Minutes
P.O. Box 1209
Seattle, Washington 98111
www.portseattle.org
206.787.3000

APPROVED MINUTES
AUDIT COMMITTEE SPECIAL MEETING
AUGUST 11, 2015

Audio recordings of meeting proceedings and meeting materials are available on the Port of Seattle web site: www.portseattle.org

The Port of Seattle Commission Audit Committee met in a special meeting Tuesday, August 11, 2015, in the Commission Chambers at Pier 69, 2711 Alaskan Way, Seattle, Washington. Committee members present included Commissioner Albro, Commissioner Creighton, and Christina Gehrke. Also present were Ted Fick, Chief Executive Officer; Dan Thomas, Chief Financial Officer; Joyce Kirangi, Internal Audit Department Director; Jack Hutchinson, Internal Audit Manager; Elizabeth Pyatt, Assistant Auditor, Washington State Auditor's Office; Tammy Bigelow, Audit Manager, Washington State Auditor's Office; Tony Samer, Managing Director, Protiviti; Sriram Rajagopal, Senior Manager, Protiviti; Ruth Riddle, Senior Internal Auditor; Brian Nancekivell, Senior Internal Auditor; Lindsay Wolpa, Commission Issues and Policy Manager; and Amy Dressler, Assistant Commission Clerk.

Call to Order: The committee special meeting was called to order at 9:04 a.m. by Commissioner Creighton.

Approval of Audit Committee Meeting Minutes of May 7, 2015: The minutes of the Audit Committee special meeting of May 7, 2015, were approved.

External Audit Washington State Auditor's Office Entrance Conference: The Committee received a presentation from Ms. Pyatt and Ms. Bigelow that contained the following information: This accountability audit will determine whether there has been adequate safeguarding of public resources and reasonable adherence to state law, regulations, policies, and procedures. Planning is still underway; therefore specific areas to be audited have not yet been determined. Auditors will be on site through mid-October. A date for the exit conference is to be determined.

Information Technology and Communications Audit PeopleSoft Post-Upgrade Implementation: The Committee received a presentation from Mr. Samer, Mr. Rajagopal, and Ms. Kirangi that included the following information: The Information and Communications Technology (ICT) audits were outsourced to Protiviti as part of the 2015 work plan. Outsourcing this type of audit is beneficial because outside firms specializing in technology are better able to keep up with the rapid changes inherent to this field.

Information technology audits examine risk in two environments: the environment specific to technology, including controls such as user management, maintenance and upgrades, and business continuity; and the environment involving management controls such as reviews and separation of duties. Risk can be managed in either environment; a risk in the technology environment could be mitigated with use of a manual control.

The upgrade of the PeopleSoft Financials system from version 8.4 to 9.1 was a complicated project bearing more resemblance to a complete reimplementation than a simple upgrade. The intent of this audit was to determine whether the upgrade achieved the implementation goals, if the functional performance and outcome goals were met, to identify lessons learned, and to gauge stakeholder reactions.

Highlights of the implementation include a high level of satisfaction with the functionality of the system; close collaboration between ICT, accounting, and consultants during the implementation; successful planning and monitoring of the project budget; proactive engagement by senior management regarding risks to the implementation; and exceptional planning documentation, which represented best practices.

A high level of risk was found related to administrative access to the system. Five members of the Production Support team have administrative privileges, leading to a lack of traceability.
This is a known issue when PeopleSoft is used with MS-SQL, leaving the database vulnerable to unauthorized changes that cannot be traced to an individual user.
  o Protiviti recommends implementing additional monitoring or business process controls to mitigate this risk. Some suggested solutions, like a vaulted, frequently-changed password, have been implemented by other organizations who have identified this risk.
  o The management response from ICT expresses disagreement that this is a high risk issue. They discussed this known issue with Protiviti at the beginning of the assessment period. Management believes that the Accounting & Financial Reporting (AFR) department's process controls provide additional security, and that the five individuals with administrative privileges are essential to the operation and maintenance of the financials environment.

A medium level of risk was found related to segregation of duties. Documentation and clarity regarding definition of roles, with accompanying levels of access, should be improved. Processes should be developed to review role definitions and remove redundant access privileges.

Concern was expressed regarding the difference of opinion between auditors and ICT management regarding high level of risk related to administrative access. The committee requested elaboration upon the management response.

Peter Garlock, Chief Information Officer, and Matt Breed, Assistant Director, ICT Infrastructure, commented on the response to this issue. Mr. Garlock reiterated that it has long been a known issue and they have been looking for efficient ways to mitigate the risk. He stated that this project represented a much more complicated data migration than a typical software upgrade. Any changes made through the application are attributed to the individual who made them; it is only if someone with database rights makes changes directly in the SQL database that those changes are unattributed.
The number of system administrators necessary to provide the appropriate level of expertise and coverage was carefully considered, and five was the minimum number determined necessary. These five individuals have undergone FAA and FBI background checks. Additionally, management controls are in place on AFR's end to ensure that the financials balance. If an anomaly is detected, some examination of who has been working in the database can be done. ICT continues to look at alternatives to mitigate this risk.

Commissioner Albro stated his opinion that the amount of capital managed by the Port is too great to accept this risk, however unlikely, and urged ICT to continue looking for ways to solve this problem that do not rely on the five individuals with administrative access. He pointed out that this makes those individuals vulnerable to scrutiny and repercussions if something were to go wrong.

The committee requested further management examination of this matter, including a look at how other public entities have addressed this problem, and an additional report at a later date.

Information Technology and Communications Audit Data Center: The Committee received a presentation from Mr. Samer, Mr. Rajagopal, and Ms. Kirangi that included the following information: The object of this audit was to assess data center operations, determine whether adequate controls are in place to mitigate risks, and to determine whether the data centers could act as recovery centers in the event of a major disaster at one of the sites. Physical facilities were examined as well as processes. Areas of focus included power infrastructure, environment, physical security, backup and disaster recovery planning, asset management, and logistical access.
Protiviti's assessment was that staff is knowledgeable and well-trained, sites comply with best design practices, backup-power systems are in place, and power supplies are tested regularly. Protiviti identified a few areas where improvements could be made:
  o ICT and Aviation have separate sets of processes and procedures, which can result in inconsistent management of the data centers.
  o The physical locations of the data centers were not designed to house IT equipment and could be vulnerable to disasters such as flooding.
  o The Scheidt Bachmann parking revenue backup procedures are insufficient because the backup tape is stored in the same room as the system.
  o Aviation Maintenance should create a formal disaster recovery plan.

Limited Operational Audit Aviation Division Manual Receipting Operations: The Committee received a presentation from Ms. Riddle that included the following information: This audit reviewed information for the period of January 1, 2013, to December 21, 2014. The purpose of this audit was to determine whether Aviation division management controls are adequate to ensure that manual receipts are complete, and that there has been compliance with applicable legal requirements. Manual receipts account for about ten percent of the Port's revenue. There were no reportable findings.

Limited Operational Audit Seaport Truck Scrappage and Replacements for Air in Puget Sound (ScRAPS 2) Program Audit Termination: The Committee received a presentation from Mr. Nancekivell that included the following information: The proposed objective of this audit was to assess management controls over program funds and compliance in achieving desired program outcomes. During the planning and risk assessment phase, it was determined that risk is very low, and that many areas the audit would cover have been recently examined by Moss Adams. This audit was terminated.

Lease and Concession Audit LSG Sky Chefs Inc.: The Committee received a presentation from Mr. Hutchinson that included the following information: The purpose of this audit was to determine whether concession fees were complete, properly calculated, and remitted in a timely manner, and to ensure that the Port and lessee complied with provisions of the Lease and Concession Agreement, as amended. This audit reviewed information for the period of March 1, 2011, to February 28, 2014. There was one reportable finding: Sky Chefs did not provide the audit response in a timely manner.

Upcoming Request for Proposal, External Audit Firm: The committee received a report from Ms. Kirangi that included the following information: The Port's contract with Moss Adams is up at the end of 2015. The next contract term will cover the period of January 1, 2016, to December 31, 2020. The audit committee's charter indicates that it must provide a recommendation to the Commission regarding a contract with an external auditor. A request for proposal will be presented for approval at the next Audit Committee meeting.

Adjournment: There was no further business, and the special meeting adjourned at 10:35 a.m.

Tom Albro

Minutes approved: October 6, 2015.