Internal Audit Department Types of Audits All audits engagements begin with an audit objective. The audit objective or the audit question determines the type of the audit and the audit standards to follow. Internal auditing is an important part of overall governance, accountability, and internal control. Per government auditing standards, a key role of many internal audit organizations is to provide assurance that internal controls are in place to adequately mitigate risks in order to achieve organization goals and objectives. The Institute of Internal Auditors (IIA's) International Professional Practices Framework (IPPF) defines Internal Auditing as follows: • Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. • It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Port of Seattle Framework for Audit Consideration Commission CEO/Port Management Port Staff Overall Desired Results (Outcomes and Outputs) Sets the overall direction and Policy Establish governance structure/ functions/departments to carry out the objectives Design and establish strategies and systems for accomplishing goals and objectives Establish processes for each function/department Operate systems as designed by management Carry out processes as designed by management Maintain financial records and documents actions taken Carry out the established processes and policies. Report results to management Outcomes, outputs, Desired Results Develop policies and procedures for each process Ensures established processes/ infrastructure meet requirements An asterisk indicates services currently provided by IA Outcomes, outputs Desired Results Outcomes, outputs Desired Results Desired Results Desired Results Page 1 Internal Audit Department Port of Seattle Mission Statement: Create Economic Vitality HERE Port of Seattle Organization Chart and Framework for Audit Consideration King County Voters Commission Executive Office Aviation Business Development Airport Operations Airport Properties Aeronautical Business Development & Management Landside Concessions Aviation Facilities Aviation Executive Aviation Director's Office Airport Office Building Management Community Development Building Department Finance & Budget Facilities & Infrastructure Environmental Management and Planning Utilities Security Maintenance Seaport Real Estate Capital Development Lease & Asset Management Development & Planning Aviation Project Management Accounting & Financial Reporting External Affairs Cruise & Maritime Operations Facilities Management Capital Development Administration Finance & Budget Health & Safety Commercial Strategy Harbor Services Central Procurement Office Human Resources & Development Information & Communications Technology Environmental & Planning Fishing & Commercial Vessels Engineering Internal Audit Labor Relations Finance & Budget Recreational Boating Port Construction Services Legal Office of Social Responsibility Maintenance Seaport Project Management Police Department Public Affairs Regional Transportation Risk Services Seaport Administration Portfolio Management Corporate Real Estate Administration Fire Department An asterisk indicates services currently provided by IA Page 2 Internal Audit Department Government Auditing Standards (GAGAS) classifies audits into three broad categories as follows: Financial Audits Performance Audits, and Attestation 1. Financial audits - Financial audits provide an independent assessment of whether an organization's reported financial information (e.g., financial condition, results, and use of resources) are presented fairly in accordance with recognized criteria (for example, FASB or GASB pronouncements). The auditor issues an independent opinion on the fair presentation of the financial statements. As part of the financial audit, the auditor also reviews the following processes only to the extent that the systems are significant over financial reporting:  Internal control system and process*  Compliance with laws and regulations*  Provisions of contracts and grants* Professional firms outside the organization typically conduct these types of audits. Currently, Moss Adams conducts the Port financial audit. 2. Performance audits - Performance audit objectives may vary widely and include assessments of program effectiveness, economy, and efficiency; internal control; compliance; and prospective analyses. Performance audits are intended to improve organizations performance, operations, reduce costs, facilitate decision-making, and contribute to public accountability. *The audit objectives that focus on program effectiveness and results typically measure the extent to which an organization is achieving its goals and objectives. Example, how well is the program/department working? Is it achieving the intended results? Is it meeting the target? The audit objectives that focus on economy and efficiency address the costs and resources used to achieve organization results. Example, why does it cost this much? Would it cost less...? How can we do the same for less (economy)? How can we produce more with the same resource (productivity)? An asterisk indicates services currently provided by IA Page 3 Internal Audit Department Performance audit objectives vary widely and may include review and assessment of the following:  Organizations/Programs effectiveness*  Organizations or Program economy/efficiency --includes development of benchmarks criteria against which performance is evaluated against  Internal controls*  Compliance*  Prospective analyses and other information* - analysis and conclusions based on assumptions about events that may occur in the future Typical questions in performance audits  Is this organization/program accomplishing what it's supposed to? (program results/effectiveness)*  Are the procedures adequate or sufficient to...? (process results/effectiveness)*  Does it have to cost this much? (program/service efficiency)  Can we produce more with the same resources? (productivity)  Is this agency doing what's required? (compliance)*  Is the agency handling resources responsibly? (compliance*/efficiency)  What really happened? (investigation)*  How much, how many, what if...? (information)* Currently, the Washington State Auditor's Office (SAO) conducts Port's performance audits at the Port. 3. Attestation Audits - An attest engagement is an engagement in which a practitioner is engaged to issue, or does issue, an examination, a review, or an agreed-upon procedures report on specified subject matter, or an assertion about the subject matter, that is the responsibility of another party. The responsible party in attest engagements is the person, individual or representative of the entity, who is responsible for the subject matter. Internal Audit, conducts a combination of many elements of audit attestations as outlined on the operational audits section. Other Types of Audits 4. Operational Audits -Operational auditing involves an objective review and assessment of the control (strategies, processes, systems, and other operating activities) that management has designed and implemented in order to achieve organizational goals and objectives. The auditor's objective is to provide independent assurance on the effectiveness of management An asterisk indicates services currently provided by IA Page 4 Internal Audit Department controls. The auditor gives an assurance of the end-results that management is trying to accomplish. For example, if management objective is to create jobs, the auditor gives an assurance whether the established (infrastructure) controls are effective to allow the creation of jobs. An operational auditor can also audit to determine whether such jobs were created. As part of the audit, an operational auditor evaluates and assesses the following:  Management efforts such as established internal controls which includes the overall governance, plan, operational strategies, policies, methods, and procedures adopted by management to meet its missions, goals, and objectives. *  The processes implemented by management for planning, organizing, directing, and controlling business unit/department operations. *  The systems put in place for measuring, reporting, and verifying the reliability and relevance of information, including monitoring business units/ or departments performance. *  Internal control is critical as it serves as a defense in safeguarding assets and in preventing and detecting errors; fraud; noncompliance with provisions of laws, regulations, contracts and grant agreements; and abuse. Part of operational auditing involves assessing and evaluating the following areas which are an integral part of internal control:  Risk assessment/Risk management efforts*  IT governance/information systems controls  Controls over compliance with applicable laws, regulations, contracts, and grant agreements*  Accountability*  Fraud*  Analysis of financial activities and non-financial information* 5. Compliance Audits* - reviews for compliance with governance regulations and policies aimed at increasing fiscal transparency of an organization. At the Port, this includes compliance audit of over 600+ lease and concession agreements. Currently, Internal Audit spends a great deal of time auditing Port contracts and concessions. In addition, other Washington State agencies like Department of Revenue and Department of Retirement audit various compliance requirements within the Port. Compliance requirements can be financial or non-financial. 6. IT Audits -reviews and assesses the design and effectiveness of computer general and application controls. An asterisk indicates services currently provided by IA Page 5