11b Presentation Audits Completed in 2020
Item No. 11b attach 1
Meeting Date: December 8, 2020

2020 Summary of Internal Audits
Glenn Fernandes - Director, Internal Audit
December 8, 2020, Remote Meeting, 12:00 PM - 5:00 PM

Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

2020 Audit Committee
- Commissioner Ryan Calkins, Committee Chair
- Commissioner Stephanie Bowman, Committee Member
- Christina Gehrke, Committee Public Member

About Internal Audit
- Internal Audit conducts independent, objective, risk-based audits of the Port's operations, activities and vendors.
- Our audits add value by helping the Port achieve its mission and contribute to: financial stewardship, accountability, transparency, governance, and operational excellence.
- Internal Audit derives its authority from the Port Commission.
- Internal Audit is a catalyst in the Port's sound governance and risk management.

Institute of Internal Auditors (IIA) - Combined Assurance
The governing body, management, and internal audit have their distinct responsibilities, but all activities need to be aligned with the objectives of the organization. The basis for successful coherence is regular and effective coordination, collaboration, and communication.
Source: The Institute of Internal Auditors, THE IIA'S THREE LINES MODEL: An Update of the Three Lines of Defense, published in July 2020.
17 Audits, 1 Analysis Memo, 2 Summary Reports Completed in 2020

Limited Contract Compliance (5)
- Concourse Concessions, LLC
- McDonald's USA, LLC
- Fireworks Galleries, LLC
- Qdoba Restaurant Corporation
- E-Z Rent A Car, Incorporated

Operational (9)
- Equipment Acquisition, Monitoring & Disposal
- Ground Transportation - Taxi Cabs
- Cash Controls
- Interlocal Agreement Mapping [1]
- Delegation of Authority [2]
- Public Health Emergency Leave Program (PHEL) [3]
- Capital:
  - Service Tunnel Renewal/Replace Project
  - Central Terminal Infrastructure Upgrade (Bid and Design Phases)
  - AOA Perimeter Fence Line Standards Project

Information Technology (6)
- Network Password Management
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Inventory & Control of Software Assets
- Malware Defenses (ICT) [2]
- Payment Card Industry (PCI) Qualified Security Assessor [4]
- Criminal Justice Information Systems (CJIS) [5]

[1] This is a focused analysis, not an audit; accordingly, we issued a Memo.
[2] This contingency audit was approved by the Audit Committee in December 2019.
[3] This audit was added per HR request.
[4] This work was performed by an outside firm. Internal Audit provided a summary report to the Audit Committee.
[5] This work was performed by the Washington State Patrol. Internal Audit provided a summary report to the Audit Committee.

Key Themes
- 2020 Audits identified 3 High Risk, 21 Medium Risk, and 4 Low Risk rated issues for management action.
- Internal Audit responded to the unprecedented pandemic risk to the Port by initiating and completing a time-sensitive advisory project on FEMA Reimbursement and a Public Health Emergency Leave Audit.
- The Port has opportunities to strengthen internal controls and related processes to mitigate business risks.
- The Port has opportunities to reduce change orders, schedule delays, and design issues on future projects.
Highlighted Audits
1) Cash Controls
2) Public Health Emergency Leave Program (PHEL)
3) Ground Transportation - Taxicabs

Operational - Cash Controls
- Audit scope included - Fishermen's Terminal (FT), Shilshole Bay Marina (SBM), and Airport Lost and Found (L&F)
- Cash is the most liquid of assets and is inherently susceptible to misappropriation
- Evaluated the design and effectiveness of internal controls supporting cash processes
- Audit Time Period: January 2019 - December 2019
- Audit Criteria, including:
  - RCW 43.09.240 - Deposit of collections
  - RCW 63.21.060 - Duties of governmental entity acquiring lost property - Disposal of property
  - Internal controls principles (e.g., segregation of duties, review/approval by authorized personnel)

Operational - Cash Controls
Cash Receipts by Location:

| Department | 2018 Revenue | 2019 Revenue | Total Revenue | % of Total Revenue |
|---|---|---|---|---|
| Airport Public / Employee Parking | $3,343,444 | $2,971,534 | 6,314,978 | 87.3% |
| Shilshole Bay Marina Operations | 294,835 | 233,551 | 528,386 | 7.3% |
| Bell Harbor Int. Conf. Center/World Trade Center | 19,942 | 133,639 | 153,582 | 2.1% |
| Fishermen's Terminal Operations | 60,301 | 84,941 | 145,242 | 2.0% |
| Aviation Customer Service (Airport Lost & Found)* | 14,531 * | 43,000 ** | 57,531 | 0.8% |
| Bell Harbor (Pier 66) Marina | 13,584 | 6,352 | 19,936 | 0.3% |
| Accounting and Financial Reporting | 7,080 | 5,049 | 12,129 | 0.2% |
| Total | $3,753,717 | $3,478,067 | $7,231,784 | 100% |

* Reflects non-claimed currency deposited into Port's account.
** April through December / Hallmark contract commenced April 2019 (does not include foreign currency).

Operational - Cash Controls (Medium)
Segregation of Duties were not integrated into the cash processes at Fishermen's Terminal and Shilshole Bay Marina. Staff levels were limited at these locations; however, introducing a few key control enhancements to the existing processes could reduce the risk of misappropriation.
- A fundamental element of internal control is the segregation of key duties.
- The basic idea underlying segregation of duties is that no employee or group of employees should be in a position both to perpetrate and conceal errors or fraud in the normal course of their duties.
- In general, the principal incompatible duties to be segregated are:
  - Custody of cash
  - Authorization or approval of related transactions affecting cash
  - Recording or reporting of related transactions
  - Reconciliations
Status: Management has completed action plans to strengthen the segregation of duties in the cash handling process.

Operational - Cash Controls (Medium)
The Airport (SEA) Lost and Found staff did not follow established procedures on cash handling. Accordingly, during our testing, we were unable to verify transactions where currency received was accurately recorded, retained, released to the claimant, or deposited to the Port's bank account.
- During the audit period, April through December 2019, total cash turned over to the Lost and Found was approximately $43,000 (excluding foreign currencies), of which approximately $28,500 was not claimed and deposited into the Port's bank account.
Status: Management has completed action plans to reinforce the enhanced cash handling procedures to the contracted company personnel.

Operational - Public Health Emergency Leave Program (PHEL)
- Audit requested by the Senior Director of Human Resources.
- Audit Objective - To determine whether the use of PHEL was in alignment with Port policy.
- PHEL was originally authorized for up to 80 hours and extended to 240 hours in April of 2020 for specific circumstances related to COVID-19.
- As of July 2020, 952 Port employees used approximately 155,000 hours of PHEL at an estimated cost, to the Port, of $7.7 million.
- Internal Audit's testing included - interviewing supervisors from multiple departments and review of supporting documents. Testing covered 287 employees who used 54,075 hours.
Operational - Public Health Emergency Leave Program (PHEL) (High)
The lack of centralized administration of the PHEL program and vague policy language increased the potential that PHEL was abused or approved for unintended purposes.
Multiple Departments/Teams Involved:
- Total Rewards (HR) - Tracked employees who met high-risk category or had children whose schools or daycare centers were closed.
- Health and Safety (HR) - Tracked employees exposed to, experienced symptoms of, or tested positive for COVID-19. Health and Safety, however, did not monitor or track the number of PHEL hours an employee used.
- Departments Approved for Minimum Essential Staffing - Policy did not address how PHEL was to be used for minimum essential staffing. Departments were given flexibility on how to allocate, track hours, and monitor PHEL use. Some managers allowed staff to take PHEL through a rotational basis, so that there was an "equitable opportunity."
Status: Management has completed action plans to strengthen the controls over documentation, approval, and compliance monitoring.

Operational - Public Health Emergency Leave Program (PHEL) (High)
Port management did not have adequate procedures in place to monitor the potential of employees collecting unemployment insurance benefits and receiving compensation from the Port concurrently.
- Families First Coronavirus Response Act (FFCRA) created an opportunity for employees to use leave without pay and collect unemployment.
- Multiple departments and a third-party vendor had separate independent roles in payroll coding, monitoring the PHEL program, and approving unemployment claims.
- Internal Audit identified three employees who reported compensable time on their timesheets and received unemployment benefits simultaneously.
Status: Management has completed action plans to improve unemployment monitoring procedures.
Operational - Ground Transportation - Taxi Cabs
In May 2019, the Port of Seattle Commission, through motion number 2019-03, established a two-year pilot program for the on-demand (flat rate/for hire) service at the Seattle-Tacoma International Airport. The program included the following key elements:
- The Port earns an all-inclusive per-trip fee of six dollars ($6.00) per outbound trip.
- Currently, 409 vehicles are in the program.
- Owner/operators that were offering on-demand taxi and flat-rate for-hire services under the previous program (East Side for Hire) were retained for the pilot program through September 30, 2021.
- Through Commission motion, activity fees were deferred for the period March 25, 2020 through July 31, 2020 to provide relief due to COVID-19.

Operational - Ground Transportation - Taxi Cabs (High)
The reconciliation process to identify and resolve differences between the Port's Automated Vehicle Identification (AVI) system and the in-house phone billing application (App.) needs to be enhanced and performed on a timely basis.
- Both the AVI system and application are technology-based tools that, when functioning as intended, should produce little to no variance, which will indicate that vehicles are being billed accurately.
- The App. count, which bills the driver, was 3,100 higher than the AVI count, which tracks vehicle activity, in November of 2019.
- Internal Audit noted a significant improvement in August of 2020. Trip volumes were significantly lower as well, and we did not have sufficient data to conclude as to whether the issues had been fixed.
Status: Management will continue to work with BI and aspire to a 100% match between AVI and App.

Operational - Ground Transportation - Taxi Cabs (Medium)
An Information Technology Control for ensuring that only authorized individuals had access to the Taxi application had failed.
- Although not exploited, an error in coding allowed all users of the Port's Enterprise network to have limited access to the application.
- Users in the Taxi application can enable or disable taxi operators signed up in the program.
- While this does not appear to affect the number of billed trips, an issue with approved access could potentially allow unauthorized vehicles to be added to the system or inappropriately denied access.
Status: Completed. A fix was deployed in October 2020, preventing non-authorized users from logging into the application. Management will request a list of authorized users from ICT on a quarterly basis to validate users in the App.

IT Audits
Continued efforts to perform baseline Center for Internet Security audits (completed three in 2020) to help ensure the Port has a solid foundation of IT controls. We completed the following in 2020:
1) Network Password Management [1]
2) Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers [1] [4]
3) Inventory & Control of Software Assets [1] [4]
4) Malware Defenses (ICT) [1] [4]
5) Payment Card Industry (PCI) Qualified Security Assessor [2]
6) Criminal Justice Information Systems (CJIS) [1] [3]

[1] Security Sensitive - Exempt from public disclosure per RCW 42.56.420; these will not be discussed.
[2] This work was performed by an external Qualified Security Assessor. Internal Audit provided a summary report to the Audit Committee.
[3] This work was performed by the Washington State Patrol. Internal Audit provided a summary report to the Audit Committee.
[4] This is a Center for Internet Security control audit.

Status: Security Sensitive audits were discussed in non-public sessions. The 2020 PCI review completed by an external firm resulted in an overall COMPLIANT rating.
Limited Contract Compliance
- Self-reported revenue from concessionaires and rental car companies
- Audits focus on compliance with concession agreement
- Two audits not performed due to COVID-19 (Lenlyn Limited and Concessions International, LLC)

| Audits | Underreported Revenue | Due to Port |
|---|---|---|
| 5 | $189,522 | $27,993* |

1) Concourse Concessions, LLC*
2) McDonald's USA, LLC
3) Fireworks Galleries, LLC
4) Qdoba Restaurant Corporation
5) E-Z Rent A Car, Incorporated

* In process of collecting - $1,527.

2021 Audit Strategy
- Stay independent.
- Emphasis on developing staff with existing resources.
- Identify control weaknesses through audits, with an increased focus on partnering with management.
- Continue to focus on Capital Delivery (Financial, Quality, & Schedule).
- Focus on the 20 "Center for Internet Security" audits that will provide the groundwork for well-established cybersecurity controls.