Presentation
Port of Seattle Audit Committee
September 13, 2019
Pier 69, Commission Chambers
11:00 AM - 1:00 PM

2020 Proposed Budget: Key Drivers
- Staffing flat year-over-year.
- From 2017 through 2019 we focused on staff development.
- In 2020, staff are utilized for IT and Capital Audits.
- No outside consultants in 2020.
- Overall a decrease of 8.38% in year-over-year budget.

Internal Audit Organization Structure
- Glenn Fernandes, Director
- Pam Bailey, Sr. Administrative Assistant
- Spencer Bright, Manager - Capital Audit
- Bruce Klouzal, Manager - IT Audit
- Dan Chase, Sr. Manager - Internal Audit (Operational & Compliance)
- Ritika Marwaha, Sr. Internal Auditor
- Rumiko Okuma, Sr. Internal Auditor
- Jennifer Albrecht, Internal Auditor
- Nikita Goyal, Internal Auditor
- Open, Internal Auditor (two positions)

2020 Proposed Budget (Internal Audit)

Category                                  2018 Actual          2019 Budget          2019 Forecast        2020 Budget
Salaries/Wages and Benefits               $1,300,252  85.51%   $1,713,416  89.44%   $1,511,339  89.97%   $1,699,700  96.84%
Outside Services                             174,640  11.48%      147,000   7.67%      115,051   6.85%        2,130   0.12%
Equipment Expense                              4,773   0.31%        6,680   0.35%        6,680   0.40%        4,321   0.25%
Office Supplies & Stock                          682   0.04%        1,000   0.05%        1,000   0.06%          600   0.03%
Travel, Training, and Other Emp Expense       36,009   2.37%       39,670   2.07%       39,670   2.36%       41,615   2.37%
General Expenses                                 986   0.06%        3,260   0.17%        2,460   0.15%          760   0.04%
Trade Business & Community                       150   0.01%          300   0.02%          300   0.02%          300   0.02%
Telecommunications                             3,135   0.21%        4,320   0.23%        3,356   0.20%        5,760   0.33%
Total                                     $1,520,627    100%   $1,915,646    100%   $1,679,856    100%   $1,755,186    100%

2020 Budget versus 2019 Budget: 8.4% decrease.

2019 Audit Plan (Internal Audit)

Limited Contract Compliance:
- Sixt Rent A Car LLC
- Enterprise Rent A Car
- Anton Airfood
- Mad Anthony's
- Marketing Fund - Concessions

Operational:
- Airport Security Screening Program
- Diversity Program
- Marine Maintenance
- A&E Consultant Rates (1)

Operational - Capital:
- Baggage Optimization
- Noise Insulation Programs (FAA Part 150)
- Concourse D Hardstand Terminal
- Shilshole Tenant Service Building

Information Technology:
- Security of Personally Identifiable Information
- HIPAA Compliance
- PCI - Quality Security Assessor
- Closed Network System Security
- Inventory and Control of Hardware Assets (1)
- T2 Airport Garage Parking System Replacement (2)

(1) Approved addition to plan at 6/28/2018 Audit Committee Meeting
(2) Approved removal from plan at 6/28/2018 Audit Committee Meeting

2019 Audit Plan Status
(Timeline shown January through December; key: Complete, In Process, Removed/Added to Audit Plan)

Audit Title: Type
- Sixt Rent A Car LLC: Limited Compliance
- Marketing Fund - Concessions: Limited Compliance
- Security of Personally Identifiable Information: IT
- Noise Insulation Programs (FAA Part 150): Operational Capital
- Marine Maintenance: Operational
- Mad Anthony's: Limited Compliance
- Baggage Optimization: Operational Capital
- Anton Airfood: Limited Operational
- Diversity Program: Operational
- Closed Network System Security: IT
- Airport Security Screening Program: Operational
- Concourse D Hardstand Terminal: Operational Capital
- HIPAA Compliance: IT
- PCI Quality Security Assessor: IT
- Add: Architectural, Engineering & Related Support Services: Operational
- Enterprise Rent A Car: Limited Operational
- Shilshole Tenant Service Building: Operational Capital
- Add: Inventory and Control of Hardware Assets: IT
- Moved to 2020: T2 Airport Garage Parking System Replacement: IT

Audit Follow-Up
1) Concession Audits: the 2019 audits have been billed and collected.
2) Operational: no issues past their due date.
3) Information Technology: three issues past their due date. Two are close to being completed. One, on T2's SOC 2, needs internal discussion on acceptance of risk.

Audits Completed
1) Concourse D Hardstand Terminal
2) Airport Employee Access*
3) HIPAA Privacy/Breach
4) Closed Networks*
5) HIPAA Security*
6) Payment Card Industry (PCI)*
* Security sensitive; exempt from public disclosure per RCW 42.56.420.

Concourse D Hardstand Terminal
- Holdroom opened October 31, 2018
- Design-build with a lump sum contract
- Total cost: $35 million, including $1.7 million in change orders
- Holdroom is approximately 32,400 square feet and includes six gate-like areas

Results
Medium: The Port's consultant did not have adequate knowledge of airport building requirements, which resulted in the design/concept drawings including a building type that is not allowed in airport terminals. The consultant's error on the design/concept drawings resulted in additional costs to the Port of $142,654.

Medium: The contract restricted the Port's ability to audit all contractor and subcontractor records within the lump sum contract; the audit clause only allows audit of documents related to changes. When audit clauses are restrictive, there is an inherent risk that the Port may pay additional costs or not receive expected deliverables without detection.

Airport Employee Access
Regulations:
- Section 8, SeaTac Airport Schedule of Rules and Regulations No. 5 - Security Compliance
- TSA regulations 49 CFR Parts 1542, 1544, and 1546 - Security Program
- TSA definition of "Insider Threats"
Employee screening:
- Includes Port of Seattle employees, concession workers, contractors, and consultants
- Background check and training prior to badge issuance

Results
Three issues which are deemed security sensitive and exempt from public disclosure. Discussed 1:1 with Audit Committee members.

HIPAA Privacy/Breach
Presented by: Julia Huddleston, CIPP/US, CIPM, CFO & COO, Apgar & Associates

Compliance audit of the Health Insurance Portability and Accountability Act (HIPAA) Privacy/Breach requirements. Existing processes and controls in place for protected health information (PHI) were assessed against the HIPAA Privacy and Breach Notification Rules using the federal Office for Civil Rights (OCR) Audit Protocol to determine the level of compliance and identify areas for improvement.

About Apgar & Associates:
- Portland, OR based
- Developing and implementing practical, workable solutions since 2004
- Clients range from single-physician offices to mid-size technology companies to multinational corporations

Results
High: The Port had not designated itself as a hybrid entity for the purposes of the HIPAA Rules, and had not defined which units within the Port are part of the designated health care component.

Medium: The Port's understanding of which systems and applications create, receive, use, maintain, or transmit PHI and EPHI was incomplete. Combined with the hybrid entity issue, this could result in team members having more access to sensitive information than allowed by law and regulation.

Medium: The Port did not consistently enter into and manage business associate agreements with vendors that use, disclose, maintain, or transmit the Port's PHI and EPHI to perform a business function for the Port.

Medium: HIPAA Privacy and Breach training was not being provided to Port employees within a reasonable timeframe.

Medium: The Port did not document any four-factor risk assessment, required under federal law, showing how the organization determined that there was a low risk of compromise to PHI when PHI was acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.

Management Response
Management to discuss in person. Detailed response presented in the audit report.

Closed Networks
Evaluated the adequacy of internal controls related to the IT security of selected Port Industrial Control Systems (ICS). Review of three ICS:
- Internal Waste Treatment Plant (IWTP)
- Auxiliary Utility Facility (AUF)
- Airfield Lighting Controls and Monitoring System (ALCMS)

Results
Five issues which are deemed security sensitive and exempt from public disclosure. Discussed 1:1 with Audit Committee members.

HIPAA Security
Compliance audit of the Health Insurance Portability and Accountability Act (HIPAA) Security requirements. Existing processes and controls in place for electronic protected health information (EPHI) were assessed against the HIPAA Security Rule using the federal Office for Civil Rights (OCR) Audit Protocol to determine the level of compliance and identify areas for improvement.

Results
Five issues which are deemed security sensitive and exempt from public disclosure. Discussed 1:1 with Audit Committee members.

PCI (External Assessment)
- 2019 review completed on August 25, 2019.
- The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to complete an annual Self-Assessment Questionnaire (SAQ).
- The SAQ verifies to the Port's acquirer (merchant bank) that the Port's security controls over credit card data handling meet the PCI requirements.

Results
Four issues which are deemed security sensitive and exempt from public disclosure. Discussed 1:1 with Audit Committee members.