Presentation
INTERNAL AUDIT

* Contract with ESFH will not be renewed. Legal settlement/contract modification with ESFH addresses risk.
** Audits will be performed in 2019 by an external audit firm.

2019 Proposed Budget

| Category | 2017 Actual Amount | 2017 Actual % | 2018 Budget Amount | 2018 Budget % | 2018 Forecast Amount | 2018 Forecast % | 2019 Budget Amount | 2019 Budget % |
|---|---|---|---|---|---|---|---|---|
| Salaries/Wages and Benefits (1) | $1,264,939 | 78.90% | $1,561,708 | 85.43% | $1,488,145 | 85.85% | $1,704,674 | 89.57% |
| Outside Services (2) | 296,757 | 18.51% | 207,280 | 11.34% | 188,280 | 10.86% | 147,000 | 7.72% |
| Equipment Expense | 8,463 | 0.53% | 11,380 | 0.62% | 11,380 | 0.66% | 5,000 | 0.26% |
| Office Supplies & Stock | 954 | 0.06% | 1,000 | 0.05% | 1,000 | 0.06% | 1,000 | 0.05% |
| Travel, Training, and Other Emp Expenses (3) | 22,498 | 1.40% | 38,040 | 2.08% | 38,000 | 2.19% | 38,070 | 2.00% |
| General Expenses | 4,138 | 0.26% | 2,240 | 0.12% | 2,240 | 0.13% | 2,760 | 0.15% |
| Trade Business & Community | | 0.00% | | | 150 | 0.01% | 300 | 0.02% |
| Telecommunications | 5,419 | 0.34% | 6,420 | 0.35% | 4,325 | 0.25% | 4,320 | 0.23% |
| Total | $1,603,168 | 100% | $1,828,068 | 100% | $1,733,520 | 100% | $1,903,124 | 100% |

1) 2019 Budget includes one additional head.
2) Outside Services reflects a significant reduction from 2018, as we outsource fewer Information Technology (IT) Audits and utilize our in-house IT auditor to perform these audits.
3) Travel, Training & Other Employee Expenses is primarily for training and development of our internal audit staff.

Overall a 4.11% Increase from 2018 Budget.

Benchmarking Internal Audit (IA)

A comparison of similar Ports with Aviation & Maritime Functions shows that the IA function at the Port of Seattle is leaner than its peers.

| Port Authority | 2017 Passengers | Auditors |
|---|---|---|
| Phoenix Sky Harbor | 44 MM | 6* |
| Port of Seattle | 47 MM | 9 |
| San Diego | 22 MM | 12 |
| Massachusetts | 38 MM | 13 |
| Los Angeles | 85 MM | 22 |
| New York | 132 MM | 73** |

Notes: (see appendix for more detail)
* PHX does not have maritime operations; additionally, IT audits are performed by the City of Phoenix Audit Staff (comparable data was not available).
** NY Port Authority has certain transit functions, maritime, and three airports, contributing to their large internal audit function.

2018 Internal Audit Reporting Structure / Organization Chart

[Organization chart. Director: Glenn Fernandes. Units shown: Operational & Compliance; Capital Audits; Lead IT Auditor. Staff named: Bruce Klouzal, Dan Chase, Ritika Marwaha, Spencer Bright (Acting), Dandan Wang, Margaret Songtantaruk, Roneel Prasad. Position levels shown: Manager, Grade 29; Manager, Grade 31; Grade 29; Sr. Internal Auditor; Internal Auditor. One position is marked Open.]

Importance of Capital Audits

The Port of Seattle is spending approximately $1B in Capital per year. It is important that we build and develop our Capital Audit skill set within IA.

Recently issued audit reports:
- International Arrivals Facility: Fundamental components of the Design-Build process were missing.
- Norwegian Cruise Terminal (Pier 66): Monitoring and approval of change orders.
- Delta Lounge: Deficiencies in the oversight of Port funds used by Delta.
- North Satellite: $31.8 MM in additional costs due to a failure to obtain a legally binding agreement with Alaska. $1.2 MM that needed to be recouped from Alaska.

Outside Services

- HIPAA Required Audit - $80,000. The Department of Health & Human Services requires that this be done periodically.
- Capital Audit Expert Consultant - $50,000. Funding is for an expert construction consultant who can partner with our audit team in 2019 on a capital audit engagement.

AUDITS

1) Cruise Related Investments
2) Cash Controls Sea-Tac Parking Garage
3) Interim West Side Fire Station
4) T2 ParkingSoft System
5) Fox Rent-A-Car

Cruise Related Investments

Revenue
- 2017 ~ $17.6 MM
- 2018 ~ $15.4 MM (YTD Aug.)

Passengers
- 2017 / 2018 ~ 1.1 MM

Hosts more passengers than any other Port on the West Coast. Eleven different ships offering Alaska cruise itineraries.
Results

Medium - Port Management did not correctly utilize all data available when presenting the economic benefit of the baggage valet program to the Commission. This resulted in a potential overstatement of the economic benefit to the Seattle area.

2017 Port Baggage Valet Study
- 1,253 passengers surveyed
- 64% went directly to airport
- Visit Seattle methodology of $63.64 includes $17.63 in transportation costs to airport.
- Net of $46.01 in incremental spend.

Management Response

The Maritime Division and the Cruise team will ensure we use the best available data as we move forward. As the program matures, we will continue to refine the program as well as refine the ways we can measure impacts. We are committed to reporting those as accurately as possible and, in the future will not include transportation costs or the estimates for spending by the portion of passengers that went to the airport unless we have reliable data showing that they spend incremental money that would not have been spent without the program. We appreciate the review as we strive to improve our program.

Cash Control Sea-Tac Parking Garage

2017 Parking Revenue
- Cash - $3.3 MM
- Credit Card - $78 MM

2018 Revenue (YTD Aug. 31)
- Cash - $2 MM
- Credit Card - $52 MM

Largest parking facility in the region with more than 13,000 stalls

Results

Medium - Opportunities exist to enhance access controls to the cash counting room and to reduce the amount of the $20,000 change fund.

Management Response

- The door code will be changed every three months.
- A work order was placed to install a card reader.
- The working fund will be reduced by $4,000.
Interim West Side Fire Station

- Aircraft Rescue Fire Fighting Station
- $5.5 MM
- Minimum estimated life four years
- FAA requires emergency response - three minutes to midpoint of farthest runway

Management Letter Discussion

RESULTS

Medium - We identified sections of the cost estimate that, in our opinion, did not appear to align with industry practice and in some cases appeared excessive.

- Allowance - $513,000 (30%)
- Contingencies - $730,000
  - Construction - $467,000 (15%)
  - Project - $263,000 (5%)

Recommendations
- Defer Commission authorization (i.e. 30% or 50% design)
- Lean review to minimize costs and related inefficiencies

Management Response (Summarized)

Design Development Allowance
- Ranges between 20-30% at conceptual planning
- 30% was used because of unknowns and risks
- Located within Airfield Operating Area
- Dust protection, security requirements, job conditions
- Reduced to 15% at 60% design
- Will be reduced to zero at 100% design

Management Response (Summarized)

Construction Contingency ($467,000)
- Used for change orders
- New construction - 5% / Renovation project 15%
- Reduced contingency to 12%

Project Contingency ($263,000)
- Used for unanticipated circumstances or cost overruns, i.e. sewer fees, connection fees, other fees, jurisdictional complications

Project cost is now estimated at $5.8 MM
- Increased fencing, plumbing fixtures, mechanical, electrical

Information Technology Audit

T2 ParkingSoft System Audit
June 1, 2018 - August 31, 2018
Prepared by Protiviti in partnership with the Port of Seattle Internal Audit department

BACKGROUND

The Port of Seattle engaged ParkingSoft in 2017 to implement a new parking system for the SeaTac airport parking garage. The Port of Seattle's Internal Audit department partnered with Protiviti to perform an audit of the ParkingSoft system during the period of June 2018 and August 2018.
The audit was focused on system access controls, a review of historical issues to assess reasons for downtime, and other risks related to the new system that might compromise system stability.

The previous Parking garage management system, Entervo by Scheidt & Bachmann (S&B), was operated at SeaTac Airport for approximately five (5) years before the current ParkingSoft system was installed. Early in its lifecycle it was determined that Entervo would not be able to support future functionality requirements necessary to support the airport's business development initiatives. The nature of the system's architecture also created several inherent risks including single points of failure, challenging patching and maintenance procedures, limited system and transactional logging, and problematic access administration.

AUDIT OBJECTIVE

The scope of this audit included the processes and practices performed by Port of Seattle to manage the parking system installed at SeaTac airport, as well as addressing historical event reports to evaluate overall system stability and reliability.

AUDIT SCOPE AND METHODOLOGY

Evaluation of Access Controls:
- Review of access provisioning and de-provisioning processes.
- Documentation review of the overall access management process.
- Review of appropriateness of access including roles within the system.

Review of Historical Issues:
- Evaluation of functionality and controls implemented to address historical issues.
- Incident management process walkthrough, including common maintenance requirements for system components from both Information and Communications Technology and Aviation Maintenance Departments.

Assessing Other Risks:
- Review of firewall settings and network diagram from T2.
- Analysis of provided technical system documentation.
- System architecture documentation review.
AUDIT RESULT

The results of the audit demonstrate that the Port of Seattle has taken steps to increase the stability and security of this parking system over previous systems. These steps included:
- Transferring certain operational responsibilities to a third party
- Selecting a system architecture that included redundancies and reduced potential single points of failure
- Including functionality such as unique transaction IDs

Four opportunities for improvement identified during this audit are included on the following slides.

IMPROVEMENT #1: Monitoring of Devices

Monitoring exists, but was limited; alerting capabilities are system-wide and are not currently implemented to alert personnel of unusual activity or outages on individual devices. This may present a risk of uncollected revenue due to isolated system issues.

Recommendations
Work with T2 to ensure events are monitored with appropriate detail and converge to provide alerts of issues and abnormal activity.

Management Response
Management concurs that there is value in providing additional monitoring to alert on the lack of transactions from field devices and will pursue that option with T2. (See Audit Report for details on Management Response)

IMPROVEMENT #2: Monitoring of Vendor Responsibilities

The vendor does not provide SSAE-18 (SOC1) and/or SOC2 or ISO 27001 certification reports to describe its control environment and provide assurance around its ongoing operational activities. The design of the system is such that the vendor is contractually responsible for managing certain portions of the system infrastructure on behalf of the Port.

Recommendations
The Port should request that T2 undertake an assurance mechanism, such as a SSAE-18 (SOC1) and/or SOC2 or ISO 27001 certification, to provide ongoing visibility into the effectiveness of key operations.
Management Response
Management agrees and has formally requested that T2 provide protection against the risks called out in this finding and will work with them to ensure that the appropriate protections are in place.

IMPROVEMENT #3: Physical Access to Port of Seattle Managed Assets

Key infrastructure supporting the parking system is located in a room which serves multiple purposes. As a result, more individuals than necessary may have physical access to these systems, and the systems may be exposed to dust, vibration, and other environmental risks that could impact system availability and maintenance over time.

Recommendations
Controls should be implemented to ensure that any actions performed on these systems are clearly traceable in the event of an issue. The server room should either be dedicated to hosting the systems, or additional safeguards should be implemented, such as cages and cameras, in order to limit access to key systems and provide accountability.

Management Response
Because physical access to the room is already restricted and contains access control and a camera, we feel this is low risk. However, we will investigate the feasibility of adding locking doors to the server racks to address the recommendation of the audit.

IMPROVEMENT #4: Firewall Settings and Review

Opportunities were identified to further restrict configurations within the firewall.

Recommendations
1. Perform a full review of the current firewall rules and configurations, and implement a process to review configurations every six months.
2. Ensure all firewall rules have full business justifications, and can be linked to change tickets and approvals.

Management Response
We concur. Legacy firewall settings on the port managed firewalls have been analyzed and removed where not in use.
We have also requested that T2 review the remaining rules and confirm that they are required for the general operations of the Parking and Revenue Control System. In addition, we have asked T2 to review their managed firewall settings and confirm that they comply with the 6 month firewall review cycle.

- Minimum Annual Guarantee - 10% of Gross Revenue
- Customer Facility Charge - $6 per rental

2014 - 2017
- Percentage Fees ~ $1.1 MM / Year
- CFC Fees ~ $1.5 MM / Year

Result

Medium - Fox owes $52,150 in additional Percentage Fees. (Incidental Revenue)
Medium - Fox owes $10,578 in additional CFC fees. (Waived CFCs)

Management Response
Management will seek to recover the fees, together with any applicable late fees and interest charges. Management will also communicate both verbally and in writing their obligations with respect to revenues and CFCs.