Long Range Goals and Objectives: a proposal

Proposal Elements

1. Discuss and assess the underlying basis risks in the Annual Risk Assessment Plan.

2. Decide, based on the kinds and rankings of risk, what the long-term priorities of the Audit

Committee need to be.

3. Based on the basis of risks to be undertaken, re-write and formally adopt the Long-Range

Goals and Objectives document as an operational guide over the next three-year period

4. Review the resources of the Internal Audit Department to gauge whether they were able to

meet the goals set out in the Long-Range Goals and Objectives, and if necessary, request the

CEO provide budgeting needs going forward for those goals, for by augmenting Internal Audit

staff or by contracting with an external auditor.

5. Review the Audit Work plan and Annual Risk Assessment Plan for 2012 to insure they will

work to achieve the goals set out in the Long-Range Goals and Objectives document.

6. Bring the Audit Committee Charter into compliance with International Institute of Auditors

(IIA) standards.

7. As part of that, arrange for an external assessment to be conducted by a qualified,

independent reviewer or review team from outside the organization, in keeping with IIA

standards.

1. A review of the Annual Risk Assessment Plan for 2011 lists ten risk exposure elements at the

Port:

 Central Processing Systems

 Organizational Units: Internal Controls and Accountability

 Revenue (lease and concession)

 Federal Assistance

 Third Party Management

 Performance

 Financial Reporting/General Ledger

 ERM

 Special Investigations

 Capital Improvement Program

The vast majority of the report focuses on the second and third of those elements; Organizational Units,

which are mainly departmental units and their accompanying internal controls; and Lease and

Concession Revenues. This is not surprising, given that most of the description from a risk based

perspective of these areas focus on the overall size of the element, and these two areas cover the

largest financial units of the Port. The size is often expressed through a variety of indicators – operating

revenue, operating and other expenses, and payroll.

In several of these categories, there are breakdowns of sub-elements referred to as “nodes”. In the

section on these sub-elements that follows, there are explanations that contain information such as the

type of operation, the size of the operation, and the type of risk associated with it. Most of the risks

specifically identified are internal control risk, though performance risk, accountability risk, and others

are mentioned. In some elements or sub-elements, prior or present and future audits are mentioned,

mostly in areas that can be construed as high risk.

What then follows is a section called “Summary of Risks,” which contains 29 separate risks, and

associated factors, as well as an attempt to rate the likelihood of occurrence by high, moderate and low,

and the impact of the risk. This is then cross-referenced with the actual 2011 Audit Plan subsections. It

is not connected to any individual planned audits.

Finally, a plan for auditing is presented, based on:

 “1) Risk as discussed in previous sections of this document and

 2) Available audit resources. “

The plan is divided into ten different areas, with different audits assigned to each area:

 System Audit (1) (Adequate controls)

 Department Operational Audit (3) (Adequate controls, crane agreement processes)

 Lease Compliance Audits (10)

 Rent-a-Car Audits (2) (Revenue)

 Third Party Management Contracts (1)

 Lost and Found Audit (1) ( Adequate controls)

 Performance Audits (1) This seems to be actually an internal control audit.

 Continuous Monitoring (No audit, just monitoring.)

 Enterprise Risk Management (participation in management’s ERM work)

 Follow-up of significant prior audit issues (1)

 Special Request (1) (Compliance audit)

Some questions for possible consideration of the Audit Committee:

 Looking at this list we can see that almost 50% of all audit work is focused on Lease Compliance

Audits, though it will probably be less than that in staff time. This is justified by this: “To provide

adequate coverage for the biggest single source of revenue to the Port, Internal Audit continues

to maintain a level of presence and cycle audits in this area.” Yet the report also notes that the

ten units chosen are small in size. Should this be the focus of this much work?

 Most of the overall audits planned are either based on assessing adequate internal controls, or

revenue checking and recovery. Is this the desired framework for prioritization?

 Despite the categorization of risk in several different ways, there is no concrete connection

between risks stated and individual audits listed. Some of the 29 risks listed are attached to

specific audits, some are not. Most are referenced only by sub-headings, such as “2011

departmental and cross-functional audits.” Should there be a more substantiated connection?

 The issue of risk itself seems largely to revolve around size of the unit, as a measure of risk, in

that losses of revenue are perceived correctly as a major risk. But if a system is under great and

continual review, does that not lower the risk? What other methods would be useful? What

other standards of risk should be looked at?

 The process for choosing which audits get done seems to revolve around five criteria:

o Perceived risk

o Available Audit resources, both qualitative and quantitative, to conduct audits.

o Management requests

o Audit Committee requests

o Audit cycle issues (how long ago was an audit done)

So how are these competing, and/or conflicted criteria fed into the decision process, and how

are audits chosen?