PeopleSoft Upgrade Post-Implementation Audit 
Initially Issued on June 2015 
Reissued on October 2015 with the updated
management response to the first observation only on
page 5

Table of Contents 

Executive Summary 
Objective, Scope & Approach                   3 
Highlights and Accomplishments                 4 
Summary of Observations                  5-10 




This document is intended solely for the use of Port of Seattle Audit Committee and Management. It is not
intended to be used or relied upon by others for any purpose whatsoever.
This document provides the Audit Committee and Management with information about the condition of the
business at one point in time. Future changes in environmental factors and actions by personnel may
significantly and adversely impact the results of these analyses in ways that this document did not and
cannot anticipate.

Executive Summary 
Objective 
Protiviti was engaged by the Port of Seattle ("the Port") to perform a post-implementation review of the PeopleSoft Financials
system upgrade from version 8.4 to 9.1 to determine if the upgrade achieved the overall implementation goals, if the functional
performance and outcomes met the expected performance, to identify any lessons learned and to develop action plans, if
necessary. This document summarizes the objectives, key observations, and recommendations resulting from these efforts as of
April 2015. 
Scope 
The Post Implementation Review performed by Protiviti focused on the following key areas: 
A. Business Case and Planning 
B. Change Management and Installation 
C. Risk and Risk Mitigation; and 
D. Stakeholder Acceptance and Satisfaction 
i.    Quality Assurance, Stakeholder Approvals and Benefit realization 
ii.   PeopleSoft Current State Security Model Review 
Approach 
Protiviti adopted the following approach for the Post Implementation Review : 
Obtain and Review available documentation around the scope areas. 
Conduct interviews & demonstrations with stakeholders to understand processes, tools & repositories used during the
implementation that were deemed relevant to the review. 
Data sampling to corroborate the understanding obtained via interviews. 
(For Security review only)  Assess current state of PeopleSoft security model in Production and validate observations with
stakeholders. 

3      2015 Protiviti Inc. 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Executive Summary 
Highlights and Accomplishments 
In the course of conducting this audit, several areas of strengths were observed that could be leveraged during future initiatives. 
The following is a list of highlights and accomplishments that the Protiviti team would like to note for the benefit of the Port's 
Management: 
Delivery on project objectives and business functionality  It was noted, via interviews with project team, stakeholders and 
Senior Management, that the project team successfully delivered on the key objectives and business functionality. 
Project team collaboration  Per inquiry with project team and stakeholders, it was observed that there was very close 
collaboration between Information Technology, Accounting and Consultant teams during the course of implementation. This was 
key to completing an implementing such a scale of implementation under budget without significant schedule extension. 
Project budget planning and monitoring  Planned budget and actual spend were closely aligned for this project, with the 
project being implemented under budget . Per inquiry, it was noted that budget was closely monitored, regularly updated and 
shared with Senior Management. There were contingencies built into the budget given the lead time required to obtain 
approvals prior to commencing a project and although these were not used, it indicates a good level of planning on the team's 
part to plan for unforeseen expenditure. 
Risk management: Proactive Senior Management engagement and direction  Per inquiry it was noted that the frequency 
of meetings with Senior Management increased as the project moved closer to implementation. Proactive engagement by 
Senior Management around risks was noted in the specific instance of resource changes implemented by the team as a result 
of "sit-down" meeting with the Consultant when a skill mismatch was observed. Also, following the direction laid down by Senior 
Management, the project team took some key decisions early on in the project (excluding Project costing and adopting as much 
as out-of-box functionality as possible) that reduced risk exposure and contributed to a successful implementation. 
Planning documentation  Review of project documentation and information gathered via interviews indicate a high level of 
initial planning, with detailed plans (Change Management Plan  for organization and system changes, Risk Management Plan 
and Project Management Plan) being created upfront. 
4      2015 Protiviti Inc. 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Summary of Observations 
PeopleSoft Security Review: Administrative Access                                          Risk: High 
All five members of Production Support team retain administrative privileges to the application environment and access to
the database. Lack of traceability when logging into the Database using an administrative ID is a known issue in
PeopleSoft (with MS-SQL) that leaves the database vulnerable to unauthorized changes that cannot be attributed to
individual users. 
Recommendation: 
This level of access to financially sensitive information in the production environment is a high risk. Port Management or Internal Audit (IA)
could potentially decide to lower the risk rating based on their assessment of the effectiveness of the business process controls put in place,
both in terms of comprehensiveness of design and implementation effectiveness. Management should evaluate the below recommendations
in the light of resource/staff availability and any existing contractual obligations: 
Investigate the possibility of an automated mechanism to actively monitor Production environment for unauthorized changes. 
Consider setting up a production-like environment for troubleshooting production issues. 
Consider implementing a secured password vault for storing Administrator password, access to which should be limited to the appropriate
personnel, after obtaining the required approvals. Password should be changed after each access. 
Barring any changes to administrative access to reduce the risks associated with this observation, Port Management or Internal Audit
should consider conducting a thorough review of business process controls for comprehensiveness of design and implementation
effectiveness to evaluate if they adequately mitigate risks related to potential fraudulent activities. 
Consider assigning specific maintenance window for applying vendor-provided patches. 
Consider renegotiating SLAs with business, if required, in order to set expectations on turnaround time for resolving issue. 
Re-issued Management Response: 
ICT is implementing a new procedure designed to eliminate the potential for unauthorized changes to production data by any member of the
financial system production support team. This new procedure will terminate their direct access to production data, and will require that a
database administrator be concurrently involved in all updates/changes to production data that may be required to support the application. 


5      2015 Protiviti Inc. 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Summary of Observations 
PeopleSoft Security Review: Segregation of Duties (SoD)                                      Risk: Medium 
There is a lack of clear definition of roles or SoD in PeopleSoft resulting in some employees having excessive access
and ability to perform potentially fraudulent transactions. 
Recommendation: 
Management should consider undertaking a full review of SoD and sensitive access followed by associated remediation measures. A 
comprehensive role definition should be created for PeopleSoft financials application with clear SoD. All roles providing duplication of
access privileges should be appropriately remediated and roles that are not actively used should be removed from the database.
Management should also establish a schedule for a review of role definitions and configuration (in Production environment) on a quarterly
basis. Additionally, Management should also enhance the authorization request form to include accurate and detailed description of roles to
ensure appropriate access is requested for staff. 








6      2015 Protiviti Inc. 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Summary of Observations 
PeopleSoft Security Review: Segregation of Duties (contd.)                                     Risk: Medium 

Management Response: 
Port management appreciates Protiviti's observations resulting from their review of controls limited to IT systems risk, and respects that
Protiviti could not independently verify the comprehensiveness of design or validate implementation effectiveness of the Port's augmenting
business process controls in place, due to scope limitation of the audit engagement. Port management values Protiviti's recommendations
and will give them serious consideration as we continue to seek opportunities to refine and improve the broader systems/process internal
controls environment. 
An important point is that in addition to the system access/roles security protocols in place that enable a user to transact in PeopleSoft
Financials, the Port/Accounting & Financial Reporting (AFR) department has in place solid internal controls, as shared with Protiviti, in the
form of fully documented business process internal controls. This combined internal controls framework is robust and is expected to
addresses both financial systems risk and business process operational controls taken as a whole. Together, possible system risks are
expected to be effectively mitigated through business process controls, as a key risk exposure to the Port involving its financial systems are
the execution of fraudulent transactions that may result in a loss of funds or assets, or a material misstatement in its financial statements.
Internal controls over all key transactional and business processes are in place. 
The Port's overall system of internal controls (addressing both systems risk and financial business process risks) is audited annually by the
Port's independent Certified Public Accounting firm (Moss Adams) as to design and operational effectiveness, as part of their audit of the
Port's financial statements and federal awarded funds administration/regulatory compliance. These internal controls are also audited
annually by the Washington State Auditor's Office as part of their public funds/assets accountability audit, focused on evaluating whether
public resources are handled properly and in compliance with laws and regulations, and whether effective internal controls are in place to
promote accountability and encourage sound financial management practices. The Port annually receives clean audits (no major findings)
as to the overall design and operational effectiveness of the internal controls in place including the use of the PeopleSoft Financials
system. 

7      2015 Protiviti Inc. 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Summary of Observations 
PeopleSoft Security Review: Segregation of Duties (contd.)                                     Risk: Medium 

Management Response: (contd.) 
The Port of Seattle acknowledges that a security design document for v9.1 setup/configuration is not currently present. Where a
functional/technical design document may often be developed during a comprehensive upgrade project when security is configured; the
PeopleSoft Financials v9.1 upgrade was a technical only upgrade and within this scope the Port did not utilize resources to fully implement
formal best practice. Rather, the decision was to focus resources on functionality critical to business operations. It was decided that
security would be rolled over to the new version status quo thus, a comprehensive design document was not completed at that time. 
However, the Port does absolutely adhere to formal security administration protocols. While undocumented in terms of design, the
business processes that support this key responsibility are firmly established and followed. All PeopleSoft Financials security requests go
through a 3-tier review and approval process. First, requests are submitted to the respective operational workgroup manager for first tier
approval. They are then forwarded to a separate team, the AFR Business Technology Analysts, for review/approval. They are then 
submitted to yet another separate group, the ICT PeopleSoft Developer team. The AFR Business Technology team does not have access
to the PeopleSoft PeopleTools module where security access is administered. The ICT PeopleSoft Developers separately have this
security access to update the end users security profile in PeopleSoft. Furthermore, a quarterly security audit, separately administered by
the AFR Business Technology team, is also performed where each employee that has access to their PeopleSoft Financials module is 
reviewed by the workgroup managers for reasonableness and appropriateness. 
The Port of Seattle appreciates and will consider the recommendation of creating a comprehensive security design document to document
the security protocols in place and make any further refinements as informed through this audit. 



8      2015 Protiviti Inc. 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Summary of Observations 
PeopleSoft Security Review: Segregation of Duties (contd.)                                     Risk: Medium 

Management Response: (contd.) 
The Port of Seattle PeopleSoft Team (includes ICT PeopleSoft Developers and AFR Business Technology Analysts) partner, and share 
distinct and separate responsibilities, to administer security for PeopleSoft Financials. The AFR Business Technology team is responsible
for approving and auditing all transactional add/update access to PSFS modules. The ICT PeopleSoft Developers are responsible for
approving and auditing the delivered roles that are used by ICT to administer the database and associated tasks. For this reason, the
Roles that the AFR Business Technology Analysts are responsible for are "hard coded" into the query criteria that is used to perform the
audit. The role that this audit report references was an old, outdated, PeopleSoft delivered role that is no longer being used by AFR.
Hence, it was not "hard coded" into the query criteria and, therefore, did not appear in the comprehensive quarterly audit review process.
We note that while there were roles identified that were not present on the PeopleSoft Financials Security Request Form, the administration
and audit that is performed on our security module is very comprehensive and there are no employee's with inappropriate or unauthorized
access. This is affirmed by AFR's quarterly review. 
We have, however, recognized the opportunity presented and are developing new reports that will capture all roles that are assigned to any
Port of Seattle employee, regardless of departmental ownership. The PeopleSoft Authorization Form will be updated to include all roles
that are active in the Production environment. 




9      2015 Protiviti Inc. 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Summary of Observations 
PeopleSoft Security Review: Segregation of Duties (contd.)                                     Risk: Medium 

Management Response: (contd.) 
The PeopleSoft Financials v9.1 Authorization Request form includes 3 columns: the PSFS Module, Role, and Description. This form is
completed by the end user, or end users manager. The descriptions of the roles are intended to be generic as our audience is not
necessarily of technical background. While the title may not be all encompassing, the information contained is accurate. The typical
business process that is followed for security is for the end user to request that we "clone" another user who is performing the same work.
The end user then populates the appropriate roles on the form to submit for approval. A form referencing the role description as the
specific technical verbiage for the page/component name would cause confusion for our end users. Nevertheless, as we plan to develop a
comprehensive security design document, we seek to find a practical balance of understanding for our end users. A permission 
list/page/component/add/update/correct description can be noted, in addition to a description that makes sense to the end user. 
The above discusses the comprehensive system/roles security and transactional/operational internal controls in place. We also clarify that
a different system security risk area that these controls would in part mitigate is in regard to Protiviti's observations provided under the
section, "PeopleSoft Security Review: Administrative Access" which is responded to separately in that section. 
Port management appreciates the analysis and observations noted by Protiviti. We will continue to build upon our sound internal controls
that are in place, with serious consideration to the recommendations provided.
As we have collectively acknowledged, the technical upgrade from v 8.4 to v9.1 was in itself a massive and complex undertaking, but a
very successful implementation that went live smoothly and which the Port is very proud of. 



10     2015 Protiviti Inc. 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.