9a Internal Audits Completed for 2019 Presentation

Item No. 9a
Meeting Date: December 10, 2019

2019 Summary of Internal Audits
Glenn Fernandes - Director, Internal Audit

December 10, 2019
Pier 69, Commission Chambers
12:00 PM - 5:00 PM


2019 Audit Committee
Commissioner Peter Steinbrueck, Committee Chair
Commissioner Ryan Calkins, Committee Member
Christina Gehrke, Committee Public Member



About Internal Audit
Internal Audit conducts independent, objective, risk-based
audits of the Port's operations, activities and vendors.
Our audits add value by helping the Port achieve its
mission and result in: financial stewardship, accountability,
transparency, governance, and operational excellence.
Internal Audit derives its authority from the Port
Commission.

18 Audits, 1 Summary Report Completed in 2019

Limited Contract Compliance (5)
- Sixt Rent A Car
- EAN Holdings, LLC
- Anton Airfood of Seattle, Inc.
- Mad Anthony's, Inc.
- Airport Tenant Marketing Program

Operational (8)
- Airport Employee Access¹
- Diversity in Contracting
- Marine Maintenance Shop
- Architectural and Engineering Consultant Rates

Capital
- Checked Baggage Optimization Project (Phase 1)
- Noise Insulation Program
- Concourse D Hardstand Holdroom
- Shilshole Bay Marina Customer Facilities Project

Information Technology (6)
- Security of Personally Identifiable Information¹
- HIPAA Security Compliance¹
- HIPAA Privacy and Breach Compliance
- Closed Network System Security¹
- Inventory and Control of Hardware Assets¹
- Payment Card Industry (PCI)¹,²

¹ Security Sensitive - Exempt from public disclosure per RCW 42.56.420.
² This work was performed by an outside firm. Internal Audit provided a summary report to the Audit Committee.


Key Themes
- 2019 Audits identified 13 High Risk and 29 Medium Risk issues
  for management action
- The Port has opportunities to strengthen internal controls and
  related processes
- Capital Spending - Opportunities to reduce costs / be more
  efficient


Highlighted Audits
Operational:
1) Marine Maintenance Shop
2) Airport Employee Access¹
3) Architectural and Engineering Consultant Rates
Capital:
4) Noise Insulation Program
5) Concourse D Hardstand Holdroom
IT:
6) Closed Network System Security¹
7) HIPAA Security Compliance¹
8) HIPAA Privacy and Breach Compliance
9) Inventory and Control of Hardware Assets¹

¹ Security Sensitive - Exempt from public disclosure per RCW 42.56.420


Operational - Marine Maintenance Shop
(High) - Management self-identified that a process to issue and
track keys and badges needs to be developed. Marine
Maintenance has the ability to issue badges that allow
individuals to access secure Maritime facilities.
- Comprehensive list of physical access points did not exist
- Segregation of duties for authorization, custody, distribution did not exist
- Badges of terminated employees were still active
- Badge applications showing authorization not retained
- Policies and procedures not established
Status: In process, with both short term and long term deliverables.

Operational - Marine Maintenance Shop
(High) - Safeguards and controls have not been designed and
implemented to monitor and account for fuel and fleet usage. As
a result, an $86,000 fuel adjustment was made to the ending
2018 fuel balance. The cause of the adjustment was not known.

Status: Immediate detective controls implemented. Longer term
controls in process.

Operational - Architectural and Engineering Consultant Rates
(High) - CPO had not established guidelines for what is determined fair
and reasonable. Our testing of over 400 A&E consultants identified many
instances where profit margins exceeded what the industry deemed
reasonable.
The table below reflects the profit margins of the firms tested: [Note: Industry standard
ranges between 10 - 15 percent.]

Profit                  10% and below   11-19%   20-29%   30-39%   40-49%   Above 50%
Number of Consultants   139             81       79       60       30       18

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(High) - Management approval was not required when hourly rates
exceeded the maximum rates produced by the service rate negotiation
tool / model.
The table below reflects the number of positions that exceeded the maximum and the
amount that the Port agreed to pay over the maximum rate for every hour worked:

Positions     Amount over the Maximum (+2%)
31            $51.05 - $175.03
32            $21.20 - $48.05
103           $.17 - $19.98
166 (total)

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(High) - A reconciliation between the final negotiated rates and the
contract did not occur. As a result, we were unable to verify that all
positions and rates reflected in the contract were accurate.
The table below reflects the type and number of exceptions:

Position on contract did not exist on the rate tool     108
Rate on rate tool did not agree to the contract          40
Position on rate tool did not exist on the contract      20
Total                                                   168

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(Medium) - The Central Procurement Office is responsible for
procuring all contracts related to public works, consulting
services, and goods and services. Governance meetings, for
Executive Leadership Team (ELT) oversight of CPO, had not
occurred since December 7, 2017.

Status: Forthcoming

Capital - Noise Insulation Program
(High) - The Port's controls related to the review of Job Order Contract
work proposed and performed by a Job Order Contractor were not
functioning effectively. As a result, the Contractor billed the Port an
unreasonably high amount and may have billed for more work than was
performed.
- Contractor charged the Port a 51% average mark-up
- Assuring line items and quantities proposed are appropriate requires a diligent
  review and necessitates questioning items that appear inaccurate
- Our work indicated a reasonableness review was not always performed
Status: Immediate review controls have been implemented. Long Term
controls in process.

Capital - Concourse D Hardstand Holdroom
(Medium) - The Port's consultant did not have adequate
knowledge of airport building requirements, which resulted in
the design/concept drawings including a building type that was
not allowed in airport terminals. The Consultant's error on the
design/concept drawings resulted in additional costs to the Port
of $142,654.

Status: Management is pursuing collection

Capital - Concourse D Hardstand Holdroom
(Medium) - The Contract restricted the Port's ability to audit all
contractor and subcontractor records within the lump sum
contract. The audit clause only allowed audit of documents
related to changes. When audit clauses are restrictive, there is an
inherent risk that the Port may end up paying additional costs or
not receive expected deliverables, without detection.

Status: In process

IT Audit - HIPAA Privacy and Breach Compliance
(High) - The Port had not designated itself as a hybrid entity for
the purposes of the HIPAA Rule. The Port had not defined what
units within the Port were part of the designated health care
component.

Status: In process - expected completion is 12/31/2019

Limited Contract Compliance
- Self-reported revenue from concessionaires and rental car
  companies
- Audits focus on compliance with concession agreement

Audits   Underreported Revenue   Due to Port
4        $669,475                $70,435



2020 Audit Strategy
- Continue with current course on Limited Contract Compliance
  Audits
- Continue to enhance our operational / performance audit
  approach
- Emphasize controls surrounding capital spending
