Presentation
INTERNAL AUDIT

2018 Proposed Audit Plan

AUDIT CATEGORIES

I. Limited Contract Compliance: 6 Audits (35% of Total Audits)
Generally focusing on revenue/concession fees due to the Port, limited in scope, data intensive.

II. Operational: 8 Audits (47% of Total Audits)
Broader in scope than contract compliance audits. Involves gaining an understanding of processes and related efficiencies/controls.

III. Information Technology Audits: 3 Audits (18% of Total Audits)
Focus is on General IT System controls and vulnerabilities.

2018 Limited Contract Compliance

- Cycle Audits
- Contract never audited but deemed higher risk
- Contracts expiring in 2019
  - Provide audit an opportunity to review contract compliance & gaps before contract expires
- Issues noted during previous audit
  - Follow up to assure issue has been remedied and risks mitigated
- Aviation specific directional information only (unaudited)

2018 Limited Contract Compliance

Year columns: 2018 2017 2016 2015 2014 2013
Beecher's Handmade Cheese: X
Sky Chefs, Inc.: X X
Suns, Inc.: X
Dollar Rent-A-Car: X X
Thrifty Car Rental: X X
Fox Rent-A-Car: X X

2018 Operational Audits

- Carryover audits from 2017
- Airport Taxicabs follow up on high risk issues
- Capital Spend Focus IAF, North Satellite
- Northwest Seaport Alliance
  - Review of operations and administration against the NWSA Charter to determine compliance
- RSM Risk Assessment Analysis - Key Audit Ideas

2018 Operational Audits

Year columns: 2018 2017 2016 2015 2014 2013
Taxi Cabs (Eastside): X X
TNC's Rematch (E-KPI's): X X
Maritime Maintenance Shops: X
Capital Program IAF: X X
Capital Program North Satellite: X
Northwest Seaport Alliance: X
Seatac Utilities: X
Disbursements/Accounts Payable: X
Legend: Carryover to 2018 from 2017 Audit Plan

2018 Information Technology Audits

- Data Centers Aviation Maintenance (AVM)
  - AVM Data centers have never been audited
  - Critical systems are housed in these data centers
- Change Management (AVM)
  - Lack of a single approach to Change Management and a single source of record for system configurations greatly increase the risk of unplanned business disruptions.
- A new parking system was implemented in late 2017. Audit will review the technology controls surrounding this new system.

Year columns: 2018 2017 2016 2015 2014 2013
Data Centers (AVM): X
Change Management (AVM): X
T2 Systems ParkingSoft: X

2018 Proposed Audits

Limited Contract Compliance
- Beecher's Handmade Cheese
- Sky Chefs, Inc.
- Suns, Inc.
- Dollar Rent-A-Car (CMC Investments, Inc.)
- Thrifty Car Rental (DTG)
- Fox Rent-A-Car

Operational
- Taxi Cabs (Eastside)
- TNC's Rematch (EKPI's)
- Maritime Maintenance Shops
- Capital Program IAF
- Capital Program North Satellite
- Northwest Seaport Alliance
- Seatac Utilities
- Disbursements / Accounts Payable

Information Technology
- Data Centers - AVM
- Parking Soft System
- Change Management AVM

Legend: Carryover to 2018 from 2017 Audit Plan

Information Technology Audit
ICT Disaster Recovery Capability
June 17, 2017 October 30, 2017
Prepared by Point B in partnership with the Port of Seattle Internal Audit department

ICT Disaster Recovery Audit: BACKGROUND

What is the difference between Business Continuity and Disaster Recovery?

- Business Continuity maintains critical business functions in the event of a disaster or catastrophic loss of capabilities, i.e. Business Continuity is the business' survival plan.
- IT Disaster Recovery is an IT discipline focused on the restoration of critical technology services after a catastrophic loss, such as the loss of an entire facility or a regional disaster.

Disaster Recovery Objectives:
- Maintain IT DR capabilities meeting desired business risk mitigation profiles
- Minimize the impact of disruptions to the business from catastrophic technology losses
- Restore services within Recovery Time and Recovery Point Objectives
- Maintain effective incident management, and governance
- Maintain effective communications to customers

ICT Disaster Recovery Audit: AUDIT OBJECTIVE

Assess ICT's IT Disaster Recovery processes and capabilities, including new DR capabilities under construction today in Spokane

SCENARIO
- Complete loss of ICT's primary data center (MER/VD)
- Collateral events outside of MER/VD, such as a regional disaster, were not addressed due to audit time and cost limitations
- The scenario modeled is a high-impact, but very low likelihood event

MER/VD = Main Equipment Room / Voice and Data

ICT Disaster Recovery Audit: AUDIT RESULT

In general, internal controls were adequate:
- Technology designs include operational redundancies for all critical systems
- MER/VD data center is designed to withstand major failures and remain operational.
- ICT follows best practice approaches for continuous development of DR capabilities
- ICT's major incident processes are mature and well-practiced and have been tested on more than 5 major failures

However, we identified two opportunities for improvement

ICT Disaster Recovery Audit: IMPROVEMENT #1

Pairs of high-availability network equipment supporting the Operations network, Enterprise network, and Internet Egress are not geographically segregated.

Recommendations
1. Initiate a project to add geographic redundancy to these critical network systems
2. Consider the low likelihood of a significant event, operational impacts, and high priority of completing the present Spokane IT DR project when scheduling

Management Response
Management agrees with the assessment and recommendations. (See Audit Report for details on Management Response)

ICT Disaster Recovery Audit: IMPROVEMENT #2

ICT Disaster recovery processes are not integrated and aligned to the process utilized by the Emergency Coordination Center, creating a risk of inefficient recovery efforts

Recommendations
1. Improve the existing program for initial and refresher NIMS ICS training for all ICT directors, managers, and key technical leads
2. Familiarize the remaining ICT staff with an overview of NIMS ICS
3. Participate in ECC mock exercises and develop mock technology incident scenarios for integrated ECC/ICT training
4. Reconcile ICT resource and location issues with ECC for technology incidents

NIMS = National Incident Management System
ICS = Incident Command System
ECC = Emergency Coordination Center

ICT Disaster Recovery Audit: IMPROVEMENT #2 (Continued)

Management Response
1. We will baseline NIMS/ICS training, at appropriate levels, within ICT by March 31, 2018 or as available. The frequency of refresher training is being addressed at a Port policy level, with a recommendation of every 2 years
2. ICT now has a formal seat within the ECC and will be included in exercises that have technology components that would require their participation
3. As part of the training coordination effort, roles and location expectations, along with overall ECC coordination (and exercising), will be addressed

Information Technology Audit
ICT IT Change Management
June 17, 2017 October 30, 2017
Prepared by Point B in partnership with the Port of Seattle Internal Audit department

ICT IT Change Management Audit: BACKGROUND

What is IT Change Management?
A broadly accepted, industry best-practice that governs the identification, prioritization, authorization, release, and communication of all changes to production environments

Process Objectives:
- Identify and quantify the risk and impact of changes to the Port's production systems
- Minimize both planned and unplanned business service disruptions
- Manage the prioritization and release of change to production environments
- Effectively communicate changes and disruptions to affected business stakeholders

Example Changes:
- Security and application patches
- New software releases
- Phone system updates
- Maintenance of IT infrastructure

ICT Change Statistics:
- 3,422 production changes in past 48 months
- Average 8 changes per night
- Each change may impact 100s of systems, users

ICT IT Change Management Audit: AUDIT RESULT

In general, internal controls were adequate:
- ICT has adopted industry-best-practice ITIL methodologies
- ICT's processes are mature and well-practiced
- ICT actively executes and enforces IT Change Management
- ICT team members culturally reinforce the importance of the process
- Customers report very few unplanned outages

However, we identified two opportunities for improvement

ICT IT Change Management Audit: IMPROVEMENT #1

Though clearly defined and well practiced, the IT Change Management process is not supported with an adequate toolset to maintain controls

Recommendations
1. Replace the existing toolset with a single, integrated service management application
2. Adapt the existing process to take advantage of the new toolset
3. Measure and communicate Key Performance Indicators
4. Develop process controls to maintain accurate system configuration information

Management Response
Management agrees with the assessment and recommendations. A new toolset has already been selected and a project has been initiated with an estimated completion of initial deployment by March 31, 2018. KPIs, process controls and measures will follow the initial deployment and are expected to be completed by June 30, 2018.

ICT IT Change Management Audit: IMPROVEMENT #2

ICT and Aviation Maintenance do not share common IT Change Management processes and tools to manage change in business systems that span the responsibilities of both organizations.

Recommendations
1. ICT and Aviation Maintenance should leverage each other to identify shared tools and processes

Adopting the best practice of a single system is currently unrealistic; however, due to the importance of Change Management and the impact it can have on critical systems, Internal Audit will independently review the Aviation Maintenance change management process in 2018.

ICT IT Change Management Audit: IMPROVEMENT #2

ICT Management Response
ICT Management agrees with the rating and recommendation.

Aviation Maintenance Management Response:
Aviation Maintenance Management would like to invite the Audit Team to review the Electronic Technicians Change Management System. As ICT moves forward to upgrade their current Change Management system, aviation maintenance would like to participate from the beginning to determine if any new processes would also meet the needs of the entire organization.
Limited Operational Audits

MARITIME STORMWATER UTILITY: BACKGROUND

The Port created the Maritime Stormwater Utility (Utility) by negotiating an agreement with the City of Seattle. On January 1, 2015, the Port established the Utility pursuant to the Revised Code of Washington. Below reflects the department's annual revenue:

Maritime Stormwater Utility Revenue
Revenue | 2015 | 2016 | YTD 2017*
Sale of Utilities - Surface Water | $4,403,498 | $2,888,599 | $1,912,784
Sale of Utilities - Surface Water NWSP | - | 788,835 | 673,611
Sale of Utilities - Intercompany | - | 1,073,549 | 564,116
TOTAL | $4,403,498 | $4,750,983 | $3,150,511
Data Source: PeopleSoft Financials
*Through 8/31/2017

MARITIME STORMWATER UTILITY: RESULTS

We completed a limited operational audit of the Utility for the period January 2016 - June 2017. The audit was performed to assess the design and operating effectiveness of internal controls. We concluded that key terms in the Interlocal Agreement were achieved and that a system was established to assess and repair or replace stormwater infrastructure by December 31, 2019.

IA identified the following issue:
- (Medium) Internal controls should be implemented to decrease the likelihood of billing errors. To improve efficiency, management should also develop a plan to automate the billing process.

Management Response: Management agreed to implement internal controls by January 2018 and will assess the feasibility of migrating the billing process into PROPworks by March 2018.

ON/OFF-BOARDING OF CONSULTANTS AND CONTRACTORS: BACKGROUND

The Port's Contingent (Contract) Workers Policy establishes procedures so that independent contractors and temporary agency employees (contingent workers) are used appropriately and lawfully. The IRS developed criteria to determine their classification.
The criteria are streamlined into three general categories:
- Behavioral control: The payer has the right to control or direct only the result of the work and not what will be done or how it will be done.
- Financial control: How the individual is paid, e.g., weekly or hourly versus a flat fee.
- Type of Relationship: How permanent and how the Port and individual contractor view the relationship.

Generally, the greater the behavioral and financial control, and the more permanent the relationship is, the greater the likelihood that the individual would be considered an employee.

ON/OFF-BOARDING OF CONSULTANTS AND CONTRACTORS: RESULTS

Management controls for the period January 2016 - September 2017 were not adequate to ensure compliance with Port Policy and IRS requirements.

- (High) The Port's Contingent (Contract) Workers Policy (the Policy) needs to be updated with recent IRS and case law guidance. The Policy has not been updated in almost 10 years and is not consistent with IRS guidance and case law.
- (High) A process has not been established to account for and manage/monitor on and off-boarding of contingent and contract workers. We identified over 250 non-Port employees, some of whom had begun working at the Port in 2002 and/or had received parking cards, which is not allowed by Policy.

Management Response: Management agreed to develop an updated Policy by March 2018 and will develop processes, procedures, and structures by June 2018. Strategic Initiatives will lead the effort with support from Human Resources and Development, Legal, ICT, and Capital Development.

CAPITAL PROGRAM INTERNATIONAL ARRIVALS FACILITY: BACKGROUND

The International Arrivals Facility (IAF) at Seattle-Tacoma International Airport will be expanded to enhance the international passenger experience, advance the Puget Sound region as a leading tourism and business gateway, and serve the traveling public.
The IAF will be a multi-level, 450,000 square-foot facility with a 900 foot walkway. The Port elected to use a design-build approach, and selected Clark Construction as the design builder. This approach provides the Port with a single point of responsibility to carry out all work on the project.

CAPITAL PROGRAM INTERNATIONAL ARRIVALS FACILITY: RESULTS

The scope of the audit was the period July 2015 - July 2017; it assessed the design and operating effectiveness of internal controls and sought to assure that vendors were being paid in a timely and accurate manner. We identified two opportunities where improving controls would allow Port management and Clark Construction to enhance the accuracy and timeliness of payments to contractors and subcontractors.

- (High) Important elements of the design-build approach were missing. These resulted in unexpected costs due to rework and resulted in delayed payments to contractors and subcontractors. Some of the missing elements included incomplete designs prior to construction, some payment requests that were incomplete, and work that was authorized by Clark prior to signed change orders.
- (Medium) Internal Controls need to be enhanced to validate invoice totals to payments. This resulted in an overpayment of $89,454 to Clark in March 2017.
- Efficiency opportunity: Internal processes should be modified to allow for faster payment to Clark Construction, which will also allow for faster payment to subcontractors and the small businesses that they employ.

Port Management Response (Capital Development): We agree with the recommendations and believe that establishing a single Guaranteed Maximum Price (GMP) for the Contract would give the Design Builder flexibility to manage and mitigate risk associated with the design build process.
However, Clark has yet to produce a GMP that the Port is willing to accept and until that happens Port Management will continue to exercise the contract provision that permits it to issue mini-GMPs to undertake limited scopes of work.

CAPITAL PROGRAM INTERNATIONAL ARRIVALS FACILITY: RESULTS

Port Management Response (continued): Management agrees that there are opportunities to strengthen oversight of the Design-Builder. Clark Construction has made improvements to their management of subcontractors through controls management and training of the subcontractors on the proper way to submit change requests.

Clark Construction Management Response: Clark agrees that whenever possible, EWAs, WA, etc. should be executed prior to the commencement of the work. This practice will be followed wherever possible and practical for the nature of the design-build work. Clark will work with the POS to review additional delivery methods of the outstanding exposures to ensure the information being presented is accurate and timely.

Port Management Response (Finance & Budget): Management acknowledges the Commission's desire to ensure that small businesses serving as subcontractors are paid on a timely basis, and is continuing to work on expediting the Port's payment process.

EASTSIDE FOR HIRE, INC. (ESFH): BACKGROUND

On September 16, 2016, the Port entered into a CA with ESFH to provide on-demand, outbound taxicab and for-hire vehicle transportation services at Seattle Tacoma International Airport (STIA). The Agreement term is three years, commencing on October 1, 2016 through September 30, 2019.

The introduction of TNC's at STIA provides additional choices to the travelling public. The impact of these additional choices has led to a decline in demand for taxicab/flat rate for-hire. The decline in demand coupled with 405 taxi vehicles has resulted in lower than expected driver wages.
IA performed this audit not only to verify contract compliance, but also to evaluate processes and to recommend new approaches that may benefit taxi owner/operators, ESFH, and the Port.

EASTSIDE FOR HIRE, INC. (ESFH): RESULTS

We completed an audit of ESFH for the period October 2016 through July 2017. ESFH was awarded the CA on September 16, 2016, allowing approximately two weeks for ESFH to implement processes, which partly contributed to some of the challenges faced. Two issues were identified:

(High) Reconciliation and refunds of prepaid owner/operator charges and payments had not been performed since the start of the contract, resulting in 323 drivers that were owed on average $2,224 apiece as of July 31, 2017. This amounts to a significant sum for a driver making approximately $12/hr. An independent set of 360 drivers also owed ESFH an average of $2,251. The table below reflects information as of July 2017 according to ESFH records.

Owner/Operator Refunds or Billings Due
Description | Total Refunds Due to Drivers | Total Additional Billings Due to ESFH
Total Amount | $718,256 | $810,486
Number of Accounts/Drivers | 323 | 360
Amount Due to/Due from Per Driver | $2,224 | $2,251
Net Amount | $302,450 | $394,680
Number of Vehicles after netting | 154 | 251
Net Amount Due to/Due from Per Vehicle | $1,964 | $1,572

EASTSIDE FOR HIRE, INC.: RESULTS (continued)

(High) Contract Non-Compliance

I. Technology Activity Tracking: A real-time/near real time vehicle activity tracking software system has not been implemented. Instead, ESFH contracts with SP+ to perform manual counts. The manual counts are significantly lower, by an average of 5,162, than the Port's AVI data.

II. Deadheading: From inception of the contract, deadheading targets have not been achieved. Although ESFH has paid liquidated damages, the spirit of the contract provision is not being met.

III. Labor Harmony Agreement: A legally enforceable labor peace guarantee has not been obtained.
EASTSIDE FOR HIRE, INC.

ESFH Management Response:
- Owners/operators owed $92,555 to ESFH for the trips performed from October 1, 2016 to July 31, 2017. As of October 25, 2017, the reconciliation was complete and all airport fleet vehicles have been notified to come to the ESFH office to settle and bring their accounts current.
- ESFH will set up the scanner equipment during the month of December and will implement using it on January 1, 2018.
- ESFH's goal was always to meet or exceed deadheading targets. We intend to create new business outside the airport, and this will reduce deadheading. Our goal is to meet deadheading targets by December 31, 2017.
- Due to the Teamsters' attempt to change the Port required Labor Harmony Agreement to a full blown collective bargaining agreement, ESFH could not obtain a Labor Harmony Agreement.

EASTSIDE FOR HIRE, INC.

Port Management Response (Lance Lyttle, Managing Director Aviation)

The ESFH contract has been extensively monitored for contract compliance since the award of the contract in September of 2016. Specifically, no fewer than 58 meetings regarding compliance have been held by POS staff. This number does not include weekly AV staff meetings that are conducted to ensure internal coordination and communication of ongoing developments related to this contract.

Summary of Audit Findings and related POS Management Responses

- Reconciliation of prepaid owner/operator changes and payments.
  RESPONSE: On-site observations by POS staff on two occasions and physical logs provided by ESFH as of November 15 indicate reconciliation through October 2017. Interviews of 25 drivers indicate repayment has been made. Internal Audit to independently audit these repayments.
- Provide automated transparent mechanism to provide AVI data to drivers monthly.
  RESPONSE: Implementation FEB 1, 2018.
- Eliminate driver contribution of $.10/trip community fund and work with ESFH to eliminate financial burden of short trips.
  RESPONSE: ESFH relieved of this RFP-proposed term on October 18, 2017. AV staff continues to work with ESFH on issue of short trips.

EASTSIDE FOR HIRE, INC.

Port Management Response (Lance Lyttle, Managing Director Aviation)

- Technology Activity Tracking:
  RESPONSE: Based on POS Legal interpretation, ESFH is non-compliant. Equipment installed in all vehicles Q1 2017. A manual bar-code scanner system is under implementation by ESFH. A second POS AVI reader is to be installed by April 1, 2018.
- Deadheading:
  RESPONSE: ESFH in compliance via liquidated damages payments.
- Labor Harmony:
  RESPONSE: Based on POS Legal interpretation, ESFH is noncompliant. Third party facilitator awaiting Teamster joint agreement to discuss.

Aviation Operations and Commercial Management staff have dedicated themselves to diligent contract compliance oversight from the outset of the contract and will continue to do so. We appreciate the opportunity to provide a comprehensive response to the audit findings.

Lease & Concession Agreement Compliance Audits

THE HERTZ CORPORATION DBA HERTZ CAR RENTAL: BACKGROUND

The Hertz Corporation (Hertz), a subsidiary of Hertz Global Holdings, Inc., is headquartered in Estero, Florida. Hertz maintains a local administrative office and fleet maintenance at the Consolidated Car Rental Facility owned by the Port.

The terms of the agreement provide for a Minimum Annual Guarantee (MAG) of 85% of the total amount paid to the Port in the previous agreement year. Additionally, the agreement requires a Percentage Fee equal to 10% of gross revenues, provided the Percentage Fee is higher than the monthly MAG payment.
Below reflects revenue earned by the Port:

Reported Gross Revenue and Concession Calculation / Customer Facility Charge
Agreement Year | Reported Gross Revenues | Concession Fees | Reported CFC Fees
2014 - 2015 | $54,963,037 | $5,496,304 | $5,379,168
2015 - 2016 | 55,923,031 | 5,592,303 | 5,535,618
TOTAL | $110,886,068 | $11,088,607 | $10,914,786
Data Source: PeopleSoft Financials and Propworks

THE HERTZ CORPORATION DBA HERTZ CAR RENTAL: RESULTS

We completed a rental car concession audit of Hertz for the period June 2014 - May 2016. The audit was performed to determine whether Port management's monitoring controls were effective and to assure that:
- Hertz reported Concession Fees were complete, properly calculated, and remitted timely to the Port;
- Hertz complied with significant financial provisions of the concession agreement (CA), as amended; and
- the Customer Facility Charge (CFC) was properly collected and remitted.

We concluded that Hertz materially complied with the terms of the car rental agreement, and that management controls were effective. We noted the following exceptions with the CFC:

THE HERTZ CORPORATION DBA HERTZ CAR RENTAL

- (Medium) Hertz did not collect the CFC at their three local locations within a three-mile radius of the airport. The CA specifically requires Hertz to collect and remit the CFC to the Port for these locations if the customer arrives by plane within 12 hours. Our audit showed that in most cases a CFC was due to the Port, amounting to $205,236 during our audit period.
- Hertz did not consistently comply with their vehicle drop-off policy at the Consolidated Rental Car Facility location, resulting in approximately $9,210 in CFCs due to the Port.

Management Response: Aviation Commercial Management will pursue collection from Hertz for the under-reported CFC's as stated above, the audit cost, and the applicable late fees and interest.
Aviation Commercial Management will also work with Hertz to assure a mutual understanding of the definition of "Airport Customer" so that future interpretations are consistent for both the Port and Hertz.

AVIS BUDGET GROUP DBA AVIS BUDGET CAR RENTAL: BACKGROUND

Avis Budget, headquartered in Parsippany, N.J., provides vehicle and car sharing services, operating four brands in the industry through Avis, Budget, Payless, and Zipcar.

The agreement requires a Minimum Annual Guarantee (MAG) of 85% of the total amount paid to the Port in the previous agreement year or the MAG for the first agreement year at $5,950,000.00, whichever is greater. In addition, the agreement requires a Percentage Fee equal to 10% of gross revenues, provided the Percentage Fee is higher than the MAG payment.

Data Source: PeopleSoft Financials and Propworks

AVIS BUDGET GROUP DBA AVIS BUDGET CAR RENTAL: RESULTS

The period audited was June 2013 - May 2016. The audit was performed to determine whether Port management's monitoring controls were effective and to assure that:
- Avis Budget reported Concession Fees were complete, properly calculated, and remitted timely to the Port;
- Avis Budget complied with significant financial provisions of the Concession Agreement (CA), as amended; and
- the Customer Facility Charge (CFC) was properly collected and remitted.

We concluded that management controls were effective and that Avis Budget materially complied with the terms of the CA with one exception:

AVIS BUDGET GROUP DBA AVIS BUDGET CAR RENTAL

(Medium) Avis Budget was unable to provide us with details regarding adjustments made to customer bills. This led us to conclude that Avis Budget did not maintain the details of adjustments in their recordkeeping systems. Additionally, this issue was a repeat finding that was identified in a prior internal audit of Avis Budget Group, LLC Audit (Report No. 2012-20).
Internal Audit is therefore disallowing $94,039 in adjustments that were noted during the audit period and seeking reimbursement for this amount.

Management Response: Aviation Commercial Management will pursue collection of concession fees from Avis Budget for the adjustments, for which they were not able to provide supporting documentation, and the applicable late fees and interest. Aviation Commercial Management will also clarify with Avis Budget the records we expect them to retain in accordance with Article 8 of the Lease.