Presentation

Port of Seattle Audit Committee
September 13, 2019
Pier 69, Commission Chambers
11:00 AM - 1:00 PM

2020 Proposed Budget
Key Drivers
Staffing flat year-over-year.
From 2017 through 2019 we focused on staff development.
2020 utilizing staff for IT & Capital Audits.
No outside consultants in 2020.
Overall a decrease of 8.38% in year-over-year budget.

Organization Structure

Internal Audit
Glenn Fernandes, Director
Pam Bailey, Sr. Administrative Assistant

Operational & Compliance
Dan Chase, Sr. Manager - Internal Audit

Capital Audit
Spencer Bright, Manager - Capital Audit

IT Audit
Bruce Klouzal, Manager - IT Audit

Audit staff
Ritika Marwaha, Sr. Internal Auditor
Rumiko Okuma, Sr. Internal Auditor
Jennifer Albrecht, Internal Auditor
Nikita Goyal, Internal Auditor
Open, Internal Auditor
Open, Internal Auditor

INTERNAL AUDIT - 2020 Proposed Budget

Category                                   2018 Actual          2019 Budget          2019 Forecast        2020 Budget
                                           Amount       %       Amount       %       Amount       %       Amount       %
Salaries/Wages and Benefits                $1,300,252  85.51%   $1,713,416  89.44%   $1,511,339  89.97%   $1,699,700  96.84%
Outside Services                              174,640  11.48%      147,000   7.67%      115,051   6.85%        2,130   0.12%
Equipment Expense                               4,773   0.31%        6,680   0.35%        6,680   0.40%        4,321   0.25%
Office Supplies & Stock                           682   0.04%        1,000   0.05%        1,000   0.06%          600   0.03%
Travel, Training, and Other Emp Expense        36,009   2.37%       39,670   2.07%       39,670   2.36%       41,615   2.37%
General Expenses                                  986   0.06%        3,260   0.17%        2,460   0.15%          760   0.04%
Trade Business & Community                        150   0.01%          300   0.02%          300   0.02%          300   0.02%
Telecommunications                              3,135   0.21%        4,320   0.23%        3,356   0.20%        5,760   0.33%
Total                                      $1,520,627    100%   $1,915,646    100%   $1,679,856    100%   $1,755,186    100%

2020 Budget vs. 2019 Budget: 8.4% decrease

2019 Audit Plan

Limited Contract Compliance
Sixt Rent A Car LLC
Enterprise Rent A Car
Anton Airfood
Mad Anthony's
Marketing Fund-Concessions

Operational
Airport Security Screening Program
Diversity Program
Marine Maintenance
A&E Consultant Rates (1)

Capital
Baggage Optimization
Noise Insulation Programs (FAA Part 150)
Concourse D Hardstand Terminal
Shilshole Tenant Service Building

Information Technology
Security of Personally Identifiable Information
HIPAA Compliance
PCI - Qualified Security Assessor
Closed Network System Security
Inventory and Control of Hardware Assets (1)
T2 Airport Garage Parking System Replacement (2)

(1) Approved addition to plan at 6/28/2018 Audit Committee Meeting
(2) Approved removal from plan at 6/28/2018 Audit Committee Meeting

2019 AUDIT PLAN STATUS

Audit Title / Type
Sixt Rent A Car LLC / Limited Compliance
Marketing Fund-Concessions / Limited Compliance
Security of Personally Identifiable Information / IT
Noise Insulation Programs (FAA Part 150) / Operational - Capital
Marine Maintenance / Operational
Mad Anthony's / Limited Compliance
Baggage Optimization / Operational - Capital
Anton Airfood / Limited Operational
Diversity Program / Operational
Closed Network System Security / IT
Airport Security Screening Program / Operational
Concourse D Hardstand Terminal / Operational - Capital
HIPAA Compliance / IT
PCI Qualified Security Assessor / IT
Add: Architectural, Engineering & Related Support Services / Operational
Enterprise Rent A Car / Limited Operational
Shilshole Tenant Service Building / Operational - Capital
Add: Inventory and Control of Hardware Assets / IT
Moved to 2020: T2 Airport Garage Parking System Replacement / IT

Key: Complete / In Process / Removed from or Added to Audit Plan
(The month-by-month schedule for January through December was shown graphically in the original and is not reproduced here.)

Audit Follow-Up
1) Concession Audits
Amounts identified in the 2019 audits have been billed and collected.
2) Operational
No issues past their due date.
3) Information Technology
Three issues past their due date.
Two are close to being completed.
One, on T2's SOC 2 report, needs internal discussion on acceptance of risk.

Audits Completed

1) Concourse D Hardstand Terminal
2) Airport Employee Access*
3) HIPAA Privacy/Breach
4) Closed Networks*
5) HIPAA Security*
6) Payment Card Industry (PCI)*

*Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420

Concourse D Hardstand Terminal
Holdroom opened October 31, 2018

Design-build with a lump sum contract

Total cost: $35 million, including $1.7 million in change orders

Holdroom is approximately 32,400 square feet and includes six gate-like areas

Results
Medium: The Port's consultant did not have adequate knowledge of airport building requirements, which resulted in the design/concept drawings including a building type that was not allowed in airport terminals.
The Consultant's error on the design/concept drawings resulted in additional costs to the Port of $142,654.

Results (Continued)
Medium: The Contract restricted the Port's ability to audit all contractor and subcontractor records within the lump sum contract.
The audit clause only allows audit of documents related to changes.
When audit clauses are restrictive, there is an inherent risk that the Port may end up paying additional costs or not receive expected deliverables, without detection.

Airport Employee Access
Regulations
Section 8, SeaTac Airport Schedule of Rules and Regulations No. 5 - Security Compliance
TSA regulations - 49 CFR Parts 1542, 1544, and 1546 - Security Program
TSA definition of "Insider Threats"
Employee screening
Includes Port of Seattle employees, concession workers, contractors, and consultants
Background check and training prior to badge issuance

Results
Three issues which are deemed security sensitive and exempt from public disclosure.
Discussed in 1:1 with Audit Committee Members.

HIPAA PRIVACY/BREACH
Presented by:
Julia Huddleston, CIPP/US, CIPM
CFO & COO
Apgar & Associates
Compliance audit of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy/Breach requirements
Existing processes and controls in place for protected health information (PHI) were assessed against the HIPAA Privacy/Breach Rules using the federal Office for Civil Rights (OCR) Audit Protocol to determine the level of compliance and identify areas for improvement

HIPAA PRIVACY/BREACH (Apgar & Associates)

Portland, OR based
Developing and implementing practical, workable solutions since 2004
Clients range from single physician offices, to mid-size technology companies, to multi-national corporations

Results
High: The Port had not designated itself as a hybrid entity for the purposes of the HIPAA Rule. The Port had not defined what units within the Port were part of the designated health care component.

Medium: The Port's understanding of what systems and applications create, receive, use, maintain or transmit PHI and EPHI was incomplete. Combined with the hybrid entity issue, this could result in team members having more access to sensitive information than allowed by law and regulation.

Medium: The Port did not consistently enter into and manage business associate agreements with vendors that use, disclose, maintain or transmit the Port's PHI and EPHI to perform a business function for the Port.

Medium: HIPAA Privacy and Breach training was not being provided to Port employees within a reasonable timeframe.

Medium: The Port did not provide any four-factor risk assessment, required under federal law (the HIPAA Breach Notification Rule, 45 CFR 164.402), to document how the organization made the determination that there was a low risk of compromise to PHI from the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule.

MANAGEMENT RESPONSE
Management to discuss in person. Detailed response presented in audit report.

Closed Networks
Evaluated the adequacy of internal controls related to the IT security of selected Port Industrial Control Systems (ICS)
Review of three ICS:
Internal Waste Treatment Plant (IWTP)
Auxiliary Utility Facility (AUF)
Airfield Lighting Controls and Monitoring System (ALCMS)

Results
Five issues which are deemed security sensitive and exempt from public disclosure.
Discussed in 1:1 with Audit Committee Members.

HIPAA SECURITY
Compliance audit of the Health Insurance Portability and Accountability Act's (HIPAA) Security requirements
Existing processes and controls in place for electronic protected health information (EPHI) were assessed against the HIPAA Security Rule using the federal Office for Civil Rights (OCR) Audit Protocol to determine the level of compliance and identify areas for improvement

Results
Five issues which are deemed security sensitive and exempt from public disclosure.
Discussed in 1:1 with Audit Committee Members.

PCI (External Assessment)
2019 review completed on August 25, 2019
The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to complete an annual Self-Assessment Questionnaire (SAQ)
The SAQ verifies to the Port's acquirer (merchant bank) that the Port's security controls over credit card data handling meet the PCI DSS requirements

Results
Four issues which are deemed security sensitive and exempt from public disclosure.
Discussed in 1:1 with Audit Committee Members.
