2019 Audit Plan Update
Port of Seattle Audit Committee
Glenn Fernandes - Director, Internal Audit
December 9, 2019
Pier 69, Commission Chambers
10:00 AM - 12:00 PM
Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

2019 AUDIT PLAN STATUS
[Month-by-month status chart, Jan through Dec, not recoverable from the extracted text]
Audit Title  Type
Sixt Rent A Car  Contract Compliance
Airport Tenant Marketing Program  Contract Compliance
Security of Personally Identifiable Information  IT
Noise Insulation Program  Operational - Capital
Marine Maintenance Shop  Operational
Mad Anthony's, Inc.  Contract Compliance
Checked Baggage Optimization Project (Phase 1)  Operational - Capital
Anton Airfood of Seattle, Inc.  Contract Compliance
Diversity In Contracting  Operational
Closed Network System Security  IT
Airport Employee Access  Operational
Concourse D Hardstand Holdroom  Operational - Capital
HIPAA Security Compliance  IT
HIPAA Privacy and Breach Compliance  IT
Payment Card Industry (PCI)  IT
Added: Architectural and Engineering Consultant Rates  Operational
EAN Holding, LLC  Contract Compliance
Shilshole Bay Marina Customer Facilities Project  Operational - Capital
Added: Inventory and Control of Hardware Assets  IT
Moved to 2020: T2 Airport Garage Parking System Replacement  IT
Key: Complete; Removed/Added to Audit Plan

2019 Audit Plan Update
19 reports; 18 audit reports and 1 summary report completed in 2019 as planned: Operational (4), Capital Projects (4), IT (6), and Limited Contract Compliance (5)
Audits identified 13 High Risk and 29 Medium Risk issues for management action
The Port has opportunities to strengthen internal controls and related processes
Capital Spending Opportunities to reduce costs / be more efficient

2019/2018 Suggested Recoveries
Lease/Concession:
2019 Audits  Amount
Sixt Rent A Car  $43,299
EAN Holdings, LLC  6,159
Anton Airfood of Seattle, Inc.  5,420
Mad Anthony's, Inc.  15,557
Total  $70,435
2018 Audits  Amount
Dollar Rent A Car  $22,164
Fox Rent A Car, Inc.  98,310
Thrifty Car Rental  194,135
Total  $314,609
Capital:
2019 Audits  Amount
Concourse D Hardstand Holdroom  $142,654*
Checked Baggage Optimization Project Phase 1  $545,000 to 801,000*
Total  $687,654 to 943,654
2018 Audits  Amount
North Satellite Renovation and Expansion Project  $1,532,281**
Total  $1,532,281
* In process of collection
** Not collected

2019/2018 Controllable Cost Over-Runs
Audit  2018 Amount  2019 Amount
North Satellite Renovation and Expansion Project  $31,800,000  -
Delta Lounge  190,000  -
International Arrivals Facility Labor Burden  8,200,000 to 11,000,000  -
International Arrivals Facility Insurance  2,800,000  -
Noise Insulation Program*  -  $660,140
Shilshole Bay Marina Customer Facilities Project**  -  186,400
Total  $42,990,000 to 45,790,000  $846,540
* Calculated assuming a 16% margin markup vs. 51%
** Calculated based on design changes and revision back to original design
Note: Does not include controllable cost over-runs from the Architectural & Engineering Consultant Rates Audit

Lease and Concession Audit Plan Approach
Approximately 125 leases*
Agreement Year  Total Revenues  Sea-Tac  Economic Development
2017  $117 MM  $109 MM  $8 MM
2018  125 MM  117 MM  8 MM
2019**  111 MM  105 MM  6 MM
Total  $353 MM  $331 MM  $22 MM
Approach
Rating  Number of Leases  2017-2019 Revenue  Percentage  Frequency
High  11  $193 MM  55%  4 year cycle
Medium  24  126 MM  36%  8 year cycle
Low  90  34 MM  9%  As needed
Total  125  $353 MM  100%
* See Appendix A Lease Concession Risk Universe
** Annualized using a simple average, based on actual data as of 8/31/2019

2020 Lease and Concession Audit Plan
[Note: Audits of all high-risk rated lease agreements were completed within the last four years.]
Name  Division  Rating  2017-2019 Revenues
LenLyn Limited  Aviation  Medium  $4,045,676
Concourse Concessions, LLC  Aviation  Medium  2,911,734
McDonald's USA, LLC  Aviation  Medium  2,711,165
Concessions Int'l, INC  Aviation  Medium  2,389,253
Fireworks  Aviation  Medium  2,180,293
Qdoba Restaurant Corporation  Aviation  Medium  2,136,208
E-Z Rent A Car  Aviation  Low  1,219,262
Total  $17,593,591
Contingency Audit*
Avis Budget Car Rental  Aviation  High  $21,629,115
Total  $21,629,115
* If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2020 Audit Plan.

Capital Projects Audit Approach
25 projects currently under contract*
Risk rating of projects utilizing six attributes:
Project Size (Construction Costs)
Change Orders (Original Contract Sum)
Contract Type
Schedule
Budget
Known Concerns (Errors & Omissions, Potential Claims, Scope Changes, etc.)
Division  Current Contract Amount  Construction Cost to Date
Aviation  $1,461 MM  $890 MM
Non-Aviation  18 MM  0
Total**  $1,479 MM  $890 MM
* See Appendix B - Capital Risk Universe - Projects Currently Under Contract, Risk Rating Methodology.
** Contract costs as of August 2019. Does not include soft costs.

2020 Proposed Capital Audit Plan
Name  Schedule Rating*  Budget Rating*  Contract Amount
Service Tunnel Renewal/Replace  Red  Yellow  $25.1MM
Central Terminal Infrastructure Upgrade  Red  Red  12.3MM
North Terminals Utilities Upgrade Phase 1  Green  Red  12.1MM
AOA Perimeter Fence Line Standards Compliance  Red  Yellow  4.4MM
Total  $53.9MM
Contingency Audits**  Schedule Rating  Budget Rating  Contract Amount
Flight Corridor Safety Program  Red  Green  $4.3MM
Lora Lake Site Remediation  Yellow  Green  9.1MM
Total  $13.4MM
* Ratings generated from Internal Audit's risk assessment, utilizing the following systems: Quarterly Capital Improvement Projects, Contractor Data system, etc.
** If resources exist, at Internal Audit Director's discretion, these audits will be moved to the 2020 Audit Plan.
Information Technology Audit Plan Approach
Emerging Risks: Selected from the IT Audit Universe based on risk and perceived benefit to the Port*
Center for Internet Security**:
A series of 20 foundational and advanced cybersecurity actions that collectively form a defense-in-depth set of best practices, which can eliminate the most common attacks
Developed by a community of IT experts who apply their first-hand experience as cyber defenders
The February 2016 "California Data Breach Report" by the CA Attorney General, recommended that "The 20 controls in the Center for Internet Security's Critical Security Controls, define a minimum level of information security that all organizations that collect or maintain personal information should meet."
* See Appendix C IT Audit Universe
** https://cybernetsecurity.com/industry-papers/CIS-Controls%20Version-7-cc-FINAL.PDF - page 1

Information Technology Audit Plan
Proposed 2020 Audits
Name  Risk (from IT Audit Universe)  Selection Criteria
Network Password Management  High  Emerging Risk
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers  High  Center for Internet Security
T2 Airport Garage Parking System Replacement  High  Management Request
Inventory and Control of Software Assets  High  Center for Internet Security
Proposed 2020 Status Reports
Name
Payment Card Industry (PCI) Qualified Security Assessor  Annual review required by banking and card-brand agreements
Criminal Justice Information Services (CJIS)  Triennial audit by Washington State Patrol
Contingency Audit*  Risk (from IT Audit Universe)  Selection Criteria
Malware Defenses  High  Center for Internet Security
* If a proposed audit cannot be performed, at the Internal Audit Director's discretion, this audit will be moved to the 2020 Audit Plan.
Historical Reports Overview 2017 - 2020
Report Type  2017*  2018**  2019  2020 (proposed)
Limited Contract Compliance  8  6  5  7
Operational  11  8  4  4
Operational - Capital  1  5  4  4
Information Technology  2  3  6  6
Total  22  22  19  21
* 2017 included 9 audits carried over from the 2016 audit plan. The 1st and 2nd Quarter Audit Committee Meetings discussed 2016 Audits.
** 2018 included 6 audits carried over from the 2017 audit plan. The 1st Quarter Audit Committee Meeting discussed 2017 Audits.

Proposed 2020 Audit Plan
Limited Contract Compliance:
Lenlyn Limited
Concourse Concessions, LLS
McDonald's USA, LLC
Concessions Int'l, INC
Fireworks
Qdoba Restaurant Corporation
E-Z Rent A Car
Operational:
Asset Disposal Process
Delegation of Authority Compliance
Ground Transportation Taxi Cabs
Cash Controls
Capital:
Service Tunnel Renewal/Replace
Central Terminal Infrastructure Upgrade
North Terminal Utilities Upgrade - Phase 1
AOA Perimeter Fence Line Standards Compliance
Information Technology:
Network Password Management
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
T2 Airport Garage Parking System Replacement [1]
Inventory and Control of Software Assets
Payment Card Industry (PCI) - Qualified Security Assessor [2]
Criminal Justice Information Services (CJIS) [3]
[1] Moved to 2020 audit plan; approved at 6/28/2019 Audit Committee Meeting.
[2] This work will be performed by an outside firm. Internal Audit will provide a summary report to the Audit Committee.
[3] This work will be performed by the Washington State Patrol. Internal Audit will provide a summary report to the Audit Committee.

Contingency Audits - if resources exist, at Internal Audit Director's discretion, these audits will be moved to the 2020 Audit Plan.
Limited Contract Compliance: Avis Budget Car Rental
Operational: Architectural & Engineering Consultant Rates Follow-Up Audit
Information Technology: Malware Defenses
Capital: Flight Corridor Safety Program; Lora Lake Site Remediation

Audits Completed in Fourth Quarter, 2019
1) Architectural & Engineering Consultant Rates
2) Shilshole Bay Marina Customer Facilities Project
3) Inventory and Control of Hardware Assets*
4) EAN Holdings, LLC
*Security Sensitive; Exempt from Public Disclosure per RCW 42.56.420; Not Discussed

Architectural & Engineering Consultant Rates
Architectural and Engineering costs account for approximately 10-20 percent of capital costs
$3.6 billion in capital spending over the next five years
RCW 39.80.050 states "The agency shall negotiate a contract with the most qualified firm ... at a price which the agency determines is fair and reasonable"

Results
High: CPO had not established guidelines for what is determined fair and reasonable. Our testing of over 400 A&E consultants identified many instances where profit margins exceeded what the industry deemed reasonable. Below table reflects the profit margins of the firms tested:
[Note: Industry standard ranges between 10-15 percent.]

Recommendations
The Procurement Council should determine what the Port deems a fair and reasonable rate and should document the rationale for transparency.
CPO should engage a third party to perform an independent model validation of the rate tool, so that management can gain confidence that the model produces accurate market rates.

Results
High: Management approval was not required when hourly rates exceeded the maximum rates produced by the service rate negotiation tool/model. Below table reflects the number of positions that exceeded the maximum and the amount that the Port agreed to pay over the maximum rate for every hour worked:

Recommendations
CPO should implement a management review process when consultant rates exceed the maximum.
This review should be documented and contain established criteria and approval thresholds (i.e., up to 20% over the maximum) for both the Services Agreement Manager and Planning and Analytics Manager to approve. If the thresholds exceed their authority or if agreement cannot be reached, approval should be escalated to the appropriate person (i.e., director, COO) for approval, as required by the authority guidelines.

Results
High: A reconciliation between the final negotiated rates and the contract did not occur. As a result, we were unable to verify that all positions and rates reflected in the contract were accurate. Below table reflects the type and number of exceptions:

Recommendations
CPO should retain documentation to evidence the agreed upon rate and position. CPO should then use this documentation to verify that the rates are accurately captured into the contract before it is executed.

Results
Medium: The Central Procurement Office is responsible for procuring all contracts related to public works, consulting services, and goods and services. Governance meetings, for Executive Leadership Team (ELT) oversight of CPO, had not occurred since December 7, 2017.

Recommendations
The Chief Operating Officer should lead an effort to determine the meeting frequency and information that is deemed necessary to perform effective governance. We also recommend that, at a minimum, the CFO and the Port's Managing Directors of Aviation and Maritime attend these meetings. Finally, we recommend developing a charter that defines the purpose, objective, and voting rights (if necessary) within the Governance Committee.

Shilshole Bay Marina Customer Facilities Project
Construction of three new buildings, including: two large, multi-use buildings (restroom, shower and laundry) located in the south and central areas of the Marina, plus a smaller restroom/shower building at the north end.
Total project estimate: $15 million with lump-sum design-bid-build method
Project Timeline:
2014 Conceptual phase
January 2015 Funding approval
May 2017 Anticipated substantial completion of construction
September 2019 Actual construction began
Estimated completion in Q2, 2020
The initial bids received in 2018: 33% higher than the engineer's estimate. Rebidded in June 2018, Western Ventures Construction was awarded the contract.

Results
Medium: An opportunity exists to improve internal controls by requesting that Tetra Tech provide individual names on invoices. This would provide the detail required for the Port to assure that individuals being billed for services performed have the appropriate experience, fall into the appropriate job category, and are billed at the correctly negotiated rate.

Recommendation
Port management should request that Tetra Tech provide individual names on invoices so that the Port can monitor which consultants are working on the Project. Individual names can be compared to the Level of Effort, and if there are names that are not in line with the Level of Effort, invoice reviewers have the ability to work with the Rate Negotiations Team to assure the Port is billed a fair and reasonable rate.
Inventory and Control of Hardware Assets*
Evaluated the adequacy of internal controls related to IT hardware asset management
As data breaches continue to increase in severity and scale today, organizations need to ensure the basic security controls are in place to keep data safe from attack
Focused on the first of twenty control objectives from the Center for Internet Security (CIS), which was devised for an organization to be certain of what devices are on the network and are effectively defended
*Security Sensitive; Exempt from Public Disclosure per RCW 42.56.420; Issue Not Discussed in Public Session

EAN Holdings, LLC
EAN Holdings (Enterprise Rent-A-Car, Alamo Rent-A-Car, and National Rent-A-Car)
Percentage fee equal to 10% of gross revenues
EAN generates $12 million annually in percentage fees and $14 million in Customer Facility Charges

Results
Medium: Internal Audit identified one late payment for Percentage Fees owed for the month of October 2016. As a result, a late fee of $6,159 is due to the Port.
Status: In process of collection

Appendix A Lease/Concession Risk Universe
High Risk:
Name  Contract  Year Report Issued  2017  2018  2019*  Total
ENTERPRISE RENT A CAR  AIR001281  2019  $11,795,625  $12,428,124  $10,439,761  $34,663,511
AVIS BUDGET CAR RENTAL  AIR001282  2017  7,581,317  7,589,972  6,457,827  21,629,115
DUFRY - SEATTLE JV  AIR001661  2017  6,948,870  6,929,809  6,590,999  20,469,678
RASIER LLC  AIR002022  2017  4,812,691  6,569,772  6,613,020  17,995,483
AIRPORT MANAGEMENT SERVICES LLC  AIR002017  2017  5,809,324  6,287,731  4,807,242  16,904,297
HERTZ CORPORATION  AIR001278  2017  5,141,903  5,311,454  5,130,177  15,583,535
IN-TER-SPACE SERVICES, INC  AIR002224  2017  2,872,851  6,324,797  4,483,914  13,681,562
EASTSIDE FOR HIRE, INC (New Contract)  AIR002100  2017  5,128,377  4,408,877  3,763,749  13,301,004
HOST INTERNATIONAL, INC  AIR000435  2017  5,819,739  4,460,347  2,827,794  13,107,880
LOUIS DREYFUS COMPANY WASHINGTON LLC  SEA002603  2017  4,727,693  4,734,772  3,639,559  13,102,024
AIRPORT MANAGEMENT SERVICES LLC  AIR002018  2017  4,460,353  4,551,881  3,640,814  12,653,048
Total  $65,098,745  $69,597,535  $58,394,856  $193,091,136
* Annualized based on 8/31/2019 actuals

Medium Risk:
Name  Contract  2017  2018  2019*  Grand Total
HOST INTERNATIONAL, INC  AIR002019  $2,433,655  $4,771,768  $4,971,366  $12,176,788
SKY CHEFS INC  AIR001849  3,769,424  4,353,390  3,988,427  12,111,241
LYFT  AIR002023  2,081,719  3,710,868  4,119,210  9,911,797
DOUG FOX TRAVEL/ATZ  AIR001718  3,109,296  3,238,383  3,222,648  9,570,327
GATE GOURMET INT'L  AIR000042  2,638,361  2,874,824  2,959,631  8,472,816
SEATTLE RESTAURANT ASSOCIATES  AIR000439  2,874,131  2,980,072  2,343,216  8,197,419
CMC INVESTMENTS INC  AIR001280  1,843,234  1,989,383  1,616,993  5,449,609
REPUBLIC PARKING NORTHWEST INC  SEA000425  1,795,978  1,819,256  1,372,031  4,987,264
ANTON AIRFOOD  AIR000374  1,984,773  2,151,032  826,726  4,962,531
DTAG  AIR001279  1,517,830  1,887,620  1,456,492  4,861,942
AIRPORT MANAGEMENT SERVICES LLC  AIR000437  1,567,398  1,601,369  1,595,023  4,763,789
FLYING FOOD FARE INC  AIR000086  1,419,046  1,501,111  1,232,285  4,152,442
LENLYN LIMITED  AIR001788  1,248,767  1,406,196  1,390,713  4,045,676
SIXT RENT A CAR LLC  AIR001632  1,300,372  1,627,902  1,084,721  4,012,995
FOX RENT A CAR INC  AIR001285  1,245,147  1,548,053  1,214,369  4,007,569
CLEAR CHANNEL WORLDWIDE  AIR000950  3,668,207  -  -  3,668,207
CONCOURSE CONCESSIONS LLC  AIR002055  1,012,207  1,035,852  863,675  2,911,734
MCDONALD'S USA, LLC  AIR001606  686,877  998,367  1,025,920  2,711,165
BEECHER'S HANDMADE CHEESE, LLC  AIR001562  850,522  932,595  912,326  2,695,443
SEATAC BAR GROUP LLC  AIR002053  915,387  927,016  842,070  2,684,474
SEATTLE TACOMA INTL LIMOUSINE ASSOC  AIR001991  857,636  852,551  786,721  2,496,908
CONCESSIONS INT'L INC.  AIR002148  1,538,273  850,980  -  2,389,253
FIREWORKS  AIR002101  167,088  1,040,112  973,093  2,180,293
QDOBA RESTAURANT CORPORATION  AIR002096  -  1,095,768  1,040,441  2,136,208
Total  $40,525,328  $45,194,467  $39,838,097  $125,557,892

Low Risk:
Name  Contract  2017  2018  2019*  Grand Total
SODEXO AMERICA, LLC  AIR001513  $545,360  $657,525  $610,069  $1,812,953
PAYLESS CAR RENTAL, INC  AIR001451  621,917  449,314  468,472  1,539,702
SSP AMERICA SEA, LLC  AIR002358  654,274  797,635  1,451,909
MAD ANTHONY'S INC. (Fisherman's Terminal)  SEA000043  491,070  487,492  423,101  1,401,663
EX OFFICIO LLC  AIR000580  492,375  479,082  394,493  1,365,950
E-Z RENT-A-CAR  AIR001439  443,324  426,103  349,835  1,219,262
MAD ANTHONY'S INC PIER 66  SEA000294  387,129  393,839  373,050  1,154,017
SMARTE CARTE INC  AIR000629  374,177  373,310  364,171  1,111,659
DILETTANTE CHOCOLATES INC  AIR002094  62,366  527,782  520,990  1,111,137
HOST INTERNATIONAL, INC  AIR002247  -  25,322  1,019,231  1,044,553
FRUIT & FLOWER LLC DBA FLORET AUTHORITY  AIR002063  3,099  449,369  591,529  1,043,997
TASTE INC dba VINO VOLO  AIR000839  319,112  328,398  347,103  994,613
QDOBA RESTAURANT CORPORATION  AIR000619  886,845  91,587  -  978,432
INMOTION SEA, LLC  AIR002103  37,423  427,031  473,532  937,987
ALCLEAR, LLC  AIR002048  129,735  290,121  481,588  901,444
FIREWORKS  AIR000612  614,187  193,170  7,106  814,463
PROJECT HORIZON  AIR000618  458,339  340,199  -  798,538
IVARS INC  AIR000615  721,122  66,461  -  787,583
PALLINO SEATAC LLC  AIR000613  706,807  61,720  -  768,527
FOOD SYSTEMS UNLIMITED INC  AIR000616  657,835  65,386  -  723,221
LATRELLES EXPRESS INC  AIR000614  546,481  53,959  -  600,440
HOST LPI SEA FB, LLC  AIR002361  -  -  595,049  595,049
SUB POP RECORDS  AIR001816  205,038  215,595  149,308  569,941
TERMINAL GETAWAY SPA SEATTLE, LLC  AIR002095  26,689  236,089  254,511  517,288
Suns Inc.  AIR002054  102,747  192,233  168,989  463,969
SEATTLE CHOCOLATES COMPANY LLC  AIR002093  23,517  209,306  221,002  453,824
BF FOODS LLC  AIR002375  428,084  25,673  453,757
1915 KCHOUSE CONCEPTS-SEATAC, LLC  AIR002265  -  -  404,412  404,412
CONCOURSE CONCESSIONS LLS  AIR002362  -  -  396,486  396,486
PALLINO SEATAC LLC  AIR002241  -  -  393,273  393,273
BAMBUZA SEA-TAC VENTURES  AIR002365  -  -  357,758  357,758
THE YARROW GROUP, LLC  AIR002233  -  -  357,476  357,476
SSP AMERICA SEA, LLC  AIR002238  -  -  355,020  355,020
DILETTANTE CHOCOLATES INC  AIR001657  136,680  148,050  47,104  331,835
LATRELLES EXPRESS INC  AIR002287  122,279  201,523  323,802
PLANEWEAR, LLC  AIR001971  95,907  111,510  97,649  305,065
MAREL SEATTLE INC  SEA001010  145,302  150,000  -  295,302
STELLAR BAMBUZA SEA, LLC  AIR002240  -  -  273,820  273,820
SILVERCAR, INC  AIR002203  27,537  150,177  76,702  254,416
MASSAGE BAR  AIR000933  229,227  12,912  -  242,299
SMARTE CARTE INC  AIR002097  63,859  78,819  78,369  221,047
DILETTANTE CHOCOLATES INC  AIR000621  219,481  -  219,481
LADY YUM, LLC  AIR002331  97,429  121,654  219,082
AIRPORT CHANNEL  AIR000988  102,297  110,673  4,050  217,020
GLASSYBABY LLC  AIR002123  69,566  81,974  65,330  216,870
AIRPORT MANAGEMENT SERVICES LLC  AIR001773  92,902  76,815  46,771  216,489
BILL & NICK INCORPORATED  SEA000016  63,661  70,659  60,293  194,613
FIREWORKS  AIR001644  183,979  -  183,979
SSP AMERICA SEA, LLC  AIR002237  -  -  170,867  170,867
CAFE PACIFIC CATERING, INC  AIR002124  46,297  48,089  39,403  133,665
AIRPORT MANAGEMENT SERVICES LLC  AIR002430  -  -  119,822  119,822
SHILSHOLE BAY FUEL DOCK  SEA002355  38,592  38,592  38,592  115,925
PALLINO SEATAC LLC  AIR002283  96,392  18,592  114,985
BF FOODS LLC  AIR002393  -  36,376  66,833  103,209
ME & MOM'S HATS DBA SEATTLE HAT$  AIR002141  24,204  38,961  36,641  99,806
CERTIFIED FOLDER DISPLAY SERVICE INC  AIR001641  33,178  33,492  27,355  94,024
SECURITY POINT MEDIA, LLC  AIR002437  -  -  93,984  93,984
AIRPORT MANAGEMENT SERVICES LLC  AIR002284  82,645  9,899  92,545
WINGZ, INC  AIR002020  44,885  39,120  6,417  90,422
HAN EUN CORPORATION  SEA002621  29,311  29,479  28,508  87,298
CLIPPER FERRY SERVICES, INC  SEA003017  31,238  27,919  22,811  81,968
CHALO, LLC  AIR002270  2,404  40,795  30,107  73,306
LADY YUM, LLC  AIR002131  51,692  21,278  -  72,970
MASSAGE BAR  AIR002286  64,744  7,925  72,669
FIREHOUSE EXPRESS, LLC  AIR001565  37,112  33,366  -  70,478
SHARA, LLC DBA SHOW PONY  AIR002330  30,950  35,867  66,818
CONCOURSE CONCESSIONS LLS  AIR002374  46,962  15,104  62,066
MSM INCORPORATED  SEA002783  61,143  -  61,143
HOST INTERNATIONAL, INC  AIR002150  33,203  12,623  -  45,827
SEATTLE CHOCOLATES COMPANY LLC  AIR001970  43,002  -  43,002
SHARA, LLC DBA SHOW PONY  AIR002129  34,283  7,675  -  41,957
BUTTER LONDON INC  AIR000941  41,072  -  41,072
MAC-GRAY SERVICES  SEA002097  16,654  17,524  5,724  39,902
REPUBLIC PARKING NORTHWEST INC  SEA000424  17,271  10,267  12,101  39,639
LUCKY SHOE SHINE, LLC  AIR001888  11,934  14,176  11,651  37,761
CLEAN ENERGY FUELS CORP  AIR001655  19,107  13,528  3,984  36,618
Asanda Air II LLC  AIR002409  -  11,990  20,550  32,540
FILO FOODS LLC  AIR002151  27,839  -  27,839
PUBLICANS, INC  SEA002494  9,262  9,095  9,138  27,495
AMERICAN EXPRESS TRAVEL$  AIR001877  6,690  7,710  7,988  22,312
DELTA AIR LINES INC  AIR001740  20,792  -  20,792
UNITED INDIANS OF ALL TRIBES FOUNDATION  AIR002387  -  -  15,922  15,922
THE WISHING STONE  AIR001670  14,436  -  14,436
SEATTLE AIR VENTURES JV  AIR002355  -  5,894  6,184  12,078
UNITED AIRLINES  AIR001725  10,000  -  -  10,000
ALASKA AIRLINES INC  AIR001720  5,660  -  -  5,660
SEATTLE RENT A WRECK  AIR001621  2,200  2,282  -  4,481
ME & MOM'S HATS DBA SEATTLE HAT$  AIR001926  4,401  -  4,401
MAC-GRAY SERVICES  SEA001479  1,880  1,902  375  4,157
ZEEBA WA, LLC DBA ZEEBA RENT-A-VAN  AIR002226  -  1,782  1,507  3,289
Total  $11,006,835  $10,159,652  $12,837,977  $34,004,575

Appendix B Capital Risk Universe (Projects Currently Under Contract)
Project  (A)  (B)  (C)  (D)  (E)  (F)  Total  Prior Audit
International Arrivals Facility (IAF)  5  5  3  5  5  5  28  2017; 2018
Central Terminal Infrastructure Upgrade [1]  1  5  1  5  5  5  22
Checked Baggage Recap/Optimization Phase I  2  2  1  5  5  5  20  2019
Highline School Noise Insulation  1  5  1  5  1  3  16  2019
Service Tunnel Renewal/Replace [2]  1  1  1  5  3  5  16
AOA Perimeter Fence Line Standards Compliance [3]  1  3  1  5  3  3  16
North Terminals Utilities Upgrade - Phase 1 [4]  See Description 4 for project risk indicators
Terminal Security Enhancements- Phase I Windows  1  4  1  5  1  1  13
Chiller Panel Upgrade  1  4  1  5  1  1  13
Airport Dining and Retail Infrastructure Modernization  1  1  1  5  3  2  13
Central Terminal Enhancements  1  1  1  5  3  1  12
Lora Lake Site Remediation [5]  1  1  1  3  1  4  11
Concourse D Hardstand Terminal  1  2  1  1  5  1  11  2019
NorthSTAR North Satellite Lobbies  5  1  1  1  1  1  10
Mechanical Energy Conservation  1  1  1  5  1  1  10  Closed 2019
Holdroom Seating For Concourses B & C  1  4  1  1  1  1  9
Flight Corridor Safety Program [6]  1  5  1  5  5  4  21
BHICC P66 Interior Modernization  1  1  1  1  1  2  7
SSAT HVAC Infrastructure Upgrade  1  1  1  1  1  1  6
Shilshole Bay Marina Paving- Combined with SBM Tenant Bldgs.  1  1  1  1  1  1  6  2019
SD Pond Bird Deterrent Improvement  1  1  1  1  1  1  6
Condominium Sound Insulation  1  1  1  1  1  1  6
Restroom Renovations Phase 2 Enabling Work  1  1  1  1  1  1  6
Variable Frequency Drive  1  1  1  1  1  1  6
Fishermen's Terminal Docks 3,4,5 & 6 Fixed Pier Improvements  1  1  1  1  1  1  6
[1] $720k designer E&O; $500k Owner E&O; $460k scope changes. July 19, 2019 budget increased by $2.5 MM to $19.3 MM.
[2] $911k designer E&O; $225k scope change
[3] Bid protest; numerous change orders; scope change
[4] Original project budget of $21.3 MM for full redundant loop utility (heating/cooling). Lowest bid came in at $33 MM. Stakeholder meeting decided to put in 2 phases. Phase 1 budgeted at $12 MM. Will go back to commission for Phase 2 request of additional $28 MM. Project approved for RFP in October 2019.
[5] Contingency audit. Overall budget $9.1 MM delayed due to lake fill re-design and approval time from DOE. Impact of delay was $75k for work suspension. 15 open trends with potential cost of $700k.
[6] Contingency audit. Numerous change orders and scope changes resulting in cost escalation from original budget.

Appendix B Capital Risk Rating Methodology
Attributes
(A) Project Size (construction costs)  Points
$1 to $50 MM  1
>$50 MM to $75 MM  2
>$75 MM to $100 MM  3
>$100 MM to $250 MM  4
>$250 MM  5
(B) Change Orders (original contract sum)  Points
0 to 5%  1
6 to 7.5%  2
8 to 10%  3
10 to 15%  4
>15%  5
(C) Contract Type  Points
Lump sum  1
Unit Price or T&M  2
GMP w/ Shared Savings  3
GMP w/ no shared savings  4
Cost Plus  5
(D) Schedule  Points
On Schedule  1
Potential Schedule Overrun  3
Schedule Overrun  5
(E) Budget  Points
Under Budget  1
Potential Budget Overrun  3
Over Budget  5
(F) Known Concerns (errors & omissions, potential claims, scope change etc.)  Points
Subjective- Audit Knowledge  1-5

Appendix C IT Audit Universe
IT General Controls Audits  Inherent Risk
1  CIS - Inventory and Control of Hardware Assets  HIGH
2  CIS - Inventory and Control of Software Assets  HIGH
3  CIS - Continuous Vulnerability Management (includes patching)  HIGH
4  CIS - Controlled Use of Administrative Privileges  HIGH
5  CIS - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers  HIGH
6  CIS - Maintenance, Monitoring and Analysis of Audit Logs  HIGH
7  CIS - Email and Web Browser Protections  HIGH
8  CIS - Limitation and Control of Network Ports, Protocols, and Services  HIGH
9  CIS - Data Recovery Capabilities  HIGH
10  CIS - Secure Configuration for Network Devices (e.g., Firewalls, Routers and Switches)  HIGH
11  CIS - Boundary Defense  HIGH
12  CIS - Data Protection  HIGH
13  CIS - Controlled Access Based on the Need to Know  HIGH
14  CIS - Wireless Access Control  HIGH
15  CIS - Account Monitoring and Control  HIGH
16  CIS - Implement a Security Awareness and Training Program  HIGH
17  CIS - Application Software Security  HIGH
18  CIS - Incident Response and Management  HIGH
19  CIS - Penetration Tests and Red Team Exercises  HIGH
20  Industrial Control System Security  HIGH
21  CIS - Malware Defenses  HIGH
22  Endpoint Protection - may be a duplicate of CIS - Malware Defenses  HIGH
23  Portable Media Security  HIGH
24  Transmission Protection  HIGH
25  Password Management  HIGH
26  Identity & Access Management  HIGH
27  Disaster Recovery Program  HIGH
28  IT Risk Management  HIGH
29  Physical & Environmental Security  HIGH
30  Change Management  HIGH
31  Datacenter Ops  HIGH
32  IT Governance  HIGH
33  Periodic User Access Reviews  HIGH
35  System and Software Development  HIGH
36  Vendor Management  HIGH
37  Security Program  HIGH
38  HIPAA Security Compliance  HIGH
34  Project Management  Medium
39  Triennial WA State Patrol Audit of CJIS Compliance  Medium
40  Annual Review of PCI Compliance  Medium