An audio recording of the meeting proceedings and meeting materials are available on the Port of Seattle

web site - www.portseattle.org.

Manager of Human Resources Information System; Jeff Hollingsworth, Senior Manager of Risk

Management; Joyce Kirangi, Internal Audit Department Director; Jack Hutchinson, Internal Audit Manager;

Tom Barnard, Research and Policy Analyst; and Katherine Blair, Commission Records Specialist.

Commissioner Holland was absent.

Call to Order:

The committee special meeting was called to order at 9:10 a.m. by Commissioner Albro.

Approval of Audit Committee Meeting Minutes of November 1, 2011:

On motion by Commissioner Tarleton, seconded by Commissioner Albro, the minutes of the Audit

Committee special meeting of November 1, 2011, were approved.

Enterprise Risk Management Project:

Technology (ICT). Mr. Thomas noted the importance of concentrating on evaluating the usefulness and

benefit of the framework for considering enterprise-level risks and the appropriate degree of application of the

methodology for Port operations.

Ms. Smith stated there are two stages to the ERM process, including a series of interviews and a

workshop. Interviews included 19 different people, senior managers, middle managers, and front line staff,

both in ICT and five ICT stakeholders. Members in the ICT department were asked:

 Given your strategic objectives what are the biggest risks to achieving those?

ICT users where asked:

 What do you see as the biggest risks to achieving your business objectives with regard to ICT

services?

In response to Commissioner Albro, Mr. Hollingsworth noted that five ICT stakeholders were identified in

conjunction with Kim Albert, Senior Manager of ICT Business Services, and included Lindsay Pulsifer, Mark

Coates, Dakota Chamberlin, Rudy Caluza, and Mike Ehl.

Ms. Smith noted that after discussing the results in the workshop, the second part of the workshop focused

on creating a risk matrix that included the likelihood of a risk’s occurrence and the impact if the risk occurs.

In response to Commissioner Tarleton, Ms. Smith stated that the people who were interviewed were the

ones invited to participate in the workshop. Commissioner Tarleton stated that the fact that the 50 risks

were consolidated into 17, which were then consolidated down to 16 at the workshop, demonstrates that

the methodology for consolidating those risks is sound.

Ms. Smith stated that the workshop used real-time voting software, which participants used to vote on the

likelihood the risk would happen and the impact if the risk happens (given the mitigation efforts already in

include identifying the consequences.

Mr. Hollingsworth noted impact and likelihood were weighted equally for the final score. Commissioner

Tarleton noted it was interesting that decentralized systems were identified as the highest risk and highest

likelihood out of the 16. Decentralized systems can also create a cushion to help rebuild capacity and

potentially rebuild systems due to catastrophic loss. Ms. Smith commented that the decentralized systems

also included decentralized management and decision making and coordination. Commissioner Albro

asked about the ICT budget as a risk. Mr. Thomas stated it was a risk of having insufficient funding.

Commissioner Albro stated that there is also opportunity cost from a growing ICT budget as it pulls money

away from other projects. He stated it is important to look at the enterprise as a whole when identifying

risks.

Port is appropriate.

Ms. Gehrke observed that all 16 risks were either likely or almost certain. She asked if there was

something in the modeling that overstated risk. Mr. Hollingsworth stated there were other items identified,

but because of the mitigation already in place were not included in the risk matrix. Ms. Gehrke suggested a

statement that the only risks listed are those of high likelihood in the interest of transparency.

Comprehensive Operational Audit – Airfield Operations:

At the discretion of the Chair, a written report was accepted in lieu of a staff presentation on the

Comprehensive Operational Audit of Airfield Operations, covering the period of January 1, 2008, to

December 31, 2010. The purpose of the audit, as reported, was to determine whether management had

implemented adequate controls to ensure the following:

 Professional services contracts are in compliance with requirements;

 Small and attractive items are properly safeguarded; and

 Benchmarks are available and can be used to help improve Airport operations.

The report included no findings of significance, and there was no discussion of this agenda item.

 Who will conduct the peer review?

Ms. Gehrke stated that it is clear that the Port has to follow the Government Accountability Office’s

Government Auditing Standards (Yellow Book) as a government entity; however, there may be items in the

International Standards for the Professional Practice of Internal Auditing (Red Book) that should be looked

at that would be beneficial. Ms. Gehrke noted that there were no concerns with having the Association of

Local Government Auditors (AGLA) do the peer review work. Ms. Kirangi noted the opinion letter would be

on the Yellow Book, and that if elements are selected from the Red Book a second opinion letter would be

necessary. Ms. Gehrke suggested having an opinion on both the Yellow and Red Book with gaps identified

so the committee can discuss the gaps and see if they are applicable. Ms. Kirangi stated that the Internal

Audit department used the Yellow Book and, when the department is audited, that is the standard that is

used. In terms of combined processes, the Internal Audit department uses the Government Auditing

Standards rather than the Red Book. Ms. Gehrke responded that the structure at the Port includes an

Commissioner Albro requested that Ms. Kirangi review the minutes from November 1, 2011, particularly the

Department, among others. Commissioner Albro asked to see a letter of engagement or a letter of

invitation that describes exactly what the Port is asking the agency that will do the peer review to do. The

Audit Committee will need to see the official document and approve it before it is mailed or published.

Commissioner Albro asked to have the letter at the January 10, 2012, committee meeting for approval.

In response to Ms. Kirangi, Ms. Gehrke clarified the committee does not need a request for proposal, rather

an engagement letter that clearly states what the scope of work will include.

Mr. Barnard stated that there are no concerns if the AGLA needs to submit two letters of opinion as long as

the content is covered. Commissioner Tarleton stated that she is not as concerned with who does the

work, but wants the scope of work to be clear and approved by the Audit Committee.

2011 Work Plan Status Update:

across the Port have been interviewed and shared what their key concerns are in their divisions and Port-

wide. Six overall risks where identified including ICT, strategic/governance, operational, compliance,

accountability/transparency, and reporting risks. He reported that the preliminary 2012 work plan includes

lease and concession, limited operational, business units/department, third-party management, and central

key processing system audits.

Ms. Gehrke asked for statistics of the auditable units that shows how many belong to which group, such as

lease and concession audits. Mr. Hutchinson stated that over 90 percent would be lease and concession

audits. Ms. Gehrke requested that lease and concession audits be separated from the remaining auditable

units, and for the remaining to be listed out.

Ms. Gehrke stated that it is unclear how the six different areas of impact are combined to form one impact

score. She noted the maximum total score is 25, but the highest score is a 14.25, which suggests there is

no critical risk at the organization, although the results of the ERM showed a lot of high critical risk in ICT.

Ms. Gehrke asked if there was a disconnect between how Internal Audit and management view risk and

how ERM should be incorporated into the Internal Audit risk assessment. Mr. Hutchinson stated they

would provide the requested information and noted that the scale used by ERM is different from the Internal

stated there should be some examination of why the ERM would show high risk, when the auditors do not

show a high risk. Commissioner Tarleton commented that the peer review might help when looking at the

way risk is determined. Ms. Kirangi stated that one of the items used in determining risk is information from

past audits.

Adjournment:

There being no further business, the special meeting was adjourned at 10:30 a.m.