009. It should be noted that
Internal Audit may not review all individual departments within the node. Risk within the node may be
concentrated in some departments (i.e., risk is not distributed equally).
• Police Department
This is a carryover audit from fiscal year 2008. See comments above.
• Air Terminal
Air Terminal as a node is among the highest on both revenue (> $100 M) and expense (~ $4 M). It
includes such departments as: 1) Airport Communication Center, 2) AT Business & Lease
Management, 3) AT Services, and 4) Aviation Marketing. Payments to American Building
Maintenance (ABM) – which is the highest paid vendor in operating expense – are coded to this
node.
• Information & Communication Technology
ICT consumes the majority of communications related expenses including numerous IT purchases
below the Port capitalization threshold. Effective and efficient use of communication devices from a
performance audit perspective will be part of scope consideration.
• Third Party Management
The Port has three operations that are managed by a third party. Two of these operations were
audited in 2008, and Internal Audit plans to audit the third in 2009, Wright Runstad.
With the completion of the Runstad review, Internal Audit will have covered all 3rd party management
contracts. Internal Audit will be in a position to assess whether a cycled or continuous exposure is
necessary in the area in order to provide the Commission and management with reasonable
assurance. The focus of the third party management review is the effectiveness of Port monitoring
procedures.
• Security
Security as a functional group at the Port consumes a material amount of financial resources (~29 M
in 2007). The group also generates, although infrequently, grant revenues from other governmental
entities. Security in this context includes Police, Airfield Security, ID Badging, and Seaport Security.
The majority of the security related expenses are payroll, outside services, and supplies &
equipment. Effective and efficient use of FTEs from a performance audit perspective will be part of
scope consideration.
Internal Audit conducted a review of ID Badging in 2007 and plans to review Police in 2009. With a
review of Airfield and Seaport Security, Internal Audit will have reviewed all of the security-related
departments as a functional group at the Port.

Lease Compliance Audits 
To provide adequate coverage for the biggest single source of revenue to the Port, Internal Audit will
continue to cycle audits in this area. The focus starting in 2009 is operational audits, specifically the
effectiveness of Port management monitoring procedures.
Internal Audit proposes reviews of the following lease agreements in 2009.
• SSA TERMINALS LLC
• EAGLE MARINE SERVICES LTD
• ANTON AIRFOOD
• CONCESSIONS INT'L INC.
• MAD ANTHONY'S INC PIER 66
• MAD ANTHONY'S INC.
• BORDERS INC
• FIREWORKS
• CLEAR CHANNEL WORLDWIDE
• KIEWIT GENERAL JOINT VENTURE
• STONEPATH LOGISTICS INT'L SERVICES INC


Rent-A-Car (RAC) Audits 
For the past 4 years, Internal Audit has conducted these audits and recovered a significant amount of
underreported concession. Because of a staff shortage, Internal Audit conducted these audits with
assistance from an external firm. Internal Audit in 2009 will be staffed to a level sufficient to conduct
these audits internally.
Internal Audit recommends an audit of the following RAC agreements in 2009. The department will
utilize, as resources, contracted CPA firms from prior audits in a staff-assistance capacity and leverage
the knowledge and insight they have gained in the performance of the audit. The focus of the
audits will be the effectiveness of the departmental monitoring procedures.
• HERTZ CORPORATION
• AVIS RENT A CAR SYSTEM
• BUDGET

The Way Forward 
Consistent with the Audit Committee’s strategic goals over the next five years, Internal Audit will
continue to increase its focus on management and program performance from a performance audit
perspective. Internal Audit will assist management as a facilitator in the process of promoting and
implementing performance measures. In the meantime, Internal Audit will take steps toward the goals
by considering and incorporating (where feasible) performance audit elements into all reviews the
department conducts.
Port activity is replete with risks and rewards. Rewards are realized if risks are efficiently and effectively
managed. In this context, Enterprise Risk Management (ERM) has been discussed as a tool to
streamline the Port’s risk management practices. ERM is an enterprise-wide effort, and as such it takes
management commitment to successfully implement and reap full benefits. Internal Audit will continue
to participate, while maintaining independence, in ERM discussions with management. Once ERM is fully
implemented, Internal Audit will review the system to determine its effectiveness and efficiency.
Internal Audit reviews are planned and conducted based on risk (i.e., risk-based). No audit procedures
are designed and applied without first considering the nature and extent of risk associated with the
review subject. In line with the Committee direction, Internal Audit will expand the risk-based approach and
integrate an element of ERM into its audits.
One of the unique aspects of the Port is that it is financed with public funds as a public entity although
much of its activity is with the private sector. As such, the Port has no shortage of compliance
requirements from all levels of government based on public expectations. Simply stated, compliance
risk associated with being a public entity (i.e., public accountability and legal compliance) will always be
part of the Port’s risk landscape. Given that, any ERM system the Port management ultimately
implements will have to have an element to address accountability and legal compliance.
Much of the oversight on accountability at the Port is performed by the Washington State Auditor’s Office
either through annual accountability or scope-based performance audits. Internal Audit as a group has
over 30 years of public entity audit experience in the state and understands very well the kinds of
concerns the SAO would have in conducting these audits. Using this knowledge, Internal Audit will
continue to provide assistance to management with respect to the SAO audit process while maintaining
independence.

References
The auditing standards below provide guidance on the auditor’s assessment of risk. Although these
standards are more closely related to financial statement audits, their concepts and application are very much
applicable to the process used in A.R.A.P.
• SAS No. 104 – Amendment to SAS No. 1, Codification of Auditing Standards and Procedures (“Due
Professional Care in the Performance of Work”)
• SAS No. 105 – Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing
Standards
• SAS No. 106 – Audit Evidence
• SAS No. 107 – Audit Risk and Materiality in Conducting an Audit
• SAS No. 108 – Planning and Supervision
• SAS No. 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement
• SAS No. 110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the
Audit Evidence Obtained
• SAS No. 111 – Amendment to Statement on Auditing Standards No. 30, Audit Sampling
• 2007 Yellow Book.
• SAS No. 99 – Superseded SAS 82, Consideration of Fraud in a Financial Statements Audit - defines
fraud as an intentional act that results in a material misstatement in financial statements.
• Enterprise Risk Management – 2004 COSO Integrated Framework